22 Replies Latest reply on Apr 18, 2016 4:30 PM by whpd

    LEM - NetFlow & sFlow

    byrona

      I noticed in the Port Requirement guide that ports are specifically noted for NetFlow and sFlow with regard to LEM.  Could somebody please explain or point me to a document that explains how that works and exactly what type of additional visibility that would provide?  Based on many other posts I was under the impression that LEM didn't really support either of these.

        • Re: LEM - NetFlow & sFlow
          curtisi

          If you enable the flow collection service on the LEM:

          1. SSH into the LEM
          2. Go to the Service menu
          3. Run "EnableFlow"


          In the manager console, in the "Explore" menus that appear in the Monitor and nDepth screens, you'll see a new "Flow" option.


          [Screenshot: 2015-09-21 07_55_07-SolarWinds Log & Event Manager.png]

          Clicking it will get you to a new search dialogue that'll make graphs and lists:

          [Screenshot: 2015-09-21 07_55_26-SolarWinds Log & Event Manager.png]

          This data isn't used in Reports, Rules or Filters, but you can search it.  That's about it.

          2 of 2 people found this helpful
          • Re: LEM - NetFlow & sFlow
            familyofcrowes

            I am now running the flow module, and all I can do is get a graph of top talkers (IP or Port)...  I can't find the data in nDepth, so this graph is the only data that seems to be useful...

              • Re: LEM - NetFlow & sFlow
                byrona

                From what I could tell, that is all you get!

                • Re: LEM - NetFlow & sFlow
                  curtisi

                  I did warn that was the case...


                  "This data isn't used in Reports, Rules or Filters, but you can search it.  That's about it."

                    • Re: LEM - NetFlow & sFlow
                      byrona

                      Yes, curtisi, in your defense, you did warn about this, and Nicole had pointed this out to me much earlier on as well.  With that being said, this is one of the unfortunate limitations of LEM that is keeping it from being as robust a SIEM as many of the competing solutions in the market.


                      We just went through the process of evaluating several different SIEM products, and what I found is that LEM is one of the nicest looking and easiest to use solutions out there, and we all know it's backed by a great community.  The only things I feel are holding it back are a few features, a few performance issues, and a more scalable design.  Nothing that seemed like a huge stretch from where it is now.

                        • Re: LEM - NetFlow & sFlow
                          curtisi

                          Yeah, that's not an uncommon comment.  We're well aware of the scalability issues, and I know our dev team is working on it.  I guess the larger picture for SolarWinds is LEM handles logs, NTA handles flow.

                            • Re: LEM - NetFlow & sFlow
                              byrona

                              > I guess the larger picture for SolarWinds is LEM handles logs, NTA handles flow.

                              curtisi, while I understand this approach, this will continue to limit LEM as a SIEM solution when compared to just about everything else on the market.  LEM is presented as a stand-alone SIEM solution, so your audience is going to compare it as such.  I realize that you don't have direct control over what LEM is and what features it will have.


                              I point these things out because I see the potential in what LEM could be with minimal effort.  I really like working with SolarWinds, the community and the products, so I am trying to advocate for LEM, both for the sake of the product and for me as a client that would like to continue to use it but may end up ultimately having to go with something else due to silly limitations that just shouldn't exist in an otherwise great product.

                              1 of 1 people found this helpful
                                • Re: LEM - NetFlow & sFlow
                                  familyofcrowes

                                  Ditto....  My security team wants Splunk....  Loss of features like this is making me lose the battle.

                                  • Re: LEM - NetFlow & sFlow
                                    nicole pauls

                                    The key for the perspective that LEM is responsible for handling logs and NTA is responsible for handling flow is that they get integrated, and a security use case layer gets applied on the NTA side.


                                    I can tell you the NTA and DPI product management folks ARE aware of the security value of that data (thresholds/alerting from flow/DPI data, being able to go back into flow/DPI data during an investigation, a security dashboard, etc.).  Many of these use cases can be furthered if/when LEM data gets more of a presence in Orion.


                                    Since NTA is purpose-built for flow data we didn't really want to re-invent the wheel, but like I said, for that to work in the long term, the dots have to get connected.


                                    What kind of use cases do you see yourself using flow data for? I guess I seeded that with thresholds/alerting, being able to go back during an investigation, and a security dashboard... maybe the next step is correlating those flow alerts with log data, which would be the ultimate endgame.
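The three use cases raised in this thread (top talkers, thresholds/alerting from flow data, and correlating a flow alert with log data from the same host) are easy to sketch in code. The example below is added here and is not LEM, NTA or SolarWinds code; it assumes a hypothetical flow record shape (start time, source, destination, destination port, byte count) and a hypothetical log event shape (timestamp, host, message), both populated with constructed sample data.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    """One exported flow record (hypothetical shape, not a vendor format)."""
    ts: int          # flow start, epoch seconds
    src: str
    dst: str
    dport: int
    octets: int      # bytes carried by the flow


@dataclass(frozen=True)
class Alert:
    src: str
    ts: int          # time the threshold was crossed
    octets: int      # bytes seen in the sliding window at that moment


# Constructed sample flows (documentation-range addresses, not captured data)
FLOWS = [
    FlowRecord(1000, "10.0.0.5", "203.0.113.9", 443, 5_000_000),
    FlowRecord(1010, "10.0.0.5", "203.0.113.9", 443, 7_000_000),
    FlowRecord(1020, "10.0.0.7", "10.0.0.1", 53, 1_200),
    FlowRecord(1030, "10.0.0.8", "198.51.100.2", 22, 40_000),
    FlowRecord(1040, "10.0.0.7", "10.0.0.1", 53, 900),
    FlowRecord(1050, "10.0.0.5", "203.0.113.9", 443, 9_000_000),
    FlowRecord(2000, "10.0.0.8", "198.51.100.2", 22, 55_000),
]

# Constructed sample log events in the shape a log collector might hand over
LOG_EVENTS = [
    {"ts": 990,  "host": "10.0.0.5", "msg": "UserLogon account=svc_backup"},
    {"ts": 1005, "host": "10.0.0.5", "msg": "ProcessStart image=archiver.exe"},
    {"ts": 1800, "host": "10.0.0.8", "msg": "UserLogon account=admin"},
]


def top_talkers(flows, key="src", n=3):
    """Sum bytes per source IP (key='src') or destination port (key='dport').
    This is the graph LEM's flow search produces; largest first."""
    totals = defaultdict(int)
    for f in flows:
        totals[getattr(f, key)] += f.octets
    # Ties broken by key so the ordering is deterministic
    return sorted(totals.items(), key=lambda kv: (-kv[1], str(kv[0])))[:n]


def threshold_alerts(flows, limit_octets, window_s=60):
    """Raise one alert per source the first time it moves more than
    limit_octets within any window_s-second sliding window."""
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda r: r.ts):
        by_src[f.src].append(f)
    alerts = []
    for src, recs in by_src.items():
        window, total = deque(), 0
        for f in recs:
            window.append(f)
            total += f.octets
            # Evict records older than the window; f itself is always kept
            while f.ts - window[0].ts > window_s:
                total -= window.popleft().octets
            if total > limit_octets:
                alerts.append(Alert(src, f.ts, total))
                break
    return alerts


def correlate(alerts, log_events, lookback_s=300):
    """Pair each alert with log events from the same host in the lookback
    period leading up to the threshold crossing."""
    out = []
    for a in alerts:
        related = [e for e in log_events
                   if e["host"] == a.src and a.ts - lookback_s <= e["ts"] <= a.ts]
        out.append((a, related))
    return out


if __name__ == "__main__":
    print("Top talkers by source:", top_talkers(FLOWS, "src"))
    print("Top talkers by port:  ", top_talkers(FLOWS, "dport"))
    for alert, events in correlate(threshold_alerts(FLOWS, 10_000_000), LOG_EVENTS):
        print(alert)
        for e in events:
            print("   ", e["ts"], e["msg"])
```

With the constructed data, 10.0.0.5 crosses the 10 MB-per-minute threshold at t=1010, and the two log events from that host in the preceding five minutes are attached to the alert; the 10.0.0.8 flows never exceed the threshold because they fall in different windows. The threshold value, window and lookback are tuning knobs that depend on the environment, which is the part of the "SolarWinds-ify the use cases" work the thread is asking for.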

                                      • Re: LEM - NetFlow & sFlow
                                        byrona

                                        I both understand and can see the value in the eventual connecting of the dots between LEM and NTA/Orion.  The value is in the correlation/thresholds/alerting of such data.  However, with that said, I think there is also significant value in having LEM be a stand-alone virtual appliance.  We have and use Orion, and it's not an insignificant product to manage, requiring multiple Windows systems, SQL Server, etc.  LEM is a self-contained appliance, and having it remain a self-contained security appliance represents a significant value, even if it were eventually to be of a more modular design where you had multiple virtual appliances with some of the roles broken out.


                                        On a separate note: I also see this being a more difficult pitch to people that don't already have Orion in place, because you need NPM to have NTA, so now to get flow data into your security solution you would need to purchase two more products, not to mention SQL Server (which is not cheap); as a consumer I would likely look for a different solution in this situation.

                                          • Re: LEM - NetFlow & sFlow
                                            nicole pauls

                                            True. It is technically possible to create a "stack" of LEM appliances for different roles, so flow could be one of those roles, if the use cases matured.


                                            The other honest side to that coin is that after deploying the top talkers functionality, we didn't see a lot of customers who were at the point where they were ready to see security value from flow data; they could barely keep on top of their log data.  Regardless of whether it was within LEM or NTA, it would behoove us (them) to SolarWinds-ify the use cases.

                                              • Re: LEM - NetFlow & sFlow
                                                byrona

                                                I am certainly on-board with the integrated vision and think it would be great.  I just try to look at it from all angles.  I still think LEM is a great product and hope that I will be able to continue working with it.

                                                • Re: LEM - NetFlow & sFlow
                                                  whpd

                                                  I'm just going to throw in my $0.02 and say I think it would be awesome to have Orion/LEM integration.  I'm not much of a fan of using Flash, so if you could just throw a hook into Orion (an LEM tab) and use HTML5 or something similar to essentially display the same type of information, it would seem to work pretty well for those who only have LEM (keep using Flash) and for those who have Orion and want to integrate that in.  I also understand that it isn't anywhere near as simple as I have just said.  In either case, it's pretty cool that LEM does have NetFlow capabilities.  At my current job we don't have NTA, and I don't see us looking to acquire it any time soon.  I also don't see a lot of need for NetFlow analysis, but it's good to see there is (somewhat of) an ability for LEM to monitor that.