We are looking at using LEM to capture Microsoft Failover Clustering events from the Windows Application Event log. Are these logs that LEM will be able to capture?
To chime in here - some of the logs are covered in a very generic way, just to get the most common data into LEM. Effectively, there's some generic normalization that makes it easier for you to get data in without having to have a connector built.
However! You can submit requests to either a) create a connector for that data source (if it's a lot of unique events) or b) update our application log connector to include additional (useful) information. We'll need an evtx sample and some idea of what you're looking for.
Somebody... anybody?
Do you have any idea what the Microsoft ProviderSID might be for these events?
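A way to answer the provider question and produce the evtx sample the connector request asks for, as an added PowerShell example that is not part of this thread and not SolarWinds' own tooling. It assumes the cluster node is the machine it runs on, that the relevant providers match the wildcard `*FailoverClustering*`, and that the output path under `$env:TEMP` is acceptable; all three are assumptions to adjust.

```powershell
# Added example (not from the thread): list the Failover Clustering event providers
# present on this node, confirm the Application log holds events from them, and
# export just those events as an .evtx sample to attach to a connector request.
# The wildcard, look-back window and output path are assumptions.

$logName     = 'Application'
$namePattern = '*FailoverClustering*'                      # assumption: provider name pattern
$outFile     = Join-Path $env:TEMP 'FailoverClustering-sample.evtx'
$since       = (Get-Date).AddDays(-7)                      # assumption: 7-day look-back

# 1. Which providers carry Failover Clustering events, their GUIDs, and the logs they write to
$providers = Get-WinEvent -ListProvider $namePattern -ErrorAction SilentlyContinue
if (-not $providers) { throw "No event providers match '$namePattern' on $env:COMPUTERNAME." }
$providers |
    Select-Object Name, Id, @{ n = 'Logs'; e = { ($_.LogLinks | ForEach-Object LogName) -join ', ' } } |
    Format-Table -AutoSize

# 2. Confirm the Application log actually contains events from those providers
$events = @(Get-WinEvent -FilterHashtable @{
        LogName      = $logName
        ProviderName = $providers.Name
        StartTime    = $since
    } -ErrorAction SilentlyContinue)
'{0} matching event(s) in {1} since {2}' -f $events.Count, $logName, $since

# 3. Export only those events: XPath filter on provider name, overwrite any old sample
$clauses = ($providers.Name | ForEach-Object { "@Name='$_'" }) -join ' or '
$xpath   = "*[System[Provider[$clauses]]]"
wevtutil epl $logName $outFile "/q:$xpath" /ow:true
if (Test-Path $outFile) { "Sample written to $outFile" }

# 4. Show one complete event as XML, for comparison with what LEM displays
if ($events.Count -gt 0) { ([xml]$events[0].ToXml()).OuterXml }
```

The provider GUID is in the `Id` column of step 1, which is the identifier most tooling means when it asks which provider an event came from; the full XML in step 4 is the reference copy to hold next to the normalized LEM alert when deciding which fields to ask for in the connector update.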
The LEM has a connector for the Windows Application log. It's not part of the default set that the LEM assigns to a connector when it detects a Windows platform, so you may need to add it to the agent for your server(s).
Now, will it read the app logs correctly? I'm not sure, but getting the connector up and running would be the first step to finding out.
I am in the midst of testing and what I have learned so far is as follows...
If you change the connector to get nDepth and Alert, do you see the whole message in the nDepth Raw Log Search? Would that work for what you need?
Good question, is there some specific way to search the Raw Logs? Is this the case where I need to go through the process indicated HERE?
An example of a received event is as shown below, the actual event in the Windows Event Log has a lot more data. Is it normal for LEM to truncate a bunch of information out of the log?
Right, you'll have to run through that process to get the LEM prepared to collect the raw logs or message cores.
Next, the relevant connectors need to be set to send raw data to the LEM. Either of these options will do it, but if you still want the normalized data, you should pick Alert, nDepth.
Last, you need to tell nDepth to search the raw messages. This toggle has moved around in different iterations of the console, but you'll want the mouse-over to say "Log Messages." In 5.6 and 5.7 it's in the top right corner near the Play button.
For the normalized alerts, yes. The LEM tries to reduce noise and improve the readability by trimming and formatting data to meet the needs that customers have shared with us. The ability to capture raw logs means you can always get all the data, but it's not the default selection.
Ah, ok, that makes sense!