
Syslog Message Filters

Introduction

The Syslog messages received by LoriotPro can be filtered to generate actions. This document explains how to set up filtering rules and how to configure the actions.

The filters (or filtering rules) are declared in a list and systematically contain a set of conditions and a set of actions.

Possible conditions are:

  • The source IP address and mask of the Syslog message sender. You can filter a single host, or all hosts belonging to an IP network or sub-network.
  • The facility type of the Syslog message. 23 types are defined by RFC3164.
  • The level of the message, which classifies its severity.
  • A first character string, found anywhere or at a specified offset in the Syslog message body.
  • And/or a second character string, found anywhere or at a specified offset in the Syslog message body.

Possible actions are:

  • No action is performed.
  • The message is displayed with a custom color in custom windows 1, 2 and 3.
  • The message is saved to the local history file.
  • The message is given a LoriotPro event number and severity level and forwarded to a LoriotPro event console.
  • The message is simply forwarded to another Syslog Collector agent or to a standard Syslog server.
  • These last two actions can be triggered by a cumulative count of the same message (a threshold).

Setting Filter Rules

To define filter rules and actions, open the Syslog Filter editor: open the contextual menu of the Syslog window and select the Edit Syslog Filter option.

The Editor window is displayed:

A set of buttons allows the management of rules within a filter rule list. You can add, insert, move and delete filter rules.

Filter creation and modification buttons

  • Insert a new filter rule in the list above the selected rule.
  • Insert a new filter rule in the list below the selected rule.
  • Insert a new filter rule at the top of the list.
  • Insert a new filter rule at the bottom of the list.
  • Move the selected rule one line up.
  • Move the selected rule one line down.
  • Delete the selected filter rule.


Syslog Filter Rules

Syslog filter rules are gathered in a filter list. Each time a Syslog message arrives, it is checked against each rule in the list, sequentially from top to bottom. A rule contains conditions and actions; if the conditions are satisfied, the actions are executed.

A single Syslog message can match several filter rules and trigger several actions. One of the available options (Next Filter) stops the walk through the filter list and moves on to the processing of the next incoming message.

Filter Management window

Filter rule settings 

Parameter table

IP Address / IP Mask

This is a condition field. The agent process checks that the source IP address of the sender matches the IP address and network mask specified here.

Example

IP (0.0.0.0) Mask (0.0.0.0): all source IP addresses are accepted.

IP (10.0.0.0) Mask (255.0.0.0): all IP addresses belonging to the network 10.xxx.xxx.xxx are accepted.

IP (10.45.25.63) Mask (255.255.255.255): only this host is accepted.

A double-click on this field in the filter list allows you to modify this parameter.

Facility

This field allows you to filter messages according to their Facility type. The Facility value is set by the device that sends the Syslog message.

The « -1 all » choice matches all facility values.

Level

This field allows you to filter messages according to their Level (severity) value. The Level value is set by the device that sends the Syslog message.

The « -1 all » choice matches all level values.

String 1

A Syslog message is a simple character string. The “String 1” field allows you to filter messages based on a match between this string and the contents of the message.

A double-click on the field allows you to specify the search string.

An empty string (null) allows any message to match this condition.

Offset

If an offset is specified, the predefined string (String 1) must start at exactly this position in the message.

Note: This option can be of limited use, because the message contents may change and the offset is then no longer valid.

And/Or

A second condition on a second string can be added. The Boolean “or” and “and” operators can be applied between the two strings.

String 2

This is the second string that can be defined as a condition.

Offset

Offset that can be applied to this second string. The offset specifies the number of characters from the beginning of the message.

Case

The string comparison is either case sensitive or not. If case sensitive, uppercase and lowercase characters are not considered the same.


Action

If all the previous conditions are satisfied, a basic action is executed.

Actions

  • 00 none: the message is cleared from memory, nothing happens.
  • 01 log: the message is saved to a file whose name is defined in the Log File column.
  • 02 display: the message is displayed in the Syslog Global window.
  • 03 display 1: the message is displayed in the Syslog 1 window.
  • 04 display 2: the message is displayed in the Syslog 2 window.
  • 05 display 3: the message is displayed in the Syslog 3 window.
  • 06 log+display: the message is saved to the file defined in the Log File column and displayed in the Syslog Global window.
  • 07 log+display 1: the message is saved to the file defined in the Log File column and displayed in the Syslog 1 window.
  • 08 log+display 2: the message is saved to the file defined in the Log File column and displayed in the Syslog 2 window.
  • 09 log+display 3: the message is saved to the file defined in the Log File column and displayed in the Syslog 3 window.

LoriotPro

If all the conditions are satisfied and an IP address is defined in this field, the agent sends a LoriotPro event message (proprietary format) to this address. The next fields, Event and Level, are used to build the message. The event number must be different from 0.

Note:

The LoriotPro message content is a copy of the Syslog message content.

Event

The event number used in the LoriotPro event format.

Level

The severity level used by the LoriotPro event format.


Syslog

If all the filtering conditions are satisfied and an IP address is defined in this field, the agent sends a Syslog message to this address.

The Threshold value sets the number of matching incoming messages required before the Syslog message is sent.

Threshold

Used to trigger the sending of a LoriotPro or Syslog message once a predefined count is reached.

Example: if the value is set to 3, a LoriotPro and/or a Syslog message is sent only when three incoming Syslog messages of that type have been seen.

Next Filter

This option allows you to stop the processing of the filter rule list. If the NO option is selected, the following rules in the list are not processed for this message.

Log File

If all the conditions are satisfied and the action is log or log+display, the message is appended to the file specified here. The final file name is built from this name and from the current date. The file is in CSV format and is plain text.

Note:

A new file is automatically created every 24 hours.
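To make the evaluation order of the conditions and options described above concrete, here is an added Python model of the filter list (example code written for this page, not LoriotPro's own implementation). It assumes RFC3164 messages carrying a `<PRI>` header, from which facility and level are derived, treats a threshold as "fire the action every N matching messages", and uses -1 for "anywhere" offsets; all of these are assumptions.

```python
import ipaddress
from dataclasses import dataclass
@dataclass
class Rule:                          # one row of the filter list; defaults match anything
    ip: str = "0.0.0.0"
    mask: str = "0.0.0.0"
    facility: int = -1               # -1 all
    level: int = -1                  # -1 all
    string1: str = ""                # an empty string matches any message
    offset1: int = -1                # -1: String 1 may appear anywhere in the body (assumed)
    op: str = "and"                  # "and" / "or" between String 1 and String 2
    string2: str = ""
    offset2: int = -1
    case_sensitive: bool = False
    action: str = "00 none"
    threshold: int = 1               # fire the action every N matching messages (assumed)
    next_filter: bool = True         # False: stop walking the list after this rule
    count: int = 0                   # running match counter for the threshold

def parse_pri(msg):
    """Split an RFC3164 message into (facility, level, body); PRI = facility*8 + level."""
    pri, body = msg[1:].split(">", 1)   # a malformed <PRI> header raises ValueError
    return int(pri) // 8, int(pri) % 8, body

def string_matches(body, s, offset, case_sensitive):
    if not s:
        return True
    if not case_sensitive:
        body, s = body.lower(), s.lower()
    return s in body if offset < 0 else body.startswith(s, offset)

def rule_matches(rule, src, msg):
    fac, lvl, body = parse_pri(msg)
    a, r, m = (int(ipaddress.IPv4Address(x)) for x in (src, rule.ip, rule.mask))
    if (a & m) != (r & m) or rule.facility not in (-1, fac) or rule.level not in (-1, lvl):
        return False                 # sender outside IP/Mask, or facility/level mismatch
    c1 = string_matches(body, rule.string1, rule.offset1, rule.case_sensitive)
    c2 = string_matches(body, rule.string2, rule.offset2, rule.case_sensitive)
    return (c1 and c2) if rule.op == "and" else (c1 or c2)
def process(rules, src, msg):
    # walk the list top to bottom and return the actions fired for this message
    fired = []
    for rule in rules:
        if not rule_matches(rule, src, msg):
            continue
        rule.count += 1
        if rule.count % rule.threshold == 0:
            fired.append(rule.action)
        if not rule.next_filter:
            break                    # Next Filter = NO: later rules are skipped
    return fired
```

Note that with the "or" operator an empty String 2 makes the second condition always true, so the whole string condition matches every message.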
