Product Manager

Introducing Log Manager for Orion

Log data is finally where it belongs: within the Orion Platform. Log Manager for Orion is a brand new SolarWinds product that provides log management functionality, including aggregation, searching and charting, all within the Orion console. Log data contains a wealth of information that can be invaluable in identifying and troubleshooting issues affecting the performance and availability of your network and applications. When integrated with tools such as Network Performance Monitor (NPM) and Server and Application Monitor (SAM), you get a unified view of infrastructure monitoring data and log data in a single pane of glass.

Traditionally, there has been a gap between performance and log data. Log data is often aggregated and analyzed using a standalone tool that does not integrate with your performance monitoring tool. Combining the breadth and depth of performance data you get with tools such as NPM and SAM with log data makes it easier to identify, troubleshoot and remediate performance-impacting issues.


So, how do you access your log and SNMP trap data and what can you do with Log Manager?

We've made it really easy to access your log data directly from the Node Details page. As an example, on this Node Details page NPM has triggered a Hardware Health alert. Using the 'Analyze Logs' button I can drill into the log data and quickly find the entries that indicate a rotation error on the fan. It's like when the dreaded Engine Warning Light comes on in your car: you know there's a problem, but you need the onboard diagnostics to get the specific error. NPM tells you there's an issue and the log data then provides the detail, such as error codes and warning messages.


Filtering

Log data is noisy by nature and arrives in vast volumes. It can be a challenge to drill into that data quickly and focus on the entries that will help you identify and solve a particular problem. Log Manager includes filters that let you refine your dataset with just a few clicks. Filters include Log Type, Level, Node Name, IP Address and more. Thanks to the Orion integration, your logs are enriched with information gathered by SNMP, so you can also filter on attributes such as Vendor and Machine Type.


Search

Log Manager's search engine lets you find the needle in the haystack quickly. You can search for anything from keywords to IP addresses and event IDs without learning a new query language. The search engine is built upon SQL Server Full-Text Search (FTS). Full-Text Search is an optional feature selected during SQL Server setup, so verify it is installed on the Orion database server before you deploy: the query SELECT FULLTEXTSERVICEPROPERTY('IsFullTextInstalled') returns 1 when it is. We recommend having FTS enabled for optimal search performance.


Chart

Scrolling through reams of text log data to determine how often a particular event has occurred can be a cumbersome task. The interactive chart included with Log Manager lets you visualize when particular events occurred and how many of them there were. The chart also serves as a way to refine your time frame with a simple click and drag. For example, if you've noticed an issue in Network Performance Monitor at a point in time, you can use the chart in Log Manager to drill into the log data for that timeframe and gain an additional layer of visibility.

Live Mode

One of the many benefits of monitoring your log data is the real-time nature of logs. Tools such as NPM do a great job of collecting a vast amount of performance data at regular polling intervals, but there can be a visibility gap between those polls. Log data can bridge that gap and provide almost instantaneous visibility into what is happening on your network devices, servers and applications. Log Manager's Live Mode provides a near real-time stream of log data as it occurs in your environment to help you spot issues as they arise. Filters and keywords can be applied to the live stream to home in on particular events as they occur, based on an event ID, a keyword, an IP address and more.

Tag - you're it!

Individual log (and trap) entries can contain quite an amount of text. When you are receiving hundreds, if not thousands, of these logs every second it can be difficult to pick out the important entries. Assigning a meaningful name to important logs helps you focus on them. You can apply multiple tags to important logs so that they stand out as soon as they appear within Log Manager, and you can color-code those tags to draw your attention to them even faster. To configure tags, go to Configure Rules, set your rule conditions and then use the 'Tag Entry' action.


Where can I find Log Manager and how do I install it?

The Log Manager for Orion 30-day evaluation is now available to download from your Customer Portal and SolarWinds.com. It can be installed on your existing Orion server, or on a test system if you prefer. Log Manager may require other Orion modules to be updated as part of the installation process; the Orion installer takes care of this for you. Log Manager can run as a standalone module, but I'd recommend deploying it alongside NPM/SAM to get the performance data and log data in the single console I mentioned earlier.

I'm leveraging the Orion Syslog and Trap Viewers - what happens when I install LM?

These applications will still reside on your Orion server, but they will be disabled and will not process any new incoming data once Log Manager is installed. You can still view historical data and rule conditions/actions within these viewers, but in read-only mode. Speaking of rules, I'm sure you're asking what happens to those old syslog/trap rules. They are not migrated as part of the upgrade to Log Manager. Log Manager provides an intuitive web-based rule builder which you can use to recreate your rules manually. However, not all of the old alert actions are available in Log Manager v1: the rule actions are Tag an Entry, Run an External Program and Discard Event. Bear in mind that Run an External Program executes on the Orion server itself, so limit rule-editing rights to the people you would trust to run commands on that server.
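To make the filtering, tagging and rule-action behaviour described in the Filtering, Tag and rule sections above concrete, here is an added example of a small syslog rule engine in Python. It is not SolarWinds code and does not use any Log Manager API; the node inventory, rule names, tag names and colours, sample log lines and the 'page-oncall' program action are all constructed for illustration. It parses RFC 3164 lines, enriches each entry from an inventory standing in for what Orion learns via SNMP, offers the page's filters (Level, Vendor, IP Address, keyword) and applies ordered rules with the three Log Manager actions: tag the entry, run an external program (recorded rather than actually spawned) and discard the event.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Added example: a toy syslog filter/tag rule engine. Not SolarWinds code;
# the inventory, rules, tags, colours and sample lines are all constructed.

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed stand-in for what Orion learns about managed nodes via SNMP.
NODE_INVENTORY = {
    "10.0.0.1": ("core-sw1", "Cisco"),
    "10.0.0.2": ("core-sw2", "Cisco"),
    "10.0.0.50": ("app-srv1", "Dell"),
}

# RFC 3164 shape: <PRI>Mmm dd hh:mm:ss hostname message
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
                       r"(?P<host>\S+) (?P<msg>.+)$")

@dataclass
class LogEntry:
    source_ip: str
    level: str
    hostname: str
    timestamp: str
    message: str
    node: Optional[str] = None          # filled only for Orion-managed nodes
    vendor: Optional[str] = None
    tags: List[Tuple[str, str]] = field(default_factory=list)   # (tag, colour)

def parse_syslog(line: str, source_ip: str) -> LogEntry:
    """Parse one RFC 3164 line; severity is the low 3 bits of PRI."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not RFC 3164 syslog: {line!r}")
    entry = LogEntry(source_ip, SEVERITIES[int(m["pri"]) & 0x07], m["host"], m["ts"], m["msg"])
    if source_ip in NODE_INVENTORY:     # enrich with SNMP-derived facts
        entry.node, entry.vendor = NODE_INVENTORY[source_ip]
    return entry

def at_least(level: str) -> Callable[[LogEntry], bool]:
    """Condition: entry is at least as severe as `level` (lower index = more severe)."""
    limit = SEVERITIES.index(level)
    return lambda e: SEVERITIES.index(e.level) <= limit

def filter_entries(entries, level=None, vendor=None, ip=None, keyword=None):
    """The page's filters (Level, Vendor, IP Address, keyword) as one predicate chain."""
    return [e for e in entries
            if (level is None or at_least(level)(e))
            and (vendor is None or e.vendor == vendor)
            and (ip is None or e.source_ip == ip)
            and (keyword is None or keyword.lower() in e.message.lower())]

@dataclass
class Rule:
    name: str
    condition: Callable[[LogEntry], bool]
    action: str                     # "tag" | "run" | "discard": the page's three actions
    tag: str = ""
    color: str = ""

def apply_rules(entry: LogEntry, rules: List[Rule], run_log: list) -> Optional[LogEntry]:
    """Evaluate rules in order: Discard stops processing, Tag and Run accumulate."""
    for rule in rules:
        if not rule.condition(entry):
            continue
        if rule.action == "discard":
            return None
        if rule.action == "tag":
            entry.tags.append((rule.tag, rule.color))
        elif rule.action == "run":
            # A real engine would spawn a program here, on the collector and with
            # its privileges; this example only records that it would have.
            run_log.append((rule.name, entry.hostname))
    return entry

RULES = [
    Rule("drop-logging-host-chatter", lambda e: "LOGGINGHOST_STARTSTOP" in e.message, "discard"),
    Rule("fan-hardware", lambda e: "FAN" in e.message and at_least("err")(e), "tag", "hardware", "red"),
    Rule("ssh-auth-failure", lambda e: "Failed password" in e.message, "tag", "auth-failure", "orange"),
    Rule("page-oncall", lambda e: e.node is not None and at_least("err")(e), "run"),
]

# Constructed sample traffic: (source IP, raw syslog line).
SAMPLE_LINES = [
    ("10.0.0.1", "<187>Jun  1 13:02:13 core-sw1 %ENVMON-3-FAN_FAILED: Fan 2 rotation error"),
    ("10.0.0.2", "<190>Jun  1 13:02:14 core-sw2 %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.9 started"),
    ("10.0.0.50", "<12>Jun  1 13:02:20 app-srv1 sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 4021 ssh2"),
    ("192.0.2.99", "<14>Jun  1 13:02:21 unknown-host cron[77]: job done"),
]

def process(samples=SAMPLE_LINES, rules=RULES):
    """Parse, enrich and rule-process each line; returns (kept entries, recorded run actions)."""
    kept, run_log = [], []
    for ip, line in samples:
        entry = apply_rules(parse_syslog(line, ip), rules, run_log)
        if entry is not None:
            kept.append(entry)
    return kept, run_log

if __name__ == "__main__":
    kept, runs = process()
    for e in kept:
        print(f"{e.source_ip:<12} {e.level:<8} {e.vendor or '-':<6} {e.tags} {e.message[:48]}")
    print("run actions:", runs)
    print("Cisco only:", [e.hostname for e in filter_entries(kept, vendor="Cisco")])
```

Running the file prints the surviving entries with their tags. Rule order matters: a Discard rule placed first stops later Tag and Run actions for that entry, which is what you want for noisy chatter. The Run action is deliberately only recorded here, because a real one executes on the collector with the collector's privileges.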

Can I use Log Manager to collect Windows Events?

Log Manager currently supports syslog and SNMP traps. For Windows Events, you can install our free Event Log Forwarder, which converts Windows Events to syslog and transmits them to Log Manager. Syslog is typically sent over UDP in cleartext and the collector does not authenticate the sender, so keep the path from forwarder to collector on a trusted management network.
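As an added example (not the Event Log Forwarder's code), the following Python builds an RFC 5424 syslog message from the fields of a Windows event, so you can see what a forwarder has to do: map the Windows level or audit keyword to a syslog severity, fold the multi-line message body onto one line, carry Event ID, Channel, Provider and User as structured data, and escape the characters RFC 5424 reserves in parameter values. The event dictionaries are constructed, the local0 facility and the 'Audit Failure' to warning mapping are my assumptions, and the structured-data ID uses 32473, the enterprise number RFC 5424 reserves for examples.

```python
import re
import socket
from datetime import datetime, timezone

# Added example: Windows event fields -> RFC 5424 syslog. Not the SolarWinds
# Event Log Forwarder's code; the sample events below are constructed.

# Windows level / audit keyword -> syslog severity (RFC 5424, table 2).
# Mapping "Audit Failure" to warning (4) is an assumption, not a standard.
SEVERITY_MAP = {"Critical": 2, "Error": 3, "Warning": 4, "Information": 6,
                "Verbose": 7, "Audit Failure": 4, "Audit Success": 6}
FACILITY_LOCAL0 = 16
SD_ID = "winevent@32473"   # 32473: the enterprise number RFC 5424 reserves for examples

def _sd_escape(value) -> str:
    """Escape the three characters RFC 5424 forbids unescaped in PARAM-VALUE."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")

def _token(value, max_len=48) -> str:
    """HOSTNAME and APP-NAME must be printable ASCII without spaces."""
    return re.sub(r"[^\x21-\x7e]", "_", str(value))[:max_len] or "-"

def windows_event_to_syslog(event: dict, hostname: str, facility: int = FACILITY_LOCAL0) -> str:
    """Render one Windows event as a single RFC 5424 line (PRI = facility*8 + severity)."""
    severity = SEVERITY_MAP.get(event.get("keyword")) or SEVERITY_MAP[event["level"]]
    pri = facility * 8 + severity
    ts = event["time"].astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    params = (("EventID", event["event_id"]), ("Channel", event["channel"]),
              ("Provider", event["provider"]), ("User", event.get("user", "-")))
    sd = " ".join(f'{k}="{_sd_escape(v)}"' for k, v in params)
    body = " ".join(event["message"].split())   # fold the multi-line Windows body
    return (f"<{pri}>1 {ts} {_token(hostname)} {_token(event['provider'])} - "
            f"{event['event_id']} [{SD_ID} {sd}] {body}")

def send_udp(message: str, collector: str, port: int = 514) -> int:
    """Ship one message to a syslog collector over UDP (cleartext, unauthenticated)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(message.encode("utf-8"), (collector, port))

# Constructed sample events (not captured from a real system).
SAMPLE_EVENTS = [
    {"time": datetime(2018, 6, 1, 13, 2, 20, tzinfo=timezone.utc), "channel": "Security",
     "provider": "Microsoft-Windows-Security-Auditing", "event_id": 4625,
     "level": "Information", "keyword": "Audit Failure", "user": "DOMAIN\\admin",
     "message": "An account failed to log on.\n\nAccount Name:\t\tadmin\n"
                "Source Network Address:\t203.0.113.7"},
    {"time": datetime(2018, 6, 1, 13, 5, 0, tzinfo=timezone.utc), "channel": "System",
     "provider": "Service Control Manager", "event_id": 7034, "level": "Error",
     "message": "The Print Spooler service terminated unexpectedly."},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(windows_event_to_syslog(ev, "app-srv1"))
    # To actually forward: send_udp(windows_event_to_syslog(SAMPLE_EVENTS[0], "app-srv1"), "10.0.0.9")
```

The logon failure renders as `<132>1 ...` (local0, warning) and the service crash as `<131>1 ...` (local0, error); the backslash in the domain user name is doubled in the structured data, which is what a collector parsing RFC 5424 expects.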

How is Log Manager licensed?

Most log management tools are licensed based on the volume of log data you generate. This requires you to estimate your log volume; costs can rise rapidly if you miscalculate, and you may have to choose selectively which logs to send to your log management tool to stay within your volume limit. Log Manager uses a simple and affordable node-based licensing model. If you are transmitting logs from 100 devices, that equates to 100 nodes. It is worth pointing out that each node you receive log data from must be managed by Orion. Plan your tier with some headroom, since a node consumes a license as soon as log data arrives from it.

Summary

Log Manager for Orion is a result of feedback we've received from our users on Thwack, SolarWinds User Groups, Trade Shows and more. We're incredibly excited to get your feedback on the tool and to answer any questions you may have. Please feel free to post Feature Requests here and any questions/comments here. We're already working on some exciting new features for the next release of Log Manager, which you can view on the What We're Working On page.

Happy Logging

72 Replies
Level 7

After spending some significant $ on this, we find that the alerting is very limited.  We can't even get an email alert that contains the message body of the syslog or trap.  Is this being addressed?  Is it possible to get a refund for this product?  We are currently working to uninstall.

Level 13

twolf420, I'm looking at the product, and am interested to hear if the information jhynds posted helps you. Please follow up after you've had a chance to try it out, and let me know how that works for you. Thanks.

Level 14

Not the OP, but we've had this product for 6+ months and it pretty much does what it says on the tin in my opinion. We hadn't needed some of the other features that make sense, like exporting logs, etc., but those seem to be added at a decent clip.

We've been able to add the syslog message to the Orion Alerts in the same way that Jamie has provided.

We use it to alert via Orion on a variety of log sources such as Linux, storage appliances, database audit logs forwarded via syslog and of course networking devices. We funnel most everything through Kiwi to keep Informational and above and then use Warning and above to forward to Orion for alerting purposes. The alert integration was definitely needed and works great, and you can even set up another Log Analyzer rule to use as a reset condition so you don't have to just reset immediately or reset after 60 minutes, for example, but can wait for an all-clear message from your appliances.

Product Manager

You can easily add the message body of the log entry by using the Log Entry Message variable within your e-mail alert. Other variables include the rule name that caused the alert to trigger and the hit count of the rule.

Is this the main obstacle you were running into or are there some additional limitations? If you'd like to set up a call to discuss, just let me know.



Level 12

Thanks for the information, this was very helpful. We implemented the change and now don't have to perform extra steps to view actual errors.

MVP

How is Log Manager licensed?

Most log management tools are licensed based on the volume of log data you generate. This requires you to estimate your log volume, costs can rapidly increase if you miscalculate your log volume and you may have to selectively choose which logs to send to your log management tool to stay within your volume limit. Log Manager uses a very simple and affordable node-based licensing model. If you are transmitting logs from 100 devices, that simply equates to 100 nodes. It is worth pointing out that each node you are receiving log data from, must be managed by Orion.

How/when is a LM license used? Is there a timeout to when a license is freed up (i.e. no messages in X timeframe)?  Or is it more like NCM where you have to specifically assign devices to be part of LM and use a license?  What will happen if you go over the license? Will the devices past the limit go into "basic LM functionality"?

Product Manager

By default, when log data is received by a node, that node will consume an LM license. However, this can be overwritten and you can exclude nodes from automatically consuming a license if log data is received. You can also add/remove nodes from the LM license pool, in a similar manner to NCM. It is not possible to go over the license. Once you hit your license limit you will get a notification to inform you that you have reached the limit and it will not be possible to add additional nodes at that point.


jhynds And once you hit your license limit, ALL additional logs coming through will be discarded, or just not be capable of using all features? For example, in our situation, we would really only need our core devices, plus a handful of another subset of devices, to be licensed, and fully integrated (probably somewhere under 300 nodes). However, we CANNOT lose basic syslog functionality to the remaining 1700 nodes. Are we going to be required to choose between all or nothing, or will we be able to split full/limited functionality across all licensed/unlicensed nodes?

Thank you,

-Will

Product Manager

Hey Will! In short, it is all or nothing. Once you hit the license limit any additional logs will be discarded. I totally understand the desire to split the functionality depending on log sources but it would get complex very quickly and could get very confusing, e.g. log messages containing keywords that you want to tag, but only some of the logs are tagged due to the split functionality.

I would think, if the syslog message comes from a licensed node, then it has the ability to become tagged. If the syslog message is not licensed, then a tag cannot be applied, regardless if anything in the message matches the rule. Process the rules, only applying tags for nodes which are licensed. I'm sure it's not that straightforward, but I couldn't imagine it being super complex... At least not compared to some of the other magic y'all have achieved throughout the other modules. Come on, we have faith in y'all... You'll figure it out!!

MVP

I was hoping it would be something similar to VMAN licensing where you can set vCenter or ESX hosts to be VMAN or Basic polling, you set certain number of nodes up as LM nodes otherwise basic monitoring kicks in.

YES!


Feature Request Please!! Got my vote.

- David Smith
MVP

Sorry if it sounds like I'm repeating myself here and other threads but I am trying to understand the full impact when the trap/syslog viewer is replaced.

1. When syslog/trap viewer is deprecated, NPM will contain a basic cut-down version of LM - no charts, live mode, or "Analyse Logs" button. There won't be any tagging/colouring either so we'll lose that functionality.

2. If you purchase a LM license:

  a) Any device sending a log message to the system will consume a license but you can exclude the node from consuming a license.  What happens to the data that these excluded nodes are sending? Will they still be processed under "basic functionality"? 

  b) If I hit my license limit, any new logs received by the system will be automatically discarded. These would not even be processed under the basic functionality?

What about a scenario where I have a small number of key systems (5-10) that I want to process trap/syslog messages fully (tagging, etc.), but I also have another 500 devices that I might only receive a couple of messages from a week but I'm still interested in seeing (basic functionality like alerting). I would have to buy an LM500 (or 1000 if I'm past 500 devices) instead of an LM10 license? In wluther's scenario, he'd have to get an even larger license that isn't on the price list (a post further up says to contact an account manager)?

Product Manager

Hey Steven,

1: Correct. The cut-down version of LM will provide basic syslog and trap monitoring and the functionality will remain as close as possible to the syslog/trap viewers. Tagging is one of the only features that is moving from syslog/trap viewers to a paid Log Manager feature. We've made a conscious effort to ensure that the LM version which will replace syslog/trap viewers remains feature rich and provides enough functionality to aggregate, search and alert on your log data. 

2a: If a node is excluded from consuming a license, any log data transmitted to LM from that node will be discarded until it is added to the LM license pool. The logs will not be processed under basic functionality.

2b: Correct. If you hit your license limit, you will not be able to add any additional nodes and therefore logs will be automatically discarded until you free up some licenses or upgrade to a higher tier.

In short, it is not possible to run Log Manager in a mixed-mode whereby some logs can avail of licensed features such as tagging (with more exciting features to come) and other logs cannot avail of licensed features. It would be quite confusing to decipher what you can and can't do with certain logs based on the license assigned to the source device. In your scenario above, you could need an LM500 to cover all 500 devices (or a larger tier if >500 nodes).

MVP

Thanks again for the clarification. This cleared up my confusion. I really wanted to be sure before I accidentally recommended vastly underlicensing some systems.

Thanks for the clarification jhynds. Are you not worried this will force people into not taking the product and instead choosing to stay on the free, slightly feature-poor version, which is something they have had included in NPM since its existence?

- David Smith

dgsmith80 Exactly. For that exact reason, this product has already made it on to our "No Buy" list. I was pretty excited when it came out, but the limited functionality, and poor licensing setup, has pretty much ruined any chances it would have had to be purchased. Now, unfortunately, that functionality will most likely be replaced by another product, from another vendor.

I mean I can see use cases, where maybe you're using Kiwi Syslog or some other type of aggregation/filter layer and only forwarding on the priority devices into Orion directly, but that isn't the most common of situations.

- David Smith

One of the AEs I spoke with suggested we simply send it all to Kiwi (which is a bloody nightmare to manage in the first place), then have kiwi forward over things we need (which we currently do anyway). He said, since it's coming from Kiwi, it would only take a single license. While I initially wrote that off as the worst way to do things, being that all messages would then need to remove the real source in order to work... I had been thinking about the possibility of taking that solution, and combining it with some SQL thingamabobs, parsing the real source IP from the message, and rebuilding the connection to the real node after being processed by LM. Definitely not a top tier priority for me, but it itches my mind enough that I will likely look into it a few times.