cancel
Showing results for 
Search instead for 
Did you mean: 
Create Post

SNMP Trap & Syslog Rules Overhaul

SNMP Trap & Syslog Rules Overhaul

In my opinion these two items have been neglected by SolarWinds for many years.  We use SNMP trapping extensively within my organization and every rule we have to create is an arduous process.  Ideally there are several aspects of both of these functions that should be improved upon.

1.  Copy/Paste rule creation.  When we look at alerts we can take a similar alert and make a copy of it altering the rule to suit our needs.  This element doesn't exist in the SNMP or Sylsog rules.  Each rule must be built from scratch.  For example I have multiple rules that are exactly the same with the minor exception being one specific OID for Netscaler traps.  If the OID equals one of our web servers we send it to the web team...if it is one of our exchange servers we send to our messaging team, and so on.  However to build these rules we have to manually create.

2.  Import/Export actions.  In alerts you can import/export an action for use within another alert.  This functionality is missing from the Syslog/SNMP rules.

3.  Enhanced ordering.  At my last count I have 160 + SNMP rules.  These rules are top down ordered.  When I create a new rule it is placed at the bottom.  If I need that rule to go to the top I have to click my mouse 160 times to get it to the top (no wonder I've had carpal tunnel surgery on both hands).  A drag an drop feature would solve this issue.

My first three requests I would think should be relatively simple because these features exist today within other components of SW.  The 4th I assume would be a little trickier to accomplish.

4.  Treat SNMP/Syslog rules like alerts that must be acknowledged (if desired).  Right now if I get an SNMP trap that I would consider to be critical it sends an email. It is not treated like an alert that requires acknowledgement.  I understand this would be a much greater challenge because you would have to have well defined reset scenarios.

I know that I am in the minority in this as it seems that many other members of the community rely less dependently on traps but they are a part of our environment and they aren't going away.  As they continue to grow I will be forced to look for alternatives to SW in this space if SW doesn't evolve these areas.  I have been using SW for 6 years and I have seen little to no improvement in these two areas.  I had hoped with the acquisition of Kiwi there would have been some nice improvements but alas that isn't the case.

Tags (1)
197 Comments
Level 8

I am using syslog alerts also but only able to send an email. Trying to get it respond on the Orion map with a down sign for the node is not happening. Anybody had more luck or is there a way to get this added in a new release?

Would like a syslog (+ trap) action to trigger a poll on the object (node, interface, volume, etc).

Level 12

I was also thinking along the same lines. Every monitored value on Orion DB, should have the capability to be updated by SNMP traps. Authentication for the modifying message is provided by Community string and using SNMP OID it is easy to identify which rows to update. This would make the monitoring real time. For e.g, if an interface goes down, and if it is already monitored by Orion, the SNMP trap should tirgger a DB update to mark the interface as down so that Orion alert policies can kick in and trigger email alert with all the custom properties and other fancy stuff. Instead, currently the system needs to wait for the polling interval to identify the state of an interface.

strangely enough this is one area the trap monitor has already -- the ifup and ifDown traps should already do this.

As an aside, you can get traps into the current alert manager; create a custom SQL alert on the NODE and put something like the following in the custom SQL clause:

WHERE  nodeid IN (SELECT nodeid

                  FROM   traps

                  WHERE  traps.traptype like 'CERENT-454-MIB:%'

                         AND Datediff(day, traps.datetime, Sysdatetime()) < 1

                         AND traps.Acknowledged=0

                 )

This is for traps from our ONS devices that arrived today, and have not been acknowledged (done from the message center page).

I use the trap manager to discard the login/logout traps that are insignificant to the management of the nodes (e.g. login/logout from CTC)

Level 12

Richard,

Is this configured automatically? I have never observed this feature in effect.

Level 15

They won't do that automatically but there is an action you can apply to change the status of the interface.

Level 8

I would like to echo the sentiments of the original post 100%. I would also like to echo Peter's comments with regard to trap retention. I've had to do a lot of work putting rules into place to ignore traps and reduce retention to 7 days at the request of support so that the product would work. It would be VERY beneficial make the product robust enough to handle what I consider to be a modest amount of data as compared to other enterprises.

Level 12

So, we're at 6 months on this topic, with +120 on votes and a lot of comments.. is there any comment on these issue's placement in the roadmap from SW for 2013?  Is it in the top 3, 5, 10?  I certainly hope it's far above further enhancements to the Network Atlas?  I really didn't need all my charts re-skinned either, for that matter (in the last update), but we really still need robust trap and syslog support.

Where do we stand?

Peter

Level 15

I agree peter....making it pretty is far less important than making it functional.  What I find troubling is I see several votes and comments from long time users or even SolarWinds MVPs and unless I'm just not recognizing a name I don't see one single comment from a staff member.  I'd really like to see the NPM product manager's comments on this topic.  Not too mention price increases were brought up as to be expected.  It would be nice to see this product handle SNMP traps and syslogging as well as some other products on the market.  I was convinced to see this revamped when Kiwi was acquired or even Trigeo but alas nothing.