72 Replies Latest reply on May 10, 2019 3:48 PM by jrouviere

    Introducing Log Manager for Orion

    jhynds

      Log data is finally where it belongs - within the Orion Platform! Log Manager for Orion is a brand new SolarWinds product which provides powerful log management functionality, including aggregation, searching and charting, all within the Orion console. Log data contains a wealth of information which can be invaluable in identifying and troubleshooting issues that may be affecting the performance and availability of your network and applications. When integrated with tools such as Network Performance Monitor and Server and Application Monitor, you can now get a unified view of infrastructure monitoring data and log data in a single pane of glass.

      Traditionally, there has been a gap between performance and log data. Log data is often aggregated and analyzed using a standalone tool which doesn't offer integration with your performance monitoring tool. Combining the incredible breadth and depth of performance data you get with tools such as NPM and SAM with log data makes it easier to identify, troubleshoot and remediate performance-impacting issues.


      So, how do you access your log and SNMP trap data and what can you do with Log Manager?

      We've made it really easy to access your log data directly from the Node Details page. As an example, I can see on this Node Details page that NPM has triggered a Hardware Health alert. Using the 'Analyze Logs' button I can drill into the log data and quickly identify the entries which indicate a rotation error on the fan. It's like when the dreaded Engine Warning Light comes on in your car: you know there's a problem, but you need to get more information on the specific error from the onboard diagnostics. NPM will tell you there's an issue and then the log data can provide more information, such as error codes and warning messages.


      Filtering

      Log data is noisy by nature and can generate a vast amount of data. It can be a challenge to quickly drill into that data and focus on the important log entries that will help you identify and solve a particular problem. Log Manager includes very useful filters which enable you to instantly refine your dataset with just a few clicks. Filters include Log Type, Level, Node Name, IP Address and more. Thanks to the Orion integration, you can enrich your logs and apply filters based on information gathered by SNMP, including Vendor and Machine Type.

      Search

      Log Manager's powerful search engine allows you to quickly and easily find that needle in the haystack. You can search for anything from keywords to IP addresses and event IDs without the need to learn a new, complex query language. Log Manager's search engine is built upon SQL Server Full-Text Search (FTS). We recommend that you have FTS enabled on your SQL Server for optimal search performance.

      Chart

      Scrolling through reams of 'texty' log data to determine how often a particular event has occurred can be a cumbersome task. The interactive chart included with Log Manager allows you to easily visualize when particular events occurred and how many of them occurred. The chart also serves as a way to refine your time frame via an intuitive click-and-drag method. For example, if you've noticed an issue in Network Performance Monitor at a point in time, you can use the chart in Log Manager to quickly drill into the log data for that timeframe to provide an additional layer of visibility.

      Live Mode

      One of the many benefits of monitoring your log data is the real-time nature of logs. Tools such as NPM do a great job of collecting a vast amount of performance data at regular polling intervals; however, there can be a visibility gap in between those polling intervals. Log data can bridge that gap and provide almost instantaneous visibility into what's happening on your network devices, servers and applications. Log Manager's Live Mode provides a near real-time stream of log data as it occurs in your environment to aid with identification of issues as they occur. Filters and keywords can be applied to the live stream to home in on particular events as they occur. This could be based on an event ID, a keyword, an IP address and more.

      Tag - you're it!

      Individual log (and trap) entries can contain quite an amount of text. When you are receiving hundreds, if not thousands, of these logs every second it can be difficult to identify the important entries. Assigning a meaningful name to important logs can help you easily focus on them. You can apply multiple tags to your important logs to quickly identify them as soon as they appear within Log Manager. What's more, you can even color code those tags to make it even easier to draw your attention to those logs. To configure your tags, simply go to Configure Rules and use the 'Tag Entry' action after you set your rule conditions.

      Where can I find Log Manager and how do I install it?

      The Log Manager for Orion 30-day evaluation is now available to download from your Customer Portal and SolarWinds.com. It can be installed on your existing Orion server, or on a test system if you prefer. Log Manager may require other Orion modules to be updated as part of the installation process; the Orion installer will take care of all of this for you. Log Manager can run as a standalone module, but I'd recommend deploying it alongside NPM/SAM to get the single-console view of performance data and log data I mentioned earlier.

      I'm leveraging the Orion Syslog and Trap Viewers - what happens when I install LM?

      These applications will still reside on your Orion server; however, they will be disabled and will not process any new incoming data once Log Manager is installed. You can view historical data and rule conditions/actions within these viewers, but they will be in a read-only mode. Speaking of rules, I'm sure you're asking what happens to those old syslog/trap rules. These rules will not be migrated as part of the upgrade to Log Manager. Log Manager provides an incredibly intuitive web-based rule builder which can be used to manually create your rules. However, not all of the alert actions are available with Log Manager v1. Log Manager rule actions include Tag an Entry, Run an External Program and Discard Event.

      Can I use Log Manager to collect Windows Events?

      Log Manager currently supports syslog and SNMP traps; however, you can install our free Event Log Forwarder to convert Windows Events to syslog and transmit them to Log Manager.

      How is Log Manager licensed?

      Most log management tools are licensed based on the volume of log data you generate. This requires you to estimate your log volume; costs can rapidly increase if you miscalculate it, and you may have to selectively choose which logs to send to your log management tool to stay within your volume limit. Log Manager uses a very simple and affordable node-based licensing model. If you are transmitting logs from 100 devices, that simply equates to 100 nodes. It is worth pointing out that each node you are receiving log data from must be managed by Orion.

      Summary

      Log Manager for Orion is a result of feedback we've received from our users on Thwack, SolarWinds User Groups, Trade Shows and more. We're incredibly excited to get your feedback on the tool and answer any questions you may have, please feel free to post Feature Requests here and any questions/comments here. We're already working on some exciting new features for the next release of Log Manager which you can view on the What We're Working On page.


      Happy Logging

        • Re: Introducing Log Manager for Orion
          wluther

          This is a very nice tool to be added to the Orion lineup. Great job SolarWinds!

          • Re: Introducing Log Manager for Orion
            David Smith

            So based on the What We're Working On for LM, does the current EC not support Alert integration? I'm surprised that was not the number one item on the list.

            • Re: Introducing Log Manager for Orion
              zyl

              jhynds I'm missing the link on the Customer Portal.

              Should this be available via Download Trials?

              • Re: Introducing Log Manager for Orion
                tkercher

                We rely on SolarWinds to process SNMP traps from legacy and proprietary applications, and have invested significant development to enable alerts based on SNMP traps. Disabling this functionality would have a devastating effect on our capabilities. Aside from being unhappy that I now have to purchase a module to replace existing functionality, the trap viewer functionality cannot be disabled before the alert integration is built.

                1 of 1 people found this helpful
                  • Re: Introducing Log Manager for Orion
                    nglynn

                    I agree and feel like they missed the mark on this product launch.

                    1 of 1 people found this helpful
                    • Re: Introducing Log Manager for Orion
                      jhynds

                      We firmly believe that syslog and traps are an essential part of any network monitoring tool and we fully intend to always include a basic level of syslog & trap functionality with NPM. We also believe that there is strong demand for more extensive log management coverage. We have some very exciting features planned for Log Manager which exceed the basic syslog and trap use cases and we intend to charge for this functionality.

                      The latest version of NPM still ships with the Syslog and Trap Viewers. If you decide to install the LM evaluation, your current Syslog and Trap Viewers are disabled (but not removed from the Orion Server). If the evaluation expires, Log Manager will then run in 'basic' mode which includes functionality such as filtering and searching. Only the licensed version of Log Manager includes features such as tagging, charting and Live Mode. You also have the option of uninstalling Log Manager and reverting to the current iteration of Orion syslog/traps if you feel that Log Manager doesn't meet your needs.

                      We do intend on eventually replacing 'legacy' syslog and traps with the basic version of Log Manager, but for now your current syslog and trap functionality remains as is.

                      I hope that gives you some comfort that we're committed to including syslog and trap functionality within NPM.

                      3 of 3 people found this helpful
                    • Re: Introducing Log Manager for Orion
                      rschroeder

                      It's a pretty display.  Can it replace Splunk?  Can it alert me when malicious behavior by packets / flows is detected, and advise me what actions to take, like Splunk does?

                      1 of 1 people found this helpful
                        • Re: Introducing Log Manager for Orion
                          ebradford

                          I'm curious rschroeder, what does Splunk tell you? Do you have any examples?

                            • Re: Introducing Log Manager for Orion
                              rschroeder

                              Splunk takes all incoming traps or syslogs and analyzes them for patterns recognized to be possible trouble.  It then uses its algorithms to determine the most likely cause of the pattern, and reports to us the probable cause, the significance or risk of the event(s), and the best understood remediation for them.

                              It's very much like having a ridiculously large and powerful search tool, pointing at a stunningly large amount of incoming and historically searchable data, that also acts like a robot or a human analyst who knows about bad problems and recognizes them.

                              At $750K for our environment several years ago, it was not an insignificant expenditure.  But it has paid for itself several times over, and while I'm yet to feel comfortable searching it, I have a team of people who dedicate themselves solely to Security events; they let me know when Splunk sees issues, and advise me what should be done to investigate/prevent/remediate them.

                              2 of 2 people found this helpful
                            • Re: Introducing Log Manager for Orion
                              familyofcrowes

                              If it did SIEM stuff then they would be competing with their own product LEM.  So I highly doubt it can perform that type of correlation.  (I wish it did though  :-) )

                            • Re: Introducing Log Manager for Orion
                              wfriesn1

                              Most of us probably limit storage of syslog and traps to a few days at most due to the large impact on the Orion database of storing all those records. How does this product handle storing the data? How long can it be stored? How large can the database get? Is it in a separate database? You get the idea. We currently use Kiwi to send a stream to an archive instance of SQL Server. At 6 million records per day this adds up.

                              Are we likely to see this on the Orion demo site soon?

                              1 of 1 people found this helpful
                              • Re: Introducing Log Manager for Orion
                                familyofcrowes

                                As soon as this will alert on traps and logs I will be all over it.  But today we have many critical alerts for traps and syslogs that MUST be maintained.


                                LOVE it, but I'll have to wait till the next version I guess....

                                  • Re: Introducing Log Manager for Orion
                                    stevenstadel

                                    We need, at a minimum, feature parity with the currently deployed syslog and trap solution before moving to the new product. The V1 release will only support Tag an Entry, Run an External Program and Discard Event, and will not meet our current production requirements. Let's hope the next release is quick and addresses these needs.

                                    1 of 1 people found this helpful
                                      • Re: Introducing Log Manager for Orion
                                        brad.hale

                                        Are you willing to share with us your minimum features that would make Log Manager a consideration?

                                          • Re: Introducing Log Manager for Orion
                                            stevenstadel

                                            The main hold up should be solved with integration with the advanced alerts in Orion core.

                                            We need the existing additional options of modifying the syslog message, logging the message to file, forwarding the message, sending a new syslog message, and the send e-mail / page actions. We have many existing custom rules that we need to be able to replicate in the new module completely before the current syslog / traps can be set to read-only and deprecated. That, or the option to use both the old and the new syslog engines until we are ready for the cut-over to the new.

                                            A nice-to-have would be the ability to custom parse and tag the message. For example, we have syslogs coming in to Orion from Kiwi and other syslog proxies. These are filtered and then sent to Orion so we don't overload the engine. Orion sees these messages as originating from the Kiwi / syslog proxy and will not correlate the syslog to the system that originally sent the message. If we could parse the hostname or IP from the syslog message contents and attribute that to the monitored hostname/IP, it would be great.

                                            Here are a couple of examples of the parsing that we would love to see.

                                            1 of 1 people found this helpful
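The relay-attribution problem described in the post above (Orion seeing the Kiwi proxy as the source) is what the syslog HOSTNAME header field exists to solve. The following Python parser is an added example and not part of this thread or of Log Manager: it reads both RFC 3164 and RFC 5424 headers, keeps the relay address separately from the originating host, and looks the host up in hypothetical node tables (nodes_by_name and nodes_by_ip are assumptions, as is the constructed sample input).

```python
"""Attribute relayed syslog messages to their original sender (added example).

When a Kiwi or other syslog proxy forwards messages, the UDP source address is
the proxy, but the HOSTNAME field of the syslog header still names the device
that emitted the log. This parser extracts that field for both RFC 3164 (BSD)
and RFC 5424 messages so the entry can be correlated with the monitored node.
"""
import re
from dataclasses import dataclass
from typing import Optional

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD] MSG
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+)(?: (?P<msg>.*))?$"
)
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MSG  (HOSTNAME may be an IP)
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
_IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


@dataclass
class SyslogEntry:
    facility: int
    severity: int
    origin_host: str      # host named in the header, not the relay's address
    relay_addr: str       # UDP/TCP peer that actually delivered the datagram
    app: Optional[str]
    message: str


def parse_syslog(raw: str, relay_addr: str) -> SyslogEntry:
    """Parse one syslog line received from relay_addr.

    Falls back to attributing the entry to the relay when the header has no
    usable HOSTNAME (e.g. a bare message with no PRI), so nothing is dropped.
    """
    m = _RFC5424.match(raw)
    if m:
        pri = int(m.group("pri"))
        host = m.group("host")
        app = None if m.group("app") == "-" else m.group("app")
        msg = m.group("msg") or ""
    else:
        m = _RFC3164.match(raw)
        if not m:
            # Unparseable header: RFC default PRI 13 (user.notice), attributed to relay.
            return SyslogEntry(1, 5, relay_addr, relay_addr, None, raw)
        pri = int(m.group("pri"))
        host = m.group("host")
        msg = m.group("msg")
        # TAG is the token before ':' or '[PID]:', e.g. "sshd[4321]: ..." -> "sshd"
        tag = re.match(r"^([A-Za-z0-9_./-]+)(?:\[\d+\])?:", msg)
        app = tag.group(1) if tag else None
    if host == "-" or not host:
        host = relay_addr
    return SyslogEntry(pri // 8, pri % 8, host, relay_addr, app, msg)


def attribute_to_node(entry: SyslogEntry, nodes_by_name: dict, nodes_by_ip: dict):
    """Look up the monitored node record for the originating host.

    nodes_by_name / nodes_by_ip are hypothetical lookup tables keyed by
    lower-case hostname and by IPv4 address. Returns None when the header
    host is unknown so the caller can flag an unmanaged source.
    """
    host = entry.origin_host
    if _IPV4.match(host):
        return nodes_by_ip.get(host)
    return (nodes_by_name.get(host.lower())
            or nodes_by_name.get(host.split(".")[0].lower()))


if __name__ == "__main__":
    # Constructed sample: both lines arrive from a relay at 10.0.0.5.
    samples = [
        "<34>Oct 11 22:14:15 core-sw1 sshd[4321]: Failed password for admin from 10.1.2.3",
        "<165>1 2019-05-10T15:48:00Z 192.168.1.20 fanmon - - - Fan 2 rotation error",
    ]
    for line in samples:
        e = parse_syslog(line, "10.0.0.5")
        print(e.origin_host, e.app, e.facility, e.severity, e.message)
```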
                                            • Re: Introducing Log Manager for Orion
                                              planglois

                                              Forwarding traps would be a bare minimum. If this function goes away, there is no point for us to keep the whole SolarWinds infrastructure...

                                              Our traps rules are so complex (and on a per-poller basis) that we have to maintain a visio chart to visualise the flow...

                                        • Re: Introducing Log Manager for Orion
                                          yellowtj

                                          This is really cool.  I would love to have a tool like this capture my application logs.

                                            • Re: Introducing Log Manager for Orion
                                              mavturner

                                              There are a few ways to do this today with LM. We are working on easier out of the box ways, but if you want to see them now, we can help.


                                              Which applications would you like to see?

                                                • Re: Introducing Log Manager for Orion
                                                  nglynn

                                                  Hey Mav,

                                                  Speaking of application logs. Would we be able, either now or down the road, to leverage this tool for regex pattern matches and alerting on custom application logs? For instance, we have SiteScope deployed and it's only looking at very specific, often custom, application logs today. It's looking for specific patterns in the log file (could be errors, or disconnects, whatever the app team needs set up). With SiteScope it also has the ability to not have to parse through the entire log every time. It checks, say, every 10 minutes from where it last left off, so if you're looking for a specific count of an error within a specific time frame it's very good for that. I know some of this could be replicated with SAM and some custom scripts today; I was just wondering if this will be some of the capabilities of the new Log Manager, perhaps providing more value than I initially thought.
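The SiteScope-style check described in the post above (resume from where the last run left off, count a pattern within a time window) as an added example in Python; it is not SolarWinds or SiteScope code. The log line format with a leading 'YYYY-MM-DD HH:MM:SS' timestamp and the constructed SAMPLE_LINES are assumptions.

```python
"""Incremental application-log scanning with a saved offset (added example).

Each run resumes from the byte offset reached last time instead of re-reading
the whole log, restarts cleanly when the file is rotated or truncated, and
counts regex matches inside a time window so a rule such as "more than N
errors in 10 minutes" can be evaluated on every scheduled check.
"""
import os
import re
import tempfile
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed line format: every log line starts with 'YYYY-MM-DD HH:MM:SS'.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def read_new_lines(path: str, state: Dict[str, int]) -> List[str]:
    """Return complete lines appended since state['offset'], updating state.

    state is a mutable dict {'offset': int, 'inode': int} that the caller
    persists between runs. A changed inode or a file smaller than the saved
    offset means rotation or truncation, so reading restarts at byte 0 rather
    than silently skipping entries.
    """
    st = os.stat(path)
    if st.st_ino != state.get("inode") or st.st_size < state.get("offset", 0):
        state["offset"] = 0
        state["inode"] = st.st_ino
    with open(path, "rb") as fh:
        fh.seek(state["offset"])
        data = fh.read()
    # Only advance past the last newline; a partially written tail is re-read next run.
    cut = data.rfind(b"\n") + 1
    state["offset"] += cut
    return data[:cut].decode("utf-8", errors="replace").splitlines()


def count_matches(lines: List[str], pattern: str, window: timedelta, now: datetime) -> int:
    """Count lines matching pattern whose timestamp lies in [now - window, now]."""
    rx = re.compile(pattern)
    hits = 0
    for line in lines:
        m = TS_RE.match(line)
        if not m:
            continue  # continuation / stack-trace lines carry no timestamp
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        if now - window <= ts <= now and rx.search(line):
            hits += 1
    return hits


def scan(path: str, state: Dict[str, int], pattern: str, window: timedelta,
         now: datetime, threshold: int) -> bool:
    """One scheduled check: read the new tail, return True if threshold is exceeded."""
    return count_matches(read_new_lines(path, state), pattern, window, now) > threshold


# Constructed sample log for a stand-alone run (not real application output).
SAMPLE_LINES = [
    "2019-05-10 15:40:01 INFO  worker started",
    "2019-05-10 15:41:10 ERROR db connection lost",
    "2019-05-10 15:45:30 ERROR db connection lost",
    "    at com.example.Pool.connect(Pool.java:42)",
    "2019-05-10 15:47:05 WARN  retrying",
]


def write_sample_log() -> str:
    """Write SAMPLE_LINES to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".log")
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(SAMPLE_LINES) + "\n")
    return path


def run_demo() -> Tuple[int, int, int]:
    """Three scheduled runs: initial read, after an append, after a truncation."""
    log = write_sample_log()
    state: Dict[str, int] = {}
    now = datetime(2019, 5, 10, 15, 48, 0)
    window = timedelta(minutes=10)
    first = count_matches(read_new_lines(log, state), r"ERROR", window, now)
    with open(log, "a") as fh:                      # new line since last check
        fh.write("2019-05-10 15:48:00 ERROR db connection lost\n")
    second = count_matches(read_new_lines(log, state), r"ERROR", window, now)
    with open(log, "w") as fh:                      # simulate truncation by a rotation tool
        fh.write("2019-05-10 15:47:59 ERROR db connection lost\n")
    third = count_matches(read_new_lines(log, state), r"ERROR", window, now)
    os.remove(log)
    return first, second, third


if __name__ == "__main__":
    print("errors in the 10-minute window per run:", run_demo())
```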

                                                  • Re: Introducing Log Manager for Orion
                                                    jdwinns

                                                    Would LM be able to capture application logs that are in "Log4j" format?

                                                    Currently we are using custom PowerShell and Perl scripts from the "Log Parser" application found on Thwack. If there is an easier way to correlate and alert on this data with LM, that would be amazing.

                                                • Re: Introducing Log Manager for Orion
                                                  foonly

                                                  I'm excited that Orion logging is finally being addressed!

                                                  I've already asked my account rep for pricing. Any idea of cost?

                                                  We will not buy the product unless it provides all the alerting functionality of NPM logging, however.

                                                  Another thing I've always said that Orion needs is centralized logging for its own modules. The current multitude of log files in various directories could probably remain, so that you get logs in case the logger or other parts of the system are down. But it would be great if SolarWinds had an actual logging standard for all its products so that its logs could be parsed more easily by scripts. Failing that, if they were at least centralized in a logging DB readable by the Orion Log Manager, your customer support time to fix and customer satisfaction would improve greatly, I think.

                                                  • Re: Introducing Log Manager for Orion
                                                    mr.e

                                                    Hello,

                                                    I just read the admin guide for Log Manager and, unless I missed it...,

                                                    It appears that the Log Manager is missing a key feature that I (and many SW customers) have been requesting. What I mean is, I checked but could not find any references to UNMANAGED devices or MUTING alerts. So, for example, if I place some devices in UNMANAGED mode and/or MUTE their alerts, I mean all alerts -- not just the Polling Alerts. We need for this to be automatically handled by the application -- once we UNMANAGE and/or MUTE a device. Else, we still have the same problem of having to remind ourselves and/or other teams to set up SUPPRESSION rules. That has been one of our greatest headaches with Syslog Viewer and Trap Viewer -- since most people forget about these.

                                                    By the way, I would prefer to find out that I simply missed this in the Log Manager Admin Guide. If I did miss it, please let me know where to find that reference and I'll gladly receive the correction. Have a great day everyone!!!

                                                      • Re: Introducing Log Manager for Orion
                                                        jhynds

                                                        If a node is put into an unmanaged state, either manually or on a scheduled basis, both syslog and trap messages are discarded until the node is managed again. We are currently working on support for Orion alert integration, which will include support for the Mute functionality.

                                                      • Re: Introducing Log Manager for Orion
                                                        dhinagar_j

                                                        Hi,

                                                        Apart from storing the syslog messages in the database, does the Log Manager have the functionality to store all syslog messages in a flat file and archive it after a defined period (as Kiwi Syslog does)?

                                                        Our company's log management policy wants to retain syslog messages for 1 year.

                                                          • Re: Introducing Log Manager for Orion
                                                            jhynds

                                                            Log archiving is not currently a feature of Log Manager, however you can set a retention period for syslog up to a maximum of one year. Your syslog data will then be persisted in the SQL database for a full year. The size of the database will of course depend on the volume of syslog you are sending to LM. If you are receiving unwanted syslog you could use the discard action to minimize the number of logs being stored in the database.

                                                              • Re: Introducing Log Manager for Orion
                                                                dhinagar_j

                                                                Dear jhynds,

                                                                We are planning to include Log Manager as part of an upcoming SolarWinds implementation, and we require some feedback on LM.

                                                                Our environment sizing:

                                                                NPM: 4500 devices
                                                                SAM: 2800 devices

                                                                Along with that we have NCM, IPAM & NTA 4.4. I would classify our environment as a larger one, so we are planning to use dedicated MS SQL 2016 servers for the Orion database and the NTA database. We already have 2 dedicated databases, but for LM, what should we consider for the DB?

                                                                We are planning to create a new instance on the existing NTA database.

                                                                ==> Will it be helpful to manage our environment, or is a dedicated DB required (considering the sizing)?

                                                                Requirements (the intent for Log Manager here is exactly similar to a syslog server):

                                                                Hold the syslog data in the database for 30 days (retention)
                                                                Store/archive syslog messages for 1 year

                                                                ==> Direct archive is not a feature of LM, so do we have any other approach to achieve this?

                                                                Hardware requirement for LM:

                                                                The 2 TB mentioned above, does it represent the LM database storage or storage on the Orion platform server?
                                                                And do you think High Availability is required for the LM database?

                                                                Licensing:

                                                                Do we have any unlimited licensing for Log Manager to accommodate our requirement?

                                                                Sorry for the big thread.

                                                                  • Re: Introducing Log Manager for Orion
                                                                    jhynds

                                                                    Hi!

                                                                    In order to assist with the database and Orion Server sizing, we would need some information on the volume of log data you expect to transmit to Log Manager. Do you have any indication as to the Events Per Second (or day) you expect the 7,300 nodes to generate? It may be possible to locate the Log Manager database on the same server as NTA, however we would need information on the log volume and also the resources you have available on the NTA database server.

                                                                    The default retention period for both syslog and traps is 7 days, however this can be set to a maximum of one year. As you mentioned, direct archive is not currently a feature of Log Manager. However, the logs are stored using SQL Partitions, so it may be possible to somehow archive those partitions within SQL. The 2TB listed on the requirements represents the LM database storage, but you may need additional storage depending on your log volume and retention requirements.

                                                                    There is no unlimited license tier for Log Manager, however I will arrange for an Account Manager to reach out to you to discuss LM pricing based on the information above.

                                                                    Thanks,

                                                                    Jamie

                                                                      • Re: Introducing Log Manager for Orion
                                                                        dhinagar_j

                                                                        Dear Jamie,

                                                                        Thanks a lot for your response. Currently we don't have any volumetrics available with us; please provide some suggestions with standard assumptions.

                                                                        Please find the resources for the NTA database:

                                                                        SolarWinds NTA Flow Storage Database (NTA)
                                                                        MS SQL version 2016 with Service Pack 1 or later
                                                                        2 Windows servers each with (8 vCPU | 32 GB RAM | 800 GB), SQL Always On requested.

                                                                • Re: Introducing Log Manager for Orion
                                                                  planglois

                                                                  I have mixed feelings...

                                                                  Although the intention is there:

                                                                  • I like the near-real-time functionality, the better integration with the console, and, from what I read, the separate database.
                                                                  • I don't like the need for another separate product, the reduced features, and the fact that actual rules are not migrated.

                                                                  I wonder how this can work on a multi-poller setup, and how the system would take the load when retention is higher than the suggested 7 days, which in our case is really not sufficient...

                                                                  • Re: Introducing Log Manager for Orion
                                                                    rschroeder

                                                                    I'd gladly trade Log Manager for a SolarWinds Data Warehouse... someplace we could store specified outputs so I could show five and ten year trending, or something longer than errors/throughput for a few weeks or months.

                                                                      • Re: Introducing Log Manager for Orion
                                                                        ebradford

                                                                        rschroeder, some sort of implementation of what you are talking about shouldn't be too hard to do on our own. Long term data trends won't need per minute status. I'm thinking about stock prices... you are familiar with candlebars? They are graphical representations of opening, high, low and ending prices. When multiple days are put next to each other, you can visually see trends. Further, with some statistical tools, you could create Bollinger bands and 50 and 200 day moving averages from that data to help indicate the relative importance of variances and help predict future utilizations. I'm not sure how you would then incorporate that data into Orion (I'm sure there is a way), but it would be available via other SQL front ends anyway.

                                                                         

                                                                        This could be done using data from the SolarWinds database by, once per day, calculating Min, Max, Average and Std Dev (MAASD) for certain metrics, and also including certain numerical data that doesn't need mins or maxes (like number of nodes, volumes, interfaces in Orion), database size at end of day, etc. All this, put into a NEW database -- not into Orion's database. And you can keep it there for a long time. When you have just one dataset per node (MAASD) for volumes, CPU, interfaces, and some SW Orion metrics, you'll easily be able to keep data for several years (I would guess). Maybe I'll make this a project in late July, and then share it out. Maybe SolarWinds will pick it up as a feature.

                                                                         

                                                                        By the way, right now --as I write-- our DB is backing up for its move to its new SQL server. So exciting! Gonna have a lot more features with SQL 2016, and more volume space. A bit later next month, we are doing the Orion application moves and the 12.3 upgrade. Until that is done, I don't have the time to work on fun stuff like long term statistical analysis tools.
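The once-a-day MAASD roll-up ebradford sketches above, as an added example that is not code from this thread or from SolarWinds. It assumes the raw per-minute samples have already been read out of the Orion database into (node, timestamp, value) tuples; the sample rows are constructed, and no Orion table or column names are used because the thread does not give any. It produces the rows you would insert into a separate long-term database, and also carries the N-day moving average he mentions so a reader can see how the rolled-up rows feed trending.

```python
"""Daily Min/Max/Average/StdDev (MAASD) roll-up of per-minute metric samples.

Added example, not code from the thread or from SolarWinds. Input tuples are
assumed to have been exported from the Orion database already; the output
tuples are what you would INSERT into a separate long-term (warehouse) table.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample input: (node_name, sample_timestamp, cpu_load_percent).
SAMPLES = [
    ("core-sw1", datetime(2018, 7, 1, 0, 0), 10.0),
    ("core-sw1", datetime(2018, 7, 1, 0, 1), 20.0),
    ("core-sw1", datetime(2018, 7, 1, 0, 2), 30.0),
    ("core-sw1", datetime(2018, 7, 2, 0, 0), 50.0),
    ("core-sw1", datetime(2018, 7, 2, 0, 1), 70.0),
    ("edge-rtr1", datetime(2018, 7, 1, 0, 0), 5.0),
    ("edge-rtr1", datetime(2018, 7, 1, 0, 1), 5.0),
]


def rollup_daily(samples):
    """Collapse raw samples into one MAASD row per (node, calendar day).

    Returns {(node, date): {"min", "max", "avg", "stdev", "count"}}.
    pstdev (population standard deviation) is used because the day's samples
    are the complete set being summarised, not a sample drawn from it.
    """
    buckets = defaultdict(list)
    for node, ts, value in samples:
        buckets[(node, ts.date())].append(value)
    rows = {}
    for key, values in buckets.items():
        rows[key] = {
            "min": min(values),
            "max": max(values),
            "avg": mean(values),
            "stdev": pstdev(values),
            "count": len(values),
        }
    return rows


def moving_average(daily_rows, node, window):
    """Simple N-day moving average of one node's daily averages, oldest first.

    Mirrors the 50/200-day moving-average idea from the post. Returns a list of
    (date, moving_average) for every day that has a full window behind it.
    """
    days = sorted(d for (n, d) in daily_rows if n == node)
    avgs = [daily_rows[(node, d)]["avg"] for d in days]
    out = []
    for i in range(window - 1, len(avgs)):
        out.append((days[i], mean(avgs[i - window + 1:i + 1])))
    return out


def warehouse_rows(daily_rows):
    """Flatten to the tuples a parameterised INSERT into the long-term table takes."""
    return sorted(
        (node, day.isoformat(), r["min"], r["max"], r["avg"], r["stdev"], r["count"])
        for (node, day), r in daily_rows.items()
    )


if __name__ == "__main__":
    rows = rollup_daily(SAMPLES)
    for row in warehouse_rows(rows):
        print(row)
    print(moving_average(rows, "core-sw1", 2))
```

One MAASD tuple per node per day is a few dozen bytes, which is what makes multi-year retention cheap compared with keeping per-minute samples. Swap `pstdev` for `statistics.stdev` if you prefer to treat each day's readings as a sample rather than the full population.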

                                                                          • Re: Introducing Log Manager for Orion
                                                                            rschroeder

                                                                            I think you'll be happy with the 2016 solution.  I know my monitoring environment proved easy to move and faster to use after going through the migration & upgrade.

                                                                             

                                                                            Thanks for your thoughts on the database warehouse idea.  They're practical and relatively low cost.  They don't tie into the single pane of glass that is SolarWinds, but hey, if SolarWinds won't build & sell one, someone else will.

                                                                        • Re: Introducing Log Manager for Orion
                                                                          tomarsandbeyond

                                                                          Will it handle 40 GB of logs a day? Are searches thru them as fast as Unix?

                                                                          • Re: Introducing Log Manager for Orion
                                                                            piccallo

                                                                            Hello!

                                                                            Does the Log Manager for Orion support more than 1000 nodes?

                                                                            According to the information on the site, it only supports 1000 nodes (SolarWinds - Price List):

                                                                            Log Manager LM1000 up to 1000 nodes - License with 1st-Year Maintenance

                                                                            • Re: Introducing Log Manager for Orion
                                                                              shuth

                                                                              How is Log Manager licensed?

                                                                              Most log management tools are licensed based on the volume of log data you generate. This requires you to estimate your log volume; costs can rapidly increase if you miscalculate your log volume, and you may have to selectively choose which logs to send to your log management tool to stay within your volume limit. Log Manager uses a very simple and affordable node-based licensing model. If you are transmitting logs from 100 devices, that simply equates to 100 nodes. It is worth pointing out that each node you are receiving log data from must be managed by Orion.

                                                                               

                                                                              How/when is an LM license used? Is there a timeout to when a license is freed up (i.e. no messages in X timeframe)?  Or is it more like NCM, where you have to specifically assign devices to be part of LM and use a license?  What will happen if you go over the license? Will the devices past the limit go into "basic LM functionality"?

                                                                                • Re: Introducing Log Manager for Orion
                                                                                  jhynds

                                                                                  By default, when log data is received by a node, that node will consume an LM license. However, this can be overwritten and you can exclude nodes from automatically consuming a license if log data is received. You can also add/remove nodes from the LM license pool, in a similar manner to NCM. It is not possible to go over the license. Once you hit your license limit you will get a notification to inform you that you have reached the limit and it will not be possible to add additional nodes at that point.

                                                                                    • Re: Introducing Log Manager for Orion
                                                                                      wluther

                                                                                      jhynds And once you hit your license limit, ALL additional logs coming through will be discarded, or just not be capable of using all features? For example, in our situation, we would really only need our core devices, plus a handful of another subset of devices, to be licensed, and fully integrated (probably somewhere under 300 nodes). However, we CANNOT lose basic syslog functionality to the remaining 1700 nodes. Are we going to be required to choose between all or nothing, or will we be able to split full/limited functionality across all licensed/unlicensed nodes?

                                                                                       

                                                                                       

                                                                                      Thank you,

                                                                                       

                                                                                      -Will

                                                                                        • Re: Introducing Log Manager for Orion
                                                                                          jhynds

                                                                                          Hey Will! In short, it is all or nothing. Once you hit the license limit any additional logs will be discarded. I totally understand the desire to split the functionality depending on log sources but it would get complex very quickly and could get very confusing, e.g. log messages containing keywords that you want to tag, but only some of the logs are tagged due to the split functionality.

                                                                                          1 of 1 people found this helpful
                                                                                            • Re: Introducing Log Manager for Orion
                                                                                              stevenstadel

                                                                                              What are the features that will be included in the free basic version?

                                                                                               

                                                                                              Like Will above we cannot lose our basic syslog functionality that the current product provides today. Having all additional logs be discarded above a licence threshold does not give us functionality that we currently rely upon with the old versions.

                                                                                              2 of 2 people found this helpful
                                                                                              • Re: Introducing Log Manager for Orion
                                                                                                shuth

                                                                                                Sorry if it sounds like I'm repeating myself here and other threads but I am trying to understand the full impact when the trap/syslog viewer is replaced.

                                                                                                 

                                                                                                1. When syslog/trap viewer is deprecated, NPM will contain a basic cut-down version of LM - no charts, live mode, or "Analyse Logs" button. There won't be any tagging/colouring either so we'll lose that functionality.

                                                                                                2. If you purchase an LM license:

                                                                                                  a) Any device sending a log message to the system will consume a license but you can exclude the node from consuming a license.  What happens to the data that these excluded nodes are sending? Will they still be processed under "basic functionality"? 

                                                                                                  b) If I hit my license limit, any new logs received by the system will be automatically discarded. These would not even be processed under the basic functionality?

                                                                                                 

                                                                                                What about a scenario where I have a small number of key systems (5-10) that I want to process trap/syslog messages fully (tagging, etc), but I also have another 500 devices that I might only receive a couple of messages from a week but I'm still interested in seeing (basic functionality like alerting)? I would have to buy an LM500 (or 1000 if I'm past 500 devices) instead of an LM10 license? In wluther's scenario, he'd have to get an even larger license that isn't on the price list (a post further up says to contact an account manager)?

                                                                                                1 of 1 people found this helpful
                                                                                                  • Re: Introducing Log Manager for Orion
                                                                                                    jhynds

                                                                                                    Hey Steven,

                                                                                                     

                                                                                                    1: Correct. The cut-down version of LM will provide basic syslog and trap monitoring and the functionality will remain as close as possible to the syslog/trap viewers. Tagging is one of the only features that is moving from syslog/trap viewers to a paid Log Manager feature. We've made a conscious effort to ensure that the LM version which will replace syslog/trap viewers remains feature rich and provides enough functionality to aggregate, search and alert on your log data. 

                                                                                                     

                                                                                                    2a: If a node is excluded from consuming a license, any log data transmitted to LM from that node will be discarded until it is added to the LM license pool. The logs will not be processed under basic functionality.

                                                                                                     

                                                                                                    2b: Correct. If you hit your license limit, you will not be able to add any additional nodes and therefore logs will be automatically discarded until you free up some licenses or upgrade to a higher tier.

                                                                                                     

                                                                                                    In short, it is not possible to run Log Manager in a mixed-mode whereby some logs can avail of licensed features such as tagging (with more exciting features to come) and other logs cannot avail of licensed features. It would be quite confusing to decipher what you can and can't do with certain logs based on the license assigned to the source device. In your scenario above, you could need an LM500 to cover all 500 devices (or a larger tier if >500 nodes).

                                                                                                    2 of 2 people found this helpful
                                                                                                  • Re: Introducing Log Manager for Orion
                                                                                                    wluther

                                                                                                    I would think, if the syslog message comes from a licensed node, then it has the ability to become tagged. If the syslog message is not licensed, then a tag cannot be applied, regardless if anything in the message matches the rule. Process the rules, only applying tags for nodes which are licensed. I'm sure it's not that straightforward, but I couldn't imagine it being super complex... At least not compared to some of the other magic y'all have achieved throughout the other modules. Come on, we have faith in y'all... You'll figure it out!!

                                                                                            • Re: Introducing Log Manager for Orion
                                                                                              twolf420

                                                                                              After spending some significant $ on this, we find that the alerting is very limited.  We can't even get an email alert that contains the message body of the syslog or trap.  Is this being addressed?  Is it possible to get a refund for this product?  We are currently working to uninstall.

                                                                                                • Re: Introducing Log Manager for Orion
                                                                                                  jhynds

                                                                                                  You can easily add the message body of the log entry by using the Log Entry Message variable within your e-mail alert. Other variables include the rule name that caused the alert to trigger and the hit count of the rule.

                                                                                                   

                                                                                                  Is this the main obstacle you were running into or are there some additional limitations? If you'd like to set up a call to discuss, just let me know.

                                                                                                   

                                                                                                  • Re: Introducing Log Manager for Orion
                                                                                                    ebradford

                                                                                                    twolf420, I'm looking at the product, and am interested to hear if the information that jhynds posted helps you. Please follow up after you've had a chance to try it out, and let me know how that works for you. Thanks.

                                                                                                      • Re: Introducing Log Manager for Orion
                                                                                                        jrouviere

                                                                                                        Not the OP, but we've had this product for 6+ months and it pretty much does what it says on the tin, in my opinion. We hadn't needed some of the other features that make sense, like exporting logs, etc., but those seem to be added at a decent clip.

                                                                                                         

                                                                                                        We've been able to add the syslog message to the Orion Alerts in the same way that Jamie has provided.

                                                                                                         

                                                                                                        We use it to alert via Orion on a variety of log sources such as Linux, storage appliances, database audit logs forwarded via syslog and of course networking devices. We funnel most everything through Kiwi to keep Informational and above and then use Warning and above to forward to Orion for alerting purposes. The alert integration was definitely needed and works great, and you can even set up another Log Analyzer rule to use as a reset condition, so you don't have to just reset immediately or reset after 60 minutes, for example, but can wait for an all-clear message from your appliances.
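The two-stage pipeline jrouviere describes above (keep Informational and above locally, forward Warning and above, and reset an alert only on an explicit all-clear message rather than a timer), as an added example that is not code from this thread, from Kiwi Syslog Server or from Log Manager. It assumes RFC 3164-style lines that begin with a `<PRI>` field; the host names, tag names and rule patterns are constructed for the example. It also shows the failure mode a practitioner hits with this design: an all-clear message that does not itself pass the forwarding threshold never reaches the alerting side, so the alert never resets.

```python
"""Syslog severity gating plus a trigger/reset alert rule over sample lines.

Added example, not code from the thread, Kiwi or Log Manager. Models the
pipeline described in the post: local collector keeps Informational and
above, forwards Warning and above, and the alert rule is evaluated only on
what was forwarded (which is what the alerting side actually sees).
"""
import re

# Syslog severity codes (RFC 5424, table 2): lower number = more severe.
EMERG, ALERT, CRIT, ERR, WARNING, NOTICE, INFO, DEBUG = range(8)

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$")
# Minimal BSD-syslog body parse: "Mmm dd hh:mm:ss host rest-of-message"
BODY_RE = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+(\S+)\s+(.*)$")


def parse_line(line):
    """Return (facility, severity, host, message), or None if the line is malformed."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI value
        return None
    body = BODY_RE.match(m.group(2))
    if not body:
        return None
    return pri // 8, pri % 8, body.group(1), body.group(2)


def keep(severity, threshold):
    """True when the message is at least as severe as the threshold ("X and above")."""
    return severity <= threshold


class TriggerResetRule:
    """Raise once per host on a trigger match; clear only on a reset match."""

    def __init__(self, trigger_pattern, reset_pattern):
        self.trigger = re.compile(trigger_pattern, re.IGNORECASE)
        self.reset = re.compile(reset_pattern, re.IGNORECASE)
        self.active = set()  # hosts with an open alert

    def feed(self, host, message):
        """Return 'TRIGGER', 'RESET' or None for this message."""
        if self.trigger.search(message) and host not in self.active:
            self.active.add(host)
            return "TRIGGER"
        if self.reset.search(message) and host in self.active:
            self.active.discard(host)
            return "RESET"
        return None  # duplicate trigger, stale reset, or no match


def run_pipeline(lines, rule):
    """Apply both severity gates and the rule; return (kept, forwarded, events)."""
    kept, forwarded, events = [], [], []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed lines are dropped, not guessed at
        _facility, severity, host, message = parsed
        if not keep(severity, INFO):
            continue  # Debug never leaves the collector
        kept.append(line)
        if keep(severity, WARNING):
            forwarded.append(line)
            event = rule.feed(host, message)
            if event:
                events.append((event, host))
    return kept, forwarded, events


# Constructed sample lines; facility local0 (16), so PRI = 128 + severity.
SAMPLE_LINES = [
    "<135>Jul  1 10:00:00 core-sw1 hwmon: debug poll complete",              # DEBUG
    "<134>Jul  1 10:00:05 core-sw1 hwmon: fan 2 speed 4800 rpm",             # INFO
    "<131>Jul  1 10:00:10 core-sw1 hwmon: fan 2 rotation error detected",    # ERR
    "<131>Jul  1 10:00:15 core-sw1 hwmon: fan 2 rotation error detected",    # ERR, repeat
    "<132>Jul  1 10:00:20 edge-rtr1 ospf: neighbor 10.0.0.2 down",           # WARNING
    "<134>Jul  1 10:05:00 core-sw1 hwmon: fan 2 rotation ok",                # INFO: not forwarded
    "<132>Jul  1 10:06:00 core-sw1 hwmon: fan 2 rotation ok",                # WARNING: resets
    "garbage with no PRI",
]

if __name__ == "__main__":
    rule = TriggerResetRule(r"fan \d+ rotation error", r"fan \d+ rotation ok")
    kept, forwarded, events = run_pipeline(SAMPLE_LINES, rule)
    print(len(kept), "kept;", len(forwarded), "forwarded;", events)
```

The INFO-level "rotation ok" at 10:05 is kept locally but never forwarded, so the rule does not see it and the alert stays open; only the WARNING-level all-clear at 10:06 resets it. When you build a reset rule on an all-clear message, check that the device emits that message at a severity your forwarding filter passes, or the alert will hang open until someone clears it by hand.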