Pandora FMS: Create an Alert Based on a Regular Expression (String Match)

Documentation on setting up this type of alert was sparse, and not very clear. The below is an example of an alert based on a string match — basically, whenever the data from a certain module matches a string that we specify, it will fire an alert. This was originally created for LastLogin, but I updated that here to address Pandora’s lack of multiple criteria (e.g. On Change and RegEx match).

Overview

  1. Create a template with a regular expression criteria
  2. Then create an alert.

Steps to Follow:

  1. Go to Administration->Manage Alerts->Templates
  2. Create a new template and name it. Screenshot from 2014-11-21 09:06:24
  3. I set the priority to Informational. I’m not sure the difference, except my guess is that it may affect the color of the alert when it fires.
  4. In Step 2, you can configure it like below:Screenshot from 2014-11-21 09:11:13
    1. Default action is Mail to Ryan. If you don’t have that configured, see this article.
    2. Condition type is set to “Regular Expression” which means RegEx format. That wasn’t very clear in the documentation.
    3. Leave the Trigger When Matches unchecked, so that we can create basically an exclusion list of domains/hosts to not fire an alert.
    4. The value to set if you want multiple hosts excluded from the alert is:
      1. (hostname1|hostname2|internalip|etc…)
      2. What the above says is if in the data field from LastLogin there is a match (no need for wildcards) for hostname1 OR hostname2 OR 192.168 OR …, don’t send an alert. If it’s anything else, send an alert.
      3. Max number of alerts sets how many times it will be fired before it stops letting you know.
      4. TIP: check your agents to see what they show in the data field for Last Login. I noticed that long hostnames were truncated, so instead of typing in “ryanhallman.com,” I had to put in “ryanhallman”.
  5. Press next to go to Advanced Fields. This is where we set the message information.
  6. Leave the first few fields blank (depending on how many your Mail To action uses). If you use Field1 and Mail To is set to use Field1, your text won’t be transmitted.Here’s what I have in Field 3:
    Hello, this is an automated email coming from Pandora FMS
    
    This alert has been fired because the last user login is from an unknown address:
    
    Agent : _agent_
    Module: _module_
    Module description: _moduledescription_
    Timestamp _timestamp_
    Current value: _data_
    
    Thanks for your time.
    
    Best regards
    Pandora FMS
    
  7. Press Finish and now we need to create an alert.
  8. Go back to Administration->Manage Alerts and press Create
  9. Fill out like below:Screenshot from 2014-11-21 09:29:12
    1. Agent: Choose your agent you’d like to apply to.
    2. Module: Choose LastLogin since that’s what we created our template for.
    3. Template: Choose your template you just made.
    4. Action: should be able to leave it at default action for the template.
    5. Number of alerts to match: this can be less than what’s specified in the template, but not greater than.
  10. Press add alert and test to confirm.
  11. Everything should be done, if it’s working, you should get an email like so:Screenshot from 2014-11-21 09:34:10

Leave a Reply

Your email address will not be published.