Submit a ticketCall us

WebinarVisual Monitoring Tactics: Getting More Log Search Value from SolarWinds Log & Event Manager with nDepth Webcast

Do things seem to make more sense when they are visualized? Are you an IT professional or security expert with a wish for more cybersecurity tools that provide an intuitive visual experience? Join Alexis Horn and Jamie Hynds from SolarWinds as they demonstrate how the nDepth feature in LEM can help make visualizing log search results a reality.

Register now.

Home > Success Center > Orion Platform > Orion - Knowledgebase Articles > Tips and tricks for managing traps and syslog in Orion NPM

Tips and tricks for managing traps and syslog in Orion NPM

Created by Malik Haider, last modified by Craig Healy on Jan 22, 2019

Views: 19,528 Votes: 22 Revisions: 22

Updated January 22, 2019


This article provides information about recommended settings in environments with large Syslog / Traps tables that have a direct impact on database size. This post is part of Quick Orion database health check guide; we strongly recommend reviewing that guide if you have not already . 




  • NPM 10.0 and above 



Traps Filter Plan

The best way to maintain the size of Traps tables is to change the retention settings. This can be set in the Trap Viewer, in Settings. By default, traps are retained for 7 days. Reduce the time to keep the size of the database smaller.

SolarWinds suggests checking the Trap Viewer for the types of traps being received. If you receive a lot of info/debug severity messages from a device, the device itself can be set up to only send higher severity messages. Your vendor should be able to provide configuration commands for sending Traps on the device.

You should also look for traps being received by the Trap Viewer that you are not interested in keeping. You can create a new rule to discard traps by right-clicking and choosing Add Rule. It should automatically fill out all tabs of the new rule to match that trap exactly. Use wildcards ( * ) as appropriate to expand what the rule will match to. Add the actions to Discard the Trap Message and Stop processing Trap rules.

Trap rules are checked in order from top to bottom. Place these discard rules at the top of the list to ensure that these messages are discarded first, and that no other rules are checked against those messages.

Syslog Filter Plan

Option 1: An easy solution is to stop Orion’s Syslog Service. This stops the Syslog Table from growing again.

Option 2: Edit your Syslog Retention Settings to keep Syslogs for x Days. Tune the Severity levels for the Syslog output on your devices to Warning or above. Launch the Syslog view on the server and go to Server Settings. On the first tab, reduce the number of days data is kept.

Option 3: Configure a device to stop sending some or all Syslog messages.

Option 4: Syslog Message comes to Orion via the Syslog Service. Use Rules from the Syslog Viewer to determine whether you want to store the Syslog message in the database or discard the message.

If you have a definite need for level 5 (notice) or above, you will have to look at the data retention settings in the Syslog application within Orion. Alternatively, you could use filter Rules so that the ones that filter and discard messages are at the top of the list. This ensures that they are processed first.

SolarWinds recommends making sure that all rules that are set up to discard messages (Discard Syslog Message) that also contain the line Stop processing syslog rules.

The syslog and traps filter/rules work very differently to the Orion alerting engine. Each time a Syslog message or trap is received it will work through every rule, from the top, until it either gets to the end or hits a rule that specifically tells it to stop processing further rules (Stop processing Syslog Rules).


Discard Syslog Message

Choose Start -> Program Files -> Solarwinds -> Orion -> Syslog Viewer.

From this tool, go to File -> Syslog Server settings -> Alert/Filter Rules Tab.

Filter using various methods: by IP address, by Message Type Patterns, Syslog Message Patterns, Severity, etc.

Add the following Alert Actions to your Rules: Discard Syslog Message and Stop processing syslog rules.


Rearrange the Syslog rules so that the ones that filter and discard messages are at the top of the list. This ensures that they are processed first.


*** Example Rule  Screenshots ****






Save low priority logs on shared storage 

You may save  low priority logs on the shared disk as well such as Notice 





Warning : A shared file can grow in size and the syslog / trap service may crash while adding more syslog messages to a single file. The best practice is to disable Syslogs and Traps on the device itself so they are not processed and sent. 



Daily / Weekly scheduled reports for Traps / Syslogs 

You can use Report Writer to create reports for syslog / Traps and then schedule it to run daily or weekly. Click New and then select Syslog Messages. Configure the report to capture the necessary fields, as shown in this example.





You can create multiple reports, one for each severity level you are interested in. Then go into Schedule Manager and schedule your report to run each day and email you the results.


Syslog / Traps message retention 


You must not change your Default Database Retention Settings any change can cause database size increase and Traps / Syslogs can grow quickly and that would affect the database performance. 


Required to store huge logs / Traps / Syslogs from many devices for auditing 


We actually have more powerful appliance LOG & EVENT MANAGER for the more demanding environment. It is easy to use logs for security, compliance, and troubleshooting storing for the longer time period for auditing.


For Advanced Alerting, please see this detailed video:

Alertapalooza: Syslogs, Traps, and Advanced Alerting - SolarWinds® Lab #3 - YouTube (© 2018 YouTube, available at, obtained on October 19, 2018.)


Disclaimer: Please note, any content posted herein is provided as a suggestion or recommendation to you for your internal use. This is not part of the SolarWinds software or documentation that you purchased from SolarWinds, and the information set forth herein may come from third parties. Your organization should internally review and assess to what extent, if any, such custom scripts or recommendations will be incorporated into your environment.  You elect to use third-party content at your own risk, and you will be solely responsible for the incorporation of the same if any.



Last modified