Beyond Getting Started with LEM

At this point, you have configured at least one network device and system to send logs to LEM. This section provides you links to sections of the LEM Administrator Guide, knowledge base articles, and videos to explore.

Product documentation

The following table provides links to sections of the LEM Administrator Guide.

See To Learn About

Filters and filter categories

This topic introduces filters and briefly describes the default filters included with LEM. Filters capture events and alerts that take place on your network.
nDepth search The nDepth search engine can locate any event data that passes through a particular LEM Manager instance. You can use nDepth to conduct custom searches, investigate your search results with a graphical tools, investigate event data in other explorers, and take action on your findings.
LEM rules

Rules monitor event traffic and automatically respond to security events in real time, whether you are monitoring the console or not. When an event (or a series of events) meets a rule condition, the rule prompts the LEM Manager to take action.

A response action can be discreet (for example, sending a notification to select users by email), or active (for example, blocking an IP address or stopping a process).

LEM active responses An active response (also called an event response) in LEM is an action that LEM takes in response to suspicious activity or an attack. Active response actions include the Block IP active response, the Disable Networking active response, the Log off User active response, the Kill Process active response, the Detach USB Device active response, and so on.

The LEM reports application converts LEM database data into information that can be used to troubleshoot and identify network problems. Run reports on your Log & Event Manager database to view events and trends and make informed decisions about your network activity.

You can run over 200 standard and industry-specific reports that can help you make informed decisions about your network security.

LEM users

Access to LEM data requires a user account. Even basic access, such as receiving notifications sent by LEM through email or text message, requires a user account.

To restrict user access to sensitive data, user accounts need to be assigned to a LEM role. There are six LEM role types: Administrator, Auditor, Monitor, Contact, Guest, and Reports.

Knowledge base articles

The following table contains links to the most highly rated LEM knowledge base articles. See Log & Event Manager on the SolarWinds Customer Success Center for access to all knowledge base articles.

Knowledge base article Contains
Configure Backups on your LEM Appliance This article describes how to configure the LEM appliance to run scheduled backups according to your requirements and preferences. Use these backups for data retention and disaster recovery.
SolarWinds LEM Agent Installer for Mac OS X 10.7 and later This article outlines installation procedures for using LEM on Mac OS X 10.7 and later.
Integrate NetApp or EMC SAN with SolarWinds LEM This article provides steps on integrating SolarWinds LEM with NetApp 7 to audit files. These steps also apply to EMC SAN.
Configure the Email Active Response Connector Learn how to configure the Email Active Response connector, which sends automated email messages to LEM Console users when rules fire on LEM Manager.
LEM appliance security information Log and Event Manager is delivered as a virtual appliance with several related security features and functionality. This article lists appliance and console security features that are common information requests from customers.
Using Multiple LEM Appliances on a Single Console Learn how to add a LEM appliance to an existing LEM appliance and view all events from one LEM Console.
Use the LEM Database Maintenance Report to See Retention and Volume of Traffic This article documents the LEM Database Maintenance Report, which shows a snapshot of your current database utilization. Use this report to determine the amount of data is stored in your LEM database.
Tune out Windows Filtering Platform on LEM and on Windows agent This article describes how to tune out Windows Filtering Platform (WFP) on LEM and on a Windows agent. WFP is a new application in Windows 7 and Windows 8 and Server 2008/2012 that logs firewall and IPsec related events to the System Security Log. These alerts represent accepted background alerts on LEM and consume additional resources on LEM while it processes these events. They are not necessary in an optimized LEM deployment.
Troubleshoot agent connections, 32-bit This article helps you troubleshoot issues with agent connections in Log and Event Manager when installed on a 32-bit system.
Troubleshoot agent connections, 64-bit This article provides troubleshooting steps to help you work around the most common causes when a LEM Agent cannot connect to your LEM appliance.
Installing reports in LEM This article provides information about installing reports as part of the initial LEM deployment.

Training and community resources

Follow the links below to explore LEM training opportunities.