The Appliances view
To add and manage SEM VMs, legacy appliances, and global settings, navigate to Manage > Appliances on the SEM menu bar.
This topic provides page-level help for the Appliances view on the SEM Console.
The following example shows the Appliances view on the SEM Console.
Tasks that you can perform using this view include:
- Connecting to (or disconnecting from) a particular SEM Manager.
- Adding a SEM Manager’s Agents.
- Configuring rules, policies, and network security connectors that apply to each Manager.
Commands in the Appliances view can take a while to execute, because they must remotely access the Manager or network appliance.
The Appliances view is primarily concerned with managing SEM Managers. Customers with large SEM installations that include older SEM appliances may also see other components in the appliance list, including:
- Database servers
- Logging servers
- Network sensors
- nDepth servers
The Appliances main view
The following tables describe the Appliances view elements.
The Appliances menu bar
Name | Description |
---|---|
(icon) | Adds a new Manager or network appliance to the console. |
(icon) | Displays a drop-down menu to copy, import, or export user settings. You can copy grid information about your Manager and paste it to a Microsoft Excel spreadsheet for analysis or to the Remote Agent installer for updates. |
The Appliances grid
The following table describes the columns and selections in the Appliances grid.
Column | Description |
---|---|
(icon) | Displays a list of commands you can perform on the appliance. When you select a Manager in the grid, use Logout, Configure, and Connectors for connecting products to the appliance. Select Policy for assigning an event distribution policy. |
Status | Displays the connection status of the appliance. |
Name | Displays the name of the Manager or appliance. |
Type | Describes the type of appliance as a Manager, database, logging server, or network sensor. |
Version | Displays the SEM Manager software version. |
Platform | Displays the Manager platform name. The platform can be Trigeo SIM, VMware vSphere, or Microsoft Hyper-V. |
IP Address | Displays the IP address of the Manager or appliance. |
Port | Displays the port number used by the console to communicate with the Manager, network appliance, or database. |
Connectors Update Enabled | Indicates whether the appliance connectors are configured for automatic updates. If the icon is green, SEM is set up to automatically update whenever SolarWinds updates a connector. If the icon is gray, automatic connector updates are inactive and must be turned on for automatic connector updates. |
User | Displays the user currently logged on to the Manager. |
To automatically apply connector updates and manually apply individual connector updates, use the Connector Updates menu at the top right of the Appliance grid.
The Details pane
The Details pane displays essential information about a SEM VM or appliance, including the VM's name, connection status, and IP address.
Field | Description |
---|---|
Platform | Displays the name of the Manager platform (VMware vSphere, Microsoft Hyper-V, or Trigeo SIM). |
CPU Reservation | Displays the CPU space reservation. Reserving CPU space ensures you have adequate resources available for the allocated CPUs. |
Number of CPUs | Displays the number of CPUs allocated to this SEM Manager. |
Memory Allocation | Displays the amount of memory allocated to this SEM Manager. |
Memory Reservation | Displays the amount of memory reserved for this system. Reserving memory ensures enough system memory is available when needed. |
Status | Displays the SEM Manager or SEM appliance connection status. |
Name | Displays the SEM Manager or SEM appliance name. |
Type | Displays the appliance type: Manager, Database Server, nDepth, Logging Server, or Network Sensor. |
Version | Displays the SEM Manager's software version. |
IP Address | Displays the SEM Manager or SEM appliance IP address. |
Port | Displays the port number used by the console to communicate with the SEM Manager or SEM appliance. |
The Properties pane
The Properties pane consists of the Login, License, and Settings tabs.
The Properties pane is only used to configure SEM Manager settings. It is not active if you select another type of SEM VM in the Appliances grid.
The Login tab
Field | Description |
---|---|
Username | Enter the user name to log in with if configuring the console to log in automatically. |
Password | Enter the password if configuring the console to log in automatically. Leave this field empty if you want the console to prompt for a password when logging in. |
Login Automatically Next Time | Automatically log in to the Manager when you open the console. Clear this check box if you prefer to log in manually. |
Save Credentials | Enable the console to save the SEM Manager user name and password locally. If the Login Automatically Next Time check box is selected, the console will automatically log on to the Manager when the console is started. Otherwise, the console automatically provides the user name and password when you manually log in to the Manager. |
Reconnect on disconnection / Try to reconnect every n seconds | Enable the console to reconnect with the SEM Manager when the Manager is disconnected for any reason. |
Timeout reconnection attempts after n tries | Select to have the Console quit its reconnection attempts with the SEM Manager after a given number of tries, especially if the previous connection attempts were unsuccessful. |
The License tab
The License tab summarizes your available and allocated licenses, and activates your SolarWinds SEM license.
Field | Description |
---|---|
Total Nodes | Displays the total number of nodes allowed by your SolarWinds SEM license. |
Total Unused Nodes | Displays the number of unallocated nodes. |
Total Agent Nodes | Displays the number of nodes allocated to SEM agent devices (such as workstations or servers). |
Total Non-Agent Nodes | Displays the number of nodes allocated to non-agent devices (such as firewalls and switches). |
Maintenance Expiration Date | Displays the date your current maintenance contract with SolarWinds Support expires. |
The Settings tab
The Settings tab defines the SEM Manager password policy settings and the global automatic update settings. Global automatic updates allow the SEM Manager to automatically send software updates to Agents as new software becomes available.
Field | Description |
---|---|
Password Policy | |
Minimum Password Length | Enter or select the minimum number of required password characters. Passwords must have at least six characters, but no more than 40 characters. |
Must meet complexity requirements | Select this check box if passwords must meet the following complexity requirements: |
Remote Updates | |
Enable Global Automatic Updates | Select this check box to enable a SEM Manager to update its qualifying Agents with the latest software updates. Clear this check box to disable this feature. Each Agent is also controlled by its Automatic Update settings on the Agents grid. The Agent Automatic Updates setting is disabled if you select the Enable Global Automatic Updates check box. |
Maximum Concurrent Updates | Select how many Agents the SEM Manager can update at one time. The default value is 10. If the number of Agents that require updates is greater than the value you entered in this field, the remaining Agents are queued for updates when an update slot is available. |
Explorer Command Agent | |
Current Default Agent | Select the default Agent for performing SolarWinds explorer functions, such as NSLookup and Whois. For best results, choose an Agent that is normally online and will return the expected results. |
Connection Requests | |
Minutes | Set the value for the amount of time before a timeout request is initiated. |
Seconds | Set the value for the amount of time before a timeout request is initiated. |
SolarWinds Improvement Program | |
Email Address | Enter your email address. |
Send usage statistics to SolarWinds to help us improve our products | Select this check box to send statistics to SolarWinds. |
Threat Intelligence | |
Allow SEM to detect threats based on list of bad IP addresses | This check box is active by default. Threat intelligence identifies events as threats by matching event IP information against a list of known bad IP addresses. |
Only administrators have permissions to enable or disable the threat intelligence feed. Disabling and reenabling the threat intelligence feed forces a threat intelligence update and creates an InternalAudit event. Restarting SEM also forces the threat intelligence feed to update.
The Connect to SolarWinds Security Event Manager Appliance form
Field | Description |
---|---|
Name or IP | Enter the SEM VM name or IP address. |
Username | Enter the user name to log in with. |
Password | Enter the password for the account. |
Login on console startup | Select to automatically log in to SEM when the console is started. |
Save Credentials | Select to save the login user name and password. |
Appliance Type | Select the appropriate SEM Manager or server. |
Connection Port | Enter the port number used by the console to communicate with the Manager, network appliance, or database. The secure port number is 8443. This value defaults to 8080 for virtual appliances in the evaluation phase. This field only applies when the Appliance Type is Manager. |
Model | Select Virtual if SEM is deployed as a VM, or select the appropriate appliance model (applies to older versions of SEM). If you don't know the model type, select Unknown. If your model type does not appear in the drop-down list, select Other. Your selection will not impact Manager operations. If you selected a listed model type, an image of the appliance displays in the Details pane. |
Level | This option does not apply if SEM is deployed as a VM. If you are adding a physical appliance, select the appliance level. This value is related to the appliance capacity and performance. If you are not sure which level to choose, select Unknown. |
Service Tag | Enter the SEM appliance serial or registration number. This number uniquely identifies this piece of equipment and its specific configuration properties. |
Icon Color | Select the desired color for your icon. |
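The following is an added example, not SolarWinds code: it audits rows copied from the Appliances grid, flagging Managers whose Port is not the secure 8443 described above and appliances whose automatic connector updates are inactive. The tab-separated layout, the `true`/`false` rendering of the Connectors Update Enabled icon, and every sample value are assumptions.

```python
import csv
import io

SECURE_PORT = 8443  # page: "The secure port number is 8443"
EVAL_PORT = 8080    # page: default for virtual appliances in the evaluation phase
REQUIRED = ("Name", "Type", "Port", "Connectors Update Enabled")
DISABLED = {"false", "no", "disabled", "gray"}  # assumed text forms of the gray icon

COLUMNS = ["Status", "Name", "Type", "Version", "Platform",
           "IP Address", "Port", "Connectors Update Enabled", "User"]

# Constructed sample rows. Column names follow the Appliances grid table;
# the values (names, 192.0.2.0/24 addresses, x.y.z versions) are made up.
ROWS = [
    ["Connected", "sem-prod-01", "Manager", "x.y.z", "VMware vSphere",
     "192.0.2.10", "8443", "true", "admin"],
    ["Connected", "sem-eval-02", "Manager", "x.y.z", "Microsoft Hyper-V",
     "192.0.2.11", "8080", "false", "admin"],
    ["Connected", "sem-lab-03", "Manager", "x.y.z", "Trigeo SIM",
     "192.0.2.12", "9443", "true", "admin"],
    ["Disconnected", "sem-db-01", "Database", "", "",
     "192.0.2.20", "8080", "", ""],
]
SAMPLE_GRID = "\n".join("\t".join(r) for r in [COLUMNS] + ROWS) + "\n"


def parse_grid(text):
    """Parse tab-separated grid text into a list of dicts keyed by column name."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"grid paste is missing columns: {missing}")
    return list(reader)


def audit_row(row):
    """Return a list of findings for one grid row (empty list means clean)."""
    findings = []
    # The Connection Port rule only applies when the appliance type is Manager.
    if (row.get("Type") or "").strip().lower() == "manager":
        raw = (row.get("Port") or "").strip()
        if not raw.isdigit():
            findings.append(f"port {raw!r} is not numeric")
        elif int(raw) == EVAL_PORT:
            findings.append(
                "console port is the evaluation default 8080, not the secure port 8443")
        elif int(raw) != SECURE_PORT:
            findings.append(
                f"console port {raw} is neither 8443 nor 8080; confirm what it serves")
    # An empty cell (for example a legacy database server) is not judged.
    state = (row.get("Connectors Update Enabled") or "").strip().lower()
    if state in DISABLED:
        findings.append("automatic connector updates are inactive")
    return findings


def audit_grid(text):
    """Map appliance name -> findings, for rows that have at least one finding."""
    report = {}
    for row in parse_grid(text):
        findings = audit_row(row)
        if findings:
            report[(row.get("Name") or "").strip()] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_grid(SAMPLE_GRID).items():
        for finding in findings:
            print(f"{name}: {finding}")
```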
The Configure your SolarWinds Security Event Manager Appliance form
See The Connect to SolarWinds Security Event Manager Appliance form for help.
The Connector Configuration form
The following table describes the key features of the Connector Configuration form.
Name | Description |
---|---|
Sidebar button | Hides and opens the Refine Results pane. |
Refine Results pane | Displays all supported products. You can apply filters to the grid to reduce the number of displayed products and show only those products configured for use with this Agent. You can also associate a particular product category or status (Running or Stopped). |
Connectors grid | The Connectors grid lists all the sensor and actor connectors that are available to each Agent. These connectors are what allow SEM to monitor and interact with your network security products and devices. Connectors are organized by category and product name. Each connector is named after the third-party product it is designed to configure for use with SEM. |
(button) | Click this button to create a new connector instance of the sensor or actor that is currently selected in the Connectors grid. |
Properties pane | This pane displays detailed information about the connector that is currently selected in the Connectors grid. Whenever you add or edit a connector, this pane turns into an editable form for recording the configuration settings. |
Connectors grid columns
The following table briefly describes the meaning of each column in the Connector Configuration form’s Connectors grid.
Column | Description |
---|---|
(gear button) | The gear button opens a menu of commands that apply to the connector that is currently selected in the grid. |
Status | Shows the connector’s current connection status: |
Category | The high-level connector category, such as anti-virus connectors, firewall connectors, operating system connectors, etc. |
Name | The actor, sensor, or connector instance name. Typically, connectors are named after the third-party products they are designed to configure for use with SEM. |
The Connectors grid icons
The following table describes the icons used in the Connector Configuration utility’s node tree.
Icon | Description |
---|---|
(blue connector icon) | A blue connector icon represents a sensor for a particular product. The sensor displays the name of the product it is designed to monitor. Each connector instance (or alias) that is currently configured to monitor that product is listed below the connector. If no connector instances are listed, it means the product, on this Agent computer, has not been configured for use with SEM. Whenever you select a sensor in the grid, the lower pane displays the connector’s name and a description of the sensor, when available. |
(orange connector icon) | The orange connector icon represents an actor for a product that can perform an active response. The actor displays the name of the product it is designed to interact with. Each connector instance (or alias) that is currently configured to initiate an active response on that product is listed below the connector. If no connector instances are listed, it means the product, on this Agent computer, has not been configured for use with SEM. Whenever you select an actor in the grid, the lower pane displays the connector’s name and a description of the actor, when available. |
(icon) | This icon represents a configured instance of a sensor connector. Each sensor can have more than one instance, where each configuration is identified by a different name, called an alias. In the grid, each configured connector instance appears below its connector. Whenever you select a sensor connector instance in the grid, the lower pane displays the sensor connector’s name, and the connector instance’s name (or alias) and configuration settings. The Status column displays each instance’s current status—Stopped (
(icon) | This icon represents a configured instance of an actor connector. Each actor can have more than one instance, where each configuration is identified by a different name, called an alias. In the grid, each configured connector instance appears below its connector. Whenever you select an actor connector instance in the grid, the lower pane displays the actor connector’s name, and the connector instance’s name (or alias) and configuration settings. The Status column displays each instance’s current status—Stopped (
Refining the Connectors grid
By default, the Connectors grid shows every connector (sensor and actor) that can be configured for use with a particular Agent or Manager. To help you work more efficiently with a long list of connectors, the Refine Results pane lets you apply filters to the Connectors grid to reduce the number of connectors it shows.
When you select options in the Refine Results pane, the Connectors grid refreshes to show only those sensors and actors that match the options you have selected. The other connectors are still there; however, they are hidden. To restore them to the grid, click the Reset button or select All in the refinement lists you are using.
The following table explains how to use the Refine Results pane.
Field | Description |
---|---|
Reset | Clears the form and returns the Connectors grid to its default state showing all connectors. |
(search field) | Performs keyword searches for specific products. |
Configured Connectors | Displays instances in the Connectors grid that are configured for your targeted Manager or Agent. Clear this check box to have the grid list both configured and unconfigured connectors. |
Category | Select a high-level category to list the connectors that are available to support third-party products in that category. Each connector is named after the product it is designed to configure for use with SEM. If you cannot find a particular product, it is either not supported, or it is in a different category. |
Status | Select Running to list all connectors currently running on your targeted Manager or Agent. Select Stopped to list all connectors that are currently stopped on your targeted Manager or Agent. |
The Connector Configuration form fields for data-gathering (sensor) connectors
This section describes each field on the Connector Configuration form when you configure sensors for data-gathering connectors.
Not every field appears with every connector. The fields that appear depend on the connector that you are configuring.
Field | Description |
---|---|
Alias | Type a name that easily identifies the application or appliance event log file that is being monitored. For active response connectors, we recommend you end the alias with “AR”. For example, an alias for the Cisco PIX Active Response connector might be “Cisco PIX AR”. This allows you to differentiate the active response connector from the data gathering connector. |
Log File / Log Directory | When you create a new alias for a connector, SEM automatically places a default log file path in the Log File box. This path tells the connector where the operating system stores the product’s event log file. For most connectors, you can change the log file path, as needed. However, some products write events to the Windows Application Log or the Windows System Log. In these cases, you are actually configuring the sensor that monitors events that are written to that log file. For these connectors, the Log File setting is disabled, and the system automatically populates the Log File field with the name of the Windows event log the sensor is monitoring. In most cases, you should be able to use the default log file path that is shown for the connector. These paths are based on the default vendor settings and the product documentation for each product. If a different log path is needed, type or paste the correct path in the Log File box, or use the Browse button to browse to the correct folder or file. If you are uncertain about which file path to use, either refer to your original product documentation, or contact SolarWinds Technical Support. If the product creates separate log files based on the current date or some other fixed interval, you can either select the log directory or any log file in that directory. If you select a log file, SEM reads through the directory’s log files in order, from the file you selected to the most current file. SEM then reads new files as they are added. |
nDepth Host | Only change this value if SEM is configured for nDepth log retention. If SEM is not configured to receive and store raw (unnormalized) log data in its own database, changing this value can cause all alert data to queue indefinitely. If you are using a separate nDepth appliance or nDepth VM, type the IP address or host name for the nDepth instance. Generally, the default setting is correct. Only change it if you are advised to do so. |
nDepth Port | Only change this value if SEM is configured for nDepth log retention. If SEM is not configured to receive and store raw (unnormalized) log data in its own database, changing this value can cause all alert data to queue indefinitely. If you are using a separate nDepth appliance or nDepth VM, type the port number to which the connector is to send nDepth data. Generally, the default setting is correct. Only change it if you are advised to do so. |
New File Name Interval | Select the interval in which the connector posts and names each new log file. The interval tells the SolarWinds SEM when to begin reading the next log file. The default setting is
Output | Only change this value if SEM is configured for nDepth log retention. If SEM is not configured to receive and store raw (unnormalized) log data in its own database, changing this value can cause all alert data to queue indefinitely. Select the appropriate data output option: Event: This is the default option. It sends the connector’s log file data as events to the SolarWinds SEM for processing by your correlation rules, associated active responses, SolarWinds Consoles, and databases. nDepth: This option sends the connector’s log file data to a separate nDepth appliance for archiving. The data does not go to the SolarWinds SEM, so any potential event activity does not appear in the Event Pane. However, you can still use the Console's nDepth explorer to search the data on this appliance. Event, nDepth: SolarWinds recommends that you choose this option if you want to use nDepth to search log messages in addition to events. This option sends the connector’s log file data to the SolarWinds SEM for event processing and to SolarWinds nDepth for data archiving. This means the SEM reports potential event activity in the Event Pane, and nDepth archives the connector’s output data for later reference. Furthermore, you can use the Console's nDepth explorer to search either type of data. |
Server IP Address / [Product] IP Address / [Product] Server | Type the IP address of the router or firewall. Use the following IP address format:
Sleep Time | Type or select the time (in seconds) the connector sensor is to wait between event monitoring sessions. The default (and minimum) value for all connectors is one (1) second. If you experience adverse effects due to too many rapid readings of log entries, increase the Sleep Time for the appropriate connectors. Windows NT-based connectors automatically notify Windows Event Log sensors of new events that enter the log file. Should automatic notification stop for any reason, the Sleep Time dictates the interval the sensor is to use for monitoring new events. |
Connector Version | This is the SolarWinds release version for this connector. This is read-only information for reference purposes. |
Wrapper Name | This is an identification key that the SolarWinds SEM uses to uniquely identify the properties that apply to this particular connector. This is read-only information for SolarWinds reference purposes. |
If the connector settings you need are not shown here, you are probably configuring an active response connector. (See the next section.) When you finish configuring the connector settings, start the connector.
The Connector Configuration form fields for active-response (Actor) connectors
The following table describes fields on the Connector Configuration form when configuring actors for active response connectors.
Not every field appears with every connector. The fields that appear depend on the connector that you are configuring.
Field | Description |
---|---|
Advanced | These settings are no longer applicable. |
Auth Port | For CheckPoint OPSEC firewalls, select the port used to connect to the CheckPoint server via the LEA/OPSEC interface. |
Base URL | Type the URL to connect to the SonicWALL firewall and perform the login. Include “http://” at the beginning of the URL. SolarWinds does not support HTTPS. Only use this connector for older SonicWALL firmware versions. |
Block Timeout | For CheckPoint OPSEC firewalls, type the timeout in seconds for the blocks to expire from the firewall. A value of zero (0) indicates never expire. |
Client DN | For CheckPoint OPSEC firewalls, type the client DN string. The CN and O must be uppercase. |
Configuration Mode | Select either
Enable Password | Type the connector’s password for entering Enable mode. |
Enable Windows Active Response | For the Windows Active Response connector, select this check box to enable active response settings. |
From Zone | Type the external zone used for configuring restrictions on firewall connections. |
Incoming Interface | Type the Interface for which the block is to be made effective; that is, the Interface for which incoming traffic will be filtered to prevent traffic from the blocked IP address. |
Password / Login Password | Type the connector’s login password. For some products, the password name must be the same one that was used when the firewall was installed. |
Port Name / Serial Port Name | Select a serial port for performing active response via console cable, if applicable. The port name represents the physical communication port on the computer. The port name is only relevant if the Configuration Mode (below) is set to SerialPort. If the Configuration Mode is set to
Remote Connection Port | Type the firewall port used for connecting to and configuring the firewall. |
Server DN | For CheckPoint OPSEC firewalls, type the server DN string. The “cn” and “o” must be lowercase. |
Server Port | For CheckPoint OPSEC firewalls, select the port used to connect to the CheckPoint server via the SAM/OPSEC interface. |
Server / Server Address / IP Address / [Product] IP Address | Type the IP address of the router or firewall. This address allows SEM to perform active responses to events on that particular router or firewall. Use the following IP address format: 192.123.123.123. |
SSLCA | For CheckPoint OPSEC firewalls, click Browse to locate the SSL certificate file to upload to the server. If the connector is already configured, then use the existing certificate on the server. You can use the same path for both the LEA (log reading) and SAM (active response) certificates. |
Take Admin Control | Only one person can configure the firewall at one time. Selecting this check box allows SEM’s active response to take administrative control over the firewall when a user is logged into the WatchGuard Management Console. That is, SEM disconnects the user and takes control over the firewall. |
To Zone | Type the internal zone used for configuring restrictions on firewall connections. |
Connector Configuration Instance (Alias) | Type a name that easily identifies the product that SEM is to act on. For active response connectors, we recommend you end the alias with “AR”. For example, an alias for the Cisco PIX Active Response connector might be “Cisco PIX AR”. This allows you to differentiate the active response connector from the data gathering connector. |
User Name / Login User Name | Type the user name needed to log onto and configure the firewall. For some products, the user name must be the same one that was used when the firewall was installed. |
If the connector settings you need are not shown here, you are probably configuring a data-gathering (sensor) connector. When you finish configuring the connector settings, start the connector.
The System Tools connector form fields
SEM uses the System Tools connectors to interface with external notification systems.
Field | Description |
---|---|
Append Text to File Active Response | |
Description | Use this connector to have the Agent “write” the specified event data or text to the specified file. |
How to append | Select Newline to write the event data to the file so that each event is on a distinct line (that is, one event per line), by inserting a return or newline character. Select No Newline to stream the event data to the file by appending the new data immediately following any existing data in the file. |
Maximum file size (MB) | Type the allowable maximum file size for the text file, in Megabytes. |
Directory Service Query | |
Description | Use this connector to have the Manager communicate with existing directory services on the network to retrieve and update group information. This allows you to synchronize your existing Directory Service Groups for use with rules and filters. |
User Name | Type a user name that is valid on the configured domain and server for authenticating to the domain and retrieving group information. |
Directory Service Server | Type the IP address or host name of your directory services server (commonly, this is a domain controller). |
Domain Name | Type the fully-qualified domain name of your directory services domain. |
Password | Type the password for the above user name that is valid on the configured domain and server for authenticating to the domain and retrieving group information. |
Directory Service Server’s Port | Type the port used to communicate with the directory service server. |
Email Active Response | |
Description | Use this connector to have a Manager automatically notify users of events by event policy. The event policy requires configuration. |
Return Display Name | Type the name that you want to appear in the From field of active response e-mail messages. |
Port | Type the port used to communicate with the internal email server. |
Return Address | Type the email address that you want to appear in the From field of active response email messages. |
Mail Host | Type the IP address or host name of an internal SMTP server that the Manager can use to send email messages through without authentication. |
Authentication Server Username | Type the user name needed to access the internal email server, if required. |
Authentication Server Password | Type the password needed to access the internal email server, if required. |
Test E-mail Address | Type the e-mail address you want to use to test the Mail Host assignment. When you click Test Email, a test message should appear at this email address. |
Test Email button | This button tests your email notification settings to ensure that you entered the correct e-mail host. Click Test Email. Then check the email address’s in-box. If you entered the correct address, the in-box should receive the test message. |
The Event Distribution Policy form
Configure the event distribution policy to control how events are routed through the SEM system.
Field | Description |
---|---|
Event/Field | Lists event categories and event types. Click ▼ to expand an event category. |
Console, Database, Warehouse, Rules | Select a check box to indicate whether an event type or event category is sent to the console or local database. When selected, the event type is routed to that destination. Clear a check box to prevent the event type from being routed to that destination. |
Export | Exports a Manager event policy to a spreadsheet file. |
(icon) | Click to select the Apply State to Branch command. This command pushes (or propagates) the selected event node check box settings down to the related, lower-level event types in the node tree hierarchy. |
Description | Provides a description of the event type or event category currently selected in the grid. |
See also:
- Configure the SEM event distribution policy in the legacy Flash console for more information.