SolarWinds LEM

SolarWinds Log & Event Manager (LEM) is a security information and event management (SIEM) system. LEM is an end-to-end SIEM that collects, normalizes and correlates event and log data in a centralized repository that an IT team can manage easily. With LEM, the team can quickly scan or search historical event data and compile it into reports for further analysis and forensics.

LEM virtual appliances can be deployed in a VMware ESX or Microsoft Hyper-V virtual environment, providing insights into security events and helping with performance monitoring and compliance management.

Figure 1 below illustrates the typical log sources and the components of the LEM software. It also shows the direction in which each communication is initiated and the network protocols used.

Figure 1: LEM architecture – typical data sources, LEM software components, protocols and communication direction

The system can respond to a wide variety of events. Some noteworthy aspects of the tool:

  • Allows real-time event correlation
  • Allows active response through its agents installed on remote devices
  • Lets IT teams perform advanced search and forensic analysis
  • Provides USB device monitoring
  • Offers IT compliance reporting

Note that LEM agents are the primary means of collecting data from remote devices such as servers, applications and workstations. The agents are responsible not only for gathering any type of information but also for responding promptly to an incident when it occurs. This is called Active Response technology.

Ops Center Dashboard

This screen provides a fully customizable dashboard that makes it easy to identify trends, node health and alerts in a single place. Clicking on any item opens more detailed information about it.

Figure 2: Ops Center Dashboard

Real-Time Event Correlation

LEM is designed to receive and process thousands of event log messages generated by network devices. Potential threats (Read more...)
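The two steps the post describes, normalizing heterogeneous log lines into one schema and then correlating them in real time, are illustrated below with an added Python example. This is not SolarWinds code and does not reflect how LEM is implemented internally; the log lines, hostnames, user names and addresses are constructed for the example, and the correlation rule (three or more failed logons from the same source and user within five minutes, followed by a success) is an assumed rule chosen to show the mechanism.

```python
"""Toy SIEM-style pipeline: normalize two log formats, then correlate.

Added illustration, not SolarWinds LEM code. The sample lines, hosts,
users and IP addresses below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: Linux sshd syslog lines and Windows-style
# logon events (4625 = failed logon, 4624 = successful logon).
SAMPLE_LOGS = [
    "2024-03-01T10:00:01 srv-web1 sshd[812]: Failed password for admin from 203.0.113.7 port 51122 ssh2",
    "2024-03-01T10:00:04 srv-web1 sshd[812]: Failed password for admin from 203.0.113.7 port 51123 ssh2",
    "2024-03-01T10:00:09 srv-web1 sshd[812]: Failed password for admin from 203.0.113.7 port 51124 ssh2",
    "2024-03-01T10:00:15 srv-web1 sshd[812]: Accepted password for admin from 203.0.113.7 port 51125 ssh2",
    "2024-03-01T10:01:00 WIN-DC01 EventID=4625 TargetUserName=jsmith IpAddress=198.51.100.20",
    "2024-03-01T10:30:00 WIN-DC01 EventID=4624 TargetUserName=jsmith IpAddress=198.51.100.20",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+"
)
WIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<src>\S+)"
)


def normalize(line):
    """Map one raw line onto a common schema; return None for unknown formats."""
    m = SSHD_RE.match(line)
    if m:
        outcome = "failure" if m["result"] == "Failed" else "success"
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                "user": m["user"], "src": m["src"], "outcome": outcome,
                "source": "sshd"}
    m = WIN_RE.match(line)
    if m:
        outcome = {"4625": "failure", "4624": "success"}.get(m["eid"])
        if outcome is None:  # event id this toy schema does not model
            return None
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                "user": m["user"], "src": m["src"], "outcome": outcome,
                "source": "windows-security"}
    return None


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Windowed correlation: alert when `threshold` failures from one
    (src, user) pair inside `window` are followed by a success.

    The rule is an assumption for the example, not a LEM rule.
    """
    alerts = []
    failures = defaultdict(list)  # (src, user) -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["user"])
        # Keep only failures still inside the sliding window.
        failures[key] = [t for t in failures[key] if ev["ts"] - t <= window]
        if ev["outcome"] == "failure":
            failures[key].append(ev["ts"])
        elif ev["outcome"] == "success":
            if len(failures[key]) >= threshold:
                alerts.append({"rule": "failed-logons-then-success",
                               "host": ev["host"], "user": ev["user"],
                               "src": ev["src"], "failures": len(failures[key]),
                               "ts": ev["ts"].isoformat()})
            failures[key].clear()  # a success resets the sequence
    return alerts


def run(lines=SAMPLE_LOGS):
    """Normalize every line, drop unparseable ones, and return the alerts."""
    events = [e for e in map(normalize, lines) if e is not None]
    return correlate(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Only the sshd sequence produces an alert: three failures within 14 seconds followed by a success. The Windows pair does not, because the single failure is both below the threshold and outside the five-minute window when the success arrives. In a real deployment the same structure scales by feeding normalized events into the correlator as they arrive rather than sorting a batch.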

This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Pedro Tavares. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/1iTXoS5hl0k/