Generating Alerts from UNIX/Linux SysLog messages in Operations Manager 2007

There's a KB article on the way documenting this, together with some future documentation being put together which will cover this.

A few things to cover off first. The SysLog module in OpsMgr07 together with that in MOM 2005 are hard coded to use UDP port 514. So there is no configuration of the module itself in this respect. This post covers off some of the undocumented parts of the SysLog module and specifically how to configure the expression builder to filter SysLog messages received.

Rather than re-document some of the excellent blog posts around (see https://contoso.se/blog/?p=158 for some excellent background), I simply wanted to cover some of what isn't known:-

In OpsMgr there are two rule types which you can use for processing SysLog messages from UNIX/Linux hosts

1) An Alert generating rule - SysLog module receives a SysLog message on port 514 and creates an OpsMgr Alert based on that message (you can of course configure additional responses to run on the OpsMgr agent as a response (Run a Command, or Run a Script)

2) Collection Rule - SysLog module receiveds a SysLog message on port 514, the event data is stored on the OpsMgr database. You can Run a command or script on the agent as a response, if required.

 

When configuring either rule it's the Expression builder for the SysLogDS (sysLog Data source) which becomes the stumbling block. So what do I put in as the criteria to filter incoming SysLog messages. Well here's the answer together with two tables corresponding to Facility and Severity codes converted by the SysLog module.

 

Figure 1 - SysLog facility names to SysLog module integer values

 

 Figure 2 - SysLog Priorities to SysLog module integer values

 

 

 Putting this together. If you wanted to filter based on Facility = Daemons with a Severity of Critical you can enter the following in the Expression builder as shown below:

 

You may also use property names such as Message (contains the text of issue itself), where if required you can use regular expressions to further filter the message.

 

When generating an OpsMgr alert you can utilize the following strings to output SysLog message data into the Alert:

 

$Data/EventData/DataItem/Facility$

$Data/EventData/DataItem/Severity$

$Data/EventData/DataItem/Priority$

$Data/EventData/DataItem/PriorityName$

$Data/EventData/DataItem/TimeStamp$

$Data/EventData/DataItem/HostName$

$Data/EventData/DataItem/Message$

 

Facility and Severity of course will be output in their numeric format as per the above tables.