Hello,
I am setting up LibreNMS to replace an existing monitoring tool and I'm trying to recreate some of the alerts from the other system. I'm a bit confused about alerting behaviours.
I have created a syslog alert to trigger when someone changes config on a Cisco switch. There is a syslog entry as follows:
%SYS-5-CONFIG_I Configured from console by user on vty0 (10.1.2.3)
However, my email transport wasn't working at that time so I didn't get any email. I have since fixed the transport but when I tried to trigger the rule this morning on the same switch, nothing happened. Is this because the original alert is still listed under Alerts > Notifications? Or is it because the alert on this device has been acknowledged on the Notification page?
That alert rule will trigger indefinitely, or at least until the entry in the database is purged. You need to include the use of macros to limit how far back the query will search for data, i.e. syslog.timestamp greater than or equal to macros.past_15m
That way we are only looking for the rule to match if that syslog entry appears within the last 15 minutes. Alerts will then auto-clear.
You also have max alerts set to 1 so you will only ever get one notification whilst the alert is active. That's fine if you only look back 15 minutes as you have the interval set to 30 minutes.
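To make the behaviour described above concrete, here is an added simulation (not code from LibreNMS or from anyone in this thread) of how the same rule behaves with and without the macros.past_15m bound, using constructed syslog rows and a max alerts setting of 1:

```python
from datetime import datetime, timedelta

# Constructed sample rows standing in for LibreNMS's syslog table
# (hypothetical data, not taken from the thread).
SAMPLE_SYSLOG = [
    {"device_id": 1, "timestamp": datetime(2024, 1, 1, 8, 0),
     "msg": "%SYS-5-CONFIG_I: Configured from console by user on vty0 (10.1.2.3)"},
    {"device_id": 1, "timestamp": datetime(2024, 1, 1, 8, 20),
     "msg": "%LINK-3-UPDOWN: Interface Gi0/1, changed state to up"},
]

# Three successive poller passes (constructed times).
POLLS = [datetime(2024, 1, 1, 8, 5), datetime(2024, 1, 1, 8, 10),
         datetime(2024, 1, 1, 8, 30)]


def rule_matches(rows, device_id, now, lookback=None):
    """Emulate the rule: syslog.msg LIKE '%SYS-5-CONFIG_I%' and, when a
    lookback is given, syslog.timestamp >= macros.past_15m (now - 15 min)."""
    cutoff = now - lookback if lookback else None
    return any(
        r["device_id"] == device_id
        and "SYS-5-CONFIG_I" in r["msg"]
        and (cutoff is None or r["timestamp"] >= cutoff)
        for r in rows
    )


def simulate_alert(rows, device_id, poll_times, lookback=None, max_alerts=1):
    """Run the rule at each poller pass; return (time, state, notified).
    max_alerts=1 means one notification per active alert, as in the thread."""
    active, sent, history = False, 0, []
    for now in poll_times:
        matched = rule_matches(rows, device_id, now, lookback)
        if matched and not active:
            active, sent = True, 0      # new alert raised
        if not matched and active:
            active = False              # rule stopped matching: alert auto-clears
            history.append((now, "recovered", True))
            continue
        notify = active and (max_alerts == 0 or sent < max_alerts)
        if notify:
            sent += 1
        history.append((now, "alert" if active else "ok", notify))
    return history


if __name__ == "__main__":
    print("no timestamp bound:", simulate_alert(SAMPLE_SYSLOG, 1, POLLS))
    print("past_15m bound:   ", simulate_alert(SAMPLE_SYSLOG, 1, POLLS, timedelta(minutes=15)))
```

Without the timestamp bound the alert stays active on every pass and never recovers, which is why nothing new arrives once the single allowed notification has been sent; with the bound it clears once the entry is older than 15 minutes.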
I will test this. I think you just answered my next question about how to get the alert to remove from the notifications page as there is nothing to recover from. I merely want a notice of the change.
So for the syslog alerts, does it only check every 5 minutes (or whatever the polling interval is)? Or is it constantly checking the logs and will trigger anytime it matches?
Triggered a change on the switch with the open alert. No new alert.
So I tried a different switch and got my alert email as expected, but the alert is still showing in the Notifications list:
How do I purge these from the database? I'm not good with SQL but I'm looking at the DB in DBeaver and not seeing anything that matches. There are a lot of alert tables.
One other thought: If I change Severity to OK instead of Warning, will it still send the email but not leave the alert open (i.e. it thinks the issue is resolved)?