
syslog-ng Store Box 6.10.0 - Administration Guide


Creating content-based alerts

The syslog-ng Store Box (SSB) appliance can create content-based alerts about log messages based on specific search expressions. Search queries are run every few seconds, and an alert is triggered whenever the contents of a log message match a search expression. Alerts are collected and sent to a pre-defined email address (or email addresses).

Some log messages might have particular significance and therefore getting notifications about those can often be more efficient than searching for them manually.

You can set up or modify alerts for local logspaces or those logspaces to which you have the relevant privileges, meaning that:

  • Either the relevant user group has been assigned read and write/perform access to the Search > Logs object on the AAA > Access Control page.

  • Or the user group has been added under the Access control option of the relevant logspace on the Log > Logspaces page.

There are two ways to create alerts: using the search interface, or using the Search > Content-Based Alerts page. Both are described below.

NOTE: Content-based alerting is currently not available for filtered, multiple, and remote logspaces.

NOTE: In the case of encrypted logspaces, no decryption key is required for content-based alerting to work. SSB has access to the log messages while processing them, and the indexer and content-based alerting services run before encryption happens.

Setting up alerts on the search interface

This section describes how to set up alerts using the search interface.

To set up alerts using the search interface

  1. Configure a target where you wish to send your content-based alerts.

    Alert targets are set up and modified by superusers or user groups that have been assigned read and write/perform access to the Policies object on the AAA > Access Control page.

    To specify an alert target:

    1. Go to Policies > Alert targets.

    2. Click .

      The new tab that opens allows you to record an alert target.

      Figure 221: Policies > Alert targets — Alert targets page

    3. Enter a name for your alert target.

      NOTE: Alert target names must be unique.

    4. In the Target email address field, enter the email address where you wish to send alerts.

      NOTE: You can specify only one email address per target. However, you can add multiple targets per alert, which allows you to send a specific alert to more than one email address (if required).

    5. In the Cooldown period field, enter the minimum amount of time (in seconds) that should pass between the sending of two alert messages to this target.

      The minimum value is 60 seconds, and the maximum value is 999999 seconds.

      NOTE: An alert message is sent only when a match is found between the contents of log messages and a search expression. This means that if no match is found, more time may pass between two alert messages than the interval specified as the cooldown period.

    6. Click to save your details.

      Expected result:

      You have successfully configured a target for your alert where alert messages will be sent.

  2. Optional step: You can also specify the email address from which the alerts are sent to your targets. Configuring an email address from where you wish to receive emails can be useful for filtering purposes. If you do not specify such an email address, a default one will be used.

    For detailed instructions, see the steps describing how to specify a Send e-mails as email address in "Configuring e-mail alerts" in the Administration Guide.

  3. Once you have set up a target or targets, navigate to the search interface by going to Search > Logspaces.

    Figure 222: Search > Logspaces — Setting up alerts on the search interface

  4. In the Logspace name menu, select the relevant logspace.

  5. In the Search expression field, enter the search expression that you wish to receive alerts about and click .

  6. To configure additional details for the alert, click . The Content-based alerting panel is displayed.

    Figure 223: Search > Logspaces — Content-based alerting panel

    The Logspace field displays the name of the logspace that you have selected from the Logspace name menu. The Search expression field displays the search expression that you entered in the Search expression field.

  7. Enter a name for your alert in the Alert name field.

    NOTE: Alert names must be globally unique. Using a prefix before alert names can help avoid specifying a name that is already in use.

  8. Select a target from Targets. You can select multiple targets if you wish to distribute the alert to multiple email addresses.

    You can remove targets you have already added by clicking in front of the target's name.

  9. To save your details, click .

    NOTE: If you wish to modify your alert later on, you can make changes via Search > Content-Based Alerts. For details, see Setting up alerts on the Search > Content-Based Alerts page.
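The cooldown rule from Step 1.5 above (an email is sent only on a run that finds a match, and only once the cooldown has elapsed since the previous email to that target) is easy to misread when tuning alert volume. The following simulation is an added example, not SSB's own code; the check interval, the schedule of matching messages and the model of "one run covers the messages since the previous run" are assumptions made for the illustration. It shows why the gap between two emails can be much longer than the configured cooldown.

```python
"""Simulate the sending rule behind an alert target's cooldown period.

Added example, not SSB's own code. The check interval and the schedule of
matching messages are constructed to illustrate the documented behaviour:
an email goes out only on a run that finds a match, and only once the
cooldown has elapsed since the previous email to that target.
"""

COOLDOWN_MIN, COOLDOWN_MAX = 60, 999999  # documented limits, in seconds


def validate_cooldown(seconds):
    """Reject cooldown values outside the range the appliance accepts."""
    if not isinstance(seconds, int) or not COOLDOWN_MIN <= seconds <= COOLDOWN_MAX:
        raise ValueError(f"cooldown must be {COOLDOWN_MIN}..{COOLDOWN_MAX} seconds")
    return seconds


def alert_send_times(check_interval, cooldown, match_times, horizon):
    """Return the times (in seconds) at which an alert email would be sent.

    Assumed model: the search runs every `check_interval` seconds and looks
    at the messages that arrived since the previous run.
    """
    validate_cooldown(cooldown)
    sent, last_sent, prev = [], None, 0
    t = check_interval
    while t <= horizon:
        matched = any(prev < m <= t for m in match_times)
        if matched and (last_sent is None or t - last_sent >= cooldown):
            sent.append(t)
            last_sent = t
        prev, t = t, t + check_interval
    return sent


def gaps(send_times):
    """Seconds elapsed between consecutive alert emails."""
    return [b - a for a, b in zip(send_times, send_times[1:])]


if __name__ == "__main__":
    # Constructed schedule: a match every 5 s for the first two minutes,
    # then silence until a single match at t=300 s.
    matches = list(range(3, 121, 5)) + [300]
    times = alert_send_times(check_interval=5, cooldown=60,
                             match_times=matches, horizon=360)
    print("emails sent at:", times)            # [5, 65, 300]
    print("gaps between emails:", gaps(times))  # [60, 235]
```

With a 60-second cooldown the first two emails are exactly 60 seconds apart, but the third only goes out when a match is found again, 235 seconds later: the cooldown is a lower bound on the spacing, not a schedule.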

Setting up alerts on the Search > Content-Based Alerts page

This section describes how to set up alerts on the Search > Content-Based Alerts page.

To set up alerts on the Search > Content-Based Alerts page

  1. Configure a target where you wish to send content-based alerts. For details on how to do this, see Step 1 in Setting up alerts on the search interface.

  2. Optional step: You can also specify the email address from which alerts are sent. Configuring an email address from where you wish to receive emails can be useful for filtering purposes. If you do not specify such an email address, a default one will be used.

    For detailed instructions, see the steps describing how to specify a Send e-mails as email address in "Configuring e-mail alerts" in the Administration Guide.

  3. Once you have set up a target or targets, navigate to Search > Content-Based Alerts.

  4. Click .

    The new tab that opens allows you to specify a content-based alert.

    Figure 224: Search > Content-Based Alerts — Setting up content-based alerts on the Search

  5. Enter a name for your alert.

    NOTE: Alert names must be globally unique. Using a prefix before alert names can help avoid specifying a name that is already in use.

  6. In the Search expression field, enter the search expression that you wish to receive alerts about.

  7. Select the appropriate logspace from the Logspace menu.

  8. Select a target or targets from the Alert targets menu. You can select multiple targets if you wish to distribute the alert to multiple email addresses.

    You can remove targets you have already added by clicking .

  9. To save your details, click .

    NOTE: If you wish to modify your alert later on, you can make changes by revisiting the relevant steps on the Search > Content-Based Alerts page.

Format of alert messages

Once content-based alerts have been created, syslog-ng Store Box (SSB) will send alert messages to the configured targets.

The alert email's subject line will follow this format:

Alert: [myalert][mylogspace]

Alert messages will be presented in the following format:

Alert: There were at least 10000 matches between Mon 18 Apr 2016 10:45:38 CEST and Mon 18 Apr 2016 10:45:43 CEST on
 * logspace: "<mylogspace>"
 * alert: "<myalert>"
 * search expression: "<mysearchexpression>"

To review these matches on your SSB appliance, see:
https://<IP_address_of_SSB>:<port_number>/index.php?_backend=SearchLogspace#logspace_name=mylogspace&from=1460976338&to=1460976343&search_expression=mysearchexpression

Note: You will not receive a new alert message for a cooldown period of 1 minute for this alert.

Note that the contents of the log messages are not shared in the alert message. A URL is provided to direct users to their SSB appliance.
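A downstream consumer (a ticketing or SOAR integration, for example) usually wants the alert turned into a structured record, and, because the review URL is the one thing the recipient is asked to open, it should verify that the link actually points at the logspace, search expression and time window the message text describes before anyone follows it. The parser below is an added example, not SSB's own code. The sample subject and body are constructed to follow the layout documented above, the host name is a placeholder, and the table of time-zone abbreviations is an assumption about how the appliance prints times.

```python
"""Parse a syslog-ng Store Box content-based alert email into a record.

Added example, not SSB's own code. The sample message is constructed to
follow the documented layout; the host name is a placeholder.
"""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample message following the documented subject and body layout.
SAMPLE_SUBJECT = "Alert: [myalert][mylogspace]"
SAMPLE_BODY = (
    "Alert: There were at least 10000 matches between "
    "Mon 18 Apr 2016 10:45:38 CEST and Mon 18 Apr 2016 10:45:43 CEST on\n"
    ' * logspace: "mylogspace"\n'
    ' * alert: "myalert"\n'
    ' * search expression: "mysearchexpression"\n'
    "\n"
    "To review these matches on your SSB appliance, see:\n"
    "https://ssb.example.internal:443/index.php?_backend=SearchLogspace"
    "#logspace_name=mylogspace&from=1460976338&to=1460976343"
    "&search_expression=mysearchexpression\n"
    "\n"
    "Note: You will not receive a new alert message for a cooldown period "
    "of 1 minute for this alert.\n"
)

# Assumption: the appliance prints its times with one of these zone names.
TZ_OFFSET_HOURS = {"UTC": 0, "CET": 1, "CEST": 2}
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600}

SUBJECT_RE = re.compile(r"^Alert: \[(?P<alert>[^\]]*)\]\[(?P<logspace>[^\]]*)\]$")
SUMMARY_RE = re.compile(
    r"^Alert: There were at least (?P<count>\d+) matches between "
    r"(?P<start>.+?) and (?P<end>.+?) on$",
    re.MULTILINE,
)
FIELD_RE = re.compile(r'^ \* (?P<key>[^:]+): "(?P<value>[^"]*)"$', re.MULTILINE)
URL_RE = re.compile(r"^https?://\S+$", re.MULTILINE)
COOLDOWN_RE = re.compile(r"cooldown period of (?P<n>\d+) (?P<unit>second|minute|hour)s?")


def parse_timestamp(text):
    """'Mon 18 Apr 2016 10:45:38 CEST' -> timezone-aware datetime."""
    stamp, zone = text.rsplit(" ", 1)
    naive = datetime.strptime(stamp, "%a %d %b %Y %H:%M:%S")
    return naive.replace(tzinfo=timezone(timedelta(hours=TZ_OFFSET_HOURS[zone])))


def parse_alert(subject, body):
    """Return a dict of the alert's fields; raise ValueError if the message is
    malformed or its text and review link disagree with each other."""
    sm = SUBJECT_RE.match(subject)
    bm = SUMMARY_RE.search(body)
    um = URL_RE.search(body)
    if not (sm and bm and um):
        raise ValueError("message does not follow the SSB alert layout")
    fields = {m["key"]: m["value"] for m in FIELD_RE.finditer(body)}
    url = urlsplit(um.group(0))
    # The search parameters live in the URL fragment (after '#').
    params = {k: v[0] for k, v in parse_qs(url.fragment).items()}

    # Cross-check the link against the text before anyone is asked to open it.
    if (fields.get("alert"), fields.get("logspace")) != (sm["alert"], sm["logspace"]):
        raise ValueError("subject and body disagree on alert or logspace")
    if params.get("logspace_name") != sm["logspace"]:
        raise ValueError("review URL points at a different logspace")
    if params.get("search_expression") != fields.get("search expression"):
        raise ValueError("review URL carries a different search expression")
    start, end = parse_timestamp(bm["start"]), parse_timestamp(bm["end"])
    review_from, review_to = int(params["from"]), int(params["to"])
    if (end - start).total_seconds() != review_to - review_from:
        raise ValueError("text window and URL window differ in length")

    cm = COOLDOWN_RE.search(body)
    cooldown = int(cm["n"]) * UNIT_SECONDS[cm["unit"]] if cm else None
    return {
        "alert": sm["alert"],
        "logspace": sm["logspace"],
        "search_expression": fields["search expression"],
        "match_count": int(bm["count"]),
        "window_start": start,
        "window_seconds": review_to - review_from,
        "review_host": url.hostname,
        "review_from": review_from,
        "review_to": review_to,
        "cooldown_seconds": cooldown,
    }


if __name__ == "__main__":
    for key, value in parse_alert(SAMPLE_SUBJECT, SAMPLE_BODY).items():
        print(f"{key}: {value}")
```

The consistency checks compare only what the message itself carries (subject, body fields and the review link) so they need no access to the appliance; a message whose link disagrees with its text is rejected rather than forwarded, which is the right default for anything that asks an analyst to click through.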
