Email Alerts

Overview

Syslog Watcher sends email alerts based on incoming syslog messages. Syslog alerts help administrators to stay informed about events in real time.

Configuration

Click Configure Icon Configure (Main Toolbar) to open the Server Configuration, then select Email Alerts.

Email Alerts

Each alert is a combination of a syslog filter (alert filter) and a transformation template (alert text). If an incoming syslog message meets the filter conditions, it will be converted into alert text via the specified template.

Syslog Watcher Configuration - Email Alert Filter and Format

  • You can add an email alert by clicking the Add Alert link. Alerts belong to alert groups, and you need to add an alert group before you can add an alert.

  • To delete an email alert, click the cross [✖] button. You need to select the alert to make the button visible.

Before a syslog message reaches the alert filter, it must satisfy the alert group filter.

Email Alert Groups

An alert group is a collection of alerts that have a common group filter and destination.

To add an email alert group click the Add Alert Group link. The Delete link is for deleting the group.

Syslog Watcher Configuration - Email Alert Group

Group Filter

A standard filter pre-screens incoming syslog messages.

Destination: Email

  • SMTP profile — one of the email accounts to send alerts;

  • 'To' email address — email addresses to send the alert to (one or multiple comma-separated addresses);

  • Email subject — subject of an email that may contain more than one alert; leave it blank to use the first alert line as the email subject;

  • Max alerts per email — the number of alerts that can be combined into one to lower the total number of emails;

  • Pause between emails (s) — limits the total number of emails (combining multiple alerts into one email) to reduce the load on the email server.

Formatting an email subject with message fields

Set blank Email subject, set Max alerts per email to 1, and use multiline Alert text where the first line is the email subject, for example:

Email Alert Formatted with Email Subject

SMTP Profiles

To manage email accounts (SMTP profiles) click Configure Icon Configure (Main Toolbar) to open the Server Configuration; then select SMTP Profiles. The settings are the same as those regular email clients and are specific to your server/provider.

Syslog Watcher Configuration - SMTP Profile

Add a new profile using the Add SMTP Profile link, and delete them with the Delete link.

Testing Profile

Be sure to test sending emails after creating a new profile. To test it, enter the recipient’s address for the test email and click the Test Profile link.

Monitoring Alerts

The Server tab displays the main parameters of all active alert groups. It contains statistics of generated alerts for each enabled alert group.

Best Practices

Single Alert Group

One alert group is enough for most cases. Multiple alert groups are needed if you plan to send different alerts to different email addresses or turn some alerts on/off independently.

Use Group Filter

Filtering by severity level and originator is highly optimized for performance. Use these filters to narrow down the set of syslog messages as much as possible.

Email Alert Group - Worst Performance Example
Email Alert Group - Better Performance Example

Same Text Alerts

You can combine these alerts into one if you generate the exact text in multiple alerts (for example, the alert text is just the message itself).

For example, these 2 alerts:

Two email alerts with the same Alert text

are equivalent to a single combined alert:

Single email alert with combined alert filter

Use Filter Lists

For cases where data fields are used for filtering:

Alert filter that compares a field with multiple values

Using filter lists has better performance and is easier to maintain. Move all the values to a filter list file and replace the alert filter with a single simple operation:

Email alert that checks message field against the list

Troubleshooting

If you do not receive alerts, follow the steps for troubleshooting:

  1. Test the SMTP profile to ensure Syslog Watcher can send emails.

  2. Check general configuration parameters: the group is Enabled, the correct SMTP profile is selected, and the group has at least one alert.

  3. Test the alert group filter and individual alert filter expression using a viewer tab:

    1. Copy the group filter parameters:

      Copy the group filter to the clipboard

    2. Open a new viewer tab for the shortest time range that definitely has messages that satisfy the group filter:

      New viewer tab to test group filter

    3. Check an individual alert filter copy-pasting its text to the quick find field (do not forget to switch it to the "complex filter" format):

      Quick find to check individual alert filters

  4. Contact the technical support providing all the details and the support data file.