Trigger alerts when receiving specific Syslog messages
You must be able to log in to the computer running your Orion server.
- Click Start > All Programs > SolarWinds Orion > Syslog Viewer.
- Click File > Settings.
- Click Alerts/Filter Rules.
- Click Add New Rule to create a rule, or edit a selected rule.
- On the General tab, complete the following steps:
  - Provide or edit the Rule Name.
  - Select Enabled.
  - Select the servers from the Apply this Rule To list.
  - Enter the IP addresses or subnets to which this rule applies in the Source IP Addresses area.
    Syslog rules may not be applied to nodes in an unmanaged state.
    For more information about designating nodes as unmanaged, see Suspend data collection or alerts for nodes in Maintenance Mode.
- To limit the rule only to messages from specific hosts, domains, or host name patterns, click the DNS Hostname tab, and enter a DNS Hostname Pattern.
  The DNS Hostname Pattern rule is case-sensitive.
  To use regular expressions, select Use Regular Expressions in this Rule.
  See Regular Expression Pattern Matching for the Orion Platform.
- To limit the rule only to specific message types or texts within a Syslog message, go to the Message tab, and enter rules for Message Type Pattern and Syslog Message Pattern.
- To apply specific severity or facility types, go to the Severity / Facility tab, and select the severity and facility types.
  By default, all message severities and facilities are selected.
- To apply the rule only during a specific period of time, select the Time of Day tab, select Enable Time of Day Checking, enter the time period, and select the days of the week on which to apply the rule.
  Messages received outside the specified time frame will not trigger alerts.
  Enabling Time of Day checking creates more overhead for the CPU.
- To suppress alert actions until a specified number of messages arrive that match the rule, complete the following procedure:
  - Select the Trigger Threshold tab, and select Define a Trigger Threshold for this Rule.
  - Enter option values.
    When Suspend Further Alert Actions For is selected, alert actions are not sent until the specified amount of time has expired. When the time period expires, only new alerts are sent. All alerts suppressed during the time period are discarded.
- Configure Syslog alert actions on the Alert Actions tab:
  - To create an action for the rule, click Add New Action.
  - To edit an action for the rule, select the action, and click Edit Selected Action.
  - Configure the action.
    See Syslog alert actions.
    Syslog alerts use a unique set of variables.
    See Syslog alert variables in the Orion Platform.
  - To delete an action, select the action, and click Delete Action.
  - Use the arrow buttons to set the order in which actions are performed.
    Actions are processed in the order listed, from top to bottom.
- Click OK to save all changes and return to Syslog Viewer Settings.
- Use the arrow buttons to arrange the order in which the rules are applied.
Rules are processed in the order they appear, from top to bottom.
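
To confirm that a saved rule fires, send it test messages with a known facility, severity, and text. The script below is an added example, not SolarWinds code: it builds RFC 3164 datagrams and sends a numbered burst so a Trigger Threshold can be exercised. The host name, tag, message text, and UDP port 514 are assumptions. Run it from a machine whose address falls within the rule's Source IP Addresses.

```python
import socket
import sys
import time

# RFC 3164 numeric codes for the names on the Severity / Facility tab.
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "informational": 6, "debug": 7}
FACILITY = {"kernel": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
            "syslog": 5, **{f"local{n}": 16 + n for n in range(8)}}


def build_message(facility, severity, host, tag, text, now=None):
    """Return one RFC 3164 datagram: <PRI>Mmm dd hh:mm:ss host tag: text."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    t = time.localtime(now)
    # RFC 3164 pads a single-digit day with a space, not a zero.
    stamp = (f"{time.strftime('%b', t)} {t.tm_mday:2d} "
             f"{time.strftime('%H:%M:%S', t)}")
    return f"<{pri}>{stamp} {host} {tag}: {text}".encode("ascii")


def build_burst(count, facility, severity, host, tag, text, now=None):
    """Numbered copies of one message, for exercising a Trigger Threshold."""
    return [build_message(facility, severity, host, tag,
                          f"{text} seq={i}", now)
            for i in range(1, count + 1)]


def send(server, datagrams, port=514, gap=0.2):
    """Send each datagram over UDP. Port 514 is assumed (syslog default)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for datagram in datagrams:
            sock.sendto(datagram, (server, port))
            time.sleep(gap)


if __name__ == "__main__":
    # Constructed sample values: choose text that the rule's Syslog Message
    # Pattern should match, and a facility/severity the rule has selected.
    burst = build_burst(5, "local4", "error", "lab-sw01", "TESTRULE",
                        "link down on Gi0/1 (rule test)")
    if len(sys.argv) > 1:
        send(sys.argv[1], burst)  # argv[1]: address of the Orion server
    for datagram in burst:
        print(datagram.decode())
```

Sending one message fewer than the configured threshold, then one more, shows whether the alert action is held back and then released as expected.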