Overview
This article provides a step-by-step process on creating custom Syslog rule sets for non-supported devices.
Process
Should you wish to monitor a device which is not predefined within the GFI EventsManager Syslog rule sets, you will need to create your own custom rule set.
It is recommended to check the device documentation first, since it may list every Syslog message the device generates, which is all the information you need to build your custom Syslog rule set. If this is not documented, you will need to identify which Syslog events the device generates and then create your custom Syslog rule set, by following the procedures below.
Creating a default rule set to archive all Syslog messages:
The main problem when creating custom Syslog rule sets for non-supported devices is that you will not know exactly which Syslog messages the device generates. In this step, a Syslog rule is created that stores every Syslog message generated by the device in the database. With this information, you can browse the GFI EventsManager Events Browser and determine which Syslog messages you wish to capture and which you can safely ignore.
- Open the GFI EventsManager Management Console.
- Click on the Configuration button and select Event Processing Rules.
- From the Log Type dropdown menu, select Syslog.
- Click on Create folder in the Common Tasks section and enter the name of the device you wish to monitor.
- Right-click on the newly created folder and select Create new rule set. Name this new rule set Archive all and click OK.
- Right-click on the newly created rule set and click on Create new rule. Name this rule Archive all rules and click on the Next button.
- Leave all conditions as defaults to archive all Syslog messages and click OK.
- An alert will indicate that all Syslog messages will be triggered by this rule. Click Yes to proceed.
- Set Classify the event as to the classification you want. It is recommended to set this to Medium so that every message is logged to the database and no email notifications are sent during this learning phase.
Note: By default, should you set all Syslog alerts as Critical Importance events, an email alert will be sent every time a Syslog message is received (not recommended).
Note: By default, should you set all Syslog alerts as Noise Events, Syslog messages will not be stored to the database and therefore will not be viewable in the GFI EventsManager Events Browser (not recommended).
- Click on Next and Finish to create the new rule.
- Once you have created the rule above, click on the Configuration button in the GFI EventsManager Console and select Event Sources.
- Right-click on the device or group you are adding the rules for and select Properties.
- In the Syslog tab, ensure that only the newly created rule folder is checked.
Now let GFI EventsManager collect all Syslog messages from your device. Let it run long enough to cover normal operation as well as the conditions you care about (logins, failures, configuration changes), otherwise the picture you get will be incomplete. Using the Events Browser, you can then start to determine which Syslog messages you wish to capture.
Creating the Syslog rule set for your device
Once you have gathered enough information regarding what type of Syslog events are generated by the device, you can start creating specific rule sets for the device and stop capturing all Syslog messages.
- In the GFI EventsManager Management Console, click on the Configuration button and select Event Processing Rules.
- From the Log Type dropdown menu, select Syslog.
- Right-click your new folder, choose Create new rule set and give the new rule set an appropriate name.
- Right-click the rule set and select Increase Priority to move it above the Archive All rule set.
Note: If you create any more permanent rule sets, increase their priority above the Archive All rule set as well.
- As you review the collected Syslog events, create rules in this rule set that classify each kind of message, and give each rule a descriptive name. Look at how the rules in the predefined rule sets are built. Rules in this rule set are evaluated first; any Syslog message that does not match a rule in this set is still matched by the Archive All rule set below it in priority and saved to the database.
- Once you have created rules for all the Syslog messages you wish to gather from this device, you can safely delete the Archive All rule set to stop logging every Syslog message received from the device to the GFI EventsManager database. Before deleting it, check the Events Browser for messages that are still matched only by Archive All: after it is deleted, those messages will no longer be stored anywhere.
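As an added illustration of both phases described above (this is example Python written for this article, not part of GFI EventsManager), the script below does in code what the two procedures do in the console: the inventory step groups collected Syslog lines into message templates so you can see what an unknown device actually emits, and the rule list shows device-specific rules being evaluated before an "Archive all" catch-all, plus a check for which messages would be lost once that catch-all is deleted. The sample lines, host name, rule names and classifications are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample input (not from a real device): RFC 3164-style lines such as
# an unsupported device might send during the "archive all" learning phase.
SAMPLE_LINES = [
    "<134>Jan 10 12:00:01 fw01 kernel: ACCEPT IN=eth0 SRC=10.0.0.5 DST=10.0.0.1",
    "<134>Jan 10 12:00:02 fw01 kernel: ACCEPT IN=eth0 SRC=10.0.0.6 DST=10.0.0.1",
    "<132>Jan 10 12:00:03 fw01 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.0.0.1",
    "<38>Jan 10 12:00:04 fw01 sshd[411]: Failed password for admin from 198.51.100.7",
    "<38>Jan 10 12:00:05 fw01 sshd[411]: Accepted password for admin from 10.0.0.9",
    "<14>Jan 10 12:00:06 fw01 ntpd[77]: time reset +0.123 s",
]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                        # PRI = facility*8 + severity
    r"(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "      # BSD timestamp
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[]+)(?:\[(?P<pid>\d+)\])?: "    # program name, optional [pid]
    r"(?P<msg>.*)$"
)


def parse(line):
    """Split one RFC 3164 line into its fields; return None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {"facility": pri // 8, "severity": pri % 8,
            "host": m["host"], "tag": m["tag"], "msg": m["msg"]}


def template(msg):
    """Mask variable fields (IP addresses first, then other numbers) so that
    messages of the same kind collapse into one template."""
    msg = re.sub(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", "<ip>", msg)
    return re.sub(r"[+-]?\d+(?:\.\d+)?", "<n>", msg)


def inventory(lines):
    """Learning phase: count (tag, template) pairs to see what the device emits.
    Lines that do not parse are counted verbatim so they are not lost."""
    counts = Counter()
    for line in lines:
        ev = parse(line)
        key = ("unparsed", line) if ev is None else (ev["tag"], template(ev["msg"]))
        counts[key] += 1
    return counts


# Device-specific rules in priority order: (name, match predicate, classification).
# Classifications follow the article's convention: Noise is not stored, Critical alerts.
RULES = [
    ("SSH auth failure", lambda e: e["tag"] == "sshd" and e["msg"].startswith("Failed password"), "Critical"),
    ("SSH login",        lambda e: e["tag"] == "sshd" and e["msg"].startswith("Accepted"), "Medium"),
    ("Firewall drop",    lambda e: e["tag"] == "kernel" and e["msg"].startswith("DROP"), "High"),
    ("Firewall accept",  lambda e: e["tag"] == "kernel" and e["msg"].startswith("ACCEPT"), "Noise"),
]
# Catch-all rule set that sits below the specific rules in priority.
ARCHIVE_ALL = ("Archive all", lambda e: True, "Medium")


def classify(line, rules=RULES, fallback=ARCHIVE_ALL):
    """Return (rule name, classification) for the first matching rule.
    With fallback=None (the Archive All rule set deleted), unmatched or
    unparseable lines return None, i.e. they are dropped without trace."""
    ev = parse(line)
    if ev is not None:
        for name, pred, cls in rules:
            if pred(ev):
                return (name, cls)
    if fallback is None:
        return None
    return (fallback[0], fallback[2])


def unmatched(lines, rules=RULES):
    """Check to run before deleting Archive All: which templates still rely on it?"""
    return inventory(line for line in lines if classify(line, rules, fallback=None) is None)


if __name__ == "__main__":
    for (tag, tpl), n in inventory(SAMPLE_LINES).most_common():
        print(f"{n:4d}  {tag}: {tpl}")
    for line in SAMPLE_LINES:
        print(classify(line), "<-", line)
    print("still relying on Archive all:", dict(unmatched(SAMPLE_LINES)))
```

Running the script prints the template counts (the equivalent of scrolling the Events Browser during the learning phase), the rule each sample line hits, and the one template (the ntpd message) that would vanish if Archive All were removed before a rule covered it.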