When an Appliance that performs Message Collection receives a syslog message, it performs the following:
1. Matches the IP address of the sender to the IP address of a device monitored by a collector group that includes the Appliance.
  - If the IP address of the sender does not match an IP address of a device monitored by a collector group that includes the Appliance, the message is discarded and an event is generated. See Syslogs From Unknown Devices.
2. Compares the syslog to the defined syslog event policies:
  - If the syslog does not match an event policy, the syslog is logged in the Device Logs for the device that sent the syslog. See Syslogs That Do Not Match Event Policies.
  - If the syslog matches an event policy, the event is generated. The generated event is aligned with the device the syslog was matched with in step 1.
For more information on syslog events, see the
Syslogs That Do Not Match Event Policies
If an Appliance that performs Message Collection receives a syslog that:
- Is from a device that is monitored by a collector group that includes the Appliance.
- Does not generate an event.
then SL1 will log the receipt of the syslog in the Device Logs for that device. The message field of the Device Log entry will be the same as the message field of the syslog.
NOTE: Device Logs that are not associated with an Event are retrieved from Collection Units at five-minute intervals. It may take up to five minutes for syslogs that do not match event policies to appear in the Device Logs.
Syslogs From Unknown Devices
If an Appliance that performs Message Collection receives a syslog from an unknown device, a "From unknown device: <ip-address-of-unknown-device>, received the following syslog message:" event will be generated. An unknown device is defined as either:
- A device monitored by the SL1 system, but by a collector group that does not include the Appliance.
- A device not monitored by the SL1 system.
The "From unknown device: <ip-address-of-unknown-device>, received the following syslog message:" event will appear in the Event Console page associated with the System organization.
For the first syslog received from an unknown device, the message will have a Severity value of "Notice". If multiple syslogs are received from different unknown devices, additional events will be generated at the following thresholds:
- 10 and 25 Syslogs Received. Severity value of "Minor".
- 100 Syslogs Received, and every 100 syslogs up to and including 900 Syslogs Received. Severity value of "Minor".
- 1,000 Syslogs Received, and every 1,000 syslogs up to and including 9,000 Syslogs Received. Severity value of "Minor".
- 10,000 Syslogs Received, and every 10,000 syslogs received thereafter. Severity value of "Major".
Multiple messages received from the same unknown device will not increase the event count of syslog messages received or the event severity.
The counters for the number of syslogs received from unknown devices will be reset to zero if the Event Engine on an Appliance that performs Message Collection is restarted, or the Appliance is restarted.
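The processing flow described at the top of this page (match sender IP, then event policies, else Device Log) and the unknown-device counter and severity thresholds above, as an added Python model that is not SL1's own code. The device table, event policies, and the reading that the counter advances only for a first-seen unknown IP are assumptions made for the example.

```python
import re
# Constructed sample data (assumed, not from the page): devices monitored by
# this Appliance's collector group, and event policies as regular expressions.
MONITORED_DEVICES = {"10.0.0.5": "core-switch-1", "10.0.0.6": "fw-edge-1"}
EVENT_POLICIES = [
    ("Interface down", re.compile(r"LINK-3-UPDOWN.*changed state to down")),
    ("Auth failure", re.compile(r"authentication failed", re.IGNORECASE)),
]

def unknown_device_severity(count):
    """Severity of the event due when the unknown-device counter hits `count`."""
    if count == 1:
        return "Notice"
    if count in (10, 25):
        return "Minor"
    if count < 1000 and count % 100 == 0:      # 100, 200, ... 900
        return "Minor"
    if count < 10000 and count % 1000 == 0:    # 1000, 2000, ... 9000
        return "Minor"
    if count % 10000 == 0:                     # 10000, 20000, ...
        return "Major"
    return None                                # no new event at this count

class MessageCollector:
    def __init__(self):
        self.unknown_senders = set()  # distinct unknown IPs since last restart
        self.device_logs = []         # (device, message) for unmatched syslogs
        self.events = []              # (device or "System", message, severity)

    def restart(self):
        self.unknown_senders.clear()  # counter resets when the engine restarts

    def receive(self, sender_ip, message):
        device = MONITORED_DEVICES.get(sender_ip)
        if device is None:
            # Step 1 failed: discard; only a first-seen unknown IP advances the count.
            if sender_ip not in self.unknown_senders:
                self.unknown_senders.add(sender_ip)
                sev = unknown_device_severity(len(self.unknown_senders))
                if sev is not None:
                    text = (f"From unknown device: {sender_ip}, received the "
                            f"following syslog message: {message}")
                    self.events.append(("System", text, sev))
            return "discarded"
        for name, pattern in EVENT_POLICIES:       # step 2: event policies
            if pattern.search(message):
                self.events.append((device, name, "policy"))
                return "event"
        self.device_logs.append((device, message))  # no match: Device Log only
        return "logged"
```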
NOTE: The default threshold for incoming syslogs is set to 25 messages per second to prevent degraded performance.