Documentation forLog Analyzer

LA 2.0 Release Notes

Release date: March 12, 2019

These release notes describe the features in Log Analyzer (LA), formerly Log Manager for Orion, 2.0. They also provide information about upgrades and describe workarounds for known issues.

New features and improvements in LA

LA is a fully-integrated log management solution that is accessible through your Orion Web Console. Upon installation, you can instantly view live event messages from nodes currently integrated with the Orion Platform, and quickly map unknown devices through the Node Management feature. Key benefits include live event filtering to target, identify, and alert on current network issues, and seamless transitions between critical event messages and associated Orion Platform products for on-the-spot troubleshooting and issue resolution.

LA 2.0 is an Orion Platform product, and runs on Orion Platform 2018.4.

New in LA 2.0

Monitor Windows event logs

Starting with LA 2.0, you can stream, monitor, and alert on Windows event logs. From the LA Log Viewer, you can filter Windows events, enable out-of-the-box rules for events, and create custom rules tailored for specific Windows event activity.

Log forwarding

On the Log Processing Configuration page, create custom rules to forward your syslog and trap log messages to a dedicated server. This feature allows you to forward log data to third-party systems and other SIEM tools.

Filter and export search results

Filter and export your search results to a CSV file from the LA Log Viewer. Use CSV files to attach search results to a help ticket, share with members of your team, archive data for historical reference, and more.

Reorder custom rules

On the Log Processing Configuration page, you can change the processing order for each of your custom rules.

Additional LA features

Free poller support and Centralized Upgrades

Starting with LA 1.1.1, LA includes free poller support and Centralized Upgrades. Learn more about free poller engines here, and Centralized Upgrades here.

Orion alert integration

On the Log Processing Configuration page, you can integrate alert actions into your custom rules, or create new rules and apply alert actions. You can configure your rule to send an event to the Orion Platform alerting engine when the rule criteria are met, and also create a new alert that fires each time a rule is triggered.

For more information about Orion Platform alerting, see Create and manage alerts in the online LA Administrator Guide. To create a new rule in LA, see Create custom log-processing rules.

Filter on log tags

In the LA Log Viewer Filters pane, you can filter on your pre-defined and custom color-coded log tags as the tagged events stream into the viewer. To filter event logs based on a specific tag, click to expand the Tags group in the Filters pane, and then select one or more tag check boxes.

Filter and analyze event logs

In the LA Filters pane, select one or more filters to refine your event log stream to display messages based on event type, node, IP address, vendor, and more.

To drill down into a log summary for a specific node, click a node link in the Log Viewer table, and then click Analyze Logs in the Node Details Management pane.

Search and filter historical event logs

LA includes an advanced search capability to access your aggregated event logs based on applied filters and a specified range of time. To set your search parameters, select your log filters, and then on the histogram chart, open the custom time picker to set your time frame.

Filter and view event logs in live mode

Switch the Log Viewer to live mode to view events as they occur in your environment. This is particularly useful when troubleshooting active network problems. You can apply "live" filters to target and identify issues using the Filters pane and keyword search, and then observe the histogram chart to note any spikes in activity or log anomalies.

Create custom log-processing rules

On the Log Processing Configuration page, you can create custom rules to complement the standard, out-of-the-box LA rule sets. You can define rule conditions to identify a specific log entry, and then establish subsequent actions, such as adding event tags, executing commands, and discarding log entries.

Apply tags to event logs

Apply pre-defined and custom log tags to quickly identify specific log activity. For example, if you are interested in a certain event ID or keyword, you can configure your rule to display a color-coded tag notification on event logs matching the defined criteria. You can also apply multiple tags to a single log event ID or keyword.

Disable and enable log-processing rules

The Log Processing Configuration page includes out-of-the-box rules that provide a visual identifier for common event groups. These pre-defined log tags are enabled by default and allow you to quickly identify specific event activity in your Log Viewer table.

Monitor Orion Platform nodes in LA

Monitor any networked Orion Platform node in the LA Log Viewer with your LA license plan. In the Orion Web Console, check for available licenses by navigating to Settings > All Settings, and then clicking License Details in the Details pane. The License Details page lists all licensed Orion Platform products, including the total number of LA licenses, and the number of nodes currently consuming a license. For more licensing information, see the LA Installation Guide.

To adjust your LA node settings, edit the node properties, and then select one of the LA monitoring options. For more information, see the LA Getting Started Guide.

Add unknown nodes to the Orion Platform

In the Orion Platform, messages received from an unknown network node are discarded until you add the device through Node Management. When log activity is observed from an unknown device, you will receive a notification in the Orion Web Console linking you to the Events page, where you can add the node as a managed device.

Manually migrate existing NCM Real-Time Change Notification rules

You can apply existing NCM Real-Time Change Notification (RTCN) rules to your current LA log-processing rule set. When LA detects NCM RTCN rules, you will receive a notification in the Orion Web Console, which means you can then access and enable the rules through the LA Log Processing Configuration page. See the NCM RTCN article in the SolarWinds Customer Success Center for more information.

Drop unwanted event logs

Streamline your Log Viewer table by selecting and dropping unwanted event logs that clutter your log feed and occupy valuable database space. You can establish rule parameters that will discard all undesired logs to ensure relevant content displays in a more efficient manner.

Set LA storage and search retention period

On the Log Analyzer Settings page, you can set the number of days that syslog and traps messages are stored and searchable in the LA database. The default setting is seven days, but you can adjust it to anywhere from one day to one year.

Review unlicensed and unmonitored log source reports

You can access LA log source reports in the Orion Web Console by navigating to Reports > All Reports. In the Group By list, select Report Category, and then click Log Analyzer report. Each report lists the IP address and detection timestamp for unlicensed or unmonitored log sources.

Enable full-text search in Microsoft SQL Server 2016

When installing and configuring SQL Server 2016, enable full-text search to ensure optimum event log search performance within LA. You can still install LA and initiate event log searches without enabling this capability, but the speed and quality of your search may be significantly reduced.

Before you upgrade

If you are adding LA 2.0 to your existing Orion Platform products, make note of the following:

LA 2.0 requires Microsoft SQL Server 2016 SP1 or later.

LA 2.0 does not support data migration of existing rules and alerts.

Legacy syslog and traps

LA replaces the existing legacy syslog and trap services, but only provides a subset of the legacy functionality. After installation of LA over the legacy syslog and trap services, the records remain in the database, but will not be used by LA. You can still access the read-only legacy records in the Syslog Viewer and Traps Viewer applications. All new syslog and trap messages will be stored in the dedicated LA database.

New customer installation

Use the SolarWinds Orion Installer, available in the Customer Portal, to install LA. After installation, refer to the LA Getting Started Guide to learn about configuring and customizing LA.

Fixed issues

LA 2.0 fixes the following issues:

Case Number Description
N/A SNMP v3 credentials are not propagated to the trap service immediately.
N/A The Analyze Logs feature is available for disabled nodes.

LA loses its out-of-the-box rule status.


32-bit Microsoft Office products have issues after installing LA.

N/A Used MIBs DB needs to be updated to version
N/A PerfStack Widget doesn't work for any LA metrics.
N/A Log Viewer search throws an exception when a tag is selected.
N/A Log Viewer Filtering failed with multiple checked tags.
N/A The Log Viewer Filter is not always applied in Live Mode.
N/A Log Viewer histogram is empty while zoomed in.
N/A When LA runs in basic mode, the expiration message appears.
N/A TCP Syslog is broken.
N/A Syslog messages do not match the RFC5424 format.
N/A Syslog/Traps wrongly updated to v2.0 in non-LA Orion environment.
N/A SNMP v3 credentials are not propagated to the Trap service immediately.

Known issues

Authentication error in Config Wizard

Issue: An authentication error in the Config Wizard occurs when creating the Log Analyzer db using a local Windows user and connecting to the database using SQL authentication.

Workaround: Use the same authentication type for SQL Server in both steps: create the Log Analyzer db, and define Orion access to the Log Analyzer db.

Log entries may get lost

Issue: Log entries may get lost when diagnostics are being gathered.

Workaround: In diagnostics, do not select Log Analyzer (Log Manager) tables if you do not generate diagnostics for Log Analyzer specific issues.

Rule condition change is not reflected

Issue: After the modifying the rule, the rule is not propagated correctly to some pollers.

Workaround: Restart services.

Previous versions

LA 1.0

LA 1.1

LA 1.1.1

Legal notices

© 2019 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.


The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.