Event Suppression / Correlation - 4 Syslog Events to 1 new event

Team,

Has anyone created a method to suppress four similar Syslog events and create one new event that states the root cause. In my example, I received the following four events and want to create a new event/alert that states "Host 085 is down" since this is the root cause.

Error Mar 4 03:20:51 nobuslor1 checkmounts.pl[15148]: Pod showing a dysfunctional mount point: 085-Host is down
Error Mar 4 03:20:51 nobuslor1 checkmounts.pl[15148]: Pod showing a dysfunctional mount point: 085-Host is down
Error Mar 4 03:20:51 nobuslor4 checkmounts.pl[20379]: Pod showing a dysfunctional mount point: 085-Host is down
Error Mar 4 03:20:51 nobuslor4 checkmounts.pl[20379]: Pod showing a dysfunctional mount point: 085-Host is down
Error Mar 4 03:20:51 nobuslor13 checkmounts.pl[25460]: Pod showing a dysfunctional mount point: 085-Host is down
Error Mar 4 03:20:51 nobuslor13 checkmounts.pl[25460]: Pod showing a dysfunctional mount point: 085-Host is down

Any ideas? Appreciate the help and comments.

Thanks!

Find more posts tagged with

snmp_events

sylog_events

orion_npm_9.5.1

suppression

event_correlation

correlation

Alerting

orion_events

Accepted answers

All comments

ecklerwr1

This article on Understanding Advanced Alerts is a pretty good explaination on how to correlate some events and supress alerts on devices from for example a wan circuit.

I think you can apply some of this same logic if needed.

benbree

ecklerwr1,

Thanks for the link. I read that one and if Orion converted Syslog messages to Orion events, this article fits perfectly. Unfortunately, the ability to specify attributes for the node is not possible using the Syslog configuration. Has anyone found a convert syslog messages to Orion events and keep source address info?

Is this in the works at SolarWinds? A central console for all events (SNMP, Syslog, and standard events) would be great. This way one could create alerts in one place for all event types.

Thanks for your help.

ecklerwr1

UR right benbree it's a little confusing sometimes with so many places where events reside.

byrona

I wrote a suggestion a while back in a thread that suggests an "Alarms" dashboard. This would be like the events but would allow you to specify anything that appears there.

For all of the alerting facilities (Traps, Syslog, Advanced Alets, etc) you would have an option to create an "Alarm" in the alarm dashboard and it would specify things such as what facility the Alarm originated, would have instructions on how to handle the Alarm, etc.

Eh, just figured I would share that as it seemed appropriate here. = )

benbree

Byron,

Definitely approproate here! I am new to SolarWinds and Orion. What is the best way to make a suggestion and get someone to act on it? Is this the best forum for that?

Thanks!

byrona

Team,
Has anyone created a method to suppress four similar Syslog events and create one new event that states the root cause. In my example, I received the following four events and want to create a new event/alert that states "Host 085 is down" since this is the root cause.

Any ideas? Appreciate the help and comments.
Thanks!

One way to accomplish this is to setup a Syslog Alert rule that says something like "Send me an Alert if you see 10 of these in 5 Minutes" and in the Alert (probably email) you would say "Host 085 is down".

Will that get you what you want?

benbree

Update - Reply from support.

Team,

Here is the response from support. It gives me the ability to get very close to what I needed to do.

Thanks for your help!

Are the Events in Question Syslog Messages that are coming into the the Syslog Viewer?

If it is, you should be able to create a rule and include underMessage> Syslog Message Pattern:

* Pod showing a dysfunctional mount point:*

Then under Trigger Threshold, check Define a Trigger Threshold Rule and Suppress Alert Actions at least 6, are received in a 60 second window, under Alert Actions, add an action of Modify the Syslog Message, and replace all occurences of Pod showing a dysfunctional mount point: with (enter a space)