Documentation forSecurity Event Manager

Introduction to SEM

SolarWinds Security Event Manager (SEM) is a security information and event management (SIEM) virtual appliance that collects and normalizes log data generated across an entire network into one central location. After the log data is collected, you can use the SEM Console to:

  • Identify patterns displayed in the dashboard that may indicate suspicious activity.

  • View live events in real time.

  • View historical events for forensic analysis and troubleshooting.

  • Create a rule to monitor event traffic and trigger an automated action when a defined event or events occur. These automated actions can include stopping processes, detaching USB devices, blocking IP addresses, logging off users, and sending emails to support teams.

SEM collects log data in a network from two resources:

  • Agents

  • Non-agent devices

Agents

Agents are software applications that gather hardware and software information. This information is sent back to a monitoring system to track these assets.

Similarly, the SEM Agent collects log data on devices that cannot send their own logs to SEM. The agent normalizes the log data into a format that SEM can understand. When normalization is completed, the data is processed and converted to charts and graphs in the SEM Console.

See About the SEM Agent for more information.

You can use SolarWinds Patch Manager to schedule patching for your SEM agents. See How to Schedule Patching for Security Event Manager Agents for details.

Non-agent devices

Non-agent devices collect and send log data directly to SEM for normalization and processing. This data is converted to charts and graphs in the SEM Console. Because the log data is in a format that SEM can understand, no agent is required.

SEM policy engine

When the normalization is completed, SEM processes the data. The SEM policy engine correlates the data based on user-defined rules and local alert filters, and then initiates the associated actions when applicable. These actions can include:

  • Notifying users through the console or by email

  • Blocking an IP address

  • Shutting down or rebooting a workstation

  • Passing alerts to the SEM database for future analysis and reporting within the Reports application

Agent installation

You can install agents on workstations, servers, and other network devices. Agents can send log data from security products (such as antivirus software and network-based intrusion systems) on each device to the SEM virtual appliance.

If you cannot install an agent on a device (such as firewalls and routers), you can configure the device to send log data to the SEM Manager for normalization and processing. If your change management process does not permit adding any additional syslog servers to the network device configurations, you can leverage your existing syslog servers.