SolarWinds Log & Event Manager (LEM) is a security information and event management (SIEM) system. SolarWinds LEM is an end-to-end SIEM that groups, correlates and normalizes data events and logs in a centralized repository that can be easily managed by an IT team. With LEM functionality, the IT team can quickly scan or search historical event data and put them on a report for further analysis and forensics.
LEM virtual appliances can be deployed in a VMware ESX or Microsoft Hyper-V virtual environment, providing insights into security events and helping with performance monitoring and compliance management.
Figure 1 below illustrates the typical log sources and LEM software’s components. The directions in which communication is initiated and network protocols are used are also presented.
Figure 1: LEM architecture – typical data sources, LEM software components, protocols and communication direction
This system has the capacity to respond to a great variety of events. Some noteworthy aspects of the tool:
- Allows a real-time event correlation
- Allows active response through their agents installed in remote devices
- IT teams can perform advanced search and forensic analysis
- Provides USB device monitoring
- Offers IT compliance reporting
Notice that LEM agents are the primary means used for data collection from remote devices, such as servers, applications and workstations. These agents are responsible for gathering any type of information but also have to promptly respond to an incident when it occurs. This is called Active Response technology.
SolarWinds LEM — Technology Overview
Ops Center Dashboard
This screen provides a completely customizable dashboard which can easily identify trends, node health and alerts in a single place. By clicking on any item, we can obtain more detailed information about it.
Figure 2: Ops Center Dashboard
Real-Time Event Correlation
LEM is designed to receive and process thousands of event log messages generated by network devices. Potential threats or other security issues are identified by applying sophisticated matching engines to correlate events in real-time.
The dashboard presented in Figure 3 displays the alerts as they flood in. They are generated when conditions match the previously-defined rules in the LEM. Thus, notifications can be set for alert types that need instant attention by the security team.
Figure 3: Real-time event correlation (monitor dashboard)
The correlation rules are very flexible and uncomplicated. Rules can be set to correlate events based on time, transactions that occur or even groups of events.
Figure 4: Left side: Rules listing dashboard; Right side: Rule creation dashboard
LEM allows the configuration of several automated responses performed by agents when an alert is detected. SolarWinds calls this “Active Response,” and LEM includes a large library of possible responses to common situations. These include:
- Quarantine infected machines, or force shutdowns and restarts
- Block IP addresses
- Disable user accounts
- Kill processes
- Restart or stop services
- Force user log-off
- Reset passwords
However, IT teams can still opt to manually respond to particular alerts with a few clicks on the dashboard. They can select an event from the monitoring windows and click on the “Respond” button to immediately force a specific action.
Figure 5: Automatic response configuration in LEM
USB devices remain a major problem for many organizations. A great amount of sensitive data can be stolen by hackers, as many users aren’t aware of the dangers associated with these devices. Fortunately, LEM can identify unauthorized access and copying of sensitive files and enable actions like automatic ejection of USB devices, or quarantine of workstations using USB devices.
Figure 6: LEM can display a message when a USB device is detected (and potentially blocked)
Advanced Search Features
nDepth is a powerful search engine used with the LEM console that allows users to search all of the alert data or the original log messages that pass through a particular agent. nDepth, available in the option “Explore” in LEM, conducts custom searches, allows to users investigate search results with graphical tools and take action for their findings.
The search interface is designed with a drag-and-drop interface such as filters and rules. Executing a search query is now more intuitive.
Figure 7: Advanced search console in LEM
This dashboard presents some visual analytics tools such as:
- Word Clouds: Keyword phrases that appear in the alert data.
Figure 8: Word Clouds
- Tree map: Shows the items that frequently appear in the data as a series of categorized boxes.
Figure 9: Tree map.
Other visual widgets are also presented, such as bar, line, pie and bubble charts. It’s possible to configure a histogram that summarizes alert activity within a particular period.
SolarWinds technology has included a powerful reporting engine with Log and Event Manager. It has over 300 built-in reports that can help to reproduce any type of results, from graphical summaries of activities to detailed threat reporting and compliance.
Compliance reports are specifically designed to show organization’s compliance with standards and legislation, like PCI DSS, Sarbanes-Oxley, HIPAA and others. On the other hand, reports can be fully customized to meet the organization’s needs.
Figure 10: SolarWinds LEM reports
SolarWinds LEM is a powerful security and compliance operations and reporting system. It provides a log management with security incident response options, delivering a well-priced, versatile and easy-to-use product. Features like Active Response and the search center are excellent tools for administrators as it will help to manage threats in an easy manner.
Free SolarWinds Training Videos, SolarWinds
SolarWinds Log and Event Manager, SC Media
SolarWinds Log and Event Manager: One Powerful Tool, Network Management Software
SolarWinds Network Performance Manager, SolarWinds