Possible to send Kiwi alerts based upon CP's from Orion?

Question

I recently stood up a Kiwi server and have rules configured to email users when a node has certain syslog events. Now the users want ONLY their notifications from the devices they manage instead of all of the events.

Is there a way to tie Orion's Syslog alerting engine to use the Nodes Custom Properties and Kiwi to filter based upon a CP? For instance if a device sends an event the filter would look at Orion's CP and then based upon that would send it to the right group.

I was thinking of having the events hit the Kiwi server first then it forward the events to Orion's Syslog. Hopefully from there it can link to the CP and then decide who to email to.

I can't do this by the device IP or hostname......

mkarak · Accepted Answer

Hi,

there is a way how to achieve this using Orion but it's quite complicated. Let me try to explain.

First of all, you will need to upgrade to Orion 10.0. This version brought some improvement to syslog processing that is necessary to make this work.
To be more specific (from Release Notes of Orion 10.0):

* Orion NPM node variables are now available for use in Syslog and trap alerts.
* Forwarded Syslog messages may now be configured to retain the IP address of the original message source

Currently it is not possible in Orion to filter incoming syslogs directly by custom property but there is a workaround. You can create a rule that will change syslog type to value of requested custom property for given source node and then create one rule for each message type (each possible value of custom property) with email action to responsible people.

For example: I have a City custom property for nodes and I want to forward syslog messages only to person responsible for particular city. This needs to be done:

1. Create new action in Kiwi server to forward all syslog messages to Orion (do not forget to check Retain the original source address of the message checkbox)

2. In Orion Syslog Viewer create a new rule with Modify Syslog Message action called for example Change Syslog Type to City
-- Set New SysLog Message Type field to ${Nodes.City}

3. In Orion Syslog Viewer create a new rule for each possible value of City custom property
-- In Message tab change Message Type Patter to city name (e.g *Austin*)
-- Add Send E-Mail action with recipients responsible for given city

Hope this helps.

Milan