
Tips and tricks for managing traps and syslog in Orion NPM

Created by Malik Haider, last modified by carolyn.mazenko on Mar 19, 2018


Overview

This article provides recommended settings for environments with large Syslog / Traps tables, which have a direct impact on database size. This post is part of the Quick Orion database health check guide; we strongly recommend reviewing that guide if you have not already.

 

 

Environment

  • NPM 10.0 and above 

     

Detail

Traps Filter Plan

The best way to maintain the size of Traps tables is to change the retention settings. This can be set in the Trap Viewer, in Settings. By default, traps are retained for 7 days. Reduce the time to keep the size of the database smaller.

SolarWinds suggests checking the Trap Viewer for the types of traps being received. If you receive a lot of info/debug severity messages from a device, the device itself can be set up to only send higher severity messages. Your vendor should be able to provide configuration commands for sending Traps on the device.

You should also look for traps being received by the Trap Viewer that you are not interested in keeping. You can create a new rule to discard traps by right-clicking and choosing Add Rule. It should automatically fill out all tabs of the new rule to match that trap exactly. Use wildcards ( * ) as appropriate to broaden what the rule matches. Add the actions Discard the Trap Message and Stop processing Trap rules.

Trap rules are checked in order from top to bottom. Place these discard rules at the top of the list to ensure that these messages are discarded first, and that no other rules are checked against those messages.

Syslog Filter Plan

Option 1: An easy solution is to stop Orion’s Syslog Service. This stops the Syslog Table from growing again.

Option 2: Edit your Syslog Retention Settings to keep Syslogs for x Days. Tune the Severity levels for the Syslog output on your devices to Warning or above. Launch the Syslog view on the server and go to Server Settings. On the first tab, reduce the number of days data is kept.

Option 3: Configure a device to stop sending some or all Syslog messages.

Option 4: Syslog messages come to Orion via the Syslog Service. Use Rules from the Syslog Viewer to determine whether you want to store a Syslog message in the database or discard it.

If you have a definite need for level 5 (notice) or above, you will have to look at the data retention settings in the Syslog application within Orion. Alternatively, you could use filter Rules, arranged so that the ones that filter and discard messages are at the top of the list. This ensures that they are processed first.

SolarWinds recommends making sure that all rules that are set up to discard messages (Discard Syslog Message) also contain the line Stop processing syslog rules.

The syslog and traps filters/rules work very differently from the Orion alerting engine. Each time a Syslog message or trap is received, it works through every rule, from the top, until it either gets to the end or hits a rule that specifically tells it to stop processing further rules (Stop processing Syslog Rules).

 

Discard Syslog Message

Choose Start -> Program Files -> Solarwinds -> Orion -> Syslog Viewer.

From this tool, go to File -> Syslog Server settings -> Alert/Filter Rules Tab.

Filter using various methods: by IP address, by Message Type Patterns, Syslog Message Patterns, Severity, etc.

Add the following Alert Actions to your Rules: Discard Syslog Message and Stop processing syslog rules.

 

Rearrange the Syslog rules so that the ones that filter and discard messages are at the top of the list. This ensures that they are processed first.
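
The top-to-bottom rule processing and the discard rules described above can be dry-run over sample messages before a wildcard rule goes live. The following is an added example, not SolarWinds code: it is a simplified model of the behaviour this article describes, and the rule field names, rule names, addresses and messages are all constructed for illustration. It reports discard rules that lack Stop processing, and any message of severity Warning or above that a discard rule would drop.

```python
from fnmatch import fnmatchcase

# Syslog severity numbers: lower is more severe (the page's "level 5" is notice).
SEV = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
       "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Constructed rule list, evaluated top to bottom. Field names are hypothetical.
RULES = [
    {"name": "drop-low-sev", "sevs": {"info", "debug"}, "discard": True, "stop": True},
    {"name": "drop-lab-net", "src": "10.0.9.*", "discard": True},  # wide wildcard, no stop
    {"name": "alert-config-change", "pattern": "*SYS-5-CONFIG_I*"},
]
# Constructed sample messages.
MESSAGES = [
    {"src": "10.0.1.1", "sev": "debug", "text": "ospf hello sent"},
    {"src": "10.0.9.7", "sev": "err", "text": "%LINK-3-UPDOWN: Gi0/1 changed state to down"},
    {"src": "10.0.1.1", "sev": "notice", "text": "%SYS-5-CONFIG_I: Configured from console"},
]

def matches(rule, msg):
    """Match on source IP, severity set and message text; * is the wildcard."""
    return (fnmatchcase(msg["src"], rule.get("src", "*"))
            and msg["sev"] in rule.get("sevs", SEV)
            and fnmatchcase(msg["text"], rule.get("pattern", "*")))

def process(msg, rules):
    """Check rules from the top until the list ends or a matching rule says stop."""
    checked, hit, discarded_by = 0, [], None
    for rule in rules:
        checked += 1
        if not matches(rule, msg):
            continue
        hit.append(rule["name"])
        if rule.get("discard") and discarded_by is None:
            discarded_by = rule["name"]
        if rule.get("stop"):
            break
    return {"stored": discarded_by is None, "checked": checked,
            "hit": hit, "discarded_by": discarded_by}

def audit(messages, rules):
    """Dry run: discard rules lacking stop, and discards of warning or worse."""
    no_stop = [r["name"] for r in rules if r.get("discard") and not r.get("stop")]
    swallowed = []
    for msg in messages:
        result = process(msg, rules)
        if not result["stored"] and SEV[msg["sev"]] <= SEV["warning"]:
            swallowed.append((result["discarded_by"], msg["src"], msg["sev"]))
    return {"no_stop": no_stop, "swallowed": swallowed}

if __name__ == "__main__":
    print(audit(MESSAGES, RULES))
```

In this sample, the debug message is dropped after a single rule check, while the err message from 10.0.9.7 is dropped by the wildcard rule and still walks the rest of the list because that rule has no stop.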

 

[Example rule screenshots: sys3.PNG, sys1.PNG, sys2.PNG]

 

Save low priority logs on shared storage 

You can also save low-priority logs, such as Notice, on the shared disk.

 

 

 

 

Warning: A shared file can grow in size, and the syslog / trap service may crash while adding more syslog messages to a single file. The best practice is to disable Syslogs and Traps on the device itself so they are not processed and sent.

 

 

Daily / Weekly scheduled reports for Traps / Syslogs 

You can use Report Writer to create reports for syslog / Traps and then schedule it to run daily or weekly. Click New and then select Syslog Messages. Configure the report to capture the necessary fields, as shown in this example.

 

 

 

 

You can create multiple reports, one for each severity level you are interested in. Then go into Schedule Manager and schedule your report to run each day and email you the results.

 

Syslog / Traps message retention 

 

You must not change your Default Database Retention Settings. Any change can cause the database size to increase; Traps / Syslogs can grow quickly, and that would affect database performance.

 

Storing large volumes of logs / Traps / Syslogs from many devices for auditing

 

For more demanding environments, we have a more powerful appliance, Log & Event Manager. It makes it easy to use logs for security, compliance, and troubleshooting, and to store them for a longer time period for auditing.

 

For Advanced Alerting, please see this detailed video:

Alertapalooza: Syslogs, Traps, and Advanced Alerting - SolarWinds® Lab #3 - YouTube

 

 
