
Need help parsing application error messages

Discussion created by RSA Admin Employee on Feb 28, 2011
Latest reply on Mar 9, 2011 by RSA Admin

 

I am trying to parse messages from an application so I can gather statistics on some errors in a Windows Application Event log. See a partial raw log message below.

 

2011/02/28 09:09:46.007 CST 192.168.252.246 %NICWIN-4-Application_1309_ASP.NET: Application,rn=11280 cid=0x00000003 eid=0x8000051d,Mon Feb 28 08:55:18 2011,1309,ASP.NET 2.0.50727.0,None,Warning,VMR2BUSUNIT,No category string found,,No description string found. string-data=[3005 <~> An unhandled exception has occurred.

 

Since this is a custom application, Envision cannot parse the log message. What is the best way to add this using ESI? Using only the first part of the message as the message ID fails. It looks like I am going to have to create multiple message IDs, one for each application error. Am I correct or is there an easier way?

I tried to use "NICWIN-4-Application" as the message ID instead of the whole string (NICWIN-4-Application_1309_ASP.NET), because there are also 1316, 1301, 1315, etc. error messages that I want to include in a general query. Basically, I want all "Application" error messages in one report. I may want to segment them at a later date but for now, the report should include them all. You can see that the 1309 is listed twice. Could I use the second instance as the message ID?
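The grouping asked about above, sketched outside enVision as an added example (not part of the original post and not ESI parser syntax): it splits the `%NICWIN-…` tag into log name, event ID and source, checks the tag's ID against the second occurrence in the comma-separated body, and counts every "Application" message regardless of ID. The field positions and the names `parse` and `application_counts` are assumptions inferred from the single sample line in the post.

```python
import re
from collections import Counter

# First line is the one quoted in the post; the other two are constructed
# here in the same layout (an ID 1316 Application line and a System line).
SAMPLE = [
    "2011/02/28 09:09:46.007 CST 192.168.252.246 %NICWIN-4-Application_1309_ASP.NET: "
    "Application,rn=11280 cid=0x00000003 eid=0x8000051d,Mon Feb 28 08:55:18 2011,1309,"
    "ASP.NET 2.0.50727.0,None,Warning,VMR2BUSUNIT,No category string found,,"
    "No description string found. string-data=[3005 <~> An unhandled exception has occurred.",
    "2011/02/28 09:10:02.113 CST 192.168.252.246 %NICWIN-4-Application_1316_ASP.NET: "
    "Application,rn=11281 cid=0x00000003 eid=0x80000524,Mon Feb 28 08:56:01 2011,1316,"
    "ASP.NET 2.0.50727.0,None,Warning,VMR2BUSUNIT,No category string found,,constructed",
    "2011/02/28 09:10:05.500 CST 192.168.252.246 %NICWIN-4-System_7036_SCM: "
    "System,rn=501 cid=0x00000001 eid=0x40001b7c,Mon Feb 28 08:56:03 2011,7036,"
    "SCM,None,Information,VMR2BUSUNIT,No category string found,,constructed",
]

# Tag layout assumed from the sample: %NICWIN-<sev>-<log name>_<event ID>_<source>:
HEADER = re.compile(
    r"%NICWIN-(?P<sev>\d)-(?P<channel>[A-Za-z]+)_(?P<tag_id>\d+)_(?P<source>[^:]+):\s*(?P<body>.*)"
)

def parse(line):
    """Return the tag and body fields of one line, or None if it does not fit."""
    m = HEADER.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    fields = rec.pop("body").split(",")
    # Positions assumed from the sample: [0] log name, [3] event ID, [6] level.
    if len(fields) < 7 or fields[0] != rec["channel"]:
        return None
    rec["body_id"], rec["level"] = fields[3], fields[6]
    rec["ids_agree"] = rec["tag_id"] == rec["body_id"]  # the ID "listed twice"
    return rec

def application_counts(lines):
    """Count all Application-log messages, keyed by (event ID, source, level)."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec and rec["channel"] == "Application":
            counts[(rec["body_id"], rec["source"], rec["level"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(application_counts(SAMPLE).items()):
        print(key, n)
```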
