Submit a ticketCall us

Putting Your Logs Where They Belong with the New SolarWinds Log Manager for Orion

The new SolarWinds® Log Manager for Orion® finally puts your log data right where it belongs, in the heart of your Orion console. Gain insight into the performance of your infrastructure by monitoring your logs in a unified console allowing you to see a wealth of information about the health and performance of your network and servers.

Reserve a Seat for Wednesday May 23rd 11am CDT | Reserve a Seat for Tuesday May 22nd 10:30am GMT | Reserve a Seat for Tuesday May 22nd 1pm SGT / 3pm AEST

Home > Success Center > Network Configuration Manager (NCM) > NCM Real Time Change Notification

NCM Real Time Change Notification

Created by Seamus.Enright, last modified by Norbert Skurzewski on Jul 31, 2017

Views: 2,536 Votes: 6 Revisions: 11


Network devices can be configured to send a Syslog message or a Trap message when the configuration on the device changes. If the device has been set up to send such message to NCM upon a change, then you can build a rule in NCM to download the configuration, and check it against the existing saved startup or running configuration. For RTCN (Real-Time Change Notification), running configurations are compared to running configurations and startup is compared to startup only - NCM will not compare one type of configuration with a different type for this purpose.


  • NCM any version


Setting up RTCN

Take the following steps on your NCM server to set up RTCN to test it out. You may need to use a syslog/trap message spoof in order to generate the initial syslog/trap message, to allow this to work, as devices in the Austin lab will not be able to send syslog/trap messages to VMs located in other GEO(s), due to firewalls placed on the WAN links. Full setup details are available in the Admin guide.

  1. Configure the device to send syslog or trap messages upon configuration change. To do this, check the vendor documentation. You may also want to set 'no logging' for logins from the NCM server on the device(s), particularly if NCM must open config mode in order to display the device configuration. Setting 'no logging' will ensure that changes made by the NCM server directly don't trigger RTCN.

  2. On the NCM Web Console, open Settings -> NCM Settings > Configure Real-Time Change Detection. This wizard will guide you through the RTCN setup process.

    1. Create a rule in Syslog Viewer, or in Trap Viewer to match the syslog or trap messages generated by this device upon a config change. The rule MUST execute the following program:

      "C:\Program Files\SolarWinds\Orion\SolarWinds.NCM.RTNforwarder.exe" ${IP}


Make sure you are specifying the path using local file system (LFS), such as C:\File. 
Uniform naming convention (UNC), such as \\Server\Volume\File or / <internet resource name>[\Directory name] will not work with the Real-time Change Notification.

The ${IP} macro will be filled out by the Syslog or Trap viewer at execution time, to pass the IP Address of the device that sent that syslog or trap message.

  1. You'll need to enter additional information into this wizard, including the credentials that should be used to log into the device, and the download, baseline config, and email notification settings. Please take note Syslog message are case sensitive.


Troubleshooting RTCN

RTCN is made up of a number of different components. To troubleshoot why RTCN is not working, you need to troubleshoot each of these components, to find which link in the chain is broken.Capture.JPG

Make sure that UAC is set to a low setting or disabled, when RTN Forwarder is executed UAC will prompt for it and will not launch the application.

To test the UAC, launch Command Prompt as Administrator, and navigate to the RTN Forward executable, by default it is located at C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.NCM.RTNForwarder.exe (target IP address of device):

If a prompt comes up, then disable UAC on the server and test again.


Other issues could be the Regular Expressions for any of the configuration of the Rule, this can be tested by adding the Windows Event Log:


Log Files:

Log File
Device logs Some devices can log to console to confirm they have sent a trap or syslog message upon config change
Wireshark trace Confirm the Trap/Syslog message has been received by the NCM server
Syslog / Traps View Syslogs / Traps from the web console to confirm the syslog / trap has arrived, and confirm the format of the syslog / trap message matches what is being looked for in the Alert Action
Session Trace Confirm that RTNforwarder is successfully downloading a config from the device
Real-Time Change Detection Logs Enabled from the web console (Under NCM Settings -> Advanced Settings). Logs change events, notification success or failure, and device connectivity


Last modified