This document may not be reproduced by any means nor modified, decompiled, disassembled, published
or distributed, in whole or in part, or translated to any electronic medium or other means without the prior
written consent of SolarWinds. All right, title, and interest in and to the software and documentation are
and shall remain the exclusive property of SolarWinds and its respective licensors.
The SolarWinds and other SolarWinds marks, identified on the SolarWinds website, as updated from
SolarWinds from time to time and incorporated herein, are registered with the U.S. Patent and Trademark
Office and may be registered or pending registration in other countries. All other SolarWinds trademarks
may be common law marks or registered or pending registration in the United States or in other countries.
All other trademarks or registered trademarks contained and/or mentioned herein are used for
identification purposes only and may be trademarks or registered trademarks of their respective
companies.
LEM 6.3.x
October 4, 2016
QUICK START AND DEPLOYMENT GUIDE: LOG & EVENT MANAGER

Table of Contents
• Log & Event Manager Quick Start and Deployment Guide
• Product terminology
• Licensing
• Best practices
• Port requirements
• Fine tuning
• Installation requirements
• Virtual appliance
• Web console
• LEM agent
• Port requirements
• Memory settings
• (Optional) Install the LEM Desktop Console
• Filter events
• Test an event
• Installation folders
• Remote installation
• Local installation
• Test an event
• Get started
• Create a filter
• Save a search
• Schedule a search
• Export to a CSV file
• Run a report
• Schedule a report
• Advanced Options
• Add a FIM connector to a node
This guide will take you from installation to full implementation of Log & Event Manager. As you work
through the topics in this guide, you will complete the following tasks:
Existing customers: Access your licensed software from the SolarWinds Customer Portal. If you need any
implementation help, contact our Support Geeks.
Evaluators: Download your free 30-day evaluation here. If you need assistance with your evaluation,
contact sales@solarwinds.com.
Product terminology
The following terms define the components used in Log & Event Manager.
Agent: A software application that collects and normalizes log data before it is sent to the LEM Manager.
Alert: LEM containers used to display events and messages from LEM-monitored devices.
Complexity of configured rules: Complex conditions involving multiple types of events, thresholds, and
longer time frames require more resources than rules with simple conditions.
Connector: A software component that converts raw events collected from a network device into
normalized events. Connectors can reside on device agents or the LEM appliance.
Desktop Console: An application powered by Adobe Air Runtime that monitors your LEM Appliance in
place of the LEM Console. You can use this console if your corporate IT requirements restrict you from
using a web browser-based solution with Adobe Flash.
Events per second or Events per day: The total number of distinct events received by the LEM appliance
per second or per day (generally per second is considered an average). For example, the environment with
865 nodes can generate approximately 50 million events per day (or about 550 events per second).
Explore view: Provides access to data analysis utilities to retrieve additional information about the events
you see in the LEM console.
Hypervisor: A software application that runs a virtual appliance on a Windows-based server, such as
VMware® vSphere® and Microsoft® Hyper-V®.
Keytab file: Used by LEM to access Active Directory directly for Kerberos authentication. This file contains
user account credentials, but the password is hashed.
LEM Manager: The deployed virtual appliance that captures syslog data from local network devices. The
LEM Manager includes a syslog server, optimized database, web server, correlation engine, and a
hardened Linux operating system.
Monitor view: Displays all monitored events on your network in real time. You can create filters and
widgets that group and display different events from your agents, managers, and network devices.
Network device: A log source (such as a firewall, router, switch, or third-party software) that sends log
messages to the LEM Manager.
Nodes: Systems and devices that send data to your LEM appliance, such as servers, workstations, network
devices, and security devices. For example, an environment with 10 routers, 50 switches, 300 servers, five
firewalls, and 500 workstations sending data to your LEM appliance is equivalent to 865 nodes.
Normalized vs. original log (raw) storage: By default, all sizing details assume the Log & Event Manager
default normalized data store is the only enabled store. If original log message storage is enabled,
increase your resources accordingly.
OPS Center view: Provides a graphical representation of your log data in the LEM Console. It includes
several widgets that help you identify problem areas and trends in your network. The Monitor view
displays events in real time as they occur in your network. The Explore view provides tools for investigating
events and related details. The Build view creates user components that process data on the
LEM Manager. The Manage view manages properties for appliances and nodes.
Reports Console: A standalone application that schedules and runs preconfigured reports against your
LEM database data. The console is a separate installation on your desktop or laptop system.
Rules: A LEM appliance component that provides automated actions based on specific alert correlations.
Rules triggered per day or Rules triggered per second: The total number of correlation rules that meet
all criteria and are triggered per second or per day (generally per second is considered an average). For
example, an environment can have 15 different correlation rules configured that fire approximately once
every hour, or approximately 360 rules triggered per day.
Single Sign-on (SSO): Enables the LEM appliance to use LDAP Kerberos-based authentication credentials
to access Active Directory (AD) for user access control to LEM roles and database reports. SolarWinds
deploys SSO in LEM using a keytab generated by Active Directory to enforce user account security.
Syslog server: A software application (such as Kiwi Syslog Server) that collects syslog messages and
SNMP traps from network devices (such as firewalls, routers, and switches).
Virtual Appliance: A virtual image of a Linux-based physical computer that collects and processes log and
event information. You can deploy the virtual appliance using VMware vSphere or Microsoft Hyper-V client.
Web Console (or LEM Console): Provides a browser-based method to monitor your LEM Appliance. The
console is organized into five functional areas called views. These views organize and present different
information about the components that comprise the LEM system.
Plan your deployment
Use this table to size your SolarWinds environment.
Use the largest sizing that reflects your environment. For example, if you are running a small deployment
and begin to notice performance degradation at 300 nodes, move to a medium deployment. As the
number of nodes and data traffic changes over time, move to a deployment that supports your enterprise.
The hard drives are defined when the virtual appliance host is created. Installing LEM in a SAN is
preferred, but high-speed hard drives (such as SSD drives) are required for high-end deployments.
When using original log (raw) storage, increase your CPU and memory resources by 50%. See your
hypervisor documentation for more information.
SIZE OF DEPLOYMENT: Small (receives 5M – 35M events and triggers up to 500 rules per day)
HARDWARE:
• 2 – 4 core processors at 2.0 GHz
• 8 GB RAM
• 250 GB hard drive with 40 – 200 IOPS
DEVICES: Fewer than 500 nodes in the following combinations:
• 5 – 10 security devices
• 10 – 250 network devices, including workstation endpoints
• 30 – 150 servers

SIZE OF DEPLOYMENT: Medium (receives 30M – 100M events and triggers up to 1000 rules per day)
HARDWARE:
• 6 – 10 core processors at 2.0 GHz
• 16 GB – 48 GB RAM
• 1 TB hard drive with 200 – 400 IOPS
DEVICES: Between 300 and 2,000 nodes in the following combinations:
• 10 – 25 security devices
• 200 – 1000 network devices, including workstation endpoints
• 50 – 500 servers

SIZE OF DEPLOYMENT: Large (receives 200M – 400M events and triggers up to 5000 rules per day) *
HARDWARE:
• 10 – 16 core processors at 2.0 GHz
• 48 GB – 256 GB RAM
• 2 TB hard drive with 400 or more IOPS
DEVICES: More than 1,000 nodes in the following combinations:
• 25 – 50 security devices
• 250 – 1000 network devices, including workstation endpoints

* The most successful large deployments receive up to 250M events per day.
You can increase your performance if each virtual appliance is deployed on a separate hardware machine.
If your virtual appliances are deployed on the same hardware host, the negative performance impact is
minimal.
INDIVIDUAL VIRTUAL APPLIANCES
Multiple appliance deployments provide a consolidated, real-time search and management view in a
single LEM console. This type of deployment is recommended if your corporate enterprise includes logical
divides in management or monitoring responsibilities.
The following illustration shows an example of individual virtual appliances deployed in LEM.
In this deployment, the network devices send syslog data to the LEM Manager over TCP or UDP.
Workstations and servers hosting applications use LEM agents to initiate TCP connections and push syslog
data to the LEM Manager running on a supported vSphere or Hyper-V hypervisor. The syslog server
receives the logs on port 514 and saves the logs to the LEM Manager /var/log file partition. The log
filename varies, based on the target facility configured on the network device.
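Where the facility that selects the log file comes from, as an added example that is not part of the SolarWinds guide: the Python script below decodes the <PRI> prefix of BSD-style (RFC 3164) syslog messages into facility and severity, assumes the RFC 3164 default of <13> (user.notice) for messages that arrive without a PRI, and summarizes which facility each sending device logs to, which is the first thing to check when a device appears to send nothing. The sample messages, host names and addresses are constructed; the /var/log file names themselves are not modelled because the guide does not list them.

```python
"""Decode syslog <PRI> values into facility and severity.

Added example, not SolarWinds code. The guide notes that the LEM syslog server
files each incoming message under /var/log according to the facility the
sending device was configured with; this shows where that facility comes from
(the <PRI> prefix of a BSD-style, RFC 3164 message) and summarizes which
facilities each device is using. The sample messages below are constructed.
"""
import re
from collections import Counter
from typing import Dict, NamedTuple, Optional, Tuple

# Facility keywords in RFC 3164 numeric order (0..23).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Severity keywords in numeric order (0..7).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164 tells a receiver to assume <13> (user.notice) when a message has no PRI.
DEFAULT_PRI = 13

_LINE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                                  # optional <PRI>
    r"(?:(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) )?"     # optional "Mmm dd hh:mm:ss"
    r"(?P<host>\S+) "                                            # hostname or IP
    r"(?P<msg>.*)$"                                              # TAG: content
)


class SyslogMessage(NamedTuple):
    facility: str
    severity: str
    timestamp: Optional[str]
    hostname: str
    message: str
    pri_missing: bool  # True when the receiver had to assume DEFAULT_PRI


def decode_pri(pri: int) -> Tuple[str, str]:
    """PRI = facility * 8 + severity; valid values are 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_syslog(line: str) -> SyslogMessage:
    m = _LINE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    pri_missing = m.group("pri") is None
    facility, severity = decode_pri(DEFAULT_PRI if pri_missing else int(m.group("pri")))
    return SyslogMessage(facility, severity, m.group("ts"), m.group("host"),
                         m.group("msg"), pri_missing)


def facilities_by_host(lines) -> Dict[str, Counter]:
    """Count messages per (sending host, facility): which facility each device logs to."""
    summary: Dict[str, Counter] = {}
    for line in lines:
        msg = parse_syslog(line)
        summary.setdefault(msg.hostname, Counter())[msg.facility] += 1
    return summary


# Constructed sample messages (not captured from a real device).
SAMPLE_LINES = [
    "<34>Oct  4 09:07:31 fw01 kernel: deny tcp 10.0.0.5/4444 -> 10.0.0.10/22",  # auth.crit
    "<134>Oct  4 09:07:32 sw01 link: port 3 up",                              # local0.info
    "<13>Oct  4 09:07:33 rtr01 cfg: configuration saved",                     # user.notice
    "Oct  4 09:07:34 rtr01 cfg: message without a PRI field",                 # assumed <13>
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        m = parse_syslog(line)
        print(f"{m.hostname:6} {m.facility}.{m.severity:8} {m.message}")
    print(facilities_by_host(SAMPLE_LINES))
```

Run it against a short capture (for example a few lines read from the syslog files on the appliance, or from a packet capture on UDP/TCP 514) to see which facility each device is actually configured to use; a device that logs to a facility you did not expect ends up in a different file than the connector is watching.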
If your log sources are located behind firewalls, see SolarWinds LEM port and firewall information
to open the necessary ports or the SolarWinds Port Requirements for SolarWinds Products Guide
for a list of all ports required to communicate with LEM.
Multi-location deployment example
This deployment example uses two syslog servers based in two locations to collect log data from your
network devices in a wide area network (WAN). The syslog server is installed in two Windows-based
systems hosting the LEM agent, which captures the syslog data from the network devices. You can use this
deployment to collect syslog data from two remote locations.
This architecture detaches and distributes the syslog servers in separate locations, rather than using the
Syslog server in the LEM Manager. Both locations include a local syslog server. The LEM connectors
normalize the original log messages into LEM events. You can implement this scenario when your change
management processes prevent you from adding new logging hosts on your network devices.
If you deploy a detached Syslog server (such as a Kiwi syslog server), install a LEM Agent on both syslog
servers, and then enable the appropriate connectors on the LEM Agent.
Automatic log scanning does not apply to the LEM Agent. However, new nodes can be discovered by
the enabled connectors.
If your log sources are located behind firewalls, see SolarWinds LEM port and firewall information
to open the necessary ports or the SolarWinds Port Requirements for SolarWinds Products Guide
for a list of all ports required to communicate with LEM.
Licensing
Licensing your Log & Event Manager deployment is based on:
• The number of universal nodes (systems running Windows Server or Unix operating systems and
non-agent devices such as switches, routers, and firewalls).
• The number of workstation nodes (systems running Windows and the LEM Agent on desktop
systems).
For example, with a LWE250 for LEM30 license, you can add 250 Windows workstation nodes and 30
universal nodes.
Best practices
When you initiate your Log & Event Manager deployment, SolarWinds recommends applying the correct
port requirements and fine tuning your installation to ensure peak performance.
PORT REQUIREMENTS
See the SolarWinds Port Requirements for SolarWinds Products Guide for the current LEM port
requirements.
FINE TUNING
To minimize processor and memory resources, SolarWinds recommends reviewing your Log & Event
Manager logging resources, fine-tuning your rules, and verifying that your virtual appliance is running
properly.
Windows filtering platform (WFP) events are logged into Windows event logs when specified by
auditing policies.
• Low threshold settings. Consider increasing the threshold for rules that trigger due to network
traffic.
• Broadly-defined conditions. Define rules to apply only to specific user names, IP addresses, or
systems. Consider whether a different set of rules with different conditions could serve two distinct
areas of your environment.
• Rules using event groups instead of a single event or subset of events. Rules that detect
authentication or network traffic may trigger on additional events, but may only apply to a subset
of those events.
Install the virtual appliance
This section provides the system requirements for your LEM manager and information about installing the
hypervisor and preparing the installation files.
Installation requirements
Before you install SolarWinds LEM, ensure that your hardware systems meet the minimum software and
hardware requirements. LEM is only supported on Microsoft Windows-based platforms.
Your deployment may require additional resources. See Plan your deployment for hardware and device
specifications based on your deployment architecture.
In this section:
• Virtual appliance
• Web console
• LEM agent
• Port requirements
VIRTUAL APPLIANCE
HARDWARE REQUIREMENTS
Memory: 8 GB*
* These are the minimum requirements. Depending on your deployment, you may need to add additional
resources for additional log-traffic volume and data retention.
SOFTWARE REQUIREMENTS
WEB CONSOLE
HARDWARE / SOFTWARE REQUIREMENTS
LEM AGENT
HARDWARE / SOFTWARE REQUIREMENTS
• HP-UX
• IBM AIX
• Linux
• Oracle® Solaris
• Windows Vista
• Windows 7
• Windows 8
• Windows 10
• Windows Server 2003
* These requirements are the default settings. Depending on your deployment, you may need to add
additional resources for additional log-traffic volume and data retention.
To upgrade your 32-bit Solaris SPARC and Solaris Intel agents, download the Solaris SPARC Agent and
Solaris Intel Agent installers from the Customer Portal and run these installers on your Solaris systems. In
a future release, the LEM console will support updates for 64-bit Solaris agents when they are available.
PORT REQUIREMENTS
Port requirements are posted to the SolarWinds Success Center. If your log sources are located behind a
firewall, see the following pages for information about the ports to open.
• https://support.solarwinds.com/Success_Center/Log_Event_Manager_(LEM)/SolarWinds_LEM_Port_and_Firewall_Requirements
• If you use multiple SolarWinds products, see Port requirements for all SolarWinds products:
https://support.solarwinds.com/Success_Center/Network_Performance_Monitor_(NPM)/Port_requirements_for_all_SolarWinds_products
To get started, download the Microsoft Hyper-V or VMware vSphere software to your host system. When
the download is completed, follow the directions included with your software to configure the software
and associated client (if applicable). See the installation requirements for the supported versions.
See your hypervisor documentation for detailed instructions about the features in both products and
working in the Hyper-V or vSphere interface.
3. Follow the prompts in the Quick Start: Log and Event Manager wizard to complete the installation.
The default deployment uses swi-lem as the host name and attempts to pull network configurations from
the DHCP server. You can change the host name and IP address after you complete the deployment.
By default, Log & Event Manager deploys with 8 GB RAM and 2 CPUs on both hypervisor platforms.
Deploy the virtual appliance
You can deploy Log & Event Manager using the VMware vSphere or Microsoft Hyper-V hypervisor. The
default deployment uses swi-lem as the hostname and pulls the network configurations from the DHCP
server. You can configure a static IP address or hostname after you complete the deployment.
By default, LEM deploys with 8GB RAM and 2 CPUs on the vSphere and Hyper-V hypervisor
platforms.
Be sure you have a supported version of Internet Explorer, Firefox, or Chrome to access the LEM console.
If you are using a non-US keyboard to perform the installation, use SSH to input the settings.
1. Start the VMware vSphere Client and log in with VMware administrator privileges.
2. Deploy the open virtualization format (OVF) template.
3. Open the SolarWinds Log & Event Manager folder located on your desktop and double-click:
Deploy First—LEM Virtual Appliance.ova
Thin provisioning offers more performance flexibility than thick provisioning, but requires
more oversight. Thin provisioning provides increased performance by dedicating physical storage
space.
If your LEM deployment receives greater than 15 million events per day, adjust your system
resource reservations to handle the increased load. See Reserve system resources in the
virtual environment for information about configuring resource reservations for a large
deployment.
1. Select the SolarWinds Log and Event Manager virtual appliance and click Play.
Port 8080 is not secure and is automatically disabled when the activation process is completed. Port
8443 is always available.
http://<your_ip_address>
https://<your_ip_address>
http://<your_ip_address>:8080/lem
https://<your_ip_address>:8443/lem
http://<your_hostname>
https://<your_hostname>:8080/lem
https://<your_hostname>:8443/lem
1. Start the Microsoft Hyper-V Manager and log in with administrator privileges.
2. Select the action to import a virtual machine.
3. In the Import Virtual Machine window, click Browse and select the following file in the SolarWinds Log
and Event Manager folder:
Deploy First - LEM Virtual Appliance.ova
5. In the Settings box, select Move or restore the virtual machine (use the existing unique ID).
6. Click Import to install the LEM virtual machine in Hyper-V and complete the deployment.
The OVA file is imported into your virtual machine.
7. In the Hyper-V Manager, configure additional settings (such as Memory, CPU, networking, and
storage space) to complete your configuration.
By default, the virtual machine is configured with the minimum requirements. The resource
reservations will be set automatically to ensure optimal performance.
If you expect your LEM deployment to receive more than 15 million events per day, adjust your
system resource reservations. See Reserve system resources in the virtual environment for
information about configuring resource reservations for a large deployment.
Port 8080 is unsecure and is automatically disabled after activation has been completed. Port 8443
is always available.
http://<your_ip_address>
https://<your_ip_address>
http://<your_ip_address>:8080/lem
https://<your_ip_address>:8443/lem
http://<your_hostname>
https://<your_hostname>:8080/lem
https://<your_hostname>:8443/lem
If your corporate IT requirements restrict you from using a web browser-based solution with Adobe Flash,
consider installing the LEM Desktop Console with Adobe AIR runtime.
5. Enter your email address to participate in the SolarWinds Improvement Program and send
anonymous data about your usage to SolarWinds. Clear the check box to decline.
6. Click Save.
The installation is completed.
1. Start the desktop console.
2. In the log in window, click Advanced Properties.
4. Click Connect.
The installation is completed.
Be sure to activate the appliance after boot-up. Otherwise, you may experience unexpected results with
your appliance.
If you have not purchased and provided a license key after 30 days, the application will stop collecting
event logs from your syslog and agent devices. You can continue using Log and Event Manager in this
mode and access your saved logs. Applying a license reactivates event log collection so you can continue
monitoring all events in your deployment. If you need to extend your evaluation period, contact Customer
Sales.
You can upgrade to a fully functional production version by purchasing a new license from Customer Sales
and downloading the license key from the Customer Portal. After you install the new license key, you can
access all features within the LEM appliance.
You cannot upgrade your license using the SolarWinds License Manager.
1. Download your license key from the License Management page in the SolarWinds Customer Portal.
2. Open the LEM Console and log in to your LEM manager with your admin credentials.
3. Click Manage > Appliances.
4. Click License in the Properties pane.
5. Select Automatic in the Type field.
6. Enter the license key in the Key field.
7. Enter your name, email, and telephone number without special characters (such as dashes or
periods) in the appropriate fields.
8. Click Activate.
9. Click OK when the license is activated.
APPLY YOUR ACTIVATION KEY OFFLINE
If your LEM Console is not connected to the Internet, you can apply a new license key offline using the
LEM Console and a computer with Internet access. Applying a license key reactivates log event collection,
restoring full product functionality.
You cannot upgrade your license using the SolarWinds License Manager.
1. Open the LEM Console and log into your LEM Manager as an administrator.
2. Navigate to Manage > Appliances.
3. Select the License tab on the Properties pane.
4. In the License Activation pane, select Manual in the Type field.
5. Copy the Unique ID of this LEM Virtual Appliance.
If the computer hosting LEM Manager does not have Internet access, manually copy and paste the
Unique ID into a text file and save the file to a shared drive accessible from a computer with Internet
access.
Be sure to run the Activate command and configure your appliance after boot-up. Otherwise, you
may experience unexpected results with your appliance.
If you plan to use the LEM Desktop Console powered by Adobe AIR Runtime instead of the LEM Console,
import the virtual appliance CA SSL certificate to the certificate store during the activation. When the
activation is completed, the LEM Console connects with the virtual appliance using secure communications
on port 8443.
SolarWinds recommends configuring a static IP address for your LEM appliance. If you run
DHCP and your IP address changes during the evaluation period, your deployed agents may be
disconnected and require additional troubleshooting to resolve.
You can also use PuTTY to activate the appliance. Log in using the appliance IP address and
port 32022 or 22.
3. Configure the appliance with a static IP address.
a. At the cmc> prompt, type appliance and press Enter.
The prompt changes to cmc::acm#, indicating you are in the appliance configuration menu.
g. Follow the steps on your screen to configure the Manager Appliance network parameters.
Be sure to enter a value for each prompt. Leaving blank entries results in a faulty
network configuration that requires you to rerun netconfig.
h. Record the IP address assigned to your appliance. You will use this IP address to log in to the
LEM Console.
4. When prompted, select Yes to specify a hostname or No to accept the default hostname.
To specify a hostname, use the following guidelines:
To ensure secure communications between the desktop software and the virtual appliance,
the SSL certificate is automatically exported from the virtual appliance when the activation is
completed.
The LEM virtual appliance is configured to synchronize with the hypervisor date and time by default. If the
time zone is off by more than five minutes, the LEM rules will not operate properly.
Virtualization Platform: VMware
----------------------------------------
Clock
Synchronization : Enabled
Hypervisor Time : 6 May 2016 09:07:31
Guest Time : Fri May 6 09:07:31 2016
c. Using the space bar, scroll down to Hypervisor Time and change the date and time so they
match the date and time in the LEM Manager.
d. Using the space bar, scroll down to Guest Time and ensure that the date and time matches
the same settings in the LEM appliance.
4. Type Exit and press Enter.
5. Type Exit and press Enter again to exit the CMC interface.
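A way to check the clock settings shown above from a captured CMC session, as an added example that is not from the SolarWinds guide: the Python script parses the Clock block in the format the guide shows and applies the guide's rule that a difference of more than five minutes breaks rule processing. The two CMC outputs embedded in the script are constructed samples; the field names (Synchronization, Hypervisor Time, Guest Time) and the two date formats are taken from the guide's output.

```python
"""Check hypervisor/guest clock skew from the CMC "Clock" output.

Added example, not SolarWinds code. It parses the block the guide shows for
the CMC clock settings and applies the guide's rule of thumb: if the guest and
hypervisor times differ by more than five minutes, LEM rules will not operate
properly. The CMC output below is a constructed sample in the guide's format.
"""
import re
from datetime import datetime, timedelta
from typing import Dict

MAX_SKEW = timedelta(minutes=5)          # limit stated in the guide

HYPERVISOR_FMT = "%d %b %Y %H:%M:%S"     # "6 May 2016 09:07:31"
GUEST_FMT = "%a %b %d %H:%M:%S %Y"       # "Fri May 6 09:07:31 2016"

# "Key : Value" lines; the key is letters/spaces, so the first colon after it
# is the separator even though the time values contain colons themselves.
_FIELD = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<value>.+?)\s*$")

# Constructed sample: hypervisor and guest in agreement.
SAMPLE_CMC_OUTPUT = """\
Virtualization Platform: VMware
----------------------------------------
Clock
Synchronization : Enabled
Hypervisor Time : 6 May 2016 09:07:31
Guest Time : Fri May 6 09:07:31 2016
"""

# Constructed sample: guest clock has drifted 6 minutes 29 seconds ahead.
SAMPLE_CMC_SKEWED = SAMPLE_CMC_OUTPUT.replace(
    "Fri May 6 09:07:31 2016", "Fri May 6 09:14:00 2016")


def parse_clock_block(text: str) -> Dict[str, str]:
    """Collect 'Key : Value' lines; headings and rules without a colon are skipped."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group("key")] = m.group("value")
    return fields


def clock_skew(fields: Dict[str, str]) -> timedelta:
    """Absolute difference between the two clocks as the CMC reports them."""
    for key in ("Hypervisor Time", "Guest Time"):
        if key not in fields:
            raise ValueError(f"missing '{key}' in CMC output")
    hypervisor = datetime.strptime(fields["Hypervisor Time"], HYPERVISOR_FMT)
    guest = datetime.strptime(fields["Guest Time"], GUEST_FMT)
    return abs(hypervisor - guest)


def check_clock(text: str) -> dict:
    """Summarize the clock state; ok is False when sync is off or skew exceeds MAX_SKEW."""
    fields = parse_clock_block(text)
    skew = clock_skew(fields)
    synced = fields.get("Synchronization") == "Enabled"
    return {
        "synchronization_enabled": synced,
        "skew_seconds": int(skew.total_seconds()),
        "ok": synced and skew <= MAX_SKEW,
    }


if __name__ == "__main__":
    for label, text in (("in sync", SAMPLE_CMC_OUTPUT), ("drifted", SAMPLE_CMC_SKEWED)):
        print(label, check_clock(text))
```

Paste the Clock block from a real CMC session into the script (or read it from a file) to get the same summary; a non-zero skew with synchronization enabled usually means the hypervisor host itself is not keeping correct time, which is worth fixing before looking at the appliance.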
Reserve system resources in the virtual environment
Ensure that the system resources in the virtual environment have ample virtual space and memory to
support the Log & Event Manager software and incoming data traffic. For typical deployments, Log & Event
Manager requires 250GB of system resources on the hypervisor. Large deployments may require 2TB of
resources, which you can reserve on the VMware ESX(i) 4/5+ and Microsoft Hyper-V 2008 R-2/2012
hypervisors.
By default, LEM deploys with 8GB of RAM and 2 CPUs on the VMware ESX(i) and Microsoft Hyper-V
platforms.
Log & Event Manager collects data from a continuous stream of traffic that fluctuates based on user,
server, and network activity. The type and volume of traffic varies based on the device sending the traffic
and the audit and log settings on those devices.
The connectors display in the Monitor view, pass through the rules engine for specified actions, and move
into a database for retrieval by the LEM Reports or nDepth search function. To process the data in real-
time, Log & Event Manager requires system resource reservations from the virtual appliance host.
When the volume of traffic exceeds 15 million events per day, be sure to reserve additional system
resources to support the additional data traffic.
The Details pane displays information about your selected manager or appliance. This information
includes the platform, CPU reservation, and memory allocation. To view the Details pane, click Manage and
select Appliances. In the Appliances grid, select the manager or appliance you want to view. If the Details
and Properties panes do not appear in the LEM Console, click the Appliances tab at the bottom of the
screen.
FIELD: DESCRIPTION
Platform: The manager platform name, which can be Trigeo SIM, VMware vSphere, or Microsoft HyperV.
CPU Reservation: The reserved CPU memory. Reserving CPU memory ensures enough system resources are
available for the allocated CPUs.
Memory Allocation: The maximum amount of memory the manager can use. Set this value at or above the
reservation value. You can define this value in the VM configuration. Setting memory allocation to a
greater value than the memory reservation has little effect on LEM performance.
Type: The appliance type (Manager, Database Server, nDepth Server, Logging Server, or Network Sensor).
Port: The port number used by the LEM Console to communicate with the manager or appliance.
You can view your reservation settings using vSphere or an SSH client (such as PuTTY). See your VMware
vSphere documentation for details about configuring resources, reservations, and storage on a vSphere
virtual appliance.
1. Log into vSphere.
2. Select the LEM appliance from the list.
3. Click the Summary tab to view the number of CPUs.
The Provisioned Storage value in the Resource area is the total disk space that Log & Event
Manager can use.
The Configured value must be at least the same value or higher than the reservation. You may see
memory reservations as high as 256GB of RAM for customers over 150 million events per day.
MEMORY SETTINGS
SETTING: VALUE
CPU memory details: Click the Advanced tab and set the view and details
CPU Priority: High
(Optional) Install the LEM Reports Console
The LEM Reports Console converts your Log & Event Manager database data into information you can use
to troubleshoot and identify problems in your corporate network. Installed on a separate server or
workstation in a multiple location deployment, you can run over 200 standard and industry-specific
reports that help you make informed decisions about your corporate enterprise.
If your Windows security settings prevent you from installing the LEM Reports Console and the Crystal
Reports Runtime software, download the LEM Reports Console and the Crystal Reports Runtime installers
from the SolarWinds Customer Portal.
After you install the software, install the SolarWinds Log & Event Manager Reports from the Quick
Start: Log and Event Manager splash screen.
1. On the splash screen, scroll down and click Install Desktop Software.
The installer writes to a system folder that is protected by the Windows operating system.
You can also right-click Install Next - LEM Desktop Software in the SolarWinds Log
and Event Manager folder and select Run as administrator.
Command boxes may appear during the installation. This process is normal.
1. Locate the IP address of your LEM virtual appliance and your LEM console login credentials.
2. Right-click Reports on your desktop and select Run as administrator.
To automatically run Reports as an administrator:
c. Click OK.
d. Click OK in the Reports Properties window.
3. Click Yes in the antivirus dialog box to continue.
4. Click OK in the information box to create a list containing at least one manager.
5. Enter the hostname or IP address of your LEM appliance in the Manager Name field.
Whenever you see Manager in reference to LEM, it usually refers to the IP address or
hostname of your virtual appliance.
9. Click to add the IP address to your LEM Manager list, and then click Yes to confirm.
10. Click Close.
The Reports console is connected to your LEM database and displays on your screen.
1. Download Adobe Air Runtime for Windows from your Customer Portal or the Adobe AIR website.
2. Extract the contents of the ZIP file and double-click the installer.
3. Follow the instructions to complete the installation.
1. Download the standalone console installer from the SolarWinds Customer Portal.
2. Extract the contents of the ZIP file and double-click the LEM Console installer.
3. Click Install.
4. Select your installation preferences.
5. Click Continue to begin the installation process.
6. If you did not instruct the console to open after the installation, open the desktop console.
7. Accept the End User License Agreement, and click OK.
8. Enter the IP address or hostname of the virtual appliance, and then click Connect.
The computer running the LEM Console must be able to resolve the hostname of the appliance
using DNS or a manual entry in the hosts file before you enter the hostname in the desktop
console. See Resolve the LEM virtual appliance hostname for more information.
10. Enter your email address to participate in the SolarWinds Improvement Program. Otherwise, clear
the check box.
Before you edit your hosts file, create a backup copy and save it in a safe place.
Configure forward and reverse DNS entries (which include a HOST and PTR record) for your appliance on
your DNS server. When you create the DNS entries, use the default host name or the host name you chose
during the activation procedure.
If you cannot configure DNS directly on your DNS server, configure a hosts file on your computer by editing
the Windows\System32\drivers\etc\hosts file in a text editor. Add a blank line, then a line containing
your virtual appliance IP address and host name separated by a tab or space.
If your log sources are located behind firewalls, see SolarWinds LEM port and firewall information
to open the necessary ports. See the SolarWinds Port Requirements for SolarWinds Products
Guide for a list of all ports required to communicate with LEM.
When you select an event in the grid, the event details display in the window. You can view information
about the event so you can take the appropriate action.
FILTER EVENTS
To monitor identical event names (for example, TCPTrafficAudit), select the name in the Event Details
pane and click to create a filter. Log & Event Manager filters all incoming events and displays only the
filtered events in the grid.
Click All Events in the Filters pane to disable the filter and monitor all incoming events.
TEST AN EVENT
To generate an example event, restart a Windows service (such as Print Spooler) that does not impact a
running application. The event will display in the All Events grid.
If your devices are configured correctly and your LEM appliance is still not receiving syslog data, identify
the facilities that are collecting log data. When you complete this process, configure the appropriate
connector from the facility to the log device so Log & Event Manager can normalize and monitor this
information in the LEM manager.
See your hypervisor documentation for information about using the virtual console.
a. Click Session.
b. In the Host Name field, enter the IP address or hostname of your LEM appliance.
c. In the Port field, enter 32022 or 22.
d. Click Open.
e. At the login as: prompt, enter cmc, and then press Enter.
f. At the password prompt, enter your password, and then press Enter.
2. At the cmc> prompt, enter Appliance.
See "CMC Commands" in the LEM User Guide for a list of all supported commands.
In this example, 1, 12, and 18 are active syslog facilities because they contain stored log data.
Facilities 13, 15, 16, and 17 are inactive because their syslog log files are empty.
f. Review and match the data to a monitored syslog device in your network.
5. Repeat steps 3 and 4 in this section to match additional facilities with log data to a monitored
syslog device in your network.
The hardened operating system prevents you from accessing the file system directly.
local0 /var/log/local0.log
local1 /var/log/local1.log
local2 /var/log/local2.log
local3 /var/log/local3.log
local4 /var/log/local4.log
local5 /var/log/local5.log
local6 /var/log/local6.log
local7 /var/log/local7.log
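To tell which of the local0 to local7 facilities a device is sending to, decode the syslog PRI header of a message it emits: the facility code is PRI divided by 8, and codes 16 to 23 are local0 to local7, which LEM stores in the log files listed above. This is an added example, not SolarWinds code; the sample messages are constructed.

```python
import re

# Facility codes 16..23 are local0..local7 (RFC 3164/5424). LEM keeps each of
# these facilities in /var/log/localN.log, as the table in the guide shows.
LOCAL_FACILITIES = {16 + n: f"local{n}" for n in range(8)}

PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(message):
    """Return (facility_code, severity) from a leading <PRI>, or None if absent/invalid."""
    m = PRI_RE.match(message)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:            # 23 * 8 + 7 is the largest legal PRI value
        return None
    return pri // 8, pri % 8


def lem_log_path(facility_code):
    """Map a facility code to the LEM log file that stores it (None outside local0-7)."""
    name = LOCAL_FACILITIES.get(facility_code)
    return None if name is None else f"/var/log/{name}.log"


def group_by_facility(messages):
    """Group raw syslog lines by the LEM log file their facility lands in."""
    grouped = {}
    for msg in messages:
        parsed = parse_pri(msg)
        if parsed is None:
            grouped.setdefault("unparsed", []).append(msg)
            continue
        facility, _severity = parsed
        path = lem_log_path(facility)
        key = path if path else f"facility {facility} (not local0-local7)"
        grouped.setdefault(key, []).append(msg)
    return grouped


# Constructed sample messages: PRI 134 -> local0.info, 142 -> local1.info,
# 190 -> local7.info, 13 -> user.notice (not a local facility).
SAMPLE_MESSAGES = [
    "<134>Oct  4 10:15:01 fw01 kernel: ACCEPT TCP 10.0.0.5:51000 -> 10.0.0.9:443",
    "<142>Oct  4 10:15:02 sw02 %LINK-3-UPDOWN: Interface Gi1/0/3, changed state to down",
    "<190>Oct  4 10:15:03 app01 sshd[2201]: Accepted publickey for deploy",
    "<13>Oct  4 10:15:04 host01 user: scheduled job finished",
    "no pri header here",
]

if __name__ == "__main__":
    for log_file, lines in sorted(group_by_facility(SAMPLE_MESSAGES).items()):
        print(f"{log_file}: {len(lines)} message(s)")
```

A device whose messages group under /var/log/local4.log, for example, is the one to match with facility local4 when you enable its connector.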
After you verify that data is received from a device, manually enable the log connector that supports the
device. The connector maps events from the monitored Windows system event log to a LEM normalized
event.
1. Match the facility of your monitored device with the corresponding log file path.
2. Open the LEM console and click Manage > Appliances.
7. Verify that the remaining fields and selections are correct, and then click Save.
The connector displays in the Connectors grid with a gray status icon.
You may need to authenticate to the device to generate data, as some devices do not generate a
continuous stream of data.
The LEM agent runs on your agent nodes until you stop or uninstall the agent.
You can install the LEM agent by clicking Add Nodes to Monitor in the Getting Started widget.
• Verify that system requirements are met and all required software is installed.
• Gather the information required to complete the installation.
[ ] Verify that you have administrative access to the servers and workstations you plan to monitor
Windows-based systems require Domain or Local administrative privileges. Linux or Unix systems require
root-level access.
[ ] Change the LEM hostname. This will minimize hostname issues before you install the LEM agent.
[ ] Set an exception in your antivirus or antimalware scanning software for the ContegoSPOP folder where
the LEM agents will be installed.
The alerts are stored in queue files, which change constantly as they are normalized and encrypted.
[ ] Turn off any anti-malware or endpoint protection applications on host systems during the installation
process.
These applications can affect the process by which installation files are transferred to the hosts. This will
assist Technical Support if you have issues with your agents.
[ ] Ensure that your target node can support the agent hardware requirements.
INSTALLATION FOLDERS
LEM agents are installed to the following folders based on the operating system. See the table below.
The following procedure describes how to set up your monitored nodes from the Manage > Nodes view.
1. If you are upgrading a LEM agent, uninstall the current version before you continue.
2. Log in to the LEM console as an administrator.
3. Click Manage > Nodes.
4. In the toolbar, click Add Node.
6. Install the LEM agent on your servers and workstations using the remote or local installation
procedure listed on your screen.
You can run a remote or a local installation based on your administrator privileges and deployment
needs. See the table below.
Remote installation:
• You have administrator rights to run a remote installer on a server or workstation.
• You want to run the installer remotely on multiple servers and workstations in your network.
• You have administrator rights to run a remote installation.
Local installation:
• You have administrator rights to log in to a server or workstation.
• You want to run the installer in person on each server and workstation in your network.
• You have administrator rights to physically log in to a server or workstation.
REMOTE INSTALLATION
This procedure describes how to install the LEM agent on multiple managed nodes in your corporate
network at the same time. You must have administrator rights to run a remote installer to perform this
procedure.
1. Under Remote Installation, click Windows Installer.
2. Double-click the downloaded ZIP file and extract the contents to a local directory. By default, the
ZIP file creates a SolarWinds-LEM-<version>-WindowsRemoteAgentInstaller folder on
your system.
The 80MB ZIP file may require several minutes to download based on your network traffic.
3. Open the SolarWinds Log & Event Manager folder and run the inremagent.exe installer.
The installer uses your existing login privileges for the installation and may prompt you for
additional privileges during setup.
12. Review your lists of selected hosts, and then click Next.
13. Enter the default installation paths for the LEM agent, and then click Next.
By default, the installer detects the 32- or 64-bit Windows operating system version.
14. To install USB-Defender, leave the Install USB-Defender check box selected. Otherwise, clear this
check box.
16. After the installer completes the setup process, click Next to install the agents.
This process may require several minutes to complete based on your network traffic.
If the installer does not have sufficient resources to complete the installation process, you will
be prompted to enter a different login account.
LOCAL INSTALLATION
This procedure describes how to install the LEM agent on each managed node—one at a time. You must
have administrator rights to physically log into each server.
1. Under Local Installation, click the appropriate installer for your LEM agent node.
2. Run setup.exe (for Windows nodes) or setup.bin (for Linux nodes).
3. In the installation wizard, click Next.
4. Accept the End User License Agreement, and then click Next.
5. Enter the hostname or IP address of your LEM appliance in the Manager Name field and click Next.
Do not change the default port values.
If you are deploying the LEM agent on a different domain, use the fully qualified domain name
for your LEM virtual appliance. For example: LEMhostname.SolarWinds.com.
7. To install USB-Defender, leave the Install USB-Defender check box selected. Otherwise, clear this
check box.
8. Click Next.
9. Confirm the settings on the Pre-Installation Summary and click Install.
The installer installs the LEM agent on your node.
This process may require several minutes to complete based on your network traffic.
10. Inspect the Agent Log for any errors, and then click Next.
See Troubleshooting LEM agent connections if the LEM agent does not connect to your LEM Appliance.
Enter a keyword in the Search field or click the Category drop-down menu for a list of
supported devices and applications.
• View the event description
• Create an event filter
• Test an event
When you select an event in the grid, the event details display in the Event Details window. You can view
information about the event to help you decide if this is a malicious event that requires an event filter for
further investigation.
1. In the All Events toolbar, click Pause to stop the incoming events.
2. Select an event in the All Events grid.
Click to display the Event Description view. You can use this information to decide whether to set up a
filter for this event for further investigation. Click to return to the Event Details view.
To monitor identical event names (for example, MachineLogon), select the name in the Event Details pane
and click to create a filter. LEM filters all incoming events and displays only the filtered event in the
grid.
To return to viewing all events, click the Overview drop-down menu in the Filters pane and select All
Events.
TEST AN EVENT
After you configure your syslog and agent nodes, you can generate a test event to ensure the event
displays in the All Events grid. This process helps you verify that your LEM deployment is functioning
properly.
To generate an example event, restart a Windows service that does not impact a running application (such
as Print Spooler). The event will appear in the All Events grid.
• You can download and apply the LEM connector update package. This package contains the latest
SolarWinds connector updates. See Applying a LEM Connector Update Package for details.
• Occasionally, Technical Support may provide stand-alone connector updates to address
Unmatched Data alerts in your environment.
Set up your deployment
The LEM Console includes a Getting Started widget in the Ops Center. Using the widget, you can:
• Set up your LEM environment with email alerting and Active Directory integration
• Add additional devices and systems to monitor, such as firewalls and user workstations
You can also add monitored nodes from the Manage > Nodes view.
• Define how the application alerts you when specific conditions occur in your network.
• Learn how to use filters, custom rules, nDepth, and reports to monitor and troubleshoot activity in
your corporate enterprise.
If you have a secured email server, add the LEM virtual appliance IP address as an authorized source.
You can also set up email alerting by configuring an Email Active Response connector in your
appliance located in the Manage > Appliances view.
1. Log in as an administrator.
2. Click the Ops Center View and locate the Getting Started widget.
3. In the widget, click Configure Basic LEM Settings.
5. Configure your email alert settings as required.
e. Change the return display name if SolarWinds does not provide a complete description for
your needs. For example, you can enter System Alert or Security Alert.
f. Enter an authentication server username and password only if you must authenticate before
you send an email or if you use a third-party tool (such as Google Mail or Microsoft
Office365).
6. Click Test Email.
7. Check your email to ensure you received a SolarWinds test message.
Email alerting is enabled.
c. Enter an authentication server username and password only if you must authenticate to
connect to your Active Directory server.
d. If your Active Directory server supports encryption, click the Encryption drop-down menu and
select SSL or TLS. Otherwise, select No SSL.
The Custom Port field populates automatically based on your encryption setting.
2. Click Test Domain Connection and verify that your Active Directory settings are correct.
3. Click Finish.
The Active Directory connection is enabled.
When you click this option in the wizard, a dialog box displays prompting you to choose the type of node
you want to add. Click the drop-down menu, select an agent or non-agent node to monitor, and follow the
instructions in the wizard to add the monitored node.
You can also click Add Node in the Node Health widget to perform the same function.
• Correlation: The number of events that occur within a selected amount of time and the amount of
time allocated to responding to the events.
• Correlation time: The volume of events that match the correlation conditions and the rolling time
window to evaluate the correlation.
• Action: The action that occurs when the rule is triggered.
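The three parts of a rule (a correlation threshold, a rolling correlation time, and an action) can be shown as a small sliding-window matcher run over normalized events. This is an added illustration and not LEM's rule engine; the event field names, the sample events, and the send_alert action are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class CorrelationRule:
    """Fire `action` when `threshold` events named `event_name` arrive within the
    rolling `window`, correlated separately per `key_field` (here the account)."""

    def __init__(self, name, event_name, threshold, window, key_field, action):
        self.name = name
        self.event_name = event_name
        self.threshold = threshold
        self.window = window
        self.key_field = key_field
        self.action = action
        self._windows = defaultdict(deque)   # key -> timestamps of recent matches
        self.fired = []                      # (key, time, action result)

    def feed(self, event):
        """Feed one event; return True if the rule triggered on it."""
        if event["EventName"] != self.event_name:
            return False
        key = event.get(self.key_field, "")
        ts = event["DetectionTime"]
        recent = self._windows[key]
        recent.append(ts)
        # Slide the window: forget matches older than the correlation time.
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.threshold:
            self.fired.append((key, ts, self.action(event)))
            recent.clear()   # one burst triggers the action once, not on every further event
            return True
        return False


def send_alert(event):
    # Stand-in for a configured action such as an email alert.
    return f"alert: {event['EventName']} burst for {event['SourceAccount']} from {event['SourceMachine']}"


# Constructed sample events; field names only resemble LEM's normalized fields.
T0 = datetime(2016, 10, 4, 9, 0, 0)


def logon_failure(seconds, account, machine="10.0.0.25"):
    return {"EventName": "UserLogonFailure", "DetectionTime": T0 + timedelta(seconds=seconds),
            "SourceAccount": account, "SourceMachine": machine}


SAMPLE_EVENTS = [
    logon_failure(0, "administrator"),
    logon_failure(20, "administrator"),
    {"EventName": "MachineLogon", "DetectionTime": T0 + timedelta(seconds=30),
     "SourceAccount": "jsmith", "SourceMachine": "10.0.0.31"},   # ignored: wrong event name
    logon_failure(40, "administrator"),
    logon_failure(45, "jsmith", "10.0.0.31"),                       # different key, counted apart
    logon_failure(60, "administrator"),
    logon_failure(80, "administrator"),    # fifth failure within 120 s: rule fires here
    logon_failure(600, "administrator"),   # widely spaced failures never reach the threshold
    logon_failure(1200, "administrator"),
    logon_failure(1800, "administrator"),
]


def run_rule(events, threshold=5, window_seconds=120):
    """Run a 'five logon failures in two minutes' style rule; return what fired."""
    rule = CorrelationRule(
        name="Repeated logon failures",
        event_name="UserLogonFailure",
        threshold=threshold,
        window=timedelta(seconds=window_seconds),
        key_field="SourceAccount",
        action=send_alert,
    )
    for ev in sorted(events, key=lambda e: e["DetectionTime"]):
        rule.feed(ev)
    return rule.fired


if __name__ == "__main__":
    for key, when, result in run_rule(SAMPLE_EVENTS):
        print(when.isoformat(), key, result)
```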
1. In the Getting Started widget, click Define Rules and Configure Alerts.
2. Select the check box next to the types of rules you want to enable, and then click Next.
3. Complete the fields and selections to define the condition, correlation time, and action for each
new rule, and then click Apply.
4. In the console, click Build > Rules.
5. In the Rules grid, locate a new rule, click and select Enable.
Get started
This section contains the following topics:
Log & Event Manager uses filters to display specific types of events. When you open the Monitor view, the
All Events filter is the default view. To stop the incoming event stream, click Pause in the toolbar.
For additional information about the event, click to review the event description.
If you decide that the event needs immediate attention, click to create a filter for this event (for
example, MachineLogon). The All Events grid is replaced with a grid that displays all related events.
The filter is automatically saved to the Overview menu in the Filters pane. Log & Event Manager will
continue collecting all MachineLogon events and increment the count value so you can monitor this event
for further activity.
When you complete your event research, click to return to the Event Details information or click to
toggle between the previous and next event in the grid.
To resume viewing all incoming events, click All Events in the Filters pane and then click Resume in the All
Events toolbar.
CREATE A FILTER
If you want to focus on specific types of events, you can create a filter. Log & Event Manager includes
several preconfigured filters that organize events into specific groups, which include:
• Security
• IT Operations
• Change Management
• Authentication
• Endpoint Monitoring
• Compliance
See the Log & Event Manager User Guide for filter descriptions included in each group.
1. Click the Monitor view.
2. Click in the Filters pane and select New Filter.
5. Locate a preconfigured group that matches the events you want to filter.
6. (Optional) Select a notification in the Notifications group that executes when a filter event is found.
7. Drag and drop your selected event group filter into the Conditions box.
The filter name displays in the box.
8. (Optional) Drag and drop your selected Notification filter into the Notifications box.
The filter name displays in the box.
You can use most filter groups to create a visual representation of the filtered data using a widget
included in the Monitor view. These widgets are designed to surface trends or anomalies that may
otherwise go unnoticed. The widget can also be added to your Ops Center dashboard.
For example, in the Authentication group, selecting the FailedLogins filter displays all failed logins by
user account using a bar graph.
In the widget interface, you can click to create a new widget, click to edit the widget, or click to
configure the existing widget.
• Search event data and log messages using Search Builder or a keyword search.
• Refine your search to identify activity patterns and unauthorized user access.
• Save your search strings for future use.
• Monitor user activity using a scheduled data search.
• Export your search results to a PDF or CSV file for compliance reporting.
When you start nDepth, the interface presents 10 minutes of log data generated from your agent and non-
agent devices. You can change the time range by clicking the Time drop-down menu in the toolbar and
selecting another time range.
NUMBER  ITEM            DESCRIPTION
3       List pane       Displays categorized lists of events, event groups, event variables, and additional options you can use to create conditions for your filters.
4       Search bar      Searches all event data or the original log messages that pass through a LEM manager. Drag the toggle switch to select Drag & Drop or Text Search mode.
5       Respond         Displays a list of corrective actions you can execute when an event occurs, such as shutting down a workstation or blocking an IP address.
6       Explore         Displays several utilities you can use to research an event, including Whois, Traceroute, and NSlookup.
7       Time            Provides a drop-down menu to select the time range for your search.
9       Histogram       Displays the number of events or log messages reported within the selected search time range.
10      Dashboard       Displays the search results in all available widgets. You can change this view by clicking a widget in the nDepth toolbar.
11      nDepth Toolbar  Organizes log data into categories to identify activity in your network. Click a selection to display the category below the histogram.
Using preconfigured elements such as events, event fields, and specific event values, you can drag a
selected element from the List pane into the Search Builder Conditions box to perform your query. For
example, to search and report activity in your Admin accounts, you can drag a user-defined group or
directory service group into the Conditions box to initiate your search. You can also group search items,
show boolean (AND/OR) relationships between search items, and select specific values for each item.
2. In the List pane, click the Events menu and locate UserLogonFailure.
You can enter a term in the Search field (as shown below) to narrow your search results.
Your selection also displays in the Search bar. Drag the toggle switch down to view the event name
in text.
4. (Optional) A second menu may appear that provides additional fields to narrow your search. Drag a
field from the Fields list into Search Builder to narrow your search.
5. (Optional) Click the triangle on the right side of the Conditions box and select the boolean logic for
your search.
6. Click the Time drop-down menu and select a time span for your search.
Your search results display in the histogram and your dashboard widgets, such as Word Cloud and
Tree Map. Click the nDepth toolbar options to display your search results in additional formats, such
as line, pie, and bubble charts.
This example searches events that occurred within the last week that include administrator in the
event.
4. Click the Time drop-down menu and select a time span for your search.
This example searches all log on failure events that occurred within the last 10 minutes that include
administrator as the user name.
1. Click Refine Fields in the List pane.
3. In the Refine Fields pane, maximize the User Name menu and double-click administrator.
4. Click the Time drop-down menu and select a time span for your search.
To begin a new search, revert to your original search in the History pane to start a new search using your
original search parameters.
SAVE A SEARCH
You can save and reuse any search you create. Saved searches include your entire search string as well as
the selected time frame.
3. Click OK.
Your saved search displays in the Saved Searches pane.
SCHEDULE A SEARCH
You can schedule a saved search to run automatically based on your schedule parameters. This will help
you monitor your network with minimal administration.
If your virtual appliance is offline for more than 24 hours, all scheduled searches may not run at the
expected time. When the appliance is back online, all scheduled searches return to normal after 24
hours.
1. Select a saved search in the Saved Searches pane.
If your search results include up to 25,000 events or log messages, export your search results to a PDF file.
If your search results include more than 25,000 events or log messages, export your search results to a
spreadsheet in CSV format.
3. Click to add a page or click to adjust the page layout to Portrait or Landscape.
6. Select a file location in the Save As dialog box and click Save.
Your PDF file is saved.
EXPORT TO A CSV FILE
SolarWinds recommends identifying who needs to receive performance or status reports, and how
often they should receive them.
Log & Event Manager reports are segregated into three levels:
l Master reports include every type of log in an event category and a graphical summary page.
l Detail reports include all events and event details.
l Top reports include the top events for a selected category.
Each report level displays in the level column next to the category. Hover your mouse over any column
header row and click to filter your selection. Similar to the LEM Console, all reports are based on events
and fields in your LEM database.
RUN A REPORT
1. Ensure that your Reports console is installed and configured on a network computer.
2. Log in to the Reports console as an administrator.
3. In the Settings tab, click the Data Source drop-down menu and select a manager (the IP address or
hostname of your virtual appliance).
If you are installing Log & Event Manager for the first time, only one manager should appear.
4. (Optional) Click the Category drop-down menu and select a report category filter—for example, Audit.
6. Select your start and end date and time parameters, and then click Now.
7. Click Print in the toolbar to send the report to a local or network printer.
Click Export to export the report to the appropriate format (such as a PDF or a Microsoft Word
document).
1. In the left column, select the field you want to query.
4. Click the boolean drop-down menu and select your comparison value.
5. Select or enter a second value. Click New to select or enter additional fields and expand your query.
6. Click OK.
Select Expert displays only the information that matches your query.
All fields are listed as column labels across the top. You can also mouse over data to display the
reported field.
SCHEDULE A REPORT
You can schedule tasks in the Reports console to generate a report based on your criteria. You can
schedule the report to run daily or at specific times that you choose.
After you schedule your report task, you can assign the task to a manager and define the task scope—the
period of time reflected in the report. When the system runs the report, it retrieves all relevant events that
occurred within the scope parameters.
The Reports console works together with Windows Scheduled Tasks for report scheduling.
3. Enter a name that distinguishes this task from any existing or future tasks, and click OK.
6. Set the schedule parameters that describe when your SolarWinds system can run the task, and then
click Apply.
8. Select the scheduling, idle time, and power management settings for your task, and then click Apply.
9. Enter your Reports console password to schedule the task, and then click OK.
10. Click OK to close the dialog box. If prompted, re-enter your password and click OK.
The scheduled report task displays in the Report Schedule Tasks window.
11. Click Load to View or Edit to assign the task data source.
12. Click the Select the report data source drop-down menu and select the IP address or hostname of
your Log & Event Manager.
You can assign one report task to one manager. To assign a similar or identical task to another
Log & Event manager, create a new task.
13. Click the Report Scope drop-down menu and select a date range for this task and data source.
14. Select the Start and End date and time for your date range.
Day:Today reports all data from today.
Day:Yesterday reports all data from yesterday.
Week:Current reports all data from seven days ago to the current day.
Week:Previous reports all data from 12:00:00 AM last Monday to 11:59:59 PM last Sunday.
Month:Current reports all data from one month ago to the current time.
Month:Previous reports the last full month of data beginning at 12:00:00 AM on the first of the month
until 11:50:59 PM on the last day of the month.
User:Defined reports all data based on your selected date and time parameters.
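The Report Scope definitions above can be worked through as date arithmetic; the Week:Previous and Month:Previous boundaries are the cases that are easy to get wrong by hand. This is an added example, not SolarWinds code; it assumes weeks start on Monday, that ranges ending on a past day end at 23:59:59, and that "one month ago" means the same day of the previous month (clamped to that month's length).

```python
import calendar
from datetime import datetime, timedelta


def _start_of_day(dt):
    return dt.replace(hour=0, minute=0, second=0, microsecond=0)


def _end_of_day(dt):
    # Assumption: a range that ends on a past day ends at the last second of that day.
    return dt.replace(hour=23, minute=59, second=59, microsecond=0)


def _one_month_ago(dt):
    # Assumption: same day of the previous month, clamped to that month's last day.
    year, month = (dt.year, dt.month - 1) if dt.month > 1 else (dt.year - 1, 12)
    last_day = calendar.monthrange(year, month)[1]
    return dt.replace(year=year, month=month, day=min(dt.day, last_day))


def report_scope(scope, now, start=None, end=None):
    """Return the (start, end) datetimes a Report Scope covers when evaluated at `now`."""
    today = _start_of_day(now)
    if scope == "Day:Today":
        return today, now
    if scope == "Day:Yesterday":
        yesterday = today - timedelta(days=1)
        return yesterday, _end_of_day(yesterday)
    if scope == "Week:Current":
        return today - timedelta(days=7), now
    if scope == "Week:Previous":
        this_monday = today - timedelta(days=today.weekday())   # Monday is weekday 0
        last_monday = this_monday - timedelta(days=7)
        last_sunday = this_monday - timedelta(days=1)
        return last_monday, _end_of_day(last_sunday)
    if scope == "Month:Current":
        return _one_month_ago(now), now
    if scope == "Month:Previous":
        first_of_this_month = today.replace(day=1)
        last_of_previous = first_of_this_month - timedelta(days=1)
        return last_of_previous.replace(day=1), _end_of_day(last_of_previous)
    if scope == "User:Defined":
        if start is None or end is None:
            raise ValueError("User:Defined requires an explicit start and end")
        if end < start:
            raise ValueError("end must not precede start")
        return start, end
    raise ValueError(f"unknown report scope: {scope}")


if __name__ == "__main__":
    # Constructed evaluation time: Tuesday, 4 October 2016, 15:30.
    now = datetime(2016, 10, 4, 15, 30, 0)
    for scope in ("Day:Today", "Day:Yesterday", "Week:Current",
                  "Week:Previous", "Month:Current", "Month:Previous"):
        first, last = report_scope(scope, now)
        print(f"{scope:15} {first:%Y-%m-%d %H:%M:%S} .. {last:%Y-%m-%d %H:%M:%S}")
```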
15. (Top reports only) In the Count Settings box, enter or select the number of items to track in
the report.
16. (Optional) Select the Export check box to export a scheduled report to a PDF file or send the report to
a printer.
a. Click the Format drop-down menu and select a file format for your report.
b. Enter a report name in the File Name field.
c. Click and select a location for the report.
If the report includes multiple schedules, provide each scheduled report a different name.
Otherwise, new reports will override your existing reports or increment according to the If File
Exists setting.
d. Select an option for similarly-named files in the If File Exists drop-down menu.
17. Click Save.
The scheduled report task displays in the Report Schedule Tasks window.
Advanced Options
This section contains the following topics:
File Integrity Monitoring (FIM) uses log files to record suspicious activity so you can detect changes to
critical files and registry keys and ensure they are not accessed or modified by unauthorized users. FIM
also helps your systems comply with regulatory requirements, including the Payment Card Industry Data
Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and
Sarbanes-Oxley.
After you install and integrate FIM with your LEM appliance, you can:
You can enable FIM by adding a FIM connector to a node or adding FIM to an existing connector profile.
For a video presentation about File Integrity Monitoring in LEM, open the following URL in a web
browser:
https://www.youtube.com/watch?v=pBahAJFwiKY
ADD A FIM CONNECTOR TO A NODE
1. Log in to your LEM console as an administrator.
2. Click Manage > Nodes.
3. Locate your targeted node in the Nodes grid.
Ensure the node has a green status icon.
7. Click next to your desired template and select Add to selected monitors.
8. Click Save.
c. Click Edit.
d. In the Add Condition window, click the drop-down menu and select All Keys/Values (recursive)
or Keys/Values (non-recursive).
All Keys/Values (recursive) selects the folder and all sub-folders that match the given mask.
Keys/Values (non-recursive) selects only the files in the selected folders to monitor.
g. (Optional) Click Add Another Condition.
h. Click Save.
10. Click Save Changes.
The LEM agent on your node installs the FIM driver that collects the file system events. Next,
LEM pushes the configuration you created to the remote agent and into the driver. In the Nodes grid,
the FIM status icon turns green, indicating the driver is working properly.
1. Click the Ops Center view and locate the Node Health widget.
2. Click Scan for New Nodes in the widget toolbar.
LEM begins scanning for new nodes in your network. If new nodes are found, the New Connector(s)
found banner displays in the console. Otherwise, the No nodes found banner displays.
This process may require several minutes to complete. During the scan, a message displays
indicating that the scan is continuing in the background. A progress bar also displays at the
bottom of the console.
4. Select the recommended connectors you want to install, and then click Next.
Hover your cursor over the connector name for details.
The Nodes grid displays with the new nodes. Click Monitor to view the events collected from the new
nodes.
9. Locate your connector in the list.
7. In the password field, enter your password, and then press Enter.
The default password is password.
See "CMC Commands" in the Log & Event Manager User Guide for a list of supported commands.
See your hypervisor documentation for information about using the virtual console.
Find LEM support on the Customer Portal and thwack
This section contains information on accessing the SolarWinds Customer Portal and engaging with thwack,
the SolarWinds community of IT pros:
Users with multiple SWIDs require only one user profile. Your user profile can be linked to multiple
SWIDs.
1. Go to customerportal.solarwinds.com.
2. Click the Register tab.
3. Enter your organization's SWID and your email address.
If you have multiple SWIDs, enter any SWID to create your profile. Later, use the User Profile
menu to link the other SWIDs to your profile.
The account administrator will review the request, and you will receive an email when it is approved.
For more information about creating an account, see this FAQ page.
Set up additional Customer Portal user accounts
If you have Account Administrator access to the SolarWinds customer portal, you can add additional user
accounts and define each user's access level and contact type.
For more information about user account types and permissions, see this FAQ page.
1. Go to thwack.solarwinds.com.
2. Click Register in the top right.
3. Enter the required information and accept the license agreement.
4. Click Create Account.
• View product roadmaps, which list the features currently being developed for future product
releases.
• Be notified of User Experience sessions where you can share your experiences, and help make
SolarWinds products better.
• Influence the direction of a product by submitting feature requests and voting for other users'
feature requests.