Submit a ticketCall us

Announcing NCM 7.7
With NCM 7.7, you can examine the rules that make up an access control list for a Cisco ASA device. Then you can apply filters to display only rules that meet the specified criteria, order the rules by line number or by the hit count, and much more.
See new features and improvements.

Home > Success Center > Log & Event Manager (LEM) > LEM appliance security information

LEM appliance security information

Table of contents
Created by Interspire Import, last modified by Geoffrey Layton on Sep 15, 2016

Views: 273 Votes: 2 Revisions: 13


Log and Event Manager is delivered as a virtual appliance with several related security features and functionality. This article lists appliance and Console security features that are common information requests from customers.


LEM v5.6 and later


  • The Log and Event Manager virtual appliance is a hardened Linux operating system. This means we’ve installed minimal software, keep it patched regularly with LEM updates, have minimal ports open, and provide the ability for customers to restrict or limit most external access.
  • Customers do not have root access to the operating system, but rather utilize a limited command shell. OS access via root or other mechanisms is only used by technical support under certain circumstances, and EVERY LEM  appliance has a different and unique root password that our support team does not know in advance.
  • When making changes to the appliance through the customer command shell, activity is logged and this log can be reviewed. Changes may also be reviewed in the LEM Console and reports.
  • Access to the command shell requires direct access to the appliance virtual console (via the hypervisor) or SSH access. If a customer is using SSH, they can further restrict access to only an acceptable list of IP addresses.
  • Communication to/from the appliance, where technically possible, is encrypted. This includes ALL agent-to-manager (and reverse) communication.
  • Communication to/from the LEM Console is encrypted as long as port 8443 is being used, and non-encrypted traffic can be disabled entirely on the appliance command shell.
  • Access to the LEM Console uses a set of different roles that can be used for limiting visibility and ability to make changes within the LEM system. Customers can also use Active Directory user/group integration to ensure no out-of-band users are being used. The LEM data store only supports write access from the internal application using credentials and connection details that are embedded in the application and are neither editable nor accessible. External access to the database is read-only and can be limited by IP Address by the administrator in the appliance command shell.
  • Activity performed in the Console, including changes and access to certain LEM features, is audited and can be reported on or searched for using LEM Reports and the LEM Console.
Last modified
15:00, 15 Sep 2016