I’m pleased to announce the General Availability of Log Analyzer (LA) 2.0 on the Customer Portal. You may be wondering what Log Analyzer is. The artist formerly known as Log Manager for Orion has undergone a transformation. It has evolved past its former life as a 1.0 product and become Log Analyzer 2.0. The name Log Analyzer was chosen after extensive research into what our users would call a product with our feature set, one that solves the problems our tool solves. I hope you like the new name!
This release includes Windows Event Support, Log Export, Log Forwarding and Rule Improvements as well as other items listed in the Release Notes.
As a System Administrator, closely monitoring Windows Events is vital to ensuring your servers and applications are running as they should be. These events can also be hugely valuable when troubleshooting all sorts of Windows problems and determining the root cause of an issue or outage. While there is a vast array of Windows Event categories, the three main categories you'll likely focus on when troubleshooting are the Application (events relating to Windows components), System (events related to programs installed on the system) and Security (security related events such as authentication attempts and resource access). Trawling through Windows Event Viewer on individual servers to find the needle in the haystack can be a laborious task. Having a tool such as Log Analyzer can be a real life saver when it comes to charting, searching and aggregating these Windows Events. Thanks to the tight integration with Orion, you can view your Windows Events alongside the performance data collected by other tools such as NPM and SAM. It's worth noting that you can also add VMware Events into the mix, thanks to the latest Virtualization Manager (VMAN) release.
In order to start ingesting Windows Events with Log Analyzer, you need to install the Orion Agent on your Windows device. Windows Event Forwarding is also supported, so if you prefer to forward events from other nodes to a single node with the Orion agent installed, that's an option too. By default, we collect all Windows Application and System events, along with 70 of the most common Windows Security Events. You can view more information on setting up Windows Event Collection here.
Once you have the agent installed and added the node(s) to Log Analyzer, you'll see the Events within the Log Viewer. Events are automatically tagged with Application, System or Security tags. Predefined rules are also included out of the box which tag events such as Authentication Events, Event Logs Cleared, Account Creation/Lockout/Deletion, Unexpected Shutdowns, Application Crashes and more.
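To illustrate the channel and rule tagging described above, here is a small Python tagger (an added example, not Log Analyzer's own rule engine); the mapping of rule names to Event IDs is my assumption, drawn from standard Windows Security, System and Application log IDs, and the sample events are constructed.

```python
"""Tag constructed Windows events the way the post describes: every event gets its
channel tag (Application/System/Security) plus any matching predefined rule tags.
Illustrative only; the Event ID mapping is an assumption, not Log Analyzer's rules."""
from dataclasses import dataclass, field
from collections import Counter


@dataclass
class WinEvent:
    channel: str            # "Application", "System" or "Security"
    event_id: int
    message: str
    tags: list = field(default_factory=list)


# Ordered rule list (tag, predicate). Processing order is adjustable in LA 2.0,
# so it is kept explicit here; each matching rule adds its tag.
RULES = [
    ("Event Logs Cleared",    lambda e: e.channel == "Security" and e.event_id == 1102),
    ("Authentication Events", lambda e: e.channel == "Security" and e.event_id in (4624, 4625)),
    ("Account Creation",      lambda e: e.channel == "Security" and e.event_id == 4720),
    ("Account Lockout",       lambda e: e.channel == "Security" and e.event_id == 4740),
    ("Account Deletion",      lambda e: e.channel == "Security" and e.event_id == 4726),
    ("Unexpected Shutdown",   lambda e: e.channel == "System" and e.event_id == 6008),
    ("Application Crash",     lambda e: e.channel == "Application" and e.event_id == 1000),
]


def tag_event(event, rules=RULES):
    """Reset and recompute the event's tags; returns the tag list."""
    event.tags = [event.channel]
    for tag, matches in rules:
        if matches(event):
            event.tags.append(tag)
    return event.tags


def tag_counts(events, rules=RULES):
    """Tag every event and return how many carry each tag (useful for charting)."""
    counts = Counter()
    for ev in events:
        counts.update(tag_event(ev, rules))
    return dict(counts)


# Constructed sample events (not captured from a real host).
SAMPLE = [
    WinEvent("Security", 4625, "An account failed to log on."),
    WinEvent("Security", 4740, "A user account was locked out."),
    WinEvent("Security", 1102, "The audit log was cleared."),
    WinEvent("System", 6008, "The previous system shutdown was unexpected."),
    WinEvent("Application", 1000, "Faulting application name: sqlservr.exe"),
    WinEvent("Application", 1001, "Windows Error Reporting bucket entry."),
]

if __name__ == "__main__":
    for ev in SAMPLE:
        print(ev.event_id, tag_event(ev))
    print(tag_counts(SAMPLE))
```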
Windows Events are also supported in PerfStack, enabling you to correlate performance data with Windows Events. For example, you can see below there are memory spikes on a SQL Server, with some corresponding Windows Events and Orion Alerts. Drilling into the Windows Events, you can clearly see that insufficient system memory is causing the Node Reboot and SQL Server Insufficient Resources alerts.
Log Analyzer shouldn't be seen as a dead end for your log data. There may be times when you need to forward imported syslog/traps to another tool, such as an Incident Management system or SIEM, for further processing/analysis. This release includes a new 'Forward Entry' rule action which enables you to forward syslog/traps to another application. You can keep the source IP of the entry intact or replace it with Orion's IP address:
When troubleshooting problems it's often necessary to share important log data with other team members or external vendors, or to attach it to a helpdesk ticket. You can now do so thanks to the new Export option within the Log Viewer.
We've added some pre-populated dropdown menus for fields such as MachineType, EngineID, Severity, Vendor and more to make it even easier to create log rules. It is now also possible to adjust the processing order of the rules.
The team is already hard at work on the next version of LA, as you can see covered here in the What We're Working On post. Also, please keep the feedback coming on what you think and what you would like to see in the product in the Feature Requests section of the forum.