DX Unified Infrastructure Management

  • 1.  Help Configuring SYSLOG and Logmon for Cisco message Severity

    Posted Jan 26, 2011 09:38 PM

Hi, we have a Nimsoft On Demand server which is in the "cloud". We have a few hubs on the inside of our network that feed the QoS messages, QoS message definitions and alarms to the NMS server in the cloud for display via the web page.

     

That is the overall architecture, where the internal NAS server sends one-way alarms to the cloud box where the NIS is, as well as the WASP etc.

     

On the HUB on the inside we have the SYSLOGGTW probe running along with LOGMON. The problem is that Cisco severity does not equal what our company considers severe. For us, BGP neighbor down is BAD; for Cisco it is a level 5.

     

So I set up the SYSLOGGTW probe as shown in the picture.

     

    Then the HUB has a queue called "SYSLOG-IN"

     

In the logmon probe it is configured as follows:

On the left side I created something called SYSLOG and checked it

    Then on the right side type is QUEUE

    Name is SYSLOG-IN

    Check Interval 1 min

    Generate QOS = checked

    Generate Alarm = Checked

    send message using a specific subject = unchecked

    max alarm count = 5

    max alarm message = blank

    format rules = blank

watcher rules: I made a few, such as:

     

    "BGP-5-ADJCHANGE" -- Under standard match expression is      *BGP-5-ADJCHANGE*

    Message to send on match is blank

    severity level is critical

    run command on match is blank

    variables = blank

    advanced = blank

    qos = blank

    alarm section, message subsystem = blank

alarm section, suppression key = $PROFILE.$WATCHER

    source = blank

     

     

    The problem is the messages come in like this via email:

    Subject: Alarm: critical Probe: logmon - neomon01 10.3.111.14

     

    In the body we have:

    critical

    10.3.111.14[neomon01]

    Alarm

    Robot: neomon01

    Probe: logmon

     

    notice 10.81.254.3 Jan 25 00:08:36 10.81.254.3 197: Jan 25 08:08:35.484 UTC: %BGP-5-ADJCHANGE: neighbor 10.255.81.2 Down

    Time: Mon Jan 24 18:10:14 2011, Arrival Time: Mon Jan 24 18:10:17 2011, Assigned To:Count: 1

     

What we would like is to have the following subject line in the email:

    Alert: <SEVERITY > %BGP-5-ADJCHANGE: neighbor 10.255.81.2 Down

     

And we would like the body to be cleaned up so it shows:

    critical

    10.64.2.1[wanrouter2]

    Alarm

    Robot: neomon01

    Probe: logmon

     

    %BGP-5-ADJCHANGE: neighbor 10.255.81.2 Down

    Time: Mon Jan 24 18:10:14 2011, Arrival Time: Mon Jan 24 18:10:17 2011, Assigned To:Count: 1



  • 2.  Re: Help Configuring SYSLOG and Logmon for Cisco message Severity

    Posted Jan 26, 2011 09:40 PM

    SYSLOG Gateway config pic:

    hub queue pic

    logmon pic

     



  • 3.  Re: Help Configuring SYSLOG and Logmon for Cisco message Severity

    Posted Jan 27, 2011 06:18 AM

    If you want to change the format of the alarm email message, you have to change your AO profile to run a script rather than send an email. Then you can write a Lua script that sends the email (using the action.email() function) but first formats it exactly as you want. The emailgtw probe automatically formats forwarded alarms in a certain way, but if it receives a pre-formatted message, it should send that as is. You would need to do this if you want to put different fields into the subject of the email.

     

    Some of the changes you want could be done in the logmon probe. You just need to set up the watcher rule with a regular expression that has captures (using parentheses) for the fields you want to extract from the syslog message. After you set up the match to use a regex like that, you can update the alarm message such that it includes the information you want and leaves out everything else. I am fairly certain that you can even specify the source using a variable from the log message text. The one thing that is unclear to me is where the IP address 10.64.2.1 came from. I only see 10.81.254.3 in the original message.

     

    The easiest way to do this and test it would be to put a syslog message in a text file and create a logmon profile that reads that file (using "cat" mode). Then you should get an alarm every time it looks at that file, and you can edit the match regex and alarm message until they look the way you want.

     

    -Keith
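
Added example (not code from the thread, and not Nimsoft's logmon or NAS code): the two pieces Keith describes, a regular expression with captures that pulls the source IP and the `%FACILITY-SEV-MNEMONIC: text` part out of a Cisco syslog line, plus a site severity policy that overrides Cisco's own level so that a BGP neighbor going down is critical. The sample lines are constructed, modelled on the one quoted in the first post, and the severity mapping is an assumed illustrative policy, not a Cisco or Nimsoft default. Python is used here so the regex and the mapping can be exercised offline before the pattern is pasted into a watcher rule; the exact logmon syntax for referencing a capture in the alarm message or source field is not reproduced.

```python
import re
from typing import Optional

# Nimsoft alarm levels, lowest to highest (the thread's email shows "critical").
SEVERITIES = ("clear", "information", "warning", "minor", "major", "critical")

# Assumed default translation of Cisco syslog severity 0-7 to a Nimsoft level.
# Illustrative policy for this example only.
CISCO_DEFAULT = {0: "critical", 1: "critical", 2: "major", 3: "minor",
                 4: "warning", 5: "information", 6: "information", 7: "information"}

# Site overrides, checked in order, first match wins. Each pattern is applied to
# the "%FACILITY-SEV-MNEMONIC: text" part only, so the relay/timestamp prefix
# cannot influence the decision.
SITE_RULES = [
    (re.compile(r"^%BGP-5-ADJCHANGE: neighbor \S+ Down"), "critical"),
    (re.compile(r"^%BGP-5-ADJCHANGE: neighbor \S+ Up"), "clear"),
    (re.compile(r"^%LINK-3-UPDOWN: Interface .*, changed state to down"), "major"),
]

# Captures: syslog level word, source IP of the sending device, then the Cisco
# message with its facility, numeric severity, mnemonic and free text.
LINE_RE = re.compile(
    r"^(?P<level>[a-z]+)\s+(?P<source>\d{1,3}(?:\.\d{1,3}){3})\s+.*?"
    r"(?P<msg>%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):"
    r"\s*(?P<text>\S.*?))\s*$"
)

# Constructed sample input, modelled on the line quoted in the thread.
SAMPLE_LINES = [
    "notice 10.81.254.3 Jan 25 00:08:36 10.81.254.3 197: Jan 25 08:08:35.484 UTC: "
    "%BGP-5-ADJCHANGE: neighbor 10.255.81.2 Down",
    "notice 10.81.254.3 Jan 25 00:09:10 10.81.254.3 198: Jan 25 08:09:09.112 UTC: "
    "%BGP-5-ADJCHANGE: neighbor 10.255.81.2 Up",
    "warning 10.81.254.4 Jan 25 00:10:02 10.81.254.4 42: Jan 25 08:10:01.000 UTC: "
    "%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "info 10.81.254.4 Jan 25 00:10:05 10.81.254.4 43: Jan 25 08:10:04.500 UTC: "
    "%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.3.111.14 started",
]


def parse(line: str) -> Optional[dict]:
    """Return the captured fields of one syslog line, or None if it is not Cisco-shaped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["sev"] = int(fields["sev"])
    return fields


def classify(msg: str, cisco_sev: int) -> str:
    """Site severity: first matching override, else the default Cisco translation."""
    for pattern, severity in SITE_RULES:
        if pattern.search(msg):
            return severity
    return CISCO_DEFAULT[cisco_sev]


def build_alarm(line: str) -> Optional[dict]:
    """Produce the trimmed alarm the first post asks for: subject, message, source."""
    fields = parse(line)
    if fields is None:
        return None
    severity = classify(fields["msg"], fields["sev"])
    return {
        "severity": severity,
        "source": fields["source"],
        "subject": f"Alert: {severity} {fields['msg']}",
        "message": fields["msg"],
    }


def build_alarms(lines) -> list:
    """Alarms for every parsable line; unparsable lines are dropped, not alarmed."""
    return [a for a in map(build_alarm, lines) if a is not None]


if __name__ == "__main__":
    for alarm in build_alarms(SAMPLE_LINES):
        print(alarm["subject"], "| source", alarm["source"])
```

The override list is checked before the numeric Cisco level on purpose: a `%BGP-5-ADJCHANGE` with "Down" and one with "Up" share the same Cisco severity, so only the message text can tell them apart, which is why the pattern is anchored on the `%...:` part rather than on the level word at the front of the line.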