In the trap list of the LogFilter agent, it is possible to configure a "User Message". However, the "User Message" does not appear automatically in the alarm message.
How to configure the LogFilter agent to get the "User Message" displayed in the alarm?
The LogFilter rule needs to be modified as follows:
1. Make a backup copy of the rule LogFilter by disabling it and creating a new copy with a new rule name.
2. Click the new rule | select "View and edit" | "Rule Editor"
3. Open the "Fire" action in the "Condition & Action" tab
4. Modify the Condition code as follows:
Original:
case 2:
return "" + entry.get("LogName") + ": " + entry.get("Error_Message") + "";
case 3:
return "" + entry.get("LogName") + ": " + entry.get("Error_Message") + "";
case 4:
return "" + entry.get("LogName") + ": " + entry.get("Error_Message") + "";
Modified:
case 2:
return "" + entry.get("LogName") + ": " + entry.get("Error_Message") + ": " + entry.get("User_Message") + "";
case 3:
return "" + entry.get("LogName") + ": " + entry.get("Error_Message") + ": " + entry.get("User_Message") + "";
case 4:
return "" + entry.get("LogName") + ": " + entry.get("Error_Message") + ": " + entry.get("User_Message") + "";
Leave the rest of the code untouched.
5. Click on "Save All"
6. Now select "Severity Level Variables" and click on the variable "Text"
7. Modify the code as follows:
Original:
case 2:
return "" + entry.get("LogName") + ": " + entry.get("Error_Message") + "";
case 3:
return "" + entry.get("LogName") + ": " + entry.get("Error_Message") + "";
case 4:
return "" + entry.get("LogName") + ": " + entry.get("Error_Message") + "";
Modified:
case 2:
return "" + entry.get("LogName") + ": " + entry.get("Error_Message") + ": " + entry.get("User_Message") + "";
case 3:
return "" + entry.get("LogName") + ": " + entry.get("Error_Message") + ": " + entry.get("User_Message") + "";
case 4:
return "" + entry.get("LogName") + ": " + entry.get("Error_Message") + ": " + entry.get("User_Message") + "";
Leave the rest of the code untouched.
8. Click on the "Add" button and confirm that the variable will be overwritten
9. Finally click on "Save All" button
NOTE: If you are modifying a copied/cloned LogFilter rule, please note that you have to change the RuleID that is referenced inside this new rule. Copying it from an existing rule will also copy the RuleID of that rule. Refer to the following KB articles on how to modify the RuleID of the copied rules:
Knowledge Article 110283 - A disabled rule still triggers alarm and sends email
Knowledge Article 65573 - Copied and modified rule do not raise alarms
