Documentation forSecurity Event Manager

LEM 6.6 release notes

This document summarizes new features, improvements, and fixed issues in LEM 6.6, additional features, and upgrade notes and workarounds for known issues.

New in LEM 6.6

New HTML5 features

The new Node Management and Create Filter features continue the LEM transition from flash-based software to HTML5.

Node Management

Through the new LEM Node Management feature, you can now add agent nodes, configure connectors, and then monitor activity in the LEM Events Console. Upon node and connector configuration, click the Monitor tab to view your network activity, and then create and apply filters to tailor your log feed to view event logs vital to maintaining the health of your network environment.

Create filters in the LEM Events Console

In the LEM Events Console, you can create custom filters for your event log stream to complement existing LEM Monitor filters. On the Add New Filter page, create filters by dragging and dropping default filter values, or by adding your own custom filter values. The filter builder also guides you through selecting operators and conditions to group a particular type of event, or to monitor specific events and activity.

Additional features and improvements

This section describes features in LEM 6.4 and 6.5.

LEM Events Console

The LEM Events Console provides instant access to live event monitoring and filtering as well as historical record archives for in-depth analysis and troubleshooting. Within the console view, you can quickly switch between real-time event streaming and historical log views based on user-defined date and time parameters. In addition to live and historical keyword search options, all established LEM Monitor filters are accessible in the LEM Events Console Filters pane. You can access the console view by clicking Visit LEM Events Console in the top-right section of the LEM console.

View the LEM Events Console in HTML5

The LEM Events Console view is presented in HTML5 format, which means no requirement for Adobe® Flash® or other third-party media players. This update also results in a more robust console that can run on any computer operating system as well as most web browsers.

Enable log forwarding

On the LEM Events Console Settings page, enable log forwarding to direct your raw (unnormalized) log messages to a dedicated server. This option allows you to forward log data to third-party systems and other SIEM tools.

When you configure connectors to send original log data to LEM, the messages are then auto-forwarded to the designated location. To use this feature, configure nDepth log retention and applicable connectors accordingly.

Deploy LEM to Microsoft Azure

With version 6.5 and later, you can now deploy LEM to Microsoft Azure. To get started, download the installation package from the SolarWinds Customer Portal and review the deployment guide here.

Filter and monitor events in Live Mode

Switch the LEM Events Console to Live Mode to monitor events as they occur in your environment. This is particularly useful when troubleshooting active network problems. You can apply "live" filters to target and identify issues using the Filters pane and Live filter keywords, and then conduct a historical log search for additional event analysis.

Live Mode also reconciles device polling gaps by processing and correlating a consistent stream of log event data.

Search and filter historical event logs

The LEM Events Console includes an advanced search capability to access your aggregated event logs based on existing Live Mode filters and a specified time range. To set your search parameters, click Historical Search, enter a specific keyword, and then open the custom time picker to set your time frame. You can further refine your search by changing the keyword in the search field.

Monitor multiple console tabs

You can open and monitor multiple LEM Events Console tabs in your web browser. You can also apply the same filters simultaneously in Live and Paused Modes, and initiate multiple search queries.

Running multiple searches simultaneously can negatively impact LEM performance due to hardware resource limitations.

Remote database (L4) configuration

Configuring the LEM Events Console with a remote database limits available console functionality. You can still search, filter, and monitor live events, but historical records and event details are not accessible. In this instance, a remote database notification appears in the top-right of the console reminding you of the limited functionality.

CMC command updates

In LEM 6.4 and later, some CMC commands are deprecated, merged, or modified. See the LEM Administrator Guide for a current list of CMC commands.

LEM Debian version upgrade

Debian version 9.4 (codename stretch) is currently installed on LEM 6.4 and later. This version eliminates the 2TB data storage restriction applicable to previous LEM releases, and significantly reduces potential security risks and vulnerabilities.

Exceeding the previous 2TB limit requires a fresh deployment based off the new OVA template. Please contact SolarWinds support for assistance with migrating your data and settings.

LEM SMB version support

LEM 6.6 currently supports all versions of Microsoft Windows SMB.

New customer installation

For information about installing LEM, see the SolarWinds Log & Event Manager Installation Guide and the SolarWinds Log & Event Manager Getting Started Guide.

How to upgrade

If you are upgrading from a previous version, use the following resources to plan and implement your upgrade:

Use the LEM Upgrade Guide to help you plan and execute your upgrade.

Download the upgrade package from the SolarWinds Customer Portal.

If you are using multimanager, LEM Managers are disconnected after the upgrade to 6.4. To reconnect, set multimanagerconfig to True (enabled). Clear your Flex cache (F12 hotkey) to see the change.

Find which Apache Tomcat version corresponds with your SEM version here.

File system consistency check (fsck)

During your upgrade, the system may run a fsck check during reboot. This can last 30 or more minutes depending on the quantity of data in the data partition. With the Debian version upgrade, the file system is configured to initiate the check when certain conditions are met:

  • 21 mounts since the last check (during the 22nd reboot). -or-
  • Six months since the last check.

Oracle Solaris Agent upgrades

Beginning with version 6.3, LEM supports the 64-bit Java 8 Runtime Environment (JRE). Since Oracle did not release a 32-bit version of Java for Solaris, you must manually upgrade the agents running on these systems.

To upgrade your 32-bit Solaris SPARC and Solaris Intel agents, download the Solaris SPARC Agent and Solaris Intel Agent installers from the Customer Portal and run these installers on your Solaris systems. In a future release, the LEM console will support updates for 64-bit Solaris agents when they are available.

LEM Agent installers

Oracle intends to discontinue support for their 32-bit Java Runtime Environment (JRE). Therefore, SolarWinds will no longer provide 32-bit LEM Agent installers for future LEM releases. Since IBM and HP provide their own customized Java implementations, this may impact their JRE support as well.

Supported connectors

Find LEM connector information on Thwack.

Fixed issues

LEM 6.6 fixes the following issues:​

case Number description
N/A Threat Feeds cannot be updated.
N/A Broken ToolIndex.xml.

Known issues

Case Number Description
N/A CMC - exportcert returns wrong cert when other than self-signed cert is used.
N/A Issues with routing on web UI.
N/A Open on new tab (middle mouse button) is not working on menu or in settings links to Admin UI.
N/A It's not possible to copy values from node details popup.
N/A Editing a deleted connector Save button causes exception.
N/A User can add connector again after timeout with error.
N/A Can't change operand by drag and drop.
N/A Reload button on error page does not reload data.
N/A Nodes - IP address sort does not sort.
N/A It is possible to run commands on a deleted node.
N/A MSSQL Profiler template for SQL 2016 is only showing up as a 2014 template.
N/A Scroll bar should be inside the node list.
N/A Changing timezone using the Blue screen doesn't restart services.

Additional known issues

Issue: After upgrading LEM 6.3.1.hf7 to, the blue screen incorrectly indicates that no IP address is assigned when connected directly from a Hyper-V or vSphere window.

Workaround: To find the IP address:

  1. Open your hypervisor and connect to the LEM VM:
    • For VMware vSphere, click the Console tab, select Advanced Configuration on the main console screen, and then press Enter to access the command prompt.
    • For Hyper-V, click Action > Connect, and then click the Console tab.
  2. Use the arrow keys to navigate to Advanced Configuration, and then press Enter.

    The CMC menu appears with a cmc> prompt.

  3. If the machine has an assigned IP address, you can find it in the menu next to the admin option.


LEM 6.5 Hotfix 1

Version History

LEM Release Notes Version 6.5

LEM Release Notes Version 6.4

LEM Release Notes Version 6.3.1

LEM Release Notes Version 6.3.0

Legal notices

© 2019 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.


The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.