
Posts authored by: Nicole Pauls (SolarWinds employee)

The Log & Event Manager team has been busy lately with both maintenance to our current version and, of course, an upcoming release. In this Release Roundup, I'll bring you up to speed on what's been going on lately in the Land of LEM.

Maintenance Release: 5.3.1

We received a lot of good feedback after our 5.3 release and rolled up those changes into a 5.3.1 maintenance release, available on the SolarWinds Customer Portal to all customers under active maintenance. This includes:

  • Resolved reported difficulty configuring USB-Defender Local Policy and several database-reading connectors
  • Updated Console filter functionality to allow toggling of the outer grouping and resolved reported issues with unexpected filter conversion
  • Improved USB-Defender Report to capture all expected USB-Defender data based on customer feedback
  • Added a herd of new connectors (43 in total), including support for SmoothWall, Cisco IronPort, Sophos Email/Web Security, Websense 7.0+, and McAfee IntruShield, among others

You'll notice when you go to download the 5.3.1 update that the Customer Portal looks a little different. We've made it easier for us to get releases to you faster by streamlining some of the behind-the-scenes work. To download the appliance update for all virtual/hardware appliances, first click on the button next to your SIM/LEM product listing, then click "Download" next to the "Appliance Upgrade" download. It's not always easy to find, so here's a picture that might help:

[Screenshot: Customer Portal download page showing the "Appliance Upgrade" download]

We've also released a hotfix to 5.3.1 that resolves difficulty customers were having configuring our Check Point integration. Only customers affected by that issue will need to download and apply it. It's located in the "Hotfixes" section on the portal, and included in the hotfix are instructions on how to apply.

New: Download Connector Updates from the Portal

We've improved the distribution of connector updates to regularly update the SolarWinds Customer Portal as we support new connectors and maintain our existing connectors. Anyone who's under maintenance can go download the connector update package and apply it to their SIM or LEM appliance. Back on the multiple downloads page, you can find the Connector Package listed separately, and instructions for applying it are in this (always awesome) SolarWinds Knowledge Base article.

Upcoming Releases

You can check out the full detail of this in our What We're Working On in the Land of Log & Event Manager post, but for those of you that prefer "Executive Summaries" here's what we're up to (disclaimer: this is not a commitment to these features on any timeline, it's just an idea of what's in our priority queue):

  • Hyper-V Appliance Deployment
  • Active Directory Authentication
  • Outbound SNMP Trap alerts - send notifications from LEM to Orion and other SolarWinds products
  • Inbound SNMP Trap integration - support for receiving data from SolarWinds products in LEM
  • Browser-based Console - access LEM from your browser!

If you're an active customer interested in testing any of these features when they become available, you can sign up by filling out this survey and you'll get an email when something is available.

And, Finally... Videos!

If you're new to LEM and still trying to find your way around, be sure to check out our AWESOME new LEM Intro video series! This series was prepared as part of our upcoming release and should help you find your way around. There are 5 videos, each around 5 minutes long.

For a taste, here's our video on filters and real-time data:

[Embedded video: LEM filters and real-time data]

Watch the rest here on the LEM Resource Center. There's a bunch of more advanced videos on the LEM videos area in the Resource Center as well, you can see a quick list here on Thwack.

The Log & Event Manager team is proud to announce General Availability of our 5.3 version. All customers can download the upgrade via the SolarWinds Portal. We think there's a bunch of features that make LEM 5.3 as cool as a Lunar Excursion Module, but here's the rundown so you can decide for yourself!

Download a Free and Fully-functional 30-Day Evaluation!

One of the cool new features of LEM is the ability to download a trial and see it for yourself. The evaluation of LEM is 30 days of 100% fully featured Log & Event Management goodness, packed into the exact same virtual appliance you deploy in production.

  • Guided setup, an awesome Quick Start Guide, and in-product Getting Started content helps walk you through the appliance deployment, software installation, and first time use. 
  • Simulated data gives you the ability to see what Log & Event Manager's all about before you decide to deploy to your own environment. Simply disable it when you're ready to see some of your own data.
  • Simplified deployment to first logon process makes it easy for you to try LEM without jumping through hoops.

Keep Track of All Data Sources

We've added the ability to see all your data sources in the LEM Console, rather than just agent nodes. This makes it easy for you to keep track of additional devices and get an accurate count of your license. And, for existing customers, we've made it so that you don't have to mess around with "Open Licenses" anymore, things Just Work(tm). When you get close to your expiration date or license limit, you'll see warnings in the Console that let you know.

For all LEM customers, when you upgrade you'll want to download your new license from the Portal and apply it. Legacy TriGeo SIM customers are grandfathered using their legacy SIM node licenses and the same enforcement policy.

Updates for Agents

By popular demand from current LEM customers, we've done a bit of a facelift for our agent, rolling up several improvements into a single update. This update includes:

  • An updated Java Runtime Environment
  • Improvements to Windows Event Log SID/GUID processing on Windows Vista/7/2008
  • CPU utilization improvements for virtual and lower resource environments
  • Improved support for agent-based connectors, including extended database-driven collection
  • Support for a native 64-bit (x86-64) Linux installer

Configurable nDepth Export Formatting

Our initial nDepth Export release was functional, but pretty fixed - it wasn't possible to change the layout or control which items appeared in the export. The new export lets you:

  • Customize and save different export layouts
  • Rearrange and select different graphs, charts, and detailed content for inclusion in exports
  • Drag and drop components from available options
  • Change pages from portrait to landscape

Support for Kiwi Syslog Server

We've extended our support for Kiwi to allow customers to use Kiwi as a syslog collector. Instead of forwarding from Kiwi to LEM and duplicating data across the network, you can deploy a LEM Agent to your Kiwi server and pick up the syslog data using existing LEM connectors directly from the Kiwi-formatted files on disk. Syslog collectors are often useful to offload processing from the LEM appliance and to extend your LEM installation into remote networks where sending syslog data over the WAN/VPN would be unreliable or insecure.

Repackaged Downloads

Previously, we provided the LEM upgrade as a single downloadable zip file or ISO, which was nearly 1.2 GB in size. We've taken a different approach this time, and that's to separate all the downloads into individual components. The upgrade download includes the appliance upgrade, Console, and upgrade documentation - the minimum needed to get you going on the new version. For agent upgrades or new installs, you can download individual agents from the Portal, or distribute the upgrade from the appliance. We're still thinking about offering a full packaged download after hearing customer feedback, so if you prefer it one way or the other, that feedback will definitely help!

LEM Downloads

The LEM upgrade will only take a few minutes to install, but customers should be sure they're running at least version 5.2 first. If you need assistance upgrading, we're happy to help; if you've got any questions, feel free to post them!

Hey All,

With the recent release of Log & Event Manager 5.3 (read more about that on the blog Log & Event Manager: LEM 5.3 has Landed), our development team is working on some pretty great features requested by a lot of customers.

Hyper-V Virtual Appliance Support

It's hard to ignore Microsoft's increased presence in the virtualization market, and Hyper-V is starting to pick up some great market share as it's evolved from what was Virtual PC. With Microsoft planning on including Hyper-V support natively in Windows 8, it's just going to get more and more common.

We're planning on providing our virtual appliance evaluation for Hyper-V and fully supporting it in production, including the ability to synchronize time with the host, take snapshots, and perform clean shutdowns (similar to VMware).

SolarWinds Orion Platform Product Integration: Raising Events to LEM for Correlation & Response

We'll be adding a couple of features related to extending our integration with other SolarWinds products - thanks to customer feedback and input. The first of these features will be receiving SNMP trap alerts from your Orion platform products, enabling you to:

  • Correlate those events with other LEM log & event data, and use additional LEM real-time correlation features: time & frequency, field-based correlation, multiple-event correlation, and more.
  • Search events in the context of other LEM data for troubleshooting. Sometimes performance and availability data provides the missing key to a security or operations issue, and seeing that data together in context can bring something to light that you might not otherwise have noticed.
  • Respond with your LEM active responses - restart a service, disable an account, block an IP, or just send a popup message in response to correlated data OR interactively.
  • Report on events enterprise-wide for compliance, auditing, and peace of mind.

SolarWinds Orion Platform Product Integration: Escalating Events from LEM to Orion via SNMP Traps

Since we're in the business of what makes sense to customers, we're also adding the ability to go the other direction and share events from LEM upstream to Orion via SNMP traps. This feature can also be used to escalate to non-SolarWinds products: if you've got a trouble ticketing system or other network management system that accepts SNMP traps as alerts, you can escalate LEM events up to those systems as well. Some of the ways this can be useful are:

  • Use log data to detect a problem, and automatically raise a condition in Orion to take advantage of workflow you've already built.
  • Share knowledge from LEM to Orion without providing access to all of your sensitive security and operations log data. 
  • Take advantage of LEM's log data parsing to forward only log events of interest to Orion, instead of asking Orion to store 100% of log data for the one or two events you're interested in in that context.
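To make the escalation path above concrete, here is a minimal SNMPv2c trap encoder in Python. This is an added example written for this page, not LEM's or Orion's own implementation: the enterprise OIDs under 1.3.6.1.4.1.99999 are placeholders (the trap OIDs LEM actually emits are not documented here), and the only standard parts are the message layout from RFC 3416 and the two mandatory leading varbinds (sysUpTime.0 and snmpTrapOID.0). The example encodes BER by hand so that nothing beyond the standard library is needed.

```python
"""Added example: build and send an SNMPv2c trap (RFC 3416 SNMPv2-Trap-PDU).
Not SolarWinds code; the enterprise OIDs below are hypothetical placeholders."""
import socket

SYS_UPTIME_OID = "1.3.6.1.2.1.1.3.0"       # first mandatory varbind (TimeTicks)
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"    # second mandatory varbind (OID value)
# Hypothetical enterprise OIDs for this example only; not LEM's real trap MIB.
EXAMPLE_TRAP_OID = "1.3.6.1.4.1.99999.1.0.1"   # "lemCorrelatedEvent" notification
EXAMPLE_MSG_OID = "1.3.6.1.4.1.99999.1.1.1"    # free-text event description


def ber_len(n: int) -> bytes:
    """BER length: one byte below 128, otherwise 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(value: int, tag: int = 0x02) -> bytes:
    """Two's-complement INTEGER; also used for TimeTicks (tag 0x43), which is an
    IMPLICIT INTEGER. Unsigned values with the high bit set get a leading 0x00."""
    if value < 0:
        raise ValueError("this example only encodes non-negative integers")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return tlv(tag, body)


def ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or arcs[1] > 39:
        raise ValueError("malformed OID")
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunks = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunks.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunks))
    return tlv(0x06, bytes(body))


def ber_octets(data: bytes) -> bytes:
    return tlv(0x04, data)


def varbind(oid: str, value: bytes) -> bytes:
    return tlv(0x30, ber_oid(oid) + value)


def build_trap(community: str, trap_oid: str, uptime_ticks: int,
               varbinds, request_id: int = 1) -> bytes:
    """Encode a complete SNMPv2c TRAP message (version=1 means v2c)."""
    vbl = varbind(SYS_UPTIME_OID, ber_int(uptime_ticks, tag=0x43))
    vbl += varbind(SNMP_TRAP_OID, ber_oid(trap_oid))
    for oid, value in varbinds:
        vbl += varbind(oid, value)
    # SNMPv2-Trap-PDU is context tag [7] IMPLICIT SEQUENCE -> 0xA7
    pdu = tlv(0xA7, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, vbl))
    return tlv(0x30, ber_int(1) + ber_octets(community.encode()) + pdu)


def send_trap(packet: bytes, host: str, port: int = 162) -> None:
    """UDP send. The v2c community string is cleartext on the wire, so the
    receiver should restrict accepted sources and prefer SNMPv3 where it can."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(packet, (host, port))


if __name__ == "__main__":
    pkt = build_trap("public", EXAMPLE_TRAP_OID, 123456,
                     [(EXAMPLE_MSG_OID, ber_octets(b"Brute force logon on srv01"))])
    print(pkt.hex())
    # send_trap(pkt, "orion.example.internal")   # hypothetical trap receiver
```

Two practitioner caveats follow from the encoding: the community string is an unauthenticated cleartext secret, so a receiver that accepts traps from anywhere can be fed forged "LEM" events by anyone on the network path; and because traps are UDP with no acknowledgement, an escalation that must not be lost needs the inform variant or a retry on the sending side.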

Active Directory Authentication

We'll be extending our integration with Active Directory to authentication, allowing you to use your existing domain credentials to log in to the LEM console rather than just the built-in LEM users.

Improved Documentation

We're investing in our Log & Event Manager Knowledgebase, releasing articles that help you get LEM deployed and solve problems easier. We've also added a bunch of videos to the Resource Center, and improved the LEM Documentation Page on Thwack. These efforts will continue, along with a revamped Admin Guide that's more oriented around how you get tasks done than the pure reference manual that it is today.

And, finally.....

Access the Log & Event Manager Console from your Browser

While we'll continue to offer the Log & Event Manager Console as an installable AIR package for customers that want to take advantage of the desktop experience, we'll also offer the ability for you to access the SAME Console from inside your browser. With the popularity of laptops in the workplace and systems that aren't "always on", sometimes a web-accessible Console makes the most sense. The new LEM browser-enabled Console will let you:

  • Access LEM from Flash-enabled browsers and devices (primarily IE 7+ and Firefox 4+)
  • Monitor, configure, search, and respond over HTTPS (HTTP for evaluation customers) from anywhere you can connect to the appliance
  • Quickly evaluate or get LEM up and running from anywhere, without worrying about administrative credentials to install software

It's worth noting that LEM Reports will still be an installed desktop application, but many customers have chosen to install reports on a single always-on system for scheduling and running reports, while the Console is accessed by multiple team members.

And Beyond....

Some of the other items on our roadmap include:

  • Simplifying product implementation - helping you get value out of your investment quickly

And, for our standard disclaimer: The LEM team continues to work on additional features that we think will help improve our customers' day to day Log & Event Manager needs, and while these are generally our "highest priority" features, this is not a commitment or guarantee that these will be released in the next revision. Sometimes priorities shift or customer feedback encourages a change in direction.

Questions about how these features would work? Willing to participate in a release candidate of any of these features? Any other comments or feedback? Let us know with a reply here, or feel free to contact me directly.


Some say they can secure the unsecureable,
manage the unmanageable,
and that even Chuck Norris is forced to be compliant.

 

All we know is, they are called… the STIGs.

 

Updated June 29, 2015

 

The Department of Defense’s Defense Information Systems Agency (DISA) has a set of security regulations that help set a baseline standard for DoD networks, systems, and applications. If you’re responsible for a DoD network, these STIGs (Security Technical Implementation Guides) will help guide your network management, configuration, and monitoring strategies across access control, operating systems, applications, network devices, and even physical security.

 

SolarWinds Log & Event Manager can help with DISA STIG compliance via our real-time monitoring of related events across systems, network devices, applications, and security tools. Use LEM to address DISA STIG requirements for both log analysis and broader network security.


For configuration auditing, be sure to check out the NCM DISA STIG resources as well.

 

At a high level related to STIGs, you can use SolarWinds Log & Event Manager to monitor and audit:

  • Logs relevant to STIG best practices auditing (across OS, applications, and devices)
  • Changes to device, system, and user account configuration settings
  • Installation of unapproved software
  • Access and changes to sensitive/classified files
  • Creation/deletion/modification of user accounts
  • Modifications to databases and possible attack indicators
  • Access and usage of USB storage (including file/process information) and USB network devices
  • Successful and failed authentication attempts
  • Authentication from unapproved guest/anonymous accounts
  • Authentication to/from unexpected accounts/locations/machines (or using unexpected authentication methods)
  • Network access via VPN and other remote access methods
  • Data from firewalls, routers, and intrusion detection systems that can indicate that out-of-compliance protocols and ports are being accessed
  • Alerts from firewalls, anti-virus, intrusion detection systems, and other security monitoring tools that can indicate attacks, vulnerabilities, scans, and other network security issues
  • Vulnerability assessment tool reports

 

LEM includes out of the box reports and rules that directly address DISA STIGs. You can also customize your LEM Console to monitor different types of data in real-time, and use the Console to search for historical events.


Rules

 

Many of LEM’s out of the box rules can be used to address STIGs, especially anything related to monitoring for change activity and security events. You’ll need to create and customize copies specific to your environment; check out this video in the resource center about creating and using out of the box rules for more detail on how. It’s important to remember that LEM’s correlation engine is flexible, so just because you don’t see something you’re interested in doesn’t mean it can’t be done, as long as what you’re looking for is reported in the log data.

[Screenshot: LEM rule templates]


Specific rules and groups of rules of interest:

  • Compliance > DISA STIG: this category groups together STIG rules of interest into one easy category
  • Activity Types > Active Responses: these rules provide examples of automated detection and response.
  • Endpoint Monitoring: these rules include detection of issues on the workstation/server level using the LEM Agent. Most useful here will be security processes and USB device access.
  • Security > Vulnerability: these rules integrate with your vulnerability assessment reporting, to alert on new vulnerabilities/issues being found.
  • Authentication: these rules monitor authentication-related activity, including duplicate logons, logon failures to critical accounts, and unauthorized logons.
  • Change Management: these rules monitor for all kinds of change management activity (accounts, users, groups, policies) and include many rules specific to Active Directory. There are also reports that cover these same categories, so you'll want to focus on what's of most use to you in real time (generally, anything that's operationally valuable like account lockouts, or high priority like device configuration changes).
  • Activity Types > Database Auditing: these rules will monitor certain types of database activity, including changes and errors. If you’re using a separate database activity monitoring tool, use these as examples of things to look for.
  • Activity Types > Network: these rules monitor every day network activity for anomalies, such as port scans, SQL injection, and suspicious network traffic.
  • Security > Malware: these rules monitor for traditional AV issues like left alone (uncleaned) viruses and AV update failures, along with worm detection from other network activity.
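The STIG monitoring list earlier on this page and the Authentication rules above both come down to the same three correlation styles named in the Orion integration post: field-based (is this account or source allowed here?), time-and-frequency (how many failures in a window?), and multiple-event (failures followed by a success). Here is an added example of those three checks over constructed Windows Security events; this is not LEM's rule engine or its event format. The key=value log format, the admin source allowlist, and the threshold of five failures in sixty seconds are all assumptions made for the example.

```python
"""Added example, not LEM code: STIG-style authentication auditing that applies
field-based, time-and-frequency, and multiple-event correlation to constructed
Windows Security logon events (4624 = success, 4625 = failure)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a made-up key=value format (not LEM's format).
SAMPLE_LOG = """\
2015-06-29T08:00:01Z EventID=4624 TargetUser=jsmith Source=10.1.1.20 LogonType=2
2015-06-29T08:00:05Z EventID=4624 TargetUser=Guest Source=10.1.1.21 LogonType=3
2015-06-29T08:01:00Z EventID=4625 TargetUser=administrator Source=203.0.113.9 LogonType=3
2015-06-29T08:01:02Z EventID=4625 TargetUser=administrator Source=203.0.113.9 LogonType=3
2015-06-29T08:01:03Z EventID=4625 TargetUser=administrator Source=203.0.113.9 LogonType=3
2015-06-29T08:01:04Z EventID=4625 TargetUser=administrator Source=203.0.113.9 LogonType=3
2015-06-29T08:01:05Z EventID=4625 TargetUser=administrator Source=203.0.113.9 LogonType=3
2015-06-29T08:01:09Z EventID=4624 TargetUser=administrator Source=203.0.113.9 LogonType=3
2015-06-29T09:30:00Z EventID=4624 TargetUser=administrator Source=10.1.1.5 LogonType=10
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) TargetUser=(?P<user>\S+) "
                     r"Source=(?P<src>\S+) LogonType=(?P<lt>\d+)$")

# Accounts that should never log on interactively (the constructed format has no
# spaces in values; a real parser would need quoting for "ANONYMOUS LOGON").
GUEST_ACCOUNTS = {"guest", "anonymous logon"}
CRITICAL_ACCOUNTS = {"administrator"}
# Assumed allowlist of admin workstations for the field-based check.
ADMIN_SOURCES = {"10.1.1.5"}


def parse(line):
    """Return an event dict, or None for lines the constructed format doesn't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "eid": int(m["eid"]), "user": m["user"].lower(),
            "src": m["src"], "lt": int(m["lt"])}


class Correlator:
    def __init__(self, threshold=5, window=timedelta(seconds=60)):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)   # (user, src) -> recent failure times
        self.alerts = []                     # (rule, user, src) in firing order

    def _trim(self, q, now):
        """Drop failures that fell out of the sliding window."""
        while q and now - q[0] > self.window:
            q.popleft()

    def feed(self, ev):
        key = (ev["user"], ev["src"])
        if ev["eid"] == 4625:
            q = self.failures[key]
            q.append(ev["ts"])
            self._trim(q, ev["ts"])
            # time-and-frequency: fire once, when the window first reaches threshold
            if ev["user"] in CRITICAL_ACCOUNTS and len(q) == self.threshold:
                self.alerts.append(("LogonFailureBurst", ev["user"], ev["src"]))
        elif ev["eid"] == 4624:
            # field-based: unapproved guest/anonymous use, or admin from odd source
            if ev["user"] in GUEST_ACCOUNTS:
                self.alerts.append(("GuestLogon", ev["user"], ev["src"]))
            if ev["user"] in CRITICAL_ACCOUNTS and ev["src"] not in ADMIN_SOURCES:
                self.alerts.append(("AdminLogonUnexpectedSource", ev["user"], ev["src"]))
            # multiple-event: a burst of failures followed by a success
            q = self.failures.get(key)
            if q:
                self._trim(q, ev["ts"])
                if len(q) >= self.threshold:
                    self.alerts.append(("BruteForceSuccess", ev["user"], ev["src"]))
                q.clear()


def audit(text, **kw):
    """Run every parseable line of `text` through the correlator and return alerts."""
    c = Correlator(**kw)
    for line in text.splitlines():
        ev = parse(line)
        if ev:
            c.feed(ev)
    return c.alerts


if __name__ == "__main__":
    for rule, user, src in audit(SAMPLE_LOG):
        print(f"{rule}: user={user} source={src}")
```

The ordering matters for a real rule set: the failure-burst rule fires at the fifth failure, and the later success from the same source turns that into a higher-severity "brute force succeeded" alert, which is the event worth an automated response such as disabling the account. Raising the threshold or shrinking the window changes which alerts fire, which is why the page recommends copying and tuning the out-of-the-box rules per environment rather than running them as shipped.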


Reports

 

With LEM Reports, you can run reports interactively, schedule reports to run unattended, and open, filter, and save filtered reports (including saving a filtered report as a new custom report). For auditing, you’ll generally want to schedule reports, and use Rules and the Console to do most of your day to day time-sensitive monitoring.


We've created a Category of reports that will show only the STIG reports. To see reports most related to STIGs:

  1. Go to Manage > Categories
  2. Check off DISA STIG on the left (you'll see a preview of the included reports on the right)
  3. Click OK
  4. In the Category dropdown on the top right, select "Industry Reports" to filter your view only to the selected Categories (i.e. STIG).

 

[Screenshot: LEM industry reports category filter]

 

Within the STIG industry category, you'll see these general categories and types of reports:

 

  • Event Summary reports. These statistical reports will help you identify anomalies more quickly, whether they be quantity or type of alert.
  • Incident, Inferred Alerts, and SolarWinds Actions. The Incident/Inferred reports are used to document events that you’ve chosen to escalate within the LEM correlation engine, and commonly used for reporting issues that need to be identified and tracked. The Actions report will document any responses you’ve taken, automatically or interactively.
  • Authentication master and/or associated detailed reports. These reports will show all authentication related events including logon, logoff, logon failure, guest account access, and access to LEM itself.  The Master report will include everything, but if you choose to run the detailed reports, be sure to include User Log On AND Log On Failure along with Guest Login. You may also want to create a customized version of these reports that only show administrative access accounts, to audit and monitor them separately.
  • Change Management reports. These reports break down change management events, with a lot of attention paid to specific Active Directory account/domain modifications. Almost everything here is relevant to the STIGs, including creation, deletion, enable, disable of accounts and groups. The Resource Configuration reports may be an all-encompassing alternative if you don’t want to see everything broken out individually.
  • File Audit Events master and/or detail reports. These reports will show file and object access, generally provided by Windows file auditing or host-based intrusion detection tools. If you choose not to run the master report (which is inclusive of all file access reported), you will definitely want to pay close attention to the File Audit, Delete, Move, Read, and Write reports. Since these reports can be quite large and file auditing quite noisy, you may also want to customize these reports to only monitor for access to specific sensitive or system files, accounts, or devices.
  • Machine Audit master and/or detail reports. These reports will show process and service tracking, along with software installation/updates, and system status information. If you choose not to run the master report, you’ll definitely want to run the software install/update, system status, USB-Defender, and File System Audit reports, and possibly the Service Audit reports.
  • Malicious Code master and/or detail reports. These reports will show activity primarily from anti-virus and anti-malware software. Since these should be limited, the master report is the simplest way to go.
  • Network Events master and/or detail reports. These reports will show security attack and scan-related activity. There are a lot of detailed reports, but you’ll especially want to run the Attack Behavior – Access, Attack Behavior – Denial/Relay, and Suspicious Behavior reports.
  • Network Traffic Audit master and/or detail reports. These reports will probably be your most noisy (next to Authentication), but will show all firewall/router ACL traffic, proxy/web server traffic, and potentially other traffic depending on sources. The Network Traffic Audit master report is going to be pretty busy, so if you choose to run detail reports, you may want to also create versions that audit for specific issues – unexpected ports, specific IP addresses, etc.
  • Resource Configuration master and/or detail reports. These reports will overlap with the Change Management Reports in many cases, so if you schedule those, these may be redundant for your needs. Here, you’ll find policy and change management oriented data.

 

If anything changes regarding DISA STIGs, this post will be updated.
