Welcome to SolarWinds Security Event Manager

Step Two: Starting Data Collection

Devices like switches, routers, and firewalls can send Syslog data to LEM, or you can install agents on Windows and Linux servers to send SEM log events from servers, workstations, and applications. SEM uses connectors to translate (or normalize) raw log data into standard messages for use within the SEM console. To collect logs, SEM must correctly associate a connector with each device or other log source.

1. STOP: Did you complete the Install steps?

Before continuing, verify that you have:

  • Turned on the SEM VM
  • Configured the IP address
  • Logged in to the web console
  • Installed the reporting tool

If not, go back and complete the steps on the Install page.

2. Configure your network equipment to forward logs to LEM.

Network equipment (such as switches, routers, and firewalls) typically uses the Syslog message logging standard.

Follow these steps:
  1. Configure your devices to forward logs to the SEM virtual appliance IP address.
  2. Log in to the SEM web console and navigate to the Ops Center Dashboard. In the top left corner, find the Node Health widget and click Add Node.
  3. Select Syslog node.
  4. In Step 1, enter the IP address of the device that will be sending logs to LEM, and then select the device vendor.
  5. In Step 2, select the check box to confirm that the device is configured to send logs to the SEM virtual appliance, then click Next.
  6. When the SEM virtual appliance receives logs from the device, it automatically detects and displays the device name or IP address. Confirm that SEM has correctly identified the device by clicking Finish.

If you see an error that says "No Device Found," make sure that the device is configured to send logs to the correct IP address. For help, see these troubleshooting steps. If you are still unable to receive logs, the device may not be supported.

To understand how SEM processes log data, watch this video.
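As an added illustration (not SolarWinds code) of the two things this section relies on, a connector normalizing a raw syslog line into standard fields and a device sending a well-formed line to the appliance IP, here is a small Python script. The sample firewall line, the host names, and UDP port 514 as the collector port are constructed assumptions.

```python
import re
import socket
from datetime import datetime

# Constructed sample of one RFC 3164 line as a firewall might forward it (not from the page).
SAMPLE_LINE = ("<134>Jan 12 10:15:04 fw-edge-01 kernel: "
               "DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP DPT=22")

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += [f"local{n}" for n in range(8)]          # facility codes 16..23
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOST TAG[PID]: MESSAGE  (the classic BSD syslog layout)
_LINE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                   r"(?P<host>\S+) (?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")

def normalize(raw):
    """Split a raw syslog line into the fields a connector would map to standard event fields."""
    m = _LINE.match(raw)
    if not m:
        raise ValueError("not an RFC 3164 line: " + raw[:40])
    pri = int(m["pri"])
    if pri > 191:                       # highest legal value is local7 (23) * 8 + debug (7)
        raise ValueError(f"PRI out of range: {pri}")
    return {
        "facility": FACILITIES[pri // 8],
        "severity": SEVERITIES[pri % 8],
        "timestamp": m["ts"],
        "host": m["host"],              # what a collector shows as the sending node
        "tag": m["tag"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "message": m["msg"],
    }

def build_test_message(host, tag, text, facility=16, severity=6, when=None):
    """Build a well-formed RFC 3164 line; the day of month is space-padded as in the RFC."""
    when = when or datetime.now()
    pri = facility * 8 + severity
    return f"<{pri}>{when:%b} {when.day:2d} {when:%H:%M:%S} {host} {tag}: {text}"

def send_test_message(collector_ip, message, port=514):
    """Send one datagram to the collector (UDP 514 is an assumption; use your appliance's port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(message.encode("utf-8"), (collector_ip, port))

if __name__ == "__main__":
    print(normalize(SAMPLE_LINE))
    print(build_test_message("fw-edge-01", "sem-check", "forwarding test"))
```

If a test line sent with `send_test_message` to the appliance IP never appears in the console, the path (routing, firewall rules, listening port) is the first thing to check before assuming the device is unsupported.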

3. Do you need to collect logs from servers, workstations, and applications?

If the answer is yes, follow these steps:
  1. Log in to the SEM web console and choose Manage > Nodes at the top of the page.
  2. On the "Nodes" screen, click Add Node. Then, on the "Specify Nodes to Add" screen, select Agent Node.
  3. There are two ways to install Windows agents: remotely or locally.
    • Remote installation is typically used for bulk agent installations. For detailed steps on remote deployments, please see this KB article.
    • For local installation or for non-Windows installs, click the appropriate installer under Local Installation. Download the agent ZIP file, and go to the next step.
  4. Extract the contents of the installer ZIP file to a local or network location.
  5. Run setup.exe on Windows machines, or setup.bin on Linux machines.
  6. Click Next to start the installation wizard.
  7. Accept the End User License Agreement and click Next.
  8. Enter the hostname or IP address of your SEM virtual appliance in the "Manager Name" field, and then click Next. Do not change the default port values.

    Note: Use a fully qualified domain name for your SEM virtual appliance when you deploy SEM Agents in a different domain. For example, enter LEMhostname.SolarWinds.com.

  9. Confirm the Manager Communication settings, and click Next.
  10. For Windows nodes, you are prompted to install USB Defender. Choose whether you want to install USB-Defender with the SEM Agent and click Next.

    Note: SolarWinds recommends installing USB-Defender on every system. USB-Defender will never detach a USB device unless you have explicitly enabled a rule to do so. By default, USB-Defender simply generates alerts for USB mass storage devices attached to your SEM Agents.

  11. Confirm the settings on the Pre-Installation Summary and click Install. When the installer finishes, click Next to start the SEM Agent service.
  12. Inspect the Agent Log for errors, and then click Next.
  13. Click Done to exit the installer.
  14. Return to the SEM virtual appliance web console and choose Manage > Nodes. If you closed the web console, log in again and choose Manage > Nodes to reach the same screen.
  15. Verify your node is shown in the node list. By default, Windows agents immediately collect log messages from the System, Security, and Application event logs. To configure Linux and other server and application logs, see this KB article.

4. Are you able to see the logs?

If the answer is no, follow these steps:
  1. In the SEM web console, click Monitor, expand the Overview category, and select All Events. You should see scrolling events, and, if you view the Detection IP column, you should see the IP addresses or host names of the devices sending logs.
  2. If you do not see any data but have followed ALL of the previous instructions, refer to this KB article for troubleshooting steps. If you need further assistance, send an email to the Sales Engineering team so that we can help you with your evaluation.

Additional Resources