I would like to see an alert action added to syslog for NetPerfMon Event Log similar to the option in Advanced Alerts. Thanks.
IMHO, advanced syslog will be enough. It shows all the syslog you want rather than mixing it up with all the events?
afarmer-
Just out of curiosity, what can the advanced alerting engine do that the Alerts / Filter rules engine can't do? It has nearly all of the actions available as the Alerting engine.
If you create an Advanced Alert, click the Trigger Actions tab, and click the Add New Action Button, there is an action to "Log the Alert to the NetPerfMon Event Log". By selecting this, I can create events that appear under the "Last 25 Events" section on my Network Summary Home page or under the Events link on the Orion website. However, this action is not available under the Trigger Actions for Syslog.
So what's the ultimate goal? Do you really need them in the Last 25 Events? Or is that just where you can consolidate them? What if we could provide a consolidated alerts view that included syslog, traps, and advanced/basic alerts?
I thought it odd that alerting option was not available for Syslog as well. However, I like the suggestion that Denny puts forth of having a consolidated alerts view where I can see only the alerts I want from all of the different facilities.
To further elaborate on the concept of a consolidated alerts view, I would like to be able to control what goes into this view, and this would ultimately be the list of stuff I actually care about.
I would like to be able to control what goes into this view, and this would ultimately be the list of stuff I actually care about.
Great. So what are some examples of how you would divvy stuff up? What would go in and out? We need to understand to figure out how we would provide a control.
Well, just thinking off the cuff, here is one idea...
Each of the other facilities has an "Alert" option. You could add a new alert option that would essentially send it into this new consolidated view. As part of this it would be nice to be able to set a Severity (Minor, Major, Critical, etc) so that when it arrives in the consolidated view it is color coded by severity. In addition I would like to attach instructions to it; essentially let my techs know what to do when they see the event. Lastly in the consolidated view it could have an icon associated with it representing which facility it originally came from.
This is just one idea where I am attempting to use some of the things you already have in the system. What I don't know is what implications this has to your back-end systems. I also don't have a great bearing on how difficult to manage this may be once implemented. If I come up with some more ideas I will be sure to post them; this was just the first one that came to mind.
P.S. I came from OpenNMS where I can custom configure events and much of what I have suggested above are taken from how they have things implemented.
You are not alone on this!
Have spent a LOT of time trying to figure out how to get specific syslog messages into the event list, with no luck.
This simple alert action would do the job in like 15 sec.
Create a custom SQL alert on a node, with a condition that looks something like this:
inner join syslog on syslog.nodeid=nodes.nodeid
WHERE syslogseverity = 3
AND datetime > Dateadd(hour, -1, Getdate())
AND message LIKE '%NTP Server Unreachable'
Change the where clause to match your syslog messages.
What I need is to create an event when there comes a syslog message containing 'LOOPGUARD_BLOCK'.
I tried with this custom SQL alert:
Inner join syslog on syslog.nodeid=nodes.nodeid
WHERE message LIKE '*LOOPGUARD_BLOCK*'
But it did not work. Neither did this one:
WHERE nodeid IN (SELECT nodeid
FROM syslog
Can you see any errors in these scripts?
Thanks!
* is the star character
% is the wildcard matching any number of characters
/RjL
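Added example, not part of the thread: a T-SQL script that runs the pattern from the question and two corrected forms against constructed rows, using the table and column names from the posts above. It assumes SQL Server (the posts use Getdate/Dateadd); the table variables, node captions and messages are constructed for illustration. It also covers a second trap in this particular search string: the underscore is itself a LIKE wildcard that matches any single character.

```sql
-- Constructed sample data. Table and column names (nodes, syslog, nodeid,
-- datetime, syslogseverity, message) follow the posts above; the rows are made up.
DECLARE @nodes  TABLE (nodeid INT, caption NVARCHAR(50));
DECLARE @syslog TABLE (nodeid INT, [datetime] DATETIME,
                       syslogseverity INT, message NVARCHAR(400));

INSERT INTO @nodes VALUES
  (1, N'sw-access-01'), (2, N'sw-access-02'), (3, N'rtr-edge-01');

INSERT INTO @syslog VALUES
  (1, GETDATE(), 2,
   N'%SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port Gi1/0/1 on VLAN0010.'),
  (2, GETDATE(), 6,
   N'constructed near-miss: LOOPGUARDxBLOCK (no underscore in the message)'),
  (3, DATEADD(hour, -3, GETDATE()), 3,
   N'NTP Server Unreachable');

-- 1) Pattern from the question. '*' has no special meaning in LIKE, so the
--    message would have to start and end with a literal asterisk.
SELECT n.caption, s.message
FROM @nodes n
INNER JOIN @syslog s ON s.nodeid = n.nodeid
WHERE s.message LIKE '*LOOPGUARD_BLOCK*';

-- 2) '%' matches any run of characters, so this is a "contains" test.
--    The '_' between the two words still matches ANY single character,
--    so the near-miss row on node 2 satisfies this pattern as well.
SELECT n.caption, s.message
FROM @nodes n
INNER JOIN @syslog s ON s.nodeid = n.nodeid
WHERE s.message LIKE '%LOOPGUARD_BLOCK%';

-- 3) '[_]' matches only a literal underscore. The time window copies the
--    one-hour filter from the NTP example earlier in the thread so that old
--    messages do not keep the alert condition true.
SELECT n.caption, s.message
FROM @nodes n
INNER JOIN @syslog s ON s.nodeid = n.nodeid
WHERE s.message LIKE '%LOOPGUARD[_]BLOCK%'
  AND s.[datetime] > DATEADD(hour, -1, GETDATE());
```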