
How to alert on Syslog entries

I posted in a different community, under perhaps the wrong subject title. So, I'm posting a message in Alert Lab linking to the solution I developed, in the hopes that more people will see the solution.

SQL: How to search syslog for specific messages

Basically, if you try to create a custom SQL alert, you have to choose the topic of the alert. When you choose a topic, it default selects certain columns and a table. Syslog is not available. 

The solution to this is to select Custom SQL Node Alert and then, in the custom field, join to the syslog table and enter the search parameters there. The alert won't pass the syslog data to the alert action, but in an e-mail you can create a Custom SQL entry that has SQL very similar to, but slightly different from, the alert, and it will then insert the syslog message text into the email (or event log). Please click on the link to see the method of doing it.

This same process can work for alerting on SNMP traps, but in my experience SNMP traps don't have the information I'm looking for, where syslog does.

Feedback is welcome on the solution (or Traps).
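As an added illustration of the approach described above (not the original poster's linked solution, and not SolarWinds documentation), here is the shape such a custom SQL condition and e-mail entry could take. It assumes Orion prepends `SELECT Nodes.NodeID, Nodes.Caption FROM Nodes` to the condition text, that the syslog table is `Syslog` with `NodeID`, `DateTime` and `Message` columns, that a node custom property `Owner_Email` exists, and that the legacy `${NodeID}` and `${SQL: ...}` macros are available in the action; all of these are assumptions to verify against your own database.

```sql
-- 1) Alert condition body pasted into the Custom SQL Node Alert box.
--    Orion (assumed) prepends: SELECT Nodes.NodeID, Nodes.Caption FROM Nodes
--    EXISTS keeps one row per node even if many matching syslog lines arrived,
--    so the alert fires once per node rather than once per message.
WHERE EXISTS (
        SELECT 1
        FROM   Syslog s                                   -- assumed table name
        WHERE  s.NodeID   = Nodes.NodeID
          AND  s.Message  LIKE '%LINK-3-UPDOWN%'          -- constructed search pattern
          AND  s.DateTime > DATEADD(minute, -5, GETDATE()) -- only recent messages
      )
  AND Nodes.Owner_Email IS NOT NULL                       -- assumed custom property:
                                                         -- alert only on owned nodes

-- 2) Matching entry for the e-mail/event-log action, so the message text
--    reaches the recipient even though the alert itself does not pass it.
--    ${NodeID} is the legacy node macro (assumed); the inner query mirrors
--    the condition but returns the newest matching line for this node.
${SQL: SELECT TOP 1 s.Message
       FROM   Syslog s
       WHERE  s.NodeID   = ${NodeID}
         AND  s.Message  LIKE '%LINK-3-UPDOWN%'
         AND  s.DateTime > DATEADD(minute, -5, GETDATE())
       ORDER BY s.DateTime DESC}
```

Keep the time window identical in both places; otherwise the e-mail can fire for a node whose matching line has already aged out of the macro's query and arrive empty.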

  • I'm not sure why you need a custom SQL alert. In Syslog Viewer you can create an alert that will look for whatever you want.

    The only thing to remember is that you may select "stop processing all rules" after your Send An Email trigger. That way the syslog doesn't go through the rest of the alerts that you may have configured.

    I even use a Syslog Viewer rule to delete syslogs out of the database from devices that just send waaaaay too many syslogs thus filling up the database really quick. I only kept syslogs for 10 days.

  • To be entirely honest, I didn't realize that Syslog Viewer still worked. Back in the days of 8.5, all SolarWinds functionality had been individual stand-alone programs. How well does that little program work with lots of messages (like 1,000,000)? So, I went in and had a look. I do see that the rules have much of the same old alert functionality. But it seems like there are fewer actions available through that method, and I don't see how the alert could be tied to custom properties (which could be done using custom SQL). For example, maybe you want to send the alert to an "owner" of a device, or maybe just alert on devices managed by one team and not another. Also, I don't see where the alerts would require acknowledgement, or else suffer being escalated.

    Does Syslog Viewer need to be running on a logged-in user's profile, or can it run as a service?

    I agree that for Syslog management, forwarding to e-mails, reasons that you cited, Syslog Viewer Rules may be an easier or better choice.

    I disagree that Syslog Viewer Rules have all the flexibility and functionality that Orion Alerts do.

    Cheers!

  • By alert I mean you are simply being notified of an issue or whatever.

  • Hi Guys,

    Any idea how we can achieve this in Log Viewer in 2019.4?

    Thanks,

    Nimesha J.

  • You need to go into Configure Rules and select Syslog and then My Custom Rules.


    Then click on Create New Rule and follow the prompts. In here you will also create an Alert for it.

    There is currently a bug where not all syslogs are being sent to email if a device sends more than 1 syslog per minute.

  • May I know if this bug has been fixed in 2020.5?

  • The current version of the Log Analyzer is 2020.2.6. This initial thread was started over 3 years ago and the previous message was more than 1 year ago. If I had to guess, this limitation was removed, but without an actual ID for the bug report, I can't be more specific. You may want to search or check in the Log Analyzer discussion forum for more details.