This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

Log Entry Actions - Extract Data

I see 'extracting data' referenced under Log Entry Actions, but it is not apparent of how that would be done.  See below pics.  I would like to have this data for using in alerts.  I would expect one of the log entry actions to revolve around extracting data.

  • There is Alert integration section in the Actions step. Enable it and let it create an alert for you. Then go to the alert definition (there is a link to the alert from the rule list when you click on Trigger Orion Alert) and use macros in the alert message.


  • How would you pick specific pieces from that log message though?  IE regex for the IP address.  Right now I was trying to have an alert created after a log was seen 3 times in 15 minutes, but I would want it created only if the log related to the same IP (like a BGP neighbor flapping) is involved.  Currently if 3 different neighbors went down, it would throw that alert.

  • If you know the IP address, you could create an alert for each IP with condition that the message contains the IP. It wouldn't work (or it would be very tedious work to set it up) if there are many possible IPs.

    Btw which mesaage type is it (syslog, trap, ...) and can you post an example of the messsage?

  • There are MANY possible IPs :)  Just looking at the syslog:

    May 14 18:35:32: %BGP-5-ADJCHANGE: neighbor x.x.x.x Down User reset

    There is a default log for this, but I am using the routing neighbor alert for that use case.  The only issue with that is you can only poll the routing neighbors once per minute, and I have it set up to auto resolve.  I would like to be able to account for a situation where a neighbor may flap through the up/down state, therefore giving a different type of alert (that may be missed when just alerting of the routing neighbor table at some interval)

  • Hm, you can set the alert to "No reset condition – Trigger this alert each time the rule fires" not to miss any flap, but I'm not sure how to set the threshold only for the same IP address.