Hi guys,
Can someone please tell me why LEM keeps adding unknown nodes? I see devices that are not even in the IP range I use. Is there maybe a way to configure LEM with my DHCP?
There's a variety of reasons that bogus nodes might appear, including but not limited to:
Is there maybe a way to block these devices? I tried to delete one of the devices, but LEM did a scan and added the device again.
Is there maybe a way to block these devices? I tried to delete one of them, but LEM adds it again after the scan.
Do you have a screenshot to share? What kind of events are associated with these 'bogus' nodes?
No, if the LEM sees data with an IP, it'll treat it as a new source and add a node for that. You'll need to resolve the bogus source to prevent the data from coming back.
Is there any documentation of how I can do this? I did an nslookup but get the message that the device has no domain and it is offline.
No, I don't have a screenshot. I don't see the old events anymore.
If they keep coming back after you delete them, it's because new events are coming in with that DetectionIP value from one of your log sources. LEM uses DetectionIP to determine when a host is sending data to another that's picked up by LEM. We'll have to track down what that log source is to see if we can figure out why it's happening. If you double-click on that node from Manage > Nodes it should do a quick search for that node's IP anywhere in your data, though if it's been too long you might have to dig farther back in time.
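The tracing step described in the reply above, as an added example that is not part of the original thread and not LEM's own tooling: it groups events by DetectionIP and reports which log source is sending the addresses that fall outside your expected range. It assumes the events have been exported to CSV; the `EventTime` and `LogSource` column names are hypothetical, only `DetectionIP` comes from the thread, and the sample rows are constructed.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample export. Only DetectionIP is a field named in the thread;
# the EventTime and LogSource columns are hypothetical.
SAMPLE_EXPORT = """EventTime,DetectionIP,LogSource
2024-01-10 09:00:01,192.168.10.15,fw01
2024-01-10 09:00:04,10.44.7.23,fw01
2024-01-10 09:01:12,192.168.10.20,dc01
2024-01-10 09:02:30,10.44.7.23,fw01
2024-01-10 09:03:45,172.16.99.8,switch-core
2024-01-10 09:04:02,not-an-ip,dc01
"""


def unexpected_nodes(export_text, expected_ranges):
    """Map each DetectionIP outside expected_ranges to {log source: event count}."""
    networks = [ipaddress.ip_network(r) for r in expected_ranges]
    hits = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(export_text)):
        raw = (row.get("DetectionIP") or "").strip()
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue  # hostname or malformed value; cannot be range-checked
        if not any(ip in net for net in networks):
            hits[raw][row["LogSource"]] += 1
    return {ip: dict(sources) for ip, sources in hits.items()}


if __name__ == "__main__":
    # The expected range here is a constructed example; use your own subnets.
    found = unexpected_nodes(SAMPLE_EXPORT, ["192.168.10.0/24"])
    for ip, sources in found.items():
        for source, count in sorted(sources.items()):
            print(f"{ip}: {count} event(s) reported by {source}")
```

The log source that shows up next to an out-of-range address is the one to inspect, since deleting the node does not stop that source from reporting the address again.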
This is what I see when I double-click on a node.