Syslog is used extensively by *Nix machines. There is a good post from Anders about using syslog, with a step-by-step guide to creating an example –

He adds some fields so that you can get info from the host into the alert description, but his post shows this as a picture. So if you want to cut and paste it, here is the text.

Alert Message: $Data/EventData/DataItem/Message$ Hostname: $Data/EventData/DataItem/Hostname$ Priority Name: $Data/EventData/DataItem/PriorityName$ Severity: $Data/EventData/DataItem/Severity$
(By the way – in this area, if you want to insert carriage returns, it is Ctrl and Enter.)

The literal text will show up in the Alert Details as is, and the parameters (surrounded by $) will be replaced with the relevant values, as shown below.

Information in Alert Description.

You will notice that the message area is empty. That is because I mistyped that bit (hence offering a cut and paste now that I have corrected it). If you open the alert and go to the Alert Context tab you will see all the information that is sent, and you can see where the fields come from. More fields can be added if you want that info to show up in the General tab under Alert Description rather than having to go to Alert Context.

Alert Context tab.

A new blog from Komal Kashiramka, Microsoft, also covers syslog with a sample MP so you can examine the XML.

Both link to the MOM 2005 KB article on syslog, which goes into detail about what to do on the *Nix side.

And for logs in general there is a big post on Application Log Monitoring by Sam Patton, a developer on the SCOM team and another new blogger.

There are plenty of event creation tools to test alerts based on events, but how do you test your syslog rules? I have found Kiwi’s free syslog generating tool is excellent. It can send random messages, or you can get it to send specific priorities etc., either one at a time or as a steady stream of syslog messages.

Kiwi Syslog Message Generator.

And if you are not sure what syslog is all about then here is an overview.

Here are the syslog severity levels from RFC 3164.

Numerical Code  Severity
0               Emergency: system is unusable
1               Alert: action must be taken immediately
2               Critical: critical conditions
3               Error: error conditions
4               Warning: warning conditions
5               Notice: normal but significant condition
6               Informational: informational messages
7               Debug: debug-level messages
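To show how the Hostname, Severity and PriorityName values used in the alert description above are derived from a raw RFC 3164 message (the PRI field is facility * 8 + severity, with the severity names from the table), here is an added Python example; it is not code from the original post, from SCOM or from any of the linked blogs. The field names mirror the alert parameters, the sample line is the example message from RFC 3164 section 5.4, and the `at_least` helper is an assumed name for a severity filter.

```python
import re

# Severity names as listed in RFC 3164 section 4.1.1 (codes 0-7).
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]

# Facility codes 0-23 from RFC 3164, using the customary short keywords.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
              "alert", "clock", "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]

# BSD format: <PRI>TIMESTAMP HOSTNAME MSG, TIMESTAMP being "Mmm dd hh:mm:ss".
_BSD_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$")

# Sample input: the example message given in RFC 3164 section 5.4.
SAMPLE = "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"


def parse_syslog(line):
    """Return fields named like the SCOM alert parameters (Hostname,
    Severity, PriorityName, Message) plus Facility and Timestamp;
    None if the line is not a BSD syslog message."""
    m = _BSD_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    # RFC 3164 section 4.3.3: no valid PRI means treat it as <13>,
    # i.e. facility user (1) and severity Notice (5).
    pri = int(m.group("pri")) if m.group("pri") is not None else 13
    if pri > 191:           # 23 * 8 + 7 is the largest legal PRI
        pri = 13
    facility, severity = divmod(pri, 8)   # PRI = facility * 8 + severity
    return {
        "Hostname": m.group("host"),
        "Timestamp": m.group("ts"),
        "Facility": FACILITIES[facility],
        "Severity": severity,
        "PriorityName": SEVERITIES[severity],
        "Message": m.group("msg"),
    }


def at_least(record, name):
    """True if the record is at least as severe as the named level; lower
    codes are more severe, so "Error" matches codes 0 through 3."""
    return record["Severity"] <= SEVERITIES.index(name)
```

Feeding the Kiwi generator's output through `parse_syslog` is a quick way to confirm which severity a given PRI value will land in before building a rule around it.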


  1. Che

    Is there a way to pull data from the syslog message and suppress by it?

  2. Thanks for this post. It was very useful in building my solution. I have extended it a bit and posted the walkthrough here:
