Explanation Of Actions

LogZilla documentation for Explanation Of Actions

Mark As

This allows users to mark incoming events as Actionable or Non-actionable. Doing so simplifies future searches, since these options are available from the 'Type' drop-down in the search bar.

[Screenshot: Query Bar]

The value of this is that everyday events that administrators don't need cluttering search results can be marked as Non-actionable, while events like 'low disk space', 'fan failure', or 'CPU over-utilization' can be marked as Actionable.

When searching, events that are not marked with either can be found by selecting the 'Unknown' type.

Send E-mail

For high-priority events, administrators may need to be notified immediately when they occur. Selecting this option allows users to enter the e-mail address of the person or team responsible.

[Screenshot: Send e-mail]

Users can also add a Subject and message content for this trigger. Variables that can be used are:

  • {{event:host}}
  • {{event:severity}}
  • {{event:facility}}
  • {{event:first_occurrence}}
  • {{event:last_occurrence}}
  • {{event:program}}
  • {{event:cisco_mnemonic}}
  • {{event:snareid}}
  • {{event:message}}
  • {{event:ut:abc}} (the meaning of this is "user tag named abc")
  • {{regexp:message:abc:n}} (see explanation below)

Match-Message can be used to match portions of the event message based on regular expressions. Define one or more patterns in the email template header using lines of the form: Match-Message-<name>: <regex>

For example, to capture an endpoint IP address and MAC address:

Match-Message-EndpointIPAddress: EndpointIPAddress="(\d+\.\d+\.\d+\.\d+)"
Match-Message-EndpointMacAddress: EndpointMacAddress="((?:\w\w:){5}\w\w)"

Then use the extracted values as {{regexp:message:<name>:n}}, where n is 0 for the whole match, or 1, 2, and so on for the content of the nth parenthesized group in the regular expression. Using the example above, {{regexp:message:EndpointIPAddress:1}} expands to the captured IP address.
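To make the Match-Message mechanism concrete, here is an added Python example (not LogZilla's own code) that parses Match-Message-<name> header lines from a constructed template and expands the {{event:...}}, {{event:ut:...}} and {{regexp:message:<name>:n}} placeholders against a constructed event. It assumes that a pattern which does not match, or a group index that does not exist, expands to an empty string; the page does not specify that behaviour.

```python
import re

# Constructed sample event, shaped like the {{event:...}} fields listed above.
SAMPLE_EVENT = {
    "host": "switch01", "severity": "3", "facility": "local7", "program": "ise",
    "message": 'Authentication failed EndpointIPAddress="10.1.2.3" '
               'EndpointMacAddress="00:11:22:aa:bb:cc"',
    "ut": {"site": "HQ"},           # user tags, addressed as {{event:ut:<tag>}}
}

# Constructed e-mail template: Match-Message-<name> lines in the header,
# a blank line, then the body with {{...}} placeholders.
SAMPLE_TEMPLATE = r"""Subject: Auth failure on {{event:host}} ({{event:ut:site}})
Match-Message-EndpointIPAddress: EndpointIPAddress="(\d+\.\d+\.\d+\.\d+)"
Match-Message-EndpointMacAddress: EndpointMacAddress="((?:\w\w:){5}\w\w)"

Client {{regexp:message:EndpointIPAddress:1}} with MAC {{regexp:message:EndpointMacAddress:1}}
failed: {{event:message}}
"""

HEADER_RE = re.compile(r"^Match-Message-(\w+):\s*(.+)$")
PLACEHOLDER_RE = re.compile(r"\{\{(event|regexp):([^}]+)\}\}")


def parse_patterns(header):
    """Return {name: compiled regex} for every Match-Message-<name> header line."""
    patterns = {}
    for line in header.splitlines():
        m = HEADER_RE.match(line)
        if m:
            patterns[m.group(1)] = re.compile(m.group(2))
    return patterns


def expand(template, event):
    """Split the template at the first blank line, then expand placeholders.
    Assumption: unmatched patterns and missing groups expand to ''."""
    header, _, body = template.partition("\n\n")
    patterns = parse_patterns(header)

    def sub(m):
        kind, args = m.group(1), m.group(2).split(":")
        if kind == "event":
            if args[0] == "ut":                       # {{event:ut:<tag>}}
                return event.get("ut", {}).get(args[1], "")
            return str(event.get(args[0], ""))        # {{event:<field>}}
        field, name, n = args[0], args[1], int(args[2])   # {{regexp:<field>:<name>:n}}
        pattern = patterns.get(name)
        match = pattern.search(str(event.get(field, ""))) if pattern else None
        if not match or n > len(match.groups()):
            return ""
        return match.group(n) or ""

    # Header lines that only define patterns are dropped from the rendered mail.
    kept = [line for line in header.splitlines() if not HEADER_RE.match(line)]
    return PLACEHOLDER_RE.sub(sub, "\n".join(kept) + "\n\n" + body)
```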

See the Settings section of the documentation for information on configuring the SMTP options used for e-mail alerts.

Add note

Adding a note attaches additional information to the event, so that when it occurs other users have the context they need and do not duplicate effort.

[Screenshot: Add note]

Issue Notification

Selecting this option produces a notification that increments the notification counter in the page header and appears on the notifications page.

[Screenshot: Issue Notification]

From the notifications page, users can Search, View, Edit, and Delete notifications. More information on this can be found in the Notifications section of the documentation.

Execute Script

This option is one of LogZilla's most powerful features. Users can write and execute their own scripts and trigger them whenever an event occurs. Just enter the name of the script to run in the box, and it will run whenever the event recurs. The Trigger Scripts section of the documentation provides more information on this feature.

[Screenshot: Execute Script]

Trigger Settings

Default Trigger settings can be changed in the Settings menu under System Settings, then Triggers.

[Screenshot: System settings]
