
Product Blog

34 Posts authored by: nicole pauls Employee

While Alert Central is no longer supported, SolarWinds does offer Pingdom as a great monitoring solution.



After SolarWinds acquired DNSstuff, we interviewed many long standing, recent, and brand new customers to find out what they did with the site and where it was lacking. We heard loud and clear that Toolset - DNSstuff's toolbox of DNS, network, and mail troubleshooting tools - is where most people spend most of their time, but it was suffering from some long-standing usability issues. People reported:

  1. They frequently ran 1 or 2 of the same tools, sometimes from bookmarks
  2. They had to memorize where the tools were on the page, or CTRL+F to find them every time they visited (especially for the less frequent user)
  3. It wasn't clear when new tools were added, since there were so many things on the page it was hard to tell what was what - people just focused on what they needed to use
  4. Tools were not grouped logically, the way people think


We took your feedback to heart, came up with some new designs, reviewed them with some of those same customers, and went live with the first in a set of changes today. These changes look awesome but more importantly make toolset easier to use.


What's Changed?


Tabbed Categories

We've separated the tools out into their relative categories in tabs, so you can narrow down to just the troubleshooting you're interested in.


Inline Collapsible Categories



Those same categories appear on the page, and you can expand/collapse different sections. Just hit the + or - to expand or collapse. You can also use the grab on the left (the dots) to move the sections around.


You'll also see inline links to SolarWinds tools or products that relate to each section.


Consistent Look & Feel


Each tool has:

  1. A hint to expected input in the input box (does this tool expect a domain, an IP, something else, all of the above?)
  2. Hover help that tells you what each tool does
  3. A "Learn More" link to tell you more about that tool
  4. Grab handles (dots on the left) to rearrange tools
  5. The same size, color, button arrangement, fonts, and other things that probably drove you nuts on the old site.


What We Didn't Change

We have been addressing issues in each tool as we continue to receive feedback, but outside of issues, we did not make major changes to any tools or their output - just how they look on the page. You can still bookmark each tool's results page, the results pages are still formatted the same as they were before, and we didn't change MSTC, RBL Alerts, or Domain Doctor. You'll still need a (free trial) account to run the tools after so many runs.


What's Next?

Here's a peek at where we're going from here with Toolset.


Favorites. In order to make it easy for you to find your most used tools, we're going to add a "favorites" section that lets you pin your frequently used tools to the top.

More page customization. We want you to be able to reorder items on the page, even customize a page theme, and store that in your user settings.

Multi-tools. Some customers frequently run groups of tools, and the new DNSstuff architecture makes it possible for us to present you with a "set" of tools that can be run together.


In addition, we'll keep working on issues you've reported.


Feedback on Toolset, Thoughts on Future Features?

We've put up a survey on SurveyMonkey related to the new toolset features and what you'd like to see next. You can also post over on the DNSstuff forum here on Thwack, where product management, development, and support all respond to issues.


If you think you've encountered a bug or issue you can't work around (either with a specific tool or the site in general), or have an idea for a new DNSstuff tool or site feature that would really help you, post it over in the DNSstuff forum here on Thwack, too.

We've been developing our centralized IT alert management/escalation system for a while now (see: Say Goodbye to Your Pager: We’re working on a new, multi-vendor, centralized alert management product) and the good news is we're ready to welcome everyone who's interested in participating in the beta to do so. There's more info in this post, but if you already know you want in, visit the Alert Central website and sign up.


What's Alert Central?

Alert Central is a product intended to help you get the right alerts to the right people at the right time. Core features include:

  • Alert centralization and escalation
  • Group-centric management (with Active Directory integration)
  • Multiple on-call calendars per-group
  • Out of the box two-way integration with Orion alerting
  • Support for almost any third party and non-Orion source via email
  • Acknowledgement and escalation via both email and web interface
  • Advanced routing rules that let you slice and dice routing policies based on properties of the email/alerts
  • A weekly summary report with important stats
  • A web UI that works in browsers and mobile devices (as long as you can reach the AC server via VPN or internal network)
  • Plain text, rich text, and short text (for use with SMS) email templates


It's different than a helpdesk or ticket tracking system in that Alert Central's focus is around On Call management and escalation. When you need to wake someone up to deal with an issue, when you need to be sure that something is handled promptly, when something is affecting business/people, when an issue is time sensitive, it's a good candidate for Alert Central. When you're tracking ongoing issues, requests for help or new equipment, and things that aren't necessarily time-sensitive, a helpdesk system is a great fit (we happen to know of a good one - Web Help Desk).


Alert Central is deployed as a standalone virtual appliance, not an Orion module or add-on. Anyone can download and install it, and integrate it with SolarWinds and non-SolarWinds products alike. As long as your product sends emails and you want to route them to the right people, Alert Central will work for you.


Guess what, it's free!

You heard that right - Alert Central is free. Not just the beta. The product. Free. $0. Also zero in Euros, Canadian dollars, and all other currencies. Except maybe your feedback, that is a currency we really appreciate.


How does it work?

This handy infographic is a great visual of how Alert Central works (borrowed from the Alert Central website).




This video (humorously) shows you why Alert Central is awesome:



These 3 images are also a really good summary of the highlights and top features (also on the Alert Central website) - left side has feature callouts, right side high-res for the curious among you:


Managing Alerts:


On Call Scheduling:


Alert Routing:



How do I get access to the beta?


Easy! Go to the Alert Central website and click the big "Sign up for the beta" links. Be sure to check out the beta contest, the winner gets a pretty sweet trip to Austin.


Give us feedback - we want to know what you think


Speaking of feedback... Take a look at the website, install the beta, give us your thoughts. Anything got you stumped? Think you ran into a bug? Think this is the best UI since Netscape Navigator busted open the web? Tell us what you think.


To report bugs, issues, confusion, or praise for the beta, use the beta group. There's an important post there with known issues that you should be sure to check first - Alert Central 1/2013 Beta Notes.


If you have a suggestion for something we didn't get in v1/beta that you think would make Alert Central even more awesome for you, please post (and vote) in the Ideas/Feature Requests area of the beta group. A shortcut: http://thwack.solarwinds.com/groups/alert-central-beta/content?filterID=content~objecttype~idea

Good news, everyone! Log & Event Manager 5.5 is now available for download. Existing customers under maintenance for both LEM and SIM can download the upgrade on the Customer Portal, and if you're not yet a LEM customer, download the evaluation from our product page and check it out. There's a ton of changes especially for new and evaluating customers that'll help you get started with LEM.


I'll keep this post relatively short and instead send you to the previous blog post for the release candidate that covers all of the new features in detail: Log & Event Manager 5.5 Release Candidate is Here!


If you're new to LEM, an evaluating customer, or want to try LEM but hesitated before, you should check out version 5.5 because:

  1. You can get LEM installed and showing your syslog data faster than ever with our new connector auto-configuration/discovery
  2. You can spot issues in your data and see trends faster with our new top 10 and health widgets
  3. You can more quickly identify useful filters and track potential issues in real-time with the new default filters
  4. You want to deploy to Hyper-V on Windows 2012


If you've been a LEM (or SIM) customer for a while, you should check out version 5.5 because:

  1. You can mix and match real-time and historical data with the new top 10 widgets and spot agents or nodes that haven't been sending data lately with the new node health widget
  2. You can more quickly add new syslog devices and identify that new devices are logging (new "non-agent nodes" are added) with connector auto-configuration/discovery
  3. You have been confused by language and names within LEM, including things like "what's a tool or connector?" "why is it alert and not event? what's the difference?" and "what the heck is NATO5?", which is much more straightforward and consistent in this version
  4. You have experienced any issues or requested any features that are mentioned in our release notes such as:
    1. SNMP trap actions not working with thresholds
    2. SSL/TLS support for e-mail notifications
    3. Distinguishing between agent/non-agent nodes in the connected/disconnected nodes area
    4. Regularly spiking CPU on the LEM virtual appliance


Here's a couple of quick screenshots of the new features, borrowed from the previous post:


Node Health: see when an agent - or device - last sent events; and Top 10 Users: see the most frequent usernames present in your events (check out the other top 10 widgets for rules, events, and nodes)


Connector Auto-Configuration/Discovery: quickly add new nodes and start receiving data without manual configuration steps:


New Default Filters: find what you're interested in faster, in categories that make sense and came straight from customers like you:



Be sure to check out the release notes and the previous blog post with lots of details.


For customers, you can find the download by going to "Choose Download" next to LEM in the Customer Portal/License Management, then selecting to download "Upgrade Package for Virtual and Hardware Appliance (includes Appliance, Console & Reports Upgrades) v5.5.0" from the grid.


Questions about this release? Comments about a new feature? Post them here as a reply to this post or in our Thwack discussion space: Security Event Manager (SEM) - Formerly Log & Event Manager. Ideas for new features or want to put in your two cents on what you think we should do next? Post, vote, and comment over in our Thwack Ideas space: Security Event Manager Feature Requests.

In case you missed it, the Log & Event Manager team has recently rolled out new pricing related to monitoring workstation nodes. The goal of this addition is to make it much more affordable for you to monitor workstations together with your servers and network devices in LEM - or even by themselves, if you're solely workstation-minded. It's still the same LEM with the same features and functionality, this just makes it much more possible for you to extend your investment.


So, what does that really mean? What would you want to monitor from workstations? And, how do you do that with LEM?


Issues Specific to Workstations

Traditionally we focus a lot on servers, but realistically workstations are both the entry point to the network from a security perspective and more systems that require maintenance. As you think about moving away from reactive network/systems/security management to proactive network/systems/security management, workstations are a critical part of our enterprises.



From a security perspective, workstations do give you an entry point to the network, and can serve as a gateway to a veritable feast of data. Helpful: your customers and users can access the network quickly and easily from their system to do their jobs well. Not helpful: they have access to so much information and systems that they can also do some serious damage.


Things to monitor:

  • Unexpected users logging on to workstations that are more likely to have sensitive information - C-level, VP, and IT administrators. Create a group of users that SHOULD have access to these systems and look for authentication activity (logons and failures) that is directed at those systems but does not come from those users.
  • Other forms of unexpected logon activity depending on your environment - logons to workstations after hours if you're in a fairly controlled environment, remote logons if you don't use VPN access or users don't use RDP
  • Changes (create, update, delete) to local accounts and groups, especially Local Admins and accounts that won't inherit your domain policies and settings
  • System changes, like installation of unexpected software and changes to local policies
  • Usage of removable USB disk and networking devices
  • Launch of prohibited applications (IM, games, etc)
  • Patterns of behavior that are not unusual in the one-off case but are in excess, like failed logons
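
The first two items in the list above, written out as detection logic over normalized logon events. This is an added example, not LEM rule syntax or SolarWinds code: DetectionIP, LogonType and UserLogonFailure are names used on this page, while the event layout, the "UserLogon" type string, the allow-list, the business hours and all sample values are assumptions constructed for illustration.

```python
from datetime import datetime, time

# Assumed policy for this example: who SHOULD log on to each sensitive
# workstation, keyed by the workstation's DetectionIP (constructed values).
ALLOWED_USERS = {
    "10.0.5.11": {"jsmith"},           # CFO workstation
    "10.0.5.12": {"adavis", "bchen"},  # IT administrator workstation
}
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)  # assumed hours
LOGON_TYPES = {"UserLogon", "UserLogonFailure"}


def ev(ts, etype, detection_ip, user, logon_type):
    """Build one constructed, already-normalized logon event."""
    return {
        "time": datetime.fromisoformat(ts),
        "type": etype,
        "DetectionIP": detection_ip,  # system that logged the event
        "user": user.lower(),         # compare account names case-insensitively
        "LogonType": logon_type,
    }


# Constructed sample events (2013-01-14 is a Monday, 2013-01-19 a Saturday).
EVENTS = [
    ev("2013-01-14T09:02:11", "UserLogon", "10.0.5.11", "JSmith", "Interactive"),
    ev("2013-01-14T12:40:03", "UserLogonFailure", "10.0.5.11", "helpdesk1", "RemoteInteractive"),
    ev("2013-01-14T12:41:30", "UserLogon", "10.0.5.11", "helpdesk1", "RemoteInteractive"),
    ev("2013-01-14T23:17:45", "UserLogon", "10.0.5.12", "adavis", "RemoteInteractive"),
    ev("2013-01-15T08:30:00", "UserLogon", "10.0.7.40", "mlee", "Interactive"),
    ev("2013-01-19T14:00:00", "UserLogon", "10.0.5.12", "bchen", "Interactive"),
]


def unexpected_user_logons(events, allowed=ALLOWED_USERS):
    """Logons AND failures on a sensitive workstation by a user not on its list."""
    findings = []
    for e in events:
        if e["type"] not in LOGON_TYPES:
            continue
        users = allowed.get(e["DetectionIP"])
        if users is None:  # not one of the monitored workstations
            continue
        if e["user"] not in users:
            findings.append((e["time"], e["DetectionIP"], e["user"], e["type"]))
    return findings


def after_hours_logons(events, allowed=ALLOWED_USERS):
    """Successful logons to monitored workstations at night or on a weekend."""
    findings = []
    for e in events:
        if e["type"] != "UserLogon" or e["DetectionIP"] not in allowed:
            continue
        t = e["time"]
        weekend = t.weekday() >= 5
        outside_hours = not (BUSINESS_START <= t.time() < BUSINESS_END)
        if weekend or outside_hours:
            findings.append((t, e["DetectionIP"], e["user"], e["LogonType"]))
    return findings


if __name__ == "__main__":
    for f in unexpected_user_logons(EVENTS):
        print("unexpected user:", *f)
    for f in after_hours_logons(EVENTS):
        print("after hours:   ", *f)
```

The allowed users who log on after hours are still reported by the second check, which is why the two conditions are kept as separate functions rather than one combined test.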


Changes and Issues

Monitoring log data from workstations can also grant you insight into the state of the system - if a user calls and complains about something not working correctly, the event log and recent history of activity can provide a lot of useful data.


Things to monitor:

  • Software installation, successful and failed
  • Installation of Windows/OS updates, especially failed updates
  • Changes to system policies and configurations (enable/disable of Windows Firewall, enable/disable of audit policy)
  • Failures related to services starting/stopping
  • For Windows, "Critical", "Error", and "Warning" events in general in the System and Application logs


Active Responses & Workstations

Useful active responses and scenarios for workstations include:

  • Detecting suspicious (or unapproved) processes and killing them (by name or ID)
  • Disabling networking on a workstation after detecting a malware infection (to isolate from the network)
  • Detaching a USB device that's not approved - this one can be done whether the agent is connected or not with our USB local whitelisting policy
  • Detecting unexpected or inappropriate network, proxy, or file activity and sending a popup to the workstation notifying the user they've been spotted
  • Removing unapproved users from Local Admins automatically, or disabling local users if they are created


Combining Workstation and Network/Server Data

In some cases, data specific to workstations is actually centralized at the server or network device, but you might not have thought about the specific things to look for that relate to workstations or endpoint issues. There are also some cool things you can do if you correlate activity across multiple sources.


Centralized Events

  • Anti-Virus and DLP: It's most common for your anti-virus and DLP solutions to log centrally, rather than at the endpoint themselves. These events can provide critical insight into security issues directly at the workstation.
    • Look especially for viruses that are "left alone" (not cleaned, not quarantined) and unexpected data that has moved from the endpoint.
  • Look for Firewall/router data that indicates a workstation:
    • attempting to make outbound connections to unexpected ports
    • bypassing your proxy server for port 80 traffic
    • making excessive repeated outbound attempts to a single source/destination/port
  • If you have a web proxy, use that data to monitor repeated attempts to access blocked content, repeated download attempts for viruses or other suspicious content, and downloads of executables
  • A fair amount of your domain controller and other server activity is related to access from workstations (since that's where your users are, after all). You can use this to extend your monitoring of certain types of logon activity that comes from clients and software solutions that are not directly logged at the workstation.
  • DHCP/DNS issues can surface at the DHCP/DNS server side, but indicate workstation problems. With DHCP, especially, you can track whether your server has seen a request for a lease and what the response actually was (before you break out the packet capturing tools to dig deeper).


Correlated Activity

  • Correlate authentication activity across servers and other workstations that indicates logon attempts from a single source, which can be symptomatic of an infection or exposure
  • If you monitor file access, monitor for excessive deletes or copies from a single system, and potentially correlate with the USB activity from the workstation itself to indicate files copied from a server all the way to a USB drive
  • Combine suspicious activity to create a more conclusive case that something's wrong - for example, combine excessive logon failures to multiple systems on the network with excessive outbound traffic or combine virus/malware activity with executable downloads
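
The last item above (logon failures to multiple systems combined with excessive outbound traffic) as a sliding-window correlation, added here as an example and not taken from LEM or SolarWinds. UserLogonFailure, SourceMachine and DetectionIP are names used on this page; the "OutboundConnection" type string, the assumption that firewall events are normalized to the same SourceMachine value, the thresholds and all sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed correlation window
MIN_FAILED_TARGETS = 3          # distinct systems with failed logons
MIN_OUTBOUND = 5                # outbound connection attempts
FIREWALL = "10.0.0.1"           # constructed: device that logs outbound traffic


def ev(ts, etype, source, detection_ip):
    """Build one constructed, already-normalized event on 2013-01-14."""
    return {
        "time": datetime.fromisoformat("2013-01-14T" + ts),
        "type": etype,
        "SourceMachine": source,      # workstation the activity came from
        "DetectionIP": detection_ip,  # system that logged the event
    }


EVENTS = (
    # WS-17: failures against three servers, then a burst of outbound traffic
    [ev(f"02:0{i}:05", "UserLogonFailure", "WS-17", f"10.0.1.1{i}") for i in range(3)]
    + [ev(f"02:03:{s:02d}", "OutboundConnection", "WS-17", FIREWALL) for s in range(0, 50, 10)]
    # WS-22: repeated failures against one server only (a forgotten password)
    + [ev(f"09:00:{s:02d}", "UserLogonFailure", "WS-22", "10.0.1.10") for s in range(0, 40, 10)]
    # WS-30: heavy outbound traffic but no logon failures
    + [ev(f"10:00:{s:02d}", "OutboundConnection", "WS-30", FIREWALL) for s in range(0, 60, 10)]
    # WS-41: both patterns, but half an hour apart
    + [ev(f"11:0{i}:00", "UserLogonFailure", "WS-41", f"10.0.1.1{i}") for i in range(3)]
    + [ev(f"11:30:{s:02d}", "OutboundConnection", "WS-41", FIREWALL) for s in range(0, 50, 10)]
)


def correlate(events, window=WINDOW, min_targets=MIN_FAILED_TARGETS,
              min_outbound=MIN_OUTBOUND):
    """Return {source: details} for sources that meet BOTH conditions
    inside one window; each source is reported once, at first match."""
    recent = defaultdict(deque)  # source -> its events still inside the window
    alerts = {}
    for e in sorted(events, key=lambda x: x["time"]):
        src = e["SourceMachine"]
        q = recent[src]
        q.append(e)
        # Drop events that have aged out relative to the newest one.
        while e["time"] - q[0]["time"] > window:
            q.popleft()
        targets = {x["DetectionIP"] for x in q if x["type"] == "UserLogonFailure"}
        outbound = sum(1 for x in q if x["type"] == "OutboundConnection")
        if (src not in alerts and len(targets) >= min_targets
                and outbound >= min_outbound):
            alerts[src] = {
                "first_match": e["time"],
                "failed_targets": sorted(targets),
                "outbound": outbound,
            }
    return alerts


if __name__ == "__main__":
    for src, hit in correlate(EVENTS).items():
        print(src, hit["first_match"], hit["failed_targets"], hit["outbound"])
```

Counting distinct targets rather than raw failures keeps a user who mistypes a password on one server out of the results, and the window keeps unrelated activity from the same workstation from being combined.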


Where to go in LEM

If you want to be alerted when above activity occurs (via e-mail) or automatically respond to the workstation, you need to go to Rules (Build>Rules). Most of the items above are really good candidates for rules. Other areas to look in will be:


  • Rule Library/NATO5 Rules > Agent: Especially "Detach USB" rules, "Windows Disk Nearly Full", "Keylogger Process Launch", "Authentication Traffic but no Agent"
  • Rule Library/NATO5 Rules > Active Responses: Especially "Kill Suspicious Process", "Game Application Launch", "Remote Desktop After Business Hours", "Restart Stopped AV"
  • Rule Library/NATO5 Rules > Authentication: Especially "Logon Attempt outside of Time Restrictions", "User Logon After Hours", "User Logon but no Agent"
  • Rule Library/NATO5 Rules > Change Management: If you're interested in tracking workstation changes, many of the same rules apply here, or will indicate activity coming from workstations.
  • Rule Library/NATO5 Rules > Spyware
  • Rule Library/NATO5 Rules > Virus/Worm: Especially "AV Update Failure" and "Virus Attack - Bad State"



If you want to search for activity that has occurred based on a workstation's name and/or IP address, you want to go to nDepth (Explore>nDepth).

  • To search for any events that contain the workstation's name or IP, just type it in the search box - this searches globally.
  • To search for any events from a specific workstation, use the DetectionIP field (or InsertionIP, they'll usually be the same on workstations)
  • To search for any events that came from, were going to, or were created by, a workstation's name or IP, use the combined IP Address field



If you want to monitor workstations in real time, you can use the widgets in Ops Center to view trends and anomalies, and you can use filters in Monitor to, well, monitor for different categories of activity. Good candidates for filters are things like:

  • Activity from high-profile workstations
    • Create a Tool/Connector Profile or a User-Defined Group with your workstations in it
    • Build a filter for Any Alert.DetectionIP = <group>
    • This will be fairly high-traffic depending on the number, so you might need to narrow the focus to specific types of events.
  • Logon failures only to workstations
    • Create a Tool/Connector Profile (or multiples) with your workstations grouped together
    • Build a filter for UserLogonFailure.DetectionIP = <group> (if you have more than one, OR them together)
    • If you want to look for workstations generating logon failures on other systems, use UserLogonFailure.SourceMachine = <group>
    • If you only want to monitor interactive logons (RDP or local), use UserLogonFailure.LogonType = *interactive*
  • Workstation change activity
    • Again, create a Tool/Connector Profile (or multiples) with your workstations grouped together
    • Build a filter for [Change Management Events].DetectionIP = <group> (if you have more than one, OR them together)




Tips for Managing Workstations in LEM

  1. Deploy agents many at a time using the remote agent installer, by deploying the agent with your workstation image, or by using the local installer in "silent" mode and using it with your software distribution tools.
    1. If you're using the remote agent installer and have remote sites, a helpful tip is to copy the installer to a system (e.g. server) local to that remote site, then push out from there.
    2. KBs: SolarWinds Knowledge Base :: How to include the LEM Agent in a Windows image, SolarWinds Knowledge Base :: Using the SolarWinds LEM Agent Installer non-interactively
  2. Use Tool/Connector Profiles to group agents together. This serves the purpose of grouping AND maintaining a standard configuration template. Configure a single agent, then create a new tool/connector profile and add all of the similar agents with it.
  3. If you have mixed Windows environments, look out for configuring the "wrong" connectors for the Windows Security Log. You'll see Internal alerts that suggest you should configure the opposite connector (there's one for XP/2003 and earlier, and one for Vista and later).
  4. The Manage>Nodes grid can be sorted, sliced, and diced, to take inventory of what's connected and not. The new "Node Health" widget in our upcoming release (RC info available here) will show the last time data was received from nodes, which is helpful. There's also a couple of agent health reports in LEM Reports that can help track down agent connectivity and events.


The recent thwackCamp 2012 presentation on the Top 10 Things Logs Can Do for You might have some additional ideas to help spark your creativity in monitoring workstations and your enterprise holistically with LEM.


What about you? Do you monitor workstations? Is there anything you'd like to monitor but aren't sure how? Haven't heard about LEM Workstation Edition and want to know more about what it means? Drop a comment here or feel free to start your own discussion thread over in the Security Event Manager (SEM) - Formerly Log & Event Manager space.


Shameless Plug: Other SolarWinds Products for Workstations

While we're on the topic, here's some other good stuff for workstations that will help extend what you get with LEM even further:

  • Patch Manager: not just help with managing your windows patches, but helping address third party patching issues. On top of the fact that Acrobat, Flash, and Java have had a ton of security issues, a lot of malware out there still exploits old holes that are fixed with patches. Keep it up to date from one place.
  • DameWare: DameWare is a handy remote management tool. Once you've identified a problem with LEM, if you want to investigate at the endpoint or respond beyond LEM's built-in active responses, DameWare can help.
  • NetFlow Traffic Analyzer: if you've got bandwidth problems with workstations, use NTA to track down who is consuming it. LEM can help on a time & frequency basis and can do some basic top talker stuff with NetFlow/sFlow, but NTA is all flow all the time.
  • User Device Tracker: UDT helps you determine what user owned an IP address/hostname/MAC address over time. If you've found a historical issue on LEM and want to trace that IP back to a user, UDT can tell you where they were.
  • LANsurveyor: map out your network and figure out the logistical layout of devices. If you've got workstations, chances are there's enough of them that you'd like to know what and where they are connected. LEM doesn't have built-in network diagrams itself, but this can help you make sense of what's out there.

It's been a busy week or two here at SolarWinds, another release candidate is heading your way. I know, I know, you're as excited as when the new phonebooks came and your name was in print!


In true "You Asked, We Listened" style, Log & Event Manager (LEM) 5.5 is going to be a release focused almost entirely on YOUR feedback. We did a ton of customer interviews, Q&A, and show and tell, and have been tracking your feedback on Thwack and support cases. We took the top few items and we decided to get something into your hands sooner rather than later.


Spot issues more quickly with new Top 10 and Health widgets on the LEM Ops Center dashboard


We heard from you that you wanted it to be fast and easy to discover issues, spot trends, and have dashboards that mix in real-time data with other information. What we've done is add new default widgets that let you spot trends and trouble faster by monitoring the most common things - nodes on your networks, users, and events - in a more Top 10 and health-oriented way. We've added 5 new widgets that are right up your alley. In no particular order...


Node Health: sometimes it's most useful to know that a node HASN'T sent you data lately. Maybe a remote site dropped off the map, your firewall configuration disabled logging, or something's not quite right. The Node Health widget shows you a summary of node status, when the last event was received from that node, and any version/OS information we might have (from agents).



Top 10 Events, Users by # of Events, Nodes by # of Events, and Rules by # of Rules Fired: these widgets surface information about frequency of events in the big picture, helping you spot trends and potential anomalies. Use the Top 10 widgets to see your most common type of event (filterable by different general types/groups of events), usernames that appear most frequently across events, nodes that appear most frequently across events, and rules that are being most frequently triggered. These will help you spot items at the top that shouldn't be (why is "administrator" logging on so frequently?), sudden spikes in data (why is my server suddenly generating the most events?), and unexpected high severity events (security issues, scans, or suspicious activity).




Troubleshoot node and user issues with our new Node and User Details Drill-Down Dashboards


We're starting to pull pieces together to enable faster common patterns that our customers use when you want to investigate problems. Those new Health and Top 10 widgets mentioned up above follow a new drill-down pattern that we're introducing on the dashboard by combining info into new dashboards. The Node Details and User Details dashboards will show a summary of the node/user and all events related to that node/user name.


If you've spotted an unexpected trend with a user (say, "Administrator" really is coming up a bunch and you don't know why), click on that user from the Top 10 Users widget to see detail associated with them, and most importantly their most recent events to help troubleshoot the "why". Refine the chart further to find out only certain types of data (say, only changes related to "Administrator" - changes they are making or made to them).




Similarly, if you've spotted a server generating an unexpected amount of error or warning traffic, you might want to check out the last 10 minutes of events to see if there are any commonalities.




Automated configuration for syslog and SNMP-trap based device integrations


Thanks to some great suggestions from you, our support team, and our sales engineering team, we've found a way to make configuring new devices much simpler with some automated configuration. Instead of having to manually configure a connector to match your syslog device up to our connectors, we've made it possible for you to enable syslog (or SNMP trap) forwarding to the appliance and push a button to add the node. But wait, there's more! We've also made it possible for you to scan on-demand for ANY new data, in case you're not sure how many devices or what types have been configured. You'll find these new buttons in Ops Center in the new Node Health widget and in Manage > Nodes.


If a scan is going to take a while, you'll see a notification and the scan will get backgrounded. When new nodes are found, you'll see a handy notification:


When you click the "View Now" you'll be taken to the discovery/scan results, and you have a chance to confirm that you'd like to add new connectors to monitor the detected sources. This summary presents you information about what IP address was generating the data and what vendor/connector will be configured:


After you confirm, magic happens and these connectors are automatically hooked up to those log sources. Note: You won't see new nodes appear until data appears. In the example above, I won't see data from "Checkpoint Edge-X" until that IP address sends me more data. Nodes appear with the data, but we scan historical data to do the discovery magic. As those nodes appear, you'll see the yellow notification appear with a confirmation as to which IP addresses are now sending data.


Also handy, when new nodes appear for existing connectors, you'll get the same notification that tells you what's happened. This happens if you've already got a connector configured for, say, a Cisco firewall, and you start logging another Cisco firewall to the same facility. You don't need to configure another connector, but LEM will let you know something new is now sending you data.


...and more!


A few other things you'll notice:


  1. New Default Filters: We totally revamped our default filters to match your use cases better. Filters are grouped for Overview, Security, IT Operations, Change Management, Authentication, and Compliance, and all have some handy default widgets.
  2. More Help & Thwack Widgets: We've added a "What's New in LEM" and Thwack feed widget, along with help widget updates to help you find features that lots of people didn't know existed.
  3. Event is the new alert. After listening to you talk about LEM, we've modified our in-product language to match how you think about events. Things that come in to raw logs are called "messages", these get normalized into "events", which you can then trigger rules on, which may cause "alerts" like notifications or incidents to be fired in addition to active responses. There are still a few things that say "Alert" (e.g. SecurityAlert) that we're saving for a future update, but for the most part, Event Event Event.
  4. What the heck is a NATO5? We've also eliminated a few of the things that made your brow wrinkle, including renaming rules that are on by default "Default Rules" and rules that are templates for you to use "Rule Library." Along similar lines, we've made it clear that the thing that connects logs to the system are referred to as "connectors" in LEM as well as elsewhere.
  5. Support for Windows 8/2012, including Hyper-V 2012: We had a compatibility issue with Hyper-V on 2012 that has been resolved. Additionally, we've confirmed you can use the LEM Console in IE 10 on Windows 8, and install the agent in Windows 8 and 2012 (you'll need to run it in compatibility mode for now until we resolve an installation issue, though).
  6. Customer requests & fixes: Common reported issues include the node statusbar showing non-agent nodes as "disconnected" - now they have a separate entry from agents; refresh and edit buttons are more obvious in Ops Center and nDepth; performance improvements in rules; hotfixes from 5.4 rolled in to 5.5; and lots of new connectors. A full list will be included with the release notes.


Notes for Upgrading Customers


We didn't touch your existing filters or dashboard configuration; we didn't want to mess with your feng shui (or your "zen thing, man"). You can always add the new dashboard widgets to Ops Center by going to Ops Center's "Widget Manager" and perusing the "Additional Widgets" section. For filters, if you're interested in the new defaults, the easiest thing to do is create a new user and check them out to see if you're interested. We can either help wipe out your existing settings and revert to the default, or you can export/import only the stuff that looks good.


If you've got existing connectors already configured and want to try out the new connector discovery scan workflows, no worries. Anything you've already got configured will stick around and we won't configure duplicates. A very small number of you who had connectors configured for /var/log/messages or /var/log/syslog will want to run the new node scan after upgrading to pick up the new default configurations.


Lastly, you'll notice in some places where you had items that said "Alert" they now say "Event". We avoided changing some things (like filter names and descriptions), but others (like groups) will be updated.


Download, download, download! And share your feedback


All LEM and SIM customers under active maintenance can download the 5.5 RC by going to the Customer Portal and clicking "Choose Download" next to the RC. If you want to deploy a new system, use the new installers. If you'd like to upgrade, download the upgrade, and be SURE to check out the instructions (you'll need to extract it to a share - generally the root of a share is safest - and then go to the virtual console or SSH to get it installed).




To give us feedback, join the Security Event Manager (SEM) Release Candidate group on Thwack. What do you think about the new widgets? Are there more you'd like to add? How's automated configuration treating you? Anything we missed or is confusing? Would you like to know more!?

Several SolarWinds products can help with various areas of the Payment Card Industry (PCI) Data Security Standards (DSS) requirements. The purpose of the PCI DSS is to set a baseline of minimum security for any vendor that takes credit cards. This is good for the consumer as it (theoretically) institutes best practices that reduce the risk of a security breach that could expose their data, making vendors that are PCI compliant less likely to put you and me at risk for identity theft that way. This is good for IT shops because it's been historically difficult to get IT budget money for security and privacy initiatives, even if you know they are really the right way to do it. PCI is also an ongoing cost for IT, though, because many of the controls are not one-time checkboxes; they are continuous mandates to help you stay out of the headlines.


What Does SolarWinds Do for PCI DSS Compliance?

The PCI DSS is broken down into several sections. These sections cover everything from physical security requirements to secure IT implementation to scanning and monitoring.


SolarWinds Network Configuration Manager (NCM)

NCM is a network configuration management system that provides auditing of network device policies and changes, and allows you to institute change management procedures (including approvals) around device changes. More info about NCM's features as they apply to PCI compliance can be found here, but here are the specific items it can help with:

  • Addressing PCI Requirement 1.1: Establish Firewall and Router Configuration Standards (especially 1.1.1, approval of changes, and 1.1.6, reviewing policies)
  • Auditing your compliance with PCI Requirement 1.2: Building Restrictive Firewall Configurations, 1.3: Prohibit Direct Public Access, 2.1: Change Default Device Passwords & SNMP Communities/Remove Extra Accounts, 2.3: Allowing Only Encrypted Admin Access to Devices


NCM provides specific reports for PCI compliance to make it easy to audit configuration settings and changes.


SolarWinds Patch Manager

Patch Manager provides integration with native Windows patching technology (WSUS/SCCM) AND provides built-in third-party application patching. More info on Patch Manager's features can be found here, but here are the specific items it can help with:

  • Addressing PCI Requirement 6.1: Ensure Software has Latest Patches within 1 Month of Release
  • Assisting with PCI Requirement 6.4: Ensure Patches are Tested/Reviewed (by way of distributing patches to a test environment, providing back-out/uninstallation of patches)

SolarWinds Serv-U Managed File Transfer

Serv-U MFT provides the ability to ensure security of transferred files, supporting configurations that keep your sensitive data from hanging out in the wild. If you use file transfer when it comes to cardholder data, Serv-U is for you. More detail is available here on the Serv-U site: Serv-U FTP Server PCI Compliance, but here are the specific items it can help with:

  • Assisting with PCI Requirement 1.2 and 1.3: Restricting access from the Internet/Untrusted Networks
  • Assisting with PCI Requirement 3: Protect Stored Cardholder Data
  • Assisting with PCI Requirement 4: Encrypt Transmission of Cardholder Data
  • Assisting with PCI Requirement 7: Limit Access to Cardholder Data
  • Assisting with PCI Requirement 8: Use unique access credentials


SolarWinds Log & Event Manager (LEM)

SolarWinds LEM is a Security Information & Event Management (SIEM) and Log Management system that provides capabilities around log collection, real-time correlation/notification/response, flexible and extensive historical search, compliance reporting, and some endpoint security. More info about LEM's features as they apply to PCI compliance can be found here, but here are the specific items it can help with:

  • Addressing PCI Requirement 10.5: Secure Audit Trails, 10.6: Review Logs for All System Components, 10.7: Retain Logs
  • Addressing PCI Requirement 11.5: Use File Integrity Utilities
  • Detecting potential violations to compliance with PCI Requirement 2.1: Usage of Default Accounts, 4.1: Usage of IM/E-Mail with Sensitive Data (by way of IM monitoring and DLP solutions that can log this activity OR usage of IM in general), 5.2: Ensure AV is Generating Log Data, 7.1: Least Privilege Access to Sensitive Data, 8.5: Usage of Inactive/Default/Generic/Shared Accounts and Other Account Policies, 10.2: Logging various audit trails, 10.3: Include Timestamps with Logs, 10.4: Changes to Clock, 11.1: Detect Wireless APs (depending on your detection method), 11.5: Review of File Integrity Monitoring data


LEM provides extensive audit log reporting capabilities for all of the collected log data, whether it's for auditing compliance with any of the standards mentioned above, or the specific items mentioned in 10.6.


Do my SolarWinds Products Need to be "PCI Compliant" Themselves?

No. SolarWinds products do not capture credit card data directly, provide access to card data directly, or authenticate card data directly. Products that are "in scope" for PCI compliance themselves would include things like databases, file servers, firewalls and routers used for networks that store or access cardholder data, and user accounts used to directly access cardholder data. Our management products are used to meet specific PCI requirements at what you could think of as a meta level - they aren't providing the cardholder data, they are providing information about access to the cardholder data, networks, and systems.


For LEM, when we collect audit trail data, this data does not include cardholder data, again, only information about access to cardholder data. With NCM, you can approve/modify firewall configurations, but we are not collecting or reviewing network traffic. With other products that monitor or live on the network (like NPM and NTA), we are, again, not collecting or storing actual network traffic that may contain cardholder data, only information ABOUT network traffic. With SAM, we are similarly monitoring system activity, but not directly related to cardholder data itself. With SEUM, your recorded transactions contain the data you choose to submit, which would not be customer cardholder data that they may be submitting to the same site (if you're testing performance on a form related to card number submission). Patch Manager can inform you of missing patches or the state of patching of a system that stores or accesses cardholder data, but never accesses the system for any purpose other than patching.


Even Though my SolarWinds Installs Don't Fall Under PCI, I Want to Implement Some Best Practices. Can I?

Requirements such as default user accounts, SNMP communities, and audit trails are often general security best practices. Some of them can be applied to SolarWinds products, others can't. The answer is a solid "it depends."


Specific configuration changes we've been asked about:

  • SNMP community strings. The big issue with SNMP community strings is where they are used for making configuration changes. Exposing default SNMP read-write communities puts your devices at risk for unexpected changes. The next big issue is SNMP communities for monitoring, which can lead to information exposure. Even with SNMP read-only, you can view device statistics, log data, and configuration settings. The last capability of SNMP is trap sending and receiving, which is generally informational activity, often used for alerting or in place of syslog. In this case, setting default communities is less critical, because it's generally a one-way communication mechanism outbound from your devices to ours.
    • Active SNMP monitoring (not traps) using non-standard communities: all SolarWinds products that collect data via SNMP monitoring (connecting to devices and polling via SNMP) do allow you to specify a non-standard community. You can also set the systems you run on that provide SNMP monitoring themselves to non-standard communities. Some products, such as LEM, do not have SNMP monitoring capabilities and this doesn't apply. The Orion family products live on Windows systems; if you're monitoring those systems with SNMP, the SNMP settings apply to the system, not our products.
    • Active SNMP configuration changes (not traps) using non-standard communities: The good news is no SolarWinds monitoring products modify system configuration settings via SNMP (LEM, NCM, NPM, etc). SNMP, in these cases, is either used for monitoring (NPM, SAM) or only with traps (LEM).
    • SNMP Trap sending: Many SolarWinds products can send alerts via SNMP traps. All products that can submit traps to other systems allow you to specify the address and community to use, if not standard.
    • SNMP Trap receipt: Many SolarWinds products can also receive alerts via SNMP traps. As of today, in some cases including SolarWinds LEM, the community string is the default ("public") and cannot be modified. As mentioned above, these SNMP traps are consumed by SolarWinds systems for storage and search, and do not make direct changes to any of your systems by their nature.
    • SNMP v3/encryption support: Several SolarWinds products do support using SNMPv3 for monitoring activity. Some systems that receive traps, including SolarWinds LEM, do not provide the ability to use SNMPv3 as it stands today (meaning, traps submitted to LEM will not be encrypted, much like syslog data).
  • Admin Credentials and Default Users. Many customers have a desire to apply best practices around default admin credentials, even though our systems do not fall directly under PCI requirements themselves.
    • Changing admin passwords: All SolarWinds products have the ability for customers to change the default administrator user's password.
    • Adding additional admin users (and not using the default): All SolarWinds products have the ability for customers to add more than one administrative user and not use the out-of-the-box administrator. This allows you to use named users for making administrative changes and avoid using a shared admin account.
    • Disabling the out-of-the-box admin user: Some SolarWinds products do not have the ability to delete or disable the default admin user. SolarWinds LEM, for example, does not allow customers to delete the default admin, to ensure that there is always an admin present that can be reset and used in event of administrative turnover. SolarWinds Virtualization Manager, on the other hand, provides the ability to delete the built-in user as long as another administrative user exists.
  • Least Privilege Access/Use
    • Active Directory Integration: Many SolarWinds products allow you to retrieve group information or authenticate against Active Directory. For basic authentication and information, you do not need to use a user with administrative access.
    • Monitoring: For SolarWinds products that do remote polling, it is generally possible to use lower privilege users (i.e. not root or administrator). Specifically, SAM polling can be done against a non-administrative user with these instructions.
    • Installation & Services: In most cases, SolarWinds products do need to have administrative or fairly broad system privileges to install and run due to technical limitations. Where installers require administrative privileges on Windows, generally they will show the UAC prompt for administrative access automatically.
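
The risk ordering in the SNMP community string bullets above (read-write defaults first, read-only defaults next, traps last, with unencrypted traps noted) can be applied as a configuration audit. This is an added example, not SolarWinds code: it assumes Cisco IOS-style `snmp-server` lines, the sample configuration is constructed, and `private` is an assumed second default alongside the `public` named in the post.

```python
"""Audit IOS-style SNMP lines using the risk ordering described in the text."""
from dataclasses import dataclass

# "public" is the default named in the post; "private" is an assumption added
# for this example. Case variants are treated as equally guessable.
DEFAULT_COMMUNITIES = {"public", "private"}

# Read-write defaults allow configuration changes, read-only defaults expose
# information, traps are one-way and therefore the least critical.
SEVERITY = {"rw": "high", "ro": "medium", "trap": "low"}
_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed sample, not taken from a real device (addresses are RFC 5737).
SAMPLE_CONFIG = """\
! constructed sample configuration
hostname edge-rtr-01
snmp-server community public RO
snmp-server community private RW 10
snmp-server community n0c-Mon1tor view LIMITED RO 10
no snmp-server community oldstring
snmp-server host 192.0.2.10 version 2c public
snmp-server host 192.0.2.11 version 3 priv lemuser
snmp-server host 192.0.2.12 traps public
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str        # "rw", "ro" or "trap"
    severity: str    # "high", "medium" or "low"
    detail: str


def _parse_community(tokens):
    """tokens follow 'snmp-server community'; access defaults to read-only."""
    name = tokens[0]
    rest = [t.lower() for t in tokens[1:]]
    if len(rest) >= 2 and rest[0] == "view":
        rest = rest[2:]                      # skip "view <name>"
    access = "rw" if rest and rest[0] == "rw" else "ro"
    return name, access


def _parse_trap_host(tokens):
    """tokens follow 'snmp-server host <addr>'; returns (version, level, name)."""
    tokens = list(tokens)
    version, level = "1", None               # version 1 when none is given
    if tokens and tokens[0].lower() in ("traps", "informs"):
        tokens.pop(0)
    if len(tokens) >= 2 and tokens[0].lower() == "version":
        version = tokens[1].lower()
        tokens = tokens[2:]
        if version == "3" and tokens and tokens[0].lower() in ("auth", "noauth", "priv"):
            level = tokens.pop(0).lower()
    name = tokens[0] if tokens else ""
    return version, level, name


def audit(config_text):
    """Return findings sorted by severity, then by line number."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        tokens = raw.split()
        # Comments and negated ("no snmp-server ...") lines are skipped here.
        if len(tokens) < 3 or tokens[0].lower() != "snmp-server":
            continue
        keyword = tokens[1].lower()
        if keyword == "community":
            name, access = _parse_community(tokens[2:])
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(Finding(
                    line_no, access, SEVERITY[access],
                    f"default community '{name}' grants {access.upper()} access"))
        elif keyword == "host" and len(tokens) >= 4:
            addr = tokens[2]
            version, level, name = _parse_trap_host(tokens[3:])
            if version == "3" and level == "priv":
                continue                     # encrypted trap, nothing to report
            if version == "3":
                why = "SNMPv3 without privacy, so traps are not encrypted"
            else:
                default = name.lower() in DEFAULT_COMMUNITIES
                why = (f"SNMPv{version} with "
                       f"{'default' if default else 'custom'} community, unencrypted")
            findings.append(Finding(line_no, "trap", SEVERITY["trap"],
                                    f"trap destination {addr}: {why}"))
    findings.sort(key=lambda f: (_ORDER[f.severity], f.line_no))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(f"[{finding.severity:6}] line {finding.line_no}: {finding.detail}")
```
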


A Quick Note About PCI DSS v3.0

Most of the changes in PCI DSS v3.0 don't affect your SolarWinds implementations, and product changes were not necessary, though your implementation and processes might need to be tweaked. Notable changes that can apply to SolarWinds products:

  • In general, the PCI council added guidance about integrating products into ongoing PCI compliance. As a part of this, having a SIEM helps customers be more proactive in this process rather than only looking at logs when an audit comes through – focusing on security, not just compliance. We didn’t have to make product changes here, but it’s noteworthy.
  • Requirement 10 changed slightly to focus more on identifying suspicious activity and more flexibility in reviewing less critical logs. We didn’t have to make product changes here either, but requirement 10 is the one that specifically deals with logs so it’s noteworthy. (Customers may actually have to generate or review fewer reports of “normal” activity for auditors.)
  • Requirement 2 added a specific note about detecting changes to default passwords for service/backup accounts, not just user accounts, which LEM can help monitor (and NCM can help manage as well). We didn’t have to make product changes to help deal with this, but the clarification helps customers implement it properly.


Questions About Implementing or Auditing for PCI DSS?

If you've got questions about how SolarWinds products are used for PCI, what specific reports or features to look for, or how to implement any of the best practices security configurations, leave them in the comments. I'll update this page with any other common questions we get related to PCI configuration and can direct link any features if that's helpful.

For those of you who have been following our On Call Alert Management developments, we've been soliciting your feedback on several topics, which will continue for the next few weeks. As a new product that a lot of customers are really excited about, we want to make sure it hits the mark on all fronts - from what to name the product to its featureset and deployment.


So, about that deployment. Here at SolarWinds we have a large number of products that are deployed as software that you install on a Windows OS, some of which are built on the Orion platform. We also have another set of products that are deployed as virtual appliances, deployed to a VMware ESX/ESXi or Microsoft Hyper-V virtual server. Centralized On Call/Alert Management is something that everyone can benefit from and will be provided as a standalone product, but we recognize a lot of you are coming from the Orion platform products and may have experiences and opinions that sway you for or against software or virtual deployments.


Bottom line: we want to know your thoughts. If we deployed as a virtual appliance, would that make you more or less likely to evaluate? Is there something about deploying software (or Orion products) that you'd sorely miss with a virtual appliance? Or, is a virtual appliance like a load off your back, a system you don't have to configure and maintain? If you've deployed other virtual appliances, what did you love or hate? Any concerns you feel we'll need to alleviate?


First, go vote in this poll and tell us how comfortable you are with virtual appliances - be honest, it really helps: Deploying Virtual Appliances


Then, if you've got more to add about your preference for a virtual appliance, Orion, or other style software deployment when it comes to Centralized On Call/Alert Management in particular, comment in this thread (or in the poll, we'll read them both).


More opportunities for feedback are coming soon! This truly is a software for the people, by the people kind of process.

Last night, we rolled out a significant update to the DNSstuff site infrastructure. These changes are mostly behind the scenes, but represent something that has been under development for quite some time. Before reporting any issues with the site, be sure to read on about what's new, any issues we're already aware of, and what we're working on next.


NOTE: This post was last updated to reflect current issues on September 28, 2012 at 5:00 PM Central Time.


Professional Toolset Version 2.0

The biggest change you'll notice is in Professional Toolset. We've completely revamped the backend of Professional Toolset to be a shiny, new platform that provides us the opportunity for future tool and feature development. (More on that in a bit...)


All of the results pages have been reformatted to turn what was mostly pretty cumbersome to wade through into output that you can use to quickly identify key results and values from the different tools and tests. Our development and user interface teams tried to find ways to highlight important information, organize results more clearly, format key-value pairs more clearly, and make other key changes to each page's results.


New Professional Toolset Tools

With the migration came the addition of some new tools, including one new free tool.


  • URI Block List Lookup - looks up blacklist entries based on a URI
  • Vector trace - performs traceroutes from three different locations (currently 3 locations in different parts of the US) to aid in routing and site availability troubleshooting, including a map from all 3 locations
  • Social Media (FREE) – shows social media (Facebook, Twitter) references to a domain
  • ADR Domain Inspector - displays the A and NS records for each DNS server in your domain
  • WWW cohost - locates multiple domains/sites hosted on the same host
  • Additional Mail Testing Tools:
    • SPF
    • SMTP Banner
    • SMTP Greeting
    • Null Sender
    • Postmaster
    • Abuse
    • Address Literal
    • Open Relay
    • POP Banner
    • POP Authorization
    • POP Status
    • IMAP Banner
    • IMAP Authorization
    • IMAP Status


Site Infrastructure Updates

DNSstuff has been migrated to a different site infrastructure/hosting environment, which affords for better redundancy, management, and monitoring functionality than before. Several tools also rely on these multiple points of redundancy to offer better and more accurate results. Some tools, like Mail Server Test Center, RBL Alerts, and Domain Doctor have not yet been migrated to the new infrastructure, but in coming months will be.


DNS Alerts migration to Domain Doctor

Customers of the old DNS Alerts service should have received both an e-mail and a popup notification recently letting them know that with this migration, we had to phase out support for the old service. Customers of DNS Alerts have long been entitled to Domain Doctor subscriptions; we've just made it official. Based on our records, some people may have still been using the DNS Alerts tool up to the last week. If you didn't get a chance to migrate your alerts and need help, let us know and we'll work with you to sort it out.


Issues, both expected and not

As with all new websites or versions of software, we're aware there are going to be some growing pains with the site. If you've got a feature that you used that was removed, or a feature that you'd like to see added, let us know here. If you are having issues with any tool, including results that differ from the previous version or what you'd expect, please be sure to report them to technical support. If you have any account issues (accessing the site, purchasing new tools), please report those to support as well.


Here's what we're currently aware of that falls into the features and changes department:


DNS Report Misc Test Failures and Issues

There are still a few outstanding situations where DNS report may be returning unexpected results. We've resolved a lot of them, but what you might still see out there includes: sometimes MX tests pull in MX records for parent domain; sometimes DNSSEC records don't appear even though they exist on the domain; in very few cases MX records do not appear even though they exist; SPF records are shown for every DNS server in your domain but do not show which server the displayed SPF record came from.


Updated: DNS Report New Results Format is (was) Hard to Read

Several people have commented that they prefer the old format of DNS Report. You asked, we listened. We put up an even better version of DNS Report that incorporated a ton of your feedback about what you do and why you need it. Check it out and if you've got more comments, be sure to post here: DNS Report Feedback & Thoughts! There's still work to be done in the detail of results, so we're still listening.

Updated: Sometimes an Error is Returned when Running Tools

Thanks to customer input, we've dug into the "Sorry,..." messages presented sometimes on results pages. We've determined sometimes these errors are somewhat legitimate (i.e. an A record doesn't exist for a domain, so we can't display results), but the information you get back is clearly not helpful. We're going to fix this so that you get appropriate feedback when something goes wrong, and only see the other message when something unexpected happens. If you aren't sure which case your error message falls into, please continue to report it to our support team. You'll see "Sorry, but these probably aren't the results you're looking for" or "We're sorry, but we're unable to execute your request." Provide the "Test ID" value either in your Thwack post or your support case; that will help us track down where the issue is coming from. We're going to be adding better error reporting in an upcoming site update to help differentiate these cases.


DNS Lookup/Timing/Traversal Tools Aren't Querying SRV Records

We discovered an issue with SRV records that requires some development effort on our end to resolve. We're working on a resolution. As a workaround, if you use the "dig" or "raw" results formats instead of "pretty" in DNS lookup you should see expected results.


RBL Alerts Give Slightly Different Results from the Spam Database Lookup Tool

We've added some additional RBL sources to the Professional Toolset's Spam Database Lookup Tool that haven't yet propagated back to RBL Alerts. We're adding these into RBL Alerts as well to make the results a little more fully-functional and consistent.


What's Next?

Here's some of the stuff we're working on (other than the issues above) in the coming weeks and months. Disclaimer: this is not a commitment to release these features on any specific timeframe, this is just intended as a guide to our general priorities.

New Toolset UI!

We're super excited about this one. We're going to revamp the old and busted DNSstuff Professional Toolset page with some New Hotness that's much easier to navigate. Down the road, this will let us add functionality like favorites (so you can "pin" your most used tools) and multi-tools (tools that run a series of tools, so you don't have to run multiple individual tools to perform a series of troubleshooting steps).


MSTC Fully Integrated with Toolset

You probably noticed that a lot of our new Professional Toolset tools are mail-oriented. Our goal is to combine the functionality of Mail Server Test Center with Professional Toolset so that you have a one-stop shop for all testing. We'll break out the mail-specific tools into their own area so they are easy to find and use.


New Site Look & Feel

We couldn't revamp Professional Toolset without looking at the rest of the site, so that's what we're going to do. We want to build a site that you want to visit, so we're going to look at the things that interest you and how best to present them.


Improvements to RBL Alerts and Domain Doctor

We'll be migrating RBL Alerts and Domain Doctor over to the new site infrastructure. This should improve the stability and management of these platforms, similar to what we did with Professional Toolset.


What Do YOU Want to See from DNSstuff?

We've spent some time talking to customers, gathering feedback via surveys, and generally thinking about what's interesting and good for DNSstuff, but if you've got something we missed on the new site, an issue that you've been itching to see addressed, or thoughts on what tools, content, or other features you'd like to see, send them my way!

In case you missed it, the Log & Event Manager team recently released our 5.4 version which was packed with great features. Onward and upward we continue, here's a preview of what's to come.


Disclaimer: this is not a commitment to a timeframe or delivery of any of the features discussed below. This is also not a commitment to deliver all of these features in our next release. This post is intended to give you a rough idea of what we're doing.


Installation, Configuration, & Maintenance

Whether you call it Log & Event Management or Security Information/Event Management (SIEM), there's a lot of moving parts to getting the most value out of your investment. We want to make it faster for you to get to the information that's useful whether it's the first time you're setting up LEM or you need to add something after the fact. Areas that we're looking into include:

  • Navigation and organization of out-of-the-box features
  • Configuration of connectors and other product integrations


Information at your Fingertips

We've had a lot of great LEM feedback around navigating different areas of the system and are going to make some significant improvements to make it faster to get useful insight out of your data quickly. Things we're improving on include:

  • Making it easy to find default rules that suit your specific needs (be it PCI, other compliance, security, etc)
  • Adding more dashboard widgets with historical analysis side by side with what's happening now
  • Adding more dashboard areas that let you drill down into nodes/IP addresses and users on the network to quickly determine if something/someone is an issue
  • Adding dashboard widgets that give you useful information about what's going on here on Thwack, what's new in LEM, and how to use different features


Love for Security and Operations Teams

We've talked to teams that approach LEM from a security need perspective, and teams that approach LEM more operationally with security as either a secondary or separate issue. A lot of the features you see listed above were created with an eye to one or both teams.


For the security teams:

  • Easier identification of critical rules and other content that apply to security
  • Additional details for nodes and users that will make root cause analysis faster


For the more operationally minded:

  • Dashboards and widgets that call out historical trends and help link high level visualizations to data
  • Adding a "Quick Search" to make it faster to, well, do a quick search


...and More

Some other things that are brewing here in the LEM kitchen are:

  • Improvements to LEM database archiving (check out this Thwack feature request post if you'd like to post your comments about what you'd like to see)
  • Improvements to agent installation (and other installers)
  • Extensions to our Windows Event Log integration (native support for "new" style Event Logs and the option of remote Event Log access)
  • Continued support for more product integrations with our connectors


Questions? Comments? Did We Miss Something?

If you've got questions or ideas about how a particular feature would be most useful, or want to take part in a release candidate or beta or any of these features, feel free to comment.


Make sure to file a feature request over in our Security Event Manager Feature Requests forum if you don't see your request. If someone else already posted it, please add your comments so we know there's interest in a particular feature or issue!

In case you missed Brandon's post on the Blog, the title says it all: Say Goodbye to Your Pager: We’re working on a new, multi-vendor, centralized alert management product. We also need YOUR feedback about what devices you're using, how you manage alerts, and what you're interested in seeing with an alert management product.


The Cliff's Notes version of Alert Management is that you submit your alerts from various products to this system and it crunches the numbers against who is On Call and which group needs to address issues of that type to make sure the right person gets the hot potato. If the first person can't help or doesn't respond, it'll automatically escalate to the next person, or they can reassign to the group or person who might be better suited to help.


We're looking for everything from demographic info (how big is your team?) to how you'd like to receive alerts (smart phone? analog pager with a 4343 at the end for a good laugh? mobile app? just email?) to any thoughts you might have on the subject. We're all about building products for real IT folks, and Thwack is full of you! Those who fill out the whole survey and provide a little contact info will be entered in a drawing for a couple Amazon gift certs.


Here's the link to the survey over on SurveyMonkey: Centralized Alert Management Survey



Microsoft has taken to increasing the complexity of some of their product auditing functions, starting with Exchange and SharePoint's auditing implementations in the 2010 versions. Gone are the days of simple configurations to log to the event log; here are the days of audit tables, databases, and API calls. This makes it difficult if you're someone who is moving content to SharePoint, already has content in SharePoint, or is looking to move toward SharePoint, and has audit or regulatory requirements. We've had a LOT of requests for SharePoint auditing and rather than build something, we've chosen to leave it to the experts.


In case you missed our Unveil SharePoint’s Audit Logs webinar (links to the slides in this post), we've partnered with the fine folks over at the Monterey Technology Group to become one of their SIEM partners with LOGbinder SP, a super useful SharePoint auditing utility. These are the same experts who are also responsible for bringing you Ultimate Windows Security - a site you should surely check out if you're interested in Windows event logs, auditing, and security.


Use LOGbinder SP for:

  • Pulling SharePoint audit activity out of the cryptic database and into the Event Log
  • Providing object & user names in SharePoint audit events
  • Managing SharePoint audit policies


Use LEM with LOGbinder for:

  • Alerting on SharePoint change activity (new administrators, permissions changes)
  • Auditing SharePoint item & object access, deletion, import, and export
  • Reporting on SharePoint activity for compliance
  • Viewing SharePoint audit activity in context with operating system, network device, and other application logs


I just uploaded some rules, filters, and reports for LOGbinder over on the Content Exchange that provide everything you need to get going on the LEM side. There's an integration guide in the Zip file that will explain how to install the files, which are all tailored to the LOGbinder SP event log data. You will need an agent installed on your SharePoint+LOGbinder system, and you'll need to make sure you have either LEM version 5.4 or the latest product connectors installed. Then it's just a matter of following the guide to get set up and start monitoring.


We're pretty excited about our latest Log & Event Manager release, version 5.4. We've packed a ton of good stuff in this release in typical SolarWinds "You Asked, We Listened" fashion. You can check out the Release Notes for all the details, but here's the slightly more descriptive version. For those of you curious about the picture, it's a shot of the first piloted Mercury spacecraft (just a little less roomy than the Love Boat, only room for a ship's complement of 5).


Appliance Improvements: Hyper-V, Migration, & Resize


We've spent a little time improving our virtual appliance support after tons of great customer feedback. With this release we officially support Hyper-V 2008 R2 and have provided an evaluation download just for Hyper-V.


In addition, we've expanded our migration & restoration capabilities (for both hardware and virtual appliance customers), should you find yourself in the situation where you need to:

  • stand up an entirely new appliance
  • migrate from the TriGeo hardware appliance to the LEM virtual appliance (or a VMware appliance to a Hyper-V appliance)
  • recover settings after an outage


There's a great KB documenting the appliance migration process: SolarWinds Knowledge Base :: How to import settings from a SIM or LEM appliance backup to another appliance


Lastly, we've made it possible to expand the virtual appliance beyond the default 250G, by popular demand. You'll find those instructions in yet another awesome KB: SolarWinds Knowledge Base :: How to resize a LEM virtual appliance


A Browser-Based Console! Hooray!

As we've had our Flex/AIR console in the wild for over 2 years now, we heard from a lot of people who really wanted to run it in the browser. As a part of the SolarWinds family, we've heard this even more, and we put it at the top of our list for this release.




There are only a few differences between the two, related to importing/exporting settings, file operation dialogs, popups, and things that in the desktop console are in a separate window; otherwise they are functionally identical. We haven't ended support for the desktop console (and we've included it in the upgrade for those of you that already have it), but response from the RC was that even long-time desktop console users were pretty happy with the move to the browser. Customers interested in moving to the browser-based console from the desktop console should upgrade their desktop console to the new version, Export their desktop settings (all of them!) from Manage > Appliances (gear on the far right), then Import them into the web console from Manage > Appliances (gear on the far right).


Make sure you're running a supported browser AND Flash version BEFORE launching the console; there's some misbehavior with older versions of some browsers and Flash. We officially support:

  • Chrome 17+
  • Firefox 10+
  • IE 8+
  • Flash Player 11+


For those of you with NPM, SAM, or other Orion-based products, you can add the LEM console as an External Website view and have them all in one browser tab/window.


Authenticate to LEM via Active Directory

For those of you tired of managing dedicated accounts for your LEM users, we can now pull in those users (or groups) from AD and use them rather than requiring you to manage both places independently. I blogged on this one pretty extensively in the RC Post and there are some instructions/notes on it in the KB: SolarWinds Knowledge Base :: How to create LEM console users with domain credentials.


Send/Receive SNMP Traps from SAM, NPM, Virtualization Manager, and LEM

We've added a new notification to LEM - Send SNMP Trap - to let you correlate data in LEM and pass that on to other systems. We've also added a connector that is designed to gather data generated from NPM, SAM, and Virtualization Manager and present it to you in LEM, so you can correlate and monitor that activity in the context of your other systems & event log data.


Some examples of how this is useful:

  • If LEM correlates an issue, you can send the notification to SAM/NPM, where it'll appear in the SNMP Traps section of the system, and you can perform root cause analysis from the SAM/NPM side to determine if there was a security or other event found in the log data around the time your issue started.
  • Rather than using SAM/NPM to receive ALL your event log, syslog, and other data, use LEM and forward only the critical/useful events on to the teams that need them.
  • Notify and forward events to third party systems (outside of NPM/SAM) to share data across your organization.


There's setup details on this one in the previous RC Post, too.




Videos, Help, & Manuals

We've spent a lot of time listening to customers who have had to spend time wrapping their brain around LEM as a pretty flexible, but naturally complex, system. For a lot of people, this is the first time you're seeing all your log data consolidated in one place and it feels a little (or a lot) overwhelming. Rest assured, you're not alone. We've done our best to add new content that we think will really help.


The first place you want to stop: our new Introductory (SHORT) Videos. These videos are meant to help you understand LEM, identify common tasks and tips, walk you through an example or two end-to-end, and help you decide when to choose one part of the system (or method) over another. Each one is around 5 minutes long. For those of you who want more details, we go through a TON of examples and all of the parts of the system in our Advanced Videos/Tutorials (best enumerated here on Thwack), but those can run more like 20 minutes.


We've also been cooking up a new User Guide (HTML) that has really useful content in it. The "Leveraging" sections will help you implement LEM for common tasks. There's a lot of good troubleshooting content we added based on YOUR feedback, and our InfoDev team did a complete restructure of the organization of the manual - losing 200 pages in the process (more effective than any diet, for sure!).


Fixes & Notes

There are a bunch of specific issues resolved that are noted in the Release Notes. Included in them are:

  • Event Explorer performance improvements. The Event Explorer is a super handy (often overlooked) tool for figuring out events around rules (why did this rule fire? what specifically occurred and when? what actions took place? who was notified?). Previous versions didn't always return results in a timely fashion, so we've spent some time ironing those issues out.
  • nDepth Explorer cancellation issues. Some customers reported the search-oops-cancel-search pattern caused never-ending searches - things weren't getting cancelled. We ironed these out and you shouldn't see any backlogged searches bogging down new ones.
  • Tool Profile synchronization issues. Sometimes the "Agents" list in Tool Profiles would show old hostnames, mismatched hostnames, and cause difficulties when you tried to tweak the profiles.
  • Improved copy/paste! This one probably drove some of you nuts, but we think we've resolved most/all of the copy/paste issues in the alert grids in Monitor.


Thanks & Feedback

We'd like to send a shout out to all of our RC participants - your feedback helped us tie the bow on top of a great release. For anyone who has additional feedback, feel free to post here on the forums or contact me directly.


As always, be sure to check out the Release Notes. There's also some detailed tips (noted above) about implementing several of our new features in the recent Log & Event Manager 5.4 RC Available blog, and be sure to check out the hot off the presses User Guide (HTML) also.

We're Taking You Back to the Basics of Log and Event Management


Everyone in the IT industry seems to talk about log and event management, but what makes it so important?  Is it really something we need to be concerned about?   Join SolarWinds Geeks (a.k.a. Sales Engineers) Chris Jeffreys (chris.jeffreys) and Rob Johnson, as they discuss the importance of log and event management, why it is so vital, pitfalls we’re likely to encounter and some possible solutions available in SolarWinds Log and Event Manager 5.4.  Topics to be covered include:


  • What is Log and Event Management?
  • Why is it so important?
  • What problems does it present?
  • How can we make it more manageable?
  • LEM 5.4 – How it can help


This session will discuss the importance of Log and Event Management, what needs to be done and how we can do it.


Who should attend?

  • Anyone curious about how Log & Event Management can help their IT organization better meet the needs of their business
  • IT organizations with compliance and security mandates that require log & event management
  • People overwhelmed by using event log, syslog, and other log data to help their organization get their jobs done
  • Anyone interested in how Log & Event Manager (and the new features in LEM v5.4) addresses these needs
  • Anyone who wants to learn why Logs truly are Better than Bad, they're Good.




This 60 minute FREE webcast will be offered at three times to accommodate different global regions. Click on "Register Now" to sign up!


North America/Latin America

Tuesday, May 08, 2012

11:00 a.m. CST  




Thursday, 10 May 2012    

11:00 a.m. Singapore     




Thursday, 10 May 2012

2:00 p.m. London          


In case you missed it in our Log & Event Manager Release Roundup: Latest News post, the next release of LEM is now in Release Candidate status. You can join up by filling out the survey over on SurveyMonkey; I'll provision it to your Customer Portal and you can get crackin' on the new features.


LEM 5.4 RC Features: Flexibility!

The "theme" of this release is flexibility - extending the flexibility of your LEM deployment within your organization. We've added several features that make LEM more flexible to deploy, implement, and integrate into your environment.


Virtual Appliance Improvements: Deploy to Microsoft Hyper-V, Export/Import/Migrate Appliances

We've added the ability to deploy our virtual appliance on Hyper-V (instead of just VMware). It's got the same disk/CPU/RAM requirements (250GB disk, at least one 2GHz core preferably 2+, 8GB RAM dedicated) and the same ease of installation.


On all appliances, we've added the ability to export/import/migrate your appliance settings. This is useful in several different ways:

  • Migrating from a legacy TriGeo hardware appliance to the LEM virtual appliance
  • Migrating from one virtual appliance to another virtual appliance (standing up a new appliance and importing your configuration)
  • Disaster recovery scenarios where configuration settings have been lost, a mistake was made, or other unfortunate scenarios occur that make you wish you could go back to yesterday's config


For customers interested in either Hyper-V deployments or the appliance migration functionality, we've got new documentation we can provide that includes extra details if you need them.


Console in your Browser! Awesome!

We've had a lot of requests to not run the LEM Console in AIR, and instead run it in the browser. Good news - we did just that! For the most part, this Console is identical to the AIR console, and you can import/export your settings from your existing AIR install into the web and vice-versa. The browser-based Console does require Flash 11.


To access the LEM console after upgrading, just head to https://<your manager's IP or name>/ and it'll redirect you to the right port and URL. The full URL is actually https://<your manager's IP or name>:8443/lem/ but we put in a couple handy redirects to make it Just Work(tm).


Your settings will now be stored on the manager you're accessing in the URL, so wherever you log in, you'll see the same filters, widgets, saved searches, and customized configuration settings.


Tips & Notes:

  • I'd recommend verifying you're on Flash 11 before you access the Console, just in case. We've had situations where someone upgraded from Flash 9 to Flash 11 and the browser was most unhappy! You can manually download and install the latest flash player here.
  • If you're having issues with Firefox, try IE (seriously) or Chrome. We support Firefox 11, Chrome 16+, and IE9 and have done a cursory pass on Safari, but we found a few browser inconsistencies that generally apply more to Firefox than the other browsers.
  • There shouldn't be cases where you have to close/reopen your browser or tab to fix an issue - if this happens to you (especially consistently), please let us know so we can track down issues where the Console seems to get "stuck" and stops functioning. The same is true of a browser or flash plugin crash, if you see this consistently, let us know.
  • If you've been using the AIR console and want to import your settings to the web, first upgrade your AIR Console to 5.4, then go to Manage > Appliances, then click the rightmost gear (underneath the Help icon) and choose "Export User Settings". In the web console, do the same thing, but select "Import User Settings". Your settings will be pushed up to the appliance and applied, and voilà! Instant customized Console.
  • When reporting issues with the browser Console, be sure to let us know what browser & version you're using, and make sure you're up to date on Flash (Adobe's trying to make it even easier to update Flash, but you never know, you might have hit "stop yelling at me" and not manually upgraded in a while).
  • When building rules & filters, you might notice that the item you're dragging appears away from your mouse cursor; there are some timing issues that we're working on here and may not be able to resolve before release. Follow your mouse cursor arrow, not the item text, to determine where it'll be dropped.


Authenticate to LEM via Active Directory Services

As a bonus management feature, we've added the ability for you to authenticate to LEM via Active Directory (not just a LEM built-in user). You can add AD Groups or individual AD Users and assign them to a LEM Role, then the authentication works like magic.


To Configure:

First, configure the "Directory Service Query" inside of LEM to authenticate to the directory:

  1. Go to Manage > Appliances: 
  2. Click the Gear icon next to your appliance, and click Tools:
  3. Under "System Tools", click the Gear next to "Directory Service Query" and click "New":
  4. Specify the (fully qualified) domain name (e.g. corp.local), the IP of your domain controller (preferably IP, DNS name may work if your appliance is configured with reliable DNS), the service account username & password to use, and whether your DCs require SSL or not. If you don't use a custom port, you can ignore that field (the defaults are 389 for non-SSL and 636 with SSL).
    1. NOTE: If you want to test your connection, you can type in your FQDN in the "Test Domain Connection" box, but don't be alarmed if the button doesn't do anything - it can't actually test until we entirely finish.
  5. Click Save when you're done.
  6. IMPORTANT: To actually start/enable the connection, you need to start the tool/connector. Click on the gear again, and click "Start":
  7. At this point, everything should be configured and running.
    1. NOTE: If you entered your FQDN in the "Test Domain Name" box, you can click the "Test Domain Connection" button now. Success or failure won't be reflected here, you'll find alerts over in the Monitor area that will indicate success or failure. The alert is an "InternalInfo" alert that says "Connection to Directory Service succeeded", or an "InternalWarning" alert that will let you know it failed and give you some idea of why (password failed, timed out, etc).
  8. When you're done, click "Close".


Next, add users in LEM that you want to authenticate with the directory:

  1. Head over to Build > Users:
  2. Click the + icon on the far right hand side and choose the option corresponding to what you'd like to add:
    1. LEM User: adds a new built-in LEM user, using built-in LEM authentication. After adding the user, fill out all the information, including the e-mail address(es).
    2. Directory Service User: lets you specify a new SINGLE user from the directory to add to LEM, using directory authentication.
      1. In the leftmost panel, select the OU you wish to add the user from.
      2. In the center panel, select the Group you want to use to narrow down the user. The group in brackets at the top that mirrors the name of the OU will show ALL members of that OU, which might take a while if you've got a big organization (which is why we let you search using groups, too!).
      3. In the rightmost panel, select the User you want to add to LEM and click "Select User". All of that looks a bit like this (adding the user "npauls" from the "Engineering" OU, using the entire OU to search) - names hidden to protect the innocent:
      4. After you add the user, specify their LEM Role (Administrator/Auditor/Monitor/Contact), click the "Save" button on the bottom right to officially add them to the list.
    3. Directory Service Group: lets you specify a new GROUP (and all members therein) from the directory to add to LEM, using directory authentication.
      1. In the leftmost panel, select the OU you want to view the group in. You might find that your OU contains sub-folders that contain hidden group containers for things like distribution/global groups.
      2. In the rightmost panel, select the Group you want to add (that is, all members in this group should be able to log in to LEM, and be assigned the same LEM role). All of that looks a bit like this (adding the group "Domain Admins" from the parent domain's built-in "Security Groups" area, which would normally appear in the parent domain itself):
      3. After you add the group, specify their LEM Role (Administrator/Auditor/Monitor/Contact), click the "Save" button on the bottom right to officially add them to the list.
  3. Don't forget to hit the "Save" button after you add a group, it's easy to miss!


A few important notes:

  • When using Directory Service users, the email address is imported from the directory and not editable inside of LEM.
  • The same connector/tool that interfaces for Directory Service Groups in LEM (for use with filters, rules, and searches) is used for authentication, so you only have to configure it once.
  • You'll want to set aside a service account that can be used to do this, and you might want to set it to never expire, or suddenly you'll find all your Directory Service users unable to log in.
  • Don't forget your LEM built-in admin user password! You can always get in using this account, even if directory services are down. If you've forgotten it, there's a command at the appliance to reset it back to the default of "password".
  • When logging in, use DOMAIN\user to indicate you're logging in as a Directory Service user.
  • I found it a little confusing at first to have to look in the "Security Groups" folder for my Windows 2003 domain controllers, so don't forget to check there if you don't see the groups you'd expect.


SNMP Notification Support & Integration with NPM/SAM

In LEM 5.4, we've added new connectors to receive data from NPM/SAM and Virtualization Manager. Set up your alerts in the Alert Manager (or via Virtualization Manager's Console) to send to LEM, and use LEM to correlate those events with other events across your enterprise, perform root-cause analysis of problems across systems, and use LEM's active responses to triage or respond to issues.


Receiving SNMP Alerts from NPM/SAM/Virtualization Manager in LEM

Some examples of awesome ways you can use the systems together:

  • NPM detects a device outage or performance issue; use LEM to trace back the issue to its FIRST occurrence and determine the problem may be a DoS attack, virus, or other security issue - possibly even detected on an endpoint.
  • SAM detects an issue with a service; use LEM to determine if there are errors being generated from that service and when the issue started, respond by restarting the service, and build a rule to detect & notify you of future outages before the service actually goes completely down.
  • Build rules inside of LEM that combine data from NPM or SAM with your event log, device log, and application log data, to combine the power of what's happening in the log with the knowledge that something's gone bad.
  • Respond to an event detected from SAM or NPM in the LEM Console to isolate an issue, quarantine a user or system, restart a service, or kill a process, among others.


To send data from NPM/SAM/Virtualization Manager to LEM, first on the LEM side:

  1. Enable SNMP on the appliance, if you don't already have it enabled. From the virtual/hardware appliance "Advanced Configuration" console, type "service" (at the "cmc" prompt) then "enablesnmp" (at the "cmc::scm#" prompt).
  2. Configure the SolarWinds tool on your LEM appliance via Manage > Appliances, then Gear>Tools:
  3. In the "Network Management" category, create a new "SolarWinds Orion" tool/connector by clicking Gear>New (this connector does cover all of NPM, SAM, and Virtualization Manager):
  4. Click "Save" to save the configuration (you can change the default name/alias that appears in all of the messages from these tools, if you'd like).
  5. Click Gear>Start to enable the tool/connector to monitor for incoming data:


On the NPM/SAM side, use Alert Manager to enable SNMP alerts for different settings. For more information on setting up alerts with SAM, check out the "Creating Alerts" section in the SAM User Guide. For more information on setting up alerts with NPM, check out the "Creating & Managing Alerts" section in the NPM User Guide. For more information on setting up alerts with Virtualization Manager, check out the "Alerts" section in the Virtualization Manager User Guide.


Sending SNMP Notifications from LEM to NPM/SAM and Other Systems

We've also added the ability to send SNMP traps to other systems, including NPM/SAM, so that you can correlate data in LEM and notify other departments, systems, and people, via the infrastructure you've already got set up.


Some examples of how this is useful:

  • If LEM correlates an issue, you can send the notification to SAM/NPM, where it'll appear in the SNMP Traps section of the system, and you can perform root cause analysis from the SAM/NPM side to determine if there was a security or other event found in the log data around the time your issue started.
  • Rather than using SAM/NPM to receive ALL your event log, syslog, and other data, use LEM and forward only the critical/useful events on to the teams that need them.
  • Notify and forward events to third party systems (outside of NPM/SAM) to share data across your organization.


To use the SNMP notifications in LEM, first you'll need to enable the SNMP response tool/connector, then you'll need to add the SNMP notification to any rules you want to pass on to another system.

  1. Configure the SNMP Active Response tool/connector via Manage > Nodes, then Gear > Tools:
  2. In the "System Tools" category, click Gear > New next to "SNMP Active Response":
  3. Click "Save" after creating a new item (all of the configuration regarding which host, ports, etc to use is in the action itself, not in the configuration). You can customize the name/alias if you want it to appear differently.
  4. Be sure to click Gear > Start to enable the new connector/tool (or no SNMP notifications will be sent!):
  5. Click "Close" to exit configuration.
  6. Identify or build a rule you wish to add the SNMP notification to over in Build > Rules. I'll use the NATO5 "Critical Server Suspicious Network Traffic" rule as my example (Clone it to Custom Rules first!), since this might be important information about a node that I want to forward over to SAM or NPM so that if that machine begins behaving unexpectedly (consuming excessive bandwidth, performing poorly), that information is present. This rule also has a default Block IP action that you could choose to keep (and would want to let other systems know the action was taken) or remove in favor of only sending a notification.
  7. In "Actions", select and drag over the "Send SNMP Trap Alert" notification to the "Actions" box.
  8. Specify the destination SNMP Trap Host (where you want to send the trap) and port (if you do not specify one, the default of 162 will be used). You'll need to go to "Constants" and drag over a "Text" constant into the "Destination Host" box in order to edit it first.
  9. Specify the category of alert you'd like to escalate. For now, you can pick from the default "Incident" type of alerts. The type of alert will dictate the kinds of fields you can send over - for example, "HostIncident" will contain fields like Source/Destination Account, where "NetworkIncident" will contain fields like Source/DestinationMachine (and "HybridIncident" tries to be the best of both worlds). Pick the one that best suits this type of rule - in my case, I'm going to go with Network Incident (since the events were detected on the network and I'll find the most useful fields there), but if I'm more server minded, I could also go with Host or Hybrid Incident (indicating there's a problem with a host, but it was detected on the network).
  10. Fill out the fields from the alerts that contributed to your rule, just like you would other LEM actions. In this case, I'm going to use the "Network Audit Alerts" Alert Group, since that's what my rule uses, and that's where I want the data to come from in the original event. Here's what it'll look like in the end (it goes on, but you get the idea):
  11. If you want to notify more than one SNMP host, add another "Send SNMP Trap Alert" action and fill it out similarly.
  12. Save the rule, and don't forget to Activate Rules when you're done! It's at the top right, this tells the appliance/manager you're ready to use the new rule you've built:

At this point, when your rule fires, the SNMP Trap will be sent on to the server you specified. In SAM/NPM, you can view this in the SNMP Traps area of the console.
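To confirm which fields a "Send SNMP Trap Alert" action actually delivers, it helps to decode the datagram on the receiving host. The following is an added example, not SolarWinds code: a small SNMP v1/v2c trap decoder in Python, run here over a constructed v2c trap. The SNMP version LEM emits, the "public" community string, and the 1.3.6.1.4.1.99999 OIDs are assumptions and placeholders; the page does not document them.

```python
"""Receiver-side decoder for SNMP v1/v2c traps (added example, not SolarWinds code)."""

SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"   # snmpTrapOID.0, carried as a varbind in v2c traps

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element at pos; reject truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits count the length octets
        count = length & 0x7F
        if not 1 <= count <= 2 or pos + count > len(buf):
            raise ValueError("bad BER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("element runs past end of datagram")
    return tag, buf[pos:pos + length], pos + length

def children(data):
    """Split the body of a constructed element into (tag, value) members."""
    items, pos = [], 0
    while pos < len(data):
        tag, value, pos = read_tlv(data, pos)
        items.append((tag, value))
    return items

def decode_oid(data):
    subids, value = [], 0
    for byte in data:                      # base-128 digits, high bit marks continuation
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            subids.append(value)
            value = 0
    if not subids or data[-1] & 0x80:
        raise ValueError("malformed OID")
    first = min(subids[0] // 40, 2)        # first sub-identifier packs the first two arcs
    return ".".join(str(n) for n in [first, subids[0] - 40 * first] + subids[1:])

DECODERS = {
    0x02: lambda d: int.from_bytes(d, "big", signed=True),  # INTEGER
    0x04: lambda d: d.decode("utf-8", "replace"),           # OCTET STRING
    0x05: lambda d: None,                                   # NULL
    0x06: decode_oid,                                       # OBJECT IDENTIFIER
    0x40: lambda d: ".".join(str(b) for b in d),            # IpAddress
    **dict.fromkeys((0x41, 0x42, 0x43), lambda d: int.from_bytes(d, "big")),  # Counter32, Gauge32, TimeTicks
}

def parse_trap(datagram):
    """Decode one trap datagram into version, community, trap OID and varbinds."""
    tag, body, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    members = children(body)
    if len(members) != 3 or members[2][0] not in (0xA4, 0xA7):  # v1 Trap / SNMPv2-Trap PDU
        raise ValueError("not a v1/v2c trap")
    (_, version), (_, community), (_, pdu) = members
    fields = children(pdu)
    if not fields or fields[-1][0] != 0x30:
        raise ValueError("trap PDU has no varbind list")
    varbinds = []
    for _, varbind in children(fields[-1][1]):          # varbind list is the last PDU member
        (_, name), (value_tag, value) = children(varbind)
        varbinds.append((decode_oid(name), DECODERS.get(value_tag, lambda d: d.hex())(value)))
    return {"version": {0: "v1", 1: "v2c"}.get(int.from_bytes(version, "big"), "other"),
            "community": community.decode("ascii", "replace"),
            "trap_oid": dict(varbinds).get(SNMP_TRAP_OID),
            "varbinds": varbinds}

def tlv(tag, value):                       # BER encoder, used only to build the sample
    n = len(value)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n])   # sample elements stay under 256 bytes
    return bytes([tag]) + length + value

def build_sample_trap():
    """Constructed v2c trap. 1.3.6.1.4.1.99999 is a placeholder arc, not one LEM is known to use."""
    def varbind(oid_hex, tag, value):
        return tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(tag, value))
    binds = (varbind("2b06010201010300", 0x43, b"\x64")                 # sysUpTime.0 = 100 ticks
             + varbind("2b060106030101040100", 0x06, bytes.fromhex("2b06010401868d1f0001"))
             + varbind("2b06010401868d1f0101", 0x04, b"Critical Server Suspicious Network Traffic")
             + varbind("2b06010401868d1f0102", 0x40, bytes([192, 0, 2, 10])))
    pdu = tlv(0xA7, tlv(0x02, b"\x01") + tlv(0x02, b"\x00") * 2 + tlv(0x30, binds))
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, b"public") + pdu)

if __name__ == "__main__":
    print(parse_trap(build_sample_trap()))
```

On the trap host, pass `parse_trap` each datagram read from a UDP socket bound to the port set in the rule (162 by default) and compare the decoded varbinds with the fields you filled out in the action.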


We Want Your Feedback!

If you join the RC, be sure to check out the Log & Event Manager RC group here on thwack. We'll put up any known issues there and are happy to answer questions about the RC or features in the RC.

We're also interested in any RC customers willing to do a quick screen sharing session/phone call with us to talk about the new features and your experience with them. Let me know via comment, e-mail, or Thwack post and I'll get it set up.

Lastly, for those of you already on the RC, we'll be updating to RC2 early next week, with a couple of quick fixes.
