
Geek Speak

25 Posts authored by: DanaeA
DanaeA

What's New in LEM 5.7

Posted by DanaeA Jan 17, 2014

SolarWinds Log & Event Manager (LEM) v5.7 provides the following usability and performance enhancements:

  • nDepth Scheduled Searches
    • Schedule nDepth searches to run automatically once or on a recurring basis
    • Scheduled Searches can also be shared between users
    • Email search results as a CSV attachment, or generate an event notifying you of search completion
    • Agents are using Java 7 in this release
  • Agent Node License Recycling - Each time a VM desktop is created, an agent connects to LEM and a license is used. This continues to happen as desktops are created and destroyed, eventually causing all licenses to be used. License recycling allows you to collect and reuse licenses from nodes that have not sent an event to the LEM manager within a specified amount of time
      • Define a schedule to automatically recover unused agent licenses
      • Specify a virtual desktop and workstation devices where licenses can be recovered
  • Scalability Enhancements
    • Improved rules engine and appliance-side processing
  • FIPS Self-Certification
  • Additional Improvements
    • Create User-Defined Groups more easily with the new CSV import
    • Deploy LEM to Hyper-V® on Windows 2012 R2
    • New connectors for NetApp®, IBM®, Brocade, and more

For more information on using LEM, please visit the following fount of information on all that is LEM: Log & Event Manager.

Security Information and Event Management (SIEM) software is beneficial for companies by providing a complete view of the security of their IT environment. Without this type of software, it is difficult to manage the individual event and incident log data that demonstrate a risk to your security. Log data is generated by operating systems, firewalls, devices, and antivirus software, so analyzing and reviewing the large amount of data in logs is a daunting task.

SolarWinds Log & Event Manager (LEM) software makes it easy to manage and analyze log files, mitigate threats, and automate compliance processes. LEM collects and catalogs log and event data in real time, from anywhere data is generated within your IT infrastructure, and delivers true real-time log and event correlation by processing log data before it is written to the database, enabling you to respond immediately to security threats and vital network issues.

LEM offers the following log management and compliance options:

  • Log Analysis Servers
  • Log Analysis Antivirus and Malware Protection
  • Log Analysis IDS and Firewall
  • Log Analysis Identity Authentication and Endpoint Protection
  • Vulnerability Assessment
  • Log Analysis Websites FTP and Content Management
  • Log Analysis Other Applications
  • Log Analysis Network Devices
  • IT Security
  • IT Compliance & Audit
  • IT Operations

SolarWinds also offers other log and security information management products that assist in collecting, correlating, and analyzing log data and in managing enterprise security and compliance.

After installing Log & Event Manager (LEM) v5.6, you may need to download and install these additional pieces of software for further data collection and analysis.


LEM Desktop Console

The LEM desktop console is identical to the web console, only you install it on a Windows computer. Download and install the Adobe AIR Runtime and/or Log & Event Manager desktop console if you want a locally installed version of the LEM console.

Note: Both items below are required to run the LEM desktop console; however, you do not need to download and install the runtime component if you already have it on your system for another application.

Agents

Deploying agents allows you to collect data directly from different operating systems, and to connect to the appliance for monitoring, notification, and response. After deploying agents, you can configure the desktop software from Manage > Nodes to enable your different data sources.

MSSQL Auditor

MSSQL Auditor allows you to audit Microsoft SQL 2000, 2000 MSDE, 2005, 2005 SQL Express, and 2008 databases for changes and failed modification attempts. Install SQL Auditor on your MSSQL server or a remote system with SQL Profiler installed.


LEM Reports

LEM Reports is a standalone reporting application used to access alert information on the LEM database. Download and install the Crystal Reports Runtime and/or Log & Event Manager Reports if you want to run pre-configured security and compliance reports.

Note: Both items below are required to run LEM Reports; however, you do not need to download and install the runtime component if you already have it on your system for another application.

LEM Connectors

Connectors allow LEM to normalize the data it collects from your agents and network devices. Download and apply the LEM connector update package any time SolarWinds updates a connector you use, usually when Support informs you to do so.

Receiving SNMP Alerts from SAM in LEM

Some examples of using the systems together:

  • SAM detects an issue with a service; use LEM to determine whether errors are being generated from that service and when the issue started, then respond by restarting the service and building a rule to detect and notify you of future outages before the service goes completely down.
  • Build rules inside of LEM that combine data from SAM with your event log, device log, and application log data, to combine the power of what's happening in the log with the knowledge that something's gone wrong.
  • Respond to an event detected from SAM in the LEM Console to isolate an issue, quarantine a user or system, restart a service, or kill a process.

To send data from SAM to LEM:

  1. On your LEM appliance, enable SNMP, if you don't already have it enabled.
     a. From the virtual/hardware appliance Advanced Configuration console, enter service at the cmc prompt.
     b. At the cmc::scm# prompt, enter enablesnmp.
  2. Configure the SolarWinds tool on your LEM appliance via Manage > Appliances, then click the Gear icon and select Tools.
  3. Select Network Management from the Category list.
  4. Click the Gear icon next to the bottom Network Management line, select New, and create a new SolarWinds Orion tool.
  5. Click Save to save the configuration (the default name/alias that appears in all of the messages from these tools can be changed).
  6. Click the Gear icon and select Start to enable the tool/connector to monitor for incoming data.

For more information on setting up alerts with SAM, check out the "Creating Alerts" section in the SAM User Guide.

Upgrading from LEM 5.5 to 5.6 performs a database migration of your data. Performing this upgrade converts your existing information, from newest to oldest, into the new database format. In our latest release of LEM, we are migrating from third-party database software to an in-house database.

We have included a banner that displays the status of the migration and the estimated time until it is complete.

[Image: migration status banner (migration_toolbar.png)]

  • How long does it take?

Depending on the amount of data to be migrated and the system load, the migration could take from hours up to a few weeks. Data is migrated from newest to oldest.

  • Will I lose data?

No, the data is transferred over completely. New data continues to be migrated as it comes in and old data is moved over when new data is not being transferred.

Log data is a record of all the transactions and information that goes through your networks. Companies generate enormous amounts of log data every day.

SolarWinds Log & Event Manager (LEM) collects, stores, and normalizes log data from a variety of sources and displays that data in an easy to use desktop or web console for monitoring, searching, and active response. Data is also available for scheduled and ad hoc reporting from both the LEM Console and standalone LEM Reports console.

Mistake number 1 - Not monitoring your collected logs until you have a major incident

You’ve installed your new LEM software. Your job is done, right? Nope, sorry, but someone has to monitor the collected logs, both to learn whether any events occurred and to proactively spot when a similar event may happen again. Use LEM Reports to view or schedule fixed reports for compliance purposes to:

    • Produce compliance reports
    • View reports based on specific regulatory compliance initiatives
    • Provide proof that you are auditing log and event data to auditors
    • Schedule formatted reports for LEM Reports to run and export automatically

Also, your organization may have to look at logs for auditing purposes. HIPAA regulations require medical organizations to establish an audit process. Ensuring data security is vital in business, most especially in any business that stores and transmits cardholder data. Any company with access to cardholder data must ensure that it is in compliance with the standards set by the Payment Card Industry Data Security Standard (PCI-DSS). If a company is found to be non-compliant, it may face large fines and even have its credit card processing abilities restricted.

I’ll discuss other mistakes commonly made when new to LEM in future blog posts.

IT departments are the heart of most corporations. If there is an IT failure, most companies are dead in the water. No internet = no sales orders. Which is not a good thing for most companies!

Most IT departments use the method where issues are responded to based on the order in which they are received. If a higher priority issue is received, then it jumps to the top of the heap. What ends up happening is that the lower priority requests go unresolved since they seem to be placed at the bottom of the stack. If your network is running cleanly and smoothly, there is time to finish your other tasks.

Unfortunately, according to a 2012 report from Gartner, more than 60% of an IT department’s time is spent focusing on day-to-day operations and not strategic projects that contribute to the growth of the company. SolarWinds Engineer’s Toolset includes the necessary solutions that work simply and precisely, providing the diagnostic, performance, and bandwidth measurements you want. SolarWinds was founded by network professionals and continues to design tools for the network professional.

  • Cut troubleshooting time in half using the LaunchPad, which puts the tools you need for common situations at your fingertips.
  • Monitor and alert in real time on network availability and health with tools including Real-Time Interface Monitor, SNMP Real-Time Graph, and Advanced CPU Load.
  • Perform robust network diagnostics for troubleshooting and quickly resolving complex network issues with tools such as Ping Sweep, DNS Analyzer, and Trace Route.
  • Deploy an array of network discovery tools including Port Scanner, Switch Port Mapper, and Advanced Subnet Calculator.
  • Manage Cisco® devices with specialized tools including Real-time NetFlow Analyzer, Config Downloader, and Config Compare.

How to enable file auditing in Windows

After you have installed and configured your SolarWinds Log & Event Manager Agents, optimize your SolarWinds LEM deployment by tuning Windows to log the specific events you want to see in your SolarWinds LEM Console and store in your SolarWinds LEM database. Use the recommendations below to get started with this tuning process.

  1. Open Administrative Tools > Local Security Policy.
  2. Expand Local Policies and click Audit Policy in the left pane.
  3. Select Audit object access in the right pane, and then click Action > Properties.
  4. Select Success and Failure.
  5. Click OK.
  6. Close the Local Security Policy window.

To enable file auditing on a file or folder in Windows:

  1. Locate the file or folder you want to audit in Windows Explorer.
  2. Right-click the file or folder and then click Properties.
  3. Click the Security tab.
  4. Click Advanced.
  5. Click the Auditing tab.
  6. If you are using Windows Server 2008, click Edit.
  7. Click Add.
  8. Enter the name of a user or group you want to audit for the selected file or folder, and click Check Names to validate your entry. For example, enter Everyone.
  9. Click OK.
  10. Select Success and Failure next to Full control to audit everything for the selected file or folder.
  11. Optionally, clear Success and Failure for unwanted events, such as:
    • Read attributes
    • Read extended attributes
    • Write extended attributes
    • Read permissions
  12. Click OK in each window until you are back at the Windows Explorer window.
  13. Repeat these steps for all files or folders you want to audit.
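The same configuration done from PowerShell rather than the GUI, as an added example (not from the original post); it assumes an elevated session and uses the placeholder path C:\AuditMe, which you would replace with the folder or file to audit:

```powershell
# Added example (not from the original post): the audit policy and SACL steps
# above, scripted. Run in an elevated PowerShell session (SeSecurityPrivilege
# is needed to read or write a SACL). $Path is a placeholder.
$Path = 'C:\AuditMe'

# Steps 1-5 of the policy procedure: Audit object access = Success and Failure.
auditpol.exe /set /category:"Object Access" /success:enable /failure:enable

# Steps 8-11 of the file procedure: audit Everyone for Full control, minus the
# four noisy rights the post suggests clearing.
$FSR = [System.Security.AccessControl.FileSystemRights]
$noisy = [int]$FSR::ReadAttributes -bor [int]$FSR::ReadExtendedAttributes -bor
         [int]$FSR::WriteExtendedAttributes -bor [int]$FSR::ReadPermissions
$rights = [System.Security.AccessControl.FileSystemRights]([int]$FSR::FullControl -band (-bnot $noisy))

# Inheritance flags are only valid on a folder; a single file gets None.
$isFolder = Test-Path -Path $Path -PathType Container
$inherit = if ($isFolder) {
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
} else {
    [System.Security.AccessControl.InheritanceFlags]::None
}

$ruleArgs = @(
    'Everyone',
    $rights,
    $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList $ruleArgs

# Read the existing SACL (-Audit), add the rule, and write it back.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Confirm what was applied. Matching accesses then appear in the Security log
# as Event ID 4663, which is what the LEM Agent forwards from this host.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```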

SolarWinds Log & Event Manager (LEM) is a powerful SIEM tool that allows you to be proactive with your network needs. It provides functionality where you can monitor your antivirus software to track whether or not your antivirus solution is able to fully clean the viruses it detects.

To create a LEM Rule to track when viruses are not cleaned, you need to clone and enable the Virus Attack – Bad State rule to track the state of virus attacks reported by your antivirus software. The Bad Virus State User-Defined Group defines a bad state as any virus that has not been fully cleaned by your antivirus software. That is, any virus that has been left alone, quarantined, or renamed. The default action for this rule is to generate a HostIncident event, which you can use in conjunction with the Incidents report to prove to auditors that you are auditing the critical events on your network.

The following is how you can configure your antivirus software to log to your SolarWinds LEM appliance and set up the appropriate tool on your SolarWinds LEM Manager.

  1. Open the SolarWinds LEM Console and log into the SolarWinds LEM Manager as an administrator.
  2. Select the Build tab, and then click Rules.
  3. Click Default Rules on the Refine Results pane (left).
  4. Enter Virus Attack – Bad State in the search box at the top of the Refine Results pane.
  5. Click the gear button next to the rule (left), and then click Clone.
  6. Select the folder where you want to save the cloned rule, and then click OK.
  7. Select Enable at the top of the Rule Creation window, next to the Description field.
  8. Click Save.
  9. Back on the main Rules screen, click Activate Rules.

Have you been seeing some suspicious URLs appear in your reports? You can now set a rule to track that activity with SolarWinds Log & Event Manager (LEM). LEM has many configured rules built into it for your ease of use. For this particular procedure, you can clone and enable the Known Spyware Site Traffic rule to track when users attempt to access suspicious websites by partial or complete URL addresses. The default action for this rule is to generate a HostIncident event, which you can use in conjunction with the Incidents report to prove to auditors that you are auditing the critical events on your network.

Before enabling this rule, ensure your proxy server transmits complete URL addresses to your SolarWinds LEM Manager by checking the URL field of any WebTrafficAudit event generated by your proxy server. If your proxy server does not log web traffic events with this level of detail, check the events coming from your firewalls, as they can sometimes be used for this rule as well.

To clone and enable the Known Spyware Site Traffic rule:

  1. Open the SolarWinds LEM Console and log into the SolarWinds LEM Manager as an administrator.
  2. Select the Build tab, and then click Rules.
  3. Click NATO5 Rules on the Refine Results pane (left).
  4. Enter Known Spyware Site Traffic in the search box at the top of the Refine Results pane.
  5. Click the gear button next to the rule (left), and then click Clone.
  6. Select the folder where you want to save the cloned rule, and then click OK.
  7. Select Enable at the top of the Rule Creation window, next to the Description field.
  8. Click Save.
  9. Back on the main Rules screen, click Activate Rules.

Verifying Data

Now that LEM is collecting your log data, use nDepth and LEM Reports to search, analyze, and report on that data. In most cases, use the nDepth Explorer in the LEM Console to search and analyze your data, and use the stand-alone LEM Reports application to report on your data.

Which Do I Pick?

Use nDepth if you want to perform immediate search or analysis tasks, or create specific custom PDF reports. Use nDepth to:

  • Search your log data interactively
  • Search for specific variables, such as user names, IP addresses, or specific events
  • Perform root-cause analysis
  • Troubleshoot specific issues
  • Explore data and produce custom PDF reports

Use LEM Reports if you want to view or schedule fixed reports for regulatory and compliance purposes or to:

  • Automate reporting
  • Produce compliance reports
  • View reports based on specific regulatory compliance initiatives
  • Provide proof that you are auditing log and event data to auditors
  • Schedule formatted reports for LEM Reports to run and export automatically

SolarWinds Log & Event Manager collects, stores, and normalizes log data from a variety of sources and displays that data in an easy to use desktop or web console for monitoring, searching, and active response.

This week we are going to discuss Monitoring, Events, and Filters. For the purpose of this blog, I will be using SolarWinds Log & Event Manager (LEM) as our monitoring software. LEM collects, stores, and normalizes log data from a variety of sources and displays that data in an easy to use desktop or web console for monitoring, searching, and active response.

Why do you need monitoring?

Network monitoring is necessary to maintain the integrity and safety of your internal network. Monitoring can determine if your network is overloaded, has crashed servers, network connection issues, or even if you are the target of an unauthorized access attempt. LEM monitors network activity by analyzing the log data collected, and then parsing the information with the use of out-of-the-box filters or custom filters. LEM displays the monitored events on your network in real time.

 

Events and Filters

Events are messages created from Agent, Manager, and network device log entries. These normalized (remember what this is? If not, then review this blog entry) events are sent from the Agent to the Manager for processing. At the Manager, the events are processed against your Rules, sent to your Database for archiving, and sent to the LEM Console for monitoring. On a busy network, there can be millions of events each day, so the LEM Console uses event filters to manage events.

A filter is a subset of your events that focuses on a particular type or group of events and hides all others. When configuring a filter, you can examine and use individual event properties to determine precisely which events are to appear in that filter. Filters also display events in real time. You can turn filters on and off, pause filters to sort or investigate their events, perform actions to respond to events, and configure filters to notify you when they capture a particular event.

What kind of events necessitate a filter?

  • Change management events
  • High volume events
  • Events you want to monitor (user logon failures, etc.)
  • Testing conditions for future rules
  • Testing conditions for future rules
DanaeA

Logs 101: Normalization

Posted by DanaeA Feb 15, 2013

In the first blog of this series, What are Logs?, we learned what logs are and why they are useful to your organization. Now we are going to learn what happens when you have different types of log data and how your System Administrators don’t go crazy going through the thousands of logs that are produced.

System Administrators monitor logs from hundreds of different devices, all written in proprietary formats. Unfortunately, proprietary log “language” is often not user friendly and unreadable in its native format. Log data is written in the device’s language, which is different from the “language” of another device. Comparing the logs against each other is like comparing a paragraph written in Russian against one written in Japanese.

The following is a sample of a log file from an antivirus program:

[Image: sample antivirus log file (Log sample.png)]

There is some recognizable information, but can you imagine trying to decipher thousands of log entries a day? Luckily, there are software programs (like our very own SolarWinds Log & Event Manager) that can convert that data to useful information that can be searched for important alerts or events that may have occurred.

What is Normalization?

The LEM system is based on software modules called Agents, which collect and normalize log data in real time before it is processed by the virtual appliance. Devices that cannot run an Agent send their log data directly to the Manager for both normalization and processing.

By definition, to normalize is to make (text or language) regular and consistent. LEM gathers logs from devices and translates (or normalizes) those logs into the same language, so they can be directly compared against each other.

When an Agent cannot be installed on a device, that device can be set to send its log data to the LEM Manager for normalization and processing. Examples of devices that cannot host Agent software include firewalls, routers, and other networking devices. LEM accepts normalized data and raw data from a variety of devices. Non-agent devices send their log data in raw form to the LEM manager. Once normalized, log data is processed by the LEM Manager, which provides a secure management clearinghouse for normalized data. The Manager’s policy engine correlates data based on user-defined rules and local alert filters, and initiates the associated actions when applicable. These actions can include notifying users both locally in the Console and by email, blocking an IP address, shutting down or rebooting a workstation, and passing the alerts on to the LEM database for future analysis and reporting within the Reports application.

SolarWinds Log & Event Manager collects, stores, and normalizes log data from a variety of sources and displays that data in an easy to use desktop or web console for monitoring, searching, and active response.

[Image: LEM log flow diagram (LEM logs.png)]

DanaeA

Overflowing Logs?

Posted by DanaeA Feb 1, 2013

Are your Windows Security Logs overflowing? Have you noticed more noise on your logs than normal? Changing your Audit Security Settings can cause a flood of data that you may not have realized is now invading your logs.

Having to muddle through extraneous information is cumbersome and time consuming, especially since auditors require that logs be reviewed on a daily basis for any suspicious events or alerts. You want to streamline the data to be analyzed, and changing your Audit Security Settings may help filter out the noise. For more information on Windows Auditing and the extra noise it creates, check out our Not All Windows Auditing is Created Equal blog article.

For information regarding log management, see SolarWinds Log & Event Manager.

Have you ever left your wallet at home? Or your credit card in the pocket of the jeans you were wearing last night, and didn’t realize it until you tried to get gas? I recently had the card-in-the-pocket issue: my gas gauge was on empty and I didn't have any other form of payment on me. I ended up having to call my husband to come to my rescue! If I had Near Field Communication enabled on my phone, I would have been just fine. Near Field Communication (NFC) allows you to use your smartphone as your credit card, and I’m never without my phone; I always know where it is. Leaving your wallet at home won’t be such a problem soon, and you can get gas without your credit card.

How Does it Work?

NFC allows smartphones or other devices (tablets, e-readers, etc.) to communicate with each other through radio waves, as long as they are within close proximity. NFC devices have a chip installed that transmits a signal to other NFC-equipped devices when they are within a few inches of each other. To make a purchase using NFC, you tap your NFC-enabled phone to the NFC terminal, enter your passcode, and off you go.

Where Can I Find it?

Many smartphones and tablets are offering this feature now. As for merchants offering this very fast way of paying, Old Navy, The Container Store, ToysRus, CVS, and Macy’s are a few merchants that are working with Google Wallet to make it quick, easy, and safe for you to shop.

Is it Safe?

Your credit card numbers are stored on secure servers that are encrypted for your safety. To access your payment information while making a transaction, you must enter your secure passcode on your phone. If your phone should be stolen, your information is safe. Without the passcode, there is no way your credit card can be used. This is definitely more secure than using a traditional credit card where nobody checks the signature!

Unfortunately, there is the risk of malware or other unauthorized access to your phone. This is a large concern for organizations that are dealing with Bring Your Own Device (BYOD) and network security issues in the workplace.