
Is it possible to monitor Cisco switches for MAC address flapping?

We have a situation here where our product engineers often change MAC addresses on devices being developed. They do not do a decent job of managing this pool of addresses and hand them out to other engineering teams, no one keeps track, and I end up with device flapping more often than I would want. Is there a way with Orion to monitor and alert on this? I was thinking something simple like just watching for the %SW_MATM-4-MACFLAP_NOTIF: message in an IOS switch log buffer and capturing that and emailing it out? We also have ArcSight in our environment if that helps.

I am pretty sure I could eventually muddle my way through this, but I'd rather not spend buckets of time and if someone else has done this and is kind enough to offer some pointers, that would be great.

Thanks

  • If you are pointing syslog messages from the switches in question to Orion, you could certainly set up a syslog rule to watch for these messages and trigger an email action.

  • Using SYSLOG Viewer to trap any msgs with *macflap* and then email out an alert works OK. You need to direct syslog from the network device to the Orion box.

  • Thanks for all the responses. I have configured a couple of switches to throw syslog messages at my Orion server, but when I go to start the SolarWinds Syslog service on the server, it's not there. I did not originally set up this server. Would this be a selectable option from the original install? Can I download it separately? Or do I need to run the original install again and select only the syslog service?

    Edit: One of the engineers who originally set this up here said that if you enable the syslog service it will turn on logging for all devices that it manages, which historically has bumped up the SQL DB by 100+ GB, so it was turned off. Is this true? How does it get syslog input from a switch that does not have logging configured to send syslog to Orion in the first place?

    Thanks

  • Bumping this in hopes to get more feedback around the syslog viewer monitoring every device if you enable it.

  • By default, I think the syslog will log everything sent its way to the database. You can create filters in the syslog view to only keep what you want - including rules to delete all traffic from specific hosts, etc. You also have options on how much data to keep (Settings -> Polling Settings, Database Settings, Syslog Message Retention; mine is set to 2 days).

    You can create rules to delete (ignore/drop) all traffic except the *macflap* message you want.

    I have over 200 devices that log syslog data to my Orion server, and have more of an issue with Netflow data than syslog.

    As for getting the service installed, re-run the Configuration Manager tool from Start -> All Programs -> SolarWinds Orion -> Configuration and Auto-Discovery -> Configuration Wizard. Click on "Services" and hit next - it will show you all services and let you pick the ones you want.

    HTH.

  • Thanks for the response dclick.

  • Using SYSLOG viewer (tab) in Orion, or do you mean outside of Orion with some other 3rd party syslog viewer? I am looking but not really seeing any easy way to set up an email alert on the syslog tab within Orion. I have got it so that I can see the syslog messages in the syslog tab for the switches that I want to monitor, but I can't see anywhere to set up email alerts...

    Edit: I think I may have found it. I'm fiddling with the Orion Alert Manager now..

  • The only way to set up an alert trigger with Syslog at this time is through the console based application - there is not any web-support for creating/managing alerts (YET).

  • Hmmm, proving a bit tougher than I thought.

    I am trying to create a new alert. I am in the Trigger Condition tab... so should it be a simple or a complex? When browsing the network nodes breakout I don't really see anything that looks like it would allow me to scrub a syslog output for a text string. I see network nodes > node details, node status, response time, CPU and mem, Cisco buffers, polling details and snmp v4. I was hoping it would be as simple as saying whenever this text string shows up for a monitored device, do the following. But I can't seem to figure out how to do the first part, the text string monitoring of a syslog output.

    Sorry, but pretty new to SolarWinds.

  • Unfortunately, it's not going to be that easy. You cannot create a syslog alert from the Advanced alert editor. SolarWinds has not integrated them yet. You will need to launch the Syslog Viewer application, and do everything from there. Once you have the tool open, you should see all types of traffic flowing. Click on the yellow triangle in the button bar to start setting up a rule/alert.

    It's not nearly as "clean" as the Advanced alert monitor, but it does work.
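
Added example, not part of any reply in this thread and not SolarWinds code: a Python sketch of the "keep only *macflap*" rule discussed above, which also extracts the flapping MAC, VLAN and ports so that one alert can be raised per address. The message layout after %SW_MATM-4-MACFLAP_NOTIF: is assumed from typical Cisco IOS output, and the function names, addresses and sample messages are constructed for illustration.

```python
import re
from collections import defaultdict

# Layout assumed from typical Cisco IOS MACFLAP_NOTIF output (not quoted in the thread).
MACFLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9a-fA-F]{4}(?:\.[0-9a-fA-F]{4}){2}) "
    r"in vlan (?P<vlan>\d+) is flapping between port (?P<port_a>\S+) "
    r"and port (?P<port_b>\S+)"
)

def parse_macflap(message):
    """Return flap details from one syslog message, or None if it is not a MACFLAP_NOTIF."""
    m = MACFLAP_RE.search(message)
    if m is None:
        return None
    return {"mac": m["mac"].lower(), "vlan": int(m["vlan"]),
            "ports": {m["port_a"], m["port_b"]}}

def flap_report(events, min_events=2):
    """Discard everything except MACFLAP messages, then group them by (MAC, VLAN)."""
    grouped = defaultdict(lambda: {"count": 0, "ports": set(), "switches": set()})
    for source, message in events:
        flap = parse_macflap(message)
        if flap is None:
            continue  # same effect as a "drop all but *macflap*" rule
        entry = grouped[(flap["mac"], flap["vlan"])]
        entry["count"] += 1
        entry["ports"] |= flap["ports"]
        entry["switches"].add(source)
    # Only report addresses seen flapping at least min_events times.
    return {key: {"count": e["count"], "ports": sorted(e["ports"]),
                  "switches": sorted(e["switches"])}
            for key, e in grouped.items() if e["count"] >= min_events}

# Constructed sample input: (source switch, syslog message text) pairs.
SAMPLE = [
    ("192.0.2.11", "%SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Gi1/0/1 and port Gi1/0/2"),
    ("192.0.2.11", "%LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to down"),
    ("192.0.2.12", "%SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Gi1/0/24 and port Po1"),
    ("192.0.2.12", "%SW_MATM-4-MACFLAP_NOTIF: Host 00AA.BBCC.DDEE in vlan 20 is flapping between port Gi1/0/3 and port Gi1/0/4"),
]

if __name__ == "__main__":
    for (mac, vlan), info in flap_report(SAMPLE).items():
        print(f"{mac} vlan {vlan}: {info['count']} flaps on {info['ports']}, "
              f"reported by {info['switches']}")
```

Grouping by MAC and VLAN rather than by switch shows when the same duplicated address is being reported by more than one switch.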