6 Replies Latest reply on Mar 19, 2013 2:08 PM by nicole pauls

    Do you HAVE to use the agent?

    familyofcrowes

      I have 1300 cisco devices and 700 servers.  I cannot put the agent on all the servers, most likely less than 30% of them.  Plus I cannot add each cisco as a node in LEM, that would take forever.

       

      Am I screwed?  There has got to be a way to get all this in LEM without spoon feeding it.

       

      I have a lasso server that I used with LogLogic.  It takes all the event logs on all my servers and forwards them to loglogic.  I am under the impression that this will work with the lem.

       

      Any body doing anything like this?

       

      I just got it installed today, so....  I'm a bit freaked out now....


        • Re: Do you HAVE to use the agent?
          nicole pauls

          Event Logs: require agent (right now, we have to connect to the event log directly to parse windows events, and don't have connectors for syslog-formatted windows events). You can use the remote agent installer (or your deployment tool of choice) to add them, and you can quickly configure groups of them with templates (connector profiles).

           

          Network devices: syslog them to LEM and run the "add nodes" to scan the syslog data and automatically find the nodes without manual configuration. If you're using a syslog server for your network devices, put an agent on that, and you can configure the connectors you need directly.

           

          For the Windows systems you can't put an agent on, we're looking at an agentless solution that would remotely connect to their event logs, we just don't have it today.

          1 of 1 people found this helpful
            • Re: Do you HAVE to use the agent?
              familyofcrowes

              Is there some way to get "generic" syslogs into it?   If I can just have them in the DB then at least I can do basic searches...


                • Re: Do you HAVE to use the agent?
                  nicole pauls

                  Yeah, you could do that as a backup.

                   

                  What you can do is enable the original/raw message storage on the appliance, then configure a connector (one that generally won't match, but it doesn't matter), and you can search the original/raw message store (from explore>nDepth).

                   

                  We just need to match the connector based on the type of log rotation. The super easiest thing to do is to point a connector at a static filename and rotate the files out from under it - e.g. syslog.log, rotates day 2 to syslog.log.2 but syslog.log is still present for today's data.

                   

                  Enabling original log storage: SolarWinds Knowledge Base :: Configuring Your LEM Appliance for Log Message Storage and nDepth Search

                   

                  Install an agent on the Lasso (or whatever) server. Go to Manage > Nodes, then Gear > Connectors. I would suggest a connector that's built for syslog type data if you're going to point at syslog type files, that way it'll parse out the basic information (source IP/hostname, date) and make it easier to search. Maybe something like AIXsyslog or PAM (so it'd be in the Operating Systems category). Make sure when you configure the connector to specify "Alert, nDepth" instead of just "Alert" - you don't need to touch the ports or IPs, just make sure that option is enabled, that's what tells it to even capture the original data.

                    • Re: Do you HAVE to use the agent?
                      familyofcrowes

                      A big issue for me is that these syslogs are not stored on the "lasso" server, they are forwarded.  The lasso server pulls the event logs from all my servers, converts them to syslog format and forwards them to loglogic.  I pointed the forwarder to LEM and it sees nothing.  But, I pointed a bunch of Cisco switches and routers to the LEM and the LEM does not see that either.

                       

                      I'll keep working on it but if there are any other ideas I would greatly appreciate it...  In about a week I'll have to shelve the tool if I cannot get it to work with lasso or some other system that pulls events....

                       

                      Thanks

                        • Re: Do you HAVE to use the agent?
                          nicole pauls

                          Ah, I see! That's a big duh on my part.

                           

                          So, what you could do is configure "generic" connectors on the LEM side that are reading the syslogs that will pull them into the original log store, where you can search them. I missed the syslog receiver step (the other way would work if Lasso stored them in readable format locally).

                           

                          First... you'll need to get your sword ready for this journey.

                          http://www.zeldauniverse.net/wp-content/uploads/2013/03/its-dangerous-to-go-alone-take-this.jpg

                           

                          For your cisco routers/switches, you should be able to scan for these nodes and LEM will pick them up (use the "scan for new nodes" or "add node" in manage>nodes), or if you know the syslog facility, you can manually configure them.

                           

                          For your generic data, do you have it all sending to a single syslog facility? What you'll do is configure a connector, I'll use Linux PAM as an example, and have it send to original log store.

                          1. Enable original log store - above referenced KB: SolarWinds Knowledge Base :: Configuring Your LEM Appliance for Log Message Storage and nDepth Search
                          2. Enable Lasso data forwarding to LEM appliance - figure out what facility it's sending on
                          3. In LEM, go to Manage>Appliances
                          4. Click the Gear and go to Connectors or Tools
                          5. In Category, pick Operating Systems or in the search box type Linux or PAM (narrowing down the list to make it navigable)
                          6. Click on "Linux PAM" to select it (will show boring description at bottom)
                          7. Click on the Gear and pick "New"
                          8. You can change the alias here to something like "Lasso Connector" so you can find it later
                          9. Change the "Log File" value to match your logging facility - e.g. /var/log/local6.log (each log is named after the facility with .log at the end - user.log, daemon.log, local0.log, ... local6.log)
                          10. In the Output dropdown, pick "nDepth"
                          11. Don't touch the ports or host
                          12. Click Save
                          13. Click on the Gear and pick "Start"

                           

                          At this point, if ANYTHING is found in the log you configured that matches a standard syslog format, it will be dumped into the original log store.

                           

                          To search it, go to Explore>nDepth. You'll have a gadget that toggles between searching the normalized store and the original store (it's a slider, one side looks like nice pretty lines, the other looks like pages). Slide to the original store (normalized is the default) and hit the default search again to see what it's picked up for the last 10 minutes. Might take a couple minutes for data to start coming in at first. In general, it'll be delayed by at most 60 seconds, but much less if there's data coming in regularly (60 seconds or the time it takes to fill a relatively small buffer).

                           

                          Let me know where I can help next.