So I already brought this question to support and they are going to submit a feature request, but I had to ask why in the heck this doesn't already work?
Here's my environment and my question...
I have a Windows domain with domain-joined computers. I also have Cisco switches.
Now I wanted to configure an alert with UDT that would tell me if someone plugged in a computer that is not domain joined or doesn't follow our standard naming convention, and only on specific subnets (as these are the only ones someone would be able to reach).
The first is not possible as far as I could find and support could find. The second is somewhat possible but has limits.
I can create a whitelist with the naming convention using wildcards. For example, say my naming convention is laptop01.mydomain.com; my whitelist rule (under DNS name) would be laptop**.mydomain.com.
However, I would also like to only get this for two specific subnets (say 192.168.1.x/24 and 10.20.1.x/24). So I would create a second whitelist (at this point I'm not sure if I add in every other network but these two on the whitelist or just add these two; I went with the former),
then I would create an alert using the canned Rogue DNSName alert and duplicate it to edit the parameters.
Going through the alert when I get to trigger condition I select the first action using Rogue DNSName and put in the parameters needed.
Then I check the 'Enable complex conditions' check box below the selection box (because this is a complex condition?) and add in the parameters for Rogue IP Address.
I finish configuring my alert settings and enable it. Then I test it by connecting a computer that 'does not' follow the normal naming convention. And wait, and wait, and nothing. No alert.
When I go back to my alert and check under Summary to see what, if any, systems might be triggering this alert, I see a big fat 0. Nada.
So I contact support and I'm told that I can NOT do something like this. I have to ask why?
Why can't I do something like this? It should be supported. Is this not a complex alert?
Anyone have any idea how I might do something like this through other means from within SolarWinds?
One other question: how do you clear out old entries for rogue DNS entries? I am not able to see these anywhere in SolarWinds. I checked DNS, DHCP, and everywhere else I could think of.
I ask this because if I take away the IP address part of my alert above, I do get alerts for some 'older' systems that we were testing. These do NOT exist anywhere in my AD, DNS or DHCP on the Microsoft side of the house, and I checked SolarWinds DNS and DHCP entries and nothing there either. So they are saved in some table somewhere, but for the life of me I can't find them and clear them.
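The combined condition the post is trying to express (a DNS name outside the naming convention AND an address on one of the two watched subnets) can also be evaluated outside the UDT alert engine, against an exported endpoint list, which is a useful way to sanity-check what the alert should be catching. The following is an added example and is not code from the original post or from SolarWinds; the wildcard whitelist, the subnets and the endpoint rows are constructed, and the `last_seen` field is an assumption used to skip stale rows like the old test systems mentioned above.

```python
import fnmatch
import ipaddress
from datetime import date, timedelta

# Constructed configuration (not SolarWinds data): wildcard DNS-name whitelist in the
# style of the UDT rule from the post, plus the two subnets that should be watched.
DNS_WHITELIST = ["laptop*.mydomain.com", "desktop*.mydomain.com"]
WATCHED_SUBNETS = [ipaddress.ip_network("192.168.1.0/24"),
                   ipaddress.ip_network("10.20.1.0/24")]

# Constructed endpoint table, roughly the shape of a switch/ARP/DHCP export.
# 'last_seen' is an assumed ISO-date field; an empty dns_name means no PTR/forward record.
SAMPLE_ENDPOINTS = [
    {"dns_name": "laptop01.mydomain.com", "ip": "192.168.1.10", "switch": "sw-a", "port": "Gi1/0/1", "last_seen": "2024-05-01"},
    {"dns_name": "joes-macbook.local",    "ip": "192.168.1.55", "switch": "sw-a", "port": "Gi1/0/7", "last_seen": "2024-05-02"},
    {"dns_name": "badname.mydomain.com",  "ip": "172.16.5.9",   "switch": "sw-c", "port": "Gi1/0/3", "last_seen": "2024-05-02"},
    {"dns_name": "",                      "ip": "10.20.1.77",   "switch": "sw-b", "port": "Gi1/0/2", "last_seen": "2024-04-30"},
    {"dns_name": "LAPTOP22.MYDOMAIN.COM", "ip": "10.20.1.20",   "switch": "sw-b", "port": "Gi1/0/4", "last_seen": "2024-05-01"},
    {"dns_name": "testbox-old",           "ip": "192.168.1.200", "switch": "sw-a", "port": "Gi1/0/9", "last_seen": "2023-11-15"},
]


def matches_naming_convention(dns_name, patterns=DNS_WHITELIST):
    """True if the name matches any wildcard pattern.

    Matching is case-insensitive and ignores a trailing dot. A missing or empty name is
    treated as failing the convention (design choice: an unresolvable host on a watched
    subnet is exactly the kind of device the post wants to hear about).
    """
    if not dns_name:
        return False
    name = dns_name.lower().rstrip(".")
    return any(fnmatch.fnmatchcase(name, pat.lower()) for pat in patterns)


def in_watched_subnet(ip, subnets=WATCHED_SUBNETS):
    """True if ip parses and falls inside one of the watched subnets; unparsable -> False."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in subnets)


def is_rogue(endpoint):
    """The complex condition from the post: wrong name AND on a watched subnet."""
    return in_watched_subnet(endpoint["ip"]) and not matches_naming_convention(endpoint.get("dns_name", ""))


def find_rogues(endpoints, today=None, max_age_days=None):
    """Return the rogue endpoints.

    If today (ISO date string) and max_age_days are given, rows whose last_seen is
    older than the window are skipped, so stale test systems do not keep firing.
    """
    cutoff = None
    if today is not None and max_age_days is not None:
        cutoff = date.fromisoformat(today) - timedelta(days=max_age_days)
    rogues = []
    for ep in endpoints:
        if cutoff is not None and date.fromisoformat(ep["last_seen"]) < cutoff:
            continue
        if is_rogue(ep):
            rogues.append(ep)
    return rogues


def rogue_ips(endpoints, **kwargs):
    """Convenience wrapper returning just the IPs, in table order."""
    return [ep["ip"] for ep in find_rogues(endpoints, **kwargs)]


if __name__ == "__main__":
    for ep in find_rogues(SAMPLE_ENDPOINTS, today="2024-05-02", max_age_days=30):
        print(f"ROGUE {ep['ip']:<15} name={ep['dns_name'] or '<unresolved>'!r:<28} "
              f"on {ep['switch']} {ep['port']} (last seen {ep['last_seen']})")
```

Run as-is it reports the unlabelled MacBook on 192.168.1.55 and the unresolved host on 10.20.1.77; the badly named host on 172.16.5.9 is ignored because that subnet is not watched, and the 2023 test box drops out once the 30-day window is applied.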