
Help Configuring SYSLOG and Logmon for Cisco message Severity

Discussion created by owngeek on Jan 27, 2011
Latest reply on Jan 27, 2011 by keith_k

Hi, we have a Nimsoft On Demand server which is in the "cloud". We have a few hubs on the inside of our network that feed the QOS messages, QOS message definitions and alarms to the NMS server in the cloud for display via the web page.

That is the overall architecture: the internal NAS server sends one-way alarms to the cloud box, where the NIS is, as well as the WASP etc.

 

On the HUB on the inside we have the SYSLOGGTW probe running along with LOGMON. The problem is that Cisco severity does not equal what our company considers severe. For us BGP neighbor down is BAD; for Cisco it is a level 5.

So I set up the SYSLOGGTW probe as shown in the picture.

Then the HUB has a queue called "SYSLOG-IN".

In the logmon probe it is configured as follows:

On the left side created something called SYSLOG and checked it

Then on the right side type is QUEUE

Name is SYSLOG-IN

Check Interval 1 min

Generate QOS = checked

Generate Alarm = Checked

send message using a specific subject = unchecked

max alarm count = 5

max alarm message = blank

format rules = blank

watcher rules: made a few things such as:

"BGP-5-ADJCHANGE" -- under Standard match expression is *BGP-5-ADJCHANGE*

Message to send on match is blank

severity level is critical

run command on match is blank

variables = blank

advanced = blank

qos = blank

alarm section, message subsystem = blank

alarm section, suppression key = $PROFILE.$WATCHER

source = blank

The problem is the messages come in like this via email:

Subject: Alarm: critical Probe: logmon - neomon01 10.3.111.14


In the body we have:

critical

10.3.111.14[neomon01]

Alarm

Robot: neomon01

Probe: logmon


notice 10.81.254.3 Jan 25 00:08:36 10.81.254.3 197: Jan 25 08:08:35.484 UTC: %BGP-5-ADJCHANGE: neighbor 10.255.81.2 Down

Time: Mon Jan 24 18:10:14 2011, Arrival Time: Mon Jan 24 18:10:17 2011, Assigned To:Count: 1

What we would like is to have the following subject line in the email:

Alert: <SEVERITY> %BGP-5-ADJCHANGE: neighbor 10.255.81.2 Down

And we would like the body to be cleaned up so it shows:

critical

10.64.2.1[wanrouter2]

Alarm

Robot: neomon01

Probe: logmon


%BGP-5-ADJCHANGE: neighbor 10.255.81.2 Down

Time: Mon Jan 24 18:10:14 2011, Arrival Time: Mon Jan 24 18:10:17 2011, Assigned To:Count: 1
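The two things the post asks for are a severity policy (Cisco's level 5 for BGP-5-ADJCHANGE must become "critical" for this organisation) and a cleaned message (the syslog transport prefix dropped so the subject reads "Alert: <severity> %BGP-5-ADJCHANGE: ..."). The script below is an added example, not the poster's configuration and not Nimsoft logmon code: it models that policy in Python so it can be checked against sample lines before being encoded as watcher rules. The first sample line is the one quoted in the post; the other two, the default severity table and the `ORG_OVERRIDES` dictionary are constructed assumptions.

```python
import re

# Constructed sample syslog lines: the first is the line quoted in the post,
# the other two are invented to show the "Up" case and a low-severity message.
SAMPLE_LINES = [
    "notice 10.81.254.3 Jan 25 00:08:36 10.81.254.3 197: Jan 25 08:08:35.484 UTC: "
    "%BGP-5-ADJCHANGE: neighbor 10.255.81.2 Down",
    "notice 10.81.254.3 Jan 25 00:09:02 10.81.254.3 198: Jan 25 08:09:01.120 UTC: "
    "%BGP-5-ADJCHANGE: neighbor 10.255.81.2 Up",
    "info 10.81.254.3 Jan 25 00:10:00 10.81.254.3 199: Jan 25 08:09:59.000 UTC: "
    "%SYS-6-LOGOUT: User admin has exited tty session 1",
]

# Cisco IOS messages carry a %FACILITY-SEVERITY-MNEMONIC: text token;
# everything before it is transport/timestamp prefix we want to drop.
CISCO_MSG = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*?)\s*$"
)

# Default mapping from Cisco's 0-7 scale to Nimsoft alarm levels.
# Assumption: this table is ours, not something the post or the product prescribes.
DEFAULT_SEVERITY = {
    0: "critical", 1: "critical", 2: "critical",
    3: "major", 4: "minor", 5: "warning",
    6: "information", 7: "information",
}

# Organisation overrides keyed on FACILITY-SEV-MNEMONIC. The post only names
# BGP-5-ADJCHANGE as critical; anything else falls back to the default table.
ORG_OVERRIDES = {
    "BGP-5-ADJCHANGE": "critical",
}


def classify(line):
    """Return the organisation severity plus a cleaned message and subject for
    one syslog line, or None if no Cisco %FACILITY-SEV-MNEMONIC token is present."""
    m = CISCO_MSG.search(line)
    if m is None:
        return None
    key = f"{m['facility']}-{m['sev']}-{m['mnemonic']}"
    cisco_sev = int(m["sev"])
    severity = ORG_OVERRIDES.get(key, DEFAULT_SEVERITY[cisco_sev])
    message = f"%{key}: {m['text']}"
    return {
        "key": key,
        "cisco_severity": cisco_sev,
        "severity": severity,
        "message": message,                          # body line, prefix stripped
        "subject": f"Alert: {severity} {message}",   # subject line the post asks for
    }


def classify_all(lines):
    """Classify a batch of lines, skipping any that are not Cisco-formatted."""
    results = []
    for line in lines:
        r = classify(line)
        if r is not None:
            results.append(r)
    return results


if __name__ == "__main__":
    for r in classify_all(SAMPLE_LINES):
        print(r["subject"])
```

One caveat this makes visible: a mnemonic-only override, like the post's `*BGP-5-ADJCHANGE*` match expression, classes the neighbor "Up" line as critical too. If "Up" should clear rather than raise, a second, more specific match on the message text is needed, and both rules should share the same suppression key so the clear correlates with the alarm.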
