Your network is filled with firewalls, servers, and routers that can detect and log security threats. But when a threat comes up, too many admins rely on a slow process of manually wading through tens-of-thousands of log entries to find and correlate a small number of log entries.
The result? Slow detection and response to serious security threats. What if there was a way to take all of that information, and turn it into something useful?
SolarWinds Log and Event Manager (or LEM) may be the answer. It not only centralizes and collects logs, but it also helps to correlate important events, provides advanced searching features, and even takes automatic action against threats, all in real-time! This full range of functions is referred to as SIEM – Security Information and Event Management – and it provides a powerful way to manage events on any network.
Here’s what it does:
Real-Time Event Correlation
LEM is designed to receive and process the tens of thousands of event log messages generated by network devices. Next, it uses a very sophisticated matching engine to instantly correlate events, identifying potential security threats or other issues.
Events are processed in real-time and in memory, meaning that they don’t need to be written to a database and then queried before the system can identify problems. Response is incredibly fast, though obviously higher log volumes could lead to slower processing depending on how powerful your server is.
A monitoring display, like the one below, shows alerts as they flood in. Alerts are generated when conditions match rules defined in LEM. Notifications can be set for alert types that need instant attention.
LEM ships with over 700 built-in event rules that can be used to start monitoring the network out-of-the-box. And, SolarWinds makes it easy for admins to create new rules. A simple graphical drag and drop interface allows admins to build new filters. Say goodbye to complex query languages!
Event correlation rules are very flexible. Rules can be set to correlate events based on times, or transactions that occur, or even groups of events. Thresholds can be specified for number of events in a time period. And, variables can be set for various conditions – for example, enable rules during certain business hours, but disable them outside of business hours.
After an alert is detected, someone needs to do something about it! LEM helps here by being your “someone” and automating response to many situations.
SolarWinds calls this “Active Response,” and LEM includes a large library of possible responses to common situations. You can automate actions like:
- Quarantine infected machines, or force shutdowns and restarts.
- Block IP addresses.
- Disable user accounts.
- Kill processes.
- Restart or stop services.
- Force user log-off.
- Reset passwords.
Admins can still opt to manually respond to specific alerts with a few clicks in the GUI. Just select an event from the monitoring window, then click the “Respond” button to immediately force a specific action.
Some companies are very concerned about large-scale data loss from USB devices. Active Response can help manage data access via USB devices. LEM can identify unauthorized access and copying of sensitive files, and enable actions like automatic ejection of USB devices, or quarantine of workstations using USB devices.
Advanced Search Features
Have you ever tried to mine through a huge log database? It can be pretty hard to find what you’re looking for, and it can be slow to query databases for different event types and IP addresses.
LEM tries to take search to a new level with visual search tools. The search interface is designed to use a similar drag and drop interface as filters and rules. Building a search query quickly becomes intuitive and easy to do.
Visual search tools use a time-window slider near the top of the screen for focusing on specific time periods. The word cloud in the middle of the screen shows which words appear in events, with the most frequently occurring words being the largest. So say a worm outbreak results in many failed logon attempts. The cloud would likely show the event type in large font, indicating that something unusual is happening.
Other graphics slice and display data in different ways, such as the treemap shown on the right-hand side of the screen, as well as bubble-charts and histograms. There’s also a helpful reporting option, so you can dump search data into a convenient export. And, raw data can be accessed for manipulation using other tools.
SolarWinds has included a powerful reporting engine with Log and Event Manager. Over 300 built-in reports help with everything from graphical summaries of activity, to detailed threat reporting and compliance.
Speaking of compliance, many of the reports are designed to show your organization’s compliance with standards and legislation like PCI DSS, Sarbanes-Oxley, HIPAA, and others. And, reports can be customized to meet specific needs.
Reports can be scheduled to run at pre-determined intervals. It’s a great idea for large reports that are needed regularly since scheduling a report to run at night frees up day-time processing power for other needs.
LEM is deployed as a virtual appliance. In theory, installation is as simple as downloading the VMware or Hyper-V file and loading it up. Yes, you read that right – LEM now supports Hyper-V – a feature users have been clamoring for!
SolarWinds likes to refer to this as “live by lunch” installation, since database and web server configuration is eliminated.
In practice it’s a little more complex than that. If you don’t already have VMWare or Hyper-V running in your environment then you’ll need to set those up first. Fortunately the installer is helpful and includes links to the free VMWare ESXi platform. A desktop software package is also required to set up various reporting components.
On the downside, there is no Windows installer version of LEM which removes some flexibility. The only option is to use the virtual appliance. Most organizations looking at a product like this will already be using Virtualization technology, so in reality this isn’t much of a limitation.
The other component required: agents. Agents are needed for systems that don’t support SNMP/Syslog, and to enable some of the more advanced features of the product. Agents add key functionality, and you’ll definitely want them. But, the fact is that successfully installing agents on hundreds or thousands of machines can be an enormous task, even if using automated tools.
The pricing model is notable because it is based on the number of nodes being monitored, as opposed to some software that is priced based on volume of log data. A huge number of factors can influence the amount of data generated – number of devices on the network, types of events, virus outbreaks – the list goes on and on. It can be hard to estimate how much log volume to expect.
SolarWinds has a good solution to provide some certainty around licensing costs. They license by node, providing a predicable cost-model without requiring administrators to try to estimate log volume.
Log and Event Manager pricing starts at $4,495 (USD) to monitor 30 nodes.
Log and Event Manager is a very cool tool! It blends log management with security incident response, delivering a well-priced, versatile, and easy-to-use product. Features like Active Response and the search centre will help to manage threats, and make it easier for administrators to understand what’s really happening on the network. The VM-appliance style of install makes it easy to get up-and-running quickly.
And, as a nice bonus for users of other SolarWinds products, LEM integrates with SolarWinds software like the Network Performance Manager and Server and Application Monitor. Integration allows the ability to send syslog messages to and from the other apps.
On the other hand, having the tool available as a VM-only install removes some flexibility. And the need to install agents adds complexity and increases the work involved in a large deployment.
But overall, the great UI design and rich feature-set of LEM won us over. Log and Event Manager is sure to fill a niche that many businesses are missing. Try it out yourself with a free 30-day trial download, or check out the Live-Demo for a closer look. If you don’t have a log and security response product like this, you’ll be amazed at what you’ve been missing.
Product: SolarWinds Log and Event Manager ♦ Review Date: May 17, 2012
- Easy to deploy VMWare or Hyper-V appliance
- Track, monitor, and respond to network-wide security events
- Well Priced
- No traditional Windows install available – virtual appliance only
- Requires end-point agents in some cases