INSTALLATION GUIDE

Security Event Manager


Version 2020.4

Last Updated: Monday, November 16, 2020


INSTALLATION GUIDE: SECURITY EVENT MANAGER

© 2020 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled,
published or distributed, in whole or in part, or translated to any electronic medium or other means
without the prior written consent of SolarWinds. All right, title, and interest in and to the software,
services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates,
and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR
IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT
LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY
INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS
LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY
OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of
SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office,
and may be registered or pending registration in other countries. All other SolarWinds trademarks,
service marks, and logos may be common law marks or are registered or pending registration. All
other trademarks mentioned herein are used for identification purposes only and are trademarks of
(and may be registered trademarks) of their respective companies.

Table of Contents

SEM installation overview
    How SEM works
    SEM components that make up a typical deployment
    SEM deployment examples
    Choose a licensing method for your SEM deployment
SEM 2020.4 system requirements
    Sizing criteria
    SEM VM hardware requirements
    SEM Azure hardware requirements
    SEM software requirements
    SEM agent hardware and software requirements
    SEM reports application hardware and software requirements
    SEM port requirements
SEM pre-installation checklist
    Prepare the server environment
    Download SEM
Install SEM on the hypervisor and the cloud
    Install SolarWinds SEM on Microsoft Hyper-V
    Install SolarWinds SEM on VMware vSphere
    Deploy SEM to Microsoft Azure
    Deploy SEM to Amazon Web Services
Install SEM Agents to protect servers, domain controllers, and workstations
    Deploying the SEM Agent
    SEM Agent pre-installation checklist: Prepare to deploy SEM Agents
    Install the SEM Agent on Linux and Unix
    Install the SEM Agent on macOS X
    Install the SEM Agent on Windows
    Run the SEM Remote Agent Installer for large Windows deployments
    Run the SEM Local Agent Installer for large Windows deployments
    Verify the SEM Agent connection
Install the SEM reports application
    Pick a suitable host for the reports application
    Install the SEM reports application
    Connect the SEM reports application to your SEM database

SEM installation overview
This section describes how Security Event Manager (formerly Log & Event Manager) works and gives examples of the components used in various deployment environments.

How SEM works
SolarWinds SEM collects log data from two kinds of source on your corporate network:

- Agents – An Agent is a software application that collects and normalizes log data before sending it to the SEM Manager.
- Non-Agent devices – Devices that send log data directly to the SEM Manager for normalization and processing.

After normalization, SEM Manager processes the data. The SEM Manager policy engine correlates the
data based on user-defined rules and local alert filters, and initiates the associated actions when
applicable. These actions can include:

- Notifying users through the console or by email
- Blocking an IP address
- Shutting down or rebooting a workstation
- Passing alerts to the SEM database for future analysis and reporting within the Reports application

You can install Agents on workstations, servers, and other network devices. Agents can send log data
from security products (such as antivirus software and network-based intrusion systems) on each
device to the SEM virtual appliance. If you cannot install an Agent on a device (such as firewalls and
routers), you can configure the device to send log data to the SEM Manager for normalization and
processing. If your change management process does not permit adding any additional syslog
servers to the network device configurations, you can leverage your existing syslog servers.

Audit reports

You can generate reports against your Security Event Manager database using the SEM reports console installed on a supported server. Using the console, you can schedule and execute over 300 audit reports. If your corporate security policy restricts access to sensitive reports, you can configure your SEM appliance to restrict access to the console by IP address. During the 30-day evaluation period, you can install the console on any server or workstation that can reach port 9001 on the SEM Manager. You can also export reports to multiple formats, including TXT, PDF, CSV, DOC, XLS, and HTML.

Integration with SolarWinds products

Additional SolarWinds solutions such as Network Performance Monitor (NPM), Server & Application Monitor (SAM), and Virtualization Manager (VMan) can send performance alerts as SNMP traps to the SEM Manager, which correlates them with SEM events.

SEM also uses other data collection tools, such as Web Services and SNMP traps. Contact Customer Service for more information about integrating SEM into your enterprise.

SEM components that make up a typical deployment

This section describes the software components that make up a typical SolarWinds SEM deployment. Review this section to get a better understanding of how SEM should be deployed on your network.

Overview
The following illustration shows the software components, log files, and network protocols in a
typical SolarWinds SEM deployment.

A complete SEM installation includes the following components:

- The SEM Manager (or SEM VM), which collects and processes log and event information. This component is installed first.
- The desktop software or web client (not shown) that allows you to view SEM information from a desktop or laptop computer.

About the SEM Manager component

Originally, SEM was sold as a physical appliance that you deployed on your network. Today, the SEM Manager is the virtual image of a Linux-based appliance. The SEM Manager VM (virtual machine) can be deployed on a host computer running a VMware® or Microsoft® hypervisor.

The SEM documentation uses the term virtual machine (or VM) to refer to the SEM virtual
appliance that runs on the hypervisor.

The SEM Manager collects and processes log and event information. It includes the following
systems and services:

- Hardened Linux® OS
- Syslog server and SNMP trap receiver
- High-compression, search-optimized database
- Web server
- Correlation engine

About the SEM Agent

The SEM Agent is installed on workstations, servers, and other network devices. It collects and normalizes log data in real time before sending it to the SEM Manager. It also collects security data such as Windows Event Logs, a variety of database logs, and local antivirus logs on each device and transmits that data over TCP to the SEM Manager. The SEM Agent has a small footprint on the device and protects the collected data against tampering during collection and transmission.

You can also use the SEM Agent with devices that support syslog. The Agent transmits syslog messages over TCP to the SEM Manager. TCP is preferred over UDP: a TCP connection detects lost or reordered segments and retransmits them, and a failed connection is visible to the sender, whereas UDP syslog datagrams that are dropped in transit are lost silently.

The SEM Agent provides the following benefits:

- Captures events in real time.
- Encrypts and compresses the data for efficient and secure transmission to the SEM Manager.
- Buffers the events locally if you lose network connectivity to the SEM Manager.
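
As an added example (not SolarWinds code, and not part of the original guide), the following Bash script builds an RFC 3164 syslog line and pushes it to the SEM Manager's syslog listener, once over UDP and once over TCP, so you can see the difference the paragraphs above describe: the UDP send reports success whether or not anything received the datagram, while the TCP send fails visibly when the SEM VM is unreachable, closed, or filtered. The host name sem.example.internal, the sem-test tag and the function names are assumptions; port 514 is the syslog port from the port requirements table later in this guide.

```bash
#!/usr/bin/env bash
# Added example, not SolarWinds code: send a test syslog message to the SEM Manager
# over UDP and over TCP to show why the Agent prefers TCP.
# Assumptions: SEM_HOST is your SEM VM; 514 is the syslog port from the port table.
set -eu

SEM_HOST="${SEM_HOST:-sem.example.internal}"   # assumed host name
SEM_PORT="${SEM_PORT:-514}"

# RFC 3164 priority value: facility * 8 + severity
# (auth=4, local0=16; emerg=0 ... warning=4, info=6, debug=7).
sem_syslog_pri() {
  local facility=$1 severity=$2
  echo $(( facility * 8 + severity ))
}

# RFC 3164 line: <PRI>Mmm dd hh:mm:ss hostname tag: message
# The timestamp can be passed in (6th argument) so the output is reproducible.
sem_syslog_line() {
  local facility=$1 severity=$2 host=$3 tag=$4 msg=$5 ts=${6:-}
  [ -n "$ts" ] || ts=$(date '+%b %e %H:%M:%S')
  printf '<%d>%s %s %s: %s' \
    "$(sem_syslog_pri "$facility" "$severity")" "$ts" "$host" "$tag" "$msg"
}

# UDP: the datagram is handed to the network stack and forgotten. A zero exit
# status here says nothing about whether SEM received it.
sem_send_udp() {
  printf '%s\n' "$1" > "/dev/udp/$SEM_HOST/$SEM_PORT"
}

# TCP: the three-way handshake must complete first, so an unreachable SEM VM,
# a closed port, or a firewall drop becomes a non-zero exit status that a
# monitoring job can act on; bytes that get through are acknowledged and
# retransmitted by the kernel if lost.
sem_send_tcp() {
  if printf '%s\n' "$1" > "/dev/tcp/$SEM_HOST/$SEM_PORT"; then
    return 0
  fi
  echo "TCP syslog to $SEM_HOST:$SEM_PORT failed (unreachable, closed, or filtered)" >&2
  return 1
}

# Only talk to the network when asked: SEM_SEND=1 bash sem-syslog-test.sh
if [ "${SEM_SEND:-0}" = 1 ]; then
  host=${HOSTNAME:-localhost}
  line=$(sem_syslog_line 4 4 "$host" sem-test "syslog path check from $host")
  sem_send_udp "$line" && echo "UDP: sent (delivery unknown)"
  sem_send_tcp "$line" && echo "TCP: delivered to $SEM_HOST:$SEM_PORT"
fi
```

Run it as SEM_HOST=<your SEM VM> SEM_SEND=1 bash sem-syslog-test.sh, then search the SEM console for the sem-test tag. Bash's /dev/tcp and /dev/udp pseudo-devices do the socket work, so no extra tools are needed, and date '+%b %e' produces the space-padded day that RFC 3164 expects. Neither path encrypts the message; that is the Agent's job, and one reason the guide steers you towards it for anything that can run it.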

About network devices

The following table lists some network resources that provide input to the SEM Manager.

Network resource | SEM input
Network device log sources (such as routers, firewalls, and switches) | Syslog messages
Servers and applications | SEM Agent data
Microsoft® Windows® workstations | SEM Agent data
SolarWinds NPM | SNMP traps (performance alerts)
SolarWinds SAM | SNMP traps (performance alerts)
SolarWinds Virtualization Manager (VMAN) | SNMP traps (performance alerts)

To receive traps from NPM, SAM, or VMAN, see Enable SEM to receive SNMP traps by turning on the SNMP Trap Logging Service in the online SEM Administrator Guide.

SEM accepts device input using the TCP and UDP protocols.

- Network devices use TCP or UDP to send syslog events to the SEM Manager.
- SEM Agents installed on servers and workstations use TCP to push data to the SEM Manager.
- SolarWinds Orion/VMAN server instances (including NPM and SAM) send SNMP traps over UDP to the SEM Manager.

About the SEM reports application

You can install the SEM reports application on a networked server to schedule and execute over 300 audit reports. For added security, you can run the restrictreports command to limit, by IP address, which hosts may run these reports. If you are running SEM in evaluation mode, you can install the SEM reports application on any server or workstation that can reach port 9001 on the SEM Manager.


SEM deployment examples

This section will help you start planning your SEM architecture. The examples show different SEM deployment options.

Simple deployment example

The following deployment example uses one central syslog server to collect log data from your network devices in a local network. In this deployment, network devices use TCP or UDP to send syslog data to the SEM Manager's syslog server, whereas SEM Agents running on workstations and servers use only TCP to push log data to the SEM Manager.

The syslog server receives logs on port 514 and saves the data in the /var/log file partition on the SEM Manager. Log file names vary based on the target facility configured on the network device. Plain syslog on port 514 is not encrypted, so log sources should reach the SEM Manager over a trusted management network rather than across untrusted links.

The SEM Manager relies on routers, firewalls, and switches to transmit syslog messages to the syslog server running on the SEM Manager. If your log sources are located behind firewalls, see SolarWinds SEM port and firewall information to open the necessary ports. For a list of all ports required to communicate with SEM, see the Port requirements for all SolarWinds products.

Complex deployment example with multiple syslog servers
The following deployment example uses two syslog servers located in different cities. SEM can
capture logs from multiple remote locations across wide area network (WAN) links. Because the SEM
Agent includes built-in encryption, compression, and buffering capabilities, this can be done securely
and efficiently.

Instead of using the syslog server built in to the SEM Manager component, this design calls for one
syslog server per location. When using a detached syslog server, you need to install a SEM Agent on
each detached server, and then enable the appropriate connectors on the SEM Agent. Following
configuration, the SEM connectors normalize raw log messages into SEM events.

If you cannot add new logging hosts to your network devices because of restrictive change management processes, consider this multiple-syslog-server deployment to leverage your existing syslog servers.

Choose a licensing method for your SEM deployment

This section explains how SEM licenses are assigned. It also discusses how to transition from an evaluation version of SEM to a fully functional production version.

For more information, see the following topics in the SEM Administrator Guide:

- Install the SEM license using the web console
- View SEM license information
- Enable SEM license recycling

About SEM licensing

Licensing a Security Event Manager deployment is based on two license types:

- Universal license (SEM). Includes the number of universal nodes. Universal nodes include non-agent devices, such as switches, routers, and firewalls, and systems running either a Windows Server or Unix operating system.
- Workstation Edition license (SWE). Includes the number of workstation nodes. Workstation nodes include desktop systems that run Windows and the SEM Agent.

For example, a SEM deployment that has SWE250 and SEM30 licenses can add 250 Windows
workstation nodes and 30 universal nodes.

Beginning in April 2020, you can choose to use a perpetual license or a subscription-based
(term-based) license. Learn more here.

Licensing an evaluation version of SEM

If you are evaluating Security Event Manager, you do not need to apply an activation key to activate
the SEM VM. For 30 days, you will have unlimited access to all product features.

If you have not purchased and provided a license key after 30 days, the application will stop
collecting event logs from your syslog and Agent devices. You can continue using Security Event
Manager in this mode and access your saved logs. Applying a license reactivates event log collection
and you can continue monitoring all events in your deployment. If you need to extend your evaluation
period, contact Customer Sales.

You can upgrade to a fully functional production version by purchasing a new license from Customer Sales and downloading the license key from the Customer Portal. After you install the new license key, you can access all features within the SEM appliance.

You cannot upgrade your license using the SolarWinds License Manager.

SEM 2020.4 system requirements
Use the following tables to plan your Security Event Manager (SEM) deployment to suit your network
environment.

Server sizing is impacted by:

- Number of nodes and network traffic. Consider event throughput and performance degradation when planning the size of your deployment. As the number of nodes and network traffic increase, the size of your deployment will need to grow with it. For example, if you are running a small deployment and begin to notice performance degradation at 300 nodes, move to a medium deployment.
- Storing original (raw) log messages in addition to normalized log messages. If you will be storing original log messages, increase the CPU and memory resource requirements by 50 percent. See your hypervisor documentation for more information.

Sizing criteria

Use the following criteria to determine whether a small, medium, or large deployment is best suited to your environment.

Small
- Number of nodes: fewer than 500 nodes, in the following combinations: 5–10 security devices; 10–250 network devices, including workstations; 30–150 servers
- Events received per day: 5M–35M
- Rules fired per day: up to 500

Medium
- Number of nodes: between 300 and 2,000 nodes, in the following combinations: 10–25 security devices; 200–1,000 network devices, including workstations; 50–500 servers
- Events received per day: 30M–100M
- Rules fired per day: up to 1,000

Large
- Number of nodes: more than 1,000 nodes, in the following combinations: 25–50 security devices; 250–1,000 network devices, including workstations; 500–1,000 servers
- Events received per day: up to 216M (2,500 events per second sustained)
- Rules fired per day: up to 5,000

SEM VM hardware requirements

See Allocate CPU and memory resources to the SEM VM in the SEM Administrator Guide for information about how to manage SEM system resources.

Hardware on the VM host, by deployment size:

Small
- CPU: 2–4 core processors at 2.0 GHz
- Memory: 8 GB RAM
- Hard drive storage: 250 GB, 15k hard drives (RAID 1/mirrored)
- Input/output operations per second (IOPS): 40–200
- NIC: 1 GbE

Medium
- CPU: 6–10 core processors at 2.0 GHz
- Memory: 16–48 GB RAM
- Hard drive storage: 500 GB, 15k hard drives (RAID 1/mirrored)
- IOPS: 200–400
- NIC: 1 GbE

Large
- CPU: 10–16 core processors at 2.0 GHz
- Memory: 48–256 GB RAM
- Hard drive storage: 1 TB, 15k hard drives (RAID 1/mirrored)
- IOPS: 400 or more
- NIC: 1 GbE

Notes:
- If you will be storing original log messages in addition to normalized log messages, increase the CPU and memory resource requirements by 50%.
- Installing SEM on a SAN is preferred.
- High-speed drives (such as SSDs) are required for high-end deployments.
- Large deployments may require 1–2 TB of storage, which you can reserve on VMware ESXi 6.5 (and later) and Microsoft Hyper-V 2012 R2 or 2016.

SEM Azure hardware requirements

- Small: Standard_DS3_v2 (4 vCPU cores, 14 GB RAM, 12,800 IOPS)
- Medium: Standard_DS4_v2 (8 vCPU cores, 28 GB RAM, 25,600 IOPS)
- Large: Standard_D32s_v3 (32 vCPU cores, 128 GB RAM, 51,200 IOPS)

SEM software requirements

- Hypervisor (required on the VM host), one of the following:
  - VMware vSphere ESXi 6.5 and later
  - Microsoft Hyper-V Server 2016 or 2012 R2
- Microsoft Azure: see the Microsoft Azure requirements.
- Amazon Web Services: see the Amazon Web Services requirements.
- Web browser (required on a remote computer to run the web console), one of the following, at the listed version or later:
  - Google® Chrome™ 77
  - Mozilla Firefox® 70
  - Microsoft Edge
- Adobe Flash (browser plug-in required on a remote computer to run the web console): Adobe Flash Player 15. Note that Adobe ended support for Flash Player on December 31, 2020, and current browsers no longer run the plug-in, so confirm with SolarWinds which console features still depend on it before relying on this requirement.

SEM agent hardware and software requirements

- Operating system: the SEM Agent is compatible with the following operating systems:
  - HP-UX on Itanium
  - IBM AIX 7.1 TL3, 7.2 TL1 and later
  - Linux
  - macOS Mojave, Sierra, High Sierra
  - Oracle® Solaris 10 and later
  - Windows (10, 8, 7, Vista)
  - Windows Server (2019, 2016, 2012, 2008 R2)
- Memory: 512 MB RAM
- Hard drive space: 1 GB
- Other requirements: administrative access to the device hosting the SEM Agent. The SEM Agent for Mac OS X requires Java Runtime Environment (JRE) 8 or later.

The requirements above are minimums. Depending on your deployment, you may need additional resources to support increased log-traffic volume and data retention.

SEM reports application hardware and software requirements

- Operating system: the SEM reports application is Windows only. The following Windows versions are supported:
  - Windows 10 and later
  - Windows Server 2016 and 2012
- Memory: 512 MB RAM minimum. SolarWinds recommends a computer with 1 GB of RAM or more for optimal reports performance.
- Other requirements: install the SEM reports application on a system that runs overnight. This is important because the daily and weekly start times for these reports are 1:00 AM and 3:00 AM, respectively.

Ensure that the reports console version matches your version of the SEM appliance. Incompatible versions may result in installation or login failures. See the following articles in the Customer Success Center for troubleshooting tips:

- Troubleshoot the SEM reports application
- SEM reports won't install correctly
- Error with Sophos Enterprise Console

SEM port requirements

For a list of ports required to communicate with SolarWinds products, see Port requirements for all SolarWinds products.

Port | Protocol | Service/Process | Direction | Description

22, 32022 | TCP | SSH | Bidirectional | SSH traffic to the SolarWinds SEM VM. (Port 22 is not used prior to version 6.3.x.) If you need to close either port 22 or 32022, contact SolarWinds Support.

25 | TCP | SMTP | Outbound | SMTP traffic from the SolarWinds SEM VM to your email server for automated email notifications.

80, 8080 | TCP | HTTP | Bidirectional | Non-secure HTTP traffic from the SolarWinds SEM console to the SolarWinds SEM VM. SEM closes this port when activation completes, but you can re-open it with the CMC togglehttp command.

139, 445 | TCP | NetBIOS, SMB | Bidirectional | Standard Windows file sharing ports (NetBIOS Session Service, Microsoft SMB) that SEM uses to export debug files, syslog messages, and backup files. The SEM Remote Agent Installer also uses these ports to install Agents on Microsoft Windows hosts across your network.

161, 162 | TCP | SNMP | Bidirectional | SNMP trap traffic received from devices, and used by the Orion platform to monitor SEM. (Monitoring SEM on port 161 is not used prior to version 6.3.x.) The table lists TCP, but SNMP traps from Orion and VMAN servers are sent over UDP (see SEM components that make up a typical deployment), so allow UDP 162 inbound as well.

389, 636 | TCP | LDAP | Outbound | LDAP ports that the SEM Directory Service Connector tool uses to communicate with a designated Active Directory domain controller. The tool uses port 636 for SSL (LDAPS) communications to the domain controller.

443, 8443 | TCP | HTTPS | Bidirectional | HTTPS traffic from the SolarWinds SEM console to the SEM VM. SEM uses these secure HTTP ports after SEM is activated.

514 | TCP or UDP | Syslog | Inbound | Syslog traffic from devices sending syslog event messages to the SolarWinds SEM VM.

2100 | UDP | NetFlow | Inbound | NetFlow traffic from devices sending NetFlow to the SolarWinds SEM VM.

6343 | UDP | sFlow | Inbound | sFlow traffic from devices sending sFlow to the SolarWinds SEM VM.

8983 | TCP | nDepth | Inbound | nDepth traffic sent from nDepth to the SEM VM containing raw (original) log data.

9001 | TCP | SEM reports application | Bidirectional | SEM reports application traffic used to gather SEM reports data on the SEM VM.

37890–37892 | TCP | SEM Agents | Inbound | SEM Agent traffic sent from SolarWinds SEM Agents to the SolarWinds SEM VM. (These are the destination ports on the SEM VM.)

SEM no longer uses the following ports:

5433 | TCP | SEM Reports | Inbound | Port 5433 is no longer used. Previously, this port carried traffic from the SolarWinds SEM reports application to the SolarWinds SEM VM. It was used by versions prior to LEM 5.6, for which support ended December 2015.
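
The table above is what you need when a client cannot talk to SEM and the question is "is it the network or the appliance?". The following Bash script, added here as an example and not SolarWinds' own tooling, maps each kind of client (Agent host, console workstation, reports server, TCP syslog source, nDepth, CMC admin) to the destination TCP ports listed in the table and probes them from that client with a bounded connect() so a firewall that silently drops SYNs does not hang the check. The host name sem.example.internal, the role names and the function names are assumptions, and the UDP listeners (514, 2100, 6343, 162) are left out on purpose because a connect() cannot verify them.

```bash
#!/usr/bin/env bash
# Added example, not SolarWinds code: from a given kind of client, verify that the
# TCP ports in the table above are reachable on the SEM VM before you open a support
# case. Assumes SEM_HOST is your SEM VM and that GNU coreutils `timeout` is present.
set -eu

SEM_HOST="${SEM_HOST:-sem.example.internal}"   # assumed host name
SEM_PROBE="${SEM_PROBE:-sem_probe_tcp}"         # probe function; swap it to test offline

# Destination TCP ports on the SEM VM per client role, taken from the port table.
# UDP listeners (514 syslog, 2100 NetFlow, 6343 sFlow, 162 SNMP) cannot be verified
# with a connect() and are deliberately left out.
sem_ports_for_role() {
  case "$1" in
    agent)   echo "37890 37891 37892" ;;   # SEM Agent push
    console) echo "443 8443" ;;            # web console (80/8080 close after activation)
    reports) echo "9001" ;;                # SEM reports application
    syslog)  echo "514" ;;                 # TCP syslog only
    ndepth)  echo "8983" ;;
    admin)   echo "22 32022" ;;            # CMC over SSH
    *) echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# Default probe: a connect() via bash's /dev/tcp, bounded by a timeout so a
# firewall that silently drops SYNs does not hang the check. Exit 0 = port open.
sem_probe_tcp() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2 && exec 3>&-"
}

# Probe every port for the role. Prints one line per port and returns the number
# of closed ports, so "sem_check_role agent || ..." does the right thing.
sem_check_role() {
  local role=$1 host=${2:-$SEM_HOST} ports port closed=0
  ports=$(sem_ports_for_role "$role") || return 2
  for port in $ports; do
    if "$SEM_PROBE" "$host" "$port" 2>/dev/null; then
      echo "open   $host:$port"
    else
      echo "closed $host:$port"
      closed=$((closed + 1))
    fi
  done
  return "$closed"
}

# Usage: SEM_HOST=sem01.corp.example SEM_ROLE=agent bash sem-port-check.sh
if [ -n "${SEM_ROLE:-}" ]; then
  sem_check_role "$SEM_ROLE"
fi
```

Run it from the client that is failing, not from the SEM VM: a port that answers on the appliance itself but shows "closed" from an Agent host points at a firewall or routing problem in between. A "closed" 80 or 8080 after activation is expected, which is why the console role only lists 443 and 8443.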

SEM pre-installation checklist

Before installing SEM, complete the pre-installation checklist below. This checklist helps you:

- Verify that system requirements are met, all required software is installed, and required roles and features are enabled.
- Gather the information required to complete the installation.

1. Review the system requirements. Make sure that your environment meets the hardware and software requirements for your installations. Hypervisor software should be installed prior to installing SEM. VMware vSphere and Microsoft Hyper-V are both supported. The hypervisor software provides the virtual environment that hosts your SEM deployment. See the system requirements for details.

2. Select a deployment architecture. Determine whether your architecture will include one or more syslog servers. See SEM deployment examples for details.

3. Review the release notes. Review the Security Event Manager release notes and available documentation in the Customer Success Center.

4. Gather your credentials. The Local Administrator Account is required for installation. The Local Administrator Account is not the same as a domain account with local admin rights; a domain account is subject to your domain group policies.

Prepare the server environment

Prepare the server where you will install the SEM VM.

1. Build the environment. Prepare the servers based on your deployment size and system requirements. Install either VMware vSphere or Microsoft Hyper-V. By default, Security Event Manager deploys with 8 GB RAM and 2 CPUs on both hypervisor platforms.

2. Run all OS updates. Before installation, check for and run all OS updates on all servers.

3. Open ports according to the requirements. If your log sources are located behind firewalls, see the SolarWinds SEM port and firewall requirements. SolarWinds uses these ports to send and receive data.

Download SEM

SolarWinds provides separate installation packages for Hyper-V and VMware vSphere, so be sure to download the correct version.

Download the SEM installer from the SolarWinds Customer Portal, or download a free trial version from www.solarwinds.com/log-event-manager. The trial version provides unlimited access to all product features for 30 days. See Choose a licensing method for your SEM deployment for more information.

Next steps:

- See Install SolarWinds SEM on Microsoft Hyper-V
- See Install SolarWinds SEM on VMware vSphere

Install SEM on the hypervisor and the cloud
This section describes how to install SEM on Microsoft Hyper-V, VMware vSphere, Microsoft Azure,
and Amazon Web Services.

Install SolarWinds SEM on Microsoft Hyper-V

These instructions provide steps for installing the Security Event Manager VM on Microsoft Hyper-V. SolarWinds provides separate installation packages for Hyper-V and VMware vSphere, so check that you downloaded the correct version.

1. Extract the files. Double-click the evaluation EXE file that you downloaded previously. This step extracts the required files and tools to a folder on your desktop. The How to Install page opens automatically. To return to this page after it is closed, open %USERPROFILE%\Desktop\SolarWinds Security Event Manager\html\install_now.hta.

2. Import the virtual machine:
   1. Ensure that Volume Shadow Copy is disabled on the Hyper-V machine.
   2. In the navigation pane of Hyper-V Manager, select the computer running Hyper-V.
   3. Click Action > Import Virtual Machine. Click Next if the Before You Begin screen displays.
   4. On the Locate Folder screen, navigate to the folder that matches your version of Windows Server. For example: ..\SolarWinds-SEM-2020.4-Appliance-HyperV\SolarWinds Security Event Manager\Virtual Machines 2012 R2. For Windows Server 2016, also navigate to the Virtual Machines 2012 R2 folder.
   5. Click Next.
   6. On the Select Virtual Machine screen, select SolarWinds Security Event Manager, and click Next.
   7. On the Choose Import Type screen, choose Copy the virtual machine (create a new unique ID), and click Next.
   8. On the Choose Folders for Virtual Machine Files screen, change the folder locations that the wizard will import files to (if needed). Otherwise, click Next.
   9. On the Choose Folders to Store Virtual Hard Disks screen, change the location of the virtual hard disks for this virtual machine (if needed). Otherwise, click Next.
   10. Ensure that Volume Shadow Copy is disabled for this Hyper-V virtual machine.
   11. On the Configure Memory screen, configure the Startup RAM setting, and the Minimum RAM and Maximum RAM settings for Dynamic Memory, and then click Next.
   12. On the Summary screen, review the configuration settings and click Finish. The installer copies the SolarWinds-SEM-2020.4.vhd file to Hyper-V.

3. Connect to the SEM VM. Select the newly added VM, and then click Action > Connect on the main Hyper-V Manager window. The virtual console opens.

4. Start SEM. Click Action > Start in the virtual console window. The SEM VM starts. After SEM starts, write down the IP address of the VM. You can change the IP address later during the configuration phase.

5. Set up your new SEM installation. See Setting up a new SEM installation in the SEM Administrator Guide.

Following installation, the default SEM host name is swi-sem. To change the default host name and IP address settings, see Run the activate command to secure SEM and configure network settings in the SEM Administrator Guide.

Install SolarWinds SEM on VMware vSphere

These instructions provide steps for installing the Security Event Manager VM on VMware vSphere. SolarWinds provides separate installation packages for Hyper-V and VMware vSphere, so check that you downloaded the correct version.

1. Extract the files. Double-click the evaluation EXE file that you downloaded previously. This step extracts the required files and tools to a folder on your desktop. The How to Install page opens automatically. To return to this page after it is closed, open %USERPROFILE%\Desktop\SolarWinds Security Event Manager\html\install_now.hta.

2. Deploy SEM:
   1. Start the VMware vSphere client and log in with VMware administrator privileges.
   2. Deploy the Open Virtualization Format (OVF) template.
   3. Open the SolarWinds Security Event Manager folder located on your desktop and double-click Deploy First—SEM Virtual Appliance.ova.
   4. Complete the setup wizard. When prompted, select the Thin Provisioned disk format. Thin provisioning allocates physical storage to the virtual disk only as data is written, so the appliance consumes less datastore space up front, but you must monitor datastore free space so that the growing SEM data disk cannot exhaust it; thick provisioning reserves the full disk size at deployment time.
   5. Map the network interface card (NIC) to the appropriate network.
   6. When the OVF deployment is completed, click Finish.

3. Start SEM:
   1. Select the SolarWinds Security Event Manager virtual appliance and click Play.
   2. Click the Console tab. The SEM VM starts. After SEM starts, write down the IP address of the VM. You can change the IP address later during the configuration phase.

4. Set up your new SEM installation. See Setting up a new SEM installation in the SEM Administrator Guide.

Following installation, the default SEM host name is swi-sem. To change the default host name and IP address settings, see Run the activate command to secure SEM and configure network settings in the SEM Administrator Guide.

Deploy SEM to Microsoft Azure

SolarWinds Security Event Manager (SEM) is not currently available in the Azure Marketplace; it is deployed manually by users. Deployment is initiated via Azure CLI 2.0.

This guide covers deployment from Windows (PowerShell) and Linux (Bash).

SolarWinds provides a ZIP archive containing two VHD files. The first file (xxx-system.vhd) contains an operating system based on Debian Linux. The second file (xxx-data.vhd) serves as the data partition. The layout is similar to the VMware and Hyper-V appliances.

Azure CLI 2.0 must be installed on the Windows or Linux system you deploy from. After the CLI is authenticated, you control Azure through its API by executing CLI commands.

SEM sizing

For sizing criteria, SolarWinds uses three basic sizes of SEM deployment: small, medium, and large. See the SEM system requirements for details.

Deploy SEM via Azure CLI 2.0

To learn more about installing the CLI on Windows and Linux, see Azure CLI 2.0 on the Microsoft website.

Follow the procedures below to deploy SEM via Azure CLI 2.0:

1. Download and install Azure CLI 2.0 (Windows).
2. Create and manage storage accounts and define resource groups and locations.
3. Get the storage access key.
4. Prepare to deploy VHD disks.

Install Azure CLI 2.0 on Microsoft Windows

Learn how to install Azure CLI on Linux or macOS here.

1. Download the Azure CLI 2.0 MSI installer here.

2. Launch the installer, select the check box to accept the License Agreement terms, and then click Install.

3. From a command line (Windows Command Prompt or PowerShell), run the az login command. Log in with any authentication option; running the az login command is recommended. For more details and other options, see Sign in with Azure CLI 2.0 (© Microsoft 2020, available at docs.microsoft.com, retrieved October 5, 2020).

 4. When the browser launches prompting you to log in, sign in to Microsoft Azure with your
account credentials.

Create and manage storage accounts, resource groups, and locations


If your storage account already exists, you can list it in Azure CLI by running the following command:

az storage account list

If a storage account does not exist, create one.

The resource group name and location appear in the JSON output. For more details about
listing the storage account in the command line, see az storage account (© Microsoft 2020,
available at docs.microsoft.com, retrieved October 5, 2020).

To access the Azure Portal, click Portal in the upper right of the Microsoft Azure page.

Storage accounts, locations, and resource groups are also available in the Azure Portal under Home >
Storage accounts.

The storage account name, location, and resource group name are needed for running
additional commands. List them and keep them for later use.


Create a storage account in the Azure Portal

 1. On the Azure Portal Home page, click Storage accounts.


 2. On the Storage accounts toolbar, click Add.

 3. Under Project details, select your Subscription and Resource group from the drop-down lists.

 4. If you do not have a resource group, click Create new.

 5. Enter a name for the resource group, and then click OK (Write this down).
 6. Under Instance details, enter a name for the storage account (Write this down). The name must
not already exist in Azure, must be between 3 and 24 characters in length, and include numbers
and lowercase letters only.

 7. Select a location, or use the default (Write this down).
 8. Maintain the default values for the remaining fields.
 9. Click Review + create to review your settings, and then click Create.

 10. To verify the storage account, open a command prompt and run the following command:

az storage account list

 11. Scroll down to find the name of your new storage account.

Write down the names of your storage account and resource group, as well as the
location. You will need them later.

 12. Now that you have a storage account and resource group, create a container. The container
holds your uploaded VHD files.
 a. On the Azure Portal Home page, click Storage accounts.
 b. Select your storage account, and then click Containers.

 c. On the Containers toolbar, click + Container. Enter a name for your container, and then
click OK (write the container name down).

Get the storage access key


The storage account key is a 512-bit access key used for authentication when accessing the storage
account. It is generated automatically when the storage account is created.

List storage account keys in Azure CLI with the command below:

az storage account keys list --account-name <STORAGE_ACCOUNT> --resource-group <RESOURCE_GROUP>

Replace the STORAGE_ACCOUNT and RESOURCE_GROUP strings with the storage account and
resource group names obtained in the previous section. You can find your storage account and
resource group in the Azure Portal under Home > Storage accounts.

Remove angle brackets (< >) when entering the actual account and resource group names.

The command will list two storage account keys in JSON format (default format, but can be
changed): primary (key1) and secondary (key2). You can use either key.

See the example below:


Prepare to deploy VHD disks


Before deployment, locate the following information you obtained in the previous sections. In the
commands that follow, each value is shown as an uppercase token (for example, TOKEN); replace the
token in the script with your own value.

 • Storage account name: STORAGE_ACCOUNT
   Find your storage account name in the Azure Portal, or run the az storage account list
   command, and then search for the storage account. In the example below, the storage account
   name is semtest.
 • Storage account key: ACCESS_KEY
 • Resource group: RESOURCE_GROUP
   Find your resource group name in the Azure Portal, or run the az storage account list
   command, and then search for the resource group. In the example below, the resource group is
   SEM-Test.
 • Location: LOCATION
   To find your location, look in your storage account details in the Azure Portal, or run the az
   storage account list command, and then search for the location. In the example below,
   the location is eastus, for Eastern US.
 • Storage size - sku: SKU
   To find your sku, run the az storage account list command, and then search for the
   sku. In the example below, the sku name is Standard_LRS. The minimum requirement is
   Standard_LRS. Learn more about sku types here (© Microsoft 2020, available at
   docs.microsoft.com, retrieved October 5, 2020). If the returned SKU value is not supported
   (Standard_RAGRS, for example), change it to a supported value (see image below) when you
   update your script.
 • Virtual machine size: VM_SIZE
   Learn more about VM sizes here (© Microsoft 2020, available at docs.microsoft.com,
   retrieved October 5, 2020).

If you are missing anything from the list above, review the previous sections.

Additionally, decide on the virtual machine name and disk names before deployment.

 • Virtual machine name: VM_NAME
   Can be any name you would like to use. For example, solarwinds.sem.
 • Disk 1 (system) name: DISK1
 • Disk 2 (data) name: DISK2

Boot diagnostics

Boot diagnostics captures a screenshot of the virtual machine's console (video) output. Enabling this
feature is optional, but it is required before creating a support ticket with the SolarWinds Helpdesk,
because the support representative needs the support key shown in the screenshot. The command
that enables the feature (az vm boot-diagnostics enable) is the last line of both the PowerShell and
the Bash deployment script below.

Deploy from PowerShell (Windows)


Scripts are not supported under any SolarWinds support program or service. Scripts are provided AS IS
without warranty of any kind. SolarWinds further disclaims all warranties including, without limitation,
any implied warranties of merchantability or of fitness for a particular purpose. The risk arising out of
the use or performance of the scripts and documentation stays with you. In no event shall SolarWinds or
anyone else involved in the creation, production, or delivery of the scripts be liable for any damages
whatsoever (including, without limitation, damages for loss of business profits, business interruption,
loss of business information, or other pecuniary loss) arising out of the use of or inability to use the
scripts or documentation.

PowerShell is a command-line interface that is installed by default on newer Microsoft systems. Find
more information here (© Microsoft 2020, available at docs.microsoft.com, retrieved October 5,
2020).

Lines starting with the # character are comments. The back quote (`) character on the end of
lines indicates multi-line commands.

 1. From a command line (Windows Command Prompt or PowerShell), run the az login
command.

Log in with any authentication option. Running the az login command is recommended. For more
details and other options, see Sign in with Azure CLI 2.0 (© Microsoft 2020, available at
docs.microsoft.com, retrieved October 5, 2020).

 2. When the browser launches prompting you to log in, sign in to Microsoft Azure with your
account credentials.


 3. Create your script. The following script is a template: you will need to fill in the variables for
your Azure VM environment. The script will run, upload your two VHD files, and then create your
VM in the Azure Portal. You can also download the script from SolarWinds using this link.

<#
Scripts are not supported under any SolarWinds support program or service. Scripts are provided
AS IS without warranty of any kind. SolarWinds further disclaims all warranties including,
without limitation, any implied warranties of merchantability or of fitness for a particular
purpose. The risk arising out of the use or performance of the scripts and documentation stays
with you. In no event shall SolarWinds or anyone else involved in the creation, production,
or delivery of the scripts be liable for any damages whatsoever (including, without limitation,
damages for loss of business profits, business interruption, loss of business information, or other
pecuniary loss) arising out of the use of or inability to use the scripts or documentation.
#>
# How to use:
# copy script to folder that contains azure disks
# change <USERNAME>, <SEM_VERSION>, <STORAGE_ACCOUNT>, <ACCESS_KEY>, <RESOURCE_GROUP>, <VM_LOCATION>
# log in to azure (az login)
# run script
#
############################################
$username="<USERNAME>"
$semVersion="<SEM_VERSION>"
Write-Host "SEM version: $semVersion" -foreground Green
# storage account and key set to ENV to avoid typing it to each command
$env:AZURE_STORAGE_ACCOUNT="<STORAGE_ACCOUNT>"
$env:AZURE_STORAGE_ACCESS_KEY="<ACCESS_KEY>"
$disk1Filename="SolarWinds-SEM-Azure-$semVersion-disk1-system.vhd"
$disk2Filename="SolarWinds-SEM-Azure-$semVersion-disk2-data.vhd"
$sku="Standard_LRS"
$vmSize="Standard_B1s"
$resourceGroup="<RESOURCE_GROUP>"
$vmLocation="<VM_LOCATION>"
$vmName="$username-sem-$semVersion"
$disk1Name="$vmName-disk1.vhd"
$disk2Name="$vmName-disk2.vhd"
# check for presence of files
if (!((Test-Path $disk1Filename) -and (Test-Path $disk2Filename)))
{Write-Host "Couldn't find .vhd files" -foreground Red; break}
# upload system and data disks
az storage blob upload --container-name vhds-built --type page --file `
  $disk1Filename --name $disk1Name
az storage blob upload --container-name vhds-built --type page --file `
  $disk2Filename --name $disk2Name
# get blob urls (tsv output returns the bare URL without the JSON quotes)
$blobUrlDisk1=az storage blob url --container-name vhds-built --name $disk1Name --output tsv
$blobUrlDisk2=az storage blob url --container-name vhds-built --name $disk2Name --output tsv
# create system and data disks
az disk create --resource-group $resourceGroup --sku $sku --name `
  $disk1Name --source $blobUrlDisk1
az disk create --resource-group $resourceGroup --size-gb "250" --sku $sku `
  --name $disk2Name --source $blobUrlDisk2
# create a machine and enable boot diagnostics
az vm create --resource-group $resourceGroup --size $vmSize --public-ip-sku "Basic" `
  --location $vmLocation --name $vmName --os-type "linux" `
  --attach-os-disk $disk1Name --attach-data-disks $disk2Name
az vm boot-diagnostics enable --name $vmName --resource-group $resourceGroup `
  --storage $env:AZURE_STORAGE_ACCOUNT

 4. Launch PowerShell.

    Change the directory (cd) in PowerShell to the directory where the VHD files reside on
    your local system.

 5. Paste your script into PowerShell, and then press Enter.
    You can monitor the progress as the script is running. If the script encounters an error, such as
    a typo in your script, simply correct the error, and rerun the script.


Upon completion, you can access your new VM in the Azure Portal under Home > Virtual
machines.

Deploy from Bash (Linux)


Scripts are not supported under any SolarWinds support program or service. Scripts are provided AS IS
without warranty of any kind. SolarWinds further disclaims all warranties including, without limitation,
any implied warranties of merchantability or of fitness for a particular purpose. The risk arising out of
the use or performance of the scripts and documentation stays with you. In no event shall SolarWinds or
anyone else involved in the creation, production, or delivery of the scripts be liable for any damages
whatsoever (including, without limitation, damages for loss of business profits, business interruption,
loss of business information, or other pecuniary loss) arising out of the use of or inability to use the
scripts or documentation.

Lines starting with the # character are just comments. The backslash (\) character at the end of a
line continues the command on the next line.

 1. Run Bash shell (WSL or native) where Azure CLI 2.0 is installed, and then log in to the Azure
Portal.
 2. Create your script. The following script is a template. When you fill in the variables for your
Azure VM environment, the script will run, upload your two VHD files, and then create your VM in
the Azure Portal.

Replace the uppercase placeholder values below (STORAGE_ACCOUNT, ACCESS_KEY, and so on) with
the values you wrote down in the previous sections unless otherwise indicated. Enter values between
the quotation marks, when present. Copy the entire script template into a text editor, such as
Notepad, to make your edits.

# storage account and key set to ENV to avoid typing it to each command
export AZURE_STORAGE_ACCOUNT="STORAGE_ACCOUNT"
export AZURE_STORAGE_ACCESS_KEY="ACCESS_KEY"
disk1Filename="SolarWinds-SEM-Azure-<SEM_VERSION>-disk1-system.vhd"
disk2Filename="SolarWinds-SEM-Azure-<SEM_VERSION>-disk2-data.vhd"
sku="Standard_LRS"
vmSize="Standard_B1s"
resourceGroup="RESOURCE_GROUP"
vmLocation="LOCATION"

disk1Name="SYSTEM-disk1.vhd"
disk2Name="DATA-disk2.vhd"
vmName="VM-NAME"

# upload system and data disks
az storage blob upload --container-name CONTAINER_NAME --type page --file \
  "$disk1Filename" --name "$disk1Name"
az storage blob upload --container-name CONTAINER_NAME --type page --file \
  "$disk2Filename" --name "$disk2Name"

# get blob urls (tsv output returns the bare URL without the JSON quotes)
blobUrlDisk1=$(az storage blob url --container-name CONTAINER_NAME --name "$disk1Name" --output tsv)
blobUrlDisk2=$(az storage blob url --container-name CONTAINER_NAME --name "$disk2Name" --output tsv)

# create system and data disks
az disk create --resource-group "$resourceGroup" --sku "$sku" --name "$disk1Name" \
  --source "$blobUrlDisk1"
az disk create --resource-group "$resourceGroup" --size-gb 250 --sku "$sku" \
  --name "$disk2Name" --source "$blobUrlDisk2"

# create a machine and enable boot diagnostics
az vm create --resource-group "$resourceGroup" --size "$vmSize" --public-ip-sku Basic \
  --location "$vmLocation" --name "$vmName" --os-type linux \
  --attach-os-disk "$disk1Name" --attach-data-disks "$disk2Name"
az vm boot-diagnostics enable --name "$vmName" --resource-group "$resourceGroup" \
  --storage "$AZURE_STORAGE_ACCOUNT"


Below is an explanation of what these values and variables are. The first section of the script
initializes the variables. The subsequent sections of the script use these variables to upload the
disks and create the VM.

# storage account and key set to ENV to avoid typing it to each command
export AZURE_STORAGE_ACCOUNT="STORAGE_ACCOUNT"
    This is the storage account name you wrote down from the Azure Portal.
export AZURE_STORAGE_ACCESS_KEY="ACCESS_KEY"
    This is the multicharacter key you copied in a previous section. Paste the entire key
    between the quotation marks.
disk1Filename="SolarWinds-SEM-Azure-<SEM_VERSION>-disk1-system.vhd"
disk2Filename="SolarWinds-SEM-Azure-<SEM_VERSION>-disk2-data.vhd"
    The names of the system and data disk files vary based on the SEM version. The system
    disk is much larger (~18 GB); the data disk is typically ~1 GB.
sku="Standard_LRS"
    This is the minimum requirement.
vmSize="Standard_B1s"
    This is the minimum requirement.
resourceGroup="RESOURCE_GROUP"
    This is the resource group you created in the Azure Portal.
vmLocation="LOCATION"
    For example, "eastus" for Eastern US.

disk1Name="SYSTEM-disk1.vhd"
disk2Name="DATA-disk2.vhd"
    You can give these disks any descriptive name you like.
vmName="VM-NAME"
    You can give the VM any descriptive name you like.

The only other value you need to add is the container name you wrote down in a previous
section, in place of CONTAINER_NAME below. No quotation marks are needed.

# upload system and data disks
az storage blob upload --container-name CONTAINER_NAME --type page --file \
  "$disk1Filename" --name "$disk1Name"
az storage blob upload --container-name CONTAINER_NAME --type page --file \
  "$disk2Filename" --name "$disk2Name"

# get blob urls (tsv output returns the bare URL without the JSON quotes)
blobUrlDisk1=$(az storage blob url --container-name CONTAINER_NAME --name "$disk1Name" --output tsv)
blobUrlDisk2=$(az storage blob url --container-name CONTAINER_NAME --name "$disk2Name" --output tsv)

 3. Launch Bash.

Change the directory (cd) in Bash to the directory where the VHD files reside on your local
system.

 4. Paste your script into Bash, and then press Enter.
You can monitor the progress as the script is running. If the script encounters an error, such as
a typo in your script, simply correct the error, and rerun the script.
Upon completion, you can access your new VM in the Azure Portal under Home > Virtual
machines.
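As an added example (not from SolarWinds or this guide), the following Bash preflight script re-checks, before the deployment script is pasted, the rules the sections above state for the variables: the storage account name format, the supported storage SKU, that both VHD files are in the current folder, and that no template token was left in place. The sample values and the fake key in the demonstration at the end are constructed.

```shell
#!/usr/bin/env bash
# Preflight checks for the SEM Azure deployment variables. Added example, not
# SolarWinds code: it only re-checks rules the guide states (storage account name
# of 3-24 lowercase letters and digits, Standard_LRS as the minimum SKU with
# Standard_RAGRS unsupported, both VHDs present, no template tokens left in).
export LC_ALL=C   # keep the [a-z] range literal regardless of locale

# SKUs accepted for the uploaded disks. Standard_LRS is the documented minimum;
# add further values only if the guide's SKU table lists them as supported.
SUPPORTED_SKUS="Standard_LRS"

check_storage_account_name() {
  # Azure storage account names: 3-24 characters, lowercase letters and digits only.
  local name="$1"
  [ "${#name}" -ge 3 ] && [ "${#name}" -le 24 ] || return 1
  case "$name" in
    *[!a-z0-9]*) return 1 ;;
  esac
  return 0
}

check_sku() {
  local sku="$1" s
  for s in $SUPPORTED_SKUS; do
    [ "$sku" = "$s" ] && return 0
  done
  return 1
}

is_placeholder() {
  # True when a value is still a template token (STORAGE_ACCOUNT, <ACCESS_KEY>, ...) or empty.
  case "$1" in
    ""|\<*\>|STORAGE_ACCOUNT|ACCESS_KEY|RESOURCE_GROUP|LOCATION|SKU|VM_SIZE) return 0 ;;
  esac
  return 1
}

check_vhd_files() {
  # Both VHDs must sit in the folder the script is pasted from (mirrors the Test-Path check).
  local version="$1" dir="${2:-.}"
  [ -f "$dir/SolarWinds-SEM-Azure-$version-disk1-system.vhd" ] &&
    [ -f "$dir/SolarWinds-SEM-Azure-$version-disk2-data.vhd" ]
}

preflight() {
  # Usage: preflight STORAGE_ACCOUNT ACCESS_KEY RESOURCE_GROUP LOCATION SKU SEM_VERSION [DIR]
  # Prints one FAIL line per problem and returns the number of failed checks (0 = ready).
  local account="$1" key="$2" rg="$3" loc="$4" sku="$5" version="$6" dir="${7:-.}"
  local failures=0
  if is_placeholder "$account" || ! check_storage_account_name "$account"; then
    echo "FAIL storage account '$account': 3-24 lowercase letters and digits required"
    failures=$((failures + 1))
  fi
  if is_placeholder "$key"; then
    echo "FAIL access key is still the template placeholder"
    failures=$((failures + 1))
  fi
  if is_placeholder "$rg"; then
    echo "FAIL resource group is still the template placeholder"
    failures=$((failures + 1))
  fi
  if is_placeholder "$loc"; then
    echo "FAIL location is still the template placeholder"
    failures=$((failures + 1))
  fi
  if ! check_sku "$sku"; then
    echo "FAIL storage sku '$sku' is not supported (minimum is Standard_LRS)"
    failures=$((failures + 1))
  fi
  if ! check_vhd_files "$version" "$dir"; then
    echo "FAIL SEM $version VHD files not found in $dir"
    failures=$((failures + 1))
  fi
  [ "$failures" -eq 0 ] && echo "OK ready to deploy"
  return "$failures"
}

# Demonstration on constructed input: two empty stand-in VHDs in a temp folder and
# the guide's example values (semtest, SEM-Test, eastus, Standard_LRS); the key is fake.
demo_dir="$(mktemp -d)"
: > "$demo_dir/SolarWinds-SEM-Azure-2020.4-disk1-system.vhd"
: > "$demo_dir/SolarWinds-SEM-Azure-2020.4-disk2-data.vhd"
preflight semtest CONSTRUCTED-NOT-A-REAL-KEY SEM-Test eastus Standard_LRS 2020.4 "$demo_dir"
rm -rf "$demo_dir"
```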

Configure networking
By default, the inbound firewall rule allowing SSH is enabled for a new Linux machine. If needed, you
can disable SSH from the outside world for a SEM appliance. To see all default rules created per
virtual machine, see Default security rules (© Microsoft 2020, available at docs.microsoft.com,
retrieved October 5, 2020).

Configure firewall rules based on your specific needs. Review the SEM port and firewall requirements
here.


The following example shows security rules for a SEM Azure deployment:
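As an added example (not SolarWinds code and not the guide's screenshot), the following Bash functions tighten the default inbound SSH rule to a management network, or turn it off, as the paragraph above allows. They assume the names az vm create gives a Linux VM's network security group and SSH rule (<VM_NAME>NSG and default-allow-ssh); with DRY_RUN=1 the az commands are printed instead of run so the change can be reviewed first.

```shell
#!/usr/bin/env bash
# Restrict the default inbound SSH rule of the SEM VM to a management network.
# Added example, not SolarWinds code. Assumptions: az vm create named the network
# security group "<VM_NAME>NSG" and its SSH rule "default-allow-ssh" (the Azure CLI
# defaults for a Linux VM); adjust both if your deployment differs. With DRY_RUN=1
# the az commands are printed instead of executed.

run() {
  # Execute the command, or print it verbatim when DRY_RUN=1.
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

valid_ipv4_cidr() {
  # Accept a.b.c.d/n with each octet 0-255 and prefix length 0-32; reject anything
  # else so a typo cannot silently widen the rule.
  local cidr="$1" ip prefix octet
  case "$cidr" in
    */*) ip="${cidr%/*}"; prefix="${cidr#*/}" ;;
    *) return 1 ;;
  esac
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  local IFS=.
  set -- $ip
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

restrict_ssh() {
  # $1 resource group, $2 VM name, $3 management CIDR allowed to reach SSH (TCP/22).
  local rg="$1" vm="$2" cidr="$3"
  valid_ipv4_cidr "$cidr" || { echo "refusing: '$cidr' is not an IPv4 CIDR" >&2; return 1; }
  if [ "$cidr" = "0.0.0.0/0" ]; then
    echo "refusing: 0.0.0.0/0 would leave SSH open to the whole Internet" >&2
    return 1
  fi
  run az network nsg rule update --resource-group "$rg" --nsg-name "${vm}NSG" \
    --name default-allow-ssh --access Allow --protocol Tcp --direction Inbound \
    --source-address-prefixes "$cidr" --destination-port-ranges 22
}

deny_ssh() {
  # Disable SSH from outside entirely, as the guide allows, by flipping the rule to Deny.
  local rg="$1" vm="$2"
  run az network nsg rule update --resource-group "$rg" --nsg-name "${vm}NSG" \
    --name default-allow-ssh --access Deny
}

# Dry-run demonstration with the guide's example names (SEM-Test, solarwinds.sem)
# and a constructed management range from the TEST-NET-3 documentation block.
DRY_RUN=1
restrict_ssh SEM-Test solarwinds.sem 203.0.113.0/24
```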

Deploy SEM to Amazon Web Services


With version 6.7 and later, you can deploy SEM to Amazon Web Services (AWS). To get started,
contact your SolarWinds Sales or Customer Support representative to request access to SEM on
AWS.

SolarWinds is not responsible for fees incurred when deploying SolarWinds products to AWS.

 1. Contact your SolarWinds Sales (evaluation customers) or Customer Support (existing
customers) representative to request access to the AWS Amazon Machine Image (AMI) for
SEM.

You will need to provide your AWS account ID and AWS Region.

 2. When you receive notification that your AMI is available, launch the AMI from the AWS EC2
console.
 3. Configure security groups to enable the required ports.

On versions earlier than 2020.2 you cannot resize partitions on managers deployed on AWS.

Install SEM Agents to protect servers, domain
controllers, and workstations
This section provides SEM deployment options and installation steps.

Deploying the SEM Agent


This section describes options for installing the SEM Agent.

See SEM components that make up a typical deployment to learn about the role the SEM
Agent plays in a typical SEM deployment.

SolarWinds provides SEM Agents for these operating systems:

 • Microsoft Windows (local and remote installers)
 • Linux
 • Mac OS X
 • Solaris on Intel
 • Solaris on Sparc
 • HPUX on Itanium
 • AIX

Deploying the SEM Agent to multiple Windows computers in an enterprise environment
There are two options for deploying the SEM Agent unattended on Windows:

 • Option 1: Use the Remote Agent Installer to deploy SEM Agents to computers non-interactively.
   See Run the SEM Remote Agent Installer for large Windows deployments for more information.
 • Option 2: Use the Local Agent Installer with either software distribution policies or local logon
   scripts to deploy the SEM Agent non-interactively. This method is an alternative to the Remote
   Agent Installer option for large deployments.
   See Run the SEM Local Agent Installer for large Windows deployments for more information.

SEM Agent pre-installation checklist: Prepare to deploy SEM Agents
Complete the following tasks before installing the SEM Agent. See Deploying the SEM Agent to learn
more about installing SEM Agents.

SEM Agent installer requirements

 1. Review system requirements
    See the SEM agent requirements in the system requirements section for details.

 2. Gather credentials
    Verify that you have administrative access to the servers and workstations you plan to
    monitor with the Agent. Windows-based systems require Domain or Local administrative
    privileges; Linux or Unix systems require root-level access.

    The Local Administrator Account is not the same as a domain account with local admin
    rights. A domain account is subject to your domain group policies.

 3. Review the SEM Agent installation overview
    See Deploying the SEM Agent for installation information, and information about unattended
    Agent installations.

Antivirus recommendations

 1. Disable anti-malware and endpoint protection software during installation.
    Turn off any anti-malware or endpoint protection applications on host systems during the
    installation process, because these applications can affect the process by which installation
    files are transferred to the hosts.

 2. After installation, add an exception to your antivirus or anti-malware software for the SEM
    Agent folder.
    Set an exception in your antivirus or anti-malware scanning software for the ContegoSPOP
    folder where the SEM Agents will be installed. The alerts are kept in queue files, which change
    constantly as they are normalized and encrypted.

Download the SEM Agent installers
You can download SEM Agent installers from the SEM HTML5 and Flash consoles or from the
SolarWinds Customer Portal.

To download a SEM Agent installer from the SEM Console


 1. On the SEM Console, click the Nodes tab, and then click Add agent node. The Add agent node
window appears displaying options for remote and local installation.
 2. Select an option, and then follow the instructions to add the monitored node.

To download a SEM Agent installer from the SolarWinds Customer Portal

If you are using a trial version of SEM, download the SEM Agent installer from the SEM
console, or contact SolarWinds for assistance.

 1. Download the installer from the SolarWinds Customer Portal. Log in with your SWID if
necessary.
 2. Find SEM in the product list, and then click Choose Download.
 3. Find the Agent Installer on the list.

Before deploying SEM Agents, make note of formatting in any .txt files that contain host
entries:
 • Ensure there is only one host entry per line.
 • If the format is tab separated, remove the tab spacing, and then enter a space between
   each value. For example, 10.10.10.10 xxx03 xxx03 yyy abcd.net. If tab spacing is present,
   the installer will not be able to parse the file correctly and will fail.

To download a SEM Agent installer from the SEM legacy Flash console

Adobe will stop distributing and updating Flash Player after December 31, 2020. Please visit
the Adobe Flash Player EOL General Information Page (Copyright © 2020 Adobe, retrieved
November 5, 2020) for information.

 1. Open the SEM legacy Flash console.
 2. Choose from the following options:
    • Click Ops Center, go to the Getting Started widget, and click Add Nodes to Monitor.
    • Click Manage > Nodes. Click Add Node, then click Agent Node.
 3. Click an Agent to download it.

Next steps:

See the following topics to install the SEM Agents:

 • Install the SEM Agent on Linux and Unix
 • Install the SEM Agent on macOS X
 • Run the SEM Remote Agent Installer for large Windows deployments
 • Run the SEM Local Agent Installer for large Windows deployments

Install the SEM Agent on Linux and Unix


This section describes how to install Agents locally on a variety of Linux and Unix operating systems.
Once installed, the SEM Agent automatically starts and connects to the SEM Manager.

See SEM Agent pre-installation checklist: Prepare to deploy SEM Agents for Agent download
information and a pre-install checklist.

Installation notes for the Linux Agent installer


 • A reboot is not required following installation.
 • SEM Agents are installed in the /usr/local/contego/ContegoSPOP folder by default.

Run the SEM Agent Installer on Linux or Unix


 1. Copy SolarWinds-SEM-Agent-LinuxInstaller.bin to a local or network location.
 2. cd to the folder that contains the installer.
 3. Enter chmod +x SolarWinds-SEM-Agent-LinuxInstaller.bin to make the installer executable.
 4. Run SolarWinds-SEM-Agent-LinuxInstaller.bin as root.
 5. Press Enter to start the installer.
 6. Press Enter to page through the End User License Agreement, and then enter y to accept the
terms if you agree.
 7. Enter a custom installation path, or press Enter to accept the default (recommended).
 8. Enter the hostname of your SEM Manager.

Use the fully qualified domain name for your SEM Manager when you deploy SEM Agents
on a different domain. For example, enter SEMhostname.example.com.

 9. Press Enter twice to accept the default port values, and then press Enter again to proceed.
 10. Review the Pre-Installation Summary, and then press Enter to proceed.
 11. Once the installer finishes, press Enter to exit the installer.

The SEM Agent begins sending alerts to your SEM Manager immediately. To configure the SEM
Agent to start automatically on boot, add /etc/init.d/swsem-agent (or swsem-agent) to your list
of startup scripts.

Next steps:

 • See Verify the SEM Agent connection to test that the Agent connected to the SEM Manager.

To uninstall the SEM Agent on Linux or Unix


 1. Log in to your Linux computer as root.
 2. Stop the SolarWinds SEM Agent service.
 3. Delete the /usr/local/contego/ContegoSPOP folder.
 4. Remove any startup scripts you added for the Agent.

Install the SEM Agent on macOS X


See SEM Agent pre-installation checklist: Prepare to deploy SEM Agents for Agent download
information and a pre-install checklist.

SEM does not currently support USB defender on macOS X.

Installation notes
 • Installing the SEM Agent on macOS requires enabling the 'root' user account and disabling
   System Integrity Protection (SIP). Not doing so will prevent the Agent from running properly.
 • This procedure applies to SEM versions 6.4 and later.

Enable root credentials, disable SIP, and download and install the Agent
 1. Enable root credentials on the Apple Mac system.

See How to enable the root user on your Mac or change your root password for details.

 2. Disable System Integrity Protection (SIP) on the Mac system.

    See System Integrity Protection (SIP) is preventing install of SEM Agent on macOS X
    10.x and later for details.

    You can also run sudo nvram "recovery-boot-mode=unused" in Terminal to reboot into
    recovery.

 3. Download the SolarWinds-SEM-v#.#.#-MacOSAgentInstaller.zip file from the Customer Portal.
 4. Decompress or unzip the file to a local drive (not a network drive).
 5. Navigate to the correct directory path using Finder in the GUI.
    If you are logged in as root, enter:
    cd /Users/<username>/SolarWinds-SEM-v#.#.#-MacOSAgentInstaller/MacOS

    If you are not logged in as root, enter:
    cd /private/var/root/SolarWinds-SEM-v#.#.#-MacOSAgentInstaller/MacOS Agent/

 6. Log in as root or as your current user.
 7. Double-click the Setup.app file on the Macintosh system.
 8. Follow the installer instructions. During the installation, add the Manager IP (the IP address of
    SEM), leave all ports at their defaults, and click Next until finished.
 9. Open Terminal.
 10. For Catalina (10.15) ONLY, remount the file system as writable (not read only):
    sudo mount -uw /
 11. Copy the SEM Agent to the correct startup path to have it initialize upon reboot.
    If the installer was run with the root account, run the following commands to copy the folder:
    cp -rp /private/var/root/Applications/SWSEMAgent /System/Library/StartupItems/
    cp -rp /private/var/root/Applications/SWSEMAgent /Applications/

    If the installer was not run as root, run the following commands:
    cp -rp /Users/<username>/Applications/SWSEMAgent /System/Library/StartupItems/
    cp -rp /Users/<username>/Applications/SWSEMAgent /Applications/

 12. Navigate to the PLIST file packaged with the installed Agent by executing the following
command:
cd /System/Library/StartupItems/StartupFiles/SWSEMAgent

 13. Copy the PLIST file to the LaunchDaemons folder.


cp -rp com.solarwinds.swsemagent.plist /Library/LaunchDaemons/

 14. If necessary, change the permissions on the PLIST file. This only needs to be completed if the
PLIST file is moved with a non-root account.
    chown root:wheel /Library/LaunchDaemons/com.solarwinds.swsemagent.plist

 15. Restart the computer.


 16. Verify that the agent is running by running the following command:
launchctl list | grep swsemagent

Start and stop the Mac Agent Service

 • To start the Mac Agent Service, execute:
   launchctl load /Library/LaunchDaemons/com.solarwinds.swlemagent.plist

 • To stop the Mac Agent Service, execute:
   launchctl unload /Library/LaunchDaemons/com.solarwinds.swlemagent.plist

Verify that the Agent service is running

 • Run the following command:
   launchctl list | grep swlemagent

 • If the Agent Service is running, the output looks like this:
   Mac-mini:~ root# 865 0 com.solarwinds.swlemagent

 • If the Agent Service is not running, the output is blank:
   Mac-mini:~ root#


Install the SEM Agent on Windows


The Windows Agent installer allows you to install SolarWinds Security Event Manager Agents locally
on a variety of Windows operating systems. Once installed, the SEM Agent automatically starts and
connects to your SEM Manager.

Installer notes

 • The Local Agent Installer is Windows-only.
 • SEM Agents are installed to the following folders:

   Bitness   Installation Folder
   32-bit    C:\Windows\system32\ContegoSPOP
   64-bit    C:\Windows\sysWOW64\contegoSPOP

 • A reboot is not required.

Antivirus Recommendations

Set an exception in your antivirus or anti-malware scanning software for the ContegoSPOP folder
where the SEM Agent will be installed. The alerts are kept in queue files, which change constantly as
they are normalized and encrypted.

Turn off any anti-malware or endpoint protection applications on host systems during the
installation process, as they can affect the process by which installation files are transferred to the
hosts.

Warning: Uninstall the old version of the SEM Agent before upgrading to the new version.

If you are using a trial version of SEM, download the SEM Agent installer from the SEM console
(Nodes > Nodes > Add agent node), or contact SolarWinds for assistance.

 1. Download the installer from the SolarWinds Customer Portal. Log in with your SWID if
necessary.
 2. Find SEM in the product list, and then select and download the Local Agent Installer from the
Agent Downloads list.
 3. Extract the contents of the installer ZIP file to a local or network location.
 4. Run setup.exe, and then click Next to start the installation wizard.
 5. Accept the End User License Agreement if you agree, and then click Next.
 6. Enter the hostname of your SEM Manager in the Manager Name field, and then click Next.

 7. Do not change the default port values.

Note: Use the fully qualified domain name for your SEM Manager when you deploy SEM
Agents on a different domain. For example, enter SEMhostname.SolarWinds.com.

 8. Confirm the Manager Communication settings, and then click Next.
 9. Specify whether or not you want to install USB-Defender with the SEM Agent, and then click
    Next. The installer includes USB-Defender by default. To omit it from the installation, clear
    the Install USB-Defender box.

    Note: We recommend installing USB-Defender on every system. USB-Defender will never
    detach a USB device unless you have explicitly enabled a rule to do so. By default, USB-
    Defender simply generates alerts for USB mass storage devices attached to your SEM
    Agents.

 10. Confirm the settings on the Pre-Installation Summary, and then click Install.
 11. Once the installer finishes, it will start the SEM Agent service when you click Next.
 12. Inspect the Agent Log for any errors, and then click Next.
 13. Click Done to exit the installer.

The SEM Agent continuously runs on your computer unless you uninstall or manually stop it. It
begins sending alerts to your SEM Manager immediately.

In new installations of SEM (6.7 and newer), corresponding agent versions communicate by
default using a secure certificate, which no longer requires TLS 1.0, 3DES, or anonymous
cipher suites. If you need to connect to earlier agent versions, navigate to the SEM Console
security tab (Settings > Security), and switch the toggle button to enable lower security settings.

Run the SEM Remote Agent Installer for large Windows deployments
The Remote Agent Installer allows you to install the SEM Agent on multiple Windows computers
without the need to step through an installation wizard. Once installed, the SEM Agent automatically
starts and connects to the SEM Manager.

See SEM Agent pre-installation checklist: Prepare to deploy SEM Agents for Agent download
information and a pre-install checklist.


Installation notes for the Remote Agent Installer

 l The Remote Agent Installer is Windows-only.
 l You will need a user account with privileges to write to Windows administrative shares such as
C$ or D$.
 l SEM Agents are installed to the following folders:

Bitness   Installation Folder
32-bit    C:\Windows\system32\ContegoSPOP
64-bit    C:\Windows\sysWOW64\contegoSPOP

 l If you are installing SEM Agents on the far end of a WAN link, copy the Remote Agent Installer
executable to the end of the WAN link and run it there. This will avoid using your WAN
bandwidth to copy SEM Agents multiple times.
 l A reboot is not required.
 l NetBIOS – If not enabled, the Remote Agent Installer will require a text file of available hosts
with each IP address or hostname on its own line.

Run the SEM Agent installer for Windows

 1. Extract the contents of the installer ZIP file to a local or network location.
 2. Run the .exe file.
 3. Click Next to start the installation wizard.
 4. Accept the End User License Agreement if you agree, and then click Next.
 5. Specify a temporary folder on your computer to use for the installation process and click Next.
The default is C:\SolarWindsSEMMultiInstall.
 6. Enter the hostname of your SEM Manager in the Manager Host field, and then click Next. Do
not change the default port values.

Use the fully qualified domain name for your SEM Manager when you deploy SEM Agents
on a different domain. For example, enter SEMhostname.example.com.

 7. Select Get hosts automatically or Get hosts from file (One host per line), and then click OK.
 l Get hosts automatically uses a NetBIOS broadcast to identify hosts on the same subnet
and domain as the computer running the installer.
 l Get hosts from file (One host per line) prompts you to browse for a text file that includes
the hosts on which you want to install SEM Agents. Use this option for any of the
following reasons:
 o You are deploying SEM Agents to computers on a different subnet than that on
which the computer running the installer resides. Your computer may be able to
access these subnets, but their hosts will not be recognized by the NetBIOS
broadcast used to get hosts automatically.
 o You are deploying SEM Agents to a small segment of a large network, which could
make choosing them from a list time prohibitive.
 o You are deploying SEM Agents in a network with a complex naming scheme, which
could make choosing hosts from a list time prohibitive.

The text file used for this option can contain hostnames, fully qualified domain names, or
IP addresses, each on its own line. If DNS names are used, the computer running the
installer must be able to resolve them.

 8. Select the check boxes next to the computers on which you want to install a SEM Agent, and
then click Next.
 9. Confirm the list is correct, and then click Next.
 10. Specify the Windows destination for the remote installation.
 l The default paths are provided for all supported Windows systems. We strongly
recommend using the default paths, as the SEM Agent may not be recognized as a service
by Windows if it is not installed in a system folder.
 l The installer is set to automatically detect host operating systems by default, but you can
also specify an operating system if all of the target hosts are running the same one.
 11. Click Next.
 12. Specify whether or not you want to install USB-Defender with the SEM Agent, and then click
Next. The installer will include USB-Defender by default. To omit this from the installation, clear
the Install USB-Defender option box.

SolarWinds recommends installing USB-Defender on every system. USB-Defender will
never detach a USB device unless you have explicitly enabled a rule to do so. By default,
USB-Defender simply generates alerts for USB mass storage devices attached to your
SEM Agents.


 13. Confirm the settings on the Pre-Installation Summary, and then click Install.
 14. Once the installer finishes, it will start the SEM Agent service when you click Next.
 15. Inspect the Agent Log for any errors, and then click Next.
 16. Click Done to exit the installer.

The SEM Agent continues running on your computer unless you uninstall or manually stop it. It
begins sending alerts to your SEM Manager immediately.

Next steps:

 l See Verify the SEM Agent connection to test that the Agent connected to the SEM Manager.
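The "Get hosts from file" option in step 7 needs a text file with one host per line, and any DNS names in it must resolve from the machine running the installer. The following PowerShell script is an added example, not part of the SolarWinds guide; it builds such a file from a constructed list of candidate hosts and drops any name this machine cannot resolve. The host names and the output path are placeholders.

```powershell
# Added example (not from the SolarWinds guide): build the one-host-per-line file for the
# Remote Agent Installer and verify DNS resolution from this machine first.
# The candidate names and the output path below are constructed placeholders.
$Candidates = @('ws-finance-01.example.com', 'ws-finance-02.example.com', '10.0.5.27')
$OutFile    = 'C:\SEMAgentInstall\sem-hosts.txt'

$resolved = foreach ($h in $Candidates) {
    # Plain IP addresses need no lookup; pass them through unchanged.
    if ($h -match '^\d{1,3}(\.\d{1,3}){3}$') { $h; continue }
    try {
        # Throws if the name does not resolve from this host, which the guide requires.
        [void][System.Net.Dns]::GetHostAddresses($h)
        $h
    } catch {
        Write-Warning "Skipping $h : DNS lookup failed from this host"
    }
}

# One entry per line, ASCII, no duplicates. Set-Content terminates each line for us.
$resolved | Select-Object -Unique | Set-Content -Path $OutFile -Encoding Ascii
Write-Host "$(@($resolved).Count) of $($Candidates.Count) hosts written to $OutFile"
```

Point the installer at the resulting file when it prompts for a host list; hosts that were skipped are reported as warnings so you can fix DNS before rerunning.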

Run the SEM Local Agent Installer for large Windows deployments
The Local Agent Installer allows you to install the SEM Agent without the need to step through an
installation wizard. This option is only available for Windows systems.

You can run the Local Agent Installer using software distribution policies or local logon scripts. This
method is an alternative to the Windows-only Remote Agent Installer in large deployment scenarios.

This procedure only works with the local installer. Do not use the Remote Agent Installer for
this task.

Installation notes
See SEM Agent pre-installation checklist: Prepare to deploy SEM Agents for Agent download
information and a pre-install checklist.

There are three steps to using the Local Agent Installer to install the SEM Agent. Each step is
described in detail in the sections below.

 1. Download the Local Agent Installer.
 2. Configure a custom installer.properties file that contains your environmental variables.
 3. Run the Local Agent Installer.

See Run the SEM Remote Agent Installer for large Windows deployments for more information about
installing the SolarWinds SEM Agent.

Download the Local Agent Installer
 1. Download the installer from the SolarWinds Customer Portal:
 a. Log in to the Customer Portal.
 b. Navigate to the License Management page.
 c. Locate SEM in the product list, and then click Choose Download.
 d. Download the Local Agent installer for Windows. Find the appropriate installer on the list.

Be sure you download the Local Agent Installer. You cannot use the Remote Agent
Installer for this task.

 2. Extract the contents of the installer ZIP file to a local or network location.
 3. Copy SolarWinds-SEM-2020.4-Agent-WindowsInstaller.exe to a known location.

Configure a custom installer.properties file

 1. Open a text editor and create a file with the following lines, followed by a carriage return:
MANAGER_IP=<SEMManagerHostname>
INSTALLER_UI=silent
INSTALL_USB_DEFENDER=<n>

Where:
 l <SEMManagerHostname> is the hostname or IP address of the SEM appliance.
 l INSTALLER_UI=silent runs the installer in silent mode.
 l <n> is 0 or 1. Specify 0 if USB-Defender should not be installed, or 1 if USB-Defender
should be installed.
 2. Verify that a blank line with a carriage return follows the INSTALL_USB_DEFENDER entry.

A blank line with a carriage return after the INSTALL_USB_DEFENDER entry is required for
the file to work correctly.

The contents of the file should look similar to this:

MANAGER_IP=swi-sem
INSTALLER_UI=silent
INSTALL_USB_DEFENDER=0


 3. Save the file as installer.properties in the same folder as the .exe file.


Run the Local Agent Installer

 1. Verify that the .exe file and installer.properties are located in the same folder.

UNC paths should not be used during this installation.

 2. Run the command setup -i silent from the folder that contains the two installer files (your
current directory must be that folder). The command immediately returns to the command
prompt.

Right-click the installer file and select Run as administrator.

The SEM Agent starts automatically and continues running until you uninstall or manually stop
the Agent. It begins sending alerts to your SEM Manager immediately. The SEM Agent should
also appear in Add/Remove Programs.

Next steps:
 l See Verify the SEM Agent connection to test that the Agent connected to the SEM
Manager.
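The three steps above (write installer.properties with its trailing blank line, run the installer silently from that folder, confirm the Agent appears in Add/Remove Programs) are the kind of thing a logon script or software-distribution job has to get right every time. The following PowerShell script is an added example, not code from the SolarWinds guide; it assumes a local (non-UNC) staging folder, a placeholder SEM Manager hostname, and that the installed product's Add/Remove Programs entry contains "SolarWinds" in its display name.

```powershell
# Added example (not from the SolarWinds guide): unattended Local Agent install.
# Placeholders: $InstallDir, $ManagerHost. The installer file name is the one the guide lists.
$InstallDir  = 'C:\SEMAgentInstall'
$Installer   = 'SolarWinds-SEM-2020.4-Agent-WindowsInstaller.exe'
$ManagerHost = 'sem.example.com'        # placeholder: FQDN or IP of your SEM Manager
$InstallUsbDefender = 1                 # 1 = install USB-Defender, 0 = skip it

# The guide says UNC paths must not be used for this installation.
if ($InstallDir.StartsWith('\\')) { throw "Use a local folder, not a UNC path: $InstallDir" }
if (-not (Test-Path (Join-Path $InstallDir $Installer))) { throw "Installer not found in $InstallDir" }

# Build installer.properties exactly as the guide specifies: CRLF line endings and a blank
# line (an extra carriage return) after the INSTALL_USB_DEFENDER entry.
$lines = @(
    "MANAGER_IP=$ManagerHost",
    "INSTALLER_UI=silent",
    "INSTALL_USB_DEFENDER=$InstallUsbDefender"
)
$content   = ($lines -join "`r`n") + "`r`n`r`n"
$propsPath = Join-Path $InstallDir 'installer.properties'
[System.IO.File]::WriteAllText($propsPath, $content, [System.Text.Encoding]::ASCII)
if (-not $content.EndsWith("`r`n`r`n")) { throw 'installer.properties lacks the required trailing blank line' }

# Run elevated from the folder holding both files, as the guide directs. -Wait lets the
# script check the exit code instead of returning immediately like the interactive command.
Push-Location $InstallDir
try {
    $proc = Start-Process -FilePath (Join-Path $InstallDir $Installer) `
                          -ArgumentList '-i', 'silent' -Verb RunAs -Wait -PassThru
    if ($proc.ExitCode -ne 0) { Write-Warning "Installer exited with code $($proc.ExitCode)" }
}
finally { Pop-Location }

# Confirm the Agent is registered in Add/Remove Programs (assumed display-name pattern).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
Get-ChildItem $uninstallKeys -ErrorAction SilentlyContinue |
    Get-ItemProperty |
    Where-Object { $_.DisplayName -like '*SolarWinds*' } |
    Select-Object DisplayName, DisplayVersion
```

If the final query returns nothing, inspect the Agent log before retrying; a non-zero exit code from the installer is the first place to look.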

Verify the SEM Agent connection

After you install the SEM Agent on your Agent nodes, verify that the Agent connected to the SEM
Manager.

SEM console

 1. On the SEM Console, click the Nodes tab.
 2. Under Refine results, click the Agent and Connected check boxes.

 3. In the agent node list, ensure all connected nodes display a green check mark indicator.

SEM legacy Flash console

To download a SEM Agent installer from the SEM legacy Flash console

Adobe will stop distributing and updating Flash Player after December 31, 2020. Please visit
the Adobe Flash Player EOL General Information Page (Copyright © 2020 Adobe, retrieved
November 5, 2020) for information.

 1. Open the SEM legacy Flash console.
 2. Choose from the following options:
 l Click Ops Center, go to the Getting Started widget, and click Add Nodes to Monitor.
 l Click Manage > Nodes. Click Add Node, then click Agent Node.
 3. Click an Agent to download it.


 1. Open the SEM legacy Flash console.
 2. Click Manage > Nodes.
 3. In the Nodes grid, ensure that all connected nodes include a green status indicator.

For help troubleshooting SEM Agents, see Troubleshoot SEM Agents and network devices
in the SEM Administrator Guide.

Next steps:
 l Configure SEM Agents after they are installed in the SEM Administrator Guide.
 l If you have similar SEM Agents installed, see Create connector profiles to manage and
monitor SEM Agents in the SEM Administrator Guide.

Install the SEM reports application
This section describes how to install the optional SEM reports application on either a separate server
or on a workstation. The reports application allows you to produce over 200 standard and
industry-specific reports.

Pick a suitable host for the reports application

You can install the SEM reports application on as many servers and workstations as you require.
Install the SEM reports application on a system that runs overnight. This is important because the
daily and weekly start time for these reports is 1:00 AM and 3:00 AM, respectively. It's also important
that you install the reports application on a system that can access the SEM database.

See the SEM system requirements in the Installation Guide for additional requirements.


Install the SEM reports application

The SEM reports application requires the free Crystal Reports runtime application. There are two
ways to install the SEM reports application:

 l You can run the reports application installer included in the SolarWinds Security Event Manager
distribution package. The installer installs Crystal Reports and the SEM reports application
together.
 l You can download Crystal Reports and the SEM reports application individually from the
SolarWinds Customer Portal. You will need to install each application one at a time. This may
be necessary if your Windows security settings prevent you from running the other installer.

Install the SEM reports application provided in the SEM distribution package
This installer also installs the Crystal Reports Runtime.

 1. If necessary, copy the SolarWinds Security Event Manager installation folder to a local drive
and open the folder.
 2. Right-click the file Install Next - SEM Reporting Software.exe, and then select Open.
A dialog box appears prompting you to allow the app to make changes to your device.
 3. Click Yes to continue.
The Welcome screen appears.
 4. Click Next, and then review the Requirements for Installation.
 5. Click Next, and then click Begin Install to start the installation process.
 6. When the Installation Complete dialog displays, click Close.

Install the SEM reports application files downloaded from the Customer Portal
Complete these steps if you were not able to install the SEM reports application using the installer
included in the SolarWinds Security Event Manager distribution package.

Before you begin: Download the SEM reports application and the Crystal Reports Runtime installers
from the SolarWinds Customer Portal.

 1. Run the Crystal Reports Runtime installer and complete the installation steps.
 2. Run the SEM reports application installer and complete the installation steps.

 3. When the installation is complete, click Close.

The SEM reports application is installed on your system.

Connect the SEM reports application to your SEM database

When you enter a SEM Manager IP address into the SEM reports application, you create a connection
between the reports application and the SEM database server running on the SEM Manager VM.

Before you begin: You will need the IP address of the SEM VM and your SEM console login
credentials.

 1. Right-click the Reports application icon on your desktop and select Run as administrator.
 a. Right-click the Reports shortcut and select Properties.
 b. Click Advanced and select the Run as administrator option.
 c. Click OK.
 d. In the reports Properties window, click OK.
 2. Click Yes in the antivirus dialog box to continue.
 3. Click OK in the information box to create a list containing at least one Manager.
 4. Enter the hostname or IP address of your SEM appliance in the Manager Name field.

Whenever you see Manager in reference to SEM, it usually refers to the IP address or
hostname of your virtual appliance.


 5. Enter the username and password used to log in to the SEM console.

You can audit users accessing the reporting server running on the SEM VM. Only users
with admin, auditor, or reports roles can run reports on the SEM database.

 6. (Optional) Select the Use TLS connection check box to use the transport layer security protocol
for a secure connection.
 7. Click Test Connection to verify the connection between the SEM database server and the SEM
reports application.
The reports application pings the SEM database and verifies the connection. If the ping is
successful, Ping Successful displays in the dialog box.

 8. Click to add the IP address to your SEM Manager list, and then click Yes to confirm.
 9. Click Close.
The reports application is connected to your SEM database and displays on your screen.
