Submit a ticketCall us

Quickly Address Software Vulnerabilities
Patch Manager is an intuitive patch management software which extends the capabilities of WSUS and SCCM to not only patch Windows® servers and workstations, and Microsoft® applications, but also other 3rd-party applications which are commonly exploited by hackers. Learn more about our patch management solution.


Home > Success Center > Log & Event Manager (LEM) > SolarWinds LEM 6.3 User Guide > Introduction to LEM > How LEM works

How LEM works

Created by Caroline Juszczak, last modified by Caroline Juszczak on Sep 16, 2016

Views: 54 Votes: 0 Revisions: 10

SolarWinds LEM collects log data in your corporate network from two resources:

  • Agents: software modules that collect and normalize log data before it is sent to the LEM Manager.
  • Non-agent devices: devices that send log data directly to the LEM Manager for normalization and processing.

After the data are normalized, the LEM Manager processes the data. The LEM Manager policy engine correlates the data based on user-defined rules and local alert filters, and initiates the associated actions when applicable. These actions can include:

  • Notifying users through the console or by email
  • Blocking an IP address
  • Shutting down or rebooting a workstation
  • Passing alerts to the LEM database for future analysis and reporting within the Reports application

You can install agents on workstations, servers, and other network devices. Agents can send log data from security products (such as antivirus software and network-based intrusion systems) on each device to the LEM virtual appliance. If you cannot install an agent on a device (such as firewalls and routers), you can configure the device to send log data to the LEM Manager for normalization and processing. If your change management process does not permit adding any additional syslog servers to the network device configurations, you can leverage your existing syslog servers.

Audit reports

You can generate reports against your Log & Event Manager database using the LEM reports console installed on a supported server. Using the console, you can schedule and execute over 300 audit reports. If your corporate security policy restricts access to sensitive reports, you can configure your LEM Appliance to restrict access to the console by IP address. During the 30-day evaluation period, you can install the console on any server or workstation that can access port 9001 in the LEM Manager. You can also export reports to multiple formats, including TXT, PDF, CSV, DOC, XLS, and HTML.

Integration with SolarWinds products

Additional SolarWinds solutions such as Network Performance Monitor (NPM), Server & Application Monitor (SAM) and Virtualization Manager (VMan) can send performance alerts as SNMP Traps to the LEM Manager to correlate performance alerts with LEM events.

LEM uses additional data collection tools such as Web Services and SNMP Traps. Contact Customer Service for more information about integrating LEM into your corporate enterprise.

Security, audit policies, and best practices

For LEM appliance security information, see LEM appliance security information. For LEM audit polices and best practices, see LEM appliance security information.

Learn more...

How reservations work on LEM 

Last modified
15:31, 16 Sep 2016