Answer
For syslog messages, the raw data is just a text string. When you create or edit processing rules for archiving, you are matching phrases within that text string.
- Note: Both % and * can be used as a wildcard within syslog rules and are interchangeable. In the examples below, % stands for any run of characters (including none), so %App1% matches a message that contains 'App1' anywhere in its text.
Let's say an application generates three kinds of syslog messages whose raw data includes the following:
App1-Stop
App1-Crash
App1-NotVeryInteresting
You would set up rules to categorize these events with patterns such as the following:
Rule #1
Match the 'App1-Stop' and 'App1-Crash' events:
%App1-Stop%,%App1-Crash%
Rule #2
Match low interest events:
%App1-NotVeryInteresting%
Rule #3
Match all events that contain 'App1':
%App1%
OR
App1%
Note that App1% only matches messages whose text begins with 'App1', whereas %App1% matches 'App1' anywhere in the string. Both work for the three messages above because each starts with 'App1'.
Additional Notes:
- You need to know what kinds of messages the application generates. The device manufacturer should be able to provide a list of expected messages to work with.
- Another useful tip when creating custom processing rules is to archive all messages first (set 'archive all' under the event source's properties), then analyze how each message appears once archived in the Events Browser of GFI EventsManager.
- Read section 8.4 of the EventsManager 2011 manual for more information on syslog filter categories: http://manuals.gfi.com/en/esm2011/esm2011manual.1.48.html#9002084
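The following is an added example, not code from the original article or from GFI EventsManager: a small matcher that applies the three rules above to constructed sample messages, so you can see which rule each message lands in before loading the patterns into the product. It assumes that % and * both match any run of characters, that a comma separates alternative patterns within one rule (as in Rule #1), and that rules are evaluated in order with the first match winning; the sample messages and function names are invented for the demonstration.

```python
import re

# Constructed sample syslog messages (not from the original article).
# Two of them carry a timestamp/host prefix, as a forwarded syslog line often does.
SAMPLE_MESSAGES = [
    "App1-Stop",
    "App1-Crash",
    "App1-NotVeryInteresting",
    "Mar  3 10:15:02 host01 App1-Stop: service halted by operator",
    "App2-Start",
]

# Ordered processing rules (name, pattern list), taken from the rules above.
# Assumption: evaluated top to bottom, first match wins.
RULES = [
    ("Rule #1 stop/crash", "%App1-Stop%,%App1-Crash%"),
    ("Rule #2 low interest", "%App1-NotVeryInteresting%"),
    ("Rule #3 any App1", "%App1%"),
]


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate one rule pattern into a compiled regex.

    '%' and '*' are treated as interchangeable wildcards matching any run of
    characters (including none); every other character is matched literally,
    so a hyphen or dot in the pattern cannot accidentally act as regex syntax.
    """
    literal_parts = re.split(r"[%*]", pattern)
    body = ".*".join(re.escape(part) for part in literal_parts)
    return re.compile(body, re.DOTALL)


def rule_matches(rule: str, message: str) -> bool:
    """A rule is a comma-separated list of patterns; any one matching is enough."""
    patterns = [p.strip() for p in rule.split(",") if p.strip()]
    return any(wildcard_to_regex(p).fullmatch(message) for p in patterns)


def categorize(message: str, rules=RULES) -> str:
    """Return the name of the first rule that matches, or 'unmatched'."""
    for name, rule in rules:
        if rule_matches(rule, message):
            return name
    return "unmatched"


def categorize_all(messages=SAMPLE_MESSAGES, rules=RULES) -> dict:
    """Map every sample message to the rule it falls into."""
    return {m: categorize(m, rules) for m in messages}


if __name__ == "__main__":
    for message, rule_name in categorize_all().items():
        print(f"{rule_name:22s} <- {message}")
```

Two things the output makes visible: the prefixed line still reaches Rule #1 because %App1-Stop% matches anywhere, while the narrower App1% pattern would miss it; and if Rule #3 were placed before the other two, every App1 message would be swallowed by it, so keep the catch-all last.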