Syslog from client to LibreNMS

Hi,

I’m just wondering what the benefit is to input client syslogs into LibreNMS?

I’ve just done this on a test server, and see the syslogs in the interface now, but what can I do with them now they are in there?

I can see a benefit of this would be to filter for a keyword or critical error, and generate an alert from that. Can this be done?

Michael.

Alerting and rules can be set up in LibreNMS; also, when you add devices that are sending syslog entries, they will show associated with that device in the LibreNMS web UI.

For example:

log in detected on device
%syslog.timestamp = %macros.past_5m && %syslog.msg ~ "@logged in@"

WARNING PoE Over Power on Switch
%syslog.msg ~ "@PoE usage has exceeded threshold of 80@" && %syslog.timestamp = %macros.past_5m

CAUTION Syslog Received Emergency Priority Msg
%syslog.timestamp = %macros.past_5m && %syslog.priority ~ "emerg" || %syslog.priority ~ "emergency"

Hi Kevin. Thanks.

Is there documentation on-line for example alerting and rules?

I’m playing with this now, playing with the interface seeing what I can understand about it.

Michael.

I just posted some examples, let me know if you need any help or more examples.
All the documentation is here: https://docs.librenms.org/Alerting/

Hi Kevin,

Thank you, that is a great start.

With web hosting, it’s very common that these errors show up for PHP apps:

Fatal Error: Allowed Memory Size of 134217728 Bytes Exhausted

where 134217728 could really be any number that the PHP config has limited the memory_limit variable to.

How would I generate a rule for that?

Thanks.

Michael.

Depends on how the message is shown in syslog.

Maybe something like this:
%syslog.timestamp = %macros.past_5m && %syslog.msg ~ "@Fatal Error@"
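An added example, not part of the thread and not LibreNMS code: a small Python model of the `~` match used in the rules above, run over constructed syslog messages to show how much `"@Fatal Error@"` catches compared with a narrower value for the memory-limit message. It assumes `@` is translated to `.*` and that matching is case-insensitive (as MySQL `REGEXP` is under default collations); the `NARROW` value and the sample lines are hypothetical.

```python
import re


def like_to_regex(value: str) -> re.Pattern:
    """Model a legacy rule value used with '~': each '@' is a wildcard ('.*')."""
    literal_parts = [re.escape(part) for part in value.split("@")]
    # Assumption: case-insensitive, unanchored match, like MySQL REGEXP.
    return re.compile(".*".join(literal_parts), re.IGNORECASE)


def matching(value: str, messages: list) -> list:
    """Return the messages a rule value would match, in input order."""
    rx = like_to_regex(value)
    return [m for m in messages if rx.search(m)]


# Constructed sample syslog messages (not taken from a real host).
SAMPLE = [
    "PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted "
    "(tried to allocate 20480 bytes)",
    "PHP Fatal error:  Allowed memory size of 268435456 bytes exhausted "
    "(tried to allocate 4096 bytes)",
    "PHP Fatal error:  Uncaught Error: Call to undefined function foo()",
    "sshd[812]: Accepted publickey for deploy from 192.0.2.10",
]

BROAD = "@Fatal Error@"  # value from the rule in the thread
NARROW = "@Allowed memory size of @ bytes exhausted@"  # hypothetical value


def summary() -> dict:
    """Count how many sample messages each rule value matches."""
    return {
        "broad": len(matching(BROAD, SAMPLE)),
        "narrow": len(matching(NARROW, SAMPLE)),
    }


if __name__ == "__main__":
    for name, value in (("broad", BROAD), ("narrow", NARROW)):
        print(name, value)
        for msg in matching(value, SAMPLE):
            print("   ", msg)
```

The inner `@` stands in for the byte count, so the narrower value matches whatever `memory_limit` is configured while skipping unrelated fatal errors.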

Hi Kevin. Thanks that makes sense. I have added that rule under the “Alerts → Alert Rules” section.

I have also ingested the syslogs for 3 hosts into LibreNMS.

2 of the hosts are relevant for that rule, while the third is not.

Does the above rule get applied to all 3 hosts immediately?

Or, do I need to specify something in particular to allow that rule to work with only 2 of the hosts and not the 3rd? (Maybe that rule mappings option I see there?)

Please advise. Thanks.

Michael.

By default, the rule is checked against all devices. But yes, you could do “rule mapping”.