SEM 2024.2 System Requirements
Release date: April 17, 2024
SolarWinds strongly recommends that you install Security Event Manager on a server that is neither public nor internet-facing. To learn about best practices for configuring your Security Event Manager installation securely, see Best practices to secure SolarWinds Products.
These system requirements will help you plan your Security Event Manager (SEM) deployment for your specific network environment.
Server sizing
Server sizing is impacted by:
- Number of nodes
- Network traffic
- Storing original (raw) and normalized log messages
Consider event throughput and performance degradation when planning the size of your deployment. As the number of nodes and network traffic increase, the size of your deployment will need to grow as well. For example, if you are running a small deployment and begin to notice performance degradation at 300 nodes, move to a medium deployment.
If you will be storing original log messages, increase the CPU and memory resource requirements by 50 percent. See your hypervisor documentation for more information.
Sizing criteria
Use the following table to determine if a small, medium, or large deployment is best suited to supporting your environment.
Sizing Criteria | Small | Medium | Large |
---|---|---|---|
Number of nodes | Fewer than 500 nodes in the following combinations: | Between 300 and 2,000 nodes in the following combinations: | More than 1,000 nodes in the following combinations: |
Events received per day | 5M – 35M events | 30M – 100M events | Up to 216M events (2,500 EPS) |
Rules fired per day | Up to 500 | Up to 1,000 | Up to 5,000 |
SEM VM hardware requirements
See Allocate CPU and memory resources to the SEM VM in the SEM Administrator Guide for information about how to manage SEM system resources.
Hardware on the VM host | Small | Medium | Large |
---|---|---|---|
CPU | 2 – 4 core processors at 2.0 GHz | 6 – 10 core processors at 2.0 GHz | 10 – 16 core processors at 2.0 GHz |
If you will be storing original log messages in addition to normalized log messages, increase the CPU and memory resource requirements by 50%. ||||
Memory | 8 GB RAM | 16 GB – 48 GB RAM | 48 GB – 256 GB RAM |
Hard drive storage | 250 GB, 15K hard drives (RAID 1/mirrored settings) | 500 GB, 15K hard drives (RAID 1/mirrored settings) | 1 TB, 15K hard drives (RAID 1/mirrored settings) |
Input/output operations per second (IOPS) | 40 – 200 IOPS | 200 – 400 IOPS | 400 or more IOPS |
NIC | 1 GBE NIC | 1 GBE NIC | 1 GBE NIC |
SEM Azure hardware requirements
Hardware on the VM host | Small (Standard_DS3_v2) | Medium (Standard_DS4_v2) | Large (Standard_D32s_v3) |
---|---|---|---|
CPU [cores] | 4 | 8 | 32 |
RAM [GB] | 14 | 28 | 128 |
IOPs | 12800 | 25600 | 51200 |
SEM AWS hardware requirements
Instance size | m5.xlarge / m5a.xlarge | m5.2xlarge / m5a.2xlarge | m5.8xlarge / m5a.8xlarge |
---|---|---|---|
vCPU | 4 | 8 | 16 |
Memory (GiB) | 16 | 32 | 128 |
Instance Storage | EBS-Only | EBS-Only | EBS-Only |
SEM software requirements
Software | Requirements |
---|---|
Hypervisor (required on the VM host) | One of the following: |
Microsoft Azure | Learn about Microsoft Azure requirements here. |
Amazon Web Services | Learn about Amazon Web Services requirements here. |
Web browser | |
SEM agent hardware and software requirements
Hardware and Software | Requirements |
---|---|
Operating System (OS) | The SEM agent is compatible with the following operating systems: |
The following requirements are the minimum requirements. Depending on your deployment, you may need additional resources to support increased log-traffic volume and data retention. ||
Memory | 512 MB RAM |
Hard Drive Space | 1 GB |
Other requirements | Administrative access to the device hosting the SEM Agent. The SEM agent for Mac OS X requires Java Runtime Environment (JRE) 11 or later. The SEM agent for AIX requires Java Runtime Environment (JRE) 11 or later. The SEM agent for HP-UX requires Java Runtime Environment (JRE) 11 or later. The SEM agent for Solaris requires Java Runtime Environment (JRE) 11 or 16 (Non-LTS). |
SEM port requirements
For a list of ports required to communicate with SolarWinds products, see Port requirements for all SolarWinds products.
Port # | Protocol | Service/Process | Direction | Description |
---|---|---|---|---|
22 | TCP | SSH | Bidirectional | SSH traffic to the SolarWinds SEM VM. If you need to close port 22, contact SolarWinds Support. |
25 | TCP | SMTP | Outbound | SMTP traffic from the SolarWinds SEM VM to your email server for automated email notifications. |
80, 8080 | TCP | HTTP | Bidirectional | Non-secure HTTP traffic from the SolarWinds SEM console to the SolarWinds SEM VM. (SEM closes this port when the activation is completed.) |
445 | TCP | NetBIOS, SMB2 | Bidirectional | Standard Windows file sharing ports (NetBIOS Session Service, Microsoft SMB) that SEM uses to export debug files, syslog messages, and backup files. The SEM Remote Agent Installer also uses these ports to install agents on Microsoft Windows hosts across your network. Server Message Block version 1 (SMB1) is no longer supported. |
161, 162 | TCP | SNMP | Bidirectional | SNMP trap traffic received from devices, and used by the Orion platform to monitor SEM. |
389, 636 | TCP | LDAP | Outbound | LDAP ports that the SEM Directory Service Connector tool uses to communicate with a designated Active Directory domain controller. The SEM Directory Service Connector tool uses port 636 for SSL communications to a designated Active Directory domain controller. |
443, 8443 | TCP | HTTPS | Bidirectional | HTTPS traffic from the SolarWinds SEM console to the SEM VM. SEM uses these secure HTTP ports after SEM is activated. This port is also used to automatically update the SEM Connectors. |
(445) | TCP | See entry for port 139. | ||
514 | TCP or UDP | Syslog | Inbound | Syslog traffic from devices sending syslog event messages to the SolarWinds SEM VM. |
(636) | TCP | See entry for port 389. | ||
1094 | TCP | Syslog | Inbound | Syslog traffic from certain Cisco devices. |
1470 | TCP | PSyslog | Inbound | Syslog traffic from certain Cisco devices. |
(8080) | TCP | See entry for port 80. | ||
(8443) | TCP | See entry for port 443. | ||
8983 | TCP | nDepth | Inbound | nDepth traffic sent from nDepth to the SEM VM containing raw (original) log data. |
37890-37892 | TCP | SEM Agents | Inbound | SEM Agent traffic sent from SolarWinds SEM Agents to the SolarWinds SEM VM. (These ports correspond to the destination ports on the SEM VM.) |