What We're Working On - Security Event Manager (Updated Nov 7th 2019)

Now that SEM 2019.4 has shipped, we are already working hard on the next release. You can now perform most of the common SEM tasks within our HTML5 interface, including log filtering, searching, visualization, export and correlation rules, but we're by no means done yet. There is still valuable functionality within the Flash console which we are working hard to migrate to the new UI. Here's what we're working on, in no particular order:

  • Refine Fields: Summarise search results based on fields such as event name, IP address, hostname and username.
  • Histogram: Visualize log volume, search results and refine time frames via an interactive chart.
  • Scheduled Search: Save, load and schedule your most commonly used searches.
  • Connector Profiles: Maintain SEM agents that share a common connector configuration within the HTML5 UI.
  • Office 365 Events: Support for Office 365 audit logs from sources including Azure Active Directory, Exchange Online and SharePoint Online.
  • OS Upgrade: Keep SEM's underlying OS up to date to ensure it's as secure and performant as possible.

I hope you’ll be happy with the direction we are going, especially with our HTML5 migration. We are actively looking for existing customers to give feedback. If you are interested, we’d love to hear from you!

Be sure to let us know here, and in the Security Event Manager Feature Requests forum if there are features you're really keen on. This list doesn't enumerate a lot of the features we're looking into for long term development and further releases, but we continually use Thwack as our biggest source of feedback.

Comments

As has been mentioned in the LEM forum, please move away from Flash and to something like HTML5. Flash is severely insecure, bloated and slow.

I would love to see an updated road-map since 6.2 has been released.  While I love working with LEM we are in the process of re-evaluating our InfoSec road-map and I am not sure how well LEM is going to fit in going forward.  I would love to see the road-map to help with these decisions; thanks!

All,

Please, please, work on a better reporting mechanism. Clients have wanted to use the reserved tab in the console or enhanced functionality from nDepth and move away from the current external Report Application.

Best Regards,

Derik Pfeffer

Loop1 Systems: SolarWinds Training and Professional Services

Hear hear. I still can't get the Reporting application to work. (Error -214xxxxxxx)

derik.pfeffer‌ I can't agree more.  I opened a feature request for that HERE for anybody interested in promoting it.

Same here... all kinds of errors from the Reporting console. If you get it figured out, please let me know!

Yea no doubt. I keep getting this error overnight, and see it when I get back in the office. Any ideas?

[image: Exception Error Screenshot.jpg]

Any help is appreciated!

I haven't received that one in particular. I did work with tech support on another issue and asked about it on the side... they had me reinstall and it worked afterwards, but as soon as I closed out and re-opened it I started getting the error again. Uninstall/reinstall fixes it, but it's a one-time shot. The error I'm getting is:

[image: Capture.PNG]

I get this one, slightly different, but still completely unusable.

[image: pastedImage_0.png]

Did you just install the Reports application?

No. I worked on installing it for an hour or so several weeks ago... getting Crystal installed, installing reports only to find out that it had to be installed under my admin account, trying to run it only to find that it had to be run under my admin account, getting the error I posted, trying various and sundry workarounds.

I think I was getting a similar error when installing it and attempting to connect to the appliance. My fix was that the Reports application tried to connect to the default hostname of the appliance (swi-lem), when I actually have to use the IP of the appliance to connect, as I changed the hostname and it wouldn't connect to what I changed it to. Not sure if this helps at all, but I had to reconfigure the Reports app to connect to the IP, not the hostname (manager name).

- Swift

Holy shnikies, it worked... !

YAY!!!!! Now if somebody could give me a fix for mine that'd be great! lol.

I'd strongly recommend opening a support ticket, they should be able to assist you with fixing this issue.

Regarding the 12/3 update post... #3 most requested Feature Request is

Where is this on the roadmap?

We are actually in the process of evaluating SIEM systems to decide on what our Next-Gen SIEM will be for the security platform we are creating.  I think LEM is a great product and has a great framework to carry it into the future; however, when comparing it to some of the more robust products on the market I feel like it needs to improve in the following areas:

  • More flexible log ingestion
    • Include a universal log connector
  • Anomaly detection engine to alleviate the need for so many manually managed rules
  • Faster searches
  • Location/Region based data
  • Netflow/Flow data
    • There is a ton of good security information to be gleaned here
  • More threat feed capabilities
  • Better high level dashboards that highlight threats with quick and easy drill down to source data

VERY much looking forward to: Connector building, generic connectors, and general data integration (Build Your Own Syslog Connectors, among others)

We need this very badly ASAP.

It has recently come to my attention as we use LEM more and more that the FIM component doesn't support exclusions.  With that being said I have opened a feature request for FIM File Exclusions and would love to see that considered.

Yes, PLEASE. LEM is painfully slow. We do not have a large system or dataset, but it takes seconds for the GUI to respond to each click. I like the product, but am looking for other solutions that have a usable GUI. Please find another interface, Flash is just bad for so many reasons.

How about node identification using a static parameter like device name or appliance key, as IP address based detection doesn't help in a dynamic scenario of DHCP/PPPoE. It would be great if this can be taken care of in the roadmap. If it's already supported, do let me know how it can be done.

Now that 6.3 has released I would love to see an update to the roadmap!

My wishlist ....

1. Make the LEM OPs Center widgets available in Orion. This would be huge.

2. The ability to report from Orion as well. The reporting in LEM leaves a lot to be desired.

3. A more automated way to deploy agents. Would love a way to perform a sweep of a network and deploy agents automatically.

The one thing I would like to add to my wish list above would be

#1 MASSIVELY agree: 

#2 I'll take any improvement....  


I'll add Log retention control: 

plus better/easier alerting....  not sure how but my little pea brain always has a hard time creating alerts...   DOH!

To add to #1, We have a dashboard in Orion for the security team.....  they are begging me to get some of the LEM data in that dashboard.

Plus some of these graphs tell a great story for the exec's....

How about   ?

Short but Sweet! We realize that you guys inherited the Flash interface. It had to be a huge undertaking to move away from it. Thanks for allowing us to be so vocal in its development.

Daniel Bryan: YES! YES! YES! - YouTube

I think the new items on the roadmap are great; however, the one thing that is right up there that is killing our ability to fully utilize this SIEM solution is the inability to create our own connectors.  I can't keep telling clients that we can't support their logs because they are not on the "supported list" for LEM.  I fear that at some point we are going to have to move to a new solution if this doesn't change.

Also, THIS seems like a simple basic request; let me exclude items in the FIM rules.

Uninstall the Log and Event Manager Reports and Crystal software, then delete the Program Files (x86) directory for both pieces of software. Then go to the link below, download both, and run both as Administrator by right-clicking on them.

Additional LEM downloads for version 6.3 - SolarWinds Worldwide, LLC. Help and Support

An integrated report engine instead of a standalone Crystal Reports client would be awesome. Being able to create reports on the fly within the web UI would make LEM more compliance friendly. Other SIEMs like LogRhythm have this feature already.

There is a feature request for that HERE, go vote for it if you haven't already. 

Doesn't seem to be monitored, but is there ANY update from Solar Winds for the removal of Flash?  Really need Flash to die (2 years and counting).

At Feature request you say you are working on support for SQL 2016 and 2017 for auditing. Can you tell us when this might be in a beta/release stage?

My LEM clients are excited to see FLASH go away! Can't wait for the change.

Hi,

Are there any updates on the product? Could we expect a new version in 2018?

- better Reporting engine / Orion engine ?

- no more Flash

- connector creation available on customer side

Cheers

We gave up and went to another product. The Please Move Away From Flash idea was created almost 5 YEARS ago and is still vaporware.

Unfortunately, we are about ready to cut LEM loose and move to something else as well. The same question has been asked more than a few times and there is no response from SW. Other products seem to have quite a bit of development. LEM seems to be a second thought. Too bad really.

Hi All, apologies for the lack of communication with regards to the next LEM release. I can assure you that the contents of the What We're Working On post are accurate and we are working on the HTML5 Events Console, Debian Upgrade, increased storage limit and improved SMB support. I'll be able to share more information soon - thank you all for your patience.

LEM 6.4.0 is out today with the updates that jhynds​ mentioned (Debian OS update, removal of 2TB limit, improved SMB support, and they made the first step away from Flash with the HTML5 Event Viewer console)

Thanks kellytice​ for the update!  At this point do you know if LEM is supported in Azure?

As far as I am aware, nothing's changed in that regard.
I've heard tell of some people running it in such environments as AWS or Azure with some success, but it seems it would still be unsupported in such an environment.

We are currently working on support for LEM deployment in Azure.

I saw and voted on the banners needed everywhere.  This is a DoD requirement that we need a banner on every access point to the LEM that we can customize as needed to say what our customer requires.

Also the VM Console interface should have at least a username and password or CAC if possible to make changes.

Thank You

I just got LEM1000 and I hope it was the right choice after touting SW for so many years... it sounds great but I'm already running into some issues like how to set up logging on Linux and Solaris so the agent picks them up correctly. I had previously had a custom script cron job way of logging for Linux and Solaris to our NetApp filer but now need to put it back to normal so I can use the agents. I had thought that using the agents would be the easiest part... I suppose I just need the logs in the path the connector expects them to be and hopefully it will start working.

Also I agree with sosborne99​ we need the ability to put banners on the login page.

ecklerwr1​ I certainly hope you confirmed that LEM supports all of your devices/vendors before you purchased it. While I absolutely loved the LEM product, I found the most limiting part of it was that if they didn't support a device/vendor it didn't give me any option but to find a different solution. They REALLY need to make the product more flexible so that it supports other stuff, even if it's at a diminished level.

I can probably live without the NetApp being in LEM and I do have SRM now in my Orion environment. So far I like some of the things with LEM a lot. Since this is on one of my smaller networks (less than 1000 nodes) I think it may work well. I really like the USB Defender part of the product and the Windows agents seem to have installed with relative ease using the remote agent installer. My Linux and Solaris agents also installed easily but now I need to change my Linux and Solaris so they log the traditional way again so the agents pick up the correct log files to monitor. I currently have a cron job and logs going to a NetApp for parsing. I'll get there I think... it's a big undertaking bringing in LEM for the first time. I appreciate your comments.

Version history: Revision 1 of 1. Last update: 04-01-2015 12:51 PM