Log & Event Manager QUICK START AND DEPLOYMENT GUIDE. Version 6.3.x. Last Updated: Wednesday, July 19, 2017


© 2016 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software and documentation are and shall remain the exclusive property of SolarWinds and its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds and other SolarWinds marks, identified on the SolarWinds website, as updated from SolarWinds from time to time and incorporated herein, are registered with the U.S. Patent and Trademark Office and may be registered or pending registration in other countries. All other SolarWinds trademarks may be common law marks or registered or pending registration in the United States or in other countries. All other trademarks or registered trademarks contained and/or mentioned herein are used for identification purposes only and may be trademarks or registered trademarks of their respective companies.

LEM 6.3.x October 4, 2016

Table of Contents

Log & Event Manager Quick Start and Deployment Guide
Product terminology
Plan your deployment
Scaling LEM deployments
Multi-level deployment scenarios
Multiple virtual appliance stack
Individual virtual appliances
Single location deployment example
Multi-location deployment example
Licensing
Best practices
Port requirements
Fine tuning
Tune your WFP events
Review your rule configurations
Validate your virtual appliance reservations
Install the virtual appliance
Installation requirements
Virtual appliance
Web console
LEM agent
Oracle Solaris agent upgrades
Port requirements
Install and set up the hypervisor
Prepare the installation files
Deploy the virtual appliance
Before you begin
Deploy LEM using VMware vSphere
Start the virtual appliance
Supported and unsupported URLs
Deploy LEM using Microsoft Hyper-V
Start the virtual appliance
Supported and unsupported URLs
Connect to the virtual appliance
Connect using the LEM console
Connect using the LEM Desktop console
Activate the virtual appliance
Apply an activation key
Apply your activation key online
Apply your activation key offline
Secure your LEM appliance
Set the date and time zone
Reserve system resources in the virtual environment
Incoming data traffic
Viewing virtual appliance resources, reservations, and storage
View the reservation settings using the vSphere client
Verify the reservations using the SSH client
View the reservation settings in the Hyper-V client
Memory settings
CPU settings (Windows Server 2008)
CPU settings (Windows Server 2012, Windows Server 2016)
(Optional) Install the LEM Reports Console
Connect the console to your LEM database
(Optional) Install the LEM Desktop Console
Install Adobe Air Runtime for Windows
Install the LEM Desktop Console
Import the SSL certificate
Resolve the LEM Virtual Appliance host name
Collect log data
View monitored events and details
Filter events
Test an event
Troubleshoot syslog error messages
LEM Console does not display syslog data
Identify your syslog data facilities containing log data
Configure a connector from the facility to the device
View the data from the device
Set up your agent nodes
LEM agent installation checklist
Installation folders
Add nodes to monitor
Remote installation
Local installation
Verify the LEM agent connection
Add additional log sources
View monitored events
View event details
View the event description
Create an event filter
Test an event
Manage LEM automatic connector updates
Other ways to update connectors
Set up your deployment
Configure your basic settings
Set up alerting
Set up Active Directory integration
Add new nodes to monitor
Define rules and configuration alerts
Learn about advanced LEM tools
Get started
View real-time data
View event details
Create a filter
View filtered events
View historical data
Search event logs using Search Builder
Search event logs using a keyword
Refine your search
Save a search
Schedule a search
Export your search results
Export to a PDF file
Export to a CSV file
Run and schedule reports
Run a report
Run a custom report
Schedule a report
Advanced Options
Set up File Integrity Monitoring
Add a FIM connector to a node
Scan for new nodes
Manage your LEM appliance
Find LEM support on the Customer Portal and thwack
Access the Customer Portal
Create your user profile
Explore the Customer Portal
Set up additional Customer Portal user accounts
Engage with the SolarWinds community
Create a thwack account
Explore the thwack site

Log & Event Manager Quick Start and Deployment Guide

Welcome to the Log & Event Manager Quick Start and Deployment Guide. This guide will take you from installation to full implementation of Log & Event Manager.

As you work through the topics in this guide, you will complete the following tasks:

- Plan your deployment
- Gather requirements
- Install Log & Event Manager virtual appliance and perform initial setup
- Deploy the virtual appliance on a supported hypervisor
- Activate and connect to the virtual appliance
- Reserve system resources in the virtual environment
- Install the optional LEM Reports and LEM Desktop consoles
- Set up your syslog server and agent nodes
- Set up your deployment
- View historical and real-time data
- Run and schedule reports
- Set up File and Integrity Monitoring (FIM)
- Scan for new nodes
- Manage your LEM appliance

Existing customers: Access your licensed software from the SolarWinds Customer Portal. If you need any implementation help, contact our Support Geeks.

Evaluators: Download your free 30-day evaluation here. If you need assistance with your evaluation, contact sales@solarwinds.com.

Product terminology

The following terms define the components used in Log & Event Manager.

Agent: A software application that collects and normalizes log data before it is sent to the LEM Manager.

Alert: LEM containers used to display events and messages from LEM-monitored devices.

Build view: Provides options for customizing LEM behavior.

Complexity of configured rules: Complex conditions involving multiple types of events, thresholds, and longer time frames require more resources than rules with simple conditions.

Connector: A software component that converts raw events collected from a network device into normalized events. Connectors can reside on device agents or the LEM appliance.

Desktop Console: An application powered by Adobe Air Runtime that monitors your LEM Appliance in place of the LEM Console. You can use this console if your corporate IT requirements restrict you from using a web browser-based solution with Adobe Flash.

Event: An unaltered message from a LEM-managed device.

Events per second or Events per day: The total number of distinct events received by the LEM appliance per second or per day (generally per second is considered an average). For example, an environment with 865 nodes can generate approximately 50 million events per day (or about 550 events per second).

Explore view: Provides access to data analysis utilities to retrieve additional information about the events you see in the LEM console.

Hypervisor: A software application that runs a virtual appliance on a Windows-based server, such as VMware vSphere and Microsoft Hyper-V.

Kerberos: A network authentication protocol used to provide strong authentication in a non-secure network using secret-key cryptography.

Keytab file: Used by LEM to access Active Directory directly for Kerberos authentication. This file contains user account credentials, but the password is hashed.

LEM Manager: The deployed virtual appliance that captures syslog data from local network devices. The LEM Manager includes a syslog server, optimized database, web server, correlation engine, and a hardened Linux operating system.

Manage view: Provides details about your LEM architecture.

Monitor view: Displays all monitored events on your network in real time. You can create filters and widgets that group and display different events from your agents, managers, and network devices.

Network device: A log source (such as a firewall, router, switch, or third-party software) that sends log messages to the LEM Manager.

Nodes: Systems and devices that send data to your LEM appliance, such as servers, workstations, network devices, and security devices. For example, an environment with 10 routers, 50 switches, 300 servers, five firewalls, and 500 workstations sending data to your LEM appliance is equivalent to 865 nodes.

Normalized vs. original log (raw) storage: By default, all sizing details assume the Log & Event Manager default normalized data store is the only enabled store. If original log message storage is enabled, increase your resources accordingly.

OPS Center view: Provides a graphical representation of your log data in the LEM Console. It includes several widgets that help you identify problem areas and trends in your network. The Monitor view displays events in real time as they occur in your network. The Explore view provides tools for investigating events and related details. The Build view creates user components that process data on the LEM Manager. The Manage view manages properties for appliances and nodes.

Reports Console: A standalone application that schedules and runs preconfigured reports against your LEM database data. The console is a separate installation on your desktop or laptop system.

Rules: A LEM appliance component that provides automated actions based on specific alert correlations.

Rules triggered per day or Rules triggered per second: The total number of correlation rules that meet all criteria and are triggered per second or per day (generally per second is considered an average). For example, an environment can have 15 different correlation rules configured that fire approximately once every hour, or approximately 360 rules triggered per day.

Single Sign-on (SSO): Enables the LEM appliance to use LDAP Kerberos-based authentication credentials to access Active Directory (AD) for user access control to LEM roles and database reports. SolarWinds deploys SSO in LEM using a keytab generated by Active Directory to enforce user account security.

Syslog server: A software application (such as Kiwi Syslog Server) that collects syslog messages and SNMP traps from network devices (such as firewalls, routers, and switches).

Virtual Appliance: A virtual image of a Linux-based physical computer that collects and processes log and event information. You can deploy the virtual appliance using VMware vSphere or Microsoft Hyper-V client.

Web Console (or LEM Console): Provides a browser-based method to monitor your LEM Appliance. The console is organized into five functional areas called views. These views organize and present different information about the components that comprise the LEM system.

Plan your deployment

Use this table to size your SolarWinds environment. Deployment size is impacted by throughput of events and performance degradation. Use the largest sizing that reflects your environment. For example, if you are running a small deployment and begin to notice performance degradation at 300 nodes, move to a medium deployment. As the number of nodes and data traffic changes over time, move to a deployment that supports your enterprise.

The hard drives are defined when the virtual appliance host is created. Installing LEM in a SAN is preferred, but high-speed hard drives (such as SSD drives) are required for high-end deployments.

When using original log (raw) storage, increase your CPU and memory resources by 50%. See your hypervisor documentation for more information.

SIZE OF DEPLOYMENT: Small (Receive 5M-35M events and trigger up to 500 rules per day)
HARDWARE:
- 2-4 core processors at 2.0 GHz
- 8 GB RAM
- 250 GB hard drive with IOPS
DEVICES: Fewer than 500 nodes in the following combinations:
- 5-10 security devices
- network devices, including workstation endpoints
- servers

SIZE OF DEPLOYMENT: Medium (Receive 30M-100M events and trigger up to 1000 rules per day)
HARDWARE:
- 6-10 core processors at 2.0 GHz
- 16 GB-48 GB RAM
- 1 TB hard drive with IOPS
DEVICES: Between 300 and 2,000 nodes in the following combinations:
- security devices
- network devices, including workstation endpoints
- servers

SIZE OF DEPLOYMENT: Large (Receive 200M-400M events and trigger up to 5000 rules per day) *
HARDWARE:
- core processors at 2.0 GHz
- 48 GB-256 GB RAM
- 2 TB hard drive with 400 or more IOPS
DEVICES: More than 1,000 nodes in the following combinations:
- security devices
- network devices, including workstation endpoints
- servers

* The most successful large deployments receive up to 250M events per day.

Scaling LEM deployments

While LEM can be deployed with multiple virtual appliances, 98% of all deployments perform well as a single appliance you can scale using resources available from the virtual host. See the installation requirements to ensure that your hardware systems meet the minimum software and hardware requirements.

Multi-level deployment scenarios

To increase your performance, you can deploy multiple virtual appliances to divide the Log & Event Manager appliance load across your infrastructure. There are two common multi-level deployment scenarios:

- Multiple virtual appliance stack
- Individual virtual appliances

You can increase your performance if each virtual appliance is deployed on a separate hardware machine. If your virtual appliances are deployed on the same hardware host, the negative performance impact is minimal.

MULTIPLE VIRTUAL APPLIANCE STACK

You can use multiple virtual appliances to segment and distribute the load by functional area and physical location, providing dedicated processing for:

- Management and event analysis
- Database storage, search, and reporting
- Log storage, search, and analysis
- Log collection

Use this configuration to assign appropriate resources in different configurations.

The following illustration shows an example of a multiple virtual appliance stack.

INDIVIDUAL VIRTUAL APPLIANCES

Multiple appliance deployments provide a consolidated, real-time search and management view in a single LEM console. This type of deployment is recommended if your corporate enterprise includes logical divides in management or monitoring responsibilities.

The following illustration shows an example of individual virtual appliances deployed in LEM.

Single location deployment example

This deployment example uses one syslog server based in one location to collect log data from your network devices in a local network. The syslog server is installed in a Windows-based system hosting the LEM Manager, which captures the syslog data from the network devices. You can use this deployment to collect syslog data from one location.

In this deployment, the network devices send syslog data to the LEM Manager over TCP or UDP. Workstations and servers hosting applications use LEM agents to initiate TCP connections and push syslog data to the LEM Manager running on a supported vSphere or Hyper-V hypervisor. The syslog server receives the logs on port 514 and saves the logs to the LEM Manager /var/log file partition. The log filename varies, based on the target facility configured on the network device.

If your log sources are located behind firewalls, see SolarWinds LEM port and firewall information to open the necessary ports or the SolarWinds Port Requirements for SolarWinds Products Guide for a list of all ports required to communicate with LEM.
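Because the log file depends on the facility each device sends on, it helps to decode the facility from the syslog priority value when you need to find a device's data. The following is an added example, not part of the original guide or SolarWinds code: it decodes the leading <PRI> of constructed sample messages and lists the file each sender would land in. The <facility>.log naming under /var/log is an assumption, since the guide does not state the naming scheme.

```python
import re
from collections import defaultdict

# Facility and severity names indexed by numeric code (RFC 3164 / RFC 5424).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3",
    "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed sample messages (not captured from a real device).
SAMPLE_MESSAGES = [
    "<134>Jul 19 10:00:01 fw01 kernel: DROP IN=eth0 SRC=198.51.100.7",
    "<189>Jul 19 10:00:02 sw-core %LINK-5-CHANGED: Gi0/1 changed state to up",
    "<38>Jul 19 10:00:03 fw01 sshd[411]: Accepted publickey for admin",
    "<999>Jul 19 10:00:04 rtr01 priority out of range",
    "Jul 19 10:00:05 rtr01 message without a priority header",
]


def decode_pri(message):
    """Return (facility, severity) from the leading <PRI>, or None if invalid."""
    match = PRI_RE.match(message)
    if not match:
        return None
    pri = int(match.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid priority value
        return None
    # PRI = facility * 8 + severity
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def files_by_device(messages, log_dir="/var/log"):
    """Map each sending host to the log files its messages would be written to.

    ASSUMPTION: one file per facility, named <facility>.log under log_dir.
    Messages with a missing or invalid priority are returned separately so a
    misconfigured sender is visible instead of silently dropped.
    """
    routed = defaultdict(set)
    rejected = []
    for msg in messages:
        decoded = decode_pri(msg)
        if decoded is None:
            rejected.append(msg)
            continue
        facility, _severity = decoded
        # RFC 3164 layout after the PRI: "Mmm dd hh:mm:ss HOST TAG: text"
        fields = msg[msg.index(">") + 1:].split()
        host = fields[3] if len(fields) > 3 else "unknown"
        routed[host].add(f"{log_dir}/{facility}.log")
    return dict(routed), rejected


if __name__ == "__main__":
    routed, rejected = files_by_device(SAMPLE_MESSAGES)
    for host, files in sorted(routed.items()):
        print(host, sorted(files))
    print("rejected:", len(rejected))
```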

Multi-location deployment example

This deployment example uses two syslog servers based in two locations to collect log data from your network devices in a wide area network (WAN). The syslog server is installed in two Windows-based systems hosting the LEM agent, which captures the syslog data from the network devices. You can use this deployment to collect syslog data from two remote locations.

This architecture detaches and distributes the syslog servers in separate locations, rather than using the Syslog server in the LEM Manager. Both locations include a local syslog server. The LEM connectors normalize the original log messages into LEM events. You can implement this scenario when your change management processes prevent you from adding new logging hosts on your network devices.

If you deploy a detached Syslog server (such as a Kiwi syslog server), install a LEM Agent on both syslog servers, and then enable the appropriate connectors on the LEM Agent. Automatic log scanning does not apply to the LEM Agent. However, new nodes can be discovered by the enabled connectors.

If your log sources are located behind firewalls, see SolarWinds LEM port and firewall information to open the necessary ports or the SolarWinds Port Requirements for SolarWinds Products Guide for a list of all ports required to communicate with LEM.

Licensing

Licensing your Log & Event Manager deployment is based on:

- The number of universal nodes (systems running Windows Server or Unix operating systems and non-agent devices such as switches, routers, and firewalls).
- The number of workstation nodes (systems running Windows and the LEM Agent on desktop systems).

For example, with a LWE250 for LEM30 license, you can add 250 Windows workstation nodes and 30 universal nodes to your Log & Event Manager deployment.

Best practices

When you initiate your Log & Event Manager deployment, SolarWinds recommends applying the correct port requirements and fine tuning your installation to ensure peak performance.

PORT REQUIREMENTS

See the SolarWinds Port Requirements for SolarWinds Products Guide for the current LEM port requirements.

FINE TUNING

To minimize processor and memory resources, SolarWinds recommends reviewing your Log & Event Manager logging resources, fine-tuning your rules, and verifying that your virtual appliance is running properly. Windows filtering platform (WFP) events are logged into Windows event logs when specified by auditing policies.

TUNE YOUR WFP EVENTS

Adjust your Windows filtering platform events and enable WFP logging only on nodes that require that level of auditing. Windows environments often have WFP logging enabled by default, which may not be required. See the Disable Windows filtering platform alerts using Alert Distribution Policy article for more information.

REVIEW YOUR RULE CONFIGURATIONS

Ensure that your rules are not triggered too frequently. This can be caused by:

- Low threshold settings. Consider increasing the threshold for rules that trigger due to network traffic.
- Broadly-defined conditions. Define rules to apply only to specific user names, IP addresses, or systems. Consider whether a different set of rules with different conditions could serve two distinct areas of your environment.
- Rules using event groups instead of a single event or subset of events. Rules that detect authentication or network traffic may trigger on additional events, but may only apply to a subset of those events.

VALIDATE YOUR VIRTUAL APPLIANCE RESERVATIONS

Your virtual environment may include adequate system resource reservations. However, system requirements can change over time, new resource allocations can be applied, or temporary limitations can become permanent. For optimal performance, ensure that you reserve the required system resources in your virtual environment. Allocating resources during your deployment may result in intermittent resource access or system restarts to recognize your deployment.
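The three causes of over-triggering listed under Review your rule configurations can be seen by replaying the same events through differently scoped rules. The following is an added example, not part of the original guide: a generic threshold-within-window model, not LEM's correlation engine. The event names, hosts, users, and thresholds are constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Event:
    ts: int      # seconds since start of the sample hour
    kind: str    # normalized event name (hypothetical names)
    user: str
    src: str     # source address, used as the correlation key


@dataclass
class Rule:
    name: str
    matches: Callable[[Event], bool]
    threshold: int   # matching events needed to fire
    window: int      # seconds in which they must occur


AUTH_GROUP = {"UserLogon", "UserLogoff", "FailedLogon"}  # an "event group"
ADMIN_USERS = {"admin"}

RULES = [
    # Event group, low threshold, no scoping.
    Rule("broad", lambda e: e.kind in AUTH_GROUP, 3, 300),
    # Single event instead of the group, same low threshold.
    Rule("single_event", lambda e: e.kind == "FailedLogon", 3, 300),
    # Single event, raised threshold, tighter window, scoped to admin users.
    Rule("tuned",
         lambda e: e.kind == "FailedLogon" and e.user in ADMIN_USERS, 5, 60),
]


def sample_events():
    """One constructed hour of authentication activity."""
    events = []
    # Routine workstation logon/logoff activity, one event per minute.
    for i, ts in enumerate(range(0, 3600, 60)):
        kind = "UserLogon" if i % 2 == 0 else "UserLogoff"
        events.append(Event(ts, kind, "alice", "10.0.0.5"))
    # Service account with a stale password retrying every two minutes.
    for ts in range(0, 3600, 120):
        events.append(Event(ts, "FailedLogon", "svc_backup", "10.0.0.9"))
    # Burst of failed admin logons from one source, five seconds apart.
    for i in range(8):
        events.append(Event(1800 + 5 * i, "FailedLogon", "admin", "10.0.0.66"))
    return events


def count_triggers(rule, events):
    """Count how often a rule fires; the per-source counter resets on firing."""
    recent = defaultdict(deque)
    fired = 0
    for ev in sorted(events, key=lambda e: e.ts):
        if not rule.matches(ev):
            continue
        q = recent[ev.src]
        q.append(ev.ts)
        while ev.ts - q[0] > rule.window:   # drop events outside the window
            q.popleft()
        if len(q) >= rule.threshold:
            fired += 1
            q.clear()
    return fired


def compare(rules, events):
    """Return {rule name: number of triggers} for the same event stream."""
    return {rule.name: count_triggers(rule, events) for rule in rules}


if __name__ == "__main__":
    for name, fired in compare(RULES, sample_events()).items():
        print(f"{name:13s} fired {fired} times")
```

On this sample the tuned rule still fires once on the failed-logon burst, while the routine logons and the retrying service account no longer trigger it.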

Install the virtual appliance

This section provides the system requirements for your LEM manager and information about installing the hypervisor and preparing the installation files.

Installation requirements

Before you install SolarWinds LEM, ensure that your hardware systems meet the minimum software and hardware requirements. LEM is only supported on Microsoft Windows-based platforms.

Your deployment may require additional resources. See Plan your deployment for hardware and device specifications based on your deployment architecture.

In this section:

- Virtual appliance
- Web console
- LEM agent
- Port requirements

VIRTUAL APPLIANCE

HARDWARE: REQUIREMENTS
CPU: Dual Core, 2 GHz*
Memory: 8 GB*
Hard drive space: 250 GB* (2.0 TB is recommended for larger deployments)

* These are the minimum requirements. Depending on your deployment, you may need to add additional resources for additional log-traffic volume and data retention.

SOFTWARE: REQUIREMENTS
Hypervisor:
- VMware vSphere ESX 4.0 and later
- VMware vSphere ESXi 4.0 and later
- Microsoft Hyper-V Server 2008 Release 2 (R2)
- Microsoft Hyper-V Server 2012
- Microsoft Hyper-V Server 2012 R2
- Microsoft Hyper-V Server 2016

WEB CONSOLE

HARDWARE / SOFTWARE: REQUIREMENTS
Adobe Flash: Flash Player 15
Web browser:
- Microsoft Internet Explorer 8 and later
- Mozilla Firefox 10 and later
- Google Chrome 17 and later

LEM AGENT

HARDWARE / SOFTWARE: REQUIREMENTS
Operating System:
- Apple Macintosh
- HP-UX
- IBM AIX
- Linux
- Oracle Solaris
- Windows Vista
- Windows 7
- Windows 8
- Windows 10
- Windows Server 2000
- Windows Server 2003
- Windows Server 2008
- Windows Server 2012
- Windows Server 2016
CPU: 450 MHz Pentium III or equivalent*
Memory: 128 MB*
Hard Drive Space: 1 GB*
Environment Variables: Administrative access to the device hosting the LEM Agent

* These requirements are the default settings. Depending on your deployment, you may need to add additional resources for additional log-traffic volume and data retention.

ORACLE SOLARIS AGENT UPGRADES

Beginning with version 6.3, LEM supports the 64-bit Java 8 Runtime Environment (JRE). Since Oracle did not release a 32-bit version of Java for Solaris, you must manually upgrade the agents running on these systems.

To upgrade your 32-bit Solaris SPARC and Solaris Intel agents, download the Solaris SPARC Agent and Solaris Intel Agent installers from the Customer Portal and run these installers on your Solaris systems. In a future release, the LEM console will support updates for 64-bit Solaris agents when they are available.

PORT REQUIREMENTS

Port requirements are posted to the SolarWinds Success Center. If your log sources are located behind a firewall, see the following pages for information about the ports to open.

- For LEM, see SolarWinds LEM Port and Firewall Requirements. (LEM)/SolarWinds_LEM_Port_and_Firewall_Requirements
- If you use multiple SolarWinds products, see Port requirements for all SolarWinds products. (NPM)/Port_requirements_for_all_SolarWinds_products

Install and set up the hypervisor

The hypervisor software provides the virtual environment that hosts your LEM deployment. To get started, download the Microsoft Hyper-V or VMware vSphere software to your host system. When the download is completed, follow the directions included with your software to configure the software and associated client (if applicable). See the installation requirements for the supported versions.

See your hypervisor documentation for detailed instructions about the features in both products and working in the Hyper-V or vSphere interface.

Prepare the installation files

The LEM free trial download is an executable file that contains everything you need to install and begin working with LEM.

1. Download a free trial of Log & Event Manager.
2. Double-click the evaluation EXE file to extract the necessary files and tools to a folder on your desktop. The files in each executable contain the virtual appliance image to deploy Log & Event Manager using the VMware vSphere or Microsoft Hyper-V hypervisors.
3. Follow the prompts in the Quick Start: Log and Event Manager wizard to complete the installation.

The default deployment uses swi-lem as the host name and attempts to pull network configurations from the DHCP server. You can change the host name and IP address after you complete the deployment.

By default, Log & Event Manager deploys with 8 GB RAM and 2 CPUs on both hypervisor platforms.

Deploy the virtual appliance

You can deploy Log & Event Manager using the VMware vSphere or Microsoft Hyper-V hypervisor. The default deployment uses swi-lem as the hostname and pulls the network configurations from the DHCP server. You can configure a static IP address or hostname after you complete the deployment.

By default, LEM deploys with 8 GB RAM and 2 CPUs on the vSphere and Hyper-V hypervisor platforms.

Before you begin

- Use an account with local administrative rights.
- Review your IT policy and verify the account is not subject to any local or group policy restrictions.
- Use the Run as administrator option when launching the installer on a system running Windows Server

Deploy LEM using VMware vSphere

After you deploy your VMware vSphere hypervisor on a supported host system and prepare the installation files, deploy Log and Event Manager using the Log & Event Manager evaluation file for Hyper-V. Be sure you have a supported version of Internet Explorer, Firefox, or Chrome to access the LEM console.

If you are using a non-US keyboard to perform the installation, use SSH to input the settings.

1. Start the VMware vSphere Client and log in with VMware administrator privileges.
2. Deploy the open virtualization format (OVF) template.
3. Open the SolarWinds Log & Event Manager folder located on your desktop and double-click: Deploy First LEM Virtual Appliance.ova
4. Complete the setup wizard. When prompted, select the Thin Provisioned disk format. Thin provisioning offers more performance flexibility than thick provisioning, but requires more oversight than thick provisioning. Thin provisioning provides increased performance by dedicating physical storage space.
5. Map the network interface card (NIC) to the appropriate network.
6. When the OVF deployment is completed, click Finish.

If your LEM deployment receives more than 15 million events per day, adjust your system resource reservations to handle the increased load. See Reserve system resources in the virtual environment for information about configuring resource reservations for a large deployment.

START THE VIRTUAL APPLIANCE

After you deploy the OVF file, start the virtual appliance.

1. Select the SolarWinds Log and Event Manager virtual appliance and click Play.
2. Click the Console tab.
3. Record the IP address.
4. Connect to the virtual appliance.

SUPPORTED AND UNSUPPORTED URLS

If you are using the host name for the URL, add the LEM host name or IP address into your DNS server. Port 8080 is not secure and is automatically disabled when the activation process is completed. Port 8443 is always available.

SUPPORTED URLS / UNSUPPORTED URLS

Deploy LEM using Microsoft Hyper-V

You can download the Log & Event Manager evaluation software from the SolarWinds LEM website. After you complete the registration, a web page displays where you can download the Log & Event Manager evaluation file for Hyper-V.

1. Start the Microsoft Hyper-V Manager and log in with administrator privileges.
2. Select the action to import a virtual machine.
3. In the Import Virtual Machine window, click Browse and select the following file in the SolarWinds Log and Event Manager folder: Deploy First - LEM Virtual Appliance.ova
4. Complete the setup wizard.
5. In the Settings box, select Move or restore the virtual machine (use the existing unique ID).
6. Click Import to install the LEM virtual machine in Hyper-V and complete the deployment. The OVA file is imported into your virtual machine.
7. In the Hyper-V Manager, configure additional settings (such as Memory, CPU, networking, and storage space) to complete your configuration. By default, the virtual machine is configured with the minimum requirements. The resource reservations will be set automatically to ensure optimal performance.

If you expect your LEM deployment to receive more than 15 million events per day, adjust your system resource reservations. See Reserve system resources in the virtual environment for information about configuring resource reservations for a large deployment.

START THE VIRTUAL APPLIANCE

1. Locate SolarWinds Log and Event Manager in the Actions column and click Start.
2. Record the IP address that displays after the virtual appliance starts.
3. Connect to the virtual appliance.

SUPPORTED AND UNSUPPORTED URLS

If you are using the hostname for the URL, add the LEM hostname or IP address into DNS. Port 8080 is unsecure and is automatically disabled after activation has been completed. Port 8443 is always available.

SUPPORTED URLS / UNSUPPORTED URLS
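The guide states, for both hypervisors, that port 8080 is disabled once activation completes and that port 8443 is always available. The following is an added example, not part of the original guide or a SolarWinds tool: a small check of that state for an appliance you administer. Function names and finding wording are illustrative, and self_check() runs the logic against constructed loopback listeners so no appliance is required.

```python
import socket


def port_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_console_ports(host, activated, insecure_port=8080,
                        secure_port=8443, timeout=2.0):
    """Compare listening console ports with the state the guide describes.

    Returns a list of (level, message) findings; an empty list means the
    appliance matches the documented post-activation state.
    """
    findings = []
    if not port_open(host, secure_port, timeout):
        findings.append(
            ("FAIL", f"{host}:{secure_port} unreachable; the guide says "
                     "this port is always available"))
    if port_open(host, insecure_port, timeout):
        if activated:
            findings.append(
                ("FAIL", f"{host}:{insecure_port} still accepts connections "
                         "after activation; the unsecured console should "
                         "be disabled"))
        else:
            findings.append(
                ("INFO", f"{host}:{insecure_port} open before activation; "
                         f"prefer port {secure_port} and complete activation"))
    return findings


def self_check():
    """Run the audit against constructed local listeners (no appliance)."""
    secure = socket.socket()
    secure.bind(("127.0.0.1", 0))
    secure.listen(8)
    plain = socket.socket()
    plain.bind(("127.0.0.1", 0))
    plain.listen(8)
    secure_port = secure.getsockname()[1]
    plain_port = plain.getsockname()[1]
    try:
        results = {
            "not_activated_plain_open": audit_console_ports(
                "127.0.0.1", False, plain_port, secure_port),
            "activated_plain_open": audit_console_ports(
                "127.0.0.1", True, plain_port, secure_port),
        }
        plain.close()  # simulate the appliance disabling the unsecured port
        results["activated_plain_closed"] = audit_console_ports(
            "127.0.0.1", True, plain_port, secure_port)
    finally:
        secure.close()
        plain.close()
    return results


if __name__ == "__main__":
    for state, findings in self_check().items():
        print(state, findings or "OK")
```

To use it against a deployment, call audit_console_ports() with the IP address you recorded when the virtual appliance started.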

Connect to the virtual appliance

You can connect to the virtual appliance using the web-based LEM console or the stand-alone LEM Desktop console. If your corporate IT requirements restrict you from using a web browser-based solution with Adobe Flash, consider installing the LEM Desktop Console with Adobe AIR runtime.

Connect using the LEM console

The LEM console requires no additional installation but requires a supported web browser to connect to the LEM appliance.

1. Open a supported web browser.
2. Enter the IP address you received while configuring your VMware vSphere or Microsoft Hyper-V software. The default admin credentials automatically populate the login dialog.
3. Click Connect to log in.
4. Create a new password. When the LEM console connects to the LEM virtual appliance for the first time, it prompts you to change your password. Your password must be between 6 and 40 characters and contain at least one uppercase letter and one number.
5. Enter your email address to participate in the SolarWinds Improvement Program and send anonymous data about your usage to SolarWinds. Clear the check box to decline.
6. Click Save.

The installation is completed.

Connect using the LEM Desktop console

The LEM desktop console requires a separate installation and some configuration to connect to the LEM Virtual Appliance.

1. Start the desktop console.
2. In the log in window, click Advanced Properties.
3. Complete the fields and selections as required.
4. Click Connect.

The installation is completed.

Activate the virtual appliance

After you deploy the OVA file, activate your appliance by applying an activation key, securing your LEM appliance, and setting the date and time. Be sure to activate the appliance after boot-up. Otherwise, you may experience unexpected results with your appliance.

Apply an activation key

If you are evaluating Log & Event Manager, you do not need to apply an activation key to activate the virtual appliance. For 30 days, you will have unlimited access to all product features. If you have not purchased and provided a license key after 30 days, the application will stop collecting event logs from your syslog and agent devices. You can continue using Log and Event Manager in this mode and access your saved logs. Applying a license reactivates event log collection so you can continue monitoring all events in your deployment. If you need to extend your evaluation period, contact Customer Sales.

You can upgrade to a fully-functional production version by purchasing a new license from Customer Sales and downloading the license key from the Customer Portal. After you install the new license key, you can access all features within the LEM appliance. You cannot upgrade your license using the SolarWinds License Manager.

APPLY YOUR ACTIVATION KEY ONLINE
If your LEM Console is connected to the Internet, you can automatically apply a new license key online using the LEM Console. Applying a license key reactivates log event collection, restoring full product functionality.

1. Download your license key from the License Management page in the SolarWinds Customer Portal.
2. Open the LEM Console and log in to your LEM manager with your admin credentials.
3. Click Manage > Appliances.
4. Click License in the Properties pane.
5. Select Automatic in the Type field.
6. Enter the license key in the Key field.
7. Enter your name, , and telephone number without special characters (such as dashes or periods) in the appropriate fields.
8. Click Activate.
9. Click OK when the license is activated.

APPLY YOUR ACTIVATION KEY OFFLINE
If your LEM Console is not connected to the Internet, you can apply a new license key offline using the LEM Console and a computer with Internet access. Applying a license key reactivates log event collection, restoring full product functionality. You cannot upgrade your license using the SolarWinds License Manager.

1. Open the LEM Console and log in to your LEM Manager as an administrator.
2. Navigate to Manage > Appliances.
3. Select the License tab on the Properties pane.
4. In the License Activation pane, select Manual in the Type field.
5. Copy the Unique ID of this LEM Virtual Appliance. If the computer hosting LEM Manager does not have Internet access, manually copy and paste the Unique ID into a text file and save the file to a shared drive accessible from a computer with Internet access.
6. On a separate system with Internet access, generate a license file.
   a. Navigate to the SolarWinds Customer Portal.
   b. Select License Management and then select License Management again.
   c. Under the LEM product, select Activate license manually.
   d. In the pop-up window, fill in the form and paste the LEM Virtual Appliance's Unique ID in the form.
   e. Click Generate License File to download your license file to your hard drive. If your LEM installation is on a system without Internet access, save the license file to a shared drive that your LEM Console can access.
7. In the License Activation pane, click Update License and select the downloaded license file.
8. Click Activate at the bottom of the License tab.

Secure your LEM appliance

After you install your license, complete your appliance configuration by executing the Activate command in the Appliance menu. This process will help you secure your LEM appliance from unauthorized users. Be sure to run the Activate command and configure your appliance after boot-up. Otherwise, you may experience unexpected results with your appliance.

During the activation procedure, you can:
- Configure a static IP address
- Configure a secure password
- Lock down web port 8080 and redirect access to port 80 for increased security

- Verify your network configurations
- Change your hostname (if desired)
- Restrict access to the Reports applications
- Export a certificate to use the optional LEM Desktop Console

If you plan to use the LEM Desktop Console powered by Adobe AIR Runtime instead of the LEM Console, import the virtual appliance CA SSL certificate to the certificate store during the activation. When the activation is completed, the LEM Console connects with the virtual appliance using secure communications on port

SolarWinds recommends configuring a static IP address for your LEM appliance. If you run DHCP and your IP address changes during the evaluation period, your deployed agents may be disconnected and require additional troubleshooting to resolve.

1. Open a command line interface. In VMware, click the Console tab. In Hyper-V Manager, open a PowerShell window. You can also use PuTTY to activate the appliance. Log in using the appliance IP address and port or
2. Log in to the appliance.
   a. At the login as prompt, type cmc and press Enter.
   b. At the password prompt, type your password and press Enter. The default password is password. The cmc> prompt opens with a list of available commands.

3. Configure the appliance with a static IP address.
   a. At the cmc> prompt, type appliance and press Enter. The prompt changes to cmc::acm#, indicating you are in the appliance configuration menu.
   b. At the cmc::acm# prompt, type activate and press Enter.
   c. Enter and validate a cmc password.
   d. When prompted, select Yes to configure a static IP address for your appliance.
   e. At the cmc::acm# prompt, type netconfig and press Enter.
   f. At the prompt, type static and press Enter.
   g. Follow the steps on your screen to configure the Manager Appliance network parameters. Be sure to enter a value for each prompt. Leaving blank entries results in a faulty network configuration that requires you to rerun netconfig.
   h. Record the IP address assigned to your appliance. You will use this IP address to log in to the LEM Console.
4. When prompted, select Yes to specify a hostname or No to accept the default hostname. To specify a hostname, use the following guidelines:
   - Use the standard hostname naming conventions.
   - Use hostname labels that only contain the ASCII letters a through z (in a case-insensitive manner), the digits 0 through 9, and the hyphen (-).
   - Do not use hostnames that start with a digit or a hyphen or end with a hyphen.
   - Do not include symbols, punctuation characters, or white spaces.
5. When prompted, select Yes to specify a list of IP addresses that can access reports. This is the recommended setting.
6. Confirm your network configuration. At the cmc::acm# prompt, enter viewnetconfig, press Enter, and review your network configuration.

To ensure secure communications between the desktop software and the virtual appliance, the SSL certificate is automatically exported from the virtual appliance when the activation is completed.

Set the date and time zone

After you activate and configure your appliance, set the date and time in the appliance. The LEM virtual appliance is configured to synchronize with the hypervisor date and time by default. If the time zone is off by more than five minutes, the LEM rules will not operate properly.

The time zone is set to Pacific Standard Time by default.

1. Return to the cmc> prompt.
2. Update the time zone in your LEM Manager.
   a. At the cmc> prompt, enter appliance and press Enter.
   b. At the cmc::acm# prompt, enter dateconfig and press Enter.
   c. Press Enter and update the current time zone.
   d. At the cmc::acm# prompt, enter tzconfig and press Enter.
   e. Press Enter and configure the time zone.
3. Update the time in your hypervisor.
   a. At the cmc::acm# prompt, enter manager and press Enter.
   b. At the cmc::cmm# prompt, enter viewsysinfo and press Enter. The system information displays.

      Virtualization Platform: VMware
      Clock Synchronization : Enabled
      Hypervisor Time : 6 May :07:31
      Guest Time : Fri May 6 09:07:

   c. Using the space bar, scroll down to Hypervisor Time and change the date and time so they match the date and time in the LEM Manager.
   d. Using the space bar, scroll down to Guest Time and ensure that the date and time match the settings in the LEM appliance.
4. Type Exit and press Enter.
5. Type Exit and press Enter again to exit the CMC interface.

Reserve system resources in the virtual environment

Ensure that the system resources in the virtual environment have ample virtual space and memory to support the Log & Event Manager software and incoming data traffic. For typical deployments, Log & Event Manager requires 250GB of system resources on the hypervisor. Large deployments may require 2TB of resources, which you can reserve on the VMware ESX(i) 4/5+ and Microsoft Hyper-V 2008 R-2/2012 hypervisors. By default, LEM deploys with 8GB of RAM and 2 CPUs on the VMware ESX(i) and Microsoft Hyper-V platforms.

Log & Event Manager collects data from a continuous stream of traffic that fluctuates based on user, server, and network activity. The type and volume of traffic varies based on the device sending the traffic and the audit and log settings on those devices.

Incoming data traffic

Log & Event Manager receives data from syslogs and traps using up to 500 connectors that receive data traffic from several supported network devices. These connectors translate (or normalize) the data into a readable and understandable format you can view in the LEM Console. The connectors display in the Monitor view, pass through the rules engine for specified actions, and move into a database for retrieval by the LEM Reports or nDepth search function.

To process the data in real time, Log & Event Manager requires system resource reservations from the virtual appliance host. When the volume of traffic exceeds 15 million events per day, be sure to reserve additional system resources to support the additional data traffic.

Viewing virtual appliance resources, reservations, and storage

You can view your virtual appliance resources, reservations, and storage in the Manage > Appliances view. The Appliances grid displays the virtual appliances and their corresponding details.

The Details pane displays information about your selected manager or appliance. This information includes the platform, CPU reservation, and memory allocation.

To view the Details pane, click Manage and select Appliances. In the Appliances grid, select the manager or appliance you want to view. If the Details and Properties panes do not appear in the LEM Console, click the Appliances tab at the bottom of the screen.

FIELD: DESCRIPTION
Platform: The manager platform name, which can be Trigeo SIM, VMware vSphere, or Microsoft Hyper-V.
CPU Reservation: The reserved CPU memory. Reserving CPU memory ensures enough system resources are available for the allocated CPUs.
Number of CPUs: The number of processors allocated to the virtual appliance.
Memory Allocation: The maximum amount of memory the manager can use. Set this value at or above the reservation value. You can define this value in the VM configuration. Setting memory allocation to a greater value than the memory reservation has little effect on LEM performance.
Memory Reservation: The amount of memory reserved for this system.
Status: The current connection status of the selected manager or appliance.
Name: The manager or appliance name.
Type: The appliance type (Manager, Database Server, nDepth Server, Logging Server, or Network Sensor).
Version: The manager or appliance software version.
IP Address: The manager or appliance IP address.
Port: The port number used by the LEM Console to communicate with the manager or appliance.

You can view your reservation settings using vSphere or an SSH client (such as PuTTY). See your VMware vSphere documentation for details about configuring resources, reservations, and storage on a vSphere virtual appliance.

VIEW THE RESERVATION SETTINGS USING THE VSPHERE CLIENT
You can view your reservation settings using VMware vSphere.

1. Log in to vSphere.
2. Select the LEM appliance from the list.
3. Click the Summary tab to view the number of CPUs. The Provisioned Storage value in the Resource area is the total disk space that Log & Event Manager can use. At the bottom left, the CPU reservation displays 2.0 GHz.
4. Set the limit to unlimited.
5. Select the Resource Allocation tab.
6. At the bottom right, set the memory reservation to 8MB and the limit to unlimited. The Configured value must be at least the same value or higher than the reservation. You may see memory reservations as high as 256GB of RAM for customers over 150 million events per day.

VERIFY THE RESERVATIONS USING THE SSH CLIENT
You can also view your reservation settings using an SSH client (such as PuTTY). The SSH client requires the hostname of your LEM appliance.

1. Open a PuTTY session.
   a. Click Session.
   b. In the Host Name field, enter the hostname of your LEM appliance.
   c. In the Port field, enter or 22.
   d. Click Open. After you log in, a session window displays.
2. Enter the Manager menu.
3. Type viewsysinfo and press Enter.
4. View the CPU > Reservation and the Memory > Reservation settings and make adjustments as required.
5. At the cmc> prompt, type exit to exit the CMC.

VIEW THE RESERVATION SETTINGS IN THE HYPER-V CLIENT
Use the following tables to verify your Hyper-V client settings. For details about setting resources, reservations, and storage on a Hyper-V virtual appliance, see your Microsoft Hyper-V documentation.

MEMORY SETTINGS
SETTING: VALUE
Static RAM: 8GB, 16GB, 24GB, 32GB, 64GB, 128GB, 256GB
Memory Weight: High

CPU SETTINGS (WINDOWS SERVER 2008)
SETTING: VALUE
Number of processors: 2, 4, 6, 8, 10, 12, 14, 16
VM reserve CPU cycles: 100%
Limit CPU Cycles: 100%
Relative weight for CPU: 100%

CPU SETTINGS (WINDOWS SERVER 2012, WINDOWS SERVER 2016)
SETTING: VALUE
CPU memory details: Click the Advanced tab and set the view and details
CPU Priority: High
Reserve CPU cycle: 100%
Limit CPU cycles: 100%

(Optional) Install the LEM Reports Console

The LEM Reports Console converts your Log & Event Manager database data into information you can use to troubleshoot and identify problems in your corporate network. When the console is installed on a separate server or workstation in a multiple location deployment, you can run over 200 standard and industry-specific reports that help you make informed decisions about your corporate enterprise.

If your Windows security settings prevent you from installing the LEM Reports Console and the Crystal Reports Runtime software, download the LEM Reports Console and the Crystal Reports Runtime installers from the SolarWinds Customer Portal. After you install the software, install the SolarWinds Log & Event Manager Reports from the Quick Start: Log and Event Manager splash screen.

1. On the splash screen, scroll down and click Install Desktop Software. The installer writes to a system folder that is protected by the Windows operating system. You can also right-click Install Next - LEM Desktop Software in the SolarWinds Log and Event Manager folder and select Run as administrator.
2. On the Welcome screen, click Next.
3. Verify that you have enough disk space for the installation, and then click Next.

4. On the Begin Installation screen, click Begin Install. The Crystal Reports Runtime and the LEM Reports Console are installed. Command boxes may appear during the installation. This process is normal.
5. When the installation is complete, click Close. The LEM Reports console is installed on your system.

Connect the console to your LEM database

When you enter your manager IP address into the Reports console, you create a connection between the Reports console and the LEM database server. You can audit users accessing the reporting server running on the LEM appliance. Only users with admin, auditor, or reports roles can run reports on the LEM database.

1. Locate the IP address of your LEM virtual appliance and your LEM console login credentials.
2. Right-click Reports on your desktop and select Run as administrator. To automatically run Reports as an administrator:
   a. Right-click the Reports shortcut and select Properties.
   b. Click Advanced and select the Run as administrator check box.
   c. Click OK.
   d. Click OK in the Reports Properties window.
3. Click Yes in the antivirus dialog box to continue.
4. Click OK in the information box to create a list containing at least one manager.

5. Enter the hostname or IP address of your LEM appliance in the Manager Name field. Whenever you see Manager in reference to LEM, it usually refers to the IP address or hostname of your virtual appliance.
6. Enter the username and password used to log in to the LEM console.
7. (Optional) Select the Use TLS connection check box to use the transport layer security protocol for a secure connection.
8. Click Test Connection to verify the connection between the LEM database server and the LEM Reports console. The Reports console pings the LEM database and verifies the connection. If the ping is successful, Ping Successful displays in the dialog box.
9. Click to add the IP address to your LEM Manager list, and then click Yes to confirm.
10. Click Close. The Reports console is connected to your LEM database and displays on your screen.

(Optional) Install the LEM Desktop Console

The LEM console provides a browser-based method to monitor your LEM appliance. If IT requirements restrict you from using a browser-based solution, you can install the LEM desktop console. Using the console, you can monitor your LEM appliance without a web browser. The LEM desktop console requires Adobe AIR Runtime for Windows.

Install Adobe Air Runtime for Windows

Install this software to monitor your LEM appliance without a web browser.

1. Download Adobe Air Runtime for Windows from your Customer Portal or the Adobe AIR website.
2. Extract the contents of the ZIP file and double-click the installer.
3. Follow the instructions to complete the installation.

Install the LEM Desktop Console

Install this software to monitor your LEM appliance with a web browser.

1. Download the standalone console installer from the SolarWinds Customer Portal.
2. Extract the contents of the ZIP file and double-click the LEM Console installer.
3. Click Install.
4. Select your installation preferences.
5. Click Continue to begin the installation process.
6. If you did not instruct the console to open after the installation, open the desktop console.
7. Accept the End User License Agreement, and click OK.
8. Enter the IP address or hostname of the virtual appliance, and then click Connect. The computer running the LEM Console must be able to resolve the hostname of the appliance using DNS or a manual entry in the hosts file before you enter the hostname in the desktop console. See Resolve the LEM virtual appliance hostname for more information.
9. Create a new password. The LEM desktop console requires you to change your LEM password after the installation. The first time the LEM console connects to the LEM virtual appliance, it prompts you to change your password. The password must be between 6 and 40 characters and contain at least one capital letter and one number.
10. Enter your address to participate in the SolarWinds Improvement Program. Otherwise, clear the check box.
11. Click Save. The LEM desktop console is installed on your system.

Import the SSL certificate

If you plan to use the LEM desktop console instead of the web-based LEM console, import the virtual appliance CA SSL certificate to the certificate store when you activate the virtual appliance. When the activation is completed, the LEM console connects with the virtual appliance using secure communications on port

1. Locate and double-click the certificate on the network share.
2. Click Next and select Place all certificates in the following store.
3. Click Browse.
4. Select Trusted Root Certification Authorities, click OK, and then click Next.
5. Click Finish.
6. Click Yes to confirm that you trust the certificate.

Resolve the LEM Virtual Appliance host name

Ensure that the system hosting the LEM desktop console can resolve the appliance host name using DNS or a manual entry in the hosts file. Otherwise, you cannot connect to the appliance. Before you edit your hosts file, create a backup copy and save it in a safe place.

Configure forward and reverse DNS entries (which include a HOST and PTR record) for your appliance on your DNS server. When you create the DNS entries, use the default host name or the host name you chose during the activation procedure.

If you cannot configure DNS directly on your DNS server, configure a hosts file on your computer by editing the Windows\System32\drivers\etc\hosts file in a text editor. Add a line space and then a line with your virtual appliance IP address and host name separated by a tab or space.
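The following added example (not part of the SolarWinds guide) checks a hosts file before and after you edit it: it validates the appliance host name against the naming guidelines from the activation procedure and reports whether the file maps that name to the expected IP address, to no address, or to a conflicting one. The host name swi-lem, the 192.0.2.x addresses, the sample file contents, and the 63-character label limit are assumptions made for illustration.

```python
import ipaddress
import re

# One host name label: ASCII letters, digits and hyphen, no leading or
# trailing hyphen. The 1-63 character limit is the usual DNS convention
# (an assumption; the guide only says "standard naming conventions").
_LABEL = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?", re.IGNORECASE)


def hostname_problems(name):
    """Return the guideline violations for a host name (empty list = valid)."""
    if not name:
        return ["empty hostname"]
    problems = []
    if name[0] in "0123456789-":
        problems.append("starts with a digit or hyphen")
    if name.endswith("-"):
        problems.append("ends with a hyphen")
    for label in name.split("."):
        if not _LABEL.fullmatch(label):
            problems.append("invalid label %r" % label)
    return problems


def parse_hosts(text):
    """Parse hosts-file text into (entries, malformed_line_numbers).

    Each entry is (line_number, ip_address_object, [lowercased names]).
    """
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()                 # tab or space separated
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append(lineno)
            continue
        if len(fields) < 2:                   # address without a name
            malformed.append(lineno)
            continue
        entries.append((lineno, ip, [f.lower() for f in fields[1:]]))
    return entries, malformed


def check_entry(text, hostname, expected_ip):
    """Classify the mapping for hostname as 'ok', 'missing' or 'conflict'."""
    expected = ipaddress.ip_address(expected_ip)
    entries, _ = parse_hosts(text)
    found = [(n, ip) for n, ip, names in entries if hostname.lower() in names]
    if not found:
        status = "missing"
    elif all(ip == expected for _, ip in found):
        status = "ok"
    else:
        status = "conflict"
    # For a missing entry, build the line the guide asks you to add.
    add = "%s\t%s" % (expected, hostname) if status == "missing" else None
    return {"status": status, "lines": [n for n, _ in found], "add": add}


# Constructed sample hosts file (not taken from a real system).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost

192.0.2.50\tswi-lem          # LEM virtual appliance
192.0.2.77      SWI-LEM.example.test swi-lem-old
not-an-ip       badline
192.0.2.80
"""

if __name__ == "__main__":
    print(hostname_problems("swi-lem"))
    print(parse_hosts(SAMPLE_HOSTS)[1])
    for name in ("swi-lem", "swi-lem.example.test", "lem2"):
        print(name, check_entry(SAMPLE_HOSTS, name, "192.0.2.50"))
```

A conflict result means a stale or unexpected entry already claims the appliance name, which is worth resolving before trusting the connection the desktop console makes to that name.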

Collect log data

You can configure Log & Event Manager to receive syslog data from non-agent devices (such as switches, routers, and firewalls) or event log data from Windows servers running the LEM agent. Log & Event Manager uses the connector to translate (or normalize) the raw log data into a supported format that displays in the LEM console. You must associate a connector to a supported device or log source to collect syslog data.

If your log sources are located behind firewalls, see SolarWinds LEM port and firewall information to open the necessary ports. See the SolarWinds Port Requirements for SolarWinds Products Guide for a list of all ports required to communicate with LEM.

View monitored events and details

You can view all monitored events in the All Events grid located in the Monitor view. This view provides real-time monitoring of all normalized LEM events. Click Pause in the toolbar to pause the event stream.

When you select an event in the grid, the event details display in the window. You can view information about the event so you can take the appropriate action.

FILTER EVENTS
To monitor identical event names (for example, TCPTrafficAudit), select the name in the Event Details pane and click to create a filter. Log & Event Manager filters all incoming events and displays only the filtered events in the grid. Click All Events in the Filters pane to disable the filter and monitor all incoming events.

TEST AN EVENT
To generate an example event, restart a Windows service (such as Print Spooler) that does not impact a running application. The event will display in the All Events grid.

Troubleshoot syslog error messages

If a No Device Found error message displays in the widget, make sure you configured the device to send logs to the correct IP address. See Troubleshooting Unmatched Data or Internal New Tool Data events in your LEM console for troubleshooting steps.

LEM CONSOLE DOES NOT DISPLAY SYSLOG DATA
Verify that your devices are configured to forward syslog data to the LEM virtual appliance IP address. If your appliance cannot receive logs, your device may not be supported.

If your devices are configured correctly and your LEM appliance is still not receiving syslog data, identify the facilities that are collecting log data. When you complete this process, configure the appropriate connector from the facility to the log device so Log & Event Manager can normalize and monitor this information in the LEM manager.

IDENTIFY YOUR SYSLOG DATA FACILITIES CONTAINING LOG DATA
Verify that Log & Event Manager is receiving the raw data from your syslog devices. See your hypervisor documentation for information about using the virtual console.

1. Open a command line.
   In VMware, select SolarWinds Log & Event Manager and then click the Console tab.
   In Hyper-V, click Action > Connect to display the Console view.
   In PuTTY:
   a. Click Session.
   b. In the Host Name field, enter the IP address or hostname of your LEM appliance.
   c. In the Port field, enter or 22.
   d. Click Open.
   e. At the login as: prompt, enter cmc, and then press Enter.
   f. At the password prompt, enter your password, and then press Enter. The default password is password.

2. At the cmc> prompt, enter Appliance. See "CMC Commands" in the LEM User Guide for a list of all supported commands.
3. At the cmc::acm# prompt, enter checklogs and press Enter. The appliance displays all facilities receiving logs from syslog devices, such as firewalls, routers, and switches.

In this example, 1, 12, and 18 are active syslog facilities because they contain stored log data. Facilities 13, 15, 16, and 17 are inactive because their syslog log files are empty.

4. Match a facility with a monitored device.
   a. Choose a facility number and record the local number (such as local2) for a future step.
   b. Enter your chosen facility number (for example, 14 for local2) and press Enter.
   c. Enter b or E to view the beginning or end of the log file, respectively, and press Enter.
   d. Enter the number of lines to display on your screen, and then press Enter. Pressing Enter defaults the output to 500 lines.
   e. Press Enter again. The raw data displays on your screen.
   f. Review and match the data to a monitored syslog device in your network.
5. Repeat steps 3 and 4 in this section to match additional facilities with log data to a monitored syslog device in your network.

CONFIGURE A CONNECTOR FROM THE FACILITY TO THE DEVICE
The following table maps each syslog facility to the file name in the LEM manager. The connectors defined in LEM manager read these logs to normalize the Log & Event Monitor events. The hardened operating system prevents you from accessing the file system.

SYSLOG FACILITY: LOG FILE PATH
local0: /var/log/local0.log
local1: /var/log/local1.log
local2: /var/log/local2.log
local3: /var/log/local3.log
local4: /var/log/local4.log
local5: /var/log/local5.log
local6: /var/log/local6.log
local7: /var/log/local7.log

After you verify that data is received from a device, manually enable the log connector that supports the device. The connector maps events from the monitored Windows system event log to a LEM normalized event.
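As an added illustration (not SolarWinds code), the script below decodes the priority header of raw RFC 3164 syslog lines, as captured from a device or a packet trace, and reports per sending host which log file path from the table above a connector should read. It uses the standard syslog facility codes 16 to 23 for local0 to local7, which differ from the numbers used in the checklogs menu (the guide gives 14 for local2); the host names and sample messages are constructed.

```python
import re
from collections import defaultdict

# Standard syslog facility codes (RFC 3164 / RFC 5424) for local0..local7.
LOCAL_FACILITIES = {16 + n: "local%d" % n for n in range(8)}
SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]

# RFC 3164 layout: <PRI>Mmm dd hh:mm:ss HOST message
_LINE = re.compile(
    r"<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)"
)


def decode_pri(pri):
    """Split a PRI value into (facility_code, severity_name)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)   # PRI = facility * 8 + severity
    return facility, SEVERITIES[severity]


def log_path_for(facility):
    """Path from the guide's table, or None for a non-local facility."""
    name = LOCAL_FACILITIES.get(facility)
    return "/var/log/%s.log" % name if name else None


def parse_line(line):
    """Parse one raw syslog line; return a dict, or None if malformed."""
    m = _LINE.fullmatch(line.strip())
    if not m:
        return None
    pri_text = m.group("pri")
    if len(pri_text) > 1 and pri_text.startswith("0"):
        return None                       # leading zeros are not a valid PRI
    try:
        facility, severity = decode_pri(int(pri_text))
    except ValueError:
        return None
    return {"host": m.group("host"), "facility": facility,
            "severity": severity, "path": log_path_for(facility)}


def connector_plan(lines):
    """Summarise lines as (plan, unmapped, rejected).

    plan:     {host: {log_file_path: message_count}}
    unmapped: sorted (host, facility_code) pairs outside local0..local7
    rejected: number of lines without a usable PRI header
    """
    plan = defaultdict(lambda: defaultdict(int))
    unmapped, rejected = set(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            rejected += 1
        elif rec["path"] is None:
            unmapped.add((rec["host"], rec["facility"]))
        else:
            plan[rec["host"]][rec["path"]] += 1
    return ({h: dict(c) for h, c in plan.items()}, sorted(unmapped), rejected)


# Constructed sample lines (not real device output).
SAMPLE_LINES = [
    "<150>May  6 09:07:31 fw-edge-01 kernel: DROP IN=eth0 SRC=192.0.2.10",
    "<148>May  6 09:07:32 fw-edge-01 kernel: DROP IN=eth0 SRC=192.0.2.11",
    "<189>May  6 09:07:40 sw-core-02 %LINK-5-CHANGED: Interface up",
    "<38>May  6 09:07:41 sw-core-02 sshd[411]: Failed password for admin",
    "<999>May  6 09:08:00 fw-edge-01 bad priority value",
    "May  6 09:08:01 fw-edge-01 no priority header",
]

if __name__ == "__main__":
    plan, unmapped, rejected = connector_plan(SAMPLE_LINES)
    for host, paths in sorted(plan.items()):
        for path, count in sorted(paths.items()):
            print("%s -> Log File %s (%d messages)" % (host, path, count))
    print("outside local0-local7:", unmapped)
    print("rejected lines:", rejected)
```

A host that appears only in the unmapped list is sending on a facility the table does not cover, so no connector pointed at a localN.log file will see its events until the device's facility setting is changed.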

1. Match the facility of your monitored device with the corresponding log file path.
2. Open the LEM console and click Manage > Appliances.
3. Click next to the appliance name and select Connectors.
4. In the Refined Results pane search field, enter the brand name of the monitored device and press Enter. If your device does not display in the list, contact Customer Sales (for an evaluation license) or Technical Support (for a production license) for assistance with unsupported devices.
5. Click next to your device and select New.
6. In the Log File field, make sure the localx portion of the path matches the facility number you configured on your device or the facility you recorded in the previous procedure. For example, if your recorded facility is local2, enter /var/log/local2.log in the field.
7. Verify that the remaining fields and selections are correct, and then click Save. The connector displays in the Connectors grid with a gray status icon.
8. Click next to the connector and select Start. When the status icon turns green, the LEM connector is configured correctly.

VIEW THE DATA FROM THE DEVICE
After you configure a connector to the facility, verify that the LEM appliance is receiving log data from the device. You may need to authenticate to the device to generate data, as some devices do not generate a continuous stream of data.

1. Click the Monitor view in the LEM console.
2. In the Filters pane, expand Overview and click All events.
3. Watch for new events that appear in the grid with the device IP address in the DetectionIP column. When new events display with your device IP address, the device is sending log data to the LEM appliance.

Set up your agent nodes

After you configure your syslog server, install the LEM agent on your servers and workstations. Log & Event Manager will collect the syslog data from the operating system logs and applications running on each system, normalize the data into readable information, and send it to the LEM manager for processing. All events received from the LEM agents display in the Monitor view.

Using LEM agents, you can:

- Capture events in real-time.
- Encrypt and compress the data for efficient and secure transmission to the LEM manager.
- Buffer the events locally if you lose network connectivity to the LEM manager.

The LEM agent runs on your agent nodes until you stop or uninstall the agent. You can install the LEM agent by clicking Add Nodes to Monitor in the Getting Started widget.

LEM AGENT INSTALLATION CHECKLIST
Before installing your LEM agents, complete the pre-installation checklist below. This checklist helps you:
- Verify that system requirements are met and all required software is installed.
- Gather the information required to complete the installation.

[ ] Verify that you have administrative access to the servers and workstations you plan to monitor. Windows-based systems require Domain or Local administrative privileges. Linux or Unix systems require root-level access.
[ ] Change the LEM hostname. This will minimize hostname issues before you install the LEM agent.
[ ] Set an exception in your antivirus or antimalware scanning software for the ContegoSPOP folder where the LEM agents will be installed. The alerts are stored in queue files, which change constantly as they are normalized and encrypted.
[ ] Turn off any anti-malware or endpoint protection applications on host systems during the installation process. These applications can affect the process by which installation files are transferred to the hosts. This will assist Technical Support if you have issues with your agents.
[ ] Ensure that your target node can support the agent hardware requirements.
[ ] Record the paths to the installation folders on your target server.

INSTALLATION FOLDERS
LEM agents are installed to the following folders based on the operating system. See the table below.

OPERATING SYSTEM: INSTALLATION FOLDER
Windows Server 32-bit: C:\Windows\system32\ContegoSPOP
Windows Server 64-bit: C:\Windows\sysWOW64\ContegoSPOP

ADD NODES TO MONITOR
You can use the LEM agent installer to install LEM agents locally on a variety of operating systems. When the installation is completed, the LEM agent automatically starts and connects to your LEM manager.

You can install the LEM agent on your monitored nodes by:
- Clicking Add Node in the Manage > Nodes view
- Clicking Add Nodes to Monitor in the Getting Started wizard located in the Ops Center view

The following procedure describes how to set up your monitored nodes from the Manage > Nodes view.

1. If you are upgrading a LEM agent, uninstall the current version before you continue.
2. Log in to the LEM console as an administrator.
3. Click Manage > Nodes.
4. In the toolbar, click Add Node.
5. Select Agent node in the Specify Nodes to Add screen.

6. Install the LEM agent on your servers and workstations using the remote or local installation procedure listed on your screen.

You can run a remote or a local installation based on your administrator privileges and deployment needs. See the table below.

REMOTE INSTALLATION
- You have administrator rights to run a remote installer on a server or workstation.
- You want to run the installer remotely on multiple servers and workstations in your network.
- You have administrator rights to run a remote installation.

LOCAL INSTALLATION
- You have administrator rights to log in to a server or workstation.
- You want to run the installer in person on each server and workstation in your network.
- You have administrator rights to physically log in to a server or workstation.

REMOTE INSTALLATION
This procedure describes how to install the LEM agent on multiple managed nodes in your corporate network at the same time. You must have administrator rights to run a remote installer to perform this procedure.

1. Under Remote Installation, click Windows Installer.
2. Double-click the downloaded ZIP file and extract the contents to a local directory.
   By default, the ZIP file creates a SolarWinds-LEM-<version>-WindowsRemoteAgentInstaller folder on your system.
   The 80MB ZIP file may require several minutes to download based on your network traffic.
3. Open the SolarWinds Log & Event Manager folder and run the inremagent.exe installer.
   The installer uses your existing login privileges for the installation and may prompt you for additional privileges during setup.
4. Click Next in the Introduction screen.
5. Accept the End User License Agreement, and then click Next.
6. Accept the default temporary folder location or choose another location, and then click Next.
7. Enter the IP address or hostname of your LEM appliance in the Manager Name field.
   In LEM, Manager always refers to your appliance IP address or hostname.
8. Complete the remaining fields, and then click Next.
9. Select how to locate and download the hosts in the Get Hosts to Install window.
   - Select Get hosts automatically to discover your hosts using NetBIOS discovery. If you have a highly-segmented network, this option may not discover all of your systems.
   - Select Get hosts from file (One host per line) to download a list of hosts from a text file.
10. Click OK to continue.
11. Select the hosts you want to monitor, and then click Next.
    You can install the LEM agent on workstations and server nodes.
12. Review your lists of selected hosts, and then click Next.
13. Enter the default installation paths for the LEM agent, and then click Next.
    By default, the installer detects the 32- or 64-bit Windows operating system version.
14. To install USB-Defender, leave the Install USB-Defender check box selected. Otherwise, clear this check box.
    SolarWinds recommends installing USB-Defender on every system. USB-Defender will never detach a USB device unless you have explicitly enabled a rule. By default, USB-Defender generates alerts for USB mass storage devices attached to your LEM Agents.
15. Review the installation summary, and then click Install.

16. After the installer completes the setup process, click Next to install the agents.
    This process may require several minutes to complete based on your network traffic.
    If the installer does not have sufficient resources to complete the installation process, you will be prompted to enter a different login account.
17. Review the installation summary, and then click Next.
18. Click Done to complete the installation.
19. Go to Verify the agent connection to the LEM appliance.

LOCAL INSTALLATION

This procedure describes how to install the LEM agent on each managed node one at a time. You must have administrator rights to physically log into each server.

1. Under Local Installation, click the appropriate installer for your LEM agent node.
2. Run setup.exe (for Windows nodes) or setup.bin (for Linux nodes).
3. In the installation wizard, click Next.
4. Accept the End User License Agreement, and then click Next.
5. Enter the hostname or IP address of your LEM appliance in the Manager Name field and click Next.
   Do not change the default port values.
   If you are deploying the LEM agent on a different domain, use the fully qualified domain name for your LEM virtual appliance. For example: LEMhostname.SolarWinds.com.
6. Confirm the Manager Communication settings, and then click Next.
   If you are installing the LEM Agent on a Linux node, go to step 9.
   If you are installing the LEM Agent on a Windows node, you are prompted to install USB Defender.
7. To install USB-Defender, leave the Install USB-Defender check box selected. Otherwise, clear this check box.
   SolarWinds recommends installing USB-Defender on every system. USB-Defender will never detach a USB device unless you have explicitly enabled a rule. By default, USB-Defender generates alerts for USB mass storage devices attached to your LEM Agents.
8. Click Next.
9. Confirm the settings on the Pre-Installation Summary and click Install.
   The installer installs the LEM agent on your node. This process may require several minutes to complete based on your network traffic.
10. Inspect the Agent Log for any errors, and then click Next.
11. Click Done to exit the installer.

VERIFY THE LEM AGENT CONNECTION

After you install the LEM agent on your agent nodes, verify that the agent connected to the LEM appliance. See Troubleshooting LEM agent connections if the LEM agent does not connect to your LEM Appliance.

1. In the Add Node Wizard, click Go to Manage > Nodes.
2. In the Nodes grid, ensure that all connected nodes include a green status indicator.

ADD ADDITIONAL LOG SOURCES

When you install LEM agents on Windows-based systems, the agents normalize and send syslog data from the Security, Application, and Event logs by default. Use the following procedure to add additional log sources to your monitored nodes (if desired).

1. Select the node you want to configure.
2. Click and select Connectors.
3. In the Connectors grid, select a supported device or application to log.
   Enter a keyword in the Search field or click the Category drop-down menu for a list of supported devices and applications.
4. Click next to your selected connector and select Enable.
5. Click Close.
6. Repeat steps 1 through 5 to add additional log sources to your nodes.

VIEW MONITORED EVENTS

After your LEM agents are installed on your monitored nodes, you can view all monitored events in the All Events grid located in the Monitor view. This view provides real-time monitoring of all normalized LEM events.

In the Monitor view, you can:

- View all monitored events
- View event details

- View the event description
- Create an event filter
- Test an event

To view all monitored events:

1. Open the LEM Console.
2. Click Monitor.
3. In the Filters pane, click Overview and select All Events.

All monitored events display in the All Events grid. The DetectionIP column lists the device IP address or hostname that sent the event. Click Pause in the toolbar to stop the event stream.

VIEW EVENT DETAILS

The Event Details pane lists the descriptions and details for each event. After you view the event details, you can create a filter that displays all events with the same name in the grid. Use this feature to monitor similar events that may lead to a problem.

When you select an event in the grid, the event details display in the Event Details window. You can view information about the event to help you decide if this is a malicious event that requires an event filter for further investigation.

1. In the All Events toolbar, click Pause to stop the incoming events.
2. Select an event in the All Events grid.

3. View the event details in the Event Details pane.

VIEW THE EVENT DESCRIPTION

The event description provides an in-depth description of each event and how they can impact your corporate network. Click to display the Event Description view. You can use this information to decide whether to set up a filter for this event for further investigation. Click to return to the Event Details view.

CREATE AN EVENT FILTER

If an event displays in the All Events grid that requires additional research, you can create an event filter that displays all similar events in the grid. This process can help you decide if an event requires additional maintenance or security measures to support your corporate IT policy.

To monitor identical event names (for example, MachineLogon), select the name in the Event Details pane and click to create a filter. LEM filters all incoming events and displays only the filtered event in the grid.

To return to viewing all events, click the Overview drop-down menu in the Filters pane and select All Events.

TEST AN EVENT

After you configure your syslog and agent nodes, you can generate a test event to ensure the event displays in the All Events grid. This process helps you verify that your LEM deployment is functioning properly.

To generate an example event, restart a Windows service that does not impact a running application (such as Print Spooler). The event will appear in the All Events grid.

MANAGE LEM AUTOMATIC CONNECTOR UPDATES

Beginning in LEM 6.2.0, you can turn on the automatic connector updates feature. The automatic updates feature verifies that supported devices have the latest connectors installed. This feature checks SolarWinds.com every day for new connectors and installs them automatically as needed.

1. Log in to the LEM Console.
2. Click Manage > Appliances.
3. In the Appliances toolbar, click Connector Updates and choose from the following options:
   - To turn on the auto-update feature, select Enable auto updates.
   - To update connectors immediately, select Update now.
   - To turn off the auto-update feature, select Disable auto updates.

OTHER WAYS TO UPDATE CONNECTORS

You can download and apply the LEM connector update package. This package contains the latest SolarWinds connector updates. See Applying a LEM Connector Update Package for details.

Occasionally, Technical Support may provide stand-alone connector updates to address Unmatched Data alerts in your environment.

Set up your deployment

The LEM Console includes a Getting Started widget in the Ops Center. Using the widget, you can:

- Set up your LEM environment with alerting and Active Directory integration
- Add additional devices and systems to monitor, such as firewalls and user workstations
  You can also add monitored nodes from the Manage > Nodes view.
- Define how the application alerts you when specific conditions occur in your network.
- Learn how to use filters, custom rules, ndepth, and reports to monitor and troubleshoot activity in your corporate enterprise.

Configure your basic settings

To begin setting up your LEM environment, configure your basic settings, such as alerting and Windows Active Directory integration. This helps you identify problem devices and control change management in your corporate enterprise.

Before you set up alerting, locate:

- The IP address or hostname of your primary or relay server
- A valid address you can use for testing

If you have a secured server, add the LEM virtual appliance IP address as an authorized source.

SET UP ALERTING

Email alerting sends you an email when a monitored device has a problem. This helps you troubleshoot and resolve network problems in a timely manner. Log & Event Manager uses your existing server or simple mail transfer protocol (SMTP) relay server to forward notifications.

You can also set up alerting by configuring an Active Response connector in your appliance located in the Manage > Appliances view.

1. Log in as an administrator.
2. Click the Ops Center View and locate the Getting Started widget.
3. In the widget, click Configure Basic LEM Settings.
4. In the Welcome screen click Next.

5. Configure your alert settings as required.
   a. Enter your mail server IP address in the Mail Host field.
   b. Enter a port number only if you use a port other than port 25.
   c. If you are using a third-party server, click the Transport Protocol drop-down menu and select SSL (Secure Sockets Layer) or TLS (Transport Layer Security). Be sure to add a corresponding port number in the Port field.
   d. Change the return address to reflect your current domain. For example, noreply@yourcompanyname.com.
   e. Change the return display name if SolarWinds does not provide a complete description for your needs. For example, you can enter System Alert or Security Alert.
   f. Enter an authentication server username and password only if you must authenticate before you send an email or if you use a third-party tool (such as Google Mail or Microsoft Office365).
6. Click Text Check your email to ensure you received a SolarWinds test message. Email alerting is enabled.
8. Click Next to set up Active Directory integration.

SET UP ACTIVE DIRECTORY INTEGRATION

Active Directory integration helps you control Change Management by alerting you when Active Directory groups and accounts are updated or modified. Using Active Directory, you can implement Directory Groups instead of User Defined Groups in your filters and rules to reduce the need for ongoing maintenance.

1. Configure your Active Directory connection settings as required.
   a. Enter your domain name.
   b. Enter the IP address or host name of your Directory Services server. This server is commonly a domain controller.
   c. Enter an authentication server username and password only if you must authenticate to connect to your Active Directory server.
   d. If your Active Directory server supports encryption, click the Encryption drop-down menu and select SSL or TLS. Otherwise, select No SSL.
      The Custom Port field populates automatically based on your encryption setting.
2. Click Test Domain Connection and verify that your Active Directory settings are correct.
3. Click Finish.

The Active Directory connection is enabled.

Add new nodes to monitor

After you configure Log & Event Manager to collect data from your agent nodes and non-agent devices during the initial setup, you can add additional network devices, desktop systems, and enterprise servers to monitor using the Add Nodes to Monitor option in the Getting Started wizard.

When you click this option in the wizard, a dialog box displays prompting you to choose the type of node you want to add. Click the drop-down menu, select an agent or non-agent node to monitor, and follow the instructions in the wizard to add the monitored node.

You can also click Add Node in the Node Health widget to perform the same function.

Define rules and configuration alerts

You can define rules and configuration alerts that alert you when specific conditions occur in your network. Rules help you to detect operational and compliance issues in your corporate network, such as external breaches, insider abuse, and policy violations.

Each rule requires you to define three settings:

- Correlation: The number of events that occur within a selected amount of time and the amount of time allocated to responding to the events.
- Correlation time: The volume of events that match the correlation conditions and the rolling time window to evaluate the correlation.
- Action: The action that occurs when the rule is triggered.

To define rules and configuration alerts:

1. In the Getting Started widget, click Define Rules and Configure Alerts.
2. Select the check box next to the types of rules you want to enable, and then click Next.
3. Complete the fields and selections to define the condition, correlation time, and action for each new rule, and then click Apply.
4. In the console, click Build > Rules.
5. In the Rules grid, locate a new rule, click and select Enable.
   A displays next to the enabled rule.
6. Complete step 5 for each additional rule.
7. Click Activate Rules to activate all modified and new rules.

Learn about advanced LEM tools

The Getting Started wizard provides built-in videos that describe how to:

- Create custom filters to monitor specific events in your corporate enterprise
- Create custom rules for real-time correlation and response
- Use ndepth Explorer and the Reports Console to analyze your log data and provide ad hoc reporting

Click Advanced LEM Tools to learn more about these tools.
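The rule model described under "Define rules and configuration alerts" (matching events counted over a rolling time window, followed by an action) is shown here as working code. This is an added example, not SolarWinds code or LEM's rule engine; the field names (`ts`, `event`, `user`, `detection_ip`), the threshold and window values, the re-arm behaviour, and the sample events are assumptions constructed for illustration.

```python
"""Rolling-window correlation over normalized events (constructed sample data)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable


@dataclass
class Rule:
    name: str
    event_name: str                  # condition: which normalized event to count
    group_by: str                    # count separately per value of this field
    threshold: int                   # number of matching events required
    window: timedelta                # rolling window the events must fall within
    action: Callable[[dict], None]   # runs when the rule triggers
    _seen: dict = field(default_factory=lambda: defaultdict(deque),
                        init=False, repr=False)

    def feed(self, event: dict) -> bool:
        """Process one event (events must arrive in time order).

        Returns True if this event caused the rule to trigger.
        """
        if event["event"] != self.event_name:
            return False
        key = event[self.group_by]
        times = self._seen[key]
        times.append(event["ts"])
        # Slide the window: drop timestamps older than `window` relative to
        # the newest event, so only recent activity counts.
        while event["ts"] - times[0] > self.window:
            times.popleft()
        if len(times) < self.threshold:
            return False
        self.action({
            "rule": self.name,
            self.group_by: key,
            "count": len(times),
            "first": times[0],
            "last": times[-1],
        })
        # Assumption of this example: re-arm after triggering so the same
        # burst of events does not raise a second alert.
        times.clear()
        return True


def _t(minute: int, second: int = 0) -> datetime:
    return datetime(2017, 7, 19, 9, minute, second)


# Constructed events; hypothetical field names, not LEM's schema.
SAMPLE_EVENTS = [
    {"ts": _t(0), "event": "UserLogonFailure", "user": "jsmith", "detection_ip": "10.0.0.21"},
    {"ts": _t(1), "event": "UserLogonFailure", "user": "administrator", "detection_ip": "10.0.0.5"},
    {"ts": _t(1, 30), "event": "MachineLogon", "user": "administrator", "detection_ip": "10.0.0.5"},
    {"ts": _t(2), "event": "UserLogonFailure", "user": "administrator", "detection_ip": "10.0.0.5"},
    # Third failure for administrator inside 5 minutes: the rule triggers here.
    {"ts": _t(3), "event": "UserLogonFailure", "user": "administrator", "detection_ip": "10.0.0.5"},
    # jsmith also reaches three failures, but spread over 20 minutes: no trigger.
    {"ts": _t(10), "event": "UserLogonFailure", "user": "jsmith", "detection_ip": "10.0.0.21"},
    {"ts": _t(20), "event": "UserLogonFailure", "user": "jsmith", "detection_ip": "10.0.0.21"},
    # After re-arming, one more failure starts a fresh count of 1.
    {"ts": _t(21), "event": "UserLogonFailure", "user": "administrator", "detection_ip": "10.0.0.5"},
]


def run_sample() -> list:
    """Evaluate the sample events and return the alerts the rule raised."""
    alerts = []
    rule = Rule(
        name="Repeated logon failures",
        event_name="UserLogonFailure",
        group_by="user",
        threshold=3,
        window=timedelta(minutes=5),
        action=alerts.append,   # stand-in for an alert or other response
    )
    for ev in SAMPLE_EVENTS:
        rule.feed(ev)
    return alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The jsmith events show why the window matters: the same number of failures spread over a longer period stays below the rule, which is the trade-off to weigh when choosing the correlation time.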

Get started

This section contains the following topics:

- View real-time data
- View historical data
- Run and schedule reports

View real-time data

You can view all events in real time as they occur in the Monitor view. All events are collected from agent devices running the LEM agent and non-agent devices communicating with your syslog server.

Log & Event Manager uses filters to display specific types of events. When you open the Monitor view, the All Events filter is the default view. To stop the incoming event stream, click Pause in the toolbar.

VIEW EVENT DETAILS

If you see an event that requires your attention, click Pause in the All Events toolbar to freeze all incoming events. Click the event in the grid to display detail about the event in the Event Details pane.

For additional information about the event, click to review the event description. If you decide that the event needs immediate attention, click to create a filter for this event (for example, MachineLogon). The All Events grid is replaced with a grid that displays all related events. The filter is automatically saved to the Overview menu in the Filters pane. Log & Event Monitor will continue collecting all MachineLogon events and increment the count value so you can monitor this event for further activity.

When you complete your event research, click to return to the Event Details information or click to toggle between the previous and next event in the grid. To resume viewing all incoming events, click All Events in the Filters pane and then click Resume in the All Events toolbar.

CREATE A FILTER

If you want to focus on a specific type of event, you can create a filter. Log & Event Manager includes several preconfigured filters that organize events into specific groups, which include:

- Security
- IT Operations
- Change Management
- Authentication
- Endpoint Monitoring
- Compliance

See the Log & Event Manager User Guide for filter descriptions included in each group.

1. Click the Monitor view.
2. Click in the Filters pane and select New Filter.
3. Enter a name and description in the Filter Creation window.
4. Select the number of events to display in the Monitor grid. The default value is
5. Locate a preconfigured group that matches the events you want to filter.
6. (Optional) Select a notification in the Notifications group that executes when a filter event is found.

7. Drag and drop your selected event group filter into the Conditions box. The filter name displays in the box.
8. (Optional) Drag and drop your selected Notification filter into the Notifications box. The filter name displays in the box.
9. Click Save at the bottom of the window. Your filter is saved in the Filters Overview menu.

VIEW FILTERED EVENTS

When you select a filter in the Filters Overview drop-down menu, all filtered events appear in the Monitor view. If you see an event that requires attention, click Pause and then click an event. The event details display in the Event Details pane where you can research the event and take the appropriate action based on your corporate IT policy.

You can use most filter groups to create a visual representation of the filtered data using a widget included in the Monitor view. These widgets are designed to surface trends or anomalies that may otherwise go unnoticed. The widget can also be added to your Ops Center dashboard.

For example, in the Authentication group, selecting the FailedLogins filter displays all failed logins by user account using a bar graph.

In the widget interface, you can click to create a new widget, click to edit the widget, or click to configure the existing widget.

View historical data

You can view all historical events using the ndepth search utility. This utility provides a dashboard with tools to help you search and analyze historical log and event data that pass through a LEM manager.

Using ndepth, you can:

- Search event data and log messages using Search Builder or a keyword search.
- Refine your search to identify activity patterns and unauthorized user access.
- Save your search strings for future use.
- Monitor user activity using a scheduled data search.
- Export your search results to a PDF or CSV file for compliance reporting.

When you start ndepth, the interface presents 10 minutes of log data generated from your agent and non-agent devices. You can change the time range by clicking the Time drop-down menu in the toolbar and selecting another time range.

The following illustration provides an overview of the ndepth dashboard.

NUMBER | ITEM | DESCRIPTION
1 | History | Displays links to your recent ndepth search results.
2 | Saved Searches | Displays links to your saved ndepth search results.
3 | List pane | Displays categorized lists of events, event groups, event variables, and additional options you can use to create conditions for your filters.
4 | Search bar | Searches all event data or the original log messages that pass through a LEM manager. Drag the toggle switch to select Drag & Drop or Text Search mode.
5 | Respond | Displays a list of corrective actions you can execute when an event occurs, such as shutting down a workstation or blocking an IP address.
6 | Explore | Displays several utilities you can use to research an event, including Whois, Traceroute, and NSlookup.
7 | Time | Provides a drop-down menu to select the time range for your search.
8 | Play | Executes the selected search.
9 | Histogram | Displays the number of events or log messages reported within the selected search time range.
10 | Dashboard | Displays the search results in all available widgets. You can change this view by clicking a widget in the ndepth toolbar.

NUMBER | ITEM | DESCRIPTION
11 | ndepth Toolbar | Organizes log data into categories to identify activity in your network. Click a selection to display the category below the histogram.

SEARCH EVENT LOGS USING SEARCH BUILDER

Search Builder provides a drag-and-drop method to create complex search queries on your event logs. Using preconfigured elements such as events, event fields, and specific event values, you can drag a selected element from the List pane into the Search Builder Conditions box to perform your query.

For example, to search and report activity in your Admin accounts, you can drag a user-defined group or directory service group into the Conditions box to initiate your search. You can also group search items, show boolean (AND/OR) relationships between search items, and select specific values for each item.

1. Click the Search Builder icon in the ndepth toolbar.
   The Search Builder Conditions box displays in the interface.
2. In the List pane, click the Events menu and locate UserLogonFailure.
   You can enter a term in the Search field (as shown below) to narrow your search results.

3. Drag the event into the Search Builder Conditions box.
   Your selection also displays in the Search bar. Drag the toggle switch down to view the event name in text.
4. (Optional) A second menu may appear that provides additional fields to narrow your search. Drag a field from the Fields list into Search Builder to narrow your search.
   Mouse over for additional information.

5. (Optional) Click the triangle on the right side of the Conditions box and select the boolean logic for your search.
   The Search box synchronizes with the Search Builder.
6. Click the Time drop-down menu and select a time span for your search.
7. Click to begin your search.

Your search results display in the histogram and your dashboard widgets, such as Word Cloud and Tree Map. Click the ndepth toolbar options to display your search results in additional formats, such as line, pie, and bubble charts.

SEARCH EVENT LOGS USING A KEYWORD

If you cannot locate the information you need using Search Builder, you can enter a search term in the Search field to initiate a keyword search. This method displays all events that include your search term, such as a user name.

This example searches events that occurred within the last week that include administrator in the event.

1. Click in the Search bar to clear an existing search (if applicable).
2. Drag the toggle switch down to enter the Text Input mode.
3. Enter a search term in the Search field.
4. Click the Time drop-down menu and select a time span for your search.
5. Click to begin your search.
6. Click Refine Fields in the List pane.

Your search results appear in the histogram and your dashboard widgets, such as Word Cloud and Tree Map. Click the ndepth toolbar options to display your data in additional formats, such as line, pie, and bubble charts.

REFINE YOUR SEARCH

The Refine Fields pane organizes your search results into categories that help you surface embedded data and prompt further investigation. Use this option in conjunction with the Results Details pane to refine your search.

This example searches all log on failure events that occurred within the last 10 minutes that include administrator as the user name.

1. Click Refine Fields in the List pane.
2. Click Results Details in the ndepth toolbar.
   The Results Details pane displays in the ndepth interface.
3. In the Refine Fields pane, maximize the User Name menu and double-click administrator.
4. Click the Time drop-down menu and select a time span for your search.

5. Click to begin your search.
   ndepth displays the results in the Results Details pane.

To begin a new search, revert to your original search in the History pane to start a new search using your original search parameters.

SAVE A SEARCH

You can save and reuse any search you create. Saved searches include your entire search string as well as the selected time frame.

1. Click in the ndepth toolbar and select Save as.
2. Enter a name for your search in the Search Name field.
3. Click OK.
   Your saved search displays in the Saved Searches pane.

SCHEDULE A SEARCH

You can schedule a saved search to run automatically based on your schedule parameters. This will help you monitor your network with minimal administration.

If your virtual appliance is offline for more than 24 hours, all scheduled searches may not run at the expected time. When the appliance is back online, all scheduled searches return to normal after 24 hours.

1. Select a saved search in the Saved Searches pane.
2. Click in the Saved Searches toolbar and click Schedule.
3. Complete the selections in the dialog box and click OK.
   The icon displays next to your scheduled search.

EXPORT YOUR SEARCH RESULTS

You can export your search results to a PDF or CSV based on the number of events or log messages included in your ndepth search results.

- If your search results include up to 25,000 events or log messages, export your search results to a PDF file.
- If your search results include more than 25,000 events or log messages, export your search results to a spreadsheet in CSV format.

EXPORT TO A PDF FILE

1. Click in the ndepth toolbar and click Export.
2. Remove any pages as required.

3. Click to add a page or click to adjust the page layout to Portrait or Landscape.
4. Click Export to PDF.
   ndepth prepares the PDF.
5. Click Yes to confirm the export.
6. Select a file location in the Save As dialog box and click Save.
   Your PDF file is saved.

EXPORT TO A CSV FILE

1. Click in the Results Details toolbar and click Export to CSV.
2. Click Yes to confirm your export.
3. Select a file location in the Save As dialog box and click Save.
   Your CSV file is saved.

Run and schedule reports

Reports provide a bridge between detailed views (point-in-time information) and events (unaltered messages from LEM-managed devices). You can run a report on your Log & Event Manager database to view events and trends and make informed decisions about your network activity. After you create the report, you can print it or export it to several supported formats (including PDF and Microsoft Word).

You can also run an ad-hoc report or schedule reports to be sent to you automatically to your address. SolarWinds recommends identifying who needs to receive performance or status reports, and how often they should receive them.

Log & Event Manager reports are segregated into three levels:

- Master reports include every type of log in an event category and a graphical summary page.
- Detail reports include all events and event details.
- Top reports include the top events for a selected category.

Each report level displays in the level column next to the category. Hover your mouse over any column header row and click to filter your selection.

Similar to the LEM Console, all reports are based on events and fields in your LEM database.

RUN A REPORT

1. Ensure that your Reports console is installed and configured on a network computer.
2. Log in to the Reports console as an administrator.
3. In the Settings tab, click the Data Source drop-down menu and select a manager (the IP address or hostname of your virtual appliance).
   If you are installing Log & Event Manager for the first time, only one manager should appear.
4. (Optional) Click the Category drop-down menu and select a report category filter (for example, Audit).
5. Select a report title and click Run in the toolbar.

6. Select your start and end date and time parameters, and then click Now.
   The report displays in the View tab. This process may take several minutes to complete.
7. Click Print in the toolbar to send the report to a local or network printer. Click Export to export the report to the appropriate format (such as a PDF or a Microsoft Word document).

RUN A CUSTOM REPORT

If you want to report about a specific event (such as a user logon failure), you can create a custom report that reports on a specific field. Use the left menu in the Reports console to select the field for your report.

1. In the left column, select the field you want to query.
2. Click Select Expert > New.
3. Select a field to report on, and then click OK.
4. Click the boolean drop-down menu and select your comparison value.
5. Select or enter a second value.
   Click New to select or enter additional fields and expand your query.

6. Click OK.
   Select Expert filters out only the information in your query. All fields are listed as column labels across the top. You can also mouse over data to display the reported field.
7. Click Print to print your report. Click Export to export your report to a PDF, Word Document, or other format.

SCHEDULE A REPORT

You can schedule tasks in the Reports console to generate a report based on your criteria. You can schedule the report to run daily or at specific times that you choose. After you schedule your report task, you can assign the task to a manager and define the task scope (the period of time reflected in the report). When the system runs the report, it retrieves all relevant events that occurred within the scope parameters.

The Reports console works together with Windows Scheduled Tasks for report scheduling.

1. Select a report in the console and click Schedule.
2. Click Add in the Report Scheduler Task dialog box.

3. Enter a name that distinguishes this task from any existing or future tasks, and click OK.
4. Select your task parameters in the Task tab.
   - Click Set password to password protect this task.
   - Select the Run only if logged on check box to run the report only when you are logged on to the Reports console.
   - Select the Enabled check box to enable the task.
5. Click the Schedule tab, and then click New.

6. Set the schedule parameters that describe when your SolarWinds system can run the task, and then click Apply.
7. Click the Settings tab.

8. Select the scheduling, idle time, and power management settings for your task, and then click Apply.
9. Enter your Reports console password to schedule the task, and then click OK.
10. Click OK to close the dialog box.
    If prompted, re-enter your password and click OK.
    The scheduled report task displays in the Report Schedule Tasks window.

86 QUICK START AND DEPLOYMENT GUIDE: LOG & EVENT MANAGER 11. Click Load to View or Edit to assign the task data source. 12. Click the Select the report data source drop-down menu and select the IP address or hostname of your Log & Event Manager. You can assign one report task to one manager. To assign a similar or identical task to another Log & Event manager, create a new task. 13. Click the Report Scope drop-down menu and select a date range for this task and data source. 14. Select the Start and End data and time for your date range. Day:Today reports all data from today. Day:Yesterday reports all data from yesterday. Week:Current reports all data from seven days ago to the current day. Week:Previous reports all data from 12:00:00 AM last Monday to 11:59:59 PM last Sunday. Month:Current reports all data from one month ago to the current time. Month:Previous reports the last full month of data beginning at 12:00:00 AM on the first of the month until 11:50:59 PM on the last day of the month. User:Defined reports all data based on your selected date and time parameters. 15. (Top Level reports only), In the Count Settings box, enter or select the number of items to track in the report. page 86

87 16. (Optional) Select the Export check box to export a scheduled report to a PDF file or send the report to a printer. a. Click the Format drop-down menu and select a file format for your report. b. Enter a report name in the File Name field. c. Click and select a location for the report. If the report includes multiple schedules, provide each scheduled report a different name. Otherwise, new reports will override your existing reports or increment according to the If File Exists setting. d. Select an option for similarly-named files in the If File Exists drop-down menu. 17. Click Save. The scheduled report task displays in the Report Schedule Tasks window. page 87

Advanced Options

This section contains the following topics:

- Set up File Integrity Monitoring
- Scan for new nodes
- Manage your LEM appliance

Set up File Integrity Monitoring

You can use File Integrity Monitoring (FIM) to monitor system and user file activity to protect your sensitive information from theft, loss, and malware. Using log files to record suspicious activity, you can detect changes to critical files and registry keys to ensure they are not accessed or modified by unauthorized users. FIM also ensures your systems comply with regulatory requirements, including Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act of 1996 (HIPAA), and Sarbanes-Oxley.

After you install and integrate FIM with your LEM appliance, you can:

- Monitor real-time file change and access
- Detect insider abuse using file audits and intelligent correlation rules
- Enhance your anti-virus software capabilities by detecting viruses that masquerade as similarly named files
- Integrate Active Directory to disable user accounts and change user or group rights
- Track file and directory access to critical files and registry keys
- Identify changes to critical registry keys
- Identify unwarranted file changes from zero-day malware and advanced persistent threat (APT) attacks

You can enable FIM by adding a FIM connector to a node or adding FIM to an existing connector profile.

Click the video icon to view a tutorial about File Integrity Monitoring in LEM. For a video presentation about File Integrity Monitoring in LEM, open the following URL in a web browser:

ADD A FIM CONNECTOR TO A NODE

1. Log in to your LEM console as an administrator.
2. Click Manage > Nodes.
3. Locate your targeted node in the Nodes grid. Ensure the node has a green status icon.
4. Click next to your targeted node and select Connectors.
5. Enter FIM in the Refine Results search field.
6. In the Connectors grid, click next to your selected connector and click New.
7. Click next to your desired template and select Add to selected monitors.
   A template copy is moved to the selected monitors to be applied to the node.
8. Click Save.
9. (Optional) Add conditions to the template.
   a. Click next to the template and select Edit monitor.
   b. Select the conditions you want LEM to monitor.
   c. Click Edit.
   d. In the Add Condition window, click the drop-down menu and select All Keys/Values (recursive) or Keys/Values (non-recursive).
      All Keys/Values (recursive) selects the folder and all sub-folders that match the given mask. Keys/Values (non-recursive) selects only the files in the selected folders to monitor.
      Click Tell me more for information about your configuration options.
   e. Enter a mask (for example, *.exe or directory*).
   f. Select the actions you want to monitor.
   g. (Optional) Click Add Another Condition.
   h. Click Save.
10. Click Save Changes.

The LEM agent on your node installs the FIM driver that collects the file system events. Next, LEM pushes the configuration you created to the remote agent and into the driver. In the Nodes grid, the FIM status icon turns green, indicating the driver is working properly.

Scan for new nodes

When you add additional monitored nodes in your network, use the Scan for New Nodes feature in the Ops Center view to create new connectors for each new syslog source. Using this method, you can configure and enable multiple connectors simultaneously, minimizing network administration when new nodes are added in your network.

1. Click the Ops Center view and locate the Node Health widget.
2. Click Scan for New Nodes in the widget toolbar.
   LEM begins scanning for new nodes in your network. If new nodes are found, the New Connector(s) found banner displays in the console. Otherwise, the No nodes found banner displays.
   This process may require several minutes to complete. During the scan, a message displays indicating that the scan is continuing in the background. A progress bar also displays at the bottom of the console.
3. Click View Now.

4. Select the recommended connectors you want to install, and then click Next.
   Hover your cursor over the connector name for details.
5. Review the Summary information, and then click Finish.
   The Nodes grid displays with the new nodes. Click Monitor to view the events collected from the new nodes.
6. Click Manage > Appliances.
7. Click and select Connectors.
8. In the Refine Results pane, enter a keyword for your new connector.
9. Locate your connector in the list.
10. Click next to the connector and select Edit.
11. Edit your connector settings as required, and then click Save.
    The node connector is enabled.

Manage your LEM appliance

You can manage your LEM appliance using the virtual console in your hypervisor client or a Secure Shell (SSH) client (such as PuTTY).

Using the SSH client and CMC commands, you can:

- Upgrade your LEM Manager software
- Deploy new connector infrastructure to the managers and agents
- Reboot or shut down the network appliance
- Configure trusted reporting hosts
- Configure supplemental services on the manager appliance
- Control your nDepth appliances
- Manually apply connector updates

To establish a secure connection to your LEM appliance using PuTTY:

1. Start a PuTTY session.
2. Click Session.
3. In the Host Name field, enter the IP address or hostname of your LEM appliance.
4. In the Port field, enter or Click Open.
6. In the login field, enter cmc, and then press Enter.
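The recursive and non-recursive FIM conditions described in "Add a FIM connector to a node" decide which files a monitor can see at all. The following added example (not SolarWinds code, and a snapshot comparison rather than LEM's driver-based real-time collection) models one monitored folder with the *.exe mask and shows which changes each condition type reports; the Condition class, the action labels, and the name-only, case-insensitive mask matching are assumptions made for illustration.

```python
"""Illustrative model of a FIM condition: folder + mask + recursive flag."""
import fnmatch
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Condition:
    """Hypothetical stand-in for one monitor condition (not a LEM type)."""
    root: str        # monitored folder
    mask: str        # file-name mask, e.g. "*.exe"
    recursive: bool  # True: folder and all sub-folders; False: folder only


def select_files(cond):
    """Return the files the condition covers, sorted by path."""
    selected = []
    for dirpath, dirnames, filenames in os.walk(cond.root):
        for name in filenames:
            # Assumption: the mask is matched against the file name only,
            # ignoring case, as is usual on Windows file systems.
            if fnmatch.fnmatchcase(name.lower(), cond.mask.lower()):
                selected.append(os.path.join(dirpath, name))
        if not cond.recursive:
            dirnames[:] = []  # prune the walk: do not descend into sub-folders
    return sorted(selected)


def file_digest(path):
    """SHA-256 of the file content, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(cond):
    """Map every covered file to its content digest."""
    return {path: file_digest(path) for path in select_files(cond)}


def diff(before, after):
    """Compare two snapshots; return (action, path) tuples sorted by path."""
    events = []
    for path in sorted(set(before) | set(after)):
        if path not in before:
            events.append(("create", path))
        elif path not in after:
            events.append(("delete", path))
        elif before[path] != after[path]:
            events.append(("write", path))
    return events


def _write(root, rel, data):
    """Create or overwrite root/rel with the given bytes."""
    with open(os.path.join(root, *rel.split("/")), "wb") as handle:
        handle.write(data)


def demo():
    """Apply the same changes under both condition types (constructed data)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        _write(root, "app.exe", b"v1")
        _write(root, "notes.txt", b"text")
        _write(root, "sub/tool.exe", b"v1")

        conds = {
            "recursive": Condition(root, "*.exe", True),
            "non_recursive": Condition(root, "*.exe", False),
        }
        baselines = {name: snapshot(c) for name, c in conds.items()}

        _write(root, "sub/tool.exe", b"v2-modified")  # change in a sub-folder
        _write(root, "dropper.exe", b"new")           # new file in the folder
        os.remove(os.path.join(root, "app.exe"))      # deletion in the folder
        _write(root, "notes.txt", b"edited")          # outside the mask

        report = {}
        for name, cond in conds.items():
            events = diff(baselines[name], snapshot(cond))
            report[name] = [
                (action, os.path.relpath(path, root).replace(os.sep, "/"))
                for action, path in events
            ]
        return report


if __name__ == "__main__":
    for kind, events in demo().items():
        print(kind, events)
```

The non-recursive condition never reports the modified sub/tool.exe, and neither condition reports notes.txt, so the mask and the recursion setting together define what a monitor cannot see.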


More information

VMware ESX ESXi and vsphere. Installation Guide

VMware ESX ESXi and vsphere. Installation Guide VMware ESX ESXi and vsphere Installation Guide UPDATED: 28 March 2018 Copyright Notices Copyright 2002-2018 KEMP Technologies, Inc. All rights reserved. KEMP Technologies and the KEMP Technologies logo

More information

OpenManage Integration for VMware vcenter Quick Install Guide for vsphere Client, Version 2.3.1

OpenManage Integration for VMware vcenter Quick Install Guide for vsphere Client, Version 2.3.1 OpenManage Integration for VMware vcenter Quick Install Guide for vsphere Client, Version 2.3.1 Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use

More information

Database Performance Analyzer Integration Module

Database Performance Analyzer Integration Module ADMINISTRATOR GUIDE Database Performance Analyzer Integration Module Version 11.0 Last Updated: Friday, July 21, 2017 Retrieve the latest version from: https://support.solarwinds.com/@api/deki/files/32921/dpaimadministratorguide.pdf

More information

ECDS MDE 100XVB Installation Guide on ISR G2 UCS-E and VMWare vsphere Hypervisor (ESXi)

ECDS MDE 100XVB Installation Guide on ISR G2 UCS-E and VMWare vsphere Hypervisor (ESXi) ECDS MDE 100XVB Installation Guide on ISR G2 UCS-E and VMWare vsphere Hypervisor (ESXi) Revised: November, 2013 Contents Overview, page 1 Guidelines and Limitations, page 1 Prerequisites, page 2 Installation

More information

ForeScout Extended Module for Tenable Vulnerability Management

ForeScout Extended Module for Tenable Vulnerability Management ForeScout Extended Module for Tenable Vulnerability Management Version 2.7.1 Table of Contents About Tenable Vulnerability Management Module... 4 Compatible Tenable Vulnerability Products... 4 About Support

More information

Partner Pre-Install Checklist: Common Service Platform Collector (CSP-C) for Smart Portal 0.5

Partner Pre-Install Checklist: Common Service Platform Collector (CSP-C) for Smart Portal 0.5 Partner Support Service Partner Pre-Install Checklist: Common Service Platform Collector (CSP-C) for Smart Portal 0.5 Cisco Corporate Headquarters 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com

More information

Online Help StruxureWare Data Center Expert

Online Help StruxureWare Data Center Expert Online Help StruxureWare Data Center Expert Version 7.2.7 What's New in StruxureWare Data Center Expert 7.2.x Learn more about the new features available in the StruxureWare Data Center Expert 7.2.x release.

More information

Getting Started. April 12, 2018 vrealize Log Insight 4.6

Getting Started. April 12, 2018 vrealize Log Insight 4.6 April 12, 2018 vrealize Log Insight 4.6 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation, submit

More information

IMC VAN Fabric Manager v7.0 (E0201) Copyright (c) Hewlett-Packard Development Company, L.P. and its licensors.

IMC VAN Fabric Manager v7.0 (E0201) Copyright (c) Hewlett-Packard Development Company, L.P. and its licensors. IMC VAN Fabric Manager v7.0 (E0201) Copyright (c) 2013-2014 Hewlett-Packard Development Company, L.P. and its licensors. Table of Contents 1. What's New in this Release 2. Problems Fixed in this Release

More information

Dameware ADMINISTRATOR GUIDE. Version Last Updated: October 18, 2017

Dameware ADMINISTRATOR GUIDE. Version Last Updated: October 18, 2017 ADMINISTRATOR GUIDE Dameware Version 12.0 Last Updated: October 18, 2017 Retrieve the latest version from: https://support.solarwinds.com/success_center/dameware_remote_support_mini_remote_control 2017

More information

Network Performance Monitor

Network Performance Monitor GETTING STARTED GUIDE Network Performance Monitor Version 12.2 Part 1 of 2: Get Started Last Updated: September 12, 2017 Retrieve the latest version from: https://support.solarwinds.com/success_center/network_performance_monitor_(npm)/npm_documentation

More information

KYOCERA Net Admin Installation Guide

KYOCERA Net Admin Installation Guide KYOCERA Net Admin Guide Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable for

More information

Web Performance Monitor

Web Performance Monitor ADMINISTRATOR GUIDE Web Performance Monitor Version 2.2.2 Last Updated: Monday, June 11, 2018 ADMINISTRATOR GUIDE: WEB PERFORMANCE MONITOR 2018 SolarWinds Worldwide, LLC. All rights reserved. This document

More information

SRA Virtual Appliance Getting Started Guide

SRA Virtual Appliance Getting Started Guide SRA Virtual Appliance Getting Started Guide 1 Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your system. CAUTION: A CAUTION indicates potential

More information

Stealthwatch Flow Sensor Virtual Edition Installation and Configuration Guide (for Stealthwatch System v6.9.0)

Stealthwatch Flow Sensor Virtual Edition Installation and Configuration Guide (for Stealthwatch System v6.9.0) Stealthwatch Flow Sensor Virtual Edition Installation and Configuration Guide (for Stealthwatch System v6.9.0) Installation and Configuration Guide: Flow Sensor VE v6.9.0 2017 Cisco Systems, Inc. All rights

More information

Quick Start Guide ViPR Controller & ViPR SolutionPack

Quick Start Guide ViPR Controller & ViPR SolutionPack ViPR Quick Start Guide Quick Start Guide ViPR Controller & ViPR SolutionPack Abstract This is a Quick Start Guide containing the main installation steps for the ViPR Controller and ViPR SolutionPack. For

More information

Implementing Infoblox Data Connector 2.0

Implementing Infoblox Data Connector 2.0 DEPLOYMENT GUIDE Implementing Infoblox Data Connector 2.0 2017 Infoblox Inc. All rights reserved. Implementing Infoblox Data Connector, July 2017 Page 1 of 31 Contents Overview... 3 Prerequisites... 3

More information

Getting Started. vrealize Log Insight 4.3 EN

Getting Started. vrealize Log Insight 4.3 EN vrealize Log Insight 4.3 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions

More information

Installing or Upgrading ANM Virtual Appliance

Installing or Upgrading ANM Virtual Appliance CHAPTER 2 This chapter describes how to deploy Cisco ANM Virtual Appliance 4.3 (new installation) and how to upgrade from ANM software version 4.1 or 4.2 to software version 4.3. This chapter includes

More information

UDP Director Virtual Edition

UDP Director Virtual Edition UDP Director Virtual Edition (also known as FlowReplicator VE) Installation and Configuration Guide (for StealthWatch System v6.7.0) Installation and Configuration Guide: UDP Director VE v6.7.0 2015 Lancope,

More information

Copyright 2015 Integrated Research Limited

Copyright 2015 Integrated Research Limited Prognosis IP Office Appliance Copyright Copyright 2015 Integrated Research Limited (ABN 76 003 588 449). All rights reserved. This guide is protected by copyright law and international treaties. No part

More information

Horizon Cloud with On-Premises Infrastructure Administration Guide. VMware Horizon Cloud Service Horizon Cloud with On-Premises Infrastructure 1.

Horizon Cloud with On-Premises Infrastructure Administration Guide. VMware Horizon Cloud Service Horizon Cloud with On-Premises Infrastructure 1. Horizon Cloud with On-Premises Infrastructure Administration Guide VMware Horizon Cloud Service Horizon Cloud with On-Premises Infrastructure 1.3 Horizon Cloud with On-Premises Infrastructure Administration

More information

Mobile Admin Server Installation and Configuration Guide

Mobile Admin Server Installation and Configuration Guide This PDF is no longer being maintained at this location. View the Mobile Admin Server Installation and Configuration Guide. Mobile Admin Server Installation and Configuration Guide Version 8.1 Copyright

More information

Forcepoint Sidewinder Control Center, Virtual Appliance. Installation Guide 5.3.x. Revision A

Forcepoint Sidewinder Control Center, Virtual Appliance. Installation Guide 5.3.x. Revision A Forcepoint Sidewinder Control Center, Virtual Appliance Installation Guide 5.3.x Revision A Table of contents 1 Virtual Appliance requirements...3 Two Control Center options...3 Sizing guidelines... 3

More information