Tips and Tricks for Managing Traps and Syslog in Orion NPM

Version 6

    For more details are published under the KB post .

    Tips and tricks for managing traps and syslog in Orion NPM - SolarWinds Worldwide, LLC. Help and Support

     

    Traps Filter Plan:

     

    The best way to maintain the size of your Traps tables it to change the retention settings for your traps. This can be set in the Trap Viewer, in Settings. By Default, we keep traps for 7 days - this can be reduced to keep the size of the database smaller.

     

    Also, I would suggest checking the Trap Viewer for the types of traps being received. If you are receiving a lot of info/debug severity messages from a device, the device itself can be set up to only send higher severity messages. Your vendor should be able to provide configuration commands for sending Traps on the device.

    Also, look for traps being received by the Trap Viewer that you are not interested in keeping - you can create a new Rules based on these Traps by right-clicking and choosing Add Rule, to discard those messages. It should automatically will out all tabs of the new rule to match that trap exactly. Use wildcards ( * ) as appropriate to expand what the rule will match to. Add the actions to "Discard the Trap Message" and to "Stop processing Trap rules".

     

    Trap rules are checked in order top-to-bottom - placing these discard rules at the top of the list will ensure that these messages are discarded first, and that no other rules are checked against those messages.

     

    Syslog Filter Plan:

    Option 1 Easy Solution is to stop Orion’s Syslog Service, This Stops Syslog Table from Growing again.

    Option 2 Edit Your Syslog Retention Settings to keep Syslogs for x Days. I would suggest you tune the Severity levels for the Syslog output on your devices to Warning or above. Launch the Syslog view on the server and go to Server Settings. On the first tab you have a keep data for an amount of days option. Reduce this.

    Option 3 On your Device - Tell them to stop sending some or all Syslog messages

    Option 4 Syslog Message comes to Orion, Syslog Service. Using Rules from Syslog Viewer to Determine whether you want to Store the Syslog message in the Database or whether to discard message.

    If you have a definite need for level 5 (notice) or above, you will have to look at the data retention settings in the Syslog application within Orion. Alternatively you could use filter Rules so that the ones which filter and discard messages, are at the top of the list. This will ensure that they are processed first.

    I recommend to make sure that all rules which are set up to “Discard messages” also contain the line "Stop processing syslog rules".

     

    The syslog and traps filter/rules work very differently to the Orion alerting engine. Each time a syslog message or trap is received it will work through every rule, from the top, until it either gets to the end, or hit a rule that specifically tells it to "stop processing rules".

    "Discard Syslog Message"

    Start -> Program Files -> Solarwinds -> Orion -> Syslog Viewer

    From this tool, Goto File -> Syslog Server settings -> Alert/Filter Rules Tab

    In here you can filter using various methods, By IP address, by Message Type Patterns, Syslog Message Patterns, Severity, etc…

    And then Add the following Alert Actions to your Rule: "Discard Syslog Message" "Stop processing syslog rules"

    "Stop processing syslog rules" Rearrange the syslog rules so that the ones which filter and discard messages, are at the top of the list. This will ensure that they are processed first.

     

    I recommend to make sure that all rules which are set up to “Discard messages” also contain the line "Stop processing syslog rules".

     

    *** Example Rule  Screen shots ****

    sys3.PNG

    sys1.PNG

    sys2.PNG

     

     

    Warning about the size of Syslog table

    Issue:

    Syslog table runs out of space.

    Cause:

    Syslog messages, existing traps and trap variable bindings continue to pile up, consuming space in the Orion NPM database

    SolarWinds Knowledge Base :: Warning about the size of Syslog table

     

     

    For Advanced Alerting please find the detailed video below .

     

    Alertapalooza: Syslogs, Traps, and Advanced Alerting - SolarWinds® Lab #3

    Alertapalooza: Syslogs, Traps, and Advanced Alerting - SolarWinds® Lab #3 - YouTube