Monitoring Logging and Processes on Servers

Hi everyone,

so I am establishing new rules in LEM and need some advice. I would like to monitor all access to certain servers. Firstly I wanted to ask what other information should I be monitoring other than logging? The other questions is my current rule layout.

At the moment I have UserLogin AND rule and UserLogin.insertionIP=*server name* OR rules for the specific server. At the moment the only logging I'm getting is polling from Orion trying to get info from the server. How can I configure it to be looking for actual users accessing the servers? EX. the sys admins or anyone else with or without access?

Thank you!

Nickolas

Find more posts tagged with

rules

lem rules

logging

servers

monitoring

Accepted answers

All comments

curtisi

Nickolas,

For what to log, we do have some recommendations for best practices here:

Audit Policies and Best Practices for LEM - SolarWinds Worldwide, LLC. Help and Support

I think you may be able to get more of what you want with a rule like "Auth Audit Alerts.Destination Machine = (SOME LIST OF SENSITIVE MACHINES)"

That includes all successes and failures, and would also be looking at any AD logs from the domain controllers (assuming agents are deployed) against those machines. The list could be a user defined group or a connector profile.

Auth Audit Alerts is an Event Group.