Hi all, I need to know if the logs generated by Orion of the host can be addressed to a SIEM, specifically ArcSight Express. Can this configuration be done on the Web console or in the database configuration?
Ah, ok. I'd suggest doing the opposite, have the SIEM forward syslogs to Orion, hate to say it but the built in syslog processor in Orion isn't all that powerful. That's why they sell their own SIEM. Some SIEMs want to see an untouched syslog also, making sure the source IP and such are pristine in the TCP headers and such, plus they might want to correlate timing and you're not guaranteed how quickly Orion will forward the syslog, but that being said.
You should be able to do this from the Syslog Viewer on your Orion server. Go to "Start" menu, "All Programs", "Solarwinds Orion", "Syslog and SNMP Traps" then "Syslog Viewer".
Once you're in there, click on the "View" menu and go to "Alerts/Filter Rules" and "Add New Rule". Set it up to match whatever syslog messages you want forwarded and in the "Alert Actions" choose "Forward Syslog Message" and fill in the blanks to forward it to your SIEM. You can choose to "Retain the original source address of the message", mileage may vary on this. There is also an option to "Spoof Network Packet", but that requires installing WinPCap, which you might or might not want to do.
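The reply above notes that some SIEMs expect the source IP of a syslog packet to be the originating device, and that Orion's "Retain the original source address" option may or may not achieve that. A quick way to verify on the receiving side is to compare each packet's source address with the hostname carried in the syslog header. The following is an added example, not code from the thread or from SolarWinds: it parses RFC 3164-style lines and flags messages that arrived from the relay's address but name some other host, which is exactly what a forwarding hop that rewrites the source looks like to the SIEM. The sample lines and addresses (192.0.2.x, "orion-srv") are constructed for the example.

```python
"""Detect syslog messages whose network source was rewritten by a relay.

Added example; the relay address map and sample packets below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 3164 layout: <PRI>Mmm dd hh:mm:ss HOSTNAME rest-of-message
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


@dataclass
class SyslogRecord:
    facility: int
    severity: int
    timestamp: str
    host: str       # hostname written into the message by the original sender
    message: str
    src_ip: str     # address the UDP/TCP packet actually came from


def parse_syslog(line: str, src_ip: str) -> Optional[SyslogRecord]:
    """Split PRI into facility/severity and pull out the header fields.

    Returns None for lines that are not well-formed RFC 3164 messages.
    """
    m = _SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # max facility 23, max severity 7 -> 23*8+7
        return None
    return SyslogRecord(
        facility=pri // 8,
        severity=pri % 8,
        timestamp=m.group("ts"),
        host=m.group("host"),
        message=m.group("msg"),
        src_ip=src_ip,
    )


def source_rewritten(rec: SyslogRecord, relays: Dict[str, str]) -> bool:
    """True when the packet came from a known relay IP but the header names
    a different host: the relay forwarded it without retaining the source."""
    return rec.src_ip in relays and rec.host != relays[rec.src_ip]


def audit(packets: List[Tuple[str, str]], relays: Dict[str, str]) -> Dict[str, object]:
    """Classify captured (src_ip, line) pairs as direct, relayed or unparseable."""
    direct: List[str] = []
    relayed: List[str] = []
    rejected = 0
    for src_ip, line in packets:
        rec = parse_syslog(line, src_ip)
        if rec is None:
            rejected += 1
            continue
        (relayed if source_rewritten(rec, relays) else direct).append(rec.host)
    return {"direct": direct, "relayed": relayed, "rejected": rejected}


# Constructed data: the Orion server at 192.0.2.10 is the relay.
RELAYS = {"192.0.2.10": "orion-srv"}
SAMPLE_PACKETS = [
    # Sent straight from the switch: source matches the header host.
    ("192.0.2.1", "<34>Oct 11 22:14:15 core-sw01 sshd[123]: Failed password for admin"),
    # Same kind of event, but it reached us via Orion without source retention.
    ("192.0.2.10", "<34>Oct 11 22:14:16 core-sw02 sshd[456]: Failed password for admin"),
    # Orion's own message: source and header agree, so not a rewrite.
    ("192.0.2.10", "<190>Oct 11 22:14:17 orion-srv SWJobEngine: job completed"),
    # Garbage that should be counted, not crash the parser.
    ("192.0.2.1", "not a syslog line"),
]

if __name__ == "__main__":
    result = audit(SAMPLE_PACKETS, RELAYS)
    for host in result["relayed"]:
        print(f"source rewritten by relay: {host}")
    print(result)
```

If the relayed list is non-empty after enabling "Retain the original source address", the option did not take effect for those senders and the SIEM will attribute the events to the Orion server rather than the device that produced them.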
Hmm... What logs? Orion receives logs, I don't know of it generating any on hosts?
It generates a ton of logs on c:\programdata\solarwinds\ (and subdirectories) [I have over 2100 files with the extension '.log' there].
If you could feed them into a SIEM tool you'd be easily able to spot the errors & open bugs on them...
My question is whether Orion could send all syslog to a SIEM; I need to send all events Orion received to a SIEM.
Will there be another way to make the settings from the web console?
No, you must do it in the application on the server at this time. I doubt it will change soon, although I could be wrong.
That application hasn't changed a bit since I've seen it though, and it's been around since before NCM, which has slowly since been converted to web based. Not to mention they talked about moving alerts to the web for a long time before actually doing it. I haven't heard SW speak a word about changing the syslog app yet...
Thank you so much, I will test the configuration.