Documentation for Security Event Manager

How SEM works

SolarWinds SEM collects log data in your corporate network from two sources:

  • Agents – An Agent is a software application that collects and normalizes log data before it is sent to the SEM Console.

  • Non-Agent devices – These are devices that send log data directly to SEM for normalization and processing.

After normalization, SEM processes the data. The SEM policy engine correlates the data based on user-defined rules and local alert filters, and initiates the associated actions when applicable. These actions can include:

  • Notifying users through the console or by email

  • Blocking an IP address

  • Shutting down or rebooting a workstation

  • Passing alerts to the SEM database for future analysis and reporting within the Reports application

You can install Agents on workstations, servers, and other network devices. Agents can send log data from security products (such as antivirus software and network-based intrusion systems) on each device to the SEM virtual appliance. If you cannot install an Agent on a device (such as a firewall or router), you can configure the device to send log data to the SEM Manager for normalization and processing. If your change management process does not permit adding any additional syslog servers to the network device configurations, you can leverage your existing syslog servers.
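The normalize-then-correlate flow described above can be sketched in a few lines of Python. This is an added illustration, not SolarWinds code or SEM's rule format: the event field names, the `LogonFailure` type, the threshold rule, and the sample log lines are all assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines shaped like sshd syslog output from two devices (not real SEM input).
SAMPLE_LOGS = [
    "2024-05-01T10:00:01 fw01 sshd[311]: Failed password for root from 203.0.113.7 port 4022 ssh2",
    "2024-05-01T10:00:05 srv02 sshd[877]: Failed password for invalid user admin from 203.0.113.7 port 4031 ssh2",
    "2024-05-01T10:00:09 fw01 sshd[312]: Failed password for root from 198.51.100.9 port 5100 ssh2",
    "2024-05-01T10:00:20 srv02 sshd[878]: Failed password for root from 203.0.113.7 port 4040 ssh2",
    "2024-05-01T10:00:30 srv02 sshd[879]: Accepted password for alice from 192.0.2.15 port 6001 ssh2",
    "2024-05-01T10:05:00 fw01 sshd[313]: Failed password for root from 198.51.100.9 port 5102 ssh2",
    "2024-05-01T10:05:02 fw01 kernel: link up",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def normalize(line):
    """Map one raw line to a common event dict, or None if the line is not recognized."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"time": datetime.fromisoformat(m["ts"]), "device": m["host"],
            "type": "LogonFailure" if m["result"] == "Failed" else "Logon",
            "user": m["user"], "source_ip": m["src"]}

def correlate(events, threshold=3, window_seconds=60):
    """Hypothetical rule: `threshold` LogonFailure events from one IP inside the window."""
    window = timedelta(seconds=window_seconds)
    recent, blocked, actions = defaultdict(deque), set(), []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["type"] != "LogonFailure" or ev["source_ip"] in blocked:
            continue
        q = recent[ev["source_ip"]]
        q.append(ev["time"])
        while ev["time"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:  # rule fires once per source IP
            blocked.add(ev["source_ip"])
            actions += [("notify", ev["source_ip"]), ("block_ip", ev["source_ip"])]
    return actions

def run(lines=SAMPLE_LOGS, threshold=3, window_seconds=60):
    """Normalize every recognized line, then apply the correlation rule."""
    events = [e for e in map(normalize, lines) if e is not None]
    return correlate(events, threshold, window_seconds)
```

Because every event shares one schema after normalization, the rule counts failures against 203.0.113.7 across both `fw01` and `srv02`, which is what lets a correlation engine see activity that no single device log shows.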