
QUICK START AND DEPLOYMENT GUIDE

Log & Event Manager


Version 6.3.x

Last Updated: Wednesday, July 19, 2017

Retrieve the latest version from: https://support.solarwinds.com/success_center/Netflow_Traffic_Analyzer_(NTA)/Documentation


© 2016 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published
or distributed, in whole or in part, or translated to any electronic medium or other means without the prior
written consent of SolarWinds. All right, title, and interest in and to the software and documentation are
and shall remain the exclusive property of SolarWinds and its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED,
STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING
WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR
PURPOSE, AND NONINFRINGEMENT. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS
BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN
IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds and other SolarWinds marks, identified on the SolarWinds website, as updated from
SolarWinds from time to time and incorporated herein, are registered with the U.S. Patent and Trademark
Office and may be registered or pending registration in other countries. All other SolarWinds trademarks
may be common law marks or registered or pending registration in the United States or in other countries.
All other trademarks or registered trademarks contained and/or mentioned herein are used for
identification purposes only and may be trademarks or registered trademarks of their respective
companies.

LEM 6.3.x
October 4, 2016

page 2
Table of Contents
Log & Event Manager Quick Start and Deployment Guide 8

Product terminology 8

Plan your deployment 11

Scaling LEM deployments 12

Multi-level deployment scenarios 12

Multiple virtual appliance stack 12

Individual virtual appliances 13

Single location deployment example 14

Multi-location deployment example 15

Licensing 16

Best practices 16

Port requirements 16

Fine tuning 16

Tune your WFP events 16

Review your rule configurations 16

Validate your virtual appliance reservations 17

Install the virtual appliance 18

Installation requirements 18

Virtual appliance 18

Web console 19

LEM agent 19

Oracle Solaris agent upgrades 20

Port requirements 20

Install and set up the hypervisor 21

Prepare the installation files 21

QUICK START AND DEPLOYMENT GUIDE: LOG & EVENT MANAGER

Deploy the virtual appliance 23

Before you begin 23

Deploy LEM using VMware vSphere 23

Start the virtual appliance 24

Supported and unsupported URLs 24

Deploy LEM using Microsoft Hyper-V 24

Start the virtual appliance 25

Supported and unsupported URLs 25

Connect to the virtual appliance 26

Connect using the LEM console 26

Connect using the LEM Desktop console 26

Activate the virtual appliance 28

Apply an activation key 28

Apply your activation key online 28

Apply your activation key offline 29

Secure your LEM appliance 29

Set the date and time zone 31

Reserve system resources in the virtual environment 33

Incoming data traffic 33

Viewing virtual appliance resources, reservations, and storage 33

View the reservation settings using the vSphere client 34

Verify the reservations using the SSH client 35

View the reservation settings in the Hyper-V client 36

Memory settings 36

CPU settings (Windows Server 2008) 36

CPU settings (Windows Server 2012, Windows Server 2016) 36

(Optional) Install the LEM Reports Console 37

Connect the console to your LEM database 38

(Optional) Install the LEM Desktop Console 40

Install Adobe Air Runtime for Windows 40

Install the LEM Desktop Console 40

Import the SSL certificate 41

Resolve the LEM Virtual Appliance host name 41

Collect log data 42

View monitored events and details 42

Filter events 43

Test an event 43

Troubleshoot syslog error messages 43

LEM Console does not display syslog data 44

Identify your syslog data facilities containing log data 44

Configure a connector from the facility to the device 46

View the data from the device 47

Set up your agent nodes 47

LEM agent installation checklist 48

Installation folders 49

Add nodes to monitor 49

Remote installation 50

Local installation 53

Verify the LEM agent connection 53

Add additional log sources 54

View monitored events 54

View event details 55

View the event description 56

Create an event filter 56

Test an event 57

Manage LEM automatic connector updates 57


Other ways to update connectors 58

Set up your deployment 59

Configure your basic settings 59

Set up email alerting 60

Set up Active Directory integration 61

Add new nodes to monitor 62

Define rules and configuration alerts 63

Learn about advanced LEM tools 64

Get started 65

View real-time data 65

View event details 65

Create a filter 66

View filtered events 68

View historical data 69

Search event logs using Search Builder 71

Search event logs using a keyword 73

Refine your search 74

Save a search 76

Schedule a search 76

Export your search results 77

Export to a PDF file 77

Export to a CSV file 78

Run and schedule reports 78

Run a report 79

Run a custom report 80

Schedule a report 82

Advanced Options 88

Set up File Integrity Monitoring 88

Add a FIM connector to a node 89

Scan for new nodes 91

Manage your LEM appliance 93

Find LEM support on the Customer Portal and thwack 95

Access the Customer Portal 95

Create your user profile 95

Explore the Customer Portal 95

Set up additional Customer Portal user accounts 97

Engage with the SolarWinds community 97

Create a thwack account 97

Explore the thwack site 98


Log & Event Manager Quick Start and Deployment Guide
Welcome to the Log & Event Manager Quick Start and Deployment Guide.

This guide will take you from installation to full implementation of Log & Event Manager. As you work
through the topics in this guide, you will complete the following tasks:

• Plan your deployment
• Gather requirements
• Install Log & Event Manager virtual appliance and perform initial setup
• Deploy the virtual appliance on a supported hypervisor
• Activate and connect to the virtual appliance
• Reserve system resources in the virtual environment
• Install the optional LEM Reports and LEM Desktop consoles
• Set up your syslog server and agent nodes
• Set up your deployment
• View historical and real-time data
• Run and schedule reports
• Set up File and Integrity Monitoring (FIM)
• Scan for new nodes
• Manage your LEM appliance

Existing customers: Access your licensed software from the SolarWinds Customer Portal. If you need any
implementation help, contact our Support Geeks.

Evaluators: Download your free 30-day evaluation here. If you need assistance with your evaluation,
contact sales@solarwinds.com.

Product terminology
The following terms define the components used in Log & Event Manager.

Agent: A software application that collects and normalizes log data before it is sent to the LEM Manager.

Alert: LEM containers used to display events and messages from LEM-monitored devices.

Build view: Provides options for customizing LEM behavior.

Complexity of configured rules: Complex conditions involving multiple types of events, thresholds, and
longer time frames require more resources than rules with simple conditions.

Connector: A software component that converts raw events collected from a network device into
normalized events. Connectors can reside on device agents or the LEM appliance.

Desktop Console: An application powered by Adobe Air Runtime that monitors your LEM Appliance in
place of the LEM Console. You can use this console if your corporate IT requirements restrict you from
using a web browser-based solution with Adobe Flash.

Event: An unaltered message from a LEM-managed device.

Events per second or Events per day: The total number of distinct events received by the LEM appliance
per second or per day (generally per second is considered an average). For example, the environment with
865 nodes can generate approximately 50 million events per day (or about 550 events per second).

Explore view: Provides access to data analysis utilities to retrieve additional information about the events
you see in the LEM console.

Hypervisor: A software application that runs a virtual appliance on a Windows-based server, such as
VMware® vSphere® and Microsoft® Hyper-V®.

Kerberos: A network authentication protocol used to provide strong authentication in a non-secure
network using secret-key cryptography.

Keytab file: Used by LEM to access Active Directory directly for Kerberos authentication. This file contains
user account credentials, but the password is hashed.

LEM Manager: The deployed virtual appliance that captures syslog data from local network devices. The
LEM Manager includes a syslog server, optimized database, web server, correlation engine, and a
hardened Linux operating system.

Manage view: Provides details about your LEM architecture.

Monitor view: Displays all monitored events on your network in real time. You can create filters and
widgets that group and display different events from your agents, managers, and network devices.

Network device: A log source (such as a firewall, router, switch, or third-party software) that sends log
messages to the LEM Manager.

Nodes: Systems and devices that send data to your LEM appliance, such as servers, workstations, network
devices, and security devices. For example, an environment with 10 routers, 50 switches, 300 servers, five
firewalls, and 500 workstations sending data to your LEM appliance is equivalent to 865 nodes.

Normalized vs. original log (raw) storage: By default, all sizing details assume the Log & Event Manager
default normalized data store is the only enabled store. If original log message storage is enabled,
increase your resources accordingly.

OPS Center view: Provides a graphical representation of your log data in the LEM Console. It includes
several widgets that help you identify problem areas and trends in your network. The Monitor view
displays events in real time as they occur in your network. The Explore view provides tools for investigating
events and related details. The Build view creates user components that process data on the
LEM Manager. The Manage view manages properties for appliances and nodes.

Reports Console: A standalone application that schedules and runs preconfigured reports against your
LEM database data. The console is a separate installation on your desktop or laptop system.


Rules: A LEM appliance component that provides automated actions based on specific alert correlations.

Rules triggered per day or Rules triggered per second: The total number of correlation rules that meet
all criteria and are triggered per second or per day (generally per second is considered an average). For
example, an environment can have 15 different correlation rules configured that fire approximately once
every hour, or approximately 360 rules triggered per day.

Single Sign-on (SSO): Enables the LEM appliance to use LDAP Kerberos-based authentication credentials
to access Active Directory (AD) for user access control to LEM roles and database reports. SolarWinds
deploys SSO in LEM using a keytab generated by Active Directory to enforce user account security.

Syslog server: A software application (such as Kiwi Syslog Server) that collects syslog messages and
SNMP traps from network devices (such as firewalls, routers, and switches).

Virtual Appliance: A virtual image of a Linux-based physical computer that collects and processes log and
event information. You can deploy the virtual appliance using VMware vSphere or Microsoft Hyper-V client.

Web Console (or LEM Console): Provides a browser-based method to monitor your LEM Appliance. The
console is organized into five functional areas called views. These views organize and present different
information about the components that comprise the LEM system.

Plan your deployment
Use this table to size your SolarWinds environment.

Deployment size is impacted by throughput of events and performance degradation.

Use the largest sizing that reflects your environment. For example, if you are running a small deployment
and begin to notice performance degradation at 300 nodes, move to a medium deployment. As the
number of nodes and data traffic changes over time, move to a deployment that supports your enterprise.

The hard drives are defined when the virtual appliance host is created. Installing LEM in a SAN is
preferred, but high-speed hard drives (such as SSD drives) are required for high-end deployments.

When using original log (raw) storage, increase your CPU and memory resources by 50%. See your
hypervisor documentation for more information.

SIZE OF DEPLOYMENT: Small (Receive 5M – 35M events and trigger up to 500 rules per day)

HARDWARE:
• 2 – 4 core processors at 2.0 GHz
• 8 GB RAM
• 250 GB hard drive with 40 – 200 IOPS

DEVICES: Fewer than 500 nodes in the following combinations:
• 5 – 10 security devices
• 10 – 250 network devices, including workstation endpoints
• 30 – 150 servers

SIZE OF DEPLOYMENT: Medium (Receive 30M – 100M events and trigger up to 1000 rules per day)

HARDWARE:
• 6 – 10 core processors at 2.0 GHz
• 16 GB – 48 GB RAM
• 1 TB hard drive with 200 – 400 IOPS

DEVICES: Between 300 and 2,000 nodes in the following combinations:
• 10 – 25 security devices
• 200 – 1000 network devices, including workstation endpoints
• 50 – 500 servers

SIZE OF DEPLOYMENT: Large (Receive 200M – 400M events and trigger up to 5000 rules per day) *

HARDWARE:
• 10 – 16 core processors at 2.0 GHz
• 48 GB – 256 GB RAM
• 2 TB hard drive with 400 or more IOPS

DEVICES: More than 1,000 nodes in the following combinations:
• 25 – 50 security devices
• 250 – 1000 network devices, including workstation endpoints
• 500 – 1000 servers

* The most successful large deployments receive up to 250M events per day.

Scaling LEM deployments

While LEM can be deployed with multiple virtual appliances, 98% of all deployments perform well as a
single appliance you can scale using resources available from the virtual host. See the installation
requirements to ensure that your hardware systems meet the minimum software and hardware
requirements.

Multi-level deployment scenarios

To increase your performance, you can deploy multiple virtual appliances to divide the Log & Event
Manager appliance load across your infrastructure.

There are two common multi-level deployment scenarios:

• Multiple virtual appliance stack
• Individual virtual appliances

You can increase your performance if each virtual appliance is deployed on a separate hardware machine.
If your virtual appliances are deployed on the same hardware host, the negative performance impact is
minimal.

MULTIPLE VIRTUAL APPLIANCE STACK

You can use multiple virtual appliances to segment and distribute the load by functional area and physical
location, providing dedicated processing for:

• Management and event analysis
• Database storage, search, and reporting
• Log storage, search, and analysis
• Log collection

Use this configuration to assign appropriate resources in different configurations.

The following illustration shows an example of a multiple virtual appliance stack.

INDIVIDUAL VIRTUAL APPLIANCES
Multiple appliance deployments provide a consolidated, real-time search and management view in a
single LEM console. This type of deployment is recommended if your corporate enterprise includes logical
divides in management or monitoring responsibilities.

The following illustration shows an example of individual virtual appliances deployed in LEM.


Single location deployment example

This deployment example uses one syslog server based in one location to collect log data from your
network devices in a local network. The syslog server is installed in a Windows-based system hosting the
LEM Manager, which captures the syslog data from the network devices. You can use this deployment to
collect syslog data from one location.

In this deployment, the network devices send syslog data to the LEM Manager over TCP or UDP.
Workstations and servers hosting applications use LEM agents to initiate TCP connections and push syslog
data to the LEM Manager running on a supported vSphere or Hyper-V hypervisor. The syslog server
receives the logs on port 514 and saves the logs to the LEM Manager /var/log file partition. The log
filename varies, based on the target facility configured on the network device.

If your log sources are located behind firewalls, see SolarWinds LEM port and firewall information
to open the necessary ports or the SolarWinds Port Requirements for SolarWinds Products Guide
for a list of all ports required to communicate with LEM.
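The paragraph above notes that the log file a message lands in depends on the facility the network device was configured to send to. As an added illustration of that routing (this is not SolarWinds code, and not how the LEM syslog server is implemented), the following Python decodes the PRI field of BSD-style syslog messages (RFC 3164) into facility and severity and files each message by facility under /var/log. The facility-to-file mapping and the sample messages are constructed for the example.

```python
# Added example, not SolarWinds code: decode the PRI field of BSD-style syslog
# messages (RFC 3164) into facility and severity, then file each message the
# way a facility-based receiver would under the /var/log partition. The
# file-name mapping and the sample messages are constructed for illustration;
# a real syslog server's mapping depends on its own configuration.
import re
from dataclasses import dataclass
from typing import Dict, List

FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# PRI is "<n>" at the very start of the line, where n = facility * 8 + severity.
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


@dataclass
class SyslogMessage:
    facility: str
    severity: str
    body: str


def parse_syslog(line: str) -> SyslogMessage:
    """Split one raw syslog line into facility, severity and the remaining text."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("missing or malformed PRI field")
    pri = int(m.group(1))
    if pri > 191:                      # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI {pri} out of range")
    return SyslogMessage(FACILITIES[pri // 8], SEVERITIES[pri % 8], m.group(2).strip())


def facility_logfile(facility: str, base: str = "/var/log") -> str:
    """Constructed facility-to-file mapping (an assumption, not LEM's actual layout)."""
    return f"{base}/{facility}.log"


# Constructed sample traffic: a firewall logging to local4, a switch to local7,
# and a server's SSH daemon using the auth facility.
SAMPLE_LINES = [
    "<163>Jul 19 10:15:32 fw01 deny inbound tcp 203.0.113.5 -> 10.0.0.7 port 23",
    "<190>Jul 19 10:15:33 sw02 link state change on port 12",
    "<38>Jul 19 10:15:34 srv03 sshd[2211]: Accepted publickey for admin from 10.0.0.50",
]


def route_by_facility(lines: List[str]) -> Dict[str, List[SyslogMessage]]:
    """Group messages by the log file a facility-based receiver would write them to."""
    buckets: Dict[str, List[SyslogMessage]] = {}
    for line in lines:
        msg = parse_syslog(line)
        buckets.setdefault(facility_logfile(msg.facility), []).append(msg)
    return buckets


if __name__ == "__main__":
    for path, msgs in route_by_facility(SAMPLE_LINES).items():
        for msg in msgs:
            print(f"{path}: [{msg.severity}] {msg.body}")
```

Running the block shows the firewall message filed under local4, the switch under local7 and the SSH login under auth. When the LEM console shows no data for a device, decoding a captured line this way tells you which facility the device is actually using, which is the first thing to compare against the connector's configuration.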

Multi-location deployment example
This deployment example uses two syslog servers based in two locations to collect log data from your
network devices in a wide area network (WAN). The syslog server is installed in two Windows-based
systems hosting the LEM agent, which captures the syslog data from the network devices. You can use this
deployment to collect syslog data from two remote locations.

This architecture detaches and distributes the syslog servers in separate locations, rather than using the
Syslog server in the LEM Manager. Both locations include a local syslog server. The LEM connectors
normalize the original log messages into LEM events. You can implement this scenario when your change
management processes prevent you from adding new logging hosts on your network devices.

If you deploy a detached Syslog server (such as a Kiwi syslog server), install a LEM Agent on both syslog
servers, and then enable the appropriate connectors on the LEM Agent.

Automatic log scanning does not apply to the LEM Agent. However, new nodes can be discovered by
the enabled connectors.

If your log sources are located behind firewalls, see SolarWinds LEM port and firewall information
to open the necessary ports or the SolarWinds Port Requirements for SolarWinds Products Guide
for a list of all ports required to communicate with LEM.


Licensing
Licensing your Log & Event Manager deployment is based on:

• The number of universal nodes (systems running Windows Server or Unix operating systems and
non-agent devices such as switches, routers, and firewalls).
• The number of workstation nodes (systems running Windows and the LEM Agent on desktop
systems).

For example, with an LWE250 for LEM30 license, you can add 250 Windows workstation nodes and 30
universal nodes.

Best practices
When you initiate your Log & Event Manager deployment, SolarWinds recommends applying the correct
port requirements and fine tuning your installation to ensure peak performance.

PORT REQUIREMENTS
See the SolarWinds Port Requirements for SolarWinds Products Guide for the current LEM port
requirements.

FINE TUNING
To minimize processor and memory resources, SolarWinds recommends reviewing your Log & Event
Manager logging resources, fine-tuning your rules, and verifying that your virtual appliance is running
properly.

Windows filtering platform (WFP) events are logged into Windows event logs when specified by
auditing policies.

TUNE YOUR WFP EVENTS

Adjust your Windows filtering platform events and enable WFP logging only on nodes that require that
level of auditing. Windows environments often have WFP logging enabled by default, which may not be
required. See Disable Windows filtering platform alerts using Alert Distribution Policy article for more
information.

REVIEW YOUR RULE CONFIGURATIONS

Ensure that your rules are not triggered too frequently. This can be caused by:

• Low threshold settings. Consider increasing the threshold for rules that trigger due to network
traffic.
• Broadly-defined conditions. Define rules to apply only to specific user names, IP addresses, or
systems. Consider whether a different set of rules with different conditions could serve two distinct
areas of your environment.
• Rules using event groups instead of a single event or subset of events. Rules that detect
authentication or network traffic may trigger on additional events, but may only apply to a subset
of those events.
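To see how the three causes above change how often a rule fires, here is an added example written for this discussion (not SolarWinds code, and not LEM's rule engine): a small correlation-rule replay over constructed login events. It compares a rule built on an event group with threshold 1, the same rule with only a threshold added, and a rule that is also scoped to specific users and source addresses. The event fields, the Rule shape, the internal address prefix and the sample events are all assumptions made for the example.

```python
# Added example, not SolarWinds code: a minimal correlation-rule replay that
# shows why broad conditions, low thresholds and event groups make a rule noisy.
# The event fields (t, type, user, src), the Rule shape and the sample events
# are all constructed for this illustration; LEM's own rule engine differs.
from collections import deque
from dataclasses import dataclass
from typing import Callable, Dict, List

Event = Dict[str, object]


@dataclass
class Rule:
    name: str
    match: Callable[[Event], bool]  # which events the rule considers at all
    threshold: int = 1              # matching events needed inside the window
    window: float = 60.0            # window length in seconds
    group_by: str = "src"           # count separately per this field


def evaluate(rule: Rule, events: List[Event]) -> List[float]:
    """Replay events in time order; return the times at which the rule fires."""
    fired: List[float] = []
    recent: Dict[object, deque] = {}
    for ev in sorted(events, key=lambda e: e["t"]):
        if not rule.match(ev):
            continue
        q = recent.setdefault(ev.get(rule.group_by), deque())
        q.append(ev["t"])
        while q and ev["t"] - q[0] > rule.window:   # drop events outside the window
            q.popleft()
        if len(q) >= rule.threshold:
            fired.append(ev["t"])
            q.clear()                                # one burst fires once
    return fired


def sample_events() -> List[Event]:
    """Constructed five minutes of authentication events from one server."""
    evs: List[Event] = []
    # Expected noise: a monitoring account that fails a scripted login every 10 s.
    for i in range(30):
        evs.append({"t": i * 10.0, "type": "auth_failure", "user": "svc_probe", "src": "10.0.0.50"})
    # A user mistyping a password twice, then logging in.
    evs += [
        {"t": 100.0, "type": "auth_failure", "user": "alice", "src": "10.0.0.9"},
        {"t": 104.0, "type": "auth_failure", "user": "alice", "src": "10.0.0.9"},
        {"t": 110.0, "type": "auth_success", "user": "alice", "src": "10.0.0.9"},
    ]
    # The burst that should produce exactly one alert: 8 failures against admin
    # from an external address (198.51.100.0/24 is a documentation range) in 30 s.
    for i in range(8):
        evs.append({"t": 200.0 + i * 4, "type": "auth_failure", "user": "admin", "src": "198.51.100.7"})
    return evs


INTERNAL_PREFIX = "10."           # assumed internal address space
SERVICE_ACCOUNTS = {"svc_probe"}  # accounts whose failures are expected


def broad_rule() -> Rule:
    # Event group ("auth*") plus threshold 1: fires on every authentication event.
    return Rule("any authentication event", lambda e: str(e["type"]).startswith("auth"), threshold=1)


def threshold_only_rule() -> Rule:
    # Single event type with a threshold, but still counts the service account.
    return Rule("5 failures per source in 60 s", lambda e: e["type"] == "auth_failure", threshold=5)


def tuned_rule() -> Rule:
    # Scoped to one event type, external sources and non-service accounts.
    return Rule(
        "5 external failures per source in 60 s, service accounts excluded",
        lambda e: e["type"] == "auth_failure"
        and e["user"] not in SERVICE_ACCOUNTS
        and not str(e["src"]).startswith(INTERNAL_PREFIX),
        threshold=5,
    )


def compare() -> Dict[str, int]:
    """Number of times each rule fires over the same sample events."""
    events = sample_events()
    return {
        "broad": len(evaluate(broad_rule(), events)),
        "threshold_only": len(evaluate(threshold_only_rule(), events)),
        "tuned": len(evaluate(tuned_rule(), events)),
    }


if __name__ == "__main__":
    for name, count in compare().items():
        print(f"{name:15s} fired {count} times")
```

Over the same 41 events the event-group rule fires 41 times, the threshold-only rule still fires 7 times because the scripted service-account failures keep crossing the threshold, and the scoped rule fires once, on the external burst. The replay is a useful habit before enabling a rule in production: feed it a day of representative events and count triggers before the correlation engine does.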

VALIDATE YOUR VIRTUAL APPLIANCE RESERVATIONS

Your virtual environment may include adequate system resource reservations. However, system
requirements can change over time, new resource allocations can be applied, or temporary limitations can
become permanent. For optimal performance, ensure that you reserve the required system resources in
your virtual environment. Allocating resources during your deployment may result in intermittent
resource access or system restarts before the new allocation is recognized.

Install the virtual appliance
This section provides the system requirements for your LEM manager and information about installing the
hypervisor and preparing the installation files.

Installation requirements
Before you install SolarWinds LEM, ensure that your hardware systems meet the minimum software and
hardware requirements. LEM is only supported on Microsoft Windows-based platforms.

Your deployment may require additional resources. See Plan your deployment for hardware and device
specifications based on your deployment architecture.

In this section:

• Virtual appliance 18

• Web console 19

• LEM agent 19

• Port requirements 20

VIRTUAL APPLIANCE

HARDWARE REQUIREMENTS

CPU: Dual Core, 2 GHz*
Memory: 8 GB*
Hard drive space: 250 GB* (2.0 TB is recommended for larger deployments)

* These are the minimum requirements. Depending on your deployment, you may need to add additional
resources for additional log-traffic volume and data retention.

SOFTWARE REQUIREMENTS

Hypervisor:
• VMware vSphere ESX 4.0 and later
• VMware vSphere ESXi 4.0 and later
• Microsoft Hyper-V Server 2008 Release 2 (R2)
• Microsoft Hyper-V Server 2012
• Microsoft Hyper-V Server 2012 R2
• Microsoft Hyper-V Server 2016

WEB CONSOLE

HARDWARE / SOFTWARE REQUIREMENTS

Adobe Flash: Flash Player 15
Web browser:
• Microsoft Internet Explorer® 8 and later
• Mozilla Firefox® 10 and later
• Google® Chrome™ 17 and later

LEM AGENT

HARDWARE / SOFTWARE REQUIREMENTS

Operating System:
• Apple® Macintosh®
• HP-UX
• IBM AIX
• Linux
• Oracle® Solaris
• Windows Vista
• Windows 7
• Windows 8
• Windows 10
• Windows Server 2000
• Windows Server 2003
• Windows Server 2008
• Windows Server 2012
• Windows Server 2016

CPU: 450 MHz Pentium III or equivalent*
Memory: 128 MB*
Hard Drive Space: 1 GB*
Environment Variables: Administrative access to the device hosting the LEM Agent

* These requirements are the default settings. Depending on your deployment, you may need to add
additional resources for additional log-traffic volume and data retention.

ORACLE SOLARIS AGENT UPGRADES

Beginning with version 6.3, LEM supports the 64-bit Java 8 Runtime Environment (JRE). Since Oracle did not
release a 32-bit version of Java for Solaris, you must manually upgrade the agents running on these
systems.

To upgrade your 32-bit Solaris SPARC and Solaris Intel agents, download the Solaris SPARC Agent and
Solaris Intel Agent installers from the Customer Portal and run these installers on your Solaris systems. In
a future release, the LEM console will support updates for 64-bit Solaris agents when they are available.

PORT REQUIREMENTS
Port requirements are posted to the SolarWinds Success Center. If your log sources are located behind a
firewall, see the following pages for information about the ports to open.

• For LEM, see SolarWinds LEM Port and Firewall Requirements:
https://support.solarwinds.com/Success_Center/Log_Event_Manager_(LEM)/SolarWinds_LEM_Port_and_Firewall_Requirements

• If you use multiple SolarWinds products, see Port requirements for all SolarWinds products:
https://support.solarwinds.com/Success_Center/Network_Performance_Monitor_(NPM)/Port_requirements_for_all_SolarWinds_products


Install and set up the hypervisor

The hypervisor software provides the virtual environment that hosts your LEM deployment.

To get started, download the Microsoft Hyper-V or VMware vSphere software to your host system. When
the download is completed, follow the directions included with your software to configure the software
and associated client (if applicable). See the installation requirements for the supported versions.

See your hypervisor documentation for detailed instructions about the features in both products and
working in the Hyper-V or vSphere interface.

Prepare the installation files

The LEM free trial download is an executable file that contains everything you need to install and begin
working with LEM.

1. Download a free trial of Log & Event Manager.


2. Double-click the evaluation EXE file to extract the necessary files and tools to a folder on your
desktop.
The files in each executable contain the virtual appliance image to deploy Log & Event Manager
using the VMware vSphere or Microsoft Hyper-V hypervisors.

3. Follow the prompts in the Quick Start: Log and Event Manager wizard to complete the installation.

The default deployment uses swi-lem as the host name and attempts to pull network configurations from
the DHCP server. You can change the host name and IP address after you complete the deployment.

By default, Log & Event Manager deploys with 8GB RAM and 2CPUs on both hypervisor platforms.

Deploy the virtual appliance
You can deploy Log & Event Manager using the VMware vSphere or Microsoft Hyper-V hypervisor. The
default deployment uses swi-lem as the hostname and pulls the network configurations from the DHCP
server. You can configure a static IP address or hostname after you complete the deployment.

By default, LEM deploys with 8GB RAM and 2 CPUs on the vSphere and Hyper-V hypervisor
platforms.

Before you begin

• Use an account with local administrative rights.
• Review your IT policy and verify the account is not subject to any local or group policy restrictions.
• Use the Run as administrator option when launching the installer on a system running Windows
Server 2008.

Deploy LEM using VMware vSphere

After you deploy your VMware vSphere hypervisor on a supported host system and prepare the
installation files, deploy Log and Event Manager using the Log & Event Manager evaluation file for Hyper-V.

Be sure you have a supported version of Internet Explorer, Firefox, or Chrome to access the LEM console.

If you are using a non-US keyboard to perform the installation, use SSH to input the settings.

1. Start the VMware vSphere Client and log in with VMware administrator privileges.
2. Deploy the open virtualization format (OVF) template.

3. Open the SolarWinds Log & Event Manager folder located on your desktop and double-click:
Deploy First—LEM Virtual Appliance.ova

4. Complete the setup wizard.


When prompted, select the Thin Provisioned disk format.

Thin provisioning offers more performance flexibility than thick provisioning, but requires
more oversight than thick provisioning. Thin provisioning provides increased performance by
dedicating physical storage space.

5. Map the network interface card (NIC) to the appropriate network.


6. When the OVF deployment is completed, click Finish.

If your LEM deployment receives greater than 15 million events per day, adjust your system
resource reservations to handle the increased load. See Reserve system resources in the
virtual environment for information about configuring resource reservations for a large
deployment.

START THE VIRTUAL APPLIANCE

After you deploy the OVF file, start the virtual appliance.

1. Select the SolarWinds Log and Event Manager virtual appliance and click Play.

2. Click the Console tab.

3. Record the IP address.

4. Connect to the virtual appliance.

SUPPORTED AND UNSUPPORTED URLS

If you are using the host name for the URL, add the LEM host name or IP address into your DNS server.

Port 8080 is not secure and is automatically disabled when the activation process is completed. Port
8443 is always available.

SUPPORTED URLS:
http://<your_ip_address>
http://<your_ip_address>:8080/lem
http://<your_hostname>
https://<your_hostname>:8080/lem
https://<your_hostname>:8443/lem

UNSUPPORTED URLS:
https://<your_ip_address>
https://<your_ip_address>:8443/lem

Deploy LEM using Microsoft Hyper-V

You can download the Log & Event Manager evaluation software from the SolarWinds LEM website. After
you complete the registration, a web page displays where you can download the Log & Event Manager
evaluation file for Hyper-V.

1. Start the Microsoft Hyper-V Manager and log in with administrator privileges.
2. Select the action to import a virtual machine.
3. In the Import Virtual Machine window, click Browse and select the following file in the SolarWinds Log
and Event Manager folder:
Deploy First - LEM Virtual Appliance.ova

4. Complete the setup wizard.

5. In the Settings box, select Move or restore the virtual machine (use the existing unique ID).
6. Click Import to install the LEM virtual machine in Hyper-V and complete the deployment.
The OVA file is imported into your virtual machine.

7. In the Hyper-V Manager, configure additional settings (such as Memory, CPU, networking, and
storage space) to complete your configuration.

By default, the virtual machine is configured with the minimum requirements. The resource
reservations will be set automatically to ensure optimal performance.

If you expect your LEM deployment to receive more than 15 million events per day, adjust your
system resource reservations. See Reserve system resources in the virtual environment for
information about configuring resource reservations for a large deployment.

START THE VIRTUAL APPLIANCE

1. Locate SolarWinds Log and Event Manager in the Actions column and click Start.
2. Record the IP address that displays after the virtual appliance starts.
3. Connect to the virtual appliance.

SUPPORTED AND UNSUPPORTED URLS

If you are using the hostname for the URL, add the LEM hostname or IP address into DNS.

Port 8080 is unsecure and is automatically disabled after activation has been completed. Port 8443
is always available.

SUPPORTED URLS:
http://<your_ip_address>
http://<your_ip_address>:8080/lem
http://<your_hostname>
https://<your_hostname>:8080/lem
https://<your_hostname>:8443/lem

UNSUPPORTED URLS:
https://<your_ip_address>
https://<your_ip_address>:8443/lem
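The note above (and the same note in the vSphere section) says port 8080 is disabled automatically once activation completes. As an added check that is not SolarWinds code, the following Python probes the appliance from an administrative host and reports whether 8080 has in fact stopped accepting connections while 8443 still answers. LEM_HOST is a placeholder for your appliance's host name or address, and the states are classified only from the TCP connect result.

```python
# Added check, not SolarWinds code: from an administrative host, confirm that
# the plain-HTTP port (8080) no longer accepts connections after activation
# while the TLS port (8443) still does. LEM_HOST is a placeholder to replace
# with your appliance's host name or address; states are classified only from
# the TCP connect result.
import socket
from typing import Dict, Tuple

LEM_HOST = "lem.example.invalid"   # placeholder: your appliance's host name or IP


def probe_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'closed' (refused), 'unresolved' (bad name) or 'filtered' (no answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.gaierror:
        return "unresolved"
    except OSError:               # timeout, unreachable, or no network in this environment
        return "filtered"


def check_activation_ports(host: str, insecure_port: int = 8080,
                           secure_port: int = 8443, timeout: float = 3.0) -> Tuple[bool, Dict[int, str]]:
    """Expected state after activation: the insecure port is not reachable, the secure port is open."""
    state = {
        insecure_port: probe_port(host, insecure_port, timeout),
        secure_port: probe_port(host, secure_port, timeout),
    }
    ok = state[insecure_port] != "open" and state[secure_port] == "open"
    return ok, state


if __name__ == "__main__":
    ok, state = check_activation_ports(LEM_HOST)
    for port, st in state.items():
        print(f"port {port}: {st}")
    print("post-activation port state OK" if ok else "WARNING: unexpected port state")
```

Run it from the console host after the appliance has been activated. If 8080 still reports open, activation has not completed; if 8443 reports filtered, check the firewall rules between the console host and the appliance before troubleshooting the appliance itself.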


Connect to the virtual appliance

You can connect to the virtual appliance using the web-based LEM console or the stand-alone LEM Desktop
console.

If your corporate IT requirements restrict you from using a web browser-based solution with Adobe Flash,
consider installing the LEM Desktop Console with Adobe AIR runtime.

Connect using the LEM console

The LEM console requires no additional installation but requires a supported web browser to connect to
the LEM appliance.

1. Open a supported web browser.


2. Enter the IP address you received while configuring your VMware vSphere or Microsoft Hyper-V
software.
The default admin credentials automatically populate the login dialog.

3. Click Connect to log in.


4. Create a new password.
When the LEM console connects to the LEM virtual appliance for the first time, it prompts you
to change your password. Your password must be between 6 and 40 characters and contain
at least one uppercase letter and one number.

5. Enter your email address to participate in the SolarWinds Improvement Program and send
anonymous data about your usage to SolarWinds. Clear the check box to decline.
6. Click Save.
The installation is completed.

Connect using the LEM Desktop console


The LEM desktop console requires a separate installation and some configuration to connect to the
LEM Virtual Appliance.

1. Start the desktop console.
2. In the login window, click Advanced Properties.

3. Complete the fields and selections as required.

4. Click Connect.
The installation is completed.


Activate the virtual appliance


After you deploy the OVA file, activate your appliance by applying an activation key, securing your
LEM appliance, and setting the date and time.

Be sure to activate the appliance after boot-up. Otherwise, you may experience unexpected results with
your appliance.

Apply an activation key


If you are evaluating Log & Event Manager, you do not need to apply an activation key to activate the virtual
appliance. For 30 days, you will have unlimited access to all product features.

If you have not purchased and provided a license key after 30 days, the application will stop collecting
event logs from your syslog and agent devices. You can continue using Log and Event Manager in this
mode and access your saved logs. Applying a license reactivates event log collection so you can continue
monitoring all events in your deployment. If you need to extend your evaluation period, contact Customer
Sales.

You can upgrade to a fully-functional production version by purchasing a new license from Customer Sales
and downloading the license key from the Customer Portal. After you install the new license key, you can
access all features within the LEM appliance.

You cannot upgrade your license using the SolarWinds License Manager.

APPLY YOUR ACTIVATION KEY ONLINE


If your LEM Console is connected to the Internet, you can automatically apply a new license key online
using the LEM Console. Applying a license key reactivates log event collection, restoring full product
functionality.

1. Download your license key from the License Management page in the SolarWinds Customer Portal.

2. Open the LEM Console and log in to your LEM manager with your admin credentials.
3. Click Manage > Appliances.
4. Click License in the Properties pane.
5. Select Automatic in the Type field.
6. Enter the license key in the Key field.

7. Enter your name, email, and telephone number without special characters (such as dashes or
periods) in the appropriate fields.
8. Click Activate.
9. Click OK when the license is activated.

APPLY YOUR ACTIVATION KEY OFFLINE
If your LEM Console is not connected to the Internet, you can apply a new license key offline using the
LEM Console and a computer with Internet access. Applying a license key reactivates log event collection,
restoring full product functionality.

You cannot upgrade your license using the SolarWinds License Manager.

1. Open the LEM Console and log into your LEM Manager as an administrator.
2. Navigate to Manage > Appliances.
3. Select the License tab on the Properties pane.
4. In the License Activation pane, select Manual in the Type field.
5. Copy the Unique ID of this LEM Virtual Appliance.
If the computer hosting LEM Manager does not have Internet access, manually copy and paste the
Unique ID into a text file and save the file to a shared drive accessible from a computer with Internet
access.

6. On a separate system with Internet access, generate a license file.


a. Navigate to the SolarWinds Customer Portal.
b. Select License Management and then select License Management again.
c. Under the LEM product, select Activate license manually.
d. In the pop-up window, fill in the form and paste the LEM Virtual Appliance's Unique ID in the
form.
e. Click Generate License File to download your license file to your hard drive. If your LEM
installation is on a system without Internet access, save the license file to a shared drive that
your LEM Console can access.
7. In the License Activation pane, click Update License and select the downloaded license file.
8. Click Activate at the bottom of the License tab.

Secure your LEM appliance


After you install your license, complete your appliance configuration by executing the Activate command in
the Appliance menu. This process will help you secure your LEM appliance from unauthorized users.

Be sure to run the Activate command and configure your appliance after boot-up. Otherwise, you
may experience unexpected results with your appliance.

During the activation procedure, you can:

• Configure a static IP address
• Configure a secure password
• Lock down web port 8080 and redirect access to port 80 for increased security
• Verify your network configurations
• Change your hostname (if desired)
• Restrict access to the Reports applications
• Export a certificate to use the optional LEM Desktop Console

If you plan to use the LEM Desktop Console powered by Adobe AIR Runtime instead of the LEM Console,
import the virtual appliance CA SSL certificate to the certificate store during the activation. When the
activation is completed, the LEM Console connects with the virtual appliance using secure communications
on port 8443.

SolarWinds recommends configuring a static IP address for your LEM appliance. If you run
DHCP and your IP address changes during the evaluation period, your deployed agents may be
disconnected and require additional troubleshooting to resolve.

1. Open a command line interface.


In VMware, click the Console tab.
In Hyper-V Manager, open a PowerShell window.

You can also use PuTTY to activate the appliance. Log in using the appliance IP address and
port 32022 or 22.

2. Log in to the appliance.

a. At the login as prompt, type cmc and press Enter.


b. At the password prompt, type your password and press Enter.

The default password is password.

The cmc> prompt opens with a list of available commands.

3. Configure the appliance with a static IP address.
a. At the cmc> prompt, type appliance and press Enter.
The prompt changes to cmc::acm#, indicating you are in the appliance configuration menu.

b. At the cmc::acm# prompt, type activate and press Enter.


c. Enter and validate a cmc password.
d. When prompted, select Yes to configure a static IP address for your appliance.

e. At the cmc::acm# prompt, type netconfig and press Enter.


f. At the prompt, type static and press Enter.

g. Follow the steps on your screen to configure the Manager Appliance network parameters.

Be sure to enter a value for each prompt. Leaving blank entries results in a faulty
network configuration that requires you to rerun netconfig.

h. Record the IP address assigned to your appliance. You will use this IP address to log in to the
LEM Console.
4. When prompted, select Yes to specify a hostname or No to accept the default hostname.
To specify a hostname, use the following guidelines:

• Use the standard hostname naming conventions.
• Use hostname labels that only contain the ASCII letters a through z (in a case-insensitive
manner), the digits 0 through 9, and the hyphen (-).
• Do not use hostnames that start with a digit or a hyphen or end with a hyphen.
• Do not include symbols, punctuation characters, or white spaces.
5. When prompted, select Yes to specify a list of IP addresses that can access reports. This is the
recommended setting.
6. Confirm your network configuration.
At the cmc::acm# prompt, enter viewnetconfig, press Enter, and review your network
configuration.

To ensure secure communications between the desktop software and the virtual appliance,
the SSL certificate is automatically exported from the virtual appliance when the activation is
completed.
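As an added check (not part of the SolarWinds guide), the following Python validator applies the hostname rules from step 4 before you type a name at the cmc prompt. The 63-character label and 253-character total limits are standard DNS limits (RFC 1035) that the guide does not state; the sample names are constructed.

```python
import re

# Label pattern: starts with a letter (the guide rules out a leading digit, which is
# stricter than RFC 1123), then letters, digits or hyphens, not ending in a hyphen.
_LABEL_RE = re.compile(r"^[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

# Standard DNS size limits (RFC 1035); assumed here, not stated by the guide.
MAX_LABEL_LEN = 63
MAX_HOSTNAME_LEN = 253


def hostname_problems(hostname):
    """Return the list of rule violations; an empty list means the name is acceptable."""
    if not hostname:
        return ["hostname is empty"]
    problems = []
    if len(hostname) > MAX_HOSTNAME_LEN:
        problems.append("hostname longer than %d characters" % MAX_HOSTNAME_LEN)
    for label in hostname.split("."):
        if not label:
            problems.append("empty label (consecutive or trailing dots)")
        elif len(label) > MAX_LABEL_LEN:
            problems.append("label %r longer than %d characters" % (label, MAX_LABEL_LEN))
        elif not label.isascii() or any(ch.isspace() for ch in label):
            problems.append("label %r contains non-ASCII or whitespace" % label)
        elif label[0].isdigit():
            problems.append("label %r starts with a digit" % label)
        elif label[0] == "-" or label[-1] == "-":
            problems.append("label %r starts or ends with a hyphen" % label)
        elif not _LABEL_RE.match(label):
            problems.append("label %r contains symbols or punctuation" % label)
    return problems


def is_valid_hostname(hostname):
    """True when the name passes every rule in the activation procedure."""
    return not hostname_problems(hostname)


if __name__ == "__main__":
    # Constructed names: one acceptable, the rest each breaking one rule.
    for name in ["lem-01.corp.example", "1lem", "lem-", "lem_01", "lem 01", "lém"]:
        print("%-22s %s" % (name, "; ".join(hostname_problems(name)) or "OK"))
```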

Set the date and time zone


After you activate and configure your appliance, set the date and time in the appliance.

The LEM virtual appliance is configured to synchronize with the hypervisor date and time by default. If the
time zone is off by more than five minutes, the LEM rules will not operate properly.


The time zone is set to Pacific Standard Time by default.

1. Return to the cmc> prompt.


2. Update the time zone in your LEM Manager.
a. At the cmc> prompt, enter appliance and press Enter.
b. At the cmc::acm# prompt, enter dateconfig and press Enter.
c. Press Enter and update the current time zone.
d. At the cmc::acm# prompt, enter tzconfig and press Enter.
e. Press Enter and configure the time zone.
3. Update the time in your hypervisor.
a. At the cmc::acm# prompt, enter manager and press Enter.
b. At the cmc::cmm# prompt, enter viewsysinfo and press Enter.
The system information displays.

    Virtualization Platform: VMware
    ----------------------------------------
    Clock
    Synchronization : Enabled
    Hypervisor Time : 6 May 2016 09:07:31
    Guest Time : Fri May 6 09:07:31 2016

c. Using the space bar, scroll down to Hypervisor Time and change the date and time so they
match the date and time in the LEM Manager.
d. Using the space bar, scroll down to Guest Time and ensure that the date and time matches
the same settings in the LEM appliance.
4. Type Exit and press Enter.
5. Type Exit and press Enter again to exit the CMC interface.
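The guide states that rules stop working properly once the clocks are more than five minutes apart. The following Python script, added here and not part of the SolarWinds guide, parses the viewsysinfo output shown above and flags a guest clock that has drifted past that threshold; the sample output is constructed, with the guest clock set seven minutes ahead so the check has something to report.

```python
from datetime import datetime, timedelta

# The guide's threshold: rules misbehave beyond five minutes of skew.
MAX_SKEW = timedelta(minutes=5)

# Constructed sample modelled on the viewsysinfo output in the guide; the guest
# clock is 7 minutes ahead of the hypervisor so the check fails on purpose.
SAMPLE_OUTPUT = """\
Virtualization Platform: VMware
----------------------------------------
Clock
Synchronization : Enabled
Hypervisor Time : 6 May 2016 09:07:31
Guest Time : Fri May 6 09:14:31 2016
"""

# The two clocks are printed in different formats, so each gets its own pattern.
_FORMATS = {
    "Hypervisor Time": "%d %b %Y %H:%M:%S",   # 6 May 2016 09:07:31
    "Guest Time": "%a %b %d %H:%M:%S %Y",     # Fri May 6 09:07:31 2016
}


def parse_sysinfo(text):
    """Return {'synchronization': bool, 'hypervisor_time': datetime, 'guest_time': datetime}."""
    result = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")   # split on the first colon only
        key, value = key.strip(), value.strip()
        if key == "Synchronization":
            result["synchronization"] = value.lower() == "enabled"
        elif key in _FORMATS:
            field = key.lower().replace(" ", "_")   # hypervisor_time / guest_time
            result[field] = datetime.strptime(value, _FORMATS[key])
    missing = {"synchronization", "hypervisor_time", "guest_time"} - set(result)
    if missing:
        raise ValueError("viewsysinfo output is missing: %s" % ", ".join(sorted(missing)))
    return result


def clock_skew(text):
    """Absolute difference between the hypervisor and guest clocks."""
    info = parse_sysinfo(text)
    return abs(info["guest_time"] - info["hypervisor_time"])


def check_clocks(text, max_skew=MAX_SKEW):
    """True when the guest clock is within max_skew of the hypervisor clock."""
    return clock_skew(text) <= max_skew


if __name__ == "__main__":
    skew = clock_skew(SAMPLE_OUTPUT)
    status = "OK" if check_clocks(SAMPLE_OUTPUT) else "ADJUST CLOCK (rules will not fire reliably)"
    print("hypervisor/guest skew %s -> %s" % (skew, status))
```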

Reserve system resources in the virtual environment

Ensure that the system resources in the virtual environment have ample virtual space and memory to
support the Log & Event Manager software and incoming data traffic. For typical deployments, Log & Event
Manager requires 250GB of system resources on the hypervisor. Large deployments may require 2TB of
resources, which you can reserve on the VMware ESX(i) 4/5+ and Microsoft Hyper-V 2008 R2/2012
hypervisors.

By default, LEM deploys with 8GB of RAM and 2 CPUs on the VMware ESX(i) and Microsoft Hyper-V
platforms.

Log & Event Manager collects data from a continuous stream of traffic that fluctuates based on user,
server, and network activity. The type and volume of traffic varies based on the device sending the traffic
and the audit and log settings on those devices.

Incoming data traffic


Log & Event Manager receives data from syslogs and traps using up to 500 connectors that receive data
traffic from several supported network devices. These connectors translate (or normalize) the data into a
readable and understandable format you can view in the LEM Console.

The normalized events display in the Monitor view, pass through the rules engine for specified actions,
and move into a database for retrieval by the LEM Reports or nDepth search function. To process the data
in real time, Log & Event Manager requires system resource reservations from the virtual appliance host.

When the volume of traffic exceeds 15 million events per day, be sure to reserve additional system
resources to support the additional data traffic.

Viewing virtual appliance resources, reservations, and storage

You can view your virtual appliance resources, reservations, and storage in the Manage > Appliances view.
The Appliances grid displays the virtual appliances and their corresponding details.


The Details pane displays information about your selected manager or appliance. This information
includes the platform, CPU reservation, and memory allocation. To view the Details pane, click Manage and
select Appliances. In the Appliances grid, select the manager or appliance you want to view. If the Details
and Properties panes do not appear in the LEM Console, click the Appliances tab at the bottom of the
screen.

FIELD               DESCRIPTION

Platform            The manager platform name, which can be Trigeo SIM, VMware vSphere, or
                    Microsoft HyperV.

CPU Reservation     The reserved CPU memory. Reserving CPU memory ensures enough system
                    resources are available for the allocated CPUs.

Number of CPUs      The number of processors allocated to the virtual appliance.

Memory Allocation   The maximum amount of memory the manager can use. Set this value at or above
                    the reservation value. You can define this value in the VM configuration. Setting
                    memory allocation to a greater value than the memory reservation has little effect
                    on LEM performance.

Memory Reservation  The amount of memory reserved for this system.

Status              The current connection status of the selected manager or appliance.

Name                The manager or appliance name.

Type                The appliance type (Manager, Database Server, nDepth Server, Logging Server, or
                    Network Sensor).

Version             The manager or appliance software version.

IP Address          The manager or appliance IP address.

Port                The port number used by the LEM Console to communicate with the manager or
                    appliance.

You can view your reservation settings using vSphere or an SSH client (such as PuTTY). See your VMware
vSphere documentation for details about configuring resources, reservations, and storage on a vSphere
virtual appliance.

VIEW THE RESERVATION SETTINGS USING THE VSPHERE CLIENT



1. Log into vSphere.
2. Select the LEM appliance from the list.
3. Click the Summary tab to view the number of CPUs.
The Provisioned Storage value in the Resource area is the total disk space that Log & Event
Manager can use.

At the bottom left, the CPU reservation displays 2.0 GHz.

4. Set the limit to unlimited.


5. Select the Resource Allocation tab.
6. At the bottom right, set the memory reservation to 8MB and the limit to unlimited.

The Configured value must be equal to or higher than the reservation. You may see
memory reservations as high as 256GB of RAM for customers over 150 million events per day.

VERIFY THE RESERVATIONS USING THE SSH CLIENT


You can also view your reservation settings using an SSH client (such as PuTTY). The SSH client requires
the hostname of your LEM appliance.

1. Open a PuTTY session.


a. Click Session.
b. In the Host Name field, enter the hostname of your LEM appliance.
c. In the Port field, enter 32022 or 22.
d. Click Open.
After you log in, a session window displays.

2. Enter the Manager menu.


3. Type viewsysinfo and press Enter.
4. View the CPU > Reservation and the Memory > Reservation settings and make adjustments as
required.
5. At the cmc> prompt, type exit to exit the CMC.


VIEW THE RESERVATION SETTINGS IN THE HYPER-V CLIENT


Use the following tables to verify your Hyper-V client settings. For details about setting resources,
reservations, and storage on a Hyper-V virtual appliance, see your Microsoft Hyper-V documentation.

MEMORY SETTINGS

SETTING                     VALUE
Static RAM                  8GB, 16GB, 24GB, 32GB, 64GB, 128GB, 256GB
Memory Weight               High

CPU SETTINGS (WINDOWS SERVER 2008)

SETTING                     VALUE
Number of processors        2, 4, 6, 8, 10, 12, 14, 16
VM reserve CPU cycles       100%
Limit CPU Cycles            100%
Relative weight for CPU     100%

CPU SETTINGS (WINDOWS SERVER 2012, WINDOWS SERVER 2016)

SETTING                     VALUE
CPU memory details          Click the Advanced tab and set the view and details
CPU Priority                High
Reserve CPU cycle           100%
Limit CPU cycles            100%

(Optional) Install the LEM Reports Console
The LEM Reports Console converts your Log & Event Manager database data into information you can use
to troubleshoot and identify problems in your corporate network. Installed on a separate server or
workstation in a multiple-location deployment, it lets you run over 200 standard and industry-specific
reports that help you make informed decisions about your corporate enterprise.

If your Windows security settings prevent you from installing the LEM Reports Console and the Crystal
Reports Runtime software, download the LEM Reports Console and the Crystal Reports Runtime installers
from the SolarWinds Customer Portal.

After you install the software, install the SolarWinds Log & Event Manager Reports from the Quick
Start: Log and Event Manager splash screen.

1. On the splash screen, scroll down and click Install Desktop Software.
The installer writes to a system folder that is protected by the Windows operating system.

You can also right-click Install Next - LEM Desktop Software in the SolarWinds Log
and Event Manager folder and select Run as administrator.

2. On the Welcome screen, click Next.


3. Verify that you have enough disk space for the installation, and then click Next.


4. On the Begin Installation screen, click Begin Install.


The Crystal Reports Runtime and the LEM Reports Console are installed.

Command boxes may appear during the installation. This process is normal.

5. When the installation is complete, click Close.


The LEM Reports console is installed on your system.

Connect the console to your LEM database


When you enter your manager IP address into the Reports console, you create a connection between the
Reports console and the LEM database server. You can audit users accessing the reporting server running
on the LEM appliance. Only users with admin, auditor, or reports roles can run reports on the LEM
database.

1. Locate the IP address of your LEM virtual appliance and your LEM console login credentials.
2. Right-click Reports on your desktop and select Run as administrator.
To automatically run Reports as an administrator:

a. Right-click the Reports shortcut and select Properties.


b. Click Advanced and select the Run as administrator check box.

c. Click OK.
d. Click OK in the Reports Properties window.
3. Click Yes in the antivirus dialog box to continue.
4. Click OK in the information box to create a list containing at least one manager.

5. Enter the hostname or IP address of your LEM appliance in the Manager Name field.

Whenever you see Manager in reference to LEM, it usually refers to the IP address or
hostname of your virtual appliance.

6. Enter the username and password used to log in to the LEM console.


7. (Optional) Select the Use TLS connection check box to use the transport layer security protocol for a
secure connection.
8. Click Test Connection to verify the connection between the LEM database server and the
LEM Reports console.
The Reports console pings the LEM database and verifies the connection. If the ping is successful,
Ping Successful displays in the dialog box.

9. Click to add the IP address to your LEM Manager list, and then click Yes to confirm.
10. Click Close.
The Reports console is connected to your LEM database and displays on your screen.


(Optional) Install the LEM Desktop Console


The LEM console provides a browser-based method to monitor your LEM appliance. If IT requirements
restrict you from using a browser-based solution, you can install the LEM desktop console. Using the
console, you can monitor your LEM appliance without a web browser.

The LEM desktop console requires Adobe AIR Runtime for Windows.

Install Adobe Air Runtime for Windows


Install this software to monitor your LEM appliance without a web browser.

1. Download Adobe Air Runtime for Windows from your Customer Portal or the Adobe AIR website.
2. Extract the contents of the ZIP file and double-click the installer.
3. Follow the instructions to complete the installation.

Install the LEM Desktop Console


Install this software to monitor your LEM appliance without a web browser.

1. Download the standalone console installer from the SolarWinds Customer Portal.
2. Extract the contents of the ZIP file and double-click the LEM Console installer.
3. Click Install.
4. Select your installation preferences.
5. Click Continue to begin the installation process.
6. If you did not instruct the console to open after the installation, open the desktop console.
7. Accept the End User License Agreement, and click OK.
8. Enter the IP address or hostname of the virtual appliance, and then click Connect.
The computer running the LEM Console must be able to resolve the hostname of the appliance
using DNS or a manual entry in the hosts file before you enter the hostname in the desktop
console. See Resolve the LEM virtual appliance hostname for more information.

9. Create a new password.


The LEM desktop console requires you to change your LEM password after the installation. The first
time the LEM console connects to the LEM virtual appliance, it prompts you to change your
password. The password must be between 6 and 40 characters and contain at least one capital letter
and one number.

10. Enter your email address to participate in the SolarWinds Improvement Program. Otherwise, clear
the check box.

11. Click Save.


The LEM desktop console is installed on your system.

Import the SSL certificate


If you plan to use the LEM desktop console instead of the web-based LEM console, import the virtual
appliance CA SSL certificate to the certificate store when you activate the virtual appliance. When the
activation is completed, the LEM console connects with the virtual appliance using secure communications
on port 8443.

1. Locate and double-click the certificate on the network share.


2. Click Next and select Place all certificates in the following store.
3. Click Browse.
4. Select Trusted Root Certification Authorities, click OK, and then click Next.
5. Click Finish.
6. Click Yes to confirm that you trust the certificate.

Resolve the LEM Virtual Appliance host name


Ensure that the system hosting the LEM desktop console can resolve the appliance host name using DNS
or a manual entry in the hosts file. Otherwise, you cannot connect to the appliance.

Before you edit your hosts file, create a backup copy and save it in a safe place.

Configure forward and reverse DNS entries (which include a HOST and PTR record) for your appliance on
your DNS server. When you create the DNS entries, use the default host name or the host name you chose
during the activation procedure.

If you cannot configure DNS directly on your DNS server, configure a hosts file on your computer by editing
the Windows\System32\drivers\etc\hosts file in a text editor. Add a line space and then a line with
your virtual appliance IP address and host name separated by a tab or space.
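The following Python function, added here and not SolarWinds code, performs the hosts-file edit just described: it backs the file up first, reports rather than silently rewrites an existing mapping of the same name to a different address, and appends a blank line followed by the IP address and host name separated by a tab. The dry_run() helper exercises it on a throwaway copy with constructed values, so nothing touches the real hosts file unless you pass its path.

```python
import ipaddress
import os
import shutil
import tempfile
from datetime import datetime


def default_hosts_path():
    """%SystemRoot%\\System32\\drivers\\etc\\hosts, the file the guide names."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    return os.path.join(root, "System32", "drivers", "etc", "hosts")


def hosts_entries(text):
    """Parse hosts-file text into (ip, [names]) pairs, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            fields = line.split()
            entries.append((fields[0], fields[1:]))
    return entries


def resolve_in_hosts(text, hostname):
    """IP address the hosts text maps hostname to (case-insensitive), or None."""
    wanted = hostname.lower()
    for ip, names in hosts_entries(text):
        if wanted in (name.lower() for name in names):
            return ip
    return None


def add_lem_hosts_entry(ip, hostname, path=None):
    """Append "<ip><TAB><hostname>" after a blank line, as the guide describes.

    Returns "added", "present" (identical entry already there) or
    "conflict:<existing ip>" when the name already maps elsewhere; a conflicting
    entry is left for the administrator to resolve, never rewritten here.
    """
    ip = str(ipaddress.ip_address(ip))  # raises ValueError on a malformed address
    if not hostname or any(ch.isspace() for ch in hostname):
        raise ValueError("hostname must be a single non-empty token")
    path = path or default_hosts_path()
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    existing = resolve_in_hosts(text, hostname)
    if existing == ip:
        return "present"
    if existing is not None:
        return "conflict:%s" % existing
    # Back the file up before editing it, as the guide recommends.
    backup = "%s.%s.bak" % (path, datetime.now().strftime("%Y%m%d%H%M%S"))
    shutil.copy2(path, backup)
    with open(path, "a", encoding="utf-8") as fh:
        if text and not text.endswith("\n"):
            fh.write("\n")
        fh.write("\n%s\t%s\n" % (ip, hostname))   # blank line, then the entry
    return "added"


def dry_run(ip="10.0.0.50", hostname="lem01.corp.example"):
    """Exercise the edit on a throwaway copy of a minimal hosts file (constructed values)."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "hosts")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("127.0.0.1\tlocalhost\n")
    actions = [
        add_lem_hosts_entry(ip, hostname, path),           # added
        add_lem_hosts_entry(ip, hostname, path),           # present
        add_lem_hosts_entry("10.0.0.51", hostname, path),  # conflict:10.0.0.50
    ]
    with open(path, encoding="utf-8") as fh:
        resolved = resolve_in_hosts(fh.read(), hostname.upper())
    backups = [f for f in os.listdir(tmpdir) if f.endswith(".bak")]
    shutil.rmtree(tmpdir)
    return actions, resolved, len(backups)


if __name__ == "__main__":
    print(dry_run())
```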


Collect log data


You can configure Log & Event Manager to receive syslog data from non-agent devices (such as switches,
routers, and firewalls) or event log data from Windows servers running the LEM agent. Log & Event
Manager uses a connector to translate (or normalize) the raw log data into a supported format that
displays in the LEM console. You must associate a connector with a supported device or log source to
collect syslog data.

If your log sources are located behind firewalls, see SolarWinds LEM port and firewall information
to open the necessary ports. See the SolarWinds Port Requirements for SolarWinds Products
Guide for a list of all ports required to communicate with LEM.

View monitored events and details


You can view all monitored events in the All Events grid located in the Monitor view. This view provides
real-time monitoring of all normalized LEM events.

Click Pause in the toolbar to pause the event stream.

When you select an event in the grid, the event details display in the window. You can view information
about the event so you can take the appropriate action.

FILTER EVENTS
To monitor identical event names (for example, TCPTrafficAudit), select the name in the Event Details
pane and click to create a filter. Log & Event Manager filters all incoming events and displays only the
filtered events in the grid.

Click All Events in the Filters pane to disable the filter and monitor all incoming events.

TEST AN EVENT
To generate an example event, restart a Windows service (such as Print Spooler) that does not impact a
running application. The event will display in the All Events grid.

Troubleshoot syslog error messages


If a No Device Found error message displays in the widget, make sure you configured the device to send
logs to the correct IP address. See Troubleshooting Unmatched Data or Internal New Tool Data events in
your LEM console for troubleshooting steps.


LEM CONSOLE DOES NOT DISPLAY SYSLOG DATA


Verify that your devices are configured to forward syslog data to the LEM virtual appliance IP address. If
your appliance cannot receive logs, your device may not be supported.

If your devices are configured correctly and your LEM appliance is still not receiving syslog data, identify
the facilities that are collecting log data. When you complete this process, configure the appropriate
connector from the facility to the log device so Log & Event Manager can normalize and monitor this
information in the LEM manager.

IDENTIFY YOUR SYSLOG DATA FACILITIES CONTAINING LOG DATA


Verify that Log & Event Manager is receiving the raw data from your syslog devices.

See your hypervisor documentation for information about using the virtual console.

1. Open a command line.


In VMware, select SolarWinds Log & Event Manager and then click the Console tab.
In Hyper-V Manager, click Action > Connect to display the Console view.
In PuTTY:

a. Click Session.
b. In the Host Name field, enter the IP address or hostname of your LEM appliance.
c. In the Port field, enter 32022 or 22.
d. Click Open.
e. At the login as: prompt, enter cmc, and then press Enter.
f. At the password prompt, enter your password, and then press Enter.

The default password is password.

2. At the cmc> prompt, enter Appliance.

See "CMC Commands" in the LEM User Guide for a list of all supported commands.

3. At the cmc::acm# prompt, enter checklogs and press Enter.


The appliance displays all facilities receiving logs from syslog devices, such as firewalls, routers, and
switches.

In this example, 1, 12, and 18 are active syslog facilities because they contain stored log data.
Facilities 13, 15, 16, and 17 are inactive because their syslog log files are empty.


4. Match a facility with a monitored device.


a. Choose a facility number and record the local number (such as local2) for a future step.
b. Enter your chosen facility number (for example, 14 for local2) and press Enter.
c. Enter b or E to view the beginning or end of the log file, respectively, and press Enter.
d. Enter the number of lines to display on your screen, and then press Enter.
Pressing Enter defaults the output to 500 lines.

e. Press Enter again.


The raw data displays on your screen.

f. Review and match the data to a monitored syslog device in your network.
5. Repeat steps 3 and 4 in this section to match additional facilities with log data to a monitored
syslog device in your network.

CONFIGURE A CONNECTOR FROM THE FACILITY TO THE DEVICE


The following table maps each syslog facility to the log file name in the LEM manager. The connectors
defined in the LEM manager read these logs to normalize the Log & Event Manager events.

The hardened operating system prevents you from accessing the file system directly.

SYSLOG FACILITY     LOG FILE PATH
local0              /var/log/local0.log
local1              /var/log/local1.log
local2              /var/log/local2.log
local3              /var/log/local3.log
local4              /var/log/local4.log
local5              /var/log/local5.log
local6              /var/log/local6.log
local7              /var/log/local7.log

After you verify that data is received from a device, manually enable the log connector that supports the
device. The connector maps events from the monitored Windows system event log to a LEM normalized
event.
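To work out which of these files a device's messages land in from the message itself rather than from the checklogs menu, the following Python example, added here and not SolarWinds code, decodes the <PRI> prefix of a raw syslog line. The facility arithmetic (PRI = facility * 8 + severity, with local0 through local7 being facility codes 16 through 23) is standard RFC 3164/5424 syslog and is not stated by the guide; the file mapping is the table above, and the sample lines are constructed.

```python
import re

# Facility code -> LEM log file, per the guide's table (local0 = 16 ... local7 = 23).
LOCAL_FACILITY_FILES = {16 + n: "/var/log/local%d.log" % n for n in range(8)}

# Standard names for the facilities outside local0-local7 (RFC 3164), so a device
# sending on e.g. "auth" is reported by name rather than by number.
STANDARD_FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "ntp", 13: "security", 14: "console", 15: "solaris-cron",
}

_PRI_RE = re.compile(r"^<(\d{1,3})>")


def split_pri(message):
    """Return (facility, severity) from the <PRI> prefix of a raw syslog line."""
    match = _PRI_RE.match(message)
    if not match:
        raise ValueError("no <PRI> prefix: %r" % message[:40])
    pri = int(match.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError("PRI out of range: %d" % pri)
    return divmod(pri, 8)  # facility = pri // 8, severity = pri % 8


def facility_name(facility):
    """Human-readable facility name for a facility code."""
    if facility in LOCAL_FACILITY_FILES:
        return "local%d" % (facility - 16)
    return STANDARD_FACILITIES.get(facility, "facility%d" % facility)


def connector_log_file(message):
    """Path the connector's Log File field must point at, or None when the device
    is not sending on local0-local7 (there is no LEM localN file to read)."""
    facility, _ = split_pri(message)
    return LOCAL_FACILITY_FILES.get(facility)


# Constructed sample lines, as a firewall, a switch and a server might send them.
SAMPLE_MESSAGES = [
    "<150>May  6 09:07:31 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.1",    # local2.info
    "<188>May  6 09:07:32 sw01 link: port Gi1/0/3 changed state to down",           # local7.warning
    "<34>May  6 09:07:33 app01 sshd[123]: Failed password for invalid user test",  # auth.crit
]


def report(messages):
    """(facility name, severity, LEM log file or None) for each message."""
    rows = []
    for msg in messages:
        facility, severity = split_pri(msg)
        rows.append((facility_name(facility), severity, connector_log_file(msg)))
    return rows


if __name__ == "__main__":
    for name, sev, path in report(SAMPLE_MESSAGES):
        print("%-8s sev=%d -> %s" % (name, sev, path or "(no localN file; reconfigure the device)"))
```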

1. Match the facility of your monitored device with the corresponding log file path.
2. Open the LEM console and click Manage > Appliances.

3. Click next to the appliance name and select Connectors.


4. In the Refined Results pane search field, enter the brand name of the monitored device and press
Enter.
If your device does not display in the list, contact Customer Sales (for an evaluation license) or
Technical Support (for a production license) for assistance with unsupported devices.

5. Click next to your device and select New.


6. In the Log File field, make sure the localx portion of the path matches the facility number you
configured on your device or the facility you recorded in the previous procedure.
For example, if your recorded facility is local2, enter /var/log/local2.log in the field.

7. Verify that the remaining fields and selections are correct, and then click Save.
The connector displays in the Connectors grid with a gray status icon.

8. Click next to the connector and select Start.


When the status icon turns green, the LEM connector is configured correctly.

VIEW THE DATA FROM THE DEVICE


After you configure a connector to the facility, verify that the LEM appliance is receiving log data from the
device.

You may need to authenticate to the device to generate data, as some devices do not generate a
continuous stream of data.

1. Click the Monitor view in the LEM console.


2. In the Filters pane, expand Overview and click All events.
3. Watch for new events that appear in the grid with the device IP address in the DetectionIP column.
When new events display with your device IP address, the device is sending log data to the LEM
appliance.

Set up your agent nodes


After you configure your syslog server, install the LEM agent on your servers and workstations. Log & Event
Manager will collect the syslog data from the operating system logs and applications running on each
system, normalize the data into readable information, and send it to the LEM manager for processing. All
events received from the LEM agents display in the Monitor view.

Using LEM agents, you can:

• Capture events in real-time.
• Encrypt and compress the data for efficient and secure transmission to the LEM manager.
• Buffer the events locally if you lose network connectivity to the LEM manager.

The LEM agent runs on your agent nodes until you stop or uninstall the agent.

You can install the LEM agent by clicking Add Nodes to Monitor in the Getting Started widget.

LEM AGENT INSTALLATION CHECKLIST


Before installing your LEM agents, complete the pre-installation checklist below. This checklist helps you:

l Verify that system requirements are met and all required software is installed.
l Gather the information required to complete the installation.

[ ] Verify that you have administrative access to the servers and workstations you plan to monitor

Windows-based systems require Domain or Local administrative privileges. Linux or Unix systems require
root-level access.

[ ] Change the LEM hostname. This will minimize hostname issues before you install the LEM agent.

[ ] Set an exception in your antivirus or antimalware scanning software for the ContegoSPOP folder where
the LEM agents will be installed.

The alerts are stored in queue files, which change constantly as they are normalized and encrypted.

[ ] Turn off any anti-malware or endpoint protection applications on host systems during the installation
process.

These applications can affect the process by which installation files are transferred to the hosts. This will
assist Technical Support if you have issues with your agents.

[ ] Ensure that your target node can support the agent hardware requirements.

[ ] Record the paths to the installation folders on your target server.

INSTALLATION FOLDERS
LEM agents are installed to the following folders based on the operating system. See the table below.

OPERATING SYSTEM INSTALLATION FOLDER

Windows Server 32-bit C:\Windows\system32\ContegoSPOP

Windows Server 64-bit C:\Windows\sysWOW64\ContegoSPOP
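The checklist above can be run as a script on each Windows node before the installer is started. The following is an added example and is not SolarWinds code or part of the guide. It assumes Windows Defender is the antimalware product (the Add-MpPreference cmdlet) and takes the manager hostname or IP address as a parameter; the folder paths are the ones from the table above.

```powershell
# Added example, not SolarWinds code: pre-installation checks for one Windows agent node.
# Assumptions: Windows Defender is the antimalware product (Add-MpPreference); the manager
# hostname or IP is supplied by the caller. Folder paths are the ones in the guide's table.
param(
    [Parameter(Mandatory = $true)][string]$ManagerName   # LEM appliance hostname or IP
)

# 1. Administrative access: the installer and the exclusion change both need elevation.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (administrator) PowerShell session.'
}

# 2. Installation folder, chosen by OS bitness exactly as in the guide's table.
$agentFolder = if ([Environment]::Is64BitOperatingSystem) {
    Join-Path $env:windir 'sysWOW64\ContegoSPOP'
} else {
    Join-Path $env:windir 'system32\ContegoSPOP'
}

# 3. Antimalware exclusion for the queue files that change constantly. Exclude only the
#    agent folder, never the parent system32 or sysWOW64 directory.
$excluded = (Get-MpPreference).ExclusionPath
if ($excluded -notcontains $agentFolder) {
    Add-MpPreference -ExclusionPath $agentFolder
    Write-Host "Added antimalware exclusion for $agentFolder"
} else {
    Write-Host "Antimalware exclusion already present for $agentFolder"
}

# 4. Name resolution: the agent must be able to resolve the manager name from this node.
#    The lookup is skipped when an IP address was given instead of a hostname.
$ip = $null
if ([System.Net.IPAddress]::TryParse($ManagerName, [ref]$ip)) {
    Write-Host "Manager given as IP address $ManagerName; no DNS lookup needed"
} else {
    try {
        $record = Resolve-DnsName -Name $ManagerName -Type A -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
        if (-not $record) { throw "no A record returned for $ManagerName" }
        Write-Host "Manager $ManagerName resolves to $($record.IPAddress)"
    } catch {
        throw "Cannot resolve $ManagerName from this node; fix DNS or enter the IP address instead."
    }
}
```

Save the block as a .ps1 file and run it from an elevated session, for example `.\Test-LemAgentPrereqs.ps1 -ManagerName lem.example.com` (the file and host names are placeholders). The exclusion is deliberately limited to the ContegoSPOP folder: excluding all of system32 would blind the scanner to far more than the agent's queue files.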

ADD NODES TO MONITOR


You can use the LEM agent installer to install LEM agents locally on a variety of operating systems. When
the installation is completed, the LEM agent then automatically starts and connects to your LEM manager.

You can install the LEM agent on your monitored nodes by:

• Clicking Add Node in the Manage > Nodes view
• Clicking Add Nodes to Monitor in the Getting Started wizard located in the Ops Center view

The following procedure describes how to set up your monitored nodes from the Manage > Nodes view.

1. If you are upgrading a LEM agent, uninstall the current version before you continue.
2. Log in to the LEM console as an administrator.
3. Click Manage > Nodes.
4. In the toolbar, click Add Node.

5. Select Agent node in the Specify Nodes to Add screen.


6. Install the LEM agent on your servers and workstations using the remote or local installation
procedure listed on your screen.

You can run a remote or a local installation based on your administrator privileges and deployment
needs. See the table below.

REMOTE INSTALLATION
• You have administrator rights to run a remote installer on a server or workstation.
• You want to run the installer remotely on multiple servers and workstations in your network.
• You have administrator rights to run a remote installation.

LOCAL INSTALLATION
• You have administrator rights to log in to a server or workstation.
• You want to run the installer in person on each server and workstation in your network.
• You have administrator rights to physically log in to a server or workstation.

REMOTE INSTALLATION
This procedure describes how to install the LEM agent on multiple managed nodes in your corporate
network at the same time. You must have administrator rights to run a remote installer to perform this
procedure.

1. Under Remote Installation, click Windows Installer.
2. Double-click the downloaded ZIP file and extract the contents to a local directory. By default, the
ZIP file creates a SolarWinds-LEM-<version>-WindowsRemoteAgentInstaller folder on
your system.

The 80MB ZIP file may require several minutes to download based on your network traffic.

3. Open the SolarWinds Log & Event Manager folder and run the inremagent.exe installer.

The installer uses your existing login privileges for the installation and may prompt you for
additional privileges during setup.

4. Click Next in the Introduction screen.


5. Accept the End User License Agreement, and then click Next.
6. Accept the default temporary folder location or choose another location, and then click Next.
7. Enter the IP address or hostname of your LEM appliance in the Manager Name field.
In LEM, Manager always refers to your appliance IP address or hostname.

8. Complete the remaining fields, and then click Next.


9. Select how to locate and download the hosts in the Get Hosts to Install window.
Select Get hosts automatically to discover your hosts using NetBIOS discovery. If you have a highly-
segmented network, this option may not discover all of your systems.
Select Get hosts from file (One host per line) to download a list of hosts from a text file.

10. Click OK to continue.


11. Select the hosts you want to monitor, and then click Next.

You can install the LEM agent on workstations and server nodes.

12. Review your lists of selected hosts, and then click Next.
13. Enter the default installation paths for the LEM agent, and then click Next.

By default, the installer detects the 32- or 64-bit Windows operating system version.

14. To install USB-Defender, leave the Install USB-Defender check box selected. Otherwise, clear this
check box.

SolarWinds recommends installing USB-Defender on every system. USB-Defender will never
detach a USB device unless you have explicitly enabled a rule. By default, USB-Defender
generates alerts for USB mass storage devices attached to your LEM Agents.

15. Review the installation summary, and then click Install.


16. After the installer completes the setup process, click Next to install the agents.

This process may require several minutes to complete based on your network traffic.

If the installer does not have sufficient resources to complete the installation process, you will
be prompted to enter a different login account.

17. Review the installation summary, and then click Next.


18. Click Done to complete the installation.
19. Go to Verify the agent connection to the LEM appliance.
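Step 9 notes that NetBIOS discovery can miss hosts on a segmented network and offers a text file with one host per line as the alternative. The following added example (not SolarWinds code or part of the guide) builds that file from Active Directory. It assumes the RSAT ActiveDirectory module is installed on the workstation running the remote installer and that the session can query the domain; the output path and the optional OU distinguished name are parameters.

```powershell
# Added example, not SolarWinds code: write the "one host per line" file read by the
# remote installer's "Get hosts from file" option. Assumes the RSAT ActiveDirectory module.
param(
    [string]$SearchBase = '',                            # optional OU DN; default: whole domain
    [string]$OutFile    = "$env:TEMP\lem-agent-hosts.txt"
)
Import-Module ActiveDirectory -ErrorAction Stop

# Enabled Windows computers only: disabled or stale accounts would only fail to install.
$params = @{
    Filter     = 'Enabled -eq $true -and OperatingSystem -like "Windows*"'
    Properties = 'DNSHostName', 'OperatingSystem'
}
if ($SearchBase) { $params['SearchBase'] = $SearchBase }
$computers = @(Get-ADComputer @params | Where-Object { $_.DNSHostName })

# Keep only hosts that answer now. The installer copies files over the network, so an
# offline host would end up in its failure list anyway.
$reachable = @(foreach ($c in $computers) {
    if (Test-Connection -ComputerName $c.DNSHostName -Count 1 -Quiet) { $c.DNSHostName }
})

# One fully qualified name per line, no header, ASCII: the format step 9 describes.
$reachable | Sort-Object -Unique | Set-Content -Path $OutFile -Encoding ASCII
Write-Host ('{0} of {1} enabled Windows computers written to {2}' -f $reachable.Count, $computers.Count, $OutFile)
```

Point the installer's Get hosts from file option at the file written to $OutFile. Using fully qualified names keeps the list valid across domains, which matters for the same reason the local installation procedure below asks for the appliance's fully qualified domain name.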

LOCAL INSTALLATION
This procedure describes how to install the LEM agent on each managed node—one at a time. You must
have administrator rights to physically log into each server.

1. Under Local Installation, click the appropriate installer for your LEM agent node.
2. Run setup.exe (for Windows nodes) or setup.bin (for Linux nodes).
3. In the installation wizard, click Next.
4. Accept the End User License Agreement, and then click Next.
5. Enter the hostname or IP address of your LEM appliance in the Manager Name field and click Next.
Do not change the default port values.

If you are deploying the LEM agent on a different domain, use the fully qualified domain name
for your LEM virtual appliance. For example: LEMhostname.SolarWinds.com.

6. Confirm the Manager Communication settings, and then click Next.


If you are installing the LEM Agent on a Linux node, go to step 9.
If you are installing the LEM Agent on a Windows node, you are prompted to install USB Defender.

7. To install USB-Defender, leave the Install USB-Defender check box selected. Otherwise, clear this
check box.

SolarWinds recommends installing USB-Defender on every system. USB-Defender will never
detach a USB device unless you have explicitly enabled a rule. By default, USB-Defender
generates alerts for USB mass storage devices attached to your LEM Agents.

8. Click Next.
9. Confirm the settings on the Pre-Installation Summary and click Install.
The installer installs the LEM agent on your node.

This process may require several minutes to complete based on your network traffic.

10. Inspect the Agent Log for any errors, and then click Next.

11. Click Done to exit the installer.

VERIFY THE LEM AGENT CONNECTION


After you install the LEM agent on your agent nodes, verify that the agent connected to the LEM appliance.

See Troubleshooting LEM agent connections if the LEM agent does not connect to your LEM Appliance.


1. In the Add Node Wizard, click Go to Manage > Nodes.


2. In the Nodes grid, ensure that all connected nodes include a green status indicator.
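The green status indicator is the manager's view of the connection. When a node stays red, the same question can be asked from the node's side. The following added example (not SolarWinds code or part of the guide) checks that the agent's Windows service is running and holds an established TCP session to the manager. It does not assume the service's display name: it finds the service whose binary lives in the ContegoSPOP folder named in the installation folders table, and it takes the manager hostname or IP as a parameter.

```powershell
# Added example, not SolarWinds code: node-side check of the agent service and its session
# to the manager. Assumption: the agent service is the one whose binary path contains the
# ContegoSPOP install folder; the service name itself is not assumed.
param([Parameter(Mandatory = $true)][string]$ManagerName)

$service = Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -like '*ContegoSPOP*' } |
    Select-Object -First 1
if (-not $service) {
    throw 'No service with a ContegoSPOP binary was found; is the agent installed on this node?'
}
if ($service.State -ne 'Running') {
    throw "Agent service '$($service.Name)' is in state $($service.State), not Running."
}

# Resolve the manager so the comparison works whether a hostname or an IP was given.
$managerIps = @([System.Net.Dns]::GetHostAddresses($ManagerName) |
    ForEach-Object { $_.IPAddressToString })

# Only sessions owned by the agent process count; another tool talking to the same
# appliance (for example a browser on the LEM console) must not produce a false pass.
$sessions = @(Get-NetTCPConnection -OwningProcess $service.ProcessId -State Established -ErrorAction SilentlyContinue |
    Where-Object { $managerIps -contains $_.RemoteAddress })

if ($sessions.Count -gt 0) {
    foreach ($s in $sessions) {
        Write-Host ('Agent connected: {0}:{1} -> {2}:{3}' -f $s.LocalAddress, $s.LocalPort, $s.RemoteAddress, $s.RemotePort)
    }
} else {
    Write-Warning "Service '$($service.Name)' is running but has no established session to $ManagerName. Check host and network firewall rules and the Manager Name entered during installation (do not change the default ports)."
}
```

A running service with no session usually points at a firewall between node and appliance or at a manager name that resolves differently on the node than on the console; the name-resolution check in the pre-installation example covers the second case.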

ADD ADDITIONAL LOG SOURCES


When you install LEM agents on Windows-based systems, the agents normalize and send syslog data from
the Security, Application, and Event logs by default. Use the following procedure to add additional log
sources to your monitored nodes (if desired).

1. Select the node you want to configure.

2. Click and select Connectors.


3. In the Connectors grid, select a supported device or application to log.

Enter a keyword in the Search field or click the Category drop-down menu for a list of
supported devices and applications.

4. Click next to your selected connector and select Enable.


5. Click Close.
6. Repeat steps 1 through 5 to add additional log sources to your nodes.

VIEW MONITORED EVENTS


After your LEM agents are installed on your monitored nodes, you can view all monitored events in the All
Events grid located in the Monitor view. This view provides real-time monitoring of all normalized
LEM events.

In the Monitor view, you can:

• View all monitored events
• View event details
• View the event description
• Create an event filter
• Test an event

To view all monitored events:

1. Open the LEM Console.


2. Click Monitor.
3. In the Filters pane, click Overview and select All Events.
All monitored events display in the All Events grid. The DetectionIP column lists the device IP address
or hostname that sent the event.

Click Pause in the toolbar to stop the event stream.

VIEW EVENT DETAILS


The Event Details pane lists the descriptions and details for each event. After you view the event details,
you can create a filter that displays all events with the same name in the grid. Use this feature to monitor
similar events that may lead to a problem.

When you select an event in the grid, the event details display in the Event Details window. You can view
information about the event to help you decide if this is a malicious event that requires an event filter for
further investigation.

1. In the All Events toolbar, click Pause to stop the incoming events.
2. Select an event in the All Events grid.


3. View the event details in the Event Details pane.

VIEW THE EVENT DESCRIPTION


The event description provides an in-depth description of each event and how they can impact your
corporate network.

Click to display the Event Description view. You can use this information to decide whether to set up a
filter for this event for further investigation. Click to return to the Event Details view.

CREATE AN EVENT FILTER


If an event displays in the All Events grid that requires additional research, you can create an event filter
that displays all similar events in the grid. This process can help you decide if an event requires additional
maintenance or security measures to support your corporate IT policy.

To monitor identical event names (for example, MachineLogon), select the name in the Event Details pane
and click to create a filter. LEM filters all incoming events and displays only the filtered event in the
grid.

To return to viewing all events, click the Overview drop-down menu in the Filters pane and select All
Events.

TEST AN EVENT
After you configure your syslog and agent nodes, you can generate a test event to ensure the event
displays in the All Events grid. This process helps you verify that your LEM deployment is functioning
properly.

To generate an example event, restart a Windows service that does not impact a running application (such
as Print Spooler). The event will appear in the All Events grid.
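The service restart can be scripted together with a local check that Windows actually wrote the event, which separates "the node did not log it" from "the agent did not forward it". The following added example (not SolarWinds code or part of the guide) restarts the Print Spooler and then reads the System log for the Service Control Manager record (event ID 7036, which reports a service entering the running or stopped state).

```powershell
# Added example, not SolarWinds code: generate the guide's test event and confirm locally that
# Windows logged it before looking for it in the All Events grid.
$serviceName = 'Spooler'            # Print Spooler, as the guide suggests
$started     = Get-Date

Restart-Service -Name $serviceName -ErrorAction Stop

# Give the Service Control Manager a moment to write its System log entries.
Start-Sleep -Seconds 2

# Event 7036 from the Service Control Manager: "<service> entered the <state> state".
$events = @(Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7036
        StartTime    = $started.AddSeconds(-5)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Print Spooler*' })

if ($events.Count -gt 0) {
    $events | Select-Object TimeCreated, Id, Message | Format-Table -Wrap -AutoSize
    Write-Host "Windows logged the restart on $env:COMPUTERNAME; check the All Events grid for it (DetectionIP shows this host)."
} else {
    Write-Warning 'No 7036 event was found locally. The agent cannot forward an event that Windows never wrote; check the System log and Service Control Manager before troubleshooting the agent.'
}
```

Run it on a node whose agent shows green in Manage > Nodes; the stop and start records should then appear in the All Events grid within the agent's forwarding delay.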

MANAGE LEM AUTOMATIC CONNECTOR UPDATES


Beginning in LEM 6.2.0, you can turn on the automatic connector updates feature. The automatic updates
feature verifies that supported devices have the latest connectors installed. This feature checks
SolarWinds.com every day for new connectors and installs them automatically as needed.

1. Log in to the LEM Console.


2. Click Manage > Appliances.
3. In the Appliances toolbar, click Connector Updates and choose from the following options:

• To turn on the auto-update feature, select Enable auto updates.
• To update connectors immediately, select Update now.
• To turn off the auto-update feature, select Disable auto updates.


OTHER WAYS TO UPDATE CONNECTORS

• You can download and apply the LEM connector update package. This package contains the latest
SolarWinds connector updates. See Applying a LEM Connector Update Package for details.
• Occasionally, Technical Support may provide stand-alone connector updates to address
Unmatched Data alerts in your environment.

Set up your deployment
The LEM Console includes a Getting Started widget in the Ops Center. Using the widget, you can:

• Set up your LEM environment with email alerting and Active Directory integration
• Add additional devices and systems to monitor, such as firewalls and user workstations
  You can also add monitored nodes from the Manage > Nodes view.
• Define how the application alerts you when specific conditions occur in your network.
• Learn how to use filters, custom rules, nDepth, and reports to monitor and troubleshoot activity in
your corporate enterprise.

Configure your basic settings


To begin setting up your LEM environment, configure your basic settings, such as email alerting and
Windows Active Directory integration. This helps you identify problem devices and control change
management in your corporate enterprise.

Before you set up email alerting, locate:

• The IP address or hostname of your primary or relay email server
• A valid email address you can use for testing

If you have a secured email server, add the LEM virtual appliance IP address as an authorized source.


SET UP EMAIL ALERTING


Email alerting sends you an email when a monitored device has a problem. This helps you troubleshoot
and resolve network problems in a timely manner. Log & Event Manager uses your existing email server or
simple mail transfer protocol (SMTP) relay server to forward email notifications.

You can also set up email alerting by configuring an Email Active Response connector in your
appliance located in the Manage > Appliances view.

1. Log in as an administrator.
2. Click the Ops Center View and locate the Getting Started widget.
3. In the widget, click Configure Basic LEM Settings.

4. In the Welcome screen click Next.

5. Configure your email alert settings as required.

a. Enter your mail server IP address in the Mail Host field.


b. Enter a port number only if you use a port other than port 25.
c. If you are using a third-party email server, click the Transport Protocol drop-down menu and
select SSL (Secure Sockets Layer) or TLS (Transport Layer Security). Be sure to add a
corresponding port number in the Port field.
d. Change the return address to reflect your current domain.
For example, noreply@yourcompanyname.com.

e. Change the return display name if SolarWinds does not provide a complete description for
your needs. For example, you can enter System Alert or Security Alert.
f. Enter an authentication server username and password only if you must authenticate before
you send an email or if you use a third-party tool (such as Google Mail or Microsoft
Office365).
6. Click Test Email.
7. Check your email to ensure you received a SolarWinds test message.
Email alerting is enabled.

8. Click Next to set up Active Directory integration.

SET UP ACTIVE DIRECTORY INTEGRATION


Active Directory integration helps you control Change Management by alerting you when Active Directory
groups and accounts are updated or modified. Using Active Directory, you can implement Directory Groups
instead of User Defined Groups in your filters and rules to reduce the need for ongoing maintenance.


1. Configure your Active Directory connection settings as required.

a. Enter your domain name.


b. Enter the IP address or host name of your Directory Services server.
This server is commonly a domain controller.

c. Enter an authentication server username and password only if you must authenticate to
connect to your Active Directory server.
d. If your Active Directory server supports encryption, click the Encryption drop-down menu and
select SSL or TLS. Otherwise, select No SSL.
The Custom Port field populates automatically based on your encryption setting.

2. Click Test Domain Connection and verify that your Active Directory settings are correct.
3. Click Finish.
The Active Directory connection is enabled.

Add new nodes to monitor


After you configure Log & Event Manager to collect data from your agent nodes and non-agent devices
during the initial setup, you can add additional network devices, desktop systems, and enterprise servers
to monitor using the Add Nodes to Monitor option in the Getting Started wizard.

When you click this option in the wizard, a dialog box displays prompting you to choose the type of node
you want to add. Click the drop-down menu, select an agent or non-agent node to monitor, and follow the
instructions in the wizard to add the monitored node.

You can also click Add Node in the Node Health widget to perform the same function.

Define rules and configuration alerts


You can define rules and configuration alerts that alert you when specific conditions occur in your
network. Rules help you to detect operational and compliance issues in your corporate network, such as
external breaches, insider abuse, and policy violations.

Each rule requires you to define three settings: 

• Correlation: The number of events that occur within a selected amount of time and the amount of
time allocated to responding to the events.
• Correlation time: The volume of events that match the correlation conditions and the rolling time
window to evaluate the correlation.
• Action: The action that occurs when the rule is triggered.
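The three settings are easier to reason about when written out as code. The following added example (not SolarWinds code or part of the guide) is a minimal model of one rule run over constructed events: the condition is the event name UserLogonFailure for a single user, the correlation is five matching events, the correlation time is a rolling 60-second window, and the action records an alert object in place of LEM's email or active responses. The event objects, field names and sample data are constructed for the example and are not LEM's internal representation.

```powershell
# Added example, not SolarWinds code: a minimal model of the three rule settings the guide lists.
# Condition: event name UserLogonFailure from one user. Correlation: 5 matching events.
# Correlation time: rolling 60-second window. Action: record an alert (stand-in for a response).
function Invoke-CorrelationRule {
    param(
        [Parameter(Mandatory = $true)][object[]]$Events,
        [string]$EventName  = 'UserLogonFailure',
        [int]$Threshold     = 5,
        [int]$WindowSeconds = 60
    )
    $windows = @{}      # user -> timestamps of matches still inside the rolling window
    $alerts  = New-Object System.Collections.Generic.List[object]

    foreach ($e in ($Events | Sort-Object Time)) {
        if ($e.Name -ne $EventName) { continue }                         # condition
        if (-not $windows.ContainsKey($e.User)) {
            $windows[$e.User] = New-Object System.Collections.Generic.List[datetime]
        }
        $list = $windows[$e.User]
        $list.Add($e.Time)
        # Correlation time: forget matches older than the window, measured from this event.
        while (($e.Time - $list[0]).TotalSeconds -gt $WindowSeconds) { $list.RemoveAt(0) }

        if ($list.Count -ge $Threshold) {                                 # correlation
            $alerts.Add([pscustomobject]@{                                # action
                Rule   = "$EventName x$Threshold in ${WindowSeconds}s"
                User   = $e.User
                Count  = $list.Count
                At     = $e.Time
                Source = $e.DetectionIP
            })
            $list.Clear()   # start a fresh count instead of alerting again on every further failure
        }
    }
    return $alerts
}

# Constructed sample events (not real log data): a burst of failures for svc-backup, slow
# failures for jdoe that never reach the threshold, and a successful logon the condition ignores.
$t0 = Get-Date '2017-07-19 09:00:00'
$sample = @(
    foreach ($s in 0, 10, 20, 30, 40, 50) {
        [pscustomobject]@{ Time = $t0.AddSeconds($s); Name = 'UserLogonFailure'; User = 'svc-backup'; DetectionIP = '10.0.0.21' }
    }
    foreach ($s in 0, 120, 240) {
        [pscustomobject]@{ Time = $t0.AddSeconds($s); Name = 'UserLogonFailure'; User = 'jdoe'; DetectionIP = '10.0.0.35' }
    }
    [pscustomobject]@{ Time = $t0.AddSeconds(300); Name = 'UserLogon'; User = 'jdoe'; DetectionIP = '10.0.0.35' }
)

Invoke-CorrelationRule -Events $sample | Format-Table -AutoSize
```

Run as written, the rule fires once, for svc-backup at 09:00:40 with a count of 5; jdoe's three failures are spread over four minutes and never fit inside the 60-second window. Clearing the per-user list after an alert is the design choice to notice: without it, the sixth failure would raise a second alert one event later, which is the kind of duplicate alerting the correlation time is meant to suppress.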

To define rules and configuration alerts:


1. In the Getting Started widget, click Define Rules and Configure Alerts.

2. Select the check box next to the types of rules you want to enable, and then click Next.

3. Complete the fields and selections to define the condition, correlation time, and action for each
new rule, and then click Apply.
4. In the console, click Build > Rules.
5. In the Rules grid, locate a new rule, click and select Enable.

A displays next to the enabled rule.

6. Complete step 5 for each additional rule.


7. Click Activate Rules to activate all modified and new rules.

Learn about advanced LEM tools


The Getting Started wizard provides built-in videos that describe how to:

• Create custom filters to monitor specific events in your corporate enterprise
• Create custom rules for real-time correlation and response
• Use nDepth Explorer and the Reports Console to analyze your log data and provide ad hoc
reporting

Click Advanced LEM Tools to learn more about these tools.

Get started
This section contains the following topics:

• View real-time data
• View historical data
• Run and schedule reports

View real-time data


You can view all events in real time as they occur in the Monitor view. All events are collected from agent
devices running the LEM agent and non-agent devices communicating with your syslog server.

Log & Event Manager uses filters to display specific types of events. When you open the Monitor view, the
All Events filter is the default view. To stop the incoming event stream, click Pause in the toolbar.

VIEW EVENT DETAILS


If you see an event that requires your attention, click Pause in the All Events toolbar to freeze all incoming
events. Click the event in the grid to display detail about the event in the Event Details pane.


For additional information about the event, click to review the event description.

If you decide that the event needs immediate attention, click to create a filter for this event (for
example, MachineLogon). The All Events grid is replaced with a grid that displays all related events.

The filter is automatically saved to the Overview menu in the Filters pane. Log & Event Manager will
continue collecting all MachineLogon events and increment the count value so you can monitor this event
for further activity.

When you complete your event research, click to return to the Event Details information or click to
toggle between the previous and next event in the grid.

To resume viewing all incoming events, click All Events in the Filters pane and then click Resume in the All
Events toolbar.

CREATE A FILTER
If you want to focus on specific types of events, you can create a filter. Log & Event Manager includes
several preconfigured filters that organize events into specific groups, which include:

• Security
• IT Operations
• Change Management
• Authentication
• Endpoint Monitoring
• Compliance

See the Log & Event Manager User Guide for filter descriptions included in each group.

1. Click the Monitor view.
2. Click in the Filters pane and select New Filter.

3. Enter a name and description in the Filter Creation window.

4. Select the number of events to display in the Monitor grid.

The default value is 1000.

5. Locate a preconfigured group that matches the events you want to filter.

6. (Optional) Select a notification in the Notifications group that executes when a filter event is found.


7. Drag and drop your selected event group filter into the Conditions box.
The filter name displays in the box.

8. (Optional) Drag and drop your selected Notification filter into the Notifications box.
The filter name displays in the box.

9. Click Save at the bottom of the window.


Your filter is saved in the Filters Overview menu.

VIEW FILTERED EVENTS


When you select a filter in the Filters Overview drop-down menu, all filtered events appear in the Monitor
view. If you see an event that requires attention, click Pause and then click an event. The event details
display in the Event Details pane where you can research the event and take the appropriate action based
on your corporate IT policy.

You can use most filter groups to create a visual representation of the filtered data using a widget
included in the Monitor view. These widgets are designed to surface trends or anomalies that may
otherwise go unnoticed. The widget can also be added to your Ops Center dashboard.

For example, in the Authentication group, selecting the FailedLogins filter displays all failed logins by
user account using a bar graph.

In the widget interface, you can click to create a new widget, click to edit the widget, or click to
configure the existing widget.

View historical data


You can view all historical events using the nDepth search utility. This utility provides a dashboard with
tools to help you search and analyze historical log and event data that pass through a LEM manager.

Using nDepth, you can: 

• Search event data and log messages using Search Builder or a keyword search.
• Refine your search to identify activity patterns and unauthorized user access.
• Save your search strings for future use.
• Monitor user activity using a scheduled data search.
• Export your search results to a PDF or CSV file for compliance reporting.

When you start nDepth, the interface presents 10 minutes of log data generated from your agent and
non-agent devices. You can change the time range by clicking the Time drop-down menu in the toolbar and
selecting another time range.

The following illustration provides an overview of the nDepth dashboard.


NUMBER ITEM DESCRIPTION

1 History Displays links to your recent nDepth search results.

2 Saved Searches Displays links to your saved nDepth search results.

3 List pane Displays categorized lists of events, event groups, event variables, and
additional options you can use to create conditions for your filters.

4 Search bar Searches all event data or the original log messages that pass through a
LEM manager. Drag the toggle switch to select Drag & Drop or Text Search mode.

5 Respond Displays a list of corrective actions you can execute when an event
occurs, such as shutting down a workstation or blocking an IP address.

6 Explore Displays several utilities you can use to research an event, including
Whois, Traceroute, and NSlookup.

7 Time Provides a drop-down menu to select the time range for your search.

8 Play Executes the selected search.

9 Histogram Displays the number of events or log messages reported within the
selected search time range.

10 Dashboard Displays the search results in all available widgets. You can change this
view by clicking a widget in the nDepth toolbar.

11 nDepth Toolbar Organizes log data into categories to identify activity in your network.
Click a selection to display the category below the histogram.

SEARCH EVENT LOGS USING SEARCH BUILDER


Search Builder provides a drag-and-drop method to create complex search queries on your event logs.

Using preconfigured elements such as events, event fields, and specific event values, you can drag a
selected element from the List pane into the Search Builder Conditions box to perform your query. For
example, to search and report activity in your Admin accounts, you can drag a user-defined group or
directory service group into the Conditions box to initiate your search. You can also group search items,
show boolean (AND/OR) relationships between search items, and select specific values for each item.

1. Click the Search Builder icon in the nDepth toolbar.

The Search Builder Conditions box displays in the interface.

2. In the List pane, click the Events menu and locate UserLogonFailure.

You can enter a term in the Search field (as shown below) to narrow your search results.


3. Drag the event into the Search Builder Conditions box.

Your selection also displays in the Search bar. Drag the toggle switch down to view the event name
in text.

4. (Optional) A second menu may appear that provides additional fields to narrow your search. Drag a
field from the Fields list into Search Builder to narrow your search.

Mouse over for additional information.

5. (Optional) Click the triangle on the right side of the Conditions box and select the boolean logic for
your search.

The Search box synchronizes with the Search Builder.

6. Click the Time drop-down menu and select a time span for your search.

7. Click to begin your search.

Your search results display in the histogram and your dashboard widgets, such as Word Cloud and
Tree Map. Click the nDepth toolbar options to display your search results in additional formats, such
as line, pie, and bubble charts.

SEARCH EVENT LOGS USING A KEYWORD


If you cannot locate the information you need using Search Builder, you can enter a search term in the
Search field to initiate a keyword search. This method displays all events that include your search term,
such as a user name.

This example searches events that occurred within the last week that include administrator in the
event.


1. Click in the Search bar to clear an existing search (if applicable).


2. Drag the toggle switch down to enter the Text Input mode.

3. Enter a search term in the Search field.

4. Click the Time drop-down menu and select a time span for your search.

5. Click to begin your search.


6. Click Refine Fields in the List pane.
Your search results appear in the histogram and your dashboard widgets, such as Word Cloud and
Tree Map. Click the nDepth toolbar options to display your data in additional formats, such as line,
pie, and bubble charts.

REFINE YOUR SEARCH


The Refine Fields pane organizes your search results into categories that help you surface embedded data
and prompt further investigation. Use this option in conjunction with the Results Details pane to refine
your search.

This example searches all log on failure events that occurred within the last 10 minutes that include
administrator as the user name.

1. Click Refine Fields in the List pane.

2. Click Results Details in the nDepth toolbar.

The Results Details pane displays in the nDepth interface.

3. In the Refine Fields pane, maximize the User Name menu and double-click administrator.

4. Click the Time drop-down menu and select a time span for your search.


5. Click to begin your search.

nDepth displays the results in the Results Details pane.

To begin a new search with your original search parameters, select the original search in the History
pane.
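The keyword search and the Refine Fields step above are two passes over the same data: a free-text match over a time range, then exact matches on normalized fields, with the pane listing each field's values and how many hits carry them. The following added example (not SolarWinds code or part of the guide) models both passes over constructed normalized events. The event objects and field names (Name, User, DetectionIP, Message) are assumptions for the example, not nDepth's data model.

```powershell
# Added example, not SolarWinds code: keyword search over a time range, then field-based
# refinement with per-field value counts, modelled on the nDepth workflow in the guide.
function Search-Events {
    param(
        [Parameter(Mandatory = $true)][object[]]$Events,
        [Parameter(Mandatory = $true)][datetime]$Now,
        [int]$LastMinutes  = 10,                 # nDepth's default time range
        [string]$Keyword   = '',
        [hashtable]$Refine = @{}                 # e.g. @{ Name = 'UserLogonFailure'; User = 'administrator' }
    )
    $since = $Now.AddMinutes(-$LastMinutes)
    $hits  = @($Events | Where-Object { $_.Time -ge $since -and $_.Time -le $Now })

    if ($Keyword) {
        # Keyword mode: the term is matched literally and case-insensitively anywhere in the event.
        $pattern = [regex]::Escape($Keyword)
        $hits = @($hits | Where-Object { ($_.PSObject.Properties.Value -join ' ') -match $pattern })
    }
    foreach ($field in $Refine.Keys) {
        # Refine mode: exact match on one normalized field per key.
        $hits = @($hits | Where-Object { $_.$field -eq $Refine[$field] })
    }

    # Facets are what the Refine Fields pane lists: each value of a field with its hit count.
    $facets = [ordered]@{}
    foreach ($field in 'Name', 'User', 'DetectionIP') {
        $facets[$field] = @($hits | Group-Object -Property $field |
            Sort-Object -Property Count -Descending |
            ForEach-Object { '{0} ({1})' -f $_.Name, $_.Count })
    }
    [pscustomobject]@{ Results = $hits; Facets = $facets }
}

# Constructed sample events (not real log data).
$now = Get-Date '2017-07-19 09:10:00'
$sample = @(
    [pscustomobject]@{ Time = $now.AddMinutes(-2);  Name = 'UserLogonFailure'; User = 'administrator'; DetectionIP = '10.0.0.21'; Message = 'Logon failure: bad password' }
    [pscustomobject]@{ Time = $now.AddMinutes(-4);  Name = 'UserLogonFailure'; User = 'administrator'; DetectionIP = '10.0.0.35'; Message = 'Logon failure: bad password' }
    [pscustomobject]@{ Time = $now.AddMinutes(-6);  Name = 'UserLogon';        User = 'administrator'; DetectionIP = '10.0.0.21'; Message = 'Interactive logon' }
    [pscustomobject]@{ Time = $now.AddMinutes(-7);  Name = 'UserLogonFailure'; User = 'jdoe';          DetectionIP = '10.0.0.35'; Message = 'Logon failure: bad password' }
    [pscustomobject]@{ Time = $now.AddMinutes(-45); Name = 'UserLogonFailure'; User = 'administrator'; DetectionIP = '10.0.0.21'; Message = 'Logon failure: bad password' }
)

# Pass 1: keyword "administrator" within the last 10 minutes (the guide's keyword example).
$keyword = Search-Events -Events $sample -Now $now -Keyword 'administrator'
# Pass 2: log on failures for administrator in the same range (the guide's Refine example).
$refined = Search-Events -Events $sample -Now $now -Refine @{ Name = 'UserLogonFailure'; User = 'administrator' }

"Keyword hits: $($keyword.Results.Count); refined hits: $($refined.Results.Count)"
$refined.Facets
```

The 45-minute-old event is excluded by the time range in both passes, the keyword pass also returns the successful logon because the word appears in its User field, and the refine pass keeps only the two failures. The DetectionIP facet of the refined result is the figure an analyst actually wants: which hosts the failures came from.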

SAVE A SEARCH
You can save and reuse any search you create. Saved searches include your entire search string as well as
the selected time frame.

1. Click in the nDepth toolbar and select Save as.


2. Enter a name for your search in the Search Name field.

3. Click OK.
Your saved search displays in the Saved Searches pane.

SCHEDULE A SEARCH
You can schedule a saved search to run automatically based on your schedule parameters. This will help
you monitor your network with minimal administration.

If your virtual appliance is offline for more than 24 hours, all scheduled searches may not run at the
expected time. When the appliance is back online, all scheduled searches return to normal after 24
hours.

1. Select a saved search in the Saved Searches pane.

2. Click in the Saved Searches toolbar and click Schedule.


3. Complete the selections in the dialog box and click OK.

The icon displays next to your scheduled search.

EXPORT YOUR SEARCH RESULTS


You can export your search results to a PDF or CSV based on the number of events or log messages
included in your nDepth search results.

If your search results include up to 25,000 events or log messages, export your search results to a PDF file.
If your search results include more than 25,000 events or log messages, export your search results to a
spreadsheet in CSV format.

EXPORT TO A PDF FILE

1. Click in the nDepth toolbar and click Export.


2. Remove any pages as required.


3. Click to add a page or click to adjust the page layout to Portrait or Landscape.

4. Click Export to PDF.


nDepth prepares the PDF.

5. Click Yes to confirm the export.

6. Select a file location in the Save As dialog box and click Save.
Your PDF file is saved.

EXPORT TO A CSV FILE

1. Click in the Results Details toolbar and click Export to CSV.


2. Click Yes to confirm your export.
3. Select a file location in the Save As dialog box and click Save.
Your CSV file is saved.

Run and schedule reports


Reports provide a bridge between detailed views (point-in-time information) and events (unaltered
messages from LEM-managed devices). You can run a report on your Log & Event Manager database to
view events and trends and make informed decisions about your network activity. After you create the
report, you can print it or export it to several supported formats, including PDF and Microsoft Word. You
can also run an ad-hoc report or schedule reports to be sent automatically to your email address.

SolarWinds recommends identifying who needs to receive performance or status reports, and how
often they should receive them.

Log & Event Manager reports are segregated into three levels: 

• Master reports include every type of log in an event category and a graphical summary page.
• Detail reports include all events and event details.
• Top reports include the top events for a selected category.

Each report level displays in the level column next to the category. Hover your mouse over any column
header row and click to filter your selection. Similar to the LEM Console, all reports are based on events
and fields in your LEM database.

RUN A REPORT
1. Ensure that your Reports console is installed and configured on a network computer.
2. Log in to the Reports console as an administrator.
3. In the Settings tab, click the Data Source drop-down menu and select a manager (the IP address or
hostname of your virtual appliance).

If you are installing Log & Event Manager for the first time, only one manager should appear.

4. (Optional) Click the Category drop-down menu and select a report category filter—for example, Audit.

5. Select a report title and click Run in the toolbar.


6. Select your start and end date and time parameters, and then click Now.

The report displays in the View tab.

This process may take several minutes to complete.

7. Click Print in the toolbar to send the report to a local or network printer.
Click Export to export the report to the appropriate format (such as a PDF or a Microsoft Word
document).

RUN A CUSTOM REPORT


If you want to report on a specific event (such as a user logon failure), you can create a custom report
that reports on a specific field. Use the left menu in the Reports console to select the field for your
report.

1. In the left column, select the field you want to query.

2. Click Select Expert > New.


3. Select a field to report on, and then click OK.

4. Click the Boolean drop-down menu and select your comparison operator.

5. Select or enter a second value. Click New to select or enter additional fields and expand your query.

6. Click OK.
Select Expert displays only the information that matches your query.
All fields are listed as column labels across the top. You can also hover over data to display the
reported field.

7. Click Print to print your report.


Click Export to export your report to a PDF, Word Document, or other format.

SCHEDULE A REPORT
You can schedule tasks in the Reports console to generate a report based on your criteria. You can
schedule the report to run daily or at specific times that you choose.

After you schedule your report task, you can assign the task to a manager and define the task scope—the
period of time reflected in the report. When the system runs the report, it retrieves all relevant events that
occurred within the scope parameters.

The Reports console works together with Windows Scheduled Tasks for report scheduling.

1. Select a report in the console and click Schedule.

2. Click Add in the Report Scheduler Task dialog box.

3. Enter a name that distinguishes this task from any existing or future tasks, and click OK.

4. Select your task parameters in the Task tab.

Click Set password to password protect this task.


Select the Run only if logged on check box to run the report only when you are logged on to the
Reports console.
Select the Enabled check box to enable the task.

5. Click the Schedule tab, and then click New.

6. Set the schedule parameters that describe when your SolarWinds system can run the task, and then
click Apply.

7. Click the Settings tab.

8. Select the scheduling, idle time, and power management settings for your task, and then click Apply.

9. Enter your Reports console password to schedule the task, and then click OK.

10. Click OK to close the dialog box. If prompted, re-enter your password and click OK.
The scheduled report task displays in the Report Schedule Tasks window.

11. Click Load to View or Edit to assign the task data source.
12. Click the Select the report data source drop-down menu and select the IP address or hostname of
your Log & Event Manager.

You can assign one report task to one manager. To assign a similar or identical task to another
Log & Event manager, create a new task.

13. Click the Report Scope drop-down menu and select a date range for this task and data source.

14. Select the Start and End date and time for your date range.
    Day:Today reports all data from today.
    Day:Yesterday reports all data from yesterday.
    Week:Current reports all data from seven days ago to the current day.
    Week:Previous reports all data from 12:00:00 AM last Monday to 11:59:59 PM last Sunday.
    Month:Current reports all data from one month ago to the current time.
    Month:Previous reports the last full month of data, beginning at 12:00:00 AM on the first of the month
    until 11:50:59 PM on the last day of the month.
    User:Defined reports all data based on your selected date and time parameters.

15. (Top-level reports only) In the Count Settings box, enter or select the number of items to track in
the report.

16. (Optional) Select the Export check box to export a scheduled report to a PDF file or send the report to
a printer.

a. Click the Format drop-down menu and select a file format for your report.
b. Enter a report name in the File Name field.
c. Click and select a location for the report.

If the report includes multiple schedules, give each scheduled report a different name.
Otherwise, new reports overwrite your existing reports or are incremented according to the If File
Exists setting.

d. Select an option for similarly-named files in the If File Exists drop-down menu.
17. Click Save.
The scheduled report task displays in the Report Schedule Tasks window.
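The Report Scope names in step 14 are easy to misread when checking whether a scheduled report actually covered the events you expected. The following added example (not code from the guide or from the Reports console) computes each named scope as a concrete start/end window from a given clock time, following the definitions above, and filters a constructed list of event timestamps against it. Assumptions are labelled in the code: Week:Current starts at midnight seven days ago, Month:Current uses calendar-month arithmetic with the day clamped for shorter months, and Month:Previous is taken to run to the last second of the month's final day, in line with the Week:Previous definition.

```python
import calendar
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

ONE_SECOND = timedelta(seconds=1)


def one_month_before(moment: datetime) -> datetime:
    """Same day and time one calendar month earlier.
    Assumption: when the earlier month is shorter, the day is clamped
    (e.g. 31 Mar -> 28 Feb)."""
    year, month = moment.year, moment.month - 1
    if month == 0:
        year, month = year - 1, 12
    last_day = calendar.monthrange(year, month)[1]
    return moment.replace(year=year, month=month, day=min(moment.day, last_day))


def report_scope(scope: str, now: datetime,
                 start: Optional[datetime] = None,
                 end: Optional[datetime] = None) -> Tuple[datetime, datetime]:
    """Return the (start, end) window for a Report Scope name.
    'now' is passed in explicitly so results are deterministic and testable."""
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)

    if scope == "Day:Today":
        return midnight, now
    if scope == "Day:Yesterday":
        yesterday = midnight - timedelta(days=1)
        return yesterday, midnight - ONE_SECOND
    if scope == "Week:Current":
        # Assumption: "seven days ago" means midnight seven days ago.
        return midnight - timedelta(days=7), now
    if scope == "Week:Previous":
        # 12:00:00 AM last Monday through 11:59:59 PM last Sunday.
        this_monday = midnight - timedelta(days=now.weekday())
        return this_monday - timedelta(days=7), this_monday - ONE_SECOND
    if scope == "Month:Current":
        return one_month_before(now), now
    if scope == "Month:Previous":
        # First of the previous month to the last second of its final day
        # (assumption: end of day, matching the Week:Previous definition).
        first_of_this_month = midnight.replace(day=1)
        end_of_prev_month = first_of_this_month - ONE_SECOND
        return end_of_prev_month.replace(day=1, hour=0, minute=0, second=0), end_of_prev_month
    if scope == "User:Defined":
        if start is None or end is None or end < start:
            raise ValueError("User:Defined needs a start and an end, start <= end")
        return start, end
    raise ValueError(f"unknown report scope: {scope!r}")


def events_in_scope(events: Iterable[Dict], scope: str, now: datetime) -> List[str]:
    """Return the names of events whose timestamp falls inside the scope window."""
    start, end = report_scope(scope, now)
    return [e["name"] for e in events if start <= e["time"] <= end]


# Constructed sample events (not real LEM data) around a fixed clock time.
NOW = datetime(2017, 7, 19, 14, 30, 0)          # a Wednesday
SAMPLE_EVENTS = [
    {"name": "logon-failure-last-week", "time": datetime(2017, 7, 12, 9, 0)},
    {"name": "logon-failure-sunday",    "time": datetime(2017, 7, 16, 23, 59, 59)},
    {"name": "logon-failure-monday",    "time": datetime(2017, 7, 17, 0, 0, 0)},
    {"name": "logon-failure-today",     "time": datetime(2017, 7, 19, 8, 15)},
]

if __name__ == "__main__":
    for name in ("Day:Today", "Week:Previous", "Month:Previous"):
        s, e = report_scope(name, NOW)
        print(f"{name:15} {s} -> {e}: {events_in_scope(SAMPLE_EVENTS, name, NOW)}")
```

The boundary events in the sample (23:59:59 Sunday versus 00:00:00 Monday) show why the window edges matter: the Sunday event belongs to Week:Previous, the Monday event does not.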

Advanced Options
This section contains the following topics:

• Set up File Integrity Monitoring
• Scan for new nodes
• Manage your LEM appliance

Set up File Integrity Monitoring


You can use File Integrity Monitoring (FIM) to monitor system and user file activity to protect your sensitive
information from theft, loss, and malware.

Using log files to record suspicious activity, you can detect changes to critical files and registry keys to
ensure they are not accessed or modified by unauthorized users. FIM also helps your systems comply
with regulatory requirements, including the Payment Card Industry Data Security Standard (PCI DSS), the Health
Insurance Portability and Accountability Act of 1996 (HIPAA), and Sarbanes-Oxley.

After you install and integrate FIM with your LEM appliance, you can:

• Monitor file changes and access in real time
• Detect insider abuse using file audits and intelligent correlation rules
• Enhance your anti-virus software capabilities by detecting viruses that masquerade as similarly named files
• Integrate Active Directory to disable user accounts and change user or group rights
• Track file and directory access to critical files and registry keys
• Identify changes to critical registry keys
• Identify unwarranted file changes from zero-day malware and advanced persistent threat
(APT) attacks

You can enable FIM by adding a FIM connector to a node or adding FIM to an existing connector profile.

For a video presentation about File Integrity Monitoring in LEM, open the following URL in a web
browser:

https://www.youtube.com/watch?v=pBahAJFwiKY

ADD A FIM CONNECTOR TO A NODE
1. Log in to your LEM console as an administrator.
2. Click Manage > Nodes.
3. Locate your targeted node in the Nodes grid.
Ensure the node has a green status icon.

4. Click next to your targeted node and select Connectors.


5. Enter FIM in the Refine Results search field.
6. In the Connectors grid, click next to your selected connector and click New.

7. Click next to your desired template and select Add to selected monitors.

A template copy is moved to the selected monitors to be applied to the node.

8. Click Save.

9. (Optional) Add conditions to the template.


a. Click next to the template and select Edit monitor.

b. Select the conditions you want LEM to monitor.

c. Click Edit.
d. In the Add Condition window, click the drop-down menu and select All Keys/Values (recursive)
or Keys/Values (non-recursive).
All Keys/Values (recursive) selects the folder and all sub-folders that match the given mask.
Keys/Values (non-recursive) selects only the files in the selected folders to monitor.

Click Tell me more for information about your configuration options.

e. Enter a mask (for example, *.exe or directory*).

f. Select the actions you want to monitor.

g. (Optional) Click Add Another Condition.
h. Click Save.
10. Click Save Changes.
The LEM agent on your node installs the FIM driver that collects the file system events. Next,
LEM pushes the configuration you created to the remote agent and into the driver. In the Nodes grid,
the FIM status icon turns green, indicating the driver is working properly.
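The monitor conditions above combine a mask, a recursive or non-recursive folder selection, and a set of actions to watch. To make the effect of those choices concrete, the following added example (not code from the guide and not the LEM FIM driver, which hooks the file system in real time) does the offline equivalent: it hashes the files that match a mask, either in one folder or through all sub-folders, and diffs two snapshots to report added, deleted and modified files. The sample directory tree is constructed inside a temporary folder, and the mask is applied to file names only, a simplification of the folder masks (such as directory*) the console also accepts.

```python
import fnmatch
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple


def sha256_file(path: str) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str, mask: str, recursive: bool) -> Dict[str, str]:
    """Map relative path -> SHA-256 for files under root whose name matches mask.
    recursive=True corresponds to All Keys/Values (recursive): root and all
    sub-folders. recursive=False corresponds to Keys/Values (non-recursive):
    only files directly inside root."""
    if recursive:
        walker = os.walk(root)
    else:
        top_files = [n for n in os.listdir(root) if os.path.isfile(os.path.join(root, n))]
        walker = [(root, [], top_files)]
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in walker:
        for name in files:
            if fnmatch.fnmatch(name, mask):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = sha256_file(full)
    return baseline


def diff_baselines(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Report which monitored files were added, deleted or modified between snapshots."""
    return {
        "added": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> Tuple[List[str], List[str], Dict[str, List[str]]]:
    """Build a constructed sample tree, snapshot it, change it, and diff.
    Returns (non-recursive match list, recursive match list, changes)."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel: str, data: bytes) -> None:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)

        # Constructed sample files: two executables and one text file.
        write("app.exe", b"original binary")
        write("notes.txt", b"not covered by the *.exe mask")
        write("sub/helper.exe", b"helper binary")

        non_recursive = build_baseline(root, "*.exe", recursive=False)
        recursive = build_baseline(root, "*.exe", recursive=True)

        # Simulate the kinds of change FIM is meant to surface.
        write("app.exe", b"tampered binary")          # modified
        os.remove(os.path.join(root, "sub/helper.exe"))  # deleted
        write("sub/new.exe", b"dropped file")           # added

        changes = diff_baselines(recursive, build_baseline(root, "*.exe", recursive=True))
        return sorted(non_recursive), sorted(recursive), changes


if __name__ == "__main__":
    print(demo())
```

Running it shows that the non-recursive selection sees only app.exe while the recursive one also picks up sub/helper.exe, and that a hash diff catches the modification, deletion and new file even though the file names and sizes alone would not reveal the tampering.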

Scan for new nodes


When you add additional monitored nodes in your network, use the Scan for New Nodes feature in the
Ops Center view to create new connectors for each new syslog source. Using this method, you can
configure and enable multiple connectors simultaneously, minimizing network administration when new
nodes are added in your network.

1. Click the Ops Center view and locate the Node Health widget.
2. Click Scan for New Nodes in the widget toolbar.

LEM begins scanning for new nodes in your network. If new nodes are found, the New Connector(s)
found banner displays in the console. Otherwise, the No nodes found banner displays.

This process may require several minutes to complete. During the scan, a message displays
indicating that the scan is continuing in the background. A progress bar also displays at the
bottom of the console.

3. Click View Now.

4. Select the recommended connectors you want to install, and then click Next.
Hover your cursor over the connector name for details.

5. Review the Summary information, and then click Finish.

The Nodes grid displays with the new nodes. Click Monitor to view the events collected from the new
nodes.

6. Click Manage > Appliances.

7. Click and select Connectors.


8. In the Refine Results pane, enter a keyword for your new connector.

9. Locate your connector in the list.

10. Click next to the connector and select Edit.


11. Edit your connector settings as required, and then click Save.
The node connector is enabled.

Manage your LEM appliance


You can manage your LEM appliance using the virtual console in your hypervisor client or a Secure Shell
(SSH) client (such as PuTTY).

Using the SSH client and CMC commands, you can:

• Upgrade your LEM Manager software
• Deploy new connector infrastructure to the managers and agents
• Reboot or shut down the network appliance
• Configure trusted reporting hosts
• Configure supplemental services on the manager appliance
• Control your nDepth appliances
• Manually apply connector updates

To establish a secure connection to your LEM appliance using PuTTY: 

1. Start a PuTTY session.


2. Click Session.
3. In the Host Name field, enter the IP address or hostname of your LEM appliance.
4. In the Port field, enter 32022 or 22.
5. Click Open.
6. In the login field, enter cmc, and then press Enter.

7. In the password field, enter your password, and then press Enter.
The default password is password.

The session displays on your screen, as shown below.

8. Enter and execute the appropriate command to manage your appliance.

Click Exit to exit the appliance.

See "CMC Commands" in the Log & Event Manager User Guide for a list of supported commands.

See your hypervisor documentation for information about using the virtual console.

Find LEM support on the Customer Portal and thwack
This section contains information on accessing the SolarWinds Customer Portal and engaging with thwack,
the SolarWinds community of IT pros:

• Access the Customer Portal
• Set up additional Customer Portal user accounts
• Engage with the SolarWinds community

Access the Customer Portal


The SolarWinds Customer Portal provides access to license and maintenance information, support cases,
and product downloads, as well as live and instructor-led virtual classroom training.

CREATE YOUR USER PROFILE


To create a user profile, you must know the SolarWinds customer ID (SWID) issued to your company. If you
are a SolarWinds customer but do not have a SWID, contact SolarWinds Customer Support.

Users with multiple SWIDs require only one user profile. Your user profile can be linked to multiple
SWIDs.

1. Go to customerportal.solarwinds.com.
2. Click the Register tab.
3. Enter your organization's SWID and your email address.

If you have multiple SWIDs, enter any SWID to create your profile. Later, use the User Profile
menu to link the other SWIDs to your profile.

The account administrator will review the request, and you will receive an email when it is approved.

For more information about creating an account, see this FAQ page.

EXPLORE THE CUSTOMER PORTAL

Manage licenses and access license keys.

Download purchased products.

Open a new support case and monitor existing cases.

Download free trials of integrated products.

Sign up for instructor-led virtual classroom training.

Set up additional Customer Portal user accounts
If you have Account Administrator access to the SolarWinds customer portal, you can add additional user
accounts and define each user's access level and contact type.

For more information about user account types and permissions, see this FAQ page.

1. Log in to customerportal.solarwinds.com with your email address.


2. In the user account drop-down menu in the upper-right corner, click Company Account Settings.
3. Click the Add User button.
4. Enter the user's information.
5. Specify the user's access level:
   • Account Administrator: Can access all areas of the Customer Portal. Can also add and remove
   users, edit user profile information, and assign roles and contact types to users.
   • Standard Access: Can access all areas of the Customer Portal.
   • No Access: Cannot access the Customer Portal, but is listed as a contact on the account.
6. Specify the user's contact type:
   • Primary Contact: Receives all account-related communications.
   • Billing Contact: Receives communications relating to billing.
   • Partner Contact: Receives communications related to partner support.
   • Renewal Contact: Receives communications relating to maintenance renewals and product
   maintenance expiration.
   • Support Contact: Receives communications related to technical support.

Engage with the SolarWinds community


Use the SolarWinds thwack community website to learn more about SolarWinds products, participate in
discussions, and get help resolving issues.

CREATE A THWACK ACCOUNT


You can read content on thwack without an account. However, having an account allows you to take full
advantage of the site by submitting feature requests, liking or following posts, and contributing content.
When you create a thwack account, SolarWinds will not send you unsolicited emails or add you to
marketing lists.

1. Go to thwack.solarwinds.com.
2. Click Register in the top right.
3. Enter the required information and accept the license agreement.
4. Click Create Account.

EXPLORE THE THWACK SITE


After you create an account, click this link to begin exploring thwack. Participating in the thwack
community earns points, which you can use to purchase items in the thwack store.

As a member of the thwack community, you can:

• Participate in community discussions and get answers to your questions.

In the product forums, you can post questions and view responses to other users' questions. Advice,
resolutions, and troubleshooting tips are provided by community members and by SolarWinds
employees.

• Extend product capabilities with custom templates, reports, and scripts.

The thwack product forums include thousands of downloadable templates, reports, and scripts you
can use to customize or extend your SolarWinds products. This content is contributed by SolarWinds
employees and by other community members.

• View product roadmaps, which list the features currently being developed for future product
releases.

• Be notified of User Experience sessions where you can share your experiences and help make
SolarWinds products better.

• Influence the direction of a product by submitting feature requests and voting for other users'
feature requests.

• Read blogs about SolarWinds products and about general IT topics.
