Comments
-
If you're looking for an entry count threshold, it is in the product as described in documentation.solarwinds.com/.../lm-create-custom-rules.htm However, the rule can't be in the Global policies, only in policies specific for log sources (syslog, trap, ...).
-
Actually, it's the 4th option how it works: - set the reset condition to "No reset condition – Trigger this alert each time the rule fires" - insert ${N=OLM.AlertingMacros;M=OLMAlertMessage.HitCount} macro to your alert message Btw it is possible to trigger alert with every incoming syslog/trap/windows event, but it is…
-
You can use "Run external program" action and use e.g. PowerShell command to write to a file. There are variables which you can use to add a timestamp and message text: documentation.solarwinds.com/.../la-run-external-program-variables.htm
-
Note that Advanced Settings are not available in Global Preprocessing or Postprocessing policies.
-
The syslog message contains "cleared", but the rule string contains "exceeded".
-
Database maintenance logs are in the common log C:\ProgramData\SolarWinds\Logs\Orion\swdebugMaintenance.log. The LA part starts with "SolarWinds.Data.DatabaseMaintenance.MaintenanceEngine - Beginning Maintenance for Orion.LogMgmt".
-
There are ways how to trigger an alert if something happens (e.g. if 5 particular syslogs arrive in 2 minutes), but I'm not sure it's possible to act if something doesn't happen. Maybe alerting has a feature which would help, but Log Analyzer not.
-
Windows Events can be obviously polled only by Windows Agent. Log files can be polled by both Windows and Linux Agent the same way. https://documentation.solarwinds.com/en/success_center/la/content/release_notes/la_2022-4_release_notes.htm
-
AFAIK the free version (Log Viewer) has always been a replacement of legacy syslogs/traps and all the features of legacy made it to Log Viewer. Almost. The paid version, Log Analyzer, adds only things which have never been in legacy. Almost. These are the "almost exceptions": - licensing (it's not possible to receive…
-
If you use the macro for displaying the whole trap, do you see the trap id (1.3.6.1.6.3.1.1.4.1) twice there? I think the shift by 1 is caused by this.
-
You can still use the same SQL server. One or two or three databases, what's the difference?
-
Why do you think so? Syslog/Traps Viewers were the legacy applications (and services) which have been replaced by LV. Is there anything you're missing in LV and you used to have in legacy apps? Maybe the confusion is that prior to 2022 releases it was possible to use the legacy syslogs/traps, but it's no longer possible.…
-
You have to be either in Syslog or Traps policy. Global Preprocessing or Global Postprocessing don't have this option. Btw the same applies to Entry count or Flood protection rule condition options.
-
Which of the queries did you use? The query probably needs just a small adjustment.
-
Why do you think it was an upgrade from legacy syslog/traps? @"hnz980" Was it upgrade from legacy or from OLV/LA?
-
Probably downgrade, revert DB and then stop services on all additional pollers and websites before performing upgrade. This is likely caused by additionals rewriting rule definitions after the main poller upgraded them to the new version.
-
Hi, You can use ${N=OLM.AlertingMacros;M=OLMAlertMessage.EventMessage} macro - it will add the whole message and it is universal for all message types (syslogs, traps, windows events, ...). If you want just some part of it, it gets much more complicated or even impossible.
-
This option is available in the latest LA (and probably few versions back as well), but it hasn't always been there. Since the rules are triggered in each service separately (trap service, syslog service, etc.), this option is not available either in Global Preprocessing or Global Postprocessing. So - go to a trap rule and…
-
This SWQL query should work as you need, you can use it e.g. in a report: SELECT NodeID, IPAddress, Caption FROM Orion.Nodes WHERE NodeID NOT IN (SELECT DISTINCT le.NodeID FROM Orion.OLM.LogEntry le JOIN Orion.OLM.LogEntryType let ON le.LogEntryTypeID = let.LogEntryTypeID WHERE let.Type = 'Syslog' AND le.DateTime BETWEEN…
-
What is your scenario? Why is such information useful? SWQL script might be possible and it can be used as a data source for a report. Or maybe there is a completely different solution.
-
Have you seen this page? https://documentation.solarwinds.com/en/success_center/la/content/la/la-run-external-program-variables.htm Or if you need alerting macro, maybe you can use something like ${N=OLM.AlertingMacros;M=OLMAlertMessage.VbData4} if the varbind is always at the same place (4th of all varbinds in ths…
-
I guess you already figured out. Just for the record - the list of messages is limited to 1000 on purpose. You can use filtering or changing timeframe to refine what you need to see. The histogram above the list shows all messages (in the filter if you use any). You can drag the mouse inside the histogram to zoom-in.
-
The first checkbox means that OLV will send a message to alerting to trigger an alert. You have to have this selected. The second checkbox just adds an alert for you if you don't have one already. Make sure that the alert (its name) you're trying to create doesn't already exist. But I don't know what those errors mean.…
-
I think you have to add such action in trigger actions:
-
Enable the Alert integration, let it create a new alert and finish creating the rule. Once you're redirected to the list of rules, click on the Trigger Orion Alert text in your new rule item, a popover with a link to the alert will open, click on the alert's name and it will take you to the alert configuration. There you…
-
There is an implicit throttling when triggering alerts from LA/OLV. While no other actions are throttled, an alert can be triggered only once a minute to prevent alerting service from being overloaded. It is possible to decrease the cooldown period (not from the regular UI), but it is highly recommended not to turn it off…
-
Hm, you can set the alert to "No reset condition – Trigger this alert each time the rule fires" not to miss any flap, but I'm not sure how to set the threshold only for the same IP address.
-
If you know the IP address, you could create an alert for each IP with condition that the message contains the IP. It wouldn't work (or it would be very tedious work to set it up) if there are many possible IPs. Btw which message type is it (syslog, trap, ...) and can you post an example of the message?
-
There is Alert integration section in the Actions step. Enable it and let it create an alert for you. Then go to the alert definition (there is a link to the alert from the rule list when you click on Trigger Orion Alert) and use macros in the alert message.…
-
Yes, this is exactly what LA's Log Files feature does. You can be alerted based on severity or message content (message = one line of the log file). If you use the free version, which is a part of e.g. NPM, NCM, ... you have the option to activate full LA 30 day trial. If you don't like it and you decide not to buy LA,…