Documentation for Security Event Manager

SEM 2023.4 System Requirements

Release date: October 18, 2023

SolarWinds strongly recommends that you install Security Event Manager on a server that is neither public, nor internet-facing. To learn about best practices for configuring your Security Event Manager installation securely, see Best practices to secure SolarWinds Products.

These system requirements will help you plan your Security Event Manager (SEM) deployment for your specific network environment.

Server sizing

Server sizing is impacted by:

  • Number of nodes

  • Network traffic

  • Storing original (raw) and normalized log messages

Consider event throughput and performance degradation when planning the size of your deployment. As the number of nodes and network traffic increase, the size of your deployment will need to grow as well. For example, if you are running a small deployment and begin to notice performance degradation at 300 nodes, move to a medium deployment.

If you will be storing original log messages, increase the CPU and memory resource requirements by 50 percent. See your hypervisor documentation for more information.

Sizing criteria

Use the following table to determine if a small, medium, or large deployment is best suited to supporting your environment.

| Sizing Criteria | Small | Medium | Large |
|---|---|---|---|
| Number of nodes | Fewer than 500 nodes in the following combinations: 5 – 10 security devices; 10 – 250 network devices, including workstations; 30 – 150 servers | Between 300 and 2,000 nodes in the following combinations: 10 – 25 security devices; 200 – 1,000 network devices, including workstations; 50 – 500 servers | More than 1,000 nodes in the following combinations: 25 – 50 security devices; 250 – 1,000 network devices, including workstations; 500 – 1,000 servers |
| Events received per day | 5M – 35M events | 30M – 100M events | Up to 216M events (2,500 EPS) |
| Rules fired per day | Up to 500 | Up to 1,000 | Up to 5,000 |

SEM VM hardware requirements

See Allocate CPU and memory resources to the SEM VM in the SEM Administrator Guide for information about how to manage SEM system resources.

| Hardware on the VM host | Small | Medium | Large |
|---|---|---|---|
| CPU | 2 – 4 core processors at 2.0 GHz | 6 – 10 core processors at 2.0 GHz | 10 – 16 core processors at 2.0 GHz |
| Memory | 8 GB RAM | 16 GB – 48 GB RAM | 48 GB – 256 GB RAM |
| Hard drive storage | 250 GB, 15K hard drives (RAID 1/mirrored settings) | 500 GB, 15K hard drives (RAID 1/mirrored settings) | 1 TB, 15K hard drives (RAID 1/mirrored settings) |
| Input/output operations per second (IOPS) | 40 – 200 IOPS | 200 – 400 IOPS | 400 or more IOPS |
| NIC | 1 GBE NIC | 1 GBE NIC | 1 GBE NIC |

CPU and memory: If you will be storing original log messages in addition to normalized log messages, increase the CPU and memory resource requirements by 50%.

Hard drive storage:

  • Installing SEM in a SAN is preferred.
  • High-speed hard drives (such as SSD drives) are required for high-end deployments.
  • Large deployments may require 1 to 2 TB of storage, which you can reserve on VMware ESXi 6.0 (and later) and Microsoft Hyper-V 2012 R2 or 2016.

SEM Azure hardware requirements

| Hardware on the VM host | Small (Standard_DS3_v2) | Medium (Standard_DS4_v2) | Large (Standard_D32s_v3) |
|---|---|---|---|
| CPU [cores] | 4 | 8 | 32 |
| RAM [GB] | 14 | 28 | 128 |
| IOPs | 12800 | 25600 | 51200 |

SEM AWS hardware requirements

| Instance size | m5.xlarge / m5a.xlarge | m5.2xlarge / m5a.2xlarge | m5.8xlarge / m5a.8xlarge |
|---|---|---|---|
| vCPU | 4 | 8 | 16 |
| Memory (GiB) | 16 | 32 | 128 |
| Instance Storage | EBS-Only | EBS-Only | EBS-Only |

SEM software requirements

| Software | Requirements |
|---|---|
| Hypervisor (required on the VM host) | One of the following: VMware vSphere ESXi 6.0 or ESXi 6.0 and later; Microsoft Hyper-V Server 2012 R2, 2016, and 2019 |
| Microsoft Azure | Learn about Microsoft Azure requirements here. |
| Amazon Web Services | Learn about Amazon Web Services requirements here. |
| Web browser | Google Chrome 77 or newer; Mozilla Firefox 70 or newer; Microsoft Edge v79 or newer |

SEM agent hardware and software requirements

Hardware and Software Requirements
Operating System (OS)

The SEM agent is compatible with the following operating systems:

  • HPUX on Itanium

  • IBM AIX 7.1 TL3, 7.2 TL1 and later
  • Linux

  • macOS 10.12 (Sierra), 10.13 (High Sierra), and 10.14 (Mojave)

  • Oracle Solaris 10 and later

  • Windows 10, 11

  • Windows Server 2012, 2016, 2019, and 2022

    Windows Server 2022 supports SEM 2022.4 and later.

The following requirements are the minimum requirements. Depending on your deployment, you may need additional resources to support increased log-traffic volume and data retention.

Memory 512 MB RAM
Hard Drive Space 1 GB
Other requirements

Administrative access to the device hosting the SEM Agent.

The SEM agent for Mac OS X requires Java Runtime Environment (JRE) 11 or later.

The SEM agent for AIX requires Java Runtime Environment (JRE) 11 or later.

The SEM agent for HP-UX requires Java Runtime Environment (JRE) 11 or later.

The SEM agent for Solaris requires Java Runtime Environment (JRE) 11 or 16 (Non-LTS).

SEM reports application hardware and software requirements

Hardware and Software Requirements
Operating System (OS)

The SEM reports application is only supported by the following Windows operating systems:

  • Windows 11

  • Windows Server 2012, 2016, and 2022

    Windows Server 2022 supports SEM 2022.4 and later.
Memory

512 MB RAM minimum.

SolarWinds recommends using a computer with 1 GB of RAM or more for optimal reports performance.

Other requirements

Install the SEM reports application on a system that runs overnight. This is important because the daily and weekly start time for these reports is 1:00 AM and 3:00 AM, respectively.

Ensure the Reports Console version matches your version of the SEM appliance. Incompatible versions may result in installation or login failures.

See the following Customer Success Center articles for troubleshooting tips:

SEM port requirements

For a list of ports required to communicate with SolarWinds products, see Port requirements for all SolarWinds products.

| Port # | Protocol | Service/Process | Direction | Description |
|---|---|---|---|---|
| 22 | TCP | SSH | Bidirectional | SSH traffic to the SolarWinds SEM VM. If you need to close port 22, contact SolarWinds Support. |
| 25 | TCP | SMTP | Outbound | SMTP traffic from the SolarWinds SEM VM to your email server for automated email notifications. |
| 80, 8080 | TCP | HTTP | Bidirectional | Non-secure HTTP traffic from the SolarWinds SEM console to the SolarWinds SEM VM. (SEM closes this port when the activation is completed.) |
| 445 | TCP | NetBIOS, SMB2 | Bidirectional | Standard Windows file sharing ports (NetBIOS Session Service, Microsoft SMB) that SEM uses to export debug files, syslog messages, and backup files. The SEM Remote Agent Installer also uses these ports to install agents on Microsoft Windows hosts across your network. Server Message Block version 1 (SMB1) is no longer supported. |
| 161, 162 | TCP | SNMP | Bidirectional | SNMP trap traffic received from devices, and used by the Orion platform to monitor SEM. |
| 389, 636 | TCP | LDAP | Outbound | LDAP ports that the SEM Directory Service Connector tool uses to communicate with a designated Active Directory domain controller. The SEM Directory Service Connector tool uses port 636 for SSL communications to a designated Active Directory domain controller. |
| 443, 8443 | TCP | HTTPS | Bidirectional | HTTPS traffic from the SolarWinds SEM console to the SEM VM. SEM uses these secure HTTP ports after SEM is activated. This port is also used to automatically update the SEM Connectors. |
| (445) | TCP | | | See entry for port 139. |
| 514 | TCP or UDP | Syslog | Inbound | Syslog traffic from devices sending syslog event messages to the SolarWinds SEM VM. |
| (636) | TCP | | | See entry for port 389. |
| 1094 | TCP | Syslog | Inbound | Syslog traffic from certain Cisco devices. |
| 1470 | TCP | PSyslog | Inbound | Syslog traffic from certain Cisco devices. |
| 6343 | UDP | flow | Inbound | Flow traffic from devices sending flow to the SolarWinds SEM VM. |
| (8080) | TCP | | | See entry for port 80. |
| (8443) | TCP | | | See entry for port 443. |
| 8983 | TCP | nDepth | Inbound | nDepth traffic sent from nDepth to the SEM VM containing raw (original) log data. |
| 9001 | TCP | SEM reports application | Bidirectional | SEM reports application traffic used to gather SEM reports data on the SEM VM. |
| 37890-37892 | TCP | SEM Agents | Inbound | SEM Agent traffic sent from SolarWinds SEM Agents to the SolarWinds SEM VM. (These ports correspond to the destination ports on the SEM VM.) |
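The port table above can be turned into a firewall review check. The following is an added example, not SolarWinds code: it audits allow rules toward the SEM VM against the table's Inbound and Bidirectional rows, the note that ports 80 and 8080 close after activation, and the recommendation that SEM not be internet-facing. The rule format, the function names, the sample rules, and the use of RFC 1918 ranges (IPv4 only) as "internal" are assumptions made for illustration.

```python
import ipaddress

# (port, protocol) pairs the table marks Inbound or Bidirectional, protocols as listed there.
# Outbound-only rows (25, 389, 636) are excluded.
SEM_INBOUND = {(p, "tcp") for p in (22, 80, 8080, 445, 161, 162, 443, 8443, 514,
                                    1094, 1470, 8983, 9001, 37890, 37891, 37892)}
SEM_INBOUND |= {(514, "udp"), (6343, "udp")}
HTTP_PORTS = {80, 8080}  # table: SEM closes these once activation is completed

# Assumption: "internal" means RFC 1918 space; adjust to your own address plan.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample rules toward the SEM VM: action proto source dest_port
SAMPLE_RULES = """\
allow tcp 10.0.0.0/8 443
allow udp 10.20.0.0/16 514
allow tcp 0.0.0.0/0 8443
allow tcp 10.0.0.0/8 8080
allow tcp 10.0.0.0/8 3389
allow udp 10.0.0.0/8 37890
deny tcp 0.0.0.0/0 22
"""

def parse_rules(text):
    """Return (line_no, action, proto, source_network, port) per rule line."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, src, port = line.split()
        rules.append((n, action.lower(), proto.lower(), ipaddress.ip_network(src), int(port)))
    return rules

def audit(text, activated=True):
    """Return (line_no, finding) for allow rules the port table does not support."""
    findings = []
    for n, action, proto, src, port in parse_rules(text):
        if action != "allow":
            continue
        if (port, proto) not in SEM_INBOUND:
            findings.append((n, "not-in-port-table"))
        elif activated and port in HTTP_PORTS:
            findings.append((n, "http-after-activation"))
        if not any(src.subnet_of(net) for net in INTERNAL):
            findings.append((n, "public-source"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_RULES))
```

Pass `activated=False` when reviewing rules for an appliance that has not yet been activated, since the table lists 80 and 8080 as in use until then.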