I've Got Logs and LEM, Now What?
Pro tips for Security, Compliance, and all around Monitoring with LEM
SolarWinds® thwackCamp 2013
© 2013 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
Quick Overview: Discussion Points
» What log sources to collect/consolidate
» How to decide what approach to take to your log data
» The most common and important things to look for
» How to link what you’re looking for to actual filters, rules, and searches in LEM
  • Learning to speak “event”
  • Finding the LEM events for what you want
» Common pitfalls
Starting at the Beginning: What to Collect
1. Make a list of what you want to accomplish
a. What are your monitoring goals? What got you here?
b. Prioritize your list. What’s most important to get right first?
c. Identify which things need alerting vs. after-the-fact reporting
2. Identify what logs will help you get there
a. For compliance, identify systems and sources in scope first.
b. For other purposes, identify systems and applications that have the logs you’re interested in.
3. Start with something you already know
a. Learn the platform without learning your logs at the same time.
b. Windows® Event Logs (Security/Application/System) are usually most familiar.
4. Don’t do too much at once
a. It’s easy to get overwhelmed and frustrated when you sip from the firehose.
5. Rinse and repeat down your list
Approaches to Log Data: What goes on your List?
» Log source-based approach
  • “I need to alert/report on logon failures to Windows systems.” (Windows Event Logs)
  • “I am interested in monitoring IIS™ logs from my servers for SQL injection attempts.” (IIS)
  • “I want to monitor access to my core banking system.” (Banking OS/Application)
  • “I want to look for unexpected patterns in network traffic.” (Firewall/Router)
  • Challenge: translating tools and logs you know to LEM.
» Objective-based approach
  • “I need to address PCI compliance in my datacenter.”
  • “I want to track changes made on all devices/systems in the network.”
  • “I want to be able to search for user activity on workstations.”
  • Challenge: breaking down the problem.
What’s on Everyone Else’s List?
» Tracking changes
  • Users/Groups: Windows Security Logs
  • Systems: Windows System/Application Log
  • Application-specific logs
  • Devices (firewalls, routers, etc.): syslogs
» Tracking authentication failures (and successes)
  • Windows Security Log, application-specific logs, authentication logs on other platforms
» Internal/external unexpected network activity
  • Proxy server logs (often syslog), network devices
» Service/system activity
  • Windows System/Application Logs
» Compliance
  • Variety of core operating system and application logs
Linking what you’re Looking for to LEM: Events 101+
1. Gather Data
• Connectors monitor log data sources on appliances and agents (files, databases)
• Connectors combine HOW to read logs with WHAT is in the log (CSV, plain text, CEF, query)
2. Normalize Events
• Connectors act as a universal translator from all log sources to put data in common fields and event categories (normalization)
• Events have a type (or name) and a set of fields specific to what data is available
3. Aggregate on Appliance
• Events are compressed, encrypted, and collected on the appliance
4. Process Events
• Correlation engine processes any of your rules for real-time alerting and response
• Console receives a copy of events for real-time monitoring and database stores a copy for search/reporting
Linking Part 2: Finding Events from Data (with Demo Example)
1. Verify data is coming from that source
a. Use an existing filter/search or build a filter/search for that device’s IP or name
2. Narrow down to event type and criteria you want to look for
a. Identify events of interest from event stream, OR
b. Use data you know to find event types (e.g. Event IDs)
3. For alerting: Identify data you want to look for or alert on
a. What do you want to include in the alert (if emailing)?
b. What do you want to trigger the alert on?
4. Build rules for alerts and/or schedule reports for those events
a. Look for existing content first! Save yourself time.
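The four steps above walked through in code, as an added example that is not from the presentation or from LEM: the events are constructed, already-normalized records, the event type and field names are assumed stand-ins, and the rule is the repeated-logon-failure alert the earlier slides use as a running case.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, already-normalized events (type and field names are
# illustrative stand-ins, not LEM's own).  Three failures for jdoe from one
# host inside a minute, one stray failure for asmith, and one success as noise.
EVENTS = [
    {"Time": "2013-10-01T09:14:02", "EventType": "UserLogonFailure",
     "DetectionIP": "10.0.0.10", "SourceAccount": "jdoe", "SourceMachine": "10.0.0.5"},
    {"Time": "2013-10-01T09:14:09", "EventType": "UserLogon",
     "DetectionIP": "10.0.0.10", "SourceAccount": "svc_backup", "SourceMachine": "10.0.0.7"},
    {"Time": "2013-10-01T09:14:20", "EventType": "UserLogonFailure",
     "DetectionIP": "10.0.0.10", "SourceAccount": "jdoe", "SourceMachine": "10.0.0.5"},
    {"Time": "2013-10-01T09:14:31", "EventType": "UserLogonFailure",
     "DetectionIP": "10.0.0.11", "SourceAccount": "asmith", "SourceMachine": "10.0.0.6"},
    {"Time": "2013-10-01T09:14:40", "EventType": "UserLogonFailure",
     "DetectionIP": "10.0.0.10", "SourceAccount": "jdoe", "SourceMachine": "10.0.0.5"},
]


def from_source(events, detection_ip):
    """Step 1: confirm the device is actually sending by filtering on its IP/name."""
    return [e for e in events if e.get("DetectionIP") == detection_ip]


def of_type(events, event_type):
    """Step 2: narrow the stream to the one event type you care about."""
    return [e for e in events if e.get("EventType") == event_type]


def threshold_rule(events, group_by, count, window, alert_fields):
    """Steps 3 and 4: fire when `count` events share the same `group_by` value
    inside `window`.  The alert carries only the fields the email needs plus
    the burst summary, so the template never references a missing field."""
    alerts = []
    recent = defaultdict(deque)  # group value -> (timestamp, event) in time order
    for e in sorted(events, key=lambda ev: ev["Time"]):
        ts = datetime.fromisoformat(e["Time"])
        q = recent[e[group_by]]
        q.append((ts, e))
        while q and ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= count:
            alert = {k: e.get(k) for k in alert_fields}
            alert.update({"Count": len(q), "FirstSeen": q[0][1]["Time"], "LastSeen": e["Time"]})
            alerts.append(alert)
            q.clear()  # one burst produces one alert, not one per extra failure
    return alerts


def demo():
    """Apply the steps in order to the constructed stream."""
    stream = of_type(from_source(EVENTS, "10.0.0.10"), "UserLogonFailure")
    return threshold_rule(stream, "SourceAccount", 3, timedelta(minutes=1),
                          ("SourceAccount", "SourceMachine", "DetectionIP"))


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```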
Common Pitfalls/Questions
» It’s not necessarily good to turn on the firehose and audit at maximum levels
  • Start with what you need, then ratchet up from there.
  • More log data IS good for troubleshooting, but as you start, err on the side of less is more.
» Shortcut configuring many agents consistently by using Tool Profiles
  • Profiles group agents (useful in rules/filters/searches!) and push out a common/standard configuration
» Why am I not seeing the fields I want to include in this email/alert?
  • Generic event types or groups: selecting two event types gives you only the fields they have in common (the lowest common denominator)
» I can’t figure out how to get LEM to send email!
  • Configure the email active response connector on the appliance first!
» How do I change what’s in the email template?
  • Edit templates in Build>Groups. Add your own values, then use fields to fill in dynamically.
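An added illustration, not the presentation's or LEM's own code, of the connector and normalization pipeline from Events 101+ and of the lowest-common-denominator fields pitfall above: two constructed log lines, two toy connectors that each emit only the fields their source provides, and the set of fields a template spanning both event types could actually use. Event type and field names are assumed stand-ins.

```python
"""Toy connector + normalizer in the shape the slides describe.

A connector knows HOW to read a source (here: a regex per format) and WHAT is
in it (a field mapping), and emits an event with a type plus only the fields
that source actually provides.  Event type and field names are illustrative
stand-ins, not LEM's own.  Both sample lines are constructed.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Event:
    event_type: str
    fields: dict = field(default_factory=dict)


# Constructed samples: a Windows Security event exported as CSV, and a
# firewall deny line as it might arrive over syslog.
WINDOWS_LINE = "2013-10-01 09:14:02,4625,SRV01,jdoe,10.0.0.5,An account failed to log on"
SYSLOG_LINE = "Oct  1 09:14:05 fw01 kernel: DENY TCP 203.0.113.9:51234 -> 10.0.0.5:445"

# HOW to read each source.
WINDOWS_RE = re.compile(
    r"^(?P<ts>[^,]+),(?P<eid>\d+),(?P<host>[^,]+),(?P<user>[^,]+),(?P<src>[^,]+),(?P<msg>.*)$"
)
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) kernel: (?P<action>DENY|ALLOW) "
    r"(?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# WHAT is in the log: Windows Event ID -> event type (4625 and 4624 are the
# real Windows logon-failure / logon-success IDs; the type names are ours).
WINDOWS_EVENT_IDS = {"4625": "UserLogonFailure", "4624": "UserLogon"}


def parse_windows(line):
    """Connector for the CSV-exported Windows Security log."""
    m = WINDOWS_RE.match(line)
    if not m:
        return None
    return Event(
        WINDOWS_EVENT_IDS.get(m["eid"], "WindowsGenericEvent"),
        {"Time": m["ts"], "DetectionIP": m["host"], "EventID": m["eid"],
         "SourceAccount": m["user"], "SourceMachine": m["src"]},
    )


def parse_firewall_syslog(line):
    """Connector for the firewall's syslog output; note there is no account field."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    etype = "TrafficDenied" if m["action"] == "DENY" else "TrafficAllowed"
    return Event(
        etype,
        {"Time": m["ts"], "DetectionIP": m["host"], "Protocol": m["proto"],
         "SourceMachine": m["src"], "DestinationMachine": m["dst"],
         "DestinationPort": int(m["dport"])},
    )


def normalize(line):
    """Try each connector in turn; lines no connector understands are dropped."""
    for parser in (parse_windows, parse_firewall_syslog):
        ev = parser(line)
        if ev is not None:
            return ev
    return None


def common_fields(events):
    """Fields every selected event shares: the lowest common denominator an
    alert or email template spanning several event types can reference."""
    sets = [set(e.fields) for e in events]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    evs = [normalize(WINDOWS_LINE), normalize(SYSLOG_LINE)]
    for ev in evs:
        print(ev.event_type, sorted(ev.fields))
    print("usable in a template spanning both:", sorted(common_fields(evs)))
```

SourceAccount is present only on the Windows event, so an email template built over both types cannot use it; that is the field you "stop seeing" in the pitfall above.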
Resources
» Check out last year’s thwack® Camp presentation for more ideas on what to monitor
  • http://www.youtube.com/watch?v=afZWCLz4RPc
» Thwack Forum for LEM
  • http://thwack.solarwinds.com/community/log-and-event_tht/log-and-event-manager
» LEM Videos! Both Quick and Advanced/Extensive
  • Intro: http://www.solarwinds.com/resources/tags/lem-intro.aspx (linked in your LEM Console Getting Started area, too)
  • Advanced: http://www.solarwinds.com/resources/tags/lem-advanced.aspx
» One-Stop Help: Links to How-Tos, KBs, Docs, & More
  • http://thwack.solarwinds.com/docs/DOC-1097
Questions?
Thank You!
The SOLARWINDS and SOLARWINDS & Design marks are the exclusive property of SolarWinds
Worldwide, LLC, are registered with the U.S. Patent and Trademark Office, and may be registered or
pending registration in other countries. All other SolarWinds trademarks, service marks, and logos
may be common law marks, registered or pending registration in the United States or in other
countries. All other trademarks mentioned herein are used for identification purposes only and
may be or are trademarks or registered trademarks of their respective companies.


Editor's Notes

  1. There will be a quick LEM demo here – I can put screenshots in slides as a backup if needed.