Connector Configuration Tables

Created by Caroline Juszczak, last modified by Kevin.Swinson on Oct 31, 2017

The tables in this section describe the various categories of network security products that can be connected to LEM, and explain the fields for configuring sensors, actors, and notification systems.

Connector categories

The following table describes the various categories of network security products that can be connected to LEM. The Description column describes how the connectors (sensors and actors) typically work with each type of product or device. The Use with columns indicate if each product type requires Manager connectors, Agent connectors, or both.

Each category below lists the connectors it is used with (Managers, Agents, or both), followed by its description.

Anti-Virus
Use with: Managers and Agents

This category lets you configure sensors for use with common anti-virus products. These products protect against, isolate, and remove viruses, worms, and Trojan programs from computer systems.

To configure an anti-virus connector, the anti-virus software must already be installed on the Agent computer.

Some anti-virus connectors can also run on the Manager when an anti-virus server logs remotely to it.

Due to software conflicts, it is recommended that you run only one brand of anti-virus software per computer.

Application Switch
Use with: Managers

This category lets you configure sensors for use with application switches. Application-layer switches transmit and monitor data at the application layer.

Database
Use with: Managers and Agents

This category lets you configure sensors for use with database auditing products. These products monitor databases for potential intrusions, changes, and database system events.

File Transfer and Sharing
Use with: Agents

This category lets you configure sensors for use with file transfer and file sharing products. These products are used to share files over the local network and/or the Internet. Monitoring these products provides information about which files are being transferred, by whom, and about system events.

Firewalls
Use with: Managers and Agents

This category lets you configure sensors and actors for use with applications and devices that protect and isolate networks from other networks and the Internet.

Firewall sensors connect to, read, and retrieve firewall logs. Most firewalls also have an active response connector. These connectors configure actors that interface with routers and firewalls to perform block commands. Actors can perform active responses either via telnet or via a serial/console cable.

To configure a firewall connector, the firewall product must already be installed on the Agent computer, or it must be logging remotely to an Agent or a Manager. Normally, you will configure these connectors on the Manager.

You must also configure each firewall's data gathering and active response capabilities separately. For example, configuring a firewall's data gathering capabilities does not configure the firewall's active response settings.

Identity and Access Management
Use with: Agents

This category lets you configure sensors for use with identity access, identity management, and other single sign-on connectors. These products provide authentication and single sign-on capabilities, account management, and other user access features. Monitoring these products provides information about authentication and about the management of accounts.

IDS and IPS
Use with: Managers and Agents

This category lets you configure sensors and actors for use with network-based and host-based intrusion detection systems. These products provide information about potential threats on the network or host, and can be used to raise alarms about possible intrusions, misconfigurations, or network issues.

Generally, network-based IDS and IPS connectors are configured to log remotely, while host-based IDS and IPS systems log locally on an Agent system. Some network-based IPS systems can perform an active response via their actor connector, allowing you to block an IP address at the IPS device.

Manager
Use with: Managers

This category lets you configure sensors for use with the Manager and other appliances. These connectors monitor for conditions on the Manager that may be informational or that indicate potential problems with the appliances.

Network Management
Use with: Managers and Agents

This category lets you configure sensors for use with network management connectors. These connectors monitor different types of network activity from users on the network, such as workstation-level process and application monitoring. Generally, these systems are configured to log remotely from a central monitoring server.

Network Services
Use with: Managers and Agents

This category lets you configure sensors for use with different network services. These connectors monitor service-level activity for different network services, including DNS and DHCP. Most network services are configured to log locally on an Agent's system; however, some are configured to log remotely.

Operating Systems
Use with: Agents

This category lets you configure sensors for use with utilities in the Microsoft Windows operating system that monitor system events.

This category includes a Windows Active Response connector. This connector configures an actor that enables Windows active response capabilities on Agents running Windows operating systems. This allows LEM to perform operating-system-level responses, such as rebooting computers, shutting down computers, disabling networking, and disabling accounts.

To configure an operating system connector, the operating system software must already be installed on the Agent computer.

If you perform the remote Agent installation, the Windows NT/2000/XP Event Application Logs and System Logs connectors are configured by default.

Proxy Servers and Content Filters
Use with: Managers and Agents

This category lets you configure sensors for use with different content monitoring connectors. These connectors monitor user network activity such as web surfing, IM/chat, and file downloads, as well as events related to administering the monitoring systems themselves. Generally, these connectors are configured to log remotely from the monitoring system.

Routers/Switches
Use with: Managers and Agents

This category lets you configure sensors, and in some cases actors, for use with different routers and switches. These connectors monitor activity from routers and switches such as connected/disconnected devices, misconfigurations or system problems/events, detailed access-list information, and other related messages. Some routers/switches allow you to configure an actor connector to block an IP address at the device. Generally, these connectors are configured to log remotely from the router/switch.

System Scan Reporters
Use with: Agents

This category lets you configure sensors for use with different asset scanning connectors, such as vulnerability scanners. These connectors provide information about potential vulnerabilities, exposures, and misconfigurations on different devices on the network. Generally, these connectors create events in the 'Asset' categories in the event tree.

System Connectors
Use with: Managers

This category lets you configure the Manager with an external notification system, so LEM can transmit event messages to LEM users via email or pager.

VPN and Remote Access
Use with: Managers and Agents

This category lets you configure sensors and actors for use with Virtual Private Network (VPN) server products that provide secure remote access to networks. Normally, you will configure these connectors on the Manager.

Web Server
Use with: Agents

This category lets you configure sensors for use with Web server products. To configure a web server connector, the web server software must already be installed on the Agent or Manager computer.

Configure sensors

The following table describes each field you'll find on the Connector Configuration form when configuring sensors for data gathering connectors. The actual fields that appear depend on the connector you are configuring. Not every field appears with every connector. For convenience, the table is sorted alphabetically by field name.

Field Description

Alias

Type a name that easily identifies the application or appliance event log file that is being monitored.

For active response connectors, we recommend you end the alias with AR. For example, an alias for the Cisco PIX Active Response connector might be Cisco PIX AR. This allows you to differentiate the active response connector from the data gathering connector.

Log File / Log Directory

When you create a new alias for a connector, LEM automatically places a default log file path in the Log File box. This path tells the connector where the operating system stores the product's event log file.

For most connectors, you can change the log file path, as needed. However, some products write events to the Windows Application Log or the Windows System Log. In these cases, you are actually configuring the sensor that monitors events that are written to that log file. For these connectors, the Log File setting is disabled, and the system automatically populates the Log File field with the name of the Windows event log the sensor is monitoring.

In most cases, you should be able to use the default log file path shown for the connector. These paths are based on the default vendor settings and the product documentation for each product. If a different log path is needed, type or paste the correct path in the Log File box, or use the Browse button to browse to the correct folder or file.

If you are uncertain about which file path to use, either refer to your original product documentation, or contact SolarWinds Technical Support.

If the product creates separate log files based on the current date or some other fixed interval, you can select either the log directory or any log file in that directory. If you select a log file, LEM reads through the directory's log files in order, from the file you selected to the most current file. LEM then reads new files as they are added.

nDepth Host

If you are using a separate nDepth appliance (other than LEM), type the IP address or host name for the nDepth appliance. Generally, the default setting is correct. Only change it if you are advised to do so.

nDepth Port

If you are using a separate nDepth appliance (other than the SolarWinds LEM), type the port number to which the connector is to send nDepth data. Generally, the default setting is correct. Only change it if you are advised to do so.

New File Name Interval

Select the interval in which the connector posts and names each new log file. The interval tells the SolarWinds LEM when to begin reading the next log file. The default setting is Daily: yymmdd.

Output

Select the appropriate data output option:

Event: This is the default option. It sends the connector's log file data as events to the SolarWinds LEM for processing by your correlation rules, associated active responses, SolarWinds Consoles, and databases.

nDepth: This option sends the connector's log file data to a separate nDepth appliance for archiving. The data does not go to the SolarWinds LEM, so any potential event activity does not appear in the Event Panel. However, you can still use the Console's nDepth explorer to search the data on this appliance.

Event, nDepth: SolarWinds recommends that you choose this option if you want to use nDepth to search log messages in addition to events. This option sends the connector's log file data to the SolarWinds LEM for event processing and to SolarWinds nDepth for data archiving. This means the LEM reports potential event activity in the Event Panel, and nDepth archives the connector's output data for later reference. Furthermore, you can use the Console's nDepth explorer to search either type of data.

Server IP Address / [Product] IP Address / [Product] Server

Type the IP address of the router or firewall. Use the following IP address format: 192.123.123.123.

Sleep Time

Type or select the time (in seconds) the connector sensor is to wait between event monitoring sessions. The default (and minimum) value for all connectors is one (1) second. If you experience adverse effects due to too many rapid readings of log entries, increase the Sleep Time for the appropriate connectors.

Windows NT-based connectors automatically notify Windows Event Log sensors of new events that enter the log file. Should automatic notification stop for any reason, the Sleep Time dictates the interval the sensor is to use for monitoring new events.
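The Log File / Log Directory, New File Name Interval and Sleep Time fields above together describe one reading loop: start at the selected file (or the whole directory), read the rotated files in date order up to the most current one, pick up files that appear later, and pause Sleep Time seconds between monitoring sessions. The following Python is an added example of that loop; it is not SolarWinds LEM code. It assumes rotated files are named <prefix><yymmdd>.log (the "Daily: yymmdd" interval) and hold one event per line, and the sample log lines it builds are constructed for the demonstration.

```python
"""Ordered reading of date-rotated log files with Sleep Time polling.

Added example, not SolarWinds LEM code. Assumptions: files are named
<prefix><yymmdd>.log (the "Daily: yymmdd" interval) and hold one event
per line; the sample data below is constructed, not real log output.
"""
import os
import re
import tempfile
import time

DATE_RE = re.compile(r"(\d{6})\.log$")   # assumed naming, e.g. fw171031.log


def rotation_key(filename):
    """Return the yymmdd string in a rotated log file name, or None."""
    m = DATE_RE.search(filename)
    return m.group(1) if m else None


def files_from(directory, selected=None):
    """Rotated log files in date order, from `selected` to the most current.

    selected=None means the whole log directory was chosen.
    """
    dated = []
    for name in os.listdir(directory):
        key = rotation_key(name)
        if key is not None:
            dated.append((key, name))
    dated.sort()                      # yymmdd strings sort chronologically
    if selected is None:
        return [name for _, name in dated]
    start = rotation_key(selected)
    if start is None:
        raise ValueError(f"{selected!r} does not follow the yymmdd naming")
    return [name for key, name in dated if key >= start]


class RotatingTailer:
    """Delivers new events across rotated files without re-reading old ones."""

    def __init__(self, directory, selected=None):
        self.directory = directory
        self.selected = selected
        self.offsets = {}        # file name -> bytes already consumed
        self.finished = set()    # files rotated past; never reopened

    def _read(self, name, final):
        """Return new complete lines; `final` also flushes a partial last line."""
        offset = self.offsets.get(name, 0)
        with open(os.path.join(self.directory, name), "rb") as fh:
            fh.seek(offset)
            data = fh.read()
        parts = data.split(b"\n")
        complete, rest = parts[:-1], parts[-1]
        if final and rest:
            complete.append(rest)
            rest = b""
        self.offsets[name] = offset + len(data) - len(rest)
        return [p.decode("utf-8", errors="replace") for p in complete]

    def poll(self):
        """One monitoring session: every event not yet delivered, in order."""
        pending = [n for n in files_from(self.directory, self.selected)
                   if n not in self.finished]
        events = []
        for name in pending:
            is_last = name == pending[-1]
            events.extend(self._read(name, final=not is_last))
            if not is_last:
                self.finished.add(name)   # a newer file exists; this one is done
        return events

    def run(self, sleep_time=1):
        """Poll forever, sleeping Sleep Time seconds (minimum 1) between sessions."""
        sleep_time = max(1, sleep_time)
        while True:
            for event in self.poll():
                yield event
            time.sleep(sleep_time)


def write_text(directory, name, text, append=False):
    """Write or append constructed log text to a file in `directory`."""
    mode = "a" if append else "w"
    with open(os.path.join(directory, name), mode, encoding="utf-8") as fh:
        fh.write(text)


def build_sample_dir():
    """Create a temp directory of constructed sample logs (not real data)."""
    directory = tempfile.mkdtemp(prefix="lem-example-")
    write_text(directory, "fw171029.log",
               "deny tcp 10.0.0.5 -> 192.0.2.10:445\nallow tcp 10.0.0.7 -> 192.0.2.20:443\n")
    write_text(directory, "fw171030.log", "deny udp 10.0.0.9 -> 192.0.2.10:161\n")
    # The last file ends mid-line, as a file still being written would.
    write_text(directory, "fw171031.log",
               "allow tcp 10.0.0.5 -> 192.0.2.30:80\ndeny tcp 10.0.0.5 -> 192.0.2.10")
    return directory


if __name__ == "__main__":
    sample = build_sample_dir()
    tailer = RotatingTailer(sample, selected="fw171030.log")
    print(tailer.poll())
```

Selecting fw171030.log skips the older file entirely, and the partial last line of the current file is held back until its newline arrives, which is what keeps one event from being split across two monitoring sessions.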

Connector Version

This is the SolarWinds release version for this connector. This is read-only information for reference purposes.

Wrapper Name

This is an identification key that the SolarWinds LEM uses to uniquely identify the properties that apply to this particular connector. This is read-only information for SolarWinds reference purposes.

If the connector settings you need are not shown here, you are probably configuring an active response connector. When you finish configuring the connector settings, start the connector.

Configure actors

The following table describes each field you will find on the Connector Configuration form when configuring actors for active response connectors. Because each connector is product-based, the fields that appear depend on the connector you are currently configuring. Not every field appears with every connector. For convenience, the table is sorted alphabetically by field name.

Field Recommended field settings

Advanced

These settings are no longer applicable.

Auth Port

For CheckPoint OPSEC firewalls, select the port used to connect to the CheckPoint server via the LEA/OPSEC interface.

Base URL

Type the URL to connect to the SonicWALL firewall and perform the login. Include http:// at the beginning of the URL.

SolarWinds does not support HTTPS. Only use this connector for older SonicWALL firmware versions.

Block Timeout

For CheckPoint OPSEC firewalls, type the timeout in seconds for the blocks to expire from the firewall. A value of zero (0) means never expire.

Client DN

For CheckPoint OPSEC firewalls, type the client DN string. The CN and O must be uppercase.

Configuration Mode

Select either telnet or SerialPort.

Enable Password

Type the connector's password for entering Enable mode.

Enable Windows Active Response

For the Windows Active Response connector, select this check box to enable active response settings.

From Zone

Type the external zone used for configuring restrictions on firewall connections.

Incoming Interface

Type the Interface for which the block is to be made effective; that is, the Interface for which incoming traffic will be filtered to prevent traffic from the blocked IP address.

Password / Login Password

Type the connector's login password. For some products, the password name must be the same one that was used when the firewall was installed.

Port Name / Serial Port Name

Select a serial port for performing active response via console cable, if applicable. The port name represents the physical communication port on the computer. The port name is only relevant if the Configuration Mode field is set to SerialPort.

/dev/ttyS0 = serial port 1, and

/dev/ttyS1 = serial port 2.

If the Configuration Mode is set to telnet, then this field is disabled and the Port Name box reads: There are no ports available.

Remote Connection Port

Type the firewall port used for connecting to and configuring the firewall.

Server DN

For CheckPoint OPSEC firewalls, type the server DN string. The cn and o must be lowercase.

Server Port

For CheckPoint OPSEC firewalls, select the port used to connect to the CheckPoint server via the SAM/OPSEC interface.

Server / Server Address / IP Address / [Product] IP Address

Type the IP address of the router or firewall. This address allows LEM to perform active responses to events on that particular router or firewall. Use the following IP address format: 192.123.123.123.

SSLCA

For CheckPoint OPSEC firewalls, click Browse to locate the SSL certificate file to upload to the server. If the connector is already configured, then use the existing certificate on the server. You can use the same path for both the LEA (log reading) and SAM (active response) certificates.

Take Admin Control

Only one person can configure the firewall at one time. Selecting this check box allows LEM's active response to take administrative control over the firewall when a user is logged into the WatchGuard Management Console. That is, LEM disconnects the user and takes control over the firewall.

To Zone

Type the internal zone used for configuring restrictions on firewall connections.

Connector Configuration Instance (Alias)

Type a name that easily identifies the product that LEM is to act on. For active response connectors, we recommend you end the alias with AR. For example, an alias for the Cisco PIX Active Response connector might be Cisco PIX AR. This allows you to differentiate the active response connector from the data gathering connector.

User Name / Login User Name

Type the user name needed to log onto and configure the firewall. For some products, the user name must be the same one that was used when the firewall was installed.

If the connector settings you need are not shown here, you are probably configuring a data gathering (sensor) connector. When you have finished configuring the connector settings, don't forget to start the connector.

Set up a Notification System

The Connector Configuration form has a category called System connectors that you can use to set up an external notification system. This allows the Manager to transmit messages to SolarWinds users via e-mail or pager, to record pertinent event data or text to a specified file, or to synchronize your existing Directory Service Groups with your existing network directory services.

The following table explains how to configure each option in the System connectors category.

Field Recommended field settings

Append Text to File Active Response

Description

Use this connector to have the Agent write the specified event data or text to the specified file.

How to append

Select Newline to write the event data to the file so that each event is on a distinct line (that is, one event per line), by inserting a return or newline character.

Select No Newline to stream the event data to the file by appending the new data immediately following any existing data in the file.

Maximum file size (MB)

Type the allowable maximum file size for the text file, in Megabytes.
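As an added example of the Append Text to File active response described above (this is not LEM code), the following Python applies the two How to append modes and the maximum file size. The page does not say what LEM does when the limit is reached or when event text itself contains a line break, so the example makes two labelled choices: in Newline mode it escapes embedded CR/LF so one line in the file is always one event, and it refuses a write that would take the file past the limit rather than truncating the file.

```python
"""Append Text to File active response, as an added example (not LEM code).

Assumed choices the page does not specify: Newline mode escapes embedded
CR/LF so one line stays one event, and a write that would exceed the
maximum file size is refused rather than truncated.
"""
import os
import tempfile

MB = 1024 * 1024


def append_event(path, text, how="Newline", max_size_mb=10):
    """Append one event to `path`.

    Returns True if the data was written, False if writing it would push
    the file past `max_size_mb` megabytes.
    """
    if how == "Newline":
        # One event per line: neutralise embedded line breaks so a crafted
        # event cannot forge additional lines in the output file.
        body = text.replace("\r", "\\r").replace("\n", "\\n") + "\n"
    elif how == "No Newline":
        body = text                       # stream the text exactly as given
    else:
        raise ValueError("how must be 'Newline' or 'No Newline'")
    payload = body.encode("utf-8")
    current = os.path.getsize(path) if os.path.exists(path) else 0
    if current + len(payload) > max_size_mb * MB:
        return False
    with open(path, "ab") as fh:
        fh.write(payload)
    return True


def read_output(path):
    """Return the file's full contents as text."""
    with open(path, "rb") as fh:
        return fh.read().decode("utf-8")


def output_path():
    """Path for a constructed output file in a fresh temporary directory."""
    return os.path.join(tempfile.mkdtemp(prefix="lem-append-"), "events.txt")


if __name__ == "__main__":
    p = output_path()
    append_event(p, "UserLogonFailure user=alice", how="Newline")
    append_event(p, "UserLogonFailure user=bob", how="Newline")
    print(read_output(p))
```

The escaping matters because the file is often consumed by another tool one line at a time; without it, an event whose text contains a newline would appear as two records.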

Directory Service Query

Description

Use this connector to have the Manager communicate with existing directory services on the network to retrieve and update group information. This allows you to synchronize your existing Directory Service Groups for use with rules and filters.

User Name

Type a user name that is valid on the configured domain and server for authenticating to the domain and retrieving group information.

Directory Service Server

Type the IP address or host name of your directory services server (commonly, this is a domain controller).

Domain Name

Type the fully-qualified domain name of your directory services domain.

Password

Type the password for the above user name that is valid on the configured domain and server for authenticating to the domain and retrieving group information.

Directory Service Server's Port

Type the port used to communicate with the directory service server.

Email Active Response

Description

Use this connector to have a Manager automatically notify users of events when configured to do so by event policy.

Return Display Name

Type the name that you want to appear in the From field of active response e-mail messages.

Port

Type the port used to communicate with the internal email server.

Return Address

Type the email address that you want to appear in the From field of active response email messages.

Mail Host

Type the IP address or host name of an internal SMTP server that the Manager can use to send email messages through without authentication.

Authentication Server Username

Type the user name needed to access the internal email server, if required.

Authentication Server Password

Type the password needed to access the internal email server, if required.

Test E-mail Address

Type the e-mail address you want to use to test the Mail Host assignment. When you click Test Email, a test message should appear at this email address.

Test Email button

This button tests your email notification settings to ensure that you entered the correct e-mail host.

Click Test Email. Then check the email address's in-box. If you entered the correct address, the in-box should receive the test message.

 
