Overall Satisfaction with SolarWinds Security Event Manager (SEM)
We use LEM for two main purposes. First, to replace an obsolete Cisco MARS appliance that captured a couple of days' worth of packets from our firewalls for forensic purposes. Second, to provide notification to staff of AD events such as account lockouts and administrator logins. Users are strictly within the infrastructure team of the IT department.
- Able to ingest full Syslog output from three enterprise firewalls.
- Able to detect and alert on specific Active Directory events.
- The interface for creating alerts is onerous. It is necessary to dig out the exact event ID of anything you want to alert on.
- Early versions required a separate server to host a FastBit database, but that requirement has been eliminated with the latest release; SQL is now required.
- We did not have to purchase Cisco's successor to MARS; that is a large ROI.
- We did not have the ability to know when users locked their accounts by bad password attempts; now we know before they call us.
We did not evaluate LEM against competitors because we have a significant investment in other SolarWinds products and wanted to leverage the infrastructure and interface as well as staff knowledge.