Script Types

LogZilla can take any type of executable script, for example:

• Perl
• Python
• sh, bash, zsh, csh, etc.
• Compiled Executables

Script Environment

All triggers passed to a script contain all of the matched message information as environment variables. To manipulate any of the data, simply call that environment variable.

The following list of variables are passed into each script automatically:

# EVENT_CISCO_MNEMONIC          =   <string>
# EVENT_COUNTER                 =   <integer>
# EVENT_FACILITY                =   <integer>
# EVENT_FIRST_OCCURRENCE        =   <float>
# EVENT_HOST                    =   <string>
# EVENT_ID                      =   <int>
# EVENT_LAST_OCCURRENCE         =   <float>
# EVENT_MESSAGE                 =   <string>
# EVENT_PROGRAM                 =   <string>
# EVENT_SEVERITY                =   <integer>
# EVENT_STATUS                  =   <integer>
# EVENT_TRIGGER_AUTHOR          =   <string>
# EVENT_TRIGGER_AUTHOR_EMAIL    =   <string>
# EVENT_TRIGGER_ID              =   <integer>
# EVENT_USER_TAGS               =   <integer>
# TRIGGER_HITS_COUNT            =   <integer>

Script Execution

Scripts may be run directly or on dedicated docker containers. The method used depends on your script requirements:

Simple Scripts

For simple scripts which do not require anything special other than what is available in a standard Ubuntu install, simply copy your script to the lz_watcher container and select it when creating a trigger in the UI. This directory resides on a docker volume, and its contents will persist even after lz_watcher removal.

For example:

chmod 755 myscript

Copy the file to the container where scripts are stored:

docker cp myscript lz_watcher:/var/lib/logzilla/scripts/

Custom Scripts

For scripts which require extra libraries or programs such as perl modules, you may use your own docker image containing all required modules. You may also use any images found on docker hub.

Custom Docker Container

In this example, we will use a container for fixing Cisco's CDP-4-DUPLEX_MISMATCH events, which uses perl to ssh/telnet into the device.

1. Create a new file named Dockerfile with the following content:

   FROM ubuntu:18.04
   RUN apt update && apt install -y \
       liblwp-protocol-https-perl \
       libnet-ssh2-perl \
       libcrypt-ssleay-perl \
       cpanminus \
       build-essential
   RUN cpanm \
       Net::Telnet::Cisco \
       Net::SSH2::Cisco \
       HTTP::Request::Common \
       LWP::UserAgent JSON
   

   Run the following command from the same directory containing the Dockerfile file.

   docker build -t perl .
   

   Once the build completes, verify that the image exists by using the docker image ls command:

   # docker image ls perl
   REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
   perl                latest              132c3c3ce4a2        4 hours ago         313MB
   

2. Download the sample script from our github

   wget 'https://raw.githubusercontent.com/logzilla/extras/master/scripts/cisco-duplex_mismatch-autorepair-slack/duplex-mismatch'
   

3. Edit the script to fit your environment. If you don't use Slack, just comment that section out.

4. $posturl
5. $default_channel
6. $slack_user
7. $ciscoUsername
8. $ciscoPassword

Make sure the script is executable, and move the script to the LogZilla scripts directory.

chmod 755 duplex-mismatch
mv duplex-mismatch /etc/logzilla/scripts

Next, log into the LogZilla Web Interface and:

1. Create a new trigger from the trigger menu
2. Select the execute script option.
3. From the dropdown menu, select your new script.

Any patterns matching this trigger will now be executed.

You may also find some useful scripts on our GitHub page to help you get started.