
Syslog Alert not working

Hi All,

I need some help creating a syslog alert for the following syslog message

RT_FLOW: RT_FLOW_SESSION_DENY: session denied x.x.x.x/49203->x.x.x.x/2055 None 17(0) default-deny untrust trust

I have tried the following syslog alert setup, but the alert does not trigger.

Rule is enabled, Source: *, DNS Hostname: *

Message: *

Message Type Pattern: RT_FLOW: RT_FLOW_SESSION_DENY:

Syslog Message Pattern: ?

Severity/Facility: Everything is checked

My intention is to alert when a 'deny' message is received.

I believe the issue is with either the Message Type Pattern or Syslog Message Pattern.

I have confirmed the alert does work with no Message Type Pattern or Syslog Message Pattern match inputted.

Please help!

  • I would guess this isn't working because your Message Type Pattern is not matching exactly what SolarWinds is seeing as the Message Type. If this is the case, you have two options. One is to open the Syslog Viewer app, find the message and see what is contained in the Message Type column. Then you can enter this information into the Message Type Pattern field of the alert. Also, make sure you are using an * in the Syslog Message Pattern field of the alert.

    Another option is to use wildcards. For instance, you could enter *RT_FLOW_SESSION_DENY* for the Message Type Pattern. Again, you would want to make sure you are also using an * for the Syslog Message Pattern.

  • Hi,

    Thank you for your help.

    I followed your suggestion and was able to work around the issue by inputting * for the Message Type Pattern and then adding *session denied* in the Syslog Message Pattern.
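The following is an added example, not code from the thread or from SolarWinds. It parses the Junos RT_FLOW_SESSION_DENY line quoted above into its fields and then evaluates the three pattern combinations discussed (the original exact Message Type Pattern, the *RT_FLOW_SESSION_DENY* wildcard suggested in the first reply, and the * plus *session denied* workaround from the last reply) with plain "*" wildcard semantics. The thread does not show what string SolarWinds actually stores in its Message Type column, so the candidate type strings below are assumptions, as are the two extra sample lines; the original poster's "?" in the Syslog Message Pattern is replaced by "*" as the reply advises.

```python
"""Added example: parse Junos RT_FLOW_SESSION_DENY messages and evaluate
wildcard alert patterns over them. Not SolarWinds code; how the product
derives its Message Type field is not shown in the thread, so the
candidate type strings below are assumptions."""
import re

# Constructed sample lines. The first reproduces the message quoted in the
# post (with the poster's x.x.x.x placeholders); the other two are made up
# here to show a second deny and a non-deny message.
SAMPLE_LINES = [
    "RT_FLOW: RT_FLOW_SESSION_DENY: session denied x.x.x.x/49203->x.x.x.x/2055 None 17(0) default-deny untrust trust",
    "RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.0.9/137->10.0.0.255/137 None 17(0) default-deny trust trust",
    "RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.0.0.5/51000->192.0.2.10/443 None 6 allow-web trust untrust",
]

# Fields in the order they appear in the quoted deny line: src/port->dst/port,
# service name, IP protocol number (optionally followed by a parenthesised
# value, e.g. "17(0)"), policy name, source zone, destination zone.
DENY_RE = re.compile(
    r"RT_FLOW_SESSION_DENY: session denied "
    r"(?P<src>\S+)/(?P<sport>\d+)->(?P<dst>\S+)/(?P<dport>\d+) "
    r"(?P<service>\S+) (?P<proto>\d+)(?:\((?P<extra>\d+)\))? "
    r"(?P<policy>\S+) (?P<from_zone>\S+) (?P<to_zone>\S+)"
)


def parse_deny(line):
    """Return the fields of a session-denied line as a dict, or None for any other message."""
    m = DENY_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("sport", "dport", "proto"):
        fields[key] = int(fields[key])
    return fields


def wildcard_match(pattern, text):
    """'*' matches any run of characters; everything else is literal and case-sensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text, re.DOTALL) is not None


def alert_fires(message, type_field, type_pattern, message_pattern):
    """Both rule fields must match, mirroring the two pattern fields of the alert in the thread."""
    return wildcard_match(type_pattern, type_field) and wildcard_match(message_pattern, message)


# The three rule variants discussed: (Message Type Pattern, Syslog Message Pattern).
RULES = {
    "original": ("RT_FLOW: RT_FLOW_SESSION_DENY:", "*"),
    "wildcarded": ("*RT_FLOW_SESSION_DENY*", "*"),
    "workaround": ("*", "*session denied*"),
}

# Hypothetical values for what the Message Type column might hold; the real
# value is only visible in the Syslog Viewer, as the first reply says.
CANDIDATE_TYPES = [
    "RT_FLOW",
    "RT_FLOW: RT_FLOW_SESSION_DENY",
    "RT_FLOW: RT_FLOW_SESSION_DENY:",
]


def evaluate(line, type_field):
    """Which of the three rules would fire for this message and this Message Type value."""
    return {name: alert_fires(line, type_field, tp, mp) for name, (tp, mp) in RULES.items()}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line)
        print("  parsed:", parse_deny(line))
        for type_field in CANDIDATE_TYPES:
            print(f"  type={type_field!r}: {evaluate(line, type_field)}")
```

Running it shows the point of the thread: the exact "RT_FLOW: RT_FLOW_SESSION_DENY:" pattern only fires if the Message Type field holds that string character for character, the *RT_FLOW_SESSION_DENY* wildcard fires whenever the tag appears anywhere in that field, and the * plus *session denied* workaround fires for every deny line regardless of how the type field is populated, while still ignoring the session-created line.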