Required privileges and permissions in LA
To monitor logs in LA, your credentials must have the correct permissions for any file or service you wish to monitor. In general, LA will be able to monitor files and services that match the permission level of your credential.
See the following sections for basic minimum permissions required for LA for monitoring WindowsEvents, LogFiles, traps, syslogs, and rule actions.
Required privileges and permissions for monitoring WindowsEvents
System
- SolarWinds.Orion.LogMgmt.Agent.Plugin must:
  - Have write access to C:\ProgramData\SolarWinds\Logs_Agent\LogManager to write logs.
  - Run under an account with administrative rights to access all Windows events.
- AMS communication must be established between the Agent and Orion.
Orion
- Must have an LA license.
- Nodes must be added via the agent polling method.
- Log monitoring must be enabled.
Required privileges and permissions for monitoring LogFiles
System
- Windows
  - SolarWinds.Orion.LogMgmt.LogFiles.Agent.Plugin must have:
    - Read access to files and directories being monitored.
    - Write access to C:\ProgramData\SolarWinds\Logs_Agent\LogManager to write logs.
    - Write access to C:\ProgramData\SolarWinds\Agent\LogManager.LogFiles to create statefulStorage.json and save reading status.
  - AMS communication must be established between the Agent and Orion.
- Linux
  - SolarWinds.Agent.LA.Plugin must have:
    - Read access to files and directories being monitored.
    - Write access to /opt/SolarWinds/Agent/bin/appdata/Logs to write logs.
    - Write access to /opt/SolarWinds/Agent/bin/appdata/LogManager.LogFiles/ to create statefulStorage.json and save reading status.
    - The ability to obtain the current RLIMIT_NOFILE value.
    - Kernel RLIMIT_NOFILE set appropriately so files can be read within a reasonable time frame.
  - AMS communication must be established between the Agent and Orion.
Orion
- Must have an LA license.
- Nodes must be added via the agent polling method.
- Log monitoring must be enabled.
- A profile must be created.
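As an added example (not SolarWinds code), the following shell script checks the Linux prerequisites listed above: read access to the monitored files, write access to the two agent directories, and the current RLIMIT_NOFILE soft limit. The function names, the LA_* variables and the 64-descriptor headroom are assumptions of this example; the two directory paths are the ones given on this page.

```sh
#!/bin/sh
# Added example: preflight check for the Linux log-file monitoring prerequisites.
# Run it as the account the agent runs under; root passes access tests trivially.
# Defaults are the directories named on this page; the variables are overridable.
LA_LOG_DIR="${LA_LOG_DIR:-/opt/SolarWinds/Agent/bin/appdata/Logs}"
LA_STATE_DIR="${LA_STATE_DIR:-/opt/SolarWinds/Agent/bin/appdata/LogManager.LogFiles}"
# Assumption (not from the page): spare descriptors wanted beyond the monitored files.
LA_FD_HEADROOM="${LA_FD_HEADROOM:-64}"

# Report every monitored path the current account cannot read.
check_readable() {
    rd_rc=0
    for rd_path in "$@"; do
        [ -r "$rd_path" ] || { echo "no read access: $rd_path"; rd_rc=1; }
    done
    return "$rd_rc"
}

# A directory the plugin writes into must exist and be writable and searchable.
check_writable_dir() {
    if [ -d "$1" ] && [ -w "$1" ] && [ -x "$1" ]; then
        return 0
    fi
    echo "no write access: $1"
    return 1
}

# Compare the soft RLIMIT_NOFILE with the number of monitored files plus headroom.
check_nofile() {
    nf_soft=$(ulimit -n)
    nf_need=$(( $1 + $LA_FD_HEADROOM ))
    if [ "$nf_soft" = "unlimited" ] || [ "$nf_soft" -ge "$nf_need" ]; then
        return 0
    fi
    echo "RLIMIT_NOFILE soft limit $nf_soft is below $nf_need"
    return 1
}

# Run all checks for the given monitored files; non-zero exit if any fails.
la_preflight() {
    pf_rc=0
    check_readable "$@" || pf_rc=1
    check_writable_dir "$LA_LOG_DIR" || pf_rc=1
    check_writable_dir "$LA_STATE_DIR" || pf_rc=1
    check_nofile "$#" || pf_rc=1
    return "$pf_rc"
}

# Usage: sh la_preflight.sh /var/log/app/one.log /var/log/app/two.log
if [ "$#" -gt 0 ]; then la_preflight "$@"; fi
```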
Required privileges and permissions for monitoring rule actions
Forward syslogs
- SolarWinds.Orion.LogMgmt.SyslogService.exe needs:
  - To be allowed for outgoing traffic on all UDP ports (the service chooses from available ports) to forward syslogs via UDP.
  - To be allowed for outgoing traffic on all TCP ports (the service chooses from available ports) to forward syslogs via TCP or TCP over TLS.
Forward traps
- SolarWinds.Orion.LogMgmt.TrapService.exe needs to be allowed for outgoing traffic on all UDP ports (the service chooses from available ports) to forward traps.
Run external programs
- A selected account needs to have enough privileges to execute the custom script or program.
Required privileges and permissions for monitoring traps and syslogs
System
- Traps
  - SolarWinds.Orion.LogMgmt.TrapService.exe needs to be allowed for incoming traffic on the UDP port specified in the TrapUdpListenPort advanced configuration setting (default is 162) to receive traps.
- Syslogs
  - SolarWinds.Orion.LogMgmt.SyslogService.exe needs:
    - To be allowed for incoming traffic on the UDP port specified in the SyslogUdpListenPort advanced configuration setting (default is 514) to receive syslogs via UDP.
    - To be allowed for incoming traffic on the TCP port specified in the SyslogTcpListenPort advanced configuration setting (default is 1468) to receive syslogs via TCP.
    - To be allowed for incoming traffic on the TCP port specified in the SyslogTcpSecureListenPort advanced configuration setting (default is 6514) to receive secure syslogs via TCP.
Orion
- Must have either an LA license or OLV through NCM, NPM, SAM, UDT, or VMAN licenses.
- Log monitoring must be enabled to the default state after adding a node.
- Node must be added via SNMP v3 method with correct credentials to receive SNMPv3 traps.
Required privileges and permissions for monitoring legacy traps, syslogs, and rule actions
Traps
- SWTrapService.exe needs to be allowed for incoming traffic on UDP port 162 to receive traps.
Syslogs
- SyslogService.exe needs:
  - To be allowed for incoming traffic on the UDP port specified in the 'UDPListenPort' advanced configuration setting (default is 514) to receive syslogs via UDP.
  - To be allowed for incoming traffic on the TCP port specified in the 'TCPListenPort' advanced configuration setting (default is 1468) to receive syslogs via TCP.
Rule actions
- SyslogService.exe needs to be allowed for outgoing traffic on all UDP ports (the service chooses from available ports) to forward syslogs.
- SWTrapService.exe needs to be allowed for outgoing traffic on UDP port 300 to forward traps.