SolarWinds Log & Event Manager (LEM) offers real-time log analysis and event correlation by giving you the control you need to overcome everyday IT challenges. In this presentation, learn how to leverage the built-in and user-defined rules, as well as how SolarWinds LEM performs correlation. We will cover:
-- Rules in Log & Event Manager
-- Correlation Rule Builder
-- Rule Categories and Tags
-- Real-time Event Correlation
-- How does Event Correlation work?
-- Result of Correlation
Agenda
» Rules in Log & Event Manager
» Correlation Rule Builder
» Rule Categories and Tags
» Real-time Event Correlation
» How does Event Correlation work?
» Result of Correlation
SOLARWINDS LOG & EVENT MANAGER
SolarWinds Log & Event Manager
» SolarWinds Log & Event Manager (LEM) offers real-time log
analysis and event correlation by giving you the control you
need to overcome everyday IT challenges.
» SolarWinds LEM correlates with the help of built-in and user
defined rules.
» Learn how to build rules and how SolarWinds LEM
performs correlation.
Rules in Log & Event Manager
» LEM rules offer simple and advanced thresholds, such as
time/frequency and same/distinct, that let you build more complex
conditions and help you significantly reduce false positives.
» They track events in real time even when the LEM console is not
monitored.
» LEM rules allow you to:
• Correlate multiple events from different sources
• Automatically trigger alerts or email notifications
• Respond to security events in real time
Correlation Rule Builder
» SolarWinds LEM has a built-in Rule Builder that helps you to:
• Build new rules easily
• Clone existing rules
• Customize and edit existing rules
» The rule builder interface incorporates easy-to-use techniques such as drag
and drop, an icon-based tool panel, and a graphical object selection panel.
» The rule builder combines conditions with Boolean ‘AND’ / ‘OR’ logic for rule creation.
» SolarWinds LEM offers more than 700 pre-built correlation rules that cover
critical network infrastructure, change management and network security
functions.
Correlation Rule Builder (Contd…)
» For easy rule creation, there are additional events and fields on the left-hand
side of the rule builder window that can be added to the correlation rule.
Rule Categories and Tags
» LEM rules are organized into pre-built categories like
security, IT operations, compliance and change
management.
» SolarWinds LEM also allows you to add tags to rules, making rule
search easier.
How does Event Correlation work?
» SolarWinds Log & Event Manager (LEM) is a full-function SIEM solution
that offers an intelligent correlation engine to understand operational,
security and policy-driven events.
» Log Collection: LEM captures real-time event streams from network
devices and utilizes agent technology to capture host-based events in
real time. Here is a list of data sources from which LEM can receive log
data for correlation and analysis.
» Normalization: This is a key step before events are correlated. LEM
parses the raw log data from agent nodes (workstations, servers, VMs,
OS, etc.) and maps events from disparate sources to a consistent
framework. This helps structure the data into identified categories and
fields.
How does Event Correlation work?
» In-Memory Correlation: LEM correlates event logs in-memory thus
avoiding performance bottlenecks associated with database insertion
and query speeds.
» Multiple-Event Correlation: LEM has comprehensive support for
multiple-device, multiple-event correlation, including the unique ability
to set independent thresholds of activity per event, or group of events.
» Non-Linear Correlation: After mapping events in-memory, LEM applies a
completely non-linear, multi-vector correlation algorithm. This reduces
the number of correlation rules and eliminates the need to build distinct
rules for every possible combination of events.
How does Event Correlation work?
» Field-Level Comparison: LEM combines field-level data with user-defined
groups and variables, making it possible to build rules that minimize false
positives and focus your attention where and when it’s needed.
» Environmental Awareness: LEM’s correlation rules factor in details about
the organization, such as critical assets, applications, and time of day or
day of week, to focus on the environmental parameters associated with
the events and maximize the value of the data that’s being captured and
analyzed.
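The slides above describe the pipeline in words: raw lines from disparate sources are normalized onto one schema, held in memory, and evaluated against a rule with a time/frequency threshold, a same/distinct field constraint (the thresholds named on the "Rules in Log & Event Manager" slide), and a user-defined group of critical assets. The following added example illustrates that pipeline with a small toy engine. It is not SolarWinds code and it does not reproduce LEM's actual algorithm; the log lines, the `CRITICAL_ASSETS` group, the event schema and the rule parameters are all constructed for the illustration.

```python
"""Toy in-memory correlation engine illustrating the steps described on the slides:
normalization -> in-memory state -> threshold rule with same/distinct fields ->
alert enriched with a user-defined asset group.  Constructed example, not LEM code."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed user-defined group of critical assets (an "environmental" parameter).
CRITICAL_ASSETS = {"FILESRV01", "DC01"}

# Constructed sample log lines in two different source formats (syslog-style SSH
# failures and a key=value style Windows logon failure).
RAW_LOGS = [
    "2024-05-01T10:00:01 jumpbox sshd[101]: Failed password for alice from 10.0.0.5 port 5222 ssh2",
    "2024-05-01T10:00:03 jumpbox sshd[101]: Failed password for bob from 10.0.0.5 port 5223 ssh2",
    "2024-05-01T10:00:05 winlogon host=FILESRV01 user=carol src=10.0.0.5 result=FAILURE",
    "2024-05-01T10:00:07 jumpbox sshd[101]: Failed password for dave from 10.0.0.5 port 5224 ssh2",
    "2024-05-01T10:00:09 jumpbox sshd[101]: Failed password for alice from 10.0.0.9 port 5225 ssh2",
    "2024-05-01T10:05:30 jumpbox sshd[101]: Failed password for erin from 10.0.0.5 port 5226 ssh2",
]

SSH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\S+)")
WIN_RE = re.compile(r"^(?P<ts>\S+) winlogon host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=FAILURE")


def normalize(line):
    """Normalization step: map a raw line from either source onto one event
    schema (category + named fields).  Returns None for lines we do not parse."""
    for pattern in (SSH_RE, WIN_RE):
        m = pattern.match(line)
        if m:
            return {"category": "UserLogonFailure", "time": datetime.fromisoformat(m["ts"]),
                    "host": m["host"], "user": m["user"], "src": m["src"]}
    return None


class CorrelationRule:
    """`threshold` events of `category` within `window` that share the `same` field
    and span at least `distinct_min` distinct values of the `distinct` field."""
    def __init__(self, name, category, threshold, window, same, distinct, distinct_min):
        self.name, self.category, self.threshold = name, category, threshold
        self.window, self.same, self.distinct, self.distinct_min = window, same, distinct, distinct_min


class CorrelationEngine:
    def __init__(self, rules):
        self.rules = rules
        # In-memory state only: (rule name, value of the `same` field) -> recent events.
        self.buckets = defaultdict(deque)
        self.alerts = []

    def ingest(self, event):
        for rule in self.rules:
            if event["category"] != rule.category:
                continue
            bucket = self.buckets[(rule.name, event[rule.same])]
            bucket.append(event)
            # Slide the time window: evict events older than the rule's window.
            while bucket and event["time"] - bucket[0]["time"] > rule.window:
                bucket.popleft()
            distinct_values = {e[rule.distinct] for e in bucket}
            if len(bucket) >= rule.threshold and len(distinct_values) >= rule.distinct_min:
                hosts = {e["host"] for e in bucket}
                self.alerts.append({
                    "rule": rule.name,
                    rule.same: event[rule.same],
                    "count": len(bucket),
                    "distinct_" + rule.distinct: sorted(distinct_values),
                    # Environmental awareness: raise severity when a critical asset is involved.
                    "severity": "high" if hosts & CRITICAL_ASSETS else "medium",
                    "fired_at": event["time"],
                })
                bucket.clear()  # example choice: one alert per burst, then restart counting


def run(lines=RAW_LOGS):
    """Feed raw lines through normalization and correlation; return the alerts."""
    rule = CorrelationRule("MultiUserLogonFailures", "UserLogonFailure", threshold=4,
                           window=timedelta(minutes=2), same="src", distinct="user", distinct_min=3)
    engine = CorrelationEngine([rule])
    for line in lines:
        event = normalize(line)
        if event is not None:
            engine.ingest(event)
    return engine.alerts


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

With the constructed input, the four failures from 10.0.0.5 between 10:00:01 and 10:00:07 span four distinct users and include a critical asset, so exactly one high-severity alert fires; the single failure from 10.0.0.9 and the later failure at 10:05:30 fall outside the threshold or the window and produce nothing. The `distinct_min` constraint is what separates this pattern from one user mistyping a password several times, which is the kind of false positive the same/distinct threshold on the slides is meant to suppress.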
Result of Event Correlation
» Using the correlated event data, you can:
• Set up alerts to trigger when a specific security condition
is encountered
• Program active responses to counter threats,
troubleshoot issues and react to policy violations
• Perform event forensics and root cause analysis to
identify suspicious behavior patterns and anomalies
• Generate compliance reports for network and security
audits
SolarWinds Log & Event Manager
» SolarWinds Log & Event Manager (LEM) is a full-function SIEM solution
that extends comprehensive log collection, correlation, analysis, and
incident response to both servers and workstations.
» Watch this short video to learn how to easily create and customize
correlation rules using SolarWinds LEM.