
Creating an Orion Alert with Log Analyzer

Log Analyzer (LA) includes the ability to trigger an Orion Alert based on log or SNMP Trap data, which has been a long-standing feature request. I'd like to walk you through the steps involved in creating an Orion Alert via LA.

In order to create an Orion Alert from Log Analyzer, you first need to create an LM Rule from the Log Processing Configuration page. I'm going to use a BGP Peer Down alert as an example.

Creating a Log Rule

I've created a rule to monitor for syslog messages which contain '%BGP-5-ADJCHANGE' and 'down':

Screen Shot 2018-08-02 at 11.29.11 AM.png

Creating an Orion Alert from a Log Rule

In addition to adding tags, running an external program and discarding messages, LA includes an option to 'Send a Log Fired event to Orion Alerting'. Enabling this option creates an event which Orion Alerting can use to trigger an alert.

Screen Shot 2018-08-02 at 11.33.41 AM.png

You can create the alert directly from the Log Rule configuration. The options here are limited to assigning a name to the alert and setting the severity and reset conditions. To add additional conditions, time-of-day settings and trigger actions, you'll need to edit the alert from the Orion Alerting configuration. We've made it really easy to access the alert, which I'll walk you through shortly. Once you've created the alert, it behaves in the same way as any other Orion alert.

Screen Shot 2018-08-02 at 11.40.12 AM.png

Adding Additional Conditions and Actions to your Alert

To access the Orion Alert that you've just linked to your rule, click 'Trigger Orion Alert' on the Rule Summary page. From here you can add additional conditions and actions. It's worth noting that you can assign multiple alerts to one log rule; if you have multiple alerts assigned, they will all be displayed under 'Linked Alerts'.

Screen Shot 2018-08-02 at 11.41.59 AM.png

The trigger condition will look like this. You can add additional conditions here if you wish:

Screen Shot 2018-08-02 at 11.47.31 AM.png

Reset Conditions

Configuring Reset Conditions for polled data is usually pretty straightforward, e.g. if CPU drops below 90%, automatically reset the alert. Resetting alerts based on log data can be a bit more challenging, as oftentimes there isn't a follow-up log/trap to let you know that an issue is resolved. So, what are your options?

Automatically Reset the Alert after X - this option allows you to automatically reset the alert after a specified period. For example, the BGP Peer Down alert has triggered, but you would like to automatically reset the alert after 60 minutes.

No Reset Condition - The alert will be triggered each time the associated Log Rule triggers.

No Reset Action - The alert remains active and is never reset. To re-trigger the alert, the alert must be manually cleared from the Active Alerts view.

Create a Special Reset Condition for this Alert - This option is particularly useful in the case where you want to reset the alert based on a 'happy log/trap' being received. For example, you may want to reset the BGP Peer Down alert as soon as a BGP Peer Up event is received. It's worth noting that the Node is taken into consideration automatically, so the alert will only reset if the log is received from the same node that triggered the initial alert.

Trigger Actions

Orion alerting includes many powerful alert actions and I'm pleased to say that Log Analyzer can leverage every one of these actions. If you'd like to send an e-mail notification, LA has a number of macros available which you can include as part of the e-mail, such as Rule Name and Log Message. This ensures that the e-mail includes the rule name which triggered the alert along with the actual log message. For more information on alert variables, please see here: Adding alert specific variables into email generated by an alert - SolarWinds Worldwide, LLC. Help a...

Alert Details

When your alert triggers it will be displayed in the 'All Active Alerts' resource along with all your other Orion Alerts, where you can acknowledge alerts, view alert details and clear the triggered instance of an alert.

Screen Shot 2018-08-03 at 9.19.07 AM.png

Screen Shot 2018-08-03 at 9.21.55 AM.png

You may be wondering what happens if an alert triggers but the same syslog or trap keeps coming into LA. In that scenario, the alert is aggregated for a one minute time span. This ensures that you don't get bombarded with alerts/e-mail notifications each time a Log Rule fires. You can view the number of times the alert has triggered over the last minute within the 'Top 10 Objects by Trigger Count of this Alert' resource on the Active Alert Details page.
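To make the two behaviours above concrete (the node-scoped 'happy log' reset from the Reset Conditions section, and the one-minute aggregation of repeated triggers), here is a small simulation of a log rule feeding an alert. It is an added example, not code from the post or from SolarWinds; the syslog records are constructed (Cisco %BGP-5-ADJCHANGE message format, invented hostnames and peer addresses), and the case-insensitive matching and the way a one-minute window rolls over are assumptions about LA's behaviour rather than documented facts.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample syslog records (timestamp, source node, message).
# Not taken from the original post; hostnames and addresses are invented.
SAMPLE_LOGS = [
    ("2018-08-02 11:00:00", "rtr-edge-1", "%BGP-5-ADJCHANGE: neighbor 10.0.0.2 Down BGP Notification sent"),
    ("2018-08-02 11:00:20", "rtr-edge-1", "%BGP-5-ADJCHANGE: neighbor 10.0.0.2 Down BGP Notification sent"),
    ("2018-08-02 11:00:40", "rtr-edge-1", "%BGP-5-ADJCHANGE: neighbor 10.0.0.2 Down BGP Notification sent"),
    ("2018-08-02 11:01:10", "rtr-edge-1", "%BGP-5-ADJCHANGE: neighbor 10.0.0.2 Down Interface flap"),
    ("2018-08-02 11:01:30", "rtr-edge-2", "%BGP-5-ADJCHANGE: neighbor 10.0.1.2 Up"),   # other node: must not reset
    ("2018-08-02 11:02:00", "rtr-edge-2", "%BGP-5-ADJCHANGE: neighbor 10.0.1.2 Down Interface flap"),
    ("2018-08-02 11:05:00", "rtr-edge-1", "%BGP-5-ADJCHANGE: neighbor 10.0.0.2 Up"),
]

# Rule definitions modelled on the post: a rule fires only when every term matches.
TRIGGER_RULE = [r"%BGP-5-ADJCHANGE", r"\bdown\b"]   # the "BGP Peer Down" log rule
RESET_RULE = [r"%BGP-5-ADJCHANGE", r"\bup\b"]       # the "BGP Peer Up" 'happy log' rule

AGGREGATION_WINDOW = timedelta(minutes=1)  # repeats within one minute are aggregated


def rule_matches(terms, message):
    """Case-insensitive match of every term (assumption about LA's matching)."""
    return all(re.search(term, message, re.IGNORECASE) for term in terms)


@dataclass
class ActiveAlert:
    node: str
    triggered_at: datetime
    window_start: datetime
    window_count: int = 1  # triggers seen in the current one-minute window


class LogAlertEngine:
    def __init__(self):
        self.active = {}  # node -> ActiveAlert; the alert is scoped per node
        self.events = []  # (timestamp, outcome, node) audit trail

    def process(self, ts, node, message):
        if rule_matches(TRIGGER_RULE, message):
            alert = self.active.get(node)
            if alert is None:
                self.active[node] = ActiveAlert(node, ts, ts)
                outcome = "trigger"            # first occurrence: alert becomes active
            elif ts - alert.window_start < AGGREGATION_WINDOW:
                alert.window_count += 1
                outcome = "aggregated"         # same node within the minute: count only
            else:
                alert.window_start, alert.window_count = ts, 1
                outcome = "new_window"         # assumed: the per-minute count starts over
        elif rule_matches(RESET_RULE, message):
            if node in self.active:
                del self.active[node]
                outcome = "reset"              # 'happy log' from the same node clears it
            else:
                outcome = "ignored_reset"      # 'happy log' from a node with no active alert
        else:
            outcome = "no_match"
        self.events.append((ts, outcome, node))
        return outcome


def run_sample(logs=SAMPLE_LOGS):
    """Replay the constructed records and summarise what the alert did."""
    engine = LogAlertEngine()
    outcomes = [engine.process(datetime.fromisoformat(ts), node, msg) for ts, node, msg in logs]
    return {"outcomes": outcomes, "still_active": sorted(engine.active)}


if __name__ == "__main__":
    for ts, outcome, node in LogAlertEngine().events or []:
        pass
    result = run_sample()
    for (ts, node, _), outcome in zip(SAMPLE_LOGS, result["outcomes"]):
        print(f"{ts}  {node:<11} {outcome}")
    print("still active:", result["still_active"])
```

The point to notice is the fifth record: the 'Up' message from rtr-edge-2 arrives while rtr-edge-1's alert is active, and because the reset is scoped to the triggering node it is ignored rather than clearing the wrong alert. The three 'Down' repeats in the first minute produce one trigger and two aggregated counts, which is the behaviour that keeps a flapping peer from generating a notification per log line.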

I hope this post provides you with all the information you need to get started with the Log Analyzer and Orion Alerting integration. If you have any questions, comments or feedback, please feel free to drop them into the comments section below.

Comments


Could we mix two data sources (SNMP poll & Syslog) to trigger an alert?

Yes - you can add additional conditions to your alert to include both polled data and log data. Out of curiosity, what kind of alerts would you like to configure that include both polled and log data?

Screen Shot 2018-08-08 at 2.11.29 PM.png

Hi

It could be something like sending an SMS temperature alert,

when you have a poll over that temp and the element is sending traps about it.

CISCO-ENVMON-MIB:ciscoEnvMonTemperatureNotification +SNMP poll

/SJA

So I upgraded to the newer version of Solarwinds that utilizes log manager and was without syslog/trap alerting.

This info helped save the day!

There is a major downfall with this alerting method as compared to previous syslog and trap alerts.  We are not able to see the contents of the syslog or trap message in the alert.  This is a serious problem for us as we rely on the information in the email to tell us who, what, when, where.  Does anyone have a solution for this?  We are currently looking to uninstall Log Manager and reinstall the legacy syslog and trap functions.  Wish we hadn't wasted the money on this.

It's possible to add the message contents to the e-mail message, via the steps listed here.

So far I have only used Syslog, but the contents of the message are contained in this variable: ${N=OLM.AlertingMacros;M=OLMAlertMessage.EventMessage}

Great job on documenting, @jhynds

I was able to also get an alert to reset from a later syslog message by setting up a second Log Analyzer rule that looks for the reset message.

Example, Alert-UPS on battery Power and Reset-UPS on Commercial Power

Just make a rule for both, creating an alert only for the first one, then choose 'Reset-UPS on Commercial Power' as part of the reset condition.

This is great because I could never do resets with the old Syslog manager.

One note: when you set your alert actions you need to specify at least one action in the alert. I chose logging to the NetPerfMon log, but if you don't have at least one action the alert will never trigger or show up in the Alert Manager.

Are we there?

jhynds

Should we see that in the next release, 12.5?

Make Log Analyzer so it is not single threaded.

Go vote here:

Right now it's like that center fielder that caught the first ball of the game and now stands out there watching the rest fly by....

You can actually avail of Orion Log Viewer within NPM today, which includes the Orion alert integration. Please see this blog post for all the information you need: Orion Log Viewer the New and Improved Version of the Syslog and Trap Viewers

Any questions, let me know!

Sorry about this as I know this is an older thread... but when I go and try to make a new rule, I do not get an option to "add a tag" in the "add an action" section... can anyone help me? Where am I going wrong?

pastedImage_0.png

Time to upgrade

Is it possible to use the varbinds as a variable anywhere? You could do that in Trap Viewer.

pastedImage_0.png

I was using the latest version and had the option to add a tag.

Hi Everyone,

Quick question,

Can "Orion Log Viewer (OLV)" be linked to "Orion Alerting" for triggering of emails or is this function reserved for "Log Analyzer" users only?

I'm currently trying to link OLV Syslog message detection to Orion Alerting, with a 'configured rule' linked to 'Orion Alerting' with the below Trigger Condition, but it does not seem to be working. Appreciate any assistance =).

Hi All,

I am seeing the same issue that kenny123 is facing. I don't have LA (Log Analyzer) enabled, only LV (Log Viewer) is in use at the moment, and the Orion alerting functionality is not working as expected. Kindly advise: jhynds

Version history: revision 1 of 1, last update 08-02-2018 06:31 AM