Tracking the Deletion of a Node?

Is it possible to delete a node and not see any evidence of that?

I ask, as we have a node that has gone from our setup but I can't see anything in Orion.AuditingEvents that shows that. We have events I can see in the DB up to last week where a space was removed from its name, and we have a ticket raised on our ticket mgmt platform 2 days ago from an alert on it. 

But the node is not findable by any portion of its name or IP and I can't see any event in the above DB location that would imply it was deleted either.

Any ideas?

  • Is there nothing listed in the message center?

    If you select the 'Show audited events' and then filter on 'Node Deleted' does this show anything up?

  • I agree with about the message center. There are also posts about creating alerts/reports on the audit tables to help track this stuff. You will need to search for the IP address though.

  • It looks like a couple of my replies at the end of last week disappeared or more likely I forgot to submit.

    Anyway, tried what you suggested and whilst a few show up this one doesn't.

  • How far back are you trying to look for this device? 

    If this is outside the data retention period that you keep logs for, then you will no longer have logs ... i.e. if you only keep logs for 30 days... you are not going to see devices that were deleted 32 days ago, etc.

    Same is applied on both the GUI and the SWQL back end database manipulation.

    If you are sure that the device you are looking at is within the retention period, then there will definitely be audit events for "Add/Remove" device or something similar. ... Happy to be messaged to see if I can assist you further.

  • Thank you ... it's no real biggie TBH, but yes definitely within our retention period. When I first posted it was less than 14 days and can see events / actions / audits on it up to and including the 6th July and then nothing.

    As it is our first experience of this hopefully never to be seen again phenomenon we are putting it down to 'one of them things' but more interested really to hear if others have or suspect they have items that have disappeared without a record.

  • --You can either use this in SWQL studio or create a report with it. 

    SELECT TOP 1000
        AuditEventID, TimeLoggedUtc, AccountID, ActionTypeID,
        AuditEventMessage, NetworkNode, NetObjectID, NetObjectType,
        DetailsUrl, DisplayName, ObservationTimestamp,
        ObservationRowVersion, ObservationSeverity,
        ObservationSeverityName, Description, InstanceType, Uri,
        InstanceSiteId
    FROM Orion.AuditingEvents
    WHERE AuditEventMessage LIKE '%deleted%'
    ORDER BY TimeLoggedUtc DESC

  • Thanks for the report / queries - we already have a variation of this one but useful to have nonetheless - and @bobmarley (for some reason I can't tag your name).

    Sadly, all those do is confirm what we already know which is on July 6th the node had a space removed from its name and nothing since. But we can't find it anywhere.

    Now, having gone back far enough in the audit logs I think I have the original IP and can see that it was deleted on July 13th.

    So I guess a new query here is:

    - not "has SolarWinds not audited it?", but "why is the name of the node not shown when looking through the audit logs for deleted nodes?"

    I guess that is a 'WAD' but doesn't help mere mortals.

    So thanks everyone involved - found it and have learned something in the process.