Log & Event Manager
SolarWinds Log & Event Manager (LEM) is a state-of-the-art virtual appliance that adds value to existing security products and increases efficiencies in administering, managing and monitoring security policies and safeguards on your network. SolarWinds LEM is based on brand new concepts in security. You can think of it as an immunity system for computers. It is a system that is distributed throughout your network to several “points of presence” that work together to protect and defend your network. SolarWinds LEM responds effectively with focus and speed to a wide variety of threats, attacks, and other vulnerabilities.
SolarWinds LEM collects, stores and normalizes log data from a variety of sources and displays that data in an easy to use desktop or web console for monitoring, searching, and active response. Data is also available for scheduled and ad hoc reporting from both the LEM Console and standalone LEM Reports console.
Some common use cases for SolarWinds LEM include the following:
> Correlating network traffic from a variety of sources using filters and rules.
> Visualizing log data in dynamic graphs, charts and other widgets.
> Monitoring USB mass storage device activity on network Agents.
> Responding to countless threats, attacks and other vulnerabilities with easy to use point-and-click and automated active responses.
> Searching normalized log data for events of interest.
> Change Management and other security-related reporting for management and auditors.
How LEM Works
The SolarWinds LEM system is based on software modules called Agents, which collect and normalize log data in real time before it’s processed by the virtual appliance, and other non-Agent devices, which send their log data directly to the Manager for both normalization and processing.
Agents are installed on workstations, servers, and other network devices where possible. Agents communicate the log data from each device’s security products to the LEM virtual appliance. These security products include anti-virus software, network-based intrusion detection systems, and logs from operating systems. When an Agent cannot be installed on a device, that device can be set to send its log data to the LEM Manager for normalization and processing. Examples of devices that cannot host Agent software include firewalls, routers, and other networking devices.
LEM accepts normalized data and raw data from a variety of devices. LEM Agent connectors normalize the data before sending it to the LEM Manager. Non-Agent devices send their log data in raw form to the LEM Manager. The following diagram shows this flow of data and the ports involved. Once normalized, log data is processed by the LEM Manager, which provides a secure management clearinghouse for normalized data. The Manager’s policy engine correlates data based on user-defined rules and local alert filters, and initiates the associated actions when applicable. These actions can include notifying users both locally in the Console and by email, blocking an IP address, shutting down or rebooting a workstation, and passing the alerts on to the LEM database for future analysis and reporting within the Reports application.
The LEM architecture is designed for gathering and correlating logs and events in real time at network speed, and for further defending the network using LEM’s Active Response Technology. The figure below illustrates the typical log sources and LEM software components. It also illustrates the direction in which communication is initiated and the network protocols used.
The LEM Manager is the deployed Virtual Appliance; it consists of the following key components:
> Hardened Linux® OS
> Syslog Server and SNMP Trap Receiver
> High compression, search optimized database
> Web server
> Correlation engine
For Network Device log sources such as routers, firewalls, and switches, LEM relies on these devices sending Syslog messages to the Syslog server running on the LEM appliance.
For Servers and Applications, LEM largely relies on a LEM Agent installed on these servers. The LEM Agent has a negligible footprint on the server itself, and provides a number of benefits to ensure logs are not tampered with during collection or transmission while being extremely bandwidth friendly.
For Workstations, the LEM Agent used on Windows® workstations is the same as the one used for Windows servers.
Other SolarWinds solutions like Network Performance Monitor (NPM), Server & Application Monitor (SAM) and Virtualization Manager (VMan) can send performance alerts as SNMP Traps to LEM. LEM can correlate these performance alerts with LEM events.
You can install the LEM Reports Console on any number of servers to schedule the execution of over 300 audit-proven reports. From a security standpoint, the command service > restrictreports can be used to limit the IPs that can run these reports.
Protocols and Communication Direction
Below is a summary of the protocols and communication direction.
> Network devices can send Syslogs to LEM Manager over TCP or UDP. The direction of this communication is from the network device to the LEM Manager.
> LEM Agents installed on servers and workstations initiate TCP connections to the LEM Manager, so the Agents push data to the LEM Manager.
Normalize log data to quickly spot security incidents and make troubleshooting easy.
Log & Event Manager normalizes logs so your rules and reports work regardless of the source. For example, see all logon failures regardless of the original log structure.
Out of the box rules and reports make it easy to meet industry compliance requirements.
Node based licensing
Licensing based on number of nodes, such as servers and network devices, with special pricing for endpoints.
Real-time event correlation
In memory, cross platform event processing for instant notification and remediation without waiting on data queries.
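To make the normalization and in-memory correlation described above concrete, here is an added illustration (not LEM's own code or schema): two differently structured sources, a Linux sshd syslog line and a Windows Security event rendered as key=value text, are mapped onto one hypothetical UserLogonFailure record, and an in-memory rule fires when a source IP exceeds a failure threshold within a time window. The sample log lines, the record layout and the rule name are constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real LEM data): sshd syslog, Windows key=value, and one success.
SAMPLE_LINES = [
    "Jan 10 08:01:02 web01 sshd[4141]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2",
    "EventID=4625 Computer=FS01 TargetUserName=admin IpAddress=203.0.113.9 TimeCreated=2024-01-10T08:01:05",
    "Jan 10 08:01:07 web01 sshd[4142]: Failed password for root from 203.0.113.9 port 51130 ssh2",
    "EventID=4624 Computer=FS01 TargetUserName=jdoe IpAddress=198.51.100.4 TimeCreated=2024-01-10T08:01:09",
]
SSHD_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
WINKV_RE = re.compile(r"EventID=(\d+) .*?TargetUserName=(\S+) IpAddress=(\S+) TimeCreated=(\S+)")

def normalize(line, year=2024):
    """Map a raw line from either source onto a hypothetical normalized tuple
    (event_type, source_ip, user, timestamp), or None if it is not a logon failure."""
    m = SSHD_RE.match(line)
    if m:  # syslog lines carry no year, so one is assumed
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        return ("UserLogonFailure", m.group(3), m.group(2), ts)
    m = WINKV_RE.search(line)
    if m and m.group(1) == "4625":  # Windows "An account failed to log on"
        return ("UserLogonFailure", m.group(3), m.group(2), datetime.fromisoformat(m.group(4)))
    return None

class ThresholdRule:
    """In-memory correlation: alert when `threshold` failures from one IP fall within `window`."""
    def __init__(self, threshold=3, window=timedelta(minutes=1)):
        self.threshold, self.window = threshold, window
        self.recent = defaultdict(deque)  # source_ip -> timestamps still inside the window

    def feed(self, event):
        etype, ip, _user, ts = event
        if etype != "UserLogonFailure":
            return None
        q = self.recent[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop timestamps that aged out of the window
            q.popleft()
        if len(q) >= self.threshold:
            q.clear()  # one burst raises one alert rather than one per extra failure
            return {"rule": "brute_force", "source_ip": ip, "count": self.threshold}
        return None

def run(lines):
    """Normalize each line and stream the results through the rule; return alerts raised."""
    rule, alerts = ThresholdRule(), []
    for line in lines:
        ev = normalize(line)
        alert = rule.feed(ev) if ev else None
        if alert:
            alerts.append(alert)
    return alerts
```

Because the rule keeps its state in memory and evaluates each event as it arrives, the alert is raised on the third failure without any query against stored data.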
Search log data
Simple keyword search or powerful custom queries using a drag-and-drop interface. Save, share, and schedule searches for efficient forensics.
Mitigate issues in real time with Active Responses that block IPs, change privileges, disable accounts, block USB devices and kill applications.
Monitor and alert on registry, file and folder activity to detect suspicious and malicious behavior.
High data compression
Average data compression of 95%. Simply provision more storage to the virtual appliance to expand data retention as needed.
Detach unauthorized USB devices and monitor file activity for potential data theft.
Schedule an automatic search and receive an email with the results attached.
Custom Email Templates
Customize email alerts with additional text and formatting.
Threat Intelligence Feed
Find evidence of malicious activity via an automatically updated list of bad IPs.
Create and customize widgets to display critical events across your IT environment.
User Defined Groups
Add UDGs as white or black lists in filters, rules, and searches.
Use Event Explorer for extended correlation rule analysis.
Single Sign-On/Smart Card Integration
Easy single sign-on via user ID and password, smart card, one-time password or biometric device.