• State Not Answered
  • Locked Locked
  • Replies 1 reply
  • Subscribers 25 subscribers
  • Views 722 views
  • Users 0 members are here
Options
Related
This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

Log Manager - Custom SQL Alert

tony.johnson

The following custom SQL can be used to alert when a matching syslog message is found within the last 5 minutes.

Note: -65 is used for the time calculation for the previous 5 minutes as the message time and SQL GETDATE() times are different. You may need to adjust this.

sql.png

Replace the following:

  • SolarWindsOrionLogRC with the name of your OrionLogs database
  • LOGIN_FAILED with the string you want to search within the syslog messages

Add the following to a custom SQL Alert for a Node.

WHERE nodes.NodeID in (

SELECT LEV.NodeID

FROM SolarWindsOrionLogRC.dbo.OrionLog_LogEntryView LEV

INNER JOIN

(

SELECT NodeID,

MAX(SolarWindsOrionLogRC.dbo.OrionLog_LogEntryView.DateTime) as MessageTime, SolarWindsOrionLogRC.dbo.OrionLog_LogEntryMessageView.Message

FROM SolarWindsOrionLogRC.dbo.OrionLog_LogEntryView

INNER JOIN SolarWindsOrionLogRC.dbo.OrionLog_LogEntryMessageView ON SolarWindsOrionLogRC.dbo.OrionLog_LogEntryView.LogEntryID = SolarWindsOrionLogRC.dbo.OrionLog_LogEntryMessageView.LogEntryID

GROUP BY NodeID,SolarWindsOrionLogRC.dbo.OrionLog_LogEntryMessageView.Message

) LEM

on LEV.NodeID = LEM.NodeID

and LEV.DateTime = LEM.MessageTime

and LEM.Message like '%LOGIN_FAILED%'

and lEV.DateTime >  DATEADD(mi,-65,GETDATE())

)

sql2.png

Massive thanks to mark.d​ for pointing out that this alert will never work if you are testing against a server without LogManager, no matter how many times you click validate and change your code!

  • 0

    Great Job tony.johnson adding a sample email body message and the SQL without the RC for easier copy/paste this would be the default name of Orion log Manage DB.

    =====================================

    WHERE nodes.NodeID in (

    SELECT LEV.NodeID

    FROM SolarWindsOrionLog.dbo.OrionLog_LogEntryView LEV

    INNER JOIN

    (

    SELECT NodeID,

    MAX(SolarWindsOrionLog.dbo.OrionLog_LogEntryView.DateTime) as MessageTime, SolarWindsOrionLog.dbo.OrionLog_LogEntryMessageView.Message

    FROM SolarWindsOrionLog.dbo.OrionLog_LogEntryView

    INNER JOIN SolarWindsOrionLog.dbo.OrionLog_LogEntryMessageView ON SolarWindsOrionLog.dbo.OrionLog_LogEntryView.LogEntryID = SolarWindsOrionLog.dbo.OrionLog_LogEntryMessageView.LogEntryID

    GROUP BY NodeID,SolarWindsOrionLog.dbo.OrionLog_LogEntryMessageView.Message

    ) LEM

    on LEV.NodeID = LEM.NodeID

    and LEV.DateTime = LEM.MessageTime

    and LEM.Message like '% logon was attempted %'  *** This would need to be changed to what you want to be alerted on ***

    and lEV.DateTime >  DATEADD(mi,-65,GETDATE())

    )

    ===========================================

    Trigger Action Email Message

    ============================================

    SYSLOG MESSAGE NOTIFICATION <hr /> RECEIVED AT: ${DateTime} <br /> SOURCE IP: ${N=SwisEntity;M=IP_Address}

    <br /> MESSAGE:

    ${N=SWQL;M=SELECT  Message

    FROM Orion.OLM.LogEntry}

    <br /> LEVEL:

    ${N=SWQL;M=SELECT  Level

    FROM Orion.OLM.LogEntry}

    ====================

    Sample Email Message

    ==================

    pastedImage_1.png

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 195,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.

SolarWinds Customer Success Center Certification Media Vault Link Accounts
About THWACK Blogs For Government Edit Settings Free Tools & Trials
Legal Documents Terms of Use Privacy California Privacy Rights Security Information
©2024 SolarWinds Worldwide, LLC. All Rights Reserved.