By Mark Roberts
Early in June, SolarWinds announced the pre-release launch of their new syslog and SNMP Trap solution for their flagship Orion monitoring suite: SolarWinds Log Manager for Orion. This is to be a licensed module, which will provide a solution to allow the reception of event log data for operational use.
That is the key element to this: SolarWinds have several solutions for dealing with event data from the syslog and SNMP Trap protocols. The idea for Log Manager as an Orion module is that the data received from event-driven messages via these protocols is fully focused on enhancing, supporting and correlating with the poll-based monitoring data at which the other Orion modules excel.
This is a first release version of Log Manager and as such is yet to receive the full suite of functions planned, but it is already a strong step ahead of the capability of the current engines within Orion for syslog and SNMP Traps. Let me give you an example of what I mean by an operational log management solution: SolarWinds Network Performance Monitor has a single tick box option to capture and monitor dynamic routing data. The primary function of this is to be made aware of routing changes/flapping and current neighbours, and also to capture the routing table. This is fantastic, but what it does not do is tell you why routing changes may be occurring.
This is where event data comes into play: when something causes a routing change to take place, the router is built to record the details of that into an event log record. This record is then incredibly useful to get visibility of, and if both of these pieces of information are available side by side, the efficiency of analysis into the issue is tremendous for a network engineer.
Centralising the event logs via either the syslog or SNMP Trap protocols to a log management application means that you can review them in one place, but also take advantage of the powerful searching capabilities provided. If you have ever trawled through log files you will know the pain and suffering that comes with keyword searching up and down a file, looking for that elusive nugget of information which tells you what you need to know about the device's or system's service functions.
With Log Manager a couple of key methods stand out: firstly the ability to perform keyword searching through large volumes of data quickly, and secondly the rule engine, which tags each event message as it is received. Together these allow you to create rich categorisation structures so the messages can be reviewed more efficiently.
tail -f application.log | grep ERROR
The above is an example of displaying new events recorded to a file on a Linux OS which include the keyword ERROR. Log Manager includes a live mode which provides exactly the same function for displaying log data as it arrives. This is particularly useful if you believe something is occurring in the infrastructure and would benefit from seeing the related events flowing in in real time.
Let's face it, event messages are extremely dry, with row after row of messages being displayed, and we all know that we humans process information better visually. Many trigger points when reviewing event log data come from seeing trends in the quantity of messages. For example, seeing an increase in events within a short period of time could be an indicator of issues worthy of investigation. Seeing this in a filtered view could draw attention to widespread issues, where a high count of certain event types will result in different actions than small numbers. Log Manager includes a histogram chart which indicates message quantities over a period of time to provide this method of understanding.
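The two ideas above, rule-based tagging of incoming syslog messages and a per-minute histogram of message counts, as an added example that is not part of the original post or of SolarWinds' product: a small Python script that parses constructed syslog lines, tags them with hypothetical rules, and flags a burst of routing-change messages from one router. The sample lines, host names and rule set are all made up for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample syslog lines (BSD style); made up for this example, not from the page.
SAMPLE_LOG = """\
Jun 12 10:00:05 edge-rtr1 %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on Gi0/1 from FULL to DOWN, Neighbor Down: Dead timer expired
Jun 12 10:00:07 edge-rtr1 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
Jun 12 10:00:09 edge-rtr1 %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on Gi0/1 from LOADING to FULL, Loading Done
Jun 12 10:00:41 edge-rtr1 %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on Gi0/1 from FULL to DOWN, Neighbor Down: Dead timer expired
Jun 12 10:00:55 core-sw1 %SYS-5-CONFIG_I: Configured from console by admin on vty0
Jun 12 10:01:30 edge-rtr1 %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on Gi0/1 from LOADING to FULL, Loading Done
"""

# Hypothetical tagging rules (regex -> tag), standing in for Log Manager's rule engine.
RULES = [
    (re.compile(r"OSPF|BGP|EIGRP|ADJCHG"), "routing"),
    (re.compile(r"LINK-\d-UPDOWN"), "interface"),
    (re.compile(r"CONFIG_I"), "config-change"),
]
# "Mon DD HH:MM:SS host message": the classic syslog header.
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")

def parse(line, year=2018):
    """Split one syslog line into (timestamp, host, message); BSD syslog omits the year."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["msg"]

def tag(msg):
    """Apply every rule; a message may carry several tags, or 'untagged' if none match."""
    return [t for rx, t in RULES if rx.search(msg)] or ["untagged"]

def histogram(text):
    """Per-minute count of messages by (host, tag): the data behind a histogram chart."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # skip anything that is not a syslog line
        ts, host, msg = rec
        for t in tag(msg):
            counts[(host, t, ts.strftime("%Y-%m-%d %H:%M"))] += 1
    return counts

def bursts(text, threshold):
    """Buckets where one tag fires at least `threshold` times in a minute: worth a look."""
    return sorted(k for k, n in histogram(text).items() if n >= threshold)
```

Running `bursts(SAMPLE_LOG, 3)` returns the single bucket in which edge-rtr1 logged three OSPF adjacency changes within a minute, which is exactly the routing-flap case the post describes.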
Log Manager is licensed in a nice and simple manner: each device sending log data consumes a license, with license levels starting at 10 devices and tiers going up from there.
With SolarWinds having four log management solutions for installation on-premise or within a private cloud, where does Log Manager for Orion sit? Let me take you through the four solutions, so you can see where each one fits.
Kiwi Syslog Server is a ubiquitous solution with many tens of thousands of installations worldwide, due to its ease of use, low cost and ability to do the basics well. If you just need somewhere to collate your syslog and SNMP Trap event messages, this works for many situations. It is however too simplistic for many, with limited enterprise features, but as a quick and easy solution to collect and view log data it works very well.
We often also use Kiwi to act as a sort of event message proxy server, where devices are configured to send log data to a Kiwi installation, which then forwards filtered log messages to Orion. This works well where the full volume would be too much for Orion to process, and where longer term storage is required than Orion allows.
Performance-wise it is able to handle around 500 events per second at peak load and is only dependent on storage space capacity for data retention (read years if you have enough space).
The existing Orion syslog and SNMP Trap engine is the current solution within Orion for event data reception from these two protocols. Similar in nature to Kiwi, with keyword and regex filtering coupled to a simple tabular display and search function, this is a solution at the more basic end of the spectrum. Again it is an operationally focused solution, there to support the polling data captured by Orion.
This solution is currently available, but will eventually be superseded by the Log Manager for Orion module. It is able to support around 1,000 events per second, but at that level has a short data retention period of fewer than 14 days.
I will keep this brief, as I have already described the features of the new Log Manager for Orion, but will repeat the perfect scenario for this solution: where event log data is reviewed because the event messages contain data that gives visibility of issues affecting the health and performance of the device/service sending the log data.
Log Manager is able to receive around 1,000 events per second, but at this level is focused on storing the data for the short term, around 14 days.
Log & Event Manager (LEM) is a full-blown SIEM solution, which, to unravel another IT acronym, is Security Information and Event Management. This is the big boy platform for event log data, where the user is going to fulfil operational use but also move all the way into the security realm. This is due to the engine providing intelligence, with event data being normalised and then categorised, and known events given a specific focus.
Event data is received and can actively be captured from multiple sources, not just syslog or SNMP traps: Windows events, application logs and databases are all available to be centralised within LEM. This comes together with the advanced rule engine, a very powerful search engine and a proprietary database that allows searching over long periods of time.
Inbuilt reports targeting common compliance standards mean this is a solution which will meet the needs of organisations that must comply with standards such as GPG13, PCI, SOX etc.
LEM supports log ingestion in the region of 2,000 events per second, with typical data retention in the months and years.
I hope this has given you a flavour for SolarWinds Log Manager for Orion, and where it fits in relation to the other Log Management solutions within the SolarWinds portfolio. We will be running a webinar on SolarWinds Log Manager for Orion in September, so stay tuned for upcoming details.
Prosperon Networks are the UK's leading authority on SolarWinds IT Management Solutions. We run training courses that suit a number of roles in your organisation; these courses cater for engineers, helpdesk operators and management personnel, who all use monitoring platforms differently. The SolarWinds products retain their simplicity and ease of use; however, product training in some form is recommended to get the most out of the tools we use every day.
Copyright © 2018 Prosperon Networks. All rights reserved. Registered Co. No. 5884643. VAT Number 889545649, Argyll House, 15 Liverpool Gardens, Worthing, W. Sussex, BN11 1RY (UK).