Documentation for Security Event Manager

LEM 6.5 release notes

This document summarizes the new features, improvements, and fixed issues in LEM 6.5. It also covers additional features, upgrade notes, and workarounds for known issues.

New in LEM 6.5

Enable log forwarding

On the LEM Events Console Settings page, enable log forwarding to direct your raw (unnormalized) log messages to a dedicated server. This option allows you to forward log data to third-party systems and other SIEM tools.

When you configure connectors to send original log data to LEM, the messages are then auto-forwarded to the designated location. To use this feature, configure nDepth log retention and applicable connectors accordingly.

Deploy LEM to Microsoft Azure

With version 6.5 and later, you can deploy LEM to Microsoft Azure. To get started, download the installation package from the SolarWinds Customer Portal and review the deployment guide.

Additional features and improvements

This section describes features in LEM 6.4.

LEM Events Console

The LEM Events Console provides instant access to live event monitoring and filtering as well as historical record archives for in-depth analysis and troubleshooting. Within the console view, you can quickly switch between real-time event streaming and historical log views based on user-defined date and time parameters. In addition to live and historical keyword search options, all established LEM Monitor filters are accessible in the LEM Events Console Filters pane. You can access the console view by clicking Visit LEM Events Console in the top-right section of the LEM console.

View the LEM Events Console in HTML5

The LEM Events Console view is presented in HTML5 format, so it does not require Adobe® Flash® or other third-party media players. This update also results in a more robust console that can run on any computer operating system as well as most web browsers.

Filter and monitor events in Live Mode

Switch the LEM Events Console to Live Mode to monitor events as they occur in your environment. This is particularly useful when troubleshooting active network problems. You can apply "live" filters to target and identify issues using the Filters pane and Live filter keywords, and then conduct a historical log search for additional event analysis.

Live Mode also reconciles device polling gaps by processing and correlating a consistent stream of log event data.

Search and filter historical event logs

The LEM Events Console includes an advanced search capability to access your aggregated event logs based on existing Live Mode filters and a specified time range. To set your search parameters, click Historical Search, enter a specific keyword, and then open the custom time picker to set your time frame. You can further refine your search by changing the keyword in the search field.

Monitor multiple console tabs

You can open and monitor multiple LEM Events Console tabs in your web browser. You can also apply the same filters simultaneously in Live and Paused Modes, and initiate multiple search queries.

Running multiple searches simultaneously can negatively impact LEM performance due to hardware resource limitations.

Remote database (L4) configuration

Configuring the LEM Events Console with a remote database limits available console functionality. You can still search, filter, and monitor live events, but historical records and event details are not accessible. In this instance, a remote database notification appears in the top-right of the console reminding you of the limited functionality.

CMC command updates

In LEM 6.4 and later, some CMC commands are deprecated, merged, or modified. See the LEM Administrator Guide for a current list of CMC commands.

LEM Debian version upgrade

Debian version 9.4 (codename stretch) is currently installed on LEM 6.4 and later. This version eliminates the 2TB data storage restriction applicable to previous LEM releases, and significantly reduces potential security risks and vulnerabilities.

Exceeding the previous 2TB limit requires a fresh deployment based on the new OVA template. Please contact SolarWinds support for assistance with migrating your data and settings.

LEM SMB version support

LEM 6.5 currently supports all versions of Microsoft Windows SMB.

End of life, end of support, and deprecation notices

End of life

Version: 6.2

  • EoL announcement: September 12, 2018: End-of-Life (EoL) announcement – Customers on SEM version 6.2 should begin transitioning to the latest version of SEM.
  • EoE effective date: December 12, 2018: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for SEM version 6.2 will no longer be actively supported by SolarWinds.
  • EoL effective date: December 12, 2019: End-of-Life (EoL) – SolarWinds will no longer provide technical support for SEM version 6.2.

New customer installation

For information about installing LEM, see the SolarWinds Log & Event Manager Installation Guide and the SolarWinds Log & Event Manager Getting Started Guide.

How to upgrade

If you are upgrading from a previous version, use the following resources to plan and implement your upgrade:

Use the LEM Upgrade Guide to help you plan and execute your upgrade.

Download the upgrade package from the SolarWinds Customer Portal.

If you are using multimanager, LEM Managers are disconnected after the upgrade to 6.4. To reconnect, set multimanagerconfig to True (enabled). Clear your Flex cache (F12 hotkey) to see the change.

Find which Apache Tomcat version corresponds with your SEM version here.

File system consistency check (fsck)

During your upgrade, the system may run a file system consistency check (fsck) during reboot. This can last 30 or more minutes depending on the quantity of data in the data partition. With the Debian version upgrade, the file system is configured to initiate the check when either of the following conditions is met:

  • 21 mounts since the last check (during the 22nd reboot), or
  • Six months since the last check.

Oracle Solaris Agent upgrades

Beginning with version 6.3, LEM supports the 64-bit Java 8 Runtime Environment (JRE). Since Oracle did not release a 32-bit version of Java for Solaris, you must manually upgrade the agents running on these systems.

To upgrade your 32-bit Solaris SPARC and Solaris Intel agents, download the Solaris SPARC Agent and Solaris Intel Agent installers from the Customer Portal and run these installers on your Solaris systems. In a future release, the LEM console will support updates for 64-bit Solaris agents when they are available.

LEM Agent installers

Oracle intends to discontinue support for their 32-bit Java Runtime Environment (JRE). Therefore, SolarWinds will no longer provide 32-bit LEM Agent installers for future LEM releases. Since IBM and HP provide their own customized Java implementations, this may impact their JRE support as well.

Supported connectors

Find LEM connector information on Thwack.

Fixed issues

LEM 6.5 fixes the following issues.

Case number    Description
  Active Response fails when customers connect to Cisco PIX device using the serial port.
  The last character in SOLR raw logs is removed.
  A directory traversal flaw exists in the Perl Archive::Tar module.
  GnuPG performs insufficient sanitization of file names displayed in status messages.
  A Libgcrypt security vulnerability exists.
  Vista Security text should be changed to Windows Security.
  Vulnerabilities exist in CUPS, the Common UNIX Printing System (libcups2 package).
  Update Java to latest version.
  Upgrade vulnerable Spring library.
  Update Java on non-Oracle agents.
  Upgrade fuse and libfuse2 packages to correct flaw in the fusermount utility.
  Update libmspack package to resolve security vulnerabilities.
  Upgrade vulnerable PostgreSQL package to resolve security vulnerabilities.
  Upgrade Samba to resolve security vulnerabilities.

Known issues

Issue: After upgrading LEM 6.3.1.hf7 to 6.4.0.1500, the blue screen incorrectly indicates that no IP address is assigned when connected directly from a Hyper-V or vSphere window.

Workaround: To find the IP address:

  1. Open your hypervisor and connect to the LEM VM:
    • For VMware vSphere, click the Console tab, select Advanced Configuration on the main console screen, and then press Enter to access the command prompt.
    • For Hyper-V, click Action > Connect, and then click the Console tab.
  2. Use the arrow keys to navigate to Advanced Configuration, and then press Enter.

    The CMC menu appears with a cmc> prompt.

  3. If the machine has an assigned IP address, you can find it in the menu next to the admin option.

Hotfixes

LEM 6.5 Hotfix 1

Version History

LEM Release Notes Version 6.4

LEM Release Notes Version 6.3.1

LEM Release Notes Version 6.3.0

Legal notices

© 2019 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.