Syslog Alerts

utamav · 9 August 2018 14:27

I have created 2 alerts which monitor the syslog for a regular expression and alert if the expression is seen in the past 5 minutes. I am unable to get these alerts working. What am I doing wrong?

OpenVPN Disconnect:
syslog.timestamp >= “macros.past_5m” AND syslog.msg REGEXP “SIGTERM”

OpenVPN Connect:
syslog.timestamp >= “macros.past_5m” AND syslog.msg REGEXP “Peer Connection Initiated”

Chas · 9 August 2018 14:31

See [Solved] Problem with Syslog alert rule

utamav · 9 August 2018 17:02

Thanks, that worked. It gave me an error that my rule couldn’t be imported, but it imported it anyway.

I found that using: macros.past_5m does the same thing.