How do I trigger an email alert from an incoming Syslog message?

Article ID: 399
Category: Configuration
Applies to: All Versions
Updated: 2019-09-10

Forwarding Syslog messages as email alerts is a three-step process assuming that Syslog messages are already successfully received in EventSentry:

  • Enable Syslog to Event Log which creates events in the application event log from the Syslog message(s)
  • Configure one or more Syslog text filters
  • Create a filter rule to forward those events to an action (e.g. email)

1. Enable Syslog to Event Log
In the management console, navigate to Network Services, Syslog Daemon and select the "Syslog to Event Log" tab. Enable the "Log to the APPLICATION Event Log" check box.

After enabling this option you can optionally also review the Severity Mapping, which maps Unix severities to Windows event types.

2. Configuring Syslog text filters
In the settings text box, select the "Exclude" option and specify at least one text filter. Any incoming Syslog message that matches one or more text filters will be logged to the application event log with event id 500 from the EventSentry Network Services event source.

3. Creating a filter rule
Once an incoming Syslog message is logged to the event log it can be dispatched to any action (e.g. email) with an event log filter. The easiest and quickest way to create a filter rule is using the built-in event viewer.

Once the Syslog message has been received and written to the event log, navigate to "Event Log Viewer -> Application" and locate the matching event with id 500 (you can use the filters in the ribbon to filter the results). Right-click the event and select "Add Include Filter" which will bring up a helper dialog that will let you select a package and a name for the new filter. If you cannot find a suitable package then hit Cancel, create & assign a new event log package and repeat the process. The package needs to be assigned to the host running the EventSentry Network Services.

Since filters created from the event viewer apply to any event with the selected event id, it is highly recommended to further restrict the scope of the newly created filter using a "Content Filter". An example of a content filter would be:

  • Failed password for * from * port *

Now just assign one or more actions to the filter and save the configuration.
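As an added illustration that is not part of this article or of EventSentry's own code, the following Python simulates the three steps over constructed Syslog lines: messages matching a text filter become event id 500 from the EventSentry Network Services source, and an include filter on that id, narrowed by the content filter above, selects what would reach the email action. The severity-to-event-type values and the "substring with * wildcards" matching semantics are assumptions, not EventSentry's documented behaviour.

```python
import re

# Constructed RFC 3164-style Syslog lines for the demonstration (not real captures).
SAMPLE_SYSLOG = [
    "<38>Sep 10 12:00:01 host1 sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "<38>Sep 10 12:00:02 host1 sshd[1234]: Accepted password for alice from 198.51.100.7 port 51235 ssh2",
    "<11>Sep 10 12:00:03 host2 kernel: Out of memory: Kill process 999 (java)",
]

# Assumed mapping of Unix severities (PRI & 7) to Windows event types; the real
# values come from the "Severity Mapping" tab in the management console.
SEVERITY_TO_EVENT_TYPE = {0: "Error", 1: "Error", 2: "Error", 3: "Error",
                          4: "Warning", 5: "Information", 6: "Information", 7: "Information"}


def wildcard_to_regex(pattern):
    """Turn a filter where '*' matches any text into a regex (assumed semantics: substring match)."""
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")), re.DOTALL)


def parse_syslog(line):
    """Split a BSD Syslog line into PRI-derived severity/facility, host and message."""
    m = re.match(r"<(\d+)>(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (.*)", line)
    if not m:
        return None
    pri = int(m.group(1))
    return {"facility": pri >> 3, "severity": pri & 7, "host": m.group(3), "message": m.group(4)}


def syslog_to_event_log(lines, text_filters):
    """Steps 1 and 2: messages matching at least one text filter are written as event id 500."""
    events = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            continue  # malformed line: nothing is logged
        if any(wildcard_to_regex(f).search(rec["message"]) for f in text_filters):
            events.append({"id": 500, "source": "EventSentry Network Services",
                           "type": SEVERITY_TO_EVENT_TYPE[rec["severity"]],
                           "host": rec["host"], "message": rec["message"]})
    return events


def filter_rule(events, content_filter):
    """Step 3: include filter on event id 500, restricted by a content filter; returns events to dispatch."""
    rx = wildcard_to_regex(content_filter)
    return [e for e in events if e["id"] == 500 and rx.search(e["message"])]


def alerts_for(lines, text_filters=("*password*",), content_filter="Failed password for * from * port *"):
    """End-to-end: which Syslog lines would trigger the email action under these filters."""
    return filter_rule(syslog_to_event_log(lines, text_filters), content_filter)
```

Without the content filter, `filter_rule` would forward every event id 500, including the successful login, which is exactly the over-broad match the article warns about.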