The syslog message logging protocol provides a mechanism for monitoring application and resource status. Syslog runs as a daemon process on Linux or Windows gateways, which monitor, collect, and process messages according to a set of rules, map messages to corresponding alerts, and forward them to the cloud.
You can configure syslog monitoring to:
- Forward multiple messages sent from different devices to a single daemon.
- Configure syslog listeners to receive and process TCP or UDP messages from specified resources.
- Define filtering rules for messages and alert generation.
- Define inclusion and exclusion lists, which preprocess incoming messages according to the defined rules.
- Define alerts according to severity.
Rules can have the following scope:
- Service provider rules
- Partner rules
- Client rules
Syslog alerts do not self-heal and are visible in the alerts browser.
The gateway schedules a job with the cloud to synchronize with configuration profile and rule updates when the gateway transitions from the UP to DOWN state.
Configuration profile and rule processing sequence
Message filters are processed sequentially according to configuration profile and rule. Processing occurs alphabetically by profile name, and then by rule ordering within a profile. For example, consider a client gateway with two configuration profiles, UC-A and UC-B, each with ten rules. The gateway processes syslog messages in the following alphabetical order:
- UC-A
- UC-B
In the order in which the rules occur in UC-A, the gateway checks whether each rule matches the message. On a match, the gateway executes the rule action and stops. If no rule in UC-A matches, the gateway filters the message according to the UC-B configuration profile and its rules. The sequence continues through all profiles and rules until a match is found; a message that matches no rule generates no alert.
Syslog message format
[RFC5424] Gerhards, R., “The Syslog Protocol”, RFC 5424, DOI 10.17487/RFC5424, March 2009
Extracting message details using regular expressions
As part of message rule matching criteria, you can specify a regular expression that extracts arguments that can be used in generating an alert. The argument syntax is supported only for:
- alert subject
- alert description
- component
- metric name
Using the following message as an example,
[08:52:18] [ERROR] This must appear
and the regular expression (the square brackets must be escaped so they match literally rather than opening a character class),
\[(.+)\] \[(.+)\] (.+)
extracts the following arguments:
- argument 1 = 08:52:18
- argument 2 = ERROR
- argument 3 = This must appear
Use the argument replacement syntax to populate alert fields. Applying the arguments from the above example,
Severity: ${2}. Syslog raised time ${1}
generates the following alert message content:
Severity: ERROR. Syslog raised time 08:52:18
Predefined macros
| Macro | Description |
|---|---|
| ${timestamp} | Timestamp replacement, in milliseconds |
| ${received.syslog.message} | Raw syslog message received from device |
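The following Python script is an added example, not code from the product or its gateway, that ties together the two mechanisms described above: the profile-then-rule evaluation order (profiles alphabetically by name, rules in their listed order, first match wins, unmatched messages dropped) and the `${n}` argument replacement with the two predefined macros. The `Rule` and `Profile` classes, their field names, the sample profiles UC-A and UC-B, and the sample messages are all constructed for illustration and do not reflect the product's actual configuration schema. Note that UC-B is listed before UC-A in the sample data but is evaluated after it, because evaluation order is alphabetical, not list order.

```python
"""Syslog rule evaluation with regex argument extraction (added example)."""
import re
import time
from dataclasses import dataclass, field


@dataclass
class Rule:
    """One filtering rule: a regex plus the alert fields it populates.
    (Hypothetical structure, not the product's rule schema.)"""
    name: str
    pattern: str
    severity: str
    subject: str                                   # may contain ${n} placeholders
    description: str = "${received.syslog.message}"  # default: echo raw message
    compiled: re.Pattern = field(init=False, repr=False)

    def __post_init__(self):
        # Compile once at load time; a bad pattern fails here, not per message.
        self.compiled = re.compile(self.pattern)


@dataclass
class Profile:
    """A configuration profile: rules are evaluated in the order given."""
    name: str
    rules: list


_PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def expand(template, groups, raw_message, now_ms):
    """Replace ${n} with captured group n and the two predefined macros.
    Placeholders that cannot be resolved are left verbatim rather than
    silently emptied, so a misconfigured template is visible in the alert."""
    def sub(m):
        key = m.group(1)
        if key.isdigit():
            idx = int(key)
            return groups[idx - 1] if 1 <= idx <= len(groups) else m.group(0)
        if key == "timestamp":
            return str(now_ms)
        if key == "received.syslog.message":
            return raw_message
        return m.group(0)
    return _PLACEHOLDER.sub(sub, template)


def evaluate(profiles, message, now_ms=None):
    """Walk profiles alphabetically by name and rules in listed order.
    The first matching rule produces the alert; returns None when nothing
    matches, i.e. the message is filtered out and no alert is raised."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    for profile in sorted(profiles, key=lambda p: p.name):
        for rule in profile.rules:
            m = rule.compiled.search(message)
            if m is None:
                continue
            groups = [g if g is not None else "" for g in m.groups()]
            return {
                "profile": profile.name,
                "rule": rule.name,
                "severity": rule.severity,
                "subject": expand(rule.subject, groups, message, now_ms),
                "description": expand(rule.description, groups, message, now_ms),
            }
    return None


# Constructed sample configuration. UC-B appears first here on purpose:
# evaluation order is alphabetical, so UC-A is still checked first.
PROFILES = [
    Profile("UC-B", [
        Rule("any-error", r"\[ERROR\]", "Major",
             "UC-B caught: ${received.syslog.message}"),
    ]),
    Profile("UC-A", [
        Rule("critical-only", r"\[(.+)\] \[(CRITICAL)\] (.+)", "Critical",
             "Severity: ${2}. Syslog raised time ${1}"),
        Rule("bracketed", r"\[(.+)\] \[(.+)\] (.+)", "Warning",
             "Severity: ${2}. Syslog raised time ${1}"),
    ]),
]


if __name__ == "__main__":
    for msg in ["[08:52:18] [ERROR] This must appear",
                "[09:00:00] [CRITICAL] disk full",
                "kernel: [ERROR] oops",
                "plain text with no brackets"]:
        print(repr(msg), "->", evaluate(PROFILES, msg, now_ms=0))
```

Running the script shows the page's own example resolving to `Severity: ERROR. Syslog raised time 08:52:18` via the `bracketed` rule in UC-A, while `kernel: [ERROR] oops` falls through UC-A entirely and is caught by UC-B, and a message with no bracketed fields produces no alert at all. Because captured groups are copied verbatim from device-supplied text into alert fields, anything that renders those fields downstream should treat them as untrusted input.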