While Alert Central is no longer supported, SolarWinds does offer Pingdom as a great monitoring solution.
After SolarWinds acquired DNSstuff, we interviewed many long-standing, recent, and brand new customers to find out what they did with the site and where it was lacking. We heard loud and clear that Toolset - DNSstuff's toolbox of DNS, network, and mail troubleshooting tools - is where most people spend most of their time, but it was suffering from some long-standing usability issues. People reported:
We took your feedback to heart, came up with some new designs, reviewed them with some of those same customers, and went live with the first in a set of changes today. These changes look awesome, but more importantly they make Toolset easier to use.
We've separated the tools out into their relative categories in tabs, so you can narrow down to just the troubleshooting you're interested in.
Inline Collapsible Categories
Those same categories appear on the page, and you can expand/collapse different sections. Just hit the + or - to expand or collapse. You can also use the grab on the left (the dots) to move the sections around.
You'll also see inline links to SolarWinds tools or products that relate to each section.
Consistent Look & Feel
Each tool has:
What We Didn't Change
We have been addressing issues in each tool as we continue to receive feedback, but outside of those issues we did not make major changes to any tool or its output - just how they look on the page. You can still bookmark each tool's results page, the results pages are still formatted the same as they were before, and we didn't change MSTC, RBL Alerts, or Domain Doctor. You'll still need a (free trial) account to run the tools after a certain number of runs.
Here's a peek at where we're going from here with Toolset.
Favorites. In order to make it easy for you to find your most used tools, we're going to add a "favorites" section that lets you pin your frequently used tools to the top.
More page customization. We want you to be able to reorder items on the page, even customize a page theme, and store that in your user settings.
Multi-tools. Some customers frequently run groups of tools, and the new DNSstuff architecture makes it possible for us to present a "set" of tools that can be run together.
In addition, we'll keep working on issues you've reported.
We've put up a survey on SurveyMonkey related to the new Toolset features and what you'd like to see next. You can also post over on the DNSstuff forum here on Thwack, where product management, development, and support all respond to issues.
If you think you've encountered a bug or issue you can't work around (either with a specific tool or the site in general), or have an idea for a new DNSstuff tool or site feature that would really help you, post it over in the DNSstuff forum here on Thwack, too.
We've been developing our centralized IT alert management/escalation system for a while now (see: Say Goodbye to Your Pager: We’re working on a new, multi-vendor, centralized alert management product) and the good news is we're ready to welcome everyone who's interested in participating in the beta to do so. There's more info in this post, but if you already know you want in, visit the Alert Central website and sign up.
Alert Central is a product intended to help you get the right alerts to the right people at the right time. Core features include:
It's different from a helpdesk or ticket tracking system in that Alert Central's focus is on On Call management and escalation. When you need to wake someone up to deal with an issue, when you need to be sure that something is handled promptly, when something is affecting business or people, when an issue is time sensitive, it's a good candidate for Alert Central. When you're tracking ongoing issues, requests for help or new equipment, and things that aren't necessarily time-sensitive, a helpdesk system is a great fit (we happen to know of a good one - Web Help Desk).
Alert Central is deployed as a standalone virtual appliance, not an Orion module or add-on. Anyone can download and install it, and integrate it with SolarWinds and non-SolarWinds products alike. As long as your product sends emails and you want to route them to the right people, Alert Central will work for you.
You heard that right - Alert Central is free. Not just the beta. The product. Free. $0. Also zero in Euros, Canadian dollars, and all other currencies. Except maybe your feedback, that is a currency we really appreciate.
This handy infographic is a great visual of how Alert Central works (borrowed from the Alert Central website).
This video (humorously) shows you why Alert Central is awesome:
These 3 images are also a really good summary of the highlights and top features (also on the Alert Central website) - left side has feature callouts, right side high-res for the curious among you:
On Call Scheduling:
Easy! Go to the Alert Central website and click the big "Sign up for the beta" links. Be sure to check out the beta contest, the winner gets a pretty sweet trip to Austin.
Speaking of feedback... Take a look at the website, install the beta, give us your thoughts. Anything got you stumped? Think you ran into a bug? Think this is the best UI since Netscape Navigator busted open the web? Tell us what you think.
To report bugs, issues, confusion, or praise for the beta, use the Alert Central beta group on Thwack. There's an important post there with known issues that you should be sure to check first - Alert Central 1/2013 Beta Notes.
If you have a suggestion for something we didn't get in v1/beta that you think would make Alert Central even more awesome for you, please post (and vote) in the Ideas/Feature Requests area of the beta group. A shortcut: http://thwack.solarwinds.com/groups/alert-central-beta/content?filterID=content~objecttype~idea
Good news, everyone! Log & Event Manager 5.5 is now available for download. Existing customers under maintenance for both LEM and SIM can download the upgrade on the Customer Portal, and if you're not yet a LEM customer, download the evaluation from our product page and check it out. There's a ton of changes especially for new and evaluating customers that'll help you get started with LEM.
I'll keep this post relatively short and instead send you to the previous blog post for the release candidate that covers all of the new features in detail: Log & Event Manager 5.5 Release Candidate is Here!
If you're new to LEM, an evaluating customer, or want to try LEM but hesitated before, you should check out version 5.5 because:
If you've been a LEM (or SIM) customer for a while, you should check out version 5.5 because:
Here's a couple of quick screenshots of the new features, borrowed from the previous post:
Node Health: see when an agent - or device - last sent events; and Top 10 Users: see the most frequent usernames present in your events (check out the other top 10 widgets for rules, events, and nodes)
Connector Auto-Configuration/Discovery: quickly add new nodes and start receiving data without manual configuration steps:
New Default Filters: find what you're interested in faster, in categories that make sense and came straight from customers like you:
For customers, you can find the download by going to "Choose Download" next to LEM in the Customer Portal/License Management, then selecting to download "Upgrade Package for Virtual and Hardware Appliance (includes Appliance, Console & Reports Upgrades) v5.5.0" from the grid.
Questions about this release? Comments about a new feature? Post them here as a reply to this post or in our Thwack discussion space: Security Event Manager (SEM) - Formerly Log & Event Manager. Ideas for new features or want to put in your two cents on what you think we should do next? Post, vote, and comment over in our Thwack Ideas space: Security Event Manager Feature Requests.
In case you missed it, the Log & Event Manager team has recently rolled out new pricing related to monitoring workstation nodes. The goal of this addition is to make it much more affordable for you to monitor workstations together with your servers and network devices in LEM - or even by themselves, if you're solely workstation-minded. It's still the same LEM with the same features and functionality, this just makes it much more possible for you to extend your investment.
So, what does that really mean? What would you want to monitor from workstations? And, how do you do that with LEM?
Traditionally we focus a lot on servers, but realistically workstations are both an entry point to the network from a security perspective and a large population of systems that require maintenance. As you think about moving from reactive to proactive network, systems, and security management, workstations are a critical part of the enterprise.
From a security perspective, workstations do give you an entry point to the network, and can serve as a gateway to a veritable feast of data. Helpful: your customers and users can access the network quickly and easily from their system to do their jobs well. Not helpful: they have access to so much information and systems that they can also do some serious damage.
Things to monitor:
Monitoring log data from workstations can also grant you insight into the state of the system - if a user calls and complains about something not working correctly, the event log and recent history of activity can provide a lot of useful data.
Things to monitor:
Useful active responses and scenarios for workstations include:
In some cases, data specific to workstations is actually centralized at the server or network device, but you might not have thought about specifics of things to look for for workstations or endpoint issues. There's also some cool things you can do if you correlate activity across multiple sources.
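As an added illustration of the cross-source correlation described above, here is a small rule engine written for this page (it is not LEM code and does not use LEM's rule format) that runs over a handful of constructed Windows logon records as workstation agents and a domain controller might forward them (event 4625 = failed logon, 4624 = successful logon). The field names, thresholds, and time windows are this example's own assumptions. It shows two rules a workstation-minded team would want: a burst of failed logons followed by a success on one workstation, and one account logging on to several workstations in a short window. It also collapses the same logon reported by two sources, so a duplicate record is not counted as an extra attempt.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not LEM output). Each dict is one normalized
# Windows Security record. Field names (source, host, ts, event_id, user,
# workstation) are this example's own assumptions. Domain-controller records
# carry the originating workstation in "workstation".
SAMPLE_EVENTS = [
    {"source": "workstation", "host": "WS-07", "ts": "2012-10-01T08:00:05", "event_id": 4625, "user": "jdoe"},
    {"source": "workstation", "host": "WS-07", "ts": "2012-10-01T08:00:20", "event_id": 4625, "user": "jdoe"},
    # the same 08:00:20 failure as seen by the domain controller: a duplicate, not a fifth attempt
    {"source": "server", "host": "DC-01", "ts": "2012-10-01T08:00:20", "event_id": 4625, "user": "jdoe", "workstation": "WS-07"},
    {"source": "server", "host": "DC-01", "ts": "2012-10-01T08:00:35", "event_id": 4625, "user": "jdoe", "workstation": "WS-07"},
    {"source": "workstation", "host": "WS-07", "ts": "2012-10-01T08:00:50", "event_id": 4625, "user": "jdoe"},
    {"source": "workstation", "host": "WS-07", "ts": "2012-10-01T08:01:10", "event_id": 4624, "user": "jdoe"},
    {"source": "workstation", "host": "WS-11", "ts": "2012-10-01T08:02:00", "event_id": 4624, "user": "asmith"},
    {"source": "server", "host": "DC-01", "ts": "2012-10-01T08:05:00", "event_id": 4624, "user": "administrator", "workstation": "WS-01"},
    {"source": "workstation", "host": "WS-02", "ts": "2012-10-01T08:06:00", "event_id": 4624, "user": "administrator"},
    {"source": "server", "host": "DC-01", "ts": "2012-10-01T08:07:30", "event_id": 4624, "user": "administrator", "workstation": "WS-03"},
]


def origin(event):
    """The workstation an event is about: the agent's own host, or the
    workstation named in a domain controller's record."""
    return event.get("workstation", event["host"])


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def dedupe(events):
    """Collapse the same logon seen from two sources (agent and DC) into one
    record so a duplicate does not count as an extra attempt. Returns the
    unique records in time order (ISO timestamps sort lexically)."""
    unique = {}
    for e in events:
        unique.setdefault((e["ts"], origin(e), e["user"], e["event_id"]), e)
    return sorted(unique.values(), key=lambda e: e["ts"])


def failed_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Rule 1: on one workstation, at least `threshold` failed logons for an
    account followed by a successful logon for that account within `window`."""
    findings = []
    failures = defaultdict(list)  # (workstation, user) -> failure timestamps
    for e in dedupe(events):
        key = (origin(e), e["user"])
        t = parse_ts(e["ts"])
        if e["event_id"] == 4625:
            failures[key].append(t)
        elif e["event_id"] == 4624:
            recent = [f for f in failures[key] if t - f <= window]
            if len(recent) >= threshold:
                findings.append({"rule": "failed-then-success", "workstation": key[0],
                                 "user": key[1], "failures": len(recent), "at": e["ts"]})
            failures[key].clear()  # a success ends the burst either way
    return findings


def account_on_many_workstations(events, min_hosts=3, window=timedelta(minutes=10)):
    """Rule 2: one account with successful logons on at least `min_hosts`
    distinct workstations inside `window`, merging the workstations' own
    records with the domain controller's (which name the workstation)."""
    findings = []
    logons = defaultdict(list)  # user -> [(timestamp, workstation)]
    for e in dedupe(events):
        if e["event_id"] != 4624:
            continue
        t = parse_ts(e["ts"])
        logons[e["user"]].append((t, origin(e)))
        hosts = sorted({w for (ft, w) in logons[e["user"]] if t - ft <= window})
        if len(hosts) >= min_hosts:
            findings.append({"rule": "account-on-many-workstations", "user": e["user"],
                             "workstations": hosts, "at": e["ts"]})
            logons[e["user"]].clear()  # do not re-fire for the same burst
    return findings


if __name__ == "__main__":
    for finding in failed_then_success(SAMPLE_EVENTS) + account_on_many_workstations(SAMPLE_EVENTS):
        print(finding)
```

Run as-is it reports jdoe's four failures followed by a success on WS-07, and the administrator account appearing on WS-01, WS-02 and WS-03 within ten minutes. The dedupe step is the part people forget when the same logon reaches the SIEM from both the endpoint and the domain controller; without it, a threshold rule fires early.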
If you want to be alerted when above activity occurs (via e-mail) or automatically respond to the workstation, you need to go to Rules (Build>Rules). Most of the items above are really good candidates for rules. Other areas to look in will be:
If you want to search for activity that has occurred based on a workstation's name and/or IP address, you want to go to nDepth (Explore>nDepth).
If you want to monitor workstations in real time, you can use the widgets in Ops Center to view trends and anomalies, and you can use filters in Monitor to, well, monitor for different categories of activity. Good candidates for filters are things like:
The recent thwackCamp 2012 presentation on the Top 10 Things Logs Can Do for You might have some additional ideas to help spark your creativity in monitoring workstations and your enterprise holistically with LEM.
What about you? Do you monitor workstations? Is there anything you'd like to monitor but aren't sure how? Haven't heard about LEM Workstation Edition and want to know more about what it means? Drop a comment here or feel free to start your own discussion thread over in the Security Event Manager (SEM) - Formerly Log & Event Manager space.
While we're on the topic, here's some other good stuff for workstations that will help extend what you get with LEM even further:
It's been a busy week or two here at SolarWinds, another release candidate is heading your way. I know, I know, you're as excited as when the new phonebooks came and your name was in print!
In true "You Asked, We Listened" style, Log & Event Manager (LEM) 5.5 is going to be a release focused almost entirely on YOUR feedback. We did a ton of customer interviews, Q&A, and show and tell, and have been tracking your feedback on Thwack and support cases. We took the top few items and we decided to get something into your hands sooner rather than later.
We heard from you that you wanted it to be fast and easy to discover issues, spot trends, and have dashboards that mix real-time data with other information. What we've done is add new default widgets that let you spot trends and trouble faster by monitoring the most common things - nodes on your network, users, and events - in a more Top 10 and health-oriented way. We've added 5 new widgets that are right up your alley. In no particular order...
Node Health: sometimes it's most useful to know that a node HASN'T sent you data lately. Maybe a remote site dropped off the map, your firewall configuration disabled logging, or something's not quite right. The Node Health widget shows you a summary of node status, when the last event was received from that node, and any version/OS information we might have (from agents).
Top 10 Events, Users by # of Events, Nodes by # of Events, and Rules by # of Rules Fired: these widgets surface information about frequency of events in the big picture, helping you spot trends and potential anomalies. Use the Top 10 widgets to see your most common type of event (filterable by different general types/groups of events), usernames that appear most frequently across events, nodes that appear most frequently across events, and rules that are being most frequently triggered. These will help you spot items at the top that shouldn't be (why is "administrator" logging on so frequently?), sudden spikes in data (why is my server suddenly generating the most events?), and unexpected high severity events (security issues, scans, or suspicious activity).
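As an added example of what the Node Health and Top 10 widgets compute, here is a small script written for this page (not LEM code) over a constructed set of events. The field names, the inventory of expected nodes, and the one-hour silence threshold are this example's assumptions. The point worth seeing in code is the edge case the Node Health widget exists for: a node that has gone quiet, and a node in your inventory that has never sent anything at all, neither of which shows up in any per-event view.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (not LEM data). Field names are this example's
# assumptions: node, ts, user, kind (a coarse event group). "-" marks events
# with no user, such as firewall connection records.
SAMPLE_EVENTS = [
    {"node": "fw-edge", "ts": "2012-10-01T11:55:00", "user": "-", "kind": "firewall"},
    {"node": "fw-edge", "ts": "2012-10-01T11:58:00", "user": "-", "kind": "firewall"},
    {"node": "dc-01", "ts": "2012-10-01T11:50:00", "user": "administrator", "kind": "logon"},
    {"node": "dc-01", "ts": "2012-10-01T11:40:00", "user": "administrator", "kind": "logon"},
    {"node": "dc-01", "ts": "2012-10-01T11:30:00", "user": "administrator", "kind": "logon"},
    {"node": "dc-01", "ts": "2012-10-01T11:20:00", "user": "jdoe", "kind": "logon"},
    {"node": "dc-01", "ts": "2012-10-01T11:10:00", "user": "administrator", "kind": "change"},
    {"node": "ws-07", "ts": "2012-10-01T09:30:00", "user": "administrator", "kind": "logon"},
    {"node": "ws-07", "ts": "2012-10-01T09:00:00", "user": "jdoe", "kind": "logon"},
    {"node": "ws-07", "ts": "2012-10-01T08:50:00", "user": "svc-backup", "kind": "process"},
]
# The inventory of nodes you expect to hear from (an assumption for this
# example); branch-rtr has never sent anything.
KNOWN_NODES = {"fw-edge", "dc-01", "ws-07", "branch-rtr"}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def last_seen(events):
    """Most recent event time per node."""
    seen = {}
    for e in events:
        t = parse_ts(e["ts"])
        if e["node"] not in seen or t > seen[e["node"]]:
            seen[e["node"]] = t
    return seen


def node_health(events, known_nodes, now, max_silence=timedelta(hours=1)):
    """One row per node: last event time and a status. Nodes in the inventory
    with no events at all get status "never"; a node that used to report but
    has gone quiet for longer than max_silence gets "silent". `now` is an
    ISO timestamp string so callers do not need datetime themselves."""
    now = parse_ts(now)
    seen = last_seen(events)
    rows = []
    for node in sorted(known_nodes | set(seen)):
        last = seen.get(node)
        if last is None:
            status = "never"
        elif now - last > max_silence:
            status = "silent"
        else:
            status = "ok"
        rows.append({"node": node,
                     "last_seen": None if last is None else last.isoformat(),
                     "status": status})
    return rows


def top_n(events, field, n=10, kind=None):
    """Top-N values of `field` by event count, optionally restricted to one
    event group, the way the Top 10 widgets can be filtered by event type."""
    counts = Counter(e[field] for e in events if kind is None or e["kind"] == kind)
    return counts.most_common(n)


if __name__ == "__main__":
    for row in node_health(SAMPLE_EVENTS, KNOWN_NODES, "2012-10-01T12:00:00"):
        print(row)
    print("top nodes:", top_n(SAMPLE_EVENTS, "node"))
    print("top logon users:", top_n(SAMPLE_EVENTS, "user", kind="logon"))
```

With "now" at 12:00, ws-07 (last event 09:30) is reported silent and branch-rtr as never seen, while the top-N output shows that "administrator" dominates logon events, which is exactly the "why is administrator logging on so frequently?" question the paragraph above raises.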
We're starting to pull pieces together to speed up the common patterns our customers follow when investigating problems. The new Health and Top 10 widgets mentioned above follow a new drill-down pattern that we're introducing on the dashboard: clicking through combines related information into new dashboards. The Node Details and User Details dashboards show a summary of the node or user and all events related to that node or user name.
If you've spotted an unexpected trend with a user (say, "Administrator" really is coming up a bunch and you don't know why), click on that user from the Top 10 Users widget to see detail associated with them, and most importantly their most recent events to help troubleshoot the "why". Refine the chart further to find out only certain types of data (say, only changes related to "Administrator" - changes they are making or made to them).
Similarly, if you've spotted a server generating an unexpected amount of error or warning traffic, you might want to check out the last 10 minutes of events to see if there's any commonalities.
Thanks to some great suggestions from you, our support team, and our sales engineering team, we've found a way to make configuring new devices much simpler with some automated configuration. Instead of having to manually configure a connector to match your syslog device up to our connectors, we've made it possible for you to enable syslog (or SNMP trap) forwarding to the appliance and push a button to add the node. But wait, there's more! We've also made it possible for you to scan on-demand for ANY new data, in case you're not sure how many devices or what types have been configured. You'll find these new buttons in Ops Center in the new Node Health widget and in Manage > Nodes.
If a scan is going to take a while, you'll see a notification and the scan will get backgrounded. When new nodes are found, you'll see a handy notification:
When you click the "View Now" you'll be taken to the discovery/scan results, and you have a chance to confirm that you'd like to add new connectors to monitor the detected sources. This summary presents you information about what IP address was generating the data and what vendor/connector will be configured:
After you confirm, magic happens and these connectors are automatically hooked up to those log sources. Note: You won't see new nodes appear until data appears. In the example above, I won't see data from 10.199.19.250 for "Checkpoint Edge-X" until that IP address sends me more data. Nodes appear with the data, but we scan historical data to do the discovery magic. As those nodes appear, you'll see the yellow notification appear with a confirmation as to which IP addresses are now sending data.
Also handy, when new nodes appear for existing connectors, you'll get the same notification that tells you what's happened. This happens if you've already got a connector configured for, say, a Cisco firewall, and you start logging another Cisco firewall to the same facility. You don't need to configure another connector, but LEM will let you know something new is now sending you data.
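As an added example of the discovery logic the scan performs, here is a small fingerprinting script written for this page (not LEM code; the patterns are this example's own illustrative assumptions, not LEM's connector definitions) that groups already-received syslog messages by sender IP, votes on a connector type per sender, and then splits senders the way the scan results above do: senders already configured (no duplicate), new devices for an existing connector, new connectors, and senders nothing recognizes. The sample messages and addresses are constructed.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Illustrative message fingerprints (assumptions for this example). Order
# matters: the generic Cisco IOS pattern would also match an ASA message, so
# the more specific ASA pattern is tried first.
FINGERPRINTS = [
    ("Cisco ASA", re.compile(r"%ASA-\d-\d{6}:")),
    ("Cisco IOS", re.compile(r"%[A-Z0-9_]+-\d-[A-Z0-9_]+:")),
    ("Linux sshd", re.compile(r"\bsshd\[\d+\]:")),
]

# Constructed sample of what the collector has already received, as
# (sender IP, message) pairs.
RECEIVED = [
    ("10.0.0.1", "%ASA-6-302013: Built outbound TCP connection 4411 for outside:203.0.113.5/443 to inside:10.0.0.77/51020"),
    ("10.0.0.1", "%ASA-6-302014: Teardown TCP connection 4411 for outside:203.0.113.5/443 to inside:10.0.0.77/51020 duration 0:00:02 bytes 3122 TCP FINs"),
    ("10.0.0.2", '%ASA-4-106023: Deny tcp src outside:198.51.100.7/4432 dst inside:10.0.0.77/445 by access-group "outside_in"'),
    ("10.0.0.5", "%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down"),
    ("10.0.0.9", "sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 4432 ssh2"),
    ("10.0.0.9", "sshd[1234]: Connection closed by 198.51.100.7 [preauth]"),
    ("10.0.0.20", "appsvc: license check ok"),
]

# Connectors already configured before the scan (an assumption for this
# example): one ASA connector, currently fed by 10.0.0.1.
EXISTING = {"Cisco ASA": {"10.0.0.1"}}


def fingerprint(message):
    """Name of the first fingerprint that matches the message, or None."""
    for name, pattern in FINGERPRINTS:
        if pattern.search(message):
            return name
    return None


def classify_senders(received):
    """Majority-vote connector type per sender IP. A sender whose messages
    mostly match nothing stays None rather than being guessed."""
    votes = defaultdict(Counter)
    for ip, message in received:
        votes[ip][fingerprint(message)] += 1
    return {ip: counter.most_common(1)[0][0] for ip, counter in votes.items()}


def discover(received, existing):
    """Split senders into what the scan should propose. Senders already
    attached to their connector are left alone so no duplicate is created."""
    plan = {"new_connectors": [], "new_nodes": [], "already_configured": [], "unrecognized": []}
    senders = classify_senders(received)
    for ip in sorted(senders, key=ipaddress.ip_address):
        name = senders[ip]
        if name is None:
            plan["unrecognized"].append(ip)
        elif ip in existing.get(name, set()):
            plan["already_configured"].append((ip, name))
        elif name in existing:
            plan["new_nodes"].append((ip, name))  # connector exists, a new device is using it
        else:
            plan["new_connectors"].append((ip, name))
    return plan


if __name__ == "__main__":
    for bucket, items in discover(RECEIVED, EXISTING).items():
        print(bucket, items)
```

For the sample above, 10.0.0.2 is reported as a second device on the existing ASA connector (the case the paragraph above describes), 10.0.0.5 and 10.0.0.9 need new connectors, 10.0.0.1 is left untouched, and 10.0.0.20 is flagged rather than guessed. Matching on a representative message rather than one line is what keeps a device that occasionally emits an odd message from being misclassified.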
A few other things you'll notice:
We didn't touch your existing filters or dashboard configuration, we didn't want to mess with your feng shui (or your "zen thing, man"). You can always add the new dashboard widgets to Ops Center by going to Ops Center's "Widget Manager" and perusing the "Additional Widgets" section. For filters, if you're interested in the new defaults, the easiest thing to do is create a new user and check them out to see if you're interested. We can either help wipe out your existing settings and revert to the default, or you can export/import only the stuff that looks good.
If you've got existing connectors already configured and want to try out the new connector discovery scan workflows, no worries. Anything you've already got configured will stick around and we won't configure duplicates. A very small number of you who had connectors configured for /var/log/messages or /var/log/syslog will want to run the new node scan after upgrading to pick up the new default configurations.
Lastly, you'll notice in some places where you had items that said "Alert" they now say "Event". We avoided changing some things (like filter names and descriptions), but others (like groups) will be updated.
All LEM and SIM customers under active maintenance can download the 5.5 RC by going to the Customer Portal and clicking "Choose Download" next to the RC. If you want to deploy a new system, use the new installers. If you'd like to upgrade, download the upgrade, and be SURE to check out the instructions (you'll need to extract it to a share - generally the root of a share is safest - and then go to the virtual console or SSH to get it installed).
To give us feedback, join the Security Event Manager (SEM) Release Candidate group on Thwack. What do you think about the new widgets? Are there more you'd like to add? How's automated configuration treating you? Anything we missed or is confusing? Would you like to know more!?
Several SolarWinds products can help with various areas of the Payment Card Industry (PCI) Data Security Standard (DSS) requirements. The purpose of the PCI DSS is to set a baseline of minimum security for any merchant or service provider that stores, processes, or transmits cardholder data. This is good for the consumer as it (theoretically) institutes best practices that reduce the risk of a breach exposing their data, making PCI-compliant vendors less likely to put you and me at risk of identity theft that way. It's good for IT shops because it has historically been difficult to get IT budget for security and privacy initiatives, even when you know they are the right thing to do. PCI is also an ongoing cost for IT, though, because many of the controls are not one-time checkboxes; they are continuous mandates that help you stay out of the headlines.
The PCI DSS is broken down into several sections. These sections cover everything from physical security requirements to secure IT implementation to scanning and monitoring.
NCM is a network configuration management system that provides auditing of network device policies and changes, and allows you to institute change management procedures (including approvals) around device changes. More info about NCM's features as they apply to PCI compliance can be found here, but here are the specific items it can help with:
NCM provides specific reports for PCI compliance to make it easy to audit configuration settings and changes.
Patch Manager provides integration with native Windows patching technology (WSUS/SCCM) AND provides built-in third-party application patching. More info on Patch Manager's features can be found here, but here are the specific items it can help with:
Serv-U MFT provides the ability to ensure the security of transferred files, supporting configurations that keep your sensitive data from hanging out in the wild. If you use file transfer when it comes to cardholder data, Serv-U is for you. More detail is available here on the Serv-U site: Serv-U FTP Server PCI Compliance, but here are the specific items it can help with:
SolarWinds LEM is a Security Information & Event Management (SIEM) and Log Management system that provides capabilities around log collection, real-time correlation/notification/response, flexible and extensive historical search, compliance reporting, and some endpoint security. More info about LEM's features as they apply to PCI compliance can be found here, but here are the specific items it can help with:
LEM provides extensive audit log reporting capabilities for all of the collected log data, whether it's for auditing compliance with any of the standards mentioned above, or the specific items mentioned in 10.6.
No. SolarWinds products do not capture credit card data directly, provide access to card data directly, or authenticate card data directly. Products that are "in scope" for PCI compliance themselves would include things like databases, file servers, firewalls and routers used for networks that store or access cardholder data, and user accounts used to directly access cardholder data. Our management products are used to meet specific PCI requirements at what you could think of as a meta level - they aren't providing the cardholder data, they are providing information about access to the cardholder data, networks, and systems.
For LEM, when we collect audit trail data, this data does not include cardholder data, again, only information about access to cardholder data. With NCM, you can approve/modify firewall configurations, but we are not collecting or reviewing network traffic. With other products that monitor or live on the network (like NPM and NTA), we are, again, not collecting or storing actual network traffic that may contain cardholder data, only information ABOUT network traffic. With SAM, we are similarly monitoring system activity, but not directly related to cardholder data itself. With SEUM, your recorded transactions contain the data you choose to submit, which would not be customer cardholder data that they may be submitting to the same site (if you're testing performance on a form related to card number submission). Patch Manager can inform you of missing patches or the state of patching of a system that stores or accesses cardholder data, but never accesses the system for any purpose other than patching.
Requirements such as default user accounts, SNMP communities, and audit trails are often general security best practices. Some of them can be applied to SolarWinds products, others can't. The answer is a solid "it depends."
Specific configuration changes we've been asked about:
Most of the changes in PCI DSS v3.0 don't affect your SolarWinds implementations, and product changes were not necessary though your implementation and processes might need to be tweaked. Notable changes that can apply to SolarWinds products:
If you've got questions about how SolarWinds products are used for PCI, what specific reports or features to look for, or how to implement any of the best practices security configurations, leave them in the comments. I'll update this page with any other common questions we get related to PCI configuration and can direct link any features if that's helpful.
For those of you who have been following our On Call Alert Management developments, we've been soliciting your feedback on several topics, which will continue for the next few weeks. As a new product that a lot of customers are really excited about, we want to make sure it hits the mark on all fronts - from what to name the product to its featureset and deployment.
So, about that deployment. Here at SolarWinds we have a large number of products that are deployed as software that you install on a Windows OS, some of which are built on the Orion platform. We also have another set of products that are deployed as virtual appliances, deployed to a VMware ESX/ESXi or Microsoft Hyper-V virtual server. Centralized On Call/Alert Management is something that everyone can benefit from and will be provided as a standalone product, but we recognize a lot of you are coming from the Orion platform products and may have experiences and opinions that sway you for or against software or virtual deployments.
Bottom line: we want to know your thoughts. If we deployed as a virtual appliance, would that make you more or less likely to evaluate? Is there something about deploying software (or Orion products) that you'd sorely miss with a virtual appliance? Or, is a virtual appliance like a load off your back, a system you don't have to configure and maintain? If you've deployed other virtual appliances, what did you love or hate? Any concerns you feel we'll need to alleviate?
First, go vote in this poll and tell us how comfortable you are with virtual appliances - be honest, it really helps: Deploying Virtual Appliances
Then, if you've got more to add about your preference for a virtual appliance, Orion, or other style software deployment when it comes to Centralized On Call/Alert Management in particular, comment in this thread (or in the poll, we'll read them both).
More opportunities for feedback are coming soon! This truly is a software for the people, by the people kind of process.
Last night, we rolled out a significant update to the DNSstuff site infrastructure. These changes are mostly behind the scenes, but represent something that has been under development for quite some time. Before reporting any issues with the site, be sure to read on about what's new, any issues we're already aware of, and what we're working on next.
NOTE: This post was last updated to reflect current issues on September 28, 2012 at 5:00 PM Central Time.
The biggest change you'll notice is in Professional Toolset. We've completely revamped the backend of Professional Toolset to be a shiny, new platform that provides us the opportunity for future tool and feature development. (More on that in a bit...)
All of the results pages have been reformatted so that output that was mostly cumbersome to wade through now lets you quickly identify the key results and values from the different tools and tests. Our development and user interface teams looked for ways to highlight important information, organize results more clearly, format key-value pairs consistently, and make other improvements to each page's results.
With the migration came the addition of some new tools, including one new free tool.
DNSstuff has been migrated to a different site infrastructure/hosting environment, which affords for better redundancy, management, and monitoring functionality than before. Several tools also rely on these multiple points of redundancy to offer better and more accurate results. Some tools, like Mail Server Test Center, RBL Alerts, and Domain Doctor have not yet been migrated to the new infrastructure, but in coming months will be.
Customers of the old DNS Alerts service should have received both an e-mail and a popup notification recently letting them know that with this migration, we had to phase out support for the old service. Customers of DNS Alerts have long been entitled to Domain Doctor subscriptions, we've just made it official. Based on our records, some people may have still been using the DNS Alerts tool up to the last week, if you didn't get a chance to migrate your alerts and need help, let us know and we'll work with you to sort it out.
As with all new websites or versions of software, we're aware there are going to be some growing pains with the site. If you've got a feature that you used that was removed, a feature that you'd like to see added, let us know here. If you are having issues with any tool, including results that differ from the previous version or what you'd expect, please be sure to report them to technical support. If you have any account issues (accessing the site, purchasing new tools), please report those to support as well.
Here's what we're currently aware of that falls into the features and changes department:
There are still a few outstanding situations where DNS Report may return unexpected results. We've resolved a lot of them, but what you might still see includes: sometimes MX tests pull in MX records for the parent domain; sometimes DNSSEC records don't appear even though they exist on the domain; in very few cases MX records do not appear even though they exist; SPF records are shown for every DNS server in your domain but do not show which server the displayed SPF record came from.
Several people have commented that they prefer the old format of DNS Report. You asked, we listened. We put up an even better version of DNS Report that incorporated a ton of your feedback about what you do and why you need it. Check it out and if you've got more comments, be sure to post here: DNS Report Feedback & Thoughts! There's still work to be done in the detail of results, so we're still listening.
Thanks to customer input, we've dug into the "Sorry,..." messages presented sometimes on results pages. We've determined sometimes these errors are somewhat legitimate (i.e. an A record doesn't exist for a domain, so we can't display results), but the information you get back is clearly not helpful. We're going to fix this so that you get appropriate feedback when something goes wrong, and only see the other message when something unexpected happens. If you aren't sure which case your error message falls into, please continue to report it to our support team. You'll see "Sorry, but these probably aren't the results you're looking for" or "We're sorry, but we're unable to execute your request." Provide the "Test ID" value either in your Thwack post or your support case, that will help us track down where the issue is coming from. We're going to be adding better error reporting in an upcoming site update to help differentiate these cases.
We discovered an issue with SRV records that requires some development effort on our end to resolve. We're working on a resolution. As a workaround, if you use the "dig" or "raw" results formats instead of "pretty" in DNS lookup you should see expected results.
We've added some additional RBL sources to the Professional Toolset's Spam Database Lookup Tool that haven't yet propagated back to RBL Alerts. We're adding these into RBL Alerts as well to make the results a little more complete and consistent.
Here's some of the stuff we're working on (other than the issues above) in the coming weeks and months. Disclaimer: this is not a commitment to release these features on any specific timeframe, this is just intended as a guide to our general priorities.
We're super excited about this one. We're going to revamp the old and busted DNSstuff Professional Toolset page with some New Hotness that's much easier to navigate. Down the road, this will let us add functionality like favorites (so you can "pin" your most used tools) and multi-tools (tools that run a series of tools, so you don't have to run multiple individual tools to perform a series of troubleshooting steps).
You probably noticed that a lot of our new Professional Toolset tools are mail-oriented. Our goal is to combine the functionality of Mail Server Test Center with Professional Toolset so that you have a one-stop shop for all testing. We'll break out the mail-specific tools into their own area so they are easy to find and use.
We couldn't revamp Professional Toolset without looking at the rest of the site, so that's what we're going to do. We want to build a site that you want to visit, so we're going to look at the things that interest you and how best to present them.
We'll be migrating RBL Alerts and Domain Doctor over to the new site infrastructure. This should improve the stability and management of these platforms, similar to what we did with Professional Toolset.
We've spent some time talking to customers, gathering feedback via surveys, and generally thinking about what's interesting and good for DNSstuff, but if you've got something we missed on the new site, an issue that you've been itching to see addressed, or thoughts on what tools, content, or other features you'd like to see, send them my way!
Disclaimer: this is not a commitment to a timeframe or delivery of any of the features discussed below. This is also not a commitment to deliver all of these features in our next release. This post is intended to give you a rough idea of what we're doing.
Whether you call it Log & Event Management or Security Information/Event Management (SIEM), there are a lot of moving parts to getting the most value out of your investment. We want to make it faster for you to get to the information that's useful, whether it's the first time you're setting up LEM or you need to add something after the fact. Areas that we're looking into include:
We've had a lot of great LEM feedback around navigating different areas of the system and are going to make some significant improvements so you can get useful insight out of your data faster. Things we're improving include:
We've talked to teams that approach LEM from a security need perspective, and teams that approach LEM more operationally with security as either a secondary or separate issue. A lot of the features you see listed above were created with an eye to one or both teams.
For the security teams:
For the more operationally minded:
Some other things that are brewing here in the LEM kitchen are:
If you've got questions or ideas about how a particular feature would be most useful, or want to take part in a release candidate or beta or any of these features, feel free to comment.
Make sure to file a feature request over in our Security Event Manager Feature Requests forum if you don't see your request. If someone else already posted it, please add your comments so we know there's interest in a particular feature or issue!
In case you missed Brandon's post on the Blog, the title says it all: Say Goodbye to Your Pager: We're working on a new, multi-vendor, centralized alert management product. We also need YOUR feedback about what devices you're using, how you manage alerts, and what you're interested in seeing with an alert management product.
The Cliff's Notes version of Alert Management is that you submit your alerts from various products to this system and it crunches the numbers against who is On Call and which group needs to address issues of that type to make sure the right person gets the hot potato. If the first person can't help or doesn't respond, it'll automatically escalate to the next person, or they can reassign to the group or person who might be better suited to help.
We're looking for everything from demographic info (how big is your team?) to how you'd like to receive alerts (smart phone? analog pager with a 4343 at the end for a good laugh? mobile app? just email?) to any thoughts you might have on the subject. We're all about building products for real IT folks, and Thwack is full of you! Those who fill out the whole survey and provide a little contact info will be entered in a drawing for a couple Amazon gift certs.
Here's the link to the survey over on SurveyMonkey: Centralized Alert Management Survey
Microsoft has taken to increasing the complexity of some of their product auditing functions, starting with Exchange and SharePoint's auditing implementations in the 2010 versions. Gone are the days of simple configurations to log to the event log; these are the days of audit tables, databases, and API calls. This makes things difficult if you're someone who is moving content to SharePoint, already has content in SharePoint, or is looking to move toward SharePoint, and who has audit or regulatory requirements. We've had a LOT of requests for SharePoint auditing and rather than build something, we've chosen to leave it to the experts.
In case you missed our Unveil SharePoint’s Audit Logs webinar (links to the slides in this post), we've partnered with the fine folks over at the Monterey Technology Group to become one of their SIEM partners with LOGbinder SP, a super useful SharePoint auditing utility. These are the same experts who are also responsible for bringing you Ultimate Windows Security - a site you should surely check out if you're interested in Windows event logs, auditing, and security.
Use LOGbinder SP for:
Use LEM with LOGbinder for:
I just uploaded some rules, filters, and reports for LOGbinder over on the Content Exchange that provide everything you need to get going on the LEM side. There's an integration guide in the Zip file that explains how to install the files, which are all tailored to the LOGbinder SP event log data. You will need an agent installed on your SharePoint+LOGbinder system and either LEM version 5.4 or the latest product connectors installed; then it's just a matter of following the guide to get set up and start monitoring.
We're pretty excited about our latest Log & Event Manager release, version 5.4. We've packed a ton of good stuff in this release in typical SolarWinds "You Asked, We Listened" fashion. You can check out the Release Notes for all the details, but here's the slightly more descriptive version. For those of you curious about the picture, it's a shot of the first piloted Mercury spacecraft (just a little less roomy than the Love Boat, only room for a ship's complement of 5).
We've spent a little time improving our virtual appliance support after tons of great customer feedback. With this release we officially support Hyper-V 2008 R2 and have provided an evaluation download just for Hyper-V.
In addition, we've expanded our migration & restoration capabilities (for both hardware and virtual appliance customers), should you find yourself in the situation where you need to:
There's a great KB documenting the appliance migration process: SolarWinds Knowledge Base :: How to import settings from a SIM or LEM appliance backup to another appliance
Lastly, we've made it possible to expand the virtual appliance beyond the default 250G, by popular demand. You'll find those instructions in yet another awesome KB: SolarWinds Knowledge Base :: How to resize a LEM virtual appliance
As we've had our Flex/AIR console in the wild for over 2 years now, we heard from a lot of people who really wanted to run it in the browser. As a part of the SolarWinds family, we've heard this even more, and we put it at the top of our list for this release.
There are only a few differences between the two, related to importing/exporting settings, file operation dialogs, popups, and things that in the desktop console are in a separate window; otherwise they are functionally identical. We haven't ended support for the desktop console (and we've included it in the upgrade for those of you that already have it), but response from the RC was that even long-time desktop console users were pretty happy with the move to the browser. Customers interested in moving to the browser-based console from the desktop console should upgrade their desktop console to the new version, Export their desktop settings (all of them!) from Manage > Appliances (gear on the far right), then Import them into the web console from Manage > Appliances (gear on the far right).
Make sure you're running a supported browser AND Flash version BEFORE launching the console; there's some misbehavior with older versions of some browsers and Flash. We officially support:
For those of you with NPM, SAM, or other Orion-based products, you can add the LEM console as an External Website view and have them all in one browser tab/window.
For those of you tired of managing dedicated accounts for your LEM users, we can now pull in those users (or groups) from AD and use them rather than requiring you to manage both places independently. I blogged on this one pretty extensively in the RC Post and there's some instructions/notes on it in the KB: SolarWinds Knowledge Base :: How to create LEM console users with domain credentials.
We've added a new notification to LEM - Send SNMP Trap - to let you correlate data in LEM and pass that on to other systems. We've also added a connector that is designed to gather data generated from NPM, SAM, and Virtualization Manager and present it to you in LEM, so you can correlate and monitor that activity in the context of your other systems & event log data.
Some examples of how this is useful:
There's setup details on this one in the previous RC Post, too.
We've spent a lot of time listening to customers who have had to spend time wrapping their brain around LEM as a pretty flexible, but naturally complex, system. For a lot of people, this is the first time you're seeing all your log data consolidated in one place and it feels a little (or a lot) overwhelming. Rest assured, you're not alone. We've done our best to add new content that we think will really help.
The first place you want to stop: our new Introductory (SHORT) Videos. These videos are meant to help you understand LEM, identify common tasks and tips, walk you through an example or two end-to-end, and help you decide when to choose one part of the system (or method) over another. Each one is around 5 minutes long. For those of you who want more details, we go through a TON of examples and all of the parts of the system in our Advanced Videos/Tutorials (best enumerated here on Thwack), but those can run more like 20 minutes.
We've also been cooking up a new User Guide (HTML) that has really useful content in it. The "Leveraging" sections will help you implement LEM for common tasks. There's a lot of good troubleshooting content we added based on YOUR feedback, and our InfoDev team did a complete restructure of the organization of the manual - losing 200 pages in the process (more effective than any diet, for sure!).
There are a bunch of specific issues resolved that are noted in the Release Notes. Included in them are:
We'd like to send a shout out to all of our RC participants - your feedback helped us tie the bow on top of a great release. For anyone who has additional feedback, feel free to post here on the forums or contact me directly.
As always, be sure to check out the Release Notes. There's also some detailed tips (noted above) about implementing several of our new features in the recent Log & Event Manager 5.4 RC Available blog, and be sure to check out the hot off the presses User Guide (HTML) also.
Everyone in the IT industry seems to talk about log and event management, but what makes it so important? Is it really something we need to be concerned about? Join SolarWinds Geeks (a.k.a. Sales Engineers) Chris Jeffreys (chris.jeffreys) and Rob Johnson, as they discuss the importance of log and event management, why it is so vital, pitfalls we’re likely to encounter and some possible solutions available in SolarWinds Log and Event Manager 5.4. Topics to be covered include:
This session will discuss the importance of Log and Event Management, what needs to be done and how we can do it.
This 60 minute FREE webcast will be offered at three times to accommodate different global regions. Click on "Register Now" to sign up!
North America/Latin America: Tuesday, May 08, 2012, 11:00 a.m. CST
Thursday, 10 May 2012, 11:00 a.m. Singapore
Thursday, 10 May 2012, 2:00 p.m. London
In case you missed it in our Log & Event Manager Release Roundup: Latest News post, the next release of LEM is now in Release Candidate status. You can join up by filling out the survey over on SurveyMonkey, I'll provision it to your Customer Portal and you can get crackin' on the new features.
The "theme" of this release is flexibility - extending the flexibility of your LEM deployment within your organization. We've added several features that make LEM more flexible to deploy, implement, and integrate into your environment.
We've added the ability to deploy our virtual appliance on Hyper-V (instead of just VMware). It's got the same disk/CPU/RAM requirements (250GB disk, at least one 2GHz core, preferably 2+, and 8GB of dedicated RAM) and the same ease of installation.
On all appliances, we've added the ability to export/import/migrate your appliance settings. This is useful in several different ways:
For customers interested in either Hyper-V deployments or the appliance migration functionality, we've got new documentation we can provide that includes extra details if you need them.
We've had a lot of requests to not run the LEM Console in AIR, and instead run it in the browser. Good news - we did just that! For the most part, this Console is identical to the AIR console, and you can import/export your settings from your existing AIR install into the web and vice-versa. The browser-based Console does require Flash 11.
To access the LEM console after upgrading, just head to https://<your manager's IP or name>/ and it'll redirect you to the right port and URL. The full URL is actually https://<your manager's IP or name>:8443/lem/ but we put in a couple handy redirects to make it Just Work(tm).
Your settings will now be stored on the manager you're accessing in the URL, so wherever you log in, you'll see the same filters, widgets, saved searches, and customized configuration settings.
Tips & Notes:
As a bonus management feature, we've added the ability for you to authenticate to LEM via Active Directory (not just a LEM built-in user). You can add AD Groups or individual AD Users and assign them to a LEM Role, then the authentication works like magic.
First, configure the "Directory Service Query" inside of LEM to authenticate to the directory:
Next, add users in LEM that you want to authenticate with the directory:
A few important notes:
In LEM 5.4, we've added new connectors to receive data from NPM/SAM and Virtualization Manager. Set up your alerts in the Alert Manager (or via Virtualization Manager's Console) to send to LEM, and use LEM to correlate those events with other events across your enterprise, perform root-cause analysis of problems across systems, and use LEM's active responses to triage or respond to issues.
Some examples of awesome ways you can use the systems together:
To send data from NPM/SAM/Virtualization Manager to LEM, first on the LEM side:
On the NPM/SAM side, use Alert Manager to enable SNMP alerts for different settings. For more information on setting up alerts with SAM, check out the "Creating Alerts" section in the SAM User Guide. For more information on setting up alerts with NPM, check out the "Creating & Managing Alerts" section in the NPM User Guide. For more information on setting up alerts with Virtualization Manager, check out the "Alerts" section in the Virtualization Manager User Guide.
We've also added the ability to send SNMP traps to other systems, including NPM/SAM, so that you can correlate data in LEM and notify other departments, systems, and people, via the infrastructure you've already got set up.
Some examples of how this is useful:
To use the SNMP notifications in LEM, first you'll need to enable the SNMP response tool/connector, then you'll need to add the SNMP notification to any rules you want to pass on to another system.
At this point, when your rule fires, the SNMP Trap will be sent on to the server you specified. In SAM/NPM, you can view this in the SNMP Traps area of the console.
If you join the RC, be sure to check out the Log & Event Manager RC group here on thwack. We'll put up any known issues there and are happy to answer questions about the RC or features in the RC.
We're also interested in any RC customers willing to do a quick screen sharing session/phone call with us to talk about the new features and your experience with them. Let me know via comment, e-mail, or Thwack post and I'll get it set up.
Lastly, for those of you already on the RC, we'll be updating to RC2 early next week, with a couple of quick fixes.