I have been trying to figure out the issues with my syslog service, but am running into dead ends. I am finding that it is chewing up my CPU, sometimes going up to 90%. I grabbed a SS of it while in the 80's:
I'm not sure what is causing this, but I'm fairly certain that this consumption of resources is causing the syslog service to crash due to a lack of resources. My DB server is separate from my main polling server. I run Windows 2012 on a VM with 16GB of RAM.
I'm very much at a loss and any help that could be provided would be great.
NPM syslog and trap services are not for large scale or too heavy use.
Consolidating your syslog and traps to Kiwi Syslog and then forwarding the important stuff to NPM is a good idea.
I "save" around 10000 syslog messages from getting to my NPM every hour!!!
Very well spent $240 that helps you keep your setup healthy.
Odds are that you have a very large amount of syslog messages coming in.
I had this issue as well and broke out the syslog from Orion. We now use a syslog-ng server to receive and SW LEM to parse through and report on them; utilizing an agent on the syslog-ng system.
Firewalls are a huge offender of message quantities and one thing you can do (if allowable) is determine which messages you DON'T care about and tell the firewalls not to log those.
Agreed! Here is a script to report on Trap count and below is similar for SysLogs. I would advise you to create both a report and an alert based on this. The easiest way to create an alert is to use this script in "SQL User Experience Monitor" to create a component (assign to your SolarWinds SQL server) and then simply track the number of nodes exceeding your defined threshold. Obviously should be nil at all times.
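-- Syslog senders that exceeded the threshold in the look-back window
SELECT
    CASE
        -- THEN branch assumed: show the node's caption when the sender is a managed node
        WHEN (sl.NodeID <> '0' AND sl.NodeID IS NOT NULL) THEN Nodes.Caption
        ELSE 'Not in SolarWinds'
    END AS 'Caption'
    ,CONVERT(NVARCHAR(50),COUNT(*)) + ' (over the last 1 hour)' AS 'SYSLOG COUNT'
FROM SolarWindsOrion.dbo.Nodes WITH(NOLOCK)
RIGHT JOIN SolarWindsOrion.dbo.SysLog sl WITH(NOLOCK) ON sl.NodeID = Nodes.NodeID
WHERE
    -- Look-back window in minutes; 60 matches the 'last 1 hour' label
    sl.DateTime > DateAdd(MINUTE,-60,GETDATE())
GROUP BY sl.NodeID,sl.IP,sl.Hostname_UNICODE,Nodes.Caption
HAVING
    -- Threshold: messages per sender in the window
    COUNT(*) > 500
ORDER BY COUNT(*) DESC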
Note: please adjust your threshold settings (at the moment it is set to report on devices with 500+ syslog messages over the last hour) and database name (in bold above).
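The same per-sender count can be taken on the syslog relay itself, before anything is forwarded to NPM. This is an added example, not code from the thread or from SolarWinds: it assumes RFC 3164-style lines, and the hostnames, tags and sample lines are constructed. It uses the 500-per-hour threshold from the query above and also breaks the count down by tag and severity, which is what you need when deciding which messages a firewall should stop logging.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# RFC 3164-style line: "<PRI>Mmm dd hh:mm:ss host tag: message"
LINE_RE = re.compile(
    r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ([^:\[\s]+)")

def parse(line, year):
    """Return (timestamp, host, tag, severity), or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri, stamp, host, tag = m.groups()
    # RFC 3164 timestamps carry no year; the caller supplies it (assumption).
    when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return when, host, tag, int(pri) & 7  # low 3 bits of PRI = severity

def noisy_sources(lines, now, threshold=500, window=timedelta(hours=1)):
    """Count messages per host inside the window; report hosts over threshold."""
    per_host, per_tag, skipped = Counter(), Counter(), 0
    for line in lines:
        rec = parse(line, now.year)
        if rec is None:
            skipped += 1            # unparseable input is counted, not dropped silently
            continue
        when, host, tag, sev = rec
        if now - window < when <= now:
            per_host[host] += 1
            per_tag[(host, tag, sev)] += 1
    offenders = {h: n for h, n in per_host.items() if n > threshold}
    return offenders, per_tag, skipped

# Constructed sample: one chatty firewall, one quiet switch, one line outside
# the window, and one line that is not syslog at all.
NOW = datetime(2024, 3, 12, 11, 0, 0)
SAMPLE = (
    [f"<134>Mar 12 10:{i % 60:02d}:{1 + i % 50:02d} fw01 fwlog: conn built id={i}"
     for i in range(600)]
    + [f"<187>Mar 12 10:30:{i:02d} sw01 linkmon: port {i} flap" for i in range(20)]
    + ["<134>Mar 12 08:00:00 fw01 fwlog: outside the window", "not a syslog line"]
)

if __name__ == "__main__":
    offenders, per_tag, skipped = noisy_sources(SAMPLE, NOW)
    print("over threshold:", offenders, "| unparseable lines:", skipped)
    for (host, tag, sev), n in per_tag.most_common(5):
        print(f"{n:6d}  {host}  {tag}  severity={sev}")
```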