Glossary of LEM terms

Active response – An action that you or a LEM rule can take in response to suspicious activity or an attack. Active response actions include the Block IP active response, the Disable Networking active response, the Log off User active response, the Kill Process active response, the Detach USB Device active response, and so on.

Actor – A connector sub-type that can perform an active response. The actor connector allows the Agent to receive instructions from the LEM Manager and perform active responses locally on the Agent computer, for example, sending pop-up messages or detaching USB devices. In the LEM console, an orange connector icon represents an actor connector. Also see sensor.

Agent – In LEM, a software application that collects and normalizes log data before it is sent to the LEM Manager. The Agent runs as a standalone service and provides additional event alerting on workstations and servers. An Agent is required for some active responses, including logging off a user, shutting down a computer, and detaching a USB device. LEM Agents use Secure Socket Layer/Transport Layer Security (SSL/TLS) to securely transmit log data. Also see connector.

Agent node – In LEM, a single Agent, syslog, or SMTP instance that sends events to LEM. For example, an environment with 10 routers, 50 switches, 5 firewalls, 300 servers, and 500 workstations has 865 nodes sending data to LEM Manager.

Alert – See event.

Appliance – Originally, LEM was sold as a physical appliance that you deployed on your network. Today, LEM is the virtual image of a Linux-based appliance.

CMC – A command-line interface you can use to interact with the LEM Manager VM to perform routine administrative tasks without root access.

Connector – In LEM, a connector is a stand-alone file that allows LEM to monitor and interact with third-party vendor products, for example a firewall, an anti-virus application, a router, and so on. Each connector is named after the specific product that it is designed to support.
Connectors can reside either on a LEM Agent, or on the LEM VM. Connectors installed on an Agent monitor local log files, but they can also monitor events sent from remote devices that cannot run an Agent. Connectors can intercept syslog events sent by third-party network devices and translate them into normalized events. Whereas LEM Agents actively send normalized log events to the LEM Manager, connectors rely on the host system to send syslog events to the LEM Manager.
Connectors have two subtypes: sensors and actors. A sensor retrieves data from the product that the connector supports, whereas an actor carries out active responses.

Console – See desktop console or web console.

Correlation – See event correlation.

Desktop console – The optional LEM desktop console lets you manage and monitor LEM without a web browser. The desktop console provides the same functionality as the LEM web console, but as a Windows-only native app.

Directory service group – In LEM, directory service groups are Windows users and computer accounts that LEM pulls from Active Directory. You can associate directory service groups with rules and filters. Use directory service groups if Active Directory is available so that you do not have to manually update lists of user and computer accounts in user-defined groups.

Event – Any alert or notification written to a log that is monitored by LEM. In LEM, the terms event and alert are interchangeable.

Event correlation – The process of extracting useful and/or significant information from the large number of events flowing in to LEM. Event correlation works by looking for and analyzing relationships between different event sources.

Event distribution policy – LEM's event distribution policy controls how events are routed through the system. By configuring the event distribution policy, you can disable (or exclude) specific event types at the event level from being sent to the LEM console and/or the LEM database. Use the event distribution policy to prevent events of little or no value from being processed by the console or stored in the database.

Event group – A group type used to organize events for use with rules and filters. If you use an event group in a rule, LEM fires the rule when any event in the group triggers an alert.

Event response – See active response.

Facility code – A numeric code specified by the syslog protocol to identify the type of program that is logging the message. Sixteen facility codes, ranging from 0 (kernel messages) to 15 (clock daemon), are reserved for known program types, whereas facility codes 16 through 23 are reserved for local use (local use 0 up to local use 7). In LEM, facility codes are used to route vendor-specific events to designated log files.

Filters – Filters capture events and alerts that take place on your network. Filter conditions can be broad or specific. For example, you can create a filter without conditions that captures all events, regardless of the source or event type, or you can create a filter that has one specific condition, such as UserLogon Exists, which only captures user logon events. LEM ships with filters that support best practices in the security industry. You can modify these filters to meet your needs.

Filter groups – Also called filter categories. Filter categories are used to organize filters in LEM. LEM installs with seven default categories in the Filters pane: Overview, Security, IT Operations, Change Management, Authentication, Endpoint Monitoring, and Compliance. Administrators can remove or rename these categories, or add new categories as needed.

File Integrity Monitoring – Also called FIM. A LEM feature that monitors system and user file activity to protect sensitive information from theft, loss, and malware. FIM detects changes to critical files and registry keys to ensure that they are not accessed or modified by unauthorized users. FIM ensures systems comply with regulatory regulations, including Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act of 1996 (HIPAA), and Sarbanes-Oxley. FIM is enabled either by adding a FIM connector to a node, or by adding FIM to an existing connector profile.

Flat file log – Any log output to one or more ASCII-based text files. Systems that write to flat file logs include Linux system logs, web server logs, DNS server logs, custom application logs, and others.

Groups – In LEM, groups organize related elements into logical units so that they can be used in rules and filters. Various group types are used to group events, data elements (such as IP addresses, user names, web site URLs, and so on), Active Directory users and computers, email templates, Agents and connectors, and time-of-day sets.

Hypervisor – Computer software that runs virtual machines. The LEM VM can be installed on two hypervisors: Microsoft Hyper-V Server, and VMware vSphere ESX 4.0 or ESXi 4.0 and later.

LEM console – See desktop console or web console.

LEM Events Console - An HTML5 console that provides instant access to live event monitoring and filtering as well as historical record archives for in-depth analysis and troubleshooting.

LEM Manager – The LEM component that collects and processes log messages sent by one or more network systems. The LEM Manager consists of a syslog server, an optimized database, a web server, a correlation engine, and a hardened Linux operating system. LEM Manager is deployed as a single VM to a hypervisor (either Hyper-V or vSphere) running on Windows Server.

Local Agent Installer – A standalone installer that you or another administrator runs on a local host system to install the LEM Agent. The Local Agent Installer can be used for attended or unattended LEM Agent installations. Also see Remote Agent Installer.

Manager – See LEM Manager.

NCR – An initialism for New Connector Request. An NCR is a request for SolarWinds to create a connector for a system or application that does not have one.

NCD – An initialism for New Connector Data. An NCD is a request for SolarWinds to update an existing connector to receive data that is either being missed or is coming in as unmatched.

nDepth log retention – The nDepth log retention component in LEM is a separate data store to which you can send raw (unnormalized) log messages. The nDepth database is an optional component that is disabled by default. To save raw log messages, you need to enable it. Note that, other than the name, the nDepth log retention component is unrelated to the nDepth search engine.

nDepth search engine – The nDepth search engine can locate any event data, or any original log message that passes through a particular LEM Manager instance. The log data is stored in real time as it occurs from each host (network device) and source (application or tool) that is monitored by the LEM Manager. You can use nDepth to conduct custom searches, investigate your search results with graphical tools, investigate event data in other LEM explorer utilities, and take action on your findings.

Node – An Agent instance monitored by LEM. In the LEM console, navigate to Manage > Nodes to display the Agents monitored by each of your LEM Managers.

Normalization – The process by which LEM translates raw log data into a standard format prior to storing the message in the database. The LEM Manager component and the LEM Agent component are both capable of normalizing raw event messages received from devices on a network. If the nDepth log retention feature is enabled, LEM also saves raw (unnormalized) log messages in a separate nDepth data store.

Ops Center – See Ops Center view.

Ops Center view – In the web console, the user interface view that provides a dashboard made up of multiple widgets to help identify trends and problem areas in the network. Administrators can customize the dashboard by adding, editing, and removing widgets.

Remote Agent Installer – A standalone installer that pushes LEM Agents to Microsoft Windows hosts across your network without the need to step through an installation wizard. The installer unzips the installation files to a temporary folder of your choice, searches for Windows systems across the network, and installs the LEM Agent one at a time to the targeted systems. Also see Local Agent Installer.

Reports application – An optional LEM component that can schedule and execute over 300 audit-proven reports. Install the reports application on either a workstation or a separate networked server. The LEM reports application requires the free Crystal Reports runtime application.

Roles – LEM uses roles to restrict user access to sensitive data. Each LEM user account must be assigned to one of six LEM role types: Administrator, Auditor, Monitor, Contact, Guest, and Reports.

Rules – Rules monitor event traffic and automatically respond to events in real time. When an event (or a series of events) meets a rule condition, the rule prompts the LEM Manager to carry out a response action. A response action can be discreet, such as sending notifications to the appropriate users by email; or it can be active, for example blocking an IP address or stopping a process.

Sensor – A connector sub-type that cannot perform an active response. In the LEM console, a blue connector icon represents a sensor connector. See also actor.

Severity – In the syslog protocol, severity is a numeric code used to specify the urgency of the notification. Severity ranges from 0 (emergency: system is unusable) to 7 (debug: debug-level messages).

SIEM – A category of software products and services that monitor and analyze security events generated by applications and hardware devices on a network and send notifications when a set threshold is reached. Log & Event Manager (LEM) is a fully-featured SIEM solution. SIEM is an initialism for security information and event management.

Single sign-on – LEM supports Active Directory single sign-on (SSO). When enabled, LEM does not request a user name and password if the user is already logged in to Active Directory (AD). Instead, AD authenticates the user in the background, and automatically logs the user in to LEM with the appropriate user access rights.

SNMP, SNMP monitoring – Simple Network Management Protocol is used to collect information from network devices. LEM can receive SNMP traps from SolarWinds solutions to correlate performance alerts with LEM events. LEM can also send SNMP traps to SolarWinds solutions to enable NPM to monitor CPU, memory, and other critical LEM components. Versions of LEM older than 6.3.0 do not support sending health or status updates to other devices over SNMP. LEM versions older than 6.3.0 can only send SNMP traps to devices when rules fire.

SSO – See single sign-on.

Syslog – A message logging protocol used by a wide range of devices, including most network devices, such as routers, switches, and firewalls. Devices send event notification messages to a central logging server (a syslog server) that consolidates logs from multiple sources. Syslog messages have a numeric facility code that LEM uses to route messages to a log. to specify the type of program that is logging the message, and a numeric severity level to specify the urgency of the notification.

Syslog server – A software application (such as Kiwi Syslog Server) that collects syslog messages and SNMP traps from network devices (such as routers, switches, and firewalls).

USB defender – A free add-on for all LEM Agents installed on Windows computers. USB defender tracks events related to USB mass storage devices like flash drives and smart phones, and allows the LEM Manager to send commands to detach offending devices both manually and automatically.

User-defined group – User-defined groups are groups of data elements that can be used in rules and filters to match, include, or exclude events, information, and data fields. Data elements can be IP addresses, user names, email addresses, web site URLs, and so on.

Virtual appliance – A type of virtual machine that hosts a single application on a hypervisor. To keep things simple, the LEM documentation refers to the LEM virtual appliance as the LEM virtual machine (or the LEM VM). The LEM virtual appliance runs on a hardened, Linux-based software stack that includes a database, a web server, a correlation engine, a syslog server and a SNMP trap receiver.

vSphere – A hypervisor distributed by VMware. The LEM virtual machine can be deployed on vSphere.

Web console – The primary LEM user interface that runs in a web browser. Use the web console to manage and monitor the LEM application. The web console has five views: Ops Center (provides a dashboard made up of widgets that display a graphical representation of your log data), Monitor (displays events in real time as they occur on your network), Explore (provides tools for investigating events and related details), Build (creates user components that process data in LEM Manager), and Manage (manages properties for appliances and nodes). See also: desktop console.

Widget – A user interface component that provides special dashboard functionality, such as displaying real-time information about network activity, or providing tools for investigating events and related details. In the LEM console, widgets are displayed in OpsCenter view, Monitor view, and nDepth view. Use Widget Manager to select and add a widget to the dashboard. Use Widget Builder to create a new widget or edit an existing widget. Master widgets are widget templates located in the Widget Manager categories list (in Ops Manager view), in the Widgets pane based on the filter you select as a data source (in Monitor view), or in the nDepth toolbar (in nDepth view). Copy a master widget to the OpsCenter dashboard or to Monitor view to create a dashboard widget.