SolarWinds LEM
Author: c | 2025-04-25
Solarwinds LEM - Forum - SolarWinds Backup - THWACK
This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references. You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

Hello

We have our Network team asking these questions, can you please help with specifics.

Thanks

How does it communicate?

Agents push to the virtual appliance using the ports listed here: SolarWinds Knowledge Base :: SolarWinds LEM Port and Firewall Information, specifically:

32022 TCP - Non-standard port for SSH traffic to the SolarWinds LEM appliance
37890-37892 TCP - Traffic from SolarWinds LEM Agents to the SolarWinds LEM appliance

Frequency?

By default each enabled connector has a sleep time of 1 second. The frequency is configurable. So, it is real-time for all practical purposes.

Logging activities and amount of log data?

It depends on the connectors enabled. By default, connectors for Security, System and Application event logs are enabled. The communication is encrypted and compressed. In most cases, it is a steady trickle roughly equivalent to an LDAP request (i.e., negligible network overhead).

Thanks, further on from this our operations guys are blaming network bandwidth congestion on the amount of data being sent from agents to the LEM Appliance.

1. Does the LEM agent send the complete log data to LEM?
2. Or does the agent just send the data that I have configured in the LEM Policy?

If you enabled the connectors with the default output type (which is Alert, not nDepth or Alert,nDepth), then only the normalized events are sent. The normalized events are sent only for the enabled connectors. Is the "excessive" bandwidth coming from 1 agent or multiple agents combined? Where are your agents relative to the LEM appliance - all in the same location or another location? You can check which connectors are turned on for a particular node from MANAGE > Nodes and the Gear icon > Connectors next to the agent node.
You can change the sleep time from 1 (second) to say 10 (seconds) to see if it helps.

KBs: SolarWinds Knowledge Base :: How to include the LEM Agent in a Windows image, SolarWinds Knowledge Base :: Using the SolarWinds LEM Agent Installer non-interactively. Use Tool/Connector Profiles to group agents together. This article explains how to configure ESX hosts to syslog events into LEM (SolarWinds Knowledge Base :: Integrating VMware ESXi with SolarWinds LEM).

SolarWinds Security Event Manager, or SolarWinds SEM, is the new name for SolarWinds Log Event Manager (LEM). SolarWinds SEM includes all the same features as LEM, with a new, refreshed, and improved focus on providing cost-effective security event log management software.

SolarWinds Log & Event Manager (LEM) is a security information and event management (SIEM) system. SolarWinds LEM is an end-to-end SIEM that groups, correlates and normalizes data events and logs in a centralized repository that can be easily managed by an IT team.
With LEM functionality, the IT team can quickly scan or search historical event data and put it on a report for further analysis and forensics. LEM virtual appliances can be deployed in a VMware ESX or Microsoft Hyper-V virtual environment, providing insights into security events and helping with performance monitoring and compliance management.

Figure 1 below illustrates the typical log sources and LEM software's components. The directions in which communication is initiated and the network protocols used are also presented.

Figure 1: LEM architecture – typical data sources, LEM software components, protocols and communication direction

Key Features

This system has the capacity to respond to a great variety of events. Some noteworthy aspects of the tool:

- Allows real-time event correlation
- Allows active response through its agents installed on remote devices
- IT teams can perform advanced search and forensic analysis
- Provides USB device monitoring
- Offers IT compliance reporting

Notice that LEM agents are the primary means used for data collection from remote devices, such as servers, applications and workstations. These agents are responsible for gathering any type of information but also have to promptly respond to an incident when it occurs. This is called Active Response technology.

SolarWinds LEM — Technology Overview

Ops Center Dashboard

This screen provides a completely customizable dashboard which can easily identify trends, node health and alerts in a single place. By clicking on any item, we can obtain more detailed information about it.

Figure 2: Ops Center Dashboard

Real-Time Event Correlation

LEM is designed to receive and process thousands of event log messages generated by network devices.
Potential threats or other security issues are identified by applying sophisticated matching engines to correlate events in real time.

The dashboard presented in Figure 3 displays the alerts as they flood in. They are generated when conditions match the previously defined rules in the LEM. Thus, notifications can be set for alert types that need instant attention by the security team.

Figure 3: Real-time event correlation (monitor dashboard)

The correlation rules are very flexible and uncomplicated. Rules can be set to correlate events based on time, transactions that occur or even groups of events.

Figure 4: Left side: Rules listing dashboard; Right side: Rule creation dashboard

Active Response

LEM allows the configuration of several automated responses performed by agents when an alert is detected. SolarWinds calls this "Active Response," and LEM includes a large library of possible responses to common situations. These include:

- Quarantine infected machines, or force shutdowns and restarts
- Block IP addresses
- Disable user accounts
- Kill processes
- Restart or stop services
- Force user log-off
- Reset passwords

However, IT teams can still opt to manually respond to particular alerts with a few clicks on the dashboard. They can select an event from the monitoring windows and click on the "Respond" button to immediately force a specific action.

Figure 5: Automatic response configuration in LEM

USB devices remain a major problem for many organizations. A great amount of sensitive data can be stolen by hackers, as many users aren't aware of the dangers associated with these devices. Fortunately, LEM can identify unauthorized access and copying of sensitive files and enable actions like automatic ejection of USB devices, or quarantine of workstations using USB devices.

Figure 6: LEM can display a message when a USB device is detected (and potentially blocked)

Advanced Search Features

nDepth is a powerful search engine used with the LEM console that allows users to search all of the alert data or the original log messages that pass through a particular agent. nDepth, available under the "Explore" option in LEM, conducts custom searches, allows users to investigate search results with graphical tools and take action on their findings.

The search interface is designed with drag-and-drop elements such as filters and rules. Executing a search query is now more intuitive.

Figure 7: Advanced search console in LEM

This dashboard presents some visual analytics tools such as:

- Word Clouds: Keyword phrases that appear in the alert data.
  Figure 8: Word Clouds
- Tree map: Shows the items that frequently appear in the data as a series of categorized boxes.
  Figure 9: Tree map

Other visual widgets are also presented, such as bar, line, pie and bubble charts.
It's possible to configure a histogram that summarizes alert activity within a particular period.

Reporting

SolarWinds technology has included a powerful reporting engine with Log and Event Manager. It has over 300 built-in reports that can help to reproduce any type of results, from graphical summaries of activities to detailed threat reporting and compliance.

Compliance reports are specifically designed to show an organization's compliance with standards and legislation, like PCI DSS, Sarbanes-Oxley, HIPAA and others. On the other hand, reports can be fully customized to meet the organization's needs.

Figure 10: SolarWinds LEM reports

Conclusion

SolarWinds LEM is a powerful security and compliance operations and reporting system. It provides log management with security incident response options, delivering a well-priced, versatile and easy-to-use product. Features like Active Response and the search center are excellent tools for administrators, as they help to manage threats in an easy manner.
Hello,

Kiwi syslog can handle 2 million syslog messages an hour (without any rules), so has any limitation been marked for LEM?

There is no explicit limit on the amount of syslog/SNMP trap volume per hour with LEM. Without any correlation rules and only storing in the raw log store, we're talking tens of thousands per second. With correlation rules and using connectors to parse the data, we're still talking hundreds on the low end to thousands per second depending on available resources (CPU, memory, disk space).

Thanks Nicole for the detail.

I am planning to configure security devices to send syslog to LEM which sends 2.5 million syslog messages/hour, so I am wondering whether LEM will be able to handle it or not? I am looking for any recommendation from Solarwinds on the volume of acceptable messages per hour without any rules.

It's a relatively high volume, but not unheard of for LEM. With rules/alerts you'll probably have to assign more RAM/CPU. You might want to even just to collect it, but it's hard to say; if you're just storing those events the default allocations might be fine. You could likely increase that by 50-100% and still be fine.

It looks like LEM can handle plenty of events. Do we have any internal tool in LEM to monitor the RAM/CPU resources rather than using Orion?

For data storage, it seems LEM is using the FILO method to store the log and event. How many events or logs will use 1 GB of space on the storage? I know this question might be based on lots of assumptions. However, having a maximum size of an event will be useful to calculate how much storage is required for my LEM for long-term event storage.
You can access top under the appliance menu, when using the console with the cmc account, to get a