
Configure a Rule Using Syslog

With the syslog ingest settings complete, you can now create a rule using syslog as the sensor.

This rule includes three elements:

  • A syslog sensor

  • Four fields capturing data of interest

  • A trigger that indicates when the interface goes down

Note:

See the usage notes at the end of this section for more detail on what has been configured.

  1. Click Configuration > Rules in the left-navigation bar.
  2. On the Rules page, click the + Add Rule button.
  3. On the page that appears, in the top row of the rule window, set the rule name. In this example, it is check-interface-status.
  4. Add a description and synopsis if you wish.
  5. Click the + Add sensor button and enter the following parameters in the Sensors tab:
    [Figure: Sensors tab showing a syslog sensor named if-status-sensor, with Add sensor and Delete buttons.]
  6. Now move to the Fields tab, click the + Add field button, and enter the following parameters to configure the first field, named event-id:
    [Figure: Fields tab with the event-id field selected; the settings shown are field name, description, field type, Add to rule key, Ingest type, sensor, path, Zero suppression, and Data if missing.]
  7. Click the + Add field button again and enter the following parameters to configure the second field, named fpc-slot:
    [Figure: Fields tab with the fpc-slot field selected; Ingest type set to Sensor, Zero suppression off.]
  8. Click the + Add field button again and enter the following parameters to configure the third field, named if-name:
    [Figure: Fields tab with the if-name field selected: description empty, field type unselected, Add to rule key off, Ingest type Sensor, sensor if-status-sensor, path if-name, Zero suppression off, Data if missing set to all interfaces. The sidebar lists event-id, fpc-slot, if-name, and snmp-index.]
  9. Click the + Add field button once more and enter the following parameters to configure the fourth field, named snmp-index:
    [Figure: Fields tab with the snmp-index field selected: Add to rule key off, Ingest type Sensor, sensor if-status-sensor, path snmp-index, Zero suppression off, Data if missing empty.]
  10. Now move to the Triggers tab, click the + Add trigger button, and enter the following parameters to configure a trigger named link-down:
    [Figure: Triggers tab with the link-down trigger, frequency 2s; its terms match event-id against SNMP_TRAP_LINK_DOWN and PSEUDO_FPC_DOWN, set the color to red, and show a link-down message.]
  11. At the upper right of the window, click the + Save & Deploy button.

Usage Notes for the Rule

  • Sensor tab

    • The sensor name if-status-sensor is user-defined.

    • The sensor type is syslog.

    • Pattern set check-interface-status - this example assumes the pattern set was configured earlier.

    • If not set, the Maximum hold period defaults to 1s.

  • Fields tab

    • Four fields are defined. Although the patterns capture more than four fields of data, this example defines only the four fields of interest; these fields are used in the trigger settings.

    • The field names (event-id, fpc-slot, if-name, snmp-index) are user-defined.

    • path event-id - default field created by syslog ingest in the raw table; references the field from the pattern configuration.

    • path fpc - references the value from the filter used in the unstructured pattern configuration.

    • path if-name - refers to the interface name field from the pattern configuration. See Configure System Log Ingest.

      • Data if missing all interfaces - if the if-name value is not included in the syslog message, use the string value “all interfaces”.

    • path snmp-index - references the field from the pattern configuration.

  • Triggers tab

    • The trigger name link-down is user-defined.

    • frequency 2s - Paragon Insights checks for link-down syslog messages every 2 seconds.

    • term is-link-down - when $event-id is like SNMP_TRAP_LINK_DOWN in any syslog message received in the last 300 seconds, set the status color to red and show the message Link down for $if-name(snmp-id: $snmp-index).

      • $event-id - $ indicates to reference the rule field event-id.

      • Link down for $if-name(snmp-id: $snmp-index) - for example, “Link down for ge-2/0/0 of FPC 2”.

      • $if-name - references the field value, i.e., the name of the interface in the syslog message.

    • term is-fpc-down - when $event-id is like PSEUDO_FPC_DOWN in any syslog message received in the last 300 seconds, set the status color to red and show the message Link down for $if-name of FPC$fpc-slot.

      • $event-id - $ indicates to reference the rule field event-id.

      • $if-name - “all interfaces”.

      • Link down for $if-name of FPC$fpc-slot - for example, “Link down for all interfaces of FPC 2”.
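The rule built in the steps above and explained in these usage notes amounts to a small detection loop: extract the four fields from each syslog message, apply the Data if missing default for if-name, and evaluate the two trigger terms against messages received in the last 300 seconds. The Python script below is an added example that simulates that evaluation offline so the behaviour of the terms can be checked before the rule is deployed; it is not Paragon Insights code. The syslog message formats, the regular expressions standing in for the pattern set, the evaluation time and the sample log lines are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample syslog lines standing in for what the syslog ingest would
# receive. The message formats are assumptions, not captured device output.
SAMPLE_SYSLOG = """\
Mar  4 10:15:02 router1 mib2d[1234]: SNMP_TRAP_LINK_DOWN: ifIndex 531, ifAdminStatus up(1), ifOperStatus down(2), ifName ge-2/0/0
Mar  4 10:15:03 router1 mib2d[1234]: SNMP_TRAP_LINK_UP: ifIndex 532, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-2/0/1
Mar  4 10:15:10 router1 chassisd[2345]: PSEUDO_FPC_DOWN: FPC 2 is down
Mar  4 10:02:00 router1 mib2d[1234]: SNMP_TRAP_LINK_DOWN: ifIndex 600, ifAdminStatus up(1), ifOperStatus down(2), ifName xe-0/0/3
"""

# Assumed stand-ins for the check-interface-status pattern set: a structured
# pattern for the SNMP trap and an unstructured pattern for the FPC event whose
# "fpc" group plays the role of the filter that yields the fpc-slot field.
PATTERNS = [
    re.compile(r"(?P<event_id>SNMP_TRAP_LINK_\w+): ifIndex (?P<snmp_index>\d+),.*?ifName (?P<if_name>\S+)"),
    re.compile(r"(?P<event_id>PSEUDO_FPC_DOWN): FPC (?P<fpc>\d+)"),
]
TIMESTAMP_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) ")

# Constructed evaluation time for the trigger (one 2 s cycle of the rule).
NOW = datetime(2024, 3, 4, 10, 15, 12)
TIME_RANGE = timedelta(seconds=300)

# The two trigger terms in order: (term name, event-id it matches, message).
TERMS = [
    ("is-link-down", "SNMP_TRAP_LINK_DOWN", "Link down for {if_name}(snmp-id: {snmp_index})"),
    ("is-fpc-down", "PSEUDO_FPC_DOWN", "Link down for {if_name} of FPC{fpc_slot}"),
]


@dataclass
class Record:
    """The four rule fields extracted from one syslog message."""
    time: datetime
    event_id: str
    fpc_slot: str
    if_name: str
    snmp_index: str


def parse_line(line: str, year: int = 2024) -> Optional[Record]:
    """Map one syslog line onto the rule's fields; None if no pattern matches."""
    head = TIMESTAMP_RE.match(line)
    if not head:
        return None
    # Syslog timestamps carry no year, so one is supplied (assumed here).
    ts = datetime.strptime(head.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    for pattern in PATTERNS:
        m = pattern.search(line)
        if m:
            g = m.groupdict()
            return Record(
                time=ts,
                event_id=g["event_id"],
                fpc_slot=g.get("fpc") or "",
                # "Data if missing: all interfaces" for the if-name field.
                if_name=g.get("if_name") or "all interfaces",
                snmp_index=g.get("snmp_index") or "",
            )
    return None


def evaluate_trigger(records: List[Record], now: datetime) -> List[Tuple[str, str, str]]:
    """One evaluation of the link-down trigger: (term, color, message) per hit.

    A record counts only if it arrived inside the 300 s window; the first term
    whose event-id matches wins, mirroring term ordering in the trigger.
    """
    alerts = []
    for rec in records:
        if not (now - TIME_RANGE <= rec.time <= now):
            continue
        for term, event_id, template in TERMS:
            # "is like" is modelled as an exact match on the event-id value.
            if rec.event_id == event_id:
                alerts.append((term, "red", template.format(
                    if_name=rec.if_name, snmp_index=rec.snmp_index, fpc_slot=rec.fpc_slot)))
                break
    return alerts


def run_rule(text: str, now: datetime = NOW) -> List[Tuple[str, str, str]]:
    """Ingest the syslog text, then run the trigger once at time `now`."""
    records = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    return evaluate_trigger(records, now)


if __name__ == "__main__":
    for term, color, message in run_rule(SAMPLE_SYSLOG):
        print(f"{term}: {color}: {message}")
```

Running the script reports the ge-2/0/0 link-down and the FPC 2 event as red, ignores the SNMP_TRAP_LINK_UP message because no term matches it, and drops the earlier xe-0/0/3 event because it falls outside the 300-second window. Because the trigger runs every 2 seconds and looks back 300 seconds, a single syslog message keeps the status red for the whole window; that is the expected behaviour of a status-style trigger, not a duplicate alert.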