Versa Syslog Alerts

Question

Hi - We are trying to create events from Versa syslog alarms. The format of the syslog message is in the below URL.

Syslog Message Format Forwarded by Versa Analytics : Versa Support

The issue is the PRI is missing from the syslog header and rsyslog does not create the alert in SL1. Is there a way to use a rsyslog policy to create an alert for these messages missing the PRI?

If I use the same syslog message and add <165> to the start of the message for the PRI it works.

Thanks

tonyandres · Answer

Hello Miles,
SL1 leverages the rsyslog service to receive syslogs before they are processed into events by SL1. Doing some research, it seems the PRI value is required by rsyslog to properly classify the message it is receiving. In effect, this is not a requirement imposed by SL1, but rather a requirement of rsyslog.&nbsp;
According to the RFC5424, the PRI should be included in the header encased in &lt; and &gt;. It seems like your system is following the older RFC3164, where having PRI in the header was optional. You may need to update your appliance to include the PRI in the header in order for SL1 to properly process them, as SL1 follows the new RFC. Please let me know if you have any further questions.
Antonio Andres
Principal Technical Support Engineer | ScienceLogic

Forum Discussion

Versa Syslog Alerts

1 Reply

Recent Discussions

Powerflow DeviceSync custom run

FortiGate Sensor monitoring

Orphaned Device Class

Powerflow Application Immediate Failure

APM Monitoring for ScienceLogic