Log & Event Manager

Log & Event Manager Copyright © 1995-2012 SolarWinds Worldwide, LLC. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the written consent of SolarWinds. All right, title, and interest in and to the software and documentation are and shall remain the exclusive property of SolarWinds and its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, the SolarWinds & Design, ipMonitor, LANsurveyor, Orion, and other SolarWinds marks, identified on the SolarWinds website, as updated from SolarWinds from time to time and incorporated herein, are registered with the U.S. Patent and Trademark Office and may be registered or pending registration in other countries. All other SolarWinds trademarks may be common law marks or registered or pending registration in the United States or in other countries. All other trademarks or registered trademarks contained and/or mentioned herein are used for identification purposes only and may be trademarks or registered trademarks of their respective companies. Microsoft®, Windows®, and SQL Server® are registered trademarks of Microsoft Corporation in the United States and/or other countries. LEM User Guide

Chapter 1: Introduction 1

Chapter 2: Installing and Configuring 3

Requirements 3

LEM Port and Firewall Information 4

Preparing the Installation Files 5

Installing the Virtual Appliance 6

Installing the LEM Reports 7

Connecting to the Web Console 7

Installing the LEM Desktop Console Software 8

Installing the Agent 9

Configuring Non-Agent Devices 11

Configuring Manager Tools 13

Chapter 3: Useful Tasks with LEM 17

Tour Log & Event Manager 17

Ops Center 17

Monitor 18

Explore 19

Build 20

Rules – Additional Details 20

Manage 20

Analyze 21

Additional Information 22

Adding Devices 22

Which Do I Pick? 22

Agent Installation 23

Configuring Non-Agent Devices 24

Configuring Connectors for Agent and Non-Agent Devices 24

i LEM User Guide

Troubleshooting 25

Additional Information 26

Verifying Data 27

Which Do I Pick? 27

nDepth: A Fully Integrated IT Search Solution 28

LEM Reports: For Compliance and Historical Reporting Needs 29

Troubleshooting 30

Additional Information – nDepth 31

External resources: 31

Additional Information – LEM Reports 31

Adding Filters 32

Which Do I Pick? 32

Use the Default Filters as Examples 33

Other Filter Scenarios 33

Example: Change Management 34

Troubleshooting 34

Additional Information 35

Adding Rules 36

Use Pre-configured Rules to Get Started 36

Example: Change Management 37

Other Rule Scenarios 39

Troubleshooting 39

Additional Information 40

Analyzing Data 41

Analyze Data 41

Which Do I Pick? 41

nDepth: A Fully Integrated IT Search Solution 42

LEM Reports: For Compliance and Historical Reporting Needs 43

Troubleshooting 44

ii Table of Contents

Additional Information – nDepth 45

Additional Information – LEM Reports 45

Chapter 4: Leveraging LEM 47

Monitoring Windows Domain Controllers for Brute Force Hacking Attempts 47

Configuring the SolarWinds LEM Agent 48

Monitoring Firewalls for Port Scans and Malformed Packets 55

Monitoring Antivirus Software for Viruses that are Not Cleaned 59

Setting Antivirus Software to Log to a LEM Appliance 60

Configuring the Antivirus Tool on a LEM Manager 60

Creating a LEM Rule to Track When Viruses Are Not Cleaned 61

Monitoring Proxy Servers for Suspicious URL Access 62

Monitoring Microsoft SQL Databases for Changes to Tables and Schema 65

Leveraging the Incidents Report in Security Audits 68

Chapter 5: Introduction to the Console 70

Starting the LEM Consoles 70

Opening Views in the Console 71

Working with Grids 72

Rearranging Grid Columns 72

Sorting a Grid by its Columns 72

Logging In and Out of Managers 73

Logging Into a Manager 74

Logging Out of a Manager 74

iii LEM User Guide

Exiting the LEM Console 74

Chapter 6: Ops Center 75

Ops Center Features 76

Widgets 77

Widget Manager 77

Using the Widget Builder 79

Viewing Specific Widget Data 84

Refreshing a Widget’s Data 85

Opening a Filter From a Widget 85

Editing a Widget’s Chart Presentation 87

Resizing a Widget 88

Viewing a Widget’s Legend 88

Widget Storage 89

Chapter 7: Monitor 90

Monitor View Features 90

Filters and Filter Groups 92

Standard LEM Filters 93

Filter Creation 96

Features of Filter Creation 97

Alerts 98

Applying a Filter to the Alert Grid 98

Sorting the Alert Grid 99

Highlighting Alerts 99

Copying Alert Data to the Clipboard 101

Marking Alerts as Read and Unread 102

Removing Alerts 103

iv Table of Contents

Using the Alert Details/Alert Description Pane 103

Alert Severity Levels 105

Chapter 8: Explore 107 nDepth 107

nDepth's visual tools 108

nDepth's Primary Uses 108

Exploring Alerts vs. Log Messages 109

Opening nDepth 109

Opening nDepth From Another Data Source 110

nDepth key features 110

nDepth's Search Bar 112

nDepth Explorer Toolbar 114

nDepth's History Pane 116

Using the nDepth Histogram 117

Histogram Features 117

Searching the Activity Associated with a Particular Histogram Bar 119

Moving the Search Period 119

Changing the Period's Start and End Time 120

Using Result Details 121

Interpreting Search Results in Alerts Mode 122

Interpreting Search Results in Log Messages Mode 122

Adding Search Strings from Result Details 124

Using Explorers with Result Details 125

Responding to Result Details 126

Exporting Result Details Data to a Spreadsheet 127

Common nDepth Data Fields 127

Common Data Fields Categories in Alerts Mode 127

Common Data Field Categories in Log Messages Mode 128

v LEM User Guide

Using the Word Cloud 129

Opening the Word Cloud 130

Viewing Statistics in the Word Cloud 130

Filtering the contents of the Word Cloud 130

Exploring Items in the Word Cloud 131

Using the Tree Map 132

Opening the Tree Map 133

Resizing Tree Map Categories 133

Exploring items in the Tree Map 133

Using nDepth widgets 134

Default nDepth chart widgets 134

nDepth explorer and widget icons 135

Viewing a widget's details 136

Creating a search string from a widget item 136

Adding new nDepth Widgets 137

Editing nDepth idgets 138

Adding a chart widget to the nDepth Dashboard 138

Adding a main nDepth view to the nDepth Dashboard 139

Using Search Builder 139

Opening Search Builder 141

Switching from the search bar to Search Builder 141

Search Builder features 142

Configuring a Search with Search Builder 145

Utilities 147

Explorer Types 147

NSLookup Explorer 149

Traceroute Explorer 150

Whois Explorer 151

Manually Exploring an Item 151

vi Table of Contents

Chapter 9: Build 153

Groups 153

Group types 153

Groups View Features 155

Refining the Groups Grid 156

Rules 157

Rules View Features 157

Rules Grid Columns 157

Refine Results Form 159

Users 160

Users View Features 160

Users Grid Columns 161

Refining the Users Grid 161

Viewing a User’s System Privileges 162

Chapter 10: Manage 164

Appliances View Features 164

Appliances Grid Columns 165

Details Pane 167

Configuring Alert Distribution Policy 168

Practical Uses for Alert Distribution Policy 168

Opening the Alert Distribution Policy Window 169

About the Alert Distribution Policy Window 170

Configuring Alert Distribution Policy 172

Pushing alert policy to lower-level alert types 173

Exporting a Manager’s Alert Policy 174

Nodes 175

Nodes View Features 175

Nodes Grid Columns 177

vii LEM User Guide

Refining the Agents Grid 179

Chapter 11: Access Controls 181

Adding New Users 181

Editing User Settings 186

Deleting Users 187

Restrict and Unrestrict LEM Reports 187

Chapter 12: Utilizing the Console 189

Filters 189

Creating Filters for Real-time Monitoring 189

Features of the List Pane 191

Features of the Conditions Box 195

199

Creating a New Filter 199

Editing an existing filter 200

Cloning an Existing Filter 200

Pausing Filters 202

Resuming Paused Filters 203

Turning Filters On and Off 204

Copying a Filter 204

Importing a Filter 205

Exporting a Filter 206

Deleting a Filter 206

Managing Filter Groups 207

Adding a New Filter Group 207

Renaming a Filter Group 208

Rearranging Filter Groups 208

Moving a Filter From One Group to Another 208

viii Table of Contents

Deleting a Filter Group 209

Responding to Alerts 210

Using the Respond Form’s Drag and Drop Functionality 211

Event Explorer 213

Opening the Event Explorer 213

Event Explorer Features 214

Exploring Alerts 215

Using the Event Map 216

Reading an Event Map 216

Event Map Legend 217

Using the Event Grid 218

Viewing information in the event grid 218

Exploring From the Event Grid 219

Using the Alert Details Pane 219

Opening and Closing the Alert Details Pane 220

Viewing an Event’s Alert Details 220

Exploring From the Alert Details Pane 221

Performing nDepth Searches 222

Creating Search Conditions 224

Deleting Items From Search Strings 225

Creating Custom Timeframes 226

Saving a Search 227

Using a Saved Search 228

Making Changes to a Saved Search 228

Exporting nDepth Search Results to PDF 229

Exploring Search Results from Graphical Views 230

Taking Action on Alert Details 231

Deleting a Saved Search 231

Creating Search Conditions 232

ix LEM User Guide

Deleting Items From Search Strings 234

Creating Custom Timeframes 234

Managing Tools 236

Opening the Tool Configuration Form 236

Adding new tool instances 237

Starting a Tool Instance 239

Stopping a Tool Instance 240

Editing a Tool Instance 240

Deleting a Tool Instance 241

Creating Tool Profiles to Manage and Monitor LEM Agents 242

Managing Widgets 243

Opening and Closing the Widget Manager 243

Creating New Master Widgets 244

Editing Master Widgets 244

Adding Widgets to the Dashboard 245

Deleting Master Widgets 246

Editing a Dashboard Widget 247

Deleting Dashboard Widgets 247

Chapter 13: Advanced Configurations 249

Managing Appliances 249

Setting up an Appliance 249

Adding Appliances to the Console 249

Removing an appliance 251

Managing Connectors 252

Configuring Manager tools (general procedure) 252

Configuring Agent tools (general procedure) 253

Using Tool Profiles to Configure Multiple Agents 253

x Table of Contents

Managing Groups 254

Adding a new Group 254

Editing a Group 254

Cloning a Group 255

Importing a Group 256

Exporting a Group 257

Deleting a Group 258

Configuring Alert Groups 258

Configuring an Alert Group 258

Alert List Features 259

Configuring Directory Services Groups 261

How to use Directory Services Groups 261

Synchronizing Directory Service Groups with LEM 261

Viewing a Directory Services Group members 263

Directory Services Group Grid Columns 264

Deleting DS Groups 264

Configuring Email Templates 264

Step 1: Creating the email template 265

Step 2: Adding message parameters 266

Step 3: Creating the message 267

Managing email template folders 267

Configuring State Variables 268

Adding new State Variable fields 268

Editing State Variable fields 270

Deleting State Variable fields 270

Managing State Variable Folders 271

Configuring Time of Day Sets 271

Configuring a Time of Day Set 271

Selecting periods in the time grid 273

xi LEM User Guide

Configuring User-Defined Groups 273

Examples of User-Defined Groups 274

Configuring a User-Defined Group 274

Adding data elements to a User-Defined Group 275

Editing a data element in a User-Defined Group 277

Deleting a data element from a User-Defined Group 277

Configuring Tool Profiles 279

Tool Profile rules 280

Creating a Tool Profile (general procedure) 280

Step 1: Selecting a template for the profile 280

Step 2: Selecting the Agents that are members of the profile 282

Editing a Tool Profile’s Tool Settings 283

Opening a Tool Profile’s tool settings 284

Adding a new tool instance 284

Editing a Tool Profile’s tool settings 285

Managing Rules 286

Rule Creation 286

Rule Creation Features 287

Advanced Thresholds 288

Opening the Set Advanced Threshold form 288

Setting an advanced threshold 289

Adding a threshold field 289

Editing threshold fields 290

Deleting a threshold field 291

Using the Actions box 291

Using constants and fields to make actions flexible 291

Configuring a rule’s actions 292

Adding a New Rule 293

Rule Window Features 294

xii Table of Contents

Correlations box features 299

Editing Rules 301

Subscribing to a rule 302

Enabling a rule 304

Placing rules in test mode 305

Activating rules 308

Disabling a rule 309

Cloning rules 310

Importing a rule 311

Exporting rules 311

Deleting Rules 313

Tool Configuration features 313

Tools Grid Columns 315

Tools grid icons 315

Refining the Tools grid 317

Chapter 14: Reports 319

Chapter 15: Scalability 321

Setting up an Addition nDepth Appliance 321

Using a separate nDepth appliance 321

Installing a Separate nDepth Appliance 322

Configuring Network Tools for Use with nDepth 322

Alternate Storage Methods 322

Where to Find the Numbers 323

Disk Usage Summary 323

Log Storage Maintenance Report 324

Alternate Storage Methods 325

xiii LEM User Guide

Chapter 16: Troubleshooting 326

Troubleshooting the LEM Agent 326

Disconnected or Missing LEM Agents 326

Connected LEM Agents 327

Contacting Support 328

Troubleshooting Network Devices 328

Troubleshooting Network Devices Logging to LEM 329

Devices Not Logging to a Log File on the Appliance 329

Devices Logging to a Log File on the Appliance 330

Contacting Support 331

xiv Table of Contents

Appendix A: Standard Widget Tables 332

xv LEM User Guide

Appendix B: Alerts 336

Types of Alerts 336

Asset Alerts 337

Audit Alerts 341

Incident Alerts 359

Internal Alerts 360

Security Alerts 365

Appendix C: Appendix Alert Data Fields 411

Appendix D: Connector Categories 414

Appendix E: CMC Commands 429

Logging on to CMC 429

Using the CMC 'appliance' menu 431

Using the CMC 'manager' menu 432

Using the CMC 'ndepth' menu 434

Using the CMC 'service' menu 435

Appendix F: Report Tables 438

Table of Audit reports 438

Table of Security reports 458

Table of Support Reports 474

Report schedule definitions 476

Appendix G: Tool Configuration Tables 477

Tool configuration tables 477

Tool categories 477

Configuring sensors 482

xvi Table of Contents

Configuring actors 486

Setting up a notification system 488

Appendix H: Filter Configuration Tables 491

Filter condition table 491

Comparing values with operators 493

Selecting a new operator 494

Operator tips 495

Table of operators 495

Examples of AND and OR conditions 498

Configuring alert filter notifications 498

Selecting the notification method 499

Notifications table 499

Appendix I: Rule Configuration Tables 503

Rule correlation table 503

Selecting a new operator 506

Operator tips 506

Table of operators 507

Examples of AND and OR conditions 509

Actions table 509

Index 523

xvii Chapter 1: Introduction

SolarWinds Log & Event Manager (LEM) is a state-of-the-art virtual appliance that adds value to existing security products and increases efficiencies in administering, managing and monitoring security policies and safeguards on your network.

SolarWinds LEM is based on brand new concepts in security. You can think of it as an immunity system for computers. It is a system that is distributed throughout your network to several “points of presence” that work together to protect and defend your network. SolarWinds LEM responds effectively with focus and speed to a wide variety of threats, attacks, and other vulnerabilities.

SolarWinds LEM collects, stores and normalizes log data from a variety of sources and displays that data in an easy to use desktop or web console for monitoring, searching, and active response. Data is also available for scheduled and ad hoc reporting from both the LEM Console and standalone LEM Reports console.

Some common use cases for SolarWinds LEM include the following:

l Correlating network traffic from a variety of sources using filters and rules.

l Visualizing log data in dynamic graphs, charts and other widgets.

l Monitoring USB mass storage device activity on network Agents.

l Responding to countless threats, attacks and other vulnerabilities with easy to use point-and-click and automated active responses.

l Searching normalized log data for events of interest.

l Change Management and other security-related reporting for management and auditors. How SolarWinds LEM Works

The SolarWinds LEM system is based on software modules called Agents, which collect and normalize log data in real time before it’s processed by the virtual appliance, and other non-Agent devices, which send their log data directly to the Manager for both normalization and processing.

Agents are installed on workstations, servers, and other network devices where possible. Agents communicate the log data from each device’s security products to the LEM virtual appliance. These

1 Chapter 1: Introduction

security products include anti-virus software, network-based intrusion detection systems, and logs from operating systems.

When an Agent cannot be installed on a device, that device can be set to send its log data to the LEM Manager for normalization and processing. Examples of devices that cannot host Agent software include firewalls, routers, and other networking devices.

Once normalized, log data is processed by the LEM Manager, which provides a secure management clearinghouse for normalized data. The Manager’s policy engine correlates data based on user defined rules and local alert filters, and initiates the associated actions when applicable.

These actions can include notifying users both locally in the Console and by email, blocking an IP address, shutting down or rebooting a workstation, and passing the alerts on to the LEM database for future analysis and reporting within the Reports application.

The following diagram illustrates the basic flow of data from Node and non-Node devices to the LEM Manager and, finally, to the LEM database and desktop console for storage and monitoring, respectively.

2 Chapter 2: Installing and Configuring

SolarWinds Log & Event Manager is a two-part installation requiring you to separately install its two components. Install the virtual appliance first, followed by the desktop software component.

A complete LEM installation includes the following components:

l The virtual appliance to collect and process log and event information

l The desktop software which allows you to view the information from a desktop or laptop

Requirements

This section discusses software and hardware requirements. Before installing, make sure your hardware and software meet these minimum requirements.

The following table provides the minimum installation requirements for the SolarWinds LEM virtual appliance:

Software/Hardware Requirements

Virtualization Platform n vSphere 4 or later

n Microsoft Hyper V 2008 R2

CPU Speed 2 GHZ

Memory 8 GB

Hard Drive Space 250 GB

3 Chapter 2: Installing and Configuring

The following table provides the minimum installation requirements for the SolarWinds LEM desktop console software and reports:

Software/Hardware Requirements

Operating System - n Windows XP n Windows Vista

Desktop Console & n Windows 7 n Windows Server 2003

Reports n Windows Server 2008 n Windows Server 2008R2

CPU Speed 1 GHz Pentium III or equivalent

Memory 1 GB

Hard Drive Space 5GB

Environment Variables The ability to install all software with administrator rights

The following table provides the minimum installation requirements for the SolarWinds LEM web console:

Software/Hardware Requirements

Adobe Flash Flash Player 11

Supported Browsers n Internet Explorer 8 and later

n Mozila Firefox 10 and later

n Google Chrome 17 and later

LEM Port and Firewall Information

The following table provides a list of all of the ports needed for communication with LEM. Any firewalls that stand between any two points of communication detailed below must have the requisite ports open to inbound and/or outbound traffic according to the relative direction of the communication traffic.

Note: Unless otherwise stated, all ports must be open for return communication on established connections.

4 Preparing the Installation Files

Port Type Description

25 TCP Traffic from the virtual appliance to your email server for automated email notifications

139, 445 TCP Standard Windows file sharing ports used for the LEM Remote Agent Installer and traffic from the virtual appliance to a Windows destination for exporting functions

162 TCP Traffic from devices sending SNMP trap messages to the virtual appliance

389 TCP Traffic -from the virtual appliance to a designated server (usually a domain con- troller) for use with the Directory Service tool

514 TCP Traffic from devices sending syslog to the virtual appliance or UDP

2100 UDP Traffic from devices sending NetFlow to the virtual appliance

5433 TCP Traffic from LEM Reports to the virtual appliance

8080 TCP Non-secure traffic from the LEM Console to the LEM appliance; used during the evaluation period

8443 TCP Secure traffic from the LEM Console to the virtual appliance; used once LEM is activated

32022 TCP Non-standard port for SSH traffic to the virtual appliance

37890 - TCP Traffic from LEM Agents to the virtual appliance 37892

37893 - TCP Return traffic from the virtual appliance to LEM Agents 37896

Preparing the Installation Files

Double-click the SolarWinds Log and Event Manager.exe file to extract the application files to a folder on your desktop. Follow the prompts shown in the Quick Start: Log and Event Manager splash screen.

5 Chapter 2: Installing and Configuring

Installing the Virtual Appliance

This section discusses installing the SolarWinds LEM virtual appliance. The files in each executable contain the virtual appliance image to deploy SolarWinds Log & Event Manager using either:

l VMware vSphere

l Microsoft Hyper-V Deploying LEM Using VMware vSphere

Deploy LEM using VMware vSphere version 4 or higher.

To install the virtual appliance using the vSphere Client:

1. Start the VMware vSphere Client and log on with VMware administrator privileges.

2. Click File > Deploy OVF Template.

3. Click Browse to select the Deploy First – LEM Virtual Appliance.ova file in the SolarWinds Log & Event Manager folder on your desktop, and then click Next.

4. Complete the setup wizard.

5. Select Thin provisioned as the disk format, and then click Next.

6. Click Close after the OVF deployment completes successfully.

7. Select the SolarWinds Log and Event Manager virtual appliance and then click Play.

8. Click the Console tab.

9. To start the LEM web console, launch a web browser and enter the Web Console URL shown in the Console tab. Deploying LEM Using Microsoft Hyper-V

Deploy LEM using Microsoft Hyper-V 2008 R2.

To install the virtual appliance using Hyper-V:

1. Open Hyper-V Manager.

2. Click Action > Import Virtual Machine.

6 Installing the LEM Reports

3. Click Browse to open the SolarWinds Log and Event Manager folder extracted to the desktop during installation.

4. Select the SolarWinds Log & Event Manager folder.

5. Click Select Folder.

6. Select Copy the virtual machine (create a new unique ID) and Duplicate all files so the same virtual machine can be imported again on the Import Virtual Machine window and then click Import.

7. Select the newly created SolarWinds Log & Event Manager virtual appliance and then click Action > Connect.

8. In the virtual console window, click Action > Start and wait for the virtual appliance to start.

9. To start the LEM web console, launch a web browser and enter the Web Console URL shown in the Virtual Machine Connection screen.

Installing the LEM Reports

After installing the virtual appliance, install the SolarWinds Log & Event Manager Reports from the Quick Start: Log and Event Manager splash screen.

To install the SolarWinds LEM Reports:

1. Click the Install Desktop Software button

2. Click Run.

3. Click Next.

4. Review the Requirements for Installation information and then click Next.

5. Click Begin Install to begin the installation process.

6. Click Next.

7. Click Finish.

Connecting to the Web Console

When you have installed the LEM Reports, you are ready to connect to the LEM web console.

7 Chapter 2: Installing and Configuring

To access the web console:

1. To start the LEM web console, launch a web browser and enter the Web Console URL provided during the configuration of VMware vSphere or Microsoft Hyper-V.

2. Click Connect.

Note: The default credentials are admin and password.

3. Accept the End User License Agreement, and then click OK.

4. After logging in, the LEM web console requires that you change your LEM password after installation.

Note: This password must be between 6 and 40 characters, and must contain at least one capital letter and one number.

5. Click OK

Installing the LEM Desktop Console Software

If you do not wish to use the LEM web console, you can install the LEM desktop console software.The LEM desktop console software is a Windows application that you can install on any computer that meets the system requirements.

To install the SolarWinds LEM desktop software:

1. Download the Adobe AIR Runtime for Windows and Log & Event Manager Console zip files from the Downloads section of the Customer Portal on Solarwinds.com.

2. Extract the contents of SolarWinds-LEM-v5.4-Console.zip and double-click the LEM Console installer.

3. Click Install.

4. Specify your installation preferences.

5. Click Continue to begin the installation process.

6. If you did not instruct the console to open after installation, open the desktop console.

7. Accept the End User License Agreement, and then click OK.

8. Enter the IP Address of the virtual appliance and then click Connect.

8 Installing the Agent

Note: The LEM desktop software requires that you change your LEM password after installation. This password must be between 6 and 40 characters, and must contain at least one capital letter and one number.

9. Click OK. Resolving the Hostname

The computer running the LEM desktop software must be able resolve the hostname of the appliance via DNS or a manual entry in the hosts file. Failing to resolve the hostname results in an inability to connect, or an unreliable communication.

Configure forward and reverse DNS entries (a HOST and PTR record) for your appliance on your DNS server. When creating the DNS entries, use the default hostname or the hostname you specified when the virtual appliance was imported. If you cannot configure DNS directly on your DNS server, configure a hosts file on the computer by editing Windows\System32\drivers\etc\hosts in a text editor and adding a line with your virtual appliance’s IP address and hostname (space or tab separated).

Installing the Agent

The following table provides the installation requirements for the LEM Agent:

Software/Hardware Requirements

Operating System Windows XP, Windows Vista, Windows 7, Windows Server 2000, Windows Server 2003, Windows Server 2008

CPU Speed 450 MHz Pentium III or equivalent

Memory 512 MB RAM

Hard Drive Space 1 GB

Environment Var- The ability to install all software with administrator rights iables

9 Chapter 2: Installing and Configuring

The following table provides a list of all of the ports needed for communication with the LEM Agent:

Port Type Description

139, TCP Standard Windows file sharing ports used for the LEM Remote Agent Installer and 445 traffic from the virtual appliance to a Windows destination for exporting functions

37890 TCP Traffic from LEM Agents to the virtual appliance -37892

37893 TCP Return traffic from the virtual appliance to LEM Agents - 37896 Downloading the Agent

1. Download the Agent from the SolarWinds Customer Portal.

2. Navigate to the downloaded folder, and double-click the executable file.

3. Complete the setup wizard. Installation

For best results, close all other programs on the workstation before you proceed with this installation.

If needed, you can exit this installer at any time during the installation by clicking Cancel. You can also use the Previous button to go back to prior pages of the installer to verify or change your settings.

To install a LEM Agent:

1. Download the SolarWinds LEM Agent installer for Windows.

a. If you are a licensed LEM customer, download the installer from the SolarWinds customer portal.

b. If you are an evaluation LEM customer, see the "Additional Evaluation Downloads" KB article.

2. Extract the contents of the installer ZIP file to a local or network location.

3. Run Setup.exe.

10 Configuring Non-Agent Devices

4. Click Next to start the installation wizard.

5. Accept the End User License Agreement and click Next.

You cannot continue with the installer until you accept the License Agreement.

6. Enter the hostname of your LEM Manager in the Manager Name field and click Next. Do not change the default port values.

7. Confirm the Manager Communication settings and click Next.

Configuring Non-Agent Devices

Cisco PIX and ASA firewalls can be configured to log to the LEM appliance and the Cisco PIX and IOS tool on the LEM Manager.

To configure your Cisco PIX or ASA firewall, complete the following procedure:

1. Connect to your firewall using an SSH or Telnet client.

2. Login using administrative credentials for the firewall.

3. Enter enable.

4. Reenter the administrative password for the firewall.

5. Enter config term.

6. Enter logging host inside XX.XXX.X.XX.

Note: XX.XXX.X.XX is the IP address of your LEM virtual appliance.

7. Enter logging facility 18. This defines where the LEM virtual appliance looks for the firewall logs.

8. Enter the logging trap level. Choose one of the logging trap levels listed below . You can use either the Trap Level or Code for this value. The debug logging level is the recommended level.

Trap Level Code Description

Emergency 0 Forwards only the highest priority messages, usually indicating failure or panic scenarios that must be addressed immediately

11 Chapter 2: Installing and Configuring

Trap Level Code Description

Alert 1 Forwards messages that require immediate attention.

Critical 2 Forwards messages that should be reviewed as soon as possible and might be early warning signs of further problems.

Error 3 Forwards messages that might indicate a problem.

Warning 4 Forwards messages that should receive attention and might be errors.

Notification 5 Forwards messages that are considered to be important information, but that are not error conditions.

Informational 6 Forwards most messages.

Debug 7 Forwards all messages, including IDS messages.

9. Enter logging on to enable logging with these settings.

10. Enter exit to return to the previous prompt.

11. Enter copy run start to ensure the firewall reboots with the new configuration.

To configure the Cisco PIX and IOS tool:

1. Navigate to the Manage > Appliances view in the LEM Console and log onto the LEM Manager on which you want to configure the tool.

2. Click the gear button next to the LEM Manager, and select Tools. 3. In the Tool Configuration window, enter Cisco in the search box at the top of the Refine Results pane.

4. Click the gear button next to the Cisco PIX and IOS tool, and select New. 5. Replace the Alias value with a more descriptive tool alias. For example, PIX Firewall.

6. Verify the Log File value matches the local facility defined in Step 7 above.

7. Click Save when you are finished configuring the tool.

8. Click the gear button next to the new tool, and select Start. The Status icon turns green to indicate the tool has started.

9. Click Close to close the Tool Configuration window.

12 Configuring Manager Tools

10. Once the tool is running, the default Firewall filter displays alerts from your Cisco PIX or ASA firewall.

Note: The conditions for the default firewall filter read, Any Alert.ToolAlias = *Firewall*, where the asterisks serve as wildcard characters. If the tool alias does not contain the word "firewall," the default filter will not work until it has been edited to match the alias you defined.

Configuring Manager Tools

After installing LEM, customize LEM to optimize its automated features through the Manager Tools. Manager Tools receive data from anything logging to the appliance and also interface with network devices (for example, email or Active Directory servers) to perform certain tasks. Email Active Response Tool

Configure the Email Active Response tool on your LEM Manager to enable the LEM Manager to send automated emails to Console users in response to rules firing. This tool specifies the mail host that your Manager uses to send emails and provides the requisite server credentials.

Requirements

l An email server that allows the LEM Manager to relay email messages through it

l IP address or hostname of your email server

l A return email address for bounced messages and replies

l User credentials for your email server only if your email server requires internal users to authenticate to send email

To configure the Email Active Response tool:

1. Log into the LEM Manager to be configured.

2. Select Manage > Appliance from your LEM Console.

3. Click the gear button next to your LEM Manager and select Tools. 4. Enter Email Active Response in the search box on the Refine Results pane.

5. Click the gear button next to the master tool and select New. 6. Complete the Email Active Response tool form.

13 Chapter 2: Installing and Configuring

1. Log into the LEM Manager to be configured.

2. Select Manage > Appliance from your LEM Console.

3. Click the gear button next to your LEM Manager and select Tools. 4. Enter Email Active Response in the search box on the Refine Results pane.

5. Click the gear button next to the master tool and select New. 6. Complete the Email Active Response tool form.

Note: If you use a hostname for the Mail Host value, your Manager must be able to resolve it.

6. Enter a valid email address in the Test E-mail Address field. Once the tool is saved and started, the button next to this field generates a test email to be sent to this address from your Manager.

7. Click Save.

8. Locate the new instance of the tool. It will have a grey icon in the Status column.

9. Select Start from the gear button next to the new tool. A green icon in the Status column indicates that the tool is running and the Test Email button can be used to test your settings. Directory Service Query Tool

Configure the Directory Service Query tool on your LEM Manager to enable the LEM Manager to establish an LDAP connection to your Active Directory server to import your organizational groups. Once the tool is running on your LEM Manager, complete the second procedure to specify the groups you want to import for use in your filters, rules and searches.

Requirements

l Fully qualified domain name of your directory service server

l IP address or hostname of your directory service server

l Domain credentials for an account that can be used by the Directory Service Query tool

l Fully qualified domain name of your directory service server

l IP address or hostname of your directory service server

l Domain credentials for an account that can be used by the Directory Service Query tool

14 Configuring Manager Tools

To configure the Directory Service Query tool:

1. Log into the LEM Manager on which you want to configure the tool from the Manage > Appliance view of your LEM Console.

2. Click the gear button next to your LEM Manager and select Tools. 3. Enter Directory Service Query in the search box on the Refine Results pane.

4. Click the gear button next to the master tool and select New. 5. Complete the Directory Service Query tool form.

6. Enter the fully qualified domain name for your directory service server in the Domain Name field. For example, solarwinds.com.

7. Enter the IP address or hostname of your directory service server in the Directo ry Service Server field.

8. Enter the domain credentials for a user account that is not under password requirements. We recommend using a service account. This account does not need elevated privileges.

Note: The Test Domain Connection button only works once the tool has been configured and started.

9. Click Save.

10. Locate the new instance of the tool. It will have a grey icon in the Status column.

11. Click the gear button next to the new tool and select Start. A green icon in the Status column indicates that the tool is running and the Test Domain Connection button can be used to test your settings. This operation displays its results as an alert in the SolarWinds Alerts filter. Importing Groups Using the Directory Service Query Tool

This procedure is not necessary when importing Active Directory users as LEM users.

To import your organizational groups using the Directory Service Query tool:

1. Open the Build > Groups view of your LEM Console.

2. Click the plus button in the upper right corner and select Directory Service Group.

15 Chapter 2: Installing and Configuring

3. In the details pane at the bottom of the LEM Console window, select a group category from the folder tree on the left to populate the Available Groups pane on the right.

4. Select the boxes next to the groups you want to import into your LEM Manager.

5. Repeat Steps 3 and 4 until you have selected all of the groups you want to import into your Manager.

6. Click Save.

7. The system synchronizes your directory service groups with the LEM Manager and continues to do so every 5 minutes as long as the tool is running.

16 Chapter 3: Useful Tasks with LEM

Tour Log & Event Manager

Click the video icon to view the corresponding tutorial.

Access your log and event data using the LEM web console or local desktop console. Both interfaces allow you to monitor your data in real time with filters, respond automatically to specific events with rules, and analyze events on your network with the nDepth search utility. Access all of these features and more on the navigation bar at the top of the LEM Console window.

Ops Center

Use the Ops Center tab as a real-time graphical overview of the events on your network. The Ops Center includes the following useful components:

l A customizable dashboard with several default charts and graphs, called widgets

l The Widget Manager to browse, edit, add, and pin widgets

l Informational widgets with links to videos, documents, and other resources

To add a widget to the Ops Center dashboard:

1. In the LEM Console, click the Ops Center tab.

2. Click Widget Manager in the upper-left corner.

3. Find and select the filter on which the widget is based in the Categories list.

4. In the Widgets pane, scroll through the available widgets to put the widget you want in the main preview position.

5. Click Add to Dashboard in the upper-right corner.

6. To re-position the widgets on the dashboard, drag and drop them into a new position.

17 Chapter 3: Useful Tasks with LEM

To create a new widget using Widget Manager:

1. In the LEM Console, select the Ops Center tab.

2. Click Widget Manager in the upper-left corner.

3. Click the plus button at the top of the Categories list.

4. Complete the Widget Builder form.

5. To pin the new widget to the dashboard, select Save to Dashboard.

6. Click Save.

Monitor

Use the Monitor tab to view all of the monitored events on your network in real time. Monitor includes the following useful components:

l A real-time alert stream to which you can apply alert filters

l The Alert Details pane, which displays the details for any alert you highlight in the alert stream

l A Widgets pane, which displays a graphical representation of the current filter, if available

l Several default filters to refine the data you see in the alert stream

l A GUI filter editor, called Filter Creation, to create and edit alert filters

To apply a filter to the Monitor alert stream, select a default or custom filter from the Filters list.

To view the Alert Details for a specific alert in the alert stream, select the alert in the alert stream.

To change the widget the Widgets pane displays for a filter:

1. In the LEM Console, select the Monitor tab.

2. Select the filter you want to modify in the Filters pane.

3. Click the menu at the top of the Widgets pane, and then select the widget you want that filter to display.

18 Explore

Explore

Use the Explore tab menu to access several analysis utilities to get additional information about the events you see in the LEM Console. Use the nDepth option in the Explore menu to search and analyze the events on your network. nDepth includes the following useful components:

l A variety of clickable charts and utilities to view and refine search results

l A comprehensive toolbar to switch between multiple utilities and views

l A Result Details utility to view all of your search results in text format

l A PDF export utility to configure and export custom reports

Use the Utilities option in the Explore menu to access several IT analysis utilities, including:

l WhoIs

l NSLookup

l Traceroute

l Flow (sFlow and NetFlow)

To execute a WhoIs, NSLookup, or Traceroute task from an alert or search result in the LEM Console:

1. Find the alert or search result you want to explore further, and then select it.

2. Click the Explore menu on the Alert Grid or nDepth title bar (next to Respond), and then select the utility you want to use.

To execute a blank WhoIs, NSLookup, or Traceroute task in the LEM Console:

1. Click the Explore tab on the navigation bar, and then select Utilities.

2. Click the Explore menu on the Utilities title bar (next to Respond), and then select the utility you want to use.

3. Complete the form for the utility, and then click Search.

For information about using the Flow task in the Explore > Utilities view, see the KB article, "Use your LEM appliance as a Flow collector".

19 Chapter 3: Useful Tasks with LEM

Build

Use the Build tab menu options to customize LEM behavior. The Build menu consists of the following options:

l Groups: Create and manage lists of users, computers, and information.

l Users: Create and manage LEM Console users.

l Rules: Create and manage rules that correlate events from different systems and instruct the LEM appliance to respond accordingly.

For additional information about the Users and Groups options in the Build menu, see the following KB articles:

l "Getting Started with User-Defined Groups"

l "Creating Users in the LEM Console"

Rules – Additional Details

View custom and pre-configured rules in the Rules view under the Build menu. The Rules view consists of the following useful components:

l A GUI editor, just like Filter Creation

l A community rule set, organized by event-centric categories

l 35 active responses to assign to custom or pre-configured rules

Manage

Use the Manage tab menu to access details about your LEM architecture. The Manage menu consists of the following options:

l Appliances: Add LEM appliances to monitor in the LEM Console, view your LEM license details, and configure global settings.

l Nodes: View and manage LEM nodes, including remote logging devices and LEM Agents.

20 Analyze

To set your LEM Console authentication preferences:

1. In the LEM Console, click the Manage tab, and then select Appliances.

2. Click the Login tab on the Properties pane.

3. If you want your LEM Console to authenticate to your LEM appliance upon launch, enter your LEM Username and Password.

4. If you want your LEM Console to ask you for your LEM Password upon launch, enter just your LEM Username.

5. Select Login Automatically Next Time.

6. Select Save Credentials.

7. Click Save.

To set the global password policy for LEM users:

1. In the LEM Console, click the Manage tab, and then select Appliances.

2. Click the Settings tab on the Properties pane.

3. Adjust the Minimum Password Length according to your preference.

4. If you want to require complex passwords for LEM users, select Must Meet Complexity Requirements.

Note: Complex passwords must include any three of the following four character types:

l Capital letters

l Lower-case letters

l Numerals (0-9)

l Symbols (!, @, #, etc.)

5. Click Save.

Analyze

The Analyze tab is a placeholder for things to come. Additional functionality will be integrated into this area of the LEM Console in a future release.

21 Chapter 3: Useful Tasks with LEM

Additional Information

For additional information about how to use the LEM Console, consult the following resources:

l "Introduction to the Console" on page 70.

l "Ops Center" on page 75.

l "Monitor" on page 90.

l "Explore" on page 107

l "Build" on page 153.

l "Manage" on page 164.

Adding Devices

Click the video icon to view the corresponding tutorial.

Configure your IT devices to work with LEM using one of two options:

l Install the LEM Agent and connectors directly on the device

l Set the device to log to LEM and then configure the appropriate connectors directly on the LEM appliance.

Which Do I Pick?

Install the LEM Agent on computers that allow third party software. SolarWinds provides LEM Agents for these operating systems:

l Microsoft Windows (local and remote installers)

l Linux

l Mac OS X

l Solaris on Intel

l Solaris on Sparc

l HPUX on PA

22 Agent Installation

l HPUX on Itanium

l AIX

Configure other devices, such as firewalls, routers, or switches to send logs directly to the LEM appliance using syslog or SNMP traps. For a complete list of supported devices, see the "Comprehensive Data Source Support for All Your Logs & Events" page.

Agent Installation

The LEM Agent is a necessary component to monitor local events on the computers on your network. Install the LEM Agent on servers, domain controllers, and workstations. The LEM Agent then captures log information from sources such as Windows Event Logs, a variety of database logs, and local antivirus logs. The LEM Agent also allows LEM to take specific actions that you use rules to define. You can also trigger actions manually from the LEM Console using the Respond menu.

To install a LEM Agent:

1. Click the DOWNLOAD: Agents link in the LEM Console Getting Started widget, or visit the SolarWinds Customer Portal for a complete list of available downloads.

2. Download the appropriate installer, and then run it on the computer(s) you want to monitor

Note: If you are deploying LEM Agents to Windows computers, you can use the Remote Agent Installer for a faster deployment.

View and manage installed LEM Agents in the Nodes view of the LEM Console. The LEM Agent for Windows includes several pre-configured connectors (also called "tools") so you immediately start to see data from these computers after you have installed the LEM Agent. By default, the LEM Agent for Windows includes the following pre-configured connectors:

l Windows Security Log (for the host OS version)

l Windows Active Response

l Windows Application Log

l Windows System Log

For other operating systems, or for broader coverage on your Windows computers, configure specific connectors to get exactly what you are looking for.

23 Chapter 3: Useful Tasks with LEM

Configuring Non-Agent Devices

Non-Agent devices include any supported network or security device on which you cannot install a LEM Agent. Some common examples are firewalls, routers, and switches. To monitor these devices with LEM, configure each device to log to the LEM appliance using syslog or SNMP traps. Then, configure the appropriate connector on the LEM appliance using the LEM Console.

Configuring Connectors for Agent and Non-Agent Devices

The procedure for configuring connectors for Agent and non-Agent devices is generally the same. The major difference is where you find the configuration forms in the LEM Console. Complete the following procedure to configure connectors for all the devices you want to monitor with LEM.

To configure connectors in the LEM Console:

1. In the LEM Console, click the Manage tab, and the select Nodes (for Agent connectors) or Appliances (for non-Agent connectors).

2. Click the gear button next to the LEM Agent or Manager you want to configure, and then select Tools.

3. If you want to view or modify the configured connectors, select Configured in the Refine Results pane.

4. To find the connectors you need, use the search box and filter menus on the Refine Results pane.

5. After you've identified the connector to be configured, click the gear button next to it, and then select New.

6. Complete the Tool Configuration form according to the device you're configuring. The following fields/descriptions are common for most connectors:

l Alias: a "user friendly" label for your connectors

l Log File: the location of the log file the connector will normalize; this is a location on either the local computer (Agents) or LEM appliance (non-Agent devices)

24 Troubleshooting

l Output, nDepth Host, and nDepth Port: values used specifically for LEM environments that are configured to store original log messages; for additional information, consult the resources at the end of this section

7. After completing the form, click Save.

8. In the Tools list, click the gear button next to the new connector (denoted by an icon in the Status column), and then select Start.

9. After starting the connector, verify that it is working by checking for alerts on the Monitor tab:

a. Click the Monitor tab on the Console navigation bar.

b. Check the SolarWinds Alerts filter to verify the connector started.

c. Check or create a relevant filter for alerts corresponding to the new connector. For example, check the default Firewall filter after configuring a connector for your firewall. Note: The default Firewall filter is based on an Alias containing the word, "firewall." If you designate a non-conforming alias in your connector, modify the default filter accordingly.

Troubleshooting

If you have configured a device to log to the LEM appliance, but you cannot determine the exact logging location, check the logging facilities on the LEM appliance to determine where your data is going.

To check the logging facilities on the LEM appliance:

1. Connect to your LEM appliance using the VMware console view, or an SSH client such as PuTTY.

2. If you are connecting to your appliance through SSH, log in as the CMC user, and provide the appropriate password.

3. If you are connecting to your appliance using VMware, select Advanced Configuration on the main console screen, and then press Enter to get to the command prompt.

25 Chapter 3: Useful Tasks with LEM

4. At the cmc> prompt, enter appliance.

5. At the cmc::acm# prompt, enter checklogs.

6. Enter an item number to select a local facility to view.

7. Look for indications of specific devices logging to this facility, such as the product name, device name, or IP address.

8. After you have determined the facility your device is logging to, configure the connector with the corresponding Log File value.

For additional troubleshooting tips related to LEM Agents or remote logging devices, see the following KB articles:

l "Troubleshooting LEM Agent Connections"

l "Troubleshooting 'Unmatched Data' or 'Internal New Tool Data' alerts in your LEM Console"

Additional Information

For additional information about configuring devices to monitor with LEM, consult the following resources.

Agent Installation Requirements

"Leveraging LEM" on page 47.

For additional information about installing LEM Agents on a variety of operating systems, see the following KB articles:

l "Using the SolarWinds LEM Agent Installer for Windows"

l "Using the SolarWinds LEM Remote Agent Installer"

l "Using the SolarWinds LEM Agent Installer non-interactively"

l "Using the SolarWinds LEM Agent Installer for Linux"

l "Using the SolarWinds LEM Agent Installer for Mac OS X"

For additional information about how to tune Windows logging for your LEM deployment, see the following KB articles:

26 Verifying Data

l "Audit Policy and Best Practice"

l "LEM Manager crashes after receiving a high number of alerts from Windows 7 or Windows Server 2008"

l "How to enable file auditing in Windows"

l "Monitoring Account Lockout Events"

For additional information about how to monitor and configure groups of LEM Agents using Tool Profiles, see the KB article, "How to create Tool Profiles to manage and monitor LEM Agents."

For a list of supported Agent and non-Agent devices, see the "Comprehensive Data Source Support for All Your Logs & Events."

For additional information about configuring connectors for specific devices, search the "Connectors" category of the LEM Knowledge Base.

For additional information about configuring LEM and your connectors to store original log messages, see the following KB articles:

l "Configuring Your LEM Appliance for Log Message Storage and nDepth Search"

l "Do not modify the Output, nDepth Host, or nDepth Port fields when configuring LEM connectors unless your appliance is set up to store original log data"

For additional information about creating filters for specific devices, see the KB article, "How can I see all traffic from a specific device in my LEM Console?"

Verifying Data

Click the video icon to view the corresponding tutorial.

Now that LEM is collecting your log data, use nDepth and LEM Reports to search, analyze, and report on that data. In most cases, use the nDepth Explorer in the LEM Console to search and analyze your data. Use the stand-alone LEM Reports application to report on your data.

Which Do I Pick?

Use nDepth if you want to perform immediate search or analysis tasks, or create specific custom PDF reports. Use nDepth to:

27 Chapter 3: Useful Tasks with LEM

l Search your log data interactively

l Search for specific variables, such as user names, IP addresses, or specific events

l Perform root-cause analysis

l Troubleshoot specific issues

l Explore data and produce custom PDF reports

Use LEM Reports if you want to view or schedule fixed reports for regulatory and compliance purposes or to:

l Automate reporting

l Produce compliance reports

l View reports based on specific regulatory compliance initiatives

l Provide proof that you are auditing log and event data to auditors

l Schedule formatted reports for LEM Reports to run and export automatically nDepth: A Fully Integrated IT Search Solution

Open nDepth in the LEM Console in any of these three ways:

1. Select an alert on the Monitor tab, click the Explore menu, and then select nDepth.

2. Select a filter in the Filters pane on the Monitor tab, click the gear button at the top of the Filters pane, and then select Send to nDepth.

3. Click the Explore tab from anywhere in the LEM Console, and then select nDepth.

Consult nDepth for several analytical tools that it summarizes on both its dashboard and toolbar. Use this view to:

l Search original log messages (AKA "raw logs") or normalized alerts

l View search results in several charts and graphs, and add values from these visuals directly to your search just by clicking them

l Refine the timeframe of your searches using pre-defined or custom ranges

l View the text output of your search results using the Result Details tool on the nDepth toolbar

28 LEM Reports: For Compliance and Historical Reporting Needs

l Export your search results in CSV or fully-customizable PDF format

l Save searches for future use

LEM Reports: For Compliance and Historical Reporting Needs

LEM Reports is a stand-alone application that you install separately from the LEM Console. Access LEM Reports using a shortcut, if available, or by navigating to the SolarWinds Log and Event Manager application group in your Windows Start menu.

Use LEM Reports to:

l Run hundreds of pre-configured compliance and security reports

l Schedule reports for LEM Reports to run automatically

l Filter the reports list by industry or requirement

l Run Master, Detail, or Top level reports according to how much information you need

l Use Select Expert to filter your report data by specific values, such as computer name, IP address, or user name

l Export reports into several formats, including PDF, CSV, and RPT

To get started with LEM Reports, filter the reports listing by the industries or requirements relevant to your network. Then, the next time you open LEM Reports, access your custom list of reports by clicking Industry Reports on the main view.

To filter the reports list by industry or requirement:

1. Open LEM Reports.

2. On the Settings tab, click Manage, and then select Manage Categories.

3. Select your industries and requirements in the left pane. Mix and match as necessary. For example, if you are a school that accepts credit card payments, select Education, FERPA, and PCI.

4. Click OK.

5. To view the filtered list of reports, click the Category menu back on the Settings tab, and then select Industry Reports.

Select which reports to run based on their values in the Level column on the Settings tab:

29 Chapter 3: Useful Tasks with LEM

l Master: Reports at this level contain all of the data for their category. For example, the master-level Authentication report contains all authentication-related data.

l Detail: Reports at this level contain information related to a specific type of event. For example, the Authentication – Failed Authentications detail-level report only contains data related to "Failed Authentication" events.

l Top: Reports at this level display the top number of occurrences for a specific type of event. Use the default top number, or Top N, of 10, or customize this when you run the report.

Troubleshooting

If you have installed LEM Reports, but are unable to open the application or run reports, complete the following procedures to troubleshoot the issue.

To troubleshoot application launch errors on computers running Windows Vista, Windows 7, and Windows Server 2008:

1. Uninstall LEM Reports and Crystal Reports v11 Runtime.

2. Reinstall both components as Administrator.

3. Adjust the LEM Reports properties to run the program in Windows XP compatibility mode and as an administrator:

a. Right-click the LEM Reports shortcut on your desktop or in the SolarWinds Log and Event Manager program group in your Windows Start menu, and then select Properties.

b. Click the Compatibility tab.

c. Select Run this program in compatibility mode for, and then select Windows XP (Service Pack 3).

d. Select Run this program as an administrator.

e. Click OK.

4. Launch LEM Reports.

30 Additional Information – nDepth

To address "Logon failed. Database Vendor Code 210" errors:

Add the computer running LEM Reports to the list of authorized reporting computers. By default, the LEM appliance restricts all access to LEM Reports. To allow specific computers to run LEM Reports or remove all reporting restrictions, complete the procedures in the KB article, "Configuring Report Restrictions."

Additional Information – nDepth

For additional information about how to use nDepth to search and analyze your data in the LEM Console, consult the following resources.

l "Explore" on page 107.

l "Utilizing the Console" on page 189.

External resources:

For examples of how to execute nDepth searches, see the following KB articles:

l "How to create an nDepth query for all activity by a single user"

l "Sending Filters to nDepth for Historical Search"

For additional information about how to save nDepth searches for future use, see the KB article, "Save nDepth searches to quickly execute frequent queries."

For additional information about how to export nDepth search results in CSV or PDF format, see the KB article, "Export nDepth results in custom or text formats for retention and ad hoc reporting."

For additional information about configuring your LEM appliance to store and search original log data, see the following KB articles:

l "Configuring Your LEM Appliance for Log Message Storage and nDepth Search"

l "Using your LEM Console to view and search original log messages"

l "Do not modify the Output, nDepth Host, or nDepth Port fields when configuring LEM connectors unless your appliance is set up to store original log data"

Additional Information – LEM Reports

For additional information about how to run, schedule, and configure formatted compliance and

31 Chapter 3: Useful Tasks with LEM

security reports using LEM Reports, consult the following resources.

l "Reports" on page 319.

l "Report Tables" on page 438.

For information about how to install LEM Reports on computers without the LEM Console, see the KB article, "Configuring LEM Reports on Computers Without the LEM Console."

For information about how to schedule several best practice compliance and security reports, see the following KB articles:

l "Configuring Default Batch Reports on XP/2003 Computers"

l "Configuring Default Batch Reports on Vista/7/2008 Computers"

l "Report Formats and their corresponding numbers listed in a LEM scheduled report ini file"

For additional information about working with individual reports in LEM Reports, see the following KB article

l "Filtering and Exporting LEM Reports"

l "Creating a Custom Filtered Report"

Adding Filters

Click the video icon to view the corresponding tutorial.

Filters group and display events that your LEM Agents and remote logging devices send to LEM. They are based on alerts, which are the normalized version of these network events. For LEM, the terms "events" and "alerts" are interchangeable. View these alerts in real time on the Monitor tab in the LEM Console.

Which Do I Pick?

Create filters when you want to group a particular type of event. The following are just a few examples of what you might create a filter to catch:

l All events from your firewalls

l All events from your domain controllers

32 Use the Default Filters as Examples

l All events for a specific type of user

l All events except for recurring, expected events

Create rules when you want LEM to take some kind of action in response to one or more events. In many cases, you base rules on several alerts that LEM correlates to trigger an action, but you can also configure a rule to look for a single event. Rule actions include, but are not limited to:

l Sending an email

l Logging a user off

l Shutting down a computer

l Deleting an Active Directory group

l Blocking an IP address

Use the Default Filters as Examples

The LEM Console includes several pre-configured filters on the Monitor tab. Examine the conditions of these filters to get a sense of how broad or specific filters can be. The following are two examples of these extremes:

l All Alerts: This filter does not have any specific conditions, so it captures all events, regardless of the source or alert type.

l User Logons: This filter has a single condition that means, "UserLogon Exists." It captures all events with the alert type "UserLogon" and nothing else – not user log offs, not user logon failures.

To view the conditions of a default filter:

1. In the LEM Console, click the Monitor tab.

2. Select the filter you want to examine in the Filters pane.

3. Click the gear button at the top of the Filters pane, and then select Edit. 4. If you make any changes to the filter, click Save. Otherwise, click Cancel.

Other Filter Scenarios

Some scenarios may warrant a filter so you can monitor them more closely:

33 Chapter 3: Useful Tasks with LEM

l Change management events: Monitor configuration changes made to your network.

l High volume events: Watch for spikes of traffic, or unexpected off-peak traffic.

l Events of general interest: Keep track of logon failures and failed authentications.

Note: A failed authentication is an alert triggered by three logon failures by the same account within an extremely short period of time.

l Rule scenarios: Determine whether you have the right alerts to create a rule for a specific scenario.

l Daily problems: Get a head start on operational problems like account lockouts by seeing the alerts in real time.

Example: Change Management

Create a change management filter to monitor configuration changes users make to your network. Keep this filter general, as illustrated here, or refine it to show you only certain changes or changes made by certain users.

To create a filter for all change management events:

1. In the LEM Console, click the Monitor tab.

2. Click the plus button at the top of the Filters pane, and then select New Filter.

3. Enter an appropriate name for the filter, such as Change Management Events.

4. Fill the filter's Conditions box with an appropriate alert or alert group. For this example, use an Alert Group Exists condition to capture all events from a certain group:

a. Click Alert Groups on the left pane.

b. Find the Change Management Events alert group, and drag it into the Conditions box.

5. Click Save.The LEM Console takes you to the new filter on the Monitor tab. Examine the alerts here, and click an alert to see more information in the Alert Details pane.

Troubleshooting

If you have created a filter, but it is not capturing the expected alerts, check the All Alerts filter to

34 Additional Information

ensure the alerts are making it to the LEM Console.

To use the All Alerts filter to troubleshoot custom filters:

1. In the LEM Console, click the Monitor tab.

2. Click All Alerts in the Filters pane.

3. Locate an alert you expected to see in your custom filter. If necessary, pause the filter and sort it by any of the column headers.

4. If you locate a related alert, verify the field-value combinations in the alert match the ones you used in your filter. For example, if your filter is looking for *firewall* in the ToolAlias field, ensure the Tool Alias field in your alert contains the word firewall.

5. If you cannot locate a related alert, verify one of your monitored devices is logging the event, and that the device is sending its events to LEM. For example, create another filter to show all events from the specific device using the ToolAlias or DetectionIP alert field, as illustrated in the KB article, "How can I see all traffic from a specific device in my LEM Console?".

Additional Information

For additional information about how to create filters in the LEM Console to monitor events of interest, consult the following resources.

l [cross reference to Monitor chapter]"Monitor" on page 90.

l [cross reference to Filters topic]

l [cross reference to Alert Types appendix]"Appendix Alert Data Fields" on page 411.

l [cross reference to Alert Field appendix]

For a general procedure and video addressing how to create filters in the LEM Console, see the KB article, "Creating Filters for Real-time Monitoring in Your LEM Console."

For additional information about how to create filters for specific alerts, devices, or time frames, see the following KB articles:

l "Quickly Creating a Filter for a Specific Alert Type"

l "How can I see all traffic from a specific device in my LEM Console?"

35 Chapter 3: Useful Tasks with LEM

l "Use Time of Day Sets to pinpoint specific time frames in filters and rules"

For additional information about advanced options related to filters and the Monitor view, see the following KB articles:

l "Disabling Windows Noise Alerts Using Alert Distribution Policy "

l "Disabling Windows Filtering Platform Alerts Using Alert Distribution Policy"

l "Modifying Filters for 'Monitor' Users"

l "Modifying AND and OR Relationships in Filters and Rules Using Nested Groups"

l "Filters with an AND relationship between conditions with different alert types do not return any results"

Adding Rules

Click the video icon to view the corresponding tutorial.

Rules correlate events that your LEM Agents and remote logging devices send to LEM, and assign automatic actions or responses to those events. These actions differentiate filters from rules: filters only display events, while rules instruct LEM to take action. Rule actions include, but are not limited to:

l Sending an email

l Logging a user off

l Shutting down a computer

l Deleting an Active Directory group

l Blocking an IP address

Use Pre-configured Rules to Get Started

The LEM appliance includes hundreds of pre-configured rules. Use these rules to instruct LEM to respond to specific events on your network. We call these pre-configured rules NATO5 Rules, because they're based on the concept behind the fifth article of NATO: "An attack on one is an attack on all."

Note: SolarWinds does not enable any rules to take action on your network by default. If there is a

36 Example: Change Management

rule that you want to utilize, clone it from the NATO5 Rules library, and then enable to take its specific action.

To clone and enable a NATO5 Rule for use on your network:

1. In the LEM Console, click the Build tab, and then select Rules.

2. Click NATO5 Rules in the Folders pane in the lower-left corner.

3. Use the Folders list or the Refine Results pane to browse, search, or filter for specific rules or scenarios.

4. After you find a rule you want to clone, click the gear button next to it, and then select Clone.

5. On the Clone Rule dialog, select a Custom Rules folder and rename the rule if you wish, and then click OK.

6. In the Rule Creation view, customize the rule further if necessary, select Enable at the top of the form, and then click Save.

7. Back in the main Rules view, click Activate Rules to sync your local changes with the LEM appliance.

For more detailed information about how to clone and enable NATO5 Rules, see the KB article, "Cloning, Enabling, and Activating NATO5 Rules."

Example: Change Management

Create a change management rule to notify you anytime a user makes any kind of change to your network configurations. Examples of such network changes include:

l Adding, changing, or deleting users in Active Directory

l Installing software on monitored computers

l Changing firewall policy

Create a general change management rule, similar to the filter illustrated in the previous section, to instruct LEM to notify you anytime any user makes a configuration change, or create a more specific rule to only fire for specific users, groups, or types of changes.

37 Chapter 3: Useful Tasks with LEM

Note: An important rule of thumb is, "If you can see it in your LEM Console, you can build a rule for it." Remember to use your filters as a starting-place as you consider creating custom rules.

To create a rule that sends you an email anytime someone adds a user to an administrative group:

1. In the LEM Console, click the Build tab, and then select Rules.

2. Click the plus button in the upper-right corner.

3. Enter an appropriate name for the rule, such as New Admin User.

4. Populate the rule's Correlations box with an appropriate alert or alert group. For this example, use a NewGroupMember.EventInfo Equals *admin* condition to fire anytime LEM gets a NewGroupMember alert with the text, "admin" anywhere in the EventInfo field:

a. Click Alerts on the left pane.

b. At the top of the Alerts list, enter NewGroupMember to search for that alert, and then select it in the list.

c. In the Fields: NewGroupMemeber list, find EventInfo, and then drag it into the Correlations box.

d. In the text field (denoted by a pencil icon in the Correlations box), enter *admin* to account for all variations on the word "administrator."

5. Leave the Correlation Time box as-is so your rule fires anytime LEM captures this type of event.

6. Add the Send Email Message action to the Actions box:

a. Click Actions on the left pane.

b. Find Send Email Message, and then drag it into the Actions box.

c. Select a template from the Email Template menu.

d. Select a LEM user from the Recipients menu.

38 Other Rule Scenarios

e. Drag and drop alert fields or constants from the left pane into the Send Email Message form to complete the action.

Note: Always use alert fields for the alert(s) present in the Correlations box. For example, use NewGroupMember.DetectionTime to populate the DetectionTime field in this example.

7. Select Enable at the top of the Rule Creation form, and then click Save.

8. To sync your local changes with the LEM appliance, click Activate Rules back in the main Rules view.

After you enable and activate this rule, the LEM appliance sends an email anytime someone adds a user to any group in Active Directory that contains the text, "admin" in its name.

For more detailed information about how to create LEM rules to take action on your network, see the KB article, "Creating Rules from Your LEM Console to Take Automated Action."

Other Rule Scenarios

Countless scenarios may warrant a rule. Consider these combinations of rules and actions:

l Respond to other change management events with the Send Email Message action.

l Respond to port scanning events with the Block IP action.

l Respond to isolated spikes in network traffic with the Send Email Message or Disable Networking action.

l Respond to users playing games on monitored computers with the Send Popup Message or Kill Process action.

l Respond to users attaching unauthorized USB devices to monitored computers using the Detach USB Device action.

Basically, any activity or event that can pose a threat to your network might warrant a LEM rule.

Troubleshooting

If you have created a rule, but you are not getting the expected results, verify the following to track down the root cause:

39 Chapter 3: Useful Tasks with LEM

1. Check for the requisite alerts on the Monitor tab. For example, if your rule is based on the NewGroupMember alert, see if you can find one in the All Alerts or default Change Management filter.

2. If you do not see the requisite alerts, troubleshoot your devices and connectors to get the events into LEM. Otherwise, continue troubleshooting here.

3. Check for an InternalRuleFired alert in the SolarWinds Alerts filter.

4. If you do not see an InternalRuleFired alert for your rule, check the following to continue troubleshooting. Otherwise, skip to Step 5 to continue.

1. Is your rule enabled?

2. Did you modify the Correlation Time or Response Window in your rule?

3. Did you click Activate Rules after saving your rule?

4. Is the time on your device more than 5 minutes off from the time on your LEM appliance?

5. If you see an InternalRuleFired alert for your rule, but the rule LEM does not respond as expected, check the following, according to the action you configured:

1. Send Email Message: Verify you have configured and started the Email Active Response connector on the LEM appliance.

2. Send Email Message: Verify you have associated an email address for the LEM user you selected as your email recipient.

3. Agent-based Actions: Verify you have installed the LEM Agent on the computer you want LEM to respond to.

4. Block IP: Verify you have configured the active response connector for the firewall you want to use to take this action. The active response connector is separate from the data gathering connector.

For more detailed information about how to troubleshoot LEM rules and active responses, see the KB article, "Troubleshooting LEM Rules and Email Responses."

Additional Information

For a general procedure and video addressing how to create and clone rules in the LEM Console, see

40 Analyzing Data

the following KB articles:

l "Creating Rules from Your LEM Console to Take Automated Action"

l "Cloning, Enabling, and Activating NATO5 Rules"

For additional information about the active responses available for LEM rules, see the following KB articles:

l "How does the Block IP active response work?"

l "How does the Detach USB Device active response work?"

l "How does the Append Text To File active response work?"

l "How do the computer-based active responses work?"

l "How do the user-based active responses work?"

l "How do the Kill Process active responses work?"

l "How does the Disable Networking active response work?"

Analyzing Data

Analyze Data

Click the video icon to view the corresponding tutorial.

Which Do I Pick?

Use nDepth if you want to perform immediate search or analysis tasks, or create specific custom PDF reports. Use nDepth to:

l Search your log data interactively

l Search for specific variables, such as user names, IP addresses, or specific events

l Perform root-cause analysis

41 Chapter 3: Useful Tasks with LEM

l Troubleshoot specific issues

l Explore data and produce custom PDF reports

Use LEM Reports if you want to view or schedule fixed reports for regulatory and compliance purposes. Use LEM Reports to: