Syslog Message Monitoring

LogicMonitor can monitor syslog messages received by the collector.

LogicMonitor is a syslog alerting mechanism, not a syslog viewing or searching tool. Consequently, syslog messages of severity NOTICE, INFORMATIONAL and DEBUG are discarded; alerts can only be generated for messages with these severities (syslog numeric code in parentheses; the lower the code, the more urgent the message):

EMERGENCY (0)
ALERT (1)
CRITICAL (2)
ERROR (3)
WARNING (4)

To set up syslog monitoring, follow these three steps.

  1. Configure the collector's syslog listener
  2. Configure the syslog message source
  3. Create a syslog eventsource

Step 1. Configure the collector's syslog listener

By default, the collector listens on UDP port 514 for incoming syslog messages. To use a different port, edit <collectorInstallDir>/conf/collector.conf and set:

eventcollector.syslog.port=8888

The example above configures the collector to listen on UDP/8888. Syslog over UDP is neither authenticated nor encrypted, so restrict which sources can reach this port at the host or network firewall: anything that can deliver a datagram to it can generate alerts.

Step 2. Configure the syslog message source

There are two typical scenarios:

  1. Configure the syslog daemon running on the monitored host to forward syslog messages to the collector.
  2. If you have a central syslog server, configure it to forward syslog messages to the collector.

*.err @172.16.0.12

The example above is a traditional syslog.conf line: it forwards messages of any facility with severity err or more urgent (err, crit, alert, emerg) over UDP/514 to the host 172.16.0.12 on which the collector is running. Note that a selector names the minimum severity, not a single one. If the collector listens on a non-default port, the daemon must be told to send there as well; rsyslog, for example, accepts a port suffix on the target (@172.16.0.12:8888).

Please check the manual of your syslog server/daemon for message forwarding configuration.

Step 3. Create a syslog eventsource

Go to the Datasource tab -> New -> Eventsource to create a syslog eventsource.

 

The figure above creates a syslog eventsource "syslog test", where

  • Name - the name of the eventsource is "syslog test"
  • Applies To - the eventsource is applied to the hosts 192.168.211.1 and 127.0.0.1
  • Filters - we create three filters. Only messages that satisfy all three filters are stored in the database and can trigger alerts.
    • The first filter "Facility Equal Local use 0 (local0)" means the facility of accepted messages must be local0 (code 16).
    • The second filter "Severity LessThan Warning" means the severity of accepted messages must be Warning, Error, Critical, Alert, or Emergency (syslog assigns lower numbers to more urgent severities, so "less than Warning" here means numerically at or below Warning's code 4).
    • The third filter "Message Contain hello" means the message text must contain "hello" (the Contain operator is case-insensitive).

That is it! If you send a test syslog message to the collector and go to the host tab, you will find:

All syslog messages passing the filters are shown in the grid at the bottom. If the latest message has a severity equal to or more urgent than Warning, an alert is triggered and shown in the alert grid at the top. You can comment on and acknowledge the alert like any other alert.

Syslog Severity and LogicMonitor Alert Severity Mapping

  • Syslog severity debug, notice and informational: not treated as an alert.
  • Syslog severity warning: LogicMonitor alert severity warning.
  • Syslog severity error: LogicMonitor alert severity error.
  • Syslog severity critical, alert, emergency: LogicMonitor alert severity critical.
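The three steps above and the severity mapping, worked through as an added example (this is not LogicMonitor's code and does not use its API): the script builds a BSD-style (RFC 3164) syslog message with the PRI value a syslog daemon would send, decodes PRI back into facility and severity the way a receiver must, applies the three filters of the "syslog test" eventsource from Step 3 (facility local0, severity Warning or more urgent, message contains "hello"), and maps each accepted message to the LogicMonitor alert severity listed above. The collector address 172.16.0.12 and port 8888 are taken from the page; the hostname web01, the tag app, the sample messages and all function names are constructed for the example. Nothing is sent unless you call send_udp, so the checks run offline.

```python
import re
import socket
import time
from typing import Optional, Tuple

# Standard syslog facility and severity codes (RFC 3164 / RFC 5424).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Collector address from the page; the port assumes the collector.conf
# override shown in Step 1 (the default listener would be 514).
COLLECTOR_HOST = "172.16.0.12"
COLLECTOR_PORT = 8888

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def encode_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity, the number inside the leading <...>."""
    return facility * 8 + severity


def decode_pri(pri: int) -> Tuple[int, int]:
    """Inverse of encode_pri: returns (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def build_message(facility: str, severity: str, hostname: str, tag: str, msg: str) -> str:
    """Format an RFC 3164 message: <PRI>TIMESTAMP HOSTNAME TAG: MSG."""
    pri = encode_pri(FACILITIES[facility], SEVERITIES[severity])
    now = time.localtime()
    # RFC 3164 timestamps pad a single-digit day with a space ("Oct  5").
    stamp = f"{time.strftime('%b', now)} {now.tm_mday:2d} {time.strftime('%H:%M:%S', now)}"
    return f"<{pri}>{stamp} {hostname} {tag}: {msg}"


def parse_message(raw: str) -> Tuple[int, int, str]:
    """Return (facility, severity, rest). A message with no valid PRI is
    treated as user.notice (PRI 13), the convention RFC 3164 describes."""
    m = PRI_RE.match(raw)
    if m and int(m.group(1)) <= 191:
        facility, severity = decode_pri(int(m.group(1)))
        return facility, severity, m.group(2)
    return 1, 5, raw


def passes_filters(raw: str, facility: str = "local0",
                   max_severity: str = "warning", contains: str = "hello") -> bool:
    """The three eventsource filters from Step 3, ANDed together."""
    fac, sev, body = parse_message(raw)
    if fac != FACILITIES[facility]:          # Facility Equal local0
        return False
    if sev > SEVERITIES[max_severity]:        # Severity at or more urgent than Warning
        return False
    return contains.lower() in body.lower()   # Message Contain hello (case-insensitive)


def lm_alert_severity(severity: int) -> Optional[str]:
    """Syslog severity code -> LogicMonitor alert severity, per the mapping above."""
    if severity <= 2:
        return "critical"      # emerg, alert, crit
    if severity == 3:
        return "error"
    if severity == 4:
        return "warning"
    return None                # notice, info, debug never alert


def evaluate(raw: str) -> Tuple[bool, Optional[str]]:
    """(stored by the eventsource?, alert severity or None) for one received message."""
    if not passes_filters(raw):
        return False, None
    return True, lm_alert_severity(parse_message(raw)[1])


def send_udp(raw: str, host: str = COLLECTOR_HOST, port: int = COLLECTOR_PORT) -> None:
    """Send one datagram to the collector: plain UDP, no authentication or encryption."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(raw.encode("utf-8"), (host, port))


# Constructed sample messages (not captured from a real collector).
SAMPLES = [
    build_message("local0", "warning", "web01", "app", "hello from web01"),  # stored, warning alert
    build_message("local0", "crit", "web01", "app", "HELLO disk failing"),   # stored, critical alert
    build_message("local0", "info", "web01", "app", "hello, just info"),     # dropped: info
    build_message("user", "err", "web01", "app", "hello wrong facility"),    # dropped: facility
    build_message("local0", "err", "web01", "app", "no keyword here"),       # dropped: text
    "no PRI at all, hello",                                                   # user.notice: dropped
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(evaluate(raw), raw)
    # send_udp(SAMPLES[0])  # uncomment to hit the collector configured in Step 1
```

Two points the code makes explicit: the collector has to trust whatever PRI the sender put in the datagram, which is why reachability of the listener matters, and a message with no PRI at all is not an error but user.notice, which the filters above silently drop. To send a real test message from a Linux host without Python, util-linux logger does the same as send_udp: logger -n 172.16.0.12 -P 8888 -p local0.warning hello.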