HCO Study Guide for 1.3 PDF

Summary

This document appears to be a study guide for HCO. However, it does not include explicit questions. It may contain general information relevant to the understanding of HCO.

Full Transcript


7/28/23, 10:54 AM LA 2022.4.1 system requirements
https://documentation.solarwinds.com/en/success_center/la/content/system_requirements/la_2022-4-1_system_requirements.htm#link2

LA 2022.4.1 system requirements

Release Date: December 14, 2022

The following are the system requirements for LA 2022.4.1. This version of LA uses SolarWinds Platform version 2022.4.1. To upgrade to SolarWinds Platform 2022.4.1, your current deployment must be version 2020.2 or later. For more information on SolarWinds Platform system requirements, see the SolarWinds Platform requirements.

Contents:
- LA port requirements
- LA agent requirements
- Cloud instance requirements for the LA database in Azure
- Cloud instance requirements for the LA database in AWS

In addition to the requirements below, most LA monitoring requires that the monitored server be polled by a SolarWinds Platform Agent for Windows.

Operating System
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
- Microsoft Windows 11
- Microsoft Windows 10

Operating System language
- English (UK or US)
- German
- Japanese
- Simplified Chinese

SolarWinds Platform Web Console browser
SolarWinds Platform supports the two latest versions of the following web browsers available on the release date:
- Firefox
- Chrome
- Edge (79 or higher)
In LA 2020.2 and later, some pages are not compatible with IE11. If you are using IE11, you will see a warning message on incompatible pages. SolarWinds recommends using a different browser (such as Chrome, Firefox, or Microsoft Edge) for the best user experience with LA.

LA database
- Physical server or virtual machine
- Quad core processor or better
- 16 GB RAM
- 1 x 1 GB dedicated NIC
- Windows Server 2016 or 2019, Standard or Datacenter Edition
Additionally, Azure SQL is available to use as a database server for LA.

Disk requirements: 100-130 GB/day (at 1000 EPS) on a local NTFS disk. Estimate the required storage size based on the expected EPS and the desired retention; for example, 1 TB capacity for the default retention period (7 days).

Microsoft SQL Server 2016 SP1 or later. Users may experience performance degradation while using synchronous-commit mode for SQL availability groups on the Log Analyzer database. For high-load environments, asynchronous-commit mode is strongly recommended.

Microsoft SQL Server Express: SolarWinds recommends using SQL Server Express only in evaluations. If it is used in a production environment, consider the following: the LA database will have a 10 GB limit. This means that at 1000 EPS only 2-3 hours of data can be saved, and for 7 days of data (the default retention) only 15 EPS on average can be collected.

Supported collations:
- English with collation setting SQL_Latin1_General_CP1_CI_AS
- English with collation setting SQL_Latin1_General_CP1_CS_AS
- German with collation setting German_PhoneBook_CI_AS
- Japanese with collation setting Japanese_CI_AS
- Simplified Chinese with collation setting Chinese_PRC_CI_AS

Authentication
Either mixed-mode or Windows authentication. If you require SQL authentication, you must enable mixed mode on your SQL server.

LA/SolarWinds Platform server
Do not install SolarWinds Platform products on the same server as SolarWinds Access Rights Manager (ARM).

CPU
Quad core processor or better. Required: 4 cores. Recommended: 8 cores. Do not enable Physical Address Extension (PAE).

Hard drive space
15 GB minimum, 40 GB recommended. Two 146 GB 15K (RAID 1/Mirrored) hard drives are recommended, with a dedicated drive for the server operating system and the SolarWinds installation. During upgrades, the installer needs 2 GB of free space.
Some common files may need to be installed on the same drive as your server operating system. You may want to move or expand the Windows temporary directories.

Memory
8 GB minimum, 16 GB recommended.

LA port requirements

Ports 4369, 25672, and 5672 are opened by default on the main server for RabbitMQ messaging. These ports can be blocked by the firewall. When running SolarWinds High Availability, ensure ports 4369 and 25672 are open. RPC ports > 1024 (TCP, bidirectional) are used by the Job Engine v2 process to communicate with Windows nodes.

Port | Protocol | Service/Process | Direction | Description | Encryption
user-defined, default 22 | SSH | SolarWinds Job Engine v2, IIS | Outbound from the SolarWinds Platform server to the device | Port for accessing ASA devices through the CLI | Device-based
25 | TCP | SolarWinds Alerting Service V2 | Outbound | SMTP port for non-encrypted messages | n/a
53 | UDP | SolarWinds Job Engine v2 | Bidirectional | Resolving DNS queries | n/a
80 | TCP | IIS | Inbound | Default additional web server port. If you specify any port other than 80, you must include that port in the URL used to access the web console. For example, if you specify an IP address of 192.168.0.3 and port 8080, the URL used to access the web console is http://192.168.0.3:8080. Open the port to enable communication from your computers to the SolarWinds Platform Web Console. The port might also be used for Cisco UCS monitoring. | n/a
135 | TCP | Microsoft EPMAP (DCE/RPC Locator service) | Bidirectional | Required for devices polled via WMI. Used to initiate communication with the remotely managed host.
161 | UDP | SolarWinds Job Engine v2, SolarWinds Cortex | Bidirectional | Send and receive SNMP information | SNMP v1 and v2 are unencrypted. SNMP v3 uses AES and 3DES encryption.
162 | UDP | SolarWinds Trap Service | Inbound | Receive trap messages and SNMP Informs | SNMP v1 and v2 are unencrypted. SNMP v3 uses DES56, AES128, AES192, and AES256 for encryption, and MD5 and SHA1 for authentication.
443 | TCP | IIS | Inbound | Default port for https binding | SSL
465 | TCP | SolarWinds Alerting Service V2 | Outbound | SMTP port used to send TLS-enabled email alert actions | SSL
514 | UDP | SolarWinds Syslog Service | Inbound | Receive syslog messages | n/a
587 | TCP | SolarWinds Alerting Service V2 | Outbound | SMTP port used to send TLS-enabled email alert actions | TLS
1433 | TCP | SolarWinds Alerting Service V2, SolarWinds Administration Service, SolarWinds Information Service, SolarWinds Information Service V3, SolarWinds Platform Module Engine | Outbound | Communication between the SolarWinds Platform server and the SQL Server | n/a
1434 | UDP | SolarWinds Alerting Service V2, SolarWinds Administration Service, SolarWinds Information Service, SolarWinds Information Service V3, SolarWinds Platform Module Engine, SQL Server Browser Service | Outbound | Communication with the SQL Server Browser Service to determine how to communicate with certain non-standard SQL Server installations. Required only if your SQL Server is configured to use dynamic ports. | n/a
1468 | TCP | SolarWinds Syslog Service | Inbound | Receive syslog messages | n/a
5671 | TCP | RabbitMQ | Bidirectional | For encrypted RabbitMQ messaging (AMQP/TLS) into the main polling engine from every SolarWinds Platform server (additional polling engines, HA servers, or additional web servers). Sending messages to RabbitMQ. | TLS 1.2
6514 | TCP | SolarWinds Syslog Service | Inbound | Receive syslog messages | TLS
17777 | TCP | SolarWinds Platform Module Engine, SolarWinds Information Service, SolarWinds Information Service V3, SolarWinds Cortex | Bidirectional | Communication between services and SolarWinds Platform module traffic. Communication between the SolarWinds Platform Web Console and the polling engines. Communication between the main server and pool members. | RSA handshake, AES 256 communication using WCF; TLS 1.2 with Cortex
17778 | HTTPS | SolarWinds Agent | Inbound to the SolarWinds Platform server | Required for access to the SWIS API and agent communication | SSL

See SolarWinds Port requirements for a comprehensive list of port requirements for SolarWinds products. Optional, individual components, such as SolarWinds agents and High Availability, have additional port requirements.

LA agent requirements

Agent software is free. Licensing occurs through your product and is usually based on the number of monitored elements. Windows agents run as a service. Before you deploy agents to a target computer, review the following system requirements.
Operating System
Windows: Only 64-bit operating systems are supported.
- Windows Server 2008 R2 SP1
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
- Windows 7
- Windows 7 SP1
- Windows 8
- Windows 8.1
- Windows 10
Only Pro, Enterprise, and Ultimate workstation operating system editions are supported.
Linux:
- CentOS 6.x - 8.x, 64-bit
- Oracle Linux 6.x - 8.x, 64-bit
- Red Hat Enterprise Linux 6.x - 8.x, 64-bit
- SUSE Linux Enterprise Server 15.x, 64-bit
- Ubuntu 14.x - 20.x, 64-bit
Linux distributions not listed above are not supported.

Hard drive space
Approximately 100 MB of hard drive space on the target computer.

Other
Windows: The following software packages are installed by the agent installer if necessary:
- Microsoft Visual C++ 2013 Redistributable Package for 32-bit or 64-bit.
- .NET Framework support: On operating systems that support .NET Framework 4.8, all Windows Agent Plugins are migrated to .NET 4.8. Upon upgrade to 2019.4, .NET 4.8 is deployed automatically to operating systems that support .NET 4.8.
Linux: For Linux, you may need to install the following software manually:
- Python: Python 3 is deployed automatically to Linux agents. During upgrades, all Linux Agent plugins are migrated to Python 3. Orion Platform 2019.2 and earlier require Python 2, versions 2.4.3 and later.
- The bash shell.
For AIX: You don't need to install Python manually. Required packages are distributed and deployed automatically with the agent plug-ins. Bash or korn shell is required.

Security
Windows: The VeriSign Root Certificate Authority (CA) must be current. This is required because the agent software is signed using a VeriSign certificate. After the agent is installed, it runs as a Local System account and does not require administrative permissions to function.
Linux: After the agent is installed, it runs under a dedicated swiagent account. Some actions require root access.

Latency
Agents can tolerate up to 500 ms of latency between the remote computer and the SolarWinds Platform server.

Cloud instance requirements for the LA database in Azure

The cloud instance requirements match the requirements for the LA database server above. Azure Storage Disk volumes are not your dedicated hardware. Consider using Azure Reserved Instances of storage disk volumes for SQL servers.

Cloud instance requirements for the LA database in AWS

You can install Log Analyzer as part of a small deployment with AWS RDS. Use the Medium Deployment guidelines as seen in the Multi-module system guidelines.

Requirements | Small | Medium | Large | XL
Log Analyzer Database | See Medium | r3.xlarge | r5d.4xlarge | r5d.4xlarge

© 2003-2021 SolarWinds Worldwide, LLC. All rights reserved.

Set up Windows event collection in LA
https://documentation.solarwinds.com/en/success_center/la/content/lm/lm-set-up-windows-event-collection.htm

You can stream, monitor, and alert on Windows event logs from your network devices in LA. From the LA Log Viewer, you can filter Windows events, enable out-of-the-box rules for events, and create custom rules tailored for specific Windows event activity. During your LA installation or upgrade, install the LA agent plugin with your SolarWinds Platform agent to begin collecting Windows event logs. Follow the steps below to configure and manage Windows event collection.
- Deploy the SolarWinds Platform agent
- Collect Windows events from unknown nodes
- Collect Windows events from one or more SolarWinds Platform nodes
- Disable Windows event collection from one or more SolarWinds Platform nodes
- Forward Windows events to a SolarWinds Platform agent
- Collect Windows events without deploying the agent
- LA agent overload alerts
- Monitor Windows Security events

Deploy the SolarWinds Platform agent

To collect Windows events, deploy the SolarWinds Platform agent to monitored nodes, and then enable LA to monitor Windows events.

Collect Windows events from unknown nodes

Windows events received from an unknown network node are discarded until you add the device through Node Management.

Collect Windows events from one or more SolarWinds Platform nodes

Enable LA to monitor Windows events from any network node.

Disable Windows event collection from one or more SolarWinds Platform nodes

To stop collecting Windows events, set one or more nodes to the Disabled state in the SolarWinds Platform Web Console. Disabling log monitoring for a node disables receiving messages from all log sources, such as syslogs, traps, etc.

Forward Windows events to a SolarWinds Platform agent

Microsoft provides the ability to forward Windows events from one machine to another. When you forward Windows events to a SolarWinds Platform agent, the events are then sent to LA, provided the machine from which the event was forwarded is monitored by the SolarWinds Platform. To set up Windows Event Forwarding, follow the procedures below.

Set up a subscription for forwarding events to an existing agent following Microsoft guidelines:
- Configure Computers to Forward and Collect Events
- Create a new subscription

Ensure that any node configured to forward events does not have the SolarWinds Platform agent installed. Otherwise, you will receive duplicate events. If you made changes to the default query, ensure the query includes the Forwarded Events channel.

Collect Windows events without deploying the agent

If you choose not to deploy the SolarWinds Platform agent, you can convert Windows events to syslogs with SolarWinds Event Log Forwarder for Windows. Find more information about this free tool here. If you choose not to install the agent, the following features will not be available:
- Windows event messages
- Out-of-the-box rules for Windows events
- Windows event fields in the Rule Builder
- Near real-time log collection (unless in Live Mode)

LA agent overload alerts

LA agent overload alerts will send a notification if the LA agent fails to adequately process events. Overload alerts are enabled by default.

Configure secure syslog settings for Log Analyzer
https://documentation.solarwinds.com/en/success_center/la/content/lm/la-securesyslogsettingsexternal.htm

By default, Log Analyzer will accept secure syslog messages sent to port 6514 provided a secure connection has been established. Log Analyzer will also forward secure syslogs when a log forwarding custom rule action is set to TCP over TLS on port 6514. However, no modification options are possible due to certificate-related limitations in the SolarWinds Platform server. TCP forwarding (with the TCP port) supports both plain TCP and TCP over TLS. The TCP connection prevents IP spoofing. If you have devices configured to transmit and forward secure syslog messages, contact SolarWinds Customer Support to ensure the syslog configuration settings are correct to avoid log processing errors.
If necessary, SolarWinds can adjust the default values to accommodate a variety of scenarios. Log Analyzer uses a non-CCPP compliant transmission method (sending and receiving) for secure syslogs. Many checks and errors, including name mismatches, server certificate revocation, certificate chain errors, and missing certificates, are ignored. Log Analyzer includes the SolarWinds-SolarWinds Platform certificate for the server by default, which can only be changed by SolarWinds customer support.

Monitor logs and events with your LA and SolarWinds Platform product license plans
https://documentation.solarwinds.com/en/success_center/la/content/la/la_licensing_model.htm

Monitor any networked SolarWinds Platform node in the Log Analyzer (LA) Log Viewer with your LA license plan. In the SolarWinds Platform Web Console, check for available licenses by navigating to Settings > All Settings, and then clicking License Details in the Details pane. The License Details page lists all licensed SolarWinds Platform products, including the total number of LA licenses and the number of nodes currently consuming a license.

Beginning in April 2020, you can choose to use a perpetual license or a subscription-based (term-based) license. Learn more here.

If your LA licenses expire, you will then only have access to the SolarWinds Platform Log Viewer, formerly Log Manager Basic. This means the SolarWinds Platform Log Viewer will use SolarWinds Platform nodes for licenses, so you will continue to receive message data, but will not have access to live event streaming, the event histogram, event tagging, and more. Review the feature comparison here.

As part of the LA licensing framework, LA receives messages from all nodes the SolarWinds Platform manages. When you purchase and register a license as an existing customer, the licensing framework combines SolarWinds Platform nodes with your LA licenses. For instance, if you have NPM SL100 and SAM AL100, and then register an LA100 license, you can monitor up to 300 nodes, but only receive messages from 100 nodes. Of the total (300) nodes, you can select which 100 nodes you would like to monitor in LA.

The SolarWinds Platform does not support using LA with one set of nodes and the SolarWinds Platform Log Viewer on the remaining nodes. In other words, if you have an LA10 license and a SAM AL100 license, you can monitor 10 nodes with LA, but you cannot monitor the other 90 with the SolarWinds Platform Log Viewer.

LA evaluation customers receive unlimited licenses for SolarWinds Platform nodes during the evaluation period. The SolarWinds Platform Log Viewer only receives syslog/trap messages from licensed devices. VMAN requires the SolarWinds Platform Log Viewer to monitor VMware-specific events. Processing NCM Real-Time Change Notification messages requires an LA-specific license for each device.

Licensing levels

License | Number of Monitored Elements
LA10 | Up to 10 nodes with 1st-Year Maintenance
LA25 | Up to 25 nodes with 1st-Year Maintenance
LA50 | Up to 50 nodes with 1st-Year Maintenance
LA100 | Up to 100 nodes with 1st-Year Maintenance
LA250 | Up to 250 nodes with 1st-Year Maintenance
LA500 | Up to 500 nodes with 1st-Year Maintenance
LA1000 | Up to 1000 nodes with 1st-Year Maintenance

Message source terminology

- Message source: Any device that sends log messages to LA.
- Unmonitored message source: Unknown device (not in the SolarWinds Platform) that sends messages to LA.
- Managed by LA: Node that sends messages to LA and consumes an LA license.
- Passive SolarWinds Platform node: Node that doesn't send messages and is ignored by LA.

Enable or disable log and event monitoring

To adjust your node settings, edit the node properties, and then select one of the Log and Event Monitoring options.

1. In the SolarWinds Platform Web Console, navigate to Settings > Manage Nodes.
2. Select one or more nodes, and then click Edit Properties.
3. Scroll down to the Log and Event Monitoring section. Choose one of the following options from the Status drop-down list:
   - Default: Monitoring will be enabled for this node on receipt of the first message. The Default setting applies to syslog and SNMP trap messages only. Windows and VMware events must be manually set to Enabled or Disabled. Log monitoring is automatically enabled by log profile creation.
   - Enabled: Monitoring is enabled for this node.
   - Disabled: Monitoring is disabled for this node. Log and event data will be discarded for this node.
4. Click Submit.

You can also enable a node by selecting one or more nodes and clicking More Actions > Enable Log Monitoring.

Before removing a node, determine if it is collecting events from additional networked nodes that you want to continue monitoring. This action can result in loss of data from multiple nodes.

Configure devices to send messages to Log Analyzer
https://documentation.solarwinds.com/en/success_center/la/content/la/la-configure-devices-to-send-messages.htm

To receive messages from a syslog-capable device, configure the device to send syslog messages to the appropriate port on the computer where the dedicated server is installed. Log Analyzer listens for UDP messages on port 514 and TCP messages on ports 1468 and 6514. These are the default ports for devices sending syslog messages as defined by RFC standards 5425 and 5426. Learn about configuring secure syslog settings here.

Log Analyzer listens for SNMP trap messages on UDP port 162. This is the default port for devices sending SNMP traps as defined by RFC standard 1157. SNMP v1 and v2 are unencrypted. SNMP v3 uses DES56, AES128, AES192, and AES256 for encryption, and MD5 and SHA1 for authentication.

When the device is added as a monitored node to the SolarWinds Platform, messages from this device stream into the Log Viewer and are processed according to the rules that you define. For information about configuring a specific device, refer to documentation from the device manufacturer. Below is an example for configuring a Cisco switch.

Configure a Cisco Catalyst 2960 switch to send syslog messages to Log Analyzer

The following example shows how to configure a Cisco Catalyst 2960 switch. To configure other types of devices, see the device manufacturer's instructions. Message logging must be enabled on the device. On many devices that generate syslog messages, logging is enabled by default.

1. On the Cisco Catalyst 2960 switch, open the Cisco command-line interface and begin a session.
2. Verify that you are in privileged EXEC mode on the switch.
   To enter privileged EXEC mode, type the command: enable
3. Switch to global configuration mode. Type the command: configure terminal
4. Verify that logging is enabled. If logging has been disabled, type the command: logging enable
5. Configure the switch to send log messages to the Log Analyzer database. Type the command: logging host
   where host is the name or IP address of the device where the dedicated server is installed.
6. Limit the messages sent based on priority level. Type the command: logging trap level
   where level is one of the following, listed in descending order of priority:
   - emergencies
   - alerts
   - critical
   - errors
   - warnings
   - notifications
   - informational (default level)
   - debugging
   The device sends messages with the specified priority level and above. For example, the level critical sends messages with priority levels of critical, alerts, and emergencies.
7. Return to privileged EXEC mode. Type the command: end

Create custom log-processing rules in LA
https://documentation.solarwinds.com/en/success_center/la/content/lm/lm-create-custom-rules.htm

On the Log Processing Configuration page, you can create custom rules to complement the standard, out-of-the-box LA rule sets. You can define rule conditions to identify a specific log entry, and then establish subsequent actions, such as adding event tags, executing commands, and discarding log entries.
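The path from the switch commands above to the three LA syslog listeners (514/UDP, 1468/TCP, 6514/TCP over TLS, see the secure syslog settings page), as an added Python example that is not SolarWinds code: the IOS level names and their numeric severities are standard, the sample messages are constructed, and send_tls keeps certificate verification on, which the page notes LA's own secure syslog handling does not.

```python
"""Added example (not SolarWinds code): model what a Cisco switch sends to
Log Analyzer after `logging trap <level>`, and how a message is framed for
the LA listeners on 514/UDP (RFC 5426) and 1468/6514 TCP (RFC 5425)."""
import socket
import ssl
from typing import List, Optional, Tuple

# IOS level names in descending priority; the list index is the RFC 5424
# severity code the switch puts into the syslog PRI (facility*8 + severity).
IOS_LEVELS = ["emergencies", "alerts", "critical", "errors", "warnings",
              "notifications", "informational", "debugging"]


def severity_of(level: str) -> int:
    """Map an IOS level name to its numeric severity (0 = emergencies)."""
    return IOS_LEVELS.index(level)


def passes_trap_level(msg_severity: int, trap_level: str) -> bool:
    """`logging trap <level>` forwards messages at that level and above,
    i.e. with a numerically lower-or-equal severity code."""
    return msg_severity <= severity_of(trap_level)


def pri_of(facility: int, severity: int) -> int:
    return facility * 8 + severity


def split_pri(pri: int) -> Tuple[int, int]:
    """Inverse of pri_of: (facility, severity)."""
    return divmod(pri, 8)


def ios_config(host: str, trap_level: str = "informational") -> List[str]:
    """The global-configuration lines from the procedure above."""
    return ["configure terminal", "logging enable", f"logging host {host}",
            f"logging trap {trap_level}", "end"]


def frame_tcp(message: str) -> bytes:
    """RFC 5425 octet counting: '<len> <msg>' so the receiver can delimit
    messages on a stream. Used for 1468/TCP and 6514/TLS."""
    data = message.encode("utf-8")
    return f"{len(data)} ".encode("ascii") + data


def parse_tcp_frames(stream: bytes) -> List[str]:
    """Inverse of frame_tcp: split a byte stream back into messages."""
    out: List[str] = []
    while stream:
        length, _, rest = stream.partition(b" ")
        n = int(length)
        out.append(rest[:n].decode("utf-8"))
        stream = rest[n:]
    return out


def send_udp(message: str, host: str, port: int = 514) -> None:
    """RFC 5426 transport: one datagram per message, no framing."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message.encode("utf-8"), (host, port))


def send_tls(message: str, host: str, port: int = 6514,
             cafile: Optional[str] = None) -> None:
    """RFC 5425 transport. Unlike LA's own forwarder, this context keeps
    chain and hostname verification on, so a wrong certificate fails the send."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(frame_tcp(message))


# Constructed sample messages; facility local7 (23) is the IOS default.
SAMPLE = [(pri_of(23, 2), "%SYS-2-MALLOCFAIL: Memory allocation failed"),
          (pri_of(23, 3), "%LINK-3-UPDOWN: Interface Gi0/1, changed state to down"),
          (pri_of(23, 6), "%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host started")]


def forwarded(trap_level: str) -> List[str]:
    """Texts the switch would actually send at the given trap level."""
    return [text for pri, text in SAMPLE
            if passes_trap_level(split_pri(pri)[1], trap_level)]
```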
The pre-defined Rule Policy groups organize rule policies based on the message source and determine the rule policy evaluation order. The Processing Policies pane is organized into the following policy groups:
- Log Files (Log Analyzer only)
- Syslog
- Traps
- VMware Events
- Windows Events (Log Analyzer only)
- Global Pre-processing: Evaluated before log-specific and global post-processing rule policies
- Global Post-processing: Evaluated after all log-specific rule policies

Evaluation Group | Message Type | Order
Global Pre-processing | All messages | Evaluated first
Log Files (Log Analyzer only) | Windows flat file messages | Evaluated after items in the pre-processing group. Although the items are ordered alphabetically, they run independently, at the same time. You can see the execution order in the rules list.
Syslog | Syslog messages | (as above)
Traps | Trap messages | (as above)
VMware Events | VMware event messages | (as above)
Windows Events (Log Analyzer only) | Windows event messages | (as above)
Global Post-processing | All messages | Evaluated last

1. On the Log Viewer toolbar, click Settings.
2. In the Processing Policies pane, click to expand a policy group, and then click My Custom Rules.
3. Click Create.
4. Enter a descriptive name for the rule, and then click Next.
5. In Condition, select the "This rule fires while..." box and specify conditions and values for one or more sources, and then click Next.
   The log entry conditions vary by log source type. In the example below, an incoming SNMP Trap message meeting specified Varbind element with OID and name criteria will trigger the designated alert action.
6. Specify the time when the rule will be active. The default value is always active.
7. For syslogs and traps processing policies, you can configure advanced settings, such as entry count or flood protection. Expand Advanced settings and specify the entry threshold to trigger the rule. The default value is for every matching entry. Expand Advanced Settings and specify how much time to prevent the rule from firing for flood protection. The default value is no cooldown time.
8. Select one or more log entry actions. SolarWinds Platform has two types of rule actions:
   - Native actions are actions that are configured while managing rules. Depending on the configuration and available resources, native actions can trigger thousands of times per second.
   - Alerting actions are syslogs and traps that trigger SolarWinds Platform alerts using pubsub, which is an Event alert condition. Event alert actions can trigger approximately twelve times per second for a single rule or alert. If there are multiple rules or alerts, roughly eighty alert actions can trigger per second.
9. Integrate an alert action, and then click Next.
10. Review your rule summary, and then click Save to create the rule. To edit your rule conditions and actions, click Back.

Add custom rule actions

You can add one or more of the following actions to any custom rule:

Tag the entry.
1. In the Rule Actions pane, click Add an Action.
2. Select Tag the Entry, and then click Configure Action.
3. Select one or more of the pre-defined log tags, and then click Done. -or- Click Create Another Tag, enter a custom tag name, select a tag color, and then click Done.

Forward the entry: Send the entry to another system for further processing.

Run an external program.
SolarWinds recommends that you create tailored low-privilege accounts on the machine to run specific external programs, scripts, and alert actions. See Secure external programs and script alerting actions for details.
1. In the Rule Actions pane, click Add an Action.
2. Select Run an External Program, and then click Configure Action.
3. Enter the program to run, command line arguments (optional), and the account for execution, and then click Done.
Custom Windows accounts can be used for external program execution that uses the SolarWinds Platform's Windows credentials. Click the drop-down menu to refresh if changes are made to Windows credentials. Find a list of external program variables here.

Flag for discard: The log entry is not saved to the database, but subsequent rule actions are still applied.

Stop processing rules: Stops additional rule processing for the active log entry.

Real-time config change detection: Sends a notification to NCM or HCO Advanced that a change to a network configuration file was detected. Real-time config change detection should be used in place of running SolarWinds.NCM.RTNForwarder.exe with the Run external program action. Like NCM, this action uses a fixed structure that does not take parameters. See Configure real-time change detection in NCM for details.

If you update from an NCM or HCO Advanced version prior to 2023.2.1, the Configuration Wizard will convert all Run external program actions using RTNForwarder.exe to Real-time config change detection actions.
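How the entry threshold and flood-protection cooldown from step 7, the Flag for discard and Stop processing actions, and the pre-processing, log-specific, post-processing evaluation order interact, as an added Python model that is not SolarWinds code: rule names, the sample messages and the assumption that matches keep being counted during a cooldown are all constructed here.

```python
"""Added example (not SolarWinds code): a small model of the Advanced
settings on a syslog/trap custom rule (entry threshold and flood-protection
cooldown) and of the Flag for discard and Stop processing actions, run in the
Global Pre-processing -> log-specific -> Global Post-processing order. How
the real engine counts entries during a cooldown is an assumption here."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Rule:
    name: str
    matches: Callable[[str], bool]      # the rule's condition
    threshold: int = 1                  # fire on every Nth match; 1 = every matching entry
    cooldown: float = 0.0               # seconds the rule stays quiet after firing; 0 = none
    actions: Tuple[str, ...] = ()       # e.g. ("tag:auth",) or ("discard", "stop")
    _count: int = field(default=0, init=False)
    _last_fire: float = field(default=float("-inf"), init=False)

    def evaluate(self, text: str, now: float) -> bool:
        """True when the rule fires for this entry."""
        if not self.matches(text):
            return False
        self._count += 1
        if self._count % self.threshold != 0:
            return False                # entry threshold not reached yet
        if now - self._last_fire < self.cooldown:
            return False                # flood protection suppresses this firing
        self._last_fire = now
        return True


@dataclass
class Result:
    fired: List[str]                    # rules that fired, in evaluation order
    stored: bool                        # False once a firing rule carried "discard"


def process(message: str, now: float, groups: Dict[str, List[Rule]]) -> Result:
    """Evaluate one entry against the policy groups in order. "stop" ends
    evaluation for this entry; "discard" keeps evaluating but the entry is
    not written to the database."""
    fired: List[str] = []
    stored = True
    for group in ("pre", "syslog", "post"):
        for rule in groups.get(group, []):
            if rule.evaluate(message, now):
                fired.append(rule.name)
                if "discard" in rule.actions:
                    stored = False
                if "stop" in rule.actions:
                    return Result(fired, stored)
    return Result(fired, stored)


def run_demo() -> List[Result]:
    """Constructed stream: one noise message, then nine login failures at
    the given times (seconds). The burst rule needs 3 matches and then
    stays quiet for 60 s, so it fires at t=3 and t=72 but not at t=6."""
    groups = {
        "pre": [Rule("drop-noise", lambda t: "LOGGINGHOST" in t,
                     actions=("discard", "stop"))],
        "syslog": [Rule("auth-burst", lambda t: "LOGIN_FAILED" in t,
                        threshold=3, cooldown=60.0, actions=("tag:auth",)),
                   Rule("tag-sec", lambda t: "SEC_LOGIN" in t,
                        actions=("tag:sec",))],
        "post": [],
    }
    fail = "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.9]"
    stream = [(0.0, "%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host started")]
    stream += [(float(t), fail) for t in (1, 2, 3, 4, 5, 6, 70, 71, 72)]
    return [process(text, now, groups) for now, text in stream]
```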
Set LV storage and search retention period

This SolarWinds Platform topic applies only to the following products: Hybrid Cloud Observability Essentials, Hybrid Cloud Observability Advanced, NCM, NPM, SAM, UDT, VMAN.

On the Log and Event Settings page, you can set the number of days for each message type for which messages are stored and searchable in the LV database. The default setting is seven days, but you can adjust it to anywhere from one day to one year.

1. On the Log Viewer toolbar, click Settings.
2. Click the Retention tab.
3. On the Retention tab, enter the total number of days to keep syslog and trap events, and then click Save.*

The Log and Event Settings page (Management tab) also provides links to unmanaged log senders, managed but unlicensed log senders, and log monitoring options.

*The available options will vary based on the SolarWinds Platform products you have installed.
https://documentation.solarwinds.com/en/success_center/orionplatform/content/lm/lm-configure-log-manager-settings.htm

Filter and analyze event logs

In the LA Filters pane, select one or more filters to refine your event log stream to display messages based on event type, node, IP address, vendor, and more.

To drill down into a log summary for a specific node, click a node link in the Log Viewer table, and then click Analyze Logs in the Node Details Management pane. The associated logs appear in the LA Log Viewer.

https://documentation.solarwinds.com/en/success_center/la/content/lm/lm-filter-analyze-event-logs.htm

Filter and view event logs in live mode

Switch the Log Viewer to live mode to view events as they occur in your environment. This is particularly useful when troubleshooting active network problems.
You can apply "live" filters to target and identify issues using the Filters pane and keyword search, and then observe the histogram chart to note any spikes in activity or log anomalies. In live mode, Log Viewer data is automatically refreshed every 10 seconds. Live mode also reconciles device polling gaps by processing and correlating a consistent stream of event log data.

https://documentation.solarwinds.com/en/success_center/la/content/lm/lm-view-event-logs-in-live-mode.htm

Duplicate rules in LA

1. Under My Custom Rules, rules can be duplicated within the same policy or into a different policy.
2. Click Duplicate. Select the location where the rule will be duplicated. Rules can only be duplicated within My Custom Rules. The current policy is selected by default.
3. Once the rule is duplicated, a toast message will display. The name of the new rule will be Copy of (previous rule name) by default. Processing is disabled by default.

If you duplicate a rule with conditions or actions that are not available in the destination policy, the condition or action is removed. If there is an alternative (such as forwarding), it will be applied, and the port is changed to the default. New duplicated rules are automatically disabled for this reason.

Rules from any policy can be duplicated, but only a Custom policy can be used as a target. Multiple rules can only be duplicated to one policy at a time.
Troubleshooting

Troubleshooting information related to rule duplication can be found in the following log file:
C:\programdata\SolarWinds\Logs\Orion\ApolloWebApi.log

Any error related to rule duplication will display after the following debug log entries:

2020-09-09 13:33:55,350 DEBUG SolarWinds.Orion.LogMgmt.RuleProcessing.Rules.RuleManager - Duplicating rule 9ae27a83-dec0-4b68-af51-6650c004657d to policy f7e41b9a-69a5-4008-927e-03dd8b7446e4
2020-09-09 13:33:55,775 DEBUG SolarWinds.Orion.LogMgmt.RuleProcessing.Rules.RuleManager - Rule 9ae27a83-dec0-4b68-af51-6650c004657d was sucesfully duplicated to policy f7e41b9a-69a5-4008-927e-03dd8b7446e4

https://documentation.solarwinds.com/en/success_center/la/content/duplicate-rules.htm

Reorder custom rules in LA

Starting with LA 2020.2.5, you can see the execution order of rules per log source in the rules list. Disabled rules are excluded from the order.

On the Log and event settings page, you can change the processing order for each of your custom rules in the Processing tab.

1. On the Log Viewer toolbar, click Settings.
2. In the Processing tab, under Processing Policies, click to expand a policy group, and then click My Custom Rules.
3. Select one or more custom rule check boxes, and then click Reorder.
4. In the custom rule list, select a rule, and then click Insert Above or Insert Below.
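Added example, not SolarWinds code: a small parser for the ApolloWebApi.log entries shown in the Duplicate rules troubleshooting section above. It pairs each "Duplicating rule" line with its success line, or with any ERROR/FATAL line logged after it before the next attempt, so a failed duplication can be spotted without reading the file by hand. The log excerpt, the second GUID pair and the error text are constructed; the line layout follows the two entries quoted on the page.

```python
import re

# Constructed excerpt in the ApolloWebApi.log format quoted above: the first
# attempt succeeds, the second is followed by a (made-up) error line.
SAMPLE_LOG = """\
2020-09-09 13:33:55,350 DEBUG SolarWinds.Orion.LogMgmt.RuleProcessing.Rules.RuleManager - Duplicating rule 9ae27a83-dec0-4b68-af51-6650c004657d to policy f7e41b9a-69a5-4008-927e-03dd8b7446e4
2020-09-09 13:33:55,775 DEBUG SolarWinds.Orion.LogMgmt.RuleProcessing.Rules.RuleManager - Rule 9ae27a83-dec0-4b68-af51-6650c004657d was sucesfully duplicated to policy f7e41b9a-69a5-4008-927e-03dd8b7446e4
2020-09-09 13:40:02,101 DEBUG SolarWinds.Orion.LogMgmt.RuleProcessing.Rules.RuleManager - Duplicating rule 11111111-2222-3333-4444-555555555555 to policy 66666666-7777-8888-9999-000000000000
2020-09-09 13:40:02,140 ERROR SolarWinds.Orion.LogMgmt.RuleProcessing.Rules.RuleManager - Constructed example error: action not available in destination policy
"""

GUID = r"[0-9a-f-]{36}"
START = re.compile(rf"^(?P<ts>\S+ \S+) DEBUG .*Duplicating rule (?P<rule>{GUID}) to policy (?P<policy>{GUID})")
# "was \w+ duplicated" tolerates the product's own spelling of "sucesfully"
DONE = re.compile(rf"^(?P<ts>\S+ \S+) DEBUG .*Rule (?P<rule>{GUID}) was \w+ duplicated to policy (?P<policy>{GUID})")
ERROR = re.compile(r"^(?P<ts>\S+ \S+) (?:ERROR|FATAL) (?P<msg>.*)")

def audit_duplications(text):
    """Return one dict per duplication attempt: rule, policy, start time,
    whether the success line was seen, and any error lines logged after it."""
    attempts, current = [], None
    for line in text.splitlines():
        if m := START.match(line):
            current = {"rule": m["rule"], "policy": m["policy"], "started": m["ts"],
                       "ok": False, "errors": []}
            attempts.append(current)
        elif current is None:
            continue                        # nothing to attribute lines to yet
        elif (m := DONE.match(line)) and m["rule"] == current["rule"]:
            current["ok"] = True
        elif m := ERROR.match(line):
            current["errors"].append(m["msg"])
    return attempts

def failed_duplications(text):
    """(rule, policy) pairs for attempts that never logged success."""
    return [(a["rule"], a["policy"]) for a in audit_duplications(text) if not a["ok"]]
```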
https://documentation.solarwinds.com/en/success_center/la/content/lm/lm-custome-rules-reorder.htm

Integrate SolarWinds Platform alerts with LA

On the Log Processing Configuration page, you can integrate alert actions into your custom rules, or create new rules and apply alert actions. You can configure your rule to send an event to the SolarWinds Platform alerting engine when rule criteria are met, and also create a new alert that fires each time a rule is triggered.

For more information about SolarWinds Platform alerting, see Use alerts to monitor your environment with the SolarWinds Platform. To create a new rule, see Create custom log-processing rules.

Integrate an alert into an existing rule

1. On the Log Viewer toolbar, click Settings.
2. In the Processing Policies pane, click to expand a policy group, and then click My Custom Rules.
3. Select an existing rule, and then click Edit.
4. To integrate an alert, click Next, and then click Next again to view the rule actions.
5. To send a log rule fired event to SolarWinds Platform alerting, select the associated check box. This action allows you to see the event on the Manage Alerts page and use it when defining a custom alert.
6. To create a new alert that fires when the rule is triggered, select the associated check box. The alert triggers aggregate and roll up, so if you experience a large number in one minute, you receive one alert that includes the trigger count. The first instance indicates one alert, and subsequent triggers are aggregated and published after one minute.
7. Enter a name for the alert.
8. From the drop-down list, select a severity level.
9. Establish your reset conditions.
   Reset this alert automatically after: Select to reset an alert after a set amount of time has passed. If this interval is less than the amount of time you wait for different escalation levels, the escalation levels that occur after this interval do not fire. This reset condition is especially useful to remove event-based alerts from Active Alerts. For example, if the trigger condition still exists after 48 hours, you can use this to trigger your alert actions again. The alert is reset and triggers as soon as the trigger condition is detected, which is as soon as the objects are polled for this example.
   No reset condition - Trigger this alert each time the trigger condition is met: The alert fires each time the trigger conditions are met. For example, when the alert for node 192.168.4.32 going down fires, a new alert for 192.168.4.32 fires every time the node is down when it is polled.
   No reset action: The alert is active and is never reset. To re-trigger the alert, the alert must be manually cleared from the Active Alerts view.
10. Click Next. The rule summary displays the alert integration actions.
11. Review the rule summary, and then click Save to apply the settings. To edit the rule conditions, click Back.
12. To view your alerts in the SolarWinds Platform Web Console, click Alerts & Activity > Alerts.
13. On the All Alerts screen, click Manage Alerts in the top right.
14. In the search field, enter Log Analyzer.
15. Select an existing alert to edit properties, enable or disable the alert, and assign actions.

You can also integrate alerts when creating a new custom rule and add multiple alert actions to one custom rule.

If you would like to modify the message and trigger actions of an out-of-the-box alert, duplicate the alert, and then edit as needed. If you do not change the trigger condition, disable the out-of-the-box alert to avoid duplicate alert notifications.

To add the log message that triggers the alert, copy the macro below to the alert message definition on the Trigger Actions page.

${N=OLM.AlertingMacros;M=OLMAlertMessage.EventMessage}

To view and access linked alerts, click Trigger SolarWinds Platform Alert in your custom rules list on the Log Processing Configuration page. To view your active alerts in the SolarWinds Platform Web Console, navigate to Alerts and Activity > Alerts. When your alert triggers, it appears in the All Active Alerts page along with all your other SolarWinds Platform alerts. From here, you can acknowledge alerts, view alert details, and clear the triggered instance of an alert.

https://documentation.solarwinds.com/en/success_center/la/content/lm/lm-alerting.htm
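Added example (not SolarWinds code) of the rollup behaviour described in step 6 of the alert integration procedure: the first trigger publishes one alert immediately, and later triggers inside the following minute are held and published as a single alert carrying the trigger count. Trigger timestamps are constructed; the reset conditions from step 9 are not modelled here.

```python
WINDOW = 60.0  # seconds; aggregated triggers are published after one minute

class RuleAlertRollup:
    """Roll up rule triggers: first instance publishes right away, the rest of
    that minute is counted and published once as (time, trigger_count)."""
    def __init__(self):
        self.window_end = None   # end of the open aggregation window, if any
        self.pending = 0         # triggers held back inside the open window
        self.published = []      # list of (publish_time, trigger_count)

    def tick(self, now):
        """Close the window once the minute has elapsed, publishing held triggers."""
        if self.window_end is not None and now >= self.window_end:
            if self.pending:
                self.published.append((self.window_end, self.pending))
            self.window_end, self.pending = None, 0

    def trigger(self, now):
        self.tick(now)
        if self.window_end is None:          # first instance: one alert immediately
            self.published.append((now, 1))
            self.window_end = now + WINDOW
        else:                                 # subsequent trigger: aggregate it
            self.pending += 1

def simulate(trigger_times, end_time):
    """Constructed driver: feed trigger times (seconds) in order, flush at end_time."""
    rollup = RuleAlertRollup()
    for t in trigger_times:
        rollup.trigger(t)
    rollup.tick(end_time)
    return rollup.published
```

With `simulate([0, 5, 10, 30, 59, 70, 200], 300)` a burst of five triggers in the first minute becomes one alert at t=0 and one aggregated alert with count 4 at t=60, while the isolated triggers at 70 and 200 each publish on their own.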
