
Log Analyzer 2.0 is now Generally Available

Product Manager

I’m pleased to announce the General Availability of Log Analyzer (LA) 2.0 on the Customer Portal. You may be wondering what Log Analyzer is. The artist formerly known as Log Manager for Orion has undergone a transformation: it has evolved past its former life as a 1.0 product and become Log Analyzer 2.0. The name was selected after extensive research into what our users would call a product that solves the problems our tool solves, given its feature set. I hope you like the new name!

This release includes Windows Event Support, Log Export, Log Forwarding and Rule Improvements as well as other items listed in the Release Notes.

Windows Events

As a system administrator, closely monitoring Windows Events is vital to ensuring your servers and applications are running as they should be. These events are also hugely valuable when troubleshooting all sorts of Windows problems and determining the root cause of an issue or outage. While there is a vast array of Windows event logs, the three you'll most likely focus on when troubleshooting are Application (events written by programs installed on the system), System (events from Windows components such as services and drivers) and Security (audit events such as authentication attempts and resource access). Trawling through Event Viewer on individual servers to find the needle in the haystack is a laborious task, and a tool such as Log Analyzer can be a real life saver when it comes to charting, searching and aggregating these events. Thanks to the tight integration with Orion, you can view your Windows Events alongside the performance data collected by other tools such as NPM and SAM. It's worth noting that you can also add VMware events into the mix, thanks to the latest Virtualization Manager (VMAN) release.

To start ingesting Windows Events with Log Analyzer, install the Orion Agent on the Windows host. Windows Event Forwarding is also supported, so if you prefer to forward events from other nodes to a single collector node with the Orion Agent installed, that's an option too. By default, we collect all Windows Application and System events, along with 70 of the most common Windows Security events. More information on setting up Windows Event Collection is available in the product documentation.

Once you have the agent installed and added the node(s) to Log Analyzer, you'll see the Events within the Log Viewer. Events are automatically tagged with Application, System or Security tags. Predefined rules are also included out of the box which tag events such as Authentication Events, Event Logs Cleared, Account Creation/Lockout/Deletion, Unexpected Shutdowns, Application Crashes and more.

[Screenshot: Windows Events in the Log Viewer, tagged Application, System or Security]
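The tagging the post describes, as an added example that is not Log Analyzer's own rule engine: a small Python rule table keyed on channel and Event ID assigns the same kind of tags (Authentication, Event Log Cleared, Account Creation/Lockout/Deletion, Unexpected Shutdown, Application Crash), and a failed-logon burst check goes one step further than the post. The Event IDs are the standard Windows ones (1102, 104, 4624, 4625, 4720, 4726, 4740, 6008, 1000); the event records are constructed sample data, and the rule table, function names and threshold are this example's assumptions.

```python
"""Tag Windows event records by channel and Event ID, and flag failed-logon bursts.

Added example, not Log Analyzer code. The Event IDs are the standard Windows
ones; the event records below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# (channel, Event ID) -> tag. Tag names mirror the categories the post lists.
RULES = {
    ("Security", 1102): "Event Log Cleared",      # audit log cleared
    ("System", 104): "Event Log Cleared",         # System/Application log cleared
    ("Security", 4624): "Authentication",         # successful logon
    ("Security", 4625): "Authentication",         # failed logon
    ("Security", 4720): "Account Creation",
    ("Security", 4726): "Account Deletion",
    ("Security", 4740): "Account Lockout",
    ("System", 6008): "Unexpected Shutdown",      # previous shutdown was unexpected
    ("Application", 1000): "Application Crash",   # source "Application Error"
}


def tag_event(ev):
    """Return the tags for one event: its channel first, then any rule match."""
    tags = [ev["channel"]]
    rule = RULES.get((ev["channel"], ev["event_id"]))
    if rule:
        tags.append(rule)
    return tags


def failed_logon_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Return {target_account: peak_count} for accounts whose 4625 (failed logon)
    events reach THRESHOLD inside any sliding WINDOW.

    A sliding window is used deliberately: fixed one-minute buckets can be
    straddled by an attacker who spreads attempts across the bucket boundary.
    """
    per_account = defaultdict(list)
    for ev in events:
        if ev["channel"] == "Security" and ev["event_id"] == 4625:
            per_account[ev.get("target", "")].append(ev["time"])

    flagged = {}
    for account, times in per_account.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[account] = peak
    return flagged


def tag_all(events):
    """Tag every event; returns a list of (event_id, tags)."""
    return [(ev["event_id"], tag_event(ev)) for ev in events]


T0 = datetime(2019, 3, 12, 10, 0, 0)

# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"time": T0, "channel": "Security", "event_id": 4720,
     "target": "svc_backup", "message": "A user account was created."},
    {"time": T0 + timedelta(seconds=5), "channel": "Security", "event_id": 1102,
     "message": "The audit log was cleared."},
    {"time": T0 + timedelta(minutes=1), "channel": "System", "event_id": 6008,
     "message": "The previous system shutdown was unexpected."},
    {"time": T0 + timedelta(minutes=1, seconds=30), "channel": "Application",
     "event_id": 1000, "message": "Faulting application name: sqlservr.exe"},
    {"time": T0 + timedelta(minutes=2), "channel": "System", "event_id": 7036,
     "message": "The Print Spooler service entered the running state."},  # no rule
]
# Six failed logons against "administrator" inside 40 seconds form a burst;
# two against "jdoe" stay below the default threshold.
SAMPLE_EVENTS += [
    {"time": T0 + timedelta(minutes=3, seconds=8 * i), "channel": "Security",
     "event_id": 4625, "target": "administrator",
     "message": "An account failed to log on."}
    for i in range(6)
]
SAMPLE_EVENTS += [
    {"time": T0 + timedelta(minutes=4, seconds=30 * i), "channel": "Security",
     "event_id": 4625, "target": "jdoe", "message": "An account failed to log on."}
    for i in range(2)
]


if __name__ == "__main__":
    for event_id, tags in tag_all(SAMPLE_EVENTS):
        print(event_id, tags)
    print("bursts:", failed_logon_bursts(SAMPLE_EVENTS))
```

Run as a script it prints each sample event with its tags and then `bursts: {'administrator': 6}`; the 7036 service-state event carries only its channel tag because no rule matches it, which is the behaviour you want from a tagger (untagged is not the same as dropped).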

Windows Events are also supported in PerfStack, enabling you to correlate performance data with Windows Events. For example, in the screenshot below there are memory spikes on a SQL Server with corresponding Windows Events and Orion Alerts. Drilling into the Windows Events, you can clearly see that insufficient system memory is causing the Node Reboot and SQL Server Insufficient Resources alerts.

[Screenshot: PerfStack view correlating SQL Server memory spikes with Windows Events and Orion Alerts]

Log Forwarding

Log Analyzer shouldn't be seen as a dead end for your log data. There may be times when you need to forward imported syslog messages and traps to another tool, such as an incident management system or a SIEM, for further processing and analysis. This release includes a new 'Forward Entry' rule action which forwards syslog/traps to another application. You can keep the source IP of the entry intact or replace it with Orion's IP address. If you replace it, the downstream tool sees Orion as the sender of every forwarded entry, so it has to attribute each message to the originating device using the hostname carried inside the message rather than the packet's source address:

[Screenshot: 'Forward Entry' rule action]

[Screenshot: forwarding destination and source IP options]
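A worked illustration of the forwarding trade-off above, added here and not taken from the post or from Log Analyzer: a minimal RFC 3164 syslog parser and UDP relay in Python, with the receiver-side attribution a SIEM needs once the packet source has become the relay's address. The sample syslog line, hostnames and function names are constructed for the example.

```python
"""Parse RFC 3164 syslog lines, relay them over UDP, and attribute them on the
receiving side by the HOSTNAME field rather than the packet's source address.

Added example, not Log Analyzer code. The sample line is constructed.
"""
import re
import socket

# RFC 3164 layout: <PRI>TIMESTAMP HOSTNAME MSG, where TIMESTAMP is "Mmm dd hh:mm:ss"
# (day space-padded) and PRI encodes facility*8 + severity.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<msg>.*)$"
)

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_syslog(line):
    """Split one 3164 line into its fields; raises ValueError on anything else."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 line: %r" % line)
    pri = int(m.group("pri"))
    if pri > 191:  # 23 facilities * 8 severities - 1
        raise ValueError("PRI out of range: %d" % pri)
    return {
        "facility": pri // 8,
        "severity": SEVERITIES[pri % 8],
        "timestamp": m.group("timestamp"),
        "hostname": m.group("hostname"),
        "msg": m.group("msg"),
    }


def is_syslog(line):
    """True when LINE parses as RFC 3164."""
    try:
        parse_syslog(line)
        return True
    except ValueError:
        return False


def forward_syslog(line, dest_host, dest_port):
    """Re-send one line unchanged over UDP. An ordinary socket sends from this
    host's address, so the receiver sees the relay, not the original device, as
    the packet source; only the HOSTNAME field still names the origin."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (dest_host, dest_port))


def attribute(payload, sender_ip):
    """Receiver-side view of a relayed entry: key on HOSTNAME for the origin and
    record the sender address separately as the relay."""
    fields = parse_syslog(payload)
    fields["origin"] = fields["hostname"]
    fields["relay_ip"] = sender_ip
    return fields


# Constructed sample: a Cisco-style link-down message, facility local7 (23), severity notice (5).
SAMPLE = "<189>Mar 12 11:21:15 core-sw-01 %LINK-3-UPDOWN: Interface Gi1/0/7, changed state to down"


if __name__ == "__main__":
    # Round-trip through a loopback listener to show what the receiver gets.
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))
    rx.settimeout(2.0)
    forward_syslog(SAMPLE, "127.0.0.1", rx.getsockname()[1])
    data, (ip, _) = rx.recvfrom(4096)
    rx.close()
    print(attribute(data.decode("utf-8"), ip))
```

Run as a script it relays the sample line to a loopback listener and prints what the receiver sees: `relay_ip` is 127.0.0.1 while `origin` is core-sw-01. That is exactly the situation a SIEM is in when Orion replaces the source IP, so any downstream correlation keyed on sender address will lump every device under Orion unless it is re-keyed on HOSTNAME. Plain UDP syslog also carries no authentication, so the HOSTNAME field is only as trustworthy as the network path between the relay and the collector.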

Log Export

When troubleshooting problems it's often necessary to share important log data with other team members, external vendors or attach to a helpdesk ticket. You can now do so thanks to the new Export option within the Log Viewer.

[Screenshot: Export option in the Log Viewer]

[Screenshot: export dialog]

Rule Improvements

We've added some pre-populated dropdown menus for fields such as MachineType, EngineID, Severity, Vendor and more to make it even easier to create log rules. It is now also possible to adjust the processing order of the rules.

[Screenshot: rule editor with pre-populated dropdowns and rule ordering]

The team is already hard at work on the next version of LA, as you can see covered here in the What We're Working On post. Also, please keep the feedback coming on what you think and what you would like to see in the product in the Feature Requests section of the forum.

19 Comments
Level 7

Log Export does not work

MVP

Very nice features. I really like having a single application through which I do all of my monitoring. This is making SolarWinds much more viable in the log management areas.

Product Manager

Have sent you a private message to discuss further. There are currently no known issues with the new export feature, happy to assist with troubleshooting to get your exports up and running.

MVP

Hello Guys,

This looks very nice! How it looks for folks with just NPM license and using Basic Log Manager (free license)?

Is there Basic Log Analyzer available, plans to introduce or other Basic features upgrade?

Thanks.

Kind regards,

Marcin.

Level 9

https://thwack.solarwinds.com/people/jhynds, can you expound upon what you mean by "generally available?" Does this mean Mac users are S.O.L.?

Product Manager

Glad you like the features within this release. For users running the basic version, you can avail of the Log Forwarding feature in this release; however, Windows Events and Exporting are only available in 'Log Analyzer' (formerly Log Manager for Orion).

Product Manager

In order to deploy Log Analyzer, you will need Windows Server 2016 or greater. Do you need to collect logs from Mac or are you trying to deploy LA on a Mac?

Level 9

jhynds Neither, bad joke on Macs being a handicap.

Level 12

We started using the new version. Looks good, can't wait to see how you continue to build on it.

Level 11

Hi, anyone... is there a solution to import "the old" syslog / trap alert rules into LA somehow with a SQL string?

I got lots of alert definitions that need to be migrated to LA...

happy for any help....

Level 10

Hello,

Just curious what the main differences are between Log Analyzer and LEM?

MVP

This is far better than the log management that I "grew up on" with NPM. I really appreciate the improvements.

Level 16

Just loaded up the latest version and it still suffers the same flaw as the previous version. It can only process and alert one event per minute per host.

So for example if one of your UPS systems loses power and sends a syslog stating power is lost it will generate an alert for the first event. If the UPS sends a second, third, fourth event within the same 60 seconds those events do not trigger alerts.

So... if power is restored to the UPS 30 seconds later you will never know it and assume power is still out. 

Hopefully this will eventually get fixed. While it is a nice GUI this flaw prevents me from being able to install it in my production environment.

Still using the 'old' version because it triggers alerts every time.

Orion Platform 2019.2, NPM 12.5, LA 2.1, NetPath 1.1.5 © 1999-2019 SolarWinds Worldwide, LLC. All Rights Reserved.

Level 16

Got word back that Support is turning this in as a bug. Hopefully a fix will come out soon.

Level 16

Here is what I got back

[image: support reply]

And then they went on to say...

[image: support reply, continued]

So basically they are saying that I can only get a single event per minute, per rule and if I want to go lower it will overload the Orion Alerting Engine.

[image] works way better. It triggers an alert for EVERY message.

MVP

Excellent features to have.

Next required -

Log Analyzer sizing guidelines based on configured parameters like number of Rules, number of forwarded logs, logs received per hour etc. Sizing from a CPU core perspective, Memory, Storage

Level 10

We had to open a feature request for this. Please vote on it if you get a chance:

Thanks.

Steve

Level 10

Never mind. I see your comments on our thread. I voted on your feature request, too, btw.

MVP

I've just started using LA and I can't do a simple thing like forward a syslog to an email. Yes I can create the rule to fire off an alert, but I can't attach the actual syslog message to my alert.

Here's my thread on this.

Syslogs in NPM 12.5

Also in the past I was using syslog for instant alerting on link flapping. How am I supposed to do this with LA? With the alert only firing every 1 minute, it will miss link flapping syslogs.

Any ideas?

About the Author
I have been involved in the IT industry for more than 8 years, focusing on IT Audit, Compliance and Information Security. I have held various roles from IT Desktop and Server Support, IT Auditing and Risk Management and Pre-Sales Engineering with SolarWinds.