How to Alert on Syslog Messages?

Syslog messages provide real-time insight into events occurring on your network devices, such as errors, interface state changes, security warnings, and system notifications. By configuring alerts based on syslog messages in Auvik, you can be notified when important events occur, often before users report an issue.

This article explains how to configure syslog-based alerts.

Prerequisites

Before configuring syslog-based alerts, ensure the following:

  • The devices sending syslog are discovered and monitored in Auvik.
  • Syslog is enabled on your network devices and configured to send messages to Auvik.
  • Syslog messages are visible in Syslog > View Logs.

For more details, refer to How do I get started with syslog?

How Syslog Alerting Works in Auvik

Auvik evaluates incoming syslog messages and triggers alerts when individual messages match defined criteria. Alerts can be configured based on:

  • Message content (keywords or phrases)
  • Severity level
  • Source device

When a syslog message meets the configured conditions, Auvik generates an alert and sends notifications according to your alert notification settings.

Notes:

  • Only syslog messages that are successfully processed by Auvik are evaluated for alerting. Messages that are dropped, malformed, or not ingested by the Auvik collector will not trigger syslog alerts.
  • Each syslog message is evaluated independently.
  • Auvik evaluates only the first 2 KB (2048 bytes) of each syslog message when applying alert conditions. Any message content beyond the first 2 KB is not considered.
  • The Message contains trigger condition supports only alphanumeric characters. Avoid special characters in the pattern.

Recommendation:
Most vendors include the log type directly in the syslog message. Using the log type as part of your trigger condition allows you to precisely target the events you want to be alerted on and reduce unnecessary notifications.
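The following added example (not Auvik's code) models the evaluation rules described above over a few constructed syslog lines: each message is judged on its own, malformed messages are skipped, only the first 2048 bytes are searched, a Severity condition is compared against the severity decoded from the message's PRI value, and a Message contains pattern must be alphanumeric. The sample messages, the device names and the assumption that spaces are permitted in a pattern are all made up for illustration.

```python
import re
from typing import Optional

# Syslog severity codes 0..7, named as they appear in the Severity condition.
SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Informational", "Debug"]
EVALUATED_BYTES = 2048  # only the first 2 KB of a message is considered

def parse_syslog(line: str):
    """Return (severity_name, text) for a '<PRI>...' line, or None if malformed.
    Malformed messages are never evaluated for alerting."""
    head = line.encode("utf-8")[:EVALUATED_BYTES].decode("utf-8", "ignore")
    m = re.match(r"<(\d{1,3})>(.*)", head, re.S)
    if not m or int(m.group(1)) > 191:
        return None
    pri = int(m.group(1))
    return SEVERITY_NAMES[pri & 7], m.group(2)  # PRI = facility * 8 + severity

def validate_pattern(pattern: str) -> None:
    """'Message contains' accepts only alphanumeric text (spaces assumed allowed)."""
    if not pattern or not all(c.isalnum() or c == " " for c in pattern):
        raise ValueError(f"unsupported characters in pattern: {pattern!r}")

def matches(line: str, severity: Optional[str] = None,
            contains: Optional[str] = None) -> bool:
    """Apply one trigger rule: every configured condition must hold."""
    if contains is not None:
        validate_pattern(contains)
    parsed = parse_syslog(line)
    if parsed is None:
        return False
    sev, text = parsed
    if severity is not None and sev != severity:
        return False
    if contains is not None and contains not in text:
        return False
    return True

# Constructed sample messages (not real device output).
# PRI 188 = local7/Warning, 184 = local7/Emergency, 190 = local7/Informational.
SAMPLE_LINES = [
    "<188>Jan 10 09:15:02 edge-fw1 LINKDOWN: interface ge-0/0/1 changed state to down",
    "<184>Jan 10 09:15:03 edge-fw1 POWERFAIL: primary power supply lost",
    "<190>Jan 10 09:15:04 edge-fw1 " + "x" * 2100 + " LINKDOWN: keyword past the 2 KB window",
    "no PRI header here LINKDOWN",
]

def alerting_lines(lines, severity=None, contains=None):
    """Indices of the lines that would raise the alert for the given rule."""
    return [i for i, line in enumerate(lines) if matches(line, severity, contains)]

if __name__ == "__main__":
    print(alerting_lines(SAMPLE_LINES, contains="LINKDOWN"))   # [0]: line 2 is truncated, line 3 is malformed
    print(alerting_lines(SAMPLE_LINES, severity="Emergency"))  # [1]
```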

Creating a Syslog Alert

  1. Navigate to Manage Alerts > Alerts.
  2. Click Create New Alert.
  3. In the search box, enter syslog.
  4. Select Syslog - Message, then click Next.
  5. Enter an Alert Name and Alert Description (use a name that clearly describes what you want to detect).
  6. Under Apply alerts to the following organizations, select the Auvik site(s) that the alert definition should apply to.
  7. Under Which devices?, choose which devices the alert applies to:
    1. Select an existing tag, or
    2. Define the device selection directly in the alert.
  8. Set the Alert Severity of the alert notification. Note: This is not the same as the syslog message severity.
  9. Under Trigger Conditions, click Add Rule to configure when to trigger an alert.
    1. Severity: Set this to the syslog message severity you want to match (for example, Severity equals to Emergency).
    2. Message: Enter the plain-text pattern you want to match (for example, the vendor’s log type ID or keyword that identifies the event).
  10. Enter a Trigger message (this text is included in the alert notification and should explain what happened).
  11. Under Notifications, select the notification channels to use when the alert triggers.
  12. Enter a Clear message to provide context when the alert clears.
  13. Click Complete and Save.

The following notification variables are available:

  1. Syslog severity
  2. Syslog message
  3. $system.name for source device
  4. $system.serialNo for source device
  5. $system.vendor for source device
  6. $system.model for source device
  7. $system.deviceClass for source device
  8. $system.softwareVersion for source device
  9. $deviceinterfaces.ipv4.addresses.address.ip for source device
  10. $deviceinterfaces.macAddress for source device