The Appliances view

Adds a new Manager or network appliance to the console.

Displays a list of commands you can perform on the appliance.

When you select a Manager in the grid, use Logout, Configure, and Connectors for connecting products to the appliance. Select Policy for assigning an event distribution policy.

Displays the connection status of the appliance.

indicates connected and logged in.

indicates disconnected and logged off.

Displays the name of the Manager or appliance.

Describes the type of appliance as a Manager, database, logging server, or network sensor.

Displays the SEM Manager software version.

Displays the Manager platform name. The platform can be Trigeo SIM, VMware vSphere, or Microsoft Hyper-V.

Displays the IP address of the Manager or appliance.

Displays the port number used by the console to communicate with the Manager, network appliance, or database.

Displays the SEM Manager or SEM appliance connection status.

Displays the SEM Manager or SEM appliance name.

Displays the appliance type: Manager, Database Server, nDepth, Logging Server, or Network Sensor.

Displays the SEM Manager's software version.

Displays the SEM Manager or SEM appliance IP address.

Enter the password if configuring the console to log in automatically.

Leave this field empty if you want the console to prompt for a password when logging in.

Displays the total number of nodes allowed by your SolarWinds SEM license.

Displays the number of nodes allocated to SEM agent devices (such as workstations or servers).

Displays the number of nodes allocated to non-agent devices (such as firewalls and switches).

Password Policy

Enter or select the minimum number of required password characters. Passwords must have at least six characters, but no more than 40 characters.

Select this check box if passwords must meet the following complexity requirements:

• Passwords must not match or contain part of the user’s user name.
• Passwords must be at least six characters long.
• Passwords must contain characters from three of the following four categories:
  • English uppercase characters (A through Z).
  • English lowercase characters (a through z).
  • Base 10 digits (0 through 9).
  • Non-alphanumeric characters (!, $, #, %, ^, etc.).

Remote Updates

Select this check box to enable a SEM Manager to update its qualifying Agents with the latest software updates. Clear this check box to disable this feature.

Each Agent is also controlled by its Automatic Update settings on the Agents grid. The Agent Automatic Updates setting is disabled if you select the Enable Global Automatic Updates check box.

Select how many Agents the SEM Manager can update at one time. The default value is 10.

If the number of Agents that require updates is greater than the value you entered in this field, the remaining Agents are queued for updates when an update slot is available.

Explorer Command Agent

Select the default Agent for performing SolarWinds explorer functions, such as NSLookup and Whois. For best results, choose an Agent that is normally online and will return the expected results.

Connection Requests

Set the value for the amount of time before a timeout request is initiated.

SolarWinds Improvement Program

Threat Intelligence

Enter the port number used by the console to communicate with the Manager network appliance or database.

The secure port number is 8443. This value defaults to 8080 for virtual appliances in the evaluation phase. This field only applies when the Appliance Type is Manager.

Select Virtual if SEM is deployed as a VM, or select the appropriate appliance model (applies to older versions of SEM).

If you don't know the model type, select Unknown. If your model type does not appear in the drop-down list, select Other. Your selection will not impact Manager operations. If you selected a listed model type, an image of the appliance displays in the Details pane.

Hides and open the Refine Results pane.

Displays all supported products. You can apply filters to the grid to reduce the number of displayed products and show only those products configured for use with this Agent. You can also associate a particular product category or status (Running or Stopped).

The Connectors grid lists all the sensor and actor connectors that are available to each Agent. These connectors are what allow SEM to monitor and interact with your network security products and devices.

Connectors are organized by category and product name. Each connector is named after the third-party product it is designed to configure for use with SEM.

Click this button to create a new connector instance the sensor or actor that is currently selected in the Connectors grid.

The gear button opens a menu of commands that apply to the connector that is currently selected in the grid.

Shows the connector’s current connection status:

indicates the connector is connected and running.

indicates the connector is disconnected and not running.

The high-level connector category, such as anti-virus connectors, firewall connectors, operating system connectors, etc.

A blue connector icon represents a sensor for a particular product. The sensor displays the name of the product it is designed to monitor.

Each connector instance (or alias) that is currently configured to monitor that product is listed below the connector. If no connector instances are listed, it means the product, on this Agent computer, has not been configured for use with SEM.

Whenever you select a sensor in the grid, the lower pane displays the connector’s name and a description of the sensor, when available.

The orange connector icon represents an actor for a product that can perform an active response. The actor displays the name of the product it is designed to interact with.

Each connector instance (or alias) that is currently configured to initiate an active response on that product is listed below the connector. If no connector instances are listed, it means the product, on this Agent computer, has not been configured for use with SEM.

Whenever you select an actor in the grid, the lower pane displays the connector’s name and a description of the actor, when available.

This icon represents a configured instance of a sensor connector. Each sensor can have more than one instance, where each configuration is identified by a different name, called an alias. In the grid, each configured connector instance appears below its connector.

Whenever you select a sensor connector instance in the grid, the lower pane displays the sensor connector’s name, and the connector instance’s name (or alias) and configuration settings. The Status column displays each instance’s current status—Stopped () or Running ().

Clears the form and return the Connectors grid to its default state showing all connectors.

Performs keyword searches for specific products.

Displays instances in the Connectors grid that are configured for your targeted Manager or Agent.

Clear this check box to have the grid list both configured and unconfigured connectors.

Select a high-level category to list the connectors that are available to support third-party products in that category. Each connector is named after the product it is designed to configure for use with SEM.

If you cannot find a particular product, it is either not supported, or it is in a different category.

Type a name that easily identifies the application or appliance event log file that is being monitored.

For active response connectors, we recommend you end the alias with “AR”. For example, an alias for the Cisco PIX Active Response connector might be “Cisco PIX AR”. This allows you to differentiate the active response connector from the data gathering connector.

When you create a new alias for a connector, SEM automatically places a default log file path in the Log File box. This path tells the connector where the operating system stores the product’s event log file.

For most connectors, you can change the log file path, as needed. However, some products write events to the Windows Application Log or the Windows System Log. In these cases, you are actually configuring the sensor that monitors events that are written to that log file. For these connectors, the Log File setting is disabled, and the system automatically populates the Log File field with the name of the Windows event log the sensor is monitoring.

In most cases, you should be able to use the default log file path that is shown for the connector. These paths are based on the default vendor settings and the product documentation for each product. If a different log path is needed, type or paste the correct path in the Log File box, or use the Browse button to explore to correct folder or file.

If you are uncertain about which file path to use, either refer to your original product documentation, or contact SolarWinds Technical Support.

If the product creates separate log files based on the current date or some other fixed interval, you can either select the log directory or any log file in that directory. If you select a log file, SEM reads through the directory’s log files in order, from the file you selected to the most current file. The SEM then reads new files as they are added.

Only change this value if SEM is configured for nDepth log retention. If SEM is not configured to receive and store raw (unnormalized) log data in its own database, changing this value can cause all alert data to queue indefinitely.

If you are using a separate nDepth appliance or nDepth VM, type the IP address or host name for the nDepth instance. Generally, the default setting is correct. Only change it if you are advised to do so.

Only change this value if SEM is configured for nDepth log retention. If SEM is not configured to receive and store raw (unnormalized) log data in its own database, changing this value can cause all alert data to queue indefinitely.

If you are using a separate nDepth appliance or nDepth VM, type the port number to which the connector is to send nDepth data. Generally, the default setting is correct. Only change it if you are advised to do so.

Select the interval in which the connector posts and names each new log file. The interval tells the SolarWinds SEM when to begin reading the next log file. The default setting is Daily: yymmdd.

Only change this value if SEM is configured for nDepth log retention. If SEM is not configured to receive and store raw (unnormalized) log data in its own database, changing this value can cause all alert data to queue indefinitely.

Select the appropriate data output option:

Event: This is the default option. It sends the connector’s log file data as events to the SolarWinds SEM for processing by your correlation rules, associated active responses, SolarWinds Consoles, and databases.

nDepth: This option sends the connector’s log file data to a separate nDepth appliance for archiving. The data does not go to the SolarWinds SEM, so any potential event activity does not appear in the Event Pane. However, you can still use the Console's nDepth explorer to search the data on this appliance.

Event, nDepth: SolarWinds recommends that you choose this option if you want to use nDepth to search log messages in addition to events. This option sends the connector’s log file data to the SolarWinds SEM for event processing and to SolarWinds nDepth for data archiving. This means the SEM reports potential event activity in the Event Pane, and nDepth archives the connector’s output data for later reference. Furthermore, you can use the Console's nDepth explorer to search either type of data.

Type the IP address of the router or firewall. Use the following IP address format: 192.123.123.123.

Type or select the time (in seconds) the connector sensor is to wait between event monitoring sessions. The default (and minimum) value for all connectors is one (1) second. If you experience adverse effects due to too many rapid readings of log entries, increase the Sleep Time for the appropriate connectors.

Windows NT-based connectors automatically notify Windows Event Log sensors of new events that enter the log file. Should automatic notification stop for any reason, the Sleep Time dictates the interval the sensor is to use for monitoring new events.

This is the SolarWinds release version for this connector. This is read-only information for reference purposes.

These settings are no longer applicable.

For CheckPoint OPSEC firewalls, select the port used to connect to the CheckPoint server via the LEA/OPSEC interface.

Type the URL to connect to the SonicWALL firewall and perform the login. Include “http://” at the beginning of the URL.

SolarWinds does not support HTTPS. Only use this connector for older SonicWALL firmware version.

For CheckPoint OPSEC firewalls, type the timeout in seconds for the blocks to expire from the firewall. A value of zero (0) indicates never expire.

For CheckPoint OPSEC firewalls, type the client DN string. The CN and O must be uppercase.

Select either telnet or SerialPort.

Type the connector’s password for entering Enable mode.

For the Windows Active Response connector, select this check box to enable active response settings.

Type the external zone used for configuring restrictions on firewall connections.

Type the Interface for which the block is to be made effective; that is, the Interface for which incoming traffic will be filtered to prevent traffic from the blocked IP address.

Type the connector’s login password. For some products, the password name must be the same one that was used when the firewall was installed.

Select a serial port for performing active response via console cable, if applicable. The port name represents the physical communication port on the computer. The port name is only relevant if the Configuration Mode (below) is set to SerialPort.

/dev/ttyS0 = serial port 1, and

/dev/ttyS1 = serial port 2.

If the Configuration Mode is set to telnet, then this field is disabled and the Port Name box reads: There are no ports available.

Type the firewall port used for connecting to and configuring the firewall.

For CheckPoint OPSEC firewalls, type the server DN string. The “cn” and “o” must be lowercase.

For CheckPoint OPSEC firewalls, select the port used to connect to the CheckPoint server via the SAM/OPSEC interface.

Type the IP address of the router or firewall. This address allows SEM to perform active responses to events on that particular router or firewall. Use the following IP address format: 192.123.123.123.

For CheckPoint OPSEC firewalls, click Browse to locate the SSL certificate file to upload to the server. If the connector is already configured, then use the existing certificate on the server. You can use the same path for both the LEA (log reading) and SAM (active response) certificates.

Only one person can configure the firewall at one time. Selecting this check box allows SEM’s active response to take administrative control over the firewall when a user is logged into the WatchGuard Management Console. That is, SEM disconnects the user and takes control over the firewall.

Type the internal zone used for configuring restrictions on firewall connections.

Type a name that easily identifies the product that SEM is to act on. For active response connectors, we recommend you end the alias with “AR”. For example, an alias for the Cisco PIX Active Response connector might be “Cisco PIX AR”. This allows you to differentiate the active response connector from the data gathering connector.

Append Text to File Active Response

Use this connector to have the Agent “write” the specified event data or text to the specified file.

Select Newline to write the event data to the file so that each event is on a distinct line (that is, one event per line), by inserting a return or newline character.

Select No Newline to stream the event data to the file by appending the new data immediately following any existing data in the file.

Type the allowable maximum file size for the text file, in Megabytes.

Directory Service Query

Use this connector to have the Manager communicate with existing directory services on the network to retrieve and update group information. This allows you to synchronize your existing Directory Service Groups for use with rules and filters.

Type a user name that is valid on the configured domain and server for authenticating to the domain and retrieving group information.

Type the IP address or host name of your directory services server (commonly, this is a domain controller).

Type the fully-qualified domain name of your directory services domain.

Type the password for the above user name that is valid on the configured domain and server for authenticating to the domain and retrieving group information.

Type the port used to communicate with the directory service server.

Email Active Response

Use this connector to have a Manager automatically notify users of events by event policy. The event policy requires configuration.

Type the name that you want to appear in the From field of active response e-mail messages.

Type the port used to communicate with the internal email server.

Type the email address that you want to appear in the From field of active response email messages.

Type the IP address or host name of an internal SMTP server that the Manager can use to send email messages through without authentication.

Type the user name needed to access the internal email server, if required.

Type the password needed to access the internal email server, if required.

Type the e-mail address you want to use to test the Mail Host assignment. When you click Test Email, a test message should appear at this email address.

Lists event categories and event types. Click ▼ to expand an event category.

Select a check box to indicate whether an event time or event category is sent to the console or local database.

When selected, the event type is routed to that destination. Clear a check box to prevent the event type from being routed to that destination.

Exports a Manager event policy to a spreadsheet file.

Click to select the Apply State to Branch command. This command pushes (or propagates) the selected event node check box settings down to the related, lower-level event types in the node tree hierarchy.