Download as pdf or txt
Download as pdf or txt
You are on page 1of 53


Log & Event Manager

Version 6.3.1

Last Updated: Tuesday, October 24, 2017

Retrieve the latest version from:

Copyright © 2017 SolarWinds Worldwide, LLC. All rights reserved worldwide.

No part of this document may be reproduced by any means nor modified, decompiled, disassembled,
published or distributed, in whole or in part, or translated to any electronic medium or other means
without the written consent of SolarWinds. All right, title, and interest in and to the software and
documentation are and shall remain the exclusive property of SolarWinds and its respective licensors.



The SOLARWINDS and SOLARWINDS & Design marks are the exclusive property of SolarWinds Worldwide,
LLC and its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or
pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be
common law marks, registered or pending registration in the United States or in other countries. All other
trademarks mentioned herein are used for identification purposes only and may be or are trademarks or
registered trademarks of their respective companies.

page 2
Table of Contents
LEM installation overview 6

How LEM works 7

Audit reports 7

Integration with SolarWinds products 7

About the LEM components that make up a typical deployment 8

Overview 8

About the LEM Manager component 9

About the LEM Agent 9

About Network devices 10

About the LEM reports application 10

LEM deployment examples 11

Simple deployment example 11

Complex deployment example with multiple syslog servers 12

Complex deployment example with multiple LEM VMs 13

Choose a licensing method for your LEM deployment 15

About LEM licensing 15

Licensing an evaluation version of LEM 15

LEM 6.3.1 system requirements 17

Sizing criteria 18

LEM VM hardware requirements 19

LEM software requirements 20

LEM Agent hardware and software requirements 21

LEM reports application hardware and software requirements 22

LEM port requirements 23

LEM pre-installation checklist 24

page 3

Prepare the server environment 25

Download LEM 26

Install LEM on the hypervisor 27

Install SolarWinds LEM on Microsoft Hyper-V 28

Install SolarWinds LEM on VMware vSphere 31

Install LEM Agents to protect servers, domain controllers, and workstations 33

Deploying the LEM Agent 34

Deploying the LEM Agent to multiple Windows computers in an enterprise environment 34

LEM Agent pre-installation checklist: Prepare to deploy LEM Agents 35

LEM Agent installer requirements 35

Antivirus recommendations 35

Download the LEM Agent installers 36

To download a LEM Agent installer from the LEM console 36

To download a LEM Agent installer from the SolarWinds Customer Portal 36

Install the LEM Agent on Linux and Unix 37

Installation notes for the Linux Agent installer 37

Run the LEM Agent Installer on Linux or Unix 37

To uninstall the LEM Agent on Linux or Unix 38

Install the LEM Agent on Mac OS X 10.7 and later 39

Installation notes for the Mac OS X installer 39

Run the LEM Agent Installer on Mac OS X 39

To configure the LEM Agent as a Mac OS X service and set it to start automatically 40

To start the LEM Agent on Mac OS X manually 40

Run the LEM Remote Agent Installer non-interactively for large Windows deployments 41

Installation notes for the Remote Agent Installer 41

Run the LEM Agent installer for Windows 42

Run the LEM Local Agent Installer non-interactively for large Windows deployments 43

Installation notes 43

page 4
Create a setup file for the Local Agent Installer 44

Configure a custom file 44

Run the Local Agent Installer non-interactively 45

Verify the LEM Agent connection 46

Install the LEM 6.3.1 optional add-on applications 47

Install the LEM reports application 48

Pick a suitable host for the reports application 48

Install the LEM reports application 49

Install the LEM reports application provided in the LEM distribution package 49

Install the LEM reports application files downloaded from the Customer Portal 49

Connect the LEM reports application to your LEM database 49

Install the LEM desktop console 52

Install Adobe Air Runtime for Windows 52

Install the LEM desktop console 52

Configure the LEM desktop console after you install it 53

Resolve the Hostname 53

page 5

LEM installation overview

In this section:

  • How LEM works 7

• About the LEM components that make up a typical deployment 8

• LEM deployment examples 11

• Choose a licensing method for your LEM deployment 15

page 6
How LEM works
SolarWinds LEM collects log data in your corporate network from two resources:

 l Agents – An Agent is a software application that collects and normalizes log data before it is sent to
the LEM Manager.
 l Non-Agent devices – These are devices that send log data directly to the LEM Manager for
normalization and processing.

After normalization, LEM Manager processes the data. The LEM Manager policy engine correlates the data
based on user-defined rules and local alert filters, and initiates the associated actions when applicable.
These actions can include:

 l Notifying users through the console or by email

 l Blocking an IP address
 l Shutting down or rebooting a workstation
 l Passing alerts to the LEM database for future analysis and reporting within the Reports application

You can install Agents on workstations, servers, and other network devices. Agents can send log data from
security products (such as antivirus software and network-based intrusion systems) on each device to the
LEM virtual appliance. If you cannot install an Agent on a device (such as firewalls and routers), you can
configure the device to send log data to the LEM Manager for normalization and processing. If your change
management process does not permit adding any additional syslog servers to the network device
configurations, you can leverage your existing syslog servers.

Audit reports
You can generate reports against your Log & Event Manager database using the LEM reports console
installed on a supported server. Using the console, you can schedule and execute over 300 audit reports. If
your corporate security policy restricts access to sensitive reports, you can configure your LEM Appliance to
restrict access to the console by IP address. During the 30-day evaluation period, you can install the
console on any server or workstation that can access port 9001 in the LEM Manager. You can also export
reports to multiple formats, including TXT, PDF, CSV, DOC, XLS, and HTML.

Integration with SolarWinds products

Additional SolarWinds solutions such as Network Performance Monitor (NPM), Server & Application
Monitor (SAM), and Virtualization Manager (VMan) can send performance alerts as SNMP Traps to the LEM
Manager to correlate performance alerts with LEM events.

LEM uses additional data collection tools such as Web Services and SNMP traps. Contact Customer
Service for more information about integrating LEM into your corporate enterprise.

page 7

About the LEM components that make up a typical

This topic describes the software components that make up a typical SolarWinds LEM deployment. Review
this topic to get a better understanding of how LEM should be deployed on your network.

This topic includes the following sections:

  • Overview 8

• About the LEM Manager component 9

• About the LEM Agent 9

• About Network devices 10

• About the LEM reports application 10

The following illustration shows the software components, log files, and network protocols in a typical
SolarWinds LEM deployment.

page 8
A complete LEM installation includes the following components:

 l The LEM Manager (or LEM VM), which collects and processes log and event information. This
component is installed first.
 l The desktop software or web client (not shown) that allows you to view LEM information from a
desktop or laptop computer.

About the LEM Manager component

Originally, LEM was sold as a physical appliance that you deployed on your network. Today, the LEM
Manager is the virtual image of a Linux-based appliance. The LEM Manager VM (virtual machine) can be
easily deployed on a host computer running a VMware® or Microsoft® hypervisor.

The LEM documentation uses the term virtual machine (or VM) to refer to the LEM virtual appliance
that runs on the hypervisor.

The LEM Manager collects and processes log and event information. It includes the following systems and

 l Hardened Linux® OS
 l Syslog Server and SNMP Trap Receiver
 l High compression, search-optimized database
 l Web server
 l Correlation engine

About the LEM Agent

The LEM Agent is installed on workstations, servers, and other network devices. It collects and normalizes
log data in real time before it is sent to the LEM Manager. It also collects security data such as Windows
Event Logs, a variety of database logs, and local antivirus logs on each device and transmits that data over
TCP to the LEM Manager. The LEM Agent has a small footprint on the device and prevents log tampering
during data collection and transmission.

You can also use the LEM Agent with devices that support syslog. The Agent transmits syslog messages
over TCP to the LEM Manager. TCP is preferred over UDP because TCP ensures messages arrive intact.

The LEM Agent provides the following benefits:

 l Captures events in real-time.

 l Encrypts and compresses the data for efficient and secure transmission to the LEM Manager.
 l Buffers the events locally if you lose network connectivity to the LEM Manager.

page 9

About Network devices

The following table lists some network resources that provide input to LEM Manager.


Network Device log sources Syslog messages
(such as routers, firewalls, and switches

Servers and applications LEM Agent data

Microsoft® Windows® Workstations LEM Agent data

SolarWinds NPM SNMP traps (performance alerts)

SolarWinds SAM See "Enable LEM to receive SNMP traps by turning on

the SNMP Trap Logging Service" in the
SolarWinds Virtualization Manager (VMan)
LEM Administrator Guide for details.

LEM accepts device input using the TCP and UDP protocols:

 l Network devices use TCP or UDP to send syslog events to the LEM Manager.
 l LEM Agents installed on servers and workstations use TCP to push data to the LEM Manager.
 l SolarWinds Orion/VMan server instances (including NPM and SAM) send SNMP traps over UDP to the
LEM Manager.

About the LEM reports application

You can install the LEM reports application on a networked server to schedule and execute over 300 audit-
proven reports. For added security, you can initiate the restrictreports command service to limit
users by IP address to run these reports. If you are running LEM in Evaluation Mode, you can install the
LEM reports application on any server or workstation that can access port 9001 in the LEM Manager.

page 10
LEM deployment examples
This section will help get you started planning your LEM architecture. The examples show different LEM
deployment options.

This topic includes the following sections:

  • Simple deployment example 11

• Complex deployment example with multiple syslog servers 12

• Complex deployment example with multiple LEM VMs 13

Simple deployment example

The following deployment example uses one central syslog server to collect log data from your network
devices in a local network. In this deployment, network devices use TCP or UDP to send syslog data to the
LEM Manager's syslog server, whereas LEM Agents running on workstations and servers just use TCP to
push log data to the LEM Manager.

page 11

The syslog server receives logs on port 514 and saves the data in the LEM Manager /var/log file
partition. Log file names vary based on the target facility configured on the network device.

The LEM Manager relies on routers, firewalls, and switches to transmit syslog messages to the
syslog server running on the LEM Manager. If your log sources are located behind firewalls, see
SolarWinds LEM port and firewall information to open the necessary ports. For a list of all ports
required to communicate with LEM, see the SolarWinds Port Requirements for SolarWinds
Products Guide at:

Complex deployment example with multiple syslog servers

The following deployment example uses two syslog servers located in different cities. LEM can capture logs
from multiple remote locations across wide area network (WAN) links. Because the LEM Agent includes
built-in encryption, compression, and buffering capabilities, this can be done securely and efficiently.

Instead of using the syslog server built in to the LEM Manager component, this design calls for one syslog
server per location. When using a detached syslog server, you need to install a LEM Agent on each
detached server, and then enable the appropriate connectors on the LEM Agent. Following configuration,
the LEM connectors normalize raw log messages into LEM events.

If you cannot add new logging hosts on your network devices due to restrictive change management
processes, consider implementing this multi syslog server deployment example to leverage your
existing syslog servers.

page 12
Complex deployment example with multiple LEM VMs
To increase performance, you can divide LEM's workload across multiple LEM VMs. Each VM can be
configured to provide dedicated processing for tasks such as:

 l Management and event analysis

 l Database storage, search, and reporting
 l Log storage, search, and analysis
 l Log collection

Although multi-VM LEM installations are possible, 98% of all LEM deployments perform well as a
single appliance that you can scale up by dedicating additional resources from the virtual host.

Each LEM VM can specialize and provide dedicated processing for one or more of the following:

 l Management and event analysis

 l Database storage, search, and reporting
 l nDepth log storage, search, and analysis
 l Log collection

The following diagram shows four LEM VM instances. One each for the LEM Manager, syslog collection, the
normalized data store, and an optional original data store.

Deploying each LEM VM on separate hardware increases performance. You can also deploy multiple
VMs on the same hardware host with minimal negative performance impacts.

page 13

LEM allows you to assign resources in different ways based on your organization's needs. For example, you
can deploy two LEM Managers, each on a separate VM if your organization has logical divides in
management and/or monitoring responsibilities.

In the above example a single LEM console provides a consolidated, real-time search and management
view across two LEM VMs.

See also:

 l "LEM 6.3.1 system requirements" on page 17

page 14
Choose a licensing method for your LEM deployment
This section explains how LEM licenses are assigned. It also discusses how to transition from an evaluation
version of LEM to a fully-functional production version.

It includes the following sections:

  • About LEM licensing 15

• Licensing an evaluation version of LEM 15

For more information, see the following topics in the LEM Administrator Guide:

 l "Install the LEM license using the web console"

 l "View LEM license information"
 l "Enable LEM license recycling"

About LEM licensing

Licensing a Log & Event Manager deployment is based on:

 l The number of universal nodes. Universal nodes include non-agent devices, such as switches,
routers, and firewalls, and systems running either a Windows Server or Unix operating system.
 l The number of workstation nodes. Workstation nodes include desktop systems that run
Windows and the LEM Agent.

For example, a LEM deployment that has a LWE250 for LEM30 license can add 250 Windows workstation
nodes and 30 universal nodes.

Licensing an evaluation version of LEM

If you are evaluating Log & Event Manager, you do not need to apply an activation key to activate the LEM
VM. For 30 days, you will have unlimited access to all product features.

If you have not purchased and provided a license key after 30 days, the application will stop collecting
event logs from your syslog and Agent devices. You can continue using Log and Event Manager in this
mode and access your saved logs. Applying a license reactivates event log collection and you can continue
monitoring all events in your deployment. If you need to extend your evaluation period, contact Customer

You can upgrade to a fully-functional production version by purchasing a new license from Customer Sales
and downloading the license key from the Customer Portal. After you install the new license key, you can
access all features within the LEM appliance.

page 15

You cannot upgrade your license using the SolarWinds License Manager.

page 16
LEM 6.3.1 system requirements
Use the following tables to plan your Log & Event Manager deployment to suit your network environment.

This topic includes the following sections:

  • Sizing criteria 18

• LEM VM hardware requirements 19

• LEM software requirements 20

• LEM Agent hardware and software requirements 21

• LEM reports application hardware and software requirements 22

• LEM port requirements 23

Server sizing is impacted by:

 l Number of nodes and network traffic. Consider event throughput and performance degradation
when planning the size of your deployment. As the number of nodes and network traffic increase,
the size of your deployment will need to grow with it. For example, if you are running a small
deployment and begin to notice performance degradation at 300 nodes, move to a medium
 l Storing original (raw) log messages in addition to normalized log messages. If you will be
storing original log messages, increase the CPU and memory resource requirements by 50%. See
your hypervisor documentation for more information.

page 17

Sizing criteria
Use the following table to determine if a small, medium, or large deployment is best suited to supporting
your environment.

Number of Fewer than 500 Between 300 and 2,000 nodes More than 1,000 nodes in the
nodes nodes in the in the following combinations: following combinations:
combinations:  l 10 – 25 security devices  l 25 – 50 security devices
 l 200 – 1,000 network  l 250 – 1,000 network devices,
 l 5 – 10 devices, including including workstations
security workstations  l 500 – 1,000 servers
devices  l 50 – 500 servers
 l 10 – 250
 l 30–150

Events 5M – 35M events 30M – 100M events 200M – 400M events

received per
day Note: The most successful
large deployments receive
up to 250M events per day.

Rules fired Up to 500 Up to 1,000 Up to 5,000

per day

page 18
LEM VM hardware requirements
See "Allocate CPU and memory resources to the LEM VM" in the LEM Administrator Guide for
information about how to manage LEM system resources.


CPU 2 – 4 core 6 – 10 core processors at 2.0 GHz 10 – 16 core processors at 2.0

processors at 2.0 GHz

If you will be storing original log messages in addition to normalized log messages,
increase the CPU and memory resource requirements by 50%.

Memory 8 GB RAM 16 GB – 48 GB RAM 48 GB – 256 GB RAM

Hard drive 250GB, 15k hard 500GB, 15K hard drives (RAID 1TB, 15k hard drives (RAID
storage drives (RAID 1/mirrored settings) 1/mirrored settings)

 l Installing LEM in a SAN is preferred.

 l High-speed hard drives (such as SSD drives) are required for high-end
 l Large deployments may require 1 to 2TB of storage, which you can reserve
on VMware ESX(i) 4/5+ and Microsoft Hyper-V 2008 R-2/2012.

Input/output 40 – 200 IOPS 200 – 400 IOPS 400 or more IOPS

per second


page 19

LEM software requirements

Hypervisor One of the following:
(required on the VM
host)  l VMware vSphere ESX 4.0 or ESXi 4.0 and later
 l Microsoft Hyper-V Server 2016, 2012 R2, 2012, or 2008 R2

Web browser One of the following:

(required on a
remote computer to
 l Google® Chrome™ 17 and later
run the web  l Microsoft Internet Explorer® 8 and later
Note: The web console does not run on Internet Explorer 10 on
Windows Server 2012.

 l Mozilla Firefox® 10 and later

Adobe Flash Adobe Flash Player 15

(browser plug-in
required on a
remote computer to
run the web

Optional software Adobe Air Runtime

(required if you
For more information, visit the "What is Adobe AIR?" page:
want to run the
desktop console on
a desktop computer)

page 20
LEM Agent hardware and software requirements


Operation System (OS) The LEM Agent is compatible with the following
operating systems:

 l Linux
 l Mac OS X 10.7 or later
 l Oracle® Solaris
 l Windows (10, 8, 7, Vista)
 l Windows Server (2016, 2012, 2008)

The requirements specified below are minimum requirements. Depending on your deployment,
you may need additional resources to support increased log-traffic volume and data retention.

CPU 450 MHz Pentium III or equivalent

Memory 512 MB RAM

Hard Drive Space 1 GB

Other requirements Administrative access to the device hosting the

LEM Agent

The LEM Agent for Mac OS X requires Java Runtime

Environment (JRE) 1.5 or later.

page 21

LEM reports application hardware and software


Operation The LEM reports application is Windows only. The following Windows versions are
System (OS) supported:

 l Windows 10, 8, and 7

 l Windows Server 2016, 2012, 2008, 2003

Memory 512 MB RAM minimum.

SolarWinds recommends using a computer with 1 GB of RAM or more for optimal reports

Other Install the LEM reports application on a system that runs overnight. This is important
requirements because the daily and weekly start time for these reports is 1:00 AM and 3:00 AM,

page 22
LEM port requirements
If your log sources are located behind firewalls, see "SolarWinds LEM Port and Firewall Information" at the
following location to open the necessary ports:

See the "SolarWinds Port Requirements for SolarWinds Products Guide" at the following location for a list
of all ports required to communicate with SolarWinds products:

page 23

LEM pre-installation checklist

Before installing Log & Event Manager, complete the pre-installation checklist below.

This topic includes the following sections:

  • Prepare the server environment 25

• Download LEM 26

The installation preflight checklist helps you:

 l Verify that system requirements are met, all required software is installed, and required roles and
features are enabled.
 l Gather the information required to complete the installation.

1. Review system Make sure that your environment meets the hardware and software
requirements requirements for your installations. Hypervisor software should be installed
prior to installing LEM. VMware vSphere and Microsoft Hyper-V are both
supported. The hypervisor software provides the virtual environment that hosts
your LEM deployment.

See "LEM 6.3.1 system requirements" on page 17 for details.

2. Select a Determine if your architecture will include one or more syslog servers.
See "LEM deployment examples" on page 11 for details.

3. Review release Review the Log & Event Manager release notes and available documentation in
notes the Success Center:

4. Gather The Local Administrator Account is required for installation.

The Local Administrator Account is not the same as a domain account
with local admin rights. A domain account is subject to your domain
group policies.

page 24
Prepare the server environment
Prepare the server where you will install the LEM VM.

1. Build the Prepare the servers based on your deployment size and system requirements.
environment Install either VMware vSphere or Microsoft Hyper-V.

By default, Log & Event Manager deploys with 8GB RAM and 2CPUs on
both hypervisor platforms.

2. Run all OS Before installation, check for and run all OS updates on all servers.

3. Open ports If your log sources are located behind firewalls, see "SolarWinds LEM Port and
according to Firewall Information" at the following location to open the necessary ports:

SolarWinds uses these ports to send and receive data.

page 25

Download LEM
SolarWinds provides separate installation packages for Hyper-V and VMware vSphere, so be sure to
download the correct version.

1. Download LEM Download the LEM installer from the SolarWinds customer portal, or download a
free trial version from

The trial version provides unlimited access to all product features for 30
days. See "Licensing an evaluation version of LEM" on page 15 for more

Next steps:

 l See "Install SolarWinds LEM on Microsoft Hyper-V" on page 28

 l See "Install SolarWinds LEM on VMware vSphere" on page 31

page 26
Install LEM on the hypervisor
In this section:

  • Install SolarWinds LEM on Microsoft Hyper-V 28

• Install SolarWinds LEM on VMware vSphere 31

page 27

Install SolarWinds LEM on Microsoft Hyper-V

These instructions provide steps for installing the Log & Event Manager VM on Microsoft Hyper-V.
SolarWinds provides separate installation packages for Hyper-V and VMware vSphere, so check that you
downloaded the correct version.

Complete the "LEM pre-installation checklist" on page 24 before installing LEM.

1. Extract the files Double-click the evaluation EXE file that you downloaded previously.
This step will extract the required files and tools to a folder on your

The "How to Install" page opens automatically. The following image

shows the wizard for installing LEM on VMware vSphere.

To return to this page after it is closed, go to

%USERPROFILE%\Desktop\SolarWinds Log and Event

2. Complete the  1. In the navigation pane of Hyper-V Manager, select the
following steps to computer running Hyper-V.
import the Virtual  2. Click Action > Import Virtual Machine. Click Next if the "Before
Machine. You Begin" screen displays.

page 28
 3. On the Locate Folder screen, navigate to the folder that
matches your version of Windows Server. For example:
%USERPROFILE%\Desktop\SolarWinds Log and
Event Manager\SolarWinds Log & Event
Manager\Virtual Machines 2012 R2

For Windows Server 2016, navigate to the Virtual

Machines 2012 R2 folder.

 4. Click Next.

On the Select Virtual Machine screen, select SolarWinds Log &
Event Manager, and click Next.
 5. On the Select Virtual Machine screen, select SolarWinds Log &
Event Manager, and click Next.
 6. On the Choose Import Type screen, choose Copy the virtual
machine (create a new unique ID), and click Next.
 7. On the Choose Folders for Virtual Machine Files screen, change
the folder locations that the wizard will import files to (if
needed). Otherwise, click Next.
 8. On the Choose Folders to Store Virtual Hard Disks screen,
change the location of the virtual hard disks for this virtual
machine (if needed). Otherwise, click Next.
 9. On the Configure Memory screen, configure the Startup RAM
setting, and the Minimum RAM and Maximum RAM settings for
Dynamic Memory, and then click Next.
 10. On the Summary screen, review the configuration settings and
click Finish.
The installer will copy the SolarWinds-LEM-6.3.1.vhd file to Hyper-

3. Connect to the LEM Select the newly added VM, and then click Action > Connect on the
VM. main Hyper-V Manager window.

The virtual console opens.

4. Start LEM. Click Action > Start in the virtual console window.

The LEM VM starts.

page 29

After LEM starts, write down the IP Address of the VM. You will
be able to change the IP address later during the
configuration phase.

5. Set up your new See "Setting up a new LEM installation" in the LEM Administrator
LEM installation. Guide.

Following installation, the default LEM host name is swi-lem. To change the default host name and
IP address settings, see "Run the activate command to secure LEM and configure network settings"
in the LEM Administrator Guide.

page 30
Install SolarWinds LEM on VMware vSphere
These instructions provide steps for installing the Log & Event Manager VM on VMware vSphere.
SolarWinds provides separate installation packages for Hyper-V and VMware vSphere, so check that you
downloaded the correct version.

Complete the "LEM pre-installation checklist" on page 24 before installing LEM.

1. Extract the files Double-click the evaluation EXE file that you downloaded previously.
This step will extract the required files and tools to a folder on your

The "How to Install" page opens automatically. The following image

shows the wizard for installing LEM on VMware vSphere.

To return to this page after it is closed, go to

%USERPROFILE%\Desktop\SolarWinds Log and Event

2. Complete the  1. Start the VMware vSphere Client and log in with VMware
following steps to administrator privileges.
deploy LEM.  2. Deploy the open virtualization format (OVF) template.

page 31

 3. Open the SolarWinds Log & Event Manager folder located on
your desktop and double-click:
Deploy First—LEM Virtual Appliance.ova
 4. Complete the setup wizard.
When prompted, select the Thin Provisioned disk format.

Thin provisioning offers more performance flexibility

than thick provisioning, but requires more oversight
than thick provisioning. Thin provisioning provides
increased performance by dedicating physical storage

 5. Map the network interface card (NIC) to the appropriate

 6. When the OVF deployment is completed, click Finish.

3. Start LEM.  1. Select the SolarWinds Log and Event Manager virtual appliance
and click Play.
 2. Click the Console tab.

The LEM VM starts.

After LEM starts, write down the IP Address of the VM. You will
be able to change the IP address later during the
configuration phase.

4. Set up your new LEM See "Setting up a new LEM installation" in the LEM Administrator
installation. Guide.

Following installation, the default LEM host name is swi-lem. To change the default host name and
IP address settings, see "Run the activate command to secure LEM and configure network settings"
in the LEM Administrator Guide.

page 32
Install LEM Agents to protect servers, domain
controllers, and workstations
In this section:

  • Deploying the LEM Agent 34

• LEM Agent pre-installation checklist: Prepare to deploy LEM Agents 35

• Install the LEM Agent on Linux and Unix 37

• Install the LEM Agent on Mac OS X 10.7 and later 39

• Run the LEM Remote Agent Installer non-interactively for large

Windows deployments 41

• Run the LEM Local Agent Installer non-interactively for large

Windows deployments 43

• Verify the LEM Agent connection 46

page 33

Deploying the LEM Agent

This topic describes options for installing the LEM Agent.

See "About the LEM Agent" on page 9 to learn about the role the LEM Agent plays in a typical LEM

SolarWinds provides LEM Agents for these operating systems:

 l Microsoft Windows (local and remote installers)

 l Linux
 l Mac OS X
 l Solaris on Intel
 l Solaris on Sparc
 l HPUX on PA
 l HPUX on Itanium
 l AIX

Deploying the LEM Agent to multiple Windows computers in an enterprise

There are two options for deploying the LEM Agent unattended on Windows:

 l Option 1: You can use the Remote Agent Installer to deploy LEM Agents to computers non-
See "Run the LEM Remote Agent Installer non-interactively for large Windows deployments" on
page 41 for more information.
 l Option 2: Use the Local Agent Installer with either software distribution policies or local logon scripts
to deploy the LEM Agent non-interactively. This method is an alternative to the Remote Agent
Installer option for large deployments.
See "Run the LEM Local Agent Installer non-interactively for large Windows deployments" on
page 43 for more information.

page 34
LEM Agent pre-installation checklist: Prepare to deploy LEM
Complete the following tasks before installing the LEM Agent. See "Deploying the LEM Agent" on the
previous page to learn more about installing LEM Agents.

This topic includes the following sections:

  • LEM Agent installer requirements 35

• Antivirus recommendations 35

• Download the LEM Agent installers 36

LEM Agent installer requirements

1. Review system See "LEM Agent hardware and software requirements" on page 21 for
requirements details.

2. Gather credentials Verify that you have administrative access to the servers and
workstations you plan to monitor with the Agent. Windows-based
systems require Domain or Local administrative privileges; Linux or Unix
systems require root-level access.

The Local Administrator Account is not the same as a domain

account with local admin rights. A domain account is subject to
your domain group policies.

3. Review the LEM See "Deploying the LEM Agent" on the previous page for installation
Agent installation information, and information about unattended Agent installations.

Antivirus recommendations

1. Disable anti-malware Turn off any anti-malware or endpoint protection applications on

and endpoint protection host systems during the installation process, because these
software during applications can affect the process by which installation files are
installation. transferred to the hosts.

page 35

2. After installation, add Set an exception in your antivirus or anti-malware scanning software
an exception to your for the ContegoSPOP folder where the LEM Agents will be installed.
antivirus or anti- The alerts are kept in queue files, which change constantly as they
malware software for are normalized and encrypted.
the LEM Agent folder.

Download the LEM Agent installers

You can download LEM Agent installers from the LEM console or from the SolarWinds Customer Portal.

To download a LEM Agent installer from the LEM console

 1. Open the LEM console. See "Log in to the LEM web console" or "Log in to the LEM desktop console" in
the LEM Administrator Guide for steps.
 2. Choose from the following options:
 l Click Ops Center, go to the Getting Started widget, and click "Add Nodes to Monitor."
 l Click Manage > Nodes. Click Add Node, then click Agent Node.
 3. Click an Agent to download it.

To download a LEM Agent installer from the SolarWinds Customer Portal

If you are using a trial version of LEM, download the LEM Agent installer from the LEM console, or
contact SolarWinds for assistance.

 1. Download the installer from the SolarWinds Customer Portal:
Log in with your SWID if necessary.
 2. Find LEM in the product list, and then click Choose Download.
 3. Find the Agent Installer on the list.

Next steps:

See the following topics to install the LEM Agents:

 l "Install the LEM Agent on Linux and Unix" on the facing page
 l "Install the LEM Agent on Mac OS X 10.7 and later" on page 39
 l "Run the LEM Remote Agent Installer non-interactively for large Windows deployments" on page 41
 l "Run the LEM Local Agent Installer non-interactively for large Windows deployments" on page 43

page 36
Install the LEM Agent on Linux and Unix
This topic describe how to install Agents locally on a variety of Linux and Unix operating systems. Once
installed, the LEM Agent automatically starts and connects to the LEM Manager.

This topic includes the following sections:

  • Installation notes for the Linux Agent installer 37

• Run the LEM Agent Installer on Linux or Unix 37

• To uninstall the LEM Agent on Linux or Unix 38

See "LEM Agent pre-installation checklist: Prepare to deploy LEM Agents" on page 35 for Agent
download information and a pre-install checklist.

Installation notes for the Linux Agent installer

 l A reboot is not required following installation
 l LEM Agents are installed in the /usr/local/contego/ContegoSPOP folder by default.

Run the LEM Agent Installer on Linux or Unix

To run the LEM Agent installer:

 1. Extract the contents of the installer ZIP, and then copy setup.bin to a local or network location.
 2. cd to the folder that contains the installer.
 3. Enter chmod +x setup.bin to convert the installer into an executable application.
 4. Run setup.bin as root.
 5. Press Enter to start the installer.
 6. Press Enter to page through the End User License Agreement, and then enter y to accept the terms
if you agree.
 7. Enter a custom installation path, or press Enter to accept the default (recommended).
 8. Enter the hostname of your LEM Manager.

Use the fully qualified domain name for your LEM Manager when you deploy LEM Agents on a
different domain. For example, enter

 9. Press Enter twice to accept the default port values, and then press Enter again to proceed.
 10. Review the Pre-Installation Summary, and then press Enter to proceed.
 11. Once the installer finishes, press Enter to exit the installer.

page 37

The LEM Agent begins sending alerts to your LEM Manager immediately. To configure the LEM Agent to
start automatically on boot, add /etc/init.d/swlem-agent to your list of startup scripts.

Next steps:

 l See "Verify the LEM Agent connection" on page 46 to test that the Agent connected to the LEM

To uninstall the LEM Agent on Linux or Unix

To uninstall the LEM Agent:

 1. Log in to you Linux computer as root.

 2. Stop the SolarWinds LEM Agent service.
 3. Delete the /usr/local/contego/ContegoSPOP folder.
 4. Remove any startup scripts, if any.

page 38
Install the LEM Agent on Mac OS X 10.7 and later
See "LEM Agent pre-installation checklist: Prepare to deploy LEM Agents" on page 35 for Agent
download information and a pre-install checklist.

This topic includes the following sections:

  • Installation notes for the Mac OS X installer 39

• Run the LEM Agent Installer on Mac OS X 39

• To configure the LEM Agent as a Mac OS X service and set it to start

automatically 40

• To start the LEM Agent on Mac OS X manually 40

Installation notes for the Mac OS X installer

 l The plist file used to start the version 5.3.1 Agent contains incorrect values, and does not work as
expected. This is a known issue that will be fixed in a future release.
 l A reboot is not required following installation.
 l LEM Agents are installed in /Applications/TriGeoAgent/ folder by default.
To run as a service and start automatically, the LEM Agent also uses the following folders:
 l /System/Library/StartupItems/
 l /Library/LaunchDaemons/

 l Mac OS X 10.7 or later is required to install the Agent.

 l Java Runtime Environment (JRE) 1.5 or later is required to install the Agent.

Run the LEM Agent Installer on Mac OS X

To run the LEM Agent installer on Mac OS X:

 1. Extract the contents of the installer ZIP file to a local or network location.
 2. Run, and then click Next to start the installation wizard.
 3. Accept the End User License Agreement if you agree, and then click Next.
 4. Enter the hostname of your LEM Manager in the Manager Name field and click Next. Do not change
the default port values.
Use the fully-qualified domain name of the LEM Manager when you deploy LEM Agents on a
different domain. For example, enter:
 5. Confirm the Manager Communication settings, and click Next.

page 39

 6. Confirm the settings on the Pre-Installation Summary, and click Install.
 7. After the installer finishes, click Done to exit the installer.
Ignore the error message that says some errors occurred during the install.

Next steps:

 l See "Verify the LEM Agent connection" on page 46 to test that the Agent connected to the LEM

To configure the LEM Agent as a Mac OS X service and set it to start

 1. Copy /Applications/TrigeoAgent to /System/Library/StartupItems/
 2. Modify the plist file packaged with the installed Agent by performing the following:
 a. Navigate to /System/Library/StartupItems/TrigeoAgent/
 b. Open com.trigeo.trigeoagent.plist in a text editor.
 c. In the file, replace
 d. Save the file here: /System/Library/LaunchDaemons/
 3. Change the permissions on the plist file. This only needs to be completed if the plist file is moved
with a non-root account.
chown root:wheel
 4. Restart the computer.
 5. Run ps -ef | grep -i trigeo to verify that the Agent starts automatically after the computer

To start the LEM Agent on Mac OS X manually

 1. Configure the LEM Agent as a service and set it to start automatically. See the previous section.
 2. Open Terminal.
 3. Enter launchctl load /Library/LaunchDaemons/com.trigeo.trigeoagent.plist

The LEM Agent continues running on your computer unless you uninstall or manually stop it. It begins
sending alerts to the LEM Manager immediately.

page 40
Run the LEM Remote Agent Installer non-interactively for
large Windows deployments
The Remote Agent Installer allows you to install the LEM Agent on multiple Windows computers without
the need to step through an installation wizard. Once installed, the LEM Agent automatically starts and
connects to the LEM Manager.

This topic includes the following sections:

  • Installation notes for the Remote Agent Installer 41

• Run the LEM Agent installer for Windows 42

See "LEM Agent pre-installation checklist: Prepare to deploy LEM Agents" on page 35 for Agent
download information and a pre-install checklist.

To install the LEM Agent unattended on non-Windows systems, see "Run the LEM Local Agent Installer
non-interactively for large Windows deployments" on page 43

Installation notes for the Remote Agent Installer

 l The Remote Agent Installer is Windows-only.
 l You will need a user account with privileges to write to Windows administrative shares such as
C$:\ or D$:\
 l LEM Agents are installed to the following folders:

Bitness Installation Folder

32-bit C:\Windows\system32\ContegoSPOP

64-bit C:\Windows\sysWOW64\contegoSPOP

 l If you are installing LEM Agents on the far end of a WAN link, copy the Remote Agent Installer
executable to the end of the WAN link and run it there. This will avoid using your WAN bandwidth to
copy LEM Agents multiple times.
 l A reboot is not required

page 41

Run the LEM Agent installer for Windows

To run the LEM Agent installer:

 1. Extract the contents of the installer ZIP file to a local or network location.
 2. Run setup.exe.
 3. Click Next to start the installation wizard.
 4. Accept the End User License Agreement if you agree, and then click Next.
 5. Enter the hostname of your LEM Manager in the Manager Name field, and then click Next. Do not
change the default port values.

Use the fully qualified domain name for your LEM Manager when you deploy LEM Agents on a
different domain. For example, enter

 6. Confirm the Manager Communication settings, and then click Next.
 7. Specify whether or not you want to install USB-Defender with the LEM Agent, and then click Next.
The installer will include USB-Defender by default. To omit this from the installation, clear the Install
USB-Defender option box.

SolarWinds recommends installing USB-Defender on every system. USB-Defender will never

detach a USB device unless you have explicitly enabled a rule to do so. By default, USB-
Defender simply generates alerts for USB mass storage devices attached to your LEM Agents.

 8. Confirm the settings on the Pre-Installation Summary, and then click Install.
 9. Once the installer finishes, it will start the LEM Agent service when you click Next.
 10. Inspect the Agent Log for any errors, and then click Next.
 11. Click Done to exit the installer.

The LEM Agent continues running on your computer unless you uninstall or manually stop it. It begins
sending alerts to your LEM Manager immediately.

Next steps:

 l See "Verify the LEM Agent connection" on page 46 to test that the Agent connected to the LEM

page 42
Run the LEM Local Agent Installer non-interactively for large
Windows deployments
The Local Agent Installer allows you to install the LEM Agent without the need to step through an
installation wizard. This option is only available for Windows systems.

This topic includes the following sections:

  • Installation notes 43

• Create a setup file for the Local Agent Installer 44

• Configure a custom file 44

• Run the Local Agent Installer non-interactively 45

You can run the Local Agent Installer non-interactively using software distribution policies or local logon
scripts. This method is an alternative to the Windows-only Remote Agent Installer in large deployment

This procedure only works with the local installer. Do not use the Remote Agent Installer for this

Installation notes
See "LEM Agent pre-installation checklist: Prepare to deploy LEM Agents" on page 35 for Agent
download information and a pre-install checklist.

There are three steps to using the Local Agent Installer to install the LEM Agent non-interactively. Each
step is described in detail in the sections below.

 1. Create the setup.* installer file for the operating system running on the computer hosting the
LEM Agent. The installer file extension is unique for each Windows operating system.
 2. Configure a custom file that contains your environmental variables.
 3. Run the Local Agent Installer non-interactively.

See "Run the LEM Remote Agent Installer non-interactively for large Windows deployments" on page 41
for more information about installing the SolarWinds LEM Agent.

page 43

Create a setup file for the Local Agent Installer

 1. Download the installer from the SolarWinds Customer Portal:
 a. Log in to the Customer Portal.
 b. Navigate to the License Management page.
 c. Locate LEM in the product list, and then click Choose Download.
 d. Download the local Agent installer for Windows. Find the appropriate installer on the list.

Be sure you download the Local Agent Installer. You cannot use the Remote Agent
Installer for this task.

 2. Extract the contents of the installer ZIP file to a local or network location.
 3. Copy setup.* to a known location.

Configure a custom file

 1. Open a text editor and create a file with the following two lines, followed by a carriage return:
/* Remove this third line and replace it with a carriage return. The third
line needs to be blank. */
 l <LEMManagerHostname> is the hostname or IP address of the LEM appliance.
 l <n> is 0 or 1. Specify 0 if USB defender should not be installed, or 1 if USB defender should be
 2. Verify that a blank line with a carriage return follows the INSTALL_USB_DEFENDER entry.

A blank line with a carriage return after the INSTALL_USB_DEFENDER entry is required for
the file to work correctly.

The contents of the file should look similar to this:


 3. Save the file as in the same folder as the setup.* file.

page 44
Run the Local Agent Installer non-interactively
 1. Verify that setup.* and are located in the same folder.

UNC paths should not be used during this installation.

 2. Run the command, setup -i silent using the active resource directory that matches the folder
that contains the two installer files. The command immediately returns to the command prompt.

Right-click the installer file and select Run as administrator.

The LEM Agent starts automatically and continues running until you uninstall or manually stop the
Agent. It begins sending alerts to your LEM Manager immediately. The LEM Agent should also appear
in Add/Remove Programs.
Next steps:
 l See "Verify the LEM Agent connection" on the next page to test that the Agent connected to
the LEM Manager.

page 45

Verify the LEM Agent connection

After you install the LEM Agent on your Agent nodes, verify that the Agent connected to the LEM Manager.

 1. Open the LEM console. See "Log in to the LEM web console" or "Log in to the LEM desktop console" in
the LEM Administrator Guide for steps.
 2. Click Manage > Nodes.
 3. In the Nodes grid, ensure that all connected nodes include a green status indicator.

For help troubleshooting LEM Agents, see "Troubleshoot LEM Agents and network devices" in
the LEM Administrator Guide.

Next steps:
 l "Configure LEM Agents after they are installed" in the LEM Administrator Guide.
 l If you have similar LEM Agents installed, see "Create connector profiles to manage and
monitor LEM Agents" in the LEM Administrator Guide.

page 46
Install the LEM 6.3.1 optional add-on applications
In this section:

  • Install the LEM reports application 48

• Install the LEM desktop console 52

page 47

Install the LEM reports application

This topic describes how to install the optional LEM reports application on either a separate server or on a
workstation. The reports application allows you to produce over 200 standard and industry-specific

This topic includes the following sections:

  • Pick a suitable host for the reports application 48

• Install the LEM reports application 49

• Connect the LEM reports application to your LEM database 49

Pick a suitable host for the reports application

You can install the LEM reports application on as many servers and workstations as you require. Install the
LEM reports application on a system that runs overnight. This is important because the daily and weekly
start time for these reports is 1:00 AM and 3:00 AM, respectively. It's also important that you install the
reports application on a system that can access the LEM database.

See "LEM reports application hardware and software requirements " on page 22 for additional

page 48
Install the LEM reports application
The LEM reports application requires the free Crystal Reports runtime application. There are two ways to
install the LEM reports application:

 l You can run the reports application installer included in the SolarWinds Log and Event Manager
distribution package. The installer installs Crystal Reports and the LEM reports application together.
 l You can download Crystal Reports and the LEM reports application individually from the
SolarWinds Customer Portal. You will need to install each application one at a time. This may be
necessary if your Windows security settings prevent you from running the other installer.

Install the LEM reports application provided in the LEM distribution package
This installer also installs the Crystal Reports Runtime.

 1. If necessary, copy the SolarWinds Log and Event Manager installation folder to a local drive and open
the folder.
 2. Right-click the file "Install Next - LEM Reporting Software.exe" and choose "Open."
A dialog box that says "Do you want to allow this app to make changes to your device?" opens.
 3. Click Yes to continue.
The Welcome screen opens.
 4. Click Next, and review the Requirements for Installation.
 5. Click Next, and then click "Begin Install" to start the installation process.
The installer installs the required applications.
 6. Click Close when the Installation Complete dialog displays.

Install the LEM reports application files downloaded from the Customer Portal
Complete these steps if you were not able to install the LEM reports application using the installer
included in the SolarWinds Log and Event Manager distribution package.

Before you begin: Download the LEM reports application and the Crystal Reports Runtime installers from
the SolarWinds Customer Portal (

 1. Run the Crystal Reports Runtime installer and complete the installation steps.
 2. Run the LEM reports application installer and complete the installation steps.
 3. When the installation is complete, click Close.

The LEM reports application is installed on your system.

Connect the LEM reports application to your LEM database

When you enter a LEM Manager IP address into the LEM reports application, you create a connection
between the reports application and the LEM database server running on the LEM Manager VM.

Before you begin: You will need the IP address of the LEM VM and your LEM console login credentials.

page 49

 1. Right-click the Reports application icon on your desktop and select Run as administrator.

To automatically run Reports as an administrator:

 1. Right-click the Reports shortcut and select Properties.
 2. Click Advanced and select the Run as administrator option.

 3. Click OK.

 4. Click OK in the Reports Properties window.

 2. Click Yes in the antivirus dialog box to continue.

 3. Click OK in the information box to create a list containing at least one Manager.

 4. Enter the hostname or IP address of your LEM appliance in the Manager Name field.

Whenever you see Manager in reference to LEM, it usually refers to the IP address or
hostname of your virtual appliance.

 5. Enter the username and password used to log in to the LEM console.

You can audit users accessing the reporting server running on the LEM VM. Only users with
admin, auditor, or reports roles can run reports on the LEM database.

 6. (Optional) Select the Use TLS connection check box to use the transport layer security protocol for a
secure connection.

page 50
 7. Click Test Connection to verify the connection between the LEM database server and the LEM reports
The reports application pings the LEM database and verifies the connection. If the ping is successful,
Ping Successful displays in the dialog box.

 8. Click to add the IP address to your LEM Manager list, and then click Yes to confirm.
 9. Click Close.
The reports application is connected to your LEM database and displays on your screen.

page 51

Install the LEM desktop console

The optional LEM desktop console lets you manage and monitor LEM without a web browser. The desktop
console provides the same functionality as the LEM web console, but as a Windows-only native app.

This topic includes the following sections:

  • Install Adobe Air Runtime for Windows 52

• Install the LEM desktop console 52

• Configure the LEM desktop console after you install it 53

• Resolve the Hostname 53

Install Adobe Air Runtime for Windows

Install the Adobe Air Runtime before you install the LEM desktop console.

The desktop console requires that you install the free Adobe AIR Runtime for Windows on your

 1. Download Adobe Air Runtime for Windows from the SolarWinds Customer Portal
(,or from the Adobe AIR website:
 2. Extract the contents of the ZIP file and double-click the installer.
 3. Follow the instructions to complete the installation.

Install the LEM desktop console

 1. Download the standalone console installer from the SolarWinds Customer Portal
 2. Extract the contents of the ZIP file and double-click the LEM console installer.
 3. Click Install.
 4. Select your installation preferences.
 5. Click Continue to begin the installation process.

The LEM desktop console is now installed on your system.

page 52
Configure the LEM desktop console after you install it
 1. If you did not instruct the console to open after the installation, open the desktop console.
 2. Accept the End User License Agreement if you agree, and click OK.
 3. Enter the IP address or hostname of the LEM VM, and then click Connect.

The computer running the LEM console must be able resolve the hostname of the LEM VM
using either DNS, or a manual entry in the Windows hosts file. See "Resolve the Hostname"
below for more information.

 4. Create a new password.

The first time the LEM console connects to the LEM VM, it prompts you to change your password. The
password must be between 6 and 40 characters, and contain at least one capital letter and one
 5. If you agree, enter your email address to participate in the SolarWinds Improvement Program.
Otherwise, clear the check box.
 6. Click Save.

The LEM desktop console is now configured on your system.

See also:

 l "Troubleshoot the LEM desktop console" in the LEM Administrator Guide

Resolve the Hostname

The system hosting the LEM desktop software must resolve the hostname of the LEM VM using DNS or a
manual entry in the hosts file. Otherwise, you cannot connect or you may have an unreliable connection.

Configure forward and reverse DNS entries (a HOST and PTR record) for the LEM VM on your DNS server.
When you create the DNS entries, use the default hostname or the hostname you specified when you
installed the VM. If you cannot configure DNS directly on your DNS server, configure a hosts file on the
computer by editing the Windows\system32\drivers\etc\hosts file in a text editor and adding a
line with the LEM virtual machine IP address and host name, separated by a space or tab character.

page 53

You might also like