I currently have a basic alert configured to monitor the last status change on a serial interface on a specific router and send me an E-mail. We've seen several of our remote circuits drop briefly enough that Orion doesn't catch the drop, but long enough so that our Cisco VOIP phones go into SRST.
I'd like to set up and advanced alert to monitor ALL serial interfaces on ALL of my routers without having to go through several thousand interfaces on all my devices just to select the serial interfaces. (in a basic alert configuration)
Unfortunately, Advanced alerts doesn't quite give the same alerting options as the basic alerts. It's looking for a greater than, less than, equal to, a given value....not just the fact that the value of "InterfaceLastChange" has changed.
Any Suggestions on this or Advanced Alerts in general ?
We have a new tutorial for Advanced Alerts that may help-
Did you find a way to do this? I am attempting the to do the same with serial interfaces. Any help would be appreciated. Thanks
I'm not an Orion owner yet but heading in that direction. I've worked with several people at Solarwinds and for what they are telling me only the basic alert will function for alerting on the "status" variable.
I've gone through the advanced alert and selected "Interface status" and selected "has changed" but this doesn't work. I don't like the basic alerts because I don't have the ability to easily exclude based on custom properties. Also, all the variables are not available in the basic alerts (I copied over from advanced alerts to basic but most are not populated).
I was also looking for a way to bridge the syslog with NPM. I have all my routers/switches/etc sending syslog for events that occur on these devices. If we could get the syslog to tell NPM to poll on that device/interface, that may work for you or possibly setup alerts on your syslog server for anything starting with "interface ser" or something like that.
I would also think with bouncing serial interfaces they would have considerable errors. You can setup an advanced alert to send you an e-mail if certain error thresholds are reached.
In advanced alerts we have the 'Has Changed' comparison that currently only supports the Last Boot, IOS Version, and IOS Image Family. Please send us what additions you would like to see and we can look into adding the most popular items into the 'Has Changed' comparison.
Until then bcole's suggestion to setup an advanced alert on errors you get when the serial interfaces bounce is something to look into.
I've developed another way of doing the advanced alerts based on "interface status" or "interface operation status".
This is a request I sent to Solarwinds support and my work around.
I thought maybe I could setup an alert on "last changed" but when I try to setup the criteria, I don't have an option for "now" minus 10 minutes or something like that so I can at least do alerting based on date/time. The only option is a calendar that appears to be static by day. I thought I had figured out a way to do this with a custom property. I was able to create a custom property, modify the value in the basic alert, but in order for this to work, I would have to modify the custom property value in the advanced alerts (reset it back to null or no value) but I don't have an action item to modify custom properties in advanced alert action items. And since looking at status=changed, there is no reset ability. I am leaving what I typed above and will explain what my workaround is. It is really klunky and basically renders the "Basic Alert" tab inaccurate. I created a custom property called "interfacestatuschanged". I created two basic alerts: 1. First basic alert has operational status = changed, all interfaces, action is to change the custom property "interfacestatuschanged=yes". Note: since there can be no reset condition, not sure how to clear this alert or disable it from displaying in the alert list. If there is a way to do this, let me know. 2. Second basic alert looks for interface UP, all interfaces, action is to change the custom property "interfacestatuschanged=no". I've set the reset property to "unknown". Note: if there is a way to not display these alerts in the alert list, that would be helpful.
Note: unfortunately, the basic alert is based on specific interfaces so as new interfaces/devices are added, they have to be manually added to any basic alert (or select all when you add devices).
I created 1 Advanced Alert:
1. Trigger condition is when all of the following apply: interfacestatuschanged is equal to down Operational Status is equal to Down Note: I would also have a custom property that would be setup as "important" so I would only alert on important interfaces.
Reset Condition when any of the below are met: Operational Status is equal to UP interfacestatuschanged is equal to no Trigger Actions: Send an e-mail
Note: Escalation is configured to notify every 60 minutes while the condition exists and to not alert if alert is acknowledged. Here are the problems with doing it this way:
1. This renders that basic alerts screen invalid since there is no way to reset the alert when the operational status changes.
2. The basic alert for the UP condition really isn't an alert so those should be ignored.
3. Since in the web page on the home page there is no way to discern between basic alerts and advanced alerts, it will display all the basic alerts that are really bogus. Would have to view any alerts on the "alerts" page and only the "advanced" alerts.
4. If a monitored interface is UP and then it goes and will stay down. It will continually show in the advanced alerts.
We would have to go into the custom properties and manually change the interfacestatuschanged=no.