Get the latest news about SolarWinds Security Event Manager (SEM)
Is there a place I can go to find out exactly what an Event or an Event Group is looking at. For example, I noticed that one of the built in filters is called "Security Events". When you go to edit that filter, you see that the condition is "Security Alerts". Where can I go to see exactly what is considered and what will…
We're seeing this pair of Windows Security events every second or two against a user's account. Name: UserLogonFailure ProviderSID: "Windows-Security-Auditing" <Event> Severity: 4 1) Event 4776 EVENT INFO: [Account "<username>@<domain>" used for login failed from "<workstation>" ExtraneousInfo: Error Code: 0xc000006a…
So this isn't a new issue but I'm just getting around to addressing it. Upgraded to SEM 2020.4.1 a while back. We always disable automatic agent updates before an upgrade now due to a memory leak issue with a previous version of the SEM agent. I recently re-enabled automatic agent updates to get our 2020.2.1 agents up to…
I am getting close to 2k logs per second = 120k per minute or more. The Historical search only allows a 100k limit over 1 minute... Does this mean I will never be able to search all logs? So far, that has been my experience. Disappointing.
I am still on version 6.4 of SEM. A vulnerability scan identified an expired SSL certificate on my SEM appliance on a service related to TCP port 37891. It looks like this port is used for agent communication back to the SEM. The cert apparently expired earlier this year. I am wondering if anyone knows of a way to replace…
We have the Windows Application Log connector enabled on our machines. I am trying to figure out why I am not seeing those logs in SEM. One log in general that hits the Application Event Log is for the DUO Windows Client (Successful Duo Local login for '{username}'). We are trying to grab a report for this specifically to…
I've been given a list of IP addresses, over 1500 and several dozen URLs to search and determine if there has been any communication between our systems and those associated IPs and URLs. My question is, what is the best way to upload this amount of data into the SEM and what is the most effective way to search without it…
I have a port scan rule configured in SEM of: TCPTrafficAudit occurred and whole rule occurs at least 10x in 30 seconds in 5 min window same SourceMachine (TCPTrafficAudit) Distinct DestinationPort (TCPTrafficAudit) I am receiving a lot of alerts from this rule firing. From what I can tell initially for the number of…
The node is a Windows 2019 RDS session host using profile disks. I don't want to monitor the user disks (and they raised alarms with no apparent reason), so I deleted them: Manage Nodes -> click the arrow on the left of the node -> select the disks -> delete Now the node is in warning: "Node status is Warning, C:\Users\xyz…
For two days some hotfixes have been available, but there was no warning/alarm about those hotfixes. I enabled "Orion Server 2020.2.6 - Main Polling Engine" but that does not seem to check for updates. It seems quite curious that your monitoring tool does not inform you about its own updates (with critical security fixes…