A network can generate a large number of syslog messages, many of which you might not need to see. For example, if you are troubleshooting network problems, you only require a subset of syslog messages to raise incidents to notify you of where there are problems on the network.
There are three ways you can control the display of syslog messages:
- create a Syslog Input filter in the event management system (EMS).
- create a Discard Syslogs rule in the EMS post-storage processing stage.
- create a syslog-specific View.
To create a Syslog Input filter:
Entuity's syslog receiver, syslogger, is configured through the syslogger section of entuity_home\etc\entuity.cfg. The syslogger accepts syslog messages and forwards them to the EMS, where events and incidents are raised. You can filter the syslog messages that syslogger accepts by Facility and by Severity. By default, syslogger accepts syslog messages of all Facilities and of Severity notice or more severe. Entuity Support recommends that all unnecessary syslog messages be discarded at this first filter, before they reach the EMS.
The following example section configures syslogger to only accept messages that are:
- from managed devices.
- received on port 514.
- of message type mail, with a log level of debug or higher; or
- of message type kern with a log level of crit or higher.
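As an added illustration (not code from this page or from Entuity), the following Python models the Facility/Severity input filter just described, decoding each message's PRI header per RFC 3164 and applying a per-facility minimum severity plus a managed-device check. The entuity.cfg keys are not reproduced on this page, so the policy dictionaries are an assumed representation, not Entuity's syntax.

```python
"""Model of a syslog input filter by Facility and Severity (constructed example)."""
import re

# RFC 3164 facility codes 0-23 (names for codes 12-15 abbreviated here).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
# Severity codes 0-7; a lower number is more severe.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI = re.compile(r"^<(\d{1,3})>")

# Assumed policy representation: facility -> least severe level still accepted.
# EXAMPLE_POLICY mirrors the text (mail at debug or higher, kern at crit or higher;
# other facilities dropped). DEFAULT_POLICY mirrors the stated default behaviour.
EXAMPLE_POLICY = {"mail": "debug", "kern": "crit"}
DEFAULT_POLICY = {"*": "notice"}

def decode_pri(message):
    """Return (facility, severity) names from a '<PRI>'-prefixed message."""
    m = _PRI.match(message)
    if not m or int(m.group(1)) > 191:      # 23*8 + 7 is the highest valid PRI
        raise ValueError("malformed or missing PRI header")
    pri = int(m.group(1))
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

def accept(message, source, policy, managed_devices):
    """True if the message passes the input filter and should be forwarded."""
    if source not in managed_devices:        # only messages from managed devices
        return False
    try:
        facility, severity = decode_pri(message)
    except ValueError:
        return False                         # drop malformed input rather than guess
    threshold = policy.get(facility, policy.get("*"))
    if threshold is None:
        return False                         # facility not accepted at all
    return SEVERITIES.index(severity) <= SEVERITIES.index(threshold)

# Constructed sample traffic: (source address, raw message).
MANAGED = {"10.0.0.1", "10.0.0.2"}
SAMPLE = [
    ("10.0.0.1", "<22>Jan  1 00:00:01 sw1 sendmail[101]: queue run"),  # mail.info
    ("10.0.0.1", "<2>Jan  1 00:00:02 sw1 kernel: disk failure"),        # kern.crit
    ("10.0.0.2", "<4>Jan  1 00:00:03 sw2 kernel: link flap"),           # kern.warning
    ("10.0.0.2", "<13>Jan  1 00:00:04 sw2 login: session opened"),      # user.notice
    ("10.9.9.9", "<2>Jan  1 00:00:05 rogue kernel: oops"),              # unmanaged source
]

def filter_messages(policy, samples=SAMPLE, managed=MANAGED):
    """Return the raw messages that the given policy would forward to the EMS."""
    return [msg for src, msg in samples if accept(msg, src, policy, managed)]
```

Running `filter_messages(EXAMPLE_POLICY)` keeps only the mail.info and kern.crit lines, while `filter_messages(DEFAULT_POLICY)` keeps the three notice-or-worse lines from managed devices and drops mail.info.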
To create an EMS post-storage rule:
The following example prevents the raising of syslog incidents. It tests for all syslog event types, and has one action: Discard Event.
- Navigate to the Event Administration page. Click the Rules tab.
- In the tree on the left, select the Post Storage processing stage. Click Add Rule to open the Add Rule window.
- Under the General tab, ensure that Type is set to Generic and the enabled box is ticked.
- Enter an appropriate Name and Description for the rule, e.g. "Syslogs Exclude" and "Prevents syslog events from raising syslog incidents."
- Ensure that Condition is set to All tests must succeed.
- In the Tests section, add an Event Type Test and add the 8 syslog events:
- In the Action Steps section, add the Discard Event action.
- Click OK to save your rule, and then save and deploy the updated event project.
To create a syslog-specific View and View filter:
Entuity Support recommends that, by default, you configure all event and incident filters to exclude syslog events and incidents. Entuity Support also recommends that you create syslog-specific Views that only include syslog events. These Views would only be available to users monitoring syslog messages.
To create a View that only includes syslog events:
- Create a new View.
- Create a new event filter and ensure that only the 8 syslog events are included:
Once the event filter is saved, you can use this filter for any other Views in which you only want to raise syslog events.