Microsoft KB Archive/942863

= How to collect and monitor UNIX Syslogs in System Center Operations Manager 2007 or in System Center Essentials 2007 =

Article ID: 942863

Article Last Modified on 10/9/2007

-

APPLIES TO


 * Microsoft System Center Operations Manager 2007
 * Microsoft System Center Essentials 2007

-



INTRODUCTION
This article describes how to configure Microsoft System Center Operations Manager 2007 or Microsoft System Center Essentials 2007 to collect or to respond to UNIX Syslog messages.



Overview
The following rule types are available to collect or to respond to UNIX Syslog messages:
 * You can collect Syslog messages based on certain criteria, such as a collection rule.
 * You can respond to a Syslog message by generating an alert, by running a script, or by running a command. This response is based on certain criteria, such as an alert-generating rule.

To use either of these rule types, you must consider the following:
 * You must identify one or more Operations Manager agents that will listen for Syslog messages. These agents will be the destination (targets) for the deployment of one or more collection rules or alert-generating rules.
 * The agents to which the Syslog monitoring rules are deployed listen on UDP port 514. Therefore, you must configure UNIX or Linux hosts to forward Syslog messages to the appropriate Operations Manager agent.
 * Operations Manager can only use the default Syslog listening port (UDP 514). Therefore, you must consider the location of the agents that monitor Syslog messages. This monitoring may be affected if a router that blocks UDP traffic is located between an agent and the UNIX or Linux host.

Note When you configure a collection rule or a response rule, we recommend that you create a new management pack in which to store the rule. This is a rule management best practice. We recommend that you do not store the new rules in the default management pack.

To configure a rule
To configure an alert-generating rule, follow these steps:  Start the Operations Console if this tool is not already running. Click Authoring, expand Management Pack Objects under the Authoring node, and then click Rules. In the Actions pane, click Create a rule. In the Create Rule Wizard that appears, click a management pack in the Select a destination management pack list.

Note You can also create a new management pack in which to store the rule. In the Select a type of rule to create box, expand Event Based, click Syslog (Alert), and then click Next. In the Rule name box, type the name that you want to use for the rule, and then select a rule target such as Agent.

Note Targeting abstract classes such as Groups is not supported in Operations Manager. Click Next, and then create the criteria on which the alert response will be generated under Filter one or more events.

For example, to generate an alert for the Cron daemon that generates a Critical severity condition, enter the following values: <ul> Parameter Name: Facility </li> Operator: Equals </li> Value: 9 </li></ul>

Note For more information about the Facility values, the Severity values, and the Alert strings that are available, see the &quot;Facility values, Severity values, and Alert strings&quot; section.</li> Click Next.</li> In the Alert name box, type the name that you want to use for the alert, click an alert priority in the Priority list, and then click a severity level in the Severity list. To configure alert suppression fields, click Alert Suppression, configure the handling of duplicate alerts, and then click OK.</li> In the Alert description box, you can configure the display of the Syslog message by using an Alert string. For example, to display the Syslog message, type the following Alert string in the Alert description box:

$Data/EventData/DataItem/Message$

Note For more information about the Alert strings that are available, see the &quot;Facility values, Severity values, and Alert strings&quot; section.</li> When you are finished creating the alert information, click Create to create the alert-generating rule.</li></ol>

Facility values, Severity values, and Alert strings
Table of Facility values

Table of Severity values

List of Alert strings
 * $Data/EventData/DataItem/Facility$
 * $Data/EventData/DataItem/Severity$
 * $Data/EventData/DataItem/Priority$
 * $Data/EventData/DataItem/PriorityName$
 * $Data/EventData/DataItem/TimeStamp$
 * $Data/EventData/DataItem/HostName$
 * $Data/EventData/DataItem/Message$

Keywords: kbhowto kbinfo KB942863

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.