
Log & Event Manager Administrator Guide PDF

607 Pages·2017·7.91 MB·English

Preview Log & Event Manager Administrator Guide

ADMINISTRATOR GUIDE
Log & Event Manager
Version 6.6
Last Updated: Wednesday, February 27, 2019

© 2019 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.
Table of Contents

LEM setup, configuration, and maintenance ... 29
Log in to LEM ... 29
Log in to the LEM web console ... 29
Supported and unsupported URLs ... 30
To log out of a LEM Manager ... 30
Log in to the LEM desktop console ... 30
Log in to the LEM admin user interface ... 31
Log in to the LEM CMC command line interface ... 32
CMC Access Restrictions ... 32
Log in to the CMC command-line interface using the hypervisor virtual console ... 32
Log in to the CMC command-line interface using SSH ... 33
Log in to the LEM Events Console ... 34
Set up a new LEM installation ... 36
Set up the first LEM Manager instance in the web console ... 36
Install the LEM license using the web console ... 36
Verify that the LEM desktop console can connect after you activate the license ... 37
Run the activate command to secure LEM and configure network settings ... 37
Prepare to run the Activate command ... 37
Run the Activate command ... 38
Use the LEM Getting Started wizards ... 39
Open the Getting Started wizards ... 39
Use the Configure Basic LEM Settings wizard to set up Active Directory monitoring and email alerts ... 40
Use the Add Nodes wizard to add a syslog node to LEM ... 42
Use the Add Rules wizard to set up LEM rules ... 43
Configure LEM settings and services ... 45
Start and Stop LEM components ... 45
Stop or restart the LEM Manager ... 45
Start and stop the LEM Agent on Windows ... 45
Set the date, time, and time zone on your LEM VM ... 45
Manage LEM VMs and appliances in the LEM console ... 47
View LEM license information ... 47
Enable LEM license recycling ... 47
Configure the settings used to log in to the LEM VM ... 48
Add another LEM VM or appliance to the console ... 49
Copy data about a LEM VM or appliance ... 51
Remove a LEM VM or appliance from the console ... 51
Configure the Email Active Response connector in LEM ... 51
Requirements ... 51
Configure the Email Active Response connector ... 52
Test the Email Active Response connector ... 53
Configure Active Directory and LEM to work with LEM rules and filters ... 53
Configure the Directory Service Query Connector ... 54
Enable LEM to receive SNMP traps by turning on the SNMP Trap Logging Service ... 55
To enable or disable the LEM SNMP Trap Logging Service ... 55
Send SNMP traps from LEM to other applications by turning on the SNMP Request Service ... 56
To enable or disable the SNMP Request Service ... 57
Configure LEM to store original log messages (nDepth log retention) ... 58
About nDepth log retention ... 58
Configure LEM Manager to store original log files in their own database ... 59
Configure connectors to send original log data to LEM ... 60
View and search your original log messages ... 60
Configure the LEM event distribution policy ... 61
Practical uses for event distribution policy ... 61
Open the Event Distribution Policy window ... 61
Configure the event distribution policy ... 62
Push event policy to lower-level event types ... 63
Export a Manager event policy ... 63
Collect Windows Filtering Platform (WFP) events in LEM ... 64
About Windows WFP events and LEM performance ... 64
Configure LEM to collect WFP events (Optional) ... 64
Manage LEM system resources ... 66
Allocate CPU and memory resources to the LEM VM ... 66
About incoming data traffic ... 66
Use the LEM console to view resource allocations and VM details ... 66
View vSphere reservation settings for LEM ... 68
Change vSphere reservations for LEM ... 68
View reservations settings using the CMC command-line ... 69
View Hyper-V reservation settings for LEM ... 69
Manage LEM data storage ... 70
About the three LEM data stores ... 70
Strategies for managing your LEM data storage needs ... 70
View LEM database usage numbers ... 71
Create a disk usage alert in LEM to warn you when a disk reaches a set limit ... 72
LEM tuning and periodic maintenance tasks ... 74
Integrate LEM with other SolarWinds products ... 76
Monitor LEM from NPM and the Orion Web Console using SNMP ... 76
Enable the SNMP Request Service ... 76
Set up the Orion Web Console for SNMP monitoring ... 76
Troubleshooting your Orion connection ... 78
Secure LEM ... 79
LEM security checklists: Ensure that only authorized users can access LEM ... 79
General security tasks ... 79
Secure the LEM Manager and the LEM consoles ... 79
Secure the CMC command-line interface ... 79
Secure the LEM reports application ... 79
Restrict SSH access to the LEM CMC interface ... 80
To remove access restrictions from the CMC interface ... 80
Restrict access to the LEM reports application ... 80
Understand your options for securing LEM reports ... 80
Restrict access to LEM reports to specific computers ... 81
Remove all LEM reports access restrictions ... 81
Enable transport layer security (TLS) in the LEM reports application ... 82
Enable TLS on a standalone LEM VM or appliance ... 82
Set up a dedicated LEM user for accessing reports ... 82
Configure the Reports application to use TLS ... 83
Enable TLS on a LEM Manager with a separate database appliance ... 84
Import certificates into the LEM Manager and database ... 84
Import a self-signed certificate into the LEM Manager ... 85
Manage users in LEM ... 86
Add LEM users ... 86
About LEM roles ... 86
About LEM user accounts ... 87
How Active Directory accounts work in LEM ... 87
Import an Active Directory user into LEM ... 88
Create a local LEM user account ... 88
View user accounts in the LEM console ... 90
View the system privileges associated with a role ... 90
Edit user account settings ... 91
Delete a user account from a LEM Manager instance ... 91
Set the global password policy for LEM users ... 92
Set up Active Directory authentication in LEM ... 92
Gather required information ... 92
Create a user in Active Directory that LEM can use to log in ... 93
Create custom security groups in Active Directory for LEM to use ... 93
Configure or view Active Directory authentication settings in LEM ... 94
Add an Active Directory user to LEM ... 97
Set up Active Directory authentication in LEM 6.3.0 and older ... 97
Configure the Directory Service Query connector ... 97
Test the Directory Service Query connector settings ... 99
Import your Active Directory organizational groups into LEM ... 99
Import an Active Directory user and assign the user LEM login rights ... 99
Set up single sign-on in LEM ... 100
Set up Active Directory authentication in LEM ... 100
Generate a keytab file using Ktpass ... 100
Configure SSO settings in LEM using the Admin web console ... 102
Configure web browser settings for SSO ... 103
Internet Explorer ... 103
Mozilla Firefox ... 104
Google Chrome and Opera ... 104
Configure LEM for either SSO-only authentication, or SSO and local authentication ... 105
Configure SSO settings in LEM using the command-line ... 106
Change the LEM CMC password ... 108
Recover a lost CMC password ... 108
Specify the filters that users assigned the Monitor role can use in the LEM console ... 108
Send event data to LEM via Agents, syslog, and SNMP ... 111
Get started adding systems and devices to LEM ... 111
About the LEM Agent ... 111
About sending log events directly to LEM ... 112
Configure LEM Agents after they are installed ... 112
View the LEM Agents monitored by each LEM Manager ... 112
About the LEM Agent for Windows connectors ... 112
Enable additional connectors to add extra log sources to LEM ... 113
Create connector profiles to manage and monitor LEM Agents ... 113
About connector profiles ... 113
About the connector-profile group type ... 114
Connector profile guidelines ... 114
Create a connector profile: process overview ... 114
Create a connector profile: detailed steps ... 115
Task 1: Configure the Agent that will serve as a template for your connector profile ... 115
Task 2: Select the Agents that are members of the profile ... 116
Task 3: Verify the connector status ... 116
Edit LEM Agent connector-profile settings ... 117
Open the connector profile settings for editing ... 117
Clone a connector-profile instance ... 117
Editing a connector profile instance ... 117
Edit the connector-profile settings ... 118
Add additional connectors to a connector profile ... 120
Add syslog and Agent nodes to LEM ... 120
Add a syslog node to LEM using the Add Node wizard ... 120
Use Scan for New Nodes to find new syslog sources and add connectors ... 120
Manually add a new Agent or syslog node connector ... 122
Other ways to add nodes to LEM ... 122
Update LEM Agents ... 123
Manually update LEM Agents on Windows installations using the LEM Local Agent Installer ... 123
Manually upgrade LEM Agents on Unix, Linux, Mac, and Windows hosts using LEM Remote Agent Installers ... 124
Download the LEM Remote Agent Installer ... 124
Run the LEM Remote Agent installer ... 124
Set up a separate syslog server for use with LEM ... 126
LEM connectors: Normalize events sent from specific products on your network ... 129
Configure LEM connectors for Agent and non-Agent devices ... 129
Configure connectors for the devices that you want to monitor with LEM ... 129
Configure LEM Manager connectors ... 130
Configure the sensor and actor connectors for each LEM Agent ... 130
Connectors grid icons ... 130
Configure Agent connectors ... 131
Use connector profiles to configure multiple Agents ... 131
Manage LEM connectors ... 131
Open a connector configuration form ... 132
Open a Manager connector configuration form ... 132
Open an Agent’s connector configuration form ... 132
Find a connector ... 132
Add a new connector instance ... 133
Start a connector instance ... 134
Stop a connector instance ... 134
Edit a connector instance ... 134
Delete a connector instance ... 135
Apply a LEM connector update package ... 135
Enable global automatic connector updates ... 135
Update connectors on-demand ... 135
Update LEM connectors manually using the CMC interface ... 136
Troubleshooting LEM connector upgrades ... 137
LEM connector categories ... 137
Configure LEM to monitor firewalls, proxy servers, domain controllers, and more ... 143
Configure LEM to monitor firewalls for unauthorized access ... 143
Configure a firewall to log to a LEM appliance ... 143
Configure a firewall connector on a LEM Manager ... 143
View network traffic from specific computers ... 144
Clone and enable a LEM rule to identify port scanning traffic ... 145
Configure LEM to monitor proxy servers for suspicious URL access in LEM ... 145
Set your proxy server to log to a virtual appliance ... 145
Configure a proxy server connector on a LEM Manager ... 146
Clone and enable the Known Spyware Site traffic rule ... 146
Configure LEM to monitor anti-virus software for viruses that are not cleaned ... 147
Configure antivirus software to log to a LEM appliance ... 147
Configure the antivirus connector on the LEM Manager ... 147
Create a LEM rule to track when viruses are not cleaned ... 147
Configure LEM File Integrity Monitoring (FIM) to monitor Windows files, folders, and registry keys ... 148
Features of FIM ... 148
Add a FIM connector to an Agent to monitor a node ... 148
Task 1: Add a FIM connector to a node ... 149
Task 2: Configure rules and specific actions for your monitored files ... 149
Edit a Monitor ... 149
Promote a Monitor to a Template ... 149
Delete a Monitor ... 150
Add conditions to a directory that FIM is watching ... 150
Edit Conditions ... 150
Delete Conditions ... 151
FIM connector advanced settings ... 151
Enable Windows file auditing for use with LEM ... 152
Enable object auditing in Windows ... 152
Enable file auditing on a file or folder in Windows ... 153
Configure Windows audit policy for use with LEM ... 153
Requirements ... 154
Windows Audit Policy ... 154
Best practice ... 155
Set the Windows audit policy ... 155
Default Domain Controllers Policy ... 155
Default Domain Policy ... 155
Configure the USB Defender local policy connector in LEM ... 158
Configure LEM to monitor Microsoft SQL databases for changes to tables and schemas ... 159
Configure your database servers ... 159
Install MSSQL Auditor on a LEM Agent ... 160
Configure MSSQL Auditor on your servers ... 160
Configure the MSSQL Auditor Connector on a LEM Agent ... 160
Send notifications of Microsoft SQL database change attempts ... 161
Configure LEM to monitor Windows domain controllers for brute force hacking attempts ... 161

Description:
Configure LEM File Integrity Monitoring (FIM) to monitor Windows files, folders, and registry keys. 180. Features of If you are installing LEM Agents on the far end of a WAN link, copy the Remote Agent Installer executable to the end of
