Submit a ticketCall us

Announcing NCM 7.7
With NCM 7.7, you can examine the rules that make up an access control list for a Cisco ASA device. Then you can apply filters to display only rules that meet the specified criteria, order the rules by line number or by the hit count, and much more.
See new features and improvements.

Home > Success Center > Log & Event Manager (LEM) > SolarWinds LEM 6.3 User Guide > Introduction to LEM > How LEM works

How LEM works

Created by Caroline Juszczak, last modified by Caroline Juszczak on Sep 16, 2016

Views: 134 Votes: 0 Revisions: 10

SolarWinds LEM collects log data in your corporate network from two resources:

  • Agents: software modules that collect and normalize log data before it is sent to the LEM Manager.
  • Non-agent devices: devices that send log data directly to the LEM Manager for normalization and processing.

After the data are normalized, the LEM Manager processes the data. The LEM Manager policy engine correlates the data based on user-defined rules and local alert filters, and initiates the associated actions when applicable. These actions can include:

  • Notifying users through the console or by email
  • Blocking an IP address
  • Shutting down or rebooting a workstation
  • Passing alerts to the LEM database for future analysis and reporting within the Reports application

You can install agents on workstations, servers, and other network devices. Agents can send log data from security products (such as antivirus software and network-based intrusion systems) on each device to the LEM virtual appliance. If you cannot install an agent on a device (such as firewalls and routers), you can configure the device to send log data to the LEM Manager for normalization and processing. If your change management process does not permit adding any additional syslog servers to the network device configurations, you can leverage your existing syslog servers.

Audit reports

You can generate reports against your Log & Event Manager database using the LEM reports console installed on a supported server. Using the console, you can schedule and execute over 300 audit reports. If your corporate security policy restricts access to sensitive reports, you can configure your LEM Appliance to restrict access to the console by IP address. During the 30-day evaluation period, you can install the console on any server or workstation that can access port 9001 in the LEM Manager. You can also export reports to multiple formats, including TXT, PDF, CSV, DOC, XLS, and HTML.

Integration with SolarWinds products

Additional SolarWinds solutions such as Network Performance Monitor (NPM), Server & Application Monitor (SAM) and Virtualization Manager (VMan) can send performance alerts as SNMP Traps to the LEM Manager to correlate performance alerts with LEM events.

LEM uses additional data collection tools such as Web Services and SNMP Traps. Contact Customer Service for more information about integrating LEM into your corporate enterprise.

Security, audit policies, and best practices

For LEM appliance security information, see LEM appliance security information. For LEM audit polices and best practices, see LEM appliance security information.

Learn more...

How reservations work on LEM 

Last modified
15:31, 16 Sep 2016