Syslog forwarding and alerting

Available since: version 6.3

When registering servers and switches, the system now configures them to forward syslog entries to the site controller, which in turn forwards them to the global controller.

A filter is applied at the site controller level to limit the number of messages that flow to the global controller. By default only messages of severity warning and above are forwarded.

To configure alerting rules

Go to the Global configuration > Alerts tab.

The ‘rules’ are grouped in sets of ‘conditions’ that are joined by the “AND” operator. The rules themselves are joined with the “OR” operator. For example, to alert on both warning and error, two rules need to be created. If you want both the severity and the message to match certain values, they need to be conditions on the same rule.

Warning

It is likely that this mechanism will emit many alert notifications. We recommend using a separate mailbox for alerting.

In addition, an optional event is created in the database when a rule is matched.

Connecting an external event monitoring system to the Kafka queue

To connect an external system such as Logstash to the syslog feed, subscribe to the following Kafka topic: io.metalsoft.syslog.messages.

The messages are wrapped in a CloudEvent envelope, and the data element contains JSON in the following format:

{
    "agent_id": "agent-id-string",
    "message": "syslog message JSON stringified"
}
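The following is an added example (not MetalSoft's own code) of what a consumer on that topic does with a message, and of the rule semantics described in the alerting section: it unwraps the CloudEvent envelope, parses the stringified syslog JSON in the data element, and evaluates a rule list where conditions within a rule are ANDed and rules are ORed. The envelope values, the inner syslog field names ("severity", "message") and the case-insensitive substring matching are assumptions for the example; the page only specifies the data element's shape.

```python
import json

# Constructed sample message: a CloudEvents 1.0 envelope whose "data" element
# has the documented shape. The inner syslog JSON is also constructed; its
# field names are an assumption, since the page does not specify them.
SAMPLE_EVENT = json.dumps({
    "specversion": "1.0",
    "type": "io.metalsoft.syslog.messages",   # constructed value
    "source": "site-controller-1",            # constructed value
    "id": "evt-0001",                         # constructed value
    "data": {
        "agent_id": "agent-id-string",
        "message": json.dumps({"severity": "error",
                               "message": "Link down on port 1/1/3"}),
    },
})


def unwrap_syslog(raw_event):
    """Return (agent_id, syslog dict) from a raw CloudEvent JSON string.

    The syslog message is JSON stringified inside "data", so it is parsed twice.
    """
    envelope = json.loads(raw_event)
    data = envelope["data"]
    return data["agent_id"], json.loads(data["message"])


# Each rule is a list of (field, expected) conditions joined with AND; the list
# of rules is joined with OR. Matching "warning" and "error" therefore needs
# two rules; matching severity AND message text needs one rule with two
# conditions, as the alerting section describes.
RULES = [
    [("severity", "warning")],                          # rule 0
    [("severity", "error"), ("message", "Link down")],  # rule 1
]


def condition_matches(syslog, field, expected):
    # Assumed match semantics: case-insensitive substring on the field value.
    return expected.lower() in str(syslog.get(field, "")).lower()


def rule_matches(syslog, rule):
    return all(condition_matches(syslog, f, v) for f, v in rule)


def alert(syslog, rules=RULES):
    """Return the index of the first matching rule, or None if no rule fires."""
    for i, rule in enumerate(rules):
        if rule_matches(syslog, rule):
            return i
    return None


if __name__ == "__main__":
    agent, syslog = unwrap_syslog(SAMPLE_EVENT)
    print(agent, "matched rule:", alert(syslog))
```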