This document may not be reproduced by any means nor modified, decompiled, disassembled,
published or distributed, in whole or in part, or translated to any electronic medium or other means
without the prior written consent of SolarWinds. All right, title, and interest in and to the software,
services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates,
and/or its respective licensors.
The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of
SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office,
and may be registered or pending registration in other countries. All other SolarWinds trademarks,
service marks, and logos may be common law marks or are registered or pending registration. All
other trademarks mentioned herein are used for identification purposes only and are trademarks of
(and may be registered trademarks) of their respective companies.
page 2
Table of Contents
SEM installation overview 5
How SEM works 5
Sizing criteria 13
Download SEM 22
INSTALLATION GUIDE: SECURITY EVENT MANAGER
Run the SEM Remote Agent Installer for large Windows deployments 55
Run the SEM Local Agent Installer for large Windows deployments 58
SEM installation overview
This section describes how Security Event Manager (formerly Log & Event Manager) works and
provides examples of components used in various deployment environments.
How SEM works
SolarWinds SEM collects log data in your corporate network from two resources:
- Agents – An Agent is a software application that collects and normalizes log data before it is
  sent to the SEM Manager.
- Non-Agent devices – These are devices that send log data directly to the SEM Manager for
  normalization and processing.
After normalization, SEM Manager processes the data. The SEM Manager policy engine correlates the
data based on user-defined rules and local alert filters, and initiates the associated actions when
applicable. These actions can include:
You can install Agents on workstations, servers, and other network devices. Agents can send log data
from security products (such as antivirus software and network-based intrusion systems) on each
device to the SEM virtual appliance. If you cannot install an Agent on a device (such as firewalls and
routers), you can configure the device to send log data to the SEM Manager for normalization and
processing. If your change management process does not permit adding any additional syslog
servers to the network device configurations, you can leverage your existing syslog servers.
Audit reports
You can generate reports against your Security Event Manager database using the SEM reports
console installed on a supported server. Using the console, you can schedule and execute over 300
audit reports. If your corporate security policy restricts access to sensitive reports, you can configure
your SEM Appliance to restrict access to the console by IP address. During the 30-day evaluation
period, you can install the console on any server or workstation that can access port 9001 in the SEM
Manager. You can also export reports to multiple formats, including TXT, PDF, CSV, DOC, XLS, and
HTML.
SEM uses additional data collection tools such as Web Services and SNMP traps. Contact
Customer Service for more information about integrating SEM into your corporate enterprise.
Overview
The following illustration shows the software components, log files, and network protocols in a
typical SolarWinds SEM deployment.
- The SEM Manager (or SEM VM), which collects and processes log and event information. This
  component is installed first.
- The desktop software or web client (not shown) that allows you to view SEM information from
  a desktop or laptop computer.
The SEM documentation uses the term virtual machine (or VM) to refer to the SEM virtual
appliance that runs on the hypervisor.
The SEM Manager collects and processes log and event information. It includes the following
systems and services:
- Hardened Linux® OS
- Syslog Server and SNMP Trap Receiver
- High compression, search-optimized database
- Web server
- Correlation engine
You can also use the SEM Agent with devices that support syslog. The Agent transmits syslog
messages over TCP to the SEM Manager. TCP is preferred over UDP because TCP ensures messages
arrive intact.
SEM accepts device input using the TCP and UDP protocols.
- Network devices use TCP or UDP to send syslog events to the SEM Manager.
- SEM Agents installed on servers and workstations use TCP to push data to the SEM Manager.
- SolarWinds Orion/VMAN server instances (including NPM and SAM) send SNMP traps over UDP
  to the SEM Manager.
The syslog server receives logs on port 514 and saves the data in the SEM Manager /var/log file
partition. Log file names vary based on the target facility configured on the network device.
The SEM Manager relies on routers, firewalls, and switches to transmit syslog messages to the
syslog server running on the SEM Manager. If your log sources are located behind firewalls, see
SolarWinds SEM port and firewall information to open the necessary ports. For a list of all
ports required to communicate with SEM, see the Port requirements for all SolarWinds
products.
Complex deployment example with multiple syslog servers
The following deployment example uses two syslog servers located in different cities. SEM can
capture logs from multiple remote locations across wide area network (WAN) links. Because the SEM
Agent includes built-in encryption, compression, and buffering capabilities, this can be done securely
and efficiently.
Instead of using the syslog server built in to the SEM Manager component, this design calls for one
syslog server per location. When using a detached syslog server, you need to install a SEM Agent on
each detached server, and then enable the appropriate connectors on the SEM Agent. Following
configuration, the SEM connectors normalize raw log messages into SEM events.
If you cannot add new logging hosts on your network devices due to restrictive change management
processes, consider implementing this multi-syslog-server deployment example to leverage your
existing syslog servers.
For more information, see the following topics in the SEM Administrator Guide:
- Universal license (SEM). Includes the number of universal nodes. Universal nodes include non-agent
  devices, such as switches, routers, and firewalls, and systems running either a Windows Server or
  Unix operating system.
- Workstation Edition license (SWE). Includes the number of workstation nodes. Workstation nodes
  include desktop systems that run Windows and the SEM Agent.
For example, a SEM deployment that has SWE250 and SEM30 licenses can add 250 Windows
workstation nodes and 30 universal nodes.
Beginning in April 2020, you can choose to use a perpetual license or a subscription-based
(term-based) license. Learn more here.
If you have not purchased and provided a license key after 30 days, the application will stop
collecting event logs from your syslog and Agent devices. You can continue using Security Event
Manager in this mode and access your saved logs. Applying a license reactivates event log collection
and you can continue monitoring all events in your deployment. If you need to extend your evaluation
period, contact Customer Sales.
You can upgrade to a fully-functional production version by purchasing a new license from Customer
Sales and downloading the license key from the Customer Portal. After you install the new license
key, you can access all features within the SEM appliance.
You cannot upgrade your license using the SolarWinds License Manager.
SEM 2020.4 system requirements
Use the following tables to plan your Security Event Manager (SEM) deployment to suit your network
environment.
- Number of nodes and network traffic. Consider event throughput and performance degradation
  when planning the size of your deployment. As the number of nodes and network traffic increase,
  the size of your deployment will need to grow with it. For example, if you are running a small
  deployment and begin to notice performance degradation at 300 nodes, move to a medium
  deployment.
- Storing original (raw) log messages in addition to normalized log messages. If you will be storing
  original log messages, increase the CPU and memory resource requirements by 50 percent. See
  your hypervisor documentation for more information.
Sizing criteria
Use the following table to determine if a small, medium, or large deployment is best suited to
supporting your environment.
Sizing criteria: number of nodes

  Small: Fewer than 500 nodes in the following combinations:
    - 5 – 10 security devices
    - 10 – 250 network devices, including workstations
    - 30 – 150 servers

  Medium: Between 300 and 2,000 nodes in the following combinations:
    - 10 – 25 security devices
    - 200 – 1,000 network devices, including workstations
    - 50 – 500 servers

  Large: More than 1,000 nodes in the following combinations:
    - 25 – 50 security devices
    - 250 – 1,000 network devices, including workstations
    - 500 – 1,000 servers

Hardware on the VM host

  Hard drive storage:
    - Small: 250GB, 15k hard drives (RAID 1/mirrored settings)
    - Medium: 500GB, 15k hard drives (RAID 1/mirrored settings)
    - Large: 1TB, 15k hard drives (RAID 1/mirrored settings)

  Amazon Web Services: Learn about Amazon Web Services requirements here.
Operating System (OS): The SEM Agent is compatible with the following operating systems:
  - HPUX on Itanium
  - IBM AIX 7.1 TL3, 7.2 TL1 and later
  - Linux
  - macOS Mojave, Sierra, High Sierra
  - Oracle® Solaris 10 and later
SEM reports application hardware and software requirements

Operating System (OS): The SEM reports application is Windows only. The following Windows
versions are supported:
  - Windows 10 and later
  - Windows Server 2016 and 2012

Other requirements: Install the SEM reports application on a system that runs overnight. This is
important because the daily and weekly start time for these reports is 1:00 AM and 3:00 AM,
respectively.
  Ensure the Reports Console version matches your version of the SEM appliance. Incompatible
  versions may result in installation or login failures.
  See the following articles in the Customer Success Center for troubleshooting tips:
Port # | Protocol | Service/Process | Direction | Description

22, 32022 | TCP | SSH | Bidirectional
  SSH traffic to the SolarWinds SEM VM. (Port 22 is not used prior to version 6.3.x.) If you need to
  close either port 22 or 32022, contact SolarWinds Support.

80, 8080 | TCP | HTTP | Bidirectional
  Non-secure HTTP traffic from the SolarWinds SEM console to the SolarWinds SEM VM. (SEM closes
  this port when activation completes, but you can re-open it with the CMC togglehttp command.)

139, 445 | TCP | NetBIOS, SMB | Bidirectional
  Standard Windows file sharing ports (NetBIOS Session Service, Microsoft SMB) that SEM uses to
  export debug files, syslog messages, and backup files.

161, 162 | TCP | SNMP | Bidirectional
  SNMP trap traffic received from devices, and used by the Orion platform to monitor SEM.
  (Monitoring SEM on port 161 is not used prior to version 6.3.x.)

389, 636 | TCP | LDAP | Outbound
  LDAP ports that the SEM Directory Service Connector tool uses to communicate with a designated
  Active Directory domain controller.

443, 8443 | TCP | HTTPS | Bidirectional
  HTTPS traffic from the SolarWinds SEM console to the SEM VM.

8983 | TCP | nDepth | Inbound
  nDepth traffic sent from nDepth to the SEM VM containing raw (original) log data.

5433 | TCP | SEM Reports | Inbound
  Port 5433 is no longer used. Previously, this port carried traffic from the SolarWinds SEM reports
  application to the SolarWinds SEM VM. This was used by versions prior to LEM 5.6, for which
  support ended December 2015.
SEM pre-installation checklist
Before installing SEM, complete the pre-installation checklist below. This checklist helps you:
- Verify that system requirements are met, all required software is installed, and required roles
  and features are enabled.
- Gather the information required to complete the installation.

1. Review the system requirements. Make sure that your environment meets the hardware and
   software requirements for your installations. Hypervisor software should be installed prior to
   installing SEM. VMware vSphere and Microsoft Hyper-V are both supported. The hypervisor
   software provides the virtual environment that hosts your SEM deployment.
2. Select a deployment architecture. Determine if your architecture will include one or more syslog
   servers. See SEM deployment examples for details.
3. Review the release notes. Review the Security Event Manager release notes and available
   documentation in the Customer Success Center.

1. Build the environment. Prepare the servers based on your deployment size and system
   requirements. Install either VMware vSphere or Microsoft Hyper-V.
2. Run all OS updates. Before installation, check for and run all OS updates on all servers.
3. Open ports according to the requirements. If your log sources are located behind firewalls, see
   the SolarWinds SEM Port and Firewall requirements. SolarWinds uses these ports to send and
   receive data.
Download SEM
SolarWinds provides separate installation packages for Hyper-V and VMware vSphere, so be sure to
download the correct version.
Download the SEM installer. Download the SEM installer from the SolarWinds Customer Portal, or
download a free trial version from www.solarwinds.com/log-event-manager. The trial version
provides unlimited access to all product features for 30 days. See Choose a licensing method for
your SEM deployment for more information.
Next steps:
Install SEM on the hypervisor and the cloud
This section describes how to install SEM on Microsoft Hyper-V, VMware vSphere, Microsoft Azure,
and Amazon Web Services.
1. Extract the files. Double-click the evaluation EXE file that you downloaded previously. This step
   extracts the required files and tools to a folder on your desktop.
   11. On the Configure Memory screen, configure the Startup RAM setting, and the Minimum RAM
       and Maximum RAM settings for Dynamic Memory, and then click Next.
   12. On the Summary screen, review the configuration settings and click Finish. The installer will
       copy the SolarWinds-SEM-2020.4.vhd file to Hyper-V.
3. Connect to the SEM VM. Select the newly added VM, and then click Action > Connect on the main
   Hyper-V Manager window.
4. Start SEM. Click Action > Start in the virtual console window.
5. Set up your new SEM installation. See Setting up a new SEM installation in the SEM
   Administrator Guide.
Following installation, the default SEM host name is swi-sem. To change the default host
name and IP address settings, see Run the activate command to secure SEM and configure
network settings in the SEM Administrator Guide.
1. Extract the files. Double-click the evaluation EXE file that you downloaded previously. This step
   extracts the required files and tools to a folder on your desktop.
2. Complete the following steps to deploy SEM.
   1. Start the VMware vSphere client and log in with VMware administrator privileges.
   2. Deploy the open virtualization format (OVF) template.
   3. Open the SolarWinds Security Event Manager folder located on your desktop and double-click:
      Deploy First—SEM Virtual Appliance.ova
3. Start SEM.
   1. Select the SolarWinds Security Event Manager virtual appliance and click Play.
   2. Click the Console tab.
   The SEM VM starts.
4. Set up your new SEM installation. See Setting up a new SEM installation in the SEM
   Administrator Guide.
Following installation, the default SEM host name is swi-sem. To change the default host
name and IP address settings, see Run the activate command to secure SEM and configure
network settings in the SEM Administrator Guide.
This guide covers deployment from Windows (PowerShell) and Linux (Bash).
SolarWinds provides a ZIP archive containing two VHD files. The first file (xxx-system.vhd) contains
an operating system based on Linux Debian. The second file (xxx-data.vhd) serves as the data
partition. The layout is similar to the VMware and Hyper-V appliances.
Azure CLI 2.0 must be installed on Windows or Linux systems. After CLI is authenticated, users can
control Azure via API by executing CLI commands.
SEM sizing
For sizing criteria, SolarWinds uses three basic sizes of SEM deployment: small, medium, and large.
See the SEM system requirements for details.
Follow the procedures below to deploy SEM via Azure CLI 2.0:
2. Launch the installer, select the check box to accept the License Agreement terms, and then click
Install.
3. From a command line (Windows Command Prompt or PowerShell), run the az login
command.
4. When the browser launches prompting you to log in, sign in to Microsoft Azure with your
account credentials.
The resource group name and location are present in JSON output. For more details about
listing the storage account in the command line, see az storage account (© Microsoft 2020,
available at docs.microsoft.com, retrieved October 5, 2020).
To access the Azure Portal, click Portal in the upper right of the Microsoft Azure page.
Storage accounts, locations, and resource groups are also available in the Azure Portal under Home >
Storage accounts.
The storage account name, location, and resource group name are needed for running additional
commands. List them and keep them for later use.
3. Under Project details, select your Subscription and Resource group from the drop-down lists.
5. Enter a name for the resource group, and then click OK (Write this down).
6. Under Instance details, enter a name for the storage account (Write this down). The name must
not already exist in Azure, must be between 3 and 24 characters in length, and include numbers
and lowercase letters only.
7. Select a location, or use the default (Write this down).
8. Maintain the default values for the remaining fields.
9. Click Review + create to review your settings, and then click Create.
10. To verify the storage account, open a command prompt and run the following command:
11. Scroll down to find the name of your new storage account.
Write down the names of your storage account and resource group, as well as the
location. You will need them later.
12. Now that you have a storage account and resource group, create a container. The container
holds your uploaded VHD files.
a. On the Azure Portal Home page, click Storage accounts.
b. Select your storage account, and then click Containers.
c. On the Containers toolbar, click + Container. Enter a name for your container, and then
click OK (write the container name down).
List storage account keys in Azure CLI with the command below:
az storage account keys list --account-name <STORAGE_ACCOUNT> --resource-group <RESOURCE_GROUP>
Replace the STORAGE_ACCOUNT and RESOURCE_GROUP strings with the storage account and
resource group names obtained in the previous section. You can find your storage account and
resource group in the Azure Portal under Home > Storage accounts.
Remove angle brackets (< >) when entering the actual account and resource group names.
The command will list two storage account keys in JSON format (default format, but can be
changed): primary (key1) and secondary (key2). You can use either key.
- Location: LOCATION
  To find your location, look in your storage account details in the Azure Portal, or run the
  az storage account list command, and then search for the location. In the example below,
  the location is eastus, for Eastern US.
Additionally, the virtual machine name and disk names should be considered before deployment.
Boot diagnostics
Boot diagnostics captures a screenshot of the virtual machine's video output. Enabling this feature is
optional, but it is required before creating a support ticket with the SolarWinds Helpdesk, because
the support representative needs the support key shown in the screenshot. The command that
enables the feature, for both Linux and Microsoft, is listed in step six below.
PowerShell is a command-line interface that is installed by default on newer Microsoft systems. Find
more information here (© Microsoft 2020, available at docs.microsoft.com, retrieved October 5,
2020).
Lines starting with the # character are comments. The back quote (`) character on the end of
lines indicates multi-line commands.
1. From a command line (Windows Command Prompt or PowerShell), run the az login
command.
Log in with any authentication option. Running the az login command is
recommended. For more details and other options, see Sign in with Azure CLI 2.0 (©
Microsoft 2020, available at docs.microsoft.com, retrieved October 5, 2020).
2. When the browser launches prompting you to log in, sign in to Microsoft Azure with your
account credentials.
3. Create your script. The following script is a template: you will need to fill in the variables for
your Azure VM environment. The script will run, upload your two VHD files, and then create your
VM in the Azure Portal. You can also download the script from SolarWinds using this link.
<#
Scripts are not supported under any SolarWinds support program or service. Scripts are provided
AS IS without warranty of any kind. SolarWinds further disclaims all warranties including,
without limitation, any implied warranties of merchantability or of fitness for a particular
purpose. The risk arising out of the use or performance of the scripts and documentation stays
with you. In no event shall SolarWinds or anyone else involved in the creation, production,
or delivery of the scripts be liable for any damages whatsoever (including, without limitation,
damages for loss of business profits, business interruption, loss of business information, or other
pecuniary loss) arising out of the use of or inability to use the scripts or documentation.
#>
# How to use:
# copy script to folder that contains azure disks
# change <USERNAME>, <SEM_VERSION>, <STORAGE_ACCOUNT>, <ACCESS_KEY>, <RESOURCE_GROUP>, <VM_LOCATION>
# log in to azure (az login)
# run script
#
############################################
$username=<USERNAME>
$semVersion=<SEM_VERSION>
Write-Host "SEM version: $semVersion" -foreground Green
# storage account and key set to ENV to avoid typing it to each command
$env:AZURE_STORAGE_ACCOUNT=<STORAGE_ACCOUNT>
$env:AZURE_STORAGE_ACCESS_KEY=<ACCESS_KEY>
$disk1Filename="SolarWinds-SEM-Azure-$semVersion-disk1-system.vhd"
$disk2Filename="SolarWinds-SEM-Azure-$semVersion-disk2-data.vhd"
$sku="Standard_LRS"
$vmSize="Standard_B1s"
$resourceGroup=<RESOURCE_GROUP>
$vmLocation=<VM_LOCATION>
$vmName="$username-sem-$semVersion"
$disk1Name="$vmName-disk1.vhd"
$disk2Name="$vmName-disk2.vhd"
# check for presence of files before anything is uploaded
if (!((Test-Path $disk1Filename) -and (Test-Path $disk2Filename)))
{Write-Host "Couldn't find .vhd files" -foreground Red; break}
# upload system and data disks as page blobs
az storage blob upload --container-name vhds-built --type page --file $disk1Filename --name $disk1Name
az storage blob upload --container-name vhds-built --type page --file $disk2Filename --name $disk2Name
# get blob urls
$blobUrlDisk1=az storage blob url --container-name vhds-built --name $disk1Name
$blobUrlDisk2=az storage blob url --container-name vhds-built --name $disk2Name
# create system and data disks from the uploaded blobs
az disk create --resource-group $resourceGroup --sku $sku --name $disk1Name --source $blobUrlDisk1
az disk create --resource-group $resourceGroup --size-gb "250" --sku $sku --name $disk2Name `
  --source $blobUrlDisk2
# create a machine and enable boot diagnostics
az vm create --resource-group $resourceGroup --size $vmSize --public-ip-sku "Basic" --location $vmLocation `
  --name $vmName --os-type "linux" --attach-os-disk $disk1Name --attach-data-disks $disk2Name
az vm boot-diagnostics enable --name $vmName --resource-group $resourceGroup `
  --storage $env:AZURE_STORAGE_ACCOUNT
Change the directory (cd) in PowerShell to the directory where the VHD files reside on
your local system.
2. Paste your script into PowerShell, and then press Enter.
You can monitor the progress as the script is running. If the script encounters an error, such as
a typo in your script, simply correct the error, and rerun the script.
Upon completion, you can access your new VM in the Azure Portal under Home > Virtual
machines.
Lines starting with the # character are just comments. The back quote (`) character on the end
of lines is for multi-line commands.
1. Run Bash shell (WSL or native) where Azure CLI 2.0 is installed, and then log in to the Azure
Portal.
2. Create your script. The following script is a template. When you fill in the variables for your
Azure VM environment, the script will run, upload your two VHD files, and then create your VM in
the Azure Portal.
Replace the values in red below with the values you wrote down in the previous sections
unless otherwise indicated. Enter values between the quotation marks, when present.
Copy the entire script template into a text editor, such as Notepad, to make your edits.
# storage account and key set to ENV to avoid typing it to each command
$env:AZURE_STORAGE_ACCOUNT="STORAGE_ACCOUNT"
$env:AZURE_STORAGE_ACCESS_KEY="ACCESS_KEY"
$disk1Filename="SolarWinds-SEM-Azure-<SEM_VERSION>-disk1-system.vhd"
$disk2Filename="SolarWinds-SEM-Azure-<SEM_VERSION>-disk2-data.vhd"
$sku="Standard_LRS"
$vmSize="Standard_B1s"
$resourceGroup="RESOURCE_GROUP"
$vmLocation="LOCATION"
$disk1Name="SYSTEM-disk1.vhd"
$disk2Name="DATA-disk2.vhd"
$vmName="VM-NAME"
# upload system and data disks
az storage blob upload --container-name CONTAINER_NAME --type page --file $disk1Filename --name $disk1Name
az storage blob upload --container-name CONTAINER_NAME --type page --file $disk2Filename --name $disk2Name
Below is an explanation of what these values and variables are. The first section below
initializes the variables. The subsequent sections of the script will execute these variables to
upload the disks and create the VM.
# storage account and key set to ENV to avoid typing it to each command
$env:AZURE_STORAGE_ACCOUNT="STORAGE_ACCOUNT"
    This is the storage account you created in the Azure Portal.
$env:AZURE_STORAGE_ACCESS_KEY="ACCESS_KEY"
    This is the multicharacter key you copied in a previous section. Paste the entire key between
    the quotation marks.
$disk1Filename="SolarWinds-SEM-Azure-<SEM_VERSION>-disk1-system.vhd"
$disk2Filename="SolarWinds-SEM-Azure-<SEM_VERSION>-disk2-data.vhd"
    The names of the system and data disks vary based on the SEM version. The system disk is much
    larger (~18GB); the data disk is typically ~1GB.
$sku="Standard_LRS"
    This is the minimum requirement.
$vmSize="Standard_B1s"
    This is the minimum requirement.
$resourceGroup="RESOURCE_GROUP"
    This is the resource group you created in the Azure Portal.
$vmLocation="LOCATION"
    For example, "eastus" for Eastern US.
The only other value you need to add is the container name you wrote down in a previous
section as shown below. No quotation marks needed.
Change the directory (cd) in Bash to the directory where the VHD files reside on your local
system.
4. Paste your script into Bash, and then press Enter.
You can monitor the progress as the script is running. If the script encounters an error, such as
a typo in your script, simply correct the error, and rerun the script.
Upon completion, you can access your new VM in the Azure Portal under Home > Virtual
machines.
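The same deployment written as a Bash script, added here as an example; it is not the SolarWinds template above and not a SolarWinds-supported script. It assumes Azure CLI 2.0 is installed and az login has already succeeded, keeps the template's variables and az commands, and adds the checks a practitioner wants before uploading: placeholder values still in place, a storage account name outside the 3 to 24 lowercase-letters-and-digits rule stated earlier, and a VHD that is missing or not a whole number of 512-byte pages (page blobs are written in 512-byte pages). The function names (deploy, check_vhd, and so on) are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not SolarWinds' script): Bash counterpart of the PowerShell template.
# Assumes Azure CLI 2.0 is installed and `az login` has already been run.
set -eu

# Values you wrote down in the previous sections (placeholders until replaced or exported).
SEM_VERSION="${SEM_VERSION:-2020.4}"
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-STORAGE_ACCOUNT}"
ACCESS_KEY="${ACCESS_KEY:-ACCESS_KEY}"
RESOURCE_GROUP="${RESOURCE_GROUP:-RESOURCE_GROUP}"
CONTAINER="${CONTAINER:-CONTAINER_NAME}"
VM_LOCATION="${VM_LOCATION:-eastus}"
VM_NAME="${VM_NAME:-sem-${SEM_VERSION}}"
SKU="Standard_LRS"      # minimum requirement per the guide
VM_SIZE="Standard_B1s"  # minimum requirement per the guide

# VHD file names follow the SolarWinds Azure package naming scheme shown above.
disk_filename() {  # $1 = system|data, $2 = SEM version
  case "$1" in
    system) printf 'SolarWinds-SEM-Azure-%s-disk1-system.vhd\n' "$2" ;;
    data)   printf 'SolarWinds-SEM-Azure-%s-disk2-data.vhd\n' "$2" ;;
    *)      return 1 ;;
  esac
}

# Azure storage account names: 3-24 characters, lowercase letters and digits only.
valid_storage_account_name() {
  printf '%s' "$1" | LC_ALL=C grep -Eq '^[a-z0-9]{3,24}$'
}

# A VHD uploaded as a page blob must exist and be a multiple of 512 bytes.
check_vhd() {
  [ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
  local size
  size=$(wc -c < "$1")
  [ $((size % 512)) -eq 0 ] || { echo "not 512-byte aligned: $1" >&2; return 1; }
}

# Refuse to run while any placeholder is still in place.
placeholders_replaced() {
  [ "$STORAGE_ACCOUNT" != "STORAGE_ACCOUNT" ] && [ "$ACCESS_KEY" != "ACCESS_KEY" ] \
    && [ "$RESOURCE_GROUP" != "RESOURCE_GROUP" ] && [ "$CONTAINER" != "CONTAINER_NAME" ]
}

deploy() {
  placeholders_replaced || { echo "fill in the placeholders first" >&2; return 1; }
  valid_storage_account_name "$STORAGE_ACCOUNT" || { echo "bad storage account name" >&2; return 1; }
  local disk1_file disk2_file disk1_name disk2_name url1 url2
  disk1_file=$(disk_filename system "$SEM_VERSION")
  disk2_file=$(disk_filename data "$SEM_VERSION")
  disk1_name="${VM_NAME}-disk1.vhd"
  disk2_name="${VM_NAME}-disk2.vhd"
  check_vhd "$disk1_file" && check_vhd "$disk2_file"

  # Storage account and key go into the environment so every az command picks them up.
  export AZURE_STORAGE_ACCOUNT="$STORAGE_ACCOUNT" AZURE_STORAGE_ACCESS_KEY="$ACCESS_KEY"

  # Upload system and data disks as page blobs, then read back their URLs.
  az storage blob upload --container-name "$CONTAINER" --type page \
    --file "$disk1_file" --name "$disk1_name"
  az storage blob upload --container-name "$CONTAINER" --type page \
    --file "$disk2_file" --name "$disk2_name"
  url1=$(az storage blob url --container-name "$CONTAINER" --name "$disk1_name" -o tsv)
  url2=$(az storage blob url --container-name "$CONTAINER" --name "$disk2_name" -o tsv)

  # Create managed disks from the blobs and the VM that attaches them.
  az disk create --resource-group "$RESOURCE_GROUP" --sku "$SKU" \
    --name "$disk1_name" --source "$url1"
  az disk create --resource-group "$RESOURCE_GROUP" --size-gb 250 --sku "$SKU" \
    --name "$disk2_name" --source "$url2"
  az vm create --resource-group "$RESOURCE_GROUP" --size "$VM_SIZE" --public-ip-sku Basic \
    --location "$VM_LOCATION" --name "$VM_NAME" --os-type linux \
    --attach-os-disk "$disk1_name" --attach-data-disks "$disk2_name"
  # Boot diagnostics: the screenshot carries the support key SolarWinds support asks for.
  az vm boot-diagnostics enable --name "$VM_NAME" --resource-group "$RESOURCE_GROUP" \
    --storage "$STORAGE_ACCOUNT"
}

# Only deploy when invoked as `./deploy-sem.sh --run`; sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then deploy; fi
```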
Configure networking
By default, the inbound firewall rule allowing SSH is enabled for a new Linux machine. If needed, you
can disable SSH from the outside world for a SEM appliance. To see all default rules created per
virtual machine, see Default security rules (© Microsoft 2020, available at docs.microsoft.com,
retrieved October 5, 2020).
Configure firewall rules based on your specific needs. Review the SEM port and firewall requirements
here.
The following example shows security rules for a SEM Azure deployment:
SolarWinds is not responsible for fees incurred when deploying SolarWinds products to AWS.
1. Contact your SolarWinds Sales (evaluation customers) or Customer Support (existing
customers) representative to request access to the AWS Amazon Machine Image (AMI) for
SEM.
You will need to provide your AWS account ID and AWS Region.
2. When you receive notification that your AMI is available, launch the AMI from the AWS EC2
console.
3. Configure security groups to enable the required ports.
On versions earlier than 2020.2 you cannot resize partitions on managers deployed on AWS.
Install SEM Agents to protect servers, domain
controllers, and workstations
This section provides SEM deployment options and installation steps.
See SEM components that make up a typical deployment to learn about the role the SEM
Agent plays in a typical SEM deployment.
- Option 1: You can use the Remote Agent Installer to deploy SEM Agents to computers
  non-interactively.
  See Run the SEM Remote Agent Installer for large Windows deployments for more information.
- Option 2: Use the Local Agent Installer with either software distribution policies or local logon
  scripts to deploy the SEM Agent non-interactively. This method is an alternative to the Remote
  Agent Installer option for large deployments.
  See Run the SEM Local Agent Installer for large Windows deployments for more information.
2. Gather credentials. Verify that you have administrative access to the servers and workstations
   you plan to monitor with the Agent. Windows-based systems require Domain or Local
   administrative privileges; Linux or Unix systems require root-level access.
3. Review the SEM Agent installation overview. See Deploying the SEM Agent for installation
   information, and information about unattended Agent installations.
Antivirus recommendations
1. Disable anti-malware and endpoint protection software during installation. Turn off any
   anti-malware or endpoint protection applications on host systems during the installation
   process, because these applications can affect the process by which installation files are
   transferred to the hosts.
Download the SEM Agent installers
You can download SEM Agent installers from the SEM HTML5 and Flash consoles or from the
SolarWinds Customer Portal.
If you are using a trial version of SEM, download the SEM Agent installer from the SEM
console, or contact SolarWinds for assistance.
1. Download the installer from the SolarWinds Customer Portal. Log in with your SWID if
necessary.
2. Find SEM in the product list, and then click Choose Download.
3. Find the Agent Installer on the list.
Before deploying SEM Agents, make note of formatting in any .txt files that contain host
entries:
- Ensure there is only one host entry per line.
- If the format is tab separated, remove the tab spacing, and then enter a space between each
  value. For example, 10.10.10.10 xxx03 xxx03 yyy abcd.net. If tab spacing is present, the
  installer will not be able to parse the file correctly and will fail.
To download a SEM Agent installer from the SEM legacy Flash console
Adobe will stop distributing and updating Flash Player after December 31, 2020. Please visit
the Adobe Flash Player EOL General Information Page (Copyright © 2020 Adobe, retrieved
November 5, 2020) for information.
Next steps:
See SEM Agent pre-installation checklist: Prepare to deploy SEM Agents for Agent download
information and a pre-install checklist.
Use the fully qualified domain name for your SEM Manager when you deploy SEM Agents
on a different domain. For example, enter SEMhostname.example.com.
9. Press Enter twice to accept the default port values, and then press Enter again to proceed.
10. Review the Pre-Installation Summary, and then press Enter to proceed.
11. Once the installer finishes, press Enter to exit the installer.
The SEM Agent begins sending alerts to your SEM Manager immediately. To configure the SEM
Agent to start automatically on boot, add /etc/init.d/swsem-agent (or swsem-agent) to your list
of startup scripts.
Next steps:
l See Verify the SEM Agent connection to test that the Agent connected to the SEM Manager.
Installation notes
l Installing the SEM Agent on macOS requires enabling the 'root' user account and disabling
System Integrity Protection (SIP). Not doing so will prevent the Agent from running properly.
l This procedure applies to SEM versions 6.4 and later.
Enable root credentials, disable SIP, and download and install the
Agent
1. Enable root credentials on the Apple Mac system.
See How to enable the root user on your Mac or change your root password for details.
See System Integrity Protection (SIP) is preventing install of SEM Agent on macOS X
10.x and later for details.
You can also run sudo nvram "recovery-boot-mode=unused" in Terminal so that the next
reboot starts in Recovery mode.
If the installer was not run as root, run the following commands:
cp -rp /Users/<username>/Applications/SWSEMAgent /System/Library/StartupItems/
cp -rp /Users/<username>/Applications/SWSEMAgent /Applications/
12. Navigate to the PLIST file packaged with the installed Agent by executing the following
command:
cd /System/Library/StartupItems/StartupFiles/SWSEMAgent
14. If necessary, change the ownership of the PLIST file to root:wheel. This is only required if
the PLIST file was moved with a non-root account.
chown root:wheel /Library/LaunchDaemons/com.solarwinds.swsemagent.plist
Installer notes
64-bit: C:\Windows\sysWOW64\contegoSPOP
Antivirus Recommendations
Set an exception in your antivirus or anti-malware scanning software for the ContegoSPOP folder
where the SEM Agent will be installed. The alerts are kept in queue files, which change constantly as
they are normalized and encrypted.
Turn off any anti-malware or endpoint protection applications on host systems during the
installation process, as they can affect the process by which installation files are transferred to the
hosts.
Warning: Uninstall the old version of the SEM Agent before upgrading to the new version.
If you are using a trial version of SEM, download the SEM Agent installer from the SEM console
(Nodes > Nodes > Add agent node), or contact SolarWinds for assistance.
1. Download the installer from the SolarWinds Customer Portal. Log in with your SWID if
necessary.
2. Find SEM in the product list, and then select and download the Local Agent Installer from the
Agent Downloads list.
3. Extract the contents of the installer ZIP file to a local or network location.
4. Run setup.exe, and then click Next to start the installation wizard.
5. Accept the End User License Agreement if you agree, and then click Next.
6. Enter the hostname of your SEM Manager in the Manager Name field, and then click Next.
7. Do not change the default port values.
Note: Use the fully qualified domain name for your SEM Manager when you deploy SEM
Agents on a different domain. For example, enter SEMhostname.SolarWinds.com.
8. Confirm the Manager Communication settings, and then click Next.
9. Specify whether or not you want to install USB-Defender with the SEM Agent, and then click
Next. The installer includes USB-Defender by default. To omit it from the installation, clear
the Install USB-Defender box.
10. Confirm the settings on the Pre-Installation Summary, and then click Install.
11. Once the installer finishes, it will start the SEM Agent service when you click Next.
12. Inspect the Agent Log for any errors, and then click Next.
13. Click Done to exit the installer.
The SEM Agent continuously runs on your computer unless you uninstall or manually stop it. It
begins sending alerts to your SEM Manager immediately.
In new installations of SEM 6.7 and later, Agents of the matching version communicate with the
SEM Manager by default over a certificate-based secure connection that no longer requires
TLS 1.0, 3DES, or anonymous ciphers. If you need to connect to earlier Agent versions, open the
SEM Console security tab (Settings > Security) and switch the toggle button to enable the lower
security settings.
See SEM Agent pre-installation checklist: Prepare to deploy SEM Agents for Agent download
information and a pre-install checklist.
64-bit: C:\Windows\sysWOW64\contegoSPOP
l If you are installing SEM Agents on the far end of a WAN link, copy the Remote Agent Installer
executable to the end of the WAN link and run it there. This will avoid using your WAN
bandwidth to copy SEM Agents multiple times.
l A reboot is not required.
l NetBIOS – If not enabled, the Remote Agent Installer will require a text file of available hosts
with each IP address or hostname on its own line.
Use the fully qualified domain name for your SEM Manager when you deploy SEM Agents
on a different domain. For example, enter SEMhostname.example.com.
7. Select Get hosts automatically or Get hosts from file (One host per line), and then click OK.
l Get hosts automatically uses a NetBIOS broadcast to identify hosts on the same subnet
and domain as the computer running the installer.
l Get hosts from file (One host per line) prompts you to browse for a text file that includes
the hosts on which you want to install SEM Agents. Use this option for any of the
following reasons:
o You are deploying SEM Agents to computers on a different subnet than that on
which the computer running the installer resides. Your computer may be able to
access these subnets, but their hosts will not be recognized by the NetBIOS
broadcast used to get hosts automatically.
o You are deploying SEM Agents to a small segment of a large network, which could
make choosing them from a list time prohibitive.
o You are deploying SEM Agents in a network with a complex naming scheme, which
could make choosing hosts from a list time prohibitive.
The text file used for this option can contain hostnames, fully qualified domain names, or
IP addresses, each on its own line. If DNS names are used, the computer running the
installer must be able to resolve them.
8. Select the check boxes next to the computers on which you want to install a SEM Agent, and
then click Next.
9. Confirm the list is correct, and then click Next.
10. Specify the Windows destination for the remote installation.
l The default paths are provided for all supported Windows systems. We strongly
recommend using the default paths, as the SEM Agent may not be recognized as a service
by Windows if it is not installed in a system folder.
l The installer is set to automatically detect host operating systems by default, but you can
also specify an operating system if all of the target hosts are running the same one.
11. Click Next.
12. Specify whether or not you want to install USB-Defender with the SEM Agent, and then click
Next. The installer will include USB-Defender by default. To omit this from the installation, clear
the Install USB-Defender option box.
13. Confirm the settings on the Pre-Installation Summary, and then click Install.
14. Once the installer finishes, it will start the SEM Agent service when you click Next.
15. Inspect the Agent Log for any errors, and then click Next.
16. Click Done to exit the installer.
The SEM Agent continues running on your computer unless you uninstall or manually stop it. It
begins sending alerts to your SEM Manager immediately.
Next steps:
l See Verify the SEM Agent connection to test that the Agent connected to the SEM Manager.
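As an added example (not SolarWinds code), the following Python validates and normalizes the host list file that the Remote Agent Installer reads for Get hosts from file, applying the rules from the download section and from step 7 above: one host per line, no tab characters, and DNS names that resolve from the computer running the installer. It assumes the first space-separated field on a line is the host and keeps any further fields; the sample file and demo_resolver are constructed.

```python
"""Validate and normalize a host list for the SEM Remote Agent Installer.
Added example, not SolarWinds code. Rules from the guide: one host per line,
no tab characters, and DNS names must resolve from the installing computer.
Assumption: the first field on a line is the host; extra fields are kept."""
import ipaddress
import socket
from typing import Callable, List, Tuple

SAMPLE_HOST_FILE = (  # constructed: tab-separated line, FQDN, blank line, IP
    "10.10.10.10\txxx03\txxx03\tyyy\tabcd.net\n"
    "host01.example.com\n"
    "\n"
    "192.168.1.5\n"
)

def demo_resolver(name: str) -> str:
    """Offline stand-in for socket.gethostbyname (constructed for the demo)."""
    if name == "host01.example.com":
        return "10.0.0.1"
    raise OSError(f"constructed resolver: no address for {name}")

def normalize_host_file(text: str) -> str:
    """Collapse tabs and runs of spaces to single spaces and drop blank lines,
    so the installer can parse the file as one host per line."""
    lines = []
    for raw in text.splitlines():
        fields = raw.split()  # str.split() treats tabs and spaces alike
        if fields:
            lines.append(" ".join(fields))
    return "\n".join(lines) + "\n"

def check_host_file(text: str, resolver: Callable[[str], str] = socket.gethostbyname) -> List[Tuple[int, str]]:
    """Return (line_number, problem) pairs; an empty list means the file is ready.
    `resolver` maps a DNS name to an address and raises OSError on failure."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if "\t" in raw:
            problems.append((lineno, "tab character present; the installer cannot parse tabs"))
        fields = raw.split()
        if not fields:
            problems.append((lineno, "blank line; expected exactly one host per line"))
            continue
        host = fields[0]
        try:
            ipaddress.ip_address(host)  # literal IPv4/IPv6 address, nothing to resolve
            continue
        except ValueError:
            pass
        try:
            resolver(host)
        except OSError:
            problems.append((lineno, f"DNS name {host!r} does not resolve from this computer"))
    return problems
```

Run check_host_file on the file first; if it reports tabs or blank lines, write out normalize_host_file's result and re-check before handing the file to the installer.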
You can run the Local Agent Installer using software distribution policies or local logon scripts. This
method is an alternative to the Windows-only Remote Agent Installer in large deployment scenarios.
This procedure only works with the local installer. Do not use the Remote Agent Installer for
this task.
Installation notes
See SEM Agent pre-installation checklist: Prepare to deploy SEM Agents for Agent download
information and a pre-install checklist.
There are three steps to using the Local Agent Installer to install the SEM Agent. Each step is
described in detail in the sections below.
See Run the SEM Remote Agent Installer for large Windows deployments for more information about
installing the SolarWinds SEM Agent.
Download the Local Agent Installer
1. Download the installer from the SolarWinds Customer Portal:
a. Log in to the Customer Portal.
b. Navigate to the License Management page.
c. Locate SEM in the product list, and then click Choose Download.
d. Download the Local Agent installer for Windows. Find the appropriate installer on the list.
Be sure you download the Local Agent Installer. You cannot use the Remote Agent
Installer for this task.
2. Extract the contents of the installer ZIP file to a local or network location.
3. Copy SolarWinds-SEM-2020.4-Agent-WindowsInstaller.exe to a known location.
Where:
l <SEMManagerHostname> is the hostname or IP address of the SEM appliance.
l silent to run the installer in silent mode.
l <n> is 0 or 1. Specify 0 if USB defender should not be installed, or 1 if USB defender
should be installed.
2. Verify that a blank line with a carriage return follows the INSTALL_USB_DEFENDER entry.
A blank line with a carriage return after the INSTALL_USB_DEFENDER entry is required for
the file to work correctly.
INSTALLER_UI=silent
INSTALL_USB_DEFENDER=0
3. Save the file as installer.properties in the same folder as the .exe file.
2. With the folder that contains the two installer files as your current directory, run the
command setup -i silent. The command returns to the command prompt immediately.
The SEM Agent starts automatically and continues running until you uninstall or manually stop
the Agent. It begins sending alerts to your SEM Manager immediately. The SEM Agent should
also appear in Add/Remove Programs.
Next steps:
l See Verify the SEM Agent connection to test that the Agent connected to the SEM
Manager.
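As an added example (not SolarWinds code) for the installer.properties file described above, the following Python writes the file with CRLF line endings and the required trailing blank line, and checks an existing file for the rules given: INSTALLER_UI=silent, INSTALL_USB_DEFENDER set to 0 or 1, and a blank line with a carriage return after that entry. It assumes "blank line with a carriage return" means a CRLF-terminated empty line; the property that carries the SEM Manager hostname is not shown in this excerpt, so any such key is supplied through the extra parameter.

```python
"""Write and check installer.properties for a silent SEM Local Agent install.
Added example, not SolarWinds code. Covers the two keys shown in the guide
(INSTALLER_UI=silent, INSTALL_USB_DEFENDER=0|1) and the requirement that a
blank line with a carriage return follows the INSTALL_USB_DEFENDER entry,
read here as a CRLF-terminated empty line (assumption). The key that carries
the SEM Manager hostname is not shown in this excerpt; pass it via `extra`."""
from typing import Dict, List, Optional


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value parser: blank and '#' comment lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def check_installer_properties(raw: bytes) -> List[str]:
    """Return a list of problems; an empty list means the file follows the guide."""
    problems = []
    props = parse_properties(raw.decode("utf-8", errors="replace"))
    if props.get("INSTALLER_UI") != "silent":
        problems.append("INSTALLER_UI must be 'silent'")
    if props.get("INSTALL_USB_DEFENDER") not in ("0", "1"):
        problems.append("INSTALL_USB_DEFENDER must be 0 or 1")
    # Byte-level check: after the INSTALL_USB_DEFENDER line there must be an
    # empty line terminated by a carriage return (b"\r\n").
    start = raw.rfind(b"INSTALL_USB_DEFENDER=")
    eol = raw.find(b"\n", start) if start != -1 else -1
    if start == -1 or eol == -1 or not raw[eol + 1:].startswith(b"\r\n"):
        problems.append("a blank line ending in a carriage return must follow INSTALL_USB_DEFENDER")
    return problems


def write_installer_properties(usb_defender: int, extra: Optional[Dict[str, str]] = None) -> bytes:
    """Build the file bytes with CRLF line endings and the required trailing blank
    line. `extra` holds any other keys the installer needs (written first)."""
    if usb_defender not in (0, 1):
        raise ValueError("usb_defender must be 0 (skip USB-Defender) or 1 (install it)")
    lines = [f"{k}={v}" for k, v in (extra or {}).items()]
    lines += ["INSTALLER_UI=silent", f"INSTALL_USB_DEFENDER={usb_defender}"]
    return ("\r\n".join(lines) + "\r\n" + "\r\n").encode("utf-8")
```

Write the returned bytes to installer.properties in binary mode so that no text-mode newline translation alters the CRLF endings.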
SEM console
3. In the agent node list, ensure all connected nodes display a green check mark indicator.
For help troubleshooting SEM Agents, see Troubleshoot SEM Agents and network devices
in the SEM Administrator Guide.
Next steps:
l Configure SEM Agents after they are installed in the SEM Administrator Guide.
l If you have similar SEM Agents installed, see Create connector profiles to manage and
monitor SEM Agents in the SEM Administrator Guide.
Install the SEM reports application
This section describes how to install the optional SEM reports application on either a separate server
or on a workstation. The reports application allows you to produce over 200 standard and industry-
specific reports.
See the SEM system requirements in the Installation Guide for additional requirements.
l You can run the reports application installer included in the SolarWinds Security Event Manager
distribution package. The installer installs Crystal Reports and the SEM reports application
together.
l You can download Crystal Reports and the SEM reports application individually from the
SolarWinds Customer Portal and install each application one at a time. This may be
necessary if your Windows security settings prevent you from running the combined installer.
1. If necessary, copy the SolarWinds Security Event Manager installation folder to a local drive
and open the folder.
2. Right-click the file Install Next - SEM Reporting Software.exe, and then select Open.
A dialog box appears prompting you to allow the app to make changes to your device.
3. Click Yes to continue.
The Welcome screen appears.
4. Click Next, and then review the Requirements for Installation.
5. Click Next, and then click Begin Install to start the installation process.
6. When the Installation Complete dialog displays, click Close.
Before you begin: Download the SEM reports application and the Crystal Reports Runtime installers
from the SolarWinds Customer Portal.
1. Run the Crystal Reports Runtime installer and complete the installation steps.
2. Run the SEM reports application installer and complete the installation steps.
3. When the installation is complete, click Close.
Before you begin: You will need the IP address of the SEM VM and your SEM console login
credentials.
1. Right-click the Reports application icon on your desktop and select Run as administrator.
a. Right-click the Reports shortcut and select Properties.
b. Click Advanced and select the Run as administrator option.
4. Enter the hostname or IP address of your SEM appliance in the Manager Name field.
Whenever you see Manager in reference to SEM, it usually refers to the IP address or
hostname of your virtual appliance.
5. Enter the username and password used to log in to the SEM console.
You can audit users accessing the reporting server running on the SEM VM. Only users
with admin, auditor, or reports roles can run reports on the SEM database.
6. (Optional) Select the Use TLS connection check box to use the transport layer security protocol
for a secure connection.
7. Click Test Connection to verify the connection between the SEM database server and the SEM
reports application.
The reports application pings the SEM database and verifies the connection. If the ping is
successful, Ping Successful displays in the dialog box.
8. Click to add the IP address to your SEM Manager list, and then click Yes to confirm.
9. Click Close.
The reports application is connected to your SEM database and displays on your screen.