SolarWinds LEM, it'll get the job done if you're willing to get your hands dirty.
November 07, 2017


Anonymous | TrustRadius Reviewer
Score 6 out of 10
Vetted Review
Verified User

Overall Satisfaction with SolarWinds Log & Event Manager

We are currently using SolarWinds LEM to pull logs from about 150 servers. We have also worked to get logs pulled from some Barracuda load balancers and also a Barracuda message archiver. We have alerting set on account lockouts and some other security events. LEM has helped notify us of account attacks and has also been valuable for reviewing both application and security logging when we need to cross-reference servers or look at historical data.
  • LEM's console interface works well to narrow down all the logs into a viewable format.
  • You can customize alerting triggers off of any event conditions.
  • The logging agent is relatively small and easy to deploy.
  • In order to navigate the console smoothly and set alerting in place, you need to go through their training.
  • All your configuration is done by hand. There are no built in analytics or alerting to help you.
  • I've found the reporting, real time and otherwise, to be slow and unruly. There are some updates and workarounds that we have applied to help optimize the process, but if you try to pull too many logs, or over too long a period of time, it will often time out.
  • The logging and reporting is dependent on the server automatically determining the type of server and logs it is getting. If it doesn't properly tag the logs, then they are essentially gone, lost, unsearchable. There is no good way to manually tell the server to classify the logs, which makes the process either difficult or impossible at times.
  • It has helped to give us an insight into our accounts and has been valuable to alert us to attacks.
  • It has been valuable to manually correlate logs after there have been incidents and server issues.
  • For the price, it has not given us any preventative analytics. Some of our alerting is based off of events that caused problems after the fact, so not really helpful at the time.
SolarWinds LEM lacks a lot of the features and power of their competitors. It also appears, at least at the outside of the competitors, that it is less user-friendly and out-of-the-box ready. We ended up with the SolarWinds solution because of budgetary constraints and because SolarWinds heavily discounted the product because we also use some of their other solutions.
It will get your logs collected and sortable. If you are mostly doing Windows servers or workstations, then it can be a good solution. You will have to be willing to learn the software and manually create all the alerting and reporting, but once you have it set up the way you want, it should work. If you are looking at a log collection solution that has any of its own smarts and analytics, you'll want to look elsewhere. If you want out-of-the-box reporting and alerting, look elsewhere.

SolarWinds Security Event Manager (SEM) Feature Ratings

  • Centralized event and log data collection: 7
  • Event and log normalization/management: 5
  • Deployment flexibility: 6
  • Custom dashboards and workspaces: 7