I am new to Sentinel, so please bear with me if anything I say doesn't
make sense.

My project uses Sentinel 6.1 to collect syslog events from a Solaris 9
server. It uses the Collector known as
-Sun_Microsystems_Solaris_9_LOG_600-. It's using the "esec5" syslog
parser.

Occasionally, a syslog message comes through which gets designated as
an "Unsupported Event" in the Sentinel Control Center's Active View
window. The Message field of this event displays a portion of the
original syslog message's body -- basically everything after the host IP
address.

The problem is that the host IP address itself is not included in any
of the fields for this event in the Active View window (InitHostName,
InitIP, TargetIP, etc.). We see the host IP address in the raw data tap
(in Event Source Management) as part of s_RxBufferString, but it does
not make it into the event shown in Active View.

I am new to Sentinel, but my first thought was that perhaps the
Collector's parsing lookups were failing us. I've looked at them,

agent.lkp
core.lkp
template.lkp
syslog_parser.lkp

and just based on the syntax of the filters, I can't see how this would
be.

Can anyone offer any suggestions? Am I missing something obvious? As
I said, I am new to this, so I might be looking in the wrong place
entirely.


--
sentinelsurfer
------------------------------------------------------------------------
sentinelsurfer's Profile: http://forums.novell.com/member.php?userid=124111
View this thread: http://forums.novell.com/showthread.php?t=452583
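The failure mode described in the post above (a message whose body matches no known rule being emitted as an "Unsupported Event" with the source host dropped) is easy to reproduce and guard against in a small parser. The following is an added illustration, not Sentinel's collector code and not the poster's own; the header regex, the two hypothetical "known event" rules, the event field names and the sample syslog lines are all constructed for this example. The point it shows is that the header (priority, timestamp, host) should be split off and kept before any body matching is attempted, so the fallback path still carries the host.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: three RFC 3164-style lines as a Solaris host might forward them.
# The third body matches none of the "known" rules below and must fall through.
SAMPLE_LINES = [
    "<38>Mar  4 10:15:01 192.0.2.10 sshd[1234]: Accepted publickey for alice from 198.51.100.7 port 51234 ssh2",
    "<38>Mar  4 10:15:09 192.0.2.10 sshd[1250]: Failed password for invalid user bob from 198.51.100.9 port 40222 ssh2",
    "<13>Mar  4 10:16:30 192.0.2.10 custom-app: some vendor-specific message nobody wrote a rule for",
]

# Header: optional <PRI>, BSD timestamp, hostname-or-IP, then the body.
HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2}\s{1,2}\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>\S+)\s"
    r"(?P<body>.*)$"
)

# Hypothetical "known event" rules (constructed): event name -> regex over the body only.
KNOWN_RULES = {
    "ssh_login_success": re.compile(
        r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)"),
    "ssh_login_failure": re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"),
}


@dataclass
class Event:
    name: str
    init_host: Optional[str]      # taken from the header, independent of body matching
    message: str                  # body only, mirroring the "Message" field behaviour
    fields: dict = field(default_factory=dict)


def parse_line(line: str) -> Event:
    """Split header from body first, then try body rules; never lose the host."""
    m = HEADER_RE.match(line)
    if not m:
        # Not even the header parsed: keep the whole line so nothing is silently dropped.
        return Event("UnsupportedEvent", None, line)
    host, body = m.group("host"), m.group("body")
    for name, rule in KNOWN_RULES.items():
        r = rule.search(body)
        if r:
            return Event(name, host, body, r.groupdict())
    # Fallback path: body is unknown, but the header fields are still carried forward.
    return Event("UnsupportedEvent", host, body)


def parse_all(lines: List[str]) -> List[Event]:
    return [parse_line(line) for line in lines]


def unsupported_without_host(events: List[Event]) -> List[Event]:
    """Health check a collector maintainer can run: unsupported events that lost their source."""
    return [e for e in events if e.name == "UnsupportedEvent" and e.init_host is None]


if __name__ == "__main__":
    for ev in parse_all(SAMPLE_LINES):
        print(ev.name, ev.init_host, ev.fields or ev.message)
    print("unsupported events missing host:", len(unsupported_without_host(parse_all(SAMPLE_LINES))))
```

Run on the constructed lines, the first two become typed events with `user`/`src` fields, and the third becomes an `UnsupportedEvent` whose `message` is just the body but whose `init_host` is still `192.0.2.10`. The `unsupported_without_host` check is the kind of quick audit one would point at a collector's output to confirm the fallback branch is not discarding header data.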