
Orion Log Viewer the New and Improved Version of the Syslog and Trap Viewers

While the existing syslog and trap functionality that ships with the Orion® Platform has served us well over the last several years, there has always been some room for improvement. For example, we would sometimes hear from users that syslog collection would bog down their database or that it was inconvenient to manage logs outside the web console. Another common issue raised was around the lack of integration with Orion alerting.

As we built Log Analyzer, we wanted to do something about this valuable functionality that also seemed to be causing issues for our users. That’s where Orion Log Viewer comes in.

Orion Log Viewer (or OLV for short) is built on the Orion Platform and is a subset of SolarWinds® Log Analyzer’s functionality. It shares the same system requirements as LA and gives you the ability to collect, view, filter, search, manage, and alert on syslogs and traps from within your SolarWinds web interface. And the best part is, NPM users can get this updated functionality for no additional cost.


OLV will not only make it easier to manage your logs, but also give you extra visibility into performance issues by including syslog and trap data in your PerfStack dashboards. The additional context can help speed root cause investigation and troubleshooting. Additionally, both OLV and LA use the same alert engine as the other Orion-based products, nearly doubling the amount of alert actions you can take from your logs and reducing the number of alert engines you have to learn and maintain.

Orion Log Viewer also ships with its own database specifically designed for log collection, lessening the impact of collecting logs on your Orion database. You can see how each of the different versions of the logging tools compare in this knowledge base article.

As mentioned earlier, OLV is a subset of Log Analyzer, so to get this updated functionality, you need to download and install a free trial of Log Analyzer on the same server as your NPM instance. At the end of the 30-day trial, if you decide not to purchase LA, the additional functionality that it provides will simply turn off. All that will remain is the functionality provided with Orion Log Viewer. At that time, OLV will be supported at the same level as your NPM license. If you decide later to upgrade to Log Analyzer, simply activate a license key and the functionality will return.

One note for those using the existing syslog and trap functionality: installing Log Analyzer/OLV will override your existing rules. This means your previously configured syslog and trap rules and alerts will no longer be active. While there is no migration path for existing rules or log data to transfer to OLV, they will continue to be readable.

Orion Log Viewer is the future of syslogs and traps in Orion. We would love to get your feedback on the tool, so we can continue to improve it and support you.

Comments

Yes yes yes yes yes and YES! Can't wait to check this out. Spectacular work SolarWinds.

This is cool, can I alert on traps and syslogs, like I did with the old version?

Absolutely! In fact, even better as Orion Log Viewer uses Orion's web based alert manager!

Yes, you are able to alert on syslogs and traps. Here is the blog post that walks you through it: Creating an Orion Alert with Log Manager 1.1

ferrashoo  wrote:

This is cool, can I alert on traps and syslogs, like I did with the old version?

Absolutely! When you evaluate the functionality, you'll see this button in the upper right hand corner that will allow you to configure your alerts.

pastedImage_2.png

pastedImage_3.png

Traditionally syslogs could absolutely kill an Orion database, even with the default retention policies enabled. Mostly due to the amount of chatter firewalls can generate.

Really grateful you went and created an NPM licensed version of this as well. Bringing traps and syslog into the web console fully has been a long time coming.

Will the Kiwi Syslog licensing structure be going away?

Glad to hear you like what we've done with Log Analyzer so far! Kiwi Syslog licensing remains as-is, with no plans to make any adjustments.

Hi, we are NPM licensed users, how do we get OLV? Do I need to upgrade my license somehow?

You need to download and install a free trial of Log Analyzer on the same server as your NPM instance. At the end of the 30-day trial, if you decide not to purchase LA, the additional functionality that it provides will simply turn off, and you'll be left with Orion Log Viewer.

Orion Log Viewer also ships with its own database specifically designed for log collection. Lessening the impact of collecting logs on your Orion database.

Query: Does this mean it's a mandate to have a new database for OLV?

Yes, Orion Log Viewer requires its own database (SQL Server 2016 or later), however this database can reside on the same server as your Orion database. When you upgrade to Log Analyzer/Orion Log Viewer, your old log data will remain in the Orion database but all new log data will be stored in the new database.

Couple of questions here:

- Since the "legacy" traps and syslogs aren't migrated, is there any reason to keep/preserve them after installing Log Analyzer?

- If not, is there a handy way to clean them out or is it just a SQL script with a few truncate tables?

Syslog and Trap data collected via the Legacy Syslog & Trap receivers should be purged automatically as part of nightly maintenance based upon their configured retention settings.

Ah; so it will just age off rather than being killed at once.

Makes sense; will just set a reminder for after the retention setting date to see if I need to shrink the db.

Yes you will need an additional database to install it. In my instance I have 3 separate databases. 1 - NCM, 1 - Netflow, 1 - Log Analyzer.

Before installing you want to be aware that it only processes one unique message per host per minute in its current state.

Here is some more information on this 'bug'

Multiple alerts in a single alert cycle possible in Log Analyzer ?

Be sure to vote in this poll!

Is there any documentation on just the regular Orion Log Viewer?  Some of my coworkers were asking about it and I have never used it before so I am trying to figure it out.  Any documentation I find is for the pay Log Analyzer not the Orion Log Viewer.  Thanks!

jvb​ owns the product and can help with additional questions, but to get you started here's a feature comparison chart LA feature comparison

ok cool. I will have to dig into this next week. Thanks!

jvb​ - Good Afternoon!  I checked the link Serena posted and I really can't figure out what I am doing with this.  Do instructions exist for the built in log viewer or are they all for the Log Analyzer?  I have never used the Syslog viewer so I am at a bit of a loss here.  Thanks!

martian monster​ We are in the process of reorganizing the documentation to more clearly differentiate Orion Log Viewer from Log Analyzer. Give me just a bit to check on the progress of that effort and I'll ping you. In the meantime is there a short list of things you are trying to do that I could try and point you in the right direction on?

jvb​ I have not used the Orion Log Viewer at all before so I am not sure where to start.  If I go to Alerts & Activity > Sys Logs there are logs in the log viewer but I am not sure if I am in the right place.  I can go to My Dashboards > Syslog and there is nothing there.  pastedImage_1.png

When I click on 'configuring required services' both services are running on my Orion server. 

Am I looking in the right place? 

Thanks -Dave

It looks as though you haven't installed Log Viewer yet. Is that correct?

Dunno?  This whole thing has been confusing do we have the log viewer? Do we have the Log Analyzer? One of my team members that used the old log viewer asked me to look into this a few weeks back and all I have been able to do is go around and around and around and not get a straight answer.  What is the log viewer that is included in Orion now? Thanks!!

If you install Log Analyzer, it will fall back to the free Log Viewer after the 30 day evaluation expires.

Ahhhh that's why I could not find anything.  I will probably get this rolling next week and see how things go. 

I just checked the SQL back end and the SolarwindsOrionLog database is at 11GB so it must be getting logs from something.

Very cool!

Couple quick questions -

Can OLV be integrated with SAM? Also, can we configure this to monitor our application logs, some of which are in Log4j format?

OLV can certainly run on the same Orion instance as SAM along with any other Orion modules you have. Collection of flat log files is not supported in the current release but it is something we are considering for possible future releases.

So Far.....  NOT a Fan....  The previous syslog viewer I have been using for the last 16 years with Orion is far easier to use, far easier to understand and is infinitely faster.  We have 18 polling engines and thousands of devices sending syslogs 24 x 7.  With the old syslog viewer if I wanted to research something all that was necessary was to partially match a message apply the search to all servers and BAM you had results filtered and viewable in a fraction of a second.  With the new log viewer the queries constantly time out.  In the end you are needing to take many extra steps just to get the viewer to look at the proper message from the proper host.  You either have to search for the host or sometimes you need to engage the help of a system admin who can SSH or telnet to the device and send you a portion of the syslog and then go back to the web view and perform more searches so a filter can be built that doesn't make the query choke and time out.  With the previous version once you have just a portion of the message you wanted you could follow the tabs across the top all the way to having a custom HTML alert message sent in just a few seconds.  The new log viewer this can take minutes...  Searching is so difficult that we are actually looking at using Kiwi syslog for the searches. 

jdwinns  wrote:

Very cool!

Couple quick questions -

Can OLV be integrated with SAM? Also, can we configure this to monitor our application logs, some of which are in Log4j format?

Yes it can be integrated with SAM. In the version that's commercially available, it's not yet ready to consume Log4j logs, but definitely jvb and I have been talking about how to make OLV a great solution to pinpoint application logs. Your feedback on which logs you'd like to support is important, and any additional details (e.g. only log4j? How big are the logs you're looking to parse? What are you looking for in those logs and when?) would be extremely helpful.

My SolarWindsOrionLog database has grown to 112GB whilst I wasn't watching. I have opened a case as I suspect maintenance isn't working.

Orion Platform 2018.4 HF3, NCM 7.9, NPM 12.4, LM 2.0, NTA 4.5.0, VMAN 8.4.0, SAM 6.8.0, NetPath 1.1.4

Currently a little behind, but I could spot a fix for this in the release notes.   Retention is set to 7 days as default for searching.

jvb​ - I opened a ticket but I am still at a loss at how this works.    I went back and removed nodes so I am only dealing with 4 to try and make this easy. 

Is this where the logs are or should be? This seems like it should be really simple.  

pastedImage_1.png

Or is it here? 

pastedImage_2.png

Or is this it? 

pastedImage_3.png

This is my last response from support -

pastedImage_4.png

The first screen shot is where you should be looking. That being said, I am trying to piece this together as something doesn't make sense. You said you are only using the basic Log Viewer (you do not have an active license of Log Analyzer). Windows Events are only supported in Log Analyzer (LA feature comparison), so it is odd that there are Windows Events showing there. With basic Log Viewer only syslog and traps are supported.

That makes sense.  I am getting someone to point a switch to SW and see if that does anything. 

So amazing things happen when one of the Infrastructure Engineers points a switch to Orion. 

One thing I was missing was the node was set to send logs to Orion BUT the node did not know that.  Once we pointed logging to Orion and then added the node to Orion this page propagated.

Our other issue is we were looking at the wrong syslog page via My DashBoards.

  Thanks for the support!!!  jvb


Great! Glad to help! Let me know if there is anything else

We are currently monitoring these Log4j application logs using the SAM Log Parser application monitor template (Powershell/Perl). These are working good but if there is a cleaner way to monitor these logs, I'm definitely up for looking into it.

The logs that we are monitoring range in size but mostly between 100MB - 250MB and we are mostly looking for any "ERROR" strings. We also have a number of these monitors leveraging custom written regex strings, I've included an example below. Most of our app log monitors are configured to parse (run the script) once every 10 minutes (hope this helps).

$regex = "^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ERROR (?!.*(rule to wildfly)).*$";

Few quick queries:

Can this be installed as standalone and not have any other plugin installed?

Is device addition mandatory to receive logs? Any other option if only logs need to be received and then filter to alert it further..

What is the max number of devices from which logs can be received?

Thanks for the input JD... Very useful and as serena​ mentioned we are looking at application logs as a possible next step for Log Analyzer so I may ping you offline for some additional detail.

It depends on what you mean by standalone. Orion Log Viewer is an add on that requires at least one of the following modules: NPM, NCM, SAM, VMAN or UDT. However there is a more feature rich paid version Log Analyzer that can be installed as a standalone instance if you want. The nodes you want to collect logs from do have to be managed nodes in Orion either way because we need an entity to tie the logs to. The max number of nodes is less important than the events per second you plan on receiving. Currently Log View / Log Analyzer can handle about 1000 Events Per Second. (Roughly 90 million per day)

Hi k1gaudineer​ sorry for the late reply here. For some reason I missed this when it initially posted. We are actually doing some research in to use cases where timeouts occur during a search and it sounds like you have some of those. I would like to speak to you about those as well as get some deeper input from you on the new alert building process since it sounds like it isn't working well for you. I'll ping you offline to set something up.

Thank you for the reply... Yes please reach out when you have time so we can discuss. Anything we can do to help make improvements please feel free to reach out. If you like I can also do some desktop sharing so I can walk you through my work flow / process when working with the OLV.

Hello, I am trying to understand what Solarwinds recommends.  I am going to install Log Analyzer and use the free "Orion Log Viewer".  Does Log Analyzer handle the same amount of syslog, traps, and Windows event log flow as Kiwi Syslog Server does so it would be redundant to install Kiwi Syslog Server?  Or does Solarwinds recommend that Kiwi Syslog Server still be purchased and use it as your archive system and forward your critical alerts to Log Analyzer? Thanks

Orion Log Viewer / Log Analyzer can handle 1000 Events per second or about 90 million events per day which is significantly more than Kiwi. However, some people do still use Kiwi as a sort of front end to process and discard events and only send along specific message to Orion for further action. It is really just about preference at that point rather than performance.

thanks this answers my query... We have one new customer who is only looking at syslog part and they want to use SolarWinds LA...

And 2 other things:

First on DB, this would sit on separate VM and it is same like any other Orion deployment that we do right?

Second, LA can send logs received to other system or ticketing tool as well right?

The LA DB is separate from the Orion DB so yes you could easily put it on another VM / SQL instance if you like but it can also live in the same instance as the Orion DB too.

Yes, LA can forward logs to other systems and Orion has native integrations to Service Now and Solarwinds Service Desk

Log forwarding

Orion Platform 2019.4 RC - SolarWinds Service Desk Integration

Success Center

Great.. Actually our requirement is to only have LA and no other modules.. Hence I wanted to know about the database.. Any details around the specs that should be considered if logs need to be kept for a year...?

I sent you a private message to set up some times to discuss.

Hi jhynds​ and adatole

Any plans for LAB episode "how do I migrate legacy traps to Orion Log Viewer"?

Version history: Revision 1 of 1. Last update: 04-04-2019 03:31 PM