I have several MikroTik routers configured to send their events to Zenoss via syslog. The messages arrive, but all as Event Class: /Unknown, and thus all come in as Error instead of being appropriately categorized as Warning, Info, or Debug.
The XML output of what it looks like in the console is:
<dedupid>MikroTik _Comp44|input|/Unknown|4|in:ether1 out:(none), src-mac 00:01:5c:50:b2:41, proto TCP (SYN), 70.106.140.95:50302->50.129.#.##:49576, len 48</dedupid> <summary>in:ether1 out:(none), src-mac 00:01:5c:50:b2:41, proto TCP (SYN), 70.106.140.95:50302->50.129.#.##:49576, len 48</summary> <message>in:ether1 out:(none), src-mac 00:01:5c:50:b2:41, proto TCP (SYN), 70.106.140.95:50302->50.129.#.##:49576, len 48</message> <prodState>Production</prodState> <firstTime>2013-07-23 13:51:49</firstTime> <eventClassKey>input</eventClassKey> <agent>zensyslog</agent>
Whereas the syslog event itself looks more like:
firewall,info denied by firewall input: in:ether1 out:(none), src-mac 00:01:5c:50:b2:41, proto UDP, 96.120.28.193:67->255.255.255.255:68, len 328
My question is how can I classify these events into a "firewall" category searching for the "firewall," string in the stream? I'd then like to classify the "firewall" events as Info so people know not to panic when they see them.
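As an added illustration (not part of the original post or of Zenoss itself), the following Python models the logic a Zenoss event transform would apply to such a line: the RouterOS prefix "firewall,info" is a comma-separated topic list, so the transform splits it, maps the severity topic (debug/info/warning/error/critical) to a Zenoss severity number, and moves events carrying the "firewall" topic into a firewall event class. The `Event` class is a stand-in for the `evt` object a transform receives, the class name `/Network/Firewall` is a hypothetical choice, and the code assumes the raw RouterOS line (as in the syslog example above, before zensyslog strips the prefix) is available in the message field.

```python
import re

# Zenoss numeric severities (Clear=0 ... Critical=5)
CLEAR, DEBUG, INFO, WARNING, ERROR, CRITICAL = range(6)

# RouterOS severity topics mapped onto Zenoss severities
LEVEL_TOPICS = {
    "debug": DEBUG, "info": INFO, "warning": WARNING,
    "error": ERROR, "critical": CRITICAL,
}

# A RouterOS log line starts with comma-separated topics, a space, then the text:
#   "firewall,info denied by firewall input: in:ether1 ..."
TOPIC_RE = re.compile(r"^(?P<topics>[a-z0-9_-]+(?:,[a-z0-9_-]+)+)\s+(?P<body>.+)$")


class Event:
    """Minimal stand-in for the evt object a Zenoss transform receives."""

    def __init__(self, message, severity=ERROR, eventClass="/Unknown"):
        self.message = message
        self.summary = message
        self.severity = severity
        self.eventClass = eventClass


def parse_routeros(message):
    """Return (topics, severity, body) for a RouterOS-style line, else None.

    A line only counts as RouterOS output when one of its topics is a
    severity word; that avoids mistaking an ordinary first word for a topic.
    """
    m = TOPIC_RE.match(message)
    if not m:
        return None
    topics = m.group("topics").split(",")
    levels = [LEVEL_TOPICS[t] for t in topics if t in LEVEL_TOPICS]
    if not levels:
        return None
    return topics, levels[0], m.group("body")


def transform(evt):
    """Classify a MikroTik event: firewall topic -> firewall class, level -> severity."""
    parsed = parse_routeros(evt.message)
    if parsed is None:
        return evt  # leave non-RouterOS events untouched
    topics, severity, body = parsed
    if "firewall" in topics:
        evt.eventClass = "/Network/Firewall"  # hypothetical event class name
    evt.severity = severity
    evt.summary = body  # drop the topic prefix from the summary
    return evt
```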