
Utilities view in the LEM console

Updated: September 15, 2017

The Utilities view (Explore > Utilities) provides several IT analysis utilities, including Whois, NSLookup, Traceroute, and Flow (sFlow and NetFlow). These utilities are also available from the Explore > nDepth view and the Monitor view.

This topic provides help for the Utilities view in the LEM console. For more information, see Use the explorer utilities in LEM to search or analyze nDepth query results.

 

This screen capture shows the Utilities view in the LEM console:

[Screen capture: utility-view.png]

The following table describes the key features of the Explore > Utilities view.

History pane: Displays a record of your explorer viewing history. Selecting an item in the history list displays the corresponding explorer in the Utilities pane.

Utilities pane: Displays the explorers that are currently open. You can have multiple explorers open at the same time.

Cascade button: Arranges the open explorer windows so they appear in an organized cascade.

Respond: Responds to the event or event field that is the subject of the active explorer. You can also use the Respond menu to take action when no explorer window is open or active.

Explore: Contains options to open the other explorers. You can explore the event message or event field that is the subject of the active explorer, or open a blank explorer and enter the item you want to explore manually.

Explorer windows: The active explorers within the Utilities pane. You can minimize, resize, and close each explorer window as needed.

Minimized explorers: Any explorers that you have minimized appear at the bottom of the Utilities pane as a title bar. Click a title bar to reopen that explorer.

The Event explorer utility

The Event explorer displays all events related to an event that you select in the Monitor view events grid.

You can view events that occurred before, during, and after a selected event to identify the root cause of the event. This approach can help you visualize how an event occurred, as well as the system’s response to that event.

When you explore an event, the console sends a request to the LEM Manager to determine which events are related to it. In response, the Event explorer displays the events that triggered the selected event, as well as the events that resulted from it (such as a response or notification).

The Event explorer includes three sections: Event Details, Event Map, and Event Grid. This example shows an event explorer that provides information about the TCPPortScan event selected in the Monitor events grid.

[Screen capture: lem-ug-event-explorer-screen.png]

Event Details

The Event Details pane provides detailed information about the event you select in the Monitor grid. Information about the event data fields may vary depending on the selected event type. For example, network-oriented events display fields for IP addresses and ports, while account-oriented events display account names and domains.

Click Event Details to open the Event Details window. Click the event information icon [button-alertinfo] to read the event description, and the event details icon [button-alertdetails] to return to the event details. If you need to research this event further, click the add filter icon [button-addfilter] to create a filter that displays this event type in the Monitor view event grid. The filter appears in the Filters pane under the last selected grid. When you complete your event review, click the up and down arrows [button-updown] to move to the previous or next event in the grid.

Event Map

The Event Map displays a graphical view of the event you are exploring, together with the events that triggered it and the events that followed from it. This allows you to move through the entire chain of events and analyze the relationships between them.

Event explorer always places your selected event in the center of the map. Related prior events that triggered your selected event appear to the left. If no prior events exist, a box labeled None appears in the map. Related events that follow the central event appear to the right; these were caused by the central event (such as system responses). If no events follow, a box labeled None appears. If the same event occurs multiple times, the occurrences are grouped in a single box.

Events that appear in the event map can be events, rules, or commands (system responses to an event). Each event type includes an icon that categorizes the event, as shown below.

[icon-alertevent] Audit Event tree event.

[icon-internalcommand] Security Event tree event.

[icon-assetalerts] Asset Event tree event.

[icon-incident2] Incident Event tree event.

[icon-internalalert] Internal Event tree event that is not related to rules or active response activity.

[icon-internalcommand2] An internal command indicating the system is responding to an event.

[icon-rule] Rule activity from a rule in test mode or a rule that initiated an active response.

Event Grid

The event grid lists all events that appear in the event map in chronological order—from the earliest event (top) to the latest event (bottom). The grid is useful for comparing events and exploring event data.

The event grid’s Order column icons indicate when each event occurred, as shown below.

[icon-beforeevent] The event occurred before the central event.

[icon-centralevent] The event occurred during (as part of) the central event.

[icon-afterevent] The event occurred after the central event.

The Whois explorer utility

Whois explorer is a network utility that identifies who an IP address or domain name is registered to, based on the records held by the regional Internet registries and domain registrars. The explorer queries those registries and returns the registration record: the registrant or allocation holder, its contact details, and usually the country of registration. For example, you can use this explorer to identify the organization that registered the address block or domain that caused a rule to fire. Treat the result as a registration record rather than proof of who operates the device: an address block is often allocated to a hosting provider or ISP whose customer is the actual operator, domain registrant details may be hidden behind a privacy or proxy service, and the registered country is not necessarily where the system is physically located.

[Screen capture: whois.jpg]

The example on the left shows the results for an IP address. The example on the right shows the results for the SolarWinds domain name, SolarWinds.com. From these results, you can find out which organization the IP address or domain is registered to and who hosts it.

Opening the Whois explorer adds a Whois explorer icon [icon-whois] to the History pane of the Explore view.
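To make the caveat above concrete, here is an added example (Python written for this page, not code from LEM or its console) that parses two constructed WHOIS responses into the fields an analyst triages on and flags a registrant hidden behind a privacy or proxy service. The sample records, the field-name aliases and the privacy-marker list are constructed for illustration; real registries differ in layout, which is why the parser normalises keys instead of assuming one format.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample records (not output from any real registry). The first is
# laid out like an RIR answer for an IP address, the second like a registrar
# answer for a domain whose registrant is hidden behind a privacy service.
SAMPLE_IP_WHOIS = """\
NetRange:       198.51.100.0 - 198.51.100.255
CIDR:           198.51.100.0/24
NetName:        EXAMPLE-HOSTING-NET
Organization:   Example Hosting LLC (EHL-1)
Country:        US
OrgAbuseEmail:  abuse@example-hosting.invalid
"""

SAMPLE_DOMAIN_WHOIS = """\
Domain Name: EXAMPLE-SHOP.TEST
Registrar: Example Registrar, Inc.
Registrant Organization: REDACTED FOR PRIVACY
Registrant Country: NL
Name Server: NS1.EXAMPLE-DNS.TEST
"""

# Substrings that mark a registrant hiding behind a privacy or proxy service
# (an illustrative list, not an exhaustive one).
PRIVACY_MARKERS = ("redacted", "privacy", "proxy", "whoisguard", "data protected")

# "Key: value" lines. Registries write keys in CamelCase, with spaces, hyphens
# or underscores; the lazy match stops at the first colon so values that
# contain colons (timestamps) survive intact.
KEY_VALUE = re.compile(r"^([A-Za-z][A-Za-z0-9 _/-]*?):\s*(.*)$")


def parse_whois(text: str) -> dict[str, list[str]]:
    """Parse a WHOIS response into normalised key -> [values] pairs.

    Keys are lower-cased with separators collapsed to one space, so
    'Registrant Organization' and 'registrant-organization' land on the same
    key. Comment lines (% or #) and free text without a colon are skipped.
    """
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("%", "#")):
            continue
        match = KEY_VALUE.match(line)
        if not match:
            continue
        key = re.sub(r"[\s_-]+", " ", match.group(1)).strip().lower()
        value = match.group(2).strip()
        if value:
            fields.setdefault(key, []).append(value)
    return fields


@dataclass
class WhoisSummary:
    kind: str                    # "ip", "domain" or "unknown"
    organization: Optional[str]  # registrant or allocation holder, not necessarily the operator
    country: Optional[str]       # country of registration, not necessarily of the host
    net_range: Optional[str]     # CIDR or range for IP records
    abuse_contact: Optional[str]
    privacy_protected: bool      # registrant identity hidden behind a proxy/privacy service


def _first(fields: dict[str, list[str]], *keys: str) -> Optional[str]:
    """First value found for any of the candidate keys, tried in order."""
    for key in keys:
        if key in fields:
            return fields[key][0]
    return None


def summarize_whois(text: str) -> WhoisSummary:
    """Reduce a raw WHOIS answer to the fields an analyst triages on."""
    fields = parse_whois(text)
    net_range = _first(fields, "cidr", "netrange", "inetnum", "inet6num", "route")
    kind = "ip" if net_range else ("domain" if "domain name" in fields else "unknown")
    organization = _first(
        fields, "organization", "orgname", "org name", "org",
        "registrant organization", "registrant name", "descr",
    )
    # Privacy services surface in the registrant fields, so scan all of them.
    registrant_values = [v for k, vs in fields.items() if k.startswith("registrant") for v in vs]
    haystack = " ".join(registrant_values + ([organization] if organization else [])).lower()
    return WhoisSummary(
        kind=kind,
        organization=organization,
        country=_first(fields, "country", "registrant country"),
        net_range=net_range,
        abuse_contact=_first(fields, "orgabuseemail", "abuse mailbox", "registrar abuse contact email"),
        privacy_protected=any(marker in haystack for marker in PRIVACY_MARKERS),
    )


if __name__ == "__main__":
    for sample in (SAMPLE_IP_WHOIS, SAMPLE_DOMAIN_WHOIS):
        print(summarize_whois(sample))
```

The marker scan is a heuristic: a legitimate organisation with "Privacy" in its name would be flagged too, so treat `privacy_protected` as a prompt to look at the abuse contact and hosting provider rather than as a verdict.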

nDepth explorer

nDepth is a search engine that locates event data and the original log messages that pass through a particular LEM Manager. Log data is stored in real time as it arrives from each host (network device) and source (application or tool) that the LEM Manager monitors. You can use nDepth to conduct custom searches, investigate your search results with graphical tools, investigate event data in other explorers, and take action on your findings.

The NSLookup explorer utility

The NSLookup explorer is a network utility that resolves IP addresses to host names and host names to IP addresses. Use this explorer to find the host name that corresponds to the IP address that caused a rule to fire, or the addresses behind a host name. For example, you can resolve yourcompany.com to an IP address. Note that a reverse (PTR) lookup is answered by whoever controls the reverse DNS zone for that address block, so the returned name is only trustworthy if a forward lookup of that name resolves back to the same address.

[Screen capture: nslookup.png]

In this example, NSLookup explorer is looking up the IP address 192.168.168.10. The explorer retrieved the corresponding host name, grendel.corp.trigeo.com.

Opening the NSLookup explorer adds an NSLookup explorer icon [icon-nslookup] to the History pane in the Explore view.
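The forward-confirmation check described above, as an added example in Python written for this page (LEM's NSLookup explorer does not expose this logic). The PTR and A tables, host names and outside addresses are constructed stand-ins for the resolver so the example runs offline; the page's own example address 192.168.168.10 is reused with a constructed host name.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed DNS data (not from a live query). A real check would ask the
# resolver; the tables are embedded so the example runs offline.
PTR_RECORDS = {
    "192.168.168.10": "ws-010.corp.example.test",    # PTR and A record agree
    "203.0.113.7": "mail.example-corp.test",         # PTR names a host whose A record differs
    "203.0.113.9": "static-203-0-113-9.isp.test",    # generic ISP-assigned name
}
A_RECORDS = {
    "ws-010.corp.example.test": ["192.168.168.10"],
    "mail.example-corp.test": ["198.51.100.25"],
    "static-203-0-113-9.isp.test": ["203.0.113.9"],
}

# RFC 1918 space: a lookup on these addresses only means something inside your own network.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def reverse_lookup(ip: str) -> Optional[str]:
    """PTR lookup against the constructed table (stand-in for the resolver)."""
    return PTR_RECORDS.get(ip)


def forward_lookup(name: str) -> list[str]:
    """A-record lookup against the constructed table (stand-in for the resolver)."""
    return A_RECORDS.get(name.rstrip(".").lower(), [])


@dataclass
class ReverseDnsResult:
    ip: str
    rfc1918: bool                 # private address: resolve it against your own DNS, not the Internet's
    ptr_name: Optional[str]
    forward_addresses: list[str] = field(default_factory=list)
    confirmed: bool = False       # forward lookup of the PTR name includes the original address
    generic_name: bool = False    # PTR is built from the address itself and names no operator
    verdict: str = ""


def _looks_generic(ip: str, name: str) -> bool:
    """True when the host name embeds the address's own octets (ISP boilerplate names)."""
    octets = ip.split(".")
    patterns = ("-".join(octets), ".".join(octets), "-".join(reversed(octets)))
    return any(p in name for p in patterns)


def check_reverse_dns(ip: str) -> ReverseDnsResult:
    """Forward-confirmed reverse DNS: ip -> PTR name -> A records must contain ip.

    Whoever controls the address block's reverse zone can put any name in the
    PTR record, so the name alone proves nothing about the host. Raises
    ValueError when the input is not an IP address.
    """
    addr = ipaddress.ip_address(ip)  # ValueError on malformed input
    ip = str(addr)
    rfc1918 = any(addr in net for net in RFC1918)
    ptr = reverse_lookup(ip)
    if ptr is None:
        return ReverseDnsResult(ip, rfc1918, None, verdict="no PTR record")
    forward = forward_lookup(ptr)
    confirmed = ip in forward
    generic = _looks_generic(ip, ptr.lower())
    if not confirmed:
        verdict = "mismatch: PTR name does not resolve back to this address"
    elif generic:
        verdict = "confirmed, but the name is ISP-generic and identifies no operator"
    else:
        verdict = "confirmed"
    return ReverseDnsResult(ip, rfc1918, ptr, forward, confirmed, generic, verdict)


if __name__ == "__main__":
    for sample in ("192.168.168.10", "203.0.113.7", "203.0.113.9", "203.0.113.200"):
        result = check_reverse_dns(sample)
        print(f"{result.ip:16} {result.ptr_name or '-':32} {result.verdict}")
```

To run this against real DNS, replace `reverse_lookup` and `forward_lookup` with calls to your resolver; the classification logic does not change. A mismatch does not by itself mean the address is hostile, but it does mean the PTR name should not be used to identify the host in an incident record.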

The Traceroute explorer utility

Traceroute explorer is a network utility that traces the network links (hops) from your host computer to a specific destination. Use this explorer to determine the network path between yourself and the IP address that caused a rule to fire. Routers and firewalls that do not return ICMP time-exceeded messages show up as unanswered hops, so a missing hop does not by itself mean the path is broken.

[Screen capture: traceroute.png]

In this example, Traceroute explorer is tracing IP address 192.168.167.1. The interface displays the hops between your computer and the destination IP address. In this example, connecting to the IP address required two hops.

Opening the Traceroute explorer adds a Traceroute explorer icon [icon-traceroute] to the History pane of the Explore view.

The Flow explorer utility

Flow explorer performs flow analysis to determine which IP addresses or ports are generating or receiving the most network traffic. Use this explorer to analyze the volume of data (in bytes or packets) transferring to or from an IP address or port number on your network.

For example, if an unknown IP address appears at the top of the Flow explorer's activity list, select a bar on the graph or a row in the table and choose the Whois explorer from the Explore menu to find out who the address is registered to, as a first step toward determining why it is transmitting so much data.

For more information, see Collect and view NetFlow and sFlow data in LEM.
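An added example (Python written for this page, not code from LEM) of the aggregation the Flow explorer performs: ranking addresses and ports by bytes or packets over a constructed set of flow records, and pulling out the outside address that would sit at the top of the activity list and be handed to the Whois explorer next. The flow records, addresses and port numbers are constructed for illustration.

```python
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

# RFC 1918 space, used to separate your own hosts from outside addresses.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class FlowRecord:
    """One flow record, reduced to the fields NetFlow and sFlow both carry in some form."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    packets: int
    bytes: int


# Constructed records (not exported by any real device): a small 10.1.1.0/24
# segment talking to two outside addresses, one of which is receiving an
# unusually large upload on an unusual port.
FLOWS = [
    FlowRecord("10.1.1.20", "203.0.113.50", 51234, 443, "tcp", 400, 320_000),
    FlowRecord("10.1.1.21", "10.1.1.5", 49000, 53, "udp", 10, 1_200),
    FlowRecord("10.1.1.20", "198.51.100.9", 51240, 4444, "tcp", 9_000, 12_500_000),
    FlowRecord("10.1.1.22", "10.1.1.5", 49100, 53, "udp", 12, 1_500),
    FlowRecord("10.1.1.23", "203.0.113.50", 51300, 443, "tcp", 300, 250_000),
    FlowRecord("198.51.100.9", "10.1.1.20", 4444, 51240, "tcp", 8_500, 600_000),
]


def is_internal(ip: str) -> bool:
    """True for RFC 1918 addresses, i.e. hosts on your own network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def top_talkers(flows, by: str = "src_ip", measure: str = "bytes", n: int = 5) -> list[tuple]:
    """Rank values of one flow field (src_ip, dst_ip, src_port, dst_port) by bytes or packets."""
    totals: Counter = Counter()
    for flow in flows:
        totals[getattr(flow, by)] += getattr(flow, measure)
    return totals.most_common(n)


def address_volume(flows, ip: str) -> dict[str, int]:
    """Bytes and packets sent and received by one address."""
    out = {"bytes_sent": 0, "bytes_received": 0, "packets_sent": 0, "packets_received": 0}
    for flow in flows:
        if flow.src_ip == ip:
            out["bytes_sent"] += flow.bytes
            out["packets_sent"] += flow.packets
        if flow.dst_ip == ip:
            out["bytes_received"] += flow.bytes
            out["packets_received"] += flow.packets
    return out


def peers(flows, ip: str) -> list[tuple[str, int]]:
    """Who an address exchanged traffic with, ranked by total bytes in either direction."""
    totals: Counter = Counter()
    for flow in flows:
        if flow.src_ip == ip:
            totals[flow.dst_ip] += flow.bytes
        elif flow.dst_ip == ip:
            totals[flow.src_ip] += flow.bytes
    return totals.most_common()


def top_external(flows, n: int = 5) -> list[tuple[str, int]]:
    """Outside addresses ranked by total bytes in either direction.

    An unfamiliar address at the top of this list is the one to look up next
    (Whois for the registrant, NSLookup for a forward-confirmed host name).
    """
    totals: Counter = Counter()
    for flow in flows:
        for ip in (flow.src_ip, flow.dst_ip):
            if not is_internal(ip):
                totals[ip] += flow.bytes
    return totals.most_common(n)


if __name__ == "__main__":
    print("top sources by bytes:", top_talkers(FLOWS, "src_ip", "bytes", 3))
    print("top destination ports by bytes:", top_talkers(FLOWS, "dst_port", "bytes", 3))
    print("top external addresses:", top_external(FLOWS))
    print("10.1.1.20 volume:", address_volume(FLOWS, "10.1.1.20"))
    print("10.1.1.20 peers:", peers(FLOWS, "10.1.1.20"))
```

Ranking by packets as well as bytes matters: a scan or beaconing channel can top the packet list while barely registering in bytes, which is why the Flow explorer lets you switch between the two measures.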

Execute a Whois, NSLookup, or Traceroute task from an event or search result

  1. Locate and select the event or search result you want to explore.

  2. Click Explore and select an option in the drop-down menu.

Execute a blank Whois, NSLookup, or Traceroute task

  1. Click the Explore tab and select Utilities.

  2. Click Explore on the Utilities title bar and select a utility.

  3. Complete the form for the utility, and click Search.

Display flow data

LEM supports flow exports from both NetFlow and sFlow devices. Use the Flow Explorer in the LEM console to view graphs, charts, and grids.

See Collect and view NetFlow and sFlow data in LEM to enable flow collection and analysis on the LEM appliance.
