I have rule that sends an email whenever a certain term is found in the syslog message. The rule works, and send alerts, when the syslog is from a Cisco device. But when a Juniper device sends that message, no alert is sent. It's a very basic rule; SOURCE COMPUTERS - All source computers LOG ENTRIES - IF Message OR Contains abc TIME WINDOW - Filtering entries by time window is not set. ENTRY COUNT - Every matching entry fires the rule FLOOD PROTECTION - Flood protection is disabled. ACTIONS - ALERT INTEGRATION - When this rule fires, send a Log Rule Fired event to Orion Alerting. Triggers on all Cisco devices, but my Juniper QFX5100 never causes a trigger. In the Log Viewer, I can search for 'abc' and get results for all devices, Cisco and Juniper. Anyone else have this issue? Or anyone have suggestions, or troubleshooting steps? thanks

This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.

You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

syslog rules, Cisco vs Juniper - not alerting on Juniper

bluegrue over 2 years ago

I have rule that sends an email whenever a certain term is found in the syslog message. The rule works, and send alerts, when the syslog is from a Cisco device. But when a Juniper device sends that message, no alert is sent.

It's a very basic rule;

SOURCE COMPUTERS - All source computers
LOG ENTRIES - IF Message OR Contains abc
TIME WINDOW - Filtering entries by time window is not set.
ENTRY COUNT - Every matching entry fires the rule
FLOOD PROTECTION - Flood protection is disabled.
ACTIONS - ALERT INTEGRATION - When this rule fires, send a Log Rule Fired event to Orion Alerting.

Triggers on all Cisco devices, but my Juniper QFX5100 never causes a trigger.

In the Log Viewer, I can search for 'abc' and get results for all devices, Cisco and Juniper.

Anyone else have this issue? Or anyone have suggestions, or troubleshooting steps?

thanks

Top Replies

bluegrue over 2 years ago in reply to KMSigma.SWI +1

The real phrase I'm searching on is 'gss'. And you'll notice this rule is currently disabled, otherwise I get 20+ messages from my Cisco devices (but nothing from Juniper). {"Version":2,"Rules":[{…

Parents

0 bluegrue over 2 years ago

I set up another test rule to send an email just on the host; hostname match, and other rule by sender IP address.

Still no alerts triggered.
Cancel
Vote Up 0 Vote Down

Cancel
0 KMSigma.SWI over 2 years ago in reply to bluegrue

Can you export the rule and attach it so we can see it? It should come out as a JSON file.
Cancel
Vote Up 0 Vote Down

Cancel

0 bluegrue over 2 years ago in reply to KMSigma.SWI

The real phrase I'm searching on is 'gss'. And you'll notice this rule is currently disabled, otherwise I get 20+ messages from my Cisco devices (but nothing from Juniper).

{"Version":2,"Rules":[{"Actions":[{"ActionType":"Alerting"}],"Conditions":[{"Field":"Message","ComparisonValues":[{"TextValue":"gss"}],"Comparison":"Contains"}],"IsEnabled":false,"Rank":0,"Id":"[snip]-1254-470d-bcce-1e2f6475f2f3","PolicyId":"cf65a032-71a7-41c4-b36a-4319b138f056","Name":"test4","SourceType":"Syslog"}]}

Reply

0 bluegrue over 2 years ago in reply to KMSigma.SWI

The real phrase I'm searching on is 'gss'. And you'll notice this rule is currently disabled, otherwise I get 20+ messages from my Cisco devices (but nothing from Juniper).

{"Version":2,"Rules":[{"Actions":[{"ActionType":"Alerting"}],"Conditions":[{"Field":"Message","ComparisonValues":[{"TextValue":"gss"}],"Comparison":"Contains"}],"IsEnabled":false,"Rank":0,"Id":"[snip]-1254-470d-bcce-1e2f6475f2f3","PolicyId":"cf65a032-71a7-41c4-b36a-4319b138f056","Name":"test4","SourceType":"Syslog"}]}

Children

No Data