Hi, our server team is currently evaluating APM on top of our NPM installation. They're pretty taken with the system at the moment but want to be able to monitor Windows event logs with the 'Windows Event Log Monitor' component and exclude events from being monitored based on their Event ID (current functionality only allows inclusion based on Event ID). Security Event Manager is designed to easily forward raw event log data with syslog protocols (RFC 3164 and RFC 5424) to an external application for further use or analysis. Additionally, with one click, you can export your filtered or searched log data to CSV, making it incredibly fast and easy to share log data with other teams or vendors.
Bottom Line
SolarWinds is ranked by Gartner in the Niche Players section of its latest Magic Quadrant for SIEM. It lacks the full security suite presence of some competitors, but is well-integrated across a variety of IT operation capabilities, making it a good fit for SMEs who may lack their own internal security teams. The company targets tightly resourced, budget-conscious security teams, in organizations with up to 10,000 employees, and often cites compliance as a driver.
Company Description
Since 1999, SolarWinds has been providing management and monitoring software for security, networks, servers, applications, storage, databases, virtualization and the cloud. It is a private company.
Product Description
SolarWinds Log & Event Manager (LEM) is composed of several elements:
- Manager for central management, log and event management, and storage
- Console and user interface
- LEM Agents for real-time event collection from endpoints, encryption and compression of data
Network traffic, application and virtualized platform monitoring can be tied into LEM through SolarWinds Virtualization Manager, Network Performance Monitor, and Server & Application Monitor. Multifactor authentication is a relatively new feature. SolarWinds Log & Event Manager (LEM) 6.5 has been recently released, with features that include support for log forwarding to other applications, as well as SolarWinds LEM deployments on Azure. The company is working on a new UI and events console. Other improvements over the last 12 months include an increase to the SolarWinds LEM appliance storage limit, an update to LEM's underlying DebianOS, and support for SQL Server 2016 auditing.
See our complete list of Top 10 SIEM Products.
SolarWinds SIEM Features Rated
Threats Blocked: Good. LEM ships with hundreds of predefined correlation rules, including authentication, change management, network attacks, and more. SolarWinds LEM also integrates with online threat feeds and can notify and respond to inbound/outbound traffic and authentication attempts with known bad IP addresses for threats such as ransomware, malware, spam, phishing, and more.
Breadth of Sources: Very good. SolarWinds LEM includes seven hundred log parsers. There is a process in place for users to request new connectors or updates to existing connectors. Gartner added that SolarWinds LEM supports a variety of event sources, including nonevent data sources that can be integrated into its analytics and correlation rules.
Throughput: Good. While SolarWinds LEM can support several thousand nodes, it rarely sees users exceed 2,000 EPS. Most customers store between 2 and 8 TB of data, but users have the option of scaling beyond 8 TB.
Value: Good. SolarWinds provides good value in overall cost and time to implement.
Implementation: Best. Users praise the product's ease of implementation. SolarWinds LEM is deployed as a self-contained virtual appliance, which includes the SolarWinds LEM database, correlation engine, and all other components required. It can be deployed typically within minutes. Gartner complimented SolarWinds on its simple architecture, easy licensing, and robust out-of-the-box content and features.
Management: Good. Ease of use is an area of frequent praise, but Gartner notes that as a closed system, SolarWinds LEM is limited in its ability to integrate with third-party advanced threat detection, threat intelligence feeds and User Behavior Analytics (UBA) tools.
Support: Very good. SolarWinds has been recognized for its technical support and customer success programs globally. The company recently deployed Smart Start. This assisted onboarding program provides access to implementation experts who work with users to understand their goals, assist in installing and configuring the product, and help optimize their environments based on business needs.
Scalability: Good. LEM's architecture scales horizontally to support thousands of nodes, but it doesn't scale as well vertically according to Gartner.
Security Qualifications
CC certified at assurance level (EAL) 2+. Department of Defense (DoD) agency-specific certifications for the U.S. Army and Navy.
Intelligence
SolarWinds Log & Event Manager customers leverage pre-defined correlation rules targeted at user and system change monitoring. These rules include direct change auditing (user permission, metadata, group memberships, etc.) and system change auditing (policies, files, etc.). Thresholds for behavior can be applied to differentiate normal from abnormal behavior.
Delivery
Virtual appliance for VMware and Hyper-V platforms, plus a deployment option for Azure.
Agents
The SolarWinds SIEM platform employs agents.
Pricing
SolarWinds LEM is priced in an all-inclusive per-node model, starting at $4,585 for 30 nodes. The license cost includes log management, agents, connectors, file integrity monitoring, USB Defender, SQL auditing, and all SIEM components. A workstation edition license enables SolarWinds LEM customers to extend deployments to Windows workstations. The first year of maintenance is included in the license cost. Consulting and professional services are typically not required.
For more analysis of SolarWinds Log & Event Manager, see SolarWinds vs Splunk: Top SIEM Solutions Compared.
Sizing Your SolarWinds Log and Event Manager Appliance
Monalytic provides a simple overview on right sizing your SolarWinds Log and Event Manager implementation to best fit your environment.
Existing Environment Review
- Number of Security Devices: _____
- Number of Network Devices: _____
- Number of Workstations: _____
- Number of Servers: _____
- Note – SolarWinds Log and Event Manager (LEM) has agents available for Windows, Linux, AIX, HPUX, Solaris, and Mac OS X.
Overview of SolarWinds Log and Event Manager Licensing
- Universal Nodes – anything that feeds LEM event data via Syslog.
- Workstation/Agent Nodes – any node that can accept a LEM agent.
Conveying this information to an authorized SolarWinds reseller will allow them to quote the license that’s right for your environment. Tiered licenses are issued in the following formats “LEM100” and “LWE250 for LEM100”. These licenses can be read as being able to accommodate 100 Universal Nodes and 250 Workstation/Agent Nodes.
Licensing is acknowledged as being in use on the appliance based on each unique IP address that sends it data. Deployed agents have logic built in to accommodate dynamic IP addressing (DHCP), but other devices that do not run an agent have the potential to consume more than one license if/when their address changes. These can be pruned from the LEM appliance manually or automatically if needed. To set up automatic recycling within the appliance, check the box illustrated below and set a frequency.
Deployment Tiers and Recommendations
SolarWinds has three general tiers when it comes to sizing (Small, Medium, or Large).
This is where it gets a bit interesting: taking the data obtained from the “Existing Environment Review”, you will have to determine a deployment level to go with. All monitored systems have the ability to adjust the verbosity of logging from low-level basic events to highly verbose “catch everything” logging. Unless you sample each device and work out a time-based statistical estimate, it is difficult to say (for example) that 100 devices will generate five million events per day. You could essentially have 100 devices with the verbosity turned all the way up or 100 with it turned down, or most likely a mix of both. Generally, the column on the right of the table is of most value. Start with the raw number of endpoints and scale the appliance to the bracket that best fits, always leaning on the heavier resource side. For example, if you have 5x security devices, 250x network devices, and 151x servers, it might run on the “small” tier deployment, but the appliance would be very stressed. For that scenario we would suggest moving to the “medium” tier of the matrix and starting with something like 6 cores, 16GB RAM, and 1TB storage.
Once the appliance is in operation and you have the ability to analyze the actual log ingest rate, adjusting resources becomes a bit easier. Simply run an nDepth report for the past hour, multiply the total events by 24 to get a per-day log count, and then refer to the matrix below as a guide:
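The two rules of thumb above (a license is consumed per unique sender IP, with agentless DHCP nodes able to burn extra licenses, and daily volume estimated as a one-hour event count times 24) can be checked against a raw syslog sample before the appliance is sized. The script below is an added example written for this article; it is not SolarWinds or Monalytic code and does not talk to a LEM appliance. It assumes the collector records the sender IP of each datagram alongside the RFC 3164 line (as any syslog receiver can), the list of agent-bearing hosts (AGENT_HOSTS) is supplied by the administrator, and the sample records are constructed for illustration.

```python
"""Estimate LEM license consumption and daily ingest from a syslog sample.

Added example, not vendor code. Assumptions: each record is
(sender_ip, raw_rfc3164_line) as captured by the collector over a
ONE-HOUR window, and AGENT_HOSTS lists hosts running the LEM agent.
"""
import re
from collections import defaultdict

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
# The day is space-padded ("Oct  5"), and HOSTNAME may be a bare IP.
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)

# Constructed one-hour sample. ws01 runs an agent and changed address via
# DHCP mid-hour; sw-core is agentless and also changed address, so the
# appliance would see it as two senders and hold two licenses for it.
SAMPLE_RECORDS = [
    ("10.0.0.5",  "<34>Oct  5 10:01:12 fw01 kernel: deny tcp 198.51.100.7 -> 10.0.0.5:22"),
    ("10.0.0.50", "<14>Oct  5 10:05:30 ws01 LEMAgent: user alice logged on"),
    ("10.0.0.2",  "<29>Oct  5 10:12:45 sw-core link: port Gi1/0/3 down"),
    ("10.0.0.20", "<14>Oct  5 10:15:00 srv01 LEMAgent: service spooler stopped"),
    ("10.0.0.5",  "<34>Oct  5 10:30:08 fw01 kernel: deny udp 203.0.113.9 -> 10.0.0.5:161"),
    ("10.0.0.51", "<14>Oct  5 10:40:02 ws01 LEMAgent: workstation locked"),
    ("10.0.0.3",  "<29>Oct  5 10:50:10 sw-core link: port Gi1/0/3 up"),
    ("10.0.0.20", "garbage line without syslog header"),  # malformed on purpose
]

# Constructed: hosts with a LEM agent (agents tolerate DHCP address changes).
AGENT_HOSTS = {"ws01", "srv01"}


def parse_rfc3164(line):
    """Return the parsed header fields of one RFC 3164 line, or None if malformed."""
    m = RFC3164_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "pri": pri,
        "facility": pri // 8,   # PRI = facility * 8 + severity
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "msg": m.group("msg"),
    }


def license_usage(records):
    """Return (licenses_in_use, hosts_seen_from_multiple_ips).

    The appliance licenses by unique sender IP, so every distinct sender
    counts even when its payload is unparseable. Hosts are grouped by the
    RFC 3164 HOSTNAME field to reveal nodes whose address changed.
    """
    senders = set()
    ips_by_host = defaultdict(set)
    for sender_ip, line in records:
        senders.add(sender_ip)
        parsed = parse_rfc3164(line)
        if parsed is not None:
            ips_by_host[parsed["host"]].add(sender_ip)
    multi = {h: sorted(ips) for h, ips in ips_by_host.items() if len(ips) > 1}
    return len(senders), multi


def stale_licenses(records, agent_hosts):
    """Agentless hosts seen from more than one IP: each extra IP is a license to prune."""
    _, multi = license_usage(records)
    return {h: len(ips) - 1 for h, ips in multi.items() if h not in agent_hosts}


def events_per_day(records, sample_hours=1.0):
    """Scale the sample window to 24 hours (the article's one-hour-times-24 rule)."""
    return int(len(records) / sample_hours * 24)


if __name__ == "__main__":
    in_use, multi = license_usage(SAMPLE_RECORDS)
    print(f"licenses in use: {in_use}")
    for host, ips in multi.items():
        print(f"  {host} seen from {ips}")
    print(f"stale agentless licenses to prune: {stale_licenses(SAMPLE_RECORDS, AGENT_HOSTS)}")
    print(f"estimated events/day: {events_per_day(SAMPLE_RECORDS)}")
```

For a real sizing exercise, replace SAMPLE_RECORDS with an hour of captured traffic and feed the events-per-day figure into the vendor's tier matrix; the stale-license report is the list of agentless nodes worth pruning or moving to static addresses before quoting a license tier.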
Best Practices and Areas to Watch Out For
- Always statically allocate/reserve resources on your virtual environment for the LEM appliance.
- The faster the storage the better! RAID-10 and/or solid-state disks (SSDs) are highly recommended.
- If/when performance issues arise, check your memory/RAM usage. Due to the real-time nature of LEM, it is very heavy on memory consumption.
- There is a 2TB storage limit for event data retention. The appliance will continue to grow until it reaches this limit and then use circular logging methods, dropping the oldest data to make room for new events.
Monalytic is an authorized SolarWinds reseller. For more information on product licensing, maintenance renewals, training, or professional services, please contact us at www.monalytic.com.