Configure a Rule Using Syslog

With the syslog ingest settings complete, you can now create a rule using syslog as the sensor.

This rule includes three elements:

  • A syslog sensor

  • Four fields capturing data of interest

  • A trigger that indicates when the interface goes down

Note:

See the usage notes at the end of this section for more detail on what has been configured.

  1. Click Configuration > Rules in the left-navigation bar.
  2. On the Rules page, click the + Add Rule button.
  3. On the page that appears, in the top row of the rule window, set the rule name. In this example, it is check-interface-status.
  4. Add a description and synopsis if you wish.
  5. Click the + Add sensor button and enter the following parameters in the Sensors tab:
     [Screenshot: Sensors tab] Sensor name: if-status-sensor; Sensor type: syslog; Pattern set: check-interface-status.
  6. Now move to the Fields tab, click the + Add field button, and enter the following parameters to configure the first field, named event-id:
     [Screenshot: Fields tab, event-id] Ingest type: Sensor; Sensor: if-status-sensor; Path: event-id; Add to Rule Key: off; Zero suppression: off.
  7. Click the + Add field button again and enter the following parameters to configure the second field, named fpc-slot:
     [Screenshot: Fields tab, fpc-slot] Ingest type: Sensor; Sensor: if-status-sensor; Path: fpc; Zero suppression: off.
  8. Click the + Add field button again and enter the following parameters to configure the third field, named if-name:
     [Screenshot: Fields tab, if-name] Ingest type: Sensor; Sensor: if-status-sensor; Path: if-name; Add to Rule Key: off; Zero suppression: off; Data if missing: all interfaces.
  9. Click the + Add field button once more and enter the following parameters to configure the fourth field, named snmp-index:
     [Screenshot: Fields tab, snmp-index] Ingest type: Sensor; Sensor: if-status-sensor; Path: snmp-index.
  10. Now move to the Triggers tab, click the + Add trigger button, and enter the following parameters to configure a trigger named link-down:
     [Screenshot: Triggers tab, link-down] Frequency: 2s. Term is-link-down: when $event-id is like SNMP_TRAP_LINK_DOWN, set color red and show the message Link down for $if-name(snmp-id: $snmp-index). Term is-fpc-down: when $event-id is like PSEUDO_FPC_DOWN, set color red and show the message Link down for $if-name of FPC$fpc-slot.
  11. At the upper right of the window, click the + Save & Deploy button.

Usage Notes for the Rule

  • Sensor tab

    • The sensor name if-status-sensor is user-defined.

    • The sensor type is syslog.

    • Pattern set check-interface-status - it is assumed that this pattern set was configured earlier.

    • If not set, the Maximum hold period defaults to 1s.

  • Fields tab

    • Four fields are defined. Although the patterns capture more than four fields of data, this example defines only the four fields of interest; these fields are used in the trigger settings.

    • The field names (event-id, fpc-slot, if-name, snmp-index) are user-defined.

    • path event-id - default field created by syslog ingest in the raw table; references the field from the pattern configuration.

    • path fpc - references the value from the filter used in the unstructured pattern configuration.

    • path if-name - refers to the interface name field from the pattern configuration. See Configure System Log Ingest.

      • Data if missing all interfaces - if the if-name value is not included in the syslog message, use the string value “all interfaces”.

    • path snmp-index - references the field from the pattern configuration.

  • Triggers tab

    • The trigger name link-down is user-defined.

    • frequency 2s - Paragon Insights checks for link-down syslog messages every 2 seconds.

    • term is-link-down - when $event-id is like SNMP_TRAP_LINK_DOWN, in any syslog message in the last 300 seconds, make red and show the message Link down for $if-name(snmp-id: $snmp-index).

      • $event-id - $ indicates to reference the rule field event-id.

      • Link down for $if-name(snmp-id: $snmp-index) - for example, “Link down for ge-2/0/0 of FPC 2”.

      • $if-name - references the field value, i.e., the name of the interface in the syslog message.

    • term is-fpc-down - when $event-id is like PSEUDO_FPC_DOWN, in any syslog message in the last 300 seconds, make red and show the message Link down for $if-name of FPC$fpc-slot.

      • $event-id - $ indicates to reference the rule field event-id.

      • $if-name - “all interfaces”.

      • Link down for $if-name of FPC$fpc-slot - for example, “Link down for all interfaces of FPC 2”.
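To make the trigger semantics in the procedure and usage notes above concrete, the following is an added Python model (not Paragon Insights code) of how the four rule fields feed the two trigger terms: the "Data if missing" default for if-name, the 300-second lookback, and the $field substitution in the messages. The sample records are constructed, and exact string equality is assumed in place of the rule's "is like" comparison.

```python
import re
from datetime import datetime, timedelta

# "Data if missing" default from the Fields tab: if-name falls back to "all interfaces".
DATA_IF_MISSING = {"if-name": "all interfaces"}
LOOKBACK = timedelta(seconds=300)  # the trigger's 300-second lookback

# Trigger terms in order: (event-id to match, message template). "$name"
# references a rule field, as in the message strings of the rule above.
TERMS = [
    ("SNMP_TRAP_LINK_DOWN", "Link down for $if-name(snmp-id: $snmp-index)"),
    ("PSEUDO_FPC_DOWN", "Link down for $if-name of FPC$fpc-slot"),
]
FIELD_REF = re.compile(r"\$([A-Za-z][\w-]*)")

def apply_defaults(record):
    """Fill empty or absent fields the way 'Data if missing' does."""
    filled = dict(record)
    for name, default in DATA_IF_MISSING.items():
        if not filled.get(name):
            filled[name] = default
    return filled

def render(template, fields):
    """Substitute $field references; unknown references are left as written."""
    return FIELD_REF.sub(lambda m: fields.get(m.group(1), m.group(0)), template)

def evaluate_trigger(records, now):
    """Return [(color, message), ...] for each record inside the lookback window
    that matches a term, newest first; [] means the trigger stays silent.
    Exact equality stands in for the rule's 'is like' comparison (assumption)."""
    alerts = []
    recent = [r for r in records if now - r["time"] <= LOOKBACK]
    for rec in sorted(recent, key=lambda r: r["time"], reverse=True):
        fields = apply_defaults(rec)
        for event_id, template in TERMS:
            if fields.get("event-id") == event_id:
                alerts.append(("red", render(template, fields)))
                break  # first matching term wins for this record
    return alerts

# Constructed sample records, modeled on the four fields the pattern set extracts.
NOW = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_RECORDS = [
    {"time": NOW - timedelta(seconds=30), "event-id": "SNMP_TRAP_LINK_DOWN",
     "if-name": "ge-2/0/0", "snmp-index": "527", "fpc-slot": "2"},
    {"time": NOW - timedelta(seconds=90), "event-id": "PSEUDO_FPC_DOWN",
     "if-name": "", "snmp-index": "", "fpc-slot": "2"},  # no if-name in message
    {"time": NOW - timedelta(seconds=900), "event-id": "SNMP_TRAP_LINK_DOWN",
     "if-name": "ge-0/0/1", "snmp-index": "513", "fpc-slot": "0"},  # outside window
]
```

Running evaluate_trigger(SAMPLE_RECORDS, NOW) yields the two red alerts for the records inside the window, with the FPC record showing "all interfaces" because its if-name was empty.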