New to SEM, need some guidance.

Hello all!

Our organization has currently decided to go ahead and set up SEM in order to increase our log visibility and take advantage of what the solution offers. Please do bear with me as I am very much entry-level in the security field and have limited experience in this realm. However, our small IT Department has given me the task of setting up and configuring SEM, which is a responsibility I look forward to in terms of learning and developing my knowledge base.

So far, I've gotten all of our Nodes established and they do appear to be all sending in their logs (thousands of them), which at least tells me that we're off to a good start. However, I am also trying to forward Syslog stuff from Cisco Meraki and SentinelOne. I've configured both on their end but am unsure if SolarWinds is picking them up (hard to tell in the thousands of logs). I also haven't quite yet messed around with the connectors. I suppose my goal in this area is to get an idea of how I should go about cleaning up some of this traffic and building a foundation on the platform. Additionally, I was hoping to find a way to essentially organize the logs that would come from Meraki and SentinelOne into their own 'Node' or Category as well, if that is possible. So hopefully someone can educate me a bit on where to go from here. I am continuing to utilize the documentation but find myself scratching my head at times.

I do notice that most of the logs are all within Syslog local0 as well, which I'm uncertain should be the case given the many nodes we have, alongside the syslogs I am trying to pull from Meraki and SentinelOne.

It's worth noting that other things are working well. The rules I've made work well, our LDAP config is set up and directory service groups are imported. I am just looking to clean up our mass ingestion of logs and ensure it is all configured correctly.

Thanks

Reply
  • When setting up the connection you must make sure the right path is set.

    /var/log/local0.log (default)

    This is the path in SolarWinds, not the endpoint where the logs are being received. If it is set to a different log, you must change it accordingly so it parses.

    If you SSH to SEM and look under appliance, then check logs, you will see all the locations where logs can be sent in SEM. Make sure you have the right folder configured to receive logs.
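Once you know which file SEM is reading (the reply above points at /var/log/local0.log by default), a quick way to confirm that a new forwarder such as Meraki or SentinelOne is actually landing in it is to count lines per sending host. The script below is an added example, not from the thread or from SolarWinds; it assumes the standard BSD syslog line layout ("Mon DD HH:MM:SS host tag: msg") and uses constructed sample lines in place of the real file, so adjust the host field index if the layout on your appliance differs.

```shell
#!/bin/sh
# Added example (not from the thread): count syslog lines per sending host in a
# file such as /var/log/local0.log, to confirm a newly configured source
# (e.g. a Meraki or SentinelOne forwarder) is really arriving in that file.
# Assumption: standard BSD syslog layout "Mon DD HH:MM:SS host tag: msg",
# so the sending host is whitespace-separated field 4.

# Constructed sample lines standing in for /var/log/local0.log
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
May  3 10:01:02 fileserver01 sshd[1234]: Accepted publickey for admin from 10.0.0.5
May  3 10:01:05 meraki-mx01 urls: src=10.0.1.12 dst=93.184.216.34 request: GET https://example.com/
May  3 10:01:09 fileserver01 sshd[1234]: session opened for user admin
May  3 10:01:11 sentinelone-mgmt threat: agent=wkst-17 status=mitigated
May  3 10:01:15 meraki-mx01 events: type=vpn_connectivity_change
EOF

# count_from_host FILE HOST -> number of lines whose syslog host field is HOST
# (prints 0 when the host never appears, which is the "not arriving" signal)
count_from_host() {
    awk -v h="$2" '$4 == h { n++ } END { print n + 0 }' "$1"
}

# hosts_seen FILE -> unique sending hosts, one per line, sorted
hosts_seen() {
    awk '{ print $4 }' "$1" | sort -u
}

echo "Hosts seen in $SAMPLE_LOG:"
hosts_seen "$SAMPLE_LOG"
for h in meraki-mx01 sentinelone-mgmt missing-forwarder; do
    echo "$h: $(count_from_host "$SAMPLE_LOG" "$h") line(s)"
done
```

Run it against the real file (`count_from_host /var/log/local0.log meraki-mx01`) after the forwarder has been sending for a few minutes; a count of 0 means the device is not reaching the file SEM is configured to parse.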
