In this short video hosted by SolarWinds Trainer Cheryl Nomanson, you will learn how to configure your network devices (syslog, SNMP trap, and other log formats), servers and workstations (Windows, Linux, and Unix systems), and applications for analysis with SolarWinds Security Event Manager.
SolarWinds Security Event Manager (SEM) delivers powerful Security Information and Event Management (SIEM) capabilities in a highly affordable, easy-to-deploy virtual appliance. It combines real-time log analysis, event correlation, and a groundbreaking approach to IT search to deliver the visibility, security, and control you need to overcome everyday IT challenges. SIEM software has never been easier to use or more affordable.
This video will demonstrate how to use the Add Node Wizard within SolarWinds Security Event Manager to monitor a network device. To manage a node, we'll begin in the Ops Center. Here, we have the Node Health widget, which helps us monitor the status of nodes on the network. To start the wizard and add a new node, click the "Add Node" button on the toolbar. If you have not added any nodes yet, this button will be prominent in the middle of the widget. The wizard will now prompt you to select which type of node you wish to add and monitor: a syslog node for routers, switches, firewalls and other network devices, or an agent node for Windows desktops and servers and for Linux, HPUX and AIX systems. The specific procedures will vary depending on the type of device you wish to add, but the wizard will walk you through the basic steps. Simply follow the prompts.
For this demonstration, let's add a firewall. Start by clicking the radio button next to syslog node. Enter the IP address or the hostname of the node that you wish to monitor. Next, select the vendor from the drop-down list. LEM supports a number of vendor-specific devices. Follow the instructions in Step 2 to configure your device to forward logs to the SEM appliance.
If you are unfamiliar with how to configure your device, there are instructions here on the right. If you don't see your vendor listed, clicking "Other Vendors" will take you to the Knowledge Base for further information. You will need the name and IP address of the SEM appliance when you enable logging. This information is provided within the wizard. Be sure to set the appropriate logging level of the device, then save your changes and exit.
Once you have enabled logging on your device, click the checkbox next to the text "I have configured this node so that SEM can receive its Syslog Messages." Then click "Next." The wizard locates the new node and then recommends an appropriate connector. Connectors allow SEM to parse messages from syslog. Assigning the proper connector to the node is critical to allow correlation across the network and normalization of the data, so that SEM can read and display the events properly. Clicking "Finish" will return you to the Ops Center. Events from the new node will appear in the SEM console as they are received from the device.
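To illustrate why the connector recommended by the wizard matters, here is an added example (not SolarWinds code, and not a real SEM connector definition) that parses constructed syslog lines from two hypothetical firewall vendors into the same normalized fields; the wrong connector leaves the event unparsed, while the right one yields fields that a single correlation rule can match across both devices.

```python
import re

# Constructed sample lines in two hypothetical vendor formats (not real device output).
SAMPLE_LINES = [
    "<134>Jun 12 10:15:01 fw01 deny tcp 10.0.0.5:51522 -> 203.0.113.9:443",
    "<134>Jun 12 10:15:02 fw02 action=drop proto=udp src=10.0.0.7 dst=198.51.100.3 dport=53",
]

# RFC 3164 style header: <PRI>TIMESTAMP HOSTNAME MSG
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)

# Each hypothetical "connector" is a body pattern whose named groups map to common field names.
CONNECTORS = {
    "vendorA": re.compile(
        r"(?P<action>allow|deny) (?P<proto>\w+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"
    ),
    "vendorB": re.compile(
        r"action=(?P<action>\w+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
    ),
}

# Vendor-specific action words collapsed onto one vocabulary so rules need not know the vendor.
ACTION_MAP = {"deny": "block", "drop": "block", "allow": "allow", "accept": "allow"}


def parse_syslog(line, connector_name):
    """Return a normalized event dict, or None when the chosen connector cannot parse the body."""
    header = HEADER.match(line)
    if not header:
        return None
    body = CONNECTORS[connector_name].match(header["msg"])
    if not body:
        return None
    pri = int(header["pri"])
    event = {"host": header["host"], "facility": pri // 8, "severity": pri % 8,
             "connector": connector_name}
    event.update(body.groupdict())
    event["action"] = ACTION_MAP.get(event["action"], event["action"])
    event["dport"] = int(event["dport"])
    return event


def recommend_connector(line):
    """Mimic the wizard's recommendation step: the first connector that parses the line."""
    for name in CONNECTORS:
        if parse_syslog(line, name) is not None:
            return name
    return None
```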
The "Scan for New Nodes" feature scans syslog data that has already been sent to LEM. You can use this if you have enabled many devices to send syslog to SEM and want to add and configure them all at once. Note that scanning for new nodes may take a few minutes. If it does, you'll get a message that the scan is continuing in the background, and the progress bar at the bottom of the window will also be active. As data from new devices is found, a "New Connector(s) Found" message appears. You can click the "View Now" link to quickly add recommended connectors for these devices. Click "Next" to add the recommended connectors. Clicking "Finish" will take you to Manage Nodes.
Events from the new nodes will appear in the SEM console as they are received from the devices. For agent nodes, the wizard will walk you through the process of installing the agent software. Certain connectors, such as Event Log monitoring on Windows agents, are enabled by default. To configure additional connectors, go to the Manage -- Nodes area of the console. Here, you will see a listing of all of the nodes being monitored by LEM. Locate your node, and from the gear button next to it, select "Connectors." Here you can browse agent connectors by category or use the search box to find a connector by keyword, such as DNS. Click "New" from the gear button to create a new connector. Configure your connector and be sure to save the settings. Be sure to start the connector from the gear menu once it is configured.
You can also manage Agent Connectors by clicking on an agent node in the Node Health widget. This takes you to the Node Details page. In the Node: Connectors Applied widget, click "Manage Connectors." This opens the Connector Configuration window for that node, and shows the connectors already configured. To add additional connectors, clear the Configure checkbox and search for additional connectors for that node. Now, events from these sources will appear in the SEM console as they are generated on the devices.
For more information on the hundreds of different devices, applications, and systems SEM supports, go to www.solarwinds.com. To take the next step with your data in the Ops Center dashboards, filters and Monitor, or by building rules to automatically alert you when events occur, check out our training videos in the Getting Started widget or in the videos section of www.solarwinds.com.