
Product Blog


Server & Application Monitor 6.2 included a boatload of great new features that are going to be difficult to top, but that isn't going to stop us from trying. Here is a sneak peek at just a few of the items the team is diligently plugging away on.


  • Cloud Infrastructure Monitoring
    • Amazon AWS
  • Optional Agent for Linux Applications and Servers
    • Allows polling of hosts and applications behind firewalls, NAT, or proxies
    • Polling of nodes and applications across multiple discrete networks that have overlapping IP address space
    • Reliable, encrypted polling over a single port
    • Support for low-bandwidth, high-latency connections
    • Full end-to-end encryption between the monitored host and the Orion poller
    • Store-and-forward capability, allowing the agent to operate independently of the polling engine when network connectivity is lost
  • Numerous AppStack Environment enhancements
  • Real-Time Performance Analysis
  • Native Log File Monitoring
  • Web Interface design improvements
  • Active Directory Discovery
  • Application Template Assignment to Groups (Static or Dynamic)
  • Automated Network Sonar Discovery Import
    • Automatic monitoring of newly found nodes, interfaces, volumes, and applications based on discovery profile criteria

I'm excited to announce that the Log & Event Manager (LEM) 6.2 Release Candidate is now available for download by customers on active maintenance! If you're too eager to read the entirety of this post and want to jump right in, head on over to your customer portal to get started. The LEM team has been hard at work on features that will make your lives both safer and easier, and we can't wait to see what you think of them. So, with that, here's a quick overview of what goodness LEM 6.2 is delivering.



New Feature: Threat Intelligence Feed


I already wrote a lengthier blog post about this feature, so I won't go too much into the details, but I will say that this is a feature that we're really excited about. You asked for it and now we have it ready for you. With this new feature, we focused on ease of implementation and immediate value, and we hope you'll agree that a check box to get it up and running is pretty good. It's as easy as the screenshot below.


LEM sources its threat intelligence feed data from command-and-control lists such as Zeus and Feodo, and drop nets such as the Spamhaus and DShield top attackers lists, among other sources.



New Feature: Automatic Connector Updates


LEM's connectors are one of its greatest assets. However, we realize that in the past we have made it somewhat cumbersome to get the newest connectors for the newest devices. So with LEM 6.2, we have created a feature that we're really excited about - automatic connector updates. With this feature enabled, you will no longer have to worry about manual updates - and you can rest assured that your LEM will always be up to date with the newest connectors.


Best of all, it's easy to use. Just enable it in Manage Appliances, and you'll be kept up to date. And if you want to force an update at any time, you're just another click away. See below.

[Screenshot: enabling automatic connector updates in Manage Appliances]


Improvement: Virtual Appliance Details from LEM Manager


For the purpose of ensuring reliable performance and simplifying troubleshooting, it's important for LEM users to be able to view their host appliances' resource settings. Because we know how important this information is, we wanted to ensure that LEM users have easy access to it. So with LEM 6.2, you now have access to this critical information directly from your LEM Manager. You'll be able to quickly view details regarding CPU, memory, and more.

[Screenshot: virtual appliance details shown in LEM Manager]


And of course -- bug fixes!


We make sure that every release addresses your customer issues, and LEM 6.2 is no exception. To name a few:

  • NTLMv2 authentication support for effective resource allocations
  • File Audit Event report bug fixes and enhancements
  • New connectors for Kerio, Blue Coat, Proofpoint, GENE6, and more!


So what do you do next?


Head over to your customer portal to download and get started.


Once you have it up and running, if you have any questions/comments/concerns/feedback, head over to the LEM RC forum and let us know!


- the LEM Product Team


Disclaimer: Comments given in this forum should not be interpreted as a commitment that SolarWinds will deliver any specific feature in any particular time frame. All discussions of future plans or product roadmaps are based on the product team's intentions, but those plans can change at any time.

I'm excited to announce general availability of  Kiwi Syslog Server 9.5! The new Kiwi Syslog version is packed with great new features and improvements.


This release contains various improvements such as


  • SNMP v3 Trap support
  • SNMP Trap Forwarding (with ability to retain source address for IPv4)
  • Trap fields to VarBinds Elements in Output
  • Logging to Papertrail cloud
  • IPv6 Support
  • Statistics email reports at configurable intervals
  • Ability to create more than five web console users


Kiwi Syslog v9.5 is available for download in your customer portal for those customers under current Kiwi Syslog maintenance.


If you are not a Kiwi Syslog user yet, go and download the new version now!

The Storage Resource Monitor (SRM) v6.2 Release Candidate is now available in the SolarWinds Customer Portal for customers on Active Maintenance. Release Candidates can be installed on your production systems and are fully supported. The Product Team is eagerly awaiting your feedback in the Storage RC Forum.


Additional Device Support for Storage Resource Monitor's Orion Module:

This release adds additional device support to the Orion Module, allowing customers to monitor more devices on the Orion Core Platform and take advantage of the AppStack Environment View.

  • EMC® Isilon®
  • Hitachi® Data Systems AMS, USP VM, USPV, VSP G1000, G200/400/600, HUS 100 Block-Side, HUS VM
  • HP® StorageWorks XP
  • IBM® Spectrum™ Virtualize (Vxxx and SVC)


Hierarchical Storage Pools:

In addition to more device support in the Orion Module, we are adding support for Hierarchical Storage Pools. This allows customers to see multiple pool layers when a storage array has more than one logical storage container (pool) from which a LUN can be created. This is possible with HP 3PAR and EMC VMAX. Following are some screenshots showing Hierarchical Storage Pools and a couple of the newly supported arrays.


[Screenshots: SRM 6.2 RC objects tree; EMC Isilon file share details summary; HDS AMS2100 array details summary]


Devices Supported by SRM Orion Module in Previous Releases of Storage Resource Monitor

  • SRM 6.1
    • EMC VMAX
    • Dell Compellent
    • HP StoreServ 3PAR
    • HP P2xxx/MSA
    • Dot Hill AssuredSAN 4xxx/5xxx
  • SRM 6.0 - first release with the SRM Orion Module
    • EMC VNX / CLARiiON family
    • EMC VNX NAS Stand-alone Gateway / Celerra
    • Dell EqualLogic PS Series
    • NetApp E-Series (LSI)
    • IBM DS 3xxx / 4xxx / 5xxx
    • Dell MD3xxx
    • NetApp Filers running Data OnTAP 8 in:
      • 7-mode
      • Cluster-mode (aka Clustered Data OnTAP)

I am excited to say that Database Performance Analyzer 10.0, with MySQL support, is now available. For the Orion users out there, we have also extended the DPA data for MySQL into the integration. DPA 10.0 is now available in the customer portal to download for customers on active maintenance. If you are new to DPA and want to try it, you can download an evaluation from the SolarWinds website.

New Features in 10.0


  • Support monitoring MySQL in DPA
    • Register and monitor your on-premise, cloud, and RDS MySQL instances.
    • Multi-Dimensional Monitoring of MySQL
    • Advisors for MySQL
    • Metrics for MySQL
    • Integration between DPA and Orion for MySQL instances
  • Baselines for Resource page
  • Updated Resource collection for SQL Server, No More WMI!!!

Note: DPA 9.5 was renamed to 10.0 before release.  If you are running the release candidate DPA 9.5, no need to rush to upgrade to 10.0.



Register MySQL Instances


Register MySQL on-premise and in the cloud (RDS and EC2). Whether your MySQL instance is on RDS, EC2, or on-premise, the data shown in DPA is the same! Register a MySQL instance the same way you would any other supported database in DPA. Have several instances to register? No problem: use the Mass Registration wizard, which can be found in Options.




Multi-dimensional Monitoring of MySQL


MySQL DBAs have never really had a tool that could show them their problem SQL statements. A lot of tuning work comes from the slow query log and monitoring metrics. While this can be important, this tuning path often misses the SQL that most affects the user. You certainly can't find a query in the slow query log if it runs in .01 seconds. However, if that query is now running in .1 seconds and it runs thousands of times in an hour, it is most definitely the biggest pain point for your users.


In the screen capture below, you can see I have drilled into the familiar 'Time' dimension. From here, I can easily click the Database tab to select and isolate SQL statements that are coming from one specific database. This isolation can be done for any of the dimensions.



The new dimensions for MySQL are 'Wait Instruments' and 'Operations'.

  • Use the Wait Instruments dimension to drill into the granular detail of what a specific wait is doing. As an example, I can drill into the 'updating' wait and then choose to find out just the queries that are in the 'io/file/innodb/innodb_log_file' wait instrument vs. the 'lock/table/sql/handle' instrument.
    • Wait Instruments are exposed by MySQL if the MySQL Performance Schema is enabled. Wait Instruments are based on instrumented portions of the DB engine that you can enable at startup or during run-time via the Performance Schema configuration.


  • Using the example mentioned above, once I select the 'io/file/innodb/innodb_log_file' wait instrument, I can go to the Operations tab and see the SQL statements that are performing either sync or write operations.
    • Operations are exposed by MySQL if the MySQL Performance Schema is enabled. Operations are based on instrumented portions of the DB engine that are enabled by enabling Wait Instruments.
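The two bullets above (and the earlier point that a fast query run thousands of times never shows up in the slow query log) rest on MySQL's Performance Schema. The following SQL is an added example written for this post and is not DPA's own code or queries: it enables the two wait instruments named above at run time, reports wait time per instrument, ties InnoDB log-file sync/write operations back to the statement that caused them, and lists the most expensive query digests whose average run time is below a slow-query-log threshold. It uses the real Performance Schema instrument names (`wait/io/file/innodb/innodb_log_file` and `wait/lock/table/sql/handler`); the 0.1 s threshold and the assumption that the account has UPDATE on `performance_schema` are the example's own.

```sql
-- Added example: run as a user with UPDATE on performance_schema (assumption).
-- 1. Turn on the two wait instruments discussed above at run time.
--    Instruments can also be enabled at startup with performance-schema-instrument=...
UPDATE performance_schema.setup_instruments
   SET ENABLED = 'YES', TIMED = 'YES'
 WHERE NAME IN ('wait/io/file/innodb/innodb_log_file',
                'wait/lock/table/sql/handler');

-- 2. Keep a history of individual wait and statement events so that a wait
--    can be joined back to the SQL statement that triggered it.
UPDATE performance_schema.setup_consumers
   SET ENABLED = 'YES'
 WHERE NAME IN ('events_waits_history_long',
                'events_statements_history_long');

-- 3. Wait time per instrument. Timer columns are in picoseconds:
--    divide by 1e12 for seconds, by 1e9 for milliseconds.
SELECT EVENT_NAME,
       COUNT_STAR                        AS waits,
       ROUND(SUM_TIMER_WAIT / 1e12, 3)   AS total_wait_sec,
       ROUND(AVG_TIMER_WAIT / 1e9,  3)   AS avg_wait_ms
  FROM performance_schema.events_waits_summary_global_by_event_name
 WHERE EVENT_NAME IN ('wait/io/file/innodb/innodb_log_file',
                      'wait/lock/table/sql/handler')
 ORDER BY SUM_TIMER_WAIT DESC;

-- 4. "Operations" view: which statements are doing sync or write operations
--    against the InnoDB log file. A wait's NESTING_EVENT_ID points at the
--    statement event it ran inside when NESTING_EVENT_TYPE = 'STATEMENT'.
SELECT w.OPERATION,
       COUNT(*)                              AS waits,
       ROUND(SUM(w.TIMER_WAIT) / 1e9, 3)     AS total_wait_ms,
       s.DIGEST_TEXT
  FROM performance_schema.events_waits_history_long      AS w
  JOIN performance_schema.events_statements_history_long AS s
    ON s.THREAD_ID = w.THREAD_ID
   AND s.EVENT_ID  = w.NESTING_EVENT_ID
 WHERE w.NESTING_EVENT_TYPE = 'STATEMENT'
   AND w.EVENT_NAME = 'wait/io/file/innodb/innodb_log_file'
   AND w.OPERATION IN ('sync', 'write')
 GROUP BY w.OPERATION, s.DIGEST_TEXT
 ORDER BY total_wait_ms DESC;

-- 5. Queries the slow query log would miss: average run time under 0.1 s
--    (example threshold), ranked by total time consumed across all executions.
SELECT SCHEMA_NAME,
       DIGEST_TEXT,
       COUNT_STAR                        AS executions,
       ROUND(SUM_TIMER_WAIT / 1e12, 3)   AS total_sec,
       ROUND(AVG_TIMER_WAIT / 1e9,  3)   AS avg_ms
  FROM performance_schema.events_statements_summary_by_digest
 WHERE AVG_TIMER_WAIT < 0.1 * 1e12
 ORDER BY SUM_TIMER_WAIT DESC
 LIMIT 10;
```

The history_long consumers are off by default because they add overhead; enabling only the instruments you are investigating, as in step 1, is the same selective approach the post recommends for audit levels elsewhere. Query 5 is the one that surfaces the .01 s-to-.1 s regression described above, since it ranks by total time rather than per-execution time.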





You may say, 'Ok Kathy, that is a lot of information and all of this data is great, but what do I do with it?' That is where the Advisors, Query Advice, and wait advice in general come in. Let's say we saw a lot of blocking with a SQL statement. I click on the Query Advice and select the SQL statement I am concerned with.


Below is an example of the Query Advisor in DPA. You can see the hours with the most blocking, an explanation of what blocking is, and other areas to look in DPA to troubleshoot this problem further.





Resource Metrics


DPA has added more out-of-the-box metrics for MySQL than we have for any other database we support. The good news is that you get all these metrics, plus you can still create a custom resource metric just as you can for the other monitored instances.



Note: This is one area of DPA that provides more detail for InnoDB than for other engines.


Integration with Orion


We are building on what we did in the previous 9.2 release by giving SAM and Orion users the ability to see MySQL in Orion.

  • Dashboard views for NOC teams.
  • Publish response time analysis data to application monitors used by development and support teams.
  • See what is happening on your hosts and be able to correlate host activity to database activity


To see the full integration with Orion, go here Announcing DPA 9.2 GA : Is it the Application or the Database?



Baselines for Metrics Page


Let's go back to that Resource (metrics) page for a moment. You may notice something new. Yep, that is the same 'Show Baselines' button that is on the Resources tab. When there is a metric that is in alarm on the home page (here the Memory warning alarm is circled), you want to click on that alarm to find out more details.




You can see that clicking on that warning icon brings you to the Memory tab on the metrics page. However, once we got to the Resource Metrics page, you noticed that there is a critical issue with Sorts and the Memory issue has resolved itself. Here you can see a short snippet of what this metric means as well as the baseline for the metric. You can easily see that the Row Sort Rate is higher than the baseline for this hour. This would call for more investigation in DPA.



So the obvious next question is 'How can I download DPA 10?'


For current customers, just log into the Customer Portal to download DPA 10.0.

If you want to try out DPA for the first time, download it from the SolarWinds website.


What's next for DPA? You can review our What We Are Working On post: What We Are Working On for DPA (Updated May 11, 2016)

(updated on November 12, 2015)


As a part of helping untangle compliance initiatives, a popular request on the federal side is FISMA (Federal Information Security Management Act) compliance and support for the Risk Management Framework (RMF). In this post, I'll outline what FISMA compliance is, we'll walk through FISMA bit by bit, and we'll talk about where SolarWinds products can help.


FIS-WHAT? What is FISMA AND RMF? And how does NIST play into it? And FIPS?


What it actually means to take on what's commonly referred to as "FISMA Compliance" is described in several NIST (National Institute of Standards and Technology) publications. The number of NIST publications out there is impressive, but there are really only a few we're interested in. A couple of these are FIPS (Federal Information Processing Standard) publications; usually when we think of FIPS we think of encryption, but here we're mostly focused on risk analysis.

  1. NIST 800-37: Establishes the Risk Management Framework as the security life cycle approach.
  2. NIST 800-53: This is the main "FISMA Compliance" publication. This describes what controls need to be applied to different systems.
  3. FIPS 199 and
  4. FIPS 200: These two documents describe how to perform risk analysis and categorization for systems on the network. You'll need this categorization when you actually go to implement 800-53.


Here's a great summary, though wordy, of how all of that fits together:

FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems, is a mandatory federal standard developed by NIST in response to FISMA. To comply with the federal standard, organizations follow the Risk Management Framework to determine the security category of their information system in accordance with FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, derive the information system impact level from the security category in accordance with FIPS 200, and then apply the appropriately tailored set of baseline security controls in NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations.


Okay, okay, how about the super simple version? In order to implement FIPS 200 with NIST 800-53, you first have to do the risk categorization in FIPS 199. Whew!


Navigating and Implementing NIST 800-53 - High Level


We'll leave the whole exercise of assigning risk up to you, since it'll be different for each environment. Once you've done that, as you walk through the 800-53 requirements, you'll see different controls that need to be applied at different levels. Generally, you'll have to comply with the "document" and "policy" controls across all risk levels, but some of the finer controls may not need to be applied to all risk levels.


NIST 800-53 and the RMF provide a great breakdown of the steps that need to be applied. Of interest to us when it comes to where SolarWinds products can help are:

  • Step 3: Implement controls
  • Step 4: Assess controls are working correctly
    • Our security product portfolio, including NCM, and Log & Event Manager (LEM), can be used to make sure controls have been implemented correctly.
  • Step 6: Monitor
    • Lastly, several products, including LEM, Network Performance Monitor (NPM), and NCM, can be used to make sure that controls are working as expected, bypasses aren't attempted, and produce reports that can be used to prove it.


I'll walk through each control and identify relevant products for each category as I go, so you don't have to memorize them all just yet.


Key Out of the Box Content for NCM and LEM


Before we dig into implementing key controls (Step 3), as a part of assessing and monitoring controls (Step 4 & Step 6), there is out of the box content included in NCM and LEM that is designed to help:

  1. For LEM:
    1. There are hundreds of out-of-the-box reports, many of which are categorized for FISMA specifically. These reports really help address the Assess and Monitor steps by looking for exceptions to controls, unexpected changes or activity, or attempts to bypass controls. In the LEM Reports Console, navigate to Configure > Manage Categories, select FISMA, then click OK. To see the list, go to View > Industry Reports.
      1. [Screenshot: LEM Industry Reports list]
    2. In addition, LEM includes dozens of correlation rules categorized for different compliance initiatives that can help - and be quickly enabled. From the LEM Console, navigate to Build > Rules, and either launch the Add Rule Wizard or navigate to the categories on the bottom left. I'd recommend starting with General Best Practice, but as we go through the actual controls you should find relevant correlation rules where real-time notifications are useful.
  2. For NCM:
    1. There are several templates included to help (starting with NCM 7.4 - DISA STIG and NIST FISMA Reports Now Shipping with NCM! - earlier versions can download from the Content Exchange):
      1. NIST - Services: identify services exposed on network devices
      2. NIST - Remote Access: identify remote access enabled on network devices
      3. NIST - Management: identify management protocols used on network devices
      4. NIST - Access Lists: identify key access control lists that should be present
    2. In the NCM web console, under CONFIGS, then Compliance, you should see them listed under the NIST category.
      1. [Screenshot: NCM Compliance view, NIST category]


Control-by-Control Details


You might want to get a cup of coffee (or tea) while you read through this, as there's a lot here. The entirety of Appendix F of 800-53 actually describes the controls and implementing them in detail. I'm going to skip over a lot of them since they don't apply to implementing SolarWinds products, but I'll include a description for each and more details where they are especially relevant. Got your warm beverage? Let's get going.


  • AC-X: Access Control
    • General Notes: In general, there are a few areas our products can help, but a lot of these controls will be implemented at the policy or device level. For some of these, NCM can help you distribute configuration or identify violations when it comes to network devices; LEM can help audit and monitor for potential changes.
    • Of interest:
      • AC-2: Account Management:
        • You could use LEM to identify accounts that are created outside of these controls - e.g. service accounts being added to unexpected groups - either in real-time or via reports.
        • You could use LEM to audit when passwords were changed on accounts, when users were added to groups, etc - either in real-time or via reports.
        • LEM can help satisfy AU-2(2): Automated Auditing for creation, modification, enabling, disabling, and removal, either in real-time or via reports.
        • LEM can assist with AU-2(12): Atypical Usage by looking for logon activity or patterns that are outside your environment's norms, either in real-time or via reports.
      • AC-4: Information Flow Enforcement
        • LEM can help with AC-4(17) - ensure local authentication is not used by auditing for local authentication activity on systems (logons not to the domain), either in real-time or via reports.
      • AC-6: Least Privilege
        • LEM can help audit where things deviate from least privilege - e.g. when an unexpected user accesses certain files, systems, or commands, either in real-time or via reports.
        • NCM can help audit device policies for existing privileged users as things change, and roll out configuration changes if necessary.
      • AC-7: Unsuccessful Logon Attempts
        • Usually this is implemented in IAM/Domain/system policy, but you can use LEM to confirm this policy is being enforced and see how frequently it is used, generally via reports/historical analysis.
      • AC-8: System Use Notification
        • Where required across network devices, NCM can help distribute config or identify configs that don't match expected settings.
      • AC-9: Previous Logon (Access) Notification
        • Where required across network devices, NCM can help distribute config or identify configs that don't match expected settings.
      • AC-10: Concurrent Session Control
        • Where required across network devices, NCM can help distribute config or identify configs that don't match expected settings.
      • AC-11: Session Lock
        • Where required across network devices, NCM can help distribute config or identify configs that don't match expected settings.
      • AC-12: Session Termination
        • Where required across network devices, NCM can help distribute config or identify configs that don't match expected settings.
      • AC-16: Security Attributes
        • Depending on how controls are implemented, it's possible that LEM can help identify when things deviate from expected policy, either in real-time or via reports.
      • AC-17: Remote Access
        • LEM can help audit/monitor remote access, but not implement controls. LEM can also help audit where remote access is being used outside of expected controls (e.g. controls are being bypassed, or attempts to bypass are being made). As usual, this can be done either in real-time or via reports.
          • Explicitly, LEM can help with AC-17(1) - automated monitoring / control
        • NCM can help audit where and how remote access is being used across network devices, identify violations, and potentially roll out policy changes if necessary.
      • AC-19: Access Control for Mobile Devices
        • You may be able to use User Device Tracker (UDT) to detect usage of devices that are in those classified networks/facilities, and possibly also use LEM to identify authentication from unexpected users or devices.
      • AC-20: Use of External Information Systems
        • LEM can help audit AC-20(2) and AC-20(3) - use of portable storage devices and personal devices with USB-Defender when policy is bypassed/ignored.
      • AC-23: Data Mining Protection
        • You may be able to use LEM with SQL Auditor or Database Performance Analyzer (DPA) to identify when large queries or unexpected activity is being done to a database.
  • AT-X: Awareness Training
  • AU-X: Audit and Accountability
    • General Notes: A lot of this set of controls is about what data you might feed into a system like LEM and how that data needs to be preserved. LEM can help satisfy some controls directly. Some of the comments below describe how LEM treats the relevant data, how it should be implemented to satisfy a control, or where it satisfies a requirement directly.
      • A really good note from AU-6(10) to keep in mind: remember that you can adjust audit levels depending on organizational needs and risks changing! You don't have to just enable the firehose.
    • Of Interest:
      • AU-2: Audit Events
        • LEM helps serve this, but this control is about what you feed into LEM.
      • AU-3: Content of Audit Records
        • Again, LEM stores this data, but generally this is up to logging sources. Where we normalize data, we preserve these fields.
        • AU-3(2) - Centralized Management of Planned Audit Record Content - about automation. At a low level, you would serve with tools like NCM (for devices), or Group Policy, but LEM can play a factor in automating configuration to ensure the right data is captured from similar systems with connector profiles.
      • AU-4: Audit Storage Capacity
        • Depending on your storage requirements you would need to ensure LEM has enough storage capacity to meet your needs, and can implement archiving as well.
      • AU-5: Audit Processing Failures
        • LEM can generate events when agents go offline, when there's an issue storing or processing data, when running out of disk space, and on behalf of other systems when audit logs are cleared or when there are hardware issues we can detect via log data.
      • AU-6: Audit Review, Analysis, and Reporting
        • LEM satisfies this requirement; it's up to you to decide which systems need to be audited and for what, and to ensure the required data is logged for collection.
        • Correlation with some data sources (e.g. "non-technical sources" in AU-6(9)) may have to be a manual process done as a part of investigation.
      • AU-7: Audit Reduction and Report Generation
        • LEM satisfies this requirement
      • AU-8: Time Stamps
        • LEM satisfies this requirement (note: we will use timestamps provided by log sources as well, but those may only be accurate to the second).
      • AU-9: Protection of Audit Information
      • AU-10: Non-repudiation
        • For data stored and accessed in LEM, LEM satisfies this requirement
      • AU-11: Audit Record Retention
        • Depending on your retention requirements, you'd need to ensure LEM has enough storage capacity to meet your needs
      • AU-12: Audit Generation
        • LEM helps satisfy this requirement
      • AU-14: Session Audit
        • With AU-14(3), you may be able to satisfy some requirements with DameWare.
      • AU-15: Alternate Audit Capability
        • You may want to set up backup logging for devices that syslog, or architect LEM in such a way that you can go to point systems or syslog servers or servers directly to ensure (prove) you can still access data.
      • AU-16: Cross-Organizational Auditing
        • Potentially, you can use LEM to foster cross-organizational auditing (exporting, providing limited access, etc)
  • CA-X: Security Assessment and Authorization
    • General Notes: for the most part, this isn't an area we can help support, but Continuous Monitoring does fall under this area.
    • Of Interest:
      • CA-7: Continuous Monitoring
        • LEM can help facilitate continuous monitoring (correlating security data, alerting, reporting). We also find many federal government customers utilizing NPM, Server & Application Monitor (SAM), and other parts of our monitoring suite to support enterprise-wide continuous monitoring.
  • CM-X: Configuration Management
    • General Notes: A few products can help here, but primarily NCM when it comes to network devices. Patch Manager and LEM can also pitch in in a few key areas.
    • Of Interest:
      • CM-2: Baseline configuration
        • For devices, NCM (and partially FSM) can help establish and automate comparing configs to a baseline, and retaining configs.
      • CM-3: Configuration Change Control
        • For devices, NCM (and partially FSM) can help test/validate/document, automate changes
      • CM-5: Access Restrictions for Change
        • You may be able to use LEM to audit when changes are made depending on components and policies actually changed. NCM for devices and things like dual authorization.
      • CM-6: Configuration Settings
        • CM-6(1) - automated central management - use NCM for network devices.
        • CM-6(2) - NCM can help for devices, and LEM can potentially alert on relevant events in real-time.
      • CM-7: Least Functionality
        • LEM can help audit when unauthorized software and programs are being executed.
      • CM-8: Information System Component Inventory
        • Patch Manager can help audit software and system status.
      • CM-10: Software Usage Restrictions
        • You can use LEM to audit when P2P and other software is used in general, and Patch Manager to audit what's installed on a system, but coverage may not be complete.
      • CM-11: User Installed Software
        • You can use LEM to audit when software is being installed, and Patch Manager to know what's on a system.
  • CP-X: Contingency Planning
  • IA-X: Identification and Authentication
  • IR-X: Incident Response
    • General Notes: For the most part, LEM can help when it comes to incident generation and investigation, and leveraging active response can give you in-the-moment capabilities to deal with incidents as they occur.
    • Of Interest:
      • IR-4: Incident Handling
        • LEM can support this - including IR-4(4) information correlation, IR-4(5) automatic disabling of information system, and IR-4(9) dynamic response capability.
      • IR-5: Incident Monitoring
        • LEM may generate incidents from correlated activity, and this information can be tracked and stored (reports produced, alerts sent, etc).
      • IR-6: Incident Reporting
        • LEM can help support IR-6(1) - automated reporting to report correlated incidents detected from within LEM. (Where other SW products are used to detect and generate incidents, this is also generally true of them.)
  • MA-X: System Maintenance
    • General Notes: NCM is a key player here to help with controlling and managing approvals when it comes to network devices. LEM can help alert when activity doesn't match expected maintenance policies.
    • Of Interest:
      • MA-2: Controlled Maintenance
        • NCM can help with MA-2(2) automated maintenance for network devices, and LEM can help audit when maintenance is taking place outside of expected maintenance windows.
      • MA-4: Nonlocal Maintenance
        • LEM can help audit MA-4(1) - auditing and review of nonlocal maintenance.
        • NCM can help with MA-4(5) - approvals and notifications - when it comes to network devices.
  • MP-X: Media Protection
    • General Notes: Most of this isn't relevant when it comes to SolarWinds products, but there's one area when it comes to removable devices where LEM's USB-Defender can help.
    • Of Interest:
      • MP-2: Media Access
        • LEM's USB-Defender can help with the USB removable media component of this.
  • PE-X: Physical & Environmental Protection
  • PL-X: Security Planning
    • General Notes: Several of the mentioned controls are those which may be supported by LEM, which can be used to centrally manage auditing and monitoring, especially within PL-9. Also interesting when it comes to PL-8 is mention of defense-in-depth techniques.
  • PS-X: Personnel Security
    • General Notes: A lot of this is external and policy-related, but think about using LEM to ensure what should happen did (i.e. Trust, But Verify).
    • Of Interest:
      • PS-4: Personnel Termination
        • May use LEM to audit usage of credentials and ensure attempts to use them do not continue after users are terminated.
      • PS-7: Third Party Personnel Security
        • May use LEM to audit usage of third-party credentials and ensure attempts to use them do not continue after those users are terminated.
  • RA-X: Risk Assessment
    • General Notes: There's a lot of policy and procedure here, and really only one area where LEM and Patch Manager especially can help.
    • Of Interest:
      • RA-5: Vulnerability Scanning
        • Can use Patch Manager to assess vulnerable systems by missing patches.
          • RA-5(1) Update Tool Capability and RA-5(2) Update by Frequency/Prior to New Scan/When Identified - Patch Manager is automatically updated with new patches.
          • RA-5(6) - automated trend analysis - Patch Manager can report on patch status over time.
          • RA-5(8) - review historic audit logs - Patch Manager will include audit activity of what is being patched and tracked.
        • Also, you can use LEM together with a vulnerability scanner to support RA-5(6) and RA-5(8), as well as RA-5(10) - correlate scanning information.
  • SA-X: System & Services Acquisition
    • General Notes: There's not a lot that applies here to us, but it's worth mentioning that SA-4(8) speaks to ensuring new systems/apps include activity that can be monitored as part of continuous monitoring planning. Think about how you're going to monitor systems as you implement them, rather than after the fact.
  • SC-X: System & Communications Protection
    • General Notes: SC is a pretty fascinating set of controls, with everything from cryptography, to honeypots, to detonation chambers. There are a few places where I made notes on where SolarWinds products are relevant.
    • Of Interest:
      • SC-5: Denial of Service Protection
      • SC-7: Boundary Protection
        • Monitoring communications with LEM, NTA/NPM, and NCM/FSM for the configuration side.
        • SC-7(8) - you can also use LEM to monitor attempts to bypass proxy server.
        • SC-7(10) - you can generally use LEM for monitoring here.
      • SC-19: Voice Over Internet Protocol
      • SC-29: Heterogeneity
        • Where you have a heterogeneous environment, third party monitoring and management tools like SW (e.g. Virtualization Manager, SAM, NPM, and LEM) are more important!
  • SI-X: System & Information Integrity
    • General Notes: There's a big section for LEM in here specific to auditing (aside from the normal steps for compliance), but also a couple of other smaller areas of note.
    • Of Interest:
      • SI-2: Flaw Remediation
        • Patching - Patch Manager can help with SI-2(1) central management, SI-2(5) automatic software updates, and SI-2(6) removal of previous versions
      • SI-4: Information System Monitoring
        • This is all about LEM - especially SI-4(2) automated tools for real-time analysis, SI-4(4) inbound and outbound communications traffic, SI-4(5) system-generated alerts, SI-4(7) automated response to suspicious events, SI-4(11) analyze communications traffic anomalies, SI-4(12) automated alerts, SI-4(13) analyze traffic/event patterns, SI-4(16) correlate monitoring information, SI-4(17) integrated situational awareness, SI-4(19) individuals posing greater risk, SI-4(20) privileged users, SI-4(22) unauthorized network services, SI-4(23) host-based devices, and SI-4(24) indicators of compromise.
        • You could also use NPM/NTA where traffic comes into play to potentially detect unexpected traffic patterns or performance issues that indicate security issues.
      • SI-7: Software, firmware, and information integrity
        • Can use LEM to detect some unexpected changes, e.g. Windows does a system file check initially which can create events, and can also use LEM's FIM to detect critical system changes (files, registry keys).
          • LEM would also support SI-7(5) automated response, SI-7(7) integration of detection and response, and SI-7(8) auditing capability for significant events
      • SI-15: Information Output Filtering
        • You would want to integrate these into LEM, and consider something like LEM's SQL Auditor to detect failures when it comes to databases.
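As an added illustration of the PS-4/PS-7 checks above (this is not LEM content or SolarWinds code), the following Python script correlates a constructed termination list with constructed Windows-style logon events and reports any use of a terminated account, employee or third party, on or after its termination date. The event format, field names and account names are assumptions made for the example; in practice the termination list would come from an HR export and the events from the collected Security logs.

```python
"""Audit for credential use after termination (added example for PS-4 / PS-7).

Stand-alone illustration of the check described in the FISMA notes above;
not LEM's own correlation logic. Runs over constructed sample data.
"""
from datetime import datetime

# Constructed sample: termination date per account (assumption: an HR export
# keyed by account name; "third_party" marks contractor/vendor accounts).
TERMINATIONS = {
    "jdoe": {"terminated": "2015-07-10", "third_party": False},
    "acme_svc": {"terminated": "2015-07-01", "third_party": True},
}

# Constructed sample logon events in an assumed key=value format (not real
# log data). 4624 = successful logon, 4625 = failed logon.
SAMPLE_EVENTS = [
    "2015-07-09T08:02:11 host=WS01 user=jdoe event=4624 outcome=success",
    "2015-07-11T22:14:03 host=WS01 user=jdoe event=4625 outcome=failure",
    "2015-07-12T01:30:45 host=SRV02 user=jdoe event=4624 outcome=success",
    "2015-07-05T09:00:00 host=VPN01 user=acme_svc event=4624 outcome=success",
    "2015-07-11T09:00:00 host=SRV02 user=msmith event=4624 outcome=success",
]


def parse_event(line):
    """Split '<timestamp> k=v k=v ...' into a dict with a parsed 'time'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["time"] = datetime.fromisoformat(ts)
    return fields


def find_post_termination_logons(events, terminations):
    """Return one finding per event where a terminated account was used at or
    after midnight of its termination date.  Each finding records whether the
    attempt succeeded (a success is the more urgent case: the credential is
    still valid) and which control family it maps to: PS-7 for third-party
    personnel, PS-4 for employees."""
    findings = []
    for line in events:
        ev = parse_event(line)
        record = terminations.get(ev["user"])
        if record is None:
            continue  # account is not on the termination list
        cutoff = datetime.fromisoformat(record["terminated"])
        if ev["time"] >= cutoff:
            findings.append({
                "user": ev["user"],
                "time": ev["time"].isoformat(),
                "host": ev["host"],
                "succeeded": ev["outcome"] == "success",
                "control": "PS-7" if record["third_party"] else "PS-4",
            })
    return findings


if __name__ == "__main__":
    for f in find_post_termination_logons(SAMPLE_EVENTS, TERMINATIONS):
        print(f)
```

Both failed and successful attempts are reported on purpose: a failed attempt shows someone is still trying the credential, while a successful one shows the deprovisioning step the control requires never happened.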


Double whew! I bet your hot beverage cup is empty at this point, perhaps I should have warned you to use the large one.




Hopefully at this point we've given you a lot more info on how we can help you get moving with FISMA compliance. If you've got questions, feel free to post them and we'll update the post as things change or more details are necessary.

Now that Virtualization Manager (VMAN) 6.3 includes new management actions, alert remediation, and more, we’ve moved full steam ahead on the next release. We are continuing the evolution into a complete monitoring and management tool for virtualization environments. Here are the highlights of what we are currently working on:


  • Continued integration into the SolarWinds Orion platform
  • Orion Global Search
  • Recommendations - Recommended actions to take to ensure performance, optimal capacity, avoid potential issues, and improve uptime.
  • Red Hat Enterprise Virtualization (KVM) support
  • Citrix XenServer Support
  • Cloud Monitoring and Management
  • VMware vCenter and Microsoft Hyper-V Events


Disclaimer:  Comments given in this forum should not be interpreted as a commitment that SolarWinds will deliver any specific feature in any particular time frame. All discussions of future plans or product roadmaps are based on the product team's intentions, but those plans can change at any time.


If you don't see what you are looking for here, you can always add your idea(s) and vote on features in our Virtualization Manager Feature Requests forum.

Over the last few months, the Log & Event Manager (LEM) team has been working hard on a not so short list of features. I'm excited to announce that a major feature of the upcoming release of LEM 6.2 will be something that you all have asked for time and again: Threat Intelligence Feed integration. And so, I decided to take a moment to show off a bit of what the feature will look like and provide a chance to test the new functionality.


So before I get started, feel free to click below to be included in the LEM 6.2 beta program to test out new features such as the Threat Intelligence Feed and more.




What's in the Threat Intelligence Feed for me?

The concept of Threat Intelligence is one that has been covered in the world of security news for some time now. The problem is that, generally speaking, the term opens itself to a broad range of implementations and thus can mean something different to every vendor. So why should you care about the feature as it applies to SolarWinds? LEM 6.2's Threat Intelligence Feed will allow your organization to be prepared to recognize and handle already known and proven threats. With LEM analyzing your environment for activity against a list of known malicious threats, you will be able to easily incorporate the shared knowledge of top, reputable threat lists into your own workflows to protect yourself from the risk these threats pose. Since that is a lot of words, let's jump into some screenshots that will help to better clarify what the new feature brings.



From Reactive to Proactive

LEM's new Threat Intelligence Feed is what allows your organization to move from reactive detection - looking around your environment as best you can, hoping to surface suspicious activity - to the world of proactive detection: creating workflows that will ensure you know right away when known bad actors have made their way into your own environment.


We've all been there before - pulling down a list of threat indicators and manually searching for traces of them throughout our environment. Well, with the Threat Intelligence Feed, that won't be necessary, because the part that we know our customers will delight in most is the ease of implementation. All you have to do is check a box in your LEM console's Appliance Properties screen and you've enabled automatic coverage of some of the top threat lists available today.




Search and Filters and Rules - Oh my!

Once enabled, LEM will automatically begin detecting threats in your environment. And if it finds something, it's readily available to you throughout LEM. The first place you'll be able to find it is through an nDepth search (see below - the highlighted event has been flagged by LEM as a known threat).



Of course we know that search isn't the ideal way to consume such critical security information, so of course we will include out-of-the-box functionality that will help you get the most value out of this feature. This includes pre-built Filters, such as the one for All Threat Events seen in the screenshot below.



And, finally, who would we be if we didn't provide out-of-the-box correlation rules, allowing you to take action and alert whenever a threat event is found in your environment (just in case you don't spend your whole day in the LEM console - which is how I spend mine). See the image below for a rule to take action on a potential threat flagged by the Threat Intelligence Feed.

(Screenshot: out-of-the-box correlation rule for Threat Intelligence Feed events)


In summary

While there's more in store for the release of LEM 6.2, the Threat Intelligence Feed is a feature we are excited about and hope that you are excited about too. As such, we want to get this into your hands ASAP so we can get your thoughts on it while we still have time to make fixes and improvements.


So if you're a current LEM customer interested in testing out LEM 6.2 and getting your hands on new features such as the Threat Intelligence Feed, sign up for the beta here.


What We're Working on for NPM

Posted by cobrien Employee Jul 28, 2015

Since the release of NPM 11.5 we've been hard at work building the next round of exciting functionality and improvements to existing functionality. I'm excited to share the following list of items we're working on:


Ongoing Initiatives:

  • Increased scalability per SolarWinds instance (target of 250k elements / instance)
  • Improved performance and decreased resource load times via analysis with SolarWinds DPA
  • Increased number of pollers possible per instance


You can always access the most up to date version of this information here: What We're Working on for NPM (Updated April 21st, 2016)


Disclaimer:  Comments given in this forum should not be interpreted as a commitment that SolarWinds will deliver any specific feature in any particular time frame. All discussions of future plans or product roadmaps are based on the product team's intentions, but those plans can change at any time.

I’ve got a question for you:  "If Orion were a car, what kind of car would it be?"



We recently asked customers this question during feedback sessions.  The responses were quite consistent, and very telling. One user said:


“A Ram 1500 work truck; it’s got lots of compartments for tools but sometimes I just can’t find that wrench I need even though I know it’s in there somewhere! It’s not as luxurious or attractive as some of its competitors”


Agreed - Orion certainly is a workhorse! In addition to comments about the attractiveness of the design, there is a deeper theme in this quote that many other users echoed.  We can do better in terms of findability and usability. To address these concerns, we are working on a series of user experience (UX) improvements that we plan to release in addition to our normal features and functionality.


Catching up with the times


As a first step, we've been working to modernize and refresh the UI.  While these changes may appear to be a basic facelift, our primary goal is to set the stage for the future.


We focused on a few key areas that we've heard loud and clear from you:

  • Minimize space used by the header and make more room for data.  The current header takes up a lot of space, the tabs can be difficult to navigate (try hovering over a tab and then clicking on the last item in the menu bar), and that big yellow notification banner? No, thank you. The content on the page should be front-and-center.
  • Eliminate visual noise to help you focus on what is important.  The current visual design uses a mixture of colors, styles and iconography which are pretty on their own, but make it hard to parse the UI when they are shown all together. Taking a step back, the UI should highlight status, exceeded thresholds and alerts.  The big red things should draw your attention.
  • Simplify, but support density of information. There is a delicate balance between creating a roomy, clean visual design and showing data in proximity with other necessary pieces of information. Our goal is to stop the "pogo stick" effect, which requires you to jump around the page to find what you need. We haven't fully addressed this issue with the UI refresh, but we have taken baby steps.


You tell us, "If this version of Orion was a car, what kind of car would it be?"


Rome Wasn’t Built in a Day!


We’re putting the final touches on the modern UI, and now we’re kicking off deeper UX improvements.  Joel Dolisy, our CTO, recently referenced these efforts during the thwackCamp keynote address (1min 26sec).


Here is a sneak-peek at some the ideas we’re investigating:

  • Re-building the front-end using browser UI frameworks and HTML5 - AngularJS, CSS3, and some cool visualization engines for those of you who really want to geek out. Here’s looking at you, wanine39!
  • Pulling data from multiple sources to create powerful visualizations.  For example, stacking performance metrics on a single timeline for easy correlation (see a conceptual design below).
  • Improving user interactions to keep up with excellent browser applications - Google Maps, Photos, etc. More exciting interactions should take our products beyond useful, and into the realm of delightful.




Become an active partner in UI and UX design


Input from you, our users, has helped to shape the direction we’ve taken.  Keep the feedback coming to ensure that we stay on track! There are a couple ways to stay involved:


  • Get a sneak peek and share feedback on the UI refresh through the SAM 6.3 beta


  • Give us early feedback on ideas, designs and builds by signing up to participate in walkthroughs and feedback sessions with our research team (Hi Kellie!):



SolarWinds Time Machine

And now, for some fun, here's a brief history of the Orion UI! Which is the earliest version that you remember?










Disclaimer:  Comments given in this forum should not be interpreted as a commitment that SolarWinds will deliver any specific feature in any particular time frame. All discussions of future plans or product roadmaps are based on the product team's intentions, but those plans can change at any time.

It's been a while since we talked SolarWinds Patch Manager and patching in general here on the Product Blog, but with VMWorld 2015 right around the corner, all things virtual are on our minds. Here are a few quick considerations to keep in mind when thinking about patching and maintaining virtual systems.


Is patching virtual (guest) systems really different? Yes, and no.


At the most fundamental level, patching virtual guest systems isn't really different from patching physical systems. You back the system up (hopefully), you install patches (which you tested first, right?), and if necessary, finish with a reboot. Seems simple enough, but there are points along the way where we can really take advantage of virtual systems - and virtual systems can help back us up when we're being lazy (or hasty).


  1. Backing up the system: here we can take advantage of the virtual environment's ability to take snapshots, either by integration with our backup system, integration with our patching system, or by hand. Snapshots can really cover your assets when it comes to making a mistake, or if a patch has unintended consequences (not that vendors ever make a mistake, right?). If a system fails to come back after a patch or you need time to diagnose an issue, reverting to a snapshot while you clone and re-test is much simpler than the old school "revert from a backup? sigh..." or relying on Windows' ability to take reliable system restore points.
  2. Testing patches: with snapshots and a virtual environment (or even a hybrid or cloud environment), you can clone a live system into a testbed relatively easily. Gone are the days of drive imaging and system cloning, or having standby hardware in a test environment just because it's identical to production. Now, you can clone a snapshot of a production system, tweak its network and VM configuration to move it over to your test environment, and install and test patches pretty easily.
  3. Installing and rebooting: while systems are patching and rebooting, virtual environment HA configurations can help plug some of the holes of down systems without dealing with operating system clustering technologies directly. Both can be admittedly cumbersome to set up the first time, but virtual HA can save your bacon and minimize impact to your downstream users.


Don't forget your hypervisor!


When it comes to Hyper-V, patching your hypervisor really is all about patching your OS. Tools like Patch Manager are going to make it easy to stay up to date with Windows patches (AND third party patches, too). With Patch Manager on top of WSUS or SCCM, you can make intelligent groupings of systems, both for status and reporting details and for patching.


For vSphere (ESXi)-based systems, patching your hypervisor is a little more complex, and patches have been coming out about monthly. There's actually a handy table of build numbers to patches published in their Knowledgebase that shows the patch history, and VMware has a Patch Portal to help you find and download the updates that apply to you, plus see which KB articles the patches resolve. I'd recommend showing the "Severity", "Category", and "System Impact" columns to help you understand which patches are most critical (keep a keen eye on security updates) and what the impact will be to running systems.





Patching utilities for host<->guest communication is important, too


Within virtual guest systems, there are usually utilities that establish good host to guest (and vice versa) communication. These tools let you perform clean maintenance tasks like shutdown, reboot, and snapshot; provide time synchronization (very useful if you're doing any log analysis, troubleshooting, or anything certificate-based where time can matter a lot); and provide insight into what's on a guest or host OS.


When it comes to VMware Tools specifically, you won't get the tools "for free" when you bring up a clean guest OS until you install them, though thankfully most modern Linux distributions include open-vm-tools by default (or easily added). For those of you tired of this deployment process on Windows, though, we've got good news! Patch Manager now includes VMware Tools packages in our third party update catalog.  With Patch Manager, you can now automatically download and deploy VMware Tools updates just like Windows (and other third party) updates.


For existing Patch Manager customers, you can add the VMware Tools library to your patching catalog by following a few steps:

1. Use the Third Party Updates Configuration Wizard to synchronize available updates from SolarWinds

Administration & Reporting > Software Publishing > Patch Manager Update Configuration Wizard


2. Click "Next" when the Wizard completes to see the full list of available updates from all vendors.

3. Scroll down and make sure "VMware Tools" and "VMware Tools (Upgrade)" are selected from the list of subscriptions.
4. Click "Next" to confirm your package synchronization schedule, then "Finish".
5. To see the available packages and versions, go to Administration and Reporting > Software Publishing, then right-click and select "Refresh". After doing so, you should see "VMware, Inc" appear in the list, along with the respective packages.
6. From here, you can select to publish the packages to your WSUS/SCCM server (click "Publish Packages" on the right). Select x86 if you've got any 32-bit systems out there, otherwise select x64, then click "Next".
7. You'll watch an awesome progress bar for a little bit as it downloads and pushes the packages... then click "Next" to continue.
8. What do you know, more awesome progress bars as it pushes the packages to the Patch Manager server... (there will be two at first as it pushes the files, then one warning you to be patient as it publishes.). Once it's done, you can hit "finish" to finish the publishing step.



9. If you head back up to your Updates view, you'll see the new packages in the list.

Update Services > <your server> > Updates > Third Party Updates (you might have to right click on "Updates" and click "Refresh" first).

10. From here, you can do your standard Patch Manager tasks, such as approving the package for distribution and deciding which systems should receive the package/update. Click "Approve", then click on each group you want to approve it for and click the "Approved for Install" button (in my example, I approved the update for my Servers group), then click OK. You'll see another fancy progress bar while things finish, then confirm.

You can also automatically download and approve future versions with the auto-approval feature that is new in Patch Manager 2.1; our GA blog post has the details on that feature: Announcing General Availability of Patch Manager v2.1 - Automated 3rd Party Patches & More!


What's Next for Patching Virtual Systems?


If you check out the Patch Manager What We're Working On, you'll see specific mention of more features we're looking at adding regarding patching virtual systems - including the automated snapshotting (and potentially reverting) mentioned above.


What big issues do you have with patching virtual systems? What can we do to help?

Since the release of Server & Application Monitor (SAM) 6.2, the team has been busily plugging away on a long list of new features and general product enhancements.  Chief among them are improvements to the aesthetics and overall design of the Orion web interface. While not the primary focus of this blog post, it is near impossible to post screenshots for some of what we've been working on without divulging some sneak peeks into the very early stages of this interface design refresh. A follow-up blog post is currently in the works that will go into detail and explain our multi-phased approach for delivering a fresh, clean, and modernized interface for all products that run atop the Orion platform. Suffice it to say, it is our aim to accelerate overall Orion web interface performance, dramatically improve usability for many of the most common tasks, as well as refine and enhance the product's visual appearance as part of this endeavor. Continue watching the Product Blog for more specifics surrounding the Orion UI redesign, as well as opportunities to provide feedback to members of our user experience team regarding these improvements. Your feedback might just earn you some much deserved Thwack points that can be redeemed for some cool SolarWinds SWAG!


With that prologue out of the way, it's time to run through a few notable new features we've been working on that are sure to put a smile on your face. As always, your feedback on features such as these is essential, and the absolute best time to provide that feedback is during betas. So if you're anything like me and would rather try out the new features yourself than simply read about them, then short-circuit this post entirely and click the big red button below. Otherwise strap in, don your reading glasses (if you need them) and soak in the geek goodness below as I walk through some of the new features planned for this release and expose a few glimpses of the web interface redesign.




Active Directory Discovery

One of the many aspects we wanted to focus our attention on improving within this release is how servers are discovered in SAM. Network subnets, IP address ranges, and lists of individual IP addresses might seem like natural options for those of us who come from a network-centric background. However, for those possibly unfamiliar with the network's design or IP addressing scheme, Active Directory in many instances provides much or all of the information needed about the servers residing on the network.

Active Directory discovery can be added as an additional discovery method to any new or previously existing discovery profile and used in conjunction with the three previously available methods for complete coverage across the environment. 

Similar to the other three methods of discovery, multiple Active Directory domains may be used in the discovery profile. This is especially handy for large organizations that may have multiple domains running in their environment due to mergers and acquisitions, separation of internal business units, or even lab vs. production systems. Also, unlike Active Directory authentication to the Orion web console, there is no requirement for the Orion server to be in the same Active Directory domain as the domain controllers used for discovery.

(Screenshot: Discovery - Add Domain Controller)

Active Directory has the distinct advantage of allowing for more precise and targeted discovery within the environment. Instead of using a very broad discovery technique such as subnets or IP address ranges, you can more surgically discover only those items you wish to monitor, such as servers and/or workstations. This is particularly useful for organizations using class B "/16" (65,534 IP address) or class A "/8" (16,277,214 IP address) subnets, where sequential network scanning techniques may take hours or even days to complete successfully. In environments such as these, much of that IP address space is unused, but it still must be swept to determine which IP addresses are in use and which are not part of the discovery process. Active Directory, however, has a complete database of all hosts on the network which are members of the domain. Leveraging that database allows for a much more rapid scan of servers and workstations running on the network that could be monitored by SAM.

(Screenshot: Discovery - Add Domain Controller)

(Screenshot: Discovery - Select OUs)

Once you've added the Active Directory domain you wish to discover and click "Next" you are shown a complete listing of all Containers and Organizational Units (OUs) in the domain hierarchy. By default all OUs and Containers are selected, including any future Organizational Units that may be created after the discovery profile creation process is complete. Selecting the root level domain object toggles between select/deselect all, and the individual checkboxes on the left allow you to select the specific OUs to include or exclude from this discovery profile. The checkbox to the right of each OU listed designates whether to include any sub-OUs that may be created under that Organizational Unit in the future. For example: you have a root level Organizational Unit named "California" because you have only one office in that region today, located in Los Angeles. Later a new office is brought online in San Francisco. As a result you may decide to create two sub-OUs under California named "LA" and "SF" to manage group policy separately for each of those offices. The "Include Future OUs" option allows for these types of changes to occur within an OU, sub-OU, or domain without the need to update SAM's discovery profiles that are used for recurring nightly scheduled rediscovery of new devices in the environment. If not applicable or desirable in your organization, this option can of course be disabled.
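To make the OU-selection semantics described above concrete, here is an added Python model (not SAM's discovery code) of how a profile's selected OUs and the per-OU "Include Future OUs" flag decide which computer objects fall in scope. The domain, OU names and computer names are constructed for the example; in a real discovery the computer distinguished names would come from an LDAP query against the domain controller.

```python
"""Model of OU-scoped discovery with an "include future sub-OUs" flag.

Added example, not SAM's implementation. It assumes computer objects are
identified by their AD distinguished names (DNs) and that the profile stores,
per selected OU, whether sub-OUs created later should also be in scope.
DNs here contain no escaped commas, which keeps the parsing simple.
"""

# Constructed sample domain: the "California" OU was selected with
# "Include Future OUs" on; "Texas" was selected with it off.
SELECTED_OUS = {
    "OU=California,DC=example,DC=com": True,
    "OU=Texas,DC=example,DC=com": False,
}

# Constructed computer objects. "LA" under California and "Austin" under
# Texas represent sub-OUs created after the discovery profile was saved.
COMPUTERS = [
    "CN=CA-FILE01,OU=California,DC=example,DC=com",
    "CN=LAX-WEB01,OU=LA,OU=California,DC=example,DC=com",
    "CN=TX-DB01,OU=Texas,DC=example,DC=com",
    "CN=AUS-APP01,OU=Austin,OU=Texas,DC=example,DC=com",
    "CN=NY-WEB01,OU=NewYork,DC=example,DC=com",
    "CN=KIOSK01,CN=Computers,DC=example,DC=com",
]


def normalize(dn):
    """AD DNs are case-insensitive; compare them lower-cased and with any
    whitespace after the separating commas removed."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def container_of(dn):
    """Everything after the first RDN: the OU or container holding the object."""
    return normalize(dn).split(",", 1)[1]


def in_scope(computer_dn, selected_ous):
    """A computer is in scope if its immediate container is a selected OU, or
    if a selected OU whose "include future sub-OUs" flag is set is an
    ancestor of that container."""
    container = container_of(computer_dn)
    for ou_dn, include_future_sub_ous in selected_ous.items():
        ou = normalize(ou_dn)
        if container == ou:
            return True  # directly inside a selected OU
        if include_future_sub_ous and container.endswith("," + ou):
            return True  # inside a sub-OU beneath a selected OU
    return False


def scope_discovery(computers, selected_ous):
    """Return the computer DNs the profile would hand to discovery, in order."""
    return [dn for dn in computers if in_scope(dn, selected_ous)]


if __name__ == "__main__":
    for dn in scope_discovery(COMPUTERS, SELECTED_OUS):
        print(dn)
```

Note that the default "Computers" container is a container rather than an OU, so a profile that only selects OUs never picks up machines left there; that is the kind of blind spot the "select all" default in the wizard is meant to avoid.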


Automatic Monitoring

Another primary area we focused on for this release is reducing or outright eliminating the maintenance overhead required to keep SAM up to date as new systems are brought online. Too many of us have been in similar situations where a new critical business system is brought up in the environment, and the first time there's a reported problem or issue with the system there's immediately an exchange of finger pointing amongst the responsible parties attempting to assign blame for why the system wasn't being monitored. As a result, many organizations have implemented rigid policies and processes surrounding the provisioning of new systems in an attempt to mitigate these blind spots on the network. Unfortunately, even the best-laid plans, and those with the best of intentions, aren't immune to human fallibility.


With that in mind we aimed to provide a mechanism that would ensure that as new systems were brought up in the environment that they would be monitored without relying on someone in the organization to manually add them to SAM for monitoring; or dig through the nightly Network Sonar Discovery Results to select which new items should be monitored. If adding individual devices manually is more your speed, or thumbing through the Network Discovery Results is how you enjoy spending your morning "me" time, those options continue to remain intact and unchanged in this release.

(Screenshot: Discovery - Automatic Monitoring)


When selecting "Automatically Monitor" from the "Monitoring Settings" step of the Network Sonar Discovery Wizard, you may continue on by clicking "Next" and accept the recommended defaults (only "Up" interfaces, non-removable media volumes, etc.) or use your own preferences by clicking the "Define Monitoring Settings" button. Clicking this button takes you through a mini-wizard where you are given the ability to define what you'd like automatically monitored should it be found during the Sonar discovery process. These options include, but are not limited to, interface type (trunk, non-trunk), state (up/down/shutdown/etc.) upon discovery, interface name (contains, does not contain), interface description (contains, does not contain), volume type (Fixed Disk, Mount Points, etc.), and AppInsight Applications. Additional steps may appear within the mini-wizard depending upon which Orion modules are also installed alongside SAM.


The next time the Network Sonar Discovery runs, either at the completion of creating the new Discovery Profile or at its next scheduled run, any items found that meet the criteria defined within the profile and are not already monitored in Orion will be automatically monitored by SAM.


For nodes managed via the optional Agent that was included as part of the SAM 6.2 release, these automatically become managed nodes in Orion by default when they first register with the Orion server or additional polling engine using Agent Initiated mode. Monitoring of these hosts however is limited to status, response time, CPU, and memory, without taking some additional step to select the specific items you'd like monitored on those hosts. The new automatic monitoring option shown here allows you to predefine those items just for agent managed nodes, agentlessly managed nodes, or all nodes in the environment depending upon the settings defined within the discovery profile.

(Screenshot: Discovery - Automatic Monitoring - Select Volumes)


There's still more in store for this release, but we are eager and anxious to get your feedback on some of the features already starting to near completion. Please note that the absolute best time to provide feedback is during the beta, as things are still very fluid and there's plenty of time to fix bugs, make adjustments, and alter the design before release. That's right, betas are intended not only as a mechanism for finding bugs, visual defects, or other things broken in the code, but also to address usability issues and design flaws as well. If you are interested in taking SAM 6.3 for a spin and kicking the tires on some of these (and other) features, simply sign up here. The only requirement for participation in the beta is that you own an existing license of Server & Application Monitor which is currently under active maintenance.

We've seen time and again that dividing your security attention between the inside and the outside threat (and unfortunately the blend of both - when an outsider leverages or becomes an insider) is an ongoing challenge. If you check out our last 1-2 years of Federal IT Security Surveys, you'll see the insider is still a pretty big concern that's far less understood and harder to solve (more on that - Internal Federal Cybersecurity Threats Nearly as Prevalent as External, SolarWinds Survey Reveals), spanning everything from training to actual technical controls to the challenges of monitoring. In the interest of giving you a bit of a head start, here's some insight into some ways you can monitor for malicious insiders with Log & Event Manager (LEM).


(Note: Anywhere you see a screenshot below, be sure to click to see a full version - they might look fuzzy otherwise.)

Endpoint Monitoring with File Integrity Monitoring (FIM) and USB-Defender

Out of the box, LEM includes both built-in File Integrity Monitoring (FIM), which can audit file and registry access and changes, and USB-Defender, which monitors USB device access. On systems where you may have potential exposure (think kiosks, systems with access to confidential data, servers, and shared workstations), deploying FIM and USB-Defender will allow you to:

  • Monitor for unexpected copying of files and data to USB devices, which can indicate data is being exfiltrated
  • Detect attempts to bypass application installation and access policies by running applications directly from USB devices, which can put systems at risk
  • Track changes to system settings and files that can indicate unexpected modifications, whether due to malware, policy bypassing, or intentional abuse


Out of the box, you'll want to look at the following LEM content:

  • Default FIM Monitors - the Windows Server template can also be applied to workstations as a place to start

(Screenshot: FIM Monitors)

  • Filters of interest:
    • Endpoint Monitoring > USB-Defender
    • Change Management > USB File Auditing, All File Audit Activity


  • Rules of interest can be found in the categories:
    • Activity Types > USB Device Monitoring, File Auditing


System and Endpoint Monitoring for Authentication and Change Events

Beyond tracking files and USB devices, authentication and change events on servers and workstations alike can offer unique insight into what's happening on the network, and provide critical clues when it comes time to investigate. Windows does not audit at the domain controller the mechanism a user used to log on, or changes made to local system accounts, so without direct insight into the actual workstations and member servers you'll be missing pieces of the puzzle. Deploy agents to all your critical member servers and to that same pool of workstations you need insight into, and start tracking the local Event Logs. With this data, you can see:

  • Users logging on unexpectedly - unused accounts suddenly being used, service accounts being used to access the wrong systems, admin accounts being used incorrectly
  • Remote access - usage of remote desktop vs. interactive logins, access from VPN accounts/addresses, contractors authenticating to unexpected systems
  • Additional users & privileges - users being added to local or domain admins, local users being created
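The three patterns above, turned into detection logic as an added example (not LEM's own rules and not code from the original post). It runs over constructed Windows Security log records; the service-account placement, dormant-account list and admin group names are hypothetical policy data you would maintain yourself.

```python
# Added example: flag the authentication and change events listed above from
# constructed Windows Security log records (not LEM's rule engine).

# Documented LogonType values for event 4624
REMOTE_INTERACTIVE = 10   # Remote Desktop logon
INTERACTIVE = 2           # console logon

# Hypothetical policy data: service accounts and the hosts they belong on,
# accounts with no logon in the last 90 days, and groups that grant admin rights
SERVICE_ACCOUNTS = {"svc-backup": {"FS01"}, "svc-sql": {"DB01"}}
DORMANT_ACCOUNTS = {"jdoe-old"}
ADMIN_GROUPS = {"Administrators", "Domain Admins"}

# Constructed records with the fields an agent reads from the Security log
EVENTS = [
    {"id": 4624, "host": "WS-117", "user": "alice", "logon_type": 10},
    {"id": 4624, "host": "FS01", "user": "svc-backup", "logon_type": 3},
    {"id": 4624, "host": "WS-042", "user": "svc-sql", "logon_type": 2},
    {"id": 4624, "host": "WS-042", "user": "jdoe-old", "logon_type": 2},
    {"id": 4732, "host": "WS-042", "user": "bob",
     "group": "Administrators", "member": "jdoe-old"},
    {"id": 4720, "host": "WS-042", "user": "bob", "new_account": "helpdesk2"},
]


def detect(events):
    """Return (rule_name, host, detail) tuples for the patterns described above."""
    findings = []
    for e in events:
        if e["id"] == 4624:  # successful logon
            user, host, lt = e["user"], e["host"], e["logon_type"]
            if lt == REMOTE_INTERACTIVE:
                findings.append(("remote_desktop_logon", host, user))
            if user in SERVICE_ACCOUNTS and host not in SERVICE_ACCOUNTS[user]:
                findings.append(("service_account_wrong_host", host, user))
            if user in SERVICE_ACCOUNTS and lt in (INTERACTIVE, REMOTE_INTERACTIVE):
                findings.append(("service_account_interactive", host, user))
            if user in DORMANT_ACCOUNTS:
                findings.append(("dormant_account_used", host, user))
        elif e["id"] in (4728, 4732) and e["group"] in ADMIN_GROUPS:
            # 4732: member added to a local group; 4728: to a global group
            findings.append(("admin_group_member_added", e["host"],
                             f"{e['member']} by {e['user']}"))
        elif e["id"] == 4720:  # user account created
            findings.append(("local_user_created", e["host"],
                             f"{e['new_account']} by {e['user']}"))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```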


Out of the box, you'll want to look for the following LEM content:

  • Filters of interest in these categories:
    • Change Management
    • Authentication
    • Endpoint Monitoring


  • Rules of interest in the following categories:
    • Change Management
    • Authentication
    • Activity Types > Inappropriate Usage


Network Device Traffic Monitoring

If we move off of the systems themselves, we should also be able to detect behavior patterns that look abnormal using network traffic events. Sometimes putting agents on all workstations is infeasible, not to mention accounting for transient or new devices, and BYOD if you've got that in the mix as well. Collect log activity from every device you can that observes traffic patterns and connectivity: IDS/IPS, firewalls, wireless APs/WLAN controllers, routers, switches, VPNs, etc. With network traffic data, we can look for:

  • If you've got a proxy or similar policy in place, users attempting to bypass proxy policies with direct communication on port 80 (i.e. network traffic that's not outbound from your proxy server)
  • Network traffic to/from unexpected hosts or ports - your servers/workstations will generally communicate with a smaller subset of known hosts; traffic outside of this pattern would be unexpected
  • Excessive network traffic - sometimes traffic patterns can become clear without utilizing netflow or deep packet inspection based on sheer event numbers, types, or behavior patterns alone


Out of the box, you'll want to look for the following LEM content:

  • Filters of interest:
    • Start from the out of the box filters in IT Operations and Security and build from them, especially the traffic filters


  • Rules of interest in the following categories:
    • Activity Types > Network
    • Devices > Firewalls



Check out our thwackCamp session on using firewall log data, too - thwackCamp 2015 - Digging for Security Gold: Using Firewall Logs to Find Security Issues.

Traditional Malware and Security Event Detection

You can definitely put your existing investments in pure security technology to work for you here, too. The name of the game is defense in depth, and while traditional malware detection, IDS and IPS, and other tools might not be enough alone, each one of them can play an important part in helping detect potential abuse or in piecing together fingerprints during an investigation. Infected endpoints are a gateway to the interior of the network, and most of us are not victims of zero-days but rather of some combination of existing malware and other techniques, which gives us a good chance of detecting it somewhere along the way. With these feeds, you'll see things like:

  • Antivirus/anti-malware technology cleaning or having trouble cleaning potential infections
  • IDS and IPS systems detecting potentially unwanted payloads or symptoms of infections or even exfiltration
  • Triggers from any other security systems you've got that generate event streams - wireless security, data leak prevention, etc.
  • System errors and crash reports - malware can cause resource leaks or otherwise affect the system in unexpected ways


Out of the box, you'll want to look for the following LEM content:

  • Filters of interest include:
    • Security > Virus Attacks, IDS
    • IT Operations > Windows Error Events


  • Rules of interest in the following categories:
    • Security > Malware
    • Devices > IDS and IPS (and related device types for your systems)


Threat Intelligence and Dynamic Feeds to Detect Malicious Traffic

Thinking forward, if you've seen our LEM What We're Working on page, you'll note we're talking a little bit about Threat Intelligence Feeds. We're working on adding the capability for LEM to dynamically download a list of known bad actors - potentially infected hosts, botnets, command and control networks, spammers, and general IPs up to no good - and automatically use that to detect communication on your network. This will be a really good way to see:

  • When someone internal is communicating with a potentially malicious host, which can indicate they've already been infected
  • When you're being probed, attacked, or otherwise communicated with externally by a potentially malicious host, which can indicate an incoming attempt
  • Communication to/from spam, denial of service, or similar hosts that can indicate phishing attempts, zombies on your network, or other security issues


Watch for more on that here - when we've got more to discuss we'll update this post with how to use it to detect malicious insiders more specifically.


Manually, you can create and import lists of potentially unwanted IPs and ports and compare those to traffic as well. If you've got a list of known-good ports that should be used to communicate on your network (especially inside to outside), or known applications if you're using Next-Gen firewalls, or known IP addresses when we're talking servers and controlled communication, build User-Defined Groups and rules/filters that compare traffic against them.
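An added example, not code from the original post or from LEM, that applies the comparisons described in the network traffic section above and in this paragraph to constructed firewall connection events: direct port-80 egress that bypasses the proxy, egress on ports outside a known-good list (the User-Defined Group idea), and matches against a list of known bad IPs (the threat-list idea). The proxy address, internal range, port list and bad-IP list are assumed values.

```python
# Added example: compare constructed firewall connection events against an
# internal range, a proxy address, a known-good egress port list and a list of
# known bad IPs. All addresses are from documentation ranges (constructed data).
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
PROXY_HOSTS = {"10.0.1.5"}                          # assumed web proxy
KNOWN_GOOD_EGRESS_PORTS = {53, 123, 443}            # inside-to-outside allow list
KNOWN_BAD_IPS = {"203.0.113.77", "198.51.100.9"}    # constructed threat list

# Constructed syslog-style firewall lines: src dst dport action
LOG_LINES = [
    "2015-06-01T10:00:01 FW01 conn src=10.0.1.5 dst=192.0.2.10 dport=80 action=allow",
    "2015-06-01T10:00:02 FW01 conn src=10.0.5.23 dst=192.0.2.10 dport=80 action=allow",
    "2015-06-01T10:00:03 FW01 conn src=10.0.5.23 dst=203.0.113.77 dport=443 action=allow",
    "2015-06-01T10:00:04 FW01 conn src=198.51.100.9 dst=10.0.2.10 dport=22 action=deny",
    "2015-06-01T10:00:05 FW01 conn src=10.0.7.8 dst=192.0.2.44 dport=6667 action=allow",
    "2015-06-01T10:00:06 FW01 conn src=10.0.7.8 dst=10.0.2.10 dport=445 action=allow",
]


def parse(line):
    """Pull the key=value fields out of one connection log line."""
    fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
    return {"src": ipaddress.ip_address(fields["src"]),
            "dst": ipaddress.ip_address(fields["dst"]),
            "dport": int(fields["dport"]), "action": fields["action"]}


def analyze(lines):
    """Return (rule_name, source, detail) findings for the lines given."""
    findings = []
    for line in lines:
        ev = parse(line)
        src, dst, port = ev["src"], ev["dst"], ev["dport"]
        outbound = src in INTERNAL_NET and dst not in INTERNAL_NET
        via_proxy = str(src) in PROXY_HOSTS
        if outbound and port == 80 and not via_proxy:
            # web traffic that did not originate from the proxy
            findings.append(("proxy_bypass", str(src), str(dst)))
        elif outbound and not via_proxy and port not in KNOWN_GOOD_EGRESS_PORTS:
            findings.append(("unexpected_egress_port", str(src), f"{dst}:{port}"))
        if str(dst) in KNOWN_BAD_IPS:
            findings.append(("outbound_to_threat_list", str(src), str(dst)))
        if str(src) in KNOWN_BAD_IPS:
            findings.append(("inbound_from_threat_list", str(src), f"{dst}:{port}"))
    return findings


if __name__ == "__main__":
    for finding in analyze(LOG_LINES):
        print(finding)
```

Denied inbound connections from listed hosts are still reported, since a probe that the firewall blocked is exactly the "being probed" signal the threat-feed section describes.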

What About Other SolarWinds Products? How Can They Help, Too?

Sure! Here are some ideas on using other products to help you detect potential malicious behavior internally:

  • Network Performance Monitor: monitor for unexpected firewall/network performance issues and high bandwidth utilization that can indicate an outbreak or single host is infected
  • Netflow Traffic Analyzer: building on the above unknown traffic patterns, look for possible unexpected hosts, ports, or communication patterns that might give you an idea something is wrong
  • User Device Tracker: useful when tracking and potentially detecting issues at endpoints - the "who" to go with the "where"
  • Server & Application Monitor and even Virtualization Manager: look for systems & applications performing unexpectedly or becoming unstable, these can be early warnings for security issues, too
  • Database Performance Analyzer: building on that, look for batch transactions, long-running queries, and sudden performance issues, identify their sources
  • Network Configuration Manager and Firewall Security Manager: as always, cover your bases with configuration first!
  • Patch Manager: track systems out of compliance with patching policies, out of date systems are MUCH more likely to be victims of malware and other security issues


Feel free to let us know if you've got any content you're interested in seeing around detecting malicious insiders, any ideas or successful stories yourselves, or any other questions we can help with in the comments!

We are happy to announce that version 7.4 of SolarWinds Network Configuration Manager ships the DISA STIG, NIST FISMA, and PCI DSS compliance reports out of the box. Wait -- that's not all! For DISA STIGs, we now support Brocade, Dell, Cisco, Juniper, and Palo Alto. The NIST FISMA and PCI reports have been developed for Cisco.

Simply select any of these new report(s) that you wish to run and “enable” them by following the steps outlined below.


Corresponding instructions for older versions of NCM can be found here: DISA STIG Resources for SolarWinds NCM (Now also for Juniper!). Also, don't miss a similar post for LEM: DISA STIG Compliance with Log & Event Manager.


How to enable the new compliance checks


  1. Enter the compliance management interface: Configs tab / Compliance view / Manage Policy Reports.


  2. Select the reports you are interested in and enable them.


  3. Update the reports.


  4. Compliance status of your network is ready!


Further recommendations

  • Make sure the reports you are interested in are displayed in the Policy Violations summary resource. (Policy Violations resource / Edit)

    (Screenshots: Edit Violations Resource; Violations Resource)

  • Customize the violation severity labels to match your needs. (Settings / NCM Settings / Manage Violation Levels)

    (Screenshots: Manage Violation Levels; Violations Resource with CAT levels)

  • Look for Cisco firmware vulnerabilities.
    If network security is a concern in your organization, you should definitely use this new capability of NCM -- run a nightly vulnerability assessment based on recent CVE data provided by the National Vulnerability Database (NVD, by NIST). NCM will download and process the CVE data in a SCAP-compatible way, notify you of potential vulnerabilities, provide detailed information, and let you take appropriate action. This security scan works even if your NCM server is not connected to the Internet -- you just have to download the data files manually.

    Wait for the nightly update or force the scan manually in Settings / NCM Settings / Firmware Vulnerability Settings / Run Now.
    (See the NCM 7.4 RC blog post referenced below for more screenshots and details.)


  • Check other new features of NCM 7.4
    All details are available here: Network Configuration Manager v7.4 Release Candidate is Available!
    Quick start:



  • Please note that the US Army has granted a Certificate of Networthiness (CoN) to NCM v6.0 (CERT-201109082). A CoN has also been granted to NPM, SAM (APM), NTA and Engineer's Toolset.
  • The following SolarWinds products are Common Criteria EAL 2 certified by the NIAP: NPM, SAM (APM), IPAM, NTA, VNQM, NCM, EOC. Our Validation ID is 10453.
  • You can also find Federal Information Security Management Act (FISMA) / NIST reports for NCM 6.1, on (same installation procedure applies)
  • Did you know that Gartner positions NCM in their research “MarketScope for Network Configuration and Change Management”, Deb Curtis, David Williams, 31 March 2010, ID Number: G00175140, as follows:
    • NCM is the most widely deployed of the products meeting Gartner’s criteria for evaluation (except CiscoWorks)
    • NCM is rated in the top tier (Positive / Strong positive) with the “Big-4”
  • A reference to SolarWinds (NPM) in the SIGNAL Online article “Marines Revolutionize Network In Southwest Afghanistan”.

I am happy to announce General Availability (GA) of SolarWinds Network Configuration Manager (NCM) v7.4. This version includes the following new features and improvements:


  • Cisco IOS and ASA Vulnerability Reporting
    NCM uses Cisco IOS and ASA firmware and configuration vulnerability data from the National Vulnerability Database to record which nodes in NCM are vulnerable. This information is available in a new Firmware Vulnerability resource and as a report.
  • NCM Entirely Web-based
    The NCM desktop application is no longer available and all functionality has migrated to the SolarWinds Orion Web Console.
  • New Compliance Reports
    • You can run over 60 Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) policy reports, preconfigured with the necessary rules and policies.
    • You can run National Institute of Standards and Technology Federal Information Security Management Act (NIST FISMA) and Payment Card Industry Data Security Standard (PCI DSS) reports.
  • Device Template Wizard
    • Create and edit device templates using the new, web-based Device Template Wizard in the SolarWinds Orion Web Console.
    • All templates from previous versions of NCM are migrated to the SolarWinds Orion database during an upgrade.
    • Access templates that other SolarWinds users share through thwack directly in Device Template Management.
  • Enhanced Change Approval Workflow
    The NCM approval system allows three different workflows:
    • Use a one-tier approval workflow to submit configuration changes to an NCM administrator.
    • Use a non-privileged, two-tier approval workflow to require non-privileged users (any user with the WebUploader role) to submit configuration changes to two different approval groups.
    • Use an inclusive, two-tier approval workflow to require all users to submit configuration changes to two different approval groups.
  • Web-based Reports
    • Create and edit reports using new, web-based reports.
    • NCM now uses Orion Platform reports (HOME > Reports) instead of the NCM reporting pages (CONFIGS > Reports).
    • Previous reports are not migrated to the web-based reports system and can no longer be edited after an upgrade.
    • Schedule reports with the Orion Report Schedulers instead of the NCM Run Report job.
  • Policy Violation Remediation
    You can automatically remediate violations in a device configuration on multiple nodes using a script.
  • Web-based Alerts
    • Create and manage alerts using the web-based alerting engine.
    • Alerts created using the desktop-based alerting engine are automatically migrated to the web-based alerting engine.


More details can be found in the Release Notes and in the RC blog post: Network Configuration Manager v7.4 Release Candidate is Available!
