Add possibility for alert & recover in syslog alerting

Details

    Description

      Can we separate syslog alert in such a way that when you add it, you can have the possibility to select:

      • simple notification for syslog
      • alerter for syslog

      whereas the first one is just how it works now, and the alerter possibility would have the possibility for a regex that sends a "RECOVER" message.

      You would have to have a table that keeps state for that. This is interesting for say, OSPF alerting.

          Activity

            [OBS-1924] Add possibility for alert & recover in syslog alerting

            Hey Adam,

            Circling back on that, is there a roadmap for that feature?

            sfomin Sergei Fomin added a comment

            Indeed, second regex looks more appealing for now. Does Mike or yourself have a priority for that feature? It seems like a relatively quick change, yet resulting in a substantial improvement in Syslog alerting.

            sfomin Sergei Fomin added a comment

            I think it would be trivial to send "recover" emails using a second regexp, but trying to keep track of state is probably asking for trouble, except in very simple cases, it seems far too easy for things to be unreliable/unpredictable.

            adama Adam Armstrong added a comment

            Hi Adam and Mike,

            I'm currently interested in that feature, and to me it looks like a user-defined Alert/Recovery option could work well for now.

            I.e. given the following Syslog Rules as an example (in "Name" -> "Regex" mapping syntax):
                 "Interface Down Rule" -> "/(Line protocol.+down)/"
                 "Interface Up Rule" -> "/(Line protocol.+up)/"

            Static mapping in the Web GUI will look like (in "Name" -> "Event Type" mapping syntax):
                 "Interface Down Rule" -> "Alert"
                 "Interface Up Rule" -> "Recovery"

            What do you think about that? While that's a very manual approach to solve the problem, it would already be much better than not classifying at all.

            sfomin Sergei Fomin added a comment

            Ahh, hmm. With there being multiple possible concurrent states related to a single syslog rule?

             

            adama Adam Armstrong added a comment

            I mean 2 syslog regexps in a single syslog rule.

            landy Mike Stupalov added a comment

            I already have experiments with this

            2 syslog rules (first is mandatory/alert, second is recovery), i.e. BGP neighbor:

            /neighbor (?<entity>\S+) Down/i
            /neighbor (?<entity>\S+) Up/i
            

            and associated syslog entries:

            001858: Jun 1 21:57:22.628: %BGP-5-ADJCHANGE: neighbor 80.93.51.14 Down BGP Notification sent
            032701: Jun 1 21:58:35.358: %BGP-5-ADJCHANGE: neighbor 80.93.51.14 Up
            

            in preg_match it will compare $matches['entity'] (or $matches[1]).

            landy Mike Stupalov added a comment
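
The two-regex idea from the comment above, combined with the state table asked for in the description, sketched in PHP because the comment refers to preg_match. This is an added example, not Observium code and not part of any comment; the function name, the rule array layout, the device name `rtr1` and the log lines marked constructed are assumptions.

```php
<?php
// Added example, not Observium code; names below are hypothetical.
// $state plays the role of the "table that keeps state": one row per
// rule + device + captured entity, so concurrent sessions do not collide.
function syslog_rule_event(array $rule, string $device, string $msg, array &$state): ?string
{
    foreach (['alert' => true, 'recover' => false] as $kind => $raises) {
        if (preg_match($rule[$kind], $msg, $m) !== 1) {
            continue;
        }
        // With no capture group the whole device shares a single state row.
        $key = $rule['name'] . '|' . $device . '|' . ($m['entity'] ?? $m[1] ?? '*');
        $open = isset($state[$key]);
        if ($raises && !$open) {
            $state[$key] = $msg;      // remember the message that opened the alert
            return "ALERT $key";
        }
        if (!$raises && $open) {
            unset($state[$key]);
            return "RECOVER $key";
        }
        return null;                  // repeated alert, or recovery with nothing open
    }
    return null;
}

$rule = [
    'name'    => 'BGP neighbor',
    'alert'   => '/neighbor (?<entity>\S+) Down/i',
    'recover' => '/neighbor (?<entity>\S+) Up/i',
];
$lines = [
    '001858: Jun 1 21:57:22.628: %BGP-5-ADJCHANGE: neighbor 80.93.51.14 Down BGP Notification sent', // from the thread
    '001859: Jun 1 21:57:23.101: %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Down Interface flap',          // constructed
    '001860: Jun 1 21:57:40.007: %BGP-5-ADJCHANGE: neighbor 80.93.51.14 Down BGP Notification sent', // constructed repeat
    '032701: Jun 1 21:58:35.358: %BGP-5-ADJCHANGE: neighbor 80.93.51.14 Up',                         // from the thread
    '032702: Jun 1 21:59:02.440: %BGP-5-ADJCHANGE: neighbor 198.51.100.7 Up',                        // constructed, never seen down
];
$state = [];
foreach ($lines as $line) {
    $event = syslog_rule_event($rule, 'rtr1', $line, $state);
    echo ($event ?? 'no notification'), "\n";
}
echo 'still open: ', implode(', ', array_keys($state)), "\n";
```

Keying the state on the captured entity is what tells one neighbor's Down/Up pair from another's on the same device. A recovery line that never arrives leaves its row open indefinitely, so a real state table would also need an expiry.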

            I don't think this is really possible how you think, because how do we know which OSPF session has gone up and down?

             

            adama Adam Armstrong added a comment

            People

              landy Mike Stupalov
              maartenmoerman Maarten Moerman
              Votes:
              3
              Watchers:
              6
