7 Replies Latest reply on Jun 6, 2016 11:11 AM by nicole pauls

    IP or Hostname or appliance key

    kdevmu

      Hello All,

      I am new to SolarWinds and wanted to know how it recognizes firewall/gateway appliances. For example, there are two firewall appliances behind a single public IP. They are sending syslogs to LEM, which is hosted on the internet. Now, as LEM will receive syslogs from both firewalls with the same source IP, how is it going to differentiate and monitor both firewalls? I just want to understand whether LEM recognizes nodes/firewalls by IP, or whether it also looks at the appliance key/serial key/hostname from the syslog fields.

      Please let me know if such a scenario has been tested with LEM. If yes, please share your observations.


      Thank you.

        • Re: IP or Hostname or appliance key
          nicole pauls

          It will likely depend on how the syslog is received and the device. It's possible it will be able to differentiate them by the actual/internal IP. If you have the firewall log its IP/name in the log, it might also pick those up as the appliance names.


          Generally, LEM is going to try to parse the IP/hostname of the device out of the logs. It'll pick the syslog IP by default (if you look at syslog formatted messages, there's a <date> <ip/hostname> <message> format), but some devices can also log their IP/hostname within the message, and if syslog messages get forwarded from a syslog forwarder, it'll pick those up instead.


          What kind of device? Do you have it logging to LEM already, are you seeing the logs?

            • Re: IP or Hostname or appliance key
              kdevmu

              Yes, I have pointed a Fortigate firewall to send syslogs to LEM, and when there is an IP change on the Fortigate, LEM detects it as a new node. I have seen ManageEngine and AlienVault identifying nodes based on Device Name, which is a unique serial number, so irrespective of an IP change they detect it as a single appliance.

              A sample Fortigate log is below.


              <190>date=2016-05-24 time=20:15:25 devname=FGVM010000063601 devid=FGVM010000063601 logid=0100044546 type=event subtype=system level=information vd=root logdesc="Attribute configured" user="admin" ui="GUI(40.40.40.26)" action=Edit cfgtid=7274531 cfgpath="system.global" cfgattr="admin-ssh-port[222->22000]" msg="Edit system.global "
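An added example (not from this thread and not SolarWinds code) showing the two identifiers a receiver can read from a line like the one above: the hostname/IP field of the RFC 3164 header, which a receiver uses by default, and the devname/devid fields the Fortigate embeds in the message body. The header, the 203.0.113.10 NAT address and the second serial FGVM010000063602 are constructed for the sample; the message body is the record posted above. Counting events by header source versus by device identity shows why two firewalls behind one public IP collapse into a single node under IP-based identification.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample lines. The first two wrap the Fortigate record posted in
# the thread in a conventional RFC 3164 header; 203.0.113.10 (a TEST-NET
# address) stands in for the shared public NAT IP, and FGVM010000063602 is a
# constructed second firewall behind the same address. The third line is the
# raw record exactly as posted, with no header at all.
FORTIGATE_BODY = (
    'date=2016-05-24 time=20:15:25 devname=FGVM010000063601 devid=FGVM010000063601 '
    'logid=0100044546 type=event subtype=system level=information vd=root '
    'logdesc="Attribute configured" user="admin" ui="GUI(40.40.40.26)" action=Edit '
    'cfgtid=7274531 cfgpath="system.global" cfgattr="admin-ssh-port[222->22000]" '
    'msg="Edit system.global "'
)
SAMPLE_LINES = [
    "<190>May 24 20:15:25 203.0.113.10 " + FORTIGATE_BODY,
    "<190>May 24 20:16:02 203.0.113.10 "
    + FORTIGATE_BODY.replace("FGVM010000063601", "FGVM010000063602"),
    "<190>" + FORTIGATE_BODY,
]

PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 3164 header: "Mmm dd hh:mm:ss <hostname-or-ip> "
HEADER_RE = re.compile(r"^([A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ")
# key=value pairs; a value is either a double-quoted string or a run of non-space characters
KV_RE = re.compile(r'([A-Za-z_][\w\-]*)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class SyslogEvent:
    facility: Optional[int]
    severity: Optional[int]
    timestamp: Optional[str]
    source: Optional[str]  # hostname or IP from the syslog header, if present
    fields: Dict[str, str] = field(default_factory=dict)


def parse_syslog(line: str) -> SyslogEvent:
    """Split the PRI, the optional RFC 3164 header and the key=value body of one line."""
    rest = line
    facility = severity = None
    m = PRI_RE.match(rest)
    if m:
        pri = int(m.group(1))
        facility, severity = pri >> 3, pri & 7  # PRI = facility * 8 + severity
        rest = rest[m.end():]
    timestamp = source = None
    m = HEADER_RE.match(rest)
    if m:
        timestamp, source = m.group(1), m.group(2)
        rest = rest[m.end():]
    fields: Dict[str, str] = {}
    for key, value in KV_RE.findall(rest):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return SyslogEvent(facility, severity, timestamp, source, fields)


def device_identity(event: SyslogEvent) -> Optional[str]:
    """Prefer the device's own serial-style identifier; fall back to the header address."""
    for key in ("devid", "devname"):
        if key in event.fields:
            return event.fields[key]
    return event.source


def count_by(lines, key: str) -> Dict[Optional[str], int]:
    """Count events per node, keyed by header 'source' or by 'device' identity."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_syslog(line)
        counts[ev.source if key == "source" else device_identity(ev)] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_syslog(line)
        print(f"source={ev.source!s:14} device={device_identity(ev)} severity={ev.severity}")
    print("by source :", count_by(SAMPLE_LINES, "source"))
    print("by device :", count_by(SAMPLE_LINES, "device"))
```

Keyed by header source, both firewalls land in one bucket (and the headerless line in none); keyed by devid, the two units separate and survive an address change. A receiver that only reads the header cannot make that distinction without parsing the vendor body.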

                • Re: IP or Hostname or appliance key
                  nicole pauls

                  Ah. Generally, LEM would lean toward using/identifying with the IP address as per syslog (or originating device if syslog forwarding is involved). Since licensing is based on # of nodes under management, it was/is the most logical first step, but it could leave room for improvement. Some folks on thwack have suggested being able to label or edit the names of devices, so we aren't stuck just using the device IPs, too.

                    • Re: IP or Hostname or appliance key
                      kdevmu

                      Well, I understand, but what about the Hostname option in the node? As I can see from the GUI, you can add a hostname or IP address. However, I tried using the hostname but it didn't help; eventually it shows the IP address of the sending node. Is there any way it can be dealt with using an FQDN/hostname, so the dynamic IP issue can be addressed?

                      Apart from this, is it possible to dump logs in file format into LEM, let's say from Syslog-NG?

                        • Re: IP or Hostname or appliance key
                          nicole pauls

                          You could definitely syslog to a syslog-ng host, then put a LEM agent on that host to pick up the logs (or, you could send them to your syslog-NG host and forward them to LEM, but I don't know if the effect would be any different). You do need to make sure the format matches an expected syslog format and the files are statically named (i.e. no date in the current filename), but that would work.

                            • Re: IP or Hostname or appliance key
                              kdevmu

                              Thanks, Nicole, for your reply. How about adding nodes with a hostname? Can you share a use case? Let's take an example: one of the firewalls has registered with a Dynamic DNS provider as its IP address keeps changing, so instead of an IP we now have the FQDN abc.example.com, and we want to add the node with that FQDN so that no matter which IP address it's sending the syslogs from, LEM will detect it as a single appliance, as it will just resolve the FQDN to an IP address and match the table.

                                • Re: IP or Hostname or appliance key
                                  nicole pauls

                                  So, LEM will present what's in the log data, and I think within LEM's syslog config the hostname resolution for syslog is off because it can create performance problems. It is a syslog-ng option, though, so if you syslogged to another syslog-ng host you could have it attempt to resolve the originating IP (as long as those DNS servers are there/able to resolve).


                                  e.g.

                                  <date> 192.168.1.1 <message>

                                  could become

                                  <date> firewall.internal <message>

                                  If you then configured LEM to watch that log, it WOULD send firewall.internal as the DetectionIP instead of 192.168.1.1.


                                  Also worth noting here is when you correlate activity within LEM rules, it does try to do DNS resolution, so if it sees an event from firewall.internal it would know it's the same as 192.168.1.1 (as long as that resolves in the DNS server LEM has configured). It's not common that you end up correlating based on DetectionIP, but it could happen.
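An added example (not LEM or syslog-ng code) modelling the two resolution steps described in the reply above: a relay with reverse DNS enabled replacing the header IP with its PTR name, and a correlation step that maps a hostname back to its address so that 192.168.1.1 and firewall.internal key to the same node. The DNS tables are constructed stand-ins for real resolvers, and the edge cases the reply hints at are handled: an IP with no PTR record, a hostname that does not resolve, and a line with no header at all pass through unchanged.

```python
import ipaddress
import re
from typing import Callable, Dict, Optional

# Constructed DNS data standing in for the resolvers a relay and LEM would query.
REVERSE_DNS: Dict[str, str] = {"192.168.1.1": "firewall.internal"}  # PTR records
FORWARD_DNS: Dict[str, str] = {"firewall.internal": "192.168.1.1"}  # A records

# Splits "<PRI>Mmm dd hh:mm:ss " / host field / rest-of-line; the host field
# may hold either an IP or a name, which is exactly the ambiguity at issue.
HOST_RE = re.compile(
    r"^(<\d{1,3}>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} )(\S+)( .*)$", re.S
)

# Constructed sample: the Fortigate devname from the thread, sent from 192.168.1.1
SAMPLE = (
    '<190>May 24 20:15:25 192.168.1.1 date=2016-05-24 time=20:15:25 '
    'devname=FGVM010000063601 msg="Edit system.global "'
)


def is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def detection_ip(line: str) -> Optional[str]:
    """The header host field as a receiver stores it (the thread's 'DetectionIP')."""
    m = HOST_RE.match(line)
    return m.group(2) if m else None


def relay_rewrite(line: str, reverse: Callable[[str], Optional[str]] = REVERSE_DNS.get) -> str:
    """What a relay with hostname resolution on does: swap the header IP for its PTR name.
    Headerless lines, non-IP host fields and IPs with no PTR record are left untouched,
    so the function is safe to apply twice."""
    m = HOST_RE.match(line)
    if not m:
        return line
    prefix, host, suffix = m.groups()
    if not is_ip(host):
        return line
    name = reverse(host)
    return line if name is None else f"{prefix}{name}{suffix}"


def correlation_key(host: str, forward: Callable[[str], Optional[str]] = FORWARD_DNS.get) -> str:
    """Normalise a DetectionIP value to an address so rules can match a node in either form.
    A hostname that does not resolve is returned as-is; such events cannot be tied to the IP form."""
    if is_ip(host):
        return host
    return forward(host) or host


if __name__ == "__main__":
    rewritten = relay_rewrite(SAMPLE)
    print(rewritten)
    print(detection_ip(SAMPLE), "->", detection_ip(rewritten))
    same_node = correlation_key(detection_ip(SAMPLE)) == correlation_key(detection_ip(rewritten))
    print("correlates as one node:", same_node)
```

The relay side is the part syslog-ng performs for real when its global `use_dns(yes)` and `keep_hostname(no)` options are set; the correlation side is what the reply describes LEM doing inside rules. Both depend on the resolver actually answering, which is why a missing PTR or A record simply leaves the value unchanged rather than guessing.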