3 Replies Latest reply on Jan 12, 2018 6:25 AM by superfly99

    Alerting if there is a config change on Nodes

    bharris

      Is there a way to set up an alert that fires and emails out when a configuration change has been made on a node?  I have dug around on the out of the box alerts and found "Real-Time Configuration Change", but can't seem to set it to specific nodes or filtering by a node custom property.  Is there something I'm missing?

        • Re: Alerting if there is a config change on Nodes
          superfly99

          Hi, I've not used the out of the box alert so I'm not sure how it works but I use RTCD through syslog. I assume you have NCM? As you'll need it for this to work.

           

          Follow these instructions

          Configure real time change detection

          • Re: Alerting if there is a config change on Nodes
            bourlis

            Bharris,

             

            Real-Time change is your solution; we use it and it's never given us an issue.  However, just enabling it on the NCM settings page alone doesn't enable it. I'm going to assume you've already completed the following 5 steps.

             

            1. Enabled Real-Time Change Detection on the NCM settings page.
            2. Configured the SMTP server settings on the NCM settings page.
            3. Configured Email Notification Defaults on the NCM settings page.
            4. Configured the email to be sent to a valid email address and that there's nothing that's going to block emails from Solarwinds in your environment.
            5. The nodes in question are configured to send either SNMP traps or SYSLOG messages to Solarwinds and that Solarwinds is processing them.

             

            The golden ticket at this point is to configure either the Trap View or Syslog Viewer; this is often overlooked. We leveraged SYSLOG messages as our action items.  Give this a try if you haven't done so yet.

             

            1. Login to the primary polling engine or an additional polling engine (this can be done on either one).
            2. Launch the Syslog View.
            3. In the title bar click on View | Alerts/Filter Rules...
            4. (I can't remember if this step was there already or if we had to create it.  If the following is there then edit it, and if not, create it.) Edit the rule called "NCM Rule: Cisco IOS Realtime Change Notifications".
            5. Ensure that it's enabled and that it's configured to run on all servers.
            6. Put an asterisk in the Source IP Address Field.
            7. Put an asterisk in the DNS Hostname Field.
            8. Put an asterisk in the Message Type Pattern Field.
            9. Enter a SYSLOG message pattern that the node(s) send when a change is made.  Be sure to put an asterisk in front of and behind the message, like this *Configured from console*.
            10. Leave Severity/Facility default.
            11. Leave Time of Day default.
            12. Leave Trigger Threshold default.
            13. If the action item is pre-populated with an Executed program: Solarwinds NCM action item then click ok.  If not create one.
            14. This is what our program action item looks like: D:\Program Files (x86)\SolarWinds\Orion\SolarWinds.NCM.RTNForwarder.exe ${IP},RealtimeNotification,${DateTime},${Message}

             

            Caveats that we've run into.

             

            You can only have one Real-Time rule, period.  In other words you can't create a Real-Time action item for a certain vendor and then create a new one for another vendor.  At least I couldn't and Support said I was unable to at the time we enabled it.  To resolve this I just modified the Syslog Message Pattern to include different vendors.  Once I did that Real-Time worked on any vendor that NCM supports, again assuming that device sends SYSLOG messages to Solarwinds.  Here's what my Syslog Message Pattern looks like:

             

            *Configured from console*, *configuration sync'd with HA*, *Commit job*,*Startup configuration changed by CLI*,*Notice-Type='Running Config Change'*,*%VSHD-5-VSHD_SYSLOG_CONFIG_I*,*SYSLOG_CONFIG*

             

            Notice that I put commas between the syslog messages, that's required for multiple SYSLOG message patterns.

              • Re: Alerting if there is a config change on Nodes
                superfly99

                bourlis  wrote:

                 

                 

                 

                Caveats that we've run into.

                 

                You can only have one Real-Time rule, period.  In other words you can't create a Real-Time action item for a certain vendor and then create a new one for another vendor.  At least I couldn't and Support said I was unable to at the time we enabled it.  To resolve this I just modified the Syslog Message Pattern to include different vendors.  Once I did that Real-Time worked on any vendor that NCM supports, again assuming that device sends SYSLOG messages to Solarwinds.  Here's what my Syslog Message Pattern looks like:

                 

                *Configured from console*, *configuration sync'd with HA*, *Commit job*,*Startup configuration changed by CLI*,*Notice-Type='Running Config Change'*,*%VSHD-5-VSHD_SYSLOG_CONFIG_I*,*SYSLOG_CONFIG*

                 

                Notice that I put commas between the syslog messages, that's required for multiple SYSLOG message patterns.

                That's incorrect. You can have multiple RTCD rules in syslog. I have set up separate ones. Remember the syslog message comes in and looks through each rule to find one that is applicable. Then it proceeds to the actions of that rule. I see no reason as to why this would not have worked for you.

                 

                But your workaround works just as well as having multiple rules. If anything, your way would keep things less cluttered.
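
Added example, not part of any post in this thread and not SolarWinds code: an offline check of which syslog messages the combined pattern quoted above would fire on, compared with the same patterns split into separate rules that are walked in order. The matching semantics (commas separate alternatives, `*` matches any text, surrounding spaces ignored, case-sensitive), the rule names and the sample messages are assumptions made for illustration.

```python
import re

# Syslog Message Pattern quoted in the thread (one combined rule).
COMBINED = ("*Configured from console*, *configuration sync'd with HA*, *Commit job*,"
            "*Startup configuration changed by CLI*,*Notice-Type='Running Config Change'*,"
            "*%VSHD-5-VSHD_SYSLOG_CONFIG_I*,*SYSLOG_CONFIG*")

# Hypothetical per-vendor split of some of the same patterns (rule names are made up).
SPLIT_RULES = [
    ("RTCD IOS", "*Configured from console*"),
    ("RTCD NX-OS", "*%VSHD-5-VSHD_SYSLOG_CONFIG_I*,*SYSLOG_CONFIG*"),
]

def compile_field(field):
    """Assumed semantics: commas separate alternatives, '*' matches any text,
    surrounding spaces are ignored, matching is case-sensitive."""
    out = []
    for part in (p.strip() for p in field.split(",")):
        if part:
            out.append(re.compile(".*".join(map(re.escape, part.split("*"))), re.S))
    return out

def field_matches(field, message):
    """True if any alternative in the pattern field matches the whole message."""
    return any(rx.fullmatch(message) for rx in compile_field(field))

def first_matching_rule(rules, message):
    """Walk the rules in order and return the name of the first applicable one."""
    for name, field in rules:
        if field_matches(field, message):
            return name
    return None

# Constructed sample messages (not captured from real devices).
SAMPLES = [
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)",
    "%VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by admin on 192.0.2.11@pts/0",
    "%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    # Config-change message with different wording: a coverage gap to close.
    "%SYS-5-CONFIG_I: Configured from tftp://192.0.2.20/router-confg by admin",
]

def coverage(samples=SAMPLES):
    """Per message: (fires the combined rule?, first split rule that fires)."""
    return [(field_matches(COMBINED, m), first_matching_rule(SPLIT_RULES, m))
            for m in samples]

if __name__ == "__main__":
    for msg, (combined, split) in zip(SAMPLES, coverage()):
        print(f"combined={combined!s:5} split={split!s:10} {msg}")
```

Any change message that comes back as `(False, None)` needs another alternative added to the pattern field before real-time detection can fire on it.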