Custom Alert - Rogue Devices last 7 days

Hello Community - 

Looking for direction or ideas on how to create an alert on Solarwinds NPM that's customized for a specific result:

Currently there's an out-of-the-box alert - "Alert when a rogue mac address appears on network" that detects and alerts on MAC addresses discovered on our Cisco Cat and Nexus switches. However, the Nexus ARP table does not refresh often, causing stale/bad data to be flagged. The retention period on the Nexus ARP table seems to be at least a month. After discussing with Cisco's tech support, the retention period is not configurable. 

Possible solution is to adjust how far back the alert should look when determining an alert. The trigger conditions unfortunately do not seem to present any variables to use to configure the alert to only recognize MACs whose last update on the same interface is 7 days or less. This would reduce the amount of false positives. After reaching out to SolarWinds support, I was directed by them to the Thwack community for possible assistance in creating a custom SQL query that can produce the desired results.

Any assistance would be much appreciated. 

Thanks in advance

  • Something like this would probably work for you:

    It's custom SWQL and not custom SQL, but should do the same thing.  The GETUTCDATE() returns today and the -7 goes back 1 week.

    Is that what you were looking for?

    Rogue+MAC+(within+last+7+days).xml
    <AlertDefinition xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2004/07/SolarWinds.Orion.Core.Alerting.Models">
    	<AlertID>204</AlertID>
    	<AlertMessage>Alert me when a rogue MAC address appears on network</AlertMessage>
    	<AlertRefID>67a20ebd-240e-4510-9afc-1c8af6705cb3</AlertRefID>
    	<Canned>false</Canned>
    	<Category/>
    	<CreatedBy i:nil="true"/>
    	<CustomProperties xmlns:d2p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays">
    		<d2p1:KeyValueOfstringanyType>
    			<d2p1:Key>ResponsibleTeam</d2p1:Key>
    			<d2p1:Value xmlns:d4p1="http://schemas.datacontract.org/2004/07/System" i:type="d4p1:DBNull"/>
    		</d2p1:KeyValueOfstringanyType>
    	</CustomProperties>
    	<Description>User Device Tracker alert when rogue MAC address is detected.</Description>
    	<Enabled>true</Enabled>
    	<ExecutionTimePeriods xmlns:d2p1="http://schemas.solarwinds.com/2008/Core"/>
    	<Frequency>PT1M</Frequency>
    	<LastEdit>2021-08-18T21:35:02.3966667Z</LastEdit>
    	<Name>Rogue MAC (within last 7 days)</Name>
    	<NotificationEnabled>false</NotificationEnabled>
    	<NotificationSettings xmlns:d2p1="http://schemas.solarwinds.com/2008/Core">
    		<d2p1:Enabled>false</d2p1:Enabled>
    		<d2p1:NetObjectType>Rogue MACAddress</d2p1:NetObjectType>
    		<d2p1:Severity>Notice</d2p1:Severity>
    		<d2p1:Subject/>
    		<d2p1:_properties xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/>
    	</NotificationSettings>
    	<ObjectType>Rogue MACAddress</ObjectType>
    	<Reset>
    		<Conditions>
    			<ConditionChainItem>
    				<AndThenTimeInterval i:nil="true"/>
    				<ChainType>ResetInverseToTrigger</ChainType>
    				<Condition xmlns:d5p1="http://schemas.datacontract.org/2004/07/SolarWinds.Orion.Core.Models.Alerting" i:nil="true"/>
    				<ConjunctionOperator>None</ConjunctionOperator>
    				<IsInvertedMinCountThreshold>false</IsInvertedMinCountThreshold>
    				<NetObjectsMinCountThreshold i:nil="true"/>
    				<ObjectType i:nil="true"/>
    				<SustainTime i:nil="true"/>
    				<Type i:nil="true"/>
    			</ConditionChainItem>
    		</Conditions>
    	</Reset>
    	<ResetActions xmlns:d2p1="http://schemas.solarwinds.com/2008/Orion"/>
    	<Severity>Critical</Severity>
    	<Trigger>
    		<Conditions>
    			<ConditionChainItem>
    				<AndThenTimeInterval i:nil="true"/>
    				<ChainType>Trigger</ChainType>
    				<Condition xmlns:d5p1="http://schemas.datacontract.org/2004/07/SolarWinds.Orion.Core.Models.Alerting" xmlns:d5p2="http://schemas.datacontract.org/2004/07/SolarWinds.Orion.Core.Alerting.Plugins.Conditions.Swql" i:type="d5p2:AlertConditionCustomSwql">
    					<d5p2:Command>WHERE Rogue = 'True'
    AND LastUpdate &gt;= GETUTCDATE() - 7</d5p2:Command>
    				</Condition>
    				<ConjunctionOperator>None</ConjunctionOperator>
    				<IsInvertedMinCountThreshold>false</IsInvertedMinCountThreshold>
    				<NetObjectsMinCountThreshold i:nil="true"/>
    				<ObjectType>Rogue MACAddress</ObjectType>
    				<SustainTime i:nil="true"/>
    				<Type xmlns:d5p1="http://schemas.datacontract.org/2004/07/SolarWinds.Orion.Core.Alerting.Plugins.Conditions.Swql" i:type="d5p1:ConditionTypeCustomSwql"/>
    			</ConditionChainItem>
    		</Conditions>
    	</Trigger>
    	<TriggerActions xmlns:d2p1="http://schemas.solarwinds.com/2008/Orion"/>
    	<Uri>swis://KMSORION01v.kmsigma.local/Orion/Orion.AlertConfigurations/AlertID=204</Uri>
    </AlertDefinition>
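To see what the 7-day window actually suppresses before importing the alert, here is an added example that is not from the thread and not SolarWinds code: it replays the same condition (Rogue is true and LastUpdate is no older than 7 days) over a few constructed UDT-style records, keyed per switch and interface as the original question asked, so a stale Nexus ARP entry for a MAC that has since appeared on another port does not fire. The record layout, the `days_ago` helper and the assumption that LastUpdate is a UTC timestamp are mine, not the product's.

```python
"""Replay the "rogue MAC within the last 7 days" trigger over constructed records.

Added example, not part of the original thread or of SolarWinds UDT. Records
are modelled after what the Rogue MACAddress object exposes (MAC, node, port,
Rogue flag, LastUpdate); LastUpdate is assumed to be UTC, matching GETUTCDATE().
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class MacSighting:
    mac: str            # any notation: aabb.ccdd.eeff, aa:bb:..., aa-bb-...
    node: str           # switch the MAC was learned on
    interface: str      # port the MAC was learned on
    rogue: bool         # UDT "Rogue" flag (not on the whitelist)
    last_update: datetime  # UTC timestamp of the last time UDT saw it here


def normalize_mac(mac: str) -> str:
    """Collapse Cisco, colon and dash notations to 12 lowercase hex digits."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def rogue_macs_within(sightings, now, days=7):
    """Sightings that would trigger: Rogue = True AND LastUpdate >= now - days.

    The most recent sighting per (mac, node, interface) is used, so a MAC that
    lingers in a stale Nexus ARP table on one port is judged on that port's own
    LastUpdate and does not suppress (or cause) an alert for another port.
    """
    cutoff = now - timedelta(days=days)
    latest = {}
    for s in sightings:
        key = (normalize_mac(s.mac), s.node, s.interface)
        if key not in latest or s.last_update > latest[key].last_update:
            latest[key] = s
    hits = [s for s in latest.values() if s.rogue and s.last_update >= cutoff]
    return sorted(hits, key=lambda s: (s.node, s.interface, normalize_mac(s.mac)))


# Constructed evaluation time and sample data (not real inventory).
NOW = datetime(2021, 8, 18, 21, 35, tzinfo=timezone.utc)


def days_ago(n):
    return NOW - timedelta(days=n)


SAMPLE = [
    # fresh rogue on a Nexus port: alerts
    MacSighting("00:11:22:33:44:55", "nexus01", "Ethernet1/1", True, days_ago(2)),
    # rogue still sitting in the Nexus ARP table after a month: suppressed
    MacSighting("0011.2233.4466", "nexus01", "Ethernet1/2", True, days_ago(30)),
    # recently seen but whitelisted: never alerts
    MacSighting("00:11:22:33:44:77", "cat01", "Gi1/0/5", False, days_ago(1)),
    # old and new sighting on the same port: deduplicated to the newest, alerts once
    MacSighting("00-11-22-33-44-88", "nexus01", "Ethernet1/3", True, days_ago(40)),
    MacSighting("00:11:22:33:44:88", "nexus01", "Ethernet1/3", True, days_ago(3)),
    # same rogue MAC stale on the Nexus but fresh on a Catalyst: only cat01 alerts
    MacSighting("00:11:22:33:44:99", "nexus01", "Ethernet1/4", True, days_ago(20)),
    MacSighting("00:11:22:33:44:99", "cat01", "Gi1/0/7", True, days_ago(1)),
]


if __name__ == "__main__":
    for s in rogue_macs_within(SAMPLE, NOW):
        print(f"{normalize_mac(s.mac)}  {s.node}  {s.interface}  {s.last_update:%Y-%m-%d}")
```

Widening `days` (for example to 45) brings the stale Nexus entries back, which is the behaviour of the out-of-the-box alert that prompted the question; the `>=` comparison matches the SWQL above, so a record updated exactly 7 days ago is still included.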

  • That looks like the query I'm looking for - I'm going to give it a shot and see if this will give me the results I'm looking for. I will keep this post updated with any progress. Appreciate the response on this - thank you!

  • Just wanted to update that so far this query seems to work for what we need. It's only been a week but so far so good. 

    Thanks again
