Centralize critical alerts in a Syslog

ServiceNav offers several notification methods:
- Mail, SMS, Push Mail (mobile application) and SysLog

The notification policy is fully customizable according to:
- time slots
- Types of events (Alert, Critical Alert, Return to normal...)
- the methods used to send the notification (email, SMS, application push, Syslog)

We will focus here on the Syslog notification.
The goal is to allow the ServiceNav user to consolidate all notifications into a centralized Syslog server for processing or archiving.

This method writes to a Syslog file on a change of Nagios status of type HARD only.

Syslog file on Nagios status change

Prerequisite: Setting up a Syslog server

As a protocol, Syslog consists of a client part and a server part. The client part transmits the information over the network, via UDP port 514. The servers collect the information and take care of creating the logs.

The ServiceNav monitoring unit can be used as a client or as a client and server.

Note: You can nevertheless use your own Syslog server. The supervision box will then act only as a client, redirecting events to your Syslog server.

Configure the box as a client:

The rsyslog client is already installed on the supervision boxes; it only needs to be configured to forward to a syslog server. You have to tell rsyslog which logs to redirect and to which server.
In the /etc/rsyslog.d/ folder, create a new configuration file 00-client-remote.conf:
cd /etc/rsyslog.d/
nano 00-client-remote.conf
Add the following configuration to redirect logs from the NAGIOS-SYSLOG application (the tag used in the notification command), replacing remote_server:port with the address and port of your Syslog server.
In UDP (single @):
if $programname == 'NAGIOS-SYSLOG' then @remote_server:port
In TCP (double @@):
if $programname == 'NAGIOS-SYSLOG' then @@remote_server:port
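As an added example (not part of the ServiceNav documentation), the following Python shows what the $programname test in the rule above actually matches: the syslog tag before any [pid] suffix. It builds and parses BSD-syslog (RFC 3164) lines with constructed sample content and keeps only those tagged NAGIOS-SYSLOG, as the client rule would forward them; the host name, message texts and the send_udp helper are assumptions.

```python
import re
import socket
from datetime import datetime

# Tag used by the ServiceNav notification command (from the page).
NOTIFICATION_TAG = "NAGIOS-SYSLOG"

# RFC 3164 line: <PRI>Mmm dd hh:mm:ss host TAG[pid]: message
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

def build_message(tag, msg, host="servicenav-box", facility=1, severity=2, ts=None):
    """Format a BSD-syslog line as a local logger would emit it.
    facility 1 = user, severity 2 = critical; PRI = facility*8 + severity."""
    ts = ts or datetime.now().strftime("%b %d %H:%M:%S")
    return f"<{facility * 8 + severity}>{ts} {host} {tag}: {msg}"

def parse_message(line):
    """Split a line into facility, severity, host, programname (tag) and text."""
    m = _SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {"facility": pri // 8, "severity": pri % 8, "host": m.group("host"),
            "programname": m.group("tag"), "msg": m.group("msg")}

def should_forward(line, tag=NOTIFICATION_TAG):
    """Mirror `if $programname == 'NAGIOS-SYSLOG' then ...`: $programname is the
    tag without the [pid] suffix, so both tagged forms below match."""
    parsed = parse_message(line)
    return parsed is not None and parsed["programname"] == tag

def send_udp(line, server, port=514):
    """Equivalent of the single-@ target: one datagram per line, no delivery guarantee."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode(), (server, port))

# Constructed sample lines (not real ServiceNav output); host and texts are assumed.
SAMPLE_LINES = [
    build_message("NAGIOS-SYSLOG", "RADIOLOGY/Teamviewer CRITICAL", ts="Mar 10 09:15:01"),
    "<13>Mar 10 09:15:02 servicenav-box NAGIOS-SYSLOG[4242]: RADIOLOGY DOWN",
    "<86>Mar 10 09:15:03 servicenav-box sshd[1001]: Accepted publickey for admin",
]

def forwardable(lines=SAMPLE_LINES):
    """Return only the lines the client rule would send to the remote server."""
    return [l for l in lines if should_forward(l)]
```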

If you want to configure the box as a server:

Connect with ssh on the supervision box.

Open the syslog port

The standard syslog port is UDP/514:
1. Edit under vi/nano the following file: /etc/init.d/
2. Insert this line: PORT_RSYSLOG="514"
3. Insert this line (the -s <SOURCE_IP> match is optional: remove it, or replace the placeholder with the address of your syslog client):
## Accepting RSYSLOG connections
iptables -A INPUT -p udp -i eth0 -s <SOURCE_IP> --dport $PORT_RSYSLOG -j ACCEPT
4. Save the file and reload the rules: /etc/init.d/

Notes: Change the port if you are operating on a port other than the standard one.
Source IP filtering is optional, but it does help limit incoming syslog traffic.

rsyslog format supported by the model
ServiceNav has a "Lin-syslog" service model to exploit the syslog file.
1. Edit under vi/nano the following file: /etc/rsyslog.conf and make the modifications described below.
2. Save the file.
3. Restart the rsyslog service: service rsyslog restart

Configuring syslog notification

Syslog notification is available for all devices and services and works the same way as the standard Nagios notification.

A contact can be notified within its notification time slot, on all or some of the status changes, either as soon as the status changes or only after several checks have confirmed the change.

Creation of notification contacts

We recommend creating 2 syslog contacts:
- a contact for equipment notifications
- a contact for unit service notifications

To add a contact: navigate to Settings > General > Contacts.

Click on Add

syslog notifications creation step 1
syslog notifications creation step 2
syslog notifications creation step 3
syslog notifications creation step 4

For services:

Syslog service notification

For equipment:

Syslog notifications equipment

Enter the period and the type of status that will trigger the notification in the syslog file.

Notification configuration for equipment or services

Simple scenario

I supervise the "Teamviewer" service located on the RADIOLOGY equipment, and I would like an entry written to the syslog file when the equipment is unreachable or when the Teamviewer service is not started.

So I am going to set up syslog notifications on my RADIOLOGY equipment and on the Teamviewer service.

Equipment sheet:
Open the record in create or edit mode:

Configuration notification equipment services

In the Notification tab:

Configuration notification equipment services 2

Fill in the linked contact.

Here, when the equipment goes DOWN, a notification writes the message defined for the contact "CHSA - contact-syslog-equipment" to the syslog file.

Unit service form

Open the record in create or edit mode:

Syslog Unit service record change

In the Notification tab:

Syslog Unit service record notification

When my service is in CRITICAL, a notification writes the message defined for the contact "CHSA - contact-syslog-service" to the syslog file.

Note: Notification is only triggered on the Nagios HARD status type.
If you have configured additional checks, the notification will only go out once all additional checks have been completed.

Result obtained

You can see the result by checking your syslog server. If the ServiceNav monitoring box is the server, the syslog file is located in: /var/log/
It is of course possible to use the "Lin-syslog" template to exploit the syslog file.
Example of writing to the Syslog file:

Syslog result
