SolarWinds Log Analyzer Installation Guide

INSTALLATION GUIDE

Log Analyzer Version 2020.2.1

Last Updated: Wednesday, September 9, 2020




© 2020 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.

INSTALLATION GUIDE: LOG ANALYZER


Table of Contents

Installation overview
Prepare for installations and upgrades
LA 2020.2.1 System Requirements
LA port requirements
LA agent requirements
Cloud instance requirements for the LA database in Azure
Monitor logs and events with your LA and Orion Platform product license plans
LA feature comparison
Install and configure LA
Uninstall LA/OLV and restore legacy syslog and trap services
LA pre-deployment notes for Microsoft Azure
Discover your network with the Discovery Wizard
Add a single node for monitoring
Deploy agents to monitored nodes
Add unknown nodes to the Orion Platform
Configure devices to send messages to Log Analyzer
Configure secure syslog settings for Log Analyzer
Set up Windows event collection in LA
Disable and enable log-processing rules
Create log collection profiles
Create custom log-processing rules
Log forwarding
Enable existing NCM Real-Time Change Notification rules
Integrate Orion alerts with LA
Set LA storage and search retention period
Additional requirements


Installation overview

Log Analyzer (LA), formerly Log Manager for Orion, is a fully-integrated log management solution that is accessible through your Orion Web Console. Upon installation, you can instantly view live event messages from nodes currently integrated with the Orion Platform, and quickly map unknown devices through the Node Management feature. Key benefits include live event filtering to target and identify current network issues, and seamless transitions between critical event messages and associated Orion Platform products for on-the-spot troubleshooting and issue resolution.


Prepare for installations and upgrades

Task: Review release notes
Review product release notes and available documentation in our Customer Success Center.

Task: Review system requirements
Make sure your environment meets all hardware and software requirements for your installation. You can verify the requirements for your installation in the System requirements section.

Task: Review licenses and gather keys, and review the maintenance status of your products
Review your product licenses and maintenance status and determine if you need to make any changes. You can download license keys for your new Orion Platform products through the SolarWinds Customer Portal. Verify any license upgrades and needs with your SolarWinds account manager or contact SolarWinds.

Task: Gather credentials
Make sure you have all account credentials, SQL database credentials, your SolarWinds account, and local admin server credentials.

Task: Schedule the installation
Set up the maintenance window, preferably during off-peak hours. Depending on the number of products, size of database(s), and size of environment, you may need several hours to complete your installation.

If you upgrade or install new Orion products into an existing Orion Platform, all SolarWinds services and polling engines must be offline for a period of time, so you will lose a portion of polling data.

Task: Notify your company
Send a message to your company regarding the upgrade schedule and maintenance window.

Task: Do you need to migrate?
You may need to migrate products and databases to new dedicated servers. Check whether you need to migrate by reviewing new product requirements, performance, and company needs.

Migrating adds time to your upgrade, but an upgrade is the best opportunity to move to new servers.


Task: Use the Upgrade Path in the Orion Installer
The SolarWinds Orion Installer builds the upgrade path for you and directs the entire upgrade process. When you run the installer, it detects your installed Orion products and versions, verifies the latest product versions available under your maintenance agreement, and builds the upgrade path. This occurs before the upgrade, so you can run the installer to see your path before launching the upgrade.

While you can still use the Upgrade Product Advisor to see what your upgrade path might look like, we recommend always using the Orion Installer upgrade path.

Support Note: After every product installation, for legacy and new products, we recommend always running the Orion Installer. It verifies and updates the upgrade path every time. It also runs preflight checks for all detected products that have preflight checks available (powered by Active Diagnostics).

Task: Gotchas
Gotchas for the Orion Installer and products. Before you install your products, you may want to check the gotchas. For a full list, see the Orion Platform install and upgrade gotchas (includes links to product-specific gotchas).

Task: Prepare the environment
As part of your pre-flight, prepare the Orion environment:

- For new server installations, build the servers based on your deployment size and system requirements.
- For installations into an existing Orion Platform, verify that enough drive space is available. Products may require significant space for the downloaded installation ZIP file and the installation process.
- For an Orion Platform installation or integration, you may need to build an additional web server. For details, see the SolarWinds Scalability Guidelines.

If you are adding SolarWinds High Availability (HA) to your environment, review the HA requirements and VIP address information. Prepare two matching servers for installation.

Task: Run all Windows updates
To avoid unnecessary reboots during installation, run all Microsoft Updates on all servers before beginning the installation. The installation cannot complete if your system is waiting to reboot.


Task: Back up the existing database
If you are installing with an existing database, back up the database. If you need help, check your vendor's site for documentation and instructions. If your database is on a VM, create a snapshot or copy of the VM.

Task: Open ports according to requirements
For your server ports and firewall, open ports according to the system requirements. Orion uses these ports to send and receive data.

Task: Check for antivirus software
Determine whether any antivirus software is installed on the server or servers where you plan to install. To ensure the installation goes smoothly, exclude the SolarWinds directory. For example, on Windows Server 2012 R2, exclude C:\ProgramData\SolarWinds\. For a full list of antivirus exclusions, see Files and directories to exclude from antivirus scanning. Do not exclude executable files. SolarWinds assumes that C:\ is the default volume.


LA 2020.2.1 System Requirements

The following are the system requirements for Log Analyzer (LA) 2020.2.1. This version of LA uses Orion Platform version 2020.2.1. For more information on Orion Platform system requirements, see the Orion Platform requirements.

If you are installing a dedicated log and event database for Orion Log Viewer, refer to these requirements.

In addition to the requirements below, most LA monitoring requires the monitored server to be polled by an Orion Agent for Windows.

Operating System
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
- Microsoft Windows 10 (evaluation only)
- Microsoft Windows 8.1 (evaluation only)

Operating System language
- English (UK or US)
- German
- Japanese

Orion Web Console browser
The Orion Platform supports the two latest versions of the following web browsers available on the release date:
- Firefox
- Chrome
- Edge (79 or higher)

In LA 2020.2 and later, some pages are not compatible with IE11. If you are using IE11, you will see a warning message on incompatible pages. SolarWinds recommends using a different browser (such as Chrome, Firefox, or Microsoft Edge) for the best user experience with LA.


LA database: Physical server or virtual machine
- Quad core processor or better
- 16 GB RAM
- 1 x 1 GB dedicated NIC
- Windows Server 2016 or 2019, Standard or Datacenter Edition

As of Orion Platform 2019.2, you can use Azure SQL as your database server.

- Disk requirements: 100-130 GB/day (at 1000 EPS) on local NTFS disk

Estimate the required storage size based on expected EPS and desired retention. For example, 1 TB capacity for the default retention period (7 days).

- Microsoft SQL Server 2016 SP1 or later
- Microsoft SQL Server Express

SolarWinds recommends using SQL Server Express only in evaluations. If it is used in a production environment, consider the following: the LA database will have a 10 GB limit. This means that at 1000 EPS, only 2-3 hours of data can be saved, and for 7 days of data (the default retention) only 15 EPS on average can be collected.

- Supported collations:
  - English with collation setting SQL_Latin1_General_CP1_CI_AS
  - German with collation setting German_PhoneBook_CI_AS
  - Japanese with collation setting Japanese_CI_AS

Authentication: Either mixed-mode or Windows authentication. If you require SQL authentication, you must enable mixed mode on your SQL server.
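As an added example, not from the SolarWinds guide, the database sizing arithmetic above carried through in PowerShell for any event rate. It takes the 100-130 GB/day per 1000 EPS figure, the 7-day default retention and the 10 GB SQL Server Express limit from the table, so its output approximates the 1 TB, 2-3 hour and 15 EPS figures quoted there; the function names are assumptions.

```powershell
# Added example, not part of the SolarWinds guide. Carries the database sizing
# arithmetic through for any event rate. The constants are taken from the table:
# 100-130 GB per day at 1000 EPS, 7-day default retention, 10 GB SQL Server Express limit.
$GbPerDayPer1000Eps   = @{ Low = 100.0; High = 130.0 }
$DefaultRetentionDays = 7
$SqlExpressLimitGb    = 10.0

# Storage range (GB) needed to keep $RetentionDays of data at $Eps events per second.
function Get-LaStorageEstimate {
    param([Parameter(Mandatory)][double]$Eps, [int]$RetentionDays = $DefaultRetentionDays)
    $perDayLow  = $GbPerDayPer1000Eps.Low  * $Eps / 1000
    $perDayHigh = $GbPerDayPer1000Eps.High * $Eps / 1000
    [pscustomobject]@{
        Eps           = $Eps
        RetentionDays = $RetentionDays
        GbPerDay      = '{0:N1}-{1:N1}' -f $perDayLow, $perDayHigh
        TotalGb       = '{0:N0}-{1:N0}' -f ($perDayLow * $RetentionDays), ($perDayHigh * $RetentionDays)
    }
}

# What a database capped at $LimitGb (SQL Server Express) can hold: the hours of data it
# retains at $Eps, and the average EPS that still fits inside $RetentionDays.
function Get-LaCappedDatabaseLimits {
    param([double]$Eps = 1000, [int]$RetentionDays = $DefaultRetentionDays, [double]$LimitGb = $SqlExpressLimitGb)
    $perDayLow  = $GbPerDayPer1000Eps.Low  * $Eps / 1000
    $perDayHigh = $GbPerDayPer1000Eps.High * $Eps / 1000
    $maxEpsLow  = $LimitGb / $RetentionDays / $GbPerDayPer1000Eps.High * 1000
    $maxEpsHigh = $LimitGb / $RetentionDays / $GbPerDayPer1000Eps.Low  * 1000
    [pscustomobject]@{
        LimitGb            = $LimitGb
        Eps                = $Eps
        HoursRetainedAtEps = '{0:N1}-{1:N1}' -f ($LimitGb / $perDayHigh * 24), ($LimitGb / $perDayLow * 24)
        RetentionDays      = $RetentionDays
        MaxAverageEps      = '{0:N0}-{1:N0}' -f $maxEpsLow, $maxEpsHigh
    }
}

# The two cases the table describes: full-rate sizing for default retention,
# and what SQL Server Express can hold at that rate.
Get-LaStorageEstimate -Eps 1000
Get-LaCappedDatabaseLimits -Eps 1000
```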

LA/Orion server:

Do not install Orion Platform products on the same server as SolarWinds Access Rights Manager (ARM).


CPU: Quad core processor or better
- Required: 4 cores
- Recommended: 8 cores

Do not enable Physical Address Extension (PAE).

Hard drive space: 15 GB minimum, 40 GB recommended

Two 146 GB 15K (RAID 1/Mirrored Settings) hard drives are recommended, with a dedicated drive for the server operating system and the SolarWinds installation.

During upgrades, the installer needs 2 GB of free space.

Some common files may need to be installed on the same drive as your server operating system. You may want to move or expand the Windows temporary directories.

Memory
- 8 GB minimum
- 16 GB recommended


LA port requirements

- Ports 4369, 25672, and 5672 are opened by default on the main server for RabbitMQ messaging. These ports can be blocked by the firewall. When running SolarWinds High Availability, ensure ports 4369 and 25672 are open.
- RPC ports above 1024 (TCP, bidirectional) are used by the Job Engine v2 process to communicate with Windows nodes.

Port 22 (user-defined; default 22), SSH
  Service/process: SolarWinds Job Engine v2; IIS
  Direction: Outbound from the Orion server to the device
  Description: Port for accessing ASA devices through the CLI
  Encryption: Device-based

Port 25, TCP
  Service/process: SolarWinds Alerting Service V2
  Direction: Outbound
  Description: SMTP port for non-encrypted messages
  Encryption: n/a

Port 53, UDP
  Service/process: SolarWinds Job Engine v2
  Direction: Bi-directional
  Description: Resolving DNS queries
  Encryption: n/a

Port 80, TCP
  Service/process: IIS
  Direction: Inbound
  Description: Default additional web server port. If you specify any port other than 80, you must include that port in the URL used to access the web console. For example, if you specify an IP address of 192.168.0.3 and port 8080, the URL used to access the web console is http://192.168.0.3:8080. Open the port to enable communication from your computers to the Orion Web Console. The port might also be used for Cisco UCS monitoring.
  Encryption: n/a


Port 135, TCP
  Service/process: Microsoft EPMAP (DCE/RPC Locator service)
  Direction: Bi-directional
  Description: Required for devices polled via WMI. Used to initiate communication with the remotely managed host.
  Encryption: not listed

Port 161, UDP
  Service/process: SolarWinds Job Engine v2; SolarWinds Cortex
  Direction: Bi-directional
  Description: Send and receive SNMP information
  Encryption: SNMP v1 and v2 are unencrypted. SNMP v3 uses AES and 3DES encryption.

Port 162, UDP
  Service/process: SolarWinds Trap Service; SNMP Informs
  Direction: Inbound
  Description: Receive trap messages
  Encryption: n/a

Port 443, TCP
  Service/process: IIS
  Direction: Inbound
  Description: Default port for HTTPS binding
  Encryption: SSL

Port 465, TCP
  Service/process: SolarWinds Alerting Service V2
  Direction: Outbound
  Description: SMTP port used to send TLS-enabled email alert actions
  Encryption: SSL

Port 514, UDP
  Service/process: SolarWinds Syslog Service
  Direction: Inbound
  Description: Receive syslog messages
  Encryption: n/a

Port 587, TCP
  Service/process: SolarWinds Alerting Service V2
  Direction: Outbound
  Description: SMTP port used to send TLS-enabled email alert actions
  Encryption: TLS


Port 1433, TCP
  Service/process: SolarWinds Alerting Service V2; SolarWinds Administration Service; SolarWinds Information Service; SolarWinds Information Service V3; SolarWinds Orion Module Engine
  Direction: Outbound
  Description: Communication between the Orion server and the SQL Server
  Encryption: n/a

Port 1434, UDP
  Service/process: SolarWinds Alerting Service V2; SolarWinds Administration Service; SolarWinds Information Service; SolarWinds Information Service V3; SolarWinds Orion Module Engine; SQL Server Browser Service
  Direction: Outbound
  Description: Communication with the SQL Server Browser Service to determine how to communicate with certain non-standard SQL Server installations. Required only if your SQL Server is configured to use dynamic ports.
  Encryption: n/a

Port 1801, TCP
  Service/process: MSMQ
  Direction: Bi-directional
  Description: MSMQ WCF binding
  Encryption: WCF


Port 5671, TCP
  Service/process: RabbitMQ
  Direction: Bi-directional
  Description: For encrypted RabbitMQ messaging (AMQP/TLS) into the main polling engine from all Orion servers (additional polling engines, HA servers, or additional web servers). Sending messages to RabbitMQ.
  Encryption: TLS 1.2

Port 17777, TCP
  Service/process: SolarWinds Orion Module Engine; SolarWinds Information Service; SolarWinds Information Service V3; SolarWinds Cortex
  Direction: Bi-directional
  Description: Communication between services and SolarWinds Orion module traffic. Communication between the Orion Web Console and the polling engines. Communication between the main server and pool members.
  Encryption: RSA handshake, AES 256 communication using WCF; TLS 1.2 with Cortex

Port 17778, HTTPS
  Service/process: SolarWinds Agent
  Direction: Inbound to the Orion server
  Description: Required for access to the SWIS API and agent communication
  Encryption: SSL
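As an added example, not from the SolarWinds guide, a read-only PowerShell audit of the inbound rows of the port table above, to run elevated on the main Orion server: it reports whether each port is listening, whether an enabled inbound Windows Firewall allow rule covers it, and flags the rows whose Encryption column reads n/a so that their allowed source addresses can be restricted. It assumes the NetTCPIP and NetSecurity modules present on Windows Server 2012 R2 and later; the function names and the RPCEPMap keyword handling are assumptions.

```powershell
# Added example, not part of the SolarWinds guide. Read-only audit of the inbound ports
# from the LA port table on the main Orion server. Run elevated on that server.
# Assumes the NetTCPIP and NetSecurity modules (Windows Server 2012 R2 and later).

# Inbound rows transcribed from the table; Encryption is the table's own column.
$RequiredInbound = @(
    @{ Port = 80;    Proto = 'TCP'; Service = 'IIS (Orion Web Console)';             Encryption = 'n/a' }
    @{ Port = 135;   Proto = 'TCP'; Service = 'Microsoft EPMAP (WMI polling)';       Encryption = 'not listed' }
    @{ Port = 162;   Proto = 'UDP'; Service = 'SolarWinds Trap Service';             Encryption = 'n/a' }
    @{ Port = 443;   Proto = 'TCP'; Service = 'IIS (HTTPS binding)';                 Encryption = 'SSL' }
    @{ Port = 514;   Proto = 'UDP'; Service = 'SolarWinds Syslog Service';           Encryption = 'n/a' }
    @{ Port = 1801;  Proto = 'TCP'; Service = 'MSMQ WCF binding';                    Encryption = 'WCF' }
    @{ Port = 5671;  Proto = 'TCP'; Service = 'RabbitMQ (AMQP/TLS)';                 Encryption = 'TLS 1.2' }
    @{ Port = 17777; Proto = 'TCP'; Service = 'Orion Module Engine / SWIS / Cortex'; Encryption = 'WCF / TLS 1.2' }
    @{ Port = 17778; Proto = 'TCP'; Service = 'SWIS API and agent communication';    Encryption = 'SSL' }
)

# True when a firewall port filter's LocalPort ('Any', '80', '1024-65535', a list, or the
# RPCEPMap keyword the built-in endpoint-mapper rules use for 135) covers $Port.
function Test-PortCovered {
    param([string[]]$LocalPorts, [int]$Port)
    foreach ($lp in $LocalPorts) {
        if ($lp -eq 'Any') { return $true }
        if ($lp -eq 'RPCEPMap' -and $Port -eq 135) { return $true }
        if ($lp -match '^(\d+)-(\d+)$') {
            if ([int]$Matches[1] -le $Port -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($lp -match '^\d+$' -and [int]$lp -eq $Port) {
            return $true
        }
    }
    return $false
}

# One result object per required inbound port.
function Test-LaInboundPorts {
    $tcpListening = @((Get-NetTCPConnection -State Listen).LocalPort)
    $udpListening = @((Get-NetUDPEndpoint).LocalPort)
    # Port filters of every enabled inbound allow rule (a rule without a port filter reports 'Any').
    $allowFilters = @(Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Get-NetFirewallPortFilter)

    foreach ($req in $RequiredInbound) {
        $listenPorts = if ($req.Proto -eq 'TCP') { $tcpListening } else { $udpListening }
        $allowed = $false
        foreach ($f in $allowFilters) {
            if ($f.Protocol -ne 'Any' -and $f.Protocol -ne $req.Proto) { continue }
            if (Test-PortCovered -LocalPorts @($f.LocalPort) -Port $req.Port) { $allowed = $true; break }
        }
        [pscustomobject]@{
            Port          = $req.Port
            Protocol      = $req.Proto
            Service       = $req.Service
            Listening     = ($listenPorts -contains $req.Port)
            FirewallAllow = $allowed
            Encryption    = $req.Encryption
            Note          = if ($req.Encryption -eq 'n/a') { 'cleartext: limit allowed source addresses' } else { '' }
        }
    }
}

# A row with Listening or FirewallAllow = False needs attention before devices are pointed at LA.
Test-LaInboundPorts | Format-Table -AutoSize
```

If the web console is bound to a port other than 80, edit that row's Port value before running the audit.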


LA agent requirements

Agent software is free. Licensing occurs through your product and is usually based on the number of monitored elements.

Before you deploy agents to a target computer, review the following system requirements (Windows).

Operating System
Only 64-bit operating systems are supported.
- Windows Server 2008 R2 SP1
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows 7
- Windows 7 SP1
- Windows 8
- Windows 8.1
- Windows 10

Only the Pro, Enterprise, and Ultimate editions of workstation operating systems are supported.

Hard drive space
Approximately 100 MB of hard drive space on the target computer.

Other software
The following software packages are installed by the agent installer if necessary:
- Microsoft Visual C++ 2013 Redistributable Package for 32-bit or 64-bit
- .NET Framework 4.0 (you must install this manually if you are installing an agent on Windows Server 2008 R2 or earlier, or on Windows Core)
- .NET Framework 4.5 (required for Windows Server 2008 R2 SP1 and later)

Security
The VeriSign Root Certificate Authority (CA) must be current. This is required because the agent software is signed using a VeriSign certificate.

After the agent is installed, it runs as the Local System account and does not require administrative permissions to function.

Latency
Agents can tolerate up to 500 ms of latency between the remote computer and the Orion server.


Cloud instance requirements for the LA database in Azure

The cloud instance requirements match the requirements for the LA database server above.

Azure Storage disk volumes are not your dedicated hardware. Consider using Azure Reserved Instances of storage disk volumes for SQL servers.


Monitor logs and events with your LA and Orion Platform product license plans

Monitor any networked Orion Platform node in the Log Analyzer (LA) Log Viewer with your LA license plan. In the Orion Web Console, check for available licenses by navigating to Settings > All Settings, and then clicking License Details in the Details pane. The License Details page lists all licensed Orion Platform products, including the total number of LA licenses, and the number of nodes currently consuming a license.

Beginning in April 2020, you can choose to use a perpetual license or a subscription-based (term-based) license. Learn more here.

If your LA licenses expire, you will then only have access to the Orion Log Viewer, formerly Log Manager Basic. This means the Orion Log Viewer will use Orion Platform nodes for licenses, so you will continue to receive message data, but will not have access to live event streaming, the event histogram, event tagging, and more. Review the feature comparison here.

As part of the LA licensing framework, LA receives messages from all nodes the Orion Platform manages. When you purchase and register a license as an existing customer, the licensing framework combines Orion Platform nodes with your LA licenses. For instance, if you have NPM SL100 and SAM AL100, and then register an LA100 license, you can monitor up to 300 nodes, but only receive messages from 100 nodes. Of the total (300) nodes, you can select which 100 nodes you would like to monitor in LA.

The Orion Platform does not support using LA with one set of nodes, and the Orion Log Viewer on remaining nodes. In other words, if you have an LA10 license and a SAM AL100 license, you can monitor 10 nodes with LA, but you cannot monitor the other 90 with the Orion Log Viewer.

LA evaluation customers receive unlimited licenses for Orion Platform nodes during the evaluation period.

- The Orion Log Viewer only receives syslog/trap messages from licensed devices.
- VMAN requires the Orion Log Viewer to monitor VMware-specific events.
- Processing NCM Real-Time Change Notification messages requires an LA-specific license for each device.

Licensing levels


License: Number of monitored elements
- LA10: Up to 10 nodes with 1st-Year Maintenance
- LA25: Up to 25 nodes with 1st-Year Maintenance
- LA50: Up to 50 nodes with 1st-Year Maintenance
- LA100: Up to 100 nodes with 1st-Year Maintenance
- LA250: Up to 250 nodes with 1st-Year Maintenance
- LA500: Up to 500 nodes with 1st-Year Maintenance
- LA1000: Up to 1000 nodes with 1st-Year Maintenance

Message source terminology

- Message source: Any device that sends log messages to LA.
- Unmonitored message source: Unknown device (not in the Orion Platform) that sends messages to LA.
- Managed by LA: Node that sends messages to LA and consumes an LA license.
- Passive Orion Platform node: Node that doesn't send messages and is ignored by LA.

Enable or disable log and event monitoring

To adjust your node settings, edit the node properties, and then select one of the Log and Event Monitoring options.

1. In the Orion Web Console, navigate to Settings > Manage Nodes.
2. Select one or more nodes, and then click Edit Properties.


3. Scroll down to the Log and Event Monitoring section and choose one of the following options from the Status drop-down list:
   - Default: Monitoring will be enabled for this node on receipt of the first message. The Default setting applies to syslog and SNMP trap messages only. Windows and VMware events must be manually set to Enabled or Disabled.
   - Enabled: Monitoring is enabled for this node.
   - Disabled: Monitoring is disabled for this node. Log and event data will be discarded for this node.
4. Click Submit.

You can also enable a node by selecting one or more nodes and clicking More Actions > Enable Log Monitoring.

Before removing a node, determine if it is collecting events from additional networked nodes that you want to continue monitoring. This action can result in loss of data from multiple nodes.


LA feature comparison

The following table lists the features available with the legacy Syslog and Trap Viewers, Orion Log Viewer (Basic), and Log Analyzer. The columns compared are Syslog/Trap Viewers, Orion Log Viewer (Basic), and Log Analyzer; the features compared are:

- Syslog/trap collection*
- Windows event collection
- VMware event collection**
- Search event logs
- Filter event logs
- Create custom rules
- Log tagging
- Histogram
- Live Mode
- Orion alert integration
- Cross-stack correlation via PerfStack™
- Filter on log tags
- Separate database for log collection
- Free polling engine
- Centralized Upgrades
- Syslog/Trap forwarding
- Export logs to CSV
- Reorder custom rules
- Log Viewer access from Node Details resource
- LA instant eval
- Log collection profiles
- Windows flat file processing

*Installation of LA or OLV replaces existing legacy syslog and trap services, but does not provide 100 percent feature parity. Learn more here.

**Requires a SolarWinds Virtualization Manager license.


Install and configure LA

As an Orion Platform product, LA uses the SolarWinds Orion Installer. See the SolarWinds Orion Installation and Upgrade Guide for help installing LA.

Do not install Orion Platform products on the same server as SolarWinds Access Rights Manager (ARM).

When installation is complete, the Configuration wizard appears to guide you through additional steps. During the configuration sequence, the wizard also prompts you to apply additional settings to configure the LA (or Orion Log Viewer) database.

If you are installing LA on Microsoft Azure, review the system requirements, follow the pre-deployment notes, and then review the Azure deployment guide.

1. On the Database Settings for Log and Event Monitoring screen, select one of the following options:
   - Place the Orion log and event database on the same SQL server as the primary database. Select this option if you expect to send low to moderate log traffic to the Orion Platform.
   - Place the Orion log and event database on a dedicated SQL server (recommended for high volumes*). Select this option if you expect to send a large volume of log traffic to the Orion Platform.
2. If you have a separate database, on the following screen, enter your credentials for the additional SQL Server instance.
   - Authenticate as currently logged in user. Passes authentication through to the SQL server using the account currently logged in for installing the Orion product.
   - Switch user. Provide credentials that are automatically detected as SQL, Windows, or Azure credentials, allowing Windows Authentication for the initial setup even if the Orion server is not joined to a domain or the current account does not have permissions to the SQL server.
3. Select either the Create a new database or Use an existing database option.
4. Continue the Configuration wizard sequence.

When installing and configuring SQL Server 2016, enable full-text search to ensure optimum event log search performance within LA. You can still install LA and initiate event log searches without enabling this capability, but the speed and quality of your search may be significantly reduced.


*If you have a large environment, you must provide your own SQL server and use the standard installation. During installation, you will receive a server requirement notification as part of the installer preflight check. For additional guidance, refer to the multi-module system guidelines.

Evaluators

After installing LA, you can add nodes to the Orion Platform and enjoy an unlimited number of Orion Platform and LA nodes, including all paid features. When the evaluation period expires, both the Orion Platform and LA licenses expire. You can then only use the Orion Log Viewer to load historical log messages. No new logs are stored.

The standard installation of LA requires Microsoft SQL Server 2016 SP1. The lightweight installation typically used by evaluation customers installs Microsoft SQL Server 2017.

Customers

LA replaces the existing legacy syslog and trap services, but only provides a subset of the legacy functionality. After installation of LA over the legacy syslog and trap services, the records remain in the database, but will not be used by LA. You can still access the read-only legacy records in the Syslog Viewer and Traps Viewer applications. All new syslog and trap messages will be stored in the dedicated LA database.

During installation, you will receive a data migration notification as part of the installer preflight check. You can then choose to proceed or cancel the installation.

Uninstall LA/OLV and restore legacy syslog and trap services

If you have VMAN 8.4 or 8.5 installed, this action also uninstalls the VMAN VMware Events Add-on. In this case, reinstall the VMware Events Add-on.

1. Log in to the Orion Web Console as an administrator and access the Advanced Configuration Global settings, for example http://localhost/Orion/Admin/AdvancedConfiguration/Global.aspx. The URL opens the Advanced Configuration Global settings tab.


2. Scroll down to the SolarWinds.Orion.Core.Common.Settings.LegacyServicesSettings section and clear the check boxes.

If the Orion Web Console is not available, use the following SQL query to adjust the settings directly in the SolarWinds Orion database:

UPDATE [Setting]
SET [Value] = 'False'
WHERE [Name] IN (
    'SolarWinds.Orion.Core.Common.Settings.LegacyServicesSettings.LegacySysLogServiceDisabled',
    'SolarWinds.Orion.Core.Common.Settings.LegacyServicesSettings.LegacyTrapServiceDisabled'
)

 3. In the Orion Service Manager, stop all services.

If you are using the stand-alone Orion Service Manager, click Shutdown Everything.

Restarting the services is not necessary.

 4. Open Control Panel on your system and uninstall the following programs:

 - SolarWinds Log Analyzer (if present)
 - SolarWinds Orion Log Viewer
 - SolarWinds Orion SyslogTraps

 5. Delete the following files:

 - Navigate to C:\Program Files (x86)\SolarWinds\Orion\Packaging\Repository, and then delete the following:

   - Orion.SyslogTraps.2.*.opkg
   - Orion.Apollo.OLM*.opkg (may not be present on additional polling engines)

 - Navigate to C:\Program Files (x86)\SolarWinds\Orion\Packaging\Roots, open Orion.Installer.Packaging.roots in Notepad, and then delete the following line (the requires entry for Orion.Apollo.OLM):

   <requires id="Orion.Apollo.OLM" version="[2.*,]" />

   Click Save, and then close Notepad.

 - Navigate to C:\ProgramData\SolarWinds\Installers, and then delete the following:

   - Orion.Apollo.OLM*.opkg
   - OLM*.msi
   - ORIONLOGMANAGER*.msi
   - SYSLOGTRAPSLEGACY-2.*.msi

 - Navigate to C:\ProgramData\SolarWinds\Agent\Plugins, and then delete LogManager*.apkg.

 6. In the Orion database, execute the following SQL script:

UPDATE [WebView] SET [Url] = '/orion/netperfmon/syslog.aspx' WHERE [Name] = 'syslog';
UPDATE [WebView] SET [Url] = '/orion/netperfmon/traps.aspx' WHERE [Name] = 'traps';
DELETE FROM [MenuItems] WHERE [Link] = '/ui/orionlog/logviewer/';
DELETE FROM [MenuBars] WHERE [MenuName] = 'LOGS_TabMenu';
DELETE FROM [ReportDefinitions] WHERE [Category] = 'Log Manager for Orion';
DELETE FROM [ReportDefinitions] WHERE [Category] = 'Log Analyzer';

 7. Delete the following registry keys:

 - SolarWindsLogPollingService from Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\SolarWinds.Net\ConfigurationWizard\ServicesName

 - On all Orion servers (including HA), make sure the following registry value is removed as well: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\SolarWinds\Installer\InstalledFeatures = "OLM"

The first bullet applies to the main polling engine, its HA backup, and any additional polling engine (including the free poller) and its HA backup. The second bullet applies to any Orion server, which means all servers from the first bullet plus additional websites.

If you find entry 479 under the following registry path, delete it as well:

 - Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\SolarWinds.Net\ConfigurationWizard\ConfiguredModules

 8. Download and install the legacy version of Syslog and Traps. Select the installer that matches the version of your Orion Platform. Download over HTTPS and check the installer's digital signature (file Properties > Digital Signatures) before running it.

 - Orion Platform 2018.2 (NPM 12.3, SAM 6.6.1, or NCM 7.8):
   https://downloads.solarwinds.com/solarwinds/CatalogResources/SyslogTrapsLegacy/1.0/1.0.0.3884/SyslogTrapsInstaller.msi

 - Orion Platform 2018.4 (NPM 12.4, SAM 6.7.1, or NCM 7.9):
   https://downloads.solarwinds.com/solarwinds/CatalogResources/SyslogTrapsLegacy/1.1/1.1.0.8255/SyslogTrapsInstaller.msi

 - Orion Platform 2019.2 (NPM 12.5, SAM 6.9, or NCM 8.0):
   https://downloads.solarwinds.com/solarwinds/CatalogResources/SyslogTrapsLegacy/1.2/1.2.0.13462/SyslogTrapsInstaller.msi

 - Orion Platform 2019.4 (NPM 2019.4, SAM 2019.4, or NCM 2019.4):
   https://downloads.solarwinds.com/solarwinds/CatalogResources/SyslogTrapsLegacy/1.3/1.3.0.17022/SyslogTrapsInstaller.msi

 - Orion Platform 2020.2 (NPM 2020.2, SAM 2020.2, or NCM 2020.2):
   https://downloads.solarwinds.com/solarwinds/CatalogResources/SyslogTrapsLegacy/1.4/1.4.0.20628/SyslogTrapsInstaller.msi

 - Orion Platform 2020.2.1 (NPM 2020.2.1, SAM 2020.2.1, or NCM 2020.2.1):
   https://downloads.solarwinds.com/solarwinds/CatalogResources/SyslogTrapsLegacy/1.4.1/1.4.1.20944/SyslogTrapsInstaller.msi

During the installation process, the Configuration Wizard appears to guide you through the remaining steps. Steps 1-7 apply to the main Orion server. Repeat steps 4, 5 and 8 for all additional polling engines and additional websites. The wizard restarts all services at this point.

 9. Uninstall the LogManager agent plug-in.

 - Download and install the Orion SDK (it can be installed on a standalone machine).

 a. Start SWQL Studio, and then connect to the Orion server as an administrator.
 b. Select Orion.AgentManagement.Agent.
 c. Right-click the UninstallPlugin verb, and then select Invoke.
 d. For each agent, enter the agentId and LogManager (and also LogManager.LogFiles as of version 2020.2) as the pluginId, and then click Invoke.

To find the agent IDs in SWQL Studio, right-click Orion.AgentManagement.Agent, and then select Generate Select Statement.

 - If you need to force an update of the agents, do the following:

 a. On the Orion Web Console menu bar, navigate to Settings > All Settings.

 b. In Node and Group Management, click Manage Agents.

 c. Select the agent, and then choose More Actions > Update.
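Invoking the verb once per agent and plug-in by hand does not scale past a handful of agents. The following script is an added example (not part of this guide or the Orion SDK) that performs step 9 for every agent through the same SWIS verb, using the Orion SDK's Python client (orionsdk, installed with pip install orionsdk; its SwisClient, query() and invoke() calls are the assumption here). The entity name, verb and arguments are exactly those the SWQL Studio procedure above uses; the host name is a placeholder.

```python
"""Uninstall the LogManager agent plug-ins on every Orion agent via SWIS.

Added example, not SolarWinds code. Assumes the Orion SDK Python client
(orionsdk), whose SwisClient exposes query() and invoke(). The verb and its
arguments are the ones the SWQL Studio steps use:
Orion.AgentManagement.Agent.UninstallPlugin(agentId, pluginId).
"""

# Second plug-in id exists as of LA 2020.2 (see step 9 d).
PLUGIN_IDS = ("LogManager", "LogManager.LogFiles")


def list_agent_ids(swis):
    """Return every AgentId the Orion server knows about (SWQL query).

    `swis` is any object with a query(swql) method returning {"results": [...]};
    SwisClient from orionsdk fits, as does the fake used in the test.
    """
    result = swis.query("SELECT AgentId, Name FROM Orion.AgentManagement.Agent")
    return [row["AgentId"] for row in result["results"]]


def uninstall_logmanager_plugins(swis, plugin_ids=PLUGIN_IDS, dry_run=False):
    """Invoke UninstallPlugin for each (agent, plugin) pair.

    Returns the list of pairs that were (or, with dry_run=True, would be)
    submitted, so the caller can log exactly what was changed.
    """
    submitted = []
    for agent_id in list_agent_ids(swis):
        for plugin_id in plugin_ids:
            if not dry_run:
                swis.invoke("Orion.AgentManagement.Agent", "UninstallPlugin",
                            agent_id, plugin_id)
            submitted.append((agent_id, plugin_id))
    return submitted


def connect(hostname, username, password):
    """Open a SWIS session; verify=True makes the client check the SWIS TLS
    certificate instead of accepting any certificate (assumed client option)."""
    from orionsdk import SwisClient  # assumption: pip install orionsdk
    return SwisClient(hostname, username, password, verify=True)


if __name__ == "__main__":
    import getpass
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "orion.example.internal"  # placeholder
    swis = connect(host, input("Orion user: "), getpass.getpass())
    for agent_id, plugin_id in uninstall_logmanager_plugins(swis):
        print(f"UninstallPlugin({agent_id}, {plugin_id}) invoked")
```

Run it with dry_run=True first to list the agents it would touch; afterwards, the Manage Agents > More Actions > Update step above still applies if an agent does not pick up the change on its own.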

After completing this procedure, the separate LA/OLV SQL server database is no longer required.

Scripts are not supported under any SolarWinds support program or service. Scripts are provided AS IS without warranty of any kind. SolarWinds further disclaims all warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The risk arising out of the use or performance of the scripts and documentation stays with you. In no event shall SolarWinds or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the scripts or documentation.


LA pre-deployment notes for Microsoft Azure

Before deploying LA to Microsoft Azure, review the system requirements and the information below to help avoid installation and configuration issues.

LA officially supports the Azure SQL database and the Azure SQL managed instance. The SQL Data Warehouse and SQL Elastic database pool are not supported.

New installation

The installation process is the same as for an on-premises deployment. The LA database section of the Configuration Wizard accepts connections to an Azure SQL server. Azure SQL supports SQL authentication and Azure Active Directory authentication.

You can select an existing database or let the Configuration Wizard create a new one.

 - A newly created database uses the Standard S3 tier.
 - An existing database must be at least Standard S3 or any of the vCore-based tiers.

Azure SQL Database enables Read Committed Snapshot Isolation (RCSI) by default, whereas an on-premises SQL Server database does not. When it creates a new database, the Configuration Wizard sets the isolation level to match the on-premises default; when an existing Azure SQL database is used, the wizard leaves the setting unchanged.

Database migration

LA stores data in both the Orion and LA databases. The LA database is migrated the same way as the Orion database; this topic focuses mainly on issues you may encounter when migrating the Orion database. The main difference is that migration from Azure back to an on-premises database is not possible for the LA database, so LA log data is lost in that direction. All LA-specific settings, configurations, and CBQoS data are migrated, however, because they are stored in the Orion database.

You can migrate databases from Orion Platform 2019.2 and higher.

Source: MS SQL Server 2016 SP1 and higher
Destination: Azure SQL database with DTU tier S3 and higher, or vCore tiers

Source: Azure SQL database with DTU tier S3 and higher, or vCore tiers
Destination: MS SQL Server 2016 SP1 and higher

Pre-migration checklist

 1. Upgrade Orion Platform products to versions that support Azure SQL database and run the Configuration Wizard on all servers.

 2. Determine whether you are using In-Memory tables* (only if you migrate from SQL 2016 SP1 or higher):

 - Run the following query to see whether TimeSeries.MemoryOptimizedTables is set to true:

   SELECT * FROM dbm_DatabaseProperties WHERE [Key] = 'TimeSeries.MemoryOptimizedTables'

 - If it is true, check whether your Azure database tier supports In-Memory OLTP storage:

   - https://docs.microsoft.com/en-us/azure/sql-database/sql-database-dtu-resource-limits-single-databases
   - https://docs.microsoft.com/en-us/azure/sql-database/sql-database-vcore-resource-limits-single-databases

 - If it does not, turn In-Memory tables off before migration: open C:\Program Files (x86)\SolarWinds\Orion\ConfigurationWizard.exe.config, set <add key="TimeSeries_MemoryOptimizedTables_Enabled" value="false"/>, and then rerun the Configuration Wizard.

 3. Before migrating to Azure from on-premises, execute the following command on the LA database, so that logins without an explicit user mapping in that database cannot connect through the guest user:

REVOKE CONNECT FROM guest

*Memory-optimized tables, also known as In-Memory OLTP. A feature available in MS SQL Server 2016 and 2019 that improves the performance of transaction processing, data ingestion, data load, and transient data scenarios.

 - After migration, the database uses Columnstore. At this point, you cannot migrate back if you have SQL 2016 RTM or lower, where Columnstore is not supported.
 - Azure does not support file groups. After migration, everything is moved into the default primary file group.
 - The on-premises migration process for the LA database is the same as for the Orion database.

Supported migration methods:

 - Export and import script
 - Microsoft SQL Server Management Studio:

 a. Right-click a database.
 b. Select Deploy Database to Microsoft Azure SQL Database.
 c. The wizard guides you through the remaining steps.

The Azure SQL server must already exist; the wizard creates the database.


Discover your network with the Discovery Wizard

Before you begin:

 - Enable SNMP on the networking devices you want to monitor.
 - Enable WMI on the Windows devices you want to monitor.

 1. If the Discovery Wizard does not start automatically after configuration, click Settings > Network Discovery.

 2. Click Add New Discovery, and then click Start.

 3. On the Network panel, if this is your first discovery, add a limited number of IP addresses.

As you scale your implementation, you can use the following scanning options.

IP Ranges: Use this option when you want Orion to scan one or more IP ranges. If you have many IP ranges to scan, consider adding multiple discovery jobs rather than including all ranges in a single job.

Subnets: Use this option to scan every IP address in a subnet. SolarWinds recommends scanning at most a /23 subnet (512 addresses). Scanning a subnet returns everything that responds to ping, so scan only subnets where the majority of devices are objects you want to monitor.

IP Addresses: Use this option for a limited number of IP addresses that do not fall in a range. Because a network discovery job can take a long time to complete, SolarWinds recommends this option when you are first starting out.

Active Directory: Use this option to scan an Active Directory Domain Controller. Using Active Directory for discovery is particularly useful for adding large subnets because Orion can use the devices registered in Active Directory instead of scanning every IP address.


 4. If the Agents panel appears, you enabled the Quality of Experience (QoE) agent during installation. The QoE agent monitors packet-level traffic. If there are any nodes using agents, select the Check all existing nodes check box.

This setting ensures that any agents you deploy, including the one on your Orion server, are up-to-date. If there are no nodes using agents, you can leave this option unchecked.


 5. On the Virtualization panel, to discover VMware vCenter or ESX hosts on your network:

 a. Check Poll for VMware, and click Add vCenter or ESX Credential.

 b. Select <New credential> and provide required information.

If you do not add the host credentials, Orion still discovers the virtual machines (VMs) on the host. However, you will not be able to see the relationships mapped between the VMs and hosts.


 6. On the SNMP panel:

 a. If all devices on your network use only the default SNMPv1 and SNMPv2 public and private community strings, click Next.

 b. If any device on your network uses a community string other than public or private, or if you want to use an SNMPv3 credential, click Add Credential and provide the required information.

The default public and private community strings are widely known. Where your devices support it, prefer SNMPv3 with authentication and privacy, and change the community string on any device still using the defaults.

 7. On the Windows panel, to discover WMI or RPC-enabled Windows devices, click Add New Credential and provide the required information.


SolarWinds recommends that you monitor Windows devices with WMI instead of SNMP.

 8. On the Monitoring Settings panel, SolarWinds recommends manually setting up monitoring the first time you run discovery. This allows you to review the list of discovered objects and select the ones you want to monitor.

When you scale monitoring, you can configure discovery to automatically start monitoring objects it finds.


 9. On the Discovery Settings panel, click Next.

 10. Accept the default frequency and run the discovery immediately.

Discovery can take anywhere from a few minutes to a few hours, depending on the number of network elements the system discovers.


Add a single node for monitoring

As an alternative to using the Network Sonar Discovery wizard, you can add individual nodes for monitoring.

Adding a single node offers more detail in monitoring and is the recommended approach when you have a node with high latency. Do not include nodes with high latency in a discovery job.

As you add a single node for monitoring, you can:

 - Select the statistics and resources to monitor.
 - Identify how often the node status, monitored statistics, or topology details are updated.
 - Add custom properties.
 - Edit alert thresholds.

To add a single node for monitoring:

 1. Log in to the Orion Web Console as an administrator.

 2. Click Settings > Manage Nodes, and then click Add a Node.

 3. Specify the node, and click Next.

 a. Provide the host name or IP address.

 b. Select the polling method, and provide credentials.

 4. Select the statistics and resources to monitor on the node, and click Next.

 5. Review and adjust the device properties.

 a. To edit the SNMP settings, change the values, and click Test.

 b. To edit how often the node status, monitored statistics, or topology details are updated, change the values in the Polling area.

For critical nodes, you may need to poll status information or collect statistics more frequently than the default polling intervals. Change the polling intervals if polling the nodes takes too long.


 c. Enter values for custom properties for the node.

The Custom Properties area will be empty if you have not defined any custom properties for the monitored nodes.

 d. To adjust when the status of the node changes to Warning or Critical, edit alerting thresholds for the metric. Select the Override box and set thresholds specific for the node.

 6. Click OK, Add Node.

The node will be monitored according to the options you set.

Deploy agents to monitored nodes

The Orion server must be able to communicate with the remote nodes. To monitor Linux/Unix-based nodes, TCP port 22 (outbound) must be open on the Orion server or additional polling engine and open (inbound) on the node you want to monitor.

 1. Click Settings > All Settings in the menu bar.

 2. Under Node & Group Management, click Manage Agents.

 3. Click Add Agent.

 4. Select Deploy the agent on my network.

 5. On the Deploy Agent on Network page, choose where you want to install the agent.

 - The IP address field does not accept ranges.
 - Enter the IP address or host name of a node that is not yet managed.

 6. Click Next.


 7. Select a node and click Assign Credentials.

 - These credentials are used only to connect to the remote device and install the agent software. After the agent is deployed, the credentials may change with no impact on the deployed agent.

 - The credentials must have administrator or root-level privileges. On Linux/Unix-based computers, you can connect with one credential set and then use another credential for su or sudo to install the package. Most Linux/Unix distributions require the user's own password for sudo; others, such as SUSE, may require the root password. Depending on your Linux/Unix distribution, enter the required credential under Include Credentials with Elevated Privileges to install the package.

 - You can assign credentials to multiple locations or nodes by selecting multiple entries.

 8. Click Deploy Agent.

Add unknown nodes to the Orion Platform

Messages received from an unknown network node are discarded until you add the device through Node Management. When log activity is observed from an unknown device, you receive a notification in the Orion Web Console linking to the Events page, where you can add the node as a managed device.

 1. Click the notification to view the message details on the Events page.

 2. To add the node as a managed device, click Monitor Node.

The Add Node page prompts you to define the node configuration settings.


 3. Type the hostname or IP Address of the node you are adding (if not present). Both IPv4 and IPv6 are supported.

 4. Select a Polling Method:

 - External Node: Reports no status for the node itself but is useful for monitoring a hosted application.
 - Status Only: ICMP reports status, response time, and packet loss only.
 - Most Devices: SNMP and ICMP. The default polling method, typically used for routers, switches, and Linux/Unix servers. Make sure to specify a community string if you use one other than "public."
 - Windows Servers: WMI and ICMP
 - Windows and Linux Servers: Agent
 - VMware vCenter or Hyper-V devices

Click Test to verify your settings are valid before continuing.

 5. Scroll down to the Log and Event Monitoring section.

Choose one of the following options from the Status drop-down list:

 - Default: Monitoring is enabled for this node on receipt of the first message. The Default setting applies to syslog and SNMP trap messages only; Windows and VMware events must be set to Enabled or Disabled manually.
 - Enabled: Monitoring is enabled for this node.
 - Disabled: Monitoring is disabled for this node. Log and event data for this node is discarded.

 6. Select the Additional Monitoring Options, and then click Next.

 7. Select the resources and statistics to monitor for the added node, and then click Next.

 8. On the Change Properties tab, under Polling, edit the default polling settings if desired.


 - Node Status Polling: the number of seconds between status checks performed on the added node.
 - Collect Statistics Every: the period between updates made to the displayed statistics for the added node.

 9. Under Custom Properties, add appropriate values if you defined custom properties for monitored nodes.

 10. When you have completed the properties configuration, click OK, Add Node.

The added node appears in the Config Summary.

Configure devices to send messages to Log Analyzer

To receive messages from a syslog-capable device, configure the device to send syslog messages to the appropriate port on the computer where the dedicated server is installed.

Log Analyzer listens for UDP syslog messages on port 514, the default port for syslog over UDP as defined in RFC 5426. You can also configure your devices to send SNMP traps to UDP port 162. Note that UDP syslog is unauthenticated, is sent in cleartext, and carries a source address that can be spoofed; for transport security, see Configure secure syslog settings for Log Analyzer below.

When the device is added as a monitored node to the Orion Platform, messages from this device stream into the Log Viewer and are processed according to the rules that you define.

For information about configuring a specific device, refer to documentation from the device manufacturer. Below is an example for configuring a Cisco switch.

Configure a Cisco Catalyst 2960 switch to send syslog messages to Log Analyzer

The following example shows how to configure a Cisco Catalyst 2960 switch. To configure other types of devices, see the device manufacturer's instructions.

Message logging must be enabled on the device. On many devices that generate syslog messages, logging is enabled by default.

 1. On the Cisco Catalyst 2960 switch, open the Cisco command-line interface and begin a session.

 2. Verify that you are in privileged EXEC mode on the switch. To enter Privileged EXEC mode, type the command:

enable

 3. Switch to global configuration mode. Type the command:

configure terminal


 4. Verify that logging is enabled. If logging has been disabled, type the command:

logging on

 5. Configure the switch to send log messages to the Log Analyzer server. Type the command:

logging host address

where address is the host name or IP address of the computer where the dedicated server is installed (for example, logging host 10.0.0.10, using a constructed address).

 6. Limit the messages sent based on severity level. Type the command:

logging trap level

where level is one of the following, listed in descending order of priority:

 - emergencies
 - alerts
 - critical
 - errors
 - warnings
 - notifications
 - informational (default level)
 - debugging

The device sends messages with the specified priority level and above. For example, the level critical sends messages with priority levels of critical, alerts, and emergencies.

 7. Return to privileged EXEC mode. Type the command:

end
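What the collector on UDP 514 actually receives from the switch is a datagram whose first bytes are the <PRI> field, facility * 8 + severity, and the "level and above" rule of logging trap is a comparison on that severity. The script below is an added example, not code from SolarWinds or Cisco: it decodes PRI, reproduces the trap-level filter for the level names the switch accepts, and cross-checks the PRI severity against the severity digit IOS embeds in the message body, which a spoofed or re-labelled message can get wrong. The sample messages are constructed to look like IOS output on its default facility (local7).

```python
"""Syslog PRI parsing and Cisco `logging trap <level>` filtering.

Added example, not code from SolarWinds or Cisco. The sample messages are
constructed to look like IOS output on the default facility (local7 = 23);
the mnemonics are illustrative.
"""
import re

# RFC 5424 severity codes, keyed by the level names IOS accepts for `logging trap`.
CISCO_LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

PRI_RE = re.compile(r"^<(\d{1,3})>")
# IOS message bodies carry their own severity digit: %FACILITY-SEVERITY-MNEMONIC:
CISCO_BODY_RE = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):")


def parse_pri(msg):
    """Return (facility, severity) decoded from the <PRI> prefix.

    PRI = facility * 8 + severity, so divmod by 8 recovers both. Raises
    ValueError when the prefix is missing or outside the legal 0..191 range,
    which a collector should treat as a malformed datagram rather than guess.
    """
    m = PRI_RE.match(msg)
    if not m:
        raise ValueError("no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range")
    return divmod(pri, 8)


def passes_trap_level(msg, level):
    """True if a switch configured with `logging trap <level>` would send msg.

    Numerically lower severities are more urgent, so "level and above" means
    severity <= the configured value.
    """
    _, severity = parse_pri(msg)
    return severity <= CISCO_LEVELS[level]


def filter_for_trap_level(messages, level):
    """Keep only the messages that survive the given trap level."""
    return [m for m in messages if passes_trap_level(m, level)]


def pri_body_mismatch(msg):
    """Cross-check the PRI severity against the digit in the IOS body.

    The body digit is written by the device itself, while PRI can be rewritten
    by a relay or forged by a spoofed UDP sender; a mismatch is worth a look.
    Returns False for bodies that carry no IOS-style digit.
    """
    m = CISCO_BODY_RE.search(msg)
    if not m:
        return False
    return int(m.group(2)) != parse_pri(msg)[1]


# Constructed samples (facility local7 = 23, the IOS default).
SAMPLE = [
    "<186>46: *Mar  1 00:13:10.001: %SYS-2-MALLOCFAIL: Memory allocation of 1024 bytes failed",
    "<187>47: *Mar  1 00:13:12.455: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<189>48: *Mar  1 00:14:02.100: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<190>49: *Mar  1 00:14:30.777: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.10 port 514 started",
    "<185>50: *Mar  1 00:15:00.000: %SYS-1-CPURISINGTHRESHOLD: Threshold: Total CPU Utilization 95%",
    # PRI claims informational (6) but the body says severity 2: re-labelled or forged.
    "<190>51: *Mar  1 00:15:05.000: %SYS-2-MALLOCFAIL: Memory allocation of 4096 bytes failed",
]

if __name__ == "__main__":
    for level in ("critical", "errors", "informational"):
        kept = filter_for_trap_level(SAMPLE, level)
        print(f"logging trap {level}: {len(kept)} of {len(SAMPLE)} messages sent")
    for msg in SAMPLE:
        if pri_body_mismatch(msg):
            print("PRI/body severity mismatch:", msg)
```

With logging trap critical only the severity 0, 1 and 2 messages leave the switch; with the default informational level everything but debugging does, which is why the default is usually too noisy for a collector that also feeds alerting.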

Configure secure syslog settings for Log Analyzer

By default, Log Analyzer accepts secure syslog messages sent to TCP port 6514 once a TLS connection has been established. Log Analyzer also forwards secure syslogs when a log forwarding custom rule action is set to TCP over TLS on port 6514.

 - TCP forwarding (with the TCP port) supports both plain TCP and TCP over TLS.
 - Because a TCP session requires a completed handshake, the blind source-address spoofing that is possible with UDP syslog is impractical. TCP alone does not authenticate the sender, however.

If you have devices configured to transmit and forward secure syslog messages, contact SolarWinds Customer Support to ensure the syslog configuration settings are correct to avoid log processing errors. If necessary, SolarWinds can adjust the default values to accommodate a variety of scenarios.


Log Analyzer uses a non-CCPP compliant transmission method (sending and receiving) for secure syslogs. Many checks and errors, including name mismatches, server certificate revocation, certificate chain errors, and missing certificates, are ignored. In practice this means TLS protects the messages from passive interception but does not verify the identity of the peer, so an attacker on the network path could impersonate the collector or a sender; restrict which hosts can reach port 6514 accordingly. Log Analyzer includes the SolarWinds-Orion certificate for the server by default, which can be changed only by SolarWinds Customer Support.

If your TLS certificate subject contains fields other than CN (Common Name), for example OU, O, or C, syslog transmissions may fail. Contact SolarWinds Customer Support for assistance.

Set up Windows event collection in LA

You can stream, monitor, and alert on Windows event logs from your network devices in LA. From the LA Log Viewer, you can filter Windows events, enable out-of-the-box rules for events, and create custom rules tailored for specific Windows event activity.

During your LA installation or upgrade, install the LA agent plugin with your SolarWinds Orion agent to begin collecting Windows event logs.

Follow the steps below to configure and manage Windows event collection.

 - Deploy the Orion agent
 - Collect Windows events from unknown nodes
 - Collect Windows events from one or more Orion Platform nodes
 - Disable Windows event collection from one or more Orion Platform nodes
 - Forward Windows events to an Orion agent
 - Collect Windows events without deploying the agent
 - Enable LA agent overload alerts
 - Monitor Windows security events

Deploy the Orion agent

To collect Windows events, deploy the Orion agent to monitored nodes, and then enable LA to monitor Windows events.

Collect Windows events from unknown nodes

Windows events received from an unknown network node are discarded until you add the device through Node Management.

Collect Windows events from one or more Orion Platform nodes

Enable LA to monitor Windows events from any network node.


Disable Windows event collection from one or more Orion Platform nodes

To stop collecting Windows events, set one or more nodes to Disabled in the Orion Web Console.

Forward Windows events to an Orion agent

Microsoft provides the ability to forward Windows Events from one machine to another. When you forward Windows events to an Orion agent, the events are then sent to LA provided the machine from which the event was forwarded is monitored by the Orion Platform. To set up Windows Event Forwarding, follow the procedures below.

Set up a subscription for forwarding events to an existing agent following Microsoft guidelines:

 l Configure Computers to Forward and Collect Events l Create a new subscription

Ensure that any node configured to forward events does not have the Orion agent installed. Otherwise, you will receive duplicate events.

If you made changes to the default query, ensure the query includes the Forwarded Events channel.

Collect Windows events without deploying the agent

If you choose not to deploy the Orion agent, you can convert Windows events to syslog messages with SolarWinds Event Log Forwarder for Windows, a free tool.

If you choose not to install the agent, the following features are not available:

 - Windows event messages
 - Out-of-the-box rules for Windows events
 - Windows event fields in the Rule Builder
 - Near real-time log collection (unless in Live Mode)

Enable LA agent overload alerts

Enable LA agent overload alerts to receive a notification if the LA agent fails to adequately process events.

Monitor Windows security events

LA provides a pre-configured whitelist that includes all monitored Windows security events. This whitelist allows the most common security events and restricts unnecessary data that can clutter and overwhelm your log feed.

To add or remove events, go to Global Advanced Configuration and edit the query.


Modifying the default configuration may exceed LA’s scalability limit and is not recommended. Please contact Customer Support for assistance.
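To see what the whitelist does to a Security-log feed, and what a first triage pass over the events it keeps can look like, here is an added example in Python (not SolarWinds code, and not how LA implements its filter). The Event ID set is the one listed in the table below; LA's complete list runs beyond the IDs shown on this page. The sample records and the failed-logon threshold are constructed for the example.

```python
"""Apply LA's Windows Security event whitelist and run a first triage pass.

Added example, not SolarWinds code. WHITELIST holds the Event IDs listed on
this page (LA's full list continues beyond what is shown here). The records
in SAMPLE_EVENTS are constructed; the failed-logon threshold is an assumed value.
"""
from collections import Counter

WHITELIST = frozenset({
    1100, 1102, 1108, 4608, 4609, 4616, 4624, 4625, 4634, 4688, 4689,
    4698, 4699, 4700, 4701, 4702, 4704, 4705, 4715, 4719, 4720, 4722,
    4723, 4724, 4725, 4726, 4727, 4728, 4729, 4730, 4731, 4732, 4733,
    4734, 4735, 4737, 4738, 4739, 4740, 4741, 4742, 4743, 4744, 4745,
    4746, 4747, 4748, 4749, 4750,
})

# Audit-trail and audit-policy tampering: alert on sight, whatever the count.
TAMPER_IDS = frozenset({1100, 1102, 4715, 4719})

# Constructed records; field names follow the Security log's event data.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.5"},
    {"EventID": 4625, "TargetUserName": "administrator", "IpAddress": "10.0.9.77"},
    {"EventID": 4625, "TargetUserName": "administrator", "IpAddress": "10.0.9.77"},
    {"EventID": 4625, "TargetUserName": "administrator", "IpAddress": "10.0.9.77"},
    {"EventID": 4625, "TargetUserName": "administrator", "IpAddress": "10.0.9.77"},
    {"EventID": 5156, "Application": "svchost.exe"},          # Filtering Platform: noisy, not whitelisted
    {"EventID": 4663, "ObjectName": "C:\\Users\\Public\\notes.txt"},  # object access: not whitelisted
    {"EventID": 1102, "SubjectUserName": "administrator"},
    {"EventID": 4732, "TargetUserName": "Administrators", "MemberName": "svc_backup"},
]


def apply_whitelist(events, allowed=WHITELIST):
    """Drop every record whose Event ID is not on the whitelist."""
    return [e for e in events if e["EventID"] in allowed]


def failed_logons_by_source(events, threshold=3):
    """Count 4625 (failed logon) per (source IP, target account); return the
    pairs at or above threshold, the shape of a password-guessing burst."""
    counts = Counter(
        (e.get("IpAddress"), e.get("TargetUserName"))
        for e in events if e["EventID"] == 4625
    )
    return {key: n for key, n in counts.items() if n >= threshold}


def tamper_events(events):
    """Records that indicate the audit trail or audit policy was touched."""
    return [e for e in events if e["EventID"] in TAMPER_IDS]


def triage(events, threshold=3):
    """Whitelist first, then summarise what a reviewer should look at."""
    kept = apply_whitelist(events)
    return {
        "kept": len(kept),
        "dropped": len(events) - len(kept),
        "brute_force": failed_logons_by_source(kept, threshold),
        "tamper": [e["EventID"] for e in tamper_events(kept)],
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_EVENTS)
    print(f"kept {summary['kept']}, dropped {summary['dropped']} non-whitelisted records")
    for (ip, user), n in summary["brute_force"].items():
        print(f"{n} failed logons for {user} from {ip}")
    for event_id in summary["tamper"]:
        print(f"audit tampering indicator: Event ID {event_id}")
```

The two noisy IDs (5156 and 4663) are exactly the kind of volume the page warns about: they are dropped before any rule runs, while 1102 (audit log cleared) survives and is surfaced on its own, and the four 4625 records collapse into one finding per source and target.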

Windows security event whitelist

Event ID   Event
1100       The event logging service has shut down
1102       The audit log was cleared
1108       The event logging service encountered an error
4608       Windows is starting up
4609       Windows is shutting down
4616       The system time was changed
4624       An account was successfully logged on
4625       An account failed to log on
4634       An account was logged off
4688       A new process has been created
4689       A process has exited
4698       A scheduled task was created
4699       A scheduled task was deleted
4700       A scheduled task was enabled
4701       A scheduled task was disabled
4702       A scheduled task was updated
4704       A user right was assigned
4705       A user right was removed
4715       The audit policy (SACL) on an object was changed
4719       System audit policy was changed
4720       A user account was created
4722       A user account was enabled
4723       An attempt was made to change an account's password
4724       An attempt was made to reset an account's password
4725       A user account was disabled
4726       A user account was deleted
4727       A security-enabled global group was created
4728       A member was added to a security-enabled global group
4729       A member was removed from a security-enabled global group
4730       A security-enabled global group was deleted
4731       A security-enabled local group was created
4732       A member was added to a security-enabled local group
4733       A member was removed from a security-enabled local group
4734       A security-enabled local group was deleted
4735       A security-enabled local group was changed
4737       A security-enabled global group was changed
4738       A user account was changed
4739       Domain Policy was changed
4740       A user account was locked out
4741       A computer account was created
4742       A computer account was changed
4743       A computer account was deleted
4744       A security-disabled local group was created
4745       A security-disabled local group was changed
4746       A member was added to a security-disabled local group
4747       A member was removed from a security-disabled local group
4748       A security-disabled local group was deleted
4749       A security-disabled global group was created
4750       A security-disabled global group was changed
4751       A member was added to a security-disabled global group
4752       A member was removed from a security-disabled global group
4753       A security-disabled global group was deleted
4754       A security-enabled universal group was created
4755       A security-enabled universal group was changed
4756       A member was added to a security-enabled universal group
4757       A member was removed from a security-enabled universal group
4758       A security-enabled universal group was deleted
4759       A security-disabled universal group was created
4760       A security-disabled universal group was changed
4761       A member was added to a security-disabled universal group
4762       A member was removed from a security-disabled universal group
4763       A security-disabled universal group was deleted
4764       A group's type was changed
4767       A user account was unlocked
4781       The name of an account was changed
5025       The Windows Firewall Service has been stopped
5030       The Windows Firewall Service failed to start
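The following script is an added example and not part of the SolarWinds guide. It turns an event-ID whitelist like the one above into a Windows structured XML query (the format used by event subscriptions and Event Viewer filters; the guide does not show LA's own stored query format, so using this format here is an assumption) and applies the same whitelist to a few constructed sample events. The ID subset, the sample events and the per_select chunk size are constructed for the example.

```python
"""Build a Windows event-log query from an event-ID whitelist and check events against it.

Added example (not SolarWinds code). The whitelist subset, the sample events and the
per_select chunk size are constructed here; LA's own stored query format is not shown
in the guide, so the standard Windows structured XML query is assumed.
"""
import xml.etree.ElementTree as ET

# Subset of the whitelist table above (the guide lists many more IDs).
WHITELIST_IDS = frozenset({
    1100, 1102, 1108, 4608, 4609, 4616, 4624, 4625, 4634, 4688, 4689,
    4698, 4699, 4700, 4701, 4702, 4704, 4705, 4715, 4719, 4720, 4722, 4723,
})

# Namespace of every Windows event rendered as XML (Event Viewer's XML view).
EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def build_query_xml(event_ids, channel="Security", per_select=20):
    """Return a structured XML query that selects only whitelisted IDs from one channel.

    The IDs are split across several <Select> elements; per_select=20 is a conservative
    chunk size chosen here (assumption), not a documented Windows limit.
    """
    ids = sorted(set(event_ids))
    selects = []
    for i in range(0, len(ids), per_select):
        clauses = " or ".join(f"EventID={eid}" for eid in ids[i:i + per_select])
        selects.append(f'<Select Path="{channel}">*[System[({clauses})]]</Select>')
    return (f'<QueryList><Query Id="0" Path="{channel}">'
            f'{"".join(selects)}</Query></QueryList>')


def count_selects(query_xml):
    """Parse the query back (it must be well-formed XML) and count its <Select> elements."""
    return len(ET.fromstring(query_xml).findall("./Query/Select"))


def event_id_of(event_xml):
    """Extract System/EventID from one rendered event."""
    node = ET.fromstring(event_xml).find("e:System/e:EventID", EVENT_NS)
    if node is None or node.text is None:
        raise ValueError("event has no System/EventID element")
    return int(node.text)


def filter_events(events_xml, event_ids=WHITELIST_IDS):
    """Apply the whitelist: returns (kept_ids, dropped_ids) in input order."""
    kept, dropped = [], []
    for event_xml in events_xml:
        eid = event_id_of(event_xml)
        (kept if eid in event_ids else dropped).append(eid)
    return kept, dropped


def _sample_event(eid):
    """Constructed minimal event XML carrying only the fields the filter needs."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><Provider Name="Microsoft-Windows-Security-Auditing"/>'
        f"<EventID>{eid}</EventID><Channel>Security</Channel></System>"
        "<EventData/></Event>"
    )


# Constructed sample feed: three whitelisted IDs and two that are not on the list.
SAMPLE_EVENTS = [_sample_event(e) for e in (4624, 4672, 4688, 4625, 5145)]

if __name__ == "__main__":
    print(build_query_xml(WHITELIST_IDS))
    print(filter_events(SAMPLE_EVENTS))
```

Parsing the generated query back with ElementTree catches a malformed edit before it reaches the collector, and keeping the generator next to the matching logic (System/EventID) makes it easy to confirm that an ID added to the query is the one you intended to whitelist and nothing more.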

Disable and enable log-processing rules

The Log Processing Configuration page includes out-of-the-box rules that provide a visual identifier for common event groups. These pre-defined log tags are enabled by default and allow you to quickly identify specific event activity in your Log Viewer table.

Log files larger than 10 KB may not trigger rules.

 1. On the Log Viewer toolbar, click Configure Rules.

 2. In the Processing Policies pane, click to expand Syslog, Traps, or Windows Events, and then click Log Manager Rules.

 3. To disable a rule, select a rule check box, and then click Disable Rule.

 l You can also click the associated toggle button.
 l Follow these steps to enable a disabled rule.

 4. To return to the Log Viewer, navigate to My Dashboards > Logs > Log Viewer.

To view a rule summary, select a rule check box, and then click View Rule.

Create log collection profiles

Create log collection profiles to process Windows log files for additional system analysis and troubleshooting. The log collection profile wizard guides you through selecting one or more Orion agent nodes, and then establishing specific file paths and files to monitor.

A log collection profile can contain one or more agents, and an agent can be assigned to one or more collection profiles.

As messages stream into the Log Viewer, expand the Related Entity filter group, and then select a log collection profile filter to view targeted log file data.

 1. On the Orion Web Console menu bar, navigate to Settings > All Settings, and then click Log and Event Settings in the Product Specific Settings group.

 2. Under Log and Event Settings, click the Profiles tab.

 3. To begin the profile configuration sequence, click Create.

 4. Under the Profile details section, enter a profile name and a description (optional), and then click Next.

 5. Enter your file path (one per profile), and then click Next.

 l The file path can include wildcards (for example, c:\myapp\logs\1.log or c:\myapp\logs\*.log).

 l You can also use wildcards to ensure that no logs are lost on file rotation by making sure the file path covers both current and already rotated files.

 6. Select one or more agent nodes, and then click Next to review the profile summary.

 l Ensure you select agents for all devices from which log files will be collected.
 l The log profile configuration is propagated to selected agents immediately after saving.
 l Previously collected entries are still accessible in the Log Viewer.

 7. If no changes are needed, click Create. The new profile appears in the list of log file collection profiles where you can edit and delete profiles, and create new profiles.

Make note of the profile status indicators. Profiles with an error icon may indicate an error such as an unlicensed profile node. Profiles with a warning icon may mean, for example, that no matching files are currently found; that can change later, and the status then resets to green (refresh the page to confirm). Profiles with a green OK icon are configured correctly and functioning as intended. For errors and warnings, edit your profile to locate and correct the issue. After making edits, refresh your profile list.

You can now create custom rules to apply actions to specific log entries.

In the LA Log Viewer, expand filter groups to select specific logs for analysis and select an entry to view associated details, which includes the log file name, parsed level, and source time.

Learn how to edit a collection profile here.

Run external program variables

The Run an external program rule action lets you set command-line arguments for the executed program or script. As a parameter, you can use variables, which are translated to the corresponding string before the program or script is executed.

List of available variables

General variable definition   Description
${IpAddress}                  The IP address of the source device
${DateTime}                   The current date and time - String format MM/dd/yyyy hh:mm
${Date}                       The current date - String format MM/dd/yyyy
${LongDate}                   The current date - Example: "Tuesday, August 25, 2020"
${LongTime}                   The current time - Example: 12:23:19 PM
${DayOfWeek}                  The current day of the week - Example: "Tuesday"
${Year}                       The current year
${Hour}                       The current hour
${Minute}                     The current minute
${Second}                     The current second
${NodeID}                     The node ID of the source device
${Message}                    The message attached to this entry
${Hostname}                   The node caption of the source device
${Level}                      The severity level of the message
${SourceType}                 The message source type (Syslog, Traps, WindowsEvents, VMwareEvents, FlatFiles)
${Vendor}                     The vendor of the source device
${MachineType}                The machine type of the source device

Trap variable definition      Description
${TrapType}                   The message trap type
${TrapOid}                    The trap OID corresponding to the trap type
${Community}                  The SNMP trap community string for the message entry
${VarBindingNames}            Dot notation (see the section below)
${VarBindingValues}           Dot notation (see the section below)

Syslog variable definition    Description
${FacilityName}               The Syslog facility name of this entry

Windows event variable definition   Description
${LogName}                    The name of the Windows log
${ProviderName}               The source of the software that logs the event
${User}                       The Windows username for the corresponding message. Can be "N/A"
${EventData}                  Dot notation (see the section below)

Log files variable definition   Description
${Filename}                   The name of the file to which the message belongs

Accessing fields using dot notation

Dot notation is available for the following fields:

 l EventData (Windows Events)
 l VarBindingNames (Traps) - Returns human-readable varbinding values (the OID converted to its string representation, values converted to times, and so on)
 l VarBindingValues (Traps) - Returns raw varbinding values

Variables in these fields are accessed as RootField.name, where name is the name of the variable.

Examples:

Variable                                  Example output
${EventData.SubjectDomainName}            WORKGROUP
${EventData.ProcessName}                  C:\Windows\System32\services.exe
${VarBindingNames.sysUpTime}              42 days 0 hours 34 minutes 15,25 seconds
${VarBindingValues.1.3.6.1.2.1.1.3.0}     363085525
${VarBindingNames.snmpTrapEnterprise}     SNMPv2-SMI:enterprises.2854
${VarBindingValues.1.3.6.1.2.1.1.3.0}     1.3.6.1.4.1.2854
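As an added example (not SolarWinds code), the expansion below implements the substitution described above: plain ${Name} variables, and dot-notation variables whose root is EventData, VarBindingNames or VarBindingValues, where everything after the first dot is the key, so an OID such as 1.3.6.1.2.1.1.3.0 is looked up whole. The sample entry, the decision to leave unresolved variables as written, and the notify.exe program name are assumptions; the time-based variables are omitted. Because ${Message} carries text produced by the logged device, it is untrusted input once it lands on a command line, so the example expands each argument separately and quotes it with Python's subprocess.list2cmdline, which keeps spaces or quotes inside a message from splitting or reshaping the argument list.

```python
"""Expand ${Variable} and ${Root.key} placeholders for a Run an external program action.

Added example, not SolarWinds code. The sample entry, the notify.exe program name and
the rule that unresolved variables stay as written are assumptions.
"""
import re
import subprocess

# One constructed log entry: top-level variables plus the three dot-notation roots.
# For VarBindingValues the key is the full OID, dots included.
SAMPLE_ENTRY = {
    "IpAddress": "10.0.0.7",
    "Hostname": "dc01",
    "Level": "Information",
    "SourceType": "WindowsEvents",
    "Message": "A new process has been created",
    "EventData": {
        "SubjectDomainName": "WORKGROUP",
        "ProcessName": r"C:\Windows\System32\services.exe",
    },
    "VarBindingNames": {"sysUpTime": "42 days 0 hours 34 minutes 15,25 seconds"},
    "VarBindingValues": {"1.3.6.1.2.1.1.3.0": "363085525"},
}

VAR_RE = re.compile(r"\$\{([^}]+)\}")
DOT_ROOTS = ("EventData", "VarBindingNames", "VarBindingValues")


def resolve(name, entry):
    """Look up one variable name; returns None when it cannot be resolved.

    For dot-notation roots the text after the first dot is the key, so an OID like
    1.3.6.1.2.1.1.3.0 is matched as one key rather than split on its dots.
    """
    root, sep, rest = name.partition(".")
    if root in DOT_ROOTS:
        return entry.get(root, {}).get(rest) if sep else None
    return None if sep else entry.get(root)


def expand(template, entry):
    """Replace every ${...} in template; unresolved variables are left as written."""
    def repl(match):
        value = resolve(match.group(1), entry)
        return match.group(0) if value is None else str(value)
    return VAR_RE.sub(repl, template)


def build_command_line(program, arg_templates, entry):
    """Expand each argument on its own and quote it for a Windows command line.

    Quoting per argument means a message containing spaces or double quotes cannot
    turn into extra arguments for the program.
    """
    args = [expand(template, entry) for template in arg_templates]
    return subprocess.list2cmdline([program] + args)


if __name__ == "__main__":
    print(expand("${Hostname} (${IpAddress}): ${EventData.ProcessName}", SAMPLE_ENTRY))
    print(build_command_line("notify.exe", ["--host", "${Hostname}", "--msg", "${Message}"],
                             SAMPLE_ENTRY))
```

The same separation applies when the executed program is a script: pass the expanded values as discrete arguments and have the script read them positionally, rather than interpolating the message into a further shell command inside the script.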

Edit a collection profile

 1. On the Orion Web Console menu bar, navigate to Settings > All Settings, and then click Log and Event Settings in the Product Specific Settings group.

 2. Under Log and Event Settings, click the Profiles tab.

 3. Select a collection profile, and then click Edit.

 4. Step through the wizard, make changes where needed, and then click Save.

 5. To delete a profile, select a collection profile, and then click Delete.

Create custom log-processing rules

On the Log Processing Configuration page, you can create custom rules to complement the standard, out-of-the-box LA rule sets. You can define rule conditions to identify a specific log entry, and then establish subsequent actions, such as adding event tags, executing commands, and discarding log entries.

The pre-defined Rule Policy groups organize rule policies based on the message source and determine the rule policy evaluation order. The Processing Policies pane is organized into the following policy groups:

 l Log Files (Log Analyzer only)
 l Syslog
 l Traps
 l VMware Events
 l Windows Events (Log Analyzer only)
 l Global Pre-processing: Evaluated before log-specific and global post-processing rule policies
 l Global Post-processing: Evaluated after all log-specific rule policies

Group                               Message Type                 Evaluation Order
Global Pre-processing               All messages                 1
Log Files (Log Analyzer only)       Windows flat file messages   2
Syslog                              Syslog messages              3
Traps                               Trap messages                4
VMware Events                       VMware event messages        5
Windows Events (Log Analyzer only)  Windows event messages       6
Global Post-processing              All messages                 7

 1. On the Log Viewer toolbar, click Configure Rules.

 2. In the Processing Policies pane, click to expand a policy group, and then click My Custom Rules.

 3. Click Create New Rule.

 4. Enter a descriptive name for the rule, and then click Next.

 5. Select your source computers.

You can choose to trigger this alert from all sources, or specify conditions and values for one or more sources.

 6. Define your log entry rule conditions and values, and then click Next.

The log entry conditions vary by log source type. For example, an incoming SNMP trap message whose varbind element matches the specified OID and name criteria triggers the designated alert action.

 7. Select one or more log entry actions.

 8. Integrate an alert action, and then click Next.

 9. Review your rule summary, and then click Save to create the rule. To edit your rule conditions and actions, click Back.

 10. After you create one or more rules, you can then edit, enable, or disable each rule.

 11. To return to the Log Viewer, navigate to My Dashboards > Logs > Log Viewer.

Add custom rule actions

You can add one or more of the following actions to any custom rule:

 l Tag the entry.

 1. In the Rule Actions pane, click Add an Action.

 2. Select Tag the Entry, and then click Configure Action.

 3. Select one or more of the pre-defined log tags, and then click Done.

-or-

Click Create Another Tag, enter a custom tag name, select a tag color, and then click Done.

 l Forward the entry: Send the entry to another system for further processing.

 l Run an external program.

 1. In the Rule Actions pane, click Add an Action.

 2. Select Run an External Program, and then click Configure Action.

 3. Enter the program to run, command line arguments (optional), and then click Done.

Find a list of external program variables here.

 l Flag for discard: The log entry is not saved to the database, but subsequent rule actions are still applied.

 l Stop processing rules: Stops additional rule processing for the active log entry.
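The simulation below is an added example, not code from Log Analyzer. It evaluates a constructed rule set in the policy-group order given in the table above (global pre-processing, the group for the entry's source type, global post-processing) and applies the four custom rule actions, so the difference the guide draws between Flag for discard (entry not stored, later rules still run) and Stop processing rules (evaluation ends for that entry) can be observed directly. The Rule and entry shapes, the condition callables and the forwarding destination are assumptions.

```python
"""Simulate LA log-processing rule evaluation: policy-group order and custom-rule actions.

Added example, not SolarWinds code. The Rule/entry shapes, the condition callables and
the forwarding destination are assumptions; the group order and the action semantics
follow the guide.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Evaluation order from the Group / Message Type / Evaluation Order table.
GROUP_ORDER = ["Global Pre-processing", "Log Files", "Syslog", "Traps",
               "VMware Events", "Windows Events", "Global Post-processing"]
GLOBAL_GROUPS = {"Global Pre-processing", "Global Post-processing"}
# ${SourceType} value -> the log-specific policy group that evaluates it.
SOURCE_GROUP = {"FlatFiles": "Log Files", "Syslog": "Syslog", "Traps": "Traps",
                "VMwareEvents": "VMware Events", "WindowsEvents": "Windows Events"}


@dataclass
class Rule:
    name: str
    group: str
    condition: Callable[[dict], bool]
    actions: List[Tuple]   # ("tag", name) | ("forward", dest) | ("discard",) | ("stop",)


@dataclass
class Outcome:
    fired: List[str] = field(default_factory=list)
    tags: List[str] = field(default_factory=list)
    forwarded_to: List[str] = field(default_factory=list)
    discard: bool = False   # "Flag for discard": not saved, but later rules still run


def process(entry: dict, rules: List[Rule]) -> Outcome:
    """Evaluate rules group by group; within a group, list order is the custom rule order."""
    own_group = SOURCE_GROUP[entry["SourceType"]]
    out = Outcome()
    for group in GROUP_ORDER:
        if group not in GLOBAL_GROUPS and group != own_group:
            continue   # log-specific groups only see their own source type
        for rule in (r for r in rules if r.group == group):
            if not rule.condition(entry):
                continue
            out.fired.append(rule.name)
            for action in rule.actions:
                if action[0] == "tag":
                    out.tags.append(action[1])
                elif action[0] == "forward":
                    out.forwarded_to.append(action[1])
                elif action[0] == "discard":
                    out.discard = True
                elif action[0] == "stop":   # "Stop processing rules" ends evaluation here
                    return out
    return out


def stored(outcome: Outcome) -> bool:
    """An entry reaches the database only if no rule flagged it for discard."""
    return not outcome.discard


# Constructed rule set spanning pre-processing, two log-specific groups and post-processing.
# "siem.example.test:6514" is a placeholder destination.
RULES = [
    Rule("mark inbound", "Global Pre-processing", lambda e: True, [("tag", "inbound")]),
    Rule("process start", "Windows Events", lambda e: e.get("EventID") == 4688,
         [("tag", "process-start"), ("forward", "siem.example.test:6514")]),
    Rule("drop process exit", "Windows Events", lambda e: e.get("EventID") == 4689,
         [("discard",)]),
    Rule("all windows", "Windows Events", lambda e: True, [("tag", "windows")]),
    Rule("drop debug syslog", "Syslog", lambda e: e.get("Level") == "Debug",
         [("discard",), ("stop",)]),
    Rule("mark seen", "Global Post-processing", lambda e: True, [("tag", "seen")]),
]

# Constructed entries carrying only the fields the conditions look at.
WIN_START = {"SourceType": "WindowsEvents", "EventID": 4688}
WIN_EXIT = {"SourceType": "WindowsEvents", "EventID": 4689}
SYSLOG_DEBUG = {"SourceType": "Syslog", "Level": "Debug"}
TRAP = {"SourceType": "Traps", "TrapType": "linkDown"}

if __name__ == "__main__":
    for entry in (WIN_START, WIN_EXIT, SYSLOG_DEBUG, TRAP):
        print(entry, process(entry, RULES))
```

Note what the discard rule for 4689 does not do: the post-processing "mark seen" rule still fires on the discarded entry, whereas the syslog rule that also stops processing prevents it. If you rely on a post-processing rule for forwarding or alerting, check whether an earlier rule in the same path stops processing before the entry gets there.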

Reorder custom rules

On the Log Processing Configuration page, you can change the processing order for each of your custom rules.

 1. On the Log Viewer toolbar, click Configure Rules.

 2. In the Processing Policies pane, click to expand a policy group, and then click My Custom Rules.

 3. Select one or more custom rule check boxes, and then click Move Rule.

 4. In the custom rule list, select a rule, and then click Insert Above, or Insert Below.

Log forwarding

On the LA Log Processing Configuration page, create custom rules to forward your syslog and trap messages to a dedicated server. This feature allows you to forward log data to third-party systems and other SIEM tools.

 1. On the Log Viewer toolbar, click Configure Rules.

 2. In the Processing Policies pane, click to expand the Syslog or Traps policy group, and then click My Custom Rules.

 3. Click Create New Rule.

 4. Enter a descriptive name for the rule, and then click Next.

 5. Select your source computers.

You can choose to trigger this alert from all sources, or specify conditions and values for one or more sources.

 6. Define your log entry rule conditions and values, and then click Next.

 7. Select Forward the Entry, and then click Configure Action.

 8. Enter the destination server IP and UDP port.

To forward secure syslogs, select TCP over TLS from the Via drop-down list, and then enter port 6514.

Select one of the following options for the source address:

 l Use the Orion server's address as the source address
 l Use the original sender's address as the source address
 l Use a custom source address

 9. Click Done, and then click Next.

 10. Review your rule summary, and then click Save to create the rule. To edit your rule conditions and actions, click Back.

Enable existing NCM Real-Time Change Notification rules

You can apply existing NCM Real-Time Change Notification (RTCN) rules to your current LA log-processing rule set. When LA detects NCM RTCN rules, you will receive a notification in the Orion Web Console, which means you can then access and enable the rules through the LA Log Processing Configuration page. For more information, see Configure real-time change detection.

 1. On the Log Viewer toolbar, click Configure Rules.

 2. In the Processing Policies pane, click to expand Syslog or Traps, and then click NCM Rule: Real-Time Change Notifications. Each rule displays the established condition and subsequent action.

 3. To enable a rule, select a rule check box, and then click Enable Rule.

 4. To return to the Log Viewer, navigate to My Dashboards > Logs > Log Viewer.

Integrate Orion alerts with LA

On the Log Processing Configuration page, you can integrate alert actions into your custom rules, or create new rules and apply alert actions. You can configure your rule to send an event to the Orion Platform alerting engine when rule criteria are met, and also create a new alert that fires each time a rule is triggered.

For more information about Orion Platform alerting, see Use alerts to monitor your environment with the Orion Platform. To create a new rule, see Create custom log-processing rules.

Integrate an alert into an existing rule

 1. On the Log Viewer toolbar, click Configure Rules.

 2. In the Processing Policies pane, click to expand a policy group, and then click My Custom Rules.

 3. Select an existing rule, and then click Edit Rule.

 4. To integrate an alert, click Next, and then click Next again to view the rule actions.

 5. To send a log rule fired event to Orion Platform alerting, select the associated check box. This action allows you to see the event on the Manage Alerts page and use it when defining a custom alert.

 6. To create a new alert that fires when the rule is triggered, select the associated check box.

The alert triggers aggregate and roll up, so if you experience a large number in one minute, you receive one alert that includes the trigger count. The first instance indicates one alert, and subsequent triggers are aggregated and published after one minute.

 7. Enter a name for the alert.

 8. From the drop-down list, select a severity level.

 9. Establish your reset conditions.

 l Reset this alert automatically after

Select to reset an alert after a set amount of time has passed. If this interval is less than the amount of time you wait for different escalation levels, the escalation levels that occur after this interval do not fire. This reset condition is especially useful to remove event-based alerts from Active Alerts.

For example, if the trigger condition still exists after 48 hours, you can use this to trigger your alert actions again. The alert is reset and triggers as soon as the trigger condition is detected, which in this example is as soon as the objects are polled.

 l No reset condition - Trigger this alert each time the trigger condition is met

The alert fires each time the trigger conditions are met.

For example, when the alert for node 192.168.4.32 going down fires, a new alert for 192.168.4.32 fires every time the node is down when it is polled.

 l No reset action

The alert is active and is never reset. To re-trigger the alert, the alert must be manually cleared from the Active Alerts view.

 10. Click Next. The rule summary displays the alert integration actions.

 11. Review the rule summary, and then click Save to apply the settings. To edit the rule conditions, click Back.

 12. To view your alerts in the Orion Web Console, navigate to Settings > All Settings.

 13. In Alerts and Reports, click Manage Alerts.

 14. In the search field, enter Log Manager.

 15. Select an existing alert to edit properties, enable or disable the alert, and assign actions.

You can also integrate alerts when creating a new custom rule and add multiple alert actions to one custom rule.

If you would like to modify the message and trigger actions of an out-of-the-box alert, duplicate the alert, and then edit as needed. If you do not change the trigger condition, disable the out-of-the-box alert to avoid duplicate alert notifications.

To add the log message that triggers the alert, copy the macro below to the alert message definition on the Trigger Actions page.

${N=OLM.AlertingMacros;M=OLMAlertMessage.EventMessage}

To view and access linked alerts, click Trigger Orion Alert in your custom rules list on the Log Processing Configuration page.

To view your active alerts in the Orion Web Console, navigate to Alerts and Activity > Alerts. When your alert triggers, it appears in the All Active Alerts page along with all your other Orion alerts. From here, you can acknowledge alerts, view alert details, and clear the triggered instance of an alert.

LA agent overload alert

If the LA agent on a remote server becomes overloaded and fails to process events within a designated time (one minute by default), the agent sends a notification event to the Log Analyzer and triggers an alert in the Orion Web Console.

When configured, this alert triggers for Windows events as well as flat log files, with the message: SolarWinds LA Agent: Log File plugin overloaded while reading log entries.

This alert is enabled through a default rule on the Log Processing Configuration page. You can access, view, disable, and enable the alert from the LA Log Viewer toolbar.

 1. On the Log Viewer toolbar, click Configure Rules.

 2. In the Processing Policies pane, click to expand Windows Events, and then click Default Logging Rules.

 3. In the rules list, locate Log Analyzer Agent Overloaded - Alert Integration.

 4. Select the check box to view, disable, and enable the alert.

The alert criteria are established in the Global Advanced Configuration settings under LogManagement.WindowsEvents.Settings.

Administrators can adjust the following:

 l Cool down interval: The amount of time to wait before a new Load Monitor alert triggers if the processing delay is still over the limit.
 l Enable alerts: Select the check box to enable alerts.
 l Max processing delay: The maximum amount of time from the reception of an event until the event has been processed by the agent.

The event log displays specific event data in the Entry Details pane, such as the number of unprocessed events and the delay time.
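The model below is an added example, not SolarWinds code. It covers two throttling behaviours from this guide: the one-minute roll-up of rule-triggered alerts described in the alert-integration steps above (the first trigger is published immediately, later triggers are counted into one aggregate alert), and the agent load monitor's max processing delay and cool-down interval described in this section, including the unprocessed-event count and delay that the overload event reports. Timestamps are plain seconds; the exact roll-up semantics and the 300 s cool-down default are assumptions, while the 60 s window and the 60 s default max delay come from the guide.

```python
"""Model the one-minute alert roll-up and the agent load monitor (max delay, cool-down).

Added example, not SolarWinds code. Times are plain seconds. The roll-up semantics
(first trigger published at once, later triggers counted until the window closes) and
the cooldown_s=300 default are assumptions; window_s=60 and max_delay_s=60 follow the
guide.
"""


class AlertAggregator:
    """Publish the first trigger immediately, then roll later ones up with a count."""

    def __init__(self, window_s=60):
        self.window_s = window_s
        self.window_start = None   # None: no roll-up window is open
        self.pending = 0           # triggers counted since the window opened
        self.published = []        # (publish_time, trigger_count)

    def _close_if_elapsed(self, now):
        if self.window_start is not None and now - self.window_start >= self.window_s:
            if self.pending:
                self.published.append((self.window_start + self.window_s, self.pending))
            self.window_start, self.pending = None, 0

    def trigger(self, now):
        """Record one rule firing at time `now`."""
        self._close_if_elapsed(now)
        if self.window_start is None:     # first instance: one alert right away
            self.published.append((now, 1))
            self.window_start = now
        else:                              # aggregated into the open window
            self.pending += 1

    def flush(self, now):
        """Publish a pending roll-up whose window has ended; return all alerts so far."""
        self._close_if_elapsed(now)
        return list(self.published)


class LoadMonitor:
    """Raise an overload alert when the oldest unprocessed event is older than
    max_delay_s, then stay quiet for cooldown_s while the delay stays over the limit."""

    def __init__(self, max_delay_s=60, cooldown_s=300, enabled=True):
        self.max_delay_s = max_delay_s
        self.cooldown_s = cooldown_s   # assumption: the guide gives no default
        self.enabled = enabled
        self.last_alert = None

    def check(self, now, unprocessed_received_at):
        """unprocessed_received_at: reception times of events not yet processed.

        Returns an alert record (what the Entry Details pane would show), or None when
        under the limit, disabled, or still within the cool-down interval.
        """
        if not self.enabled or not unprocessed_received_at:
            return None
        delay = now - min(unprocessed_received_at)
        if delay <= self.max_delay_s:
            return None
        if self.last_alert is not None and now - self.last_alert < self.cooldown_s:
            return None
        self.last_alert = now
        return {"time": now, "unprocessed_events": len(unprocessed_received_at),
                "delay_s": delay}


def demo():
    """Four triggers at 0, 5, 10 and 70 s: one alert, one roll-up of two, one new alert."""
    agg = AlertAggregator()
    for t in (0, 5, 10, 70):
        agg.trigger(t)
    return agg.flush(200)


if __name__ == "__main__":
    print(demo())
    mon = LoadMonitor()
    print(mon.check(100, [10, 50, 90]), mon.check(130, [10, 50, 90, 120]))
```

The two mechanisms answer different questions when you tune them: the roll-up caps how many notifications one noisy rule can produce per minute, while the cool-down decides how often an agent that stays overloaded re-alerts. A short cool-down on a persistently slow agent produces a steady stream of identical alerts; lengthen it and rely on the unprocessed-event count in the alert to judge severity.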

Set LA storage and search retention period

On the Log and Event Settings page, you can set the number of days that syslog and trap messages are stored and searchable in the LA database. The default setting is seven days, but you can adjust it to anywhere from one day to one year.

 1. In the Orion Web Console, navigate to Settings > All Settings.

 2. Scroll down to Product Specific Settings and click Log and Event Settings.

 3. On the Log Management tab, enter the total number of days to keep syslog, traps, Windows events, and VMware events, and then click Save.*

The Log and Event Settings page also provides links to log processing rules, unmanaged log senders, managed but unlicensed log senders, and log monitoring options.

*The available options will vary based on the Orion Platform products you have installed.

Additional requirements

For additional information on SolarWinds requirements and configurations, see the Multi-module system guidelines and the Install or upgrade Orion Platform products instructions.
