Syslog Server - Flag/Counter Time Interval - Not working as expected.

Hi, I have just upgraded to 9.3.4 syslog server and I am having trouble with setting up new actions with timers/counters.

I have approx 20 rules defined and approx 5 of them need a Time Interval Filter.

These filter syslogs from various Cisco hardware, one being Fan Faults.

The initial filter is set to Include = "%FAN" "%ENVIRONMENT" - works a treat.

The 2nd filter is a Flag/Counter for Time Interval - currently set to 60 mins.

Actions are:

1. Display in ErrorFan
2. Send SNMP trap to server 1
3. Forward syslog to server 2

When the timer is enabled the syslogs only show 1 every 60 mins for all devices. We currently have 8 bits of kit reporting fan rotation errors etc., and with the timer set I am only seeing the same device or two every hour - not all 8.

When I remove the timer the syslogs come through at a 30sec-1min interval from each device.

In the Syslog Help guide it states:

"When a message arrives from the host "central-router.company.com" that
contains the words "link down" in the text, the first filter (Message text) will
be true. The Time interval filter is then processed. The first time the Time
interval filter is processed, the result will be true, and the actions that
follow will be performed. A countdown timer using the specified value is
started. In the above example it is 15 minutes. If another message arrives from
the same host that contains the words "link down", the first filter (Message
text) will again be true. If the countdown timer has not reached zero, the Time
interval filter will return false and the actions following will not be
performed."

I cannot get this to work 'per host'; it just stops all messages coming through from all devices except 1.

So I don't think it is correctly storing the 'counter/flag' for each host and is just setting the filter for the first message received from any host.

I would also like to know if 60 mins is the maximum, as this can still be quite annoying for backend systems, and it would be great to see this increase to maybe 3 or 4 hours - or to be able to put a once-a-day-for-each-host filter on. Is there a way around this? For instance, can I put a 2nd time interval timer on (when it works properly) for a further 60 mins etc. so I would get 120 mins in total?

  • The help text is misleading. It's talking about the whole scenario described and not just the time interval filter. As far as I have been able to tell, this is a global interval and is not going to store the interval per device. If you want some help with a script that will do this filtering for you just let me know and I can come up with something like this fairly quickly.

    (Vbscript - your preference or mileage may vary)

    You just need to check that INStr(VarCleanMessageText,"FAN") <> 0 and INStr(VarCleanMessageText,"ENVIRONMENT") <> 0

    Then add the hostname to a dictionary with the current time if it's not already there. If it's there, diff the time and alert or skip to the next rule.

    To answer your other question, I don't see any set limitation other than the number of characters you can type into the box, but just for testing purposes, I just setup a rule for 120 minutes and in 2 hours we'll know if it works for sure.
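
The per-host check described in the reply above (remember when each host last got through, skip repeats inside the interval), as an added example in Python; it is not the script from this thread and does not use Kiwi Syslog's scripting API. The host names, sample messages and the choice to match either keyword are constructed assumptions; the global mode reproduces the symptom from the question, where some devices never appear.

```python
from datetime import datetime, timedelta

# Constructed sample input: (receive time, source host, message text).
SAMPLE = [
    ("2024-01-01 08:00:05", "sw-01", "%FAN-3-FAN_FAILED: Fan 1 rotation error"),
    ("2024-01-01 08:00:20", "sw-02", "%ENVIRONMENT-2-FAN_FAULT: System fault"),
    ("2024-01-01 08:00:40", "sw-03", "%FAN-3-FAN_FAILED: Fan 2 rotation error"),
    ("2024-01-01 08:01:10", "sw-01", "%FAN-3-FAN_FAILED: Fan 1 rotation error"),
    ("2024-01-01 08:30:00", "sw-02", "%ENVIRONMENT-2-FAN_FAULT: System fault"),
    ("2024-01-01 08:45:00", "sw-01", "%LINK-3-UPDOWN: Interface Gi0/1 down"),
    ("2024-01-01 09:00:10", "sw-03", "%FAN-3-FAN_FAILED: Fan 2 rotation error"),
    ("2024-01-01 12:00:30", "sw-01", "%FAN-3-FAN_FAILED: Fan 1 rotation error"),
    ("2024-01-01 12:00:35", "sw-02", "%ENVIRONMENT-2-FAN_FAULT: System fault"),
]
KEYWORDS = ("%FAN", "%ENVIRONMENT")  # assumption: either keyword matches


class IntervalFilter:
    def __init__(self, interval_seconds=14400, per_host=True, max_hosts=10000):
        self.interval = timedelta(seconds=interval_seconds)
        self.per_host = per_host
        self.max_hosts = max_hosts
        self.last_pass = {}  # key -> time the last message was let through

    def allow(self, when, host, text):
        if not any(k in text for k in KEYWORDS):
            return False  # message-text filter did not match
        # One timer per host, or a single shared timer in global mode.
        key = host.lower() if self.per_host else "*"
        last = self.last_pass.get(key)
        if last is not None and when - last < self.interval:
            return False  # still inside the interval: suppress
        if len(self.last_pass) >= self.max_hosts:
            # Drop expired entries to limit growth of the table.
            self.last_pass = {k: t for k, t in self.last_pass.items()
                              if when - t < self.interval}
        self.last_pass[key] = when
        return True


def run(events, **options):
    """Return (timestamp, host) for every message that would trigger actions."""
    flt = IntervalFilter(**options)
    passed = []
    for ts, host, text in events:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if flt.allow(when, host, text):
            passed.append((ts, host))
    return passed
```

With `per_host=False` and a 3600-second interval, `sw-02` never gets through in the sample; with `per_host=True` and 14400 seconds, each host is reported once and then again after four hours.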

  • Thanks, yes help with the VBScript, as I have not done this in syslog at all!

    And I did originally have it set for 240 (mins) but had no hits on it at all; 60 works but with the limitations mentioned.

    Any help appreciated - step by step though for this SQL bod!

  • mezdem,

    Here you go:

    Keep your message_text filter in place, get rid of your flags/counters interval filter, then make your first action a run_script action and use that script. You may need to do some basic editing, but I did set the default interval to 14400 seconds for you (240 minutes) so that may be all you want/need and in that case you won't have to edit at all.

    It's just a text file though, and vbScript isn't so alien compared to T-SQL so you should be able to look at it and follow along. Think of dictionaries as tables that can only have 2 columns, a primary key column and a value column. If you want to store more than one piece of data, you have to delimit the value column.

    My favoritest job ever was a database analyst/administrator. Loved it. I spent all day creating and deleting databases, moving stuff from Btrieve in DOS and OS/2 or from Universe in Pick/Unix to SQL, Sybase, MySQL or Oracle.

    Let me know if you have any questions and oh yeah... 120 minutes worked. Testing 240 right now, but we won't find out till tomorrow.


  • Brilliant, thanks acy! It is working - well, not had a duplicate for the same host... just need to wait another 3 hours!

    Thank you, and yes I guess now I can see the similarities between the coding - I will have to attempt the next one on my own (maybe).

  • Mezdem,

    I was out sick at the end of last week, but I checked this morning and 240 minutes was working for me on that filter. Not that you need it now, but I did want to confirm that it does work...

  • Yep, thanks, yes I have been off ill too! Checked today as syslog forwarding is working like a charm - thank you very much.