I have found several sites where clients are becoming shunned on the ASA firewall. I would like to get an alert of some kind when this occurs.
There's no syslog-flavored alert specifically but they do let you reach into those tables with SWQL queries. You could create an alert of type "Custom SWQL Alert (Advanced)" with the following. I'm not certain about the severity value (my system has all 6s) so you'll want to double check that or remove that line from the query entirely and have it consider all messages with the shun string in them.
The first line is provided by the alert interface so the rest are what you would fill in. I'm limiting this to the last minute of syslog but you may need to adjust it depending on how often you're having it check.
SELECT Nodes.Uri, Nodes.DisplayName FROM Orion.Nodes AS Nodes
JOIN Orion.Syslog AS s ON s.NodeID = Nodes.NodeID
WHERE MINUTEDIFF(s.DateTime, GetDate()) <= 1
AND s.SysLogSeverity = 6
AND s.Message LIKE '%Shun added%'
A screenshot showing how it's configured and validated all together:
Hope this helps!
--
Steven W. Klassen
Programmer Analyst @ Loop1 Systems
http://www.loop1systems.com/
http://www.linkedin.com/in/mrxinu
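The same check as the query above, run offline over constructed syslog rows, as an added example that is not part of the original reply: it shows how the severity condition can silently drop every match. The rows, node names, and the use of the `%ASA-<level>-` tag as a stand-in for the `SysLogSeverity` column are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows (received time, node, message); not taken from a real device.
SAMPLE = [
    ("2024-01-01 10:00:05", "asa-site-a",
     "%ASA-4-401002: Shun added: 192.0.2.10 198.51.100.5 51000 443"),
    ("2024-01-01 10:00:20", "asa-site-a", "%ASA-4-401003: Shun deleted: 192.0.2.10"),
    ("2024-01-01 10:00:40", "asa-site-b",
     "%ASA-4-401002: Shun added: 192.0.2.77 198.51.100.9 40222 22"),
    ("2024-01-01 09:50:00", "asa-site-b",
     "%ASA-4-401002: Shun added: 192.0.2.99 198.51.100.9 40111 22"),
    ("2024-01-01 10:00:45", "asa-site-a", "%ASA-6-000000: constructed informational line"),
]

# Same match as LIKE '%Shun added%', plus capture of the level tag and first address.
SHUN = re.compile(r"%ASA-(?P<level>\d)-\d+: Shun added: (?P<ip>\S+)")


def shun_alerts(rows, now, window_minutes=1, severity=None):
    """Return {node: [shunned addresses]} for 'Shun added' rows inside the window.

    severity=None mirrors the query with the SysLogSeverity line removed.
    """
    cutoff = now - timedelta(minutes=window_minutes)
    hits = defaultdict(list)
    for stamp, node, message in rows:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        match = SHUN.search(message)
        if match is None or not (cutoff <= when <= now):
            continue  # not a shun message, or outside the polling window
        if severity is not None and int(match["level"]) != severity:
            continue  # the severity filter excludes this row
        hits[node].append(match["ip"])
    return dict(hits)


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 10, 1, 0)
    print("no severity filter:", shun_alerts(SAMPLE, now))
    print("severity = 6      :", shun_alerts(SAMPLE, now, severity=6))
```

If the alert never fires, compare the result with and without the severity condition before widening the time window.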