The syslog alert is not working properly

Hello. I’m posting this using a translator, so I apologize for any sloppiness.
Recently I’ve noticed that my syslog alerts are not working properly.


alert rule:

syslog.timestamp >= "macros.past_2m" AND syslog.msg REGEXP "changed.*(down|up)"

SELECT * FROM devices,syslog WHERE (devices.device_id = ? AND devices.device_id = syslog.device_id) AND syslog.timestamp >= "macros.past_2m" AND syslog.msg REGEXP "changed.*(down|up)"


With the rule set up like this, up until last week it would only react if the time in the device’s syslog message was correct, but now every time it polls, the rule matches regardless of the syslog time and the alarm continues to go off.

However, when you go into the alarmed device, all you see are syslogs that are actually way out of date.



I see something like this in the alert history, can you help me troubleshoot this?


Added #1: last_polled => '2025-01-31 11:15:34'
last_polled_timetaken => '2.973335981369'
last_discovered_timetaken => '4.141'
last_discovered => '2025-01-31 06:47:38'
msg => 'Interface GigabitEthernet1/0/1, changed state to down'
Added #2: last_polled => '2025-01-31 11:15:34'
last_polled_timetaken => '2.973335981369'
last_discovered_timetaken => '4.141'
last_discovered => '2025-01-31 06:47:38'
msg => 'Interface GigabitEthernet1/0/2, changed state to administratively down'
Added #3: last_polled => '2025-01-31 11:15:34'
last_polled_timetaken => '2.973335981369'
last_discovered_timetaken => '4.141'
last_discovered => '2025-01-31 06:47:38'
msg => 'Interface GigabitEthernet1/0/2, changed state to down'
Added #4: last_polled => '2025-01-31 11:15:34'
last_polled_timetaken => '2.973335981369'
last_discovered_timetaken => '4.141'
last_discovered => '2025-01-31 06:47:38'
msg => 'Interface GigabitEthernet1/0/1, changed state to administratively down'
Added #5: last_polled => '2025-01-31 11:15:34'
last_polled_timetaken => '2.973335981369'
last_discovered_timetaken => '4.141'
last_discovered => '2025-01-31 06:47:38'
msg => 'Interface GigabitEthernet1/0/1, changed state to down'
Added #6: last_polled => '2025-01-31 11:15:34'
last_polled_timetaken => '2.973335981369'
last_discovered_timetaken => '4.141'
last_discovered => '2025-01-31 06:47:38'
msg => 'Interface GigabitEthernet1/0/1, changed state to administratively down'


Currently, this rule is matched to all the devices and keeps going off, so I’ve disabled it for now.

How can I fix this?

If an alert rule for syslog is not a good idea, is there any way to accomplish this besides syslog notifications?
What I want to do is get notified of events where a port on a registered switch is temporarily up or down.

If that SQL query is taken from the alert rule in the WebUI under Advanced, then it hasn’t parsed the macro; make sure you use backticks around the field:


Added #1: last_polled => '2025-01-31 19:05:43'
last_polled_timetaken => '2.3153629302979'
last_discovered_timetaken => '16.878'
last_discovered => '2025-01-31 18:49:26'
msg => 'Interface GigabitEthernet1/0/1, changed state to down'
Added #2: last_polled => '2025-01-31 19:05:43'
last_polled_timetaken => '2.3153629302979'
last_discovered_timetaken => '16.878'
last_discovered => '2025-01-31 18:49:26'
msg => 'Interface GigabitEthernet1/0/2, changed state to administratively down'
Added #3: last_polled => '2025-01-31 19:05:43'
last_polled_timetaken => '2.3153629302979'
last_discovered_timetaken => '16.878'
last_discovered => '2025-01-31 18:49:26'
msg => 'Interface GigabitEthernet1/0/2, changed state to down'
Added #4: last_polled => '2025-01-31 19:05:43'
last_polled_timetaken => '2.3153629302979'
last_discovered_timetaken => '16.878'
last_discovered => '2025-01-31 18:49:26'
msg => 'Interface GigabitEthernet1/0/1, changed state to administratively down'


Thank you for your response, laf.
Unfortunately, I did a lot of searching and testing before posting this, and the results are the same: the time rule within 2 minutes from the syslog is not matching.

The alert mail appears to be logs from any time that occurred after syslog was enabled on the switch.

If you have written your own SQL query, then you cannot use the shorthand macros available; you have to write valid SQL, which currently that isn’t.

You can do what you need in the alerts builder, look at my example.

Thank you for your response.

This is the first time I have enabled writing my own SQL and previously I was using a generic set of alerting rules.

The problem I’m having now is that the alert rule that was working fine until a few days ago suddenly doesn’t match macros_past 5m and only matches syslog_msg, which triggers the alert.

Is there any way to debug this issue?

Hi laf

It looks like you solved the problem with your custom SQL query.

However, I have an additional question. When I use the SQL query, if an alarm occurs within the time period, the alarm goes off normally, but after that, the logs don’t show up in the DB but still show up in the alert notification.

Can this be solved through the interval in the alert rule?

How do I clear the notification for a syslog alert that has sounded once?

I would like to clear the alerts that have been hanging in the NMS since I became aware of them.

Thanks as always.

It still all depends on your query, you’d need to post what that now looks like.

Sorry about that.
The SQL was written like this.

SELECT * FROM syslog WHERE (syslog.device_id = ?) AND (syslog.timestamp >= (DATE_SUB(NOW(),INTERVAL 2 MINUTE))) AND syslog.msg REGEXP "(up|down)"

I’ve checked again now and see that it’s removed from the alert notification 5 minutes after the alarm goes off.

Is this normal behavior by any chance?

Or is this something I can adjust the time to?

Thank you.
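A tightened form of the final query above, plus a clock sanity check, as an added example that is not from the thread or from LibreNMS itself. It keeps the thread's `?` device placeholder and the `syslog.device_id`, `syslog.timestamp` and `syslog.msg` columns; the anchored pattern and the lag check are assumptions about what a practitioner would want, not anything the posters wrote.

```sql
-- Added example, not from the thread. Window and placeholder follow the
-- thread's working query; the anchored pattern is tightened here.
-- `?` is the per-device id that LibreNMS substitutes when it runs the rule.
SELECT syslog.device_id, syslog.timestamp, syslog.msg
FROM syslog
WHERE syslog.device_id = ?
  -- explicit window instead of the macros.past_2m shorthand, which is not
  -- expanded inside a hand-written SQL rule
  AND syslog.timestamp >= DATE_SUB(NOW(), INTERVAL 2 MINUTE)
  -- anchor on the link-state phrase so a bare "(up|down)" cannot match
  -- unrelated words such as "updated"; remove the "administratively" branch
  -- if operator-initiated shutdowns should not alert
  AND syslog.msg REGEXP 'changed state to (administratively )?(up|down)$';

-- Sanity check (assumed query, not from the thread): the window compares
-- syslog.timestamp with the database server's clock, so a timezone mismatch
-- or an unsynced clock shifts the 2-minute window and the rule either matches
-- stale rows or never fires. For a device that is logging right now the lag
-- should be a few seconds.
SELECT NOW() AS db_now,
       MAX(syslog.timestamp) AS newest_syslog,
       TIMESTAMPDIFF(SECOND, MAX(syslog.timestamp), NOW()) AS lag_seconds
FROM syslog
WHERE syslog.device_id = ?;
```

The window must also be at least as long as the interval at which the alert rule is evaluated, otherwise a transition that lands between two evaluations is never seen.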