Submit a ticketCall us

Looking to compare latest NPM features with previous versions of NPM?
The NPM new feature summary offers a comparison of new features and improvements offered with this release.

 

Home > Success Center > Log & Event Manager (LEM) > SolarWinds LEM 6.3 User Guide > Setting up an nDepth appliance

Setting up an nDepth appliance

Created by Caroline Juszczak, last modified by Steve.Hawkins on Sep 12, 2016

Views: 14 Votes: 0 Revisions: 5

The topics in this section are about configuring nDepth to store and access your original log messages:

  • Setting up the nDepth Appliance (if you are using a separate nDepth Appliance to store original log messages).
  • Configuring your network connectors (sensors)??for use with nDepth to store original log messages.

Using a separate nDepth appliance

If needed, you can use a separate nDepth appliance for long-term storage and retrieval of your network's original event log messages. In this configuration, each Manager has its own dedicated nDepth appliance. The appliance stores all of the original log file source data that passes through a particular Manager. The log data is stored in its entirety, in real time, as it originally occurs from each host (network device) and source (application or connector) that is monitored by the Manager.??

Even when you use a separate appliance, you can still access and explore this information from the Console's nDepth view.

The primary advantage of using a separate nDepth appliance is that it provides you with the capacity for long-term storage and retrieval of the original log messages. If long-term storage of this information is a high priority, then you will want to consider a separate appliance; otherwise, a separate appliance is probably unnecessary. If you have questions, contact your SolarWinds sales representative or SolarWinds Technical Support.

Installing a Separate nDepth Appliance

If you would like to use a separate nDepth appliance for long-term storage and retrieval of the original log messages, then you must install that appliance before you begin using nDepth. Contact SolarWinds Technical Support for instructions on installing a separate appliance.

If you are not using a separate appliance, this procedure is not required, because short-term log messages are stored directly on LEM.

Configuring Network Connectors for Use with nDepth

To use nDepth to explore your network's original log messages, you must configure each connector (sensor) for use with nDepth with the console's Connector Configuration form.

First, decide which network devices, applications, and connectors that are monitored by the Manager are to also send their log messages to nDepth. Then configure each of these connectors for use with nDepth. You can choose to route a connector???s log messages to LEM, directly to nDepth, or to both.

SolarWinds recommends that you configure each connector so it routes its log messages to both nDepth and LEM. This allows you to receive events on these connectors, and to search log messages stored on the separate nDepth appliance.

  • How many days of live data will the LEM database store?
  • The number of days' worth of live data that the LEM database will store varies for every implementation. The information below should help you determine this number for your environment, while also promoting a more detailed understanding of how the database works in general.
  • This article contains the following sections.
  • What the LEM Database Stores
  • Where to Find the Numbers

Alternate storage methods

By default, the LEM database is allowed 230 GB of the 250 GB allocated to the LEM virtual appliance. This partition consists of three data stores:

  • Syslog/SNMP data from devices logging to the LEM appliance
  • Normalized Event data
  • Original, or "raw," log data (if enabled).

The Syslog store (the first store)??consists of all Syslog/SNMP log data sent to the LEM appliance. The LEM appliance reads and processes the data in real time, and then sends it to the event store for long-term storage. The LEM appliance stores the original data for 50 days in its original format, just in case you need to review it, and compresses and rotates the data in the Syslog store daily, maintaining a consistent 50 days worth of data. The amount of data stored here should level off at around the 50-day mark.

The Event store (the second store)??consists of all normalized events generated by the LEM manager and LEM Agents. Data in this store is compressed at a ratio of 40:1 to 60:1, which equates to an average compression rate of 95-98%. LEM reports and nDepth query this store for event data whenever they run.

The Original log store (the third store)??is an optional store for original, or "raw," log messages that are searchable using Log Message queries in nDepth. The data in this store can come from LEM agents or other devices logging to the LEM appliance. You can define whether data is sent to this store at the connector level, so not all devices have to log in this manner. For more information, see Configuring Your LEM Appliance for Log Message Storage and nDepth Search in the SolarWinds Success Center.

Where to find the numbers

There are three primary sources for statistics related to how your LEM database is being used:

  • Disk Usage summary in the CMC
  • Database maintenance report
  • Log storage maintenance report

Disk usage summary in the CMC

When you initially log in to your LEM virtual appliance using the vSphere console view or an SSH client such as PuTTY, the LEM appliance automatically generates a Disk Usage summary. You can also generate an ad hoc disk usage summary by running the diskusage command from the cmc::acm# (cmc > appliance) prompt. The two lines to note here are Logs/Data and Logs.

The Logs/Data figure represents the total space being utilized by your LEM database. This value is presented in the percent % (usedG/allocatedG) format, where percent is the percent of the allocated space currently being used and allocated is the total amount of space that is currently allocated to the LEM database.

The Logs figure represents the amount of space used by the syslog store. This figure is included in the used figure noted above. To figure out how much space is currently being utilized by your Event store, subtract the Logs value from the used value. If you are storing original log messages in your LEM database, the calculation above will show you the combined space being utilized by both your Event and original log stores.

Database maintenance report

Run the Database Maintenance Report in LEM reports to view a snapshot of your current database usage. The report includes Disk Usage Summary, Disk Usage Details, Database Time Span (days), and Other Files.

Disk Usage Summary provides disk usage figures as percentages of the space allocated to the LEM database. Disk Usage Details provides the actual amounts related to the percentages in the Disk Usage Summary section. Database Time Span (days) tells you how many days worth of live event data currently stored on your LEM database. For detailed information about this value, see the second page of the Database Maintenance Report. The Other Files figure in the Database Maintenance Report consists primarily of the data in the Syslog store noted above.

Log storage maintenance report

Run the log storage maintenance report in LEM reports to get detailed information about the original log store. If you have not enabled your LEM appliance and connectors to store original log messages, this report will be blank.

Alternate storage methods

Depending on the needs of your environment, you can use one or more of the alternate storage methods listed below. For more details or assistance with any of these methods, please open a ticket with Support.

  • Backup your LEM virtual appliance on a regular basis. This will give you "offline" storage for all of your LEM data stores and configuration settings. For instructions and recommendations, see the Log & Event Manager > Backup section of the SolarWinds Knowledge Base.
  • Decrease the number of days for which Syslog/SNMP data is stored on your LEM virtual appliance.
  • Deploy another LEM virtual appliance to be used as a syslog server.
  • Deploy another LEM virtual appliance to be used as a database server.
  • Increase the space allocated to your LEM virtual appliance.

 

Last modified
13:50, 12 Sep 2016

Tags

Classifications

Public