The time has come for yet another Log & Event Manager (LEM) Release Candidate! The RC is already available on the Customer Portal for all LEM customers under maintenance. As a Release Candidate you can deploy it in production and work with our awesome support team if you need any assistance. Here's what you'll see in the RC...
Automate Searching and Augment Reporting with Scheduled nDepth Searches
Reporting is useful when you want static content with graphs, charts, and pages of results, but it's hard to slice and dice the data, and it can be tough to get your report criteria just right. Our search interface, lovingly called nDepth, lets you search more flexibly, using components like User-Defined Groups and Directory Service Groups, and piggyback on existing filter criteria to get a jump-start. With this release, you'll be able to take any Saved Search in nDepth (against either the normalized data store or the original log message store), generate an event from it, have the results emailed to you, or both.
Let's say I've got a saved search (or am using a default saved search!) for Logon Failure activity for the last week. With reports, I can schedule, filter, and export to different formats, but I might also want to create my own charts or pass the data off to another team for investigation, which is harder to do with reports. nDepth has a new option in the gear menu on the left side, "Schedule," which opens a dialog that lets me schedule any saved search on whatever repeating interval I like. By specifying an "End Date," I can also decide how long the scheduled search should keep running, in case there's a short-term issue that doesn't need to be watched indefinitely. If I choose to email the results, up to 10MB of results will be attached as a zipped CSV file with all of the original data, similar to a manual export from the Console but with far more records included.
Support Flexible Workstation Environments by Recycling Agent Licenses Automatically
VDI and other flexible, temporary workstation initiatives are becoming much more commonplace, but even temporary workstations need to be monitored just like their semi-permanent counterparts. With LEM Workstation Edition, we've made licensing affordable for workstations, and with this release we've made it possible to automatically recycle licenses from nodes that haven't sent any data in a while.
You'll find the license recycling feature (off by default!) in Manage>Appliances>License toward the bottom. With this feature you can:
- Specify how old a node's last event must be before its license is eligible to be recycled (e.g. it must have been silent for more than an hour, in case someone is rebooting it or it's temporarily shut down): default 1 hour
- Specify how often to run the recycling job (e.g. every day at 5am, check for stale licenses and recycle them): default every day at 4am, and
- Specify matching parameters for which systems may be recycled so that unexpected systems don't get deleted (e.g. only nodes with hostnames or IP addresses on your VDI network): default all nodes. With the default, any node that has been silent longer than the age threshold is eligible, including a server that's simply down for maintenance, so narrow the match to your VDI pool before turning the feature on.
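To make the three settings concrete, here is an added example (not LEM code, and not its data model) that applies the same rule the recycling job does: a node is recycled only when its last event is older than the age threshold and it falls inside the match scope. The node inventory, the `NOW` timestamp, and the hostname-glob / CIDR matching are all constructed assumptions for illustration; the point to notice is that with the default "all nodes" scope, the silent domain controller gets recycled too.

```python
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network

# Constructed node inventory (hypothetical, not LEM's data model): hostname,
# IP, and the timestamp of the last event the appliance received from it.
NODES = [
    {"hostname": "vdi-pool1-0042", "ip": "10.50.12.42", "last_event": "2014-03-10T03:10:00Z"},
    {"hostname": "vdi-pool1-0099", "ip": "10.50.13.7",  "last_event": "2014-03-11T03:45:00Z"},
    {"hostname": "vdi-pool2-0008", "ip": "10.60.0.6",   "last_event": "2014-03-10T10:00:00Z"},
    {"hostname": "vdi-pool2-0007", "ip": "10.60.0.5",   "last_event": "2014-03-11T03:58:00Z"},
    {"hostname": "dc01",           "ip": "10.1.0.10",   "last_event": "2014-03-09T22:00:00Z"},
]

# The moment the scheduled job fires (the post's default schedule is 4am daily).
NOW = datetime(2014, 3, 11, 4, 0, tzinfo=timezone.utc)


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _matches(node, host_globs, networks):
    """Empty host_globs and networks means 'all nodes' (the post's default).
    Otherwise a node is in scope if its hostname matches any glob OR its IP
    sits inside any listed network (assumed semantics for this example)."""
    if not host_globs and not networks:
        return True
    if any(fnmatch(node["hostname"].lower(), g.lower()) for g in host_globs):
        return True
    addr = ip_address(node["ip"])
    return any(addr in ip_network(n) for n in networks)


def recyclable(nodes, now, max_age=timedelta(hours=1), host_globs=(), networks=()):
    """Return the hostnames whose license the job would recycle at `now`:
    silent for longer than max_age AND inside the match scope."""
    stale = []
    for node in nodes:
        age = now - _parse_ts(node["last_event"])
        if age > max_age and _matches(node, host_globs, networks):
            stale.append(node["hostname"])
    return stale


if __name__ == "__main__":
    print("scoped to VDI :", recyclable(NODES, NOW, host_globs=("vdi-*",), networks=("10.50.0.0/16",)))
    print("default (all) :", recyclable(NODES, NOW))
```

Run as-is, the VDI-scoped call recycles only the two pool workstations that have been silent for hours, while the default scope also sweeps up `dc01`, which is exactly the case the matching parameters exist to prevent.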
...But Wait, There's More!
Import User-Defined Groups from CSV Files
A commonly requested feature is the ability to import a CSV file to populate a group automatically, rather than adding data elements by hand, and we've implemented it in this RC. From Build>Groups, go to (top right) Gear>Import, change the file type filter to "All File Types," and choose your CSV file. The format of the file is basically what you see in Build>Groups: the first line describes the group, and each following line is one element:
UDG, UDG Name, UDG Description
Element Name, Element Data, Element Description
Element 2 Name, Element 2 Data, Element 2 Description
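If you are generating these files from another system (an HR export, a ticketing query), it helps to validate them before handing them to the importer. The following is an added example, not LEM's importer, that parses and writes the layout shown above; it assumes ordinary CSV quoting rules and that blank lines are ignored, neither of which the post states, and the contractor-account sample is constructed for illustration.

```python
import csv
import io

# Constructed sample in the layout the post shows: the first row is the
# literal "UDG", the group name, and its description; every following row is
# one element (name, data, description). CSV quoting is assumed, not stated.
SAMPLE_CSV = """UDG, Contractor Accounts, Temporary contractor logins to watch
cjones, ACME\\cjones, Contractor - network team
svc_backup, ACME\\svc_backup, "Service account, backup vendor"

tmp-admin, ACME\\tmp-admin, Expires end of quarter
"""


def parse_udg_csv(text):
    """Parse a group file into {'name', 'description', 'elements': [...]}.

    Raises ValueError on a bad header or a row without exactly three fields,
    so a malformed file is rejected instead of quietly producing a group
    with missing or shifted element data."""
    group = None
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    for row in reader:
        fields = [f.strip() for f in row]
        if not any(fields):  # tolerate blank lines
            continue
        if group is None:
            if len(fields) != 3 or fields[0].upper() != "UDG":
                raise ValueError(f"line {reader.line_num}: expected 'UDG, name, description' header")
            group = {"name": fields[1], "description": fields[2], "elements": []}
            continue
        if len(fields) != 3:
            raise ValueError(f"line {reader.line_num}: expected 3 fields, got {len(fields)}")
        name, data, description = fields
        if not name or not data:
            raise ValueError(f"line {reader.line_num}: element name and data are required")
        group["elements"].append({"name": name, "data": data, "description": description})
    if group is None:
        raise ValueError("empty file: no UDG header row")
    return group


def write_udg_csv(group):
    """Inverse of parse_udg_csv: emit a file the parser accepts unchanged."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["UDG", group["name"], group["description"]])
    for element in group["elements"]:
        writer.writerow([element["name"], element["data"], element["description"]])
    return buf.getvalue()


def is_valid_udg_csv(text):
    """True if the file parses; use this as a pre-import gate."""
    try:
        parse_udg_csv(text)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    group = parse_udg_csv(SAMPLE_CSV)
    print(group["name"], "->", [e["name"] for e in group["elements"]])
    print(write_udg_csv(group))
```

Note that the description field with an embedded comma survives only because it is quoted; a naive `line.split(",")` would shift that element's fields and silently import bad data.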
Performance and Platform Improvements
We're investing time in improving things under the hood, too. With this release, we've done some heavy lifting in the correlation engine, updated our agent and appliance Java Runtime Environments, updated Tomcat, and made a lot of other somewhat invisible changes. For those of you who want to prevent an agent update from being pushed out automatically after the appliance upgrade, go to Manage>Nodes or Manage>Appliances and turn off Automatic Updates for specific nodes or globally before you upgrade.
We've also improved smaller things, like the performance of nDepth CSV export from the Console (the Console export is still capped at 250,000 records, so check out scheduled searches if you need more than that), added more information to our troubleshooting logs to help our support team help you faster, and a ton of other things.
New Connectors and Device Support
We'll provide a more complete list with the release notes, but the most notable addition is that we've included out of the box support for NetApp File Auditing. Most new connectors are released regularly with the connector download, but for NetApp auditing you'll need to upgrade your appliance and agent to the new release first.
Questions, Issues, Comments - Send 'em Our Way
Feel free to use the Security Event Manager (SEM) Release Candidate Thwack forum to report issues and post any questions or comments you have about this release. Our product management, development, and QA teams are keeping an eye out for any possible issues.
If you have a question about whether a case you've filed was resolved in this release or a certain feature request implemented, feel free to ping back on this post or in the RC forum and let me know - I'll be sure to look into it.