It's been a busy week or two here at SolarWinds, another release candidate is heading your way. I know, I know, you're as excited as when the new phonebooks came and your name was in print!
In true "You Asked, We Listened" style, Log & Event Manager (LEM) 5.5 is going to be a release focused almost entirely on YOUR feedback. We did a ton of customer interviews, Q&A, and show and tell, and have been tracking your feedback on Thwack and support cases. We took the top few items and we decided to get something into your hands sooner rather than later.
Spot issues more quickly with new Top 10 and Health widgets on the LEM Ops Center dashboard
We heard from you that you wanted it to be fast and easy to discover issues, spot trends, and have a dashboards that mix in real-time data with other information. What we've done is added new default widgets that let you spot trends and trouble faster by monitoring the most common things - nodes on your networks, users, and events - in more Top 10 and health-oriented way. We've added 5 new widgets that are right up your alley. In no particular order...
Node Health: sometimes it's most useful to know that a node HASN'T sent you data lately. Maybe a remote site dropped off the map, your firewall configuration disabled logging, or something's not quite right. The Node Health widget shows you a summary of node status, when the last event was received from that node, and any version/OS information we might have (from agents).
Top 10 Events, Users by # of Events, Nodes by # of Events, and Rules by # of Rules Fired: these widgets surface information about frequency of events in the big picture, helping you spot trends and potential anomalies. Use the Top 10 widgets to see your most common type of event (filterable by different general types/groups of events), usernames that appear most frequently across events, nodes that appear most frequently across events, and rules that are being most frequently triggered. These will help you spot items at the top that shouldn't be (why is "administrator" logging on so frequently?), sudden spikes in data (why is my server suddenly generating the most events?), and unexpected high severity events (security issues, scans, or suspicious activity).
Troubleshoot node and user issues with our new Node and User Details Drill-Down Dashboards
We're starting to pull pieces together to enable faster common patterns that our customers use when you want to investigate problems. Those new Health and Top 10 widgets mentioned up above follow a new drill-down pattern that we're introducing on the dashboard by combining info into new dashboards. The Node Details and User Details dashboards will show a summary of the node/user and all events related to that node/user name.
If you've spotted an unexpected trend with a user (say, "Administrator" really is coming up a bunch and you don't know why), click on that user from the Top 10 Users widget to see detail associated with them, and most importantly their most recent events to help troubleshoot the "why". Refine the chart further to find out only certain types of data (say, only changes related to "Administrator" - changes they are making or made to them).
Similarly, if you've spotted a server generating an unexpected amount of error or warning traffic, you might want to check out the last 10 minutes of events to see if there's any commonalities.
Automated configuration for syslog and SNMP-trap based device integrations
Thanks to some great suggestions from you, our support team, and our sales engineering team, we've found a way to make configuring new devices much simpler with some automated configuration. Instead of having to manually configure a connector to match your syslog device up to our connectors, we've made it possible for you to enable syslog (or SNMP trap) forwarding to the appliance and push a button to add the node. But wait, there's more! We've also made it possible for you to scan on-demand for ANY new data, in case you're not sure how many devices or what types have been configured. You'll find these new buttons in Ops Center in the new Node Health widget and in Manage > Nodes.
If a scan is going to take a while, you'll see a notification and the scan will get backgrounded. When new nodes are found, you'll see a handy notification:
When you click the "View Now" you'll be taken to the discovery/scan results, and you have a chance to confirm that you'd like to add new connectors to monitor the detected sources. This summary presents you information about what IP address was generating the data and what vendor/connector will be configured:
After you confirm, magic happens and these connectors are automatically hooked up to those log sources. Note: You won't see new nodes appear until data appears. In the example above, I won't see data from 10.199.19.250 for "Checkpoint Edge-X" until that IP address sends me more data. Nodes appear with the data, but we scan historical data to do the discovery magic. As those nodes appear, you'll see the yellow notification appear with a confirmation as to which IP addresses are now sending data.
Also handy, when new nodes appear for existing connectors, you'll get the same notification that tells you what's happened. This happens if you've already got a connector configured for, say, a Cisco firewall, and you start logging another Cisco firewall to the same facility. You don't need to configure another connector, but LEM will let you know something new is now sending you data.
A few other things you'll notice:
- New Default Filters: We totally revamped our default filters to match your use cases better. Filters are grouped for Overview, Security, IT Operations, Change Management, Authentication, and Compliance, and all have some handy default widgets.
- More Help & Thwack Widgets: We've added a "What's New in LEM" and Thwack feed widget, along with help widget updates to help you find features that lots of people didn't know existed.
- Event is the new alert. After listening to you talk about LEM, we've modified our in-product language to match how you think about events. Things that come in to raw logs are called "messages", these get normalized into "events", which you can then trigger rules on, which may cause "alerts" like notifications or incidents to be fired in addition to active responses. There are still a few things that say "Alert" (e.g. SecurityAlert) that we're saving for a future update, but for the most part, Event Event Event.
- What the heck is a NATO5? We've also eliminated a few of the things that made your brow wrinkle, including renaming rules that are on by default "Default Rules" and rules that are templates for you to use "Rule Library." Along similar lines, we've made it clear that the thing that connects logs to the system are referred to as "connectors" in LEM as well as elsewhere.
- Support for Windows 8/2012, including Hyper-V 2012: We had a compatibility issue with Hyper-V on 2012 that has been resolved. Additionally, we've confirmed you can use the LEM Console in IE 10 on Windows 8, and install the agent in Windows 8 and 2012 (you'll need to run it in compatibility mode for now until we resolve an installation issue, though).
- Customer requests & fixes: Common reported issues include the node statusbar showing non-agent nodes as "disconnected" - now they have a separate entry from agents; refresh and edit buttons are more obvious in Ops Center and nDepth; performance improvements in rules; hotfixes from 5.4 rolled in to 5.5; and lots of new connectors. A full list will be included with the release notes.
Notes for Upgrading Customers
We didn't touch your existing filters or dashboard configuration, we didn't want to mess with your feng shui (or your "zen thing, man"). You can always add the new dashboard widgets to Ops Center by going to Ops Center's "Widget Manager" and perusing the "Additional Widgets" section. For filters, if you're interested in the new defaults, the easiest thing to do is create a new user and check them out to see if you're interested. We can either help wipe out your existing settings and revert to the default, or you can export/import only the stuff that looks good.
If you've got existing connectors already configured and want to try out the new connector discovery scan workflows, no worries. Anything you've already got configured will stick around and we won't configure duplicates. A very small number of you who had connectors configured for /var/log/messages or /var/log/syslog will want to run the new node scan after upgrading to pick up the new default configurations.
Lastly, you'll notice in some places where you had items that said "Alert" they now say "Event". We avoided changing some things (like filter names and descriptions), but others (like groups) will be updated.
Download, download, download! And share your feedback
All LEM and SIM customers under active maintenance can download the 5.5 RC by going to the Customer Portal and clicking "Choose Download" next to the RC. If you want to deploy a new system, use the new installers. If you'd like to upgrade, download the upgrade, and be SURE to check out the instructions (you'll need to extract it to a share - generally the root of a share is safest - and then go to the virtual console or SSH to get it installed).
To give us feedback, join the Security Event Manager (SEM) Release Candidate group on Thwack. What do you think about the new widgets? Are there more you'd like to add? How's automated configuration treating you? Anything we missed or is confusing? Would you like to know more!?