Alert or Keep Alive Messages

c1902_r 5 months ago

I have Kiwi Syslog Server version 9.8. I would like to setup a notification where the application sends an email if it doesn't receive syslogs from a sender(s). I noticed there is a built in alert where you can be notified if overall a certain amount of syslogs are not received within an hour. However, I'd like something with a smaller window of 5 minutes. Also, I noticed keep alive messages can be injected in the received syslogs at a certain interval, but I can't see how I'd make a rule to detect if that keep alive syslog message goes missing. Is it possible the built-in alert can have a shorter window than 1 hour OR how would I configure a rule that sends notification if the keep-alive message goes missing? Thanks.

Parents

0 c1902_r 4 months ago

I found with the built-in Min & Max message count alarm that it'll trigger soon as the amount of messages specified is received.
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 c1902_r 4 months ago in reply to c1902_r

So I found that the Filter: Flags/Counters, Filter Type: Timeout, will do the trick. You'll have to place it below the filter that's matching the criteria you want. As the setup says, the Timeout filter is true if event "doesn't" occur x times in x minutes. Then set your email action and an action to Reset Flags/Counters.

Done!

Nope! There's a catch. If you have another rule that has the action of Reset Flags/Counters set, it'll keep your rule from triggering. So in my case, the default Log to Syslog Web Access had the action of Reset Flags/Counters. Once I disabled that action, my above rule worked. I didn't figure this out on my own; luck would have it I stumbled across this article that mentioned that.

support.solarwinds.com/.../Filter-flags-counters-not-working-on-Kiwi-Syslog
Cancel
Up 0 Down

Reply

Verify Answer

Reject Answer

Cancel

Reply

0 c1902_r 4 months ago in reply to c1902_r

So I found that the Filter: Flags/Counters, Filter Type: Timeout, will do the trick. You'll have to place it below the filter that's matching the criteria you want. As the setup says, the Timeout filter is true if event "doesn't" occur x times in x minutes. Then set your email action and an action to Reset Flags/Counters.

Done!

Nope! There's a catch. If you have another rule that has the action of Reset Flags/Counters set, it'll keep your rule from triggering. So in my case, the default Log to Syslog Web Access had the action of Reset Flags/Counters. Once I disabled that action, my above rule worked. I didn't figure this out on my own; luck would have it I stumbled across this article that mentioned that.

support.solarwinds.com/.../Filter-flags-counters-not-working-on-Kiwi-Syslog
Cancel
Up 0 Down

Reply

Verify Answer

Reject Answer

Cancel

Children

No Data