Submit a ticketCall us

Announcing NPM 12.2
With NPM 12.2 you can monitor your Cisco ASA firewalls, to monitor VPN tunnels for basic visibility and troubleshooting tunnels. NPM 12.2 also uses the SolarWinds Orion Installer so you can easily install and upgrade one or more Orion Platform products simultaneously.
See new features and improvements.

Home > Success Center > Log & Event Manager (LEM) > SolarWinds LEM Agent benefits and best practices

SolarWinds LEM Agent benefits and best practices

Overview

This article discusses the SolarWinds LEM agent's benefits and best practices. The SolarWinds LEM Agent can be installed on a variety of operating systems to normalize and transmit its host’s log data to the LEM Manager. There are a number of benefits of installing the LEM Agent on hosts across your network, and your deployment strategy will depend on what benefits are most important to you. 

Environment

All LEM versions

Detail

Benefits of the LEM Agent

  • Secure, efficient communication
    The LEM Agent uses Secure Socket Layer\Transport Layer Security (SSL/TLS), which is a bandwidth-friendly encryption and compression technology, which provides secure communication with the LEM Manager and ensures the impact on the network is very small. This secure, real-time communication is especially important for data integrity as it sends the logs to a secure collection point before they are exposed to potentially being manipulated or deleted.
  • Centralized logging
    Once the LEM Agent normalizes the logs it collects, it sends the normalized alerts to the LEM Manager for real-time monitoring, powerful correlation, efficient reporting, and long-term storage.
  • Alert correlation
    Alert correlation is at the heart of what LEM does. It allows you to compare log files from a variety of sources to identify patterns that are indicative of a variety of networking issues, external threats, and insider abuse.
  • Local visibility
    Your firewall does not log everything, nor do your domain controllers. The LEM Agent provides additional visibility at the “local” level for events on workstations and member servers that otherwise might be missed. Software installations and logon failures are just two examples.
  • USB device monitoring
    USB Defender is a free add-on for all LEM Agents installed on Windows computers. It tracks events related to USB mass storage devices like flash drives and smart phones, and allows the LEM Manager to send commands to detach offending devices both manually and automatically.
  • Active response
    There are several active responses built into the LEM Manager and some of them require a LEM Agent to execute them. Examples include logging off a user, shutting down a computer, and detaching a USB device.

Deployment best practices

  • Deploy to domain controllers for broad coverage
    When planning your deployment in a domain environment it is especially critical to install the LEM Agent on all domain controllers, which make up the central repository for most audit data. From these computers you will gather critical security events, such as domain-level account lockouts, change management events, and privileged account activity. Remember that not all events are replicated between domain controllers, so we recommend installing a LEM Agent on all domain controllers.
  • Deploy to workstations and member servers for local coverage and active response
    Even in a domain environment, certain events are not replicated to the domain controllers from member servers and workstations. These events include logon activity, local change management events, file audit events, process and service activity, and local antivirus events.
    Furthermore, some active responses are dependent on the target operating system, making the LEM Agent a prerequisite. Examples of agent-dependent active responses are noted above, but it’s worth mentioning the Detach USB Device action again since it’s driven by USB Defender – a service that provides more than just active response. Additionally, USB Defender tracks all attach, detach, and file audit events for all USB mass storage devices that are attached to a LEM Agent with the USB Defender service installed.
  • Deploy to workstations or servers to monitor antivirus events
    Antivirus is another consideration. Where you deploy your LEM Agents will also depend on where your antivirus logs. If it logs to an antivirus server, a LEM Agent on that server will do the trick. However, if it logs at each endpoint, the LEM Agent will be needed on each computer in order to effectively track and respond to antivirus events with the LEM Manager
Last modified
20:20, 22 Jun 2016

Tags

Classifications

Public