Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials

Can i filter all Windows Event and Application logs in a seperate filter?

Hi everyone,

I am new to log management so i maybe asking the wrong questions or heading in the wrong direction so please feel free to educate me if required.

My office has just purchased LEM and i have been asked to set up the LEM to pick up all the system and application events which are errors or higher. Once normalised i believe this means severity 4 or higher.

I am a bit confused as to how achieve this.

Can i filter MS Application Events which are level 4 or higher?

Can i filter MS System Events which are levle 4 or higher?

Also am i looking at how the LEM can do things from the worng perspective?

Any advice or tips would be appreciated.

Find more posts tagged with

filters

log_and_event_manager

lem

Accepted answers

byrona

In this case you want to go with AnyAlert.ToolAlias

All comments

byrona

So one important thing to point out is that (to the best of my knowledge) LEM won't necessairly collect all of your system or application events. LEM comes from a background of being a security focused solution so it's designed to look at the Security and Application logs specifically for security related events. Going forward the development of LEM looks to be more broad and less direclty security focused but I don't work at SolarWind so I can't say that definitively.

For your Windows sytems, once you have the agents installed you will need to configure the Tools/Connctors in the LEM appliance to look at both the Application and System logs. At this point your system should be collecting the logs.

For setting up filters keep in mind that one of the core and most important functionalities of the product is the normalization of logs; this allows for true realtime event correlation across multiple differnt platforms. Because of the normalization the logs in LEM are not exactly the same as they were in Windows Eventlog. My recomendation here would be to look at some of the normalized logs in LEM and find the fields that make the most sense to filter on. The Severity that you mention is captured as well as the ToolAlias; since you have different tools for the Application log versus the System log this may be a good thing to filter for.

I hope all of this helps!

meech

Hi Pdyball,

Just wanted to take a moment and introduce myself. I'm one of the people in the User Experience (UX) group here at SolarWinds and our job is to continuously be looking for ways to make all SolarWinds products easier to use, more useful and more efficient. Your LEM questions relate to some upcoming feedback sessions we'll be running on the initial user experiences with LEM. I've sent you a friend request on thwack but also just wanted to say to you and any new LEM users, we'd sure love to talk to you in the near future and show you some mockups of some ideas we have for changes to the initial LEM experience. Feel free to email me at kellie.mecham@solarwinds.com for more info.

Thanks!

pdyball

Hi Byrona,

thanks for your response.

I noticed the tool alias field but am stumped as to how i can filter that as when i do a filter on that it can only be as a subset of an alert. ( i.e. serviceinfo.toolalias) I would want to be able to filter on ToolAlias only for all Alerts. This would also be the case for severity. it seems that i would always be restricted to using the alert.field format.

Is there another way to filter by *.toolalias?

Surely there must be a list which would help us to identify how MS alerts would be normalised? Obviously i want to try to setup up the LEM rules before the alerts happen. After the fact would be a litlle counter productive.

Thanks

byrona

In this case you want to go with AnyAlert.ToolAlias

pdyball

Thanks Bryona,

that is what i was looking for but for some reason i never saw it. Must of been doing a male look as my wife would put it.

Thanks for your assistance and patience.

msterling

I still can't make this work, the tools are started but I can't come up with a filter to show the event log messages...

msterling

After talking with support, you have to go to the node and make sure the Windows Logging tools are started, then make a filter that uses ServiceWarning.DetectionIP = *<node name>*

This works great and logs all warnings and errors from the event log!