Introduction

Syslog monitoring helps system administrators monitor the health status of applications or resource using Syslog messages.

A Syslog is a daemon process that runs on either Linux or Windows servers. The process sends events and log information to a collector (Syslog server) over an IP network. The gateway gathers and processes the Syslog messages according to a set of rules, translates messages to corresponding alerts, and forwards them to the OpsRamp cloud.

Syslog messages

Syslog messages include specifications that help identify information such as when, where, and how the log was sent. Syslog messages usually include the following details:

  • IP Address
  • Priority Number
  • Timestamp
  • Actual log message
  • Hostname
  • Tag

Example of a Syslog message: <25>1 2020-06-24T12:01:39.625926+05:30 bvrmlpt098 appname - - [timeQuality tzKnown="1" isSynced="1" syncAccuracy="253500"]This is an actual syslog Message

Syslog message description

Syslog Message Description
Message PartValueInformation
PRI25Facility = 3, Severity = 1
VERSION1Version 1
TIMESTAMP2020-06-24T12:01:39.625926+05:30Message created on Wed Jun 24 17:31:39 UTC 2020
HOSTNAMEabcdept098Message originated from host "abcdept098"
APP-NAMEappnameApp-Name: "appname"
PROCID-Unknown
MSGID-Unknown
STRUCTURED-DATA[timeQuality tzKnown="1" isSynced="1" syncAccuracy="253500"]Structured Data
MSGActual syslog MessageThis is an actual syslog Message

Syslog message format

A Syslog message consists of three parts:

  • PRI
  • HEADER
  • MSG

The PRI data sent via Syslog server help arrange and classify the message using two numeric values:

  • Facility
  • Severity

Facility

Classifies the message type that generated the Syslog event. The facility value is one of the fifteen predefined values or locally defined values ranging from 16-23.

Facility
NumberFacility Description
0Kernel Messages
1User-level Messages
2Mail System
3System Daemons
4Security/Authorization Messages
5Messages generated by syslogd
6Line Printer Subsystem
7Network News Subsystem
8UUCP Subsystem
9Clock Daemon
10Security/Authorization Messages
11FTP Daemon
12NTP Subsystems
13Log Audit
14Log Alert
15Clock Daemon
0-16Local Use 0 - 7

Severity

Classifies the severity or importance of the messages ranging from 0-7.

Severity
NumberSeverityDescription
0EmergencySystem is unusable
1AlertAction must be taken immediately
2CriticalCritical conditions
3ErrorError conditions
4WarningWarning conditions
5NoticeNormal but significant condition
6InformationalInformational messages
7DebugDebug-level messages

The priority value(PRI) provides the facility and severity of the messages generated from a system. Multiply the facility value by eight and add the severity value to the result to calculate the PRI: {Faclity value * 8} + Severity = PRI

The lower the PRI, the higher the priority.

Advantages of Syslog monitoring

  • Increased security
  • Easier detection of any issues
  • Timely action
  • High performance

OpsRamp Syslog monitoring process flow

Syslog Monitoring Process Flow

Syslog Monitoring Process Flow

Syslog monitoring configuration

Syslog monitoring configuration is used to:

  • Forward thousands of messages sent from different devices to a daemon exclusively.
  • Configure Syslog listeners. This specifies that Syslog messages are received and processed via TCP/UDP from the target resources.
  • Define include and exclude list. This pre-processes all incoming messages and optimizes CPU cycles to process rules for all messages.
  • Define the set of rules. This provides granular-level filtering for important messages and subsequent alert generation.

Syslog is configured via Setup > Monitoring > Syslog Monitor Configuration and involves:

  1. Adding a configuration profile
    Configuration profiles set the severity and facility of the Syslog messages. Profiles also instruct the Gateway to filter only those messages that match the facility and severity defined by the user.
  2. Adding rules
    Rules set alert preferences, Syslog message patterns, and actions. For example, rules can be specified to receive warning alerts for user-level messages and mail system that includes the regex pattern: [(.+)] [(.+)] (.+).

Creating Syslog monitoring profiles

The Syslog Monitor Configuration functionality is used to filter messages and then generate alerts from the desired messages. For example, to stop receiving alerts for mail system messages, OpsRamp can be “trained” to not monitor those messages.

Prerequisites

  • Syslog server installed in the managed environment.
  • Good knowledge of regular expressions.

To create a Syslog monitoring configuration:

  1. From All Clients, select a client.
  2. Select Setup > Monitoring > Syslog Monitoring Configuration.
  3. From the SYSLOG MONITORING CONFIGURATION screen, select one of the following tabs:
    • Configuration Profile
    • Rules
  4. To add a profile:
    1. Click +Add.
    2. From the Configuration Profile section, provide the following information and click Next:
      • Client: Client name.
      • Management Profile: List of management profiles configured in Resources > Management Profiles.
      • Configuration Name: Name provided for the configuration profile.
      • Description: Brief description of the purpose for the profile.
    3. From the Global Filters section, provide the following information and click Save:
      • Severity: Level of intensity of the Syslog messages.
      • Facility: Type of messages to monitor (via Syslog) and use to generate alerts.
      • Resource Filter: IP range for servers used to monitor and receive messages.
      • Rules: Rules that are set to identify the Syslog messages.
  5. To add a new rule:
    1. Click +Add.
    2. From the Rules section, provide the following information and click Submit:
      • Scope: Partner or the client-specific rules.
      • Name: Rule name.
      • Action: Determines how to process the Syslog messages.
        • Include: Sends only matching data.
        • Exclude: Ignores the matching data and sends the remaining data.
      • Regex Pattern: The regular expression pattern that is used to compile and compare with the incoming messages. OpsRamp sends an alert in case of a match.
      • Metric Name: Name of the metric. Note: Regular expressions can also be used to specify a metric name. For example, Cisco Emergency Responder.
      • Component: Syslog message module. For example, Authentication Failure.
      • Alert Subject: Summary content of the alert.
      • Alert Description: Brief description of the entities used to generate alerts.
      • Alert Severity: Severity of the alerts.
      • Tags: User-defined tags used for filtering.
        The SYSLOG MONITORING CONFIGURATION screen displays the configured profiles and rules.

The rules displayed in the Rules tab depends on one of the following scopes:

  • Service provider rules
  • Partner rules
  • Client rules

After configuring the rules, you can add configuration profiles for multiple rules using Add > New Configuration Profile from the Rules tab. This facilitates the ease of searching and filtering multiple rules from the Configuration Profiles tab.

Extracting regular expressions dynamically

If there is a Syslog message-rule match, you can dynamically extract groups using regular expressions to generate an Alert Subject, Alert Description, Component, and Metric Name. For example, from the syslog message: [08:52:18] [ERROR] Ceci doit aparaitre and the regular expression: [(.+)] [(.+)] (.+), the extracted groups are:

  • Group 1 = 08:52:18
  • Group 2 = ERROR
  • Group 3 = Ceci doit aparaitre.

The extracted groups can dynamically generate an Alert Subject, Alert Description, Component, and Metric Name. For example, Severity: ${2}. Syslog raised time ${1} dynamically generate Severity: ERROR. Syslog raised time 08:52:18.

Predefined macros for syslog

  • ${timestamp} - Replaces the timestamp in milliseconds.
  • ${received.syslog.message} - Replaces the raw syslog message received from the remote device.

Viewing details

After configuring the Syslog attributes, view the details (such as configuration profile and rules) on the Syslog Monitoring Configuration screen.

Viewing configuration profiles

View profile details in the Syslog Monitoring Configuration > Configuration Profiles tab.

View Configuration Profile

View Configuration Profile

Viewing rules

View rule details in the Syslog Monitoring Configuration > Rules tab.

View Rules

View Rules

Searching profiles and rules

Searching is available on the Syslog Monitoring Configuration screen. Methods used for searching include:

  • Regular search
  • Advanced search
  • Advanced search - configuration profile
  • Advanced search - rules

Use the search option to find a configuration profile and rules using the configuration name and rule name. For searching with criteria, use the Advanced option.

Search results can be filtered by using the advanced search.

Advanced search – configuration profile

To search using additional options:

  1. Click Advanced.
  2. From ADVANCED SEARCH window, provide the following information:
    • Client
    • Configuration Name
  3. Click Search.

The Configuration Profile screen displays the search results.

Advanced search – rules

To search using additional options:

  1. Click Advanced.
  2. From ADVANCED SEARCH, provide the following information:
    • Client
    • Action
    • Tags
  3. Click Search.

The Rules screen displays the search results.

Deleting profiles and rules

Existing configuration profiles or rules are deleted by using the Remove option. You can also remove Syslog configuration from a single Gateway management profile by removing the management profile from your Syslog configuration.