HPE Community
IMC
1751725 Members
6091 Online
108781 Solutions
New Discussion

Re: iMC Syslog Email Alerts

 
musd
Visitor

‎03-31-2014 05:02 PM

‎03-31-2014 05:02 PM

iMC Syslog Email Alerts

I am trying to move from PCM 4 to iCM 7 and I'm starting with the very useful alerts that I used to have in PCM.  Most of my PCM alerts were simply syslog partial matches of an event description (e.g. "Over Current", "Bpdu recieved", etc.).  I see that this functionality is supposed to exist in iCM under the Syslog to Alarm function but I cannot get this to work.  I setup a Syslog template with a wildcard match and then created a Syslog to Alarm entry for this template.  When I browse the syslog I see events populating that should match the wildcard entry but nothing shows in "All Alarms" (I've even tried very general wildcards like *received* or *on*) which indicates to me that the alarms is not getting generated.  But what is even more troubling is that I do not think that I would be able to receive an email for the alarm even it was being generated  This is because when I look at Alarm Notification and look at what Alarms can be selected it only lists the snmp traps not the Alarms that are defined in iCM.  I prefer syslog based alarms because in my experience they tend to be more reliable than trapping.  So does anyone have this working in iMC version 7, i.e. syslog to alarm wildcarded matches with email notifications?  Thank you.

1 person had this problem.
0 Kudos
13 REPLIES 13
LindsayHill
Honored Contributor

‎03-31-2014 06:27 PM

‎03-31-2014 06:27 PM

Re: iMC Syslog Email Alerts

When configuring your alarm to Email rule, look for the "imc Syslog" group - this contains traps you can use for syslogs escalated to alarms.

__
@northlandboy
0 Kudos
musd
Visitor

‎04-01-2014 07:56 AM

‎04-01-2014 07:56 AM

Re: iMC Syslog Email Alerts

Do you mean iMC -> Syslog -> "Trap upgraded from syslog"?  Also my other issue is that I do not see my Syslog to Alarm entries in All Alarms.  So I suspect they are not functioning properly.  My setup is:

 

Syslog Type Any   Syslog Level Emergency Alert Critical Error Warning Notification Informational Debugging   Repeat Interval (second) 300   Repeat Times (Times) 50   Alarm Level Major   Alarm Description %Syslog%   Forward to SCC No   Syslog Template

*disabled*

 

 

I've followed the Admin Guide as well as the short write-up in this article but I still do not see the Syslog to Alarms showing up.

0 Kudos
luki00
Occasional Visitor

‎05-20-2014 02:24 AM

‎05-20-2014 02:24 AM

Re: iMC Syslog Email Alerts

hey

 

there is a filter rule in Trap Management.

go to Trap Management -> Filter Trap -> Duplicate Trap Filter -> Unfiltered Duplicate Traps and add  "Trap upgraded from syslog".

 

best regards,

luki

 

0 Kudos
luki00
Occasional Visitor

‎05-20-2014 02:27 AM

‎05-20-2014 02:27 AM

Re: iMC Syslog Email Alerts

ah and set the Repeat Interval and Repeat Times to 1!

with your setup you need 50 syslog matches in 300 seconds to trigger the alarm.

0 Kudos
Rick Johnson_6
Occasional Advisor

‎05-21-2014 08:12 AM

‎05-21-2014 08:12 AM

Re: iMC Syslog Email Alerts

I am trying to do a very similar thing.  I have my windows servers forwarding their warning and above events to the IMC (version 7).  I want to be able to get this events turned into alarms with the end-goal of these events being emailed to me.  I'm guessing that I have to create an Syslog template? Also need to Syslog to Alarm?  From there it needs to somehow be escalated to an IMC reportable alarm?  Trouble is, I can't get past first base so far--template.  I want the following server events to report to me: Application, Hardware, and System.  I have not been able to create the variables (parameters) to make any of this happen.  Has anyone had any success in getting from point A to Z as I'm trying to do?

0 Kudos
LindsayHill
Honored Contributor

‎05-21-2014 09:14 PM

‎05-21-2014 09:14 PM

Re: iMC Syslog Email Alerts

How are you forwarding the Windows Events to the IMC server?

 

Assuming you're using a 3rd-party tool to send them as syslogs, then we should be able to work through the rest. 

 

First part though - get the logs showing up  on IMC under Alarm -> Syslog Management -> Browse Syslog. 

 

Do your events show up there?

__
@northlandboy
0 Kudos
Rick Johnson_6
Occasional Advisor

‎05-22-2014 05:21 AM

‎05-22-2014 05:21 AM

Re: iMC Syslog Email Alerts

Right now, I'm using Solarwinds windows log forwarder to send the logs.  I'm only using a couple of servers at the moment and when I generate test events, they do show up in the syslog browser.  thanks for responding.

0 Kudos
LindsayHill
Honored Contributor

‎05-22-2014 05:05 PM

‎05-22-2014 05:05 PM

Re: iMC Syslog Email Alerts

OK, that's a good start. What format are the logs showing up as? Can you give us a screenshot of a couple of the log entries?

 

I'm doing something similar with nxlog in my lab, but it will be formatting the syslog messages slightly differently to what you're using.

__
@northlandboy
0 Kudos
Rick Johnson_6
Occasional Advisor

‎05-23-2014 04:18 AM

‎05-23-2014 04:18 AM

Re: iMC Syslog Email Alerts

I'll be very happy to provide screenshots.  I am out of town until next Thursday.  I will post the information then.  Have a great Memorial Weekend!

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.