How-To Use Log & Event Manager to Troubleshoot Network Issues - Video

Overview

This video will show you how to use LEM to troubleshoot network issues.

Environment

  • Log & Event Manager

Video Transcription

Log & Event Manager can be an effective troubleshooting tool when you need to investigate network issues. Real-time and forensic views of traffic logs and change activity can help you quickly resolve issues and determine root cause.

Let's get started!

  1. Log & Event Manager provides two areas in the web console that can aid in troubleshooting. This example will demonstrate how to begin with real-time analysis in the Monitor section and then move to historical analysis using nDepth.
  2. Within the Monitor section you will see a number of filters located here on the left that are broken down into categories to better organize logs as they are collected. Many of these filters are focused specifically on network traffic. You can view FTP, SNMP, SMTP or see all network traffic. Clicking on a filter will display the specific logs and show you which devices are forwarding the events. If you click on a specific event you can drill down into the details, like you see here in this TCP traffic event that displays the source and destination IP address, ports, protocol and interface along with any event message contained in the log. The log data is normalized into the fields seen here, which can be used to create additional filters that focus on specific details.
  3. Let's start by using LEM to troubleshoot network traffic by viewing traffic logs from a specific source to a specific destination. This is helpful in determining whether the traffic is being denied or allowed depending on your use case.
  4. First click the plus sign (plus) above the filters list to open the interface and create a new filter.
  5. The Conditions box in the center is where you define the filter criteria and configure in-console notifications. The left side of the interface contains all of the details you can use to define your filter broken down into sections.
  6. To look at a specific protocol you can use the Events section. Simply type in TCP, UDP or other protocol names to quickly locate what you need. For example, typing in "TCP" will list all of the events that contain that entry. Clicking on a specific event name will display a list of fields below.
  7. For this example however, let's look at ALL network traffic from one IP address to another using Event Groups.
  8. In the Event Groups section Log & Event Manager provides several built-in groups; however, you can also build your own. For the purpose of this example I will click on "Network Audit Events" as it will include all network protocols.
  9. Once selected, drag any of the fields you need from the list into the Conditions box. For this example, drag the SourceMachine and DestinationMachine fields. Make sure both fields populate a single group.
  10. Now type in the IP addresses or hostnames you wish to investigate. You can also use wildcards to indicate subnets or add the source and destination port fields from the list to focus on traffic using a specific port number.
  11. Log & Event Manager uses Boolean AND/OR logic, which is indicated here on the outside of the group. A blue line with a triangle indicates an AND operator, while an orange line with a half circle indicates an OR. The small plus sign (plus) in the right-hand corner allows you to create additional groups to further define your filter.
  12. So now, you have a filter that will display all network traffic with a specific source and destination.
  13. The Filter Status icon will alert you to problems with your filter.
  14. Now name the filter, then click "Save." If there is any traffic that meets the criteria of the filter you will immediately see the event data. To see more details, click on an individual event.

If you need to continue your investigation into historical data you can use the same filter to initiate a search.

  1. Start a search directly from within an event by clicking on a field. Once you select the field you want to search, click on the small "Explore" button on the right and select "nDepth."
  2. Once selected, Log & Event Manager will perform a 10-minute search.
  3. You can then change the timeframe using the drop-down or review the results under the Refine Fields section directly below the search bar. The Refine Fields section will display a summary of any event that contains your search information and include additional data that may help in your investigation. The actual log data can be viewed by clicking the results icon located here at the bottom of your console.
  4. You can also generate a search using the filter itself.
  5. Click on the "Monitor" section then select the filter you just created for troubleshooting network traffic.
  6. Now click on the GEAR (plus) sign at the top of your Filter list and select "Send to nDepth".
  7. Now you will be taken to the nDepth search interface, where a 10-minute search will occur based on the logic you configured within the filter.
  8. Double-click on anything within the refine fields area then click the "Search" button again to drill down further into the logs.
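The two procedures above (building a Monitor filter from normalized fields with AND/OR groups and wildcards, then sending that filter to nDepth for a 10-minute historical search, summarizing the Refine Fields and drilling down) can be modelled in a few dozen lines. The following is an added example written for this page, not SolarWinds code and not how the LEM appliance is implemented internally: the field names follow the ones the transcript mentions (SourceMachine, DestinationMachine, DestinationPort, Protocol), while the DetectionTime and Action fields, the IP addresses and the events themselves are constructed for the example.

```python
"""Added example (not SolarWinds code): a minimal model of LEM-style filter
groups and the nDepth search flow, run over constructed sample events."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Constructed sample of normalized traffic events. The field names come from
# the transcript; the values, DetectionTime and Action are invented here.
SAMPLE_EVENTS = [
    {"EventName": "TCPTrafficAudit", "DetectionTime": "2016-08-18T14:00:05",
     "SourceMachine": "10.1.1.25", "DestinationMachine": "10.2.2.10",
     "DestinationPort": 443, "Protocol": "TCP", "Action": "allow"},
    {"EventName": "UDPTrafficAudit", "DetectionTime": "2016-08-18T14:03:40",
     "SourceMachine": "10.1.1.25", "DestinationMachine": "10.2.2.53",
     "DestinationPort": 53, "Protocol": "UDP", "Action": "allow"},
    {"EventName": "TCPTrafficAudit", "DetectionTime": "2016-08-18T14:05:12",
     "SourceMachine": "10.1.1.25", "DestinationMachine": "10.2.2.10",
     "DestinationPort": 22, "Protocol": "TCP", "Action": "deny"},
    {"EventName": "TCPTrafficAudit", "DetectionTime": "2016-08-18T14:08:00",
     "SourceMachine": "10.1.1.77", "DestinationMachine": "10.2.2.10",
     "DestinationPort": 443, "Protocol": "TCP", "Action": "allow"},
    {"EventName": "TCPTrafficAudit", "DetectionTime": "2016-08-18T13:40:00",
     "SourceMachine": "10.1.1.25", "DestinationMachine": "10.2.2.10",
     "DestinationPort": 443, "Protocol": "TCP", "Action": "deny"},
]


@dataclass
class Condition:
    """One field dragged into the Conditions box; '*' acts as a wildcard,
    so "10.2.2.*" covers a subnet the way the transcript describes."""
    name: str
    pattern: str

    def matches(self, event: dict) -> bool:
        value = event.get(self.name)
        return value is not None and fnmatchcase(str(value), self.pattern)


@dataclass
class Group:
    """A condition group joined by AND (blue line) or OR (orange line).
    Members may be Conditions or nested Groups (the small plus sign)."""
    operator: str
    members: list = field(default_factory=list)

    def matches(self, event: dict) -> bool:
        if self.operator == "AND":
            return all(m.matches(event) for m in self.members)
        if self.operator == "OR":
            return any(m.matches(event) for m in self.members)
        raise ValueError(f"unknown operator {self.operator!r}")


def apply_filter(group: Group, events: list) -> list:
    """Monitor view: every event that satisfies the filter, regardless of age."""
    return [e for e in events if group.matches(e)]


def ndepth_search(group: Group, events: list, end_time: str, minutes: int = 10) -> list:
    """Send to nDepth: the same filter logic limited to the last N minutes."""
    end = datetime.fromisoformat(end_time)
    start = end - timedelta(minutes=minutes)
    return [e for e in apply_filter(group, events)
            if start <= datetime.fromisoformat(e["DetectionTime"]) <= end]


def refine_fields(events: list, names: list) -> dict:
    """Refine Fields summary: how often each value of each field appears."""
    return {n: dict(Counter(str(e.get(n)) for e in events)) for n in names}


def drill_down(group: Group, name: str, value: str) -> Group:
    """Double-clicking a Refine Fields value: AND the filter with that value."""
    return Group("AND", [group, Condition(name, value)])


# The troubleshooting filter from the transcript: one source, one destination
# subnet, plus an OR sub-group restricting the destination ports of interest.
TRAFFIC_FILTER = Group("AND", [
    Condition("SourceMachine", "10.1.1.25"),
    Condition("DestinationMachine", "10.2.2.*"),
    Group("OR", [Condition("DestinationPort", "443"),
                 Condition("DestinationPort", "22")]),
])

if __name__ == "__main__":
    now = "2016-08-18T14:10:00"  # constructed "current" time for the search
    print(len(apply_filter(TRAFFIC_FILTER, SAMPLE_EVENTS)), "events in Monitor")
    recent = ndepth_search(TRAFFIC_FILTER, SAMPLE_EVENTS, now)
    print(refine_fields(recent, ["Protocol", "Action"]))
    denied = ndepth_search(drill_down(TRAFFIC_FILTER, "Action", "deny"), SAMPLE_EVENTS, now)
    print("denied in last 10 min:", [e["DestinationPort"] for e in denied])
```

With the constructed data, the Monitor filter matches three events (the UDP/53 event fails the port sub-group and the 10.1.1.77 event fails the source condition), the 10-minute nDepth window drops the 13:40 event, and drilling down on Action = deny leaves the single denied SSH attempt on port 22, which is the kind of answer the transcript's "is the traffic being denied or allowed" question is after.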

Visit the Success Center for more information on using Log & Event Manager. https://support.solarwinds.com/Succe..._Manager_(LEM)


Last modified
14:25, 18 Aug 2016