This video will demonstrate how to use the nDepth Search and Analysis tool in SolarWinds Log & Event Manager (LEM).
The nDepth search utility within the web console gives you the ability to search through millions of logs from various devices and applications in one place. You can search for specific data, or use simple keyword searches and let LEM surface information for you.
So let's get started by walking through the nDepth interface and highlighting its features.
- First off, you will need to log in to your web console, then click on the Explore button in the main navigation bar and select nDepth.
- When entering nDepth for the first time you will be taken to a dashboard where LEM presents about 10 minutes of log data using several different visualizations.
- The search bar is located here at the top left with a small toggle switch that allows you to switch between the drag-n-drop search mode and text search mode.
- Directly below the search bar, LEM organizes data into categories which can be used for further drill-down. Below these categories are menus that can be used with the drag-n-drop interface that I will show in a moment.
- To the far left of the search bar we have a drop-down that allows you to select common time ranges like last day or last week, or you can click the custom range option to create a specific time range for your search. The small blue "play" button is your search button.
- At the bottom of the console, right in the middle, you will see a row of icons. Reading from right to left, the first few offer visualizations of search results. The second-to-last icon on the right displays your search results, and the last icon opens the drag-n-drop search "builder".
- Finally, the far left of the console displays your search history at the top and saved searches at the bottom.
Alright, now that we have the lay of the land, let's jump into a couple of examples of how to search logs. First we will cover how to use the Search Builder to drag and drop our way into a specific search. To open the search builder, go to the bottom of your console and click on the last icon on the right. A conditions box will appear with grouping already in place. LEM uses AND/OR boolean logic, which is embedded on the outside of this group: the thick blue line with a triangle in the middle represents AND. Click it again and it will switch to an orange bar with a half circle representing OR.
NOTE: While I am using the search builder for this example, you will see as I go that the search bar synchronizes with the search builder. You can drag items into either area to create your search.
For our first example we will search for logon failures that have occurred over the last week.
- All of the events are located in the Events menu to the left of the search builder here. Click on the menu and the event taxonomy appears. You can either scroll through the events or just type what you are looking for in the small search bar. In this case I will start typing in logon. As you can see, it immediately narrows the list down to those types of events, and I see the logonfailure event I am looking for.
- Now in this case I want to look for all logon failures, so I will just drag the event into the search builder like so. Also notice that when I clicked on the event, several fields appeared below that I can use for more granularity, like searching for a specific user or IP address.
- My search criteria are set, so I will click on the time drop-down and select "last week" to search the last 7 days of logs, then click the blue search button to begin the search.
- To get the most out of every search, click the Refine Fields area indicated by the blue funnel, then on the bottom click on the Search Results icon to see your logs.
- The Refine Fields area is great for organizing search results in a way that may surface information that prompts further investigation. To continue with the example, let's say I want to see all of the usernames in the logon failure logs to get an idea of what accounts are being used in my network. Expand the User Name category and you can see every account that was involved in a logon attempt. The account that immediately stands out to me is Guest, so I will drill down a bit further. Double-click the username and, as you can see, it gets added to the search bar above. Now I just hit the search button again to view any logon failure events that contain the username Guest. Looks like just one event occurred, and here we can see all of the details.
- If I want to go back and search a different username I can revert back to the original search by using the search history to the left.
The GUI search is great when we need to initiate a specific search; however, there are many situations where all you have is a small piece of information, or you just need a broader scope of data to work with. In the next example I will demonstrate how to generate a search with a keyword.
- In the GUI example above we created a search for a specific event. Now we are going to search for ALL events based on the username Administrator.
- First let's clear the existing search, then switch to text mode by clicking this little toggle switch to open up the text search option.
- Now all we have to do is type in the keyword "administrator", verify the time frame and hit the search button.
- As you can see in the Refine Fields area, every event that contains the word administrator is visible. A couple of events that stand out to me are file deletes and software installs, which, as in the previous example, I can double-click to add to my search and drill down for further details. I can also check out the other bolded categories for more information.
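The two searches above, as an added example that is not from the video or from SolarWinds: a small Python model of nDepth's builder search (AND/OR conditions plus a time range), text-mode keyword search and Refine Fields, run over constructed sample events. The event type names, field names and the NOW timestamp are assumptions, not real LEM output.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events shaped like LEM's normalized records (assumed names, not real LEM output).
NOW = datetime(2024, 1, 8, 12, 0, 0)
EVENTS = [
    {"type": "LogonFailure", "time": NOW - timedelta(days=1), "user": "jsmith", "src_ip": "10.0.0.5"},
    {"type": "LogonFailure", "time": NOW - timedelta(days=2), "user": "jsmith", "src_ip": "10.0.0.5"},
    {"type": "LogonFailure", "time": NOW - timedelta(days=3), "user": "Guest", "src_ip": "10.0.0.9"},
    {"type": "LogonFailure", "time": NOW - timedelta(days=12), "user": "Guest", "src_ip": "10.0.0.9"},
    {"type": "FileDelete", "time": NOW - timedelta(hours=5), "user": "Administrator", "path": "C:\\temp\\old.log"},
    {"type": "SoftwareInstall", "time": NOW - timedelta(hours=2), "user": "Administrator", "product": "ExampleAgent"},
    {"type": "LogonSuccess", "time": NOW - timedelta(hours=1), "user": "jsmith", "src_ip": "10.0.0.5"},
]

def in_window(event, start, end):
    """Time drop-down: keep only events inside the selected range."""
    return start <= event["time"] <= end

def builder_search(events, conditions, start, end, mode="AND"):
    """Search builder: a group of (field, value) conditions joined by AND (blue bar) or OR (orange bar)."""
    join = all if mode == "AND" else any
    return [e for e in events
            if in_window(e, start, end) and join(e.get(f) == v for f, v in conditions)]

def keyword_search(events, word, start, end):
    """Text mode: any event in the window where any field contains the keyword, case-insensitive."""
    w = word.lower()
    return [e for e in events
            if in_window(e, start, end) and any(w in str(v).lower() for v in e.values())]

def refine_fields(results, field):
    """Refine Fields: the distinct values of one field across the results, with counts."""
    return Counter(e[field] for e in results if field in e)

def demo():
    start, end = NOW - timedelta(days=7), NOW           # "last week"
    failures = builder_search(EVENTS, [("type", "LogonFailure")], start, end)
    by_user = refine_fields(failures, "user")           # Guest stands out here
    guest = builder_search(EVENTS, [("type", "LogonFailure"), ("user", "Guest")], start, end)
    admin = keyword_search(EVENTS, "administrator", start, end)   # text-mode search
    return len(failures), dict(by_user), len(guest), dict(refine_fields(admin, "type"))
```

The 12-day-old Guest failure is excluded by the "last week" window, which is why the drill-down returns a single event, just as in the video.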
Once I have completed my search I can export the data into a CSV file by clicking on this gear icon in the right-hand corner of the search results. If I want a more formal ad-hoc report, jump up to the gear icon on the top right and select EXPORT. This option allows me to use some charts and graphs for visualization, then save the data as a PDF report.
Finally, if you want to save the search or schedule it, click the same icon and select Save As to save it to the Saved Searches section on the left. Then select that saved search, click the gear icon above the list and select "Schedule". A box will appear allowing you to schedule a daily, weekly or monthly search where the results will be sent as a CSV attachment up to 10 MB in size.
Visit the Success Center for more information on using Log & Event Manager. https://support.solarwinds.com/Succe..._Manager_(LEM)