Topics - Millenium7

#41
Related to this https://www.netxms.org/forum/general-support/syslog-parser-how-to-parse-the-actual-syslog-message-in-the-alert/
whereby I want to log incorrect login attempts. But only want to generate the alert when there are i.e. 3 invalid login attempts within 30 seconds
So I set the 'Repeat Count' to 3 and 'Repeat interval' to 30 seconds but it doesn't seem to do anything at all. Every single invalid login attempt generates an alert

Edit: This is a bug
I noticed when I set the timer value in the 'Editor' view it would show, but when I change to 'XML' view the repeatcount is 0
Even if I change it in the XML view, if I exit and come back it goes back to 0 again. That is unless I set the value at least 60 or higher. It seems it doesn't like having any form of seconds as the repeat interval, it must be a minute or more
Edit2: Additionally this seems to apply to all SysLog messages, not to the specific device/IP it was received from

so if I try to login to DeviceA 2x, then DeviceB 2x and repeat this cycle every 60 seconds. I will get a Slack message saying I failed to login to DeviceB on the first attempt (I shouldn't get an alert at all)
#42
Have set up a syslog parser that generates an event. Then I created an event processing policy that looks for that event and then it triggers an action (in this case, a Slack notification)

In this case it's a "login failure" message, and in the syslog message it includes the user account and IP address trying to login.
I'm getting the notification come through just fine, but it doesn't include the syslog text. I need that to be parsed through the event chain so I can see exactly what the message said

I'm not sure what parameter to add, and where exactly to add it? Do I add it to the Event, the Action? or the Event Processing Policy?


Edit: Nevermind figured it out. It's at the bottom of this page for anyone wondering https://www.netxms.org/documentation/adminguide/log-monitoring.html

Quote
Consider the following line is received via syslog, or added to a monitored file:

24.04.2015 12:22:15 1 5 system,error,critical login failure for user testUser from 11.2.33.41 via ssh

We can extract username and login method from the syslog message, and pass it as parameters to an event with the following rule:

<match>system,error,critical login failure for user (.*) from .* via (.*)</match>
<event>10000</event>

Username will be sent to the event as %1, IP address will not be sent, and login method will be sent as %2.

I actually did want to match the IP address so I changed the 'match' field in the syslog parser to "system,error,critical login failure for user (.*) from (.*) via (.*)"

Then I change the Event Configuration to "Login Failure: %1 - %2 (%3)"
And the Action to have text "%n - %m %M" which ultimately results in a message such as the below when failing a login attempt

Office Router - Login Failure: SpamUser - 1.2.3.4 (ssh)
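
Added example, not part of the original posts and not NetXMS code: a Python sketch of the "3 failures within 30 seconds" rule from post #41, using the match pattern from post #42. It compares a counter kept per reporting device with one shared across all sources; the class name, the sample events and the `per_device` switch are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque

# Match pattern from the post: user, source IP and login method become %1-%3.
LOGIN_FAILURE = re.compile(
    r"system,error,critical login failure for user (.*) from (.*) via (.*)")

class RepeatThreshold:
    """Alert after `count` matches inside `interval` seconds (sliding window)."""

    def __init__(self, count=3, interval=30, per_device=True):
        self.count, self.interval, self.per_device = count, interval, per_device
        self.windows = defaultdict(deque)   # key -> timestamps of recent matches

    def feed(self, device, ts, message):
        m = LOGIN_FAILURE.search(message)
        if not m:
            return None
        # Keying by reporting device keeps DeviceA's failures out of DeviceB's count.
        window = self.windows[device if self.per_device else "*"]
        window.append(ts)
        while ts - window[0] > self.interval:   # drop matches older than the window
            window.popleft()
        if len(window) < self.count:
            return None
        window.clear()                          # re-arm after alerting
        user, src_ip, method = m.groups()
        return f"{device} - Login Failure: {user} - {src_ip} ({method})"

# Constructed sample: (seconds, device, syslog text), modelled on the post's test.
MSG = "system,error,critical login failure for user {} from {} via ssh"
PROBE = MSG.format("testUser", "11.2.33.41")
SAMPLE = (
    [(t, "DeviceA", PROBE) for t in (0, 5, 60, 65)]
    + [(t, "DeviceB", PROBE) for t in (10, 15, 70, 75)]
    + [(t, "Office Router", MSG.format("SpamUser", "1.2.3.4")) for t in (100, 110, 120)]
)

def alerts(per_device):
    rule = RepeatThreshold(per_device=per_device)
    fired = (rule.feed(dev, ts, msg) for ts, dev, msg in sorted(SAMPLE))
    return [a for a in fired if a]

if __name__ == "__main__":
    print("per device:", alerts(True))
    print("shared    :", alerts(False))
```

With the shared counter the first DeviceB attempt raises an alert, which is the symptom described in post #41; the per-device counter alerts only on the three rapid failures against Office Router.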
#43
General Support / Main window completely missing?
December 18, 2018, 08:09:41 AM
Dunno what's happened here but I've logged into NetXMS and I have the Object Browser window showing Entire Network, Infrastructure, Templates etc. But the main window in the middle/right of the screen where you can click on a device and see all its information, DCIs, status etc is completely gone and I can't figure out how to get it back? The View menu doesn't give me an option for it
In addition to that, right clicking on an object and choosing Properties gives me the error "No Property Pages for [Device name]"
#44
General Support / LDAP user groups?
August 28, 2018, 11:14:30 AM
I've finally got LDAP (Active Directory) sync working

Question I have now which I can't find an answer to, is can NetXMS also sync the user groups? or have another way to give users permissions?
Right now it syncs the users but they have no permissions, so I have to go in later and assign them. I don't mind doing this once off but if we add/remove staff I'll have to adjust permissions in NetXMS as well and this I don't want to do

I'd rather just assign them into a group in Active Directory that controls permissions, i.e. 'low clearance' or 'high clearance' user groups. And thus low clearance users can log into NetXMS, view information but not change it. High clearance become admins etc
#45
It seems I can't get NetXMS to build a topology map with nodes unless I enable LLDP on them

Is there a way to show a layer 2 map based off just the MAC table instead? I would ideally like to be able to select a bunch of nodes, right click them and choose 'Show L2 Topology', place those nodes, have it scan the MAC table finding where each interface those nodes are on then draw links automatically and show me the port numbers as labels
I do this manually when I need to discover a new network and find where a specific device is, or create a basic network map. It would help a lot if I could have NetXMS do this work for me (without having to enable LLDP because some switches/routers don't support it, but they do support SNMP)

If NetXMS can't do this, is there a good simple program for automatically building network maps like this?
#46
I'm trying to create a usage graph in NetXMS and having trouble with the formulas to do so

At the moment I'm polling an interface for the traffic, then using simple delta transformation with "return max($1, 0);" (to avoid negative numbers if i.e. router restarts)
What I need now is a way to read the last dci value and add it to the current result, so that it continually increments

i.e. currently it returns
6pm - 53mb
(router restarts)
7pm - 0mb
8pm - 155mb
9pm - 110mb

I need to add each previous value together so that it shows a running total
i.e.
6pm - 53mb
7pm - (0mb + 53mb) = 53mb
8pm - (53mb + 155mb) = 208mb
9pm - (208mb + 110mb) = 318mb

#47
Is there a way to have a DCI show daily/weekly/monthly usage? And also not lose track of usage if the device reboots and interface counters get reset to 0

Ideally I'd like separate graphs that can show each usage period
I think a way to do this would be to have 3 separate DCIs, each of them copy data from the main interface DCI, then average values for an hour and then store it. But when the month starts at 500gb and ended up at 700gb it would show 700gb of usage, not 200gb. And also if the router rebooted a few times the counters are going to keep resetting to 0 so the calculations would be very wrong

Is there a built in command to assist with this?
A plugin?
Or does anyone have math formulas to make it work?
#48
We currently have Centreon in place for monitoring - it is far too difficult to automate hence we're looking at NetXMS - but it has pretty good notification support. Certainly a lot better than NetXMS at the moment https://wiki.netxms.org/wiki/Slack.com_integration

The above guide works, but is generally unusable for us primarily because we just had an outage on the router where the NetXMS server is located, and once it came back up everybody got bombarded with hundreds of 'Node Down' messages followed by hundreds of 'Node Up' messages. I presume the NetXMS monitor has a delay because the messages all came through approx 1 second apart, meaning complete spam for about 10 minutes straight
I intend to also incorporate a lot of other parameters such as temperature/voltage/SNR monitoring etc, this would only have amplified the spam by 100x

So my questions are this...
1) Is there a better slack addon than the SMS system? providing a bit more flexibility i.e. categories (centreon can mark with low/medium/high priority with colors)

2) Setting dependencies on devices so that i.e. if a main router goes down, don't send notifications for everything behind that router because obviously everything behind it will also be unreachable. We only want a message that the router is down, then suppress all notifications for devices behind it

3) Dependencies for DCI's on devices. Obviously if a client radio loses connection then I don't need notifications about 0 SNR, 0 signal strength, etc

4) Is there a way to buffer the messages for i.e. 2 minutes then sends all of them at the same time, So if we do have a few separate devices all go down at around about the same time, at least we don't have spam every second

5) Re-sending notifications for some core devices. At the moment if a node goes down we only ever get one message. I want important devices such as core routers or radio links to keep sending a notification that it is down every 10 minutes until it comes back up

6) Notification schedule? I haven't found it in NetXMS yet. We do want monitoring to continue, but we don't want any Slack messages after 10pm or before 6am
#49
Can someone shed some light on this. The layer2 topology maps seem to vary wildly depending on which device I choose to create the map from
I.e. if I right click on Sw4 and choose Layer 2 Topology it will ONLY show Sw4
If I do it with Sw5 it will show Sw5, Sw4, Sw7
If I do it with Sw7 it will show every switch
This is really strange because all switches are on the same VLAN, all have LLDP enabled. And if I look at the MAC database of any switch it shows everything correctly

I need to make detailed L2 maps but I get different results depending on which switch I choose. This is a big problem for me because it makes L2 maps very unreliable and that is one of the most important things for me at the moment. Am I doing something wrong? Have tried poll->topology and it doesn't seem to make much of a difference
Is there a way for NetXMS to make a map using lots of switches as a seed and then combine the results into 1 map?
#50
Old forum posts show that remote network discovery was not available through agents. Has it been implemented yet?
We are an ISP with some managed networks but sometimes we take over an existing network and haven't reallocated IPs, hence we have overlapping IP ranges and sometimes they aren't reachable at all by our core. We can install a small device or VM in their network to provide agent reporting and monitoring, but we would ideally like to be able to map the network, at the very least see what device is connected to what port.
We can add devices manually but I'd ideally like for LLDP/CDP to work, as well as IP scanning if it has been implemented. Is this currently supported? Or any ETA as to when it will be?

Cheers