This article provides recommended settings for environments where large Syslog / Traps tables have a direct impact on database size. This post is part of the Quick Orion database health check guide; we strongly recommend going through the guide if you have not already.
NPM 10.0 and above
The best way to maintain the size of your Traps tables is to change the retention settings for your traps. This can be set in the Trap Viewer, in Settings. By default, we keep traps for 7 days. This can be reduced to keep the size of the database smaller.
SolarWinds suggests checking the Trap Viewer for the types of traps being received. If you are receiving a lot of info/debug severity messages from a device, the device itself can be set up to only send higher severity messages. Your vendor should be able to provide configuration commands for sending Traps on the device.
You should also look for traps being received by the Trap Viewer that you are not interested in keeping. You can create a new Rule to discard those messages by right-clicking one of these Traps and choosing Add Rule. This should automatically fill out all tabs of the new rule to match that trap exactly. Use wildcards ( * ) as appropriate to broaden what the rule matches. Add the actions Discard the Trap Message and Stop processing Trap rules.
Trap rules are checked in order from top to bottom. Place these discard rules at the top of the list to ensure that these messages are discarded first, and that no other rules are checked against those messages.
Option 1: An easy solution is to stop Orion’s Syslog Service. This stops the Syslog Table from growing again.
Option 2: Edit your Syslog Retention Settings to keep Syslogs for x days. I suggest you tune the Severity levels for the Syslog output on your devices to Warning or above. Launch the Syslog view on the server and go to Server Settings. The first tab has an option to keep data for a set number of days. Reduce this.
Option 3: Configure your devices to stop sending some or all Syslog messages.
Option 4: When a Syslog message arrives at the Orion Syslog Service, use Rules from the Syslog Viewer to determine whether to store the message in the database or discard it.
If you have a definite need for level 5 (notice) or above, you will have to look at the data retention settings in the Syslog application within Orion. Alternatively, you could use filter Rules, arranged so that the ones that filter and discard messages are at the top of the list. This ensures that they are processed first.
SolarWinds recommends making sure that all rules that are set up to discard messages (Discard Syslog Message) also contain the line Stop processing syslog rules.
The Syslog and Traps filter rules work very differently from the Orion alerting engine. Each time a Syslog message or trap is received, it is run through every rule, from the top, until it either gets to the end or hits a rule that specifically says to stop processing further rules (Stop processing Syslog Rules).
Discard Syslog Message
Choose Start -> Program Files -> Solarwinds -> Orion -> Syslog Viewer.
From this tool, go to File -> Syslog Server settings -> Alert/Filter Rules Tab.
In here you can filter using various methods: by IP address, by Message Type Patterns, Syslog Message Patterns, Severity, etc.
And then add the following Alert Actions to your Rules: Discard Syslog Message and Stop processing syslog rules.
Rearrange the Syslog rules so that the ones that filter and discard messages are at the top of the list. This ensures that they are processed first.
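The processing order described above, as an added example (not SolarWinds code): a simplified PowerShell model of top-to-bottom rule evaluation that reports, for each sample message, how many rules were checked, whether it would be stored, and which other actions fired. The rule names, patterns, addresses and messages are constructed, and the model assumes a message is stored unless a matching rule discards it.

```powershell
# Added example: simplified model of rule processing, not Orion's own code.
# Rules, addresses and messages below are constructed for illustration.
$rules = @(
    [pscustomobject]@{ Name = 'Drop lab debug';  Source = '10.0.5.*'; Pattern = '*DEBUG*';         Actions = @('Discard', 'Stop') }
    [pscustomobject]@{ Name = 'Drop link flaps'; Source = '*';        Pattern = '*LINK-3-UPDOWN*'; Actions = @('Discard') }  # no Stop
    [pscustomobject]@{ Name = 'Mail on iface';   Source = '*';        Pattern = '*Interface*';     Actions = @('Email') }
)
$messages = @(
    [pscustomobject]@{ Source = '10.0.5.12'; Text = '%SYS-7-DEBUG: poll cycle complete' }
    [pscustomobject]@{ Source = '10.0.1.1';  Text = '%LINK-3-UPDOWN: Interface Gi0/1, changed state to down' }
    [pscustomobject]@{ Source = '10.0.1.1';  Text = '%SEC_LOGIN-4-LOGIN_FAILED: Login failed' }
)

function Invoke-RuleDryRun {
    param([object[]]$Rules, [object[]]$Messages)
    foreach ($m in $Messages) {
        $checked = 0
        $fired   = @()
        foreach ($r in $Rules) {          # top to bottom, in list order
            $checked++
            # -like supports the * wildcard used in the rule patterns
            if ($m.Source -like $r.Source -and $m.Text -like $r.Pattern) {
                $fired += @($r.Actions | Where-Object { $_ -ne 'Stop' })
                if ($r.Actions -contains 'Stop') { break }   # no later rule is checked
            }
        }
        [pscustomobject]@{
            Message      = $m.Text.Substring(0, [Math]::Min(28, $m.Text.Length))
            RulesChecked = $checked
            Stored       = $fired -notcontains 'Discard'     # assumption: stored unless discarded
            OtherActions = @($fired | Where-Object { $_ -ne 'Discard' }) -join ','
        }
    }
}

Invoke-RuleDryRun -Rules $rules -Messages $messages | Format-Table -AutoSize
```

In this sample the link-flap message is discarded yet still reaches the Email rule because its discard rule has no Stop action, while the login-failure message passes through all three rules and is stored. Running a proposed wildcard pattern against representative messages this way shows what it would drop before the rule goes live.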
You can also save low-priority logs, such as Notice, to a shared disk.
Warning: The shared file can grow very large, and the Syslog / Trap service may crash while adding more messages to a single file.
Unfortunately, at this time Orion has no way to create a new file automatically after a certain size or time, so you may have to write a script that creates a new file after a certain size.
That said, the best practice is to disable such Syslogs and Traps on the device itself, so that it does not process and send them.
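A size-based rotation script of the kind described above, as an added example (not part of Orion): it renames the file once it reaches a threshold, recreates an empty file at the original path, and records a SHA-256 hash of the rotated copy. The path, size limit and manifest name are assumptions, as is the expectation that the service reopens the path on its next write; it is meant to be run from Task Scheduler.

```powershell
# Added example: size-based rotation for a file written by a log-to-file action.
# Path, limit and manifest name are assumptions; adjust for your server.
param(
    [string]$LogPath    = 'D:\SyslogArchive\notice.log',   # hypothetical path
    [long]  $MaxBytes   = 500MB,                           # rotate at or above this size
    [int]   $MaxRetries = 5                                # attempts if the file is locked
)

if (-not (Test-Path -LiteralPath $LogPath)) { return }
$file = Get-Item -LiteralPath $LogPath
if ($file.Length -lt $MaxBytes) { return }

# Timestamped name keeps rotated copies sortable and avoids collisions.
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$newName = '{0}_{1}{2}' -f $file.BaseName, $stamp, $file.Extension
$newPath = Join-Path $file.DirectoryName $newName
$rotated = $false

for ($i = 1; $i -le $MaxRetries -and -not $rotated; $i++) {
    try {
        # The rename fails while a writer holds the file open without
        # delete sharing, so retry a few times before giving up.
        Rename-Item -LiteralPath $file.FullName -NewName $newName -ErrorAction Stop
        $rotated = $true
    }
    catch {
        Write-Warning "Attempt ${i}: $($_.Exception.Message)"
        Start-Sleep -Seconds 2
    }
}
if (-not $rotated) { Write-Error "Could not rotate $LogPath"; exit 1 }

# Recreate the live file so the writer finds the expected path.
if (-not (Test-Path -LiteralPath $LogPath)) {
    New-Item -ItemType File -Path $LogPath | Out-Null
}

# Record a hash of the rotated copy so later modification is detectable.
$hash = Get-FileHash -LiteralPath $newPath -Algorithm SHA256
Add-Content -LiteralPath (Join-Path $file.DirectoryName 'rotation-manifest.txt') `
    -Value ('{0}  {1}  {2}' -f $stamp, $hash.Hash, $newName)
```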
You can create reports for your Syslog / Traps and then schedule them to run daily or weekly.
This is pretty easy to do with Report Writer. I just clicked on New and then selected Syslog Messages.
Then, under Select Fields, put in the following fields, or whichever fields you need listed in your report.
And then I just set the Time Frame for the last 24 hours.
You can create multiple reports, for example three reports, one for each of the severities you're interested in.
Then go into Schedule Manager and schedule your report to run each day and email you the results.
We also have a more powerful appliance, Log & Event Manager, for more demanding environments. It makes it easy to use logs for security, compliance, and troubleshooting, and stores them for a longer time period for auditing.