When integrating syslog-ng Store Box (SSB) with Azure Sentinel for alerting, customers may need to identify specific log message values in order to create alert rules and email notifications. In some cases, the exact message body values for certain SSB alerts are not available because those alerts have not occurred recently or because the alert content is dynamically generated.
SNMP-based email notifications generated by syslog-ng Store Box use dynamically changing message bodies that vary depending on the alert type and system state. As a result, there are no fixed or predictable message field values available for all alert scenarios. This makes it unreliable to configure Azure Sentinel alert rules based on the email body or message content.
Instead of filtering on the email message body, customers can configure Azure Sentinel alert rules to match on the email subject field, which remains consistent and does not change dynamically.
syslog-ng Store Box uses the following subject format for SNMP email notifications:
'Notification received: XCB-SNMP-MIB::xcb<AlertName>'
Example:
For a data and configuration backup failure, the email subject appears as:
'Notification received: XCB-SNMP-MIB::xcbBackupFailed'
Because the subject field is stable across alert occurrences, it provides a reliable identifier for filtering and triggering alerts in Azure Sentinel.
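As an added illustration (not part of the original article), the following Python helper emulates a subject-based alert rule: it extracts `<AlertName>` from the documented subject format and ignores the message body entirely. The sample emails, their bodies and the helper names are constructed for this example.

```python
import re
from typing import Optional

# Subject format documented for SSB SNMP email notifications:
#   'Notification received: XCB-SNMP-MIB::xcb<AlertName>'
# Anchored so that forwarded/replied copies ("Re: ...", "Fwd: ...") and
# body text that merely mentions an alert name do not match.
SUBJECT_PATTERN = re.compile(
    r"^Notification received: XCB-SNMP-MIB::xcb(?P<alert>[A-Za-z0-9]+)$"
)


def parse_ssb_alert_subject(subject: str) -> Optional[str]:
    """Return the <AlertName> part of an SSB notification subject,
    or None if the subject is not an SSB SNMP notification."""
    m = SUBJECT_PATTERN.match(subject.strip())
    return m.group("alert") if m else None


def matches_alert_rule(subject: str, alert_names: set[str]) -> bool:
    """Emulate a Sentinel rule that keys only on the subject field.
    `alert_names` holds the <AlertName> values the rule should fire on."""
    name = parse_ssb_alert_subject(subject)
    return name is not None and name in alert_names


# Constructed sample notifications: the subject is identical for every
# occurrence of the same alert, while the body text differs each time.
SAMPLE_EMAILS = [
    {"subject": "Notification received: XCB-SNMP-MIB::xcbBackupFailed",
     "body": "Backup run 2024-01-01 02:14 failed (constructed body text)"},
    {"subject": "Notification received: XCB-SNMP-MIB::xcbBackupFailed",
     "body": "Backup failed: destination unreachable (constructed body)"},
    {"subject": "Weekly report",
     "body": "xcbBackupFailed appears in this body but not in the subject"},
]


def triggered_subjects(emails: list[dict], alert_names: set[str]) -> list[str]:
    """Return the subjects of the emails that would trigger the rule."""
    return [e["subject"] for e in emails
            if matches_alert_rule(e["subject"], alert_names)]


if __name__ == "__main__":
    for s in triggered_subjects(SAMPLE_EMAILS, {"BackupFailed"}):
        print("ALERT:", s)
```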