Documentation forLog Analyzer
Analyzing logs is a key capability of SolarWinds Observability Self-Hosted (formerly Hybrid Cloud Observability) and is available in the Essentials edition. Log Analyzer (LA) is also available in a standalone module.

Required privileges and permissions in LA

To monitor logs in LA, your credentials must have the correct permissions for any file or service you wish to monitor. In general, LA will be able to monitor files and services that match the permission level of your credential.

See the following sections for basic minimum permissions required for LA for monitoring WindowsEvents, LogFiles, traps, syslogs, and rule actions.

Required privileges and permissions for monitoring WindowsEvents

Return to top

System

  • SolarWinds.Orion.LogMgmt.Agent.Plugin must:
    • Have write access to C:\ProgramData\SolarWinds\Logs_Agent\LogManager to write logs.
    • Run under an account with administrative rights to access all Windows events.
  • AMS communication must be established between the Agent and Orion.

Orion

  • Must have an LA license.
  • Nodes must be added via the agent polling method.
  • Log monitoring must be enabled.

Required privileges and permissions for monitoring LogFiles

Return to top

System

  • Windows

    • SolarWinds.Orion.LogMgmt.LogFiles.Agent.Plugin must have:
      • Read access to files and directories being monitored.
      • Write access to C:\ProgramData\SolarWinds\Logs_Agent\LogManager to write logs.
      • Write access to C:\ProgramData\SolarWinds\Agent\LogManager.LogFiles to create statefulStorage.json and save reading status.
    • AMS communication must be established between the Agent and Orion.
  • Linux

    • SolarWinds.Agent.LA.Plugin must have:
      • Read access to files and directories being monitored.
      • Write access to /opt/SolarWinds/Agent/bin/appdata/Logs to write logs.
      • Write access to /opt/SolarWinds/Agent/bin/appdata/LogManager.LogFiles/ to create statefulStorage.json and save reading status.
      • The ability to obtain the current RLIMIT_NOFILE value.
      • Kernel RLIMIT_NOFILE set appropriately so files can be read within a reasonable time frame.
    • AMS communication must be established between the Agent and Orion.

Orion

  • Must have an LA license.
  • Nodes must be added via the agent polling method.
  • Log monitoring must be enabled.
  • A profile must be created.

Required privileges and permissions for monitoring rule actions

Return to top

Forward syslogs

  • SolarWinds.Orion.LogMgmt.SyslogService.exe needs:
    • To be allowed for outgoing traffic on all UDP ports (the service chooses from available ports) to forward syslogs via UDP.
    • To be allowed for outgoing traffic on all TCP ports (the service chooses from available ports) to forward syslogs via TCP or TCP over TLS.

Forward traps

  • SolarWinds.Orion.LogMgmt.TrapService.exe needs to be allowed for outgoing traffic on all UDP ports (the service chooses from available ports) to forward traps.

Run external programs

  • A selected account needs to have enough privileges to execute the custom script or program.

Required privileges and permissions for monitoring traps and syslogs

Return to top

System

  • Traps

  • SolarWinds.Orion.LogMgmt.TrapService.exe needs to be allowed for incoming traffic on UDP port specified in the TrapUdpListenPort advanced configuration setting (default is 162) to receive traps.
  • Syslogs

    • SolarWinds.Orion.LogMgmt.SyslogService.exe needs:
      • To be allowed for incoming traffic on UDP port specified in the SyslogUdpListenPort advanced configuration setting (default is 514) to receive syslogs via UDP.
      • To be allowed for incoming traffic on TCP port specified in the SyslogTcpListenPort advanced configuration setting (default is 1468) to receive syslogs via TCP.
      • To be allowed for incoming traffic on TCP port specified in the SyslogTcpSecureListenPort advanced configuration setting (default is 6514) to receive secure syslogs via TCP.

Orion

  • Must have either an LA license or OLV through NCM, NPM, SAM, UDT, or VMAN licenses.
  • Log monitoring must be enabled to the default state after adding a node.
  • Node must be added via SNMP v3 method with correct credentials to receive SNMPv3 traps.

Required privileges and permissions for monitoring legacy traps, syslogs, and rule actions

Return to top

Traps

  • SWTrapService.exe needs to be allowed for incoming traffic on UDP port 162 to receive traps.

Syslogs

  • SyslogService.exe needs
    • To be allowed for incoming traffic on UDP port specified in the 'UDPListenPort' advanced configuration setting (default is 514) to receive syslogs via UDP.
    • To be allowed for incoming traffic on TCP port specified in the 'TCPListenPort' advanced configuration setting (default is 1468) to receive syslogs via TCP.

Rule actions

  • SyslogService.exe needs to be allowed for outgoing traffic on all UDP ports (the service chooses from available ports) to forward syslogs.
  • SWTrapService.exe needs to be allowed for outgoing traffic on UDP port 300 to forward traps.