Welcome to LQ, hope you like it here.
I wonder why you set up a remote syslog server first and only then ponder (passive) monitoring and alerting? Because usually you would want to use active SNMP monitoring (Icinga, Nagios, Zenoss or equivalent) or have your devices send SNMP traps for any state changes. If you want to process from logs in the syslog service, then you'll have to check if the log lines list the network device designation properly, if messages change / disappear with changes to log verbosity settings of the network device, and then collate a list of lines you'll turn into regexes for Swatch, SEC, Logwatch or any other log watcher.
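A sketch of the collation step described in the post above, as an added example that is not part of the original post: it checks that each line carries a usable host field and collapses messages that differ only in numbers into one candidate regex. The sample lines, host names and function names are constructed assumptions.

```python
import re

# Constructed sample lines in BSD-syslog layout (not taken from the post).
SAMPLE = [
    "Mar  3 10:15:01 sw-core-01 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "Mar  3 10:15:09 sw-edge-02 %LINK-3-UPDOWN: Interface GigabitEthernet1/24, changed state to down",
    "Mar  3 10:16:40 192.0.2.7 %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "Mar  3 10:17:02 %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down",
]

# Timestamp, then a host token that must start alphanumeric, then the message.
LINE = re.compile(
    r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<host>[A-Za-z0-9][\w.-]*) (?P<msg>.+)$"
)

def to_regex(msg):
    """Escape the literal text and replace every digit run with \\d+."""
    return r"\d+".join(re.escape(part) for part in re.split(r"\d+", msg))

def collate(lines):
    """Return ({candidate regex: {"hosts": set, "count": int}}, lines without a host)."""
    rules, no_host = {}, []
    for line in lines:
        m = LINE.match(line)
        if m is None:
            no_host.append(line)  # device designation missing or malformed
            continue
        entry = rules.setdefault(to_regex(m["msg"]), {"hosts": set(), "count": 0})
        entry["hosts"].add(m["host"])
        entry["count"] += 1
    return rules, no_host

if __name__ == "__main__":
    rules, no_host = collate(SAMPLE)
    for pattern, info in rules.items():
        print(info["count"], sorted(info["hosts"]), pattern)
    for line in no_host:
        print("NO HOST FIELD:", line)
```

The patterns it prints are candidates to review before they go into a Swatch or SEC rule file; rerun it after changing the device's log verbosity to see which messages appear or vanish.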