
ADMINISTRATOR GUIDE

Log & Event Manager

Version 6.3.1


Last Updated: Thursday, October 19, 2017

Retrieve the latest version from: https://support.solarwinds.com/Success_Center/Log_Event_Manager_(LEM)/LEM_Documentation


Copyright © 2017 SolarWinds Worldwide, LLC. All rights reserved worldwide.

No part of this document may be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the written consent of SolarWinds. All right, title, and interest in and to the software and documentation are and shall remain the exclusive property of SolarWinds and its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SOLARWINDS and SOLARWINDS & Design marks are the exclusive property of SolarWinds Worldwide, LLC and its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks, registered or pending registration in the United States or in other countries. All other trademarks mentioned herein are used for identification purposes only and may be or are trademarks or registered trademarks of their respective companies.

Table of Contents


LEM set-up, configuration, and maintenance .... 30
Logging in to LEM .... 31
Log in to the LEM web console .... 31
To log in to the LEM Manager .... 31
Supported and unsupported URLs .... 32
To log out of a LEM Manager .... 33
Log in to the LEM desktop console .... 33
To log in to the LEM desktop console .... 33
Log in to the LEM admin user interface .... 34
To log in to the LEM admin user interface .... 34
Log in to the LEM CMC command line interface .... 34
CMC Access Restrictions .... 35
Log in to the CMC command-line interface using the hypervisor virtual console .... 35
Log in to the CMC command-line interface using SSH .... 36
Setting up a new LEM installation .... 38
Set up the first LEM Manager instance in the web console .... 38
Install the LEM license using the web console .... 38
Verify that the LEM desktop console can connect after you activate the license .... 39
Run the activate command to secure LEM and configure network settings .... 39
To run the Activate command .... 40
Use the LEM Getting Started wizards .... 41
Open the Getting Started wizards .... 42
Use the Configure Basic LEM Settings wizard to set up Active Directory monitoring and email alerts .... 42
Use the Add Nodes wizard to add a syslog node to LEM .... 45
Use the Add Rules wizard to set up LEM rules .... 46

ADMINISTRATOR GUIDE: LOG & EVENT MANAGER


Configuring LEM settings and services .... 48
Starting and Stopping LEM components .... 48
Stop or restart the LEM Manager .... 49
Start and stop the LEM Agent on Windows .... 49
Set the date, time, and time zone on your LEM VM .... 49
Managing LEM VMs and appliances in the LEM console .... 51
View LEM license information .... 51
Enable LEM license recycling .... 52
Configure the settings used to log in to the LEM VM .... 52
Add another LEM VM or appliance to the console .... 53
Copy data about a LEM VM or appliance .... 56
Remove a LEM VM or appliance from the console .... 56
Configure the Email Active Response connector in LEM .... 57
Requirements .... 57
Configure the Email Active Response connector .... 57
Test the Email Active Response connector .... 59
Configure Active Directory and LEM to work with LEM rules and filters .... 60
Configure the Directory Service Query Connector .... 60
Enable LEM to receive SNMP traps by turning on the SNMP Trap Logging Service .... 61
To enable or disable the LEM SNMP Trap Logging Service .... 62
Send SNMP traps from LEM to other applications by turning on the SNMP Request Service .... 64
To enable or disable the SNMP Request Service .... 64
Configure LEM to store original log messages (nDepth log retention) .... 66
About nDepth log retention .... 67
Configure LEM Manager to store original log files in their own database .... 68
Configure connectors to send original log data to LEM .... 68
View and search your original log messages .... 69
Configure the LEM event distribution policy .... 69


Practical uses for event distribution policy .... 69
Open the Event Distribution Policy window .... 70
Configure the event distribution policy .... 71
Push event policy to lower-level event types .... 71
Export a Manager event policy .... 72
Collecting Windows Filtering Platform (WFP) events in LEM .... 73
About Windows WFP events and LEM performance .... 73
Configure LEM to collect WFP events (Optional) .... 73
Securing LEM .... 75
LEM security checklist: Ensure that only authorized users can access LEM .... 75
General security tasks .... 75
Securing the CMC command-line interface .... 76
Securing the LEM reports application .... 76
Restrict SSH access to the LEM CMC interface .... 76
To remove access restrictions from the CMC interface .... 77
Restrict access to the LEM reports application .... 77
Understand your options for securing LEM reports .... 77
Restrict access to LEM reports to specific computers .... 78
Remove all LEM reports access restrictions .... 78
Enable transport layer security (TLS) in the LEM reports application .... 78
Enable TLS on a standalone LEM VM or appliance .... 79
Set up a dedicated LEM user for accessing reports .... 80
Configure the Reports application to use TLS .... 80
Enable TLS on a LEM Manager with a separate database appliance .... 81
Import certificates into the LEM Manager and database .... 82
Import a self-signed certificate into the LEM Manager .... 82
Managing LEM system resources .... 83
Allocate CPU and memory resources to the LEM VM .... 83

About incoming data traffic .... 84
Use the LEM console to view resource allocations and VM details .... 84
View vSphere reservation settings for LEM .... 85
To change vSphere reservations for LEM .... 86
View reservations settings using the CMC command-line .... 86
View Hyper-V reservation settings for LEM .... 87
Manage LEM data storage .... 87
About the three LEM data stores .... 88
Strategies for managing your LEM data storage needs .... 88
Viewing LEM database usage numbers .... 89
Create a disk usage alert in LEM to warn you when a disk reaches a set limit .... 90
LEM tuning and periodic maintenance tasks .... 93
Integrating LEM with other SolarWinds products .... 95
Monitor LEM from NPM and the Orion Web Console using SNMP .... 96
Step 1: Enable the SNMP Request Service .... 96
Step 2: Set up the Orion Console for SNMP monitoring .... 96
Troubleshooting your Orion connection .... 98
Managing users in LEM .... 99
Adding and managing LEM users .... 100
About LEM roles .... 100
About LEM user accounts .... 101
How Active Directory accounts work in LEM .... 102
Import an Active Directory user into LEM .... 102
Create a local LEM user account .... 103
The "User information for" form .... 103
View user accounts in the LEM console .... 105
View the system privileges associated with a role .... 106
Edit user account settings .... 107

Delete a user account from a LEM Manager instance .... 107
Set the global password policy for LEM users .... 108
Set up Active Directory authentication in LEM .... 109
Gather some required information .... 109
Create a user in Active Directory that LEM can use to log in .... 109
Create custom security groups in Active Directory for LEM to use .... 110
Configure or view Active Directory authentication settings in LEM .... 111
Add an Active Directory user to LEM .... 114
Set up Active Directory authentication in LEM 6.3.0 and older .... 116
Configure the Directory Service Query connector .... 116
Test the Directory Service Query connector settings .... 117
Import your Active Directory organizational groups into LEM .... 117
Import an Active Directory user and assign the user LEM login rights .... 118
Set up single sign-on (SSO) in LEM .... 119
Set up Active Directory authentication in LEM .... 119
Generate a keytab file using Ktpass .... 119
Configure SSO settings in LEM using the Admin web console .... 121
Configure web browser settings for SSO .... 122
Internet Explorer .... 122
Mozilla Firefox .... 123
Google Chrome and Opera .... 123
Configure LEM for either SSO-only authentication, or SSO and local authentication .... 124
Configure SSO settings in LEM using the command-line .... 125
Change the LEM CMC password .... 128
Recover a lost CMC password .... 128
Specify the filters that users assigned the Monitor role can use in the LEM console .... 129
Sending event data to LEM via Agents, syslog, and SNMP .... 130
Get started adding systems and devices to LEM .... 131


About the LEM Agent .... 131
About sending log events directly to LEM .... 132
Configure LEM Agents after they are installed .... 133
View the LEM Agents monitored by each LEM Manager .... 133
About the LEM Agent for Windows connectors .... 133
Enable additional connectors to add extra log sources to LEM .... 134
Create connector profiles to manage and monitor LEM Agents .... 135
About connector profiles .... 135
About the connector-profile group type .... 136
Connector profile guidelines .... 136
Creating a connector profile: process overview .... 136
Create a connector profile: detailed steps .... 137
Step 1: Configure the Agent that will serve as a template for your connector profile .... 137
Step 2: Select the Agents that are members of the profile .... 139
Step 3: Verify the connector status .... 139
Edit LEM Agent connector-profile settings .... 140
Open the connector profile settings for editing .... 140
Clone a connector-profile instance .... 140
Editing a connector profile instance .... 141
Edit the connector-profile settings .... 141
Add additional connectors to a connector profile .... 144
Add syslog and Agent nodes to LEM .... 145
Add a syslog node to LEM using the "Add Node" wizard .... 145
Use "Scan for new nodes" to find new syslog sources and add connectors .... 145
Manually add a new Agent or syslog node connector .... 147
Other ways to add nodes to LEM .... 147
Updating LEM Agents .... 149
Manually update LEM Agents on Windows installations using the LEM Local Agent Installer .... 149
Manually upgrade LEM Agents on Unix, Linux, Mac, and Windows hosts using LEM Remote Agent Installers .... 150

Download the LEM Remote Agent Installer .... 150
Run the LEM Remote Agent installer .... 150
Set up a separate syslog server for use with LEM .... 153
LEM connectors: Normalize events sent from specific products on your network .... 155
Configuring LEM connectors for Agent and non-Agent devices .... 156
Configure connectors for the devices that you want to monitor with LEM .... 156
Configure LEM Manager connectors .... 157
Configure the sensor and actor connectors for each LEM Agent .... 157
Connectors grid icons .... 157
Configure Agent connectors .... 158
Use connector profiles to configure multiple Agents .... 158
Manage LEM connectors: Start, stop, edit, and more .... 159
Open a connector configuration form .... 159
Open a Manager connector configuration form .... 159
Open an Agent’s connector configuration form .... 160
Find a connector .... 160
Add a new connector instance .... 160
Start a connector instance .... 162
Stop a connector instance .... 162
Edit a connector instance .... 162
Delete a connector instance .... 163
Apply a LEM connector update package .... 164
Enable global automatic connector updates .... 164
Update connectors on-demand .... 164
Update LEM connectors manually using the CMC interface .... 165
Troubleshooting LEM connector upgrades .... 165


LEM connector categories .... 167
Configure LEM to monitor firewalls, proxy servers, domain controllers, and more .... 172
Configure LEM to monitor firewalls for unauthorized access .... 173
Configure a firewall to log to a LEM appliance .... 173
Configure a firewall connector on a LEM Manager .... 173
View network traffic from specific computers .... 174
Clone and enable a LEM rule to identify port scanning traffic .... 175
Configure LEM to monitor proxy servers for suspicious URL access in LEM .... 176
Set your proxy server to log to a virtual appliance .... 176
Configure a proxy server connector on a LEM Manager .... 176
Clone and enable the Known Spyware Site traffic rule .... 177
Configure LEM to monitor anti-virus software for viruses that are not cleaned .... 178
Configure antivirus software to log to a LEM appliance .... 178
Configure the antivirus connector on the LEM Manager .... 178
Creating a LEM rule to track when viruses are not cleaned .... 179
Configure LEM File Integrity Monitoring (FIM) to monitor Windows files, folders, and registry keys .... 180
Features of FIM .... 180
Add a FIM connector to an Agent to monitor a node .... 180
Step 1: Add a FIM connector to a node .... 181
Step 2: Configure rules and specific actions for your monitored files .... 181
Editing Monitors .... 181
Promoting a Monitor to a Template .... 182
Deleting a Monitor .... 182
Add conditions to a directory that FIM is watching .... 182
Editing Conditions .... 182
Deleting Conditions .... 183
FIM connector advanced settings .... 183
Enable Windows file auditing for use with LEM .... 186


To enable object auditing in Windows .... 186
To enable file auditing on a file or folder in Windows .... 186
Configure Windows audit policy for use with LEM .... 188
Requirements .... 188
Windows Audit Policy .... 188
Best practice .... 189
Set the Windows audit policy .... 189
Default Domain Controllers Policy .... 190
Default Domain Policy .... 190
Configure the USB Defender local policy connector in LEM .... 194
Configure LEM to monitor Microsoft SQL databases for changes to tables and schemas .... 195
Configure your database servers .... 195
Install MSSQL Auditor on a LEM Agent .... 195
Configure MSSQL Auditor on your servers .... 196
Configure the MSSQL Auditor Connector on a LEM Agent .... 196
Send notifications of Microsoft SQL database change attempts .... 197
Configure LEM to monitor Windows domain controllers for brute force hacking attempts .... 198
Install and configure the LEM Agent .... 198
Install a LEM Agent on a single Windows domain controller .... 199
Configure additional connectors on your LEM Agent .... 199
Create a filter for all activity in a Connector Profile .... 200
Clone and enable the Critical Logon Failures rule .... 201
Tune Windows Logging for LEM implementation .... 201
Configure LEM to track Cisco buildup and teardown events .... 202
Tracking Buildup Events .... 202
Tracking tear-down Events .... 202
Enabling LEM to track buildup and teardown events .... 203
LEM groups: Organize data elements for use with rules and filters .... 204

About LEM groups .... 205
About LEM Group Types .... 205
User-defined groups .... 205
Event groups .... 206
Directory Service groups .... 206
Time-of-day sets .... 206
Connector profiles .... 206
Email template .... 206
State variables .... 207
How groups are added to filters and rules in the LEM console .... 207
Manage LEM groups: Add, edit, view, and more .... 209
Open the Groups View in the LEM console .... 209
Find a group with the Refine Results pane .... 210
Add a new group .... 212
Edit a group .... 212
Clone a group .... 212
Export a group .... 213
Import a group .... 213
Delete a group .... 214
Configure user-defined groups in LEM .... 215
How rules and filters use user-defined groups .... 215
Create or edit a user-defined group .... 216
Customize the blank and sample user-defined groups included with LEM .... 217
Customize user-defined groups .... 218
Configure event groups in LEM .... 220
Create or edit an event group .... 220
Configure directory service (DS) groups in LEM .... 222
About directory service (DS) groups .... 222

Create a directory service group and synchronize it with Active Directory .... 223
View a directory service group member in the LEM console .... 224
Directory service group grid columns .... 224
Remove a directory service group from LEM .... 224
Configure the connector-profile group type in LEM .... 225
Configure state variables in LEM .... 226
Add a new state variable field .... 227
Edit a state variable field .... 227
Delete a state variable field .... 228
Manage state variable folders .... 228
Configure Time of Day Sets in LEM .... 229
Create or edit a Time of Day Set .... 229
Use a Time of Day Set in a filter or rule .... 230
LEM filters: Capture real-time events and historical data with filter criteria .... 232
About LEM filters and filter categories .... 233
Use filters to group a particular type of event or to monitor specific events .... 233
About the default filters included with LEM .... 234
Finding and viewing filters in Monitor view .... 234
About LEM filter categories .... 235
About the Filters sidebar .... 235
Default filters included with LEM .... 235
Overview Filters .... 236
Security Filters .... 236
IT Operations Filters .... 237
Change Management Filters .... 238
Authentication Filters .... 239
Endpoint Monitoring Filters .... 239
Compliance Filters .... 240


Create a new LEM filter for real-time monitoring .... 241
Create a new LEM filter .... 241
Create a LEM filter from a specific event .... 243
Manage LEM filter categories: Add, edit, view, and more .... 244
Add a new filter category .... 244
Rename a filter category .... 244
Move a filter category up in the list .... 245
Move a filter to another category .... 245
Move a filter category to another workstation .... 245
Create a backup copy of a filter category for archival purposes .... 246
Export a filter or filter category .... 246
Import a filter or filter category .... 246
Delete a filter category .... 247
Manage LEM filters: Add, edit, view, and more .... 248
Open filters in the LEM console .... 248
Manage filter-based widgets in Monitor view .... 249
Create a new filter .... 249
Edit an existing filter .... 250
Share a filter with another user .... 251
Clone a filter .... 251
Copy a filter .... 251
Create a backup copy of a filter for archival purposes .... 251
Export a filter .... 252
Import a filter .... 252
Delete a filter .... 252
Send a filter to nDepth .... 252
Start, stop, and pause filters in LEM .... 253
About starting, stopping, and pausing filters .... 253


Turn a LEM filter on .... 253
Turn a LEM filter off .... 253
Pause one LEM filter .... 254
Pause all LEM filters .... 254
LEM widgets and the Ops Center: Visually monitor network events in LEM .... 255
About LEM widgets .... 256
Widget icons .... 257
View specific widget data .... 257
Refresh widget data .... 258
View a widget legend .... 258
Widgets that ship with the LEM console .... 258
Manage LEM widgets with Widget Manager: Add, edit, and more .... 261
About the Widget Manager .... 261
Locate widgets .... 262
Add a master widget to the dashboard .... 262
Edit a dashboard widget .... 263
Delete a dashboard widget .... 263
Open a filter from a widget .... 263
Move (relocate) a widget .... 264
Resize a widget .... 264
Create and edit widgets with Widget Builder .... 265
Create a new widget .... 265
Edit a master widget .... 266
Edit a dashboard widget .... 266
Configure the Widget Builder form .... 267
Enter the general widget settings .... 267
Enter the visual configuration settings .... 268
Enter the data configuration settings .... 268

Using nDepth widgets in LEM .... 270
About nDepth widgets .... 270
View nDepth widget details .... 271
Create a search string from a widget item .... 271
Add a new nDepth widget .... 271
Edit an nDepth widget .... 272
Add a chart widget to the nDepth dashboard .... 272
LEM rules: Automate how LEM responds to events .... 273
About LEM rules .... 274
LEM rule scenarios .... 274
View rules, rule categories, and rule templates in the LEM console .... 275
Rule configuration requirements and best practices .... 275
Use descriptive rule names .... 275
Set the Correlation, Correlation time, and Action .... 275
Activate a rule to upload local changes .... 275
Check the rule status for errors .... 276
Verify that a rule fired .... 276
Test new rules before putting them into production .... 276
Create email templates for use with LEM rules .... 277
About LEM email templates .... 277
Managing email templates and template folders .... 277
Best practices to keep rules, events, and emails simple to manage .... 278
Create or edit an email template .... 278
Find and add LEM rules .... 281
Find and add rules based on categories of interest .... 281
Clone, customize, and enable a specific preconfigured rule .... 282
Change Management rule example .... 282
Create a new LEM rule to monitor and respond to events .... 284

Create a new rule .... 284
Example: Create a Change Management rule .... 287
About the Change Management rule example .... 287
Create the example Change Management rule .... 288
Manage LEM rules: Edit, view, export, and more .... 290
Activate a rule .... 290
Add tags to a rule .... 290
Edit a rule .... 291
Edit a locked rule .... 291
Clone a rule .... 291
Share a rule with another user .... 292
Create a backup copy of a rule for archival purposes .... 292
Export a rule .... 292
Import a rule .... 293
Delete a rule .... 293
Test, enable, and disable rules in LEM .... 294
About selecting multiple rules to test, enable, or disable .... 294
Enable and activate rules prior to testing .... 294
Enable rules from the Rules grid .... 294
Enable rules from the Rule Creation screen .... 295
Testing rules in LEM .... 295
Enable test mode in the Rules grid .... 295
Disable test mode in the Rules grid .... 296
Enable test mode from the Rule Creation screen .... 296
Disable test mode from the Rule Creation screen .... 297
Disable rules in LEM to stop them from processing .... 297
Disable rules from the Rules grid .... 297
Disable rules from the Rule Creation screen .... 298


Use the Send Email Message action in LEM rule creation .... 299
Add or edit a Send Email Message action .... 299
Notify a LEM user when a rule triggers an alert (Subscribe a user to a rule) .... 301
Subscribe users from the Rules grid .... 301
Subscribe users from the Rule Creation screen .... 301
LEM response actions: Respond to network and system events in LEM .... 303
About LEM response actions .... 304
About LEM active response .... 304
Select an event response .... 304
Select an event response using drag-and-drop text .... 305
Use LEM active responses to perform Windows actions related to users, groups, and domains .... 306
Configure an active response connector on a LEM Agent .... 307
Actions LEM can take to respond to events .... 307
Use the Computer-based active responses in LEM .... 317
Requirements .... 317
To configure the Windows active response connector on a LEM Agent .... 318
Create or clone rules to perform the action .... 318
Use the Append Text to File active response in LEM .... 319
Requirements .... 319
To configure the Windows active response connector on a LEM Agent .... 320
Auto-populate user-defined groups using a LEM rule .... 321
Use the Block IP active response in LEM .... 323
Requirements .... 323
Configure the Detach USB Device active response in LEM .... 325
Verify that USB Defender is installed on a LEM Agent .... 325
Configure the Windows Active Response connector on a LEM Agent .... 325
Detach USB devices .... 326
Configure the Disable Networking active response in LEM .... 327

Re-enable networking on a computer affected by the active response .... 327
Configure the Kill Process active response in LEM .... 328
Configure a Kill Process active response rule .... 328
Building custom filter and rule expressions in LEM .... 330
Comparing values with operators in LEM filters and rules .... 331
About operators in LEM .... 331
Select a new operator .... 331
Operator tips .... 332
Table of operators .... 332
Examples of AND and OR conditions .... 333
Get started building custom filter expressions in LEM .... 335
About custom filter expressions .... 335
Examine the default filters included with LEM .... 336
Create conditions to filter event reporting .... 337
Configure event filter notifications in LEM .... 339
Selecting the notification method .... 339
Notifications table .... 339
Get started building custom rule expressions in LEM .... 342
About custom rule expressions .... 342
Use the ToolAlias field in LEM rules and filters to capture traffic from a specific device .... 343
Create a filter to capture events from a specific device .... 343
Verify that the correct Alias value is associated with the connector .... 344
nDepth search: Explore event history using nDepth and other LEM utilities .... 345
About LEM nDepth search .... 346
nDepth visual tools .... 346
nDepth primary uses .... 346
Events and Log Messages .... 347
Common data fields in nDepth search .... 347

Open nDepth search in LEM .... 348
Open nDepth search .... 348
Open nDepth from another data source .... 349
Search normalized data using nDepth search in LEM .... 351
Create an nDepth query .... 351
Choose an event in Monitor view to send to nDepth for historical search .... 351
Choose a filter in Monitor view to send to nDepth for historical search .... 352
Create an nDepth query for all activities by a single user .... 352
Delete items from search strings .... 353
Adjust the time frame for your nDepth query .... 353
Search raw log messages using nDepth search in LEM .... 354
To view and search original log messages using nDepth .... 354
Manage nDepth search queries in LEM: Save, schedule, run on-demand, and more .... 355
Save an nDepth search query .... 355
Edit a saved nDepth search query .... 356
Run a saved nDepth search query on-demand .... 356
Schedule a saved nDepth search query .... 356
Delete a saved nDepth search query .... 357
Export nDepth search results in CSV format .... 357
Export nDepth search results in PDF format .... 358
Visualize search results and take action with nDepth widgets and the Respond menu in LEM .... 359
About the Explore and Respond menus .... 359
Respond to an event with the nDepth Respond menu .... 359
About nDepth widgets .... 360
View widget details .... 361
Create a search string from a widget item .... 361
Create a new nDepth widget with nDepth Widget Builder .... 361
Edit an nDepth widget .... 362
Add a chart widget to the nDepth dashboard .... 362
Use the explorer utilities in LEM to search or analyze nDepth query results .... 363
About the Explorer utilities .... 363
Open the explorer utilities from the nDepth view to investigate event details .... 363
Open the explorer utilities from Monitor view or the Utilities view .... 364
Collect and view NetFlow and sFlow data in LEM .... 365
About the Flow explorer .... 365
Enable Flow collection and analysis in LEM .... 365
View Flow data in the LEM console .... 366
LEM reports: Create reports for regulatory and compliance purposes .... 367
About LEM reports .... 368
LEM reports overview .... 368
About Report Categories .... 368
About report Levels .... 368
About scheduled and on-demand reports .... 369
Open the LEM reports application .... 369
To automatically Run as administrator every time you run Reports .... 369
Setting up the LEM reports application .... 370
Configure the LEM reports application to communicate with the LEM database .... 370
Secure the LEM reports application .... 371
Select a default primary data source .... 372
Configure a syslog server (Optional) .... 372
The LEM reports application interface .... 374
The Reports application features .... 374
Menu button .... 376
Quick Access toolbar .... 377
Default commands .... 377
Customize the Quick Access Toolbar .... 377

Move the Quick Access Toolbar .... 378
Minimize the ribbon .... 379
The Preferences group .... 379
Find, filter, and group LEM reports .... 381
Find a LEM report by title .... 381
Find reports for specific industries .... 381
Industry Options .... 382
View LEM report properties .... 384
Filter and sort LEM report lists in the reports application .... 384
Filter the report list to reduce the number of listed reports .... 385
Change a filter setting .... 385
Sort the report list .... 386
Turn off report filters .... 386
Manage report categories .... 386
Create a list of favorite LEM reports .... 387
Step 1: Search the reports .... 388
Step 2: Add a report to your Favorites tab .... 388
Remove a report from the Favorites tab .... 389
Search LEM reports for specific text .... 389
View the text-based details of a report .... 390
Use the Search tool .... 390
Customize and share report filters in the LEM reports application .... 390
Create a custom report filter in the LEM reports application .... 391
Save a custom report filter in the LEM reports application .... 392
Open a saved custom report filter in the LEM reports application .... 393
Categorize and display LEM reports by group .... 393
Create a report group in the LEM reports application .... 394
View the reports within a group in the LEM reports application .... 395

Create a sub-group in the LEM reports application .... 396
Run a LEM report on-demand or schedule a LEM report to run later .... 397
Run an on-demand report in the LEM reports application .... 397
Create a scheduled report in the LEM reports application .... 398
Step 1: Selecting the report you want to schedule .... 399
Step 2: Add a new scheduled report task .... 401
Step 3: Schedule the report .... 401
Step 4: Select the advanced scheduling options .... 403
Step 5: Stating when the system can or cannot run the task .... 405
Step 6: Assign the data source and scope .... 406
Assign the task scope .... 407
Step 7: Export a scheduled report .... 408
Remove a report from the report scheduler .... 408
Configure Windows Task Scheduler to run the default LEM Batch Reports .... 409
Prepare the INI file .... 409
Schedule the Reports to Run using Windows Task Scheduler .... 409
Default Report Schedules .... 411
Edit a scheduled report in the Task Scheduler .... 411
Create a custom LEM report .... 413
Create a custom report in the LEM reports application .... 413
Export and save a copy of the filtered LEM report with a new name .... 415
Open a custom report in the LEM reports application .... 416
Use the Select Expert tool to create a more focused LEM report .... 417
View the text-based details of a report .... 417
Run a report query using the Select Expert tool .... 417
Restore the original report after using the Select Expert tool .... 419
Manage LEM reports: Open, print, and more .... 420
Open your saved reports .... 420

View the master report sections  421
Hide and show a master report sub-topic pane  422
View the report pages  423
Magnify and reduce report pages  424
Stop a report in progress  424
Edit a scheduled report task  424
Export a report  425
Print reports  426
Set up your printer preferences  427
Default reports included with LEM  428
Scheduling terminology used in this topic  428
Audit reports included with LEM  428
Security reports included with LEM  454
Support reports included with LEM  475
The LEM command-line interface: Using the CMC  478
About the CMC command line  479
Special characters allowed in CMC commands and passwords  479
LEM CMC main menu  480
Top-Level CMC commands  480
LEM CMC appliance menu  481
LEM CMC manager menu  484
LEM CMC nDepth menu  487
LEM CMC service menu  488
LEM console help  491
About the LEM console  492
Console Views  492
Grids  493
Rearrange grid columns  493
Sort a grid by columns  493
LEM console grid column and data field descriptions  494
Ops Center view in the LEM console  497
The Ops Center view  497
The User Details widgets  498
The Node Details widgets  499
The Widget Manager and Widget Builder  499
The Widget Manager UI  500
The Widget Builder UI  501
Monitor view in the LEM console  503
The Monitor view  503
The Filters pane  505
The Filter Notifications pane  505
The Events grid  506
The Widget pane  507
The Event Details window  508
The Respond menu  510
The Explore menu  512
Notifications  512
Nodes  512
Appliances  512
The Filter Creation form  512
The Filter Creation form  513
The filters and groups list pane  514
Managing events in Monitor view  516
Review an event  517
To apply a filter to the Monitor event stream  517

To view the event details for a specific event in the event stream  517
Change the widget display for a selected filter  517
To edit a widget chart presentation in Monitor view  518
Sort the events grid  518
Highlight events  518
Copy event data to the clipboard  519
Tag events as Read or Unread  520
Remove events  520
Explore view in the LEM console  521
The nDepth view  521
The nDepth search view  522
The nDepth history pane  523
The nDepth filters and groups list pane  524
The nDepth search bar  525
The nDepth histogram  528
The nDepth explorer toolbar  531
The nDepth word cloud  532
The nDepth tree map  533
The Result Details view  534
Search Builder  538
The Utilities view  540
The Event explorer utility  542
The Whois explorer utility  544
nDepth explorer  545
The NSLookup explorer utility  545
The Traceroute explorer utility  546
The Flow explorer utility  546
Execute a Whois, NSLookup, or Traceroute task from an event or search result  546
Execute a blank Whois, NSLookup, or Traceroute task  547
Display flow data  547
Common data field categories in LEM nDepth search  547
Common data field categories in Events Mode  547
Common data field categories in Log Messages mode  548
Build view in the LEM console  549
The Groups view  550
The Refine Results form in the Groups sidebar  551
The Rules view  553
The Rules grid  554
The Refine Results form in the Rules sidebar  555
The Rule Categories & Tags pane in the Rules sidebar  556
Rule Creation screen and the Rule Builder form  557
Rule Creation screen  557
The Rule Builder form  559
The Correlations box  562
About advanced thresholds  564
The Actions box  566
Users view in the LEM console  568
Users view main page elements  569
The Users grid  570
The Refine Results form  570
The "User Information for" form  571
The Privileges screen  572
Manage view in the LEM console  573
The Appliances view  573
The Appliances main view  575
The "Connect to SolarWinds Log & Event Manager Appliance" form  580

The "Configure your SolarWinds Log & Event Manager Appliance" form  581
The Connector Configuration form  581
The Event Distribution Policy form  594
Nodes view  595
The Nodes main view  596
Nodes grid columns  596
The Connector Configuration form  599
LEM troubleshooting  600
Troubleshoot alerts in the LEM console  601
Step 1: Troubleshoot syslog devices  601
Step 2: Troubleshoot device logging  602
Troubleshoot conflicting devices  603
Step 3: Troubleshoot Agent devices and connectors  603
Step 4: Apply the latest connector update package  604
Step 5: Contact SolarWinds Technical Support  604
Generate a syslog sample from the LEM appliance  605
Troubleshoot the LEM desktop console  606
The LEM desktop console cannot resolve the LEM VM hostname  606
The LEM desktop console cannot connect after you activate the license or change the LEM VM hostname  606
Troubleshoot LEM Agents and network devices  608
Determine if LEM is receiving data from the device that you are troubleshooting  608
Troubleshoot devices not logging to a log file  609
Troubleshoot devices logging to a log file  609
Troubleshoot a LEM Agent  609
Troubleshoot a missing LEM Agent  610
Troubleshoot a disconnected LEM Agent  610
Edit or delete the spop.conf file  610
Troubleshoot a connected LEM Agent  611
Contact SolarWinds Customer Support  611
Troubleshoot syslog error messages in LEM  612
LEM console does not display syslog data  612
Identify your syslog data facilities containing log data  612
Configure a connector from the facility to the device  614
View the data from the device  615
Troubleshoot LEM rules and email responses  616
General rule troubleshooting  616
The rule fires but you do not receive an email  617
The rule does not fire and expected alerts do not display  617
Alerts display but the rule does not fire  619
The rule fires but the email is blank  620
View and modify the time on your LEM appliance  620
The rule is not triggered when it should be  621
Troubleshoot the LEM reports application  622
Troubleshoot the LEM reports application database connection  622
Repair the LEM reports application  623
Glossary of LEM terms  624

LEM set-up, configuration, and maintenance

This chapter describes how to set up LEM following installation, and how to configure LEM to interact with other services in your IT environment.

In this chapter:

• Logging in to LEM  31
• Setting up a new LEM installation  38
• Configuring LEM settings and services  48
• Securing LEM  75
• Managing LEM system resources  83
• Integrating LEM with other SolarWinds products  95

Logging in to LEM

This section describes how to log in to the various user interfaces that you will need to work with LEM.

In this section:

• Log in to the LEM web console  31
• Log in to the LEM desktop console  33
• Log in to the LEM admin user interface  34
• Log in to the LEM CMC command line interface  34

Log in to the LEM web console

Use the web console to manage and monitor the LEM application.

In this topic:

• To log in to the LEM Manager  31
• Supported and unsupported URLs  32
• To log out of a LEM Manager  33

• If this is the first time you are opening the console, see "Set up the first LEM Manager instance in the web console" on page 38.

• After logging in, see "About the LEM console" on page 492 for additional console help.

To log in to the LEM Manager

1. Open a web browser and enter the web console URL that was provided when you configured the LEM VM on either VMware vSphere or Microsoft Hyper-V, for example:

http(s)://<IP address of LEM VM>:8080/lem/

2. Enter your user name and password.

Only existing administrator, auditor, and monitor users can log in to LEM. Contacts cannot log in. See "About LEM roles" on page 100 for details.

3. Click Connect.

The connected icon displays in the Status column to indicate that you are logged in to the selected Manager.

The console restores the view that was open the last time you closed the console.

• To add an additional LEM Manager instance to the console, see "Add another LEM VM or appliance to the console" on page 53.

When you connect to the web console for the first time, LEM prompts you to authenticate to the host Manager. If you have additional Managers associated with the console, log in to configure each Manager or view their events. When you log out, you are disconnected from additional Managers in the web console. To disconnect from the host Manager, close the browser window.

Supported and unsupported URLs

If you are using the hostname for the URL, add the LEM hostname or IP address into DNS.

Port 8080 is unsecure and is automatically disabled after activation has been completed. Port 8443 is always available.

SUPPORTED URLS

http://<your_ip_address>:8080/lem
https://<your_ip_address>:8443/lem
https://<your_hostname>:8443/lem

UNSUPPORTED URLS

http://<your_ip_address>
https://<your_ip_address>
http://<your_hostname>
https://<your_hostname>:8080/lem

To log out of a LEM Manager

1. In the toolbar, choose Manage > Appliances.

2. In the Appliances grid, click the icon next to the appliance and select Log out.

The disconnected icon displays in the Status column to indicate that you are logged out of the selected Manager.

Log in to the LEM desktop console

The optional desktop console provides the same functionality as the LEM web console in a Windows-only native app. Like the web console, the desktop console is used to manage and monitor LEM; however, the desktop console requires that you install the free Adobe AIR runtime on your computer. To learn how to install the LEM desktop console and the Adobe AIR runtime, see "Install the LEM desktop console" in the LEM Installation Guide.

• To learn more about Adobe AIR, visit the "What is Adobe AIR?" page:

• After logging in, see "About the LEM console" on page 492 for additional console help.

To log in to the LEM desktop console

1. Open the console application on your local system.

2. Enter your user name and password.

Only existing administrator, auditor, and monitor users can log in to LEM. Contacts cannot log in. See "About LEM roles" on page 100 for details.

3. Click Connect.

The console restores the view that was open the last time you closed the console.

Log in to the LEM admin user interface

Use the LEM admin user interface to perform the following administrator functions:

• Configure and manage LDAP and SSO settings
• Look up which Active Directory groups are mapped to LEM roles
• Enable or disable user access to the console

Use a login account in the Admin Group to log in to the LEM admin user interface.

To log in to the LEM admin user interface:

1. Open a web browser and connect to the LEM admin user interface using the following URL:

https://<lem_manager_IP_address>:8443/mvc/login

If you have not yet activated LEM, or if you reopened port 8080, use the following URL:

http://<lem_manager_IP_address>:8080/mvc/login

You can also configure these settings from the command line by entering admin at the cmc> prompt.

2. Log in using your Active Directory credentials, or enter administrator credentials in the user name and password fields, and then click Login. The default user name and password is admin.

Your login screen will vary depending on the options you selected during setup.

Log in to the LEM CMC command line interface

In this topic:

• CMC Access Restrictions  35
• Log in to the CMC command-line interface using the hypervisor virtual console  35
• Log in to the CMC command-line interface using SSH  36

Use the CMC command-line interface (CLI) to perform administrative tasks such as:

• Rebooting or shutting down the LEM VM
• Upgrading the LEM Manager software
• Applying connector updates
• Deploying new connector infrastructure to LEM Managers and Agents
• And more

There are two ways to log in to the CMC CLI:

• Connect using the console provided with your hypervisor
• Connect using a secure shell (SSH) client such as PuTTY

CMC Access Restrictions

The following access restrictions apply to the CMC command-line interface:

• You do not need an account with root access to administer LEM from the CMC command line.

• You do not need to enter the CMC user name and password to log in to the CMC command line using the hypervisor virtual console.

• You do need to enter the CMC user name and password to log in to the CMC command line using SSH. The user name is cmc and the default CMC password is password. See "Change the LEM CMC password" on page 128 to change it.

• SSH access to the CMC interface can be restricted by IP address or host name. If enabled, this security feature blacklists everyone from logging in to the CMC interface except those users who connect from an explicitly allowed IP address or host name. See "Restrict SSH access to the LEM CMC interface" on page 76 for details.

Log in to the CMC command-line interface using the hypervisor virtual console

1. Open your hypervisor and connect to the LEM VM:

• For VMware vSphere, click the Console tab, select Advanced Configuration on the main console screen, and press Enter to access the command prompt.

• For Hyper-V, click Action > Connect, and then click the Console tab.

2. Use the arrow keys to navigate to Advanced Configuration and press Enter. The CMC menu displays with a cmc> prompt.

Next steps:

• See "The LEM command-line interface: Using the CMC" on page 478 for a list of supported commands.

Log in to the CMC command-line interface using SSH

See "CMC Access Restrictions" on the previous page for information about credentials and SSH access restrictions.

You can connect to LEM using a secure shell (SSH) client (such as PuTTY). The following steps show how to configure PuTTY to open the CMC command line, but these settings will work in any SSH client.

1. Open PuTTY and verify that Session is selected in the Category section.

2. Enter the following:

• Host Name (or IP address) – Enter the IP address of the LEM VM. In this example, the IP address is 10.1.1.200.

• Port – Enter 32022 or 22.

• Protocol – Select SSH.

• Saved Sessions – Enter LEM Manager, and then click Save.

3. Click Open.

Next time, double-click LEM Manager in the Saved Sessions box to open the connection.

4. Log in to the appliance:

a. At the login as prompt, type cmc and press Enter.

b. At the password prompt, type your password and press Enter.

The default CMC password is password. See "Change the LEM CMC password" on page 128 to change it. For help recovering a lost CMC password, contact SolarWinds Support.

The
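The guide states that port 8080 is disabled once activation completes, that 8443 is always available, and that the CMC shell answers on SSH port 32022 or 22. The following script is an added check, not code from the SolarWinds guide: it probes those ports and reports any deviation from the documented posture, such as the unsecure 8080 console still listening after activation. The address 10.1.1.200 is the guide's own PuTTY example; the port expectations are read from the guide, and everything else (function names, finding wording) is assumed.

```python
"""Post-activation listener check for a SolarWinds LEM appliance.

Added example, not part of the SolarWinds guide. Port roles follow the guide:
8080 (plain HTTP console, disabled once activation completes), 8443 (HTTPS
console and admin UI, always available), 32022 or 22 (SSH to the CMC shell).
"""
import socket
from typing import Dict, List

HTTP_PORT = 8080          # unsecure console port, expected closed after activation
HTTPS_PORT = 8443         # secured console port, expected open at all times
SSH_PORTS = (32022, 22)   # CMC command line over SSH, either may be in use


def port_state(host: str, port: int, timeout: float = 2.0) -> str:
    """Probe one TCP port: 'open', 'closed' (refused) or 'filtered' (no answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:       # timeout, unreachable network or a filtering device
        return "filtered"


def probe_lem(host: str) -> Dict[int, str]:
    """Probe every console and CMC port the guide mentions."""
    return {p: port_state(host, p) for p in (HTTP_PORT, HTTPS_PORT, *SSH_PORTS)}


def assess(states: Dict[int, str], activated: bool) -> List[str]:
    """Compare observed port states with what the guide says to expect.

    Returns a list of findings; an empty list means the appliance matches the
    documented posture for its activation state.
    """
    findings = []
    if activated and states.get(HTTP_PORT) == "open":
        findings.append("8080 open: unsecure HTTP console reachable after "
                        "activation (port reopened or activation incomplete)")
    if not activated and states.get(HTTP_PORT) != "open":
        findings.append("8080 not open: pre-activation console URL will fail")
    if states.get(HTTPS_PORT) != "open":
        findings.append("8443 not open: HTTPS console and admin UI unavailable")
    if not any(states.get(p) == "open" for p in SSH_PORTS):
        # Also the expected result when this host is outside the allowed
        # list configured under "Restrict SSH access to the LEM CMC interface".
        findings.append("no SSH listener on 32022 or 22 from this host: CMC "
                        "reachable only via the hypervisor console, or this "
                        "host is not on the allowed SSH list")
    return findings


if __name__ == "__main__":
    observed = probe_lem("10.1.1.200")   # the guide's example LEM VM address
    for port, state in sorted(observed.items()):
        print(f"{port:>5}  {state}")
    for finding in assess(observed, activated=True):
        print("FINDING:", finding)
```

Run it from a host that is on the allowed SSH list, otherwise the SSH finding is expected and tells you only that the restriction is working.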