If you want to add an action to run a script, use the examples in the following section to help you get started writing scripts. The \Scripts folder in the Kiwi Syslog Server installation directory also includes sample scripts that show you how to play sounds, send e-mail, log to a file, and perform other actions.
If you have created a custom parsing script or something that would be useful to others, please share it with the SolarWinds user community.
The following examples are provided:
The function below checks the message for specific PIX message numbers and, when one matches, writes a plain-language explanation and a recommended action into two custom message fields. The custom fields can then be used in a "Send e-mail" action.
The explanation and action text used in this script is taken from the Cisco website.
Field access required by the script:
Common fields: Read=yes
Custom fields: Write=yes
Rules setup
    Rule: Lookup PIX msg
        Filters
            Filter: Host IP address: Simple: Match PIX firewall address
        Actions
            Action: Run Script: Lookup PIX msg
            Action: Send e-mail
                To: helpdesk@company.com
                Subject: Problem with PIX
                Body:
                    %MsgText
                    Explanation: %VarCustom01
                    Action to take: %VarCustom02

Function Main()
    ' Set the return value to OK
    Main = "OK"

    ' By default, skip to the next rule, don't take the actions that follow.
    ' If we exit the function before we get to the end, the default 'skip to next rule'
    ' will be used.
    Fields.ActionQuit = 100

    ' Example of a PIX message
    ' %PIX-4-209004: Invalid IP fragment...
    Dim M ' Message
    Dim E ' Explanation
    Dim A ' Action

    ' Copy message to local variable for speed
    M = Fields.VarCleanMessageText

    ' If message length is too short, exit function
    If Len(M) < 15 Then Exit Function

    ' Grab the first 15 chrs
    M = Left(M, 15)

    ' Check the message is a valid PIX message
    If Mid(M, 1, 5) <> "%PIX-" Then Exit Function

    ' Add any additional checks you want to perform here

    ' Grab the important part ("4-209004")
    M = Mid(M, 6, 8)

    E = ""
    A = ""

    ' Now lookup the values and create an explanation and action for each match
    Select Case M
        Case "4-209004"
            E = "An IP fragment is malformed. The total size of the reassembled IP packet exceeds the maximum possible size of 65,535 bytes"
            A = "A possible intrusion event may be in progress. If this message persists, contact the remote peer's administrator or upstream provider."
        Case "2-106012"
            E = "This is a connection-related message. An IP packet was seen with IP options. Because IP options are considered a security risk, the packet was discarded."
            A = "A security breach was probably attempted. Check the local site for loose source or strict source routing."
        ' Insert other values to lookup here
    End Select

    ' Exit if we don't have any values to pass
    If Len(E) = 0 Then Exit Function
    If Len(A) = 0 Then Exit Function

    ' Pass the Explanation and Action to take to the custom variables
    Fields.VarCustom01 = E
    Fields.VarCustom02 = A

    ' Since we have a valid match, we want to execute the send e-mail action which follows.
    ' Setting ActionQuit to 0 means we won't skip any actions.
    Fields.ActionQuit = 0
End Function
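The same lookup logic, modelled outside Kiwi Syslog Server so it can be exercised on sample messages before the script is deployed. This is an added example, not part of the Kiwi documentation or its sample scripts: the `Fields` object is replaced by a small result record holding what the script would write to `ActionQuit`, `VarCustom01` and `VarCustom02`, and the message id is matched with a regular expression that assumes the Cisco id is always a single-digit severity followed by a six-digit number, as in the two ids on this page. The sample messages are constructed for the test and are not real firewall output.

```python
import re
from dataclasses import dataclass

# Lookup table keyed by "<severity>-<message number>", mirroring the Select Case
# in the Kiwi script. The explanation/action text is the page's own.
PIX_LOOKUP = {
    "4-209004": (
        "An IP fragment is malformed. The total size of the reassembled IP packet "
        "exceeds the maximum possible size of 65,535 bytes",
        "A possible intrusion event may be in progress. If this message persists, "
        "contact the remote peer's administrator or upstream provider.",
    ),
    "2-106012": (
        "This is a connection-related message. An IP packet was seen with IP options. "
        "Because IP options are considered a security risk, the packet was discarded.",
        "A security breach was probably attempted. Check the local site for loose "
        "source or strict source routing.",
    ),
}

# ActionQuit values as documented for Kiwi: 0 = run the following actions,
# 100 = skip to the next rule (so the Send e-mail action does not fire).
ACTIONQUIT_NO_SKIP = 0
ACTIONQUIT_NEXT_RULE = 100

# Assumption: a PIX message starts "%PIX-<severity>-<six-digit id>:".
PIX_ID_RE = re.compile(r"^%PIX-(\d)-(\d{6}):")


@dataclass
class ScriptResult:
    """Stand-in for the Fields the Kiwi script writes (hypothetical, not Kiwi's API)."""
    action_quit: int
    custom01: str = ""   # VarCustom01: explanation
    custom02: str = ""   # VarCustom02: action to take


def lookup_pix(clean_message: str) -> ScriptResult:
    """Return what Main() would set for one VarCleanMessageText value."""
    # Default outcome: skip to the next rule, exactly as the script's first assignment.
    result = ScriptResult(action_quit=ACTIONQUIT_NEXT_RULE)

    m = PIX_ID_RE.match(clean_message)
    if m is None:
        # Too short, not a PIX message, or an id that does not follow the format.
        return result

    key = f"{m.group(1)}-{m.group(2)}"
    entry = PIX_LOOKUP.get(key)
    if entry is None:
        # Valid PIX message but not one we have an explanation for.
        return result

    result.custom01, result.custom02 = entry
    result.action_quit = ACTIONQUIT_NO_SKIP   # let the Send e-mail action run
    return result


# Constructed sample messages (not captured from a real device).
SAMPLE_MESSAGES = [
    "%PIX-4-209004: Invalid IP fragment, size = 65540 exceeds maximum",
    "%PIX-2-106012: Deny IP from 192.0.2.10 to 198.51.100.7, IP options: ...",
    "%PIX-6-999999: constructed message with no lookup entry",
    "%ASA-4-209004: same id, different prefix, so the script ignores it",
    "short",
]


def summarize(messages=SAMPLE_MESSAGES):
    """Map each message to (ActionQuit, explanation) for a quick review."""
    return [(msg, r.action_quit, r.custom01) for msg in messages for r in [lookup_pix(msg)]]


if __name__ == "__main__":
    for msg, quit_code, explanation in summarize():
        verdict = "e-mail" if quit_code == ACTIONQUIT_NO_SKIP else "skip rule"
        print(f"{verdict:9} {msg[:40]!r:44} {explanation[:50]}")
```

Running the module prints one line per sample, showing which messages would reach the Send e-mail action and which are dropped by the default `ActionQuit = 100`. Adding an entry to `PIX_LOOKUP` is the equivalent of adding a `Case` to the VBScript `Select Case`.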
The function below lists all the available field variables. It can be pasted into your script as a reference.
All the variables are listed as remarks (comments), so nothing is executed if the function is called.
Function Info()
    ' // Common fields
    ' VarFacility
    ' VarLevel
    ' VarInputSource
    ' VarPeerAddress
    ' VarPeerName
    ' VarPeerDomain
    ' VarCleanMessageText

    ' // Other fields
    ' VarDate
    ' VarTime
    ' VarMilliSeconds
    ' VarSocketPeerAddress
    ' VarPeerAddressHex
    ' VarPeerPort
    ' VarLocalAddress
    ' VarLocalPort
    ' VarPriority
    ' VarRawMessageText (Read only)

    ' // Custom fields
    ' VarCustom01 to VarCustom16

    ' // Inter-Script fields
    ' VarGlobal01 to VarGlobal16

    ' // Custom Stats fields
    ' VarStats01 to VarStats16

    ' // Control and timing fields
    ' ActionQuit
    '   0=No skip, 1-99=skip next n actions within rule,
    '   100=skip to next rule, 1000=stop processing message
    '
    ' SecondsSinceMidnight
    ' SecondsSinceStartup

    ' // Functions and Actions
    ' IsValidIPAddress(IPAddress as string) as boolean
    ' ConvertIPtoHex(IPAddress as string) as string
    ' ActionPlaySound(SoundFilename as string, RepeatCount as long)
    '   RepeatCount 0=until cancelled, 1-100=repeat x times
    '   SoundFilename ""=system beep, "wav file name"=play wav file
    ' ActionSendEmail(MailTo as string, MailFrom as string, MailSubject as string, MailMessage as string)
    '   Sends an e-mail message to the addresses specified in MailTo
End Function