Node Remove from SolarWinds Monitoring Environment

Hi Team,

Greetings...!!!

Is there any way to find out by whom (which user) specific nodes were removed from the SolarWinds monitoring environment? I received an alert yesterday, and when I checked I found this, as shown in the snapshot below. When I tried to search for the mentioned IP 172.25.0.1, I was unable to find it in our environment.

  • Hi, I have a dashboard containing a Custom Query widget that utilises SWQL for things like this that you might find useful. Here is the SWQL query I use below. Of course, you don't need to create a dashboard/widget; you can use Reports or SWQL Studio to get the information you require. The dashboard is just something you can pull up quickly for instances like this:

    SELECT AuditEventID, ToLocal(TimeLoggedUtc) as [Date], AccountID, ActionTypeID, AuditEventMessage, NetworkNode, NetObjectID, NetObjectType, DetailsUrl, DisplayName
    FROM Orion.AuditingEvents
    WHERE TimeLoggedUtc > (GetDate()-120)
    ORDER BY TimeLoggedUtc desc

    The query is gathering audit events from the last 120 days (adjust to whatever timeframe you require), and sorting it by date/time.

    Should your audit event retention allow for it, you can use this to go back and find the audit event message that mentions which user deleted the node in question.

    --t.m-k

  • Thanks for your response, I will check this and update you.

  • Your given query does not work, so I used the query below. It works, but it required manual intervention to change the date format.

    SELECT TOP 1000
    AuditEventID,
    ToLocal(TimeLoggedUtc) AS LocalTime,
    AccountID,
    AuditEventMessage
    FROM
    Orion.AuditingEvents
    WHERE
    AuditEventMessage LIKE '%deleted node%'
    AND TimeLoggedUtc >= '2024-03-13'     --- Need to change this date from time to time.
    ORDER BY
    TimeLoggedUtc DESC;
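
Added example, not written by any participant in the thread: a SWQL variant of the queries above that replaces the hand-edited date with a relative cutoff computed in UTC, so it can be saved in a report or widget unchanged. It assumes the SWQL built-ins `ADDDAY` and `GETUTCDATE`; the 120-day window, the `'%deleted node%'` filter and the IP are taken from the posts above.

```sql
-- Added example (SWQL), not from the thread.
-- TimeLoggedUtc is stored in UTC, so the cutoff is computed with GETUTCDATE()
-- and only converted to local time for display.
SELECT TOP 1000
    AuditEventID,
    ToLocal(TimeLoggedUtc) AS LocalTime,
    AccountID,            -- account that performed the audited action
    ActionTypeID,
    AuditEventMessage
FROM Orion.AuditingEvents
WHERE TimeLoggedUtc >= ADDDAY(-120, GETUTCDATE())   -- rolling 120-day window, no manual date edits
  AND (
        AuditEventMessage LIKE '%deleted node%'     -- node deletions (filter used in the thread)
        OR AuditEventMessage LIKE '%172.25.0.1%'    -- any audit event whose text mentions the IP
      )
ORDER BY TimeLoggedUtc DESC
```

The IP filter only matches when the address appears in the message text, and nothing is returned for events older than the audit retention period.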
