10 Replies Latest reply on Jun 14, 2012 10:45 AM by phil3

    LEM Documentation?

    byrona

      I am new to LEM which seems to have a bit of a steep learning curve.  I have watched the videos and gone through parts of the Administrators guide but am still having trouble understanding several aspects of the product such as the following...

       

      • Advanced LEM architecture for long term retention of Syslog data
        • Setting up a separate LEM syslog server
        • Setting up a separate LEM database server
      • How to tell what the different tools/connectors are actually watching for
      • How to tell what different alerts do
        • Many of the Alerts that can be used in the Correlations section of the rules are not clear to me as to what they are looking for
          • For example, I can put TCPPortScan as a Correlation for a rule, but I have no idea how to tell what will actually match this or what it's looking for
      • How to make any syslogs that are forwarded to LEM viewable and searchable in the LEM dashboard

       

      I imagine this stuff is documented and I just haven't found it yet; however, I have a very short period of time to come up to speed and evaluate the product for a possible service offering that our company is putting together for Log management so any help would be much appreciated!

       

      P.S.  If the service offering comes together as we would like I imagine we could be purchasing a lot of LEM in the future. 

        • Re: LEM Documentation?
          phil3

          Hi, byrona.

           

          First, let me say that we are still in the process of updating and enhancing the LEM documentation, so much of the documentation you're looking for today will be available in the future if it's not already. That said, here's what I can say about each of your questions:

           

          Setting up additional appliances

          Currently, this is something that requires assistance from Support. The good news is that we've been working for a while now to reduce that load on Support, so there's a good chance functionality like this will be made accessible to customers in a later release. For example, with the most recent release, we enabled customers to migrate and resize their LEM appliances themselves, where before those processes required Support intervention.

           

          Getting to know connectors

          This is tricky because the connector templates are only stored on the appliance and not (that I know of) available to customers. Sometimes a knowledge base article about a connector specifies what it looks for, but most often the name of the connector is where you'll find the most information. If you have specific questions about a connector or product you're trying to integrate, search for it in our KB, and then contact Support or Sales (as appropriate) if you can't find what you need.

           

          Getting to know alerts

          I can recommend two documentation sources for this: 1. Appendix B in the User Guide, which defines all available alert types; and 2. The LEM Filters & Alerts Technical Reference.

          Regarding the TCPPortScan example you provided, that alert is generated by a pre-built LEM rule, and you can identify the source for that and similarly-generated alerts in the InferenceRule field in the Alert Details. In this instance, the rule is TCPTrafficAudit with possible TCP PortScan Inference. If you want to customize if/when these alerts show up, go to the rule that generates the alert and either disable or customize it. If you choose to customize the rule, disable the pre-built rule, and then clone/customize it as described in the following article: SolarWinds Knowledge Base :: Cloning, Enabling, and Activating NATO5 Rules.

           

          Getting syslog to show up in the LEM console

          If I understand what you're looking for here, you'll need two things: 1. The appropriate connector; and 2. nDepth. You'll configure the connector on the appliance based on the device that's logging to it to normalize the syslog, and then you'll use nDepth to search the LEM database. The main dashboard you see on the Ops Center tab does not currently support search; it just shows graphs related to the filters you have set up on the Monitor tab. All three areas (nDepth, Ops Center, and Monitor) display the same data -- the differences are how the data is displayed and whether or not that data is current or historical.

           

          Let me know if you have any other questions.

           

          Thanks.

           

          Phil

            • Re: LEM Documentation?
              byrona

              Firstly I want to say that I am glad to hear you are working on putting together more and better documentation.

               

              After posting this I did check out the LEM Filters & Alerts Technical Reference and thought it was very helpful, keep this kind of product documentation coming!

               

              Getting syslog to show up in the LEM console

              If I understand what you're looking for here, you'll need two things: 1. The appropriate connector; and 2. nDepth. You'll configure the connector on the appliance based on the device that's logging to it to normalize the syslog, and then you'll use nDepth to search the LEM database. The main dashboard you see on the Ops Center tab does not currently support search; it just shows graphs related to the filters you have set up on the Monitor tab. All three areas (nDepth, Ops Center, and Monitor) display the same data -- the differences are how the data is displayed and whether or not that data is current or historical.

               

              My understanding is connectors look for specific syslog messages (typically change- or security-related events) that have been sent to the LEM system.  I was hoping for a way to display all of the raw syslog messages in some sort of searchable view like nDepth. Is this possible?

               

              One other silly question; what does "NATO5" mean?

               

              The product clearly has a steep learning curve (and I may also be a bit slow); however, I like what I see thus far and just want to know all the details as we move forward developing a possible service with this product at the center.  Ultimately it sounds like I should work with my sales rep to schedule some time with one of your solutions engineers to go through a "soup to nuts" demonstration/explanation of the product and its full capabilities.

               

              Thanks again for your responses!

            • Re: LEM Documentation?
              byrona

              Thanks for the additional info. Now that I know what NATO5 means it makes a lot more sense... I like it.

               

              Just wanted to circle back on the connectors bit for one sec...

              Getting to know connectors

              This is tricky because the connector templates are only stored on the appliance and not (that I know of) available to customers. Sometimes a knowledge base article about a connector specifies what it looks for, but most often the name of the connector is where you'll find the most information. If you have specific questions about a connector or product you're trying to integrate, search for it in our KB, and then contact Support or Sales (as appropriate) if you can't find what you need.

               

              How are other customers successfully using the connectors if they don't have a good way to tell what they are actually doing?  I am really struggling with how to handle this and would really like some pointers and to know how others handle this lack of clarity.

                • Re: LEM Documentation?
                  phil3

                  I hope some customers will chime in here with their experiences, but I'd just like to offer that the process looks something like this:

                   

                  1. Decide what you want to monitor with LEM. For example, let's say a Cisco PIX firewall.
                  2. Configure the firewall to syslog to LEM.
                  3. Open the LEM console and go to Manage > Appliances.
                  4. Click the gear button next to your appliance and then select Tools (that's what we used to call connectors).
                  5. In the search box on the left, enter PIX.
                  6. In the right pane, click the gear button next to the Cisco PIX and IOS connector, and then select New.
                  7. Enter a custom name for the connector in the Alias field, or accept the default. If you want the traffic to show up in the default Firewall filter, make sure "firewall" is in the alias.
                  8. Click Save.
                  9. Back at the list of connectors, click the gear button next to the new connector, and then select Start.
                  10. Click Close to exit the configuration window.

                   

                  So the take-away is that you configure connectors according to what you have and what we support. After the device is logging to LEM and the connector is set up, you'll start seeing normalized traffic from the device in your filters immediately. If you find something is missing or inaccurate in the alerts, contact Support and we'll forward your feedback to our Connectors team. In the past, TriGeo focused solely on security events, so some of our connectors may still have that narrow a scope; however, as colby mentioned in a recent blog post, we're moving more into the operations realm with every release, so you're likely to see this changing as LEM matures.

                   

                  Here's a link to a KB article that discusses this Cisco example in a little more detail: SolarWinds Knowledge Base :: Integrating Cisco PIX and Cisco ASA Firewalls with SolarWinds LEM.

                   

                  Here's a link to a web page that lists all of the third-party products we currently support: http://www.solarwinds.com/log-event-manager/log-data-sources.aspx.

                   

                  I hope this helps.

                   

                  Phil

                    • Re: LEM Documentation?
                      byrona

                      Thanks, this helps provide a framework for me to follow and I would still love to hear from others as well.

                       

                      The same goes for alerts: I would love to know how people decide which correlations to use when it's not necessarily clear what they are looking for.