SolarWinds LEM – What is it?

An overview of SolarWinds Log and Event Manager.

SolarWinds Log and Event Manager (LEM) is a Security Information and Event Management (SIEM) solution. With it, you will be able to monitor your network and devices, as well as detect and respond to security threats.

Fig 1. SolarWinds LEM logo. Source: http://www.itmanageworks.com/Log-Event-Manager.asp


How does it work?

The solution consists of a number of components. The main component is a virtual appliance that runs the LEM.

LEM
Various devices and network appliances are configured to send their logs to the LEM. After consolidating all the logs in a database, the LEM presents the data in a web console. Users may utilise the web console to run analysis on the data and set up automated responses to stop any security threats detected.

LEM Agents
The agents are software installed on the servers and devices that you would like to monitor. These agents are responsible for sending the event logs generated by the devices to the LEM virtual appliance, and also for carrying out any actions to eliminate security threats on the devices when they receive instructions from the LEM. As for network appliances, most of them are capable of forwarding logs to the LEM without the help of these agents.

LEM Report Generator
The report generator is software installed on a server or workstation that pulls data from the LEM and generates customised reports based on a schedule you have fixed.

Putting all these components together, logs from the various agents and appliances are collected and sent to the LEM continuously. Analysis of the data is performed in real time, and the LEM is able to trigger an immediate response to any security threats detected.

Key Characteristics

After using SolarWinds LEM (v6.2) for some time, these are the key points I have gathered, which I think all of you should consider before adopting it as your SIEM solution.

Virtual Appliance
The LEM will only be as powerful as the virtualisation resources you allocate to it, which is really advantageous if you already have the infrastructure and resources to support it.

Value for Dollar
SolarWinds has priced this product in the affordable range, and more importantly it offers most of the features you need from a SIEM.

Events Correlation
The LEM allows you to establish correlation rules. The product comes with a number of built-in rule templates, but the effectiveness of this feature really depends on your knowledge and expertise. You will need to know clearly which threats you are targeting and which events those threats trigger. Once you are able to state that a correlation between certain distinct events implies the emergence of a certain threat, the LEM will be able to alert you to such occurrences as it analyses the logs in real time. Therefore, you and your security team will have to make the design decisions when planning correlation rules.
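As an added example (not LEM's own rule format or code), this is the kind of windowed correlation such a rule expresses, run over constructed sample log lines: five failed logons from one source followed within a minute by a success from the same source. The log format and field names are assumptions for the illustration.

```python
"""Minimal windowed correlation rule of the kind a SIEM evaluates in real time."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real LEM output): "timestamp type user source"
SAMPLE_LOG = """\
2016-03-01T09:00:01 LogonFailure alice 10.0.0.5
2016-03-01T09:00:03 LogonFailure alice 10.0.0.5
2016-03-01T09:00:04 LogonFailure alice 10.0.0.5
2016-03-01T09:00:05 LogonFailure alice 10.0.0.5
2016-03-01T09:00:06 LogonFailure alice 10.0.0.5
2016-03-01T09:00:09 LogonSuccess alice 10.0.0.5
2016-03-01T09:05:00 LogonFailure bob 10.0.0.7
2016-03-01T09:20:00 LogonSuccess bob 10.0.0.7
"""

def parse(log_text):
    """Turn the constructed log format into event dicts with parsed timestamps."""
    events = []
    for line in log_text.splitlines():
        ts, kind, user, src = line.split()
        events.append({"time": datetime.fromisoformat(ts), "type": kind,
                       "user": user, "source": src})
    return events

def correlate(events, precursor, trigger, threshold, window_s):
    """Alert when at least `threshold` `precursor` events from one source are
    followed, within `window_s` seconds, by a `trigger` event from that source.
    Events are processed in time order, as a streaming SIEM would see them."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # source -> timestamps of recent precursors
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        q = recent[ev["source"]]
        while q and ev["time"] - q[0] > window:  # drop aged-out precursors
            q.popleft()
        if ev["type"] == precursor:
            q.append(ev["time"])
        elif ev["type"] == trigger and len(q) >= threshold:
            alerts.append({"source": ev["source"], "user": ev["user"],
                           "failures": len(q), "at": ev["time"].isoformat()})
            q.clear()  # one alert per burst, not one per later success
    return alerts

def detect_bruteforce_success(log_text=SAMPLE_LOG):
    """Rule: 5+ LogonFailure then LogonSuccess from the same source within 60 s."""
    return correlate(parse(log_text), "LogonFailure", "LogonSuccess",
                     threshold=5, window_s=60)

if __name__ == "__main__":
    for alert in detect_bruteforce_success():
        print("ALERT possible brute-force success:", alert)
```

Bob's single failure fifteen minutes before his success falls outside the window, so only Alice's source raises an alert; tuning the threshold and window is exactly the design decision the paragraph above describes.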

nDepth Tool
Most of the tools within the LEM are built to leverage correlation rules. Once you are comfortable with the rules, you will be able to use most of the tools with ease. nDepth is a very powerful tool for sifting through all the data to derive insights. Although it comes with visualisation widgets, most of the time they might not meet your needs, as they are based on certain parameters fixed by SolarWinds. Thankfully, you can export the data in CSV format and run further analysis with your own software.

Log Traffic Limit
There is an implicit limit on the rate at which the LEM can receive logs from all of its agents and network appliances. I have personally encountered this problem at times when my proxy simply generates too many logs during peak hours. The LEM will start to malfunction and even hang. To date, there is no solution to this issue; SolarWinds has responded that they will be looking to come up with a long-term solution, so let us stay hopeful.

Responsive Support
SolarWinds support is responsive and helpful. However, there are certain confounding elements in the LEM that even their support cannot explain fully, but these are small issues that do not affect the performance of the product. Overall, they have provided me with a pretty good experience.

Other Considerations

Alongside implementing any SIEM solution, I feel that you must address the following questions to ensure that the solution is implemented to be as effective as it is meant to be.

  1. Does the solution fit your needs and capabilities?
    It is not necessary to implement a costly solution with a lot of obscure features that you would never use. It is also not optimal to run the solution on minimum system specifications just to save on resources.
  2. Do you have the expertise to remedy any security problems detected by the SIEM?
    SIEM solutions are ultimately just monitoring tools. Even if they are able to generate automated responses, you would still need a strong security team to tailor your IT infrastructure and policies to solve security problems at their root.
  3. Are you ready to integrate the SIEM into your workflow and your overall security strategy?
    It would be a waste if you and your team cannot fully utilise the solution and merely implement it to satisfy the auditors.

Find out more

I hope you find my introduction useful. You can find out more from the following resources.

Do check out other posts on SolarWinds LEM.
coming soon…

Author: archiveduser99
