1505 LEM EBook NetAdmin Pages All - Dlt


For a complete picture of what’s going on in your network, look beyond the network itself to correlate events in applications, databases, and middleware.

READ ON TO LEARN MORE ABOUT:
Making Connections
You Can Do This the Hard Way or the Easy Way
Log & Event Manager and the Effective Network Administrator
Proactive Monitoring
Solutions Instead of Finger-Pointing
Built for Integrity
Put Log & Event Manager to Work for You

The larger and more compartmentalized an organization is, the less likely it is for network administrators to have direct responsibility for applications, databases, and network security (except to the extent that security “is everyone’s job”). Yet in implementing Security Information and Event Management (SIEM), security professionals have learned to use tools like SolarWinds Log & Event Manager (LEM). This tool is not only essential for investigating security incidents, it is also powerful enough to be used for many more applications. Network admins owe it to themselves to learn enough about SIEM to put it to work for both security and troubleshooting purposes.

What makes a good SIEM tool different from all the other management and monitoring tools you have is its breadth. LEM pulls together logs from network devices, identity management infrastructure such as Active Directory, Web servers, application servers, and virtually every other system that records system events. Then LEM normalizes the data into a common taxonomy that allows you to browse events in real time, spot correlations, and search the history of interactions across devices, networks, operating systems, and applications.

Making Connections

SIEM lets you correlate between events recorded in different logs for related systems. This is significant because attackers often exploit multiple vulnerabilities on separate but connected systems. With today's distributed applications, the challenge of troubleshooting more routine failures or slowdowns is not so different. The breakdown often lies in the connection between two systems, rather than in one or the other.

LEM could be the key to finding the answer faster the next time you’re wrestling with the question, “Is the problem with the network or the application?” LEM lets you start with one simple fact, such as discovering the IP address of a server that is not performing properly. It then helps you retrieve a set of correlated events. Rather than cycling through a list of specialized tools for network, application, and database monitoring, use LEM to get a snapshot of all of them together. You can then go back to those other tools as necessary.

For example, a search that starts by looking up an e-commerce application server by IP address and sorting through correlated events might show that the problem was neither the application nor a network failure. Instead, you discover several Duplex Mismatch errors pointing toward a misconfigured switch. If the problem was a misconfigured router, log analysis would provide clues to that issue, too.

You Can Do This the Hard Way or the Easy Way

Many network administrators might dig into logs the hard way. They rely on grep, Perl scripts, and regular expressions, which may require writing scripts or programs to extract even the most basic information. Locating that information is challenging, especially if you don’t know what you are looking for, or where to look.

To find the data you need, use Log & Event Manager's nDepth search. You can think of LEM's nDepth data exploration tool as a search engine for system logs. LEM also includes a reporting engine for retrieving data you consult on a routine basis.

[Figure: LEM's nDepth Explorer lets you search log data and discover correlations between events.]

LEM provides a consolidated store of system and network events compressed into a tamper-proof database. It is normalized and optimized for search, and intelligent enough to help you identify meaningful correlations. For example, you can see the relationships between Web application server and database events recorded in separate logs, and the sequence in which they occurred.

LEM uses a variety of visualization and data discovery techniques, such as word clouds and parameterized searches, to help you filter through the inherent noise found in log data. This makes it easier to identify the events that are most important.

Look at any single system event, and LEM lets you see what other events occurred immediately before and immediately after. This allows you to piece together the sequence of events related to a problem. Similarly, you can start your search with the IP address of the Web server front end of a malfunctioning application. LEM also displays log data from related systems, such as the database backend. So even if you were certain that the problem was on the Web server, you would be able to quickly see if the database server has been generating error messages, which would then help guide your search for clues.

LEM and the Effective Network Administrator

Network administrators should become more familiar with LEM, given the role they play with network security. They are often the first to spot suspicious traffic patterns or other signs of a breach, even in organizations large enough to support a dedicated security specialist.

A SolarWinds product manager was demonstrating LEM for a client recently and stumbled across a pattern of traffic being directed through a DNS server outside the firewall. It turns out this was no mere misconfiguration, but a hack designed to misdirect proprietary information outside the organization.

While hacking occurs at every level, from the application to the hardware, attacks targeting the base network infrastructure are among the most insidious. The entire IT team must work together to prevent them, detect them, and shut them down.

LEM is great for tracking unauthorized access that might not be “hacking” per se, but might include improper off-hours access by a contractor, or prohibited use of remote access tools such as GoToMyPC on an enterprise network. LEM also pays off in more network-related issues, or those that span networking and security.

Managing configuration is a security issue as well as a reliability and performance issue, particularly for remote or traveling employees who rely on VPN connections. The two most common network administration requirements are:

User monitoring: Many organizations want routine tracking of logons and logon attempts, particularly for outside vendors with network access permissions. LEM can extract this information from firewall and VPN logs and flag inappropriate access in scheduled VPN […] shut it down automatically.

VPN connection problems: LEM can provide real-time alerts with details when a failure occurs at any phase of the VPN connection process.

Change management: If you have been tasked with applying an enterprise-wide change to firewalls and VPNs, SolarWinds Network Configuration Manager (NCM) can help you prepare the configurations and perform a mass update. Immediately after, you can use your SIEM console to monitor events recorded on these devices, and check for:

- Errors, warnings, or exceptions following the push.
- Negative effects on traffic flow across the network.

You can filter real-time log views for specific ports, IP addresses, and log messages to verify that the change was successful. Best of all, you can view all device activity in a single console, rather than accessing each device individually. Finally, NCM allows you to schedule a search or report following the change, which helps you review the logs for further verification.

Pinpointing failures: Instead of pointing fingers, a network administrator should strive to pinpoint the real cause of any problem as quickly as possible. LEM can help. For example, one user complained about how a Microsoft Exchange server was performing poorly. However, SIEM analysis showed a pattern of constant disconnects and reconnects on the server. This wasn’t a software problem at all, but a bad network interface card. Another example involves a remote VoIP service that blamed voice quality problems on the corporate firewall. The logs proved traffic was coming through the firewall just fine, and that the problem was a timing issue on the service provider network due to misconfigured server ports.

Proactive Monitoring

Being able to investigate problems is good, but being able to prevent problems is better. LEM can be configured to detect important events, such as firewall rule changes or port scans, and alert you immediately.

With LEM Active Response, you can also define rules that dictate actions to be performed automatically. For example, Windows agents can be programmed to automatically restart applications that crash or freeze. Other actions include blocking access from a specific IP address, shutting down a service, or deactivating a user account.

One customer reported saving at least five hours per week after automating the password reset process for its mail server. Instead of waiting for users to request a password reset after being locked out of their account, they configured LEM to detect the lockout condition and automatically initiate a password reset.

LEM ships with a library of suggested Active Response actions, and multiple actions can be applied to a single response. Most customers tend to build rules around sending an alert to a system administrator when an event occurs, but you can specify other actions that should be taken in addition to or instead of an alert, such as automatically restarting an application or suspending the account of a user. Possible actions vary depending on the system in question, but we give you a range of options.

Using Correlation Rules, you can go beyond detecting a single event to watching for patterns within common problems, such as configuration changes that result in network slowdowns. A Correlation Rule might also detect three failed attempts within a 30-second window to log on to a server that manages payroll. In this case, that user’s account could be deactivated, either across a domain or on that local machine.

LEM comes with more than 700 built-in event Correlation Rules, which you can clone and modify as needed.
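As an added illustration (this is not code from the eBook, nor anything SolarWinds ships), the following Python script models the two mechanisms described on this page and on page 5: first events from different sources are normalized into one common schema, then a threshold Correlation Rule runs over the normalized stream and fires the "three failed logons within 30 seconds on the payroll server" condition. The log lines, host names (PAYROLL01, vpn-gw1) and the "sslvpn: login failed" message format are constructed for the example; Windows event IDs 4624 and 4625 are the standard logon success and failure IDs. The response action is only recorded in the returned alert, never executed.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample lines standing in for two different log sources: a Windows
# security log export and a syslog-style message from a VPN gateway.
SAMPLE_LOGS = [
    "2024-03-01T09:00:01 PAYROLL01 Security EventID=4625 user=jsmith src=10.0.5.23 status=Failure",
    "2024-03-01T09:00:05 PAYROLL01 Security EventID=4625 user=jsmith src=10.0.5.23 status=Failure",
    "Mar  1 09:00:07 vpn-gw1 sslvpn: login failed user=tlee from=198.51.100.7",
    "2024-03-01T09:00:20 PAYROLL01 Security EventID=4625 user=jsmith src=10.0.5.23 status=Failure",
    "2024-03-01T09:00:25 PAYROLL01 Security EventID=4624 user=jsmith src=10.0.5.23 status=Success",
    "Mar  1 09:01:00 vpn-gw1 sslvpn: login failed user=tlee from=198.51.100.7",
]

WINDOWS_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) Security EventID=(?P<eid>\d+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) status=\S+$"
)
# Hypothetical VPN message format used only for this example.
VPN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sslvpn: login "
    r"(?P<result>failed|succeeded) user=(?P<user>\S+) from=(?P<src>\S+)$"
)
WINDOWS_EVENTS = {"4625": "logon_failure", "4624": "logon_success"}


def normalize(line, syslog_year=2024):
    """Map one raw line onto the common schema; returns None for unknown formats.

    syslog_year is assumed because classic syslog timestamps carry no year.
    """
    m = WINDOWS_RE.match(line)
    if m:
        return {
            "time": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "source": "windows",
            "event": WINDOWS_EVENTS.get(m["eid"], "other"),
            "user": m["user"],
            "src_ip": m["src"],
        }
    m = VPN_RE.match(line)
    if m:
        ts = " ".join(m["ts"].split())  # collapse the padded day field
        return {
            "time": datetime.strptime(f"{syslog_year} {ts}", "%Y %b %d %H:%M:%S"),
            "host": m["host"],
            "source": "vpn",
            "event": "logon_failure" if m["result"] == "failed" else "logon_success",
            "user": m["user"],
            "src_ip": m["src"],
        }
    return None


def normalize_all(lines):
    """Normalize every parseable line and return the events in time order."""
    events = [e for e in (normalize(l) for l in lines) if e is not None]
    return sorted(events, key=lambda e: e["time"])


def correlate_failed_logons(events, threshold=3, window_seconds=30,
                            watched_hosts=("PAYROLL01",)):
    """Threshold rule: N logon failures for one (host, user) inside a sliding window.

    watched_hosts=None watches every host. Each burst fires once; the action is
    just a label in the alert record.
    """
    window = timedelta(seconds=window_seconds)
    recent = {}   # (host, user) -> deque of failure timestamps inside the window
    alerts = []
    for ev in events:
        if ev["event"] != "logon_failure":
            continue
        if watched_hosts is not None and ev["host"] not in watched_hosts:
            continue
        key = (ev["host"], ev["user"])
        q = recent.setdefault(key, deque())
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:   # drop timestamps that aged out
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "host": ev["host"], "user": ev["user"], "count": len(q),
                "first": q[0], "last": ev["time"],
                "action": "deactivate_account",
            })
            q.clear()   # reset so the same burst does not fire again
    return alerts


if __name__ == "__main__":
    for alert in correlate_failed_logons(normalize_all(SAMPLE_LOGS)):
        print(alert)
```

In the sample data the three jsmith failures on PAYROLL01 fall inside a 19-second span and produce one alert, while the two tlee failures on the VPN gateway are 53 seconds apart and produce none even when every host is watched; a rule like this is only as good as the clock alignment of its sources, so normalizing timestamps (including the missing syslog year) comes before any correlation.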

Solutions Instead of Finger-Pointing

Think of LEM as a tool to help teams of network, system, application, database, and security professionals act more like one big team. The key to achieving a high-performing, reliable system isn’t to expect perfection, but to improve prevention skills and work to resolve issues faster when things do go wrong.

Network administrators have limited visibility beyond their area of expertise. What we can do is work with them to pay attention to the borders between our specialties so that nothing falls through the cracks.

By correlating data across the entire IT department, we have the opportunity to not merely point fingers but discover the probable root cause of a problem. So instead of saying, “It’s not the network, it’s the application,” you can indicate where your system administrator peer can start looking by pointing to a specific series of log entries correlated with an application failure.

Built for Integrity

LEM compresses data by 95% to 98% compared with the original log files. At the same time, data is indexed for retrieval, and normalized to factor out superficial differences between the applications and network devices. This makes it possible to see correlations between events recorded by different, but related systems across your network. The original log data is retained, so you can always refer back to it after finding a significant event with LEM's discovery tools.

LEM is implemented as a virtual appliance, a ready-made virtual machine image you can run on VMware ESX or Microsoft Windows Hyper-V. A LEM instance includes a hardened operating system and a combination of PostgreSQL and the Apache Lucene search engine for data storage and retrieval. Once recorded, data becomes read-only, making it a trustworthy source for audits and compliance review.

Although we talk about log analysis, LEM does not rely on the actual text-based log files written to disk. This is partly because text-based log files are too easily altered or deleted. In most cases, LEM data collection agents intercept log data before it is written to disk. This is true of events captured from operating systems, Windows Active Directory, major database platforms, ERP, customer service systems, and many other sources, with more than 800 connectors available.

Connectors are designed for a very lean footprint, consuming no more than 2% of CPU in most cases. In the case of network devices, LEM records log messages sent via syslog and SNMP without the need for an agent.

Put LEM to Work for You

The best way to understand how LEM can save you time and aggravation is to try it. Download a free 30-day trial from www.solarwinds.com. Out of the box, you get an easy-to-install virtual appliance containing a database optimized for indexing log data, more than 800 connectors for collecting that data, and extensive libraries of reports and filters, as well as intelligent Correlation Rules. You can have it up and running in about an hour.

As a network administrator, you may be only one of the people evaluating the product while peers are looking at it through the lens of security or application administration. Still, take the time to run a few searches to see what you can learn through consolidated log and event analysis that would be hard to find out any other way. Try applying the tool to troubleshooting if something goes wrong. If nothing goes wrong during the 30-day evaluation period (how likely is that?), maybe you force the issue by simulating a network or application failure during a scheduled maintenance window so you can see how the glitch shows up in the logs.

We think you will find LEM’s value goes beyond security to solving problems of all sorts across the network and networked applications.

Learn more about Log & Event Manager

Or visit solarwinds.com/lem to learn more about the capabilities of Log & Event Manager.
