This is a feature which is currently only included in the Subscription Edition of Observium since r7970.
Syslog alerting allows you to generate notifications from the syslog messages produced by your devices. This lets you be notified of potential issues that are not easily detected during the regular poller process, such as OSPF changes, duplicate IP and MAC addresses, and configuration changes.
Syslog alerting in Observium integrates with the existing contact system, so it allows you to notify via the usual channels, E-mail, Slack, Pagerduty, XMPP, webhook, etc.
For a complete overview of transport methods, see: Alerting Transports
First make sure you have configured syslog to integrate with Observium. The documentation for doing this can be found here: Syslog Integration
If you are running r7970 or later you will find two new entries in the global menu:
- Syslog Alerts
- Syslog Rules
Let's start by creating a useful syslog alert rule that triggers an alert when a duplicate MAC address is found on a Cisco device:
- First click on Syslog Rules in the global menu
- Then click on Add Syslog Rule
You will then be presented with the following screen, where you have to configure the details of the syslog alert rule:
- Rule Name: a short name for the rule, useful for short-format notification methods such as SMS
- Message: the descriptive message used in the majority of notifications
- Regular Expression: the actual rule, matched against the content of the syslog message
Syslog Rules are built using standard PCRE regular expressions.
There are many online resources to help you learn and test regular expressions. Good resources include regex101.com, the Debuggex cheatsheet, regexr.com and Tutorials Point; many other sites with examples can be found online.
A simple rule to match the word "duplicate" anywhere in the syslog message would look like:
A more complex rule to match SSH authentication failures from PAM for the users root or adama might look like:
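As an added illustration that is not part of the Observium documentation or code, the following Python script shows how a small set of PCRE-style syslog rules of the kind described above, one matching "duplicate" anywhere in the message and one matching PAM SSH authentication failures for the users root or adama, are evaluated against syslog lines. The rule patterns, the sample log lines and all function names are my own constructions; Observium evaluates its rules in PHP, but these particular patterns behave the same under Python's `re` module.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SyslogRule:
    """One syslog alert rule: short name, long message, PCRE-style regex."""
    name: str      # short name, suited to SMS-style transports
    message: str   # descriptive text used in most notifications
    regex: str     # pattern matched against the syslog message text


# Hypothetical rules written for this example; they are not Observium's own.
RULES = [
    SyslogRule("DUPADDR",
               "Duplicate address reported by a device",
               r"\bduplicate\b"),
    SyslogRule("SSHFAIL",
               "SSH authentication failure via PAM for a privileged user",
               r"pam_unix\(sshd:auth\): authentication failure.*\buser=(root|adama)\b"),
]

# Constructed sample syslog lines (message part only, as a collector would store them).
SAMPLE_LINES = [
    "%IP-4-DUPADDR: Duplicate address 10.0.0.1 on GigabitEthernet0/1, "
    "sourced by 0011.2233.4455",
    "sshd[2345]: pam_unix(sshd:auth): authentication failure; logname= uid=0 "
    "euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root",
    "sshd[2346]: pam_unix(sshd:auth): authentication failure; logname= uid=0 "
    "euid=0 tty=ssh ruser= rhost=192.0.2.10  user=bob",
    "sshd[2347]: Accepted publickey for alice from 192.0.2.11 port 51234 ssh2",
]


def evaluate(rules, line):
    """Return every rule whose regex matches the line.

    Matching is case-insensitive here (an assumption of this example, so that
    "Duplicate" and "duplicate" both trigger the DUPADDR rule).
    """
    return [rule for rule in rules if re.search(rule.regex, line, re.IGNORECASE)]


def triggered(rules, lines):
    """Return (rule name, line) pairs for each rule/line combination that matches."""
    hits = []
    for line in lines:
        for rule in evaluate(rules, line):
            hits.append((rule.name, line))
    return hits


def notification(rule, line, short=False):
    """Render a notification: Rule Name for short transports, Message otherwise."""
    if short:
        return f"{rule.name}: {line}"
    return f"{rule.message}\n{line}"


if __name__ == "__main__":
    for name, line in triggered(RULES, SAMPLE_LINES):
        rule = next(r for r in RULES if r.name == name)
        print(notification(rule, line, short=True))
```

Running the script prints one short-format notification for the duplicate address line and one for the root login failure; the failure for user bob and the successful publickey login match neither rule, which is the behaviour you want when tuning a rule so it does not page on routine traffic.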
Example Syslog Rules
Here are a couple of alerts you could implement which come in pretty handy:
To actually send out notifications, you have to associate the syslog alert rule with a contact. To do this, edit the contact you have configured, select a syslog alert rule from the drop-down and click + Associate. Once you have done this, the association is complete.
If you associate it to an email contact, the notification will look like this: