Log & Event Manager's latest Release Candidate (v5.6) is now available on everyone's customer portal. As always, this release candidate is supported in production, so if you have any questions or issues post them here on our Security Event Manager (SEM) Release Candidate forum or contact our awesome support team. Here's the two big items that will make it worth your while to upgrade.
Let's take all those rules... and move them to categories!
LEM ships with a lot of rules out of the box... a lot. The problem we've had is that they are hard to find - if you're looking for "rules that help with PCI Compliance" you have to cross reference a separate list. Well, no longer! We have categorized and tagged everything into different areas that are oriented much more toward how you're actually using rules.
- To use a rule template, click the "Gear" to the right of the rule you want to use, then choose "Clone". (This isn't new, but where it's located is!)
- Your rules will appear in the "Custom" category (underneath "Compliance" in the screenshot above).
- We've hidden some of the advanced refinements (searching by date, user who modified the rule last, etc) to the "Advanced Search" area on the top left.
- There are some rules that monitor common traffic patterns that are enabled by default. They will show up as Created By "Unknown" and be enabled (easy to spot if you click on All Rules).
When editing a rule...
- Click the link next to "Tags" to the top left to add categories and tags. The "Tags" dialog will open where you can add your own or check off existing tags.
- To delete a category/tag from the list, remove the category/tag from any rules that are using that category/tag.
- You can create your own categories/tags on the fly, too, just add them when you're editing the rule, and check them off. You can always go back and add those tags to new rules.
Some cool things you can do with categories and tags:
- Tag rules you're using for compliance so that they don't get inadvertently disabled.
- Categorize rules used for production, lab, and other environments so that you know how rules are used.
- Tag "in progress" or "testing" rules so that you can find rules that you're working on developing.
- Categorize rules for different departments or teams (sort of like how we have Security and IT Operations) so that each team can find their relevant rules quickly.
Improvements to Database Storage Infrastructure, Archiving, and nDepth
We've done some revamping of our database storage backend in order to satisfy some internal and external requirements. What does this mean to you?
- Your data will be migrated to a new format during upgrade. You'll want to take a snapshot (upgrade will remind you) or archive before starting the migration since it's a one-time operation.
- You can resize your appliance beyond the previous 1TB limit (the next most common barrier is 2.2TB, based on virtual infrastructure capabilities to address a single disk).
- Database archiving is not a full archive each time anymore, only what's new. The first time after you upgrade when your archive runs (use "archiveconfig" in the CMC to check) it will effectively be a "full" archive, though, so be prepared.
What you'll see during migration:
- The console will show the progress of your migration, along with an estimate for completion. For most people, it should be a few days to a week. People with larger databases could experience longer migrations (and if you've got a full 1TB database it could be a couple weeks).
- While the migration is taking place, you'll be able to search new data and migrated data, but not older data. Most recent data is prioritized, as is processing real-time data vs. migrating.
- The Database Maintenance Report will also show you the status and historical info (so you can tell how far back you're migrated in days, rather than percentage/numbers).
With nDepth search, you'll see a new cool feature that draws the charts dynamically as your data is returned, rather than waiting until the end. You'll also see that you can now sort results by oldest to newest or newest to oldest, rather than always having them in the same order.
How to Upgrade
- Go to the customer portal. Scroll to the "Release Candidates" area. Click on the LEM v5.6 RC. Download the "Upgrade" bit (zip file). If it's not in the Release Candidates section, you can go to License Management, then under your LEM license you'll see a "Release Candidates" area.
- Extract the zip file contents. Put the "TriGeo" and "Upgrade" folders in a windows file share that the appliance can access. (It's big, so you probably don't want to pull over the WAN or anything)
- Log in to the CMC via SSH, your hardware appliance, or your virtual appliance console's "Advanced Configuration".
- Run the "upgrade" command
- Answer the prompts.
- That's it! (It'll take about 5 minutes to run through everything, then migration starts in the background)
Get help, ask questions, tell us what we missed!
Come to the Security Event Manager (SEM) Release Candidate forum and tell us what you think. There's also an additional thread over there with some more technical details: LEM 5.6 Release Candidate Notes & Info (RC2 - Available Now).