Windows NT Example
The following example is a Windows NT message:
Jan 15 15:06:19 1998 0 Error N/A Service_Control_Manager 7024 \
The UPS service terminated with service-specific error 2481.
The variable parts are the time stamp (Jan 15 15:06:19 1998), possibly the security
ID (N/A), the event ID (7024), the service name (UPS), and the error code (2481).
Another system log message uses the same general format, as shown in the
following example:
Sep 29 14:57:28 1998 0 Error N/A Service_Control_Manager 7025 \
The SNMP service terminated with service-specific error 2482.
The constant parts of a system log message are defined by simply embedding them
in the format string itself. The variable parts are defined using the component
specifier. The format string for the preceding September 29 example could be
written as follows:
%t %s %s Error %s Service_Control_Manager %s The %s \
service terminated with service-specific error %s.
The white space characters that separate the words of a system log message must
also be present in the format string. A single space character (that is, one blank) in
the format string will match any number of white space characters in the message.
Care should be taken when using the arbitrary length repeater component
specifiers (%s* and %s+). The following format specification does not make much
sense:
This is not a good format %s* %s*
The first %s* matches everything through the end of the message, and the second
%s* never matches anything. It might appear that this does not matter, but the
importance becomes apparent as discussed in “Mappings” on page 149.
The following format string, however, is meaningful:
This is a good format %s* : %s*
The first %s* matches everything up to the first colon (:), and the second %s* now
matches everything through the end of the message.
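As an added illustration, not code from the Format File Reference or from the adapters themselves, the following Python sketch implements the matching rules described above and applies them to the September 29 message and to the two repeater formats. It assumes that %t matches only the three-word "Mon dd hh:mm:ss" portion of the time stamp (so the year is picked up by the first %s of the example format) and that %s* and %s+ run up to the next literal token of the format, or through the end of the message when no literal follows.

```python
import re

def _token_regex(fmt_tok):
    """Regex for one whitespace-delimited format token: %s = one word, rest literal."""
    parts = [r'(\S+)' if p == '%s' else re.escape(p) for p in re.split(r'(%s)', fmt_tok)]
    return re.compile('^' + ''.join(parts) + '$')

def match_format(fmt, msg):
    """Return the variable parts of msg captured by fmt, or None on mismatch.

    Assumed semantics (simplified from the adapter's matcher): a literal word
    matches itself, %s matches one word, %t matches the three-word time stamp
    'Mon dd hh:mm:ss', %s* and %s+ swallow words up to the next literal token
    in the format (or through the end of the message when none follows).
    """
    ftoks, mtoks = fmt.split(), msg.split()   # any run of white space separates words
    caps, j = [], 0
    for i, ft in enumerate(ftoks):
        if ft == '%t':
            if j + 3 > len(mtoks) or not re.match(r'\d\d:\d\d:\d\d$', mtoks[j + 2]):
                return None
            caps.append(' '.join(mtoks[j:j + 3]))
            j += 3
        elif ft in ('%s*', '%s+'):
            nxt = ftoks[i + 1] if i + 1 < len(ftoks) else None
            if nxt is None or nxt.startswith('%'):
                end = len(mtoks)            # no literal follows: run through the end
            elif nxt in mtoks[j:]:
                end = mtoks.index(nxt, j)   # stop at the next literal token
            else:
                return None
            if ft == '%s+' and end == j:
                return None                 # %s+ needs at least one word
            caps.append(' '.join(mtoks[j:end]))
            j = end
        else:
            if j >= len(mtoks):
                return None
            m = _token_regex(ft).match(mtoks[j])
            if not m:
                return None
            caps.extend(m.groups())
            j += 1
    return caps if j == len(mtoks) else None   # the whole message must be consumed

# Constructed sample input: the September 29 message and format string from the page.
SEP29 = ("Sep 29 14:57:28 1998 0 Error N/A Service_Control_Manager 7025 "
         "The SNMP service terminated with service-specific error 2482.")
SEP29_FMT = ("%t %s %s Error %s Service_Control_Manager %s The %s "
             "service terminated with service-specific error %s.")
```

Running match_format on the "%s* %s*" format shows the first repeater taking the whole remainder and the second capturing nothing, while "%s* : %s*" splits at the first colon as the text describes.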
Mappings
The log file adapters translate system log messages into event class instances
containing attribute name=value pairs. The event is then sent to the event server. An
associated BAROC file containing class definitions at the event server is used to
validate the incoming event before processing the event further.
For the log file adapters, the event class for a system log message is determined at
the source by matching a system log message to a format string in the format file.
After a class is determined by this matching, values must be assigned to the
attributes. Attribute values can come from a variety of sources, such as from the
system log message itself, from default values provided by the adapter, or from
mappings within the format specification of a class in the format file. This section
discusses how the mappings in a format specification assign values to attributes.
Appendix B. Format File Reference 149