Alert based on rapidly occurring Syslog events - possible?

Product NPM ONLY: No Log Analyzer add-on

Condition: Syslog event is recorded from a SINGLE NODE that contains the text "INVALID SPI" in the event content field AND Syslog event has occurred more more than X times per Y minutes.

Result: Send alert.

We are not configured for SNMP traps, only logging SNMP events.

Is it possible to create an alert with this configuration?

If not, is it possible with the addition of Log Analyzer?

Will enabling SNMP traps provide conditions where this type of alert can be accomplished?

Find more posts tagged with

syslog

npm

Alerts

Accepted answers

All comments

adam.beedell

You probably want to do this with the free log tool, it'd be much easier to get that patched in then work out a replacement system

Chris-S

Thank you, Adam: Which free log tool would you be referring to, specifically?

bobmarley

Sounds like you may want to try a custom SWQL alert for this.

Chris-S

Bob: I'm uncertain how to specify a trigger based upon the frequency of multiple entries in a specific time frame. No one syslog entry would cause the alert to fire, I need it to be greater than X syslog lines per Y amount of time.

bobmarley

Here is an older one I was using for SNMP Traps, the Trap table moved after my last upgrade and I haven't rewritten the query yet. You could use something similar by joining the Syslog table

The alert is scheduled to run every 3 minutes so the SWQL query will run every 3 minutes

My alert SWQL. (Reminder this is Traps, not Syslog below).

Since you can't change the Select statement in the GUI you will need to join to the Syslog table which depending on what version you are running is in a 2 different places. Once you join the tables you can look for a specific string, in this case it in a Trap OID but it could be text as well. The very last line makes the query go back 9 minutes which was what I needed specifically for the purpose of this alert but you would want to tune this to your use case. Typically I would set it to check every 3 minutes and look back 4 minutes in the query just so nothing was missed.

In your case you may need to do an additional Select Count and a Case statement to get the specific number of matching syslogs.

Chris-S

I think I see what you're doing there, bob. Let me try to construct something based on syslog instead of traps and see if I can work it out. I'll post back here on the result.

adam.beedell

I've found the documentation very confusing on this, but there's LA and LEM, and there is still a free logs tool installable as I understand it. I believe LA is the one though you can find a marketing page on google referring to a free trial. Whatever the name is, there should still be one, with nerfed features/performance/whatever it is. (I'm running it!)

Chris-S

bob: I see what you're doing there but there's an added component on my side.

I don't want a conglomerate of all syslog entries for all nodes. I want to fire the alert if a SINGLE node experiences say, 10 events of a specific type within a specific time frame. The query you have above would show everything matching a description for a timeframe, but I need the alert to fire only if a certain node experiences those messages, not all nodes at once. But I need to know if that condition is true for ANY of the nodes, but only within the same node, if that makes sense.

For example...

If node x gets a syslog entry matching a specifc string say, ten times (or more) during the last 30 minutes, then fire an alert.

I need to monitor all nodes for the condition, but the time frame would only match a single node, not all of them at once.