If you have been using the Orion platform for any length of time, you are probably familiar with the Syslog and SNMP Trap facilities built into it. While these tools have been a mainstay of our platform for many years, the time has come to move on to a new set of features that will let us modernize and extend the logging capabilities in Orion. As an example, our customers have been asking for a very long time to see syslog and traps integrated into the Orion alerting engine. Orion Log Viewer (OLV) makes that possible!

Starting with Orion Core Platform 2019.4, OLV is a free add-on feature that you can install directly via the SolarWinds Orion installer during fresh installs or upgrades. OLV has some prerequisites; the installer checks them and gives you the option to proceed with an OLV install if those requirements are met. Don't despair if your environment isn't ready to consume OLV: the upgrade from the legacy syslog and traps is still optional with this release.

One note for those using the existing syslog and trap functionality: installing OLV will override your existing rules. This means your previously configured syslog and trap rules and alerts will no longer be active. While there is no migration path for existing rules or log data to transfer to OLV, they will continue to be readable in the old viewers.

We hope this change will be a big step forward in making logging a more valuable tool on the Orion platform. As always, we would love to hear your feedback!
There are several benefits to moving over to OLV such as:
In addition to the benefits above, you can also enable a 30-day evaluation of Log Analyzer directly from the OLV interface within seconds, with no downtime or reboots needed. Log Analyzer is a paid product that lives on top of the basic Orion Log Viewer and brings additional value by allowing for:
jvb, question for you.
We moved Syslog and traps out of Orion and into Kiwi due to the volume of data coming in and the impact it had on the database and platform performance. With OLV having its own database and, I'm sure, a raft of other performance improvements under the hood, could I consider moving them back and having Orion take the extra load again?
To give you an idea, we are receiving approx 400k entries a day into Kiwi, which used to equate to a 20GB Syslog table in Orion before we moved it out. In doing this we lost the single pane of glass view (bouncing between Kiwi and Orion), so moving it back definitely has perks as well as extra benefits, especially around alerting.
Hey dsimpkins, it sounds like you would be a good candidate to make the move back. Log Viewer is able to handle 1000 Events Per Second, which clocks in around 90 million a day. So provided that your 400k a day aren't coming in all at once but are roughly spread out over the whole day, the system should be well able to handle that level of ingestion.
Is there the concept of de-duplication for logs and traps received?
Our lovely engineers have a habit of configuring multiple syslog and trap destinations in the same device, so Orion has to receive and process (and store) the messages twice.
Sorry for the slight delay, I had to verify with the team on this. No, there is no de-duplication done on received messages. You might be able to use NCM to check for configs where that duplicate config is present.
Thanks, figured that would be the case as it would be a challenge to identify the duplicate and remove it safely.
Like the NCM suggestion, but unfortunately not all the devices are in NCM (Checkpoint firewalls), so I have to rely on the beating stick for the engineers who keep configuring more than one destination.
I'm spinning up a new instance, so will have a go at using OLV, and if it starts to make the app or database creak then I'll shift the workload over to Kiwi.
I just upgraded to the 2019.4 RC2 and opted to upgrade to the integrated log viewer. As per the above article, my old trap rules should still be readable via the legacy apps, but it appears that the upgrade has uninstalled these. Is there any way I can access my old trap rules so I can manually migrate them?
The menu item was likely removed from the Start Menu when you upgraded, but your Syslog and Trap viewers are still accessible from under 'C:\Program Files (x86)\SolarWinds\Orion'. Just launch 'SyslogViewer.exe' or 'TrapViewer.exe'. When executed, they will tell you they are in read-only mode, which will only allow you to review historical messages or view syslog or trap rule configuration settings.
I've noticed that not all the syslogs make it to my email. Currently I have a device that is sending 4 syslogs per minute in regards to a MACFLAP. All of these syslogs can be seen under Alerts & Activity, Syslogs. Out of those 4 syslogs per minute, I only receive 1 in my email. So I'm missing 3 per minute.
What can I do to assure that I receive all the syslogs that arrive in the syslog database? The old syslog program would forward every single message but this new one doesn't seem to.
And the other thing is that the Syslogs widgets no longer display anything in them. So I had to custom write a widget as per this thread: Syslogs in NPM 12.5. I am now on 2019.4.