LEM 6.2 User Guide



Copyright © 2015 SolarWinds Worldwide, LLC. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the written consent of SolarWinds. All right, title, and interest in and to the software and documentation are and shall remain the exclusive property of SolarWinds and its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SOLARWINDS and SOLARWINDS & Design marks are the exclusive property of SolarWinds Worldwide, LLC and its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks, registered or pending registration in the United States or in other countries. All other trademarks mentioned herein are used for identification purposes only and may be or are trademarks or registered trademarks of their respective companies.


Chapter 1: Introduction 1

How LEM Works 1

LEM Architecture 2

LEM Manager 3

Protocols and Communication Direction 4

What is New in LEM 6.2.0 4

Chapter 2: Requirements 6

Virtual appliance minimum resource requirements 6

Desktop and reports consoles software requirements 7

Web console software requirements 7

Chapter 3: Introduction to the Console 8

Opening Views in the Console 8

Working with Grids 9

Rearranging Grid Columns 9

Sorting a Grid by its Columns 10

Logging In and Out of Managers 11

Logging Into a Manager 11

Logging Out of a Manager 12

Logging Out of the LEM Console 12

Chapter 4: Basic LEM Procedures 13

Ops Center 13

Monitor 14

Explore 14

Collecting and displaying flow data 15

Build 17

Rules – Additional Details 17

Manage 17

Adding Devices 18

Agent Installation 19


Configuring Connectors for Agent and Non-Agent Devices 20

Troubleshooting 22

Additional Information 22

Creating Connector Profiles to manage LEM Agents: 23

Verifying Data 24

Which Do I Pick? 24

nDepth: A Fully Integrated IT Search Solution 25

Additional Information 25

LEM Reports: For Compliance and Historical Reporting Needs 26

Troubleshooting 27

Additional Information 28

Adding Filters 29

Which Do I Pick? 29

Use the Default Filters as Examples 29

Other Filter Scenarios 30

Example: Change Management 30

Troubleshooting 31

Additional Information 32

Adding Rules 32

Use Pre-configured Rules to Get Started 32

Example: Change Management 33

Other Rule Scenarios 34

Troubleshooting 35

Additional Information 36

Analyzing Data 36

Which Do I Pick? 37

nDepth: A Fully Integrated IT Search Solution 37

Additional Information – nDepth 38

LEM Reports: For Compliance and Historical Reporting Needs 38

Troubleshooting 40


Additional Information – LEM Reports 41

Chapter 5: Leveraging LEM 42

Monitoring Windows Domain Controllers for Brute Force Hacking Attempts 42

Configuring the SolarWinds LEM Agent 42

Creating a LEM Rule to Track Failed Login Attempts to Administrative Accounts 46

Monitoring Firewalls for Port Scans and Malformed Packets 48

Setting a Firewall to Log to a LEM Appliance 48

Configuring a Firewall Connector on a LEM Manager 49

Viewing Network Traffic from Specific Computers 50

Creating a LEM Rule to Notify of Potential Port Scanning Traffic 50

Monitoring Antivirus Software for Viruses that are Not Cleaned 52

Setting Antivirus Software to Log to a LEM Appliance 52

Configuring the Antivirus Connector on a LEM Manager 52

Creating a LEM Rule to Track When Viruses Are Not Cleaned 53

Monitoring Proxy Servers for Suspicious URL Access 54

Setting Proxy Server to Log to a SolarWinds LEM Virtual Appliance 54

Configuring a Proxy Server Connector on a SolarWinds LEM Manager 54

Monitoring Microsoft SQL Databases for Changes to Tables and Schema 56

Leveraging the Incidents Report in Security Audits 59

Chapter 6: Ops Center 60

Widgets 60

User Details 62

User: Details Widget 62

User: All Events Widget 62

Node Details 62

Node: Details Widget 62

Node: Connectors Applied Widget 63

Node: All Events Widget 63

Widget Manager 63


Viewing specific widget data 68

Refreshing widget data 69

Opening a filter from a widget 69

Editing a widget’s chart presentation 70

Resizing a widget 72

Viewing a widget’s legend 72

Where to find widgets 73

Chapter 7: Monitor 74

Monitor View Features 74

Filters and Filter Groups 76

Standard LEM Filters 78

Filter Creation 80

Features of Filter Creation 81

Events 82

Applying a Filter to the Events Grid 83

Sorting the Events Grid 83

Highlighting Events 84

Copying Event Data to the Clipboard 85

Marking Events as Read and Unread 86

Removing Events 87

Using the Event Details/Event Description Pane 88

Event Severity Levels 90

Chapter 8: Explore 91

nDepth 91

nDepth's Visual Tools 92

nDepth's Primary Uses 92

Exploring Events vs. Log Messages 93

Opening nDepth 93

Opening nDepth From Another Data Source 94

Scheduled Saved Searches 96


nDepth's Search Bar 97

nDepth Explorer Toolbar 99

nDepth's History Pane 101

Using the nDepth Histogram 101

Histogram Features 102

Searching the Activity Associated with a Particular Histogram Bar 103

Moving the Search Period 104

Changing the Period's Start and End Time 105

Using Result Details 106

Interpreting Search Results in Events Mode 106

Interpreting Search Results in Log Messages Mode 107

Adding Search Strings from Result Details 108

Using Explorers with Result Details 110

Responding to Result Details 110

Exporting Result Details Data to a Spreadsheet 111

Common nDepth Data Fields 111

Common Data Fields Categories in Events Mode 112

Common Data Field Categories in Log Messages Mode 113

Using the Word Cloud 113

Opening the Word Cloud 114

Viewing Statistics in the Word Cloud 114

Filtering the Contents of the Word Cloud 114

Exploring Items in the Word Cloud 115

Using the Tree Map 116

Opening the Tree Map 116

Resizing Tree Map Categories 117

Exploring items in the Tree Map 117

Using nDepth widgets 117

Default nDepth Chart Widgets 118


Viewing a widget's details 119

Creating a search string from a widget item 120

Adding new nDepth Widgets 120

Editing nDepth Widgets 120

Adding a Chart Widget to the nDepth Dashboard 121

Adding a main nDepth view to the nDepth Dashboard 121

Using Search Builder 122

Opening Search Builder 123

Switching from the Search Bar to Search Builder 123

Search Builder features 124

Configuring a Search with Search Builder 127

Utilities 129

Explorer Types 130

NSLookup Explorer 132

Traceroute Explorer 132

Whois Explorer 133

Manually Exploring an Item 134

Chapter 9: Build 135

Groups 135

Group types 135

Groups View Features 137

Refining the Groups Grid 137

Rules 139

Rules View Features 139

Rules Grid Columns 139

Refine Results Form 140

Rule Categories and Tags 142

Rule Tagging 142

Users 143

Users View Features 143


Users Grid Columns 143

Refining the Users Grid 144

Viewing a User’s System Privileges 145

Chapter 10: Manage 146

Appliances View Features 147

Appliances Grid Columns 147

Details Pane 149

Configuring a Manager's Properties 150

The Login Tab 150

The License Tab 152

License Recycling 153

The Settings Tab 153

Configuring Event Distribution Policy 156

Practical Uses for Event Distribution Policy 156

Opening the Event Distribution Policy Window 156

About the Event Distribution Policy Window 157

Configuring Event Distribution Policy 158

Pushing event policy to lower-level event types 159

Exporting a Manager’s Event Policy 160

Improving performance with event filtering (Windows only) 161

Table of Alerts with Windows Security Auditing Provider SIDs 162

Adding and Editing Nodes 163

Nodes View Features 163

Nodes Grid Columns 164

Adding a Syslog Node 167

Scan for New Nodes 168

Adding Nodes Manually 169

Refining the Agents Grid 169

Chapter 11: Adding and controlling users and groups 171


Editing User Settings 176

Deleting Users 176

Restricting LEM Reports 177

Chapter 12: Utilizing the Console 179

Creating filters for real-time monitoring 179

Creating conditions to filter event reporting 184

Creating a New Filter 187

Editing an Existing Filter 188

Cloning an Existing Filter 189

Pausing Filters 190

Resuming Paused Filters 190

Turning Filters On and Off 191

Copying a Filter 192

Importing a Filter 193

Exporting a Filter 193

Deleting a Filter 194

Managing Filter Groups 195

Adding a New Filter Group 195

Renaming a Filter Group 195

Rearranging Filter Groups 195

Moving a Filter From One Group to Another 196

Deleting a Filter Group 197

Responding to Events 197

Using the Respond Form’s Drag and Drop Functionality 198

Review events with the Event explorer 200

Opening the Event explorer 200

Event Explorer features 200

Exploring events 202

Using the Event Map 202

Reading an Event Map 203


Event Map Legend 204

Using the Event Grid 204

Viewing information in the event grid 205

Exploring From the Event Grid 205

Using the Event Details Pane 205

Opening and Closing the Event Details Pane 206

Viewing an Event’s Event Details 206

Exploring From the Event Details Pane 206

Performing nDepth Searches 208

Creating Search Conditions 210

Deleting Items From Search Strings 211

Creating Custom time frames 212

Saving a Search 213

Using a Saved Search 214

Making Changes to a Saved Search 214

Exporting nDepth Search Results to PDF 215

Exploring Search Results from Graphical Views 216

Taking Action on Event Details 216

Deleting a Saved Search 217

Creating Search Conditions 217

Deleting Items From Search Strings 219

Creating Custom time frames 220

Managing Connectors 221

Adding New Connector Instances 222

Starting a Connector Instance 224

Stopping a Connector Instance 225

Editing a Connector Instance 225

Deleting a Connector Instance 226

Creating Connector Profiles to Manage and Monitor LEM Agents 227


Features of FIM 229

What can FIM detect? 229

Adding a FIM Connector 230

Monitors 231

Adding Custom Monitors 231

Editing Monitors 231

Promoting a Monitor to a Template 231

Deleting a Monitor 231

Adding Conditions 232

Editing Conditions 232

Deleting Conditions 233

FIM Connector Advanced Settings 233

Managing Widgets 235

Opening and Closing the Widget Manager 235

Creating New Master Widgets 235

Editing Master Widgets 236

Adding Widgets to the Dashboard 237

Deleting Master Widgets 238

Editing a Dashboard Widget 239

Deleting Dashboard Widgets 239

Chapter 13: Advanced Configurations 240

Setting up an Appliance 240

Adding Appliances to the Console 240

Copying Appliance Data 242

Removing an Appliance 242

Managing Connectors 243

Configuring Manager Connectors (general procedure) 243

Configuring Agent Connectors (general procedure) 243

Using Connector Profiles to Configure Multiple Agents 244

Configuring email active response connectors 245


Requirements 245

Configuring the email active response connector 245

Testing the Email Active Response Connector 246

Managing Groups 246

Adding a New Group 246

Editing a Group 247

Cloning a Group 247

Importing a Group 248

Exporting a Group 249

Deleting a Group 249

Configuring Event Groups 250

Event List Features 251

Configuring Directory Services Groups 253

How to Use Directory Services Groups 253

Synchronizing Directory Service Groups with LEM 253

Viewing a Directory Services Group Members 255

Directory Services Group Grid Columns 255

Deleting DS Groups 256

Configuring Email Templates 256

Step 1: Creating the Email Template 257

Step 2: Adding Message Parameters 258

Step 3: Creating the message 259

Managing email template folders 259

Configuring State Variables 259

Adding new State Variable fields 260

Editing State Variable fields 262

Deleting State Variable fields 262

Managing State Variable Folders 263

Configuring Time of Day Sets 263


Selecting periods in the time grid 265

Configuring User-Defined Groups 265

Examples of User-Defined Groups 265

Configuring a User-Defined Group 266

Adding data elements to a User-Defined Group 267

Editing a data element in a User-Defined Group 268

Deleting a data element from a User-Defined Group 269

Configuring Connector Profiles 270

Connector Profile Rules 270

Creating a Connector Profile (general procedure) 271

Step 1: Selecting a template for the profile 271

Step 2: Selecting the Agents that are members of the profile 272

Editing a Connector Profile’s Connector Settings 274

Opening a Connector Profile’s Settings 274

Adding a New Connector Instance 275

Editing a Connector Profile’s Connector Settings 275

Managing Rules 276

Creating Rules 276

Rule Creation Features 277

Advanced Thresholds 278

Editing threshold fields 280

Deleting a threshold field 280

Using the Actions box 281

Using constants and fields to make actions flexible 281

Configuring a Rule’s Actions 281

Adding a New Rule 282

Rule Window Features 284

Correlations Box Features 287

Editing Rules 290

Subscribing to a rule 291


Enabling a rule 293

Placing rules in test mode 294

Activating rules 297

Disabling a rule 297

Cloning rules 299

Importing a rule 299

Exporting rules 300

Deleting Rules 301

Connector Configuration Features 302

Connectors Grid Columns 303

Connectors Grid Icons 304

Refining the Connectors Grid 305

Chapter 14: Reports 307

About Reports 308

Opening Reports 309

Using the Quick Access Toolbar 309

Default commands 310

Customizing the Quick Access Toolbar 310

Moving the Quick Access Toolbar 311

Minimizing the Ribbon 312

Configuring Report Preferences 313

Table of preferences 313

Selecting a (default) Primary Data Source 314

Configuring a syslog server 315

Configuring a Data Warehouse 317

Troubleshooting Database Connections 319

Managing report categories 321

Manage Categories form 321

Selecting reports for specific industries 322


Creating a list of favorite reports 326

Removing a report from the Favorite Reports tab 327

Viewing Historical Reports 329

Working with report lists 329

Viewing lists of reports by category 329

Locating a report by title 330

Viewing a report’s properties 331

Creating a list of favorite reports 332

Custom report filters 333

Creating a custom report filter 333

Saving a custom report filter 334

Opening a saved custom report filter 335

Exporting a report 336

Reports features 337

Key features of the Reports window 338

Using the Menu Button 340

Grouping reports 341

Creating a report group 342

Viewing the reports within a group 343

Creating a sub-group 343

Managing reports 345

Editing a scheduled report task 345

Deleting a schedule from a task 346

Deleting a scheduled report task 346

Printing reports 347

Printing a report 347

Setting up printer preferences 348

Filtering report lists 349

Filtering a report list 350

Changing a filter setting 350


Turning off report filters 350

Running and Scheduling Reports 351

Running Reports on Demand 351

Report Errors 354

Scheduling Reports (process overview) 354

Step 1: Selecting the report you want to schedule 355

Step 2: Adding a new scheduled report task 356

Step 3: Scheduling the Report 358

Step 4: Selecting Advanced Scheduling Options 360

Step 5: Stating when the system can or cannot run the task 362

Step 6: Assigning the data source and scope 365

Step 7: Exporting a scheduled report 368

Searching reports for specific text 370

Viewing the text-based details of a report 370

Using the Search tool 370

Using the Select Expert tool 371

Running a query with the Select Expert tool 372

Restoring the original report 374

Sorting, filtering, and grouping report lists 374

Sorting the report list 374

Viewing reports 375

Opening your saved reports 375

Viewing the sections of a master report 376

Hiding and showing a master report’s sub-topic pane 377

Viewing the pages of a report 379

Magnifying and reducing report pages 380

Stopping a report in progress 381

Chapter 15: Setting up an nDepth Appliance 383

Using a separate nDepth appliance 383


Configuring Network Connectors for Use with nDepth 384

Alternate Storage Methods 384

Where to Find the Numbers 385

Disk Usage Summary 385

Log Storage Maintenance Report 386

Alternate Storage Methods 386

Chapter 16: Enabling Transport Layer Security 388

Enabling Standalone LEM Appliance 388

Setting up a Dedicated LEM User for Reports Accessing 389

Configuring Reports Application 390

Enabling TLS on a LEM Manager with a Dedicated Database Appliance 390

Enabling TLS on LEM Database 391

Importing Certificates into the Manager and Database 392

Chapter 17: Troubleshooting 394

Troubleshooting Disconnected or Missing LEM Agents 394

Troubleshooting Connected LEM Agents 395

Troubleshooting Network Devices Logging to LEM 396

Troubleshooting Devices Logging to a Log File on the Appliance 398

Contacting Support 398

Appendix A: Standard Widget Tables 399

Appendix B: Events 402

Event types 403

Asset Events 403

Audit Events 407

Incident Events 425

Internal Events 426

Security Events 431

Appendix C: Appendix Event Data Fields 482

Appendix D: Connector Categories 485

Appendix E: CMC Commands 513


Logging on to CMC 513

Using the CMC 'appliance' menu 515

Using the CMC 'manager' Menu 516

Using the CMC 'ndepth' menu 518

Using the CMC 'service' Menu 519

Upgrading LEM Connectors 522

Updating connectors using the LEM Console 522

Updating connectors using the CMC interface 522

Appendix F: Report Tables 524

Table of Audit reports 524

Table of Security reports 551

Table of Support Reports 581

Report schedule definitions 583

Appendix G: Connector Configuration Tables 584

Connector Categories 584

Configuring Sensors 590

Configuring Actors 593

Setting up a Notification System 596

Appendix H: Filter Configuration Tables 599

Comparing Values with Operators 601

Selecting a new operator 601

Operator tips 602

Table of operators 602

Examples of AND and OR conditions 603

Configuring event filter notifications 604

Selecting the notification method 604

Notifications table 605

Appendix I: Rule Configuration Tables 608

Appendix J: Additional Configuration and Troubleshooting Information 626


Additional Information 629

Configuring Default Batch Reports on Windows 7, 8 and Windows Server 2008, 2012 Computers 630

Choosing a Reports Computer 630

INI File Preparation 630

Scheduling the Reports to Run 631

Default Report Schedules 632

Daily Reports 633

Weekly Reports 633

Configuring LEM Reports on Computers without the LEM Console 634

Configuring Report Restrictions 635

Configuring the USB Defender Local Policy Connector 636

Configuring your LEM Appliance Log Message Storage and nDepth Search 638

Creating a Custom Filtered Report 640

Creating a Filter for a Specific Event Type 641

Creating Connector Profiles to Manage and Monitor LEM Agents 642

Creating Email Templates in the LEM Console 644

Creating Rules from your LEM Console to Take Automated Action 647

Creating Users in the LEM Console 650

Disabling Windows Filtering Platform Alerts Using Alert Distribution Policy 652

Table of Descriptions by Event ID 654

Do not modify the Output, nDepth Host, or nDepth Port fields when configuring LEM connectors unless your appliance is set up to store original log data 655

Enabling Windows File Auditing in Windows 656

Enabling LEM to Track Events 659

Filtering and Exporting LEM Reports 661

Getting Started with User-Defined Groups 663

Using Directory Service Groups to account for Windows users, groups, and computer accounts 665

Extended Description 665


Uses 666

Filters 666

Rules 666

Modifying Filters for Users with the Monitor Role 667

Output, nDepth Host, nDepth Port Fields 668

Report Formats and their Corresponding Numbers Listed in a LEM Scheduled Report INI File 669

Troubleshooting LEM Agent Connections 671

Troubleshooting LEM Rules and Email Responses 676

Additional Information 681

Troubleshooting Unmatched Data or Internal New Connector Data Alerts in the LEM Console 683

Troubleshooting Syslog Devices 683

Table of Conflicting Devices 685

Troubleshooting Agent Devices/Connectors 685

Contacting Support 686

Using the Append Text to File Active Response 688

Using the Block IP Active Response 691

Additional Information 692

Using the Computer-based Active Response 693

Using the Detach USB Device Active Response 695

Using the Disable Networking Active Response 697

Using the Kill Process Active Response 699

Using the SolarWinds LEM Local Agent Installer Non-interactively 701

Using the SolarWinds LEM Remote Agent Installer 704

Using Time of Day Sets to Pinpoint Specific Time Frames in Filters and Rules 708

Using the User-based Active Response 711

Viewing All Traffic from a Specific Device in the LEM Console 713

Windows Audit Policy and best practice 715


Chapter 1: Introduction

SolarWinds Log & Event Manager (LEM) is a state-of-the-art virtual appliance that adds value to existing security products and increases efficiencies in administering, managing and monitoring security policies and safeguards on your network.

SolarWinds LEM is based on brand new concepts in security. You can think of it as an immunity system for computers. It is a system that is distributed throughout your network to several “points of presence” that work together to protect and defend your network. SolarWinds LEM responds effectively with focus and speed to a wide variety of threats, attacks, and other vulnerabilities.

SolarWinds LEM collects, stores and normalizes log data from a variety of sources and displays that data in an easy to use desktop or web console for monitoring, searching, and active response. Data is also available for scheduled and ad hoc reporting from both the LEM Console and standalone LEM Reports console.

Some common use cases for SolarWinds LEM include the following:

• Correlating network traffic from a variety of sources using filters and rules.
• Visualizing log data in dynamic graphs, charts and other widgets.
• Monitoring USB mass storage device activity on network Agents.
• Responding to countless threats, attacks and other vulnerabilities with easy to use point-and-click and automated active responses.
• Searching normalized log data for events of interest.
• Change Management and other security-related reporting for management and auditors.

How LEM Works

The SolarWinds LEM system is based on software modules called Agents, which collect and normalize log data in real time before it’s processed by the virtual appliance, and other non-Agent devices, which send their log data directly to the Manager for both normalization and processing.


Agents are installed on workstations, servers, and other network devices where possible. Agents communicate the log data from each device’s security products to the LEM virtual appliance. These security products include anti-virus software, network-based intrusion detection systems, and logs from operating systems. When an Agent cannot be installed on a device, that device can be set to send its log data to the LEM Manager for normalization and processing. Examples of devices that cannot host Agent software include firewalls, routers, and other networking devices.

LEM accepts normalized data and raw data from a variety of devices. LEM agent connectors normalize the data before sending the data to the LEM manager. Non-agent devices send their log data in raw form to the LEM manager. The following diagram shows this flow of data and the ports involved. Once normalized, log data is processed by the LEM Manager, which provides a secure management clearinghouse for normalized data. The Manager’s policy engine correlates data based on user defined rules and local alert filters, and initiates the associated actions when applicable.

These actions can include notifying users both locally in the Console and by email, blocking an IP address, shutting down or rebooting a workstation, and passing the alerts on to the LEM database for future analysis and reporting within the Reports application.

LEM Architecture

The LEM architecture is uniquely designed for gathering and correlating logs and events in real time at network speed, and for further defending the network using LEM’s Active Response Technology. The figure below illustrates the typical log sources and LEM software components. It also illustrates the direction in which


LEM Manager

The LEM Manager is the deployed Virtual Appliance; it consists of the following key components:

• Hardened Linux® OS
• Syslog Server and SNMP Trap Receiver
• High compression, search optimized database
• Web server
• Correlation engine

For Network Device log sources such as routers, firewalls, and switches, LEM relies on these devices sending Syslog messages to the Syslog server running on the LEM appliance.


For Servers and Applications LEM largely relies on a LEM Agent installed on these servers. The LEM Agent has a negligible footprint on the server itself, and provides a number of benefits to ensure logs are not tampered with during collection or transmission while being extremely bandwidth friendly.

For Workstations, the LEM Agent used on Windows® workstations is the same as the one used for Windows servers.

Other SolarWinds solutions like Network Performance Monitor (NPM), Server & Application Monitor (SAM) and Virtualization Manager (VMan) can send performance alerts as SNMP Traps to LEM. LEM can correlate these performance alerts with LEM events.

You can install the LEM Reports Console on any number of servers to schedule the execution of over 300 audit-proven reports. From a security standpoint, the service > restrictreports command can be used to limit the IP addresses that are allowed to run these reports.

Protocols and Communication Direction

Below is a summary of the protocols and communication direction.

• Network devices can send Syslogs to LEM Manager over TCP or UDP. The direction of this communication is from the network device to the LEM Manager.
• LEM Agents installed on servers and workstations initiate TCP connections to the LEM Manager, so the Agents push data to the LEM Manager.
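The two inbound paths described in "How LEM Works" and summarized above (raw syslog from network devices over TCP or UDP, and Agent pushes over TCP, never a Manager-initiated connection) can be turned into a quick check of observed flows. This is an added example, not SolarWinds code: the syslog port (514) and the Agent port (placeholder 37890) are assumptions because the port diagram is not reproduced on this page, and all addresses and flows are constructed.

```python
"""Check observed network flows against the LEM communication directions
described in the guide: network devices push syslog to the LEM Manager over
TCP or UDP, and LEM Agents initiate TCP connections to the Manager. Anything
else touching the Manager is flagged for review."""
from dataclasses import dataclass

# Assumptions: the diagram listing LEM's ports is not reproduced on this page.
SYSLOG_PORT = 514    # standard syslog port, assumed here
AGENT_PORT = 37890   # placeholder for the LEM Agent port; substitute your deployment's value

# Constructed sample inventory (not real addresses).
LEM_MANAGER = "10.0.0.10"
AGENT_HOSTS = {"10.0.1.21", "10.0.1.22"}       # servers/workstations with a LEM Agent
NETWORK_DEVICES = {"10.0.2.1", "10.0.2.254"}   # firewalls/routers sending raw syslog


@dataclass(frozen=True)
class Flow:
    """One observed connection or datagram exchange."""
    initiator: str   # address that opened the TCP connection or sent the UDP datagram
    responder: str
    proto: str       # "tcp" or "udp"
    dst_port: int


def classify_flow(flow):
    """Return (verdict, reason); verdict is 'expected', 'review', or 'ignored'."""
    proto = flow.proto.lower()
    if LEM_MANAGER not in (flow.initiator, flow.responder):
        return "ignored", "flow does not involve the LEM Manager"
    if flow.initiator == LEM_MANAGER:
        # Agents and devices push to the Manager; an outbound connection from the
        # Manager on these paths is not part of the described architecture.
        return "review", "LEM Manager initiated the connection"
    if flow.dst_port == SYSLOG_PORT:
        if proto not in ("tcp", "udp"):
            return "review", f"syslog over unsupported protocol {proto}"
        if flow.initiator in NETWORK_DEVICES:
            return "expected", f"raw syslog over {proto} from a known network device"
        return "review", "syslog from a host that is not a registered network device"
    if flow.dst_port == AGENT_PORT:
        if proto != "tcp":
            return "review", "LEM Agent traffic is TCP only"
        if flow.initiator in AGENT_HOSTS:
            return "expected", "LEM Agent pushing normalized data over TCP"
        return "review", "Agent port reached from a host with no registered Agent"
    return "review", f"unexpected destination port {flow.dst_port} on the LEM Manager"


def flows_needing_review(flows):
    """Return (flow, reason) pairs for every flow whose verdict is 'review'."""
    results = [(f, classify_flow(f)) for f in flows]
    return [(f, reason) for f, (verdict, reason) in results if verdict == "review"]


# Constructed sample flows, as a firewall or NetFlow export might provide them.
SAMPLE_FLOWS = [
    Flow("10.0.2.1", LEM_MANAGER, "udp", SYSLOG_PORT),     # firewall syslog: expected
    Flow("10.0.1.21", LEM_MANAGER, "tcp", AGENT_PORT),     # Agent push: expected
    Flow("10.0.1.21", LEM_MANAGER, "udp", AGENT_PORT),     # Agent over UDP: review
    Flow(LEM_MANAGER, "10.0.1.22", "tcp", AGENT_PORT),     # Manager-initiated: review
    Flow("10.0.3.7", LEM_MANAGER, "tcp", SYSLOG_PORT),     # unknown syslog source: review
    Flow("10.0.1.22", "10.0.2.1", "tcp", 22),              # unrelated: ignored
]

if __name__ == "__main__":
    for flow, reason in flows_needing_review(SAMPLE_FLOWS):
        print(f"REVIEW {flow.initiator} -> {flow.responder}:{flow.dst_port}/{flow.proto}: {reason}")
```

Feed it real flow records and an accurate inventory of Agent hosts and syslog senders; the "review" list then doubles as a check that firewall rules between segments and the Manager match the directions the guide describes.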

What is New in LEM 6.2.0

• Threat intelligence feed
  ◦ Automatically evaluate your traffic against a comprehensive, open-source database of malicious IP addresses
  ◦ Get real-time historical visibility of traffic from known bad actors using rules, filters, and search
• Automatic connector updates
  ◦ Enable automatic connector updates through the LEM Console.
  ◦ Ensure you always have the newest, most up-to-date connectors for all


• Customer-requested improvements
  ◦ LEM Virtual Appliance details from the LEM Console for effective resource allocation
  ◦ NTLMv2 authentication support for backup and archive functionality
  ◦ FileAudit Event report bug fixes and enhancements
  ◦ New connectors for Kareio, Blue Coat, Proofpoint, GENE6, and more


Chapter 2: Requirements

Different sized installations may require greater or fewer resources. For detailed information on sizing and resource requirements, refer to the "Requirements" section of the Log & Event Manager Deployment Guide.

Before installing, always make sure your hardware and software meet the minimum requirements.

Virtual appliance minimum resource requirements

Virtualization platform:
  • VMware vSphere Hypervisor ESX/ESXi 4.0 or later
  • Microsoft Hyper-V Server 2008 R2, 2012, and 2012 R2

CPU speed: 2 GHz

Memory: 8 GB

Hard drive space:
  • 250 GB is advised for smaller deployments.
  • 2.0 TB is advised for larger deployments.


Desktop and reports consoles software requirements

Operating system (desktop and reports consoles):
  • Windows Vista
  • Windows Server 2008 and 2008 R2
  • Windows 7
  • Windows Server 2012 and 2012 R2
  • Windows 8
  • Windows 10

CPU speed: 1 GHz Pentium III or equivalent

Memory: 1 GB

Hard drive space: 5 GB

Environment variables: Ability to install all software with administrator rights

Desktop console: Adobe Air 18

Web console software requirements

Adobe Flash: Flash Player 15

Supported browsers:
  • Internet Explorer 8 and later (the web console does not run on Internet Explorer 10 on Windows Server 2012)
  • Mozilla Firefox 10 and later
  • Google Chrome 17 and later


Chapter 3: Introduction to the Console

The LEM Console is organized into different functional areas, called views. These views organize and present different information about the components that make up the LEM system.

• In Ops Center, you'll find a dashboard view that presents visual representations of your data.
• In Monitor, you'll filter and view event details.
• In Explore, you'll find utilities for investigating events and their details.
• In Build, you'll create the critical LEM components that run on a Manager to process data.
• In Manage, you'll manage properties associated with Agents and Managers, and configure data sources to integrate your network security data with LEM.
• Reports is a separate application. Its reporting tools let you run or schedule reports about the data that is stored in your LEM database.

The following topics briefly explain the role of each view of the Console, the view’s primary uses, and where to get information on performing key tasks within that view. Topics are arranged here in an order that will help you understand the most fundamental items first, such as events, event filters, and widgets. They then progress to more advanced features, such as exploring events, and creating Groups and rules.

Opening Views in the Console

The Console is made up of multiple views, where each view has a special function.


To open a view:

• To open the Ops Center view (to work with widgets), click Ops Center.
• To open the Monitor view (to view, manage, and create filters), click Monitor.
• To open the Explore view (to work with explorers), click Explore.
• To open the Explore view (to search or view event data or log messages), click Explore and then select nDepth.
• To open the Explore view (to view additional utilities), click Explore and then select Utilities.
• To open the Groups view (to build and manage Groups), click Build and then select Groups.
• To open the Rules view (to build and manage policy rules), click Build and then select Rules.
• To open the Users view (to add and manage Console users), click Build and then select Users.
• To open the Appliances view (to add and manage appliances), click Manage and then select Appliances.
• To open the Nodes view (to add and manage Agents), click Manage and then select Nodes.

Working with Grids

Grids are used throughout the Console. The following topics explain how to perform common tasks with grids, such as selecting rows and grid cells, resizing grid columns, rearranging grid columns, and sorting a grid by its columns.

Rearranging Grid Columns

When needed, you can rearrange the order in which grid columns appear. The columns will stay in their rearranged order until you exit the Console. Upon reopening the Console, the columns revert to their default order.

To rearrange grid columns:

Click the header of the column you want to move; then drag it to the right or left and drop it into the desired position.


Sorting a Grid by its Columns

You can sort the data in a grid by clicking its column headers. You can sort each column in ascending (alphabetical) order or in descending (reverse alphabetical) order. In many cases, you can sort a grid by more than one column by using Ctrl+click.

Note: Before sorting the Monitor view's event grid, click the grid's Pause button to stop the incoming event traffic. When you are done, click Resume to continue receiving event traffic.

To sort a grid:

• Click one of the grid's column headers to sort the grid by that column. An upward ▲ arrow in the column header means the column data is sorted in ascending order (alphabetically, or from lowest to highest: A to Z, 0 to 9). A downward ▼ arrow means the column data is sorted in descending order (reverse alphabetical, or from highest to lowest: Z to A, 9 to 0).

• Click the column header again to sort the grid by the same column in reverse order.

To sort a grid by multiple columns:

• Press and hold the Ctrl key; then click another column header. You can tell how the table is sorted by the small ▲ and ▼ arrows in the column headers, and by the small numbers (1, 2, and so on) next to them. An up ▲ arrow means the column is sorted in ascending order; a down ▼ arrow means it is sorted in descending order. The numbers give the sort precedence: 1 is the primary sort, 2 the secondary, and so on.


• If a secondary column's sort order is in the wrong direction, press the Ctrl key and click that column header again. This reverses the column's sort order.

For example, in a grid that is already sorted by tool category, Ctrl+clicking the Name column sorts the tool names in ascending or descending order within each category. With the Name column sorted in ascending order, the tools appear in alphabetical order within each tool category.

Logging In and Out of Managers

When first connecting to the web console, you are prompted to authenticate to the host manager. If you have additional managers associated with that console, log in to configure them or view their events. Logging out will disconnect you from additional managers in the web console. To disconnect from the host manager, close the browser window.

Note: Only existing Administrator, Auditor, and Monitor Users can log on to the system. Contacts cannot log on to LEM.

Logging Into a Manager

1. At the top of the LEM Console, click Manage and then click Appliances.

2. In the Appliances grid, click to select the appliance you want to work with.

3. Click the gear button and then select Login. Depending on the Manager's Login tab settings (in the Properties pane), the LEM Console may log you on to the appliance automatically. Otherwise, the Login form appears.

4. In the Username box, type the user name for this Manager.

5. In the Password box, type the password for this Manager.

6. Click OK or press Enter to log on. An icon appears in the Manager's Status column, indicating that you are logged on to that Manager.


Logging Out of a Manager

1. At the top of the Console, click Manage and then click Appliances.

2. In the Appliances grid, click the gear button for the Manager you want to log out of, and then select Logout. After a moment, an icon appears in the Manager's Status column, indicating that you are no longer logged on to that Manager.

Logging Out of the LEM Console

Clicking the Logout button closes the Console window and disconnects the Console from any connected Managers. The Managers no longer see the Console, but they continue to gather information from their Agents. When you reopen the Console, it does not display the Manager and Agent event traffic that occurred while it was closed; instead, the event grid starts out blank.

It is recommended that you keep the Console running either on your workstation or a secondary workstation to best monitor events on a daily basis.


Chapter 4: Basic LEM Procedures

Click the video icon to view the corresponding tutorial, which introduces LEM and its basic tasks.

Access your log and event data using the LEM web console or local desktop console. Both interfaces allow you to monitor your data in real time with filters, respond automatically to specific events with rules, and analyze events on your network with the nDepth search utility. Access all of these features and more on the navigation bar at the top of the LEM Console window.

Ops Center

Use the Ops Center tab as a real-time graphical overview of the events on your network. The Ops Center includes the following useful components:

• A customizable dashboard with several default charts and graphs, called widgets
• The Widget Manager to browse, edit, add, and pin widgets
• Informational widgets with links to videos, documents, and other resources

To add a widget to the Ops Center dashboard:

1. In the LEM Console, click the Ops Center tab.

2. Click Widget Manager in the upper-right corner.

3. Find and select a filter from the Categories list.

4. In the Widgets pane, scroll through the available widgets to put the widget you want in the main preview position.

5. Click Add to Dashboard in the upper-right corner.

6. To re-position the widgets on the dashboard, drag and drop them into a new position.

To create a new widget using Widget Manager:

1. In the LEM Console, click the Ops Center tab.

2. Click Widget Manager in the upper-right corner.

3. Click the plus button ( + ) at the top of the Categories list.

4. Complete the Widget Builder form.

5. To pin the new widget to the dashboard, select Save to Dashboard.

6. Click Save.

Monitor

Use the Monitor tab to view all of the monitored events on your network in real time. Monitor includes the following useful components:

• A real-time event stream to which you can apply event filters
• The Event Details pane, which displays the details for any event you highlight in the event stream
• A Widgets pane, which displays a graphical representation of the current filter, if available
• Several default filters to refine the data you see in the event stream
• A GUI filter editor, called Filter Creation, to create and edit event filters

To apply a filter to the Monitor event stream, select a default or custom filter from the Filters list.

To view the Event Details for a specific event in the event stream, select the event in the event stream.

To change the widget the Widgets pane displays for a filter:

1. In the LEM Console, select the Monitor tab.

2. Select the filter you want to modify in the Filters pane.

3. Click the menu at the top of the Widgets pane, and then select the widget you want that filter to display.

Explore

Use the Explore tab menu to access several analysis utilities that give you additional information about the events you see in the LEM Console. Use the nDepth option in the Explore menu to search and analyze the events on your network. nDepth includes the following useful components:

• A variety of clickable charts and utilities to view and refine search results
• A comprehensive toolbar to switch between multiple utilities and views
• A Result Details utility to view all of your search results in text format
• A PDF export utility to configure and export custom reports

Use the Utilities option in the Explore menu to access several IT analysis utilities, including:

• Whois
• NSLookup
• Traceroute
• Flow (sFlow and NetFlow)

To execute a Whois, NSLookup, or Traceroute task from an event or search result in the LEM Console:

1. Find the event or search result you want to explore further, and then select it.

2. Click the Explore menu on the Event Grid or nDepth title bar (next to Respond), and then select the utility you want to use.

To execute a blank Whois, NSLookup, or Traceroute task in the LEM Console:

1. Click the Explore tab on the navigation bar, and then select Utilities.

2. Click the Explore button on the Utilities title bar, and then select the utility you want to use.

3. Complete the form for the utility, and then click Search.

Collecting and displaying flow data

LEM supports flow exports from both NetFlow and sFlow devices. Use the Flow Explorer in the LEM Console to view graphs, charts, and grids, including the following:

• Top Talkers by IANA-based Protocol
• Top Talkers by Port
• Top Talkers by Source/Destination Address
• Top Talkers by Total Bytes
• Top Talkers by Total Packets

Refer to the manufacturer specifications to configure your devices to send flow data to your LEM appliance. The LEM appliance receives NetFlow on UDP port 2100 and sFlow on UDP port 6343, so any firewall between the exporting devices and the appliance must allow those ports. To enable flow collection and analysis on the LEM appliance:

1. Connect to your LEM virtual appliance using either the vSphere console view or an SSH client such as PuTTY.

2. If you are using an SSH client, log in to your LEM virtual appliance using your CMC credentials.

3. At the cmc> prompt, enter service.

4. At the cmc::scm# prompt, enter enableflow.

5. Enter y to confirm your entry. This command automatically restarts the Manager service on the LEM appliance.

6. To enable flow analysis for flow data collected on another computer, enter n and follow the prompts to specify the flow collector. Otherwise, enter y.

7. Enter exit to return to the cmc> prompt.

8. Enter exit to log out of your LEM virtual appliance.

To view flow data in the LEM Console:

1. Open your LEM Console and log in to the LEM Manager as an administrator.

2. Open the Monitor, Utilities, or nDepth view.

3. Click the Explore menu, and then select Flow. The Flow Explorer presents data in graph, chart, or grid formats.


Build

Use the Build tab menu options to customize LEM behavior. The Build menu consists of the following options:

• Groups: Create and manage lists of users, computers, and information.
• Rules: Create and manage rules that correlate events from different systems and instruct the LEM appliance to respond accordingly.
• Users: Create and manage LEM Console users.

For additional information about the Users and Groups options in the Build menu, see:

• Getting Started with User-Defined Groups
• Creating Users in the LEM Console

Rules – Additional Details

View custom and pre-configured rules in the Rules view under the Build menu. The Rules view consists of the following useful components:

• A GUI editor, just like Filter Creation
• A community rule set, organized by event-centric categories
• 35 active responses to assign to custom or pre-configured rules

Manage

Use the Manage tab menu to access details about your LEM architecture. The Manage menu consists of the following options:

• Appliances: Add LEM appliances to monitor in the LEM Console, view your LEM license details, and configure global settings.
• Nodes: View and manage LEM nodes, including remote logging devices and LEM Agents.

To set your LEM Console authentication preferences:

1. In the LEM Console, click the Manage tab, and then select Appliances.

2. Click the Login tab on the Properties pane.

3. To have the LEM Console authenticate to your LEM appliance on launch without prompting, enter your LEM Username and Password.

4. To have the LEM Console prompt you for your LEM password on launch, enter your LEM Username only. Use this option if you do not want the password saved on the workstation.

5. To log in without prompting next time, select Login Automatically Next Time.

6. To store the credentials you entered, select Save Credentials.

7. Click Save.

To set the global password policy for LEM users:

1. In the LEM Console, click the Manage tab, and then select Appliances.

2. Click the Settings tab on the Properties pane.

3. Adjust the Minimum Password Length according to your preference.

4. To require complex passwords for LEM users, select Must Meet Complexity Requirements.

Note: Complex passwords must include any three of the following four character types:

• Capital letters
• Lower-case letters
• Numerals (0-9)
• Symbols (!, @, #, etc.)

5. Click Save.
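The three-of-four rule in the note above is easy to get wrong when you pre-generate passwords for a batch of Console users. The following Python check is an added example, not a SolarWinds tool: it tests a candidate password against a minimum length and the complexity rule as this guide states it. The default minimum length of 8 and the treatment of every non-alphanumeric character as a symbol are assumptions, since the page gives neither a default length nor a full symbol list.

```python
import re

# Character classes named in the LEM complexity note. Treating every
# non-alphanumeric character as a "symbol" is an assumption; the guide only
# gives "!, @, #, etc." as examples.
CHARACTER_CLASSES = {
    "capital": re.compile(r"[A-Z]"),
    "lower-case": re.compile(r"[a-z]"),
    "numeral": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def present_classes(password):
    """Return the names of the character classes found in the password."""
    return [name for name, rx in CHARACTER_CLASSES.items() if rx.search(password)]


def meets_lem_policy(password, min_length=8, require_complexity=True):
    """Check a password against a LEM-style global password policy.

    min_length mirrors the Minimum Password Length setting (8 is an assumed
    value, not a documented default); require_complexity mirrors the
    "Must Meet Complexity Requirements" option. Returns (ok, reasons) so a
    caller can report exactly why a password was rejected.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append(f"length {len(password)} is below the minimum of {min_length}")
    if require_complexity:
        found = present_classes(password)
        if len(found) < 3:
            reasons.append(
                f"only {len(found)} of 4 character classes present "
                f"({', '.join(found) or 'none'}); at least 3 are required"
            )
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ["password", "Passw0rd", "Tr0ub4dor&3", "Ab1!"]:
        ok, reasons = meets_lem_policy(candidate)
        print(f"{candidate!r}: {'OK' if ok else 'REJECTED: ' + '; '.join(reasons)}")
```

Run it before creating users so that a rejected password is caught locally rather than by the appliance; pass the Minimum Password Length you configured as min_length.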

Adding Devices

Click the video icon to view the corresponding tutorial.

Configure your IT devices to work with LEM using one of two options:

• Install the LEM Agent and connectors directly on the device.
• Set the device to log to LEM, and then configure the appropriate connectors directly on the LEM appliance.

Install the LEM Agent on computers that allow third-party software. SolarWinds provides LEM Agents for these operating systems:

• Microsoft Windows (local and remote installers)
• Linux
• Mac OS X
• Solaris on Intel
• Solaris on SPARC
• HP-UX on PA-RISC
• HP-UX on Itanium
• AIX

Configure other devices, such as firewalls, routers, or switches, to send logs directly to the LEM appliance using syslog or SNMP traps.

Agent Installation

The LEM Agent is a necessary component to monitor local events on the computers on your network. Install the LEM Agent on servers, domain controllers, and workstations. The LEM Agent then captures log information from sources such as Windows Event Logs, a variety of database logs, and local antivirus logs. The LEM Agent also allows LEM to take specific actions that you define with rules. You can also trigger actions manually from the LEM Console using the Respond menu.

Installing a LEM Agent:

1. Click the Add Nodes to Monitor link in the LEM Console Getting Started wizard, or visit the SolarWinds Customer Portal for a complete list of available downloads.

2. Download the appropriate installer, and then run it on the computer(s) you want to monitor.

Note: If you are deploying LEM Agents to Windows computers, you can use the Remote Agent Installer for a faster deployment.

View and manage installed LEM Agents in the Nodes view of the LEM Console. The LEM Agent for Windows includes several pre-configured connectors, so you start to see data from these computers immediately after you install the LEM Agent. By default, the LEM Agent for Windows includes the following pre-configured connectors:

• Windows Security Log (for the host OS version)
• Windows Active Response
• Windows Application Log
• Windows System Log

For other operating systems, or for broader coverage on your Windows computers, configure specific connectors to get exactly what you are looking for.

Configuring Non-Agent Devices

Non-Agent devices include any supported network or security device on which you cannot install a LEM Agent. Some common examples are firewalls, routers, and switches. To monitor these devices with LEM, configure each device to log to the LEM appliance using syslog or SNMP traps. Then, configure the appropriate connector on the LEM appliance using the LEM Console.

Configuring Connectors for Agent and Non-Agent Devices

The procedure for configuring connectors for Agent and non-Agent devices is generally the same. The major difference is where you find the configuration forms in the LEM Console. Complete the following procedure to configure connectors for all the devices you want to monitor with LEM.

To configure connectors in the LEM Console:

1. In the LEM Console, click the Manage tab, and then select Nodes (for Agent connectors) or Appliances (for non-Agent connectors).

2. Click the gear button next to the LEM Node or Manager you want to configure, and then select Connectors.

3. To view or modify the configured connectors, select Configured in the Refine Results pane.

4. To find the connectors you need, use the search box and filter menus on the Refine Results pane.

5. After you've identified the connector to be configured, click the gear button next to it, and then select New.


6. Complete the Connector Configuration form according to the device you're configuring. The following fields are common to most connectors:

• Alias: a "user friendly" label for your connector
• Log File: the location of the log file the connector will normalize; this is a location on either the local computer (Agents) or the LEM appliance (non-Agent devices)
• Output, nDepth Port: values used specifically for LEM environments that are configured to store original log messages; for additional information, consult the resources at the end of this section

7. After completing the form, click Save.

8. In the Connectors list, click the gear icon next to the new connector (in the Status column), and then select Start.

9. After starting the connector, verify it is working by checking for events on the Monitor tab.

To configure FIM connectors in the LEM Console:

1. In the LEM Console, click the Manage tab, and then select Nodes.

2. Click the gear icon next to the LEM Node you want to configure, and then select Connectors.

3. To find the connectors you need, enter FIM in the Refine Results search box.

4. Click the gear icon next to the connector to be configured, and then select New.

5. In the Monitor Templates area, click the gear icon next to the desired Monitor Template and select Add to selected monitors. The Monitor template moves to the Selected Monitors area.

6. After completing the form, click Save.

7. In the Connectors list, click the gear icon next to the new connector (denoted by an icon in the Status column), and then select Start.

8. After starting the connector, verify that it is working by checking for events on the Monitor tab.


Troubleshooting

If you have configured a device to log to the LEM appliance, but you cannot determine the exact logging location, check the logging facilities on the LEM appliance to determine where your data is going.

To check the logging facilities on the LEM appliance:

1. Connect to your LEM appliance using the VMware console view or an SSH client such as PuTTY.

2. To connect to your appliance through SSH, log in as the CMC user and provide the appropriate password.

3. To connect to your appliance using VMware, select Advanced Configuration on the main console screen, and then press Enter to get to the command prompt.

4. At the cmc> prompt, enter appliance.

5. At the cmc::acm# prompt, enter checklogs.

6. Enter an item number to select a local facility to view.

7. Look for indications of specific devices logging to this facility, such as the product name, device name, or IP address.

8. After you have determined the facility your device is logging to, configure the connector with the corresponding Log File value.
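When checklogs shows nothing you recognize, it helps to send a message you control and see which facility it lands in. The following Python script is an added example, not a LEM or SolarWinds tool: it builds an RFC 3164 syslog line with an explicit facility and severity and sends it to the appliance over UDP, so you can then run checklogs and search for the marker text. The appliance address 192.0.2.10, UDP port 514 (the standard syslog port), the tag and the marker text are assumptions; the facility-to-PRI arithmetic is the RFC 3164 definition.

```python
import socket
from datetime import datetime

# RFC 3164 facility and severity codes (standard values, not LEM-specific).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}

# Fixed timestamp used in the usage example so the output is reproducible.
EXAMPLE_TIME = datetime(2015, 6, 1, 8, 5, 9)


def pri(facility, severity):
    """PRI field as RFC 3164 defines it: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_syslog_message(facility, severity, hostname, tag, text, when=None):
    """Build a BSD-syslog line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: text

    RFC 3164 pads a single-digit day with a space rather than a zero.
    """
    when = when or datetime.now()
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    line = f"<{pri(facility, severity)}>{stamp} {hostname} {tag}: {text}"
    return line.encode("ascii", "replace")


def send_test_message(appliance_ip, facility, marker, port=514):
    """Send one marker message to the appliance and return the bytes sent.

    Afterwards run checklogs on the appliance and look for the marker under
    the facility you chose; that facility's log file is the connector's
    Log File value. appliance_ip and port 514 are assumptions.
    """
    payload = build_syslog_message(facility, "notice", socket.gethostname(),
                                   "lem-test", marker)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(payload, (appliance_ip, port))
    return payload


if __name__ == "__main__":
    # Assumed appliance address; replace it with your own.
    print(send_test_message("192.0.2.10", "local0", "LEM-FACILITY-CHECK-local0"))
```

Send one marker per facility you suspect (local0 through local7 are the usual choices for network devices) and the facility whose log shows the marker is the one to use in the connector's Log File field. Because syslog over UDP is unauthenticated, the same trick shows that anything on the network path can inject lines into that facility; restrict the appliance's syslog port to your known log sources.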

For additional troubleshooting tips related to LEM Agents or remote logging devices, see:

• Troubleshooting LEM Agent Connections
• Troubleshooting Unmatched Data or Internal New Tool Data events in your LEM Console

Additional Information

For additional information about configuring devices to monitor with LEM, see "Leveraging LEM" on page 42.

For additional information about installing LEM Agents on a variety of operating systems, see the local and remote installations in Additional configuration and integration information.


For additional information about how to tune Windows logging for your LEM deployment, see the following:

• Windows Audit Policy and best practice
• How to enable file auditing in Windows

Creating Connector Profiles to manage LEM Agents:

Create Connector Profiles to manage and monitor similar LEM Agents across your network. Two common use cases for creating Connector Profiles are:

• Configure and manage tools at the profile level to reduce the amount of work you have to do for large LEM Agent deployments.
• Create filters, rules, and searches using your Connector Profiles as Groups of LEM Agents. For example, create a filter to show you all Web traffic from computers in your Domain Controller Connector Profile.

Complete the two procedures below to create a Connector Profile using a single LEM Agent as its template.

To create a Connector Profile using a LEM Agent as a template:

1. Configure the tools on the LEM Agent to be used as the template for your new Connector Profile. These tools will be applied to any LEM Agents that are later added to the Connector Profile.

2. Click the Build menu, and then select Groups.

3. Click the + menu, and then select Connector Profile.

4. Name the new Connector Profile and enter a profile description.

5. Select the LEM Agent you want to use as your template from the Template list next to the Description field.

6. Click Save.

To add LEM Agents to your new Connector Profile:

1. Locate the new Connector Profile in the Build > Groups view.

2. Click the gear icon next to your Connector Profile, and then select Edit.

3. Move LEM Agents from the Available Agents list to the Connector Profile by clicking the arrow next to them.

4. Click Save to finish adding LEM Agents to your Connector Profile.

The connector configurations set for the template agent can now be applied to any agent added to the Connector Profile.

For a list of supported Agent and non-Agent devices, see the comprehensive list of data sources for all your Logs & Events.

For additional information about configuring LEM and your connectors to store original log messages, see the following:

• Configuring Your LEM Appliance for Log Message Storage and nDepth Search
• Do not modify the Output, nDepth Host, or nDepth Port fields when configuring LEM connectors unless your appliance is set up to store original log data

Verifying Data

Click the video icon to view the corresponding tutorial.

Now that LEM is collecting your log data, use nDepth and LEM Reports to search, analyze, and report on that data. In most cases, use the nDepth Explorer in the LEM Console to search and analyze your data. Use the stand-alone LEM Reports application to report on your data.

Which Do I Pick?

Use nDepth if you want to perform immediate search or analysis tasks, or create specific custom PDF reports. Use nDepth to:

• Search your log data interactively
• Search for specific variables, such as user names, IP addresses, or specific events
• Perform root-cause analysis
• Troubleshoot specific issues
• Explore data and produce custom PDF reports

Use LEM Reports if you want to view or schedule fixed reports for regulatory and compliance purposes, or to:

• Automate reporting
• Produce compliance reports
• View reports based on specific regulatory compliance initiatives
• Provide proof to auditors that you are auditing log and event data
• Schedule formatted reports for LEM Reports to run and export automatically

nDepth: A Fully Integrated IT Search Solution

Open nDepth in the LEM Console in any of these three ways:

1. Select an event on the Monitor tab, click the Explore menu, and then select nDepth.

2. Select a filter in the Filters pane on the Monitor tab, click the gear icon at the top of the Filters pane, and then select Send to nDepth.

3. Click the Explore tab from anywhere in the LEM Console, and then select nDepth.

nDepth presents several analysis utilities, summarized on both its dashboard and toolbar. Use this view to:

• Search original log messages (also called "raw logs") or normalized events
• View search results in several charts and graphs, and add values from these visuals directly to your search just by clicking them
• Refine the time frame of your searches using pre-defined or custom ranges
• View the text output of your search results using the Result Details utility on the nDepth toolbar
• Export your search results in CSV or fully-customizable PDF format
• Save searches for future use

Additional Information

For additional information about how to use nDepth to search and analyze your data in the LEM Console, consult the following resources.

For examples of how to execute nDepth searches, see the following:


• How to create an nDepth query for all activity by a single user
• Sending Filters to nDepth for Historical Search

For additional information about how to save nDepth searches for future use, see Save nDepth searches to quickly execute frequent queries.

For additional information about how to export nDepth search results in CSV or PDF format, see Export nDepth results in custom or text formats for retention and ad hoc reporting.

For additional information about configuring your LEM appliance to store and search original log data, see:

• Configuring Your LEM Appliance for Log Message Storage and nDepth Search
• Using your LEM Console to view and search original log messages

LEM Reports: For Compliance and Historical Reporting Needs

LEM Reports is a stand-alone application that you install separately from the LEM Console. Access LEM Reports using a shortcut, if available, or by navigating to the SolarWinds Log and Event Manager application group in your Windows Start menu.

Use LEM Reports to:

• Run hundreds of pre-configured compliance and security reports
• Schedule reports for LEM Reports to run automatically
• Filter the reports list by industry or requirement
• Run Master, Detail, or Top level reports according to how much information you need
• Use Select Expert to filter your report data by specific values, such as computer name, IP address, or user name
• Export reports into several formats, including PDF, CSV, and RPT

To get started with LEM Reports, filter the reports listing by the industries or requirements relevant to your network. Then, the next time you open LEM Reports, access your custom list of reports by clicking Industry Reports on the main view.

To filter the reports list by industry or requirement:

1. Open LEM Reports.

2. On the Settings tab, click Manage, and then select Manage Categories.

3. Select your industries and requirements in the left pane. Mix and match as necessary. For example, if you are a school that accepts credit card payments, select Education, FERPA, and PCI.

4. Click OK.

5. To view the filtered list of reports, click the Category menu back on the Settings tab, and then select Industry Reports.

Select which reports to run based on their values in the Level column on the Settings tab:

• Master: Reports at this level contain all of the data for their category. For example, the master-level Authentication report contains all authentication-related data.
• Detail: Reports at this level contain information related to a specific type of event. For example, the Authentication – Failed Authentications detail-level report only contains data related to "Failed Authentication" events.
• Top: Reports at this level display the top number of occurrences for a specific type of event. Use the default top number, or Top N, of 10, or customize it when you run the report.

Troubleshooting

If you have installed LEM Reports, but are unable to open the application or run reports, complete the following procedures to troubleshoot the issue.

To troubleshoot application launch errors on computers running Windows Vista, Windows 7, and Windows Server 2008:

1. Uninstall LEM Reports and Crystal Reports v11 Runtime.

2. Reinstall both components as Administrator.

3. Adjust the LEM Reports properties to run the program in Windows XP compatibility mode and as an administrator:

a. Right-click the LEM Reports shortcut on your desktop or in the SolarWinds Log and Event Manager program group in your Windows Start menu, and then select Properties.

b. Click the Compatibility tab.

c. Select Run this program in compatibility mode for, and then select Windows XP (Service Pack 3).

d. Select Run this program as an administrator.

e. Click OK.

4. Launch LEM Reports.

To address "Logon failed. Database Vendor Code 210" errors:

Add the computer running LEM Reports to the list of authorized reporting computers. By default, the LEM appliance restricts all access to LEM Reports. To allow specific computers to run LEM Reports, or to remove all reporting restrictions, complete the procedures in Configuring Report Restrictions. Prefer authorizing the specific computers that need reporting access over removing the restrictions entirely.

Additional Information

For additional information about how to run, schedule, and configure formatted compliance and security reports using LEM Reports, consult the following resources.

l See "Reports" on page 307

l See "Report Tables" on page 524

For information about installing LEM Reports on computers without the LEM Console, see Configuring LEM Reports on Computers without the LEM Console. For information about how to schedule several best practice compliance and security reports, see:

l Configuring Default Batch Reports

• Report Formats and their Corresponding Numbers listed in a LEM scheduled report .ini file

For additional information about working with individual reports in LEM Reports, see:


• Filtering and Exporting LEM Reports
• Creating a Custom Filtered Report

Adding Filters

Click the video icon to view the corresponding tutorial.

Filters group and display the events that your LEM Agents and remote logging devices send to LEM. Filters operate on events, which are the normalized form of the log records those sources produce. In LEM, the terms "events" and "alerts" are interchangeable. View these events in real time on the Monitor tab in the LEM Console.

Which Do I Pick?

Create filters when you want to group a particular type of event. The following are just a few examples of what you might create a filter to catch:

• All events from your firewalls
• All events from your domain controllers
• All events for a specific type of user
• All events except for recurring, expected events

Create rules when you want LEM to take some kind of action in response to one or more events. In many cases, you base rules on several events that LEM correlates to trigger an action, but you can also configure a rule to look for a single event. Rule actions include, but are not limited to:

• Sending an email
• Logging a user off
• Shutting down a computer
• Deleting an Active Directory group
• Blocking an IP address
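Rules differ from filters in that they wait for a combination of events before acting. The Python script below is an added example, not LEM's rule engine: it implements the kind of correlation behind the failed-authentication event this chapter describes later, several logon failures for the same account within a short window, and hands each hit to a stand-in response. The constructed events, the threshold of three, the 30-second window, and the respond function are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

BASE = datetime(2015, 6, 1, 8, 0, 0)
SEC = timedelta(seconds=1)

# Constructed events as (timestamp, EventType, DestinationAccount, SourceMachine).
# bob fails three times in 10 s; alice fails three times spread over 2 min;
# carol fails twice; dave logs on successfully.
SAMPLE_EVENTS = [
    (BASE + 0 * SEC,   "UserLogonFailure", "bob",   "203.0.113.7"),
    (BASE + 5 * SEC,   "UserLogonFailure", "bob",   "203.0.113.7"),
    (BASE + 10 * SEC,  "UserLogonFailure", "bob",   "203.0.113.7"),
    (BASE + 0 * SEC,   "UserLogonFailure", "alice", "10.0.0.9"),
    (BASE + 60 * SEC,  "UserLogonFailure", "alice", "10.0.0.9"),
    (BASE + 120 * SEC, "UserLogonFailure", "alice", "10.0.0.9"),
    (BASE + 3 * SEC,   "UserLogonFailure", "carol", "10.0.0.4"),
    (BASE + 4 * SEC,   "UserLogonFailure", "carol", "10.0.0.4"),
    (BASE + 7 * SEC,   "UserLogon",        "dave",  "10.0.0.2"),
]


def detect_failed_authentications(events, threshold=3, window=30 * SEC):
    """Correlate UserLogonFailure events per account in a sliding window.

    Returns one (account, source, timestamps) tuple per burst in which at
    least `threshold` failures for the same account fall within `window`.
    The window is cleared after a hit so a burst fires once, not once per
    additional failure.
    """
    recent = defaultdict(deque)
    hits = []
    for ts, event_type, account, source in sorted(events, key=lambda e: e[0]):
        if event_type != "UserLogonFailure":
            continue
        q = recent[account]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            hits.append((account, source, list(q)))
            q.clear()
    return hits


def respond(hit):
    """Stand-in for a rule action such as Send Email; returns the message text."""
    account, source, stamps = hit
    span = (stamps[-1] - stamps[0]).total_seconds()
    return f"FailedAuthentication: {len(stamps)} failures for {account} from {source} in {span:.0f}s"


if __name__ == "__main__":
    for hit in detect_failed_authentications(SAMPLE_EVENTS):
        print(respond(hit))
```

Only bob's burst fires with the default settings; alice's failures are spread too thinly and carol never reaches the threshold. Widening the window or lowering the threshold changes that, which is the trade-off you make when tuning a rule: a short window misses slow password guessing, a long one turns ordinary typos into alerts.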

Use the Default Filters as Examples

The LEM Console includes several pre-configured filters on the Monitor tab. Examine the conditions of these filters to get a sense of how broad or specific filters can be. The following are two examples of these extremes:


• All Events: This filter does not have any specific conditions, so it captures all events, regardless of the source or event type.
• User Logons: This filter has a single condition that means "UserLogon Exists." It captures all events with the event type "UserLogon" and nothing else – not user log offs, not user logon failures.

To view the conditions of a default filter:

1. In the LEM Console, click the Monitor tab.

2. Select the filter you want to examine in the Filters pane.

3. Click the gear button at the top of the Filters pane, and then select Edit.

4. If you make any changes to the filter, click Save. Otherwise, click Cancel.

Other Filter Scenarios

Some scenarios may warrant a filter so you can monitor them more closely:

• Change management events: Monitor configuration changes made to your network.
• High volume events: Watch for spikes of traffic, or unexpected off-peak traffic.
• Events of general interest: Keep track of logon failures and failed authentications. Note: A failed authentication is an event triggered by three logon failures by the same account within an extremely short period of time.
• Rule scenarios: Determine whether you have the right events to create a rule for a specific scenario.
• Daily problems: Get a head start on operational problems like account lockouts by seeing the events in real time.

Example: Change Management

Create a change management filter to monitor configuration changes users make to your network. Keep this filter general, as illustrated here, or refine it to show you only certain changes or changes made by certain users.


1. In the LEM Console, click the Monitor tab.

2. Click the plus button at the top of the Filters pane, and then select New Filter.

3. Enter an appropriate name for the filter, such as Change Management Events.

4. Fill the filter's Conditions box with an appropriate event or event group. For this example, use an Event Group Exists condition to capture all events from a certain group:

a. Click Event Groups on the left pane.

b. Find the Change Management Events event group, and drag it into the Conditions box.

5. Click Save. The LEM Console takes you to the new filter on the Monitor tab. Examine the events here, and click an event to see more information in the Event Details pane.

Troubleshooting

If you have created a filter, but it is not capturing the expected events, check the All Events filter to ensure the events are making it to the LEM Console.

To use the All Events filter to troubleshoot custom filters:

1. In the LEM Console, click the Monitor tab.

2. Click All Events in the Filters pane.

3. Locate an event you expected to see in your custom filter. If necessary, pause the filter and sort it by any of the column headers.

4. If you locate a related event, verify the field-value combinations in the event match the ones you used in your filter. For example, if your filter is looking for *firewall* in the ConnectorAlias field, ensure the Connector Alias field in your event contains the word firewall.

5. If you cannot locate a related event, verify one of your monitored devices is logging the event, and that the device is sending its events to LEM. For example, create another filter to show all events from the specific device using the ConnectorAlias or DetectionIP event field.
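The following is an added example, not LEM's own code: a small Python model of how the filter conditions described above match events, so you can see why "UserLogon Exists" excludes logon failures and why a *firewall* wildcard on ConnectorAlias silently misses a device with a different alias. The sample events and the event-group membership are constructed for illustration, and the matcher compares values case-insensitively by assumption.

```python
import fnmatch

# Hypothetical event-group membership; the real contents of LEM's
# "Change Management Events" group are not listed on this page.
EVENT_GROUPS = {"Change Management Events": {"PolicyModify", "UserModifyAttribute"}}

# Constructed sample events, in the field shape shown in the Event Details pane.
EVENTS = [
    {"EventType": "UserLogon", "ConnectorAlias": "dc01-security", "DetectionIP": "10.0.0.5"},
    {"EventType": "UserLogonFailure", "ConnectorAlias": "dc01-security", "DetectionIP": "10.0.0.5"},
    {"EventType": "UserLogoff", "ConnectorAlias": "dc01-security", "DetectionIP": "10.0.0.5"},
    {"EventType": "TCPTrafficAudit", "ConnectorAlias": "edge-firewall-1", "DetectionIP": "10.0.0.1"},
    {"EventType": "PolicyModify", "ConnectorAlias": "edge-firewall-1", "DetectionIP": "10.0.0.1"},
]


def condition_matches(field, pattern, event):
    """One filter condition: the field must exist on the event and its value must
    match the pattern. '*' and '?' are wildcards, so '*firewall*' matches
    'edge-firewall-1' but a pattern with no wildcard, such as 'UserLogon', is an
    exact match and does not capture 'UserLogonFailure'. An EventGroup condition
    matches when the event's type is a member of that group."""
    if field == "EventGroup":
        return event.get("EventType") in EVENT_GROUPS.get(pattern, set())
    value = event.get(field)
    if value is None:
        return False
    return fnmatch.fnmatchcase(str(value).lower(), pattern.lower())


def filter_matches(conditions, event):
    """A filter captures an event only when every condition holds. An empty
    condition list is the All Events filter and captures everything."""
    return all(condition_matches(f, p, event) for f, p in conditions)


def captured_events(conditions, events=EVENTS):
    """What the Monitor tab would show for this filter over the sample events."""
    return [e for e in events if filter_matches(conditions, e)]


def unmatched_conditions(conditions, event):
    """Troubleshooting step 4: list the field-value pairs the event fails, so you
    can see which condition keeps a filter from capturing an event you found
    under All Events."""
    return [(f, p) for f, p in conditions if not condition_matches(f, p, event)]
```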
