OpenNMS Syslog Integration

Tags: opennms, syslog, ubuntu-16.04

I am trying to configure OpenNMS to receive Syslog messages from an ASA. My syslogd-configuration file looks like so:

<configuration
    syslog-port="514"
    new-suspect-on-message="false"
    parser="org.opennms.netmgt.syslogd.CustomSyslogParser"
    forwarding-regexp="((.+?) (.*))\r?\n?$"
    matching-group-host="2"
    matching-group-message="3"
    />

The syslog messages arrive in this format:

Sep 13 08:36:37 192.168.75.254 %ASA-4-106023: Deny tcp src outside:144.5.5.255/56607 dst inside:192.168.75.102/23 by access-group "outside_access_in" [0x0, 0x0]

With this config, I can get syslog messages into OpenNMS, but they come through as indeterminate. It seems as though this regex cannot parse. When I test this regex on other websites like regex101.com, it clearly says that there is not a match. I have created a regex that does match how I need:

\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s*([\s\S]*)

BUT when I add this to the config, I no longer get any syslog messages at all.

Does anyone have an idea of how I can make this happen? I have spent wayyy too much time on this as is.

Best Answer

I'm not sure why the original regex nested the groups, but if you remove the outer () group, you'll need to reduce the group numbers for the host and message (since the outer group was group #1), so:

matching-group-host="1"
matching-group-message="2"
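To make the group-numbering point concrete, here is an added Python example (not from the question, the answer, or OpenNMS itself) that applies the three forwarding-regexp settings discussed above to the sample ASA line and reports which host and message each one captures. It mirrors the matching-group-host / matching-group-message settings with an unanchored search, which is an assumption about how OpenNMS applies the pattern.

```python
import re

# Constructed sample in the format shown in the question (one line, not wrapped).
SAMPLE = ('Sep 13 08:36:37 192.168.75.254 %ASA-4-106023: Deny tcp src '
          'outside:144.5.5.255/56607 dst inside:192.168.75.102/23 '
          'by access-group "outside_access_in" [0x0, 0x0]')

IP_RE = r"\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s*([\s\S]*)"

# Each entry mirrors one syslogd-configuration:
# (forwarding-regexp, matching-group-host, matching-group-message).
CONFIGS = {
    "original":    (r"((.+?) (.*))\r?\n?$", 2, 3),  # nested outer group is #1
    "question":    (IP_RE, 2, 3),                   # outer group removed, numbers kept
    "best_answer": (IP_RE, 1, 2),                   # outer group removed, numbers shifted
}


def extract(regexp, host_group, message_group, line):
    """Return (host, message) as the forwarding regex would capture them.

    Returns None when the pattern does not match at all, and raises IndexError
    when a configured group number does not exist in the pattern, the failure
    mode the question describes (no messages at all). Assumption: unanchored
    search; the example does not assert how OpenNMS anchors the match.
    """
    m = re.search(regexp, line)
    if m is None:
        return None
    wanted = max(host_group, message_group)
    if wanted > m.re.groups:
        raise IndexError(f"pattern has {m.re.groups} groups, "
                         f"config refers to group {wanted}")
    return m.group(host_group), m.group(message_group)


def evaluate(line=SAMPLE):
    """Run every config against the sample; report host/message or the error."""
    results = {}
    for name, (regexp, host_group, message_group) in CONFIGS.items():
        try:
            results[name] = extract(regexp, host_group, message_group, line)
        except IndexError as exc:
            results[name] = f"error: {exc}"
    return results


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:12s} -> {result}")
```

With the original nested pattern the lazy group 2 stops at the first space, so the "host" is the month name rather than the IP; with the question's pattern and groups 2/3 there is no group 3, and only the renumbered answer yields the ASA address as host.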