Level 9

Syslog Service.exe running at 70

I have been trying to figure out the issues with my syslog service, but I am running into dead ends. I am finding that it is chewing up my CPU, sometimes going up to 90%. I grabbed a SS of it while in the 80s:

syslog cpu.png

I'm not sure what is causing this, but I'm fairly certain that this consumption of resources is causing the syslogservice to crash due to a lack of resources. My DB server is separate from my main polling server. I run Windows 2012 on a VM with 16GB of RAM.

I'm very much at a loss and any help that could be provided would be great.

0 Kudos
3 Replies
Level 16

Hi

NPM syslog and trap services are not for large scale or too heavy use.

Consolidating your syslog and traps to Kiwi Syslog and then forwarding the important stuff to NPM is a good idea.

https://m.youtube.com/watch?v=1vTRj6yReaQ


I "save" around 10000 syslog messages from getting to my NPM every hour!!!

Very well-spent 240 $ that helps you keep your setup healthy.

Level 17

Odds are that you have a very large amount of syslog messages coming in.

I had this issue as well and broke out the syslog from Orion. We now use a syslog-ng server to receive and SW LEM to parse through and report on them, utilizing an agent on the syslog-ng system.

Firewalls are a huge offender of message quantities and one thing you can do (if allowable) is determine which messages you DON'T care about and tell the firewalls not to log those.

0 Kudos
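One way to work out which firewall messages are candidates for "don't log", as an added example that is not part of any post in this thread: tally the relay's received log by sending host and message type and list the types that make up a large share of the volume. The log layout, hostnames and addresses are constructed, and the 20% cut-off is an assumption to tune.

```python
import re
from collections import Counter

# Constructed sample in the shape a relay (e.g. syslog-ng) writes to disk:
# "<timestamp> <sending host> <message>". Hosts and addresses are made up.
SAMPLE_LOG = """\
Mar  3 10:00:01 fw-edge-01 %ASA-6-302013: Built outbound TCP connection 1001
Mar  3 10:00:01 fw-edge-01 %ASA-6-302014: Teardown TCP connection 1001
Mar  3 10:00:02 fw-edge-01 %ASA-6-302013: Built outbound TCP connection 1002
Mar  3 10:00:02 fw-edge-01 %ASA-6-302014: Teardown TCP connection 1002
Mar  3 10:00:03 fw-edge-01 %ASA-4-106023: Deny tcp src outside:203.0.113.9/4444
Mar  3 10:00:03 fw-edge-01 %ASA-6-302013: Built outbound TCP connection 1003
Mar  3 10:00:04 fw-edge-01 %ASA-6-302014: Teardown TCP connection 1003
Mar  3 10:00:05 sw-core-01 %LINK-3-UPDOWN: Interface Gi0/1, changed state to up
-- truncated datagram --
Mar  3 10:00:06 app-01 sshd[1234]: Accepted publickey for admin
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\s(?P<msg>.*)$")
CISCO_RE = re.compile(r"^(%[A-Z0-9_]+-\d-\w+):")      # %FACILITY-SEVERITY-ID:
PROG_RE = re.compile(r"^([\w./-]+)(?:\[\d+\])?:")     # program[pid]:

def message_key(msg):
    """Reduce a message to its type so repeats of one event group together."""
    for pattern in (CISCO_RE, PROG_RE):
        m = pattern.match(msg)
        if m:
            return m.group(1)
    return "(unclassified)"

def tally(lines):
    """Count messages per (host, type); return counts and unparseable lines."""
    counts, skipped = Counter(), 0
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            counts[(m["host"], message_key(m["msg"]))] += 1
        else:
            skipped += 1
    return counts, skipped

def suppression_candidates(counts, min_share=0.2):
    """Types at or above min_share of total volume, highest count first."""
    total = sum(counts.values())
    return [(host, key, n, round(n / total, 2))
            for (host, key), n in counts.most_common() if n / total >= min_share]

if __name__ == "__main__":
    counts, skipped = tally(SAMPLE_LOG.splitlines())
    for row in suppression_candidates(counts):
        print(row)   # review each type before telling the firewall not to log it
    print("unparseable lines:", skipped)
```

High volume only nominates a message type for review; deny and authentication events are often worth keeping even when they are noisy.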

Agreed! Here is a script to report on Trap count and below is similar for SysLogs. I would advise you to create both a report and an alert based on this. The easiest way to create an alert is to use this script in "SQL User Experience Monitor" to create a component (assign it to your SolarWinds SQL server) and then simply track the number of nodes exceeding your defined threshold. Obviously it should be nil at all times.

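-- Syslog message count per sending device over the last hour.
-- Adjust the database name (SolarWindsOrion) and the threshold (500) to your setup.
SELECT
   sl.NodeID
  ,sl.IP
  ,sl.Hostname_UNICODE
  ,CASE
     -- NodeID 0 or NULL means the sender is not a managed node
     WHEN (sl.NodeID <> '0' AND sl.NodeID IS NOT NULL)
     THEN Nodes.Caption
     ELSE 'Not in SolarWinds'
   END AS 'Caption'
  ,CONVERT(NVARCHAR(50), COUNT(*)) + ' (over the last 1 hour)' AS 'SYSLOG COUNT'
FROM SolarWindsOrion.dbo.Nodes WITH(NOLOCK)
-- RIGHT JOIN keeps syslog rows from devices that have no matching node
RIGHT JOIN SolarWindsOrion.dbo.SysLog sl WITH(NOLOCK) ON sl.NodeID = Nodes.NodeID
WHERE
  -- 60 minutes, to match the "last 1 hour" label (the posted value was -1440, i.e. 24 hours)
  sl.DateTime > DATEADD(MINUTE, -60, GETDATE())
GROUP BY sl.NodeID, sl.IP, sl.Hostname_UNICODE, Nodes.Caption
HAVING
  COUNT(*) > 500  -- threshold: messages per device in the window
ORDER BY COUNT(*) DESC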

Note: please adjust your threshold settings (at the moment it is set to report on devices with 500+ syslog messages over the last hour) and database name (in bold above).

0 Kudos