SolarWinds is placed by Gartner in the Niche Players quadrant of its latest Magic Quadrant for SIEM. It lacks the full security suite presence of some competitors, but is well integrated across a variety of IT operations capabilities, making it a good fit for SMEs that may lack their own internal security teams. The company targets tightly resourced, budget-conscious security teams in organizations with up to 10,000 employees, and often cites compliance as a driver.
Since 1999, SolarWinds has been providing management and monitoring software for security, networks, servers, applications, storage, databases, virtualization and the cloud. It is a private company.
SolarWinds Log & Event Manager (LEM) is composed of several elements:
- Manager, for central management and log and event management
- Console and user interface
- LEM Agents, for real-time event collection from endpoints, with encryption and compression of the collected data
Network traffic, application and virtualized platform monitoring can be tied into LEM through SolarWinds Virtualization Manager, Network Performance Monitor, and Server & Application Monitor. Multifactor authentication is a relatively new feature. SolarWinds Log & Event Manager (LEM) 6.5 was recently released, with features that include support for log forwarding to other applications, as well as SolarWinds LEM deployments on Azure. The company is working on a new UI and events console. Other improvements over the last 12 months include an increase to the SolarWinds LEM appliance storage limit, an update to LEM's underlying Debian OS, and support for SQL Server 2016 auditing.
SolarWinds SIEM Features Rated
Threats Blocked: Good. LEM ships with hundreds of predefined correlation rules, covering authentication, change management, network attacks, and more. SolarWinds LEM also integrates with online threat feeds and can alert on and respond to inbound/outbound traffic and authentication attempts involving known-bad IP addresses associated with ransomware, malware, spam, phishing and similar threats.
Breadth of Sources: Very good. SolarWinds LEM includes 700 log parsers. There is a process in place for users to request new connectors or updates to existing connectors. Gartner added that SolarWinds LEM supports a variety of event sources, including non-event data sources that can be integrated into its analytics and correlation rules.
Throughput: Good. While SolarWinds LEM can support several thousand nodes, the vendor rarely sees users exceed 2,000 events per second (EPS). Most customers store between 2 and 8 TB of data, but users have the option of scaling beyond 8 TB.
Value: Good. SolarWinds provides good value in overall cost and time to implement.
Implementation: Best. Users praise the product's ease of implementation. SolarWinds LEM is deployed as a self-contained virtual appliance, which includes the SolarWinds LEM database, correlation engine, and all other components required. It can be deployed typically within minutes. Gartner complimented SolarWinds on its simple architecture, easy licensing, and robust out-of-the-box content and features.
Management: Good. Ease of use is an area of frequent praise, but Gartner notes that as a closed system, SolarWinds LEM is limited in its ability to integrate with third-party advanced threat detection, threat intelligence feeds and User Behavior Analytics (UBA) tools.
Support: Very good. SolarWinds has been recognized for its technical support and customer success programs globally. The company recently deployed Smart Start. This assisted onboarding program provides access to implementation experts who work with users to understand their goals, assist in installing and configuring the product, and help optimize their environments based on business needs.
Scalability: Good. LEM's architecture scales horizontally to support thousands of nodes, but it doesn't scale as well vertically according to Gartner.
Common Criteria (CC) certified at Evaluation Assurance Level (EAL) 2+. Department of Defense (DoD) agency-specific certifications for the U.S. Army and Navy.
SolarWinds Log & Event Manager customers leverage pre-defined correlation rules targeted at user and system change monitoring. These rules include direct change auditing (user permission, metadata, group memberships, etc.) and system change auditing (policies, files, etc.). Thresholds for behavior can be applied to differentiate normal from abnormal behavior.
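The two rule families described above (the threat-feed IP matching under Threats Blocked, and the change-auditing rules with behaviour thresholds here) are easiest to understand as a small correlation pass over normalized events. The following is an added example written for this page, not SolarWinds code and not LEM's rule syntax or event schema: the event field names, the privileged-group list, the threat-IP set (RFC 5737 documentation addresses) and the sample events are all constructed for the illustration.

```python
"""Illustrative correlation rules of the kind a SIEM applies to change and
authentication events.  Added example for this page; not SolarWinds LEM code.
Field names (time, type, actor, group, src_ip, user) are an assumed normalized
schema, not LEM's."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed threat list (RFC 5737 documentation ranges).  A real deployment
# would populate this from an online feed.
THREAT_IPS = {"203.0.113.7", "198.51.100.23"}

# Groups whose membership changes always warrant an alert (assumption).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}

# Event types counted as "changes" for the behaviour threshold (assumption).
CHANGE_TYPES = {"GroupMemberAdded", "GroupMemberRemoved",
                "PermissionChanged", "PolicyChanged"}

# Constructed sample events, in collection order (time-ordered).
SAMPLE_EVENTS = [
    {"time": "2018-03-01T09:00:05", "type": "PermissionChanged", "actor": "jsmith"},
    {"time": "2018-03-01T09:12:00", "type": "AuthSuccess", "user": "jsmith", "src_ip": "10.0.0.12"},
    {"time": "2018-03-01T09:15:10", "type": "AuthFailure", "user": "admin", "src_ip": "203.0.113.7"},
    {"time": "2018-03-01T10:00:00", "type": "GroupMemberAdded", "actor": "svc-deploy", "group": "Domain Admins"},
    {"time": "2018-03-01T10:00:20", "type": "GroupMemberAdded", "actor": "svc-deploy", "group": "Backup Operators"},
    {"time": "2018-03-01T10:00:45", "type": "PermissionChanged", "actor": "svc-deploy"},
    {"time": "2018-03-01T10:01:10", "type": "PolicyChanged", "actor": "svc-deploy"},
    {"time": "2018-03-01T10:01:30", "type": "GroupMemberRemoved", "actor": "svc-deploy", "group": "Domain Admins"},
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def correlate(events, window=timedelta(minutes=5), threshold=3):
    """Run three rules over time-ordered events and return a list of alerts.

    Rule A: any membership change to a privileged group (direct change audit).
    Rule B: more than `threshold` change events by one actor inside `window`;
            this is the behaviour threshold that separates routine admin work
            from a burst of changes.  Fires once per burst, re-arms when the
            actor's rate drops back under the threshold.
    Rule C: any authentication event whose source IP is on the threat list.
    """
    alerts = []
    recent = defaultdict(deque)   # actor -> timestamps of change events in window
    in_burst = set()              # actors currently above the threshold

    for ev in events:
        t = parse_time(ev["time"])
        if ev["type"] in CHANGE_TYPES:
            actor = ev["actor"]
            # Rule A
            if ev["type"].startswith("GroupMember") and ev.get("group") in PRIVILEGED_GROUPS:
                alerts.append(("privileged_group_change", actor, ev["group"], ev["time"]))
            # Rule B: sliding window of this actor's change events
            q = recent[actor]
            q.append(t)
            while q and t - q[0] > window:
                q.popleft()
            if len(q) > threshold:
                if actor not in in_burst:
                    in_burst.add(actor)
                    alerts.append(("change_burst", actor, len(q), ev["time"]))
            else:
                in_burst.discard(actor)
        elif ev["type"] in ("AuthSuccess", "AuthFailure") and ev.get("src_ip") in THREAT_IPS:
            # Rule C
            alerts.append(("auth_from_threat_ip", ev.get("user"), ev["src_ip"], ev["time"]))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the constructed input the pass raises four alerts: the failed logon from 203.0.113.7, the two Domain Admins membership changes, and one change-burst alert when svc-deploy's fourth change lands inside the five-minute window. Raising the threshold (or widening the window) is the tuning knob the text refers to; the sample actor jsmith, with a single change, never trips it.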
Virtual appliance for VMware and Hyper-V platforms, plus a deployment option for Azure.
The SolarWinds SIEM platform employs agents.
SolarWinds LEM is priced in an all-inclusive per-node model, starting at $4,585 for 30 nodes. The license cost includes log management, agents, connectors, file integrity monitoring, USB Defender, SQL auditing, and all SIEM components. A workstation edition license enables SolarWinds LEM customers to extend deployments to Windows workstations. The first year of maintenance is included in the license cost. Consulting and professional services are typically not required.
For more analysis of SolarWinds Log & Event Manager, see SolarWinds vs Splunk: Top SIEM Solutions Compared.