We have a Loglogic syslog server that handles over 2000 logs per second for us. We have alerts configured so that it will forward the syslog to Orion and then it is displayed on our large operations screens for the system guys to see.
The problem is that the message is forwarded with a bunch of added items, like alert name, date (again), URL etc.
I need to remove all this extra data in the syslog. I created a filter in syslog viewer - syslog server settings - alerts/filter rules that is able to modify using a 'modify syslog message' alert action. But it does not seem to handle phrases or variables or special characters.
Is there a way to modify these messages in a better way?
Example syslog before the "modify":
sal-anm-pr01 10.162.1.30 AlertPriority="LOW" AlertType="PRE_DEFINED_SEARCH_FILTER_ALERT" AlertName="WINTEL01" GeneratedBy="10.162.1.30" ForDevices="mtech-dv01.perdue.com_windows" ForDeviceIPs="10.166.33.150" ConfiguredForDevices="Wintel Prototype" FilterName="WINTEL Time" FilterMatch="(14|29|47|54|64)\\s+W32Time" TriggeringMessage="<13>Dec 10 12:38:47 10.166.33.150 MSWinEventLog 0 System 137604466 Thu Dec 10 12:35:27 2009 47 W32Time Unknown Warning MTECH-DV01 None Time Provider NtpClient: No valid response has been received from manually configured peer time.nist.gov,0x1 after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a new peer with this DNS name. 84029" HighThreshold="0" DurationSeconds="60" AlertableEventsCount="0" DetailsURL="10.162.1.30/.../1-1260466728-2359395-99"
After the "modify":
=LOW = = = =sal-inadte-qa01 =10.166.60.58 = = Time = =<13>Dec 10 12:58:15 10.166.60.58 MSWinEventLog 0 System 137632371 Thu Dec 10 12:54:00 2009 47 Unknown Warning SAL-INADTE-QA01 None Time Provider NtpClient: No valid response has been received from manually configured peer time-a.nist.gov,0x1 after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a new peer with this DNS name. 135853 =0 =60 =0 =https:///logapp20/alert/1-1260467896-15728739-99
Thank you VERY VERY much!!!
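The post does not say what syntax the viewer's 'modify syslog message' action accepts, so here is an added example (not part of the post, and not Loglogic or Orion code) of doing the reduction in a small Python pre-processor placed between the Loglogic forwarder and the display: it parses the key="value" fields of the alert wrapper, pulls out the TriggeringMessage, and optionally re-inserts a short tag from chosen alert fields behind the syslog PRI so the result is still a valid syslog line. The field layout is taken from the example in the post; the sample line below is constructed from it (shortened, with a placeholder DetailsURL), and the function names are mine.

```python
import re
from typing import Dict, List, Optional, Tuple

# One key="value" field. The value may contain backslash-escaped characters
# (the FilterMatch regex in the post carries "\\s+"), so a quote preceded by
# a backslash does not terminate the value.
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

# Syslog PRI such as "<13>" at the start of the original device message.
PRI_RE = re.compile(r'^<\d{1,3}>')

# Constructed sample alert, modelled on the one in the post (shortened;
# the DetailsURL value is a placeholder, not a real Loglogic URL).
SAMPLE_ALERT = (
    'sal-anm-pr01 10.162.1.30 AlertPriority="LOW" '
    'AlertType="PRE_DEFINED_SEARCH_FILTER_ALERT" AlertName="WINTEL01" '
    r'FilterMatch="(14|29|47|54|64)\\s+W32Time" '
    'TriggeringMessage="<13>Dec 10 12:38:47 10.166.33.150 MSWinEventLog 0 System '
    '137604466 Thu Dec 10 12:35:27 2009 47 W32Time Unknown Warning MTECH-DV01 None '
    'Time Provider NtpClient: No valid response has been received from manually '
    'configured peer time.nist.gov,0x1 after 8 attempts to contact it. 84029" '
    'HighThreshold="0" DurationSeconds="60" DetailsURL="10.162.1.30/alert/EXAMPLE-ID"'
)


def parse_alert(line: str) -> Tuple[List[str], Dict[str, str]]:
    """Split an alert line into its leading bare tokens (relay host and IP in
    the post) and a dict of the key="value" fields. Values are returned exactly
    as they sit between the quotes; nothing is unescaped."""
    first = KV_RE.search(line)
    if first is None:
        return line.split(), {}
    prefix = line[:first.start()].split()
    fields = {m.group(1): m.group(2) for m in KV_RE.finditer(line)}
    return prefix, fields


def extract_triggering_message(line: str) -> Optional[str]:
    """The original device message wrapped by the alert, or None if absent."""
    _, fields = parse_alert(line)
    return fields.get("TriggeringMessage")


def rewrite_for_display(line: str, tag_keys=("AlertPriority", "AlertName")) -> str:
    """Return only the original device message, with a compact tag built from
    the chosen alert fields inserted right after the PRI, e.g.
    "<13>[LOW][WINTEL01] Dec 10 12:38:47 ...". Lines without a
    TriggeringMessage are passed through unchanged so nothing is dropped."""
    _, fields = parse_alert(line)
    msg = fields.get("TriggeringMessage")
    if msg is None:
        return line
    tag = "".join(f"[{fields[k]}]" for k in tag_keys if k in fields)
    if not tag:
        return msg
    pri = PRI_RE.match(msg)
    if pri:
        # keep the PRI first so downstream syslog parsers still accept the line
        return f"{pri.group(0)}{tag} {msg[pri.end():]}"
    return f"{tag} {msg}"


if __name__ == "__main__":
    print(rewrite_for_display(SAMPLE_ALERT))
```

Feeding the forwarded stream through `rewrite_for_display` line by line leaves the ops screen with the W32Time event itself plus a `[priority][alert name]` marker; pass `tag_keys=()` to get the bare device message, and add other field names to the tuple if the screen should show them.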