Manage Syslog Messages on a Device

Event logging facilities are indispensable to IT personnel in identifying error conditions (e.g., hardware failures, unauthorized logins or network failures). These conditions are typically identified by scanning the generated log for patterns indicating a problem. SilverBack includes powerful Event Monitors to help you manage your Syslog Event Logs.

This topic takes you through the following processes:

 


Adding Syslog Event Monitors

  1. From the Monitoring category page click on the Add Event Monitor link to display the Add Event Monitor form.

You will use all three tabs in the Add Event Monitor form.

  1. In the Attributes tab, select your own domain as the parent domain from the Management Domain drop-down.

  2. Select Syslog from the Event Monitor Type drop-down.

  3. Enter the Event Monitor's Name. The Description is optional.

    The maximum size of this field is 1024 characters. You can also enter HTML links here in the format "http://<target>", "https://<target>" or "mailto:<email_address>". The quotation marks are mandatory for HTML links.

    Each object in the SilverBack managed services platform requires a unique name that is as descriptive as possible.

    The Event Monitor name is included in both the Current Faults and Event Monitor Summary reports, as well as in all email and pager notifications.

    The name should be as descriptive as possible, with a maximum length of 64 characters.

    If you leave the Name field blank, you will be prompted to enter it before you can save.

  4. Indicate the Event Monitor’s visibility to other sites by clicking on the Visible to Subdomains checkbox.

    The default visibility state is False (unchecked). If left unchecked, the Event Monitor will not generate alerts on devices in subdomains.

 

  1. Click on the Filters tab.

 

  1. In the Filters tab, click on the New Filter button.

You will use only the General tab in the Create Filter dialog.

  1. Select the Event Log from the drop-down. You can select from:

  1. Select the Category ID from the drop-down list box.

  1. Make sure that there is a check mark in the Enabled checkbox. Otherwise your Event Monitor filter will not be activated.

  2. Select the Field drop-down. The field you choose determines the available operators.

  3. Select the Operator drop-down. Depending on the Event Monitor type and the selected field, the operators vary.

  4. Enter the Value. If this field has a finite set of possible values, those values will be available for you to select from the list.

When you create a filter, all filter components are ANDed together. For example, if you create a filter with (Facility=Local7(23) and Severity=Error(3)), both the facility and the severity must match for an alert to occur.
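The AND behaviour described above, as an added Python example (not SilverBack code): it decodes the facility and severity from a syslog priority header and applies the Facility=Local7(23) and Severity=Error(3) filter. It assumes messages carry a leading `<PRI>` value where PRI = facility × 8 + severity; the function names and sample lines are constructed for illustration.

```python
import re

# Standard syslog severity names; the list index is the numeric code.
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode(line):
    """Split a raw syslog line into facility code, severity code and message."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:      # 23*8 + 7 is the largest valid PRI
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    return {"facility": facility, "severity": severity, "message": m.group(2)}


def matches(event, conditions):
    """All conditions are ANDed: every field must equal its required value."""
    return all(event.get(field) == value for field, value in conditions.items())


def apply_filter(lines, conditions):
    """Return the matched events; len() of the result is the match count."""
    events = (decode(line) for line in lines)
    return [e for e in events if e is not None and matches(e, conditions)]


# Constructed sample input (not captured from a real device).
SAMPLE = [
    "<187>Oct 11 22:14:15 rtr01 %LINK-3-UPDOWN: Interface Gi0/1 down",   # local7.error
    "<189>Oct 11 22:14:16 rtr01 %SYS-5-CONFIG_I: Configured from console",  # local7.notice
    "<35>Oct 11 22:14:17 host01 sshd[411]: error: PAM: Authentication failure",  # auth.error
    "no priority header at all",
]

# The filter from the text: Facility=Local7(23) AND Severity=Error(3).
LOCAL7_ERROR = {"facility": 23, "severity": 3}

if __name__ == "__main__":
    hits = apply_filter(SAMPLE, LOCAL7_ERROR)
    print(len(hits), "match(es)")
    for e in hits:
        print(SEVERITIES[e["severity"]], e["message"])
```

Only the first sample line matches: the second has the right facility but the wrong severity, and the third has the right severity but the wrong facility, so neither would raise an alert under an ANDed filter.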

 

  1. Click on the Add button.

  2. To accept the default settings for alerting, storing and counting, click on the Apply button. The filter is saved, and the display refreshes to the Filters tab. Notice that the new filter appears in the list.

 

  1. Click on the Targets tab.

 

  1. In the Targets tab, select targets by selecting one of the following radio buttons:

  1. Click on the Save button to save the new Event Monitor.

You are now managing the selected Syslog Event Monitor for the selected devices.

 


Counting, Storing and Alerting on Events

Once you are satisfied that your Event Monitors and filters are configured correctly, you will likely want to perform more advanced operations on them in order to maximize their usefulness, as well as to gather as much information as possible. With SilverBack Event Monitors you can:

  1. From the Monitoring category page click on the Browse Event Monitors link to display the Event Monitors report.

  1. Click on an Event Monitor and then select the Edit (or Edit PC from MPT if the Event Monitor resides in a Monitoring Policy Template) option.

 

  1. In the dialog window that appears, click on the OK button to display the Edit Event Monitor form.

 

  1. Click on the Filters tab.

  2. In the Filters tab, click on a filter to select it (it becomes highlighted), then click on the Edit Filter button to display the Edit Filter dialog window.

 

  1. In the Edit Filter dialog window, click on the Advanced tab.

  2. In the Advanced tab, select the Generate alerts checkbox to activate the alerting options, then select the alert Severity from the drop-down.

You can select from Critical, Major, Minor and Informational.

  1. Select the radio button corresponding to the alerting option you prefer, and configure it as needed:

  1. To save details of the events captured, click on the Store matched events detail checkbox.

  2. To store a count of the number of times a filter matched an event, but not save the event, click on the Store matched events count checkbox.

 

  1. Click on the Apply button to store the changes and return to the Create Filter dialog.

  2. In the Create Filter dialog, click on the Save button to save the filter with its new parameters.

 


 
