Syslog Message Filters
Introduction
The Syslog messages received by LoriotPro can be filtered to generate actions. This document explains how to set up filtering rules and how to configure the actions.
The filters (or filtering rules) are declared in a list and systematically contain a set of conditions and a set of actions.
Possible conditions are:
- IP source address and mask of the Syslog message sender. You can filter a single host or all hosts belonging to an IP network or sub-network.
- The facility type of the Syslog message. 23 types are defined by RFC 3164.
- The level of the message, which classifies its severity.
- A first character string found anywhere, or at a specified offset, in the Syslog message body.
- And/or a second character string found anywhere, or at a specified offset, in the Syslog message body.
Possible actions are:
- No action is performed.
- The message is colour customized and displayed in the custom windows 1, 2 and 3.
- The message is saved on the local history file.
- The message is customized with a LoriotPro event number and severity level and forwarded to a LoriotPro event console.
- The message is simply forwarded to another Syslog Collector agent or a standard Syslog server.
- The last two actions can also be triggered by a cumulative count of the same message.
Setting Filter Rules
To define filter rules and actions, open the Syslog Filter editor: open the contextual menu of the Syslog window and select the Edit Syslog Filter option.
The Editor window is displayed:
A set of buttons allows the management of rules within a filter rule list. You can add, insert, move and delete filter rules.
Filter creation and modification buttons:
- Insert a new filter rule in the list above the currently selected rule.
- Insert a new filter rule in the list below the currently selected rule.
- Insert a new filter rule at the top of the list.
- Insert a new filter rule at the bottom of the list.
- Move the currently selected line one line up.
- Move the currently selected line one line down.
- Suppress (delete) the selected filter rule.
Syslog Filter rules are sets of filters gathered in a filter list. Each time a Syslog message arrives, it is checked against each rule in the list, sequentially from top to bottom. A rule contains conditions and actions: if the conditions are satisfied, the actions are executed.
A single Syslog message can match multiple filter rules and trigger multiple actions. One of the possible actions stops the walk through the filter list and jumps to the processing of the next incoming message.
Filter Management window
Parameter table
IP Address / IP Mask
This is a condition field. The agent process checks that the source IP address of the sender matches the IP address and network mask specified here.
Examples:
- IP 0.0.0.0, Mask 0.0.0.0: all source IP addresses are accepted.
- IP 10.0.0.0, Mask 255.0.0.0: all IP addresses belonging to the network 10.xxx.xxx.xxx are accepted.
- IP 10.45.25.63, Mask 255.255.255.255: only this host is accepted.
A double-click on this field in the filter list allows you to modify this parameter.

Facility
This field allows you to filter messages according to their Facility type. The Facility value is set by the device that sends the Syslog message.
The "-1 all" choice matches all facility values.

Level
This field allows you to filter messages according to their severity Level value. The Level value is set by the device that sends the Syslog message.
The "-1 all" choice matches all level values.

String 1
A Syslog message is a simple character string. The field "String 1" allows you to filter messages based on a match between this string and the contents of the message.
A double-click on the field allows you to specify the search string.
An empty string (null) allows any message to match this condition.

Offset
If the offset is specified, the predefined string (String 1) must start at this precise position in the message.
Note: this option is fragile, because the message layout may change, in which case the string is no longer found at that offset and the rule stops matching.

And/Or
A second condition on a second string can be added. The Boolean "or" and "and" operators can be applied to combine the two string conditions.

String 2
This is the second string that can be defined as a condition.

Offset
Offset that can be applied to this second string. The offset is the number of characters from the beginning of the message at which the string must start.

Case
Whether the string comparison is case sensitive or not. If sensitive, uppercase and lowercase characters are not considered the same.

Action
If all the previous conditions are satisfied, the basic action selected here is executed:
- 00 none: the message is cleared from memory; nothing happens.
- 01 log: the message is saved to the file whose name is defined in the Log File column.
- 02 display: the message is displayed in the Syslog Global window.
- 03 display 1: the message is displayed in the Syslog 1 window.
- 04 display 2: the message is displayed in the Syslog 2 window.
- 05 display 3: the message is displayed in the Syslog 3 window.
- 06 log+display: the message is saved to the file defined in the Log File column and displayed in the Syslog Global window.
- 07 log+display 1: the message is saved to the file defined in the Log File column and displayed in the Syslog 1 window.
- 08 log+display 2: the message is saved to the file defined in the Log File column and displayed in the Syslog 2 window.
- 09 log+display 3: the message is saved to the file defined in the Log File column and displayed in the Syslog 3 window.

LoriotPro
If all the conditions are satisfied and an IP address is defined in this field, the agent sends a LoriotPro event message (proprietary format) to this address. The next fields, Event and Level, are used to build the message; the event number must be different from 0.
Note: the LoriotPro message content is a copy of the Syslog message content.

Event
The event number used in the LoriotPro event format.

Level
The severity level used in the LoriotPro event format.

Syslog
If all the filtering conditions are satisfied and an IP address is defined in this field, the agent sends a Syslog message to this address.
The Threshold value sets the number of incoming messages that must satisfy this filter rule before a Syslog message is sent.

Threshold
Used to trigger the sending of a LoriotPro or Syslog message once a predefined count is reached.
Example: if the value is set to 3, a LoriotPro and/or a Syslog message is sent only when three incoming syslog messages matching this rule have been seen.

Next Filter
This option allows you to stop the processing of the filter rule list. If the NO option is selected, the rules that follow in the list are not processed for the current message.

Log File
If all the conditions are satisfied and the action is log or log+display, the message is appended to the file specified here. The final file name is built from this name and from the current date. The file is in CSV format and is readable as plain text.
Note: a new file is automatically created every 24 hours.
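The filter-list walk described in this table (IP/Mask matching, the "-1 all" wildcards for Facility and Level, the two strings combined with And/Or and pinned by an Offset, the Threshold count and the Next Filter stop) as an added Python model; this is illustration code, not LoriotPro's own implementation. The Rule field names, the convention that an offset of -1 means "anywhere", and the sample messages are assumptions made for the example.

```python
# Added example, not LoriotPro code: a model of the filter-rule semantics in this page.
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    ip: str = "0.0.0.0"        # IP 0.0.0.0 with Mask 0.0.0.0 accepts every sender
    mask: str = "0.0.0.0"
    facility: int = -1         # -1 = all facilities
    level: int = -1            # -1 = all levels
    string1: str = ""          # empty string matches any message
    offset1: int = -1          # assumed: -1 = anywhere, else string must start there
    op: str = "and"            # "and" / "or" between String 1 and String 2
    string2: str = ""
    offset2: int = -1
    case: bool = False         # case-sensitive comparison?
    action: str = "none"       # "none", "log", "display", "log+display 1", ...
    forward: str = ""          # LoriotPro/Syslog destination IP, "" = no forwarding
    threshold: int = 1         # forward only every N matching messages
    next_filter: bool = True   # False = stop walking the list after this rule
    hits: int = 0              # matching messages seen so far

def str_match(body: str, needle: str, offset: int, case: bool) -> bool:
    body, needle = (body, needle) if case else (body.lower(), needle.lower())
    # empty needle matches anything; offset >= 0 pins where the string must start
    return not needle or (body.startswith(needle, offset) if offset >= 0 else needle in body)

def rule_match(msg: dict, rule: Rule) -> bool:
    src, ip, mask = (int(ipaddress.IPv4Address(x)) for x in (msg["src"], rule.ip, rule.mask))
    if (src & mask) != (ip & mask):    # sender must belong to IP/Mask
        return False
    if rule.facility not in (-1, msg["facility"]) or rule.level not in (-1, msg["level"]):
        return False
    a = str_match(msg["body"], rule.string1, rule.offset1, rule.case)
    b = str_match(msg["body"], rule.string2, rule.offset2, rule.case)
    return (a and b) if rule.op == "and" else (a or b)

def process(msg: dict, rules: list) -> list:   # walk the list top to bottom
    fired = []                                   # actions fired for this message
    for rule in rules:
        if rule_match(msg, rule):
            rule.hits += 1
            if rule.action != "none":
                fired.append(rule.action)
            if rule.forward and rule.hits % rule.threshold == 0:
                fired.append("forward:" + rule.forward)
            if not rule.next_filter:   # Next Filter = NO: skip the remaining rules
                break
    return fired
```

Feeding the same constructed message three times through a rule with Threshold 3 shows the forwarding action firing only on the third hit, while a rule with Next Filter set to NO hides every rule below it.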