Detecting flapping devices

have you tried setting up traps or a syslog alert?

i set up an alert via syslog to send me an email whenever this happens and it works really well

That would be really helpful. Would you mind posting your filter configuration?

X2 - I'd like to see the config.  Are you basing the "flap" on getting X number of "Device/Interface up" traps  in a specified time period?

You have to setup the configuration on your network device to forward syslog or events to NPM server.

From syslog console you can configure the ALERTS.

From my experience NPM does not detect or trigger alert when the device or interface flapped,especially in WAN. That's for the syslog to cover the detection

Following on from above.

The syslog message of "link flap" is not detected for some certain end devices.  Switch log only reports up/down status.  Advanced alert manager has been configured to show up/down status but does not pick up the flapping.

I have also configured syslog alerts to notify me when there is a flapping port based on string "changed to up", "changed to down".   Problem is, it reports even when users are pluggin/unpluggin their laptops etc.

Has anyone found a way to get this reported correctly?

Try designating the interface as "unpluggable" in Node Management. That should keep it from being included in down interface alerts.

Thanks for the reply.  The solution you have suggested I still think it does not really answer the question of detecting a flapping port/interface.

We would like to detect ANY flapping port.  Whether this may be a:-

• Uplink
• User interface
• Serial Connection
• Server Interface etc tec

As I understand it from SW, Orion Polling engine cannot pick up any flap detection, hence they had suggested to use SNMP or SYSLOG's to pull the information from.  But this presents the problem as described above.  If I use either the SNMP TRAP MIB "SNMPv2-MIB:linkUp" or "SNMPv2-MIB:linkdown" or syslog string "changed to up", "changed to down", it will pick up erroneous alerts when multiple users are connecting/disconnecting their machines simultaniously.

The other problem is, some of the flapping interfaces do not get written to syslog as 'flap' but only reported as up/down.  So specifying the 'flap' does not really work for syslog alerts.

By specifying "unplugged", how would that work?

Is anyone able to answer the above?  I have not found a solution to this yet.  Solarwinds has also been unable to provide any examples of how this would be achieved.  This leads me to believe, is this even possible?

The 'unplugged' feature is only to surpress alerts on specified interfaces.

no, it is not possible (except for alerting on a syslog message that tells you that an interface is flapping of course)

We added a new feature in v10 for SNMP traps which allows you to define an action to change the status of an interface that was done exactly for this use case.