
Logging of actions

Hi,

Firstly, SolarWinds newbie alert (with experience of Dynatrace and HP monitoring tools).

I have a requirement from our security dept to provide the logs that describe automated actions taken by SolarWinds due to an alert (for instance, re-start service), which needs to be ingested by their log monitoring / auditing tools.

I wasn't able to find details for this other than how to enable log forwarding with SEM
https://documentation.solarwinds.com/en/Success_Center/SEM/Content/Admin_Guide/New_In_6_5/SEM-Log-Forwarding.htm
and I don't believe this is what I'm looking for. I don't believe this is for Orion logs per se, but for any logs ingested by the Orion log monitor (please correct me if I'm wrong).


So I set up a duplicate of a couple of very simple alerts (node down and component critical) and used the "run an external program" option to write out to a log using a batch file, purely for testing...
This works fine, but I am unable to identify any Orion/SAM logs that report that this action has been taken.

Is there a log that should be written to?
If so, is this something I need to enable and haven't spotted?
Or is this something that isn't logged?
If it isn't logged, I assume that it will be recorded in the database somewhere. Does anyone have an SWQL query that would extract it (or at least point me in the right direction for the tables I would need to query)?

Thanks
Tim

  • You will be able to see such logs in the ActionExecutionAlert log files. These can be taken from the SolarWinds server in the path C:\ProgramData\SolarWinds\Logs\Orion. These won't be triggered as events, as far as I know.

  • You could add a Write to NPM event log action. It has the ability to write custom events and text including any variable you can reference in the alert itself. If you go to Alerts & Activity -> Events, that's where they would be.

    Just poking around on 2020.2 NPM, there’s more actions you could assign that may help as well. (Log the alert to file, or event log, send http POST/GET, send a syslog or trap or even log to the windows event log etc.)

    When editing the alert go to the trigger actions and reset actions tab to add and assign these. I haven’t used the log the alert actions... but they look interesting for this purpose.

    Best of luck!!
  • In addition to   suggestion you may have to change the logging level on them to see the actions that you want. By default, I believe they only log on errors, but if you change the logging level you would be able to see when any action is taken.

    https://support.solarwinds.com/SuccessCenter/s/article/Adjust-logging-levels-with-the-Orion-Log-Adjuster

  • Thank you and
    I had found the logs I thought should be written to, it was the added nugget of amending the logs from INFO to DEBUG that solved the issue.
    It seems a bit odd that INFO wouldn't report that the actions had been taken (I could understand it at WARN or ERROR), but this may well be sufficient for the needs of our Security team.
    It's a little disappointing that the variables are left as e.g. ${NodeName} rather than being expanded, but I'll have a further play to see if there is anything else we can do.

    Example:
    2020-07-16 14:16:51,794 [83] DEBUG AlertingLogger - (null) Action [145:Execute Batch File (ALERT: Node ${NodeName} is ${Status})] : Executing external program without credentials: [c:\bats\alert.bat]

    Cheers
    Tim
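To turn those DEBUG lines into something the security team's collector can ingest, here is an added example (my code, not SolarWinds' and not from this thread) that parses the quoted ActionExecutionAlert line shape into structured records, captures whether the external program ran with or without stored credentials, and flags the unexpanded `${...}` variables mentioned above. The "with credentials" message variant and the field layout beyond the one quoted line are assumptions.

```python
import json
import re
from dataclasses import asdict, dataclass
from typing import Iterable, List, Optional

# Line shape taken from the DEBUG line quoted in this thread; the "with credentials" variant is an assumption.
ACTION_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[(?P<thread>\d+)\] "
    r"(?P<level>[A-Z]+) (?P<logger>\S+) - \(null\) "
    r"Action \[(?P<action_id>\d+):(?P<action_name>.*?)\] : (?P<message>.*)$"
)
PROGRAM_RE = re.compile(r"Executing external program (?P<cred>with|without) credentials: \[(?P<path>.*)\]$")
MACRO_RE = re.compile(r"\$\{[^}]+\}")  # alert variables left unexpanded, e.g. ${NodeName}

@dataclass
class ActionEvent:
    timestamp: str
    action_id: int
    action_name: str
    message: str
    program: Optional[str]            # external program path, if the action launched one
    with_credentials: Optional[bool]  # None when the message is not a program launch
    unexpanded_macros: List[str]      # ${...} tokens the action text never substituted

def parse_action_line(line: str) -> Optional[ActionEvent]:
    """Return an ActionEvent for an 'Action [id:name] : message' line, else None."""
    m = ACTION_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    prog = PROGRAM_RE.search(m["message"])
    return ActionEvent(
        timestamp=m["ts"], action_id=int(m["action_id"]), action_name=m["action_name"],
        message=m["message"], program=prog["path"] if prog else None,
        with_credentials=(prog["cred"] == "with") if prog else None,
        unexpanded_macros=sorted(set(MACRO_RE.findall(line))),
    )

def parse_action_log(lines: Iterable[str]) -> List[ActionEvent]:
    return [ev for ev in map(parse_action_line, lines) if ev is not None]  # skip other DEBUG chatter

def to_json_lines(events: Iterable[ActionEvent]) -> str:
    return "\n".join(json.dumps(asdict(ev), sort_keys=True) for ev in events)  # one JSON object per line

# Constructed sample: the first line is the one quoted in this thread, the second is made up.
SAMPLE_LINES = [
    "2020-07-16 14:16:51,794 [83] DEBUG AlertingLogger - (null) Action [145:Execute Batch File "
    "(ALERT: Node ${NodeName} is ${Status})] : Executing external program without credentials: [c:\\bats\\alert.bat]",
    "2020-07-16 14:16:51,801 [83] DEBUG AlertingLogger - (null) Action 145 finished",
]
print(to_json_lines(parse_action_log(SAMPLE_LINES)))
```

Point the script at the ActionExecutionAlert file under C:\ProgramData\SolarWinds\Logs\Orion once the logging level has been raised to DEBUG, and forward the JSON lines to the collector.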

  • Thanks  I've added the write to eventlog action too, which may be acceptable to our security team.
    It does rely on admins remembering to add the action to the alert though.

    Cheers
    Tim

  • You can also look in the AlertHistory table in the database. This records when alerts are triggered and reset, and when the individual alert actions fired with timestamps.

    • EventType 0 = alert triggered
    • EventType 1 = alert reset (?)
    • EventType 6 = trigger alert action (Send email, log to file, etc)

    I can't recall what the reset action event type is but you can look through the table. Quick example from a test instance below.


  • Cheers. I thought it must be in a table somewhere.
    I think for resilience a SWQL rather than SQL query would be appropriate; I will investigate.