SEM Getting Started Guide

ADMINISTRATOR GUIDE

Security Event Manager


Version 2020.4

Last Updated: Monday, November 9, 2020


ADMINISTRATOR GUIDE: SECURITY EVENT MANAGER

© 2020 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled,
published or distributed, in whole or in part, or translated to any electronic medium or other means
without the prior written consent of SolarWinds. All right, title, and interest in and to the software,
services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates,
and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR


IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT
LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY
INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS
LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY
OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of
SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office,
and may be registered or pending registration in other countries. All other SolarWinds trademarks,
service marks, and logos may be common law marks or are registered or pending registration. All
other trademarks mentioned herein are used for identification purposes only and are trademarks of
(and may be registered trademarks) of their respective companies.

page 2
Table of Contents
Get started with SolarWinds Security Event Manager (SEM) 4

Who should use this guide? 4

Checklist to get started with SolarWinds SEM 5

Determine which logs to monitor with SEM 6

Install and configure SEM 8

Configure your devices to send events to SEM 9

About syslog local facilities 9

Verify that events are being sent to SEM 10

Configure an agent in SEM 13

Add a syslog device to SEM 14

SEM Console 16

Dashboard 16

Live and Historical Events 16

Rules 16

Nodes 17

Configuration 17

User-defined groups and email templates 17

SEM Legacy Flash Console 18

Get started with SolarWinds Security Event Manager (SEM)

SolarWinds Security Event Manager (formerly Log & Event Manager) is a security information and
event management (SIEM) virtual appliance that adds value to existing security products and
increases efficiency in administering, managing, and monitoring security policies and safeguards
on your network.

SEM provides access to log data for forensic and troubleshooting purposes, and tools to help you
manage log data. SEM leverages collected logs, analyzes them in real time, and notifies you of a
problem before it causes further damage.

For example, advanced persistent threats can come from a combination of network events such as
software installations, authentication events, and inbound and outbound network traffic. Log files
contain all information about these events. The SEM correlation engine identifies advanced threat
activity, and then notifies you of any anomalies.

Who should use this guide?

This guide is for SolarWinds customers or prospects who have purchased or want to evaluate
SolarWinds SEM.

If you are interested in evaluating SolarWinds SEM, you can download the product, fully-functional
for 30 days. After the evaluation period, you can convert your evaluation license to a production
license by obtaining and applying a license key.

The purpose of this guide is to familiarize you with commonly used features of SolarWinds SEM that
will allow you to begin detecting suspicious activity, mitigate security threats, achieve auditable
compliance, and maintain continuous security.

 • If you are a customer and need implementation help, search the SolarWinds Customer Success
   Center, or contact our Support Team. Read SolarWinds Customer Support Information to learn
   how to open a support case.
 • If you are evaluating this product and need assistance, contact sales@solarwinds.com.

Checklist to get started with SolarWinds SEM
Complete the following tasks to get started with SolarWinds SEM:

Determine which logs to monitor in SEM

Before you begin, decide which logs you want to monitor. If you monitor too many logs,
working on the SEM Console can be overwhelming.

Install, configure, and log in to the SEM Console

These procedures guide you in installing SEM.

Configure the audit policy on your device to send events to SEM

Only events that you have designated to be sent to SEM are visible on the SEM Console.

Verify that events are being sent to SEM

Learn how to use the SEM Contego Management Console (CMC) to verify that syslog event
data is being sent to SEM.

Configure an agent in SEM

Learn how to add your first Microsoft Windows computer to SEM.

Add a syslog device to SEM

Learn how to add a Cisco® Adaptive Security Appliance (ASA) firewall to SEM.

Navigate the SEM Console

After SEM is receiving log data, use the SEM Console to search, view, and filter the data.

Determine which logs to monitor with SEM

Before you begin monitoring logs with Security Event Manager, SolarWinds recommends that you
decide which logs to monitor. Avoid an "everything, all at once" approach: it is easy to become
overwhelmed when all log data is sent to SEM. This section outlines strategies to determine which
logs to monitor.

 • Identify your goals by listing what you want to accomplish with your log data. Consider the
   business drivers that require you to monitor logs. If you have a compliance-related goal, you
   could focus on your data center and monitor security events. If your goal is to monitor logs for
   outages, you could verify that your servers are sending logs, and that you are receiving events
   from Microsoft Windows® Event Logs.
 • Identify the systems that have the log data you want to monitor: If your goal is to monitor logs
   so you are PCI-compliant, identify the systems and network devices that are in scope for
   compliance. For each identified system and network device, identify which specific logs are in
   scope, and the level of logging, if applicable.
 • Begin with what you know: Another strategy for determining which logs to monitor is to begin
   with what you know so that you can avoid learning about SEM and your logs at the same time.
   Monitor the logs with which you are familiar, and scale from there. For example, if you are most
   familiar with your Windows security, application, and system event logs, begin monitoring those
   logs first. SEM also provides connectors to read many other types of logs.

Use the following table to identify the logs to collect:

If You Need To Track...                            Collect These Kinds Of Logs
Changes                                            User/Groups: Windows security logs
                                                   Systems: Windows system and application logs
                                                   Application-specific logs
                                                   Network devices (firewalls, routers, switches, etc.): syslogs
Authentication failures and successes              Windows security logs
                                                   Application-specific logs
                                                   Authentication logs on other platforms
Internal and external unexpected network activity  Proxy server logs
                                                   Network device logs (syslog)
Service and system activity                        Windows system logs
                                                   Application logs
Compliance                                         Core operating system logs
                                                   Application logs

Install and configure SEM

After you determine your logging strategy, install SolarWinds SEM. Use the resource links in the SEM
Installation Guide to install and configure SEM in your environment.

You may find the following topics of the SEM Installation Guide helpful:

 • How SEM works
 • SEM deployment examples
 • SEM system requirements
 • Install the SEM license using the web console
 • Run the activate command to secure SEM and configure network settings

Be sure to reserve memory and CPU resources for SEM, and not just allocate these resources.
For more information on reserving resources for SEM, see The Reason why SEM Needs Memory
and CPU Resource Reservations.

After you have installed SEM, return to this guide and continue to the next section.

Configure your devices to send events to SEM
After you install SEM and determine the types of log files to monitor, ensure your devices are
configured to send log data to SEM. SEM does not automatically scan your environment for network
devices and systems and start collecting and analyzing log files. You must configure identified
devices and systems to send log data of interest, and then add those devices to SEM.

If you are seeing so much data coming into SEM that it seems meaningless, or you are not seeing
data at all, then ensure you have:

 1. Determined which logs are important for you to monitor.
 2. Verified that the devices and systems have been configured to send that data.

For example, the following graphic shows a section of a sample audit policy for a workstation. If you
are expecting Plug and Play events to be written to the log file and the policy is set to No Auditing,
then those events are not sent to SEM.

Find information on adding a syslog device to SEM here, and configuring the corresponding
connector here. For additional guidance, refer to your vendor documentation or contact
SolarWinds Customer Support.

See Audit Policies and Best Practices for SEM for more information on Windows audit policies.
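The point above is that a subcategory set to No Auditing never produces the event SEM is waiting for, so the gap is on the endpoint, not in SEM. The following is an added example (not SolarWinds code, and not part of this guide) that checks the text output of the Windows auditpol tool for that condition. It assumes the two-column layout printed by auditpol /get /category:* on an English-language system, captured to a string; the sample output and the list of "required" subcategories are constructed for illustration.

```python
"""
Added example (not SolarWinds code): find audit subcategories that an
administrator expects to reach SEM but that are set to "No Auditing".

Assumptions (not from the guide): the two-column text layout that
`auditpol /get /category:*` prints on English-language Windows, captured
to a string; REQUIRED_SUBCATEGORIES is an illustrative list only.
"""
import re

# Subcategories this scenario expects SEM to receive (illustrative, constructed).
REQUIRED_SUBCATEGORIES = {
    "Plug and Play Events": "Success",
    "Logon": "Success and Failure",
    "Process Creation": "Success",
}

# Subcategory rows are indented by two spaces; category headers are not.
LINE_RE = re.compile(
    r"^\s{2}(?P<name>.+?)\s{2,}"
    r"(?P<setting>No Auditing|Success and Failure|Success|Failure)\s*$"
)


def parse_auditpol(text: str) -> dict:
    """Map subcategory name -> effective setting, skipping headers and banners."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group("name")] = m.group("setting")
    return settings


def audit_gaps(text: str, required=REQUIRED_SUBCATEGORIES) -> dict:
    """Subcategories whose setting would keep expected events out of the log.

    "Success and Failure" satisfies any requirement; a subcategory that is
    absent from the output is reported as "missing".
    """
    settings = parse_auditpol(text)
    gaps = {}
    for name, wanted in required.items():
        actual = settings.get(name, "missing")
        if actual == "Success and Failure" or actual == wanted:
            continue
        gaps[name] = actual
    return gaps


# Constructed sample of auditpol output (not captured from a real host).
SAMPLE_AUDITPOL = """System audit policy
Category/Subcategory                      Setting
Detailed Tracking
  Process Creation                        Success
  Plug and Play Events                    No Auditing
Logon/Logoff
  Logon                                   Success
  Logoff                                  Success
"""

if __name__ == "__main__":
    for name, setting in audit_gaps(SAMPLE_AUDITPOL).items():
        print(f"{name}: {setting} (events will not reach SEM)")
```

Run against the constructed sample, the script flags Plug and Play Events (No Auditing) and Logon (only Success is audited, so failed logons are never written). On a real host, feed it the saved output of auditpol and adjust REQUIRED_SUBCATEGORIES to the events your SEM rules and filters depend on.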

About syslog local facilities

When you configure the events and logging level on a syslog device, you may have the option to
specify the local facility that receives the log data. While all syslog devices have default facilities
defined for logs, the option to specify the local facility depends on the device. Check with the device
vendor for information on how to configure your network device. Make note of the local facility
because you need it when you configure a connector to read the applicable syslog file. If you are
unsure of which local facility is receiving log data, check your device.

See Understanding syslog in SEM for more information on configuring your syslog device to send log
data to SEM.

Verify that events are being sent to SEM

After you configure your device to send events to SEM, use the checklogs tool to verify that SEM is
receiving the data. You can access the SEM command line via the VMware® vSphere® or Microsoft
Hyper-V® Manager virtualization consoles. You can also use an SSH tool to verify that the raw syslog
data is received by the SEM syslog server.

Raw syslog data is not yet parsed or normalized by SEM.

The following example shows how to use PuTTY to verify that SEM is receiving events.

 1. Open an SSH tool (such as PuTTY).
 2. Enter the IP address and port number (port 22) of the SEM virtual appliance.
 3. Log in with username cmc.
    If you are using an evaluation copy of SEM, enter password as the password.
 4. Open the appliance menu and run the checklogs command.
 5. Determine which local facilities are receiving traffic.
    In the following example, local facility 4 has received 972 kilobytes of traffic while all other
    facilities are empty.
 6. Open the local facility to determine if it is receiving the logs you are expecting.
    In this example, local facility 4 is receiving traffic from the Cisco ASA firewall that was
    configured to send logs.
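Both the local-facility note above and the checklogs walkthrough turn on the same fact: the facility is encoded in the <PRI> prefix of every raw syslog message (PRI = facility × 8 + severity, with local0 to local7 being facilities 16 to 23), and that is what decides which per-facility log the appliance writes a message to. The following is an added example (not SolarWinds code, and not the checklogs tool itself) that decodes that prefix and tallies bytes per facility over a handful of constructed lines, so you can reason about what checklogs should show before you bind a connector to a facility. The sample messages, host names and addresses are made up.

```python
"""
Added example (not SolarWinds code): tally raw syslog traffic per facility
from the <PRI> prefix, the way the checklogs view reports it per local
facility. Assumes RFC 3164/5424-style "<PRI>" prefixes; the sample lines
below are constructed, not captured.
"""
import re
from collections import defaultdict

# Standard syslog facility codes (RFC 5424, Table 1); local0-local7 are 16-23.
FACILITY_NAMES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "ntp", 13: "security", 14: "console", 15: "solaris-cron",
}
FACILITY_NAMES.update({16 + n: f"local{n}" for n in range(8)})

PRI_RE = re.compile(rb"^<(\d{1,3})>")


def decode_pri(line: bytes):
    """Return (facility, severity) from the <PRI> prefix, or None if absent/invalid."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI value
        return None
    return pri // 8, pri % 8


def tally_by_facility(lines):
    """Bytes received per facility name; lines without a valid PRI count as 'unparsed'."""
    totals = defaultdict(int)
    for line in lines:
        decoded = decode_pri(line)
        name = FACILITY_NAMES[decoded[0]] if decoded else "unparsed"
        totals[name] += len(line)
    return dict(totals)


def local_facilities_with_traffic(lines):
    """Which local0-local7 facilities received anything (the checklogs question)."""
    return sorted(n for n in tally_by_facility(lines) if n.startswith("local"))


# Constructed sample: two Cisco ASA-style messages on local4 (PRI 164 = 20*8 + 4),
# one Linux sshd message on authpriv (PRI 86 = 10*8 + 6), and one line with no PRI.
SAMPLE_LINES = [
    b'<164>Nov 09 2020 10:15:02 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.7/4432 '
    b'dst inside:10.0.0.5/445 by access-group "outside_in"',
    b'<164>Nov 09 2020 10:15:03 fw01 %ASA-4-106023: Deny udp src outside:198.51.100.9/53 '
    b'dst inside:10.0.0.5/53 by access-group "outside_in"',
    b"<86>Nov  9 10:15:04 host01 sshd[2112]: Accepted publickey for deploy from 10.0.0.12 port 51022 ssh2",
    b"plain text with no priority header",
]

if __name__ == "__main__":
    for facility, nbytes in sorted(tally_by_facility(SAMPLE_LINES).items()):
        print(f"{facility:10s} {nbytes:6d} bytes")
    print("local facilities with traffic:", local_facilities_with_traffic(SAMPLE_LINES))
```

The "unparsed" bucket is the one to watch: a device that is sending but whose messages lack a valid PRI prefix will not land in the local facility you configured, which is exactly the situation where checklogs shows an empty facility even though the device appears to be logging.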


If you are not seeing the log data that you expect to see:

 • Check the network device vendor documentation for instructions on configuring your device.
 • See How to Troubleshoot Syslog Nodes in SolarWinds Security Event Manager for guidance on
   troubleshooting situations when SEM is not receiving log data.

Configure an agent in SEM
For non-network devices, you can install the SEM agent on workstations and servers to collect and
normalize log data before it is sent to SEM. The SEM Agent also collects security data from each
device (such as Windows event logs, database logs, and local antivirus logs) and transmits this data
to SEM. The SEM Agent has a small footprint on the device and prevents log tampering during data
collection and transmission.

The SEM Agent provides the following benefits:

 • Captures events in real time
 • Encrypts and compresses the data for efficient and secure transmission to SEM
 • Buffers the events locally if you lose network connectivity to SEM

SEM provides access to the most frequently installed agents. See Additional SEM downloads in
the SolarWinds Customer Portal for a comprehensive list of agents.

The following example describes how to install a Windows agent on a workstation.

 1. Review the SEM agent pre-installation checklist.
 2. Log in to the SEM Console, and then click Nodes > Nodes.
 3. Click Add agent node.
 4. Follow the on-screen instructions to install an agent.
    a. Place the agent installation file (local installer or remote installer) on the local hard drive.
    b. Right-click the installation file, and then select Run as administrator.
    c. In the Manager Host field, enter the SEM IP address.
 5. Verify that the node appears and that its status is Connected.
    To verify that SEM is receiving agent data, go to Nodes > Nodes and select the Agent and
    Connected check boxes under Refine Results.

Add a syslog device to SEM

After you configure your syslog device to send events to SEM and verify that SEM is receiving the
events, add the syslog device to SEM.

When you add a syslog device to SEM, select a connector that is specific to the network device you
are adding. The connector normalizes the log data into a standard format that can be compared with
logs received from other vendors' devices. See SEM Connector List for a list of supported connectors.

The following example describes how to add a Cisco ASA firewall to SEM. See Integrate Cisco
network devices with SolarWinds SEM for more information on adding Cisco devices to SEM.

After you configure your firewall to log to your SEM appliance, configure the corresponding connector
on your SolarWinds SEM Manager. Many of the firewall connectors are similar, and some will include
unique settings.

This example describes how to configure a Cisco PIX and IOS connector on your SEM Manager.

 1. On the SEM Console, navigate to Node > Manager Connectors.
 2. Find the connector to configure. Type part of the connector name (Cisco PIX) in the search box,
    or use the filter menus in the Refine Results pane.
 3. Select the connector, and then click Add Connector.
 4. Complete the connector configuration form. The following fields are common across most
    connectors:
    • Name: Enter a user-friendly label for your connector.
    • Log File: Enter the location of the log file that the connector will normalize. This is a
      location on either the local computer (Agents), or the SEM appliance (non-Agent devices).
    • Output: Normalized, Raw + Normalized, Raw. You only need to configure these values if
      SEM is configured to save raw (unnormalized) log messages.
 5. Click Add.
 6. Under Configured connectors, select your connector, and then click Start.


SEM Console
The SEM Console is presented in HTML5 format, which means there is no requirement for Adobe
Flash or other third-party media players. This update also results in a more robust console that can
run on any computer operating system as well as most web browsers. As SolarWinds continues to
transition existing SEM legacy functionality from Adobe Flash to HTML5, the following features are
currently available in the HTML5 SEM Console.

Dashboard
Access the SEM Dashboard (formerly SEM Ops Center) to highlight and summarize trends and
suspicious activity through a series of interactive widgets. You can create, edit, and arrange widgets
to display log data in a variety of tables and graphs based on filters within your Events viewer. Upon
initial login, the SEM Dashboard appears by default. Learn more here.

Live and Historical Events

Live and Historical Events provides instant access to live event monitoring and filtering as well as
historical record archives for in-depth analysis and troubleshooting. Within the console view, you can
quickly switch between real-time event streaming and historical log views based on user-defined date
and time parameters. In addition to live and historical keyword search options, all established SEM
Monitor filters are accessible on the SEM Console Filters pane. Learn more here.

Rules
Rules monitor event traffic and automatically respond to security events in real time, whether you are
monitoring the console or not. When an event (or a series of events) meets a rule condition, the rule
prompts the SEM manager to act. A response action can be discreet (for example, sending a
notification to select users by email), or active (for example, blocking an IP address or stopping a
process). Learn more here.

Nodes
Through the HTML5-based node management feature, you can add agent nodes, configure
connectors and connector profiles, and then monitor activity on the SEM Console. Upon node and
connector configuration, click the Events tab to view your network activity, and then create and apply
filters to tailor your log feed to view event logs vital to maintaining the health of your network
environment. Learn more here.

Configuration

User-defined groups and email templates

From the Groups tab, create user-defined groups to organize related elements for use with rules and
filters. Groups can contain elements such as events, IP addresses, computer names, and user
accounts. After a group is defined, it can be referenced from multiple rules and filters. Learn more
here.

You can use email templates to customize your email notifications when triggered as responses in
your custom rules. An email template includes static and dynamic text (or parameters). The static
text lets you customize the message body of the email. The dynamic text is filled in from the original
event that caused the rule to fire. Learn more here.

SEM Legacy Flash Console

Adobe will stop distributing and updating Flash Player after December 31, 2020. Please visit
the Adobe Flash Player EOL General Information Page (Copyright © 2020 Adobe, retrieved
November 5, 2020) for information.

The SEM Legacy Flash Console is a browser-based interface for monitoring your SEM appliance. The
console is organized into functional areas called views. Views organize and present different
information about the components that comprise the SEM system. The SEM Console provides the
views listed below.

The majority of SEM Legacy Flash Console functionality can now be accomplished in the HTML5-based
SEM Console. For more information, review the feature comparison.

 • Ops Center: Provides a graphical representation of your log data. It includes several widgets
   that help you identify problem areas and show trends in your network. You can select additional
   widgets from the widget library or add custom widgets that reflect your log activity.
 • Monitor: Displays events in real time in your network. You can view the details of a specific
   event or focus on specific types of events. This view also includes several widgets to help you
   identify trends or anomalies that occur in your network.
 • Explore: Provides tools for investigating events and related details. Select nDepth to search or
   view event data or log messages. Select Utilities to view additional utilities.
 • Build: Create user components that process data on the SEM Manager. Select Groups to build
   and manage groups. Select Rules to build and manage policy rules. Select Users to add and
   manage console users.
 • Manage: Manages properties for appliances and nodes. Select Appliances to add and manage
   appliances. Select Nodes to manage agents, and to view syslog devices & agents.
 • Analyze: Provides an overview of the Reports feature that extracts and presents data from the
   database. You must install this feature separately.

Number  Item            Description
1       History         Displays recent nDepth search results.
2       Saved Searches  Displays saved nDepth search results.
3       List pane       Displays categorized lists of events, event groups, event variables, and
                        additional options you can use to create conditions for your filters.
4       Search bar      Searches all event data or the original log messages that pass through SEM.
                        Switch to select Drag & Drop or Text Search mode.
5       Respond         Displays a list of corrective actions you can execute when an event occurs,
                        such as shutting down a workstation or blocking an IP address.
6       Explore         Displays several utilities you can use to research an event, including Whois,
                        Traceroute, and NSlookup.
7       Time            A drop-down list to select the time range for your search.
8       Play            Executes the selected search.
9       Histogram       Displays the number of events or log messages reported within the selected
                        search time range.
10      Dashboard       Displays the search results in all available widgets. You can change this
                        view by clicking a widget in the nDepth toolbar. The icon indicates you are
                        exploring event data. The icon indicates you are exploring log messages.
11      nDepth Toolbar  Organizes log data into categories to identify activity in your network.
                        Click a selection to display the category below the histogram.
