An Introduction To The New SolarWinds Log Manager for Orion

That is the key element to this, SolarWinds have several solutions for dealing with event data from the syslog and SNMP Trap protocols. The idea for Log Manager as an Orion module is that the data received from event-driven messages via these protocols are fully focused to being used to enhance, support and correlate with poll-based monitoring data to which the other Orion modules excel so well at.

This is a first release version of Log Manager and as such is yet to receive the full suite of functions planned, but it is already a strong step ahead of the capability of the current engines within Orion for syslog and SNMP Traps. Let me give you an example of what I mean by operational log management solution; SolarWinds Network Performance Monitor has a single tick box option to capture and monitor dynamic routing data. The primary function of this is to be made aware of routing changes/flapping, current neighbours and also the capture of the routing table. This is fantastic, but what it does not do is tell you why routing changes may be occurring.

This is where event data comes into play as when something causes a routing change to take place, the router is built to record the details of that into an event log record. This record is then incredibly useful to get visibility of and if both of these pieces of information are available side by side, the efficiency of analysis into this issue is tremendous to a network engineer.

Centralising the event logs via either the syslog or SNMP Trap protocols to a log management application means that you can review them in one place, but also take advantage of powerful searching capabilities provided. If you have ever trawled through log files you will know the pain and suffering that comes with keyword searching up and down a file, looking for that elusive nugget of information which tells you what you need to know about the devices/systems service functions.

With Log Manager a couple of key methods stand out; firstly the ability to perform keyword searching through large volumes of data quickly and secondly the rule engine when it receives the event message will tag it, so these allow a way to create rich categorisation structures so the messages can be reviewed in a more efficient manner.

[code]tail -f application.log | grep ERROR[/code]

The above is an example of displaying new events recorded to a file on a Linux OS which includes the keyword ERROR. Log Manager includes a live mode which provides exactly the same function for displaying log data as it arrives. This is particularly useful if you believe something is occurring in the infrastructure and can benefit from seeing in real time the related events flowing in.

Log Manager is licensed in a nice and simple manner, with each device sending log data consuming a license, with the license levels starting at 10 devices, with tiers of size going up from here.

With SolarWinds having 4 log management solutions for installation on-premise or within a private cloud, where does Log Manager for Orion sit? Let me take you through the 4 solutions, so you can see where each solution fits.

Kiwi Syslog Server

A ubiquitous solution with many tens of thousands of installations worldwide due to its ease of use, cheapness and ability to do the basics well. If you just need somewhere to collate your syslog and SNMP Trap event messages this works for many situations. It is however too simplistic for many, with limited enterprise features, but as a quick and easy solution to collect and view log data it works so well.

We often also use Kiwi to act as a sort of event message proxy server, where devices are configured to send log data to a Kiwi installation and then send filtered log messages to Orion. This works well where too much volume will not be great for Orion to process and where long term storage is required than Orion allows.

Performance wise it is able to handle around 500 events per second at peak load and is only dependant on storage space capacity for data retention (read years if you have enough space).

Syslog and SNMP Trap Servers in Orion

This is the current solution within Orion for event data reception from these two protocols. Similar in nature to Kiwi, with keyword and Regex filtering coupled to a simple tabular display and search function, this is a solution at the more basic end of the spectrum. Again an operationally focused solution which is there to provide a support to polling data captured by Orion.

This is a solution currently available, but will eventually be superseded by the Log Manager for Orion module. Able to support around 1,000 events per second, but at that level a short data retention period of fewer than 14 days.

** NEW ** SolarWinds Log Manager for Orion ** NEW **

I will keep this brief, as I have already indicated the features of the new Log Manager for Orion, but will repeat the perfect scenario for this solution. Where event log data will be reviewed to identify how the event messages contain data that gives visibility to issues affecting the health and performance of the device/service sending the log data.

Log Manager is able to receive around 1,000 events per second, but at this level is focused on storing this for a short-term ~14 days.

SolarWinds Log & Event Manager

This is a full-blown SIEM solution, which to unravel another IT acronym is Security Information Event Management. This is the big boy platform for event log data, where the user is going to fulfil operational use, but also move all the way to the security realm. This is due to the engine providing intelligence, with event data being normalised and then categorised with known events having a specific focus.

Event data is received and can actively be captured from multiple sources, not just syslog or SNMP traps, with Windows events, application logs, databases all available to be centralised within LEM. This together with the advanced rule engine, very powerful searching engine and a proprietary database that allows searching capability over long-term periods of time.

Inbuilt reports targeting common compliance standards means this is a solution which will meet the needs of organisations to comply with various compliance such as GPG13, PCI, SOX etc.

LEM supports log digestion in the region of 2,000 events per second, with typical data retention in the months and years.

I hope this has given you a flavour for SolarWinds Log Manager for Orion, and where it fits in relation to the other Log Management solutions within the SolarWinds portfolio. We will be running a webinar on SolarWinds Log Manager for Orion in September, so stay tuned for upcoming details.