I have a Cisco Catalyst 2960 switch sending syslog messages to PRTG. I would like to stop getting alerts on interface UPDOWN events (i.e. if a computer is rebooted, powered off, unplugged, etc.).
The default configuration of the PRTG Syslog sensor is:
| Include: severity[0-6] |
| Warn on: severity[4] |
| Alert on: severity[0-3] |
Some of these UPDOWN messages come with severity 5 and some are severity 3. This means sometimes they cause sensor failures, and other times they don't. I'm not sure why Cisco sends them with 2 different priorities. Will need to do some research there.
I would like to exclude the UPDOWN messages from causing Alerts (in the cases where the severity is 3). How can I do this while still:
- Receiving an alert for all other severity 0-3 messages
- Still logging/saving the UPDOWN messages? (retaining these messages can be highly valuable for retroactive troubleshooting).
Thanks in advance for your help with this.
- Doug
Article Comments
Stephen,
Thanks for your recommendation. Your solution of using the "AND NOT" logic worked perfectly. I am using your syntax verbatim.
Oct, 2016 - Permalink
Hello - This is my exclude filter but it does not filter the messages: (severity[6] AND message[%FMANFP-6- ]) but it does not work. I want all the syslog messages which start with %FMANFP to be excluded.
Jun, 2020 - Permalink
Would using only FMANFP work as well? The filter does a substring search and it may be sufficient to check for that?
Jun, 2020 - Permalink
How exactly does the UPDOWN message look? We could simply add it to the error filter like this:
(severity[0-3] AND NOT message[UPDOWN])Oct, 2016 - Permalink