Network Management


iMC Syslog Email Alerts

  • 1.  iMC Syslog Email Alerts

    Posted Mar 31, 2014 08:02 PM

    I am trying to move from PCM 4 to iMC 7 and I'm starting with the very useful alerts that I used to have in PCM.  Most of my PCM alerts were simply syslog partial matches of an event description (e.g. "Over Current", "Bpdu recieved", etc.).  I see that this functionality is supposed to exist in iMC under the Syslog to Alarm function but I cannot get this to work.  I set up a Syslog template with a wildcard match and then created a Syslog to Alarm entry for this template.  When I browse the syslog I see events populating that should match the wildcard entry but nothing shows in "All Alarms" (I've even tried very general wildcards like *received* or *on*), which indicates to me that the alarm is not getting generated.  But what is even more troubling is that I do not think that I would be able to receive an email for the alarm even if it was being generated.  This is because when I look at Alarm Notification and look at what Alarms can be selected, it only lists the SNMP traps, not the Alarms that are defined in iMC.  I prefer syslog-based alarms because in my experience they tend to be more reliable than trapping.  So does anyone have this working in iMC version 7, i.e. syslog to alarm wildcarded matches with email notifications?  Thank you.


    #syslog


  • 2.  RE: iMC Syslog Email Alerts

    Posted Mar 31, 2014 09:27 PM

    When configuring your alarm to Email rule, look for the "imc Syslog" group - this contains traps you can use for syslogs escalated to alarms.



  • 3.  RE: iMC Syslog Email Alerts

    Posted Apr 01, 2014 10:57 AM

    Do you mean iMC -> Syslog -> "Trap upgraded from syslog"?  Also my other issue is that I do not see my Syslog to Alarm entries in All Alarms.  So I suspect they are not functioning properly.  My setup is:

     

    Syslog Type: Any
    Syslog Level: Emergency, Alert, Critical, Error, Warning, Notification, Informational, Debugging
    Repeat Interval (second): 300
    Repeat Times (Times): 50
    Alarm Level: Major
    Alarm Description: %Syslog%
    Forward to SCC: No
    Syslog Template: *disabled*

     

     

    I've followed the Admin Guide as well as the short write-up in this article but I still do not see the Syslog to Alarms showing up.



  • 4.  RE: iMC Syslog Email Alerts

    Posted May 20, 2014 05:25 AM

    hey

     

    There is a filter rule in Trap Management.

    Go to Trap Management -> Filter Trap -> Duplicate Trap Filter -> Unfiltered Duplicate Traps and add "Trap upgraded from syslog".

     

    best regards,

    luki

     



  • 5.  RE: iMC Syslog Email Alerts

    Posted May 20, 2014 05:28 AM

    Ah, and set the Repeat Interval and Repeat Times to 1!

    With your setup you need 50 syslog matches in 300 seconds to trigger the alarm.



  • 6.  RE: iMC Syslog Email Alerts

    Posted May 21, 2014 11:12 AM

    I am trying to do a very similar thing.  I have my Windows servers forwarding their warning and above events to the IMC (version 7).  I want to be able to get these events turned into alarms with the end-goal of these events being emailed to me.  I'm guessing that I have to create a Syslog template? Also need to Syslog to Alarm?  From there it needs to somehow be escalated to an IMC reportable alarm?  Trouble is, I can't get past first base so far--template.  I want the following server events to report to me: Application, Hardware, and System.  I have not been able to create the variables (parameters) to make any of this happen.  Has anyone had any success in getting from point A to Z as I'm trying to do?



  • 7.  RE: iMC Syslog Email Alerts

    Posted May 22, 2014 12:14 AM

    How are you forwarding the Windows Events to the IMC server?

     

    Assuming you're using a 3rd-party tool to send them as syslogs, then we should be able to work through the rest. 

     

    First part though - get the logs showing up on IMC under Alarm -> Syslog Management -> Browse Syslog.

     

    Do your events show up there?



  • 8.  RE: iMC Syslog Email Alerts

    Posted May 22, 2014 08:21 AM

    Right now, I'm using Solarwinds windows log forwarder to send the logs.  I'm only using a couple of servers at the moment and when I generate test events, they do show up in the syslog browser.  thanks for responding.



  • 9.  RE: iMC Syslog Email Alerts

    Posted May 22, 2014 08:06 PM

    OK, that's a good start. What format are the logs showing up as? Can you give us a screenshot of a couple of the log entries?

     

    I'm doing something similar with nxlog in my lab, but it will be formatting the syslog messages slightly differently to what you're using.



  • 10.  RE: iMC Syslog Email Alerts

    Posted May 23, 2014 07:18 AM

    I'll be very happy to provide screenshots.  I am out of town until next Thursday.  I will post the information then.  Have a great Memorial Weekend!



  • 11.  RE: iMC Syslog Email Alerts

    Posted May 23, 2014 07:34 PM

    Cool, we'll work through it then. When you've grabbed those screenshots, we should be able to figure out the right templates that you'll need.

    Enjoy the break


  • 12.  RE: iMC Syslog Email Alerts

    Posted May 29, 2014 09:18 AM

    As far as formats go, I believe it is in the evtx format.  If there is a specific way to check, I'm unaware of how to do it.  Here are some screenshots of events from a couple of the servers I have set to forward warning and above events to IMC.  I'm attaching a Word document with two screenshots as they appear in IMC.

     

     

     

     

    Attachment(s)

    docx
    IMCSYSlog.docx   703 B 1 version


  • 13.  RE: iMC Syslog Email Alerts

    Posted May 30, 2014 11:48 PM

    OK, so I'd probably start with a couple of templates like this:

     

    To pick up Warning Application events:

    "* MSWinEventLog * Application * Warning $(Hostname) 0 $(Message)"

     

    Warning System events:

    "* MSWinEventLog * System * Warning $(Hostname) 0 $(Message)"

     

    You can do something similar with Critical events.
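
Added example, not part of the thread and not iMC's own code: an offline sketch for checking a template like the one in post 13 against sample lines, and for seeing why the Repeat Times / Repeat Interval values discussed in post 5 decide whether an alarm is raised. Assumptions: `*` matches any text, `$(Name)` captures a field, an alarm fires once Repeat Times matches fall inside Repeat Interval seconds, and the log lines are constructed to fit the template rather than copied from a real forwarder.

```python
import re
from collections import deque

# Constructed sample: (seconds since start, syslog text). Not real output.
SAMPLE = [
    (0,   "srv01 MSWinEventLog 1 Application 4411 Warning SRV01 0 Disk quota threshold reached"),
    (40,  "srv02 MSWinEventLog 1 System 4412 Warning SRV02 0 Time service could not sync"),
    (95,  "srv01 MSWinEventLog 1 Application 4413 Warning SRV01 0 Certificate expires soon"),
    (130, "srv01 MSWinEventLog 1 Application 4414 Information SRV01 0 Service started"),
]
APP_WARNING = "* MSWinEventLog * Application * Warning $(Hostname) 0 $(Message)"

def template_to_regex(template):
    """Assumed semantics: '*' matches any text, $(Name) captures a field."""
    out = []
    for part in re.split(r"(\*|\$\(\w+\))", template):
        var = re.fullmatch(r"\$\((\w+)\)", part)
        if part == "*":
            out.append(".*?")
        elif var:
            out.append(f"(?P<{var.group(1)}>.+?)")
        else:
            out.append(re.escape(part))   # literal text must match exactly
    return re.compile("".join(out), re.DOTALL)

def alarm_times(match_times, repeat_times, repeat_interval):
    """Fire when repeat_times matches fall inside repeat_interval seconds."""
    window, fired = deque(), []
    for t in sorted(match_times):
        window.append(t)
        while window and t - window[0] >= repeat_interval:  # aged-out matches
            window.popleft()
        if len(window) >= repeat_times:
            fired.append(t)
            window.clear()                # assumed: counter resets after firing
    return fired

def evaluate(template, logs, repeat_times, repeat_interval):
    """Return (matched events, alarm timestamps); template needs both fields."""
    rx = template_to_regex(template)
    hits = [(t, m["Hostname"], m["Message"])
            for t, line in logs if (m := rx.fullmatch(line))]
    return hits, alarm_times([t for t, _, _ in hits], repeat_times, repeat_interval)

if __name__ == "__main__":
    for times, interval in ((50, 300), (1, 1)):
        hits, fired = evaluate(APP_WARNING, SAMPLE, times, interval)
        print(f"Repeat Times={times}, Interval={interval}s: "
              f"{len(hits)} matches, alarms at {fired}")
```

With the 50/300 setting the two matching events never reach the threshold, which is the same symptom as syslog entries appearing in the browser while nothing shows in All Alarms.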



  • 14.  RE: iMC Syslog Email Alerts

    Posted Jun 02, 2014 07:54 AM

    Thank you very much!  I'll give that a try.  I'm sure it's a matter of getting the templates right; however, I wasn't sure of what variables to use.  I will post the results.