
Product Blog


We’ve all been there. Your day has been going swimmingly – until suddenly – it’s not. Something’s gone wrong, your CIO is bearing down on you like his hair caught fire, and you need Support pronto.

Well, first up – we’re here to help. It’s a point of pride for us Support Geeks (and we know you love it too), that when you need to contact SolarWinds Support, you’re directly on to a Technical Engineer.

I’d like to briefly explain our support structure, give you a better understanding of what we do, how we can help you, and how you can get the best support experience. For full detailed information on our Support Team and your entitlements as a customer, please see our reference guide here: SolarWinds Customer Support Information - SolarWinds Worldwide, LLC. Help and Support


So, who are we?

SolarWinds Support is made up of two teams:


Customer Service

SolarWinds Customer Service is available to assist you with the general operation of your account, 24 hours a day, 5 days a week (Monday - Friday).

  • Any license related issues: resets, registration, merging
  • Logging into your customer portal
  • Updating customer account information, contact information or billing address
  • Checking the status of orders or invoices
  • Reporting issues with the website

Technical Support

SolarWinds Technical Support is available to assist you with technical product issues 24 hours a day, 7 days a week, 365 days of the year.

  • Follow-the-sun model – cases can be transferred to a close geographic location to best match your work hours
  • Assist with any Technical Product related issues
  • Specialized in a number of products


First off, there are two ways to contact Support – you can Call our Support Line, or you can submit an Online Support Ticket. We ask that you use your judgment here and reserve calls for when you have an urgent issue, or when your system is down. This in turn helps to keep the queue clearer – so when you do have an urgent issue or your system is down, we can get to you faster.


Speaking of case priorities – we allow for five different priority levels when you create a ticket with us, outlined in the table below. If you need to increase the ticket priority after submitting it, you can easily do so by responding to the case to let your Support Engineer know, by calling us, or by mailing where a Technical Support Manager will action your request.


| Priority | Business Impact |
| --- | --- |
| System Down | Product is nonfunctional and/or has unrecoverable service failure. Critical Business Impact. |
| Urgent | Product is functional but with major issues. Significant business impact. |
| High | Product is functional but with consistent issues or one product area is nonfunctional. Functionality is degraded. Some business impact. |
| Medium | Product is functional with minor or intermittent issues. Occasional functionality degradation. Minimal business impact. |
| Low | Product is functional with no apparent issues. Requests for upgrade documentation, feature requests, technical information, how to questions, product use questions. No business impact. |


Before opening a case with us, check out the wide range of self-help options we have available. You may find yourself pleasantly surprised by how quickly your issue gets resolved this way!

  • The SolarWinds Success Center contains all documentation, knowledge base articles, training videos, getting started guides and more, and it is easy to search.
  • Don’t forget the fine folks of Thwack, in particular, the Alert Lab and Report Lab denizens who are nothing short of logic gurus – no matter how awkward your alert or report requirements, they’ll probably have figured that logic out for someone else already.


Before you submit the ticket, please gather the following details for us, as it will help us to resolve your issue as quickly as possible:

  1. Clearly define the issue, providing symptoms, screenshots, how often the issue occurs, steps to reproduce the issue, any recent changes made, any steps you’ve already tried when troubleshooting this yourself, and the business impact this has for you (if any). The more information you can provide, the faster we can get to the root cause - and to a solution.
  2. Provide environmental and product information, including the product version you are running, whether you are using multiple pollers or not, OS version, server details such as CPU & RAM, and any infrastructure details you believe may be relevant.
  3. For Orion products, gather diagnostics and any other relevant logging (error details, memory dumps, trace files – whatever is relevant to that particular issue).
    1. To gather diagnostics, open SolarWinds Orion -> Documentation and Support -> Orion Diagnostics in the Start Menu. Click Start to kick it off, and it will produce a zip file.
    2. If you’re concerned that your issue could be environmental or permissions related, run the Orion Permission Checker tool as a Local Administrator – this checks a list of system folders to ensure the system accounts we’re using have the correct level of access. Click Check, and click Repair if you spot any failures.
  4. When you submit the ticket, you’ll get an automated email response with your ticket number. You can reply to this email to attach any small files to the case (<5MB), but anything larger you’ll need to upload to us:
    1. Open LeapFile and upload your file (or files), using your ticket number as the subject and as the recipient.
    2. Ping an email through to your support ticket to let us know you’ve got files uploaded already for us – we’re not automatically notified. It will make your Support Engineer’s day.

Once you’ve submitted your case, you can check its status and update it from the Customer Portal. Log in, and click Support Cases, then ‘Review all Cases’ to view and update your ticket. You’ll also receive our responses to your case by email, directly to your inbox.


How to Upgrade to SAM 6.2.1

Posted by cdoyle Support Sep 21, 2015

Interested in upgrading to SAM 6.2.1? Here’s all the information you might need to upgrade, and the steps you’ll need to take to do it quickly and easily.


Prepare your Upgrade

1. Check the Release Notes for Orion SAM 6.2.1

2. Review the system requirements and ensure your server is up to spec.

3. Back Up your Database (Microsoft KB Links: 2005, 2008, 2008 R2, 2012)

4. Check your upgrade path

    • For a quick shortcut if you have only SAM installed, this is the standard upgrade path: SAM 5.0 -> SAM 6.1 -> SAM 6.2
    • To confirm which version of SAM you’re currently running, check the footer of any page on your Orion SAM Web Console.
    • If you’re running NPM or any other modules with SAM, use the Product Upgrade Advisor tool to get an exact upgrade path to ensure you maintain compatibility while you upgrade.

5. Download the required versions from the customer portal


To download the current version, and any previous versions you require, you’ll need to log into the customer portal. Once you’ve logged in, use the License management menu to select ‘My Downloads’.


Next, select the product you want to download


And under the Server Downloads section, you’ll see the latest release selected by default. If you need an earlier version for your upgrade path, you can select it from the drop-down menu.




Complete your Upgrade

  1. Log into your Orion SAM server using the Local Administrator account to perform the upgrade.
  2. Run the installations, in order, to upgrade your product - the upgrade can be installed 'on top' of your existing older version.
    1. If you’re unsure of what order to use for the upgrade use the Product Upgrade Advisor tool for guidance.
    2. You’ll find the upgrade instructions for Orion SAM here, and a wealth of documentation, including upgrade and installation guides for all our products here.
  3. Always complete the configuration wizard before moving on to the next step!
  4. Got additional polling engines? You'll need to upgrade each of them at each step in the upgrade path to ensure they maintain compatibility. Make sure you upgrade your main poller at each step first, then update the additional pollers to match, for that step of the upgrade. Again, always complete the configuration wizard before moving on to the next step or the next polling engine.



If you run into any trouble during your upgrade, call us in Support on our toll-free numbers or submit a ticket – we’re happy to help!




Got a question that wasn’t covered here? Try these resources for help:

Orion SAM Product Page

Orion SAM Product Training

Upgrading SolarWinds Orion when FailOver Engine is installed

Migrating SAM to another server

Manual License Registration

I'm happy to announce that Storage Resource Monitor (SRM) v6.2 is now available in the SolarWinds Customer Portal for customers on Active Maintenance. This version includes the following new features and improvements:


  • Additional Device Support for Storage Resource Monitor's Orion Module:
    • EMC® Isilon®
    • Hitachi® Data Systems AMS, USP VM, USPV, VSP G1000, G200/400/600, HUS 100 Block-Side, HUS VM
    • HP® StorageWorks XP
    • IBM® Spectrum™ Virtualize (Vxxx and SVC)
  • Hierarchical Storage Pools


More details can be found in the Release Notes and in the RC blog post: More array support for Storage Resource Monitor in 6.2 RC.

We have all been waiting for this, and now it's here: the Dameware 12.0 Release Candidate is now ready for you on the Customer Portal! Don’t wait, just download it while it’s still fresh and hot. However, if you want to learn a bit more about the new features, continue reading.


This release brings several bigger and smaller improvements, so let me highlight a few of them:


  • Over the Internet (OTI) unattended sessions for Dameware Centralized users
    • Allows you to remotely support users on the move, and assist remotely without the presence of the end user
    • Deploy agents with OTI unattended support to end-points
    • Manage agents for OTI unattended sessions to maintain high security and control
  • Search Hosts in Mini Remote Control
  • Support for Windows 10
  • Ability to switch between the Standalone and Centralized versions without reinstallation
  • And many other improvements and bug fixes


The #1 feature which I want to talk about is the ability to use unattended over the Internet sessions. You already have been able to remotely connect to a computer, but it required the assistance of the end-user, and she might not have always been available or you simply didn’t want to bother the user. Now you can connect to her computer anytime.


To start off, deploy a new agent with unattended OTI capabilities to the computer. The agent will register itself automatically with the proxy. The deployment is as easy as it always has been. The new version of the agent contains support for unattended OTI. It can be configured in the General tab of agent settings, where you can limit the agent only to local connections, or direct and remote connections. These settings can be found for example during agent deployment when you are prompted to confirm the deployment under Install Options… > Configure > General.




Right after deploying the agent, it will be visible on the Admin Console for the Central Server, and will be waiting for your approval (if you have just upgraded and are not using an evaluation copy, which has auto-approvals enabled). This gives you control over who can use remote unattended sessions, but it also gives you control in case you have several thousand end-points and you don’t want to remote to them all over the internet.


As soon as you approve the agent, it becomes available for remote sessions.


Another option is to configure auto-approvals under Central Server > Settings by setting the value of the Remote Host Auto-approve property to true. This setting will automatically display a notification banner in the admin console.



After the approval of the agent for Internet sessions, it will also appear in the new Remote Host List of the MRC console, so any technician can start to make unattended connections from this list right away.

You can also drag & drop the host from the Remote Host List to your Personal Host List or Saved Host List (see below screenshot). From any of these lists you can initiate unattended OTI connections. If you already had the computer in the Personal Host List, it will appear in the list twice, and its icon will indicate a direct LAN connection (red arrow in the screenshot) or an unattended OTI connection (green arrow in the screenshot).


You are probably also curious about searching for a host in MRC. Simply click on the Find icon in the Remote Connect menu of the MRC console and type a hostname or IP address.



I’d love to hear from you, so if you have any feedback, please let me know in a comment or use the DameWare DRS Release Candidate forum.

Now go to your customer portal and download the new installer!

One of the things that we wanted to do for this release was to split out the Windows Filtering Platform (WFP) from the Windows Security log connector.


Why are we splitting this out into a separate connector?

This is being split out because customers frequently call Support after being completely overwhelmed by the sheer volume of data upon enabling the Windows Security Log connector, while other customers still want to collect this data.


What does this mean?

It means that upon connector upgrade this behavior will change. Anyone who wants to collect Windows Filtering Platform events will need to configure that connector specifically once they get the latest connector update.

To receive updates on the Engineers Toolset roadmap, JOIN thwack and BOOKMARK this page.


When v11.0 was introduced with the new Toolset on the Web, it brought some fresh air to the Engineer’s must-have collection of tools, and we therefore decided to continue this trend in the upcoming v11.1.

Out of all the changes planned for v11.1, a native web-based SSH client tool is the most significant addition, so here is a small summary of what it can do.



Web-based SSH client


Included in the Toolset drop-down and available for every Orion managed Node/Element, the SSH tool is a click away anytime you need it.


Focusing on simplicity, the main SSH client page allows you to connect to any Orion managed node and utilize the existing connection profiles created in Toolset or NCM (if installed on the same server). Naturally, you can also connect to non-managed devices and specify your own credentials.



Natively supporting colors, exit characters and basically everything you would expect from the SSH client…

To simplify credential management and keep everything under your control, administrators are allowed to create and manage Connection Profiles and assign them to devices globally, but also individually to each and every user. This way, new users can have SSH access to some of the devices without needing to know the password.


For more security sensitive organizations and/or troubleshooting purposes, auditing will be enabled by default so you can see when and who connected to what device using which credentials. When installed on the same machine with NCM, Toolset SSH client respects the more granular NCM roles of admin/engineer/uploader/etc and adjusts who can use pre-defined connection profiles.

Unlike with other real-time tools on the Web, there won't be a limitation of 3 active tabs per browser, so you will be able to connect to as many devices as you need to.


Looking forward to hearing your feedback

Peter Ksenzsigh

Toolset team



To receive updates on the WPM roadmap, JOIN thwack and BOOKMARK this page.


With the official release of WPM 2.0.1 the WPM team is working hard to build several new and exciting features including:


  • Improvements in integration with Orion based products to improve ease of troubleshooting
    • Linking of Transaction to Application(s) that provide services to the monitored web application
    • Linking of Transaction to Node(s) on which the web application is running
  • Simple Conditional logic in transactions
    • Handling of random pop-ups
  • Improved recognition of node status
  • Positive and Negative matches (for text and images)
  • Adopting new reporting engine
  • Allow change of user agent string
  • Ability to inject cookies into transaction
  • Custom properties for transactions
  • Allow users multi-select steps in recorder for easier editing
  • Multi-variant text input
  • Support for IE 11

Server & Application Monitor 6.2 included a boatload of great new features that are going to be difficult to top, but that isn't going to stop us from trying. Here is a sneak peek at just a few of the items the team is diligently plugging away on.


  • Cloud Infrastructure Monitoring
    • Amazon AWS
  • Optional Agent for Linux Applications and Servers
    • Allows for polling host and applications behind firewall NAT or proxies
    • Polling node and applications across multiple discrete networks that have overlapping IP address space
    • Allow for reliable and secure encrypted polling over a single port
    • Support low bandwidth, high latency connections
    • Full end to end encryption between the monitored host and the Orion poller
    • Store and forward capabilities allowing the agent to operate independently of the Polling engine when network connectivity is lost
  • Numerous AppStack Environment enhancements
  • Real-Time Performance Analysis
  • Native Log File Monitoring
  • Web Interface design improvements
  • Active Directory Discovery
  • Application Template Assignment to Groups (Static or Dynamic)
  • Automated Network Sonar Discovery Import
    • Automatic monitoring of newly found nodes, interfaces, volumes, and applications based on discovery profile criteria
  • Web Based SSH Client

I'm excited to announce that the Log & Event Manager (LEM) 6.2 Release Candidate is now available for download by customers on active maintenance! If you're too eager to read the entirety of this post and want to jump right in, head on over to your customer portal to get started. The LEM team has been hard at work on features that will make your lives both safer and easier, and we can't wait to see what you think of them. So, with that, here's a quick overview of what goodness LEM 6.2 is delivering.



New Feature: Threat Intelligence Feed


I already wrote a lengthier blog post about this feature, so I won't go too much into the details, but I will say that this is a feature that we're really excited about. You asked for it and now we have it ready for you. With this new feature, we focused on ease of implementation and immediate value, and we hope you'll agree that a check box to get it up and running is pretty good. It's as easy as the screenshot below.


LEM sources its threat intelligence feed data from command and control lists such as Zeus and Feodo, and drop nets such as Spamhaus and DShield top attackers, among other sources.



New Feature: Automatic Connector Updates


LEM's connectors are one of its greatest assets. However, we realize that in the past we have made it somewhat cumbersome to get the newest connectors for the newest devices. So with LEM 6.2, we have created a feature that we're really excited about - automatic connector updates. With this feature enabled, you will no longer have to worry about manual updates - and you can rest assured that your LEM will always be up to date with the newest connectors.


Best of all, it's easy to use. Just enable it in Manage Appliances, and you'll be kept up to date. And if you want to force an update at any time, you're just another click away. See below.



Improvement: Virtual Appliance Details from LEM Manager


For the purpose of ensuring reliable performance and simplifying troubleshooting, it's important for LEM users to be able to view their host appliances' resource settings. Because we know how important this information is, we wanted to ensure that LEM users have easy access to it. So with LEM 6.2, you now have access to this critical information directly from your LEM Manager. You'll be able to quickly view details regarding CPU, memory, and more.



And of course -- bug fixes!


We make sure that every release addresses your customer issues, and LEM 6.2 is no exception. To name a few:

  • NTLMv2 authentication support for effective resource allocations
  • File Audit Event report bug fixes and enhancements
  • New connectors for Kerio, Blue Coat, Proofpoint, GENE6, and more!


So what do you do next?


Head over to your customer portal to download and get started.


Once you have it up and running, if you have any questions/comments/concerns/feedback, head over to the LEM RC forum and let us know!


- the LEM Product Team


Disclaimer: Comments given in this forum should not be interpreted as a commitment that SolarWinds will deliver any specific feature in any particular time frame. All discussions of future plans or product roadmaps are based on the product team's intentions, but those plans can change at any time.

I'm excited to announce general availability of  Kiwi Syslog Server 9.5! The new Kiwi Syslog version is packed with great new features and improvements.


This release contains various improvements such as


  • SNMP v3 Trap support
  • SNMP Trap Forwarding (with ability to retain source address for IPv4)
  • Trap fields to VarBinds Elements in Output
  • Logging to Papertrail cloud
  • IPv6 Support
  • Statistics email reports based on different interval
  • Ability to create more than five web console users


Kiwi Syslog v9.5 is available for download in your customer portal for those customers under current Kiwi Syslog maintenance.


If you are not a Kiwi Syslog user yet, go and download the new version now!

The Storage Resource Monitor (SRM) v6.2 Release Candidate is now available in the SolarWinds Customer Portal for customers on Active Maintenance. Release Candidates can be installed on your production systems and are fully supported. The Product Team is eagerly awaiting your feedback in the Storage RC Forum.


Additional Device Support for Storage Resource Monitor's Orion Module:

This release adds additional device support to the Orion Module, allowing customers to monitor more devices on the Orion Core Platform and take advantage of the AppStack Environment View.

  • EMC® Isilon®
  • Hitachi® Data Systems AMS, USP VM, USPV, VSP G1000, G200/400/600, HUS 100 Block-Side, HUS VM
  • HP® StorageWorks XP
  • IBM® Spectrum™ Virtualize (Vxxx and SVC)


Hierarchical Storage Pools:

In addition to more device support in the Orion Module, we are adding support for Hierarchical Storage Pools. This allows customers to see multiple pool layers when a storage array has more than one logical storage container (pool) from which a LUN can be created. This is possible with HP 3PAR and EMC VMAX. Following are some screenshots showing Hierarchical Storage Pools and a couple of new arrays supported.




Devices Supported by SRM Orion Module in Previous Releases of Storage Resource Monitor

  • SRM 6.1
    • EMC VMAX
    • Dell Compellent
    • HP StoreServ 3PAR
    • HP P2xxx/MSA
    • Dot Hill AssuredSAN 4xxx/5xxx
  • SRM 6.0 - first release with the SRM Orion Module
    • EMC VNX / CLARiiON family
    • EMC VNX NAS Stand-alone Gateway / Celerra
    • Dell EqualLogic PS Series
    • NetApp E-Series (LSI)
    • IBM DS 3xxx / 4xxx / 5xxx
    • Dell MD3xxx
    • NetApp Filers running Data OnTAP 8 in:
      • 7-mode
      • Cluster-mode (aka Clustered Data OnTAP)

I am excited to say that Database Performance Analyzer 10.0, with MySQL support, is now available.  For the Orion users out there we have also extended the DPA data for MySQL into the integration. DPA 10.0 is now available in the customer portal to download for customers on active maintenance.  If you are new to DPA and want to try it, you can download an evaluation from the SolarWinds website.

New Features in 10.0


  • Support monitoring MySQL in DPA
    • Register and monitor your on-premise, cloud, and RDS MySQL instances.
    • Multi-Dimensional Monitoring of MySQL
    • Advisors for MySQL
    • Metrics for MySQL
    • Integration between DPA and Orion for MySQL instances
  • Baselines for Resource page
  • Updated Resource collection for SQL Server, No More WMI!!!

Note: DPA 9.5 was renamed to 10.0 before release.  If you are running the release candidate DPA 9.5, no need to rush to upgrade to 10.0.



Register MySQL Instances


Register MySQL on-premise and in the cloud (RDS & EC2). Whether your MySQL instance is on RDS, EC2, or on-premise, the data shown in DPA is the same! Register a MySQL instance the same way you would any other supported database in DPA. Have several instances to register? No problem: use the Mass Registration wizard, which can be found in Options.




Multi-dimensional Monitoring of MySQL


MySQL DBAs have never really had a tool that could show them their problem SQL statements. A lot of tuning work comes from the slow query log and monitoring metrics. While this can be important, this tuning path often misses the SQL that most affects the user. You certainly can't find a query in the slow query log if it runs in .01 seconds. However, if that query is now running in .1 seconds and it runs thousands of times in an hour, it is most definitely the biggest pain point for your users.


In the screen capture below, you can see I have drilled into the familiar 'Time' dimension. From here, I can easily click to the Database tab to select and isolate SQL statements that are coming from 1 specific database. This isolation can be done for any of the dimensions.



The new dimensions for MySQL are 'Wait Instruments' and 'Operations'.

  • Use the Wait Instruments dimension to drill into the granular detail of what a specific wait is doing. As an example, I can drill into the 'updating' wait and then choose to find just the queries that are in the 'io/file/innodb/innodb_log_file' wait instrument vs. the 'lock/table/sql/handle' instrument.
    • Wait Instruments are exposed by MySQL if the MySQL Performance Schema is enabled. Wait Instruments are based on instrumented portions of the DB engine that you can enable at startup or during run-time via the Performance Schema configuration.


  • Using the example mentioned above, once I select the 'io/file/innodb/innodb_log_file' wait instrument, I can go to the Operations tab to see the SQL statements that are performing either sync or write operations.
    • Operations are exposed by MySQL if the MySQL Performance Schema is enabled. Operations are based on instrumented portions of the DB engine that are enabled by enabling Wait Instruments.





You may say 'Ok Kathy, that is a lot of information and all of this data is great, but what do I do with it?'.  That is where the Advisors, Query Advice, and wait advice in general comes in.  Let's say we saw a lot of blocking with a SQL. I click on the Query Advice and select the SQL I am concerned with.


Below is an example of the Query Advisor in DPA.  You can see the highest hours that had blocking, an explanation of what Blocking is, and other areas to look in DPA to troubleshoot this problem further.





Resource Metrics


DPA has added more out of the box metrics for MySQL than we have for any other database we support. The good news is you get all these metrics, PLUS you can still create a custom resource metric just like you can for the other monitored instances.



Note: This is one area of DPA that provides more detail for InnoDB than other engines.


Integration with Orion


We are building on what we did in the previous 9.2 release by giving SAM and Orion users the ability to see MySQL in Orion.

  • Dashboard views for NOC teams.
  • Publish response time analysis data to application monitors used by development and support teams.
  • See what is happening on your hosts and be able to correlate host activity to database activity


To see the full integration with Orion, see Announcing DPA 9.2 GA: Is it the Application or the Database?



Baselines for Metrics Page


Let's go back to that Resource (metrics) page for a moment. You may notice something new. Yep, that is the same 'Show Baselines' button that is on the Resources tab. When a metric is in alarm on the home page (here the Memory 'Warning' alarm is circled), you want to click on that alarm to find out more details.




You can see that clicking on that warning icon brings you to the memory tab on the metrics page. However, once you get to the Resource Metric page, you notice that there is a critical issue with Sorts and the Memory issue has resolved itself. Here you can see a short snippet of what this metric means as well as the baseline for the metric. You can easily see that the Row Sort Rate is higher than the baseline for this hour. This would call for more investigation in DPA.



So the obvious next question is 'How can I download DPA 10?'


For current customers, just log into the Customer Portal to download DPA 10.0.

If you want to try out DPA for the first time, download it from the SolarWinds website.


What's next for DPA?  You can review our What We Are Working on post  What We Are Working On for DPA (Updated Aug 4, 2016)

(updated on November 12, 2015)


As a part of helping untangle compliance initiatives, a popular request on the federal side is FISMA (Federal Information Systems Management Act) Compliance and support for the Risk Management Framework (RMF). In this post, I'll outline what FISMA compliance is, we'll walk through FISMA bit-by-bit, and we'll talk about where SolarWinds products can help.


FIS-WHAT? What are FISMA and RMF? And how does NIST play into it? And FIPS?


What it actually means to take on what's commonly referred to as "FISMA Compliance" is described in several NIST (National Institute of Standards and Technology) publications. The number of NIST publications out there is pretty impressive, but there are really only a few we're interested in. A couple of these are FIPS (Federal Information Processing Standard) publications - usually when we think of FIPS we think of encryption, but here we're mostly focused on risk analysis.

  1. NIST 800-37: Establishes the Risk Management Framework as the security life cycle approach.
  2. NIST 800-53: This is the main "FISMA Compliance" publication. This describes what controls need to be applied to different systems.
  3. FIPS 199 and FIPS 200: These two documents describe how to perform risk analysis and categorization for systems on the network. You'll need this categorization when you actually go to implement 800-53.


Here's a great summary, though wordy, of how all of that fits together:

FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems, is a mandatory federal standard developed by NIST in response to FISMA. To comply with the federal standard, organizations follow the Risk Management Framework to determine the security category of their information system in accordance with FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, derive the information system impact level from the security category in accordance with FIPS 200, and then apply the appropriately tailored set of baseline security controls in NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations


Okay, okay, how about the super simple version? In order to implement FIPS 200 with NIST 800-53, you have to first do the risk categorization in FIPS 199. Whew!


Navigating and Implementing NIST 800-53 - High Level


We'll leave the whole exercise of assigning risk up to you, since it'll be different for each environment. Once you've done that, as you walk through the 800-53 requirements, you'll see different controls that need to be applied at different levels. Generally, you'll have to comply with the "document" and "policy" controls across all risk levels, but some of the finer controls may not need to be applied to all risk levels.


NIST 800-53 and the RMF provide a great breakdown of the steps that need to be applied. Of interest to us when it comes to where SolarWinds products can help are:

  • Step 3: Implement controls
  • Step 4: Assess that controls are working correctly
    • Our security product portfolio, including NCM and Log & Event Manager (LEM), can be used to make sure controls have been implemented correctly.
  • Step 6: Monitor
    • Lastly, several products, including LEM, Network Performance Monitor (NPM), and NCM, can be used to make sure that controls are working as expected and that bypasses aren't attempted, and to produce reports that can be used to prove it.


I'll walk through each control and identify relevant products for each category as I go, so you don't have to memorize them all just yet.


Key Out of the Box Content for NCM and LEM


Before we dig into implementing key controls (Step 3), as a part of assessing and monitoring controls (Step 4 & Step 6), there is out of the box content included in NCM and LEM that is designed to help:

  1. For LEM:
    1. There are hundreds of out of the box reports, many of which are categorized for FISMA specifically. These reports really help address the Assess/Monitor by helping look for exceptions to controls, unexpected changes or activity, or attempts to bypass controls. In the LEM Reports Console, navigate to Configure > Manage Categories, select FISMA, then click OK. To see the list, go to View > Industry Reports.
    2. In addition, LEM includes dozens of correlation rules categorized for different compliance initiatives that can help - and be quickly enabled. From the LEM Console, navigate to Build > Rules, and either launch the Add Rule Wizard or navigate to the categories on the bottom left. I'd recommend starting with General Best Practice, but as we go through the actual controls you should find relevant correlation rules where real-time notifications are useful.
  2. For NCM:
    1. There are several templates included to help (starting with NCM 7.4 - DISA STIG and NIST FISMA Reports Now Shipping with NCM! - earlier versions can download from the Content Exchange):
      1. NIST - Services: identify services exposed on network devices
      2. NIST - Remote Access: identify remote access enabled on network devices
      3. NIST - Management: identify management protocols used on network devices
      4. NIST - Access Lists: identify key access control lists that should be present
    2. In the NCM web console, under CONFIGS, then Compliance, you should see them listed under the NIST category.


Control-by-Control Details


You might want to get a cup of coffee (or tea) while you read through this, as there's a lot here. The entirety of Appendix F of 800-53 actually describes the controls and implementing them in detail. I'm going to skip over a lot of them since they don't apply to implementing SolarWinds products, but I'll include a description for each and more details where they are especially relevant. Got your warm beverage? Let's get going.


  • AC-X: Access Control
    • General Notes: In general, there are a few areas where our products can help, but a lot of these controls will be implemented at the policy or device level. For some of these, NCM can help you distribute configuration or identify violations when it comes to network devices; LEM can help audit and monitor for potential changes.
    • Of interest:
      • AC-2: Account Management:
        • You could use LEM to identify accounts that are created outside of these controls - e.g. service accounts being added to unexpected groups - either in real-time or via reports.
        • You could use LEM to audit when passwords were changed on accounts, when users were added to groups, etc - either in real-time or via reports.
        • LEM can help satisfy AU-2(2): Automated Auditing for creation, modification, enabling, disabling, and removal, either in real-time or via reports.
        • LEM can assist with AU-2(12): Atypical Usage by looking for logon activity or patterns that are outside your environment norms, either in real-time or via reports.
      • AC-4: Information Flow Enforcement
        • LEM can help with AC-4(17) - ensure local authentication is not used by auditing for local authentication activity on systems (logons not to the domain), either in real-time or via reports.
      • AC-6: Least Privilege
        • LEM can help audit where things deviate from least privilege - e.g. when an unexpected user accesses certain files, systems, or commands, either in real-time or via reports.
        • NCM can help audit device policies for existing privileged users as things change, and roll out configuration changes if necessary.
      • AC-7: Unsuccessful Logon Attempts
        • Usually this is implemented in IAM/Domain/system policy, but you can use LEM to confirm this policy is being enforced and see how frequently it is used, generally via reports/historical analysis.
      • AC-8: System Use Notification
        • Where required across network devices, NCM can help distribute config or identify configs that don't match expected settings.
      • AC-9: Previous Logon (Access) Notification
        • Where required across network devices, NCM can help distribute config or identify configs that don't match expected settings.
      • AC-10: Concurrent Session Control
        • Where required across network devices, NCM can help distribute config or identify configs that don't match expected settings.
      • AC-11: Session Lock
        • Where required across network devices, NCM can help distribute config or identify configs that don't match expected settings.
      • AC-12: Session Termination
        • Where required across network devices, NCM can help distribute config or identify configs that don't match expected settings.
      • AC-16: Security Attributes
        • Depending on how controls are implemented, it's possible that LEM can help identify when things deviate from expected policy, either in real-time or via reports.
      • AC-17: Remote Access
        • LEM can help audit/monitor remote access, but not implement controls. LEM can also help audit where remote access is being used outside of expected controls (e.g. controls are being bypassed, or attempts to bypass are being made). As usual, this can be done either in real-time or via reports.
          • Explicitly, LEM can help with AC-17(1) - automated monitoring / control
        • NCM can help audit where and how remote access is being used across network devices, identify violations, and potentially roll out policy changes if necessary.
      • AC-19: Access Control for Mobile Devices
        • You may be able to use User Device Tracker (UDT) to detect usage of devices that are in those classified networks/facilities, and possibly also use LEM to identify authentication from unexpected users or devices.
      • AC-20: Use of External Information Systems
        • LEM can help audit AC-20(2) and AC-20(3) - use of portable storage devices and personal devices with USB-Defender when policy is bypassed/ignored.
      • AC-23: Data Mining Protection
        • You may be able to use LEM with SQL Auditor or Database Performance Analyzer (DPA) to identify when large queries or unexpected activity is being done to a database.
  • AT-X: Awareness Training
  • AU-X: Audit and Accountability
    • General Notes: A lot of this set of controls is about what data you might feed into a system like LEM and how that data needs to be preserved. LEM can help satisfy some controls directly. Some of the comments below cover how LEM treats relevant data within the controls, how LEM should be implemented to satisfy the controls, or where LEM satisfies these requirements specifically.
      • A really good note from AU-6(10) to keep in mind: remember that you can adjust audit levels depending on organizational needs and risks changing! You don't have to just enable the firehose.
    • Of Interest:
      • AU-2: Audit Events
        • LEM helps serve this, but this control is about what you feed into LEM.
      • AU-3: Content of Audit Records
        • Again, LEM stores this data, but generally this is up to logging sources. Where we normalize data, we preserve these fields.
        • AU-3(2) - Centralized Management of Planned Audit Record Content - about automation. At a low level, you would address this with tools like NCM (for devices) or Group Policy, but LEM can play a part in automating configuration, using connector profiles to ensure the right data is captured from similar systems.
      • AU-4: Audit Storage Capacity
        • Depending on your storage requirements you would need to ensure LEM has enough storage capacity to meet your needs, and can implement archiving as well.
      • AU-5: Audit Processing Failures
        • LEM can generate events when agents go offline, when there's an issue storing or processing data, when running out of disk space, and, on behalf of other systems, when audit logs are cleared or when there are hardware issues we can detect via log data.
      • AU-6: Audit Review, Analysis, and Reporting
        • LEM satisfies this requirement. It's up to you to decide which systems need to be audited and for what, and to ensure the required data is logged for collection.
        • Correlation with some data sources (e.g. "non-technical sources" in AU-6(9)) may have to be a manual process done as a part of investigation.
      • AU-7: Audit Reduction and Report Generation
        • LEM satisfies this requirement
      • AU-8: Time Stamps
        • LEM satisfies this requirement (note - we will use timestamps provided by log sources as well, but may only be down to the second)
      • AU-9: Protection of Audit Information
      • AU-10: Non-repudiation
        • For data stored and accessed in LEM, LEM satisfies this requirement
      • AU-11: Audit Record Retention
        • Depending on your retention requirements, you'd need to ensure LEM has enough storage capacity to meet your needs
      • AU-12: Audit Generation
        • LEM helps satisfy this requirement
      • AU-14: Session Audit
        • With AU-14(3), you may be able to satisfy some requirements with DameWare.
      • AU-15: Alternate Audit Capability
        • You may want to set up backup logging for devices that syslog, or architect LEM in such a way that you can go to point systems or syslog servers or servers directly to ensure (prove) you can still access data.
      • AU-16: Cross-Organizational Auditing
        • Potentially, you can use LEM to foster cross-organizational auditing (exporting, providing limited access, etc)
  • CA-X: Security Assessment and Authorization
    • General Notes: for the most part, this isn't an area we can help support, but Continuous Monitoring does fall under this area.
    • Of Interest:
      • CA-7: Continuous Monitoring
        • LEM can help facilitate continuous monitoring (correlating security data, alerting, reporting). We also find many federal government customers utilizing NPM, Server & Application Monitor (SAM), and other parts of our monitoring suite to support enterprise-wide continuous monitoring.
  • CM-X: Configuration Management
    • General Notes: A few products can help here, but primarily NCM when it comes to network devices. Patch Manager and LEM can also pitch in in a few key areas.
    • Of Interest:
      • CM-2: Baseline configuration
        • For devices, NCM (and partially FSM) can help establish and automate comparing configs to a baseline, and retaining configs.
      • CM-3: Configuration Change Control
        • For devices, NCM (and partially FSM) can help test/validate/document, automate changes
      • CM-5: Access Restrictions for Change
        • You may be able to use LEM to audit when changes are made, depending on the components and policies actually changed. Use NCM for devices and things like dual authorization.
      • CM-6: Configuration Settings
        • CM-6(1) - automated central management - use NCM for network devices.
        • CM-6(2) - NCM can help for devices, and LEM can potentially alert on relevant events in real-time.
      • CM-7: Least Functionality
        • LEM can help audit when unauthorized software and programs are being executed.
      • CM-8: Information System Component Inventory
        • Patch Manager can help audit software and system status.
      • CM-10: Software Usage Restrictions
        • You can use LEM to audit when P2P and other software is used in general, and Patch Manager to audit what's installed on a system, but it may not ultimately be perfect.
      • CM-11: User Installed Software
        • You can use LEM to audit when much software is being installed, and Patch Manager to know what's on a system.
  • CP-X: Contingency Planning
  • IA-X: Identification and Authentication
  • IR-X: Incident Response
    • General Notes: For the most part, LEM can help when it comes to incident generation and investigation, and also leveraging active response can provide you in-the-moment capabilities to deal with incidents as they occur.
    • Of Interest:
      • IR-4: Incident Handling
        • LEM can support this - including IR-4(4) information correlation, IR-4(5) automatic disabling of information system, and IR-4(9) dynamic response capability.
      • IR-5: Incident Monitoring
        • LEM may generate incidents from correlated activity, and this information can be tracked and stored (reports produced, alerts sent, etc).
      • IR-6: Incident Reporting
        • LEM can help support IR-6(1) - automated reporting to report correlated incidents detected from within LEM. (Where other SW products are used to detect and generate incidents, this is also generally true of them.)
  • MA-X: System Maintenance
    • General Notes: NCM is a key player here to help with controlling and managing approvals where it comes to network devices. LEM can help alert when stuff just doesn't seem according to expected maintenance policies.
    • Of Interest:
      • MA-2: Controlled Maintenance
        • NCM can help with MA-2(2) automated maintenance for network devices, and LEM can help audit when maintenance is taking place outside of expected maintenance windows.
      • MA-4: Nonlocal Maintenance
        • LEM can help audit MA-4(1) - auditing and review of nonlocal maintenance.
        • NCM can help with MA-4(5) - approvals and notifications - when it comes to network devices.
  • MP-X: Media Protection
    • General Notes: Most of this isn't relevant when it comes to SolarWinds products, but there's one area when it comes to removable devices where LEM's USB-Defender can help.
    • Of Interest:
      • MP-2: Media Access
        • LEM's USB-Defender can help with the USB removable media component of this.
  • PE-X: Physical & Environmental Protection
  • PL-X: Security Planning
    • General Notes: Several of the mentioned controls are those which may be supported by LEM, which can be used to centrally manage auditing and monitoring, especially within PL-9. Also interesting when it comes to PL-8 is mention of defense-in-depth techniques.
  • PS-X: Personnel Security
    • General Notes: A lot of this is external and policy-related, but think about using LEM to ensure what should happen did (i.e. Trust, But Verify).
    • Of Interest:
      • PS-4: Personnel Termination
        • May use LEM to audit usage of credentials and ensure attempts to use them do not continue after users are terminated.
      • PS-7: Third Party Personnel Security
        • May use LEM to audit usage of third party credentials and ensure attempts to use them do not continue after users are terminated
  • RA-X: Risk Assessment
    • General Notes: There's a lot of policy and procedure here, and really only one area where LEM and Patch Manager especially can help.
    • Of Interest:
      • RA-5: Vulnerability Scanning
        • Can use Patch Manager to assess vulnerable systems by missing patches
          • RA-5(1) Update Tool Capability and RA-5(2) Update by Frequency/Prior to New Scan/When Identified - Patch Manager is automatically updated with new patches
          • RA-5(6) - automated trend analysis - Patch Manager can report on patch status over time
          • RA-5(8) - review historic audit logs - Patch Manager will include audit activity of what is being patched and tracked
        • Also, you can use LEM with a vulnerability scanner to support RA-5(6) and RA-5(8) as well, along with RA-5(10) correlate scanning information.
  • SA-X: System & Services Acquisition
    • General Notes: There's not a lot that applies here to us, but it's worth mentioning that SA-4(8) speaks to ensuring new systems/apps include activity that can be monitored as part of continuous monitoring planning. Think about how you're going to monitor systems as you implement them, rather than after the fact.
  • SC-X: System & Communications Protection
    • General Notes: SC is a pretty fascinating set of controls, with everything from cryptography, to honeypots, to detonation chambers. There's a few places I made notes where SolarWinds products are relevant.
    • Of Interest:
      • SC-5: Denial of Service Protection
      • SC-7: Boundary Protection
        • Monitoring communications with LEM, NTA/NPM, and NCM/FSM for the configuration side.
        • SC-7(8) - you can also use LEM to monitor attempts to bypass proxy server.
        • SC-7(10) - you can generally use LEM for monitoring here.
      • SC-19: Voice Over Internet Protocol
      • SC-29: Heterogeneity
        • Where you have a heterogeneous environment, third party monitoring and management tools like SW (e.g. Virtualization Manager, SAM, NPM, and LEM) are more important!
  • SI-X: System & Information Integrity
    • General Notes: There's a big section for LEM in here specific to auditing (aside from the normal steps for compliance), but also a couple of other smaller areas of note.
    • Of Interest:
      • SI-2: Flaw Remediation
        • Patching - Patch Manager can help with SI-2(1) central management, SI-2(5) automatic software updates, and SI-2(6) removal of previous versions
      • SI-4: Information System Monitoring
        • This is all about LEM - also especially SI-4(2) automated tools for real-time analysis, SI-4(4) inbound and outbound communications traffic, SI-4(5) system-generated alerts, SI-4(7) automated response to suspicious events, SI-4(11) analyze communications traffic anomalies, SI-4(12) automated alerts, SI-4(13) analyze traffic/event patterns, SI-4(16) correlate monitoring information, SI-4(17) integrated situational awareness, SI-4(19) individuals posing greater risk, SI-4(20) privileged users, SI-4(22) unauthorized network services, SI-4(23) host-based devices, and SI-4(24) indicators of compromise.
        • You could also use NPM/NTA where traffic comes into play to potentially detect unexpected traffic patterns or performance issues that indicate security issues
      • SI-7: Software, firmware, and information integrity
        • Can use LEM to detect some unexpected changes, e.g. Windows does a system file check initially which can create events, and can also use LEM's FIM to detect critical system changes (files, registry keys).
          • LEM would also support SI-7(5) automated response, SI-7(7) integration of detection and response, and SI-7(8) auditing capability for significant events
      • SI-15: Information Output Filtering
        • You would want to integrate these into LEM, and consider something like LEM's SQL Auditor to detect failures when it comes to databases.


Double whew! I bet your hot beverage cup is empty at this point, perhaps I should have warned you to use the large one.




Hopefully at this point we've given you a lot more info on how we can help you get moving with FISMA compliance. If you've got questions, feel free to post them and we'll update the post as things change or more details are necessary.

Now that Virtualization Manager (VMAN) 6.3 includes new management actions, alert remediation, and more, we’ve moved full steam ahead on the next release. We are continuing the evolution into a complete monitoring and management tool for virtualization environments. Here are the highlights of what we are currently working on:


  • Continued integration into the SolarWinds Orion platform
  • Orion Global Search
  • Recommendations - Recommended actions to take to ensure performance, optimal capacity, avoid potential issues, and improve uptime.
  • Red Hat Enterprise Virtualization (KVM) support
  • Citrix XenServer Support
  • Cloud Monitoring and Management
  • VMware vCenter and Microsoft Hyper-V Events


Disclaimer: Comments given in this forum should not be interpreted as a commitment that SolarWinds will deliver any specific feature in any particular time frame. All discussions of future plans or product roadmaps are based on the product team's intentions, but those plans can change at any time.


If you don't see what you are looking for here, you can always add your idea(s) and vote on features in our Virtualization Manager Feature Requests forum.

Over the last few months, the Log & Event Manager (LEM) team has been working hard on a not so short list of features. I'm excited to announce that a major feature of the upcoming release of LEM 6.2 will be something that you all have asked for time and again: Threat Intelligence Feed integration. And so, I decided to take a moment to show off a bit of what the feature will look like and provide a chance to test the new functionality.


So before I get started, feel free to click below to be included in the LEM 6.2 beta program to test out new features such as the Threat Intelligence Feed and more.




What's in the Threat Intelligence Feed for me?

The concept of Threat Intelligence is one that has been covered in the world of security news for some time now. Problem is that, generally speaking, the term opens itself to a broad range of implementations and thus can mean something different to any vendor. So why should you care about the feature as it applies to SolarWinds? LEM 6.2's Threat Intelligence Feed will allow your organization to be prepared to recognize and handle already known and proven threats. With LEM analyzing your environment for activity against a list of known malicious threats, you will be able to easily incorporate the shared knowledge of top, reputable threat lists into your own workflows to protect yourself from the risk these threats pose. Since that is a lot of words, let's jump into some screenshots that will help to better clarify what the new feature brings.



From Reactive to Proactive

LEM's new Threat Intelligence Feed is what allows your organization to move from reactive detection, looking around your environment as best you can hoping to surface suspicious activity, to the world of proactive detection - creating workflows that will ensure you know right away when known bad actors have made their way into your own environment.


We've all been there before - pulling down a list of threat indicators and manually searching for traces of them throughout our environment. Well with the Threat Intelligence Feed, that won't be necessary because the part that we know our customers will delight in most is the ease of implementation. All you have to do is check a box in your LEM console's Appliances Properties screen and you've enabled automatic coverage of some of the top threat lists available today.
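The matching that the manual process above amounts to, as an added example (not LEM's implementation or code from the original post): indicators are parsed as networks and compared against parsed source and destination addresses, because plain text search over logs produces false matches. The feed layout, log format, and all addresses are constructed for this example.

```python
import ipaddress
import re

# Constructed threat list: RFC 5737 documentation ranges stand in for real
# indicators. The "indicator ; label" layout is an assumption for this example.
FEED_TEXT = """\
# constructed sample feed
203.0.113.0/24 ; example-c2-range
198.51.100.77  ; example-scanner
not-an-ip      ; malformed entry
"""

# Constructed firewall-style events (the key=value layout is an assumption).
LOG_LINES = [
    "2015-06-01T10:02:11Z fw01 action=allow src=10.1.4.23 dst=203.0.113.45 dport=443",
    "2015-06-01T10:02:15Z fw01 action=deny src=198.51.100.77 dst=10.1.0.5 dport=22",
    "2015-06-01T10:03:00Z fw01 action=allow src=10.203.0.113 dst=192.0.2.10 dport=80",
    "2015-06-01T10:03:02Z fw01 action=allow src=10.1.4.99 dst=203.0.113.450 dport=80",
]

FIELD_RE = re.compile(r"\b(src|dst|action)=(\S+)")


def parse_feed(text):
    """Return ([(network, label), ...], [rejected indicator strings])."""
    networks, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        indicator, _, label = (part.strip() for part in line.partition(";"))
        try:
            # strict=False lets a bare host address load as a /32 (or /128).
            networks.append((ipaddress.ip_network(indicator, strict=False), label))
        except ValueError:
            rejected.append(indicator)  # surface bad entries, don't drop silently
    return networks, rejected


def match_events(lines, networks):
    """Flag events whose src or dst address falls inside a listed network."""
    hits = []
    for number, line in enumerate(lines, start=1):
        fields = dict(FIELD_RE.findall(line))
        for side in ("src", "dst"):
            try:
                address = ipaddress.ip_address(fields.get(side, ""))
            except ValueError:
                continue  # field absent or not a valid address
            for network, label in networks:
                if address.version == network.version and address in network:
                    hits.append({
                        "line": number,
                        "field": side,
                        "address": str(address),
                        "label": label,
                        "action": fields.get("action", "unknown"),
                    })
    return hits


def naive_text_search(lines, needle):
    """What a plain substring search returns: line numbers containing needle."""
    return [n for n, line in enumerate(lines, start=1) if needle in line]


if __name__ == "__main__":
    feed, bad_entries = parse_feed(FEED_TEXT)
    print("rejected feed entries:", bad_entries)
    for hit in match_events(LOG_LINES, feed):
        print(hit)
    print("substring matches for '203.0.113':",
          naive_text_search(LOG_LINES, "203.0.113"))
```

The substring search flags three lines for the listed range, including an internal 10.203.0.113 host and a malformed address, while the parsed comparison flags only the one real match. The `action` field separates traffic that was allowed through from attempts that were denied.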




Search and Filters and Rules - Oh my!

Once enabled, LEM will automatically begin detecting threats in your environment. And if it finds something, it's readily available to you throughout LEM. The first place you'll be able to find it is through an nDepth search (see below - the highlighted event has been flagged by LEM as a known threat).



We know that search isn't the ideal way to consume such critical security information, so of course we will include out-of-the-box functionality that will help you get the most value out of this feature. This includes pre-built Filters, such as the one for All Threat Events seen in the screenshot below.



And, finally, who would we be if we didn't provide out-of-the-box correlation rules, allowing you to take action and alert whenever a threat event is found in your environment (just in case you don't spend your whole day in the LEM console - which is how I spend mine). See the image below for a rule to take action on a potential threat flagged by the Threat Intelligence Feed.



In summary

While there's more in store for the release of LEM 6.2, the Threat Intelligence Feed is a feature we are excited about and hope that you are excited about too. As such, we want to get this into your hands ASAP so we can get your thoughts on it while we still have time to make fixes and improvements.


So if you're a current LEM customer interested in testing out LEM 6.2 and getting your hands on new features such as the Threat Intelligence Feed, sign up for the beta here.
