Text file monitoring and alerting
-
Tuesday, 26 June 2012 16:46
Hello,
I'm using SCOM 2007 R2 - I've read all the articles about setting up a rule (or monitor) to generate an alert for a monitored text file. We have our firewalls dumping data to a syslog server and it writes to a flat file. I have set up both a rule and a monitor and they both behave the same way. I get the alert when a firewall policy is added/modified/deleted, but I get the alert every time the rule or monitor runs. I only want to be notified once, without using alert suppression, since I want to be alerted on subsequent entries. But this is alerting on the same entries over and over again.
It's as though SCOM isn't remembering the last line that it read and rereads the whole file. The syslog server creates a new log file hourly. I read the following article: http://support.microsoft.com/kb/2691973 and I seem to be following all the correct procedures. The syslog only writes to one file and never writes to a previous file. I also checked the file with a hex editor and do see 0A at the end of the line. I've read Kevin Holman and Anders Bengtsson's blogs and articles and I think everything is configured correctly, but I'm missing something.
Any help is appreciated!
Thanks
All replies
-
Tuesday, 26 June 2012 17:38
You can just redirect your syslogs to a server which has a SCOM agent installed and create a rule which will collect the syslog events and/or generate alerts.
http://systemcentersolutions.wordpress.com/2010/01/28/syslog-event-collection/
- Marked as answer by DigitalHops Wednesday, 27 June 2012 20:48
-
Tuesday, 26 June 2012 17:50
As an addition, we have another network device that also writes to the syslog, and it also creates a new log file every hour. That rule works correctly and I only get alerted once. The monitors are identical. The pattern for the monitor that alerts once is: vpn.domain.org*
The pattern for the monitor that keeps alerting is: device-*-fw*
When I look at the "alert view link" in the email alerts the alert description is identical, so it truly is alerting on the same entry in the file. We're getting the alert, on average, every 4 minutes.
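The behaviour described in the question (the same entries alerting again on every run, across hourly rotated files) is what a reader gets when it does not remember how far into each file it has read. The following is an added example, not code from the thread or from SCOM: a minimal stateful tailer that keeps a per-file byte offset, consumes only complete (0A-terminated) lines, and reports each matching entry once. The glob, file names, log lines and the "policy added/modified/deleted" regex are constructed assumptions for the demo.

```python
import glob
import os
import re
import tempfile

# Pattern for the entries to alert on; assumed for this example, not from the thread.
POLICY_CHANGE = re.compile(r"policy (added|modified|deleted)", re.IGNORECASE)

class StatefulTailer:
    """Report only lines appended since the last poll, per file, so each entry alerts once."""
    def __init__(self, pattern):
        self.pattern = pattern   # glob such as "device-*-fw*" from the thread
        self.offsets = {}        # path -> byte offset already consumed

    def poll(self):
        hits = []
        for path in sorted(glob.glob(self.pattern)):  # hourly files sort by name
            start = self.offsets.get(path, 0)
            with open(path, "rb") as fh:
                fh.seek(start)
                chunk = fh.read()
            end = chunk.rfind(b"\n")   # consume complete lines only (0A terminated)
            if end == -1:
                continue               # partial line: re-read it next poll
            self.offsets[path] = start + end + 1
            for line in chunk[: end + 1].decode("utf-8", "replace").splitlines():
                if POLICY_CHANGE.search(line):
                    hits.append((os.path.basename(path), line))
        return hits

def demo():
    """Three polls over an hourly-rotated log: the same entry must not alert twice."""
    with tempfile.TemporaryDirectory() as d:
        tailer = StatefulTailer(os.path.join(d, "device-*-fw*"))
        first = os.path.join(d, "device-2012062616-fw.log")   # constructed file names
        with open(first, "wb") as fh:
            fh.write(b"Jun 26 16:01:02 fw1 policy added id=42\n"
                     b"Jun 26 16:02:10 fw1 session open\n")
        poll1 = tailer.poll()   # alerts once on the policy change
        poll2 = tailer.poll()   # nothing new, so no repeat alert
        with open(first, "ab") as fh:   # more written to the old file ...
            fh.write(b"Jun 26 16:59:59 fw1 policy deleted id=42\n")
        second = os.path.join(d, "device-2012062617-fw.log")   # ... and the hourly rotation
        with open(second, "wb") as fh:
            fh.write(b"Jun 26 17:00:05 fw1 policy modified id=7")   # no trailing 0A yet
        poll3 = tailer.poll()   # the deleted entry alerts; the partial line waits
        return len(poll1), len(poll2), len(poll3)
```

Running `demo()` returns `(1, 0, 1)`: one alert per new complete entry, none on a poll that found nothing new.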
-
Tuesday, 26 June 2012 17:55
Interesting! I'll look through that article and set up a test syslog rule. That should be feasible in our environment.
The thing that will annoy me is why isn't my current rule/monitor working as it should be? :-)
-
Wednesday, 27 June 2012 20:51
Thanks! I was able to get this working using what you recommended. I currently have the syslog server filtering the messages that I want to send to SCOM, and in SCOM I've created a rule (both a collection rule and an alert rule), to alert us on certain events.
Thanks for recommending this solution!