Some requirements and how to solve? RAW logs, and long time storage

A couple requirements that I solve a different way but it would nice if it was just a checkbox in SEM to make it easier to do.

Storage of RAW logs: One requirement is to store logs in RAW log format. Since SEM normalizes the data and puts it into the database this won't solve this requirement. There is an additional database you can create with SEM but it seems not super easy to use and almost not suggested in the admin guide. My solution has been to store the windows event logs myself with scripts to a NAS and Unix / Linux syslog to same NAS separate from SEM. It would be neat if you could just tell SEM to forward the logs it gets to a share somewhere by checking a box.

Another thing that could be made easier perhaps would be to make it easier to separate the application from the data. As it is now most people keep everything in /var which works but it makes for one huge VM. Maybe I'm missing something but separating this data out into other VM database isn't super intuitive?

Bill

Find more posts tagged with

Accepted answers

All comments

ttrogrlic

Hi,

I have same problem with Windows logs, so I also send this logs (*.evtx) to NAS but this process is not in real time-it is manually triggered ones per Year (in first step script collect all logs from one month to each zip and second copy it to NAS share).

It would be nice only to forward origin logs from SEM to some other collector to avoid this process.

The main problem with SEM logs why I do this is (SEM periodically backup logs by retention policy and delete it from main database after 6-12 months depending on database size) to make easier forensic job after a couple of years. If You don't have original logs then You need create additional SEM instance and import archived logs to it and this must be supported by Solarwinds support (what if You are not using SEM anymore and not paying maintenance?!).

In case with original logs You can take original logs from period which You have interest and explore them without SEM.

Can You share with me a script which You're using for send Windows logs to NAS and explain how often is started script?

regards

Tomislav