Collect syslogs and traps from Network Collector
The Syslogs and Traps from Network Collector feature enables Network Collector to detect and collect syslogs and traps sent from on-premises devices. Network Collector also supports the collection of SNMPv3 traps, for secure, authenticated trap messages from network devices, and secure syslog transmission via TLS, which allows devices to send syslog messages over encrypted channels. A single Network Collector can process about 1000 events per second. The processed syslogs and traps are displayed in SolarWinds Observability SaaS under Logs. Each log includes the following information:
- The timestamp when SolarWinds Observability SaaS received the syslog or trap
- The device name
- The UTC timestamp when the syslog or trap was processed
Syslogs also contain their message severity and facility values, while traps display variable bindings in both raw form, using OIDs, and translated format.
Setup
Using Syslogs and Traps from Network Collector requires Network Collector 2025.2.1 or newer and an active Logs subscription in SolarWinds Observability SaaS. Before you begin collecting syslogs and traps, ensure the following prerequisites are met:
- Syslog and Trap services must be running on the Network Collector. If they are not, ensure the Network Collector has a valid license.
- Verify that the required ports are open for IPv4 and IPv6 on the target device.
  - Syslogs: UDP 514, TCP 1468, or TCP 6514 (secure syslogs)
  - Traps: UDP 162

  For more details, see SolarWinds Port Requirements.
- Confirm that your network devices are configured to send syslogs and traps to the target device's IP address. For configuration details, see your device vendor's documentation.
- To collect syslogs and traps from a specific device, the device must be added as a node on the Network Collector. For more information on adding nodes, see Discover and add network devices to SolarWinds Platform.
- Syslogs and traps must follow the relevant Request for Comments (RFC) formatting requirements.
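The following is an added example, not part of the SolarWinds documentation: a pre-check for the RFC formatting prerequisite above. It assumes your devices emit RFC 5424 syslog and that the secure syslog port (TCP 6514) uses RFC 5425 octet-counting framing; this page does not state which RFCs the collector accepts. The function names and sample messages are constructed for illustration.

```python
import re

# Short severity names for numerical codes 0-7 (RFC 5424 section 6.2.1).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 5424 HEADER: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID,
# followed by STRUCTURED-DATA and MSG, which this check does not validate.
HEADER = re.compile(
    r"<(?P<pri>0|[1-9]\d{0,2})>(?P<version>[1-9]\d?) (?P<ts>\S+) "
    r"(?P<host>\S{1,255}) (?P<app>\S{1,48}) (?P<procid>\S{1,128}) "
    r"(?P<msgid>\S{1,32}) (?P<rest>.+)", re.DOTALL)
TIMESTAMP = re.compile(
    r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,6})?(Z|[+-]\d{2}:\d{2})")


def check_rfc5424(line):
    """Return (fields, problems); fields is None when the header does not parse."""
    m = HEADER.fullmatch(line)
    if m is None:
        return None, ["header is not RFC 5424 (legacy BSD format or malformed)"]
    problems = []
    pri = int(m["pri"])
    if pri > 191:  # facility 0-23 and severity 0-7 give a maximum of 23*8+7
        problems.append("PRI %d is outside 0-191" % pri)
    if m["ts"] != "-" and not TIMESTAMP.fullmatch(m["ts"]):
        problems.append("TIMESTAMP %r is not RFC 3339" % m["ts"])
    fields = {"facility": pri >> 3, "severity": SEVERITIES[pri & 7],
              "host": m["host"], "app": m["app"]}
    return fields, problems


def frame_for_tls(line):
    """Octet-counting frame for syslog over TLS (RFC 5425): MSG-LEN SP MSG."""
    data = line.encode("utf-8")
    return str(len(data)).encode("ascii") + b" " + data


# Constructed sample messages, not captured from a real device.
SAMPLES = [
    "<189>1 2025-06-01T12:00:00.250Z core-sw1.example.net ifmgr - LINKDOWN - Gi0/1 down",
    "<189>Jun  1 12:00:00 core-sw1 ifmgr: Gi0/1 down",  # legacy BSD-style header
    "<192>1 2025-06-01T12:00:00 core-sw1.example.net ifmgr - LINKDOWN - Gi0/1 down",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_rfc5424(sample), frame_for_tls(sample)[:12])
```

The decoded facility and severity are the two values the page says each syslog entry carries, so a mismatch between what a device sends and what appears under Logs can be traced back to the PRI field.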
Filtering
The Logs Explorer displays logs collected from multiple sources. Use filters in the search bar to limit your view to syslog and trap logs.
logtype:syslog OR logtype:trap
Logs can be filtered further by using full-text search or structured values. Some examples include the following:
| Filter | Description |
|---|---|
| coldStart | Filters logs containing the given input, including structured values. |
| trapType:coldStart | Filters traps by their type. |
| message:test | Filters syslogs that contain the given substring in the message field. |
| pretty.varbinds.sysUpTime:"1 min" | Filters traps based on the given translated variable binding value. |
For additional information, see Use advanced search syntax.
Some common log properties are filtered differently. For example, timestamp uses a different format than displayed. Consider using Seek to date. Severity is filtered in metadata and uses different level names.
Monitoring performance
Major issues are reflected in the overall health status of the Network Collector agent. To view the agent status in SolarWinds Observability SaaS, go to Settings > Agents > Agent details, then hover over the status icon for the network-collector plugin. In addition to general health statuses, the following statuses monitor the health status of the Network Collector agent:
| Error Status | Description |
|---|---|
| ERR_301 | "Logs database size exceeds the warning threshold." |
| ERR_302 | "Logs database size exceeds the critical threshold." |
| ERR_303 | "Repeated data loss due to consistency failures in Logs database." |
| ERR_304 | "Logs database integrity repair operation has failed." |
Log performance metrics
Log performance metrics can be viewed under Analyze > Metrics.
| Metric | Description |
|---|---|
| sw.collector.logs.readLogEntries | Tracks the total number of syslogs and traps that have been processed. |
| sw.collector.logs.logsDatabaseSizeGiB | Shows the size of the OrionLog database in GiB. |
| sw.collector.logs.partitionsRepairCount | Displays the number of times that issues with the OrionLog database's integrity have been detected and fixed. |
| sw.collector.logs.lostLogEntries | Keeps track of the number of lost syslogs and traps. Causes can be filtered by the |
Usage history
To view the log usage history for entities, navigate to Logs > Usage. The Usage tab displays the volume of logs sent by each entity, measured in bytes and multiples of bytes (kB, MB, GB, TB, etc.).