SPECTRUM ParseMap error when processing Cisco BGP-3-NOTIFICATION syslog trap (Legacy KB ID CNC TS32491 )

Document ID : KB000051914
Last Modified Date : 14/02/2018
The solution is to edit the $SPECROOT/SS/CsVendor/ParseMaps/BGP-3-NOTIFICATION file and remove "{STRING 6}" and then update the event cache on the SpectroSERVER. The following is an example of the $SPECROOT/SS/CsVendor/ParseMaps/BGP-3-NOTIFICATION file after making the change:


Event04bd013c
{STRING 1} neighbor {STRING 2}/{STRING 3} ({STRING 4}) {STRING 5} bytes


Example: %BGP-3-NOTIFICATION: aBcDeFgHiJkL neighbor aBcDeFgHiJkL 100/100 (aBcDeFgHiJkL) 100 bytes aBcDeFgHiJkL



Related Issues/Questions:
SPECTRUM ParseMap error when processing Cisco BGP-3-NOTIFICATION syslog trap

Problem Environment:
SPECTRUM 08.01.00.00
SPECTRUM 09.00.00.00
ParseMap
 BGP-3-NOTIFICATION
The following error is seen in the SPECTRUM Events when processing the Cisco BGP-3-NOTIFICATION syslog trap:

"

does not match the format defined in the Parse Map file BGP-3-NOTIFICATION:
"{STRING 1} neighbor {STRING 2}/{STRING 3} ({STRING 4}) {STRING 5} bytes {STRING 6}"


If you are unable to resolve the mismatch please refer to the Southbound Gateway Toolkit Guide (5066).

Regular Expression:
"(?C0)([\s]*)([ a-zA-Z-\t\/\.0-9\(\)=,\\\-\[\]\#\^\$\*\+\?\.{}:%\&\x22]+)(?C1)([\s]*)( neighbor )(?C2)([\s]*)([ a-zA-Z-\t\/\.0-9\(\)=,\\\-\[\]\#\^\$\*\+\?\.{}:%\&\x22]+)(?C3)([\s]*)(/)(?C4)([\s]*)([ a-zA-Z-\t\/\.0-9\(\)=,\\\-\[\]\#\^\$\*\+\?\.{}:%\&\x22]+)(?C5)([\s]*)( \()(?C6)([\s]*)([ a-zA-Z-\t\/\.0-9\(\)=,\\\-\[\]\#\^\$\*\+\?\.{}:%\&\x22]+)(?C7)([\s]*)(\) )(?C8)([\s]*)([ a-zA-Z-\t\/\.0-9\(\)=,\\\-\[\]\#\^\$\*\+\?\.{}:%\&\x22]+)(?C9)([\s]*)( bytes )(?C10)([\s]*)([ a-zA-Z-\t\/\.0-9\(\)=,\\\-\[\]\#\^\$\*\+\?\.{}:%\&\x22]+)(?C11) "

The error occured after the symbol (?C0) and before the symbol (?C1) on substring " sent to neighbor 38.103.69.120 4/0 (hold time expired) 0 bytes ".

See the contents of the Message Map file BGP-3-NOTIFICATION.  Rtr_Cisco (name - pri1). -


Causes of this problem:
The cause is that the Cisco BGP-3-NOTIFICATION syslog trap is not formatted as expected. The following is the format of the $SPECROOT/SS/CsVendor/ParseMaps/BGP-3-NOTIFICATION file:


Event04bd013c
{STRING 1} neighbor {STRING 2}/{STRING 3} ({STRING 4}) {STRING 5} bytes {STRING 6}


Example: %BGP-3-NOTIFICATION: aBcDeFgHiJkL neighbor aBcDeFgHiJkL 100/100 (aBcDeFgHiJkL) 100 bytes aBcDeFgHiJkL


The following is an example of the format of the BGP-3-NOTIFICATION syslog trap received by SPECTRUM:


%BGP-3-NOTIFICATION: sent to neighbor 38.103.69.120 4/0 (hold time expired) 1234 bytes


When the two are lined up one above the other, the received syslog has no characters to the right of "bytes", where the BGP-3-NOTIFICATION ParseMap file expects "{STRING 6}":


{STRING 1} neighbor {STRING 2}/{STRING 3} ({STRING 4}) {STRING 5} bytes {STRING 6}
sent to neighbor 38.103.69.120 4/0 (hold time expired) 1234 bytes


According to the Cisco web page http://www.cisco.com/en/US/docs/ios/12_2/sem1/system/message/emfbgp.html#wp658747, the following is the correct format for this syslog:


Error Message 
%BGP-3-NOTIFICATION : [chars] neighbor [IP_address] [dec]/[dec] ([chars]) [dec] bytes [chars]


Explanation    An error condition has been detected in the BGP session. A notification packet is being sent or received, and the session will be reset. This message appears only if the log-neighbor-changes command is configured for the BGP process.


Recommended Action    This message represents an error in the session. Its origin should be investigated. If the error occurs periodically, copy the error message exactly as it appears on the console or in the system log, contact your Cisco technical support representative, and provide the representative with the gathered information.


According to the Cisco web site, there should be characters to the right of "bytes" but the BGP-3-NOTIFICATION syslog trap received by SPECTRUM does not contain any characters to the right of "bytes".


Additional Information:
Making the above change could cause a ParseMap mismatch error for devices that send the Cisco BGP-3-NOTIFICATION syslog trap in the format documented by Cisco. Cisco should be contacted to verify the proper format of the BGP-3-NOTIFICATION syslog trap and the problem devices corrected as needed.
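
The mismatch and the trade-off described above can be reproduced with a simplified model of ParseMap matching. This is an added example, not SPECTRUM code: it assumes each {STRING n} token must capture at least one character and that the whole message must match, and the function names and the 192.0.2.1 message with trailing text are constructed for illustration.

```python
import re

TOKEN = re.compile(r"\{STRING (\d+)\}")

ORIGINAL = ("{STRING 1} neighbor {STRING 2}/{STRING 3} ({STRING 4}) "
            "{STRING 5} bytes {STRING 6}")
EDITED = ORIGINAL.replace(" {STRING 6}", "")  # the change from the solution

# Message body as received by SPECTRUM (taken from this article).
RECEIVED = "sent to neighbor 38.103.69.120 4/0 (hold time expired) 1234 bytes"
# Constructed sample with trailing text, shaped like the Cisco-documented format.
DOCUMENTED = "sent to neighbor 192.0.2.1 4/0 (hold time expired) 0 bytes FFFF"


def template_to_regex(template):
    """Compile a ParseMap-style template into a regex (simplified model)."""
    parts, pos = [], 0
    for tok in TOKEN.finditer(template):
        parts.append(re.escape(template[pos:tok.start()]))  # literal text
        parts.append(f"(?P<s{tok.group(1)}>.+?)")            # non-empty field
        pos = tok.end()
    parts.append(re.escape(template[pos:]))
    return re.compile(r"\s*" + "".join(parts) + r"\s*")


def parse(template, message):
    """Return the captured fields if the whole message matches, else None."""
    m = template_to_regex(template).fullmatch(message)
    return m.groupdict() if m else None


def compatibility():
    """Report which template accepts which message shape."""
    templates = {"original": ORIGINAL, "edited": EDITED}
    messages = {"received": RECEIVED, "documented": DOCUMENTED}
    return {(t, m): parse(tv, mv) is not None
            for t, tv in templates.items() for m, mv in messages.items()}


if __name__ == "__main__":
    for key, ok in compatibility().items():
        print(key, "match" if ok else "MISMATCH")
    print(parse(EDITED, RECEIVED))
```

In this model neither template accepts both message shapes, so events from one group of devices are lost to a parse error whichever file is installed.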

