0 Replies Latest reply on Nov 14, 2012 2:43 PM by trey.s.grun

    Syslog Viewer Alert Behavior Question

    trey.s.grun

      I opened a case for this so I'll just paste in the case notes:

       

      Couldn't find the right Syslog server or version in the dropdown.

      Orion Core 2012.1.0, NCM 7.0.2, NPM 10.3, NTA 3.7, IVIM 1.3.0

      In any case, I have set up syslog viewer rules for an annoying application that generates approximately 1200 useless messages per day. It only took 2 rules to accomplish this.

      The first rule is set to discard all messages from level 5 to level 7. This worked and stopped all the annoying informational messages polluting the syslog.

      The second rule is set to discard level 4 messages with a specific string. This worked. All these annoying messages stopped appearing in the syslog when I applied this rule.

      The final rule is set to email alerts for all other messages from the message source and I further restricted it by allowing only levels 0 - 4.

      I expected this would email alerts on all 0-4 level messages EXCEPT the one level 4 message which I explicitly discarded.

      I am totally confused because the 5-7 level messages are being ignored and not relayed via email as I expected, but the level 4 message which I specifically set to discard (and which is no longer appearing in the syslog viewer) is still being relayed as an alert.

      I understand rule precedence and made sure the discard is higher in the processing order than the alert action, and yet the alerts persist. Please advise how to troubleshoot this issue, or what the possible problem is. Thanks.

       

      Any ideas why a message that I explicitly discard, and is indeed discarded by the viewer, is still relayed by my alert rule?

       
