7 Replies Latest reply on Mar 21, 2013 11:36 AM by msterling

    Can I filter all Windows Event and Application logs in a separate filter?

    pdyball

      Hi everyone,

       

      I am new to log management, so I may be asking the wrong questions or heading in the wrong direction, so please feel free to educate me if required.

       

      My office has just purchased LEM and I have been asked to set up the LEM to pick up all the system and application events which are errors or higher. Once normalised I believe this means severity 4 or higher.

       

      I am a bit confused as to how to achieve this.

       

      Can I filter MS Application Events which are level 4 or higher?

       

      Can I filter MS System Events which are level 4 or higher?

       

      Also, am I looking at how the LEM can do things from the wrong perspective?

       

      Any advice or tips would be appreciated.

        • Re: Can I filter all Windows Event and Application logs in a separate filter?
          byrona

          So one important thing to point out is that (to the best of my knowledge) LEM won't necessarily collect all of your system or application events.  LEM comes from a background of being a security-focused solution, so it's designed to look at the Security and Application logs specifically for security-related events.  Going forward, the development of LEM looks to be more broad and less directly security-focused, but I don't work at SolarWinds so I can't say that definitively.

           

          For your Windows systems, once you have the agents installed you will need to configure the Tools/Connectors in the LEM appliance to look at both the Application and System logs.  At this point your system should be collecting the logs.

           

          For setting up filters, keep in mind that one of the core and most important functionalities of the product is the normalization of logs; this allows for true real-time event correlation across multiple different platforms.  Because of the normalization, the logs in LEM are not exactly the same as they were in the Windows Event Log.  My recommendation here would be to look at some of the normalized logs in LEM and find the fields that make the most sense to filter on.  The Severity that you mention is captured, as well as the ToolAlias; since you have different tools for the Application log versus the System log, this may be a good thing to filter for.

           

          I hope all of this helps!

          • Re: Can I filter all Windows Event and Application logs in a separate filter?
            Kellie Mecham

            Hi Pdyball,

             

            Just wanted to take a moment and introduce myself. I'm one of the people in the User Experience (UX) group here at SolarWinds and our job is to continuously be looking for ways to make all SolarWinds products easier to use, more useful and more efficient.  Your LEM questions relate to some upcoming feedback sessions we'll be running on the initial user experiences with LEM.  I've sent you a friend request on thwack but also just wanted to say to you and any new LEM users, we'd sure love to talk to you in the near future and show you some mockups of some ideas we have for changes to the initial LEM experience.  Feel free to email me at kellie.mecham@solarwinds.com for more info.

             

            Thanks!

            • Re: Can I filter all Windows Event and Application logs in a separate filter?
              msterling

              I still can't make this work: the tools are started, but I can't come up with a filter to show the event log messages...

              • Re: Can I filter all Windows Event and Application logs in a separate filter?
                msterling

                After talking with support: you have to go to the node and make sure the Windows Logging tools are started, then make a filter that uses ServiceWarning.DetectionIP = *<node name>*.

                This works great and logs all warnings and errors from the event log!
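
Both byrona's advice to filter on the normalized Severity and ToolAlias fields and msterling's working filter for warnings and errors assume the agent is actually forwarding Error-level events from the System and Application logs. The PowerShell script below is an added example, not from this thread or from SolarWinds, that pulls those events straight from a Windows node so you can compare them against what the LEM filter shows. In Windows Event Log terms, Level 1 is Critical, 2 is Error, 3 is Warning, 4 is Information and 5 is Verbose, so "Error or higher" in Event Viewer means Level 1 or 2. The parameter names, the 24-hour window and the default computer name are assumptions for the example.

```powershell
# Added example (not from the thread): list what in the System and Application logs
# on a Windows node is Error or worse, i.e. what the LEM connectors should be forwarding,
# so the LEM filter can be checked against ground truth.
# Windows event levels: 1 = Critical, 2 = Error, 3 = Warning, 4 = Information, 5 = Verbose.
# "Errors or higher" in Event Viewer terms therefore means Level 1 or 2.
param(
    [string[]]$LogName      = @('System', 'Application'),   # assumed defaults
    [int[]]$Level           = @(1, 2),                       # Critical and Error; add 3 for Warning
    [int]$Hours             = 24,                            # assumed look-back window
    [string]$ComputerName   = $env:COMPUTERNAME              # local node unless overridden
)

$filter = @{
    LogName   = $LogName
    Level     = $Level
    StartTime = (Get-Date).AddHours(-$Hours)
}

try {
    $events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop)
} catch {
    # Get-WinEvent raises "No events were found ..." when nothing matches; treat that as
    # an empty result rather than a failure, but surface anything else (access denied, RPC).
    if ($_.Exception.Message -match 'No events were found') { $events = @() } else { throw }
}

# Count per log and severity: the same split (tool/log versus severity) byrona suggests
# filtering on once the events are normalized in LEM.
$events |
    Group-Object LogName, LevelDisplayName |
    Select-Object @{ n = 'Log';   e = { $_.Values[0] } },
                  @{ n = 'Level'; e = { $_.Values[1] } },
                  Count |
    Sort-Object Log, Level |
    Format-Table -AutoSize

# Most recent hits, with the first line of the message only, to match against the LEM console.
$events |
    Sort-Object TimeCreated -Descending |
    Select-Object -First 20 TimeCreated, LogName, LevelDisplayName, ProviderName, Id,
                  @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Run it on the node itself, or from a management host against `-ComputerName` with the Remote Event Log Management firewall rules enabled on the target. If this returns Critical and Error events but the LEM filter shows nothing, the problem is on the connector or filter side (the Windows Logging tools not started, as msterling found, or the filter keyed on the wrong field); if it returns nothing, there is simply nothing to forward in that window. Pass `-Level 1,2,3` to include the warnings that msterling's filter also passes through.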