7 Replies Latest reply on Jun 11, 2014 12:07 PM by unodostres

    LEM 6.0 RC - NOTES & INFO

    cobrien

      As mentioned in the Product Blog post, the LEM 6.0 Release Candidate is up on the portal. Check out that post if you'd like to see some screenshots.

      WHAT'S NEW IN LEM 6.0

      • File Integrity Monitoring for Windows
        • Real-time monitoring of your files and folders including file reads, writes, deletes, permissions changes, and more
        • Real-time monitoring of your registry settings including key and value creates and deletes
        • A simple, intuitive interface that allows you to configure directories to watch, filename masks, and which types of events you want to monitor
        • Built-in templates to jump start your use of FIM to bolster compliance with PCI DSS, HIPAA, SOX, and many other compliance standards
      • New connectors for LOGbinder EX, Cisco®, VMware® and more
      • Significant performance enhancements for specific types of rules
      • Bug fixes, of course!

      Full release notes will be up with the official release. You can find FIM documentation on pages 38 and 268 to 274 of the User Guide. If you have a question about a specific issue/feature, let me know.

      WHAT TO TEST IN LEM 6.0 RC

      We're interested in testing of all the new features, and in hearing from any of you who have had issues resolved. Specifically:

      • Deploying FIM
      • Any differences you notice in rule performance
      • Using any of the new connectors

      WHAT COMPONENTS WERE UPDATED IN LEM 6.0 RC

      • Appliances of all types (manager/single appliance, database server, logging server, etc.)
      • Console (web and AIR)
      • Reports
      • Agents

      SQL Auditor was not changed.

      HOW TO UPGRADE

      All of these details and more are in the Upgrade Guide. This is the same procedure as previous LEM upgrades.

      NOTE: You must first be running LEM version 5.6 or later before upgrading to 6.0. You should also wait until data migration has completed, to be safe.

      To upgrade:

      1. Download the upgrade zip file from the Customer Portal (you'll see an RC listed, then the first download will be the Upgrade zip file).
      2. Extract it somewhere.
      3. Create a network share and copy/move the "TriGeo" and "Upgrade" files to the root of the share.
      4. Log in to your LEM appliance(s) and run the "upgrade" command in the Advanced Configuration/CMC.
        1. If you have multiple appliances, upgrade the core manager appliance first, the rest in any order.
        2. You will be prompted in two possible scenarios: if you don't have enough space for us to guarantee that all data will migrate, and to make an archive or take a snapshot, since the upgrade is irreversible.

      CAVEATS & NOTES

      • Upgrading agents:
        • If you don't want agents to automatically upgrade, you can disable global automatic updates from Manage>Appliances, or individual agents from Manage>Nodes. You can always push out agents manually from the Console even if you disable automatic updates: just go to Manage>Nodes, select the agent, and push.
        • Agents running on Solaris 9 and AIX 5.3 and earlier may automatically upgrade but fail to start. We're working on a way to prevent those agents from upgrading, but if this happens, you'll need to go back to the LEM 5.3.1 agent version. If you can catch them before upgrading, you can disable automatic updates to those agents from Manage>Nodes in the console.
      • If you're using the AIR Console, there might be certificate warnings that prevent you from installing. The workaround is to uninstall/reinstall the AIR console.
      • As always, if you encounter any issues with the upgrade, are confused by the prompts, or wish the documentation included something, please let us know.
        • Re: LEM 6.0 RC - NOTES & INFO
          unodostres

          Can you provide some key benefits on how using FIM on LEM 6.0 would be better than using OSSEC for file integrity monitoring?

            • Re: LEM 6.0 RC - NOTES & INFO
              byrona

              If you are already using LEM then you can consolidate functions to use less tools.  Of course this is assuming that you would no longer need OSSEC if you moved FIM to LEM.

              • Re: LEM 6.0 RC - NOTES & INFO
                cobrien

                I think the biggest differences you'll see with FIM are the same differences you would see with most features compared to OSSEC.  OSSEC is primarily configured through CLI, including the FIM feature.  It's powerful, but there is a heck of a learning curve and ongoing effort.  The OSSEC web console is simple and secondary.  It's not really intended to be the way you interact with the application.  LEM is built to be powerful and easy to use.  All functionality including FIM is configured in the web UI.  You'll likely have FIM up and functioning in a few minutes.  When you want to analyze the data, you do so in the web UI which works with you to bubble up important events.  Building correlation rules with automated responses is a couple of clicks.

                Hope that helps.

                  • Re: LEM 6.0 RC - NOTES & INFO
                    unodostres

                    How about ease of deployment onto Windows PCs? I found a couple of ways to deploy the Windows agents:

                    Mass deployment of LEM via Remote Agent Installer:

                    http://knowledgebase.solarwinds.com/kb/questions/3222/Using+the+SolarWinds+LEM+Remote+Agent+Installer

                    OSSEC mass deployment:

                    https://groups.google.com/forum/#!topic/ossec-list/F8PwED83B28

                    Let me know if there is an easier way than using the Remote Agent Installer. Also, the OSSEC Windows agent does a lot better job at monitoring registry keys without having to add an additional connector for registry keys.  Is there a way to configure the agents so that they are all monitoring with those connectors via a file, instead of manually going to hundreds of newly installed agents and adding the connectors manually?

                    Thank you for your help - I am glad that 6.0 has come out with FIM; it looks like the tool has some great potential, it simply is not as seasoned and widely used as OSSEC since it's so new.

                      • Re: LEM 6.0 RC - NOTES & INFO
                        qle

                        unodostres wrote:

                        Is there a way to configure the agents so that they can all be monitoring with those connectors via a file instead of manually going to hundreds of newly installed agents and adding the connectors manually?

                        I believe this is the purpose of connector profiles. Configure one and apply it to all of the nodes that need to have the same connector configuration.

                        • Re: LEM 6.0 RC - NOTES & INFO
                          cobrien

                          The KB you linked to is a bit long for the sake of completeness, but is basically just running an executable, plugging in the location of your LEM manager, and providing a list of IPs to install agents on.  Looks like the OSSEC post you linked to is a bash script that also requires a list of system IPs.  Seems like a very similar process, but one uses an install wizard and the other uses a community-created bash script.  Maybe I'm missing something?

                          Most large environments I've seen use software distribution platforms like SCCM.  In such cases, you'd want to leverage that platform to deploy the agent non-interactively:

                          SolarWinds Knowledge Base :: Using the SolarWinds LEM Local Agent Installer non-interactively

                          There is no way in LEM to configure FIM via a text file or to configure registry monitoring within the FIM connector for files.  We've tried to avoid working in text files to configure LEM.  Adding a FIM file connector, a FIM registry connector, and several other connectors to a single node is pretty easy.  To scale that out, you can copy that agent's configuration to a connector profile, then apply that connector profile to tens or hundreds or thousands of nodes.

                          This is definitely FIM 1.0 for LEM.  We think we've captured the key functionality though and we hope that we're exposing that functionality with a very easy to use interface.  That's been the feedback we've gotten so far during beta.  Have you had a chance to download the RC and try it?

                            • Re: LEM 6.0 RC - NOTES & INFO
                              unodostres

                              Oh yes, we are using LEM 6.0; we installed it several weeks ago and I deployed FIM on a couple of nodes - looks like I'm going to have to purchase several hundred workstation LEM licenses in order to deploy to the hundreds of systems where we need file integrity monitoring.

                              I like that you can fairly easily modify what directories or files you want to monitor.

                              As far as software distribution - do you know many customers that have had good Dell Kace deployments with LEM for workstations?