Inputs - Keep-alive


How keep alive messages work

Keep alive messages can be injected into the syslog input stream at a regular interval, either to trigger scripting actions or to stamp the log files at a regular interval.

The injected keep alive messages are treated as any other incoming message would be, and are processed by the rule engine. Depending on the rule set configured, the message may be written to disk, displayed or forwarded on to another syslog server.

When the keep alive message is forwarded on to another syslog server, it can act as an "I am still alive and well" message to tell the other server that everything is OK. On the remote server, a filter can be set up to detect missing keep alive messages and raise an alarm if necessary.

The injected message properties can be modified by specifying the Facility, Level, Host IP address and message text values.

The keep-alive message can be identified in a script by checking the varInputSource field value. A keep-alive message uses a value of "3".


Enable keep-alive messages:
By default this option is disabled. Check the box to enable the injection of keep-alive messages.


Frequency:
This sets how often the keep-alive messages are injected into the input stream. Every 60 seconds is the default value, but any value between 1 and 86400 seconds (1 day) can be entered.


Syslog facility:
This sets the facility of the keep-alive message. You can use a priority filter in the rule set to work with this facility only. Normally this option is set to a value of "Syslog" to indicate that it is the Syslog program generating the message.


Syslog level:
This sets the level of the keep-alive message. You can use a priority filter in the rule set to work with this facility/level combination only. Normally this option is set to a value of "Info" to indicate that it is an informational message.


From IP Address:
This sets the "From" IP address of the keep-alive message. This value can be from 1.1.1.1 to 255.255.255.255. It is recommended that a value of 127.0.0.1 be used as the default. The address specified can be filtered against by the rule set later.


Message text:
This is the message text that is used for the keep-alive message. It can be any message or text string that you like. By default the message reads "Keep-alive message".


How to use a keep alive message:


Scripting use.
Normally, the rules/filters/actions are only run when a message arrives and is processed by the rule engine. If you need to take action based on time instead, you can use the keep alive messages as a regular trigger of the rule engine.

Rules
 Rule: MyScript
  Filters
   Priority: Match Syslog.Info only
  Actions
   Action: Run script
   Action: Stop processing (Exits the rule engine here)
 Other Rules here...

The keep-alive message can be identified in a script by checking the varInputSource field value. A keep-alive message uses a value of "3".


Forwarding to another host as a beacon.
The keep alive messages can be forwarded to another host to tell it that "All is well".

Rules
 Rule: Send keep alive message
  Filters
   Priority: Match Syslog.Info only
  Actions
   Action: Forward to host (send to another host via a syslog message)
   Action: Stop processing (Exits the rule engine here)
 Other Rules here...

Because we are using the "Stop processing" action, the keep alive messages won't be seen by any other rules below this one. The priority filter matches the "Syslog.Info" priority, the action is taken (the message is forwarded), and then the rule engine discards the message and waits for the next one to arrive.
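
Detecting a missing beacon on the receiving side, as an added example (not code from the product or this help file): it scans received lines for the keep-alive (Syslog.Info, default text, default 60 second frequency) and reports silences. The stored line layout, the sender address 192.0.2.10, the GRACE threshold and the function names are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

# Sender settings taken from the page's defaults.
FACILITY_SYSLOG, LEVEL_INFO = 5, 6                  # standard syslog codes
KEEPALIVE_PRI = FACILITY_SYSLOG * 8 + LEVEL_INFO    # PRI value on the wire
KEEPALIVE_TEXT = "Keep-alive message"
FREQUENCY = timedelta(seconds=60)
GRACE = 2   # hypothetical threshold: alarm after 2 missed intervals

# Assumed storage layout: "<ISO time> <sender address> <PRI>message"
LINE_RE = re.compile(r"^(\S+) (\S+) <(\d{1,3})>(.*)$")

SAMPLE = [  # constructed sample input
    "2024-05-01T10:00:00 192.0.2.10 <46>Keep-alive message",
    "2024-05-01T10:01:00 192.0.2.10 <46>Keep-alive message",
    "2024-05-01T10:01:30 192.0.2.10 <38>Failed login for admin",
    "2024-05-01T10:02:00 192.0.2.10 <46>Keep-alive message",
    "2024-05-01T10:07:00 192.0.2.10 <46>Keep-alive message",
    "2024-05-01T10:08:00 192.0.2.99 <46>Keep-alive message",
]

def keepalive_times(lines, sender):
    """Sorted timestamps of keep-alives recorded from `sender`."""
    times = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines in another layout
        ts, src, pri, msg = m.groups()
        if src != sender or int(pri) != KEEPALIVE_PRI:
            continue                      # other hosts and other traffic do not count
        if msg.strip() != KEEPALIVE_TEXT:
            continue
        try:
            times.append(datetime.fromisoformat(ts))
        except ValueError:
            continue                      # unparseable timestamp
    return sorted(times)

def find_gaps(times, now, frequency=FREQUENCY, grace=GRACE):
    """Return (last_seen, resumed) pairs; resumed is None while still silent."""
    limit = frequency * grace
    gaps = [(a, b) for a, b in zip(times, times[1:]) if b - a > limit]
    if not times or now - times[-1] > limit:
        gaps.append((times[-1] if times else None, None))
    return gaps
```

Only the keep-alive itself resets the timer here, so ordinary traffic from the sender does not hide a stopped beacon.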