cancel
Showing results for 
Search instead for 
Did you mean: 
Create Post

Allow For Syslog Product Overlap; Log Manager & Legacy Syslog (w/Kiwi)

Allow For Syslog Product Overlap; Log Manager & Legacy Syslog (w/Kiwi)

The new Log Manager product is a nice tool to have, and I understand that product is the future of the syslog functionality for SolarWinds. However, it would be nice to be able to continue to use the old/legacy syslog tools in addition to the new Log Manager tools. We have more nodes sending syslog than Log Manager can even be licensed for, so we couldn't even go full Log Manager if we wanted. Having said that, if we put 1000 of our most important devices to send syslog using the LM product, we immediately lose 100% of everything else. (unless I'm missing something here) So, under the presumption I have the basics correct, we can either choose to process syslog from 1000 devices, losing everything else, OR we can stay with our current Kiwi setup, being able to process ALL syslog from ALL devices, but without all the nice features of LM.

Why not just keep functionality for both sides? (At least for a while, until LM evolves into a more mature product.) I would love to be able to use LM and all its wonderful features for our core network, while still being able to process all the syslog from our peon level nodes too. I know it's not as simple as flipping both switches to yes, but I can't imagine it being rocket surgery or anything too difficult.

Thank you,

-Will

9 Comments
Level 16

LM will be expensive “notifications software” if then should replace  my Orion traps alerts

The per node /IP license is not cost effective to SLX type environment with 3000 nodes.

Could you not send all your syslog to Kiwi and then have a rule to forward (maintaining source IP) the syslog messages you do wish to have in LM4O?

This allows you to do the filtering or noise within Kiwi, which will help the processing capacity of LM4O.

Yes, we currently use Kiwi as a filter, but since they are keeping new syslog functionality integration separate from legacy/kiwi, then we have to pick 1. We can either have the new features, or the old. Currently, when we forward syslog from Kiwi to SolarWinds, we can do so for ANY/ALL syslog messages, without a node restriction. Once you choose to take the Log Manager route, you can no longer send other syslog messages (non-licensed) to SolarWinds, as they are simply discarded. Since we cannot use both the legacy AND LM app/features/functionality simultaneously, we have to choose one and lose the other.

I have to agree with you on this one!  I spoke with our SW account manager at length after I demo'd LM about this exact issue.  We have over 1000 nodes sending traps and logs but at any given time we only look at a handful and have alerts set up on only a few.  I do like the functionality of LM with integrated alerts and such but the cost is very prohibitive to do large numbers.  What I would like to see is either keeping both tools or combining them a little more, ie license per node for ones that you can alert off of but still collect all the others into the database and allow searching and viewing of the other traps / logs for trouble shooting purposes. 

sja​ Well, I think it's going to get real bad when they shutdown the current/legacy syslog functionality (which has ~12 actions), replace it with a minimal LM version that does NOT do those same actions, AND the minimal LM canNOT be used along with a paid LM license. In other words, when they replace the fully functional base syslog tool with a version of LM that does not do the same basic functions, we would be forced into using a different product (licensed LM for basic features?). AND, at the same time, we wouldn't be able to use a limited license of LM (maybe 150-250 node count) applied to important nodes, while allowing any and all additional nodes to fall into the minimal/reduced functionality. Hopefully they don't force everyone to go all or nothing.

If they go that way, I'm sure the pitch forks will come out soon after.

justinb@city.ketchikan.ak.us​ I think that idea would be best for everyone. A good middle ground. Having the ability to use licenses for more important/critical nodes while still maintaining the basic syslog functionality that exists today for any remaining nodes should cover all bases.

I sometimes feel bad for some of these decision makers, as I understand they need to make money. But taking away core functionality of a program that has been around for so very long, and replacing it with a shiny replica at a steep price, well that just doesn't feel right to me. And the same goes for forcing folks into the all or nothing choice.

They knocked it out of the park with NetPath, PerfStack, and a few other new features. Those things came out and added more value to the bottom line, perhaps compensating for some other areas in which they have been falling behind the competition.

Level 16

We have alerts on critical doors, cameras, beam sensors, etc.. and EVERY event needs to trigger an alert. If two people scan through the same door into the data center right after one another both entries need to have separate alert events. Similarly if two different people pass by a camera in the data center within the same 10 seconds both need to be noted by our NOC. 

I have been testing the new Log Manager and if you have a rule the triggers for the same Camera/Door/UPS/Air Handler/PDU/YourDeviceGoesHere the minimum amount of time that the event will trigger again is 60 seconds AND your NOC has to acknowledge the message in the Alerts Console before it will trigger again ever.

The old syslog engine triggered every time for every event with very little time lag. The new one triggers once a minute and only for the first event in that minute, then never again unless it is acknowledged.

The new features are nice and being able to get it into the advanced alerting engine is good but the loss of all but the first alert every minute is a show stopper in our environment.

Level 10

Just had to back out the latest upgrade and then re-run without the LM integration. We forward on our syslogs to SIEM via SolarWinds with a rule. If they phase out being able to do this, we will end up looking for another tool to do the job. You cant remove core function and then try and charge for the same thing in another product.

Community Manager
Community Manager
Status changed to: Open for Voting