Contents Copyright © 1995-2015 SolarWinds Worldwide, LLC. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the written consent of SolarWinds. All right, title, and interest in and to the software and documentation are and shall remain the exclusive property of SolarWinds and its respective licensors. SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. The SolarWinds, the SolarWinds & Design, ipMonitor, LANsurveyor, Orion, and other SolarWinds marks, identified on the SolarWinds website, as updated from SolarWinds from time to time and incorporated herein, are registered with the U.S. Patent and Trademark Office and may be registered or pending registration in other countries. All other SolarWinds trademarks may be common law marks or registered or pending registration in the United States or in other countries. All other trademarks or registered trademarks contained and/or mentioned herein are used for identification purposes only and may be trademarks or registered trademarks of their respective companies. Microsoft®, Windows®, and SQL Server® are registered trademarks of Microsoft Corporation in the United States and/or other countries. 
LEM 6.1 Quick Start Guide (2/3/15)

Contents

Chapter 1: Introduction
Chapter 2: Installing LEM
Chapter 3: Requirements
Chapter 4: Installing the Virtual Appliance
    Deploying LEM Using VMware vSphere
    URLs that are Supported and Not Supported
    Deploying LEM Using Microsoft Hyper-V
Chapter 5: Going from Evaluation to Production
    Installing the License Using the Web Console
    VM Resource Reservations
        vSphere Reservation Settings
        LEM Reservations within the Hyper-V Console (2008 and 2012)
            RAM Memory Settings
            Processor/CPU Settings for 2008
            Processor/CPU Settings for 2012
    Activating the Virtual Appliance Using vSphere/Hyper-V SSH-type Console
    Reconnecting the Virtual Appliance to the Desktop Software
    SSL Certificate
    Resolving the Hostname

Chapter 1: Introduction

SolarWinds Log & Event Manager (LEM) is a state-of-the-art virtual appliance that adds value to existing security products and increases efficiency in administering, managing and monitoring security policies and safeguards on your network.

SolarWinds LEM is based on new concepts in security. You can think of it as an immune system for computers: a system distributed throughout your network to several "points of presence" that work together to protect and defend your network. SolarWinds LEM responds with focus and speed to a wide variety of threats, attacks, and other vulnerabilities.

SolarWinds LEM collects, stores and normalizes log data from a variety of sources and displays that data in an easy-to-use desktop or web console for monitoring, searching, and active response. Data is also available for scheduled and ad hoc reporting from both the LEM Console and the standalone LEM Reports console.

Some common use cases for SolarWinds LEM include the following:

- Correlating network traffic from a variety of sources using filters and rules.
- Visualizing log data in dynamic graphs, charts and other widgets.
- Monitoring USB mass storage device activity on network Agents.
- Responding to countless threats, attacks and other vulnerabilities with easy-to-use point-and-click and automated active responses.
- Searching normalized log data for events of interest.
- Change management and other security-related reporting for management and auditors.

Chapter 2: Installing LEM

SolarWinds Log & Event Manager is a two-part installation requiring you to install its two components separately. Install the virtual appliance first, followed by the desktop software component.

A complete LEM installation includes the following components:

- The virtual appliance, which collects and processes log and event information.
- The desktop software, which lets you view the information from a desktop or laptop.

What is the difference between a virtual appliance and desktop software?

- A virtual appliance (also called an OVF template) functions more or less like a virtual machine, and it appears as a virtual machine in vSphere. Deploy the virtual appliance using vSphere; the OVA file must be deployed from within vSphere for it to work.
- The desktop software runs on a machine's operating system. It is installed by double-clicking an executable (.exe) file, which then displays the install screens.

Chapter 3: Requirements

This section discusses software and hardware requirements. Before installing, make sure your hardware and software meet these minimum requirements.
The following table provides the minimum installation requirements for the virtual appliance:

Software/Hardware          Requirements
Virtualization Platform    - vSphere 4 or later
                           - Microsoft Hyper-V 2008 R2
                           - Microsoft Hyper-V 2012
CPU Speed                  2 GHz
Memory                     8 GB
Hard Drive Space           - 250 GB for a small deployment
                           - 2.0 TB advised for a larger deployment

The following table provides the minimum installation requirements for the SolarWinds LEM desktop console software and reports:

Software/Hardware          Requirements
Operating System           - Windows XP
(Desktop Console &         - Windows Vista
Reports)                   - Windows 7
                           - Windows 8
                           - Windows Server 2003
                           - Windows Server 2008
                           - Windows Server 2008 R2
CPU Speed                  1 GHz Pentium III or equivalent
Memory                     1 GB
Hard Drive Space           5 GB
Environment Variables      The ability to install all software with administrator rights

The following table provides the minimum installation requirements for the SolarWinds LEM web console:

Software/Hardware          Requirements
Adobe Flash                Flash Player 15
Supported Browsers         - Internet Explorer 8 and later
                             Note: The web console cannot run on Internet Explorer 10 on Windows Server 2012.
                           - Mozilla Firefox 10 and later
                           - Google Chrome 17 and later

Chapter 4: Installing the Virtual Appliance

This chapter discusses installing the SolarWinds LEM virtual appliance. The files in each executable contain the virtual appliance image for deploying SolarWinds Log & Event Manager using either VMware vSphere or Microsoft Hyper-V.

Preparing the Installation Files

Double-click the SolarWinds Log and Event Manager.exe file to extract the application files to a folder on your desktop. Follow the prompts shown in the Quick Start: Log and Event Manager screen.

Deploying LEM Using VMware vSphere

Deploy LEM using VMware vSphere version 4 or higher.

Note: If you are using a non-US keyboard, use SSH to input the settings.

Installing the virtual appliance using the vSphere Client:

1. Start the VMware vSphere Client and log on with VMware administrator privileges.
2. Click File > Deploy OVF Template.
3. Click Browse to select the Deploy First – LEM Virtual Appliance.ova file in the SolarWinds Log & Event Manager folder on your desktop, and then click Next.
4. Complete the setup wizard.
5. Select Thin provisioned as the disk format, and then click Next.
6. Select the network to be mapped to the network interface card, and then click Next.
7. Click Finish after the OVF deployment completes successfully.
8. Select the SolarWinds Log and Event Manager virtual appliance and then click Play.
9. Click the Console tab.
10. To start the LEM web console, launch a web browser and enter the Web Console URL shown in the Console tab.

URLs that are Supported and Not Supported

URLs that are supported                       URLs that are NOT supported
http://<insert IP Address here>               http://<insert IP Address here>
https://<insert IP Address here>              http://<insert Hostname here>:8080/lem
http://<insert IP Address here>:8080/lem      https://<insert Hostname here>
https://<insert IP Address here>:8443/lem     https://<insert Hostname here>:8443/lem

Deploying LEM Using Microsoft Hyper-V

1. Open Hyper-V Manager.
2. Click Action > Import Virtual Machine.
3. Click Browse to open the SolarWinds Log and Event Manager folder extracted to the desktop during installation.
4. Select the SolarWinds Log & Event Manager folder.
   Note: Windows 2012 R2 users should select the Virtual Machines 2012 R2 directory when importing the virtual machine.
5. Click Select Folder.
6. Select Copy the virtual machine... and Duplicate all files... on the Import Virtual Machine window, and then click Import.
7. Right-click the newly created SolarWinds Log & Event Manager virtual appliance and select Settings.
8. Specify the Network Adapter for the VM, and then click OK to save the settings.
9. Select the SolarWinds Log & Event Manager virtual appliance and then click Action > Connect.
10. In the virtual console window, click Action > Start and wait for the virtual appliance to start.
11. Write down the IP Address of the virtual appliance, which is displayed after the virtual appliance starts up.

Note: To start the LEM web console, launch a web browser and enter the Web Console URL shown in the Virtual Machine Connection screen. For more information, see URLs that are Supported and Not Supported above.

Configuring a Static IP Address

To configure a static IP Address:

1. Start the Client and log on with administrator privileges.
2. Arrow down to Advanced Configuration, and then press Enter.
3. At the cmc> prompt, enter appliance.
4. At the cmc::acm# prompt, enter netconfig.
5. At the prompt, enter static.
6. Follow the prompts to configure the remaining network settings.

Note: An entry is required for each prompt. Leaving an entry blank results in a bad network configuration, and the netconfig command must be run again.

Installing the LEM Reports

After installing the virtual appliance, install the SolarWinds Log & Event Manager Reports from the Quick Start: Log and Event Manager splash screen.

Installing the SolarWinds LEM Reports:

1. Click the Install Desktop Software button.
2. Click Run.
3. Click Next.
4. Review the Requirements for Installation information, and then click Next.
5. Click Begin Install to begin the installation process.
6. Click Next.
7. Click Finish.

Connecting to the Web Console

When you have installed the LEM Reports, you are ready to connect to the LEM web console.
To access the web console:

1. Launch a web browser and enter the Web Console URL provided during the configuration of VMware vSphere or Microsoft Hyper-V.
2. Click Connect.

Installing the LEM Desktop Console Software

If you do not wish to use the LEM web console, you can install the LEM desktop console software. The LEM desktop console software is a Windows application that can be installed on any computer that meets the system requirements.

Installing the SolarWinds LEM desktop software:

1. Download the Adobe AIR Runtime for Windows and Log & Event Manager Console zip files from the Downloads section of the Customer Portal on SolarWinds.com.
2. Extract the contents of SolarWinds-LEM-v6.1.0-Console.zip and double-click the LEM Console installer.
3. Click Install.
4. Specify your installation preferences.
5. Click Continue to begin the installation process.
6. If you did not instruct the console to open after installation, open the desktop console.
7. Accept the End User License Agreement, and then click OK.
8. Enter the IP Address of the virtual appliance, and then click Connect.
   Note: The LEM desktop software requires that you change your LEM password after installation. This password must be between 6 and 40 characters, and must contain at least one capital letter and one number.
9. Enter your email address to use the SolarWinds Improvement Program, which sends anonymous data about your usage to SolarWinds. If you do not wish to participate, clear the check box.
10. Click Save.

Chapter 5: Going from Evaluation to Production

The evaluation version of SolarWinds Log & Event Manager can be upgraded to a fully functional production version after purchasing a license from SolarWinds.com.
The following steps must be completed in this order to activate and license the virtual appliance and desktop software correctly:

- Installing the License Using the Web Console
- Activating the Virtual Appliance Using vSphere/Hyper-V SSH-type Console
- SSL Certificate
- Reconnecting the Virtual Appliance to the Desktop Software

Installing the License Using the Web Console

1. In the LEM Console, navigate to Manage > Appliances.
2. Click the License tab in the Properties area.
3. Select the Manager to be licensed.
4. Enter the License Key in the Key field.
   Note: Administrator privileges are necessary to perform this operation.
5. Enter your Name, Email, and Phone.
6. Click Activate.
7. Click OK when the license has been successfully activated.

VM Resource Reservations

This section discusses disk space requirements and the VM resource "reservations" needed for proper operation. The deployment default for LEM is 250 GB. For larger deployments, 2.0 TB may be required, which is available when using ESX(i) 4/5+ and Hyper-V 2008 R2.

LEM deployment requires "reservations" for system resources in the virtual environment. LEM has nearly 500 connectors to receive traffic from a multitude of different devices on a network. The type of traffic varies depending on the device sending it, and the volume of traffic varies depending on the audit and log settings on those devices. This traffic is typically a continuous stream that fluctuates slightly with changes in user needs, server usage, and network activity.

LEM data is received by connectors, presented in the console Monitor area, passed through the rules engine for specified actions, and then pushed into a database for retrieval by the reports application or the nDepth search function. To accommodate processing the data in real time, LEM requires reservations from the VM host.
When the volume of traffic exceeds 15 million events per day, the reservations need to be increased. The LEM Reports application determines the volume of traffic per day and the "span of time" that the database allows. Contact SolarWinds Technical Support for assistance in setting the appropriate reservations. By default, LEM deploys with 8 GB of RAM and 2 CPUs on both ESX and Hyper-V platforms.

vSphere Reservation Settings

When using VMware, the reservations can be viewed under the vSphere settings for the LEM appliance.

To view the reservation settings in vSphere:

1. Log in to vSphere.
2. View Settings/Reservations.
3. Select the desired LEM appliance from the list.
4. Click the Summary tab to view the number of CPUs.
   Note: The Provisioned Storage in the Resource area is the total disk space LEM can use.
5. Select the Resource Allocation tab, and note the CPU reservation on the left and the Memory reservation on the right.
6. At the bottom left, the CPU reservation should show 2.0 GHz (the limit is typically unlimited).
   Note: Some documents show 3.0 GHz, but 2.0 GHz is the minimum setting. A 3.0 GHz reservation is possible; settings beyond that are not covered by the available VMware documentation.
7. At the bottom right, the Memory reservation should show 8.0 GB (the limit is typically unlimited).
   Note: The Configured value must be at least equal to (or higher than) the reservation.
8. You may see Memory reservations as high as 64 GB of RAM (for customers with over 150 million events per day).

Alternatively:

1. Open a PuTTY session (or the vSphere console).
2. Enter the "manager" menu.
3. Enter the "viewsysinfo" command.
4. View the "CPU > Reservation" and the "Memory Reservation."

LEM Reservations within the Hyper-V Console (2008 and 2012)

RAM Memory Settings

- Static RAM set to 8 GB, 16 GB, 24 GB, or 32 GB.
- Memory Weight must be set to High.

Processor/CPU Settings for 2008

1. Set the number of processors: 2, 4, 6, 8, 10, or 12.
2. Set the VM reserve CPU cycles to 100%.
3. Set the Limit CPU cycles to 100%.
4. Set the relative weight for CPU to 100%.

Processor/CPU Settings for 2012

1. Set the CPU Priority to High.
2. Set the Reserve CPU cycles to 100%.
3. Set the Limit CPU cycles to 100%.

Activating the Virtual Appliance Using vSphere/Hyper-V SSH-type Console

1. On the virtual appliance, click the Console tab, and then scroll to the bottom of the page.
2. Using the arrow keys, navigate to Advanced Configuration, and then press Enter.
3. At the cmc> prompt, enter appliance.
4. The prompt changes to cmc::acm#, indicating you are in the appliance configuration menu.
5. At the cmc::acm# prompt, enter activate.
6. Enter and validate the password.
7. Select Yes to specify a Static IP (recommended), and then set the following properties:
   - IP Address
   - Subnet Mask
   - Gateway
   - Fully qualified domain name of the DNS domain
   - DNS server IP address
8. Select Yes to specify a hostname, or No to accept the default hostname. The following hostname conventions apply:
   - Standard hostname naming conventions must be observed.
   - Hostname labels may contain only the ASCII letters a through z (in a case-insensitive manner), the digits 0 through 9, and the hyphen (-).
   - Hostnames cannot start with a digit or a hyphen, and must not end with a hyphen.
   - No other symbols, punctuation characters, or white space are permitted.
9. Select Yes to specify a whitelist of IP addresses that can access reports. This is the recommended setting.
   Note: Enter viewnetconfig at the cmc::acm# prompt to confirm the network configuration entered above.
10. To ensure secure communication between the desktop software and the virtual appliance, the SSL certificate is automatically exported from the virtual appliance after activation is completed. Follow the prompts to export the certificate to a network share.
Reconnecting the Virtual Appliance to the Desktop Software

After activating the license on the virtual appliance, the desktop software automatically attempts to reconnect. If it has been disconnected, or if the hostname changed, you need to delete and re-add your appliance under Manage > Appliance in the desktop software.

SSL Certificate

Note: This procedure is only applicable for the desktop console. Exporting the SSL certificate during activation is only necessary if you plan to use the "Adobe AIR" version of the LEM console instead of the web-based console, which imports the SSL certificate automatically.

After activation, the LEM Console connects to the virtual appliance using secure communications.

To import the virtual appliance CA SSL certificate into the certificate store:

1. Locate and double-click the certificate on the network share.
2. Click Install Certificate.
3. Click Next and select Place all certificates in the following store.
4. Click Browse.
5. Select Trusted Root Certification Authorities, click OK, and then click Next.
6. Click Finish.
7. Click Yes to confirm that you trust the certificate.

Resolving the Hostname

Note: This procedure is only applicable for the desktop console.

The computer running the LEM Console must be able to resolve the hostname of the appliance via DNS or a manual entry in the hosts file. Failing to resolve the hostname results in an inability to connect or in unreliable communication.

Configure forward and reverse DNS entries (a HOST and a PTR record) for your appliance on your DNS server. When creating the DNS entries, use the default hostname or the hostname you specified when the virtual appliance was imported.

If you cannot configure DNS directly on your DNS server, configure a hosts file on the computer by editing Windows\System32\drivers\etc\hosts in a text editor and adding a line with your virtual appliance's IP address and hostname (space or tab separated).
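The hostname conventions from the activation steps and the hosts-file fallback described above can be checked on the console computer before connecting. The following Python helper is an added example, not part of the SolarWinds guide or product: the function names, the sample hostnames and addresses, and the hosts-file content are constructed, and applying the label rule to every dot-separated label of an FQDN is this example's assumption.

```python
import ipaddress
import re
from typing import List, Tuple

# Label rule stated in the guide: ASCII letters (case-insensitive), digits and
# the hyphen only; no leading digit or hyphen, no trailing hyphen. Applying the
# rule to every dot-separated label of an FQDN is this example's assumption.
_LABEL_RE = re.compile(r"[A-Za-z]|[A-Za-z][A-Za-z0-9-]*[A-Za-z0-9]")

# Constructed sample hosts file (not from the guide). Fields are space or tab
# separated, '#' starts a comment, and the last line models a stale appliance
# entry left behind from an earlier import.
SAMPLE_HOSTS = """\
127.0.0.1\tlocalhost
10.0.0.25  lem-appliance.example.local  lem-appliance   # constructed
10.0.0.99  old-lem.example.local                        # stale entry
"""


def valid_lem_hostname(hostname: str) -> bool:
    """True if every label of the hostname satisfies the guide's conventions."""
    if not hostname or len(hostname) > 253:
        return False
    return all(_LABEL_RE.fullmatch(label) for label in hostname.split("."))


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Parse hosts-file text into (address, [names]) entries in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = re.split(r"[ \t]+", line)
        if len(fields) >= 2:
            entries.append((fields[0], fields[1:]))
    return entries


def check_appliance_entry(hosts_text: str, appliance_ip: str, appliance_host: str) -> List[str]:
    """Return the problems that would stop the console from reaching the appliance
    by name; an empty list means the hosts file is consistent for it."""
    problems = []
    if not valid_lem_hostname(appliance_host):
        problems.append(f"hostname {appliance_host!r} violates the hostname conventions")
    try:
        ipaddress.ip_address(appliance_ip)
    except ValueError:
        problems.append(f"{appliance_ip!r} is not a valid IP address")
        return problems
    # A resolver takes the first matching line, so the order of hits matters.
    hits = [ip for ip, names in parse_hosts(hosts_text)
            if appliance_host.lower() in (n.lower() for n in names)]
    if not hits:
        problems.append(f"no hosts entry maps {appliance_host} to an address")
    elif hits[0] != appliance_ip:
        problems.append(f"{appliance_host} resolves to {hits[0]}, expected {appliance_ip}")
    elif len(set(hits)) > 1:
        problems.append(f"{appliance_host} has conflicting entries: {sorted(set(hits))}")
    return problems


if __name__ == "__main__":
    print(check_appliance_entry(SAMPLE_HOSTS, "10.0.0.25", "lem-appliance.example.local"))  # []
    print(check_appliance_entry(SAMPLE_HOSTS, "10.0.0.25", "old-lem.example.local"))
```

Reading the real file instead of SAMPLE_HOSTS (for example with `open(r"C:\Windows\System32\drivers\etc\hosts").read()`) turns this into a pre-connection check for the stale or conflicting entries that produce the "unable to connect" symptom described above.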