What do I lose if I don't send Syslog messages to Solarwinds? I'm already getting SNMP traffic (traps) from these devices and I'm logging to a Kiwi server

I've been streamlining the amount of traffic my Solarwinds server gets and I noticed that much of the Syslog traffic does not get attention unless you create filters for matching to an alert. If I stop sending syslog messages to Solarwinds, what do I lose? I do get traps from the same devices.

Thanks,

--Lunar53

  • That is the most common setup for the use of Syslog in an organisation.

    • Configure the devices to send syslog event messages to Orion
      • Control the level by specifying severity level (e.g. Notice and above) or tuned filters depending on what your device supports. 
    • Configure tagging and/or alerts in Orion syslog for things you know you want to bring attention to
    • Configure filters to delete syslog messages for things you know are not required and are just noise
    • Set a data retention period to suit your resources and needs
    • Update the Orion web page views to include this data alongside other monitoring data
    • Review the syslog data you have collected for the operational purposes you will encounter, i.e. forensic review when an issue occurs

    It is unlikely you want to be sending event data to Orion as syslog AND SNMP Traps, as this just generates duplicate data in different structures. Syslog is our recommended protocol of choice, and only where you have specific reasons are you likely to use Traps.

    Mark

  • Decide first whether you want to make use of the syslog messages in Orion.

    If you're going to use them, use Kiwi to just send the messages that you need.

    We use Kiwi as the syslog forwarder so we only have one destination for syslogs, then we can fan out/direct messages where they need to go. This was mainly because we needed to be able to send the same messages to different destination log managers. Now Kiwi doesn't need to worry about history etc.; it lets the destination log manager worry about that.
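The two replies above describe the same pipeline from different ends: Mark's steps (accept only Notice and above, drop known noise, tag what matters) and the second reply's Kiwi-style forwarder that fans one feed out to several log managers. The following is an added example written for this page, not code from SolarWinds, Kiwi or either poster, showing that logic end to end on raw syslog lines. It parses the RFC 3164 PRI field into facility and severity, applies a severity threshold, discards noise by pattern, attaches tags, and then routes each surviving message to whichever destinations want it. The Cisco-style log lines, the "orion" and "siem" destination names and the tag patterns are all constructed for the demonstration; the one behaviour taken from the standard is RFC 3164 section 4.3.3, which says a relay must treat a message with a missing or unidentifiable PRI as priority 13 (user.notice) rather than drop it.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Syslog severity codes (RFC 3164 / RFC 5424): 0 = Emergency ... 7 = Debug.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
NOTICE = 5

# RFC 3164 section 4.3.3: a relay receiving a message with no PRI, or an
# unidentifiable one, must treat it as PRI 13 (facility user, severity notice).
DEFAULT_PRI = 13

PRI_RE = re.compile(r"^<(\d{1,3})>")


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    body: str
    pri_defaulted: bool = False          # True when PRI was missing/invalid and 13 was assumed
    tags: List[str] = field(default_factory=list)


def parse_syslog(line: str) -> SyslogMessage:
    """Split the PRI field off a raw syslog line; PRI = facility * 8 + severity."""
    m = PRI_RE.match(line)
    if m and int(m.group(1)) <= 191:     # 191 = local7.debug, the highest legal PRI
        pri, body, defaulted = int(m.group(1)), line[m.end():], False
    else:
        pri, body, defaulted = DEFAULT_PRI, line, True
    return SyslogMessage(facility=pri // 8, severity=pri % 8,
                         body=body.strip(), pri_defaulted=defaulted)


@dataclass
class RoutingPolicy:
    max_severity: int = NOTICE                                 # keep Notice (5) and more severe
    noise: List[re.Pattern] = field(default_factory=list)      # matching messages are discarded
    tags: Dict[str, re.Pattern] = field(default_factory=dict)  # tag name -> pattern that earns it
    destinations: Dict[str, Callable[[SyslogMessage], bool]] = field(default_factory=dict)


def route(lines: List[str], policy: RoutingPolicy) -> Tuple[Dict[str, List[SyslogMessage]], Dict[str, int]]:
    """Filter, tag and fan out raw syslog lines; returns per-destination messages and counters."""
    delivered = {name: [] for name in policy.destinations}
    stats = {"received": 0, "pri_defaulted": 0, "below_threshold": 0, "noise": 0, "forwarded": 0}
    for line in lines:
        stats["received"] += 1
        msg = parse_syslog(line)
        if msg.pri_defaulted:
            stats["pri_defaulted"] += 1
        if msg.severity > policy.max_severity:      # numerically higher = less severe
            stats["below_threshold"] += 1
            continue
        if any(p.search(msg.body) for p in policy.noise):
            stats["noise"] += 1
            continue
        msg.tags = [tag for tag, pat in policy.tags.items() if pat.search(msg.body)]
        targets = [name for name, wants in policy.destinations.items() if wants(msg)]
        for name in targets:
            delivered[name].append(msg)
        if targets:
            stats["forwarded"] += 1
    return delivered, stats


# Hypothetical policy: Orion gets everything that survives the threshold and noise
# filters; the SIEM only gets Error and worse plus auth failures and config changes.
EXAMPLE_POLICY = RoutingPolicy(
    max_severity=NOTICE,
    noise=[re.compile(r"%ILPOWER-5-POWER_GRANTED")],
    tags={
        "link-down": re.compile(r"%LINK-3-UPDOWN:.*changed state to down"),
        "config-change": re.compile(r"%SYS-5-CONFIG_I"),
        "auth-failure": re.compile(r"%SEC_LOGIN-4-LOGIN_FAILED"),
    },
    destinations={
        "orion": lambda m: True,
        "siem": lambda m: m.severity <= 3 or bool({"auth-failure", "config-change"} & set(m.tags)),
    },
)

# Constructed sample input (Cisco IOS style, facility local7 = 23, so PRI = 184 + severity).
SAMPLE_LINES = [
    "<187>Mar 10 10:00:01 core-sw1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down",
    "<189>Mar 10 10:00:02 core-sw1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<188>Mar 10 10:00:03 core-sw1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.9]",
    "<190>Mar 10 10:00:04 core-sw1 %SYS-6-LOGOUT: User admin has exited tty session 1(10.0.0.5)",
    "<189>Mar 10 10:00:05 access-sw2 %ILPOWER-5-POWER_GRANTED: Interface Gi1/0/12: Power granted",
    "Mar 10 10:00:06 access-sw2 message with no PRI field at all",
    "<999>Mar 10 10:00:07 access-sw2 message with an out-of-range PRI",
]


def demo():
    return route(SAMPLE_LINES, EXAMPLE_POLICY)


if __name__ == "__main__":
    delivered, stats = demo()
    print(stats)
    for dest, msgs in delivered.items():
        print(f"{dest}: {len(msgs)} message(s)")
        for m in msgs:
            print(f"  {SEVERITY_NAMES[m.severity]:7} tags={m.tags} {m.body[:60]}")
```

Of the seven constructed lines, the Info-level logout is dropped by the threshold, the PoE notice is dropped as noise, and the two lines with a missing or out-of-range PRI are kept at user.notice rather than silently lost, which is the caveat to remember when a device is misconfigured. A real forwarder would replace the `delivered` lists with UDP/TCP/TLS senders per destination, but the decision logic is the part the thread is about.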