Log Viewer Tags and Actions

I apologize if this is a "newbie" type question that can be answered by reading the manual... however I'm just a bit confused on Log Viewer vs Log Analyzer in Orion.

We send a lot of syslog and SNMP traps to Orion and would like to start possibly alerting on some of these items (eg: APC Struxureware sends a Device Alarm). I can see what looks like some out-of-box Cisco rules which are set up to add a tag for things like authentication failures under Traps > Default Logging Rules while on the Log Processing Configuration page. 

The question I have is: when building a custom rule, is the ability to add a tag only available with Log Analyzer? And if so, what is the best way to alert w/ Log Viewer if possible. Here's what options I currently have to configure for Log Entry Actions: [screenshot: Screenshot 2020-12-01 143559.png]

If adding tags with Log Viewer is not possible - which option should I choose if I simply want to make an alert?

Thank you Thwack community!

  • I have partially answered my question here - LA feature comparison (solarwinds.com)

    I can see that for tagging, I would need a full LA license. 

    Still have the question regarding what would be needed in order to alert off of certain traps - based on the actions available in Log Viewer, I am assuming I would just choose to stop processing rules and then go ahead and create my alert?

    1. FLAG FOR DISCARD
      1. Rules will continue processing, but the entry will not be saved to the database.
    2. STOP PROCESSING RULES
      1. Halt further rule processing for the active log entry.
  • I figured this out - just needed to do more experimenting and stop overthinking, as usual.

    In my case, I am forwarding the SNMP traps on to another system for further processing, so I've selected that as the action.

    Then I configured an alert to fire for every instance of this log event. I also have configured a separate rule for this particular use case that fires when "Cleared" traps are received. I then use that rule as my reset condition.

  • Hi, I just wondered if you're able to explain how you set up the clear rule and used it as a reset condition for your alert? I have a similar scenario in my client for things like OSPF & BGP Resets, where they want an alert to trigger on Down, but want it to Reset on Up etc. At the moment I've got a fairly complicated scenario using Custom SWQL which isn't ideal.
