Friday, April 18, 2014

How To Create SolarWinds Custom Syslog Rules

Updated: 2025-08-13


Why Custom Syslog Rules Matter

Syslog is one of the most powerful tools for real-time insight into what’s happening across your network — firewalls, routers, switches, servers, and more. But out of the box, the volume of raw syslog data can be overwhelming. That’s where custom Syslog rules and alerts in SolarWinds come in.

By building your own logic, you can automatically identify critical events — like firewall denials, VPN logins, or service restarts — and trigger actions such as email notifications, ticket creation, or even automated remediation scripts.


Step 1 — Open the Syslog or Log Viewer

If you’re running SolarWinds Log Analyzer or the integrated Log Viewer in the Orion Platform:

  1. Go to Settings → All Settings → Manage Syslog Rules (or Log Analyzer → Rules).

  2. You’ll see a list of existing default rules (e.g., node down, interface flaps). You can edit, disable, or add your own.


Step 2 — Create a New Rule

  1. Click Add New Rule.

  2. Give it a descriptive name (e.g., “ASA VPN Login Alerts” or “Windows Service Restart”).

  3. Choose whether the rule applies to Syslog, SNMP Traps, or both.

  4. Under Rule Conditions, define the matching criteria. For example:

    • Message text contains “%ASA-6-722051”

    • Hostname or IP address equals 192.168.1.2

    • Facility equals local4

    • Severity equals warning or higher

This lets you target very specific events — down to the subsystem or vendor message ID.
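Before committing a rule in the GUI, it helps to dry-run its conditions against captured lines. The following Python matcher is an added example (not SolarWinds code): it derives facility and severity from the syslog PRI, applies the same text / host / facility / severity conditions listed above, and shows one caveat worth knowing, namely that a "warning or higher" filter silently drops a level-6 ASA VPN login message. The rule keys, the sample lines and the message wording are constructed for this example.

```python
import re
from collections import namedtuple

# Syslog PRI = facility * 8 + severity (RFC 3164). Cisco ASA logs to local4 by default.
FACILITIES = {16 + i: f"local{i}" for i in range(8)}
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]
LINE_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) "
                     r"(?P<host>\S+) (?P<msg>.*)$")
SyslogEvent = namedtuple("SyslogEvent", "facility severity host message")

def parse_syslog(line):
    """Split a BSD-style syslog line into facility, severity, host and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    facility = FACILITIES.get(pri // 8, f"facility{pri // 8}")
    return SyslogEvent(facility, SEVERITIES[pri % 8], m.group("host"), m.group("msg"))

def severity_at_least(sev, threshold):
    # Lower index = more severe, so "warning or higher" means index <= warning's index.
    return SEVERITIES.index(sev) <= SEVERITIES.index(threshold)

def rule_matches(event, rule):
    """Every condition present in the rule must hold (logical AND)."""
    return ((rule.get("contains") is None or rule["contains"] in event.message)
            and (rule.get("host") is None or event.host == rule["host"])
            and (rule.get("facility") is None or event.facility == rule["facility"])
            and (rule.get("min_severity") is None
                 or severity_at_least(event.severity, rule["min_severity"])))

def matching_messages(rule, lines):
    """Return the message text of every line the rule would fire on."""
    events = (parse_syslog(line) for line in lines)
    return [e.message for e in events if e is not None and rule_matches(e, rule)]

# Constructed sample lines: PRI 166 = local4/informational, PRI 164 = local4/warning.
SAMPLE_LINES = [
    "<166>Apr 18 10:00:01 192.168.1.2 %ASA-6-722051: User <alice> assigned to session",
    "<164>Apr 18 10:00:02 192.168.1.2 %ASA-4-106023: Deny tcp src outside:203.0.113.5/4444",
    "<166>Apr 18 10:00:03 192.168.1.9 %ASA-6-722051: User <bob> assigned to session",
]
# Rule shapes mirror the conditions in Step 2; the dictionary keys are this example's own.
VPN_LOGIN_RULE = {"contains": "%ASA-6-722051", "host": "192.168.1.2", "facility": "local4"}
WARNING_RULE = {"facility": "local4", "min_severity": "warning"}
```

Paste a batch of real messages into `matching_messages(rule, lines)` to see exactly which ones a candidate rule would have fired on; adding `min_severity="warning"` to the VPN rule returns nothing, because %ASA-6-722051 is logged at informational level.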


Step 3 — Define Actions

Once the condition is matched, choose what happens next. Common actions include:

  • Send an email to your operations team.

  • Write to a log file for long-term archiving.

  • Trigger a SolarWinds alert or update a dashboard widget.

  • Execute an external program or script, such as a PowerShell or Python remediation task.

You can also configure separate actions for when a rule triggers and when it resets.


Step 4 — Test and Validate

To confirm your rule works, generate a matching event manually. For example, send a test syslog from a Cisco device:

logging host inside 192.168.1.50
logging trap informational
send log 6 722051: Test VPN login

Within seconds, you should see it appear under Active Syslog Messages in SolarWinds, and your alert should fire.


Step 5 — Tune and Iterate

The best part about SolarWinds’ rule engine is its flexibility. In a lab environment — such as an EVE-NG setup — you can forward synthetic logs from simulated firewalls or routers to safely test and tune alert thresholds before rolling them into production. This hands-on approach helps you eliminate false positives, reduce noise, and fine-tune exactly what warrants attention.


Step 6 — Monitor and Maintain

Once your rules are deployed:

  • Periodically review rule hit counts to ensure they’re still relevant.

  • Adjust conditions if devices or firmware versions change.

  • Archive or disable rules that no longer serve a purpose to keep your alert stack clean.


Summary

Creating custom Syslog rules and alerts in SolarWinds transforms raw log data into actionable intelligence. By carefully defining message patterns, severity filters, and targeted actions, you gain a proactive window into network events that matter — while filtering out the noise.

Whether you’re protecting production infrastructure or experimenting in a lab, custom Syslog logic in SolarWinds is a powerful way to elevate visibility, refine automation, and keep your network one step ahead.