Submit a ticketCall us

Have You Auto Renewed? If not, you're missing out.
The SolarWinds Renewal Program comes with a host of benefits including the most recent product updates, 24/7 technical support, virtual instructor-led training and more. Experience all of this with the convenience of Auto Renewal, and never worry about missing any of these great benefits. Learn More.

Home > Success Center > User Device Tracker (UDT) > UDT Administrator Guide > Monitor syslog messages > Configure Syslog Viewer filters and alerts

Configure Syslog Viewer filters and alerts

Table of contents
No headers
Created by Steven Bansil_ret, last modified by Steven Bansil_ret on Jan 31, 2017

Views: 41 Votes: 0 Revisions: 2

The Syslog Viewer can be configured to signal Orion alert actions when Syslog messages that are received from network devices match defined rules. The steps in the following procedure establish rules that filter syslog messages and initiate alert actions as you determine.

Syslog rules may not be applied to nodes in an unmanaged state. For more information about designating nodes as unmanaged, see Set device management states.

  1. Click Start > All Programs > SolarWinds Orion > Syslog and SNMP Traps > Syslog Viewer.
  2. Click File > Settings.
  3. Click Alerts/Filter Rules.
  4. If you are creating a new rule, click Add New Rule.
  5. If you are editing an existing rule, select the rule, and then click Edit Selected Rule.
  6. On the General tab, complete the following steps:

    1. Provide or edit the Rule Name, and then check Enabled.
    2. Select appropriate servers from the Apply this Rule to list.
    3. Enter the IP addresses or subnets to which this rule applies in the Source IP Addresses area.

      Use the examples provided on this tab to ensure that the list of source IP addresses is properly formatted.

  7. If you want to limit the rule to only messages from specific hosts, domains, or host name patterns, on the DNS host name tab enter a DNS host name Pattern.

    • The DNS host name Pattern rule is case-sensitive.
    • When Use Regular Expressions in this Rule is checked, you may use regular expressions in place of "like" statements. For more information about using regular expressions in SolarWinds UDT, see Regular expression pattern matching.
  8. If you want to limit the rule to only specific message types or text within a syslog message, on the Message tab enter rules as appropriate for Message Type Pattern and Syslog Message Pattern.

    Use the examples listed on this tab to format the list properly.

  9. If you want to apply specific severity or facility types, on the Severity / Facility tab check the severity and facility types you want to apply.

    By default, all message severities and facilities are selected.

  10. If you want to limit rule application to within a specific period of time, select the Time of Day tab, check Enable Time of Day checking, enter the time period, and then check the days of the week on which to apply the rule.

    • Messages received outside the specified time frame do not trigger alerts.
    • Enabling Time of Day checking creates more overhead for the CPU.
    • Time of Day checking creates more overhead for the CPU.
  11. If you want to suppress alert actions until a specified number of messages arrive that match the rule, complete the following procedure:
    1. Select the Trigger Threshold tab.
    2. Check Define a Trigger Threshold for this Rule.
    3. Enter option values as appropriate.

      When Suspend further Alert Actions for is checked, alert actions are not sent until the specified amount of time has expired. Once the time period has expired, only new alerts are sent. All alerts suppressed during the time period are discarded.

  12. Configure syslog alert actions on the Alert Actions tab, as shown in the following steps:
    1. If you are associating a new action to the rule, click Add New Action. For more information about available actions, see Available syslog alert actions.
    2. If you want to edit an existing action for the rule, select an action from the list, and then click Edit Selected Action.
    3. Configure the action as appropriate.

      Syslog alerts use a unique set of variables.

    4. If you need to delete an action, select the action, and then click Delete Action.
    5. Use the arrow buttons to set the order in which actions are performed.

      Actions are processed in the order listed, from top to bottom.

    6. Click OK to save all changes and return to Syslog Viewer Settings.
  13. Use the arrow buttons to arrange the order in which the rules are applied.

    Rules are processed in the order they appear, from top to bottom.

Last modified