Log-based search and alert queries for syslog monitoring

Syslog entries offer crucial information about the health and status of various components within a system or network. Administrators can utilize syslog data to monitor system activities, identify anomalies, and take proactive measures to ensure system stability and security.

In this blog, we'll share a few useful queries for monitoring syslog using Site24x7's log management features. These queries are meant to improve network visibility and simplify troubleshooting. 

Detect suspicious activities by filtering specific messages in syslog entries

Organizations can identify suspicious or unauthorized login attempts by filtering syslog entries using specific criteria related to authentication and authorization events. This involves detecting unauthorized login attempts, privilege escalation, and unauthorized access to sensitive resources. 

Site24x7 offers preconfigured alerts, such as the example query below, to notify you of login failures in syslogs via web notifications. You can tailor these notifications to your preferences by adjusting thresholds and associating log-based alerts with specific user alert groups. 

logtype="Syslog" and application="sshd" and (message CONTAINS "Failed" or message CONTAINS "Invalid user")

Here is an example of a query to find successful login activity:

logtype="Syslogs" and (message CONTAINS "accepted password for" OR message CONTAINS "accepted publickey" OR message CONTAINS "session opened")

Manage memory for optimal system performance

Messages indicating "out of memory" or "killed process" suggest that some processes running in the system have experienced memory-related problems, potentially causing application crashes and decreased performance. 

By configuring an alert for the provided query, administrators can promptly address memory-related issues, mitigating the risk of application downtime or service interruptions.

logtype="Syslogs" and message CONTAINS "out of memory" or message CONTAINS "Killed process"

Manage user access for enhanced system control and efficiency

Ensuring authorized access to resources is important for safeguarding sensitive data and preserving system integrity. 

Creating an alert to notify admins about any unauthorized changes in group memberships, user creation or deletion, and password modifications helps ensure that only authorized users access resources properly. Here's a sample query for reference:

logtype="Syslogs" and (message CONTAINS " group added to /etc/group" OR message CONTAINS "new user: name" OR message CONTAINS "pam_unix(passwd:xxxxx): password changed" OR message CONTAINS "delete user")

Monitor syslog messages for network device health and maintenance

Network devices generate syslog messages to report events, errors, warnings, and other important information. For example, they might mention overheating issues, as shown in the query below. 

Setting alerts allows admins to prevent downtime or damage by taking proactive steps like adjusting cooling systems or replacing faulty hardware.

logtype="Fastvue Syslog" and message CONTAINS "over temperature"

Collect syslogs with Site24x7's log management

Site24x7's log management enhances syslog monitoring by providing comprehensive insights and real-time alerts, empowering administrators to manage system logs efficiently and proactively address potential issues. You have the option to save your search queries, ensuring they're easily accessible for future use. Event-related errors are instantly reported through different channels, such as email, SMS, or voice call, including third-party notifications.  Furthermore, IT automation can aid in automatically resolving application issues. Site24x7 also generates a dedicated dashboard for syslog and displays a set of default widgets. Any search queries that you save will automatically be included in the default dashboard for each log type.

Improve the performance of your application and infrastructure using our single-console log management tool, and receive real-time notifications for critical log events to stay informed. Try Site24x7 for log management now!

Comments (0)