5 Replies Latest reply on Oct 19, 2015 10:46 AM by mark88

    Reports by user

    rufat87

      Hey guys, I need some help.

       

      Once in a while I get to collect information on a specific user and his/her activity on the network. Since we now have LEM, it is one of the sources of the information I can use to accomplish that. I know how to perform all the granular tasks for this purpose in nDepth, by IP, by username and such, but I also would like to use Reports for this purpose as well. Is it possible to customize any of the report template tables or make one where I just set the criterion by IP or destination account/source/machine and a timeframe and get the fancy looking report ready?

       

      I would really love to get some help making this happen.

        • Re: Reports by user
          qle

          Unfortunately, there's no functionality that allows you to customize the "out of box" reports. However, since you mentioned nDepth, why not use that? You can save your search (query) and then export the results which will include a number of different ways to represent your data visually. You can even schedule those queries to run although I haven't found the need for that feature quite yet.

          • Re: Reports by user
            curtisi

            I'm going to argue with qle: You can customize the out-of-the-box Reports in the Reports console.

             

            Say, for example, that you want authentication events for a specific user.

            1. Run Reports
            2. Run an Authentication report (I'm using Authentication - Log On/Off/Failure) for something like a ten minute span
            3. When it completes, click the Select Expert icon (a green funnel)
            4. When the box pops up, click "New" to add your first filter.  You'll be presented with a list of all the fields in the report.  For your example, I'd pick the AUTHAUDIT_1.DESTINATIONACCOUNT and add that.
            5. This'll take you back to the Select Expert box.  Pick the operator "Is Equal To" and in the box, type the username you want to search for.
            6. Your report may go blank if the user you want didn't occur in the last 10 minutes.  No sweat! Press F9 and you'll be prompted to change the time range.  Run the report.
            7. TA DA! A report for one user's authentication events.  You can hit Export and save it in the Crystal Reports format to keep a version of the report with your filters baked in for future use.

             

            The same sort of logic would apply to any report with user-names in it, though you may have to explore what fields contain what.

             

            See also: [VIDEO] Filtering and Exporting SolarWinds LEM Reports to Quickly Find Events of Interest

             

            You can also use Crystal Reports to customize the OOtB reports: SolarWinds Knowledge Base :: Creating a Custom Report for LEM 5.6 and newer

             

            I also cover something similar for FIM in this YouTube video: Solarwinds Log and Event Manager - Configuring FIM and Analyzing FIM Data - YouTube

              • Re: Reports by user
                rufat87

                That's brilliant! Exactly what I was hoping to get!

                • Re: Reports by user
                  mark88

                  Thanks for the v. useful guide, we have a LEM in a multi-domain environment and have been struggling to schedule custom reports for each domain.  Rather than use the "Is Equal To" operator I used the "Starts With" operator for filtering the report to pickup agent events for a particular domain.  After exporting the filtered report as Crystal Reports, i was then able to manually create a scheduled task to run the custom report as needed:

                   

                  1. Export filtered report to Crystal Reports format.

                  2. Copy the schedule report INI file and manually update the relevant parameters including the name of the report to run and the export options.

                  3. Create a basic task (in Task Scheduler) to run a schedule report using the custom report INI file.

                  4. Sit back and enjoy.

                   

                  I've created a separate folder for all my custom reports sorted by each domain and creating separate scheduled tasks for each report, I may look at bunching daily/weekly reports for each domain into separate batch jobs to simplify scheduling.

                   

                  The above is a bit of a long-winded workaround, but without purchasing Crystal Reports XI R2 ($600) I don't see any other way for creating custom reports which has been a major headache with using LEM in a multi-domain environment (and without having to install a separate manager appliance for each domain).

                   

                  Thanks a lot!

                • Re: Reports by user
                  darragh.delaney

                  Hi rufat87

                  Another option would be to use something like LANGuardian to capture the user information\metadata from network traffic and then integrate this with your SolarWinds views. You can see an example of this at the link below

                   

                  http://demo2.netfort.com/Orion/SummaryView.aspx?viewid=1&AccountID=guest

                   

                  There is also a search feature where you can put in an IP or username and get a view of what they are doing on your network. There is an example of this at the link below or I also included a link to a short video which shows the integration in action.

                   

                  http://demo2.netfort.com/Orion/SummaryView.aspx?viewid=36&AccountID=guest

                   

                  There is a trial version of LANGuardian available if you wanted to test it out yourself

                   

                  Hope this helps

                   

                  Darragh