Is it possible to change the format of the syslog messages received by the SCOM server?
Is there any way to create views based on the event data from the alert context?
Hi
You won't be able to manipulate the syslog message as it comes in if you are just authoring in the standard console. You might be able to script this as a custom data source and manipulate the data using property bags using the Authoring console, but this isn't straightforward.
You can create views from the rules that you create - leveraging custom fields in your rules and then creating the views based on the custom field is great for this. But you can also create a view based on "specific name".
I have done something similar for a syslog collection rule here:
http://systemcentersolutions.wordpress.com/category/syslog-monitoring/
Cheers
Graham
Can you tell us more on why you want to change the format and what you are trying to achieve?
Rob
Hi
If you are just looking to get the message into the description then this should work:
$Data/EventData/DataItem/Message$
You can create views on rule name if you want all alerts from a specific message in one place. Or by computer etc. More complex views can be created by leveraging the custom fields.
More info here (although this is for collection rules rather than for alerting, most of the information is still relevant):
http://support.microsoft.com/kb/942863
Cheers
Graham
Graham - The problem with the SYSLOG message is that the actual Server Name's IP (from where the alert originated) is inside the $Data/EventData/DataItem/Message$. So we really want to put that into a Custom Field or a separate context so we can use that in our view. Isn't that possible with the existing solution?
Regards
Ramesh
We have got the actual Server Name's IP tied to $Data/EventData/DataItem/HostName$, but isn't it possible to display its DNS name/FQDN instead of the IP?
Regards
Ramesh