In case you missed it in our Log & Event Manager Release Roundup: Latest News post, the next release of LEM is now in Release Candidate status. You can join up by filling out the survey over on SurveyMonkey, I'll provision it to your Customer Portal and you can get crackin' on the new features.
LEM 5.4 RC Features: Flexibility!
The "theme" of this release is flexibility - extending the flexibility of your LEM deployment within your organization. We've added several features that make LEM more flexible to deploy, implement, and integrate into your environment.
Virtual Appliance Improvements: Deploy to Microsoft Hyper-V, Export/Import/Migrate Appliances
We've added the ability to deploy our virtual appliance on Hyper-V (instead of just VMware). It's got the same disk/CPU/RAM requirements (250GB disk, at least one 2GHz core preferably 2+, 8GB RAM dedicated) and the same ease of installation.
On all appliances, we've added the ability to export/import/migrate your appliance settings. This is useful in several different ways:
- Migrating from a legacy TriGeo hardware appliance to the LEM virtual appliance
- Migrating from one virtual appliance to another virtual appliance (standing up a new appliance and importing your configuration)
- Disaster recovery scenarios where configuration settings have been lost, a mistake was made, or other unfortunate scenarios occur that make you wish you could go back to yesterday's config
For customers interested in either Hyper-V deployments or the appliance migration functionality, we've got new documentation we can provide that includes extra details if you need them.
Console in your Browser! Awesome!
We've had a lot of requests to not run the LEM Console in AIR, and instead run it in the browser. Good news - we did just that! For the most part, this Console is identical to the AIR console, and you can import/export your settings from your existing AIR install into the web and vice-versa. The browser-based Console does require Flash 11.
To access the LEM console after upgrading, just head to https://<your manager's IP or name>/ and it'll redirect you to the right port and URL. The full URL is actually https://<your manager's IP or name>:8443/lem/ but we put in a couple handy redirects to make it Just Work(tm).
Your settings will now be stored on the manager you're accessing in the URL, so wherever you log in, you'll see the same filters, widgets, saved searches, and customized configuration settings.
Tips & Notes:
- I'd recommend verifying you're on Flash 11 before you access the Console, just in case. We've had situations where someone upgraded from Flash 9 to Flash 11 and the browser was most unhappy! You can manually download and install the latest flash player here.
- If you're having issues with Firefox, try IE (seriously) or Chrome. We support Firefox 11, Chrome 16+, and IE9 and have done a cursory pass on Safari, but we found a few browser inconsistencies that generally apply more to Firefox than the other browsers.
- There shouldn't be cases where you have to close/reopen your browser or tab to fix an issue - if this happens to you (especially consistently), please let us know so we can track down issues where the Console seems to get "stuck" and stops functioning. The same is true of a browser or flash plugin crash, if you see this consistently, let us know.
- If you've been using the AIR console and want to import your settings to the web, first upgrade your AIR Console to 5.4, then go to Manage > Appliances, then click the rightmost gear (underneath the Help icon) and choose "Export User Settings". In the web console, do the same thing, but select "Import User Settings". Your settings will be pushed up to the appliance and applied, and viola! Instant customized Console.
- When reporting issues with the browser Console, be sure to let us know what browser & version you're using, and make sure you're up to date on Flash (Adobe's trying to make it even easier to update Flash, but you never know, you might have hit "stop yelling at me" and not manually upgraded in a while).
- When building rules & filters, you might notice that the item you're dragging appears away from your mouse cursor; there are some timing issues that we're working on here and may not be able to resolve before release. Follow your mouse cursor arrow, not the item text, to determine where it'll be dropped.
Authenticate to LEM via Active Directory Services
As a bonus management feature, we've added the ability for you to authenticate to LEM via Active Directory (not just a LEM built-in user). You can add AD Groups or individual AD Users and assign them to a LEM Role, then the authentication works like magic.
First, configure the "Directory Service Query" inside of LEM to authenticate to the directory:
- Go to Manage > Appliances:
- Click the Gear icon next to your appliance, and click Tools:
- Under "System Tools", click the Gear next to "Directory Service Query" and click "New":
- Specify the (fully qualified) domain name (e.g. corp.local), the IP of your domain controller (preferably IP, DNS name may work if your appliance is configured with reliable DNS), the service account username & password to use, and whether your DCs require SSL or not. If you don't use a custom port, you can ignore that field (the defaults are 389 for non-SSL and 636 with SSL).
- NOTE: If you want to test your connection, you can type in your FQDN in the "Test Domain Connection" box, but don't be alarmed if the button doesn't do anything - it can't actually test until we entirely finish.
- Click Save when you're done.
- IMPORTANT: To actually start/enable the connection, you need to start the tool/connector. Click on the gear again, and click "Start":
- At this point, everything should be configured and running.
- NOTE: If you entered your FQDN in the "Test Domain Name" box, you can click the "Test Domain Connection" button now. Success or failure won't be reflected here, you'll find alerts over in the Monitor area that will indicate success or failure. The alert is an "InternalInfo" alert that says "Connection to Directory Service succeeded", or an "InternalWarning" alert that will let you know it failed and give you some idea of why (password failed, timed out, etc).
- When you're done, click "Close".
Next, add users in LEM that you want to authenticate with the directory:
- Head over to Build > Users:
- Click the + icon on the far right hand side and choose the option corresponding to what you'd like to add:
- LEM User: adds a new built-in LEM user, using built-in LEM authentication. After adding the user, fill out all the information, including the e-mail address(es).
- Directory Service User: lets you specify a new SINGLE user from the directory to add to LEM, using directory authentication.
- In the leftmost panel, select the OU you wish to add the user from.
- In the center panel, select the Group you want to use to narrow down the user. The group in brackets at the top that mirrors the name of the OU will show ALL members of that OU, which might take a while if you've got a big organization (which is why we let you search using groups, too!).
- In the rightmost panel, select the User you want to add to LEM and click "Select User". All of that looks a bit like this (adding the user "npauls" from the "Engineering" OU, using the entire OU to search) - names hidden to protect the innocent:
- After you add the user, specify their LEM Role (Administrator/Auditor/Monitor/Contact), click the "Save" button on the bottom right to officially add them to the list.
- Directory Service Group: lets you specify a new GROUP (and all members therein) from the directory to add to LEM, using directory authentication.
- In the leftmost panel, select the OU you want to view the group in. You might find that your OU contains sub-folders that contain hidden group containers for things like distribution/global groups.
- In the rightmost panel, select the Group you want to add (that is, all members in this group should be able to log in to LEM, and be assigned the same LEM role). All of that looks a bit like this (adding the group "Domain Admins" from the parent domain's built-in "Security Groups" area, which would normally appear in the parent domain itself):
- After you add the group, specify their LEM Role (Administrator/Auditor/Monitor/Contact), click the "Save" button on the bottom right to officially add them to the list.
- Don't forget to hit the "Save" button after you add a group, it's easy to miss!
A few important notes:
- When using Directory Service users, the email address is imported from the directory and not editable inside of LEM.
- The same connector/tool that interfaces for Directory Service Groups in LEM (for use with filters, rules, and searches) is used for authentication, so you only have to configure it once.
- You'll want to set aside a service account that can be used to do this, and you might want to set it to never expire, or suddenly you'll find all your Directory Service users unable to log in.
- Don't forget your LEM built-in admin user password! You can always get in using this account, even if directory services are down. If you've forgotten it, there's a command at the appliance to reset it back to the default of "password".
- When logging in, use DOMAIN\user to indicate you're logging in as a Directory Service user.
- I found it a little confusing at first to have to look in the "Security Groups" folder for my Windows 2003 domain controllers, so don't forget to check there if you don't see the groups you'd expect.
SNMP Notification Support & Integration with NPM/SAM
In LEM 5.4, we've added new connectors to receive data from NPM/SAM and Virtualization Manager. Set up your alerts in the Alert Manager (or via Virtualization Manager's Console) to send to LEM, and use LEM to correlate those events with other events across your enterprise, perform root-cause analysis of problems across systems, and use LEM's active responses to triage or respond to issues.
Receiving SNMP Alerts from NPM/SAM/Virtualization Manager in LEM
Some examples of awesome ways you can use the systems together:
- NPM detects a device outage or performance issue; use LEM to trace back the issue to its FIRST occurrence and determine the problem may be a DoS attack, virus, or other security issue - possibly even detected on an endpoint.
- SAM detects an issue with a service, use LEM to determine if there are errors being generated from that service, when the issue started, and respond by restarting the service, and building a rule to detect & notify you future outages before the service actually goes completely down.
- Build rules inside of LEM that combine data from NPM or SAM with your event log, device log, and application log data, to combine the power of what's happening in the log with the knowledge that something's gone bad.
- Respond to an event detected from SAM or NPM in the LEM Console to isolate an issue, quarantine a user or system, restart a service, or kill a process, among others.
To send data from NPM/SAM/Virtualization Manager to LEM, first on the LEM side:
- Enable SNMP on the appliance, if you don't already have it enabled. From the virtual/hardware appliance "Advanced Configuration" console, type "service" (at the "cmc" prompt) then "enablesnmp" (at the "cmc::scm#" prompt).
- Configure the SolarWinds tool on your LEM appliance via Manage > Appliances, then Gear>Tools:
- In the "Network Management" category, create a new "SolarWinds Orion" tool/connector by clicking Gear>New (this connector does cover all of NPM, SAM, and Virtualization Manager):
- Click "Save" to save the configuration (you can change the default name/alias that appears in all of the messages from these tools, if you'd like).
- Click Gear>Start to enable the tool/connector to monitor for incoming data:
On the NPM/SAM side, use Alert Manager to enable SNMP alerts for different settings. For more information on setting up alerts with SAM, check out the "Creating Alerts" section in the SAM User Guide. For more information on setting up alerts with NPM, check out the "Creating & Managing Alerts" section in the NPM User Guide. For more information on setting up alerts with Virtualization Manager, check out the "Alerts" section in the Virtualization Manager User Guide.
Sending SNMP Notifications from LEM to NPM/SAM and Other Systems
We've also added the ability to send SNMP traps to other systems, including NPM/SAM, so that you can correlate data in LEM and notify other departments, systems, and people, via the infrastructure you've already got set up.
Some examples of how this is useful:
- If LEM correlates an issue, you can send the notification to SAM/NPM, where it'll appear in the SNMP Traps section of the system, and you can perform root cause analysis from the SAM/NPM side to determine if there was a security or other event found in the log data around the time your issue started.
- Rather than using SAM/NPM to receive ALL your event log, syslog, and other data, use LEM and forward only the critical/useful events on to the teams that need them.
- Notify and forward events to third party systems (outside of NPM/SAM) to share data across your organization.
To use the SNMP notifications in LEM, first you'll need to enable the SNMP response tool/connector, then you'll need to add the SNMP notification to any rules you want to pass on to another system.
- Configure the SNMP Active Response tool/connector via Manage > Nodes, then Gear > Tools:
- In the "System Tools" category, click Gear > New next to "SNMP Active Response":
- Click "Save" after creating a new item (all of the configuration regarding which host, ports, etc to use is in the action itself, not in the configuration). You can customize the name/alias if you want it to appear differently.
- Be sure to click Gear > Start to enable the new connector/tool (or no SNMP notifications will be sent!):
- Click "Close" to exit configuration.
- Identify or build a rule you wish to add the SNMP notification to over in Build > Rules. I'll use the NATO5 "Critical Server Suspicious Network Traffic" rule as my example (Clone it to Custom Rules first!), since this might be important information about a node that I want to forward over to SAM or NPM so that if that machine begins behaving unexpectedly (consuming excessive bandwidth, performing poorly), that information is present. This rule also has a default Block IP action that you could choose to keep (and would want to let other systems know the action was taken) or remove in favor of only sending a notification.
- In "Actions", select and drag over the "Send SNMP Trap Alert" notification to the "Actions" box.
- Specify the destination SNMP Trap Host (where you want to send the trap) and port (if you do not specify one, the default of 162 will be used). You'll need to go to "Constants" and drag over a "Text" constant into the "Destination Host" box in order to edit it first.
- Specify the category of alert you'd like to escalate. For now, you can pick from the default "Incident" type of alerts. The type of alert will dictate the kinds of fields you can send over - for example, "HostIncident" will contain fields like Source/Destination Account, where "NetworkIncident" will contain fields like Source/DestinationMachine (and "HybridIncident" tries to be the best of both worlds). Pick the one that best suits this type of rule - in my case, I'm going to go with Network Incident (since the events were detected on the network and I'll find the most useful fields there), but if I'm more server minded, I could also go with Host or Hybrid Incident (indicating there's a problem with a host, but it was detected on the network).
- Fill out the fields from the alerts that contributed to your rule, just like you would other LEM actions. In this case, I'm going to use the "Network Audit Alerts" Alert Group, since that's what my rule uses, and that's where I want the data to come from in the original event. Here's what it'll look like in the end (it goes on, but you get the idea):
- If you want to notify more than one SNMP host, add another "Send SNMP Trap Alert" action and fill it out similarly.
- Save the rule, and don't forget to Activate Rules when you're done! It's at the top right, this tells the appliance/manager you're ready to use the new rule you've built:
At this point, when your rule fires, the SNMP Trap will be sent on to the server you specified. In SAM/NPM, you can view this in the SNMP Traps area of the console.
We Want Your Feedback!
If you join the RC, be sure to check out the Log & Event Manager RC group here on thwack. We'll put up any known issues there and are happy to answer questions about the RC or features in the RC.
We're also interested in any RC customers willing to do a quick screen sharing session/phone call with us to talk about the new features and your experience with them. Let me know via comment, e-mail, or Thwack post and I'll get it set up.
Lastly, for those of you already on the RC, we'll be updating to RC2 early next week, with a couple of quick fixes.