Email Alerts
Overview
Syslog Watcher sends email alerts based on incoming syslog messages. Syslog alerts help administrators stay informed about events in real time.
Configuration
Click Configure (Main Toolbar) to open the Server Configuration, then select Email Alerts.
Email Alerts
Each alert is a combination of a syslog filter (the alert filter) and a transformation template (the alert text). When an incoming syslog message satisfies the filter conditions, it is converted into alert text by the specified template.
- To add an email alert, click the Add Alert link. Alerts belong to alert groups, so you must create an alert group before you can add an alert to it.
- To delete an email alert, select it so that the cross [✖] button becomes visible, then click the button.
Do not forget about the Alert Group Filter: before a syslog message reaches an alert filter, it must first satisfy the filter of the group the alert belongs to.
Email Alert Groups
An alert group is a collection of alerts that share a common group filter and destination.
To add an email alert group, click the Add Alert Group link; the Delete link removes the selected group.
Group Filter
A standard syslog filter that pre-screens incoming messages before they reach the individual alert filters of the group.
Destination: Email
- SMTP profile: the email account (SMTP profile) used to send the alerts;
- 'To' email address: one or more comma-separated recipient addresses;
- Email subject: subject of an email, which may contain more than one alert; leave it blank to use the first line of the alert text as the subject;
- Max alerts per email: how many alerts may be combined into a single email, which lowers the total number of emails sent;
- Pause between emails (s): minimum delay between two consecutive emails; alerts generated during the pause are combined into the next email, which limits the total number of emails and reduces the load on the mail server.
Formatting an email subject with message fields
Leave the Email subject blank, set Max alerts per email to 1, and use a multi-line Alert text whose first line is the email subject, for example:
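The following is an added, self-contained model of the delivery settings described above; it is not Syslog Watcher's own code, and the message field names (host, severity, message), the `{placeholder}` template syntax, the predicate-style filters and the exact batching rule are assumptions chosen for the model. It shows the group filter being evaluated before any alert filter, the first line of a multi-line alert text becoming the subject when the Email subject is blank and Max alerts per email is 1, comma-separated 'To' addresses being split into a recipient list, and how Max alerts per email together with Pause between emails collapses a burst of alerts into fewer emails.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# A parsed syslog message is modelled as a dict. The field names and the
# {placeholder} template syntax are assumptions of this model, not the
# product's own syntax.
Message = Dict[str, object]
Filter = Callable[[Message], bool]


@dataclass
class Alert:
    name: str
    alert_filter: Filter   # evaluated only after the group filter has passed
    template: str          # alert text; may be multi-line


@dataclass
class AlertGroup:
    name: str
    group_filter: Filter
    to: str                           # one or more comma-separated addresses
    subject: str = ""                 # blank: first line of the alert text is used
    max_alerts_per_email: int = 10
    pause_between_emails_s: float = 60.0
    alerts: List[Alert] = field(default_factory=list)


@dataclass
class Email:
    recipients: List[str]
    subject: str
    body: str
    alert_count: int
    sent_at: float


def render_alerts(group: AlertGroup, msg: Message) -> List[str]:
    """Group filter first; only then are the individual alert filters evaluated."""
    if not group.group_filter(msg):
        return []
    return [a.template.format(**msg) for a in group.alerts if a.alert_filter(msg)]


def deliver(group: AlertGroup, events: List[Tuple[float, Message]]) -> List[Email]:
    """Run time-stamped messages through the group and return the emails it would send.

    Batching rule (an assumption chosen to match the settings described above):
    an email goes out as soon as at least one alert is pending and the pause since
    the previous email has elapsed; it carries up to max_alerts_per_email alerts,
    oldest first. Whatever is left at the end of the stream is drained the same way.
    """
    recipients = [addr.strip() for addr in group.to.split(",") if addr.strip()]
    emails: List[Email] = []
    pending: List[str] = []
    last_sent: Optional[float] = None

    def pause_elapsed(now: float) -> bool:
        return last_sent is None or now - last_sent >= group.pause_between_emails_s

    def send(now: float) -> None:
        nonlocal last_sent
        batch = pending[: group.max_alerts_per_email]
        del pending[: len(batch)]
        subject = group.subject or batch[0].splitlines()[0]
        emails.append(Email(recipients, subject, "\n\n".join(batch), len(batch), now))
        last_sent = now

    for now, msg in sorted(events, key=lambda e: e[0]):
        pending.extend(render_alerts(group, msg))
        if pending and pause_elapsed(now):
            send(now)
    while pending:
        assert last_sent is not None  # the very first pending alert is always sent at once
        send(last_sent + group.pause_between_emails_s)
    return emails


# Constructed sample traffic: (seconds since start, parsed message).
SAMPLE_EVENTS: List[Tuple[float, Message]] = [
    (0.0, {"host": "fw01", "severity": 2, "message": "link down on eth1"}),
    (5.0, {"host": "fw01", "severity": 6, "message": "user admin logged in"}),
    (10.0, {"host": "db02", "severity": 1, "message": "disk /var 95% full"}),
    (20.0, {"host": "db02", "severity": 3, "message": "disk /var 97% full"}),
    (90.0, {"host": "web03", "severity": 2, "message": "link down on eth0"}),
]


def build_group(subject: str, max_alerts: int, pause_s: float) -> AlertGroup:
    """One group pre-screened by severity, with two alerts whose text starts with a subject line."""
    return AlertGroup(
        name="critical",
        group_filter=lambda m: m["severity"] <= 3,   # severity 6 never reaches the alert filters
        to="soc@example.com, netops@example.com",
        subject=subject,
        max_alerts_per_email=max_alerts,
        pause_between_emails_s=pause_s,
        alerts=[
            Alert("link", lambda m: "link down" in m["message"],
                  "Link down on {host}\n{message}"),
            Alert("disk", lambda m: "disk" in m["message"] and "full" in m["message"],
                  "Disk alert on {host}\n{message}"),
        ],
    )


if __name__ == "__main__":
    # Subject taken from the alert text: blank subject, one alert per email, no pause.
    for e in deliver(build_group("", 1, 0.0), SAMPLE_EVENTS):
        print(f"t={e.sent_at:5.1f}  to={','.join(e.recipients)}  subject={e.subject!r}")
    # Batching: fixed subject, up to 10 alerts per email, 60 s between emails.
    for e in deliver(build_group("Syslog alerts", 10, 60.0), SAMPLE_EVENTS):
        print(f"t={e.sent_at:5.1f}  {e.alert_count} alert(s) in one email")
```

With the blank subject and one alert per email, the four matching messages produce four emails whose subjects are the first template lines ("Link down on fw01", "Disk alert on db02", ...). With a fixed subject, a 60 s pause and ten alerts per email, the same traffic produces only two emails: the first alert goes out immediately, and the three alerts raised between 10 s and 90 s are combined into one email sent when the pause has elapsed. The severity-6 login message never reaches the alert filters because the group filter rejects it first.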
SMTP Profiles
To manage email accounts (SMTP profiles), click Configure (Main Toolbar) to open the Server Configuration, then select SMTP Profiles. The settings are the same as those of a regular email client and are specific to your mail server or provider.
Add a new profile with the Add SMTP Profile link and delete one with the Delete link.
Testing Profile
Be sure to test sending emails after creating a new profile. To test it, enter the recipient's address for the test email and click the Test Profile link.
Monitoring Alerts
The Server tab displays the main parameters of all active alert groups, including statistics of the alerts generated by each enabled alert group.
Best Practices
Single Alert Group
One alert group is enough for most cases. Multiple alert groups are needed only if you plan to send different alerts to different email addresses or to turn some alerts on and off independently.
Use Group Filter
The group filters by severity level and by originator are performance-optimized. Use them to narrow the set of syslog messages as much as possible before the individual alert filters are evaluated.
Same Text Alerts
If several alerts generate exactly the same text (for example, when the alert text is just the message itself), you can combine them into a single alert whose filter matches any of the original conditions.
For example, these two alerts:
are equivalent to a single combined alert:
Use Filter Lists
For cases where a data field is compared against many values in a filter:
Using filter lists gives better performance and is easier to maintain. Extract all the values into a filter list and replace the alert filter with a single operation that checks the field against the list:
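The following is an added illustration of the three best practices above (group pre-filtering by severity and originator, merging same-text alerts, and replacing a chain of comparisons with a filter list); it is not Syslog Watcher's filter syntax or code. Filters are modelled as plain Python predicates over a message dict, and the field names, device names and sample messages are constructed for the example.

```python
from typing import Any, Callable, Dict, List, Tuple

# Assumed message shape (a dict with host, severity and message) and filter
# representation (plain predicates); not the product's own syntax.
Message = Dict[str, Any]
Filter = Callable[[Message], bool]

# Constructed sample messages.
SAMPLE_MESSAGES: List[Message] = [
    {"host": "core-sw1", "severity": 3, "message": "Interface Gi0/1 changed state to down"},
    {"host": "edge-fw2", "severity": 2, "message": "VPN tunnel 7 dropped"},
    {"host": "lab-pc9",  "severity": 2, "message": "Interface eth0 changed state to down"},
    {"host": "core-sw2", "severity": 6, "message": "Interface Gi0/3 changed state to up"},
]

# --- Same text alerts ---------------------------------------------------------
# Both alerts use the same template (the message itself), so they can be merged
# into one alert whose filter matches either condition.
MESSAGE_ONLY = "{message}"


def link_down(m: Message) -> bool:
    return "changed state to down" in m["message"]


def vpn_dropped(m: Message) -> bool:
    return "VPN tunnel" in m["message"] and "dropped" in m["message"]


def run_alerts(alerts: List[Tuple[Filter, str]], messages: List[Message]) -> List[str]:
    """Render every alert whose filter matches, in message order."""
    return [tmpl.format(**m) for m in messages for flt, tmpl in alerts if flt(m)]


SEPARATE_ALERTS: List[Tuple[Filter, str]] = [(link_down, MESSAGE_ONLY), (vpn_dropped, MESSAGE_ONLY)]
COMBINED_ALERT: List[Tuple[Filter, str]] = [(lambda m: link_down(m) or vpn_dropped(m), MESSAGE_ONLY)]

# --- Filter lists -------------------------------------------------------------
def chained_host_filter(m: Message) -> bool:
    """The hard-to-maintain form: one comparison per device, OR-ed together."""
    return (m["host"] == "core-sw1" or m["host"] == "core-sw2"
            or m["host"] == "edge-fw1" or m["host"] == "edge-fw2")


# The same devices kept in one maintained list (a constructed example list).
NETWORK_DEVICES = frozenset({"core-sw1", "core-sw2", "edge-fw1", "edge-fw2"})


def listed_host_filter(m: Message) -> bool:
    """Equivalent condition as a single membership test against the list."""
    return m["host"] in NETWORK_DEVICES


def filters_agree(a: Filter, b: Filter, messages: List[Message]) -> bool:
    """Check two filters against sample traffic before swapping one for the other."""
    return all(a(m) == b(m) for m in messages)


# --- Group filter on the cheap fields only ------------------------------------
def group_prefilter(m: Message) -> bool:
    """Severity and originator only; everything else is left to the alert filters."""
    return m["severity"] <= 3 and listed_host_filter(m)


def messages_reaching_alert_filters(messages: List[Message]) -> List[Message]:
    return [m for m in messages if group_prefilter(m)]


if __name__ == "__main__":
    print("separate :", run_alerts(SEPARATE_ALERTS, SAMPLE_MESSAGES))
    print("combined :", run_alerts(COMBINED_ALERT, SAMPLE_MESSAGES))
    print("list == chain:", filters_agree(chained_host_filter, listed_host_filter, SAMPLE_MESSAGES))
    print("pass group filter:", [m["host"] for m in messages_reaching_alert_filters(SAMPLE_MESSAGES)])
```

Over the sample traffic the two separate alerts and the combined alert produce the same three texts, the chained comparison and the list membership agree on every message, and the group pre-filter lets only two of the four messages through to the alert filters. One observation about this model worth keeping in mind when merging alerts: if a single message can satisfy both original filters, the separate alerts emit the text twice while the combined alert emits it once.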
Troubleshooting
If you do not receive alerts, follow these steps:
- Test the SMTP profile to make sure Syslog Watcher can send emails.
- Check the general configuration: the group is Enabled, the correct SMTP profile is selected, and the group contains at least one alert.
- Test the alert group filter and each individual alert filter expression in a viewer tab:
  - Copy the group filter parameters:
  - Open a new viewer tab for the shortest time range that definitely contains messages satisfying the group filter:
  - Check an individual alert filter by copy-pasting its text into the quick find field (do not forget to switch the field to the "complex filter" format):
- Contact technical support, providing all the details and the support data file.