Bug 559339

Summary: Log parsing can generate unwanted events
Product: [Other] RHQ Project
Reporter: Jay Shaughnessy <jshaughn>
Component: Events
Assignee: Jay Shaughnessy <jshaughn>
Status: CLOSED CURRENTRELEASE
QA Contact: Corey Welton <cwelton>
Severity: high
Priority: high
Version: 1.3
CC: cwelton
Hardware: All   
OS: All   
Fixed In Version: 2.4
Doc Type: Bug Fix
Last Closed: 2010-08-12 16:55:25 UTC
Bug Blocks: 557793    

Description Jay Shaughnessy 2010-01-27 19:34:34 UTC
Basically, the Pattern being used for logfile parsing isn't quite right.  It gets fooled if the logEntry detail (i.e. the actual message) contains a severity match.

For example, if 'ERROR' is present in the detail, the event system will ignore the actual severity and assign severity ERROR.  This can either upgrade or downgrade the severity. For example, if event source severity is set to FATAL an actual FATAL could get suppressed. If event source severity is set to ERROR it may expose an INFO.

In short, the problem is that we use a greedy match on the date portion. This needs to be reluctant such that the first severity in the logEntry is correctly matched.

This is a one character fix.

Easily reproducible:
1. Activate event source on RHQ server log
2. Set to ERROR level
3. On server go to the log directory and append a message to the log like:

echo `date "+%Y-%m-%d %H:%M:%S,000"` INFO Some detail with ERROR embedded in it.

This will generate an ERROR event but it's actually an INFO message.
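
Added example (not part of the original report, and not RHQ's code): the greedy versus reluctant date match described above, reproduced with Python's re module, whose lazy quantifier `*?` behaves like the reluctant quantifier in java.util.regex. The two patterns, the severity ordering and the sample lines are constructed for illustration.

```python
import re

LEVELS = ["DEBUG", "INFO", "WARN", "ERROR", "FATAL"]  # assumed order, lowest to highest
SEV = r"\b(" + "|".join(LEVELS) + r")\b"

# Constructed patterns for "<date> <SEVERITY> <detail>" lines; not RHQ's actual
# Pattern. They differ by one character: the '?' after the date group.
GREEDY = re.compile(r"^(.*)" + SEV + r"(.*)$")      # date group takes as much as it can
RELUCTANT = re.compile(r"^(.*?)" + SEV + r"(.*)$")  # date group stops at the first severity

# Constructed sample lines, each labelled with the severity the logger wrote.
SAMPLES = [
    ("INFO",  "2010-01-27 19:34:34,000 INFO Some detail with ERROR embedded in it."),
    ("FATAL", "2010-01-27 19:34:35,000 FATAL Shutdown after ERROR in worker"),
    ("WARN",  "2010-01-27 19:34:36,000 WARN Plain detail"),
]

def parse_severity(pattern, line):
    """Return the severity token the pattern captures, or None if no match."""
    m = pattern.match(line)
    return m.group(2) if m else None

def emitted(pattern, min_severity):
    """Actual severities of the sample lines that pass an event-source threshold."""
    floor = LEVELS.index(min_severity)
    return [actual for actual, line in SAMPLES
            if (sev := parse_severity(pattern, line)) is not None
            and LEVELS.index(sev) >= floor]

def misparsed(pattern):
    """(actual, parsed) pairs where the pattern disagrees with the logger."""
    return [(actual, parse_severity(pattern, line)) for actual, line in SAMPLES
            if parse_severity(pattern, line) != actual]

if __name__ == "__main__":
    for name, pat in (("greedy", GREEDY), ("reluctant", RELUCTANT)):
        print(name, "misparsed:", misparsed(pat))
        print(name, "events at ERROR threshold:", emitted(pat, "ERROR"))
        print(name, "events at FATAL threshold:", emitted(pat, "FATAL"))
```

With the greedy pattern the ERROR threshold lets the INFO line through and the FATAL threshold drops the real FATAL line; the reluctant pattern reports each line at the severity the logger wrote.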

Comment 1 Jay Shaughnessy 2010-02-01 16:43:06 UTC
fixed in 1.3.1 r5279

Comment 2 Corey Welton 2010-02-11 16:09:52 UTC
qe -> cwelton

QE Verified, the INFO record no longer erroneously gets reported.  No pun intended.

Comment 3 Corey Welton 2010-08-12 16:55:25 UTC
Mass-closure of verified bugs against JON.