Updated: May 13, 2016
Applies To: System Center 2012 R2 Operations Manager, System Center 2012 - Operations Manager, System Center 2012 SP1 - Operations Manager
Syslog events can be used to collect messages from Unix systems and other devices in Operations Manager. Syslog rules can be run on an agent that is the receiver of messages from one or more devices. When the rule is run, the agent will listen for messages on UDP port 514. This is the only port that can be used.
Rules and monitors run on the agent computer of each instance of the target class, and they usually access data on the local computer. SNMP rules and monitors typically work with information from a computer or device different from the one running the monitors or rules. For SNMP traps, the monitor or rule needs to be running on the agent that receives the trap. The device needs to be configured to deliver traps to this agent. For SNMP probes, the monitor or rule needs to be running on any agent that is authorized to access the device with SNMP. The device may need to be configured to allow communication from this agent.
Network devices that are discovered with the Discovery Wizard are managed by a resource pool that you specify during the discovery process. A resource pool contains one or more management servers. You can use the classes for these devices as targets, and the rule or monitor will run on each computer in the resource pool. In this case, the device will need to send SNMP traps to each of the computers in the pool and allow access to each computer in the pool for SNMP probes.
The table below lists the wizards that are available for both simple and delimited text files.
Management Pack Object
Alert Generating rule
Event collection rule
When you run a Syslog event rule wizard, you will need to provide values for options in the following tables. Each table represents a single page in the wizard.
The General page includes general settings for the rule including its name, category, target, and the management pack file to store it in.
The name used for the rule. The name appears in the Rules view in the Authoring pane. When you create a view or report, you can select this name to use the data collected by it.
Optional description of the rule.
Management pack file to store the rule or monitor.
For more information on management packs, see Selecting a Management Pack File.
Rule Category (Rules only)
The category for the rule. For an event collection rule, this should be Event Collection. For an alerting rule, this should be Alert.
Parent Monitor (Monitors only)
The aggregate monitor that the monitor will be positioned under in the Health Explorer. For more information, see Aggregate Monitors.
The class to use for the target of the rule. The rule will be run on any agent that has at least one instance of this class. For more information on targets, see Understanding Classes and Objects.
Rule is enabled
Specifies whether the rule is enabled.
The Build Event Expression page allows you to filter for specific events to be collected or to generate an alert. The Syslog data properties are shown in the following table:
The facility of the event that uses one of the values from the table that follows.
Numeric value that indicates the severity of the event using one of the following values:
Numeric priority of the message.
Text description of the priority level.
Time that the message was sent.
Name of the device sending the message.
Text of the message
The event expression will almost always contain the Host Name in addition to one or more properties depending on the criteria that you require. Since a single management server may receive messages from multiple network devices, it must be able to determine which device sent a particular event. If the Host Name is not in the criteria, then a single event will most likely create a separate alert for each device.
The value for the facility property defines the part of the system that the message originated from. It will have one of the values from the following table:
Security and authorization
Syslog internal messages
Line printer subsystem
Unix-to-Unix copy program
Security and authorization
Network time subsystem
Local use 0
Local use 1
Local use 2
Local use 3
Local use 4
Local use 5
Local use 6
Local use 7
The following procedure shows how to create a Syslog event alerting rule in Operations Manager with the following details:
Runs on all network devices.
Generates an alert for any message with a severity of error or worse.
To create a Syslog event alerting rule
If you don’t have a management pack for the application that you are monitoring, create one using the process in Selecting a Management Pack File.
In the Operations console, select the Authoring workspace, and then select Rules.
Right-click Rules and select Create a new rule.
On the Rule Type page, do the following:
Expand Alert Generating Rules, expand Event Based, and then click Syslog (Alert).
Select the management pack from step 1.
On the General page, do the following:
In the Rule Name box, type Alert on syslog message.
In the Rule Category box, select Alert.
Next to Rule Target click Select.
Select View all targets.
In the list of targets, select Node and then click OK.
Leave Rule is enabled selected.
On the Build Event Expression page, do the following:
In the Parameter Name box type Severity.
In the Operator box select Less than or equal to.
In the Value box type 3.
In the Parameter Name box type HostName.
In the Operator box select Equals.
Click the ellipse button next to Value and click SNMP Agent Address.
On the Configure Alerts page, do the following:
In the Alert name box, type Syslog error message received
In the Alert description box, type $Data/EventData/DataItem/Message$.