• State Not Answered
  • Locked Locked
  • Replies 30 replies
  • Subscribers 39 subscribers
  • Views 1947 views
  • Users 0 members are here
Options
Related
This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

Orion Syslog/Trap - what we're working on...

chris.lapoint

There have been a lot of requests for enhancements to Orion NPM Syslog and Trap capabilities in various threads and we're tackling quite a few of these in our next Orion NPM release.   I've responded to the individual threads, but I realize nobody has time to read every post so I thought I'd consolidate the list of enhancements we're working on:

1. Ability to reference Trap variable binding names and value pairs as variables in alert messages (e.g. ${vbName1}, ${vbData1})

2. Ability to configure Trap alerts based on pattern matching on Trap Details field (similar to what's possible for Syslog messages)

3. Ability to reference Orion node variables in Syslog and Trap alerts (if source IP address of message exists as a managed Orion node)

4. Respect Orion NPM unmanaged node status in Syslog and Trap alerts

5. Ability to change the status of an interface in Orion NPM based on a Syslog or Trap message

6. Ability to make a Syslog or Trap alert show up in the alert list in the Orion website

PLEASE NOTE:  We are working on these items based on this priority order, but this is NOT a commitment that all of these enhancements will make the next release.    If you have comments or questions on any of these items (e.g. how would it work?) or would like to be included in a preview demo, please let us know!

Thanks!

  • 0

    Item #6 is one we would love to have implemented - I'm always asked by our Operations people why I must send e-mail alerts when they have the alerts screen in front of them.

    A couple of other related suggestions in the same area if I could (they might be already addressed in 9.5, but I'm holding out for a few more weeks).

    The service that writes the SNMP traps into the database appears to be single threaded in some way, or at least during peak times it falls behind in performing the table insert in our implementation. You can see the memory increase on the service, and the timestamp of the last SNMP trap falls further behind. I've opened a number of records back to version 7.x, but the performance hasn't changed (although our database server has been upgraded a few times).

    The web page interface for viewing syslog records is also very very slow. The page refreshes on us before you can perform any useful activity. We RDP onto the poller to view the syslog messages - it's very quick if we don't use the web interface. Once again this has been the subject of a number of problem records. Database traces show that the records get returned to the web server very quickly, meaning that something is going on within the web presentation layer (maybe it's the parsing of the 5000 devices that appear in the drop-down box each time the screen refreshes).

    Happy to open up a couple more problem records if you don't think changes were made in this area for 9.5.

    Thanks for taking the time to inform us of possible future enhancements - it's great to understand both the direction and your priorites.

    Dave.

  • 0 in reply to savell

    Out of interest Chris, is the ability to strip out the "Original Address=192.168.1.1" type tag (that kiwisyslog can insert when forwarding a syslog) on the list somewhere.

    As kiwisyslog and Orion users, we would love to be able to log forwarded kiwisyslog messages under the real address within Orion (firewalls prevent us using the spoofed udp method).

    Dave.

  • 0 in reply to savell

    Yes, that's definitely on the list.

  • 0 in reply to chris.lapoint

    I was also hoping that #6 would be of higher priority. We have been asking for that feature for quite some time. Same reasons as the above user.

  • 0

    Good news that syslog and snmp traps are getting worked ok.  Have been wondering if bringing onboard the Kiwi stuff would bring extra features anytime soon.  I've been especially surprised the SNMP trap console is so basic compared to the Syslog console in terms of alerting/filtering etc - it definitely needs some love!

    We use syslog very heavily but it was only recently that we started looking at using snmp traps more since we're looking at retiring some old hp openview installations that the subject of snmp traps came up and I found it was missing all the great alerting features present in syslog.

    I'm especially looking for #2 and #3.  Pattern matching is sorely missed in snmp traps - works very well in syslog and I was disappointed at the lack of finesse available in the SNMP compared to Syslog console - I could only send the entire msg and couldn't filter for specific content only.

    #3 would really be helpful - I send emails based on incoming syslog msgs and include a link to the device - unfortunately I can't get the NODEID so all I can send is a search string with the IP or hostname which isn't ideal - would be nice to get straight to the device rather than to the search page.

     One thing I'm also looking for is a way to export all the Alarm config I have in syslog (and similarly trap alarms) so I can import on other solarwinds servers and share with my colleagues (and thwack perhaps?).  I've created a lot of custom alerts for servers/switches etc looking for specific event log/syslog msgs and even sending web links to cisco/microsoft pages to resolve that issue - we have this ability in UNDP - lets get in the syslog and trap consoles...!

    Looking forward to the upgrades - sounds like great features!
    Sean

  • 0

    Number one is extremely valuable - smart 'parsing' of traps would be excellent.  Being able to trim the fat from a massive trap with 15 varbinds is great.

    Although when you say 'vbData1' 'vbData2' do you mean to interpret this as tokenized output, or will we be using the actual MIB values from MIBS.cfg for interpolation?

  • 0 in reply to jp

    Thanks for the feedback.   We will use the same values you see after the "=" for each varbind in the Trap Details today if that's what you mean by the actual MIB values.

  • 0

    Chris,

    When you implement #6 will those alerts then also show up in the Event Log as Alert Triggered and Alerts Reset ?

  • 0 in reply to chris.lapoint

    Thanks, Chris - I do understand that comment.  This is exactly how the filtering and 'smarts' should look like.

  • 0 in reply to Ralphr

    When you implement #6 will those alerts then also show up in the Event Log as Alert Triggered and Alerts Reset ?

    Yes, they should.

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 195,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.

SolarWinds Customer Success Center Certification Media Vault Link Accounts
About THWACK Blogs For Government Edit Settings Free Tools & Trials
Legal Documents Terms of Use Privacy California Privacy Rights Security Information
©2024 SolarWinds Worldwide, LLC. All Rights Reserved.