Monitoring Syslog Configuration

Describes how to monitor applications using Syslog messages.


Introduction

Syslog monitoring helps system administrators monitor the health status of applications or resources using Syslog messages.

Syslog is a daemon process that runs on Linux or Windows servers. The process sends events and log information to a collector (Syslog server) over an IP network. The gateway gathers and processes the Syslog messages according to a set of rules, translates the messages into corresponding alerts, and forwards them to the OpsRamp cloud.

Syslog messages

Syslog messages include specifications that help identify information such as when, where, and how the log was sent. Syslog messages usually include the following details:

  • IP Address
  • Priority Number
  • Timestamp
  • Actual log message
  • Hostname
  • Tag

Example of a Syslog message: <34>Oct 11 22:14:15 mymachine su: ‘su root’ failed for lonvick on /dev/pts/8

Syslog message format

A syslog message consists of three parts:

  • PRI
  • HEADER
  • MSG

The PRI part of a message lets the syslog server arrange and classify it using two numeric values:

  • Facility
  • Severity

Facility

Identifies the type of message or the subsystem that generated the syslog event. The facility value is one of the fifteen predefined values, or a locally defined value in the case of 16-23.

Facility Value and Description

Number   Facility Description
0        Kernel messages
1        User-level messages
2        Mail System
3        System Daemons
4        Security/Authorization Messages
5        Messages generated by syslogd
6        Line Printer Subsystem
7        Network News Subsystem
8        UUCP Subsystem
9        Clock Daemon
10       Security/Authorization Messages
11       FTP Daemon
12       NTP Subsystem
13       Log Audit
14       Log Alert
15       Clock Daemon
16-23    Local Use 0 - 7

Severity

Classifies the severity or importance of the message on a scale from 0 to 7.

Severity Description

Code   Severity        Description
0      Emergency       System is unusable
1      Alert           Action must be taken immediately
2      Critical        Critical conditions
3      Error           Error conditions
4      Warning         Warning conditions
5      Notice          Normal but significant condition
6      Informational   Informational messages
7      Debug           Debug-level messages

The priority value (PRI) encodes the facility and severity of a message generated by a system. To calculate the PRI, multiply the facility value by eight and add the severity value:

(Facility value * 8) + Severity = PRI

The lower the PRI, the higher the priority. For example, the <34> in the message above is facility 4 (security/authorization messages) with severity 2 (critical).

Advantages of Syslog monitoring

  • Increased security
  • Easier detection of any issues
  • Timely action
  • High performance

OpsRamp Syslog process flow

Syslog Monitoring Process Flow

Syslog monitoring configuration

Syslog monitoring configuration is used to:

  • Forward thousands of messages sent from different devices to a dedicated daemon.
  • Configure Syslog listeners. These specify that Syslog messages are received and processed over TCP/UDP from the target resources.
  • Define include and exclude lists. These pre-process all incoming messages and save the CPU cycles that would otherwise be spent running every rule against every message.
  • Define the set of rules. These provide granular filtering for important messages and the subsequent alert generation.

Syslog is configured via Setup > Monitoring > Syslog Monitor Configuration and involves:

  1. Adding a configuration profile
    Configuration profiles set the severity and facility filters for Syslog messages. Profiles also instruct the Syslog server to pass on only those messages that match the facility and severity defined by the user.
  2. Adding rules
    Rules set alert preferences, Syslog message patterns, and actions. For example, a rule can be specified to raise warning alerts for user-level and mail system messages that match the regex pattern: \[(.+)\] \[(.+)\] (.+).

Creating Syslog monitors

The Syslog Monitor Configuration functionality is used to filter messages and then generate alerts from the desired messages. For example, to stop receiving alerts for mail system messages, OpsRamp can be “trained” to not monitor those messages.

Prerequisites

  • Syslog server installed in the managed environment.
  • Good knowledge of regular expressions.

To create a Syslog monitoring configuration:

  1. From All Clients, select a client.
  2. Select Setup > Monitoring > Syslog Monitoring Configuration.
  3. From the SYSLOG MONITORING CONFIGURATION screen, select one of the following tabs:
    • Configuration Profile
    • Rules
  4. To add a profile:
    1. Click +Add.
    2. From Configuration Profile section, provide the following information and click Next:
      • Client: Client name.
      • Management Profile: List of management profiles configured in Resources > Management Profiles.
      • Configuration Name: Name provided for the configuration profile.
      • Description: Brief description of the purpose for the profile.
        Note: The SYSLOG MONITORING CONFIGURATION screen displays global filters.
    3. From the Global Filters section, provide the following information and click Save:
      • Severity: Level of intensity of the Syslog messages.
      • Facility: Type of messages to monitor (via Syslog) and use to generate alerts.
      • Resource Filter: IP range for servers used to monitor and receive messages.
      • Rules: Rules that are set to identify the Syslog messages.
  5. To add a new rule:
    1. Click +Add.
    2. From Rules section, provide the following information and click Submit:
      • Scope: Partner or the client-specific rules.
      • Name: Rule name.
      • Action: Determines how to process the Syslog messages.
        • Include: Sends only matching data.
        • Exclude: Ignores the matching data and sends the remaining data.
      • Regex Pattern: The regular expression pattern that is compiled and compared with the incoming messages. OpsRamp sends an alert in case of a match.
      • Metric Name: Name of the metric. Note: Regular expressions can also be used to specify a metric name. For example, Cisco Emergency Responder.
      • Component: Syslog message module. For example, Authentication Failure.
      • Alert Subject: Summary content of the alert.
      • Alert Description: Brief description of the entities used to generate alerts.
      • Alert Severity: Severity for the alerts.
      • Tags: User-defined tags used for filtering.
        The SYSLOG MONITORING CONFIGURATION screen displays the configured profiles and rules.

When a syslog message matches a rule, the capture groups of the regular expression can be extracted to form a dynamic Alert Subject, Alert Description, Component, and Metric Name.

For example, consider the syslog message [08:52:18] [ERROR] Ceci doit aparaitre when the regular expression \[(.+)\] \[(.+)\] (.+) is entered (the square brackets are escaped so that they match literally and each (.+) is a capture group).

The extracted groups are:

  • Group 1 = 08:52:18
  • Group 2 = ERROR
  • Group 3 = Ceci doit aparaitre.

Alert Subject, Alert Description, Component, and Metric Name can be dynamically formed using the extracted groups. For example, Severity: ${2} . Syslog raised time ${1} dynamically forms Severity: ERROR . Syslog raised time 08:52:18.

Predefined macros for syslog

  • ${timestamp} - Expands to the timestamp in milliseconds.
  • ${received.syslog.message} - Expands to the raw syslog message received from the remote device.
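The following is an added example, not OpsRamp's own code: it applies the PRI formula from the message format section and the ${n} group macros from the rule example above to a constructed message. The profile and rule field names (facilities, severities, action, regex, subject, description) are assumptions chosen for the example, not OpsRamp API fields.

```python
import re

# Added example, not OpsRamp's code. Profile/rule field names are assumptions.
SEVERITY = ["Emergency", "Alert", "Critical", "Error", "Warning",
            "Notice", "Informational", "Debug"]

# Rule from the page; the square brackets must be escaped, otherwise
# "[(.+)]" is a character class and captures nothing.
RULE = {"action": "include", "regex": r"\[(.+)\] \[(.+)\] (.+)",
        "subject": "Severity: ${2} . Syslog raised time ${1}",
        "description": "${received.syslog.message}"}
# Global filter: user-level (1) and mail (2) messages, Emergency..Warning only.
PROFILE = {"facilities": {1, 2}, "severities": {0, 1, 2, 3, 4}}

def split_pri(msg):
    """Return (facility, severity, rest) for '<PRI>rest'; PRI = facility * 8 + severity."""
    m = re.match(r"<(\d{1,3})>(.*)", msg, re.DOTALL)
    if not m or int(m.group(1)) > 191:      # 23 * 8 + 7 is the largest valid PRI
        raise ValueError("missing or invalid PRI")
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2)

def expand(template, groups, raw):
    """Fill ${n} with regex groups and ${received.syslog.message} with the raw text."""
    text = template.replace("${received.syslog.message}", raw)
    def group(g):
        n = int(g.group(1))
        return groups[n - 1] if 0 < n <= len(groups) else g.group(0)  # leave unknown ${n} as-is
    return re.sub(r"\$\{(\d+)\}", group, text)

def evaluate(msg, profile=PROFILE, rule=RULE):
    """Return an alert dict when the profile filter and the rule allow it, else None."""
    fac, sev, body = split_pri(msg)
    if fac not in profile["facilities"] or sev not in profile["severities"]:
        return None                          # global filter drops it before rules run
    m = re.search(rule["regex"], body)
    if rule["action"] == "exclude":          # exclude: drop matches, pass the rest through
        return None if m else {"subject": body, "description": msg,
                               "facility": fac, "severity": SEVERITY[sev]}
    if not m:
        return None
    return {"subject": expand(rule["subject"], m.groups(), msg),
            "description": expand(rule["description"], m.groups(), msg),
            "facility": fac, "severity": SEVERITY[sev]}

# Constructed sample: PRI 11 = facility 1 (user-level) * 8 + severity 3 (Error)
SAMPLE = "<11>[08:52:18] [ERROR] Ceci doit aparaitre"

if __name__ == "__main__":
    print(evaluate(SAMPLE))
```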

Viewing details

After configuring the Syslog attributes, view the details (such as configuration profile and rules) on the Syslog Monitoring Configuration screen.

Viewing configuration profiles

View profile details in the Syslog Monitoring Configuration > Configuration Profiles tab.

View Configuration Profile

Viewing rules

View rule details in the Syslog Monitoring Configuration > Rules tab.

View Rules

Searching profiles and rules

Searching is available on the Syslog Monitoring Configuration screen. Methods used for searching include:

  • Regular search
  • Advanced search
  • Advanced search - configuration profile
  • Advanced search - rules

Use the search option to find configuration profiles and rules by configuration name and rule name. To search with additional criteria, use the Advanced option.

Search results can be filtered by using the advanced search.

Advanced search – configuration profile

To search using additional options:

  1. Click Advanced.
  2. From ADVANCED SEARCH window, provide the following information:
    • Client
    • Configuration Name
  3. Click Search.

The Configuration Profile screen displays the search results.

Advanced search – rules

To search using additional options:

  1. Click Advanced.
  2. From ADVANCED SEARCH, provide the following information:
    • Client
    • Action
    • Tags
  3. Click Search.

The Rules screen displays the search results.

Deleting profiles and rules

Existing configuration profiles or rules are deleted by using the Remove option.