
Tips and tricks for managing traps and syslog in Orion NPM

Created by Malik Haider, last modified by MindTouch on Jun 23, 2016


Overview

This article describes recommended settings for environments where large Syslog / Traps tables have a direct impact on database size. This post is part of the Quick Orion database health check guide; we strongly recommend going through that guide if you have not already.

 

 

Environment

  • NPM 10.0 and above 

     

Detail

Traps Filter Plan

The best way to maintain the size of your Traps tables is to change the retention settings for your traps. This can be set in the Trap Viewer, in Settings. By default, we keep traps for 7 days. This can be reduced to keep the size of the database smaller.

SolarWinds suggests checking the Trap Viewer for the types of traps being received. If you are receiving a lot of info/debug severity messages from a device, the device itself can be set up to only send higher severity messages. Your vendor should be able to provide configuration commands for sending Traps on the device.

You should also look for traps being received by the Trap Viewer that you are not interested in keeping. To discard those messages, create a new Rule based on these Traps by right-clicking and choosing Add Rule. It should automatically fill out all tabs of the new rule to match that trap exactly. Use wildcards ( * ) as appropriate to expand what the rule will match. Add the actions Discard the Trap Message and Stop processing Trap rules.

Trap rules are checked in order from top to bottom. Place these discard rules at the top of the list to ensure that these messages are discarded first, and that no other rules are checked against those messages.

Syslog Filter Plan

Option 1: An easy solution is to stop Orion’s Syslog Service. This stops the Syslog Table from growing again.

Option 2: Edit your Syslog Retention Settings to keep Syslogs for x Days. I suggest you tune the Severity levels for the Syslog output on your devices to Warning or above. Launch the Syslog view on the server and go to Server Settings. The first tab has an option to keep data for a set number of days. Reduce this.

Option 3: Configure your devices to stop sending some or all Syslog messages.

Option 4: When a Syslog message arrives at the Orion Syslog Service, use Rules from the Syslog Viewer to determine whether to store the message in the database or to discard it.

If you have a definite need for level 5 (notice) or above, you will have to look at the data retention settings in the Syslog application within Orion. Alternatively, you could arrange your filter Rules so that the ones that filter and discard messages are at the top of the list. This ensures that they are processed first.

SolarWinds recommends making sure that all rules that are set up to discard messages (Discard Syslog Message) also contain the line Stop processing syslog rules.

The syslog and traps filter/rules work very differently to the Orion alerting engine. Each time a Syslog message or trap is received it will work through every rule, from the top, until it either gets to the end or hits a rule that specifically tells it to stop processing further rules (Stop processing Syslog Rules).

 

Discard Syslog Message

Choose Start -> Program Files -> Solarwinds -> Orion -> Syslog Viewer.

From this tool, go to File -> Syslog Server settings -> Alert/Filter Rules Tab.

In here you can filter using various methods: by IP address, by Message Type Patterns, Syslog Message Patterns, Severity, etc.

And then add the following Alert Actions to your Rules: Discard Syslog Message and Stop processing syslog rules.

 

Rearrange the Syslog rules so that the ones that filter and discard messages are at the top of the list. This ensures that they are processed first.
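The top-to-bottom rule evaluation described above, and the effect of placing a discard rule with Stop processing syslog rules first, can be modelled as follows. This is an added example, not SolarWinds code: the rule names, action names, addresses and messages are constructed for illustration, and the model covers only the ordering and stop behaviour the article describes.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

ALL_SEVERITIES = frozenset(range(8))  # syslog severities 0 (emergency) .. 7 (debug)

@dataclass(frozen=True)
class Rule:
    name: str
    source: str = "*"                      # wildcard pattern on the sender IP
    message: str = "*"                     # wildcard pattern on the message text
    severities: frozenset = ALL_SEVERITIES
    actions: tuple = ()                    # model action names, not Orion identifiers

    def matches(self, msg):
        return (msg["severity"] in self.severities
                and fnmatchcase(msg["source"], self.source)
                and fnmatchcase(msg["text"], self.message))

def process(rules, msg):
    """Walk the rules top to bottom; return (stored, actions_fired, rules_checked)."""
    stored, fired, checked = True, [], 0
    for rule in rules:
        checked += 1
        if not rule.matches(msg):
            continue
        for action in rule.actions:
            if action == "discard":
                stored = False                  # message is not written to the database
            elif action == "stop":
                return stored, fired, checked   # no later rule sees this message
            else:
                fired.append(f"{rule.name}:{action}")
    return stored, fired, checked

# Constructed rules and messages for illustration.
LOW = frozenset({6, 7})                    # informational and debug
DISCARD = Rule("discard-noise", source="10.1.*", severities=LOW, actions=("discard", "stop"))
DISCARD_NO_STOP = Rule("discard-noise", source="10.1.*", severities=LOW, actions=("discard",))
EMAIL = Rule("email-link", message="*LINK*", actions=("email",))
FORWARD = Rule("forward-core", source="10.1.0.*", actions=("forward",))

NOISE = {"source": "10.1.0.7", "severity": 7, "text": "LINK debug: poll ok"}
ALARM = {"source": "10.1.0.7", "severity": 4, "text": "LINK down on Gi0/1"}

if __name__ == "__main__":
    for label, rules in [("discard first", [DISCARD, EMAIL, FORWARD]),
                         ("discard last", [EMAIL, FORWARD, DISCARD]),
                         ("discard, no stop", [DISCARD_NO_STOP, EMAIL, FORWARD])]:
        print(f"{label:17} noise={process(rules, NOISE)} alarm={process(rules, ALARM)}")
```

With the discard rule first, the debug message costs one rule check and triggers nothing, while the warning-severity message still reaches every later rule. With the discard rule last, or first but without the stop action, the debug message is still evaluated against all three rules and the later actions fire on a message that is then thrown away.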

 


 

Save low priority logs on shared storage 

You can also save low priority logs, such as Notice, on the shared disk.

 

 

 

 

Warning: The shared file can grow to a very large size, and there are limits beyond which the syslog / trap service may crash while appending more syslog messages to a single file.

Unfortunately, at this time Orion has no way to create a new file automatically after a certain size or time, so you may have to write a script that creates a new file after a certain size.

The best practice, however, is to disable such Syslogs and Traps on the device itself, so that they are neither processed nor sent.
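One way to write the size-based rotation script mentioned above, as an added example that is not part of Orion or of the original article. The log path, size limit and archive count are hypothetical, and the script assumes the service appends to the file by name, so that renaming it makes later messages land in a fresh file.

```python
import os
import time
from pathlib import Path

def rotate_if_large(log_path, max_bytes, keep=7, now=None):
    """Rename log_path to a timestamped archive once it reaches max_bytes.

    Returns the archive Path, or None when nothing was rotated.
    """
    log = Path(log_path)
    try:
        if log.stat().st_size < max_bytes:
            return None
    except FileNotFoundError:
        return None                        # nothing has been written yet
    # UTC stamps sort lexically in time order and are unaffected by DST changes.
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(now))
    archive = log.with_name(f"{log.stem}.{stamp}{log.suffix}")
    if archive.exists():
        return None                        # same-second rerun; rotate on the next pass
    try:
        os.rename(log, archive)            # same directory, so no data is copied
    except PermissionError:
        return None                        # writer holds the file open; retry later
    log.touch()                            # harmless if the writer recreates the file itself
    # Prune the oldest archives so the share itself does not fill up.
    archives = sorted(log.parent.glob(f"{log.stem}.*{log.suffix}"))
    for old in archives[:max(len(archives) - keep, 0)]:
        old.unlink()
    return archive

if __name__ == "__main__":
    # Hypothetical path and limit; schedule this to run every few minutes.
    print(rotate_if_large(r"D:\SyslogArchive\notice.log", 50 * 1024 * 1024))
```

If the rename fails because the file is locked, the script leaves everything in place and the next scheduled run tries again, so no messages are lost to a half-finished rotation.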

 

 

Daily / Weekly scheduled reports for Traps / Syslogs 

You can create reports for your Syslogs / Traps and then schedule them to run daily or weekly.

 

This is pretty easy to do with Report Writer. Click New and then select Syslog Messages.

Then, under Select Fields, add the following fields, or whichever fields you require to be listed in your report.

 

 

 

 

Then set the Time Frame to the last 24 hours.

You can create multiple reports, for example 3 reports, one for each of the severities you're interested in.

Then go into Schedule Manager and schedule your report to run each day and email you the results.

 

Syslog / Traps message retention 

 

You must not change your default database retention settings. Any change can increase the database size: Traps / Syslogs can grow quickly, and that would affect database performance.

 

Storing large volumes of logs / Traps / Syslogs from many devices for auditing

 

For more demanding environments, we have a more powerful appliance, Log & Event Manager. It makes it easy to use logs for security, compliance, and troubleshooting, and to store them for a longer time period for auditing.

 

For Advanced Alerting please see this detailed video:

Alertapalooza: Syslogs, Traps, and Advanced Alerting - SolarWinds® Lab #3 - YouTube

 

 

Last modified
23:45, 22 Jun 2016
