So one important thing to point out is that (to the best of my knowledge) LEM won't necessarily collect all of your system or application events. LEM comes from a background of being a security-focused solution, so it's designed to look at the Security and Application logs specifically for security-related events. Going forward, the development of LEM looks to be more broad and less directly security focused, but I don't work at SolarWinds so I can't say that definitively.
For your Windows systems, once you have the agents installed you will need to configure the Tools/Connectors in the LEM appliance to look at both the Application and System logs. At this point your system should be collecting the logs.
For setting up filters, keep in mind that one of the core and most important functionalities of the product is the normalization of logs; this allows for true real-time event correlation across multiple different platforms. Because of the normalization, the logs in LEM are not exactly the same as they were in the Windows Event Log. My recommendation here would be to look at some of the normalized logs in LEM and find the fields that make the most sense to filter on. The Severity that you mention is captured, as well as the ToolAlias; since you have different tools for the Application log versus the System log, this may be a good thing to filter for.
I hope all of this helps!
Thanks for your response.
I noticed the ToolAlias field but am stumped as to how I can filter on that, as when I do a filter on it, it can only be as a subset of an alert (i.e. ServiceInfo.ToolAlias). I would want to be able to filter on ToolAlias only, for all Alerts. This would also be the case for Severity. It seems that I would always be restricted to using the Alert.Field format.
Is there another way to filter by *.toolalias?
Surely there must be a list which would help us to identify how MS alerts would be normalised? Obviously I want to try to set up the LEM rules before the alerts happen. After the fact would be a little counterproductive.
In this case you want to go with AnyAlert.ToolAlias.
That is what I was looking for, but for some reason I never saw it. Must have been doing a "male look", as my wife would put it.
Thanks for your assistance and patience.
Just wanted to take a moment and introduce myself. I'm one of the people in the User Experience (UX) group here at SolarWinds and our job is to continuously be looking for ways to make all SolarWinds products easier to use, more useful and more efficient. Your LEM questions relate to some upcoming feedback sessions we'll be running on the initial user experiences with LEM. I've sent you a friend request on thwack but also just wanted to say to you and any new LEM users, we'd sure love to talk to you in the near future and show you some mockups of some ideas we have for changes to the initial LEM experience. Feel free to email me at email@example.com for more info.
I still can't make this work, the tools are started but I can't come up with a filter to show the event log messages...
After talking with support: you have to go to the node and make sure the Windows Logging tools are started, then make a filter that uses ServiceWarning.DetectionIP = *<node name>*
This works great and logs all warnings and errors from the event log!
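As an added illustration (not part of the thread and not LEM's own code) of the point the thread settles on: a filter scoped to one alert type (ServiceInfo.ToolAlias) sees only that type, while AnyAlert.ToolAlias spans every normalized alert, and the last post's ServiceWarning.DetectionIP = *<node name>* wildcard match. The alert records are constructed sample data and the evaluator is a deliberately simplified stand-in for LEM's filter engine.

```python
# Simplified model of normalized-alert filtering as discussed in the thread.
# Added illustration: NOT LEM's code. Alert-type and field names come from the
# thread (ServiceInfo, ServiceWarning, AnyAlert, ToolAlias, Severity,
# DetectionIP); the records below are constructed sample data.
import fnmatch
from dataclasses import dataclass


@dataclass
class Alert:
    alert_type: str   # normalized alert type, e.g. ServiceInfo, ServiceWarning
    ToolAlias: str    # which connector/tool produced the alert
    Severity: int
    DetectionIP: str  # host (name or IP) the event was detected on


# Constructed sample: two Windows connectors (Application vs System log)
# feeding different normalized alert types, plus an unrelated logon alert.
SAMPLE = [
    Alert("ServiceInfo", "Windows Application Log", 1, "10.0.0.5"),
    Alert("ServiceWarning", "Windows System Log", 3, "fileserver01"),
    Alert("ServiceWarning", "Windows Application Log", 3, "fileserver01"),
    Alert("UserLogon", "Windows Security Log", 2, "dc01"),
]


def matches(alert: Alert, expr: str) -> bool:
    """Evaluate a filter of the form '<AlertType>.<Field> = <pattern>'.

    AlertType 'AnyAlert' matches every alert type; any other AlertType
    restricts the filter to that type only. The pattern supports
    shell-style wildcards, so '*fileserver01*' behaves like the thread's
    '*<node name>*' example. Comparison is case-sensitive.
    """
    lhs, _, pattern = expr.partition("=")
    alert_type, _, field = lhs.strip().partition(".")
    if alert_type != "AnyAlert" and alert.alert_type != alert_type:
        return False
    return fnmatch.fnmatchcase(str(getattr(alert, field)), pattern.strip())


def apply_filter(alerts, expr: str):
    """Return the alerts that satisfy the filter expression."""
    return [a for a in alerts if matches(a, expr)]


if __name__ == "__main__":
    # Scoped filter sees one alert; AnyAlert sees both Application-log alerts.
    print(len(apply_filter(SAMPLE, "ServiceInfo.ToolAlias = Windows Application Log")))
    print(len(apply_filter(SAMPLE, "AnyAlert.ToolAlias = Windows Application Log")))
    print(len(apply_filter(SAMPLE, "ServiceWarning.DetectionIP = *fileserver01*")))
```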