Syslog-to-Alarm Rule
To extract important information from Syslogs, the system receives only the Syslogs that match the pre-defined rules of the Syslog management system, matches them against the Syslog-to-alarm rules, and promotes the matching Syslogs to alarms. With the alarms, administrators can quickly discover network problems and locate their causes.
Syslog-to-Alarm Flowchart
The Syslogs are promoted to alarms in the following workflow.
- Syslog-to-alarm rules are defined in the system. For more information, see Add/Modify/Copy a Rule.
- The system receives Syslogs from devices.
- The system matches the Syslogs against the Syslog-to-alarm rules, and picks out a Syslog only if it matches all of the following options in a rule:
- Syslog type
- Syslog level
- Syslog template
The system determines whether a Syslog matches a Syslog template using the following rules:
- If the Param Value fields for the count parameters are set to N/A, a Syslog matches the Syslog template regardless of the count type (summing count or classifying count) and of the count parameter values. For example, the Syslog template "PacketLimit: ARP packet rate($(Packet Rate)) exceeded on interface $(inputDeviceIfDesc). The port will be down!" contains the parameter $(Packet Rate). If the Param Value field of this parameter is set to N/A, any Syslog that matches the template text will match it whatever packet rate it carries.
- If the Param Value field of a count parameter is set to a specific value, only a Syslog that carries that value for the parameter matches the Syslog template, regardless of the count type (summing count or classifying count). For example, the Syslog template "PacketLimit: ARP packet rate($(Packet Rate)) exceeded on interface $(inputDeviceIfDesc). The port will be down!" contains the parameter $(Packet Rate). If the Param Value field of this parameter is set to 10, only a Syslog with a packet rate of 10 matches the template.
- The system counts the matching Syslogs. If you specify the statistic method as Network, the matching Syslogs throughout the network are counted together. If you specify the statistic method as Single Device, the matching Syslogs are counted per device. The matching Syslogs are counted using the following rules:
- If Summing Count is selected and the Param Value fields for the count parameters are set to N/A, the number of Syslogs that contain the count parameters is counted. For example, if the count parameter of Syslog 1 is A, the count parameter of Syslog 2 is B, and the count parameter of Syslog 3 is A, the total count of Syslogs is 3.
- If Summing Count is selected and the Param Value fields for the count parameters are set to specific values, the number of Syslogs that match the specific parameter values is counted. For example, if you set the Param Value field of the count parameter to A, the count parameter of Syslog 1 is A, the count parameter of Syslog 2 is B, and the count parameter of Syslog 3 is A, the total count of matching Syslogs is 2, and Syslog 2 is considered not matching the rule.
- If Classifying Count is selected and the Param Value fields for the count parameters are set to N/A, the number of Syslogs that contain the count parameters is counted per count parameter values. For example, if the count parameter of Syslog 1 is A, the count parameter of Syslog 2 is B, and the count parameter of Syslog 3 is A, the count of Syslogs matching count parameter A is 2, and the count of Syslogs matching count parameter B is 1.
- If Classifying Count is selected and the Param Value fields for the count parameters are set to specific values, the number of Syslogs that match the specific parameter values is counted. For example, if you set the Param Value field of the count parameter to A, the count parameter of Syslog 1 is A, the count parameter of Syslog 2 is B, and the count parameter of Syslog 3 is A, the count of matching Syslogs is 2, and Syslog 2 is considered not matching the rule.
- The system generates an alarm when a count reaches the repeat times within a repeat interval. For example, if you set the repeat interval to 60 seconds and the repeat times to 5, the system generates an alarm when a count reaches 5 within any 60-second interval.
- If you select the Yes option for Forward to SCC, the generated alarms will be sent to the security control center (SCC) for collaborative processing.
- If the system receives a Syslog that matches the alarm recovery rule in the Syslog-to-alarm rule, the system immediately generates a recovery alarm. To recover exactly the alarms generated by the Syslog-to-alarm rule, specify the alarm recovery key parameters, which are the location parameters of the recovery alarms. The system uses these location parameters to identify which alarms need to be recovered by a given recovery alarm.
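The following Python script is an added example, not part of this page or of the product: it implements the workflow described above (template matching with $(name) placeholders, the Param Value check, summing and classifying counts per network or per device, the repeat times within a repeat interval, and recovery by key parameters) over a few constructed syslog records. The Rule fields, the syslog record layout, the choice to restart a counter after it raises an alarm, and the use of device plus key parameters to pair a recovery with an alarm are all assumptions made for illustration.

```python
import re
from collections import defaultdict, deque

# Added example: a small engine following the matching and counting rules
# described above. Rule fields and the syslog record layout are assumptions
# made for illustration; they are not the product's own data model.

PLACEHOLDER = re.compile(r"\$\(([^)]+)\)")


def compile_template(template):
    """Turn a template with $(name) placeholders into an anchored regex.
    Returns (pattern, names); parameter i is captured by group p<i>."""
    names, parts, pos = [], [], 0
    for m in PLACEHOLDER.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))   # literal text is escaped
        parts.append(r"(?P<p%d>.+?)" % len(names))         # group names may not contain spaces
        names.append(m.group(1))
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("^" + "".join(parts) + "$"), names


def match_template(compiled, text):
    """Return {parameter name: value} when text matches the template, else None."""
    pattern, names = compiled
    m = pattern.match(text)
    return None if m is None else {n: m.group("p%d" % i) for i, n in enumerate(names)}


class Rule:
    def __init__(self, name, syslog_type, level, template, param_values, count_type,
                 stat_method, repeat_times, repeat_interval, recovery_template=None, recovery_keys=()):
        self.name, self.syslog_type, self.level = name, syslog_type, level
        self.compiled = compile_template(template)
        self.param_values = param_values      # count parameter -> value; None means N/A
        self.count_type = count_type          # "summing" or "classifying"
        self.stat_method = stat_method        # "network" or "single_device"
        self.repeat_times, self.repeat_interval = repeat_times, repeat_interval
        self.recovery = compile_template(recovery_template) if recovery_template else None
        self.recovery_keys = recovery_keys    # location parameters identifying the alarm


class AlarmEngine:
    def __init__(self, rule):
        self.rule = rule
        self.windows = defaultdict(deque)   # count key -> timestamps of matching syslogs
        self.active = []                    # alarms raised and not yet recovered

    def _count_key(self, device, params):
        r = self.rule
        scope = device if r.stat_method == "single_device" else "network"
        if r.count_type == "classifying":   # one counter per distinct value of each N/A parameter
            return scope, tuple((p, params[p]) for p in sorted(r.param_values) if r.param_values[p] is None)
        return scope, ()                    # summing: a single counter per scope

    def process(self, log):
        """Feed one syslog; return ("alarm", info), ("recovery", info) or None."""
        r = self.rule
        if r.recovery is not None:
            rp = match_template(r.recovery, log["text"])
            if rp is not None:
                return self._recover(log["device"], rp)
        if log["type"] != r.syslog_type or log["level"] != r.level:
            return None
        params = match_template(r.compiled, log["text"])
        if params is None:
            return None
        for p, want in r.param_values.items():  # N/A matches any value; a set value must be equal
            if want is not None and params.get(p) != want:
                return None
        win = self.windows[self._count_key(log["device"], params)]
        win.append(log["ts"])
        while log["ts"] - win[0] > r.repeat_interval:  # keep only the last repeat_interval seconds
            win.popleft()
        if len(win) >= r.repeat_times:
            win.clear()                     # assumption: the counter restarts after an alarm
            alarm = {"rule": r.name, "device": log["device"], "params": params, "ts": log["ts"]}
            self.active.append(alarm)
            return "alarm", alarm
        return None

    def _recover(self, device, rp):
        # Assumption: an alarm is recovered when its device and location parameters
        # equal those carried by the recovery syslog.
        keys = {k: rp.get(k) for k in self.rule.recovery_keys}
        cleared = [a for a in self.active if a["device"] == device
                   and all(a["params"].get(k) == v for k, v in keys.items())]
        for a in cleared:
            self.active.remove(a)
        return "recovery", {"device": device, "keys": keys, "cleared": len(cleared)}


TEMPLATE = ("PacketLimit: ARP packet rate($(Packet Rate)) exceeded on interface "
            "$(inputDeviceIfDesc). The port will be down!")
RECOVERY = "PacketLimit: ARP packet rate recovered on interface $(inputDeviceIfDesc)."  # assumed text


def arp_log(ts, device, rate, ifname, level=4):
    text = TEMPLATE.replace("$(Packet Rate)", rate).replace("$(inputDeviceIfDesc)", ifname)
    return {"ts": ts, "device": device, "type": "PacketLimit", "level": level, "text": text}


SAMPLE_LOGS = [  # constructed sample syslogs, not captured from a real device
    arp_log(0, "10.0.0.1", "120", "GigabitEthernet1/0/1"),
    arp_log(10, "10.0.0.1", "90", "GigabitEthernet1/0/2"),
    arp_log(20, "10.0.0.1", "120", "GigabitEthernet1/0/1"),
    arp_log(30, "10.0.0.2", "200", "GigabitEthernet1/0/1"),
    arp_log(40, "10.0.0.1", "150", "GigabitEthernet1/0/1"),
    arp_log(45, "10.0.0.1", "150", "GigabitEthernet1/0/1", level=6),  # wrong level: ignored
    {"ts": 50, "device": "10.0.0.1", "type": "PacketLimit", "level": 5,
     "text": RECOVERY.replace("$(inputDeviceIfDesc)", "GigabitEthernet1/0/1")},
    arp_log(100, "10.0.0.1", "90", "GigabitEthernet1/0/2"),  # 90 s after ts=10: window restarts
]


def classifying_rule():
    """Per device, one counter per interface (N/A value); 3 hits within 60 s raise an alarm."""
    return Rule("arp-storm", "PacketLimit", 4, TEMPLATE, {"inputDeviceIfDesc": None},
                "classifying", "single_device", 3, 60, RECOVERY, ("inputDeviceIfDesc",))


def summing_rule():
    """Network-wide, only syslogs whose Packet Rate is exactly 120; 2 hits within 60 s."""
    return Rule("arp-120", "PacketLimit", 4, TEMPLATE, {"Packet Rate": "120"},
                "summing", "network", 2, 60, RECOVERY, ("inputDeviceIfDesc",))


def run(rule, logs):
    """Replay the logs through one rule and return the alarm and recovery events."""
    engine = AlarmEngine(rule)
    return [e for e in (engine.process(entry) for entry in logs) if e is not None]
```

Calling `run(classifying_rule(), SAMPLE_LOGS)` raises one alarm for 10.0.0.1 on GigabitEthernet1/0/1 at ts=40 (the third hit on that interface within 60 s; the hit on 10.0.0.2 is counted separately because the statistic method is Single Device) and then recovers it at ts=50. With `summing_rule()` the same logs raise the alarm at ts=20 instead, because only the two syslogs carrying a Packet Rate of 120 count, and they are summed across the whole network.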
Functions