Creating Message Signatures

Procedure

  1. Access Management > Message Signatures from the navigation menu.
  2. Click the arrow next to the Patterns For field drop-down box and select a device type for which you wish to create a Message Signature.
  3. Click Create. The Message Pattern Editor opens.
  4. On the General tab, highlight a message in the lower pane and click it. Your selection appears in the Sample Message pane.
  5. Enter a Pattern Name and Description (optional). Enable the pattern.
  6. Click the Field Tags tab.
  7. Highlight a portion of the Sample Message you want to use as a Field Tag and click Define Field. The portion selected appears grayed out. The application recognizes your selection as one of 15 common tags in the Tag Library. Further identifying information appears in the Tag Attributes section. You can edit these entries, or select different choices from the Tag name: and Extract as: lists.
    Note: You do not need to specify the Tag name and description. If <undefined> is specified, the selected tag is used to recognize the message but is not extracted from the message.
  8. Click the Auto-Identify Tags button to automatically identify the available tags for the selected message. Click the Auto-Identify Tags drop-down arrow to specify how to separate the fields. The options are:
    • Comma separated
    • Tab separated
    • Semi-colon separated
    • Pipe separated fields
  9. To edit your grayed-out selection, click on it and click Remove or Remove All. (This does not remove the data; only the grayed-out condition.)
  10. If you select the Literal check box, the pattern matcher searches for that exact substring in the messages. Your selection appears in bold face type.
  11. To create additional tags from your selected message, highlight another portion and click Define Field again. Your second tag candidate appears grayed out. Again you can accept or edit the default Name, Description, and Type.
  12. In the Tag Name field, choose an existing field tag, create a new tag, or leave it as <undefined>.
  13. To create a new tag, click the button to open the Create Field Tag window. Enter the Name and Description fields. Click OK.
  14. Provide a Tag description (optional).
  15. Select the value in the Extract as field from the list. For existing fields the value appears automatically.
  16. If you choose the Regular Expression option in the Extract as field, you must enter an expression in the Regex extract field. 

LogLogic supports the following Regular Expression Meta Characters:
    Characters            Description
    \a                    Matches ASCII character code 0x07.
    \d                    Matches character in the set "0123456789".
    \D                    Matches any byte not in the set "0123456789".
    \e                    The escape character. Matches ASCII character code 0x1b.
    \f                    The form-feed character. Matches ASCII character code 0x0c.
    \n                    The new line (line feed) character. Matches ASCII character code 0x0a.
    \r                    The carriage return character. Matches ASCII character code 0x0d.
    \s                    A white space. Matches white space - \t \n 0x0b \f or \r.
    \S                    A non-white space. Matches any byte not in \s.
    \t                    The tab character. Matches ASCII character code 0x09.
    \w                    A word character. Matches any ASCII character in the set underscore, digits, or upper or lower case letter.
    \W                    A non-word character. Matches any bytes not in \w.
    \xHH                  Matches a byte specified by the hex code HH. There must be exactly two characters after the \x.
    \Q                    Starts a quoted region. All meta characters lose their meaning until \E. A \\ can be used to put a backslash into the region.
    \anything else        Matches the next character.
    \k<name>              Refers to previous named capture.
    []                    Specifies a character class - match anything inside the brackets. A leading ^ negates the sense of the class - match anything not inside the brackets. Negated character classes are computed from the set of code in the range 0-127 - in other words no bytes with the high bit set. Within a character class the following backslash characters mean the same thing as outside the character class: \a, \d, \D, \e, \f, \n, \r, \s, \S, \t, \w, \W, and \xHH.
    {num} or {num:num}    Specifies a repetition count for the previous regular expression. Num must be less than 16. {num} is equivalent to {0:num}.
    .                     Matches any byte: 0x00 - 0xFF.
    +                     Specifies that the previous regular expression is repeated 1 or more times.
    *                     Specifies that the previous regular expression is repeated zero or more times.
    ( ) (?:)              Specifies capturing or non-capturing groups.
    (?<name>)             Specifies capturing named groups.
    |                     Specifies alternation.
    ?                     Specifies that the previous regular expression is repeated zero or one time.
    anything else         Any other character matches itself.
  17. Click the Event Type tab.
  18. Click the down arrow for Event name and select one from the list or create a new event type. Accept the Event description, or edit it.
  19. To create a new event type, click the button to open the Create Event Type window. Enter the Name and Description fields. Click OK.
  20. Click the Validation tab, and then click the Validate button.
    If the Show Only Matching Messages check box is selected, the messages with the Tag Name are highlighted in color, and the extracted Tag value appears on the right. If the check box is not selected, all messages appear, and the messages that do not match the pattern are shown in strikethrough.
  21. Click Save. After a few moments the new Message Signature appears.

Result

The green bullet in the Status column indicates the system is ready to use the new pattern and extract the values in the log data.
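
Patterns written for PCRE-style engines often use syntax that the meta-character table in step 16 does not list, and a Regex extract expression that quietly fails to match leaves the field out of the parsed log data. The following linter is an added example, not LogLogic code: it reads the table literally and flags such constructs before the Validation tab is used. The function name, the two sample patterns, and the reading of {1:3} as a one-to-three range are assumptions made for illustration.

```python
import re

# Escapes named in the meta-character table (\E only closes a \Q region).
SUPPORTED_ESCAPES = set("adDefnrsStwWxQEk")
NAMED_GROUP = re.compile(r"\(\?<[A-Za-z_]\w*>")
REPEAT = re.compile(r"\{(\d+)(?:([:,])(\d+))?\}")

def lint_regex_extract(pattern):
    """Return (offset, message) findings for constructs the table does not list."""
    findings, i, n, in_class = [], 0, len(pattern), False
    while i < n:
        ch = pattern[i]
        if ch == "\\" and i + 1 < n:
            nxt = pattern[i + 1]
            if nxt == "Q":  # quoted region: skip to \E (a \\ just before E is not handled)
                end = pattern.find("\\E", i + 2)
                i = n if end < 0 else end + 2
                continue
            if nxt.isalnum() and nxt not in SUPPORTED_ESCAPES:
                findings.append((i, f"\\{nxt} is not listed, so it matches a literal {nxt!r}"))
            if nxt == "x" and not re.fullmatch(r"[0-9A-Fa-f]{2}", pattern[i + 2:i + 4]):
                findings.append((i, "\\x must be followed by exactly two hex characters"))
            i += 2
            continue
        if ch in "[]":  # repetition and group syntax are not checked inside a class
            in_class = ch == "["
        elif not in_class and pattern.startswith("(?", i):
            if not (pattern.startswith("(?:", i) or NAMED_GROUP.match(pattern, i)):
                findings.append((i, "only (?:...) and (?<name>...) group prefixes are listed"))
        elif not in_class and ch == "{" and (m := REPEAT.match(pattern, i)):
            lo, sep, hi = m.groups()
            if sep == ",":
                findings.append((i, "ranges are written {num:num}, not {n,m}"))
            if any(int(v) >= 16 for v in (lo, hi) if v is not None):
                findings.append((i, "repetition count must be less than 16"))
            if sep is None:
                findings.append((i, f"{{{lo}}} is equivalent to {{0:{lo}}}, not exactly {lo}"))
            i = m.end()
            continue
        i += 1
    return findings

# Constructed samples: a PCRE-style pattern and a rewrite using only listed syntax
# (assumes {1:3} means one to three repetitions).
PCRE_STYLE = r"\bsrc=(?<src_ip>\d{1,3}(?:\.\d{1,3}){3})\b"
TABLE_STYLE = r"src=(?<src_ip>\d{1:3}\.\d{1:3}\.\d{1:3}\.\d{1:3})"

if __name__ == "__main__":
    for name, pat in (("PCRE_STYLE", PCRE_STYLE), ("TABLE_STYLE", TABLE_STYLE)):
        print(name, lint_regex_extract(pat) or "no findings")
```

A clean lint result only means the expression stays within the listed syntax; the Validate button in step 20 remains the check that it matches the sample messages.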