Hi Experts,
I need to monitor a domain IP (same subnet) in NetPath.
Kindly confirm which port I need to mention there.
Any help will be highly appreciated.
Regards,
Ishant Walia
Never was a big fan of net scanning segment, but if you already need to do that...
mmm, why can't I use all of the CPs I worked so hard on??
+
I have "work around" I use Alert action to change CP of those interfaces I push to Orion..
The work flow will be better if I could do that from the sonar wizard (Change CP and use CP to find/group Nodes and Interfaces)
Make some Sonar group/profiles that will AUTO push to orion +set the CP's to those interfaces..
So our Cisco logging and snmp traps point to Solarwinds currently. For most uses, it's great! We've been able to set up email alerts for traps such as AP's going offline, power supply failures, etc.
I would like to create a Syslog Viewer alert that will forward ALL Critical or higher syslog severity messages to an email address. Unfortunately, it is also sending power supply failure messages since they are considered a Critical. I want to separate out the power supply messages into their own alert, and all others in their own.
I've been monkeying around with Regex to do this, and it sounds as if we need to set up a negative lookahead to match everything but a specific string within the syslog messages.
^(?!.*PLATFORM).*$
The above seems like it would do the trick, but it doesn't actually match anything. Does anyone have any ideas on how I can get this alert to work the way I want to?
Thanks for any advice,
pwz
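The split described in the post above, as an added example in Python (not part of the original post and not SolarWinds code). The sample messages are constructed, and the `%FACILITY-SEVERITY-MNEMONIC:` tag parsing is an assumption about the message format; the example also shows how the quoted pattern behaves in Python's `re` when a message contains an embedded newline.

```python
import re

# Pattern quoted in the post. DOTALL lets the lookahead (and the final .*)
# scan past newlines embedded in a message.
NOT_PLATFORM = re.compile(r"^(?!.*PLATFORM).*$", re.DOTALL)
# Same pattern without DOTALL, kept only to show the difference below.
NOT_PLATFORM_LINE = re.compile(r"^(?!.*PLATFORM).*$")
# Assumed Cisco-style tag %FACILITY-SEVERITY-MNEMONIC: (0 is the most severe).
TAG = re.compile(r"%[A-Z0-9_]+-([0-7])-[A-Z0-9_]+:")

# Constructed sample messages, not taken from a real device.
SAMPLES = [
    "%PLATFORM_ENV-2-PS_FAIL: power supply 1 failed",
    "%SYS-2-MALLOCFAIL: memory allocation failed",
    "%LINK-3-UPDOWN: Interface Gi0/1, changed state to down",
    "%SYS-1-OVERTEMP: system overheating\ncontinuation line",
]

def route(message, max_severity=2):
    """Return 'power', 'critical', or None (below Critical or untagged)."""
    tag = TAG.search(message)
    if tag is None or int(tag.group(1)) > max_severity:
        return None
    return "critical" if NOT_PLATFORM.match(message) else "power"

def split_alerts(messages):
    """Group messages into the two alert buckets described in the post."""
    buckets = {"power": [], "critical": []}
    for msg in messages:
        kind = route(msg)
        if kind:
            buckets[kind].append(msg)
    return buckets

if __name__ == "__main__":
    for kind, msgs in split_alerts(SAMPLES).items():
        print(kind, len(msgs))
    # Without DOTALL, '.' stops at the newline and '$' cannot reach the end,
    # so the multi-line sample matches nothing even though it lacks PLATFORM.
    print(NOT_PLATFORM_LINE.match(SAMPLES[3]), bool(NOT_PLATFORM.match(SAMPLES[3])))
```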
Hi,
We currently have a number of the different modules from SolarWinds and I am wondering what people's thoughts are as to the best way to get the most from them from an install point of view.
The modules we have are:
NPM
LEM
NTA
NTM
SAM
Should all of these be installed on their own box or together?
Thoughts and reasons why?
Thanks
A long journey ended when the proper syntax was found (Thank you, Thwack community) to correlate certain SNMP traps received with other alert values. Here is a short guide on how to use traps in alerts within the GUI of SolarWinds NPM.
In this example, I am receiving a "dying gasp" in SNMP from an Alcatel-Lucent (Now Nokia) 7210SASD. When such an event happens, the equipment is basically telling me it lost power. This allows me to separate losing nodes from network failures or power failures. In other words, I only take action if the node is down due to the network. There isn't much I can do about power in those remote locations or customer premises.
It all starts with a custom property on the nodes, which I called LossOfPower. (Boolean) See the attached picture for more details.
The traps have to be sent to SolarWinds. Here is the code for the 7210.
snmp-trap-group 1
description "SolarWinds 1"
trap-target "solarwinds1" address <Solarwind NPM Server IP> snmpv2c notify-community "CatchyNameHere"
exit
snmp-trap-group 98
description "OtherSNMPServers"
trap-target "Server1" address <Server1 IP> snmpv2c notify-community "snmpv2cSAMtrap98"
trap-target "Server2" address <Server2 IP> snmpv2c notify-community "snmpv2cSAMtrap98"
exit
snmp-dying-gasp primary 1 "solarwinds1" secondary 98 "Server1" tertiary 98 "Server2"
The next step is to create the new alert which will set this property. This was written in SQL, not SWQL.
SELECT Nodes.NodeID, Nodes.Caption FROM Nodes
INNER JOIN Traps
ON Nodes.NodeID = Traps.NodeID
AND Traps.DateTime > DATEADD(MINUTE, -6, SYSDATETIME())
AND Traps.TrapType = 'TIMETRA-SAS-SYSTEM-MIB:tmnxDyingGasp ';
The two tables are joined with INNER JOIN on the NodeID. The DATEADD condition acts as a timer: only a DyingGasp received in the last 6 minutes is considered.
SELECT Nodes.NodeID, Nodes.Caption FROM Nodes
INNER JOIN Traps
ON Nodes.NodeID = Traps.NodeID
AND Traps.DateTime < DATEADD(MINUTE, -9, SYSDATETIME())
AND Traps.TrapType = 'TIMETRA-SAS-SYSTEM-MIB:tmnxDyingGasp '
AND Nodes.Status = 1;
If it has been more than 9 minutes and if the node is back online, this alert is reset.
The trigger action simply sets the LossOfPower variable to "YES".
The reset action sets the LossOfPower variable to "No".
This is modular. The LossOfPower variable is used in another much simpler alert (it could be several other alert contexts) where we get contacted when a node is down. If the node is down due to LossOfPower, we do nothing. If it is otherwise down due to other causes, we take action.
To get all the properties from a table, SolarWinds NPM includes a query test page. Note the database names are slightly different. It is located at http://<yourserverIP>/Orion/Admin/swis.aspx
If Orion.Traps is selected as a source, the Generate Select Query button returns this:
SELECT Acknowledged, ColorCode, Community, DateTime, Description, DisplayName, EngineID, Hostname, InstanceType, IPAddress, NodeID, ObservationRowVersion, ObservationSeverity, ObservationSeverityName, ObservationTimestamp, Tag, TimeStamp, TrapID, TrapType, Uri FROM Orion.Traps
This is useful in finding new fields you might need in your particular case.
It is possible to remove certain fields from the SELECT and see what is returned. This won't work with traps though, as the table can get quite lengthy. This particular table is a log file of all traps. Try it on Orion.Nodes instead.
SELECT AgentPort, Allow64BitCounters, AncestorDetailsUrls, AncestorDisplayNames, AvgResponseTime, BlockUntil, BufferBgMissThisHour, BufferBgMissToday, BufferHgMissThisHour, BufferHgMissToday, BufferLgMissThisHour, BufferLgMissToday, BufferMdMissThisHour, BufferMdMissToday, BufferNoMemThisHour, BufferNoMemToday, BufferSmMissThisHour, BufferSmMissToday, Caption, ChildStatus, CMTS, Community, Contact, CPULoad, CustomPollerLastStatisticsPoll, CustomPollerLastStatisticsPollSuccess, CustomStatus, Description, DetailsUrl, DisplayName, DNS, DynamicIP, EngineID, EntityType, External, GroupStatus, Icon, Image, InstanceType, IOSImage, IOSVersion, IP, IP_Address, IPAddress, IPAddressGUID, IPAddressType, IsServer, LastBoot, LastSync, LastSystemUpTimePollUtc, Location, MachineType, MaxResponseTime, MemoryAvailable, MemoryUsed, MinResponseTime, MinutesSinceLastSync, NextPoll, NextRediscovery, NodeDescription, NodeID, NodeName, ObjectSubType, OrionIdColumn, OrionIdPrefix, PercentLoss, PercentMemoryAvailable, PercentMemoryUsed, PollInterval, RediscoveryInterval, ResponseTime, RWCommunity, Severity, SkippedPollingCycles, SNMPVersion, StatCollection, Status, StatusDescription, StatusIcon, StatusIconHint, StatusLED, SysName, SysObjectID, SystemUpTime, TotalMemory, UiSeverity, UnManaged, UnManageFrom, UnManageUntil, Uri, Vendor, VendorIcon FROM Orion.Nodes
Using the SWIS Query test page will be the subject of another entry.
Regards,
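The trigger, reset and downstream "node down" logic from the dying-gasp guide above, replayed over a constructed timeline as an added Python example (not the author's code, and not how Orion evaluates alerts internally). The dictionary layout, the node IDs and the choice to check the trigger condition before the reset condition are assumptions; status 2 for a down node follows the convention used elsewhere on this page.

```python
from datetime import datetime, timedelta

DYING_GASP = "TIMETRA-SAS-SYSTEM-MIB:tmnxDyingGasp"
TRIGGER_WINDOW = timedelta(minutes=6)  # a trap newer than this sets the property
RESET_AGE = timedelta(minutes=9)       # a trap older than this allows a reset
STATUS_UP, STATUS_DOWN = 1, 2

def evaluate(node, traps, now):
    """Apply the trigger and reset conditions to one node; return LossOfPower."""
    gasps = [t["DateTime"] for t in traps
             if t["NodeID"] == node["NodeID"]
             # strip(): the stored trap type may carry a trailing space
             and t["TrapType"].strip() == DYING_GASP]
    if any(ts > now - TRIGGER_WINDOW for ts in gasps):
        node["LossOfPower"] = True       # trigger action
    elif node["Status"] == STATUS_UP and any(ts < now - RESET_AGE for ts in gasps):
        node["LossOfPower"] = False      # reset action
    return node["LossOfPower"]

def needs_action(node):
    """The simpler downstream alert: act only on a down node that did not lose power."""
    return node["Status"] == STATUS_DOWN and not node["LossOfPower"]

def replay():
    """Constructed timeline: node 7 sends a dying gasp at t0, node 8 just drops."""
    t0 = datetime(2024, 1, 1, 12, 0)
    traps = [{"NodeID": 7, "DateTime": t0, "TrapType": DYING_GASP + " "}]
    powered_off = {"NodeID": 7, "Status": STATUS_DOWN, "LossOfPower": False}
    net_fault = {"NodeID": 8, "Status": STATUS_DOWN, "LossOfPower": False}
    rows = []
    for minutes, status in [(2, STATUS_DOWN), (7, STATUS_DOWN),
                            (10, STATUS_DOWN), (12, STATUS_UP)]:
        now = t0 + timedelta(minutes=minutes)
        powered_off["Status"] = status
        evaluate(powered_off, traps, now)
        evaluate(net_fault, traps, now)
        rows.append((minutes, powered_off["LossOfPower"],
                     needs_action(powered_off), needs_action(net_fault)))
    return rows

if __name__ == "__main__":
    for row in replay():
        print(row)
```

Between minute 6 and minute 9 neither condition is true, so the property keeps its value; it also stays set after minute 9 for as long as the node remains down.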
Hi All
I presently schedule and save weekly reports using the save to disk option in the web reports. Is there a variable I can use to create a new folder every week to save the reports e.g. Week 1, Week 2 etc.
Thanks
Brian
I have created a Custom Table for a view and run a SQL query for the result.
Here, when I tried to enable 'Details Page Link', it shows an error (NODENAME - 'Details Page Link' data presenter requires 'db|DetailsUrl' field(s) to be present within the datasource).
Here is an example of using SWQL to build a view that displays problematic nodes (servers) with issues in one or more of the following areas:
• Node Status (column name: CONN) - (1 UP, 2 Down, ignore other status)
• Node Response Time (column name: M_SECS) - in milliseconds, (> 0 OR When Node is Down, it is -1). If M_SECS> 500: Warning, If M_SECS> 500: Critical
• Node CPU Load (column name: C_LOAD) - in percentage, (Between 0 - 100). If C_LOAD > 95: Warning, If C_LOAD > 98: Warning, If C_LOAD =100: Down
• Node Memory Usage (column name: R_Load) - percentage, (Between 0 - 100). If R_LOAD > 95: Warning, If R_LOAD > 98: Warning, If R_LOAD =100: Down
• Node Highest Volume Usage (column name: V_PERCENT) - (Between 0 - 100). If V_PERCENT > 95: Warning, If V_PERCENT > 98: Warning, If V_PERCENT =100: Down
• Node Hardware Components worst Status (column name: HW_Status) - (UP, Undefined, Unknown, Warning, Critical, n/a)
• Node Application worst Status (column name: APP_Status) - (UP, Unmanaged, Unknown, Unreachable, Warning, Critical, Down, n/a)
So that the worst (highest priority) conditions are shown at the top of the list, I gave each status a different score and each column a different weight, then calculated the total score as the priority. Here is the calculation:
• wConn (Connection), scores: Down - 1000, Up - 0; weight 1.00
• wTime (Response Time), scores: > 1000ms - 80, >500ms - 10, other - 0; Weight 0.75
• wCPU (CPU Load), scores: 100% - 600, >98% - 80, >95% - 10, Other - 0; Weight 1.00
• wRAM (Memory Load), scores: 100% - 600, >98% - 80, >95% - 10, Other 0; Weight 1.00
• wVol (MAX(Volume Usage)), the highest volume usage of all volumes on a node, scores: 100% - 600, >98% - 80, >95% - 10, Other 0; Weight 0.75
• wHW (Hardware Status (worst value)), the worst HW component status of a node with HW monitor enabled, scores: Critical - 80, Warning - 10, Up - 0, other 1; Weight 0.50
• wApp (Application Status (worst value)), the worst application status of a node with application monitors assigned, scores: Down - 600, Critical - 80, Warning - 10, Up - 0, other 1; Weight 0.50
Maximum Total Weighted Score (Exclude wConn): 80*0.75 + 600*1.00 + 600*1.00 + 600*0.75 + 80*0.50 + 600 *0.50 = 2050
Priority = ROUND((t1.wTime*0.75 + t1.wCPU*1.0 + t1.wRAM*1.0 + t1.wVol*0.75 + t1.wHW*0.5 + t1.wApp*0.5)/2.05 + t1.wConn*1.00, 2)
Final Priority value is between 0 and 1000.
You can change the scores and weights to meet your requirements.
Steps:
Done!
Using Search:
• By Node Name
If you want to just display a node or a group of nodes with similar names, type node name or part of the name in the search box and click search button.
• By Connection Status
If you want to just display nodes in DOWN status, type “n 1” (white space between n and 1) in the search box and click search button.
• By CPU or RAM or Volume usage
If you want to just display node with CPU or RAM or Volume usage above certain level, using the following:
o “c 80” (CPU usage above 80%)
o “r 80” (Memory usage above 80%)
o “v 80” (Volume usage above 80%)
• By Hardware Status
If you want to just display node with certain hardware status, type “h status” (‘status’ can be one of the following: UP, undefined, Unknown, Warning, Critical, n/a).
• By Application Status
If you want to just display node with certain application status, type “a status” (‘status‘ can be one of the following: UP, Unmanaged, Unknown, Unreachable, Warning, Critical, Down, n/a).
You can customise the query to meet your requirements.
Thanks to Alex Soul's post https://thwack.solarwinds.com/docs/DOC-174568, which is very helpful!
===========================
Update: As Alex suggested, I have updated the query and new files are attached. Thanks Alex!
===========================
Update: 11/March/2015
I have added 2 additional columns for the Alert Prioritising Dashboard.
One column is AlertTime, the other is Acknowledge (Ack). The Ack column is clickable. Right-click it and open a new window to View or Acknowledge an alert.
Please see the additional document at https://thwack.solarwinds.com/docs/DOC-176727
============================
Update: 11/11/2015
The original query is for NPM & SAM, but if you only need the NPM (network nodes) part, I created another two queries for network devices only.
The files: "networkNOC-ForThwack.txt" and "InterfaceNOC-ForThwack.txt" are attached.
"networkNOC-ForThwack.txt" is for network device (NPM) only.
"InterfaceNOC-ForThwack.txt" is for network interfaces only.
Both are limited to Vendor = 'Cisco'; you can change it to meet your requirements.
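The score tables and the Priority formula from the post above, as an added Python example (the post's own implementation is a SWQL query in its attachments, which is not reproduced here). The sample nodes and the dictionary keys reusing the column names are constructed for illustration.

```python
# Score tables and weights copied from the post; the sample nodes are constructed.
WEIGHTS = {"wTime": 0.75, "wCPU": 1.0, "wRAM": 1.0, "wVol": 0.75, "wHW": 0.5, "wApp": 0.5}
HW_SCORES = {"Critical": 80, "Warning": 10, "Up": 0}                # other: 1
APP_SCORES = {"Down": 600, "Critical": 80, "Warning": 10, "Up": 0}  # other: 1

def load_score(percent):
    """CPU, memory and volume share one table: 100% - 600, >98% - 80, >95% - 10."""
    if percent >= 100:
        return 600
    if percent > 98:
        return 80
    return 10 if percent > 95 else 0

def time_score(ms):
    """Response time: >1000 ms - 80, >500 ms - 10 (a down node reports -1)."""
    if ms > 1000:
        return 80
    return 10 if ms > 500 else 0

def scores(node):
    """Map one node's raw columns to the w* scores used by the formula."""
    return {
        "wConn": 1000 if node["CONN"] == 2 else 0,   # 1 = Up, 2 = Down
        "wTime": time_score(node["M_SECS"]),
        "wCPU": load_score(node["C_LOAD"]),
        "wRAM": load_score(node["R_LOAD"]),
        "wVol": load_score(node["V_PERCENT"]),
        "wHW": HW_SCORES.get(node["HW_Status"].capitalize(), 1),
        "wApp": APP_SCORES.get(node["APP_Status"].capitalize(), 1),
    }

def priority(node):
    s = scores(node)
    weighted = sum(s[name] * weight for name, weight in WEIGHTS.items())
    # wConn is added after scaling, so a Down node never sorts below an Up node.
    return round(weighted / 2.05 + s["wConn"] * 1.00, 2)

def ranked(nodes):
    """Worst first, as the dashboard sorts it."""
    return sorted(nodes, key=priority, reverse=True)

NODES = [  # constructed sample rows
    {"Name": "app01", "CONN": 1, "M_SECS": 120, "C_LOAD": 40, "R_LOAD": 50,
     "V_PERCENT": 60, "HW_Status": "UP", "APP_Status": "UP"},
    {"Name": "db02", "CONN": 1, "M_SECS": 700, "C_LOAD": 99, "R_LOAD": 96,
     "V_PERCENT": 70, "HW_Status": "Warning", "APP_Status": "Critical"},
    {"Name": "web03", "CONN": 2, "M_SECS": -1, "C_LOAD": 0, "R_LOAD": 0,
     "V_PERCENT": 0, "HW_Status": "UP", "APP_Status": "UP"},
]

if __name__ == "__main__":
    for node in ranked(NODES):
        print(node["Name"], priority(node))
```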
Orion Platform versions above NPM 10.6
It is strongly recommended to have the latest version of Orion.
As we all know, with a SolarWinds SLX license you can monitor up to 12000 elements, and beyond this you will need an Additional Polling Engine.
What is the Stackable Poller idea?
A stackable poller is a license extension on a polling server whose hardware can handle it. Basically, it is another engine on the existing system hardware, using the full capacity of your current hardware.
This engine is stacked with your existing engine on the same hardware, boosting the polling capacity of the current host.
With the latest version of SolarWinds NPM, you can now install up to three unique polling engines on a single polling server, sharing a single IP address. Stackable polling engines enable you to effectively triple the polling capacity of a single server, so you can benefit from the available server hardware within the existing installed environment.
It also helps you monitor more elements (nodes/volumes/interfaces/services) without any dedicated servers to configure and manage, so there is less overhead for the IT staff.
Benefits:
Using existing Server hardware capacity
No overhead to manage or arrange another system hardware
No management approval process waiting time for system deployment
No troubleshooting and I.T management resources to dedicate for another hardware
No downtime required during installation
No configuration wizard needs to run
No services need to restart during this process on production environment
NO FOE licenses per server to cover more elements for HA
Freedom of polling more elements within the existing environment
How can I check whether my server's current hardware meets these requirements?
For more information on the MINIMUM hardware requirements, see below.
SolarWinds Orion server hardware requirements
How many Stackable Poller license I can have on the Single Server?
Up to three total polling engines may be installed on a single server (i.e. one primary NPM polling engine with one or two additional polling engines on the Primary Server, or three additional polling engines on the Additional Polling Server).
Note: A stack requires only 1 IP address, regardless of the number of APEs
Can I install Stackable Poller on my existing Additional Polling Engine?
Yes. 'Stackable Poller' basically only extends the licensing capability on the poller. You can have multiple stackable pollers on your existing Additional Poller. It can be updated by the Smart Bundler.
How can I update my Poller for Stackable Poller?
On the poller it can be updated by the Smart Bundler.
That is, by the Additional Poller package downloadable from the customer portal (not the Individual Downloads, but the main Additional Poller installer, also called Smart Bundler).
How to install Stackable Poller on my Primary Polling Engine?
In this example I am assuming we are implementing a Stackable Poller on the main poller (which has enough resources to handle the additional load).
As you are aware, a single poller can handle up to 12k elements.
There is no special installer for the Stackable Poller.
You will need to purchase a license, as for an Additional Polling Engine.
Go into your Customer Portal and download the Additional Poller Smart Bundler (not the Individual Downloads, but the main Additional Poller installer, also called Smart Bundler).
When you run the Additional Poller Smart Bundler on the main poller, the installer will say that everything is already installed and ask whether you want to extend the license.
Now simply key in the license of the Additional Poller in the wizard.
It never installs anything on the main poller; it only updates the license.
The customer thus gets extra capability to fully utilize the server.
After the license has been applied, you can open the License Manager and you will see another entry there, as follows.
On the Primary Polling Engine it will take a maximum of 2 Additional Polling Engine license keys.
On an Additional Polling Engine it will look like this.
After that you will get the message "The machine has reached to license limit"; it will therefore only be able to take up to 3 licenses.
So if I have multiple modules installed on the Primary Poller, do I have to install all the other modules as well, because the Smart Bundler will download, say, APE SAM, APE UDT, APE NPM?
So when I run the Smart Bundler on the Primary Poller, will it not say that the Primary Poller is already installed on this machine?
Yes, it will say on the main poller that everything is installed and ask you if you want to extend the license,
so it will never install anything on the main poller, just update the license.
If I install a Stackable Poller on my primary server, will it increase the capacity to 24K elements?
It will ask you on the main poller to add a license key for an additional poller (meaning 24k elements). Once you run it again, you can add another AP license (meaning 36k elements), and if you run it a third time, it will say "This machine has reached its license limit". The same functionality applies to the Additional Poller installation. And yes, Stackable Poller means a license extension on the polling server.
For more details, please see the post below:
Concurrent Connections by Virtual Server.
This looks like it would be very helpful to understand LB volume and as upgrades happen it would be very interesting to see if this and or other LB statistics change..
We would like to improve the user experience, and for that reason I'd like to better understand whether our users prefer INITIALLY to add nodes manually or to run the product's network discovery in order to import devices into NPM.
Version 12.0 NPM
When I list resources and check CPU & Memory and submit it is not staying checked.
I go back into any of the nodes (Cisco 1921) the CPU & Memory are unchecked.
Is this normal, expected behavior?
In attempts to better understand the unique components that make up our SLW instance, I have started looking at the DB maintenance logs, trying to find ways to optimize our instance. I have consistently seen what seem to be obvious problems when the DB attempts to consolidate data related to UNDP. I do have a decent amount of UNDP in the environment, but nothing excessive. I have also confirmed my retention times of UNDP data to be the following.
7,20,65 days retention for detailed, hourly, and daily.
Attached are maint logs where UNDP is referenced, I have left out the rest as it appears normal without error.
Hi,
I am wondering if anyone on the forum has successfully used the NetPath services in their networks? I failed to get a detailed either on the MPLS or DMVPN the probe path with or without passing through the Firewall
As the title said, how can I have netflow top application report match the NPM interface utilization report?
I am asking this because I want it when NPM reports me that my bandwidth got high utilization, I can tell what kind of application traffic that is utilizing that much of bandwidth at that time.
However, I got confused, as the total utilization number differs between the NetFlow top application chart and the NPM interface percent utilization chart.
for example:
I have a 40 Mbps bandwidth from my ISP (I have modified the bandwidth to 40Mbps in the node configuration from fast ethernet default 100Mbps)
My router is cisco 1800 series, I only have flow enabled both ingress & egress in one interface of the router, i also have configured ip flow-cache timeout active 1
From this graph I can know that between 13:10 - 13:14 my link is utilized 43,47% (recv) and 45,65% (xmit)
However, if I observe the total utilization from netflow top applications graph in the same time range is not the same. For example, in below graph:
Total traffic inbound 27.54% + 19.49% + 0.3% + 0.03% = 47.36% --> compared to inbound 43,47%
Total traffic outbound 37.02% + 4.64% + 1.05% + 0.02% + 0.01% = 42,74%--> compared to outbound 45,65%
From what I can say, I don't limit my application monitoring to only some specified apps, so the traffic recorded in NetFlow should be all traffic that is "passing" that interface, right?
And I can confirm that there are no bandwidth shaper appliance between the links, so everything is as it is.
Please kindly advise.
We're working on some device support improvements around Arista. To ensure broad coverage, we'd like to get as many SNMP walks as possible to verify functionality against. If you have Arista gear that is missing hardware health info today, please shoot me an SNMP walk! Hardware health includes power supply health and voltage, fan status and speed, and temperature.
Our very own SNMP walk tool outputs in a format that can be used by tooling we've built to automatically test compatibility. For that reason, I'd ask you use that tool specifically to take the walk. Instructions here. You can upload here.
Thanks!
I have seen many customers access the web console directly from outside through a WAN IP, with NAT configured straight to the LAN, which exposes the network to potential outside threats. So I have created a very simple diagram to help end users understand.
In this article you will learn another strong reason why you should install the Orion Additional Web Server application within your environment, and how to secure the Orion environment with an Orion Additional Web Server.
Unsecured network access
This is a highly insecure installation, where you compromise the Orion server by directly exposing the LAN network to unsecured browsing from outside.
Secured WAN access to Orion web console through DMZ
You can install Additional Web Server within the DMZ and route the WAN browsing traffic through DMZ in order to maintain security for WAN users.
Notes:
LAN users can access the Orion website from both servers, so there will not be any issue for them while the web server is in place for WAN users.
The Orion Additional Web Server talks directly to the Orion database. It also helps reduce the load on the primary Orion NPM server and improves browsing performance for LAN users, while providing security for your network.
Orion is adding extra line breaks into my HTML alert code and I need to know how to fix.
Here is my Alert HTML code..
Summary:${Caption} is back up. | |
---|---|
Alert: | Orion is reporting ${Caption}: (${IP_Address}) is back up. |
Current packet loss is: | ${PercentLoss}. |
Average Response time is: | ${AvgResponseTime} and is varying from ${MinResponseTime} to ${MaxResponseTime}. |
Quick Link: | Click Here |
Access | ${Access} |
Account | ${Account} |
Calix E7 Port | ${Calix_E7_Port} |
Calix Node Port | ${Cyan_Node_Port} |
Circuit ID 1 | ${CircuitID_1} |
Circuit ID 2 | ${CircuitID_2} |
Contact 1 | ${Contact_1} |
Contact 2 | ${Contact_2} |
Address | ${Address} |
${Email} | |
Contact Desk Phone | ${Contact_Desk_Phone} |
Contact Cell Phone | ${Contact_Cell_Phone} |
Equipment | ${Equipment} |
Smartjack | ${SmartJack} |
Time of Alert | ${Time} ${Date} ${Day} |
This email was sent on ${LongDate} ${LongTime}
Orion Network Performance Monitor ${Year}
Which should look like this:
But in Outlook 2013 I get this ugly email (notice all of the extra line breaks?):