INSTALLATION GUIDE Security Event Manager Version 2020.4 Last Updated: Monday, November 16, 2020



  • © 2020 SolarWinds Worldwide, LLC. All rights reserved.

    This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

    SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

    The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.

    INSTALLATION GUIDE: SECURITY EVENT MANAGER


  • Table of Contents

    SEM installation overview
    How SEM works
    SEM components that make up a typical deployment
    SEM deployment examples
    Choose a licensing method for your SEM deployment
    SEM 2020.4 system requirements
    Sizing criteria
    SEM VM hardware requirements
    SEM Azure hardware requirements
    SEM software requirements
    SEM agent hardware and software requirements
    SEM reports application hardware and software requirements
    SEM port requirements
    SEM pre-installation checklist
    Prepare the server environment
    Download SEM
    Install SEM on the hypervisor and the cloud
    Install SolarWinds SEM on Microsoft Hyper-V
    Install SolarWinds SEM on VMware vSphere
    Deploy SEM to Microsoft Azure
    Deploy SEM to Amazon Web Services
    Install SEM Agents to protect servers, domain controllers, and workstations
    Deploying the SEM Agent
    SEM Agent pre-installation checklist: Prepare to deploy SEM Agents
    Install the SEM Agent on Linux and Unix
    Install the SEM Agent on macOS X
    Install the SEM Agent on Windows
    Run the SEM Remote Agent Installer for large Windows deployments
    Run the SEM Local Agent Installer for large Windows deployments
    Verify the SEM Agent connection
    Install the SEM reports application
    Pick a suitable host for the reports application
    Install the SEM reports application
    Connect the SEM reports application to your SEM database

  • SEM installation overview

    This section describes how Security Event Manager (formerly Log & Event Manager) works and provides examples of components used in various deployment environments.

    How SEM works

    SolarWinds SEM collects log data in your corporate network from two resources:

     • Agents – An Agent is a software application that collects and normalizes log data before it is sent to the SEM Manager.

     • Non-Agent devices – These are devices that send log data directly to the SEM Manager for normalization and processing.

    After normalization, SEM Manager processes the data. The SEM Manager policy engine correlates the data based on user-defined rules and local alert filters, and initiates the associated actions when applicable. These actions can include:

     • Notifying users through the console or by email

     • Blocking an IP address

     • Shutting down or rebooting a workstation

     • Passing alerts to the SEM database for future analysis and reporting within the Reports application

    You can install Agents on workstations, servers, and other network devices. Agents can send log data from security products (such as antivirus software and network-based intrusion systems) on each device to the SEM virtual appliance. If you cannot install an Agent on a device (such as firewalls and routers), you can configure the device to send log data to the SEM Manager for normalization and processing. If your change management process does not permit adding any additional syslog servers to the network device configurations, you can leverage your existing syslog servers.

    Audit reports

    You can generate reports against your Security Event Manager database using the SEM reports console installed on a supported server. Using the console, you can schedule and execute over 300 audit reports (https://documentation.solarwinds.com/en/success_center/SEM/Content/Admin_Guide/12-sem_reports/report-tables.htm). If your corporate security policy restricts access to sensitive reports, you can configure your SEM Appliance to restrict access to the console by IP address. During the 30-day evaluation period, you can install the console on any server or workstation that can access port 9001 in the SEM Manager. You can also export reports to multiple formats, including TXT, PDF, CSV, DOC, XLS, and HTML.

    Integration with SolarWinds products

    Additional SolarWinds solutions such as Network Performance Monitor (NPM), Server & Application Monitor (SAM), and Virtualization Manager (VMan) can send performance alerts as SNMP Traps to the SEM Manager to correlate performance alerts with SEM events.

    SEM uses additional data collection tools such as Web Services and SNMP traps. Contact Customer Service for more information about integrating SEM into your corporate enterprise.

    SEM components that make up a typical deployment

    This section describes the software components that make up a typical SolarWinds SEM deployment. Review this section to get a better understanding of how SEM should be deployed on your network.

  • Overview

    The following illustration shows the software components, log files, and network protocols in a typical SolarWinds SEM deployment.

    A complete SEM installation includes the following components:

     • The SEM Manager (or SEM VM), which collects and processes log and event information. This component is installed first.

     • The desktop software or web client (not shown) that allows you to view SEM information from a desktop or laptop computer.

    About the SEM Manager component

    Originally, SEM was sold as a physical appliance that you deployed on your network. Today, the SEM Manager is the virtual image of a Linux-based appliance. The SEM Manager VM (virtual machine) can be easily deployed on a host computer running a VMware® or Microsoft® hypervisor.

    The SEM documentation uses the term virtual machine (or VM) to refer to the SEM virtual appliance that runs on the hypervisor.

    The SEM Manager collects and processes log and event information. It includes the following systems and services:

     • Hardened Linux® OS
     • Syslog Server and SNMP Trap Receiver
     • High compression, search-optimized database
     • Web server
     • Correlation engine

    About the SEM Agent

    The SEM Agent is installed on workstations, servers, and other network devices. It collects and normalizes log data in real time before it is sent to the SEM Manager. It also collects security data such as Windows Event Logs, a variety of database logs, and local antivirus logs on each device and transmits that data over TCP to the SEM Manager. The SEM Agent has a small footprint on the device and prevents log tampering during data collection and transmission.

    You can also use the SEM Agent with devices that support syslog. The Agent transmits syslog messages over TCP to the SEM Manager. TCP is preferred over UDP because TCP ensures messages arrive intact.

    The SEM Agent provides the following benefits:

     • Captures events in real time.
     • Encrypts and compresses the data for efficient and secure transmission to the SEM Manager.
     • Buffers the events locally if you lose network connectivity to the SEM Manager.

    About Network devices

    The following table lists some network resources that provide input to SEM Manager.

    Network Resource | SEM Input
    ---|---
    Network Device log sources (such as routers, firewalls, and switches) | Syslog messages
    Servers and applications | SEM Agent data
    Microsoft® Windows® Workstations | SEM Agent data
    SolarWinds NPM, SolarWinds SAM, SolarWinds Virtualization Manager (VMAN) | SNMP traps (performance alerts)

    See Enable SEM to receive SNMP traps by turning on the SNMP Trap Logging Service (https://documentation.solarwinds.com/en/success_center/SEM/content/Admin_Guide/2-sem_set-up_config_maintenance/enable-snmp-trap-logging-service.htm) in the online SEM Administrator Guide for details.

    SEM accepts device input using the TCP and UDP protocols.

     • Network devices use TCP or UDP to send syslog events to the SEM Manager.

     • SEM Agents installed on servers and workstations use TCP to push data to the SEM Manager.

     • SolarWinds Orion/VMAN server instances (including NPM and SAM) send SNMP traps over UDP to the SEM Manager.

    About the SEM reports application

    You can install the SEM reports application on a networked server to schedule and execute over 300 audit-proven reports. For added security, you can initiate the restrictreports command service to limit users by IP address to run these reports. If you are running SEM in Evaluation Mode, you can install the SEM reports application on any server or workstation that can access port 9001 in the SEM Manager.

  • SEM deployment examples

    This section will help get you started planning your SEM architecture. The examples show different SEM deployment options.

    Simple deployment example

    The following deployment example uses one central syslog server to collect log data from your network devices in a local network. In this deployment, network devices use TCP or UDP to send syslog data to the SEM Manager's syslog server, whereas SEM Agents running on workstations and servers just use TCP to push log data to the SEM Manager.

    The syslog server receives logs on port 514 and saves the data in the SEM Manager /var/log file partition. Log file names vary based on the target facility configured on the network device.

    The SEM Manager relies on routers, firewalls, and switches to transmit syslog messages to the syslog server running on the SEM Manager. If your log sources are located behind firewalls, see SolarWinds SEM port and firewall information (https://support.solarwinds.com/SuccessCenter/s/article/SolarWinds-LEM-Port-and-Firewall-Requirement) to open the necessary ports. For a list of all ports required to communicate with SEM, see the Port requirements for all SolarWinds products (https://documentation.solarwinds.com/en/Success_Center/orionplatform/Content/core-solarwinds-port-requirements.htm).

  • Complex deployment example with multiple syslog servers

    The following deployment example uses two syslog servers located in different cities. SEM can capture logs from multiple remote locations across wide area network (WAN) links. Because the SEM Agent includes built-in encryption, compression, and buffering capabilities, this can be done securely and efficiently.

    Instead of using the syslog server built in to the SEM Manager component, this design calls for one syslog server per location. When using a detached syslog server, you need to install a SEM Agent on each detached server, and then enable the appropriate connectors on the SEM Agent. Following configuration, the SEM connectors normalize raw log messages into SEM events.

    If you cannot add new logging hosts on your network devices due to restrictive change management processes, consider implementing this multi syslog server deployment example to leverage your existing syslog servers.

    Choose a licensing method for your SEM deployment

    This section explains how SEM licenses are assigned. It also discusses how to transition from an evaluation version of SEM to a fully-functional production version.

    For more information, see the following topics in the SEM Administrator Guide (https://documentation.solarwinds.com/en/success_center/SEM/content/SEM_Administrator_Guide.htm):

     • Install the SEM license using the web console (https://documentation.solarwinds.com/en/success_center/SEM/content/Admin_Guide/2-sem_set-up_config_maintenance/install-the-sem-license.htm)
     • View SEM license information (https://documentation.solarwinds.com/en/success_center/SEM/content/Admin_Guide/2-sem_set-up_config_maintenance/sem-configuring-appliances.htm)
     • Enable SEM license recycling (https://documentation.solarwinds.com/en/success_center/SEM/content/Admin_Guide/2-sem_set-up_config_maintenance/sem-configuring-appliances.htm#enable)

    About SEM licensing

    Licensing a Security Event Manager deployment is based on two license types:

     • Universal license (SEM). Includes the number of universal nodes. Universal nodes include non-agent devices, such as switches, routers, and firewalls, and systems running either a Windows Server or Unix operating system.

     • Workstation Edition license (SWE). Includes the number of workstation nodes. Workstation nodes include desktop systems that run Windows and the SEM Agent.

    For example, a SEM deployment that has SWE250 and SEM30 licenses can add 250 Windows workstation nodes and 30 universal nodes.

    Beginning in April 2020, you can choose to use a perpetual license or a subscription-based (term-based) license. Learn more here (https://www.solarwinds.com/licensing-options).

    Licensing an evaluation version of SEM

    If you are evaluating Security Event Manager, you do not need to apply an activation key to activate the SEM VM. For 30 days, you will have unlimited access to all product features.

    If you have not purchased and provided a license key after 30 days, the application will stop collecting event logs from your syslog and Agent devices. You can continue using Security Event Manager in this mode and access your saved logs. Applying a license reactivates event log collection and you can continue monitoring all events in your deployment. If you need to extend your evaluation period, contact Customer Sales (http://www.solarwinds.com/company/contact.aspx).

    You can upgrade to a fully-functional production version by purchasing a new license from Customer Sales and downloading the license key from the Customer Portal (https://customerportal.solarwinds.com/). After you install the new license key, you can access all features within the SEM appliance.

    You cannot upgrade your license using the SolarWinds License Manager.

  • SEM 2020.4 system requirements

    Use the following tables to plan your Security Event Manager (SEM) deployment to suit your network environment.

    Server sizing is impacted by:

     • Number of nodes and network traffic. Consider event throughput and performance degradation when planning the size of your deployment. As the number of nodes and network traffic increase, the size of your deployment will need to grow with it. For example, if you are running a small deployment and begin to notice performance degradation at 300 nodes, move to a medium deployment.

     • Storing original (raw) log messages in addition to normalized log messages. If you will be storing original log messages, increase the CPU and memory resource requirements by 50 percent. See your hypervisor documentation for more information.

    Sizing criteria

    Use the following table to determine if a small, medium, or large deployment is best suited to supporting your environment.

    Sizing Criteria | Small | Medium | Large
    ---|---|---|---
    Number of nodes | Fewer than 500 nodes in the following combinations: 5 – 10 security devices; 10 – 250 network devices, including workstations; 30 – 150 servers | Between 300 and 2,000 nodes in the following combinations: 10 – 25 security devices; 200 – 1,000 network devices, including workstations; 50 – 500 servers | More than 1,000 nodes in the following combinations: 25 – 50 security devices; 250 – 1,000 network devices, including workstations; 500 – 1,000 servers
    Events received per day | 5M – 35M events | 30M – 100M events | Up to 216M events (2,500 EPS)
    Rules fired per day | Up to 500 | Up to 1,000 | Up to 5,000

    SEM VM hardware requirements

    See Allocate CPU and memory resources to the SEM VM (https://documentation.solarwinds.com/en/success_center/SEM/content/Admin_Guide/2-sem_set-up_config_maintenance/allocate-cpu-and-memory.htm) in the SEM Administrator Guide for information about how to manage SEM system resources.

    Hardware on the VM host | Small | Medium | Large
    ---|---|---|---
    CPU | 2 – 4 core processors at 2.0 GHz | 6 – 10 core processors at 2.0 GHz | 10 – 16 core processors at 2.0 GHz
    Memory | 8 GB RAM | 16 GB – 48 GB RAM | 48 GB – 256 GB RAM
    Hard drive storage | 250GB, 15k hard drives (RAID 1/mirrored settings) | 500GB, 15K hard drives (RAID 1/mirrored settings) | 1TB, 15k hard drives (RAID 1/mirrored settings)
    Input/output operations per second (IOPS) | 40 – 200 IOPS | 200 – 400 IOPS | 400 or more IOPS
    NIC | 1 GBE NIC | 1 GBE NIC | 1 GBE NIC

    If you will be storing original log messages in addition to normalized log messages, increase the CPU and memory resource requirements by 50%.

     • Installing SEM in a SAN is preferred.
     • High-speed hard drives (such as SSD drives) are required for high-end deployments.
     • Large deployments may require 1 to 2TB of storage, which you can reserve on VMware ESXi 6.5 (and later) and Microsoft Hyper-V 2012 R2 or 2016.

    SEM Azure hardware requirements

    Hardware on the VM host | Small (Standard_DS3_v2) | Medium (Standard_DS4_v2) | Large (Standard_D32s_v3)
    ---|---|---|---
    CPU [cores] | 4 | 8 | 32
    RAM [GB] | 14 | 28 | 128
    IOPs | 12800 | 25600 | 51200

    SEM software requirements

    Software | Requirements
    ---|---
    Hypervisor (required on the VM host) | One of the following: VMware vSphere ESXi 6.5 and later; Microsoft Hyper-V Server 2016 or 2012 R2
    Microsoft Azure | Learn about Microsoft Azure requirements here.
    Amazon Web Services | Learn about Amazon Web Services requirements here.
    Web browser (required on a remote computer to run the web console) | Current and later versions of the following: Google® Chrome™ 77; Mozilla Firefox® 70; Microsoft Edge
    Adobe Flash (browser plug-in required on a remote computer to run the web console) | Adobe Flash Player 15

  • SEM agent hardware and software requirements

    The requirements specified below are minimum requirements. Depending on your deployment, you may need additional resources to support increased log-traffic volume and data retention.

    Hardware and Software | Requirements
    ---|---
    Operating System (OS) | The SEM agent is compatible with the following operating systems: HPUX on Itanium; IBM AIX 7.1 TL3, 7.2 TL1 and later; Linux; macOS Mojave, Sierra, High Sierra; Oracle® Solaris 10 and later; Windows (10, 8, 7, Vista); Windows Server (2019, 2016, 2012, 2008 R2)
    Memory | 512 MB RAM
    Hard Drive Space | 1 GB
    Other requirements | Administrative access to the device hosting the SEM Agent. The SEM agent for Mac OS X requires Java Runtime Environment (JRE) 8 or later.

  • SEM reports application hardware and software requirements

    Hardware and Software | Requirements
    ---|---
    Operating System (OS) | The SEM reports application is Windows only. The following Windows versions are supported: Windows 10 and later; Windows Server 2016 and 2012
    Memory | 512 MB RAM minimum. SolarWinds recommends using a computer with 1 GB of RAM or more for optimal reports performance.
    Other requirements | Install the SEM reports application on a system that runs overnight. This is important because the daily and weekly start time for these reports is 1:00 AM and 3:00 AM, respectively. Ensure the Reports Console version matches your version of the SEM appliance. Incompatible versions may result in installation or login failures.

    See the following articles in the Customer Success Center for troubleshooting tips:

     • Troubleshoot the SEM reports application (https://documentation.solarwinds.com/en/Success_Center/SEM/Content/Admin_Guide/16-sem_troubleshooting/troubleshoot-reports.htm)
     • SEM reports won't install correctly (https://support.solarwinds.com/SuccessCenter/s/article/LEM-6-4-Reports-Console-does-not-install-correctly)
     • Error with Sophos Enterprise Console (https://support.solarwinds.com/SuccessCenter/s/article/LEM-Reports-Console-and-Sophos-Enterprise-Console)

    SEM port requirements

    For a list of ports required to communicate with SolarWinds products, see Port requirements for all SolarWinds products (https://documentation.solarwinds.com/en/Success_Center/orionplatform/Content/core-solarwinds-port-requirements.htm).

    Port # | Protocol | Service/Process | Direction | Description
    ---|---|---|---|---
    22, 32022 | TCP | SSH | Bidirectional | SSH traffic to the SolarWinds SEM VM. (Port 22 is not used prior to version 6.3.x.) If you need to close either port 22 or 32022, contact SolarWinds Support.
    25 | TCP | SMTP | Outbound | SMTP traffic from the SolarWinds SEM VM to your email server for automated email notifications.
    80, 8080 | TCP | HTTP | Bidirectional | Non-secure HTTP traffic from the SolarWinds SEM console to the SolarWinds SEM VM. (SEM closes this port when activation completes, but you can re-open it with the CMC togglehttp command.)
    139, 445 | TCP | NetBIOS, SMB | Bidirectional | Standard Windows file sharing ports (NetBIOS Session Service, Microsoft SMB) that SEM uses to export debug files, syslog messages, and backup files. The SEM Remote Agent Installer also uses these ports to install Agents on Microsoft Windows hosts across your network.
    161, 162 | TCP | SNMP | Bidirectional | SNMP trap traffic received from devices, and used by the Orion platform to monitor SEM. (Monitoring SEM on port 161 is not used prior to version 6.3.x.)
    389, 636 | TCP | LDAP | Outbound | LDAP ports that the SEM Directory Service Connector tool uses to communicate with a designated Active Directory domain controller. The SEM Directory Service Connector tool uses port 636 for SSL communications to a designated Active Directory domain controller.
    443, 8443 | TCP | HTTPS | Bidirectional | HTTPS traffic from the SolarWinds SEM console to the SEM VM. SEM uses these secure HTTP ports after SEM is activated.
    (445) | TCP | | | See entry for port 139.
    514 | TCP or UDP | Syslog | Inbound | Syslog traffic from devices sending syslog event messages to the SolarWinds SEM VM.
    (636) | TCP | | | See entry for port 389.
    2100 | UDP | NetFlow | Inbound | NetFlow traffic from devices sending NetFlow to the SolarWinds SEM VM.
    6343 | UDP | sFlow | Inbound | sFlow traffic from devices sending sFlow to the SolarWinds SEM VM.
    (8080) | TCP | | | See entry for port 80.
    (8443) | TCP | | | See entry for port 443.
    8983 | TCP | nDepth | Inbound | nDepth traffic sent from nDepth to the SEM VM containing raw (original) log data.
    9001 | TCP | SEM reports application | Bidirectional | SEM reports application traffic used to gather SEM reports data on the SEM VM.
    (32022) | TCP | | | See entry for port 22.
    37890-37892 | TCP | SEM Agents | Inbound | SEM Agent traffic sent from SolarWinds SEM Agents to the SolarWinds SEM VM. (These ports correspond to the destination ports on the SEM VM.)

    SEM no longer uses the following ports:

    Port # | Protocol | Service/Process | Direction | Description
    ---|---|---|---|---
    5433 | TCP | SEM Reports | Inbound | Port 5433 is no longer used. Previously, this port carried traffic from the SolarWinds SEM reports application to the SolarWinds SEM VM. This was used by versions prior to LEM 5.6, for which support ended December 2015.

  • SEM pre-installation checklist

    Before installing SEM, complete the pre-installation checklist below. This checklist helps you:

     • Verify that system requirements are met, all required software is installed, and required roles and features are enabled.

     • Gather the information required to complete the installation.

    1. Review the system requirements.

    Make sure that your environment meets the hardware and software requirements for your installations. Hypervisor software should be installed prior to installing SEM. VMware vSphere and Microsoft Hyper-V are both supported. The hypervisor software provides the virtual environment that hosts your SEM deployment.

    See the system requirements for details.

    2. Select a deployment architecture.

    Determine if your architecture will include one or more syslog servers.

    See SEM deployment examples for details.

    3. Review the release notes.

    Review the Security Event Manager release notes and available documentation in the Customer Success Center (https://support.solarwinds.com/SuccessCenter/s/).

    4. Gather your credentials.

    The Local Administrator Account is required for installation.

    The Local Administrator Account is not the same as a domain account with local admin rights. A domain account is subject to your domain group policies.

    Prepare the server environment

    Prepare the server where you will install the SEM VM.

    1. Build the environment.

    Prepare the servers based on your deployment size and system requirements. Install either VMware vSphere or Microsoft Hyper-V.

    By default, Security Event Manager deploys with 8 GB RAM and 2 CPUs on both hypervisor platforms.

    2. Run all OS updates.

    Before installation, check for and run all OS updates on all servers.

  • 3. Open ports according to the requirements.

    If your log sources are located behind firewalls, see the SolarWinds SEM Port and Firewall requirements.

    SolarWinds uses these ports to send and receive data.
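
    One way to verify step 3 once the firewall rules are in place, as an added example (not SolarWinds code): a TCP reachability check for the SEM VM ports listed in the port table, which also flags the plain-HTTP ports that the table says are closed after activation. The role names and function names are assumptions made for this example.

```python
"""Reachability pre-check for the TCP ports listed in the SEM port table."""
import socket
import sys

# TCP destination ports on the SEM VM, transcribed from the port table in this
# guide. The role names are labels chosen for this example, not SolarWinds terms.
# UDP services (syslog on UDP 514, NetFlow 2100, sFlow 6343) are left out:
# a connect test cannot tell an open UDP port from a filtered one.
SEM_TCP_PORTS = {
    "agent": (37890, 37891, 37892),   # SEM Agent traffic to the SEM VM
    "console": (443, 8443),           # HTTPS console, used after activation
    "reports": (9001,),               # SEM reports application
    "ssh": (22, 32022),               # SSH to the SEM VM
    "syslog-tcp": (514,),             # syslog over TCP
}

# The port table states that SEM closes non-secure HTTP when activation completes.
CLOSED_AFTER_ACTIVATION = (80, 8080)


def probe(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'closed', 'filtered' or 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"        # host answered with a reset: nothing is listening
    except socket.timeout:
        return "filtered"      # no answer: typically a firewall dropping packets
    except OSError:
        return "unreachable"   # no route, name resolution failure, and similar


def check_role(host, role, timeout=3.0, ports=None):
    """Probe every port of one role; `ports` overrides the table (for testing)."""
    ports = SEM_TCP_PORTS[role] if ports is None else ports
    return {port: probe(host, port, timeout) for port in ports}


def blocked(results):
    """Ports from a check_role() result that did not accept a connection."""
    return sorted(port for port, state in results.items() if state != "open")


def still_exposed(host, timeout=3.0, ports=CLOSED_AFTER_ACTIVATION):
    """Plain-HTTP ports that still accept connections on an activated SEM VM."""
    return [port for port in ports if probe(host, port, timeout) == "open"]


if __name__ == "__main__":
    # Run from the machine whose network path you are verifying, for example an
    # Agent host. "swi-sem" is the default SEM host name given in this guide.
    target = sys.argv[1] if len(sys.argv) > 1 else "swi-sem"
    for role in SEM_TCP_PORTS:
        results = check_role(target, role)
        print(f"{role:11} {results}  blocked: {blocked(results)}")
    print("plain HTTP still open:", still_exposed(target))
```

    A "filtered" result points at a firewall between the two hosts, while "closed" means the path is open but the service is not listening on the SEM VM.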

    Download SEM

    SolarWinds provides separate installation packages for Hyper-V and VMware vSphere, so be sure to download the correct version.

    Download the SEM installer.

    Download the SEM installer from the SolarWinds Customer Portal, or download a free trial version from www.solarwinds.com/log-event-manager.

    The trial version provides unlimited access to all product features for 30 days. See Choose a licensing method for your SEM deployment for more information.

    Next steps:

     • See Install SolarWinds SEM on Microsoft Hyper-V
     • See Install SolarWinds SEM on VMware vSphere

  • Install SEM on the hypervisor and the cloud

    This section describes how to install SEM on Microsoft Hyper-V, VMware vSphere, Microsoft Azure, and Amazon Web Services.

    Install SolarWinds SEM on Microsoft Hyper-V

    These instructions provide steps for installing the Security Event Manager VM on Microsoft Hyper-V. SolarWinds provides separate installation packages for Hyper-V and VMware vSphere, so check that you downloaded the correct version.

    1. Extract the files. Double-click the evaluation EXE file that you downloaded previously. This step will extract the required files and tools to a folder on your desktop.

    The How to Install page opens automatically.

    To return to this page after it is closed, go to %USERPROFILE%\Desktop\SolarWinds Security Event Manager\html\install_now.hta


  • 2. Complete the following steps to import the Virtual Machine.

     1. Ensure "Volume Shadowcopy" is disabled on the Hyper-V machine.

     2. In the navigation pane of Hyper-V Manager, select the computer running Hyper-V.

     3. Click Action > Import Virtual Machine. Click Next if the "Before You Begin" screen displays.

     4. On the Locate Folder screen, navigate to the folder that matches your version of Windows Server. For example:

    ..\SolarWinds-SEM-2020.4-Appliance-HyperV\SolarWinds Security Event Manager\Virtual Machines 2012 R2

    For Windows Server 2016, navigate to the Virtual Machines 2012 R2 folder.

     5. Click Next.

     6. On the Select Virtual Machine screen, select SolarWinds Security Event Manager, and click Next.

     7. On the Choose Import Type screen, choose Copy the virtual machine (create a new unique ID), and click Next.

     8. On the Choose Folders for Virtual Machine Files screen, change the folder locations that the wizard will import files to (if needed). Otherwise, click Next.

     9. On the Choose Folders to Store Virtual Hard Disks screen, change the location of the virtual hard disks for this virtual machine (if needed). Otherwise, click Next.

     10. Ensure that "Volume Shadowcopy" is disabled for this virtual Hyper-V machine.

     11. On the Configure Memory screen, configure the Startup RAM setting, and the Minimum RAM and Maximum RAM settings for Dynamic Memory, and then click Next.

     12. On the Summary screen, review the configuration settings and click Finish.

    The installer will copy the SolarWinds-SEM-2020.4.vhd file to Hyper-V.

    3. Connect to the SEM VM.

    Select the newly added VM, and then click Action > Connect on the main Hyper-V Manager window.

    The virtual console opens.

    4. Start SEM. Click Action > Start in the virtual console window.

    The SEM VM starts.

    After SEM starts, write down the IP Address of the VM. You will be able to change the IP address later during the configuration phase.

    5. Set up your new SEM installation.

    See Setting up a new SEM installation in the SEM Administrator Guide (https://documentation.solarwinds.com/en/success_center/SEM/content/SEM_Administrator_Guide.htm).

    Following installation, the default SEM host name is swi-sem. To change the default host name and IP address settings, see Run the activate command to secure SEM and configure network settings (https://documentation.solarwinds.com/en/Success_Center/SEM/Content/Admin_Guide/2-sem_set-up_config_maintenance/run-the-activate-command.htm) in the SEM Administrator Guide.

    Install SolarWinds SEM on VMware vSphere

    These instructions provide steps for installing the Security Event Manager VM on VMware vSphere. SolarWinds provides separate installation packages for Hyper-V and VMware vSphere, so check that you downloaded the correct version.

  • 1. Extract the files. Double-click the evaluation EXE file that you downloaded previously. This step will extract the required files and tools to a folder on your desktop.

    The How to Install page opens automatically.

    To return to this page after it is closed, go to %USERPROFILE%\Desktop\SolarWinds Security Event Manager\html\install_now.hta

    2. Complete the following steps to deploy SEM.

     1. Start the VMware vSphere client and log in with VMware administrator privileges.

     2. Deploy the open virtualization format (OVF) template.

     3. Open the SolarWinds Security Event Manager folder located on your desktop and double-click:

    Deploy First—SEM Virtual Appliance.ova

     4. Complete the setup wizard.

    When prompted, select the Thin Provisioned disk format.

    Thin provisioning offers more performance flexibility than thick provisioning, but requires more oversight. Thin provisioning provides increased performance by dedicating physical storage space.

     5. Map the network interface card (NIC) to the appropriate network.

     6. When the OVF deployment is completed, click Finish.

    3. Start SEM.

     1. Select the SolarWinds Security Event Manager virtual appliance and click Play.

     2. Click the Console tab.

    The SEM VM starts.

    After SEM starts, write down the IP Address of the VM. You will be able to change the IP address later during the configuration phase.

    4. Set up your new SEM installation.

    See Setting up a new SEM installation in the SEM Administrator Guide (https://documentation.solarwinds.com/en/Success_Center/SEM/Content/SEM_Administrator_Guide.htm).

    Following installation, the default SEM host name is swi-sem. To change the default host name and IP address settings, see Run the activate command to secure SEM and configure network settings in the SEM Administrator Guide (https://documentation.solarwinds.com/en/Success_Center/SEM/Content/Admin_Guide/2-sem_set-up_config_maintenance/run-the-activate-command.htm).

    Deploy SEM to Microsoft Azure

    SolarWinds Security Event Manager (SEM) is not currently available in the Azure Marketplace; it's deployed manually by users. Deployment is initiated via Azure CLI 2.0.

    This guide covers deployment from Windows (PowerShell) and Linux (Bash).

    SolarWinds provides a ZIP archive containing two VHD files. The first file (xxx-system.vhd) contains an operating system based on Debian Linux. The second file (xxx-data.vhd) serves as the data partition. The layout is similar to the VMware and Hyper-V appliances.

    Azure CLI 2.0 must be installed on Windows or Linux systems. After the CLI is authenticated, users can control Azure via the API by executing CLI commands.

    SEM sizing

    For sizing criteria, SolarWinds uses three basic sizes of SEM deployment: small, medium, and large. See the SEM system requirements (https://documentation.solarwinds.com/en/Success_Center/SEM/Content/System_Requirements/system_requirements.htm) for details.

    Deploy SEM via Azure CLI 2.0

    To learn more about installing CLI on Windows and Linux, see Azure CLI 2.0 on the Microsoft website (https://docs.microsoft.com/en-us/cli/azure/?view=azure-cli-latest).

    Follow the procedures below to deploy SEM via Azure CLI 2.0:

     1. Download and install Azure CLI 2.0 (Windows).

     2. Create and manage storage accounts and define resource groups and locations.

     3. Get the storage access key.

     4. Prepare to deploy VHD disks.

    Install Azure CLI 2.0 on Microsoft Windows

    Learn how to install Azure CLI on Linux or macOS here (https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest).

     1. Download the Azure CLI 2.0 MSI installer here (https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-windows?view=azure-cli-latest).

     2. Launch the installer, select the check box to accept the License Agreement terms, and then click Install.

     3. From a command line (Windows Command Prompt or PowerShell), run the az login command.

    Log in with any authentication option. Running the az login command is recommended. For more details and other options, see Sign in with Azure CLI 2.0 (https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli?view=azure-cli-latest; © Microsoft 2020, available at docs.microsoft.com, retrieved October 5, 2020).

     4. When the browser launches prompting you to log in, sign in to Microsoft Azure with your account credentials.

    Create and manage storage accounts, resource groups, and locations

    If your storage account already exists, you can list it in Azure CLI by running the following command:

    az storage account list

    If a storage account does not exist, create one.

    The resource group name and location are present in the JSON output. For more details about listing the storage account in the command line, see az storage account (https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az-storage-account-list; © Microsoft 2020, available at docs.microsoft.com, retrieved October 5, 2020).

    To access the Azure Portal, click Portal in the upper right of the Microsoft Azure page.

    Storage accounts, locations, and resource groups are also available in the Azure Portal under Home > Storage accounts.

    The storage account name, location, and resource group names are needed for running additional commands. Record them for later use.

    Create a storage account in the Azure Portal

     1. On the Azure Portal Home page, click Storage accounts.

     2. On the Storage accounts toolbar, click Add.

     3. Under Project details, select your Subscription and Resource group from the drop-down lists.

     4. If you do not have a resource group, click Create new.

     5. Enter a name for the resource group, and then click OK (Write this down).

     6. Under Instance details, enter a name for the storage account (Write this down). The name must not already exist in Azure, must be between 3 and 24 characters in length, and include numbers and lowercase letters only.

     7. Select a location, or use the default (Write this down).

     8. Maintain the default values for the remaining fields.

     9. Click Review + create to review your settings, and then click Create.

     10. To verify the storage account, open a command prompt and run the following command:

     11. Scroll down to find the name of your new storage account.

    Write down the names of your storage account and resource group, as well as the location. You will need them later.

     12. Now that you have a storage account and resource group, create a container. The container holds your uploaded VHD files.

     a. On the Azure Portal Home page, click Storage accounts.

     b. Select your storage account, and then click Containers.

     c. On the Containers toolbar, click + Container. Enter a name for your container, and then click OK (write the container name down).

    Get the storage access key

    The storage account key is a 512-bit access key used for authentication when accessing the storage account. It’s generated automatically when the storage account is created.

    List storage account keys in Azure CLI with the command below:

    az storage account keys list --account-name <STORAGE_ACCOUNT> --resource-group <RESOURCE_GROUP>

    Replace the STORAGE_ACCOUNT and RESOURCE_GROUP strings with the storage account and resource group names obtained in the previous section. You can find your storage account and resource group in the Azure Portal under Home > Storage accounts.

    Remove angle brackets (< >) when entering the actual account and resource group names.

    The command will list two storage account keys in JSON format (default format, but can be changed): primary (key1) and secondary (key2). You can use either key.

    See the example below:

    Prepare to deploy VHD disks

    Before deployment, locate the following information you obtained in the previous sections. Each value is shown in the following commands as a token (for example, TOKEN); replace each token in the code snippets below with your own value.

     • Storage account name: STORAGE_ACCOUNT

    Find your storage account name in the Azure Portal, or run the az storage account list command, and then search for the storage account. In the example below, the storage account name is semtest.

     • Storage account key: ACCESS_KEY

     • Resource group: RESOURCE_GROUP

    Find your resource group name in the Azure Portal, or run the az storage account list command, and then search for the resource group. In the example below, the resource group is SEM-Test.

     • Location: LOCATION

    To find your location, look in your storage account details in the Azure Portal, or run the az storage account list command, and then search for the location. In the example below, the location is eastus, for Eastern US.

     • Storage size - sku: SKU

    To find your sku, run the az storage account list command, and then search for the sku. In the example below, the sku name is Standard_LRS. The minimum requirement is Standard_LRS. Learn more about sku types here (https://docs.microsoft.com/en-us/rest/api/storagerp/srp_sku_types; © Microsoft 2020, available at docs.microsoft.com, retrieved October 5, 2020). If the returned SKU value is not supported (Standard_RAGRS, for example), change it to a supported value (see image below) when you update your script.

     • Virtual machine size: VM_SIZE

    Learn more about VM sizes here (© Microsoft 2020, available at docs.microsoft.com, retrieved October 5, 2020). If you are missing anything from the list above, review the previous sections.

    Additionally, the virtual machine name and disk names should be considered before deployment.

     • Virtual machine name: VM_NAME

    Can be any name you would like to use. For example, solarwinds.sem.

     • Disk 1 (system) name: DISK1

     • Disk 2 (data) name: DISK2

    Boot diagnostics

    Boot diagnostics is a screenshot of the virtual machine's video output. Enabling this feature is optional, but required before creating a support ticket with the SolarWinds Helpdesk. The support representative needs the support key shown in the screenshot. The command to enable the feature for both Linux and Microsoft is listed in step six below.

    Deploy from PowerShell (Windows)

    Scripts are not supported under any SolarWinds support program or service. Scripts are provided AS IS without warranty of any kind. SolarWinds further disclaims all warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The risk arising out of the use or performance of the scripts and documentation stays with you. In no event shall SolarWinds or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the scripts or documentation.

    PowerShell is a command-line interface that is installed by default on newer Microsoft systems. Find more information here (https://docs.microsoft.com/en-us/powershell/scripting/install/windows-powershell-system-requirements?view=powershell-7; © Microsoft 2020, available at docs.microsoft.com, retrieved October 5, 2020).

    Lines starting with the # character are comments. The back quote (`) character on the end of lines indicates multi-line commands.

     1. From a command line (Windows Command Prompt or PowerShell), run the az login command.

    Log in with any authentication option. Running the az login command is recommended. For more details and other options, see Sign in with Azure CLI 2.0 (https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli?view=azure-cli-latest; © Microsoft 2020, available at docs.microsoft.com, retrieved October 5, 2020).

     2. When the browser launches prompting you to log in, sign in to Microsoft Azure with your account credentials.

     3. Create your script. The following script is a template: you will need to fill in the variables for your Azure VM environment. The script will run, upload your two VHD files, and then create your VM in the Azure Portal. You can also download the script from SolarWinds using this link: https://downloads.solarwinds.com/solarwinds/Release/SEM/azure_deployment_configuration_script.zip

    # How to use:
    # copy script to folder that contains azure disks
    # change USERNAME, SEM_VERSION, STORAGE_ACCOUNT, ACCESS_KEY, RESOURCE_GROUP, LOCATION
    # log in to azure (az login)
    # run script
    #
    ############################################
    # replace each token in capitals with your own value
    $username="USERNAME"
    $semVersion="SEM_VERSION"
    Write-Host "SEM version: $semVersion" -foreground Green

    # storage account and key set to ENV to avoid typing it to each command
    $env:AZURE_STORAGE_ACCOUNT="STORAGE_ACCOUNT"
    $env:AZURE_STORAGE_ACCESS_KEY="ACCESS_KEY"

    $disk1Filename="SolarWinds-SEM-Azure-$semVersion-disk1-system.vhd"
    $disk2Filename="SolarWinds-SEM-Azure-$semVersion-disk2-data.vhd"
    $sku="Standard_LRS"
    $vmSize="Standard_B1s"
    $resourceGroup="RESOURCE_GROUP"
    $vmLocation="LOCATION"
    $vmName="$username-sem-$semVersion"
    $disk1Name="$vmName-disk1.vhd"
    $disk2Name="$vmName-disk2.vhd"

    # check for presence of files
    if (!((Test-Path $disk1Filename) -and (Test-Path $disk2Filename))) {Write-Host "Couldn't find .vhd files" -foreground Red; break}

    # upload system and data disks
    az storage blob upload --container-name vhds-built --type page --file $disk1Filename --name $disk1Name
    az storage blob upload --container-name vhds-built --type page --file $disk2Filename --name $disk2Name

    # get blob urls
    $blobUrlDisk1=az storage blob url --container-name vhds-built --name $disk1Name
    $blobUrlDisk2=az storage blob url --container-name vhds-built --name $disk2Name

    # create system and data disks
    az disk create --resource-group $resourceGroup --sku $sku --name $disk1Name --source $blobUrlDisk1
    az disk create --resource-group $resourceGroup --size-gb "250" --sku $sku --name $disk2Name --source $blobUrlDisk2

    # create a machine and enable boot diagnostics
    az vm create --resource-group $resourceGroup --size $vmSize --public-ip-sku "Basic" --location $vmLocation --name $vmName --os-type "linux" --attach-os-disk $disk1Name --attach-data-disks $disk2Name
    az vm boot-diagnostics enable --name $vmName --resource-group $resourceGroup --storage $env:AZURE_STORAGE_ACCOUNT

     1. Launch PowerShell.

    Change the directory (cd) in PowerShell to the directory where the VHD files reside on your local system.

     2. Paste your script into PowerShell, and then press Enter.

    You can monitor the progress as the script is running. If the script encounters an error, such as a typo in your script, simply correct the error, and rerun the script.

    Upon completion, you can access your new VM in the Azure Portal under Home > Virtual machines.

    Deploy from Bash (Linux)


    Lines starting with the # character are just comments. The back quote (`) character on the end of lines is for multi-line commands.

     1. Run Bash shell (WSL or native) where Azure CLI 2.0 is installed, and then log in to the Azure Portal.

     2. Create your script. The following script is a template. When you fill in the variables for your Azure VM environment, the script will run, upload your two VHD files, and then create your VM in the Azure Portal.

    Replace the values in red below with the values you wrote down in the previous sections unless otherwise indicated. Enter values between the quotation marks, when present. Copy the entire script template into a text editor, such as Notepad, to make your edits.

    # storage account and key set to ENV to avoid typing it to each command
    export AZURE_STORAGE_ACCOUNT="STORAGE_ACCOUNT"
    export AZURE_STORAGE_ACCESS_KEY="ACCESS_KEY"

    disk1Filename="SolarWinds-SEM-Azure--disk1-system.vhd"
    disk2Filename="SolarWinds-SEM-Azure--disk2-data.vhd"
    sku="Standard_LRS"
    vmSize="Standard_B1s"
    resourceGroup="RESOURCE_GROUP"
    vmLocation="LOCATION"
    disk1Name="SYSTEM-disk1.vhd"
    disk2Name="DATA-disk2.vhd"
    vmName="VM-NAME"

    # upload system and data disks
    az storage blob upload --container-name CONTAINER NAME --type page --file "$disk1Filename" --name "$disk1Name"
    az storage blob upload --container-name CONTAINER NAME --type page --file "$disk2Filename" --name "$disk2Name"

    # get blob urls (tsv output returns the bare URL without JSON quotes)
    blobUrlDisk1=$(az storage blob url --container-name CONTAINER NAME --name "$disk1Name" --output tsv)
    blobUrlDisk2=$(az storage blob url --container-name CONTAINER NAME --name "$disk2Name" --output tsv)

    # create system and data disks
    az disk create --resource-group "$resourceGroup" --sku "$sku" --name "$disk1Name" --source "$blobUrlDisk1"
    az disk create --resource-group "$resourceGroup" --size-gb "250" --sku "$sku" --name "$disk2Name" --source "$blobUrlDisk2"

    # create a machine and enable boot diagnostics
    az vm create --resource-group "$resourceGroup" --size "$vmSize" --public-ip-sku "Basic" --location "$vmLocation" --name "$vmName" --os-type "linux" --attach-os-disk "$disk1Name" --attach-data-disks "$disk2Name"
    az vm boot-diagnostics enable --name "$vmName" --resource-group "$resourceGroup" --storage "$AZURE_STORAGE_ACCOUNT"

    Below is an explanation of what these values and variables are. The first section below initializes the variables. The subsequent sections of the script use these variables to upload the disks and create the VM.

    # storage account and key set to ENV to avoid typing it to each command

    export AZURE_STORAGE_ACCOUNT="STORAGE_ACCOUNT"
    This is the storage account you created in the Azure Portal.

    export AZURE_STORAGE_ACCESS_KEY="ACCESS_KEY"
    This is the multicharacter key you copied in a previous section. Paste the entire key between the quotation marks.

    disk1Filename="SolarWinds-SEM-Azure--disk1-system.vhd"
    disk2Filename="SolarWinds-SEM-Azure--disk2-data.vhd"
    The names of the system and data disk files vary based on the SEM version. The system disk is much larger (~18GB); the data disk is typically ~1GB.

    sku="Standard_LRS"
    This is the minimum requirement.

    vmSize="Standard_B1s"
    This is the minimum requirement.

    resourceGroup="RESOURCE_GROUP"
    This is the resource group you created in the Azure Portal.

    vmLocation="LOCATION"
    For example, "eastus" for Eastern US.

    disk1Name="SYSTEM-disk1"
    disk2Name="DATA-disk2"
    You can give these disks any descriptive name you like.

    vmName="VM-NAME"
    You can give the VM any descriptive name you like.

    The only other value you need to add is the container name you wrote down in a previous section as shown below. No quotation marks needed.

    # upload system and data disks
    az storage blob upload --container-name CONTAINER NAME --type page --file "$disk1Filename" --name "$disk1Name"
    az storage blob upload --container-name CONTAINER NAME --type page --file "$disk2Filename" --name "$disk2Name"

    # get blob urls
    blobUrlDisk1=$(az storage blob url --container-name CONTAINER NAME --name "$disk1Name" --output tsv)
    blobUrlDisk2=$(az storage blob url --container-name CONTAINER NAME --name "$disk2Name" --output tsv)

     3. Launch Bash.

    Change the directory (cd) in Bash to the directory where the VHD files reside on your local system.

     4. Paste your script into Bash, and then press Enter.

    You can monitor the progress as the script is running. If the script encounters an error, such as a typo in your script, simply correct the error, and rerun the script.

    Upon completion, you can access your new VM in the Azure Portal under Home > Virtual machines.

    Configure networking

    By default, the inbound firewall rule allowing SSH is enabled for a new Linux machine. If needed, you can disable SSH from the outside world for a SEM appliance. To see all default rules created per virtual machine, see Default security rules (https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#default-security-rules; © Microsoft 2020, available at docs.microsoft.com, retrieved October 5, 2020).

    Configure firewall rules based on your specific needs. Review the SEM port and firewall requirements here (https://support.solarwinds.com/SuccessCenter/s/article/SolarWinds-LEM-Port-and-Firewall-Requirement).
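One way to check a deployed SEM VM for an inbound SSH rule that is open to any source, and to narrow it to a management range, shown here as an added example rather than SolarWinds-provided code. The function names, the sample rule names and the 10.20.0.0/16 range are constructed for illustration, and the az network nsg calls assume a logged-in Azure CLI.

```shell
#!/usr/bin/env bash
# Added example (not from the SolarWinds guide): find NSG rules that expose SSH
# to any source, and narrow them to a management network.

# One rule per line, tab-separated: name, direction, access, source, ports, priority.
NSG_QUERY='[].[name,direction,access,sourceAddressPrefix,destinationPortRange,priority]'

# exposed_ssh_rules: reads the TSV produced with NSG_QUERY on stdin and prints
# the name of every inbound Allow rule that opens port 22 to any source.
exposed_ssh_rules() {
  awk -F'\t' '
    # covers(spec, port): does a port spec ("*", "22", "20-25") include port?
    function covers(spec, port,   r) {
      if (spec == "*") return 1
      if (spec ~ /^[0-9]+$/) return (spec + 0 == port)
      if (spec ~ /^[0-9]+-[0-9]+$/) {
        split(spec, r, "-")
        return (r[1] + 0 <= port && port <= r[2] + 0)
      }
      return 0   # empty or unrecognised spec: not counted as exposed
    }
    $2 == "Inbound" && $3 == "Allow" &&
    ($4 == "*" || $4 == "Internet" || $4 == "0.0.0.0/0") &&
    covers($5, 22) { print $1 }
  '
}

# sample_rules: constructed rule set (not real output) in the NSG_QUERY layout.
sample_rules() {
  printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
    default-allow-ssh  Inbound  Allow '*'          22    1000 \
    allow-https-any    Inbound  Allow '*'          443   1010 \
    legacy-admin-ports Inbound  Allow Internet     20-25 1020 \
    allow-syslog       Inbound  Allow 10.20.0.0/16 514   1030 \
    block-ssh-out      Outbound Deny  '*'          22    1040
}

# restrict_ssh RESOURCE_GROUP NSG_NAME MGMT_CIDR: rewrite every exposed rule so
# that it only admits traffic from MGMT_CIDR. Requires a logged-in Azure CLI.
restrict_ssh() {
  local rg="$1" nsg="$2" cidr="$3" rule
  az network nsg rule list --resource-group "$rg" --nsg-name "$nsg" \
      --query "$NSG_QUERY" --output tsv |
    exposed_ssh_rules |
    while read -r rule; do
      az network nsg rule update --resource-group "$rg" --nsg-name "$nsg" \
        --name "$rule" --source-address-prefixes "$cidr" --output none
    done
}

# Offline demonstration on the constructed sample.
sample_rules | exposed_ssh_rules
```

Call restrict_ssh with the resource group, the name of the NSG attached to the SEM VM, and the CIDR of your management network.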

    The following example shows security rules for a SEM Azure deployment:

    Deploy SEM to Amazon Web Services

    With version 6.7 and later, you can deploy SEM to Amazon Web Services (AWS). To get started, contact your SolarWinds Sales or Customer Support representative to request access to SEM on AWS.

    SolarWinds is not responsible for fees incurred when deploying SolarWinds products to AWS.

     1. Contact your SolarWinds Sales (evaluation customers) or Customer Support (existing customers) representative to request access to the AWS Amazon Machine Image (AMI) for SEM.

    You will need to provide your AWS account ID and AWS Region.

     2. When you receive notification that your AMI is available, launch the AMI (https://aws.amazon.com/premiumsupport/knowledge-center/launch-instance-custom-ami/) from the AWS EC2 console.

     3. Configure security groups (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/get-set-up-for-amazon-ec2.html#create-a-base-security-group) to enable the required ports (https://support.solarwinds.com/SuccessCenter/s/article/SolarWinds-LEM-Port-and-Firewall-Requirement).

    On versions earlier than 2020.2 you cannot resize partitions on managers deployed on AWS.

    Install SEM Agents to protect servers, domain controllers, and workstations

    This section provides SEM deployment options and installation steps.

    Deploying the SEM Agent

    This section describes options for installing the SEM Agent.

    See SEM components that make up a typical deployment to learn about the role the SEM Agent plays in a typical SEM deployment.

    SolarWinds provides SEM Agents for these operating systems:

     • Microsoft Windows (local and remote installers)
     • Linux
     • Mac OS X
     • Solaris on Intel
     • Solaris on Sparc
     • HPUX on Itanium
     • AIX

    Deploying the SEM Agent to multiple Windows computers in an enterprise environment

    There are two options for deploying the SEM Agent unattended on Windows:

     • Option 1: You can use the Remote Agent Installer to deploy SEM Agents to computers non-interactively.

    See Run the SEM Remote Agent Installer for large Windows deployments for more information.

     • Option 2: Use the Local Agent Installer with either software distribution policies or local logon scripts to deploy the SEM Agent non-interactively. This method is an alternative to the Remote Agent Installer option for large deployments.

    See Run the SEM Local Agent Installer for large Windows deployments for more information.

    SEM Agent pre-installation checklist: Prepare to deploy SEM Agents

    Complete the following tasks before installing the SEM Agent. See Deploying the SEM Agent to learn more about installing SEM Agents.

    SEM Agent installer requirements

    1. Review system requirements

    See the SEM agent requirements in the system requirements section for details.

    2. Gather credentials

    Verify that you have administrative access to the servers and workstations you plan to monitor with the Agent. Windows-based systems require Domain or Local administrative privileges; Linux or Unix systems require root-level access.

    The Local Administrator Account is not the same as a domain account with local admin rights. A domain account is subject to your domain group policies.

    3. Review the SEM Agent installation overview

    See Deploying the SEM Agent for installation information, and information about unattended Agent installations.

    Antivirus recommendations

    1. Disable anti-malware and endpoint protection software during installation.

    Turn off any anti-malware or endpoint protection applications on host systems during the installation process, because these applications can affect the process by which installation files are transferred to the hosts.

    2. After installation, add an exception to your antivirus or anti-malware software for the SEM Agent folder.

    Set an exception in your antivirus or anti-malware scanning software for the ContegoSPOP folder where the SEM Agents will be installed. The alerts are kept in queue files, which change constantly as they are normalized and encrypted.

    Download the SEM Agent installers

    You can download SEM Agent installers from the SEM HTML5 and Flash consoles or from the SolarWinds Customer Portal.

    To download a SEM Agent installer from the SEM Console

     1. On the SEM Console, click the Nodes tab, and then click Add agent node. The Add agent node window appears displaying options for remote and local installation.

     2. Select an option, and then follow the instructions to add the monitored node.

    To download a SEM Agent installer from the SolarWinds Customer Portal

    If you are using a trial version of SEM, download the SEM Agent installer from the SEM console, or contact SolarWinds for assistance.

     1. Download the installer from the SolarWinds Customer Portal (https://customerportal.solarwinds.com/Licenses). Log in with your SWID if necessary.

     2. Find SEM in the product list, and then click Choose Download.

     3. Find the Agent Installer on the list.

    Before deploying SEM Agents, make note of formatting in any .txt files that contain host entries:

     • Ensure there is only one host entry per line.

     • If the format is tab separated, remove the tab spacing, and then enter a space between each value. For example, 10.10.10.10 xxx03 xxx03 yyy abcd.net. If tab spacing is present, the installer will not be able to parse the file correctly and will fail.

    To download a SEM Agent installer from the SEM legacy Flash console

    Adobe will stop distributing and updating Flash Player after December 31, 2020. Please visit the Adobe Flash Player EOL General Information Page (https://www.adobe.com/products/flashplayer/end-of-life.html; Copyright © 2020 Adobe, retrieved November 5, 2020) for information.

     1. Open the SEM legacy Flash console.

     2. Choose from the following options:

     • Click Ops Center, go to the Getting Started widget, and click Add Nodes to Monitor.

     • Click Manage > Nodes. Click Add Node, then click Agent Node.

     3. Click an Agent to download it.

    Next steps:

    See the following topics to install the SEM Agents:

     • Install the SEM Agent on Linux and Unix
     • Install the SEM Agent on macOS X
     • Run the SEM Remote Agent Installer for large Windows deployments
     • Run the SEM Local Agent Installer for large Windows deployments

    Install the SEM Agent on Linux and Unix

    This section describes how to install Agents locally on a variety of Linux and Unix operating systems. Once installed, the SEM Agent automatically starts and connects to the SEM Manager.

    See SEM Agent pre-installation checklist: Prepare to deploy SEM Agents for Agent download information and a pre-install checklist.

    Installation notes for the Linux Agent installer

     • A reboot is not required following installation.

     • SEM Agents are installed in the /usr/local/contego/ContegoSPOP folder by default.

    Run the SEM Agent Installer on Linux or Unix

     1. Copy SolarWinds-SEM-Agent-LinuxInstaller.bin to a local or network location.

     2. cd to the folder that contains the installer.

     3. Enter chmod +x SolarWinds-SEM-Agent-LinuxInstaller.bin to convert the installer into an executable application.

     4. Run SolarWinds-SEM-Agent-LinuxInstaller.bin as root.

     5. Press Enter to start the installer.

     6. Press Enter to page through the End User License Agreement, and then enter y to accept the terms if you agree.

     7. Enter a custom installation path, or press Enter to accept the default (recommended).

     8. Enter the hostname of your SEM Manager.

    Use the fully qualified domain name for your SEM Manager when you deploy SEM Agents on a different domain. For example, enter SEMhostname.example.com.

     9. Press Enter twice to accept the default port values, and then press Enter again to proceed.

     10. Review the Pre-Installation Summary, and then press Enter to proceed.

     11. Once the installer finishes, press Enter to exit the installer.

    The SEM Agent begins sending alerts to your SEM Manager immediately. To configure the SEM Agent to start automatically on boot, add /etc/init.d/swsem-agent (or swsem-agent) to your list of startup scripts.

    Next steps:

     • See Verify the SEM Agent connection to test that the Agent connected to the SEM Manager.

    To uninstall the SEM Agent on Linux or Unix

     1. Log in to your Linux computer as root.

     2. Stop the SolarWinds SEM Agent service.

     3. Delete the /usr/local/contego/ContegoSPOP folder.

     4. Remove startup scripts, if any.

    Install the SEM Agent on macOS X

    See SEM Agent pre-installation checklist: Prepare to deploy SEM Agents for Agent download information and a pre-install checklist.

    SEM does not currently support USB defender on macOS X.

    Installation notes

     • Installing the SEM Agent on macOS requires enabling the 'root' user account and disabling System Integrity Protection (SIP). Not doing so will prevent the Agent from running properly.

     • This procedure applies to SEM versions 6.4 and later.

    Enable root credentials, disable SIP, and download and install the Agent

     1. Enable root credentials on the Apple Mac system.

    See How to enable the root user on your Mac or change your root password (https://support.apple.com/en-us/HT204012) for details.

     2. Disable System Integrity Protection (SIP) on the Mac system.

    See System Integrity Protection (SIP) is preventing install of SEM Agent on macOS X 10.x and later (https://support.solarwinds.com/SuccessCenter/s/article/System-Integrity-Protection-SIP-is-preventing-install-of-LEM-Agent-on-Mac-OS-X-10-x-and-later) for details.

    You can also use the Terminal command sudo nvram "recovery-boot-mode=unused" to reboot into recovery.

     3. Download the SolarWinds-SEM-v#.#.#-MacOSAgentInstaller.zip file from the Customer Portal.

     4. Decompress or unzip the file to a local drive, not a network drive.

     5. Navigate to the correct directory path using Finder in the GUI.

    If you are logged in as root, enter:

    cd /Users//SolarWinds-SEM-v#.#.#-MAcOSAgentInstaller/MacOS

    If you are not logged in as root, enter:

    cd /private/var/root/SolarWinds-SEM-v#.#.#-MAcOSAgentInstaller/MacOS Agent/

     6. Log in as root or as your current user.

     7. Double-click the Setup.app file on the Macintosh system.

     8. Follow the installer instructions. During the installation, add the Manager IP (the IP address of SEM), leave all ports at their defaults, and click Next until finished.

     9. Open Terminal.

     10. For Catalina (10.15) ONLY, remount the file system as read-write:

    sudo mount -uw /

     11. Copy the SEM Agent to the correct startup path to have it initialize upon reboot.

    If the installer was run with the root account, run the following commands to copy the folder:

    cp -rp /private/var/root/Applications/SWSEMAgent /System/Library/StartupItems/

    cp -rp /private/var/root/Applications/SWSEMAgent /Applications/

    If the installer was not run as root, run the following commands:

    cp -rp /Users//Applications/SWSEMAgent /System/Library/StartupItems/

    cp -rp /Users//Applications/SWSEMAgent /Applications/

     12. Navigate to the PLIST file packaged with the installed Agent by executing the following command:

    cd /System/Library/StartupItems/StartupFiles/SWSEMAgent

     13. Copy the PLIST file to the LaunchDaemons folder.

    cp -rp com.solarwinds.swsemagent.plist /Library/LaunchDaemons/

     14. If necessary, change the permissions on the PLIST file. This only needs to be completed if the PLIST file is moved with a non-root account.

    chown root:wheel /Library/LaunchDaemons/com.solarwinds.swsemagent.plist

     15. Restart the computer.

     16. Verify that the agent is running by running the following command:

    launchctl list | grep swsemagent

    Start and stop the Mac Agent Service

     - To start the Mac Agent Service, execute:

    launchctl load /Library/LaunchDaemons/com.solarwinds.swlemagent.plist

     - To stop the Mac Agent Service, execute:

    launchctl unload /Library/LaunchDaemons/com.solarwinds.swlemagent.plist

    Verify that the Agent service is running

     - Run the following command:

    launchctl list | grep swlemagent

     - If the Agent Service is running, the output resembles the following:

    Mac-mini:~ root# 865 0 com.solarwinds.swlemagent

     - If the Agent Service is not running, the output is blank:

    Mac-mini:~ root#
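The check above, as an added example that is not part of the guide: it parses `launchctl list` output and separates a running Agent from one that is loaded but not running and from one that is not loaded at all. It looks for both labels because the install steps name com.solarwinds.swsemagent.plist while the service commands use swlemagent; the function names are hypothetical and the sample output is constructed.

```python
import subprocess

# Both labels appear in the guide: the copy/chown steps use swsemagent,
# the load/unload/list commands use swlemagent.
AGENT_LABELS = ("com.solarwinds.swsemagent", "com.solarwinds.swlemagent")

# Constructed sample of `launchctl list` output (PID, last exit status, label).
SAMPLE = (
    "PID\tStatus\tLabel\n"
    "865\t0\tcom.solarwinds.swlemagent\n"
    "-\t0\tcom.example.other\n"
)


def parse_launchctl_list(output):
    """Map label -> (pid or None, last exit status) from `launchctl list`."""
    jobs = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # not a job entry
        pid, status, label = fields
        try:
            # A "-" in the PID column means the job is loaded but has no process.
            jobs[label] = (None if pid == "-" else int(pid), int(status))
        except ValueError:
            continue  # header row or malformed line
    return jobs


def agent_state(output, labels=AGENT_LABELS):
    """Return (state, label): running, loaded-not-running or not-loaded."""
    jobs = parse_launchctl_list(output)
    loaded = None
    for label in labels:
        if label in jobs:
            pid, _ = jobs[label]
            if pid is not None:
                return "running", label
            loaded = loaded or label
    if loaded:
        return "loaded-not-running", loaded
    return "not-loaded", None


def current_agent_state():
    """Run `launchctl list` (as root, like the guide's prompt) and classify it."""
    result = subprocess.run(
        ["launchctl", "list"], capture_output=True, text=True, check=True
    )
    return agent_state(result.stdout)
```

A loaded-not-running result with a non-zero exit status means launchd found the PLIST but the Agent process exited, which the plain grep check cannot distinguish from a healthy entry.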

    Install the SEM Agent on Windows

    The Windows Agent installer allows you to install SolarWinds Security Event Manager Agents locally on a variety of Windows operating systems. Once installed, the SEM Agent automatically starts and connects to your SEM Manager.

    Installer notes

     - The Local Agent Installer is Windows-only.

     - SEM Agents are installed to the following folders:

    Bitness Installation Folder

    32-bit C:\Windows\system32\ContegoSPOP

    64-bit C:\Windows\sysWOW64\contegoSPOP

     - A reboot is not required.

    Antivirus Recommendations

    Set an exception in your antivirus or anti-malware scanning software for the ContegoSPOP folder where the SEM Agent will be installed. The alerts are kept in queue files, which change constantly as they are normalized and encrypted.

    Turn off any anti-malware or endpoint protection applications on host systems during the installation process, as they can affect the process by which installation files are transferred to the hosts.

    Warning: Uninstall the old version of the SEM Agent before upgrading to the new version.

    If you are using a trial version of SEM, download the SEM Agent installer from the SEM console (Nodes > Nodes > Add agent node), or contact SolarWinds for assistance.

     1. Download the installer from the SolarWinds Customer Portal (https://customerportal.solarwinds.com/Licenses). Log in with your SWID if necessary.

     2. Find SEM in the product list, and then select and download the Local Agent Installer from the Agent Downloads list.

     3. Extract the contents of the installer ZIP file to a local or network location.

     4. Run setup.exe, and then click Next to start the installation wizard.

     5. Accept the End User License Agreement if you agree, and then click Next.

     6. Enter the hostname of your SEM Manager in the Manager Name field, and then click Next.

     7. Do not change the default port values.

    Note: Use the fully qualified domain name for your SEM Manager when you deploy SEM Agents on a different domain. For example, enter SEMhostname.SolarWinds.com.

     8. Confirm the Manager Communication settings, and then click Next.

     9. Specify whether or not you want to install USB-Defender with the SEM Agent, and then click Next. The installer includes USB-Defender by default. To omit this from the installation, clear the Install USB-Defender box.

    Note: We recommend installing USB-Defender on every system. USB-Defender will never detach a USB device unless you have explicitly enabled a rule to do so. By default, USB-Defender simply generates alerts for USB mass storage devices attached to your SEM Agents.

     10. Confirm the settings on the Pre-Installation Summary, and then click Install.

     11. Once the installer finishes, it will start the SEM Agent service when you click Next.

     12. Inspect the Agent Log for any errors, and then click Next.

     13. Click Done to exit the installer.

    The SEM Agent continuously runs on your computer unless you uninstall or manually stop it. It begins sending alerts to your SEM Manager immediately.

    In new installations of SEM (6.7 and newer), corresponding agent versions communicate by default using a secure certificate, which no longer requires TLS 1.0, 3DES, or anonymous cipher. If you need to connect to earlier agent versions, navigate to the SEM Console security tab (Settings > Security), and switch the toggle button to enable lower security settings.

    Run the SEM Remote Agent Installer for large Windows deployments

    The Remote Agent Installer allows you to install the SEM Agent on multiple Windows computers without the need to step through an installation wizard. Once installed, the SEM Agent automatically starts and connects to the SEM Manager.

    See SEM Agent pre-installation checklist: Prepare to deploy SEM Agents for Agent download information and a pre-install checklist.

    Installation notes for the Remote Agent Installer

     - The Remote Agent Installer is Windows-only.

     - You will need a user account with privileges to write to Windows administrative shares such as C$ or D$.

     - SEM Agents are installed to the following folders:

    Bitness Installation Folder

    32-bit C:\Windows\system32\ContegoSPOP

    64-bit C:\Windows\sysWOW64\contegoSPOP

     - If you are installing SEM Agents on the far end of a WAN link, copy the Remote Agent Installer executable to the end of the WAN link and run it there. This will avoid using your WAN bandwidth to copy SEM Agents multiple times.

     - A reboot is not required.

     - NetBIOS – If not enabled, the Remote Agent Installer will require a text file of available hosts with each IP address or hostname on its own line.

    Run the SEM Agent installer for Windows

     1. Extract the contents of the installer ZIP file to a local or network location.

     2. Run the .exe file.

     3. Click Next to start the installation wizard.

     4. Accept the End User License Agreement if you agree, and then click Next.

     5. Specify a temporary folder on your computer to use for the installation process and click Next. The default is C:\SolarWindsSEMMultiInstall.

     6. Enter the hostname of your SEM Manager in the Manager Host field, and then click Next. Do not change the default port values.

    Use the fully qualified domain name for your SEM Manager when you deploy SEM Agents on a different domain. For example, enter SEMhostname.example.com.

     7. Select Get hosts automatically or Get hosts from file (One host per line), and then click OK.

     - Get hosts automatically uses a NetBIOS broadcast to identify hosts on the same subnet and domain as the computer running the installer.

     - Get hosts from file (One host per line) prompts you to browse for a text file that includes the hosts on which you want to install SEM Agents. Use this option for any of the following reasons:

     o You are deploying SEM Agents to computers on a different subnet than that on which the computer running the installer resides. Your computer may be able to access these subnets, but their hosts will not be recognized by the NetBIOS broadcast used to get hosts automatically.

     o You are deploying SEM Agents to a small segment of a large network, which could make choosing them from a list time prohibitive.

     o You are deploying SEM Agents in a network with a complex naming scheme, which could make choosing hosts from a list time prohibitive.

    The text file used for this option can contain hostnames, fully qualified domain names or IP addresses, each on their own lines. If DNS names are used, the computer running the installer must be able to resolve them.

     8. Select the check boxes next to the computers on which you want to install a SEM Agent, and then click Next.

     9. Confirm the list is correct, and then click Next.

     10. Specify the Windows destination for the remote installation.

     - The default paths are provided for all supported Windows systems. We strongly recommend using the default paths, as the SEM Agent may not be recognized as a service by Windows if it is not installed in a system folder.

     - The installer is set to automatically detect host operating systems by default, but you can also specify an operating system if all of the target hosts are running the same one.

     11. Click Next.

     12. Specify whether or not you want to install USB-Defender with the SEM Agent, and then click Next. The installer will include USB-Defender by default. To omit this from the installation, clear the Install USB-Defender option box.

    SolarWinds recommends installing USB-Defender on every system. USB-Defender will never detach a USB device unless you have explicitly enabled a rule to do so. By default, USB-Defender simply generates alerts for USB mass storage devices attached to your SEM Agents.

     13. Confirm the settings on the Pre-Installation Summary, and then click Install.

     14. Once the installer finishes, it will start the SEM Agent service when you click Next.

     15. Inspect the Agent Log for any errors, and then click Next.

     16. Click Done to exit the installer.

    The SEM Agent continues running on your computer unless you uninstall or manually stop it. It begins sending alerts to your SEM Manager immediately.

    Next steps:

     - See Verify the SEM Agent connection to test that the Agent connected to the SEM Manager.

    Run the SEM Local Agent Installer for large Windows deployments

    The Local Agent Installer allows you to install the SEM Agent without the need to step through an installation wizard. This option is only available for Windows systems.

    You can run the Local Agent Installer using software distribution policies or local logon scripts. This method is an alternative to the Windows-only Remote Agent Installer in large deployment scenarios.

    This procedure only works with the local installer. Do not use the Remote Agent Installer for this task.

    Installation notes

    See SEM Agent pre-installation checklist: Prepare to deploy SEM Agents for Agent download information and a pre-install checklist.

    There are three steps to using the Local Agent Installer to install the SEM Agent. Each step is described in detail in the sections below.

     1. Download the Local Agent Installer.

     2. Configure a custom installer.properties file that contains your environmental variables.

     3. Run the Local Agent Installer.

    See Run the SEM Remote Agent Installer for large Windows deployments for more information about installing the SolarWinds SEM Agent.

    Download the Local Agent Installer

     1. Download the installer from the SolarWinds Customer Portal (http://www.solarwinds.com/customerportal/LicenseManagement.aspx):

     a. Log in to the Customer Portal.

     b. Navigate to the License Management page.

     c. Locate SEM in the product list, and then click Choose Download.

     d. Download the Local Agent installer for Windows. Find the appropriate installer on the list.

    Be sure you download the Local Agent Installer. You cannot use the Remote Agent Installer for this task.

     2. Extract the contents of the installer ZIP file to a local or network location.

     3. Copy SolarWinds-SEM-2020.4-Agent-WindowsInstaller.exe to a known location.

    Configure a custom installer.properties file

     1. Open a text editor and create a file with the following two lines, followed by a carriage return:

    MANAGER_IP=

    INSTALLER_UI=silent

    INSTALL_USB_DEFENDER=

    Where:

     - The MANAGER_IP value is the hostname or IP address of the SEM appliance.

     - silent runs the installer in silent mode.

     - The INSTALL_USB_DEFENDER value is 0 or 1. Specify 0 if USB defender should not be installed, or 1 if USB defender should be installed.

     2. Verify that a blank line with a carriage return follows the INSTALL_USB_DEFENDER entry.

    A blank line with a carriage return after the INSTALL_USB_DEFENDER entry is required for the file to work correctly.

    The contents of the file should look similar to this:

    MANAGER_IP=swi-sem

    INSTALLER_UI=silent

    INSTALL_USB_DEFENDER=0

     3. Save the file as installer.properties in the same folder as the .exe file.
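A pre-flight check for the installer.properties file described above, added here as an example (it is not SolarWinds code). It assumes CRLF line endings and reads the blank-line requirement strictly, as an empty line after the INSTALL_USB_DEFENDER entry; the function names are hypothetical.

```python
import ipaddress
import re

REQUIRED_KEYS = ("MANAGER_IP", "INSTALLER_UI", "INSTALL_USB_DEFENDER")
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_host(value):
    """True for an IP address or a syntactically valid hostname/FQDN."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    # All-numeric strings that failed above are mistyped IPs (10.0.0.256).
    if not value or len(value) > 253 or re.fullmatch(r"[0-9.]+", value):
        return False
    return all(_LABEL.fullmatch(label) for label in value.split("."))


def build_properties(manager, usb_defender):
    """Return the file text: three entries, CRLF endings, trailing blank line."""
    if not is_host(manager):
        raise ValueError(f"not a hostname or IP address: {manager!r}")
    lines = [
        f"MANAGER_IP={manager}",
        "INSTALLER_UI=silent",
        f"INSTALL_USB_DEFENDER={1 if usb_defender else 0}",
        "",  # the blank line required after the last entry
    ]
    return "\r\n".join(lines) + "\r\n"


def validate_properties(text):
    """Return a list of problems found in installer.properties text."""
    problems = []
    entries = {}
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        key, sep, value = line.partition("=")
        if not sep:
            problems.append(f"line {number}: missing '='")
            continue
        key = key.strip()
        if key in entries:
            problems.append(f"line {number}: duplicate key {key}")
        entries[key] = value.strip()
    for key in REQUIRED_KEYS:
        if key not in entries:
            problems.append(f"missing {key}")
    if "MANAGER_IP" in entries and not is_host(entries["MANAGER_IP"]):
        problems.append("MANAGER_IP is not a hostname or IP address")
    if entries.get("INSTALLER_UI", "silent") != "silent":
        problems.append("INSTALLER_UI must be silent")
    if entries.get("INSTALL_USB_DEFENDER", "0") not in ("0", "1"):
        problems.append("INSTALL_USB_DEFENDER must be 0 or 1")
    # Strict reading of the guide: last entry, line break, empty line, line break.
    if not re.search(r"(\r\n|\n){2}\Z", text):
        problems.append("no blank line after the last entry")
    return problems
```

Running the validator in the software distribution pipeline catches a mistyped Manager address before a silent install leaves hosts with an Agent that never reports in.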

    Run the Local Agent Installer

     1. Verify that .exe and installer.properties are located in the same folder.

    UNC paths should not be used during this installation.

     2. Run the command, setup -i silent using the active resource directory that matches the folder that contains the two installer files. The command immediately returns to the command prompt.

    Right-click the installer file and select Run as administrator.

    The SEM Agent starts automatically and continues running until you uninstall or manually stop the Agent. It begins sending alerts to your SEM Manager immediately. The SEM Agent should also appear in Add/Remove Programs.

    Next steps:

     - See Verify the SEM Agent connection to test that the Agent connected to the SEM Manager.

    Verify the SEM Agent connection

    After you install the SEM Agent on your Agent nodes, verify that the Agent connected to the SEM Manager.

    SEM console

     1. On the SEM Console, click the Nodes tab.

     2. Under Refine results, click the Agent and Connected check boxes.

     3. In the agent node list, ensure all connected nodes display a green check mark indicator.

    SEM legacy Flash console

    To download a SEM Agent installer from the SEM legacy Flash console

    Adobe will stop distributing and updating Flash Player after December 31, 2020. Please visit the Adobe Flash Player EOL General Information Page (https://www.adobe.com/products/flashplayer/end-of-life.html; Copyright © 2020 Adobe, retrieved November 5, 2020) for information.

     1. Open the SEM legacy Flash console.

     2. Choose from the following options:

     - Click Ops Center, go to the Getting Started widget, and click Add Nodes to Monitor.

     - Click Manage > Nodes. Click Add Node, then click Agent Node.

     3. Click an Agent to download it.

     1. Open the SEM legacy Flash console.

     2. Click Manage > Nodes.

     3. In the Nodes grid, ensure that all connected nodes include a green status indicator.

    For help troubleshooting SEM Agents, see Troubleshoot SEM Agents and network devices (https://documentation.solarwinds.com/en/Success_Center/SEM/Content/Admin_Guide/16-sem_troubleshooting/troubleshoot-agents-net-devices.htm) in the SEM Administrator Guide.

    Next steps:

     - Configure SEM Agents after they are installed (https://documentation.solarwinds.com/en/Success_Center/SEM/Content/Admin_Guide/4-deploy_sem_agents/configure-sem-agents.htm) in the SEM Administrator Guide.

     - If you have similar SEM Agents installed, see Create connector profiles to manage and monitor SEM Agents (https://documentation.solarwinds.com/en/Success_Center/SEM/Content/Admin_Guide/6.0-config_sem_connectors/sem-create-connector-profile-manage-monitor-agents.htm) in the SEM Administrator Guide.

    Install the SEM reports application

    This section describes how to install the optional SEM reports application on either a separate server or on a workstation. The reports application allows you to produce over 200 standard and industry-specific reports.

    Pick a suitable host for the reports application

    You can install the SEM reports application on as many servers and workstations as you require. Install the SEM reports application on a system that runs overnight. This is important because the daily and weekly start time for these reports is 1:00 AM and 3:00 AM, respectively. It's also important that you install the reports application on a system that can access the SEM database.

    See the SEM system requirements in the Installation Guide for additional requirements.

    Install the SEM reports application

    The SEM reports application requires the free Crystal Reports runtime application. There are two ways to install the SEM reports application:

     - You can run the reports application installer included in the SolarWinds Security Event Manager distribution package. The installer installs Crystal Reports and the SEM reports application together.

     - You can download Crystal Reports and the SEM reports application individually from the SolarWinds Customer Portal. You will need to install each application one at a time. This may be necessary if your Windows security settings prevent you from running the other installer.

    Install the SEM reports application provided in the SEM distribution package

    This installer also installs the Crystal Reports Runtime.

     1. If necessary, copy the SolarWinds Security Event Manager installation folder to a local drive and open the folder.

     2. Right-click the file Install Next - SEM Reporting Software.exe, and then select Open.

    A dialog box appears prompting you to allow the app to make changes to your device.

     3. Click Yes to continue.

    The Welcome screen appears.

     4. Click Next, and then review the Requirements for Installation.

     5. Click Next, and then click Begin Install to start the installation process.

     6. When the Installation Complete dialog displays, click Close.

    Install the SEM reports application files downloaded from the Customer Portal

    Complete these steps if you were not able to install the SEM reports application using the installer included in the SolarWinds Security Event Manager distribution package.

    Before you begin: Download the SEM reports application and the Crystal Reports Runtime installers from the SolarWinds Customer Portal (https://customerportal.solarwinds.com/).

     1. Run the Crystal Reports Runtime installer and complete the installation steps.

     2. Run the SEM reports application installer and complete the installation steps.

     3. When the installation is complete, click Close.

    The SEM reports application is installed on your system.

    Connect the SEM reports application to your SEM database

    When you enter a SEM Manager IP address into the SEM reports application, you create a connection between the reports application and the SEM database server running on the SEM Manager VM.

    Before you begin: You will need the IP address of the SEM VM and your SEM console login credentials.

     1. Right-click the Reports application icon on your desktop and select Run as administrator.

     a. Right-click the Reports shortcut and select Properties.

     b. Click Advanced and select the Run as administrator option.

     c. Click OK.

     d. In the reports Properties window, click OK.

     2. Click Yes in the antivirus dialog box to continue.

     3. Click OK in the information box to create a list containing at least one Manager.

     4. Enter the hostname or IP address of your SEM appliance in the Manager Name field.

    Whenever you see Manager in reference to SEM, it usually refers to the IP address or hostname of your virtual appliance.

     5. Enter the username and password used to log in to the SEM console.

    You can audit users accessing the reporting server running on the SEM VM. Only users with admin, auditor, or reports roles can run reports on the SEM database.

     6. (Optional) Select the Use TLS connection check box to use the transport layer security protocol for a secure connection.

     7. Click Test Connection to verify the connection between the SEM database server and the SEM reports application.

    The reports application pings the SEM database and verifies the connection. If the ping is successful, Ping Successful displays in the dialog box.

     8. Click to add the IP address to your SEM Manager list, and then click Yes to confirm.

     9. Click Close.

    The reports application is connect