• State Suggested Answer
  • Locked Locked
  • Replies 2 replies
  • Answers 1 answer
  • Subscribers 24 subscribers
  • Views 1944 views
  • Users 0 members are here
Options
Related
This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

Alert or Keep Alive Messages

c1902_r

I have Kiwi Syslog Server version 9.8.  I would like to setup a notification where the application sends an email if it doesn't receive syslogs from a sender(s).  I noticed there is a built in alert where you can be notified if overall a certain amount of syslogs are not received within an hour.  However, I'd like something with a smaller window of 5 minutes.  Also, I noticed keep alive messages can be injected in the received syslogs at a certain interval, but I can't see how I'd make a rule to detect if that keep alive syslog message goes missing.  Is it possible the built-in alert can have a shorter window than 1 hour OR how would I configure a rule that sends notification if the keep-alive message goes missing?  Thanks. 

Parents
  • 0

    I found with the built-in Min & Max message count alarm that it'll trigger soon as the amount of messages specified is received.

  • 0 in reply to c1902_r

    So I found that the Filter: Flags/Counters, Filter Type: Timeout, will do the trick. You'll have to place it below the filter that's matching the criteria you want.  As the setup says, the Timeout filter is true if event "doesn't" occur x times in x minutes. Then set your email action and an action to Reset Flags/Counters.

    Done!

    Nope!  There's a catch.  If you have another rule that has the action of Reset Flags/Counters set, it'll keep your rule from triggering. So in my case, the default Log to Syslog Web Access had the action of Reset Flags/Counters.  Once I disabled that action, my above rule worked.  I didn't figure this out on my own; luck would have it I stumbled across this article that mentioned that.

    support.solarwinds.com/.../Filter-flags-counters-not-working-on-Kiwi-Syslog

Reply
  • 0 in reply to c1902_r

    So I found that the Filter: Flags/Counters, Filter Type: Timeout, will do the trick. You'll have to place it below the filter that's matching the criteria you want.  As the setup says, the Timeout filter is true if event "doesn't" occur x times in x minutes. Then set your email action and an action to Reset Flags/Counters.

    Done!

    Nope!  There's a catch.  If you have another rule that has the action of Reset Flags/Counters set, it'll keep your rule from triggering. So in my case, the default Log to Syslog Web Access had the action of Reset Flags/Counters.  Once I disabled that action, my above rule worked.  I didn't figure this out on my own; luck would have it I stumbled across this article that mentioned that.

    support.solarwinds.com/.../Filter-flags-counters-not-working-on-Kiwi-Syslog

Children
No Data

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 195,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.

SolarWinds Customer Success Center Certification Media Vault Link Accounts
About THWACK Blogs For Government Edit Settings Free Tools & Trials
Legal Documents Terms of Use Privacy California Privacy Rights Security Information
©2024 SolarWinds Worldwide, LLC. All Rights Reserved.