Documentation forLog Analyzer
Analyzing logs is a key capability of Hybrid Cloud Observability and is also available in a standalone module, Log Analyzer (LA). Hybrid Cloud Observability and LA are built on the self-hosted SolarWinds Platform.

Create custom log-processing rules in LA

On the Log Processing Configuration page, you can create custom rules to complement the standard, out-of-the-box LA rule sets. You can define rule conditions to identify a specific log entry, and then establish subsequent actions, such as adding event tags, executing commands, and discarding log entries.

The pre-defined Rule Policy groups organize rule policies based on the message source and determine the rule policy evaluation order. The Processing Policies pane is organized into the following policy groups:

  • Log Files (Log Analyzer only)
  • Syslog
  • Traps
  • VMware Events
  • Windows Events (Log Analyzer only)
  • Global Pre-processing: Evaluated before log-specific and global post-processing rule policies
  • Global Post-processing: Evaluated after all log-specific rule policies
Group Message Type Evaluation Order
Global Pre-processing All messages Evaluated first
Log Files (Log Analyzer only) Windows flat file messages Evaluated after items in the pre-processing group. Although the items are ordered alphabetically, they run independently, at the same time. You can see the execution order in the rules list.
Syslog Syslog messages
Traps Trap messages
VMware Events VMware event messages
Windows Events (Log Analyzer only) Windows event messages
Global Post-processing All messages Evaluated last
  1. On the Log Viewer toolbar, click Settings.

  2. In the Processing Policies pane, click to expand a policy group, and then click My Custom Rules.

  3. Click Create.

  4. Enter a descriptive name for the rule, and then click Next.

  5. In Condition, select the This rule fires while.... box and specify conditions and values for one or more sources, and then click Next.

    The log entry conditions vary by log source type. In the example below, an incoming SNMP Trap message meeting specified Varbind element with OID and name criteria will trigger the designated alert action.

  6. Specify the time when the rule will be active. The default value is always active.

  7. For syslogs and traps processing policies, you can configure advanced settings, such as entry count or flood protection.

    • Expand Advanced settings and specify the entry threshold to trigger the rule. The default value is for every matching entry.

    • Expand Advanced Settings and specify how much time to prevent rule from firing for flood protection. The default value is no cooldown time.

  8. Select one or more log entry actions.

    SolarWinds Platform has two types of rule actions:

    • Native actions are actions that are configured while managing rules. Depending on the configuration and available resources, native actions can trigger thousands of times per second.
    • Alerting actions are syslogs and traps that trigger SolarWinds Platform alerts using pubsub, which is an Event alert condition. Event alerts actions can trigger approximately twelve times per second for a single rule or alert. If there are multiple rules or alerts, roughly eighty alert actions can trigger per second.

  9. Integrate an alert action, and then click Next.

  10. Review your rule summary, and then click Save to create the rule. To edit your rule conditions and actions, click Back.

Add custom rule actions

You can add one or more of the following actions to any custom rule:

  • Tag the entry.

    1. In the Rule Actions pane, click Add an Action.

    2. Select Tag the Entry, and then click Configure Action.

    3. Select one or more of the pre-defined log tags, and then click Done.


      Click Create Another Tag, enter a custom tag name, select a tag color, and then click Done.

  • Forward the entry: Send the entry to another system for further processing.

  • Run an external program.

    SolarWinds recommends that you create tailored low-privilege accounts on the machine to run specific external programs, scripts, and alert actions. See Secure external programs and script alerting actions for details.

    1. In the Rule Actions pane, click Add an Action.

    2. Select Run an External Program, and then click Configure Action.

    3. Enter the program to run, command line arguments (optional), account for execution, and then click Done.

      Custom Windows accounts can be used for external program execution that uses SolarWinds Platform's Windows credentials. Click the drop-down menu to refresh if changes are made to Windows credentials.

      Find a list of external program variables here.

  • Flag for discard: The log entry is not saved to the database, but subsequent rule actions are still applied.

  • Stop processing rules: Stops additional rule processing for the active log entry.

  • Real-time config change detection: Sends a notification to NCM or HCO Advanced that a change to a network configuration file was detected.

      Real-time config change detection should be used in place of running SolarWinds.NCM.RTNForwarder.exe with the Run external program action. Like NCM, this action uses a fixed structure that does not take parameters. See Configure real-time change detection in NCM for details.

      If you update from an NCM or HCO Advanced version prior to 2023.2.1, the Configuration Wizard will convert all Run external program actions using RTNForwarder.exe to Real-time config change detection actions.