
Clearing an Alert generated off a tagged Syslog Message.

So my issue arose with some syslog resetting format:

[attached image: pastedImage_0.png]

I've properly tagged the Syslog coming in as SLAsyslog and obviously tagged the reset in the same fashion.

My issue arises with clearing the alert generated off the Syslog in the first place:

[attached image: pastedImage_1.png]

I've got the logic for when the Syslog comes in, that piece alerts properly.

But I'm unable to determine how to get the Syslog to clear properly; I've included my current reset condition.

It'll clear the syslog but it'll look for the first thing tagged with the SLAsyslogreset and then it'll reset even if the device isn't the same as what triggered in the first place.

[attached image: pastedImage_2.png]

Any help would be greatly appreciated!

  • Welp, I need to re-visit a similar rule that I have in my environment after looking at your case because I'm sure we have a similar issue and I just didn't carry that logic through far enough.

    In your case, I think you've already got the building blocks, so let me see if I can explain it clearly:

    In short, use the AlertActiveID from the Orion.AlertActive table.

    Add "where aa.alertactiveid = ${N=Alerting;M=AlertActiveID}"

    I'm not 100% sure that this would work the way I'm thinking, but seems like it would serve to tie it to the instance you're looking for. If not, another way using a similar technique would be to use something from the original alert if you can, like the caption or IP address if it appears in the syslog message.

  • I'm just not sure how to tie the AlertActiveID or AlertObjectID to the other syslog that is tagged.

    Ideally my logic would go:

    IF Node is tagged with RESET and Active Alert = True AND the Node is the same as where the alert was triggered

    THEN Clear the Alert

    But I'm not sure if I can figure this out on a Friday without hurting my brain any more than I have already. Haha.

  • I don't have anything that I feel like I can directly test with at the moment, but I came up with this which you might be able to make work for you. I'm pretty sure on everything except for the EntityCaption line 3rd from the bottom:

    SELECT Nodes.Uri, Nodes.DisplayName
    FROM Orion.Nodes AS Nodes
    INNER JOIN Orion.Syslog AS S
        ON Nodes.IPAddress = S.IPAddress
    INNER JOIN Orion.AlertObjects AS AO
        ON AO.EntityCaption = Nodes.DisplayName
    INNER JOIN Orion.AlertActive AS AA
        -- AlertActive joins to AlertObjects on AlertObjectID, not on AlertActiveID
        ON AA.AlertObjectID = AO.AlertObjectID
    WHERE S.SysLogTag = 'RESET'
      -- TriggeredMessage holds the alert's trigger message text
      AND AA.TriggeredMessage = '<ALERT NAME>'
      AND AO.EntityCaption = '${N=SwisEntity;M=Caption}'
      AND S.IPAddress <> 'XXXXXXXXX'
      AND S.IPAddress <> 'XXXXXXXXX'
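The following is an added example, not a query from any poster in this thread. It ties the reset to the specific active alert instance via the ${N=Alerting;M=AlertActiveID} macro quoted earlier, requires the RESET-tagged syslog to come from the same node, and ignores reset messages older than the trigger. It assumes the columns Orion.AlertObjects.RelatedNodeId, Orion.Syslog.NodeID and Orion.AlertActive.TriggeredDateTime and the tag name SLAsyslogreset from the original post.

```sql
-- Added example: SWQL reset condition scoped to the triggering alert instance
-- and node. Assumed columns: AO.RelatedNodeId, S.NodeID, AA.TriggeredDateTime.
SELECT N.Uri, N.DisplayName
FROM Orion.Nodes AS N
INNER JOIN Orion.AlertObjects AS AO
    -- the node the active alert was raised against
    ON AO.RelatedNodeId = N.NodeID
INNER JOIN Orion.AlertActive AS AA
    ON AA.AlertObjectID = AO.AlertObjectID
INNER JOIN Orion.Syslog AS S
    -- only syslog messages from that same node can reset it
    ON S.NodeID = N.NodeID
WHERE AA.AlertActiveID = ${N=Alerting;M=AlertActiveID}
  AND S.SysLogTag = 'SLAsyslogreset'
  -- a reset message that arrived before the trigger must not clear the alert
  AND S.DateTime > AA.TriggeredDateTime
```

A row returned for the evaluated alert instance means the reset condition is met; no row means the alert stays active.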