21 Replies Latest reply on Jun 21, 2012 1:38 PM by crzyr3d

    Post trap or syslog to the Network Monitor Events view

      I am trying to find a way to show trap messages and/or syslog messages in the Events viewer.  Has anyone else been able to make this work?
        • Re: Post trap or syslog to the Network Monitor Events view
          qle
          There are already separate syslog and trap viewers. Is there any particular reason why you'd like them all combined?
          • Re: Post trap or syslog to the Network Monitor Events view
            > I am trying to find a way to show trap messages and/or syslog messages in the Events viewer. Has anyone else been able to make this work?

            I've wondered something similar.  In Orion's advanced alerts, it's possible to post an event (in the trigger actions) to Orion's event log (on the web pages, etc) -- but not from the syslog or trap viewer (rule actions).  Which seems odd, considering it's possible to send events almost everywhere else (from the trap/syslog subsystem) -- e.g. another syslog server, external program/script, windows net message, windows eventlog, etc.

            In a related vein, on the topic of cool snmptrap/syslog triggers, ability to trigger a poll (or rediscovery) based on certain traps and syslog messages would be very useful.  Can't think of a syslog message off hand, but imagine the utility of preempting a regular polling cycle, for a device, based on IF-MIB:link[Up/Down] messages.   Same with power state changes (onBattery/onUtility) from APC UPS units -- for the custom poller cycle.

            Assuming the maps were changed from static jpg --to--> persistently connected XML-RPC based Flash, it would then be possible to notice network static changes -- within seconds (of the actual event).    And at almost zero performance penalty (in terms of snmp traffic and poller effort).

              • Re: Post trap or syslog to the Network Monitor Events view
                Network_Guru

                I suggested something similar several years ago:

                Based on certain event types, trigger advanced troubleshooting tools.
                EG.

                -when packet loss exceeds 5% run the traceroute program to the node and post the results in the node details page.

                -when an OSPF flap syslog message is received, log onto the router with NCM and run the 'show ip route summary' command and post the results to the node details page. 

              • Re: Post trap or syslog to the Network Monitor Events view
                familyofcrowes

                I just want to re-iterate that we would find it extremely beneficial if syslogs and traps could generate events....

                  • Re: Post trap or syslog to the Network Monitor Events view
                    byrona

                    > I just want to re-iterate that we would find it extremely beneficial if syslogs and traps could generate events....

                    See my comments on Feature Request - Syslog Alerting regarding a consolidated alert view.  I think this would accomplish what you are looking for in a much more integrated way.

                      • Re: Post trap or syslog to the Network Monitor Events view
                        bshopp

                        Use case is completely understood.  One of the things we are working on now is a combined syslog, traps, alerts and events view within the web console.

                          • Re: Post trap or syslog to the Network Monitor Events view
                            bgrossman

                            I would like to chime in on this issue.

                            1) A unified Alert interface is very desirable;

                            2) Being able to generate NPM Events for SYSLOG/SNMP Alerts is important for us (and should be trivial to add).

                             

                            Thanks,

                            • Re: Post trap or syslog to the Network Monitor Events view
                              familyofcrowes

                              I could REALLY use the ability to alert on traps and syslogs with the advanced alerting engine

                                • Re: Post trap or syslog to the Network Monitor Events view
                                  byrona

                                  > I could REALLY use the ability to alert on traps and syslogs with the advanced alerting engine

                                  The issue here is that the Advanced Alerting engine only works for stateful alerts.  Syslogs and Traps are not stateful, they are just events that happen.

                                  You can send alerts based on traps and syslogs.  We send all alerts from Orion (advanced alerts, syslog alerts, and trap alerts) into our ticketing system to provide one unified tracking and management system for all issues.

                                  I am curious to understand how specifically you would like to see traps and syslogs implemented via the advanced alerts; for the sake of the SolarWinds product management team can you please provide the specific use case that isn't currently being fulfilled?

                                    • Re: Post trap or syslog to the Network Monitor Events view
                                      savell

                                      I'd like to restart this request thread - the ability to create an alert (on the Alert screen) from a syslog or snmp trap.

                                      Whilst I understand the stateful comment above - it's quite how I see it.

                                       

                                      For example, CUCM issues syslog messages when the call manager database sync process fails to successfully replicate.

                                      Unfortunately Cisco do not put this status into a MIB that we can query - the only notification available is a syslog message.

                                      There is another message that is issued when replication is successful - giving us a method to provide both up and down e-mail alerts (in this instance we can provide a stateful syslog event).

                                       

                                      I would really like to make this appear as an Alert to our operations team on the same consolidated Alert console - triggered by a syslog/snmp message, and reset via another message.

                                       

                                      I don't like sending e-mails to an operations group who should have all our alarms visible on the NOC screens.

                                       

                                      Regards,

                                      Dave.
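The trigger/reset pairing described in the post above, as an added example that is not part of the original thread and not SolarWinds code: one message opens an alert per host, repeats are suppressed, and a second message closes it. The `REPLICATION_FAILED` and `REPLICATION_OK` tokens, host names and timestamps are constructed placeholders, since the thread does not quote the real CUCM message text.

```python
import re

# Constructed placeholder tokens: the thread does not quote the real CUCM
# message text, so substitute the strings your devices actually send.
FAIL_RE = re.compile(r"REPLICATION_FAILED")
OK_RE = re.compile(r"REPLICATION_OK")
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.+)$")

# Constructed sample input (hypothetical hosts and timestamps).
SAMPLE_LINES = [
    "2012-05-01T09:00:00 cucm-pub REPLICATION_FAILED dbsync",
    "2012-05-01T09:05:00 cucm-pub REPLICATION_FAILED dbsync",  # repeat
    "2012-05-01T09:06:00 cucm-sub1 REPLICATION_OK dbsync",     # reset, nothing open
    "2012-05-01T09:07:00 cucm-sub1 REPLICATION_FAILED dbsync",
    "2012-05-01T09:10:00 cucm-pub REPLICATION_OK dbsync",
    "2012-05-01T09:11:00 cucm-pub unrelated informational message",
]


class SyslogAlertState:
    """Tracks one open alert per host, opened and closed by message pairs."""

    def __init__(self):
        self.active = {}  # host -> timestamp of the message that opened the alert

    def feed(self, line):
        """Return (kind, host, timestamp) on a state change, else None."""
        m = LINE_RE.match(line)
        if not m:
            return None
        ts, host, msg = m.group("ts", "host", "msg")
        if FAIL_RE.search(msg):
            if host in self.active:
                return None  # alert already open: suppress the duplicate
            self.active[host] = ts
            return ("TRIGGER", host, ts)
        if OK_RE.search(msg) and host in self.active:
            del self.active[host]
            return ("RESET", host, ts)
        return None  # unrelated message, or a reset with no open alert


def replay(lines):
    """Feed lines in order; return the transitions and the hosts still alerting."""
    state = SyslogAlertState()
    transitions = [t for t in map(state.feed, lines) if t]
    return transitions, sorted(state.active)
```

`replay(SAMPLE_LINES)` returns the ordered transitions plus the hosts whose alert is still open, which is the list a consolidated alert console would display.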

                                      • Re: Post trap or syslog to the Network Monitor Events view
                                        Mike Lomax

                                        Let me start by saying that I have several reasons why I would like to handle trap analysis and notifications based on that analysis within Advanced Alerts.

                                         

                                        First...

                                         

                                        I have a situation where I have, what you might call, intelligent traps.  Here is an example:

                                         

                                        entityContainerType = VCS
                                        entityContainerName = ats_qcpr
                                        systemName = ats2
                                        trapOrigin = Veritas_Cluster_Server
                                        entityState = CPU Usage exceeded the threshold on the system
                                        entitySubType = m: 000B8CE1D900, sys: AIX, r: 1
                                        entityType = System
                                        entityName = ats2
                                        eventTime = Tue May 1 09:00:19 CDT 2012
                                        severityId = warning(1)
                                        snmpTrapOID = VERITAS-CLUSTER-MIB:clusterSystemUsageExceededThresholdTrap
                                        sysUpTime = 1 day 9 hours 29 minutes 37.52 seconds

                                         

                                        In the case of Veritas Cluster Manager, they don't allow SNMP queries but do provide traps that contain a bit of useful information.

                                         

                                        Information as is listed above could be used, for example to understand that the trap is a warning and not critical which changes the way I want to alert.  I could write one alert and use the entityName variable value to place the appropriate hostname in the alert message rather than using just the NodeID which might be the non-offending partner in the cluster.  I have run across other similar value that it would add as well but I think you get the idea.

                                         

                                        Second...

                                         

                                        The Trap Viewer Alert interface is difficult and clumsy to deal with.  I am setting up about 100 new alerts this week and in order to do this I have to re-enter a lot of data for each alert that I should be able to glean from another alert I created.  Creating an email action, for example, requires that I hand enter (or cut-n-paste) the From "E-Mail Account" "Name" and "Reply Address" fields as well as the credentials on the SMTP Server tab.  The interface remembers my SMTP server hostname but none of the other fields I listed.

                                         

                                        Another example is that, because of the First item I listed above and the fact that I need to have the hostname in the Subject line, I have to recreate the same trap alert multiple times.  One for each host.  If there was an ability to copy alerts you already created, it would save me tons of time.

                                         

                                        Even little things like the fact that you have to scroll down in the window where you select an action can be time consuming.  If you were just able to expand that window so that you could see the 5 items (two of which I am using in every alert) it would save me a lot of time.

                                         

                                        So my vote would be both for the ability to do Advanced Alerts based on Trap content and then also to have a more robust Basic Trap Alert interface.  Now I need to get back to entering alert data or I will not have this done by the end of the week.

                                         

                                        Thanks for asking and thanks for considering these enhancements.
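The trap-content handling asked for in the post above, as an added example that is not part of the original thread and not SolarWinds code: it parses the varbinds quoted in the post, reads the severity name, and builds the alert subject from `entityName` instead of the node that sent the trap. The sending node name `ats1` in the usage note and the page/e-mail routing policy are assumptions made for illustration.

```python
import re

# Varbinds copied from the trap quoted in the post above.
TRAP_TEXT = """\
entityContainerType = VCS
entityContainerName = ats_qcpr
systemName = ats2
trapOrigin = Veritas_Cluster_Server
entityState = CPU Usage exceeded the threshold on the system
entitySubType = m: 000B8CE1D900, sys: AIX, r: 1
entityType = System
entityName = ats2
eventTime = Tue May 1 09:00:19 CDT 2012
severityId = warning(1)
snmpTrapOID = VERITAS-CLUSTER-MIB:clusterSystemUsageExceededThresholdTrap
sysUpTime = 1 day 9 hours 29 minutes 37.52 seconds
"""

SEVERITY_RE = re.compile(r"^(?P<name>[A-Za-z]+)\((?P<num>\d+)\)$")


def clean(value):
    """Drop non-printable characters: trap content is untrusted input and
    ends up in an e-mail Subject line."""
    return "".join(c for c in value if c.isprintable())


def parse_varbinds(text):
    """Split 'name = value' lines on the first '=' only, so values that
    contain ':' or ',' (entitySubType, eventTime) survive intact."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = clean(value.strip())
    return fields


def build_alert(fields, sending_node):
    """Derive severity, affected host and subject from the trap content."""
    m = SEVERITY_RE.match(fields.get("severityId", ""))
    severity = m.group("name").lower() if m else "unknown"
    # Prefer the host named inside the trap over the node that sent it.
    host = fields.get("entityName") or fields.get("systemName") or sending_node
    return {
        "severity": severity,
        "host": host,
        "trap": fields.get("snmpTrapOID", "").rpartition(":")[2],
        # Assumed policy: only critical traps page someone.
        "notify": "page" if severity == "critical" else "email",
        "subject": f"[{severity.upper()}] {host}: {fields.get('entityState', '')}",
    }
```

`build_alert(parse_varbinds(TRAP_TEXT), "ats1")` yields a subject naming `ats2`, the host inside the trap, even though the trap is attributed to the hypothetical partner node `ats1`.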

                                          • Re: Post trap or syslog to the Network Monitor Events view
                                            Mike Lomax

                                            Forgot to mention...

                                             

                                            Another problem I foresee is the fact that the SMTP information is input for every alert.  While I understand that you may want to have the ability to enter different SMTP for some alerts than others, entering the same data each time can lead to alerts not being sent because there is a typo in the SMTP information.

                                             

                                            If on the other hand, there was a central place to put in the SMTP information for each SMTP server within the Trap Viewer Alert interface, the data would only be entered once.  An additional test button there would not hurt either.  Then on the action item just provide a drop-down menu to choose one of the SMTP servers you input on the global screen.

                                             

                                            In my situation, the SMTP server information will be changing in a couple of weeks.  I am going to have to go back through every alert and overwrite the new information with the old information.  The idea of an NMS is to free your time to provide better customer assistance and not to be a data entry clerk.

                                             

                                            Again, enhancement consideration is greatly appreciated.  Also, I am fairly new to this product so if anyone knows any shortcuts that I have not yet discovered, please let me know.

                                             

                                             

                                            THANKS

                                • Re: Post trap or syslog to the Network Monitor Events view
                                  HemiTruck

                                  Maybe I missed the boat here, but doesn't the new Message Center view give him exactly what he wants?

                                   

                                  I mean you can have it give you all the events/traps/syslog all on one page now.

                                    • Re: Post trap or syslog to the Network Monitor Events view
                                      crzyr3d

                                      The only issue I see with that, HemiTruck, is traps will fill up the page quickly and you miss some of the other alerts, plus you aren't able to select multiple filters on one trap which completely sucks!  We have operators watch the event log and we have filters so they only see what they have to perform an action.  Traps are going to be one of those as well and I just want the Alert Traps to show in that.