Syslog Alerting

Subscription Feature

This is a feature which is currently only included in the Subscription Edition of Observium since r7970.

Syslog alerting allows you to generate notifications from syslog messages that are produced by your devices. This allows notification of potential issues which aren't easily detected during the regular poller process, such as OSPF changes, duplicate IP and MAC addresses and configuration changes.

Syslog alerting in Observium integrates with the existing contact system, so it can notify you via the usual channels: e-mail, Slack, PagerDuty, XMPP, webhook, etc.

For a complete overview of transport methods, see: Alerting Transports

Rule Configuration

First make sure you have configured syslog to integrate with Observium. The documentation for doing this can be found here: Syslog Integration

If you are running r7970 or later, you will find two new entries in the global menu:

  • Syslog Alerts
  • Syslog Rules

screenshot1

Let's start by creating a useful syslog alert rule that triggers an alert when a duplicate MAC address is found on a Cisco device:

  • First click on Syslog Rules in the global menu
  • Then click on Add Syslog Rule

screenshot2

You will then be presented with the following screen, where you have to configure the details of the syslog alert rule:

screenshot3

  • Rule Name: A short name for the rule. This is useful for short-format notification methods like SMS.
  • Message: The descriptive message that will be used in the majority of notifications.
  • Regular Expression: The actual rule that syslog message content is matched against.

Syslog Rules are built using standard PCRE regular expressions.

There are many online resources to help you learn and test regular expressions. Good resources include regex101.com, the Debuggex Cheatsheet, regexr.com and Tutorials Point. Many other sites with examples can be found online.

A simple rule to match the word "duplicate" anywhere in the syslog message would look like:

/duplicate/

A more complex rule to match SSH authentication failures from PAM for the users root or adama might look like:

/pam.+(sshd:auth).+failure.+user\=(root|adama)/
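As an added example (not Observium's own code), the two rules above are applied in Python, whose `re` engine accepts these PCRE patterns, to constructed syslog lines. The third rule, `SSH-PAM-FAIL-STRICT`, is my addition and shows why the unanchored `(root|adama)` also fires on a user named `adamant`; that Observium accepts the `/pattern/flags` delimiter form is an assumption here.

```python
import re
from typing import Dict, List

# Rules in the notation the page uses: a PCRE pattern between "/" delimiters.
# The first two patterns are the page's; the STRICT variant adds a word
# boundary so "adama" does not also match "adamant".
RULES: Dict[str, str] = {
    "DUP-MAC": r"/duplicate/",
    "SSH-PAM-FAIL": r"/pam.+(sshd:auth).+failure.+user\=(root|adama)/",
    "SSH-PAM-FAIL-STRICT": r"/pam.+(sshd:auth).+failure.+user\=(root|adama)\b/",
}

# Constructed sample messages (not captured from real devices).
SAMPLE_MESSAGES: List[str] = [
    "sw1: duplicate MAC address 0011.2233.4455 detected on Gi1/0/1 and Gi1/0/2",
    "host1 sshd[4242]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root",
    "host1 sshd[4243]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.11  user=adamant",
    "host1 sshd[4244]: pam_unix(sshd:session): session opened for user adama by (uid=0)",
]

# Matches "/body/flags"; DOTALL lets the body span any character.
_DELIMITED = re.compile(r"^/(.*)/([a-z]*)$", re.DOTALL)


def compile_rule(pattern: str) -> "re.Pattern[str]":
    """Compile a rule written as /pattern/flags, or a bare pattern.

    Only the 'i' (case-insensitive) flag is mapped; other flags are ignored
    in this example (assumption: Observium's UI takes a PCRE-style pattern).
    """
    m = _DELIMITED.match(pattern)
    if m is None:
        return re.compile(pattern)
    body, flags = m.groups()
    return re.compile(body, re.IGNORECASE if "i" in flags else 0)


def match_rules(rules: Dict[str, str], messages: List[str]) -> Dict[str, List[str]]:
    """Return, per rule name, the messages it matches.

    Uses search() rather than fullmatch(), mirroring how a syslog rule is
    tested against each incoming message as a whole line.
    """
    compiled = {name: compile_rule(p) for name, p in rules.items()}
    return {name: [msg for msg in messages if rx.search(msg)] for name, rx in compiled.items()}


if __name__ == "__main__":
    for name, hits in match_rules(RULES, SAMPLE_MESSAGES).items():
        print(f"{name}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```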

Example Syslog Rules

Here are a couple of alerts you could implement that come in pretty handy:

screenshot4

Generating Notifications

To actually send out notifications, you will have to associate the syslog alert rule with a contact. To do this, edit the contact you have configured and add the syslog rule association:

screenshot5

Select a syslog alert rule from the drop-down and click + Associate. Once you have done this, the association is complete.

If you associate it with an e-mail contact, the notification will look like this:

screenshot5