03-31-2014 05:02 PM
I am trying to move from PCM 4 to iMC 7 and I'm starting with the very useful alerts that I used to have in PCM. Most of my PCM alerts were simply syslog partial matches of an event description (e.g. "Over Current", "BPDU received", etc.). I see that this functionality is supposed to exist in iMC under the Syslog to Alarm function but I cannot get this to work. I set up a Syslog template with a wildcard match and then created a Syslog to Alarm entry for this template. When I browse the syslog I see events populating that should match the wildcard entry, but nothing shows in "All Alarms" (I've even tried very general wildcards like *received* or *on*), which indicates to me that the alarm is not getting generated. But what is even more troubling is that I do not think that I would be able to receive an email for the alarm even if it was being generated. This is because when I look at Alarm Notification and look at what Alarms can be selected, it only lists the SNMP traps, not the Alarms that are defined in iMC. I prefer syslog based alarms because in my experience they tend to be more reliable than trapping. So does anyone have this working in iMC version 7, i.e. syslog to alarm wildcarded matches with email notifications? Thank you.
04-01-2014 07:56 AM
Do you mean iMC -> Syslog -> "Trap upgraded from syslog"? Also my other issue is that I do not see my Syslog to Alarm entries in All Alarms. So I suspect they are not functioning properly. My setup is:
Syslog Type: Any
Syslog Level: Emergency, Alert, Critical, Error, Warning, Notification, Informational, Debugging
Repeat Interval (second): 300
Repeat Times (Times): 50
Alarm Level: Major
Alarm Description: %Syslog%
Forward to SCC: No
Syslog Template:
I've followed the Admin Guide as well as the short write-up in this article but I still do not see the Syslog to Alarms showing up.
05-20-2014 02:24 AM
There is a filter rule in Trap Management.
Go to Trap Management -> Filter Trap -> Duplicate Trap Filter -> Unfiltered Duplicate Traps and add "Trap upgraded from syslog".
05-21-2014 08:12 AM
I am trying to do a very similar thing. I have my Windows servers forwarding their warning and above events to the IMC (version 7). I want to be able to get these events turned into alarms, with the end goal of these events being emailed to me. I'm guessing that I have to create a Syslog template? Do I also need Syslog to Alarm? From there it needs to somehow be escalated to an IMC reportable alarm? Trouble is, I can't get past first base so far--the template. I want the following server events to report to me: Application, Hardware, and System. I have not been able to create the variables (parameters) to make any of this happen. Has anyone had any success in getting from point A to Z as I'm trying to do?
05-21-2014 09:14 PM
How are you forwarding the Windows Events to the IMC server?
Assuming you're using a 3rd-party tool to send them as syslogs, then we should be able to work through the rest.
First part though - get the logs showing up on IMC under Alarm -> Syslog Management -> Browse Syslog.
Do your events show up there?
05-22-2014 05:21 AM
Right now, I'm using the SolarWinds Windows log forwarder to send the logs. I'm only using a couple of servers at the moment, and when I generate test events, they do show up in the syslog browser. Thanks for responding.
05-22-2014 05:05 PM
OK, that's a good start. What format are the logs showing up as? Can you give us a screenshot of a couple of the log entries?
I'm doing something similar with nxlog in my lab, but it will be formatting the syslog messages slightly differently to what you're using.
05-29-2014 06:18 AM
As far as formats go, I believe it is in the evtx format. If there is a specific way to check, I'm unaware of how to do it. Here are some screenshots of events from a couple of the servers I have set to forward warning and above events to IMC. I'm attaching a Word document with two screenshots as they appear in IMC.
05-30-2014 08:48 PM
OK, so I'd probably start with a couple of templates like this:
To pick up Warning Application events:
"* MSWinEventLog * Application * Warning $(Hostname) 0 $(Message)"
Warning System events:
"* MSWinEventLog * System * Warning $(Hostname) 0 $(Message)"
You can do something similar with Critical events.
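As an added illustration (not iMC's own matcher and not code from any poster), here is how wildcard templates like the two above would be applied to forwarded Windows event syslog lines to decide which ones become alarms and which fields they extract. The translation of `*` and `$(Name)` into a regex, and the sample log lines, are assumptions constructed for this example.

```python
import re

# The two templates posted above: "*" matches anything, "$(Name)" captures a field.
TEMPLATES = {
    "warning_application": "* MSWinEventLog * Application * Warning $(Hostname) 0 $(Message)",
    "warning_system": "* MSWinEventLog * System * Warning $(Hostname) 0 $(Message)",
}

# Constructed sample lines in the "hostname MSWinEventLog ..." style produced by
# Windows event forwarders; field layout is assumed, not taken from the thread.
SAMPLE_SYSLOG = [
    "May 29 06:18:01 SRV01 MSWinEventLog 1 Application 523 Thu May 29 06:17:58 2014 1000 Application Error N/A N/A Warning SRV01 0 Faulting application notepad.exe, version 6.1.7600.16385",
    "May 29 06:19:42 SRV02 MSWinEventLog 1 System 524 Thu May 29 06:19:40 2014 7034 Service Control Manager N/A N/A Warning SRV02 0 The Print Spooler service terminated unexpectedly",
    "May 29 06:20:05 SRV01 MSWinEventLog 2 Application 525 Thu May 29 06:20:03 2014 1002 Application Hang N/A N/A Error SRV01 0 The program iexplore.exe stopped interacting with Windows",
    "May 29 06:21:17 SRV01 MSWinEventLog 1 Security 526 Thu May 29 06:21:15 2014 4625 Microsoft-Windows-Security-Auditing N/A N/A Warning SRV01 0 An account failed to log on",
]


def template_to_regex(template: str) -> re.Pattern:
    """Assumed interpretation of the template syntax: '*' becomes a lazy '.*?',
    '$(Name)' becomes a named capture group, and any run of whitespace in the
    template matches any run of whitespace in the log line."""
    parts = []
    for piece in re.split(r"(\*|\$\([A-Za-z]+\))", template):
        if piece == "*":
            parts.append(r".*?")
        elif piece.startswith("$("):
            parts.append(rf"(?P<{piece[2:-1]}>.*?)")
        else:
            for tok in re.split(r"(\s+)", piece):
                if tok:
                    parts.append(r"\s+" if tok.isspace() else re.escape(tok))
    return re.compile("^" + "".join(parts) + "$")


def match_templates(line: str):
    """Return (template_name, captured_fields) for the first matching template, else None."""
    for name, template in TEMPLATES.items():
        m = template_to_regex(template).match(line)
        if m:
            return name, m.groupdict()
    return None


def alarms_from_syslog(lines):
    """Turn matching syslog lines into (template, host, message) alarm tuples;
    lines matching no template (wrong log or wrong level) raise nothing."""
    return [(name, f["Hostname"], f["Message"])
            for name, f in filter(None, map(match_templates, lines))]


if __name__ == "__main__":
    for alarm in alarms_from_syslog(SAMPLE_SYSLOG):
        print(alarm)
```

Only the Application and System Warning lines produce alarms; the Error-level Application event and the Security event fall through, which is the behaviour to confirm in Browse Syslog before looking for the alarm in All Alarms.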
06-02-2014 04:53 AM
Thank you very much! I'll give that a try. I'm sure it's a matter of getting the templates right; however, I wasn't sure of what variables to use. I will post the results.