Calix E7 OLT Syslog Pipeline Rule

This rule parses syslog messages from an E7 OLT and extracts the basic fields needed for troubleshooting ONT issues.

rule "calix_e7_notfmgrd_parse"
// Parses Calix E7 "notfmgrd" notification lines into calix_* fields and tags
// the message as coming from a Calix E7.
//
// NOTE(review): every value extracted here comes from the syslog text itself.
// Syslog is often accepted without sender authentication, so calix_login,
// calix_ipaddress, calix_srcmanager and calix_verb should be treated as
// unverified unless the input only accepts traffic from known OLTs -- confirm
// against the input configuration.
when
  // Cheap substring pre-filter; the grok in the action block does the parsing.
  has_field("message") &&
  contains(to_string($message.message), "notfmgrd[") &&
  contains(to_string($message.message), "Cause:") &&
  contains(to_string($message.message), "Category:")
then
  let raw_line = to_string($message.message);

  // Full notfmgrd notification layout, anchored at both ends.
  // %{DATA} is a lazy match, so each value ends at the first occurrence of the
  // next literal label (for example ", Details:"); a value that itself contains
  // such label text would shift the boundaries of the fields that follow.
  let parsed = grok(
    value: raw_line,
    pattern: "^%{HOSTNAME:calix_node} %{WORD:calix_process}\\[%{INT:calix_pid}\\]: \\[%{DATA:calix_bracket_block}\\] \\[%{INT:calix_facility_num}\\] (?:%{DATA:calix_srcfile}: )?Id:%{INT:calix_event_id}, Syslog-Severity:%{INT:calix_syslog_severity}, Perceived-Severity:%{WORD:calix_perceived_severity}, Name:%{DATA:calix_event_name}, Category:%{DATA:calix_category} Cause:%{DATA:calix_cause}, Details:%{DATA:calix_details}, Xpath:%{DATA:calix_xpath} Address:%{DATA:calix_address}, Primary-element:%{DATA:calix_primary_element}, Value:%{DATA:calix_value}, Verb:%{DATA:calix_verb}, Session:%{DATA:calix_session}, Login:%{DATA:calix_login}, IpAddress:%{DATA:calix_ipaddress}, SrcManager:%{DATA:calix_srcmanager}, Secondary-element:%{DATA:calix_secondary_element}$"
  );

  // Classification tags.
  // NOTE(review): these are set whenever the `when` filter passes, whether or
  // not the grok matched. A line that passes the filter but deviates from the
  // layout is presumably tagged without any calix_* fields -- confirm, and
  // consider recording the grok result's match flag so parse failures are
  // visible on a dashboard instead of silent.
  set_field("vendor", "calix");
  set_field("platform", "e7");
  set_field("device_type", "calix_e7");

  // Event identity and severity.
  set_field("calix_event_id", parsed.calix_event_id);
  set_field("calix_event_name", parsed.calix_event_name);
  set_field("calix_syslog_severity", parsed.calix_syslog_severity);
  set_field("calix_perceived_severity", parsed.calix_perceived_severity);

  // What happened and where: the main fields for alerting and dashboards.
  set_field("calix_category", parsed.calix_category);
  set_field("calix_cause", parsed.calix_cause);
  set_field("calix_xpath", parsed.calix_xpath);

  // Operator / management-session attribution; optional, keep only if
  // user/admin activity is correlated. Values are as reported in the log line
  // (see the trust note at the top of the rule).
  set_field("calix_verb", parsed.calix_verb);
  set_field("calix_login", parsed.calix_login);
  set_field("calix_ipaddress", parsed.calix_ipaddress);
  set_field("calix_srcmanager", parsed.calix_srcmanager);
end
