Submit a ticketCall us

WebinarVisual Monitoring Tactics: Getting More Log Search Value from SolarWinds Log & Event Manager with nDepth Webcast

Do things seem to make more sense when they are visualized? Are you an IT professional or security expert with a wish for more cybersecurity tools that provide an intuitive visual experience? Join Alexis Horn and Jamie Hynds from SolarWinds as they demonstrate how the nDepth feature in LEM can help make visualizing log search results a reality.

Register now.

Home > Success Center > Network Configuration Manager (NCM) > NCM - Knowledgebase Articles > Troubleshooting NCM Real Time Change Detection

Troubleshooting NCM Real Time Change Detection

Created by Seamus.Enright, last modified by Melanie Boyd on Jun 28, 2018

Views: 3,667 Votes: 6 Revisions: 12


Network devices can be configured to send a Syslog message or a Trap message when the configuration on the device changes. If the device has been set up to send such message to NCM upon a change, then you can build a rule in NCM to download the configuration, and check it against the existing saved startup or running configuration. For RTCD (Real-Time Change Detection), running configurations are compared to running configurations and startup is compared to startup only - NCM will not compare one type of configuration with a different type for this purpose.


  • NCM any version


Setting up RTCD

Take the following steps on your NCM server to set up RTCD to test it out. You may need to use a syslog/trap message spoof in order to generate the initial syslog/trap message, to allow this to work, as devices in the Austin lab will not be able to send syslog/trap messages to VMs located in other GEO(s), due to firewalls placed on the WAN links. Full setup details are available in the Admin guide.

  1. Configure the device to send syslog or trap messages upon configuration change. To do this, check the vendor documentation. You may also want to set 'no logging' for logins from the NCM server on the device(s), particularly if NCM must open config mode in order to display the device configuration. Setting 'no logging' will ensure that changes made by the NCM server directly don't trigger RTCD.

  2. On the NCM Web Console, open Settings -> NCM Settings > Configure Real-Time Change Detection. This wizard will guide you through the RTCD setup process.

    1. Create a rule in Syslog Viewer, or in Trap Viewer to match the syslog or trap messages generated by this device upon a config change. The rule MUST execute the following program:

      "C:\Program Files\SolarWinds\Orion\SolarWinds.NCM.RTNforwarder.exe" ${IP}


Make sure you are specifying the path using local file system (LFS), such as C:\File. 
Uniform naming convention (UNC), such as \\Server\Volume\File or / <internet resource name>[\Directory name] will not work with the Real-time Change Notification.

The ${IP} macro will be filled out by the Syslog or Trap viewer at execution time, to pass the IP Address of the device that sent that syslog or trap message.

  1. You'll need to enter additional information into this wizard, including the credentials that should be used to log into the device, and the download, baseline config, and email notification settings. Please take note Syslog message are case sensitive.


Troubleshooting RTCD

RTCD is made up of a number of different components. To troubleshoot why RTCD is not working, you need to troubleshoot each of these components, to find which link in the chain is broken.Capture.JPG

Make sure that UAC is set to a low setting or disabled, when RTN Forwarder is executed UAC will prompt for it and will not launch the application.

To test the UAC, launch Command Prompt as Administrator, and navigate to the RTN Forward executable, by default it is located at C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.NCM.RTNForwarder.exe (target IP address of device):

If a prompt comes up, then disable UAC on the server and test again.


Other issues could be the Regular Expressions for any of the configuration of the Rule, this can be tested by adding the Windows Event Log:


Log Files:

Log File
Device logs Some devices can log to console to confirm they have sent a trap or syslog message upon config change
Wireshark trace Confirm the Trap/Syslog message has been received by the NCM server
Syslog / Traps View Syslogs / Traps from the web console to confirm the syslog / trap has arrived, and confirm the format of the syslog / trap message matches what is being looked for in the Alert Action
Session Trace Confirm that RTNforwarder is successfully downloading a config from the device
Real-Time Change Detection Logs Enabled from the web console (Under NCM Settings -> Advanced Settings). Logs change events, notification success or failure, and device connectivity


Last modified