SolarWinds Security Event Manager (SEM), is a security information and event management (SIEM) virtual appliance that adds value to existing security products and increases efficiencies in administering, managing, and monitoring security policies and safeguards on your network. SEM previously know as Log & Event Manager.
SEM provides access to log data for forensic and troubleshooting purposes, and tools to help you manage log data. SEM leverages collected logs, analyzes them in real time, and notifies of a problem before it causes further damage. For example, advanced persistent threats can come from a combination of network events such as software installations, authentication events, and inbound and outbound network traffic. Log files contain all information about these events. The SEM correlation engine identifies advanced threat activity, and then notifies of any anomalies.
Generating reports with SolarWinds Security Event Manager is simple and reliable. SEM includes built-in report templates for internal and external regulatory compliance, including PCI DSS, GLBA, SOX, NERC CIP, HIPAA, and more. Or, you can create a custom report using the intuitive reporting console.
SEM includes the following features:
There’s an increase in the volume of DDoS, botnet, and malware attacks happening every day. In this era, implementing a robust cyber threat intelligence framework for collecting, consolidating, and analyzing all your log data and threat intelligence feeds in one place is a smart move for data security and the company’s bottom line.
SolarWinds Security Event Manager (SEM) is an on-premise, advanced SIEM tool built with an active threat intelligence management system in the form of threat feeds designed to automatically detect and respond to user, application, and network threats.
Imagine that abnormal privileged user activity occurs outside of the usual working hours, which can be a sign of malicious internal behavior. Using its integrated threat intelligence, SEM is built to compare security events against threat feeds that are updated daily, and alert when one of the source or destination fields hit a blacklist IP address or domain to automatically pinpoint potential security issues like phishing attempts, malware infections, and external cyberattacks.
Security Event Manager also comes with over 700 built-in correlation rules and hundreds of active responses that admins can configure to automatically trigger to respond to security events in real time. You can select from predefined rules or manually define rules to set operational thresholds, easily automating how SEM mitigates immediate threats and generates relevant notifications in response to defined conditions.
You may not be able to respond to threats at scale if you subscribe to the prehistoric method of manual research, validation, and remediation. New threats are developed and deployed every day, and existing threats we thought we’d handled are evolving to cause greater damage. You could invest an entire day in the manual response method, and you’d still be behind due to the sheer volume of potential threats in the queue still needing to be investigated. Respond to threats at scale using SolarWinds® Security Event Manager (SEM) security incident management software with Active Response.
Active Response provides preconfigured, customizable actions for incident response based on which trigger conditions are satisfied, enabling you to proactively hunt and stop threats. Security Event Manager incident response solutions are designed to ingest threat intelligence findings and act on unique user-defined actions. Simply kick off an automated email to your team, actively block a threat detected at your firewall, disable an Active Directory account whose actions may place your enterprise at risk, and more.
Manual response can be a task requiring a certain level of technical breadth to understand the risks and consequences of the selected remediation path. By the time IT professionals have thoroughly researched a potential threat, it may have already escalated into something more serious. Remove the manual research involved in incident response and let the security incident management software in Security Event Manager with Active Response do the heavy lifting.
The SIEM management capabilities of Security Event Manager help accelerate threat detection and empower your IT team to analyze SIEM log data in real-time. With integrated threat detection capabilities, SEM is designed to help you dig deep into security event logs and investigate incidents faster. SEM is built to help you easily ascertain the cause and effect of events generated across the network infrastructure. The advanced search and event-time correlation capabilities in SEM can help simplify and expedite forensic analysis and network security audits. Also, its SIEM log analyzer tool is designed to easily forward correlated log data to an external source for further analysis if and when required.
Security Event Manager is built to provide continuous SIEM monitoring to handle security breaches and incidents better. You can constantly monitor your files and folders with its SIEM capabilities to track any permission changes or data modification to identify suspicious activities. SEM’s USB security software provides proactive USB device monitoring to avert IT security risks like data leaks or other malicious threats. The SIEM monitoring tool capabilities of SEM helps to optimize security threat resolution with automated responses. You can also initiate real-time threat remediation by configuring threshold-based alarms and notifications.
SolarWinds Security Event Manager is built to provide an integrated compliance reporting tool for simplified and faster compliance audits. SEM’s standardized reports available out-of-the-box can assist you in demonstrating various industry-specific regulations like HIPAA, PCI DSS, SOX, FISMA, NERC CIP, FERPA, GLBA, GPG13, DISA STIG, and more. You can easily conduct forensic investigations with SEM’s detailed drill-down reports. In addition to industry regulation compliance, the compliance reporting can also help you demonstrate and ensure that any internal security policies are effectively implemented at all times.
Malware and advanced persistent threats (APTs) often access and modify local files. Security Event Manager file integrity monitoring software is built to correlate logs from anti-virus tools and IDS/IPS with file audit events to more easily detect APTs, malware, and improve FIM security.
You can also configure Security Event Manager’s integrated incident response actions to trigger when certain conditions exist that can kill a malicious process or quarantine systems for complete endpoint protection.
Many industry compliance standards—like PCI DSS, SOX, HIPAA, NERC CIP, FISMA, and SANS Critical Security Controls—require you to both secure sensitive data and demonstrate how you’ve secured it.
Security Event Manager file integrity monitoring is built to help you more easily demonstrate these requirements. You can use built-in file integrity monitoring templates to audit key files, folders, and generate out-of-the box reports to help demonstrate compliance.
With a simple configuration process, you can integrate Security Event Manager into your Microsoft OS by following steps from SolarWinds Customer Success here.
In line with the SolarWinds commitment to customization, you have the option to set up your Windows FIM tool to monitor either individual nodes or an entire connector profile. During the configuration process, you can customize the files, folders, or access criteria you want to monitor. You can also specify the conditions for the FIM security monitoring, so highly critical data can be scrutinized more thoroughly than less sensitive files.
Data aggregation and visibility
Visibility into your entire IT environment is one of the biggest benefits of SIEM. This visibility goes hand in hand with the way that logs are normalized and correlated in a SIEM tool. No matter the size of a business, there are likely a variety of different components in the IT environment, each of which is generating, formatting, and sending huge amounts of data.
Incident detection
Many of the hosts on your system that log security breaches don’t include built-in incident detection capabilities. That means they can observe events and produce log entries, but can’t analyze them for potential suspicious activity. However, because SIEM tools correlate and analyze the log data that’s produced across hosts, they’re able to detect the incidents that might otherwise be missed—either because the relevant logs were not analyzed or because they were too widely separated between hosts to be detected.
Improved efficiency
SIEM tools can significantly improve your efficiency when it comes to understanding and handling events in your IT environment. With SIEM tools, you can view the security log data from the many different hosts in your system from a single interface. This expedites the incident handling process in several ways. First, the ability to easily see log data from the hosts in your environment allows your IT team to quickly identify an attack’s route through your business. Second, the centralized data lets you easily identify the hosts that were affected by an attack.
Simplified compliance reporting
Practically every business, no matter the size or the industry, has at least some regulations that it needs to comply with. Ensuring that you’re abiding by those regulations and that you can prove your compliance can be a difficult and time-consuming task. Luckily, thanks to the collection, normalization, and organization of log data, SIEM tools can help simplify the compliance reporting process. In fact, the benefits of SIEM tools as centralized logging solutions for compliance reporting are so significant that some businesses deploy SIEMs primarily to streamline their compliance reporting.
Release date: November 7, 2019
SEM continues the transition from Flash-based software to HTML5 by adding the following features to the SEM Events Console:
Access the SEM Dashboard to highlight and summarize trends and suspicious activity through a series of interactive widgets. You can create, edit, and arrange widgets to display network data in a variety of tables and graphs according to pre-defined and user-defined filter sets.
From the Filters pane, you can create a new rule based on any existing filter with a single click. This allows you to set alerts for specific event activity without manually duplicating filter values in the custom rule builder.
You can use email templates to customize your email notifications when triggered as responses in your custom rules. An email template includes static and dynamic text (or parameters). The static text lets you customize the message body of the email. The dynamic text is filled in from the original event that caused the rule to fire.
Create user-defined groups to organize related elements for use with rules and filters. Groups can contain elements such as events, IP addresses, computer names, and user accounts. After a group is defined, it can be referenced frommultiple rules and filters.
On the SEM Events Console Settings page, you can enable automatic updates for SEM agents and connectors.
SEM simplifies the network troubleshooting process by offering a one-click debug log download feature which no longer requires a third-party application and additional configuration steps. On the SEM Events Console Settings System Resources tab, click Download debug logs, and then forward them to SolarWinds Customer Support for assistance.
On the SEM Events Console Settings page, you can set minimum password requirements for local SEM user accounts.
On the SEM Events Console Settings page, you can enable the Threat Intelligence feed, which enables SEM to detect threats based on lists of known malicious IP addresses.
On the SEM Events Console Settings page, enter your email address to send usage statistics to SolarWinds to help us improve our products.
SEM streamlines the FIM inclusion configuration process by allowing you to navigate to and choose specific files, directories, and registries. This enhancement eliminates the requirement to manually enter specific navigation paths.
You can set the maximum number of events that populate the filters in your SEM Events viewer. The default setting is 10,000 events. This means SEM will store up to 10,000 events in memory for each filter. This setting also applies to the maximum number of events that can populate each filter-based dashboard widget.
Starting with SEM 2019.4, the SEM agent installer supports Windows 2019.
With version 6.7 and later, you can deploy SEM to Amazon Web Services (AWS). To get started, contact your SolarWinds Sales or Customer Support representative to request access to SEM on AWS.
| Version | EOL
Announcements |
EOE Effective
dates |
EOL Effective dates |
|---|---|---|---|
| 6.3.1 | May 23, 2019: End-of-Life (EoL) announcement – Customers on SEM version 6.3.1 should begin transitioning to the latest version of SEM. | August 21, 2019: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for SEM version 6.3.1 will no longer be actively supported by SolarWinds. | August 21, 2020: End-of-Life (EoL) – SolarWinds will no longer provide technical support for SEM version 6.3.1. |
| Type | Details |
|---|---|
| Windows Server 2008 | As of SEM 2019.4, Windows Server 2008 is no longer supported. SEM still supports Windows Server 2008 R2. |
| Type | details |
|---|---|
| VMware vSphere 5.5 | Beyond SEM 6.7, releases will no longer support vSphere 5.5. |
March 26, 2020
Use the following tables to plan your Security Event Manager (SEM) deployment to suit your network environment.
Server sizing is impacted by:
Use the following table to determine if a small, medium, or large deployment is best suited to supporting your environment.
| Sizing Criteria | Small | Medium | Large |
|---|---|---|---|
| Number of nodes | Fewer than 500 nodes in the following combinations:
|
Between 300 and 2,000 nodes in the following combinations:
|
More than 1,000 nodes in the following combinations:
|
| Events received per day | 5M – 35M events | 30M – 100M events | Up to 215m events (2,500 EPS) |
| Rules fired per day | Up to 500 | Up to 1,000 | Up to 5,000 |
| Hardware on the VM host | Small | Medium | Large |
|---|---|---|---|
| CPU | 2 – 4 core processors at 2.0 GHz | 6 – 10 core processors at 2.0 GHz | 10 – 16 core processors at 2.0 GHz |
|
If you will be storing original log messages in addition to normalized log messages, increase the CPU and memory resource requirements by 50%. |
|||
| Memory | 8 GB RAM | 16 GB – 48 GB RAM | 48 GB – 256 GB RAM |
| Hard drive storage | 250GB, 15k hard drives (RAID 1/mirrored settings) | 500GB, 15K hard drives (RAID 1/mirrored settings) | 1TB, 15k hard drives (RAID 1/mirrored settings) |
|
|||
| Input/output operations per second (IOPS) | 40 – 200 IOPS | 200 – 400 IOPS | 400 or more IOPS |
| NIC | 1 GBE NIC | 1 GBE NIC | 1 GBE NIC |
| Hardware on the VM host | Small
Standard_DS3_v2 |
Medium
Standard_DS4_v2 |
Large
Standard_D32s_v3 |
|---|---|---|---|
| CPU [cores] | 4 | 8 | 32 |
| RAM [GB] | 14 | 28 | 128 |
| IOPs | 12800 | 25600 | 51200 |
| Software | Requirements |
|---|---|
| Hypervisor (required on the VM host) | One of the following:
|
| Microsoft Azure | Learn about Microsoft Azure requirements here. |
| Amazon Web Services | Learn about Amazon Web Services requirements here. |
| Web browser (required on a remote computer to run the web console) | Current and later versions of the following:
|
| Adobe Flash (browser plug-in required on a remote computer to run the web console) | Adobe Flash Player 15 |
| Hardware and Software | Requirements |
|---|---|
| Operation System (OS) | The SEM agent is compatible with the following operating systems:
|
|
The requirements specified below are minimum requirements. Depending on your deployment, you may need additional resources to support increased log-traffic volume and data retention. |
|
| Memory | 512 MB RAM |
| Hard Drive Space | 1 GB |
| Other requirements | Administrative access to the device hosting the SEM Agent.
The SEM agent for Mac OS X requires Java Runtime Environment (JRE) 8 or later. |
| Hardware and Software | Requirements |
|---|---|
| Operation System (OS) | The SEM reports application is Windows only. The following Windows versions are supported:
|
| Memory | 512 MB RAM minimum.
SolarWinds recommends using a computer with 1 GB of RAM or more for optimal reports performance. |
| Other requirements | Install the SEM reports application on a system that runs overnight. This is important because the daily and weekly start time for these reports is 1:00 AM and 3:00 AM, respectively.
Ensure the Reports Console version matches your version of the SEM appliance. Incompatible versions may result in installation or login failures.See the following articles in the Customer Success Center for troubleshooting tips:
|
This page lists the firewall ports that you need to open to allow network communication with SolarWinds SEM. Configure any firewall that stands between any two points of communication to allow traffic to reach SEM.
In the table, “inbound” assumes that the SEM VM is behind the firewall, and that firewall rules allow network traffic through the firewall to the SEM VM.
ENVIRONMENT
| PORT # | PROTOCOL | SERVICE | DIRECTION | DESCRIPTION |
|---|---|---|---|---|
| 22, 32022 | TCP | SSH | Bidirectional | SSH traffic to the SolarWinds SEM VM. (Port 22 is not used prior to version 6.3.x.)
If you need to close either ports 22 or 32022, contact SolarWinds Support. |
| 25 | TCP | SMTP | Outbound | SMTP traffic from the SolarWinds SEM VM to your email server for automated email notifications. |
| 80, 8080 | TCP | HTTP | Bidirectional | Non-secure HTTP traffic from the SolarWinds SEM console to the SolarWinds SEM VM. (SEM closes this port when activation completes, but you can re-open it with the CMC togglehttp command.) |
| 139, 445 | TCP | NetBIOS, SMB | Bidirectional | Standard Windows file sharing ports (NetBIOS Session Service, Microsoft SMB) that SEM uses to export debug files, syslog messages, and backup files.
The SEM Remote Agent Installer also uses these ports to install Agents on Microsoft Windows hosts across your network. |
| 161, 162 | TCP | SNMP | Bidirectional | SNMP trap traffic received from devices, and used by the Orion platform to monitor SEM. (Monitoring SEM on port 161 is not used prior to version 6.3.x.) |
| 389, 636 | TCP | LDAP | Outbound | LDAP ports that the SEM Directory Service Connector tool uses to communicate with a designated Active Directory domain controller.
The SEM Directory Service Connector tool uses port 636 for SSL communications to a designated Active Directory domain controller. |
| 443, 8443 | TCP | HTTPS | Bidirectional | HTTPS traffic from the SolarWinds SEM console to the SEM VM.
SEM uses these secure HTTP ports after SEM is activated. |
| (445) | TCP | See entry for port 139. | ||
| 514 | TCP or UDP | Syslog | Inbound | Syslog traffic from devices sending syslog event messages to the SolarWinds SEM VM. |
| (636) | TCP | See entry for port 389. | ||
| 2100 | UDP | NetFlow | Inbound | NetFlow traffic from devices sending NetFlow to the SolarWinds SEM VM. |
| 6343 | UDP | sFlow | Inbound | sFlow traffic from devices sending sFlow to the SolarWinds SEM VM. |
| (8080) | TCP | See entry for port 80. | ||
| (8443) | TCP | See entry for port 443. | ||
| 8983 | TCP | nDepth | Inbound | nDepth traffic sent from nDepth to the SEM VM containing raw (original) log data. |
| 9001 | TCP | SEM reports application | Bidirectional | SEM reports application traffic used to gather SEM teports data on the SEM VM. |
| (32022) | TCP | See entry for port 22. | ||
| 37890-37892 | TCP | SEM Agents | Inbound | SEM Agent traffic sent from SolarWinds SEM Agents to the SolarWinds SEM VM. (These ports correspond to the destination ports on the SEM VM.) |
SEM no longer uses the port listed in the following table.
| PORT # | PROTOCOL | SERVICE | DIRECTION | DESCRIPTION |
|---|---|---|---|---|
| 5433 | TCP | SEM Reports | Inbound | Port 5433 is no longer used. Previously, this port carried traffic from the SolarWinds SEM reports application to the SolarWinds SEM VM. This was used by versions prior to LEM 5.6, for which support ended December 2015. |
