[thwackCamp 2013 Chat Log] I've Got Logs and LEM, Now What? Pro tips for Security, Compliance, and all around Monitoring with LEM

MsgTime          | IPAddress       | Sender       | Target   | Text
10/10/2013 16:00 | 67.79.13.42     | sandip       |          | Welcome back Nicole
10/10/2013 16:01 | 67.79.13.42     | sandip       |          | Nicole is our Principal PM for LEM, so please ask her any questions you have!
10/10/2013 16:03 | 12.234.128.131  | colby        |          | feel free to ask questions as we go, but we'll have time at the end, too. I neglected to mention that in my voiceover.
10/10/2013 16:04 | 118.209.171.97  | Shuth        |          | Are these pre-recorded or are you responding while presenting?
10/10/2013 16:04 | 64.129.144.40   | brianmrad    |          | Pre-recorded
10/10/2013 16:04 | 12.234.128.131  | colby        |          | they are pre-recorded, thankfully
10/10/2013 16:05 | 64.129.144.40   | brianmrad    |          | Nicole is awesome at multi-tasking
10/10/2013 16:05 | 118.209.171.97  | Shuth        |          | Now I don't feel as bad for asking stuff during the presentation
10/10/2013 16:05 | 69.30.53.222    | byrona       |          | The pre-recorded approach with the PMs answering questions here is really nice. I like this much better than the format last year.
10/10/2013 16:05 | 64.129.144.40   | brianmrad    |          | We do too
10/10/2013 16:06 | 12.234.128.131  | colby        |          | the chat is a pretty handy way to do everything from vote on your favorite feature to ask a nagging question to bump a thwack thread
10/10/2013 16:11 | 69.30.53.222    | byrona       |          | Has SolarWinds provided any documentation on how it positions and differentiates itself in the marketplace with LEM when compared to Splunk?
10/10/2013 16:12 | 12.234.128.131  | colby        |          | let me check. it's sort of two different approaches to the problem
10/10/2013 16:13 | 69.30.53.222    | byrona       | colby    | I would completely agree with you; however, I am curious what the SolarWinds perspective on that is.
10/10/2013 16:13 | 12.234.128.131  | colby        |          | splunk is much more of a platform, so where we see it succeed is when people have teams very familiar with log data who need to integrate with other systems; but where we see it fail is in people who need a solution to a specific problem (security) or don't have lots of expertise with the ins and outs of data and integration. (Also... cost)
10/10/2013 16:15 | 69.30.53.222    | byrona       | colby    | Thanks! I would love to see an official SolarWinds document or even a blog post on that since I often get asked that question.
10/10/2013 16:17 | 69.30.53.222    | byrona       | colby    | As a service provider I love the fact that I can get a LEM environment up and running in full force in just a few days providing useful data... and the cost.
10/10/2013 16:17 | 12.234.128.131  | colby        |          | we do have a sales-facing comparison PDF, but it really reduces it down to the bullets. i don't see a good landing page or English version
10/10/2013 16:18 | 12.234.128.131  | colby        |          | with ANY log data what seems to overwhelm people is finding what they are looking for, so something like LEM with out-of-the-box stuff helps chew away at the problem faster.
10/10/2013 16:18 | 12.234.128.131  | colby        |          | i think the new navigation for rules we put out in 5.6 helped that a lot too.
10/10/2013 16:19 | 69.30.53.222    | byrona       |          | When working with customers I find I can show them LEM and it both shows well with its visualizations and it doesn't intimidate users with having to learn complex RegEx, etc.
10/10/2013 16:22 | 108.192.177.172 | Chrystal     |          | I agree with you nicole, on the new navigation for rules. that made things much simpler
10/10/2013 16:23 | 108.192.177.172 | Chrystal     |          | it was a bit overwhelming before. also, the rules being turned off instead of on by default was a great change
10/10/2013 16:23 | 12.234.128.131  | colby        |          | it was something we'd been mulling over for a while; hopefully in the future we can glue all that stuff together in a quick-setup way.
10/10/2013 16:28 | 108.192.177.172 | Chrystal     |          | i have been having trouble with the IIS connector on a client site. I cannot seem to get it to pull any logs in. i have tried the various suggestions you have made through thwack posts on others that had an issue, but still not working. the only thing i can think of that is different is that the log files are originating from a non-default location
10/10/2013 16:28 | 108.192.177.172 | Chrystal     |          | (thought I would ask while I could bend your ear)
10/10/2013 16:30 | 12.234.128.131  | colby        |          | IIS 7.x?
10/10/2013 16:30 | 108.192.177.172 | Chrystal     |          | it is 6.x
10/10/2013 16:30 | 12.234.128.131  | colby        |          | the agent maintains the state of what it's reading in the file readerState.xml - you might be able to take a peek in there and confirm that what is configured in the UI is what's configured on the agent itself.
10/10/2013 16:31 | 12.234.128.131  | colby        |          | IIS 6.x should be even less troublesome, theoretically...
10/10/2013 16:31 | 108.192.177.172 | Chrystal     |          | let me take a look at that file...
10/10/2013 16:34 | 70.169.66.194   | ToddL        |          | What is the correct way to add storage to LEM? My log area is 71% full.
10/10/2013 16:34 | 12.234.128.131  | colby        |          | you can expand the virtual disk
10/10/2013 16:34 | 12.234.128.131  | colby        |          | it will maintain itself within the space available
10/10/2013 16:35 | 12.234.128.131  | colby        |          | i.e. if it gets to 90%, it won't get to 100%, it'll cycle out old data
10/10/2013 16:35 | 12.234.128.131  | colby        |          | there's a KB on expanding the disk - let me grab it
10/10/2013 16:35 | 12.234.128.131  | colby        |          | http://knowledgebase.solarwinds.com/kb/questions/3717/Resizing+a+LEM+Virtual+Appliance+v5.4+or+above
10/10/2013 16:36 | 108.192.177.172 | Chrystal     |          | nicole, where can i find that xml?
10/10/2013 16:36 | 70.169.66.194   | ToddL        |          | by expand do you mean increase the current disk or add a new disk?
10/10/2013 16:36 | 12.234.128.131  | colby        |          | everything is on one disk
10/10/2013 16:36 | 12.234.128.131  | colby        |          | so increase current disk
10/10/2013 16:36 | 12.234.128.131  | colby        |          | readerState.xml - should be in ContegoSPOP\spop\
10/10/2013 16:36 | 69.30.53.222    | byrona       |          | You mention file auditing, is that something that is turned on separately?
10/10/2013 16:36 | 12.234.128.131  | colby        |          | windows\system32 (or syswow64)
10/10/2013 16:36 | 12.234.128.131  | colby        |          | file auditing - Windows File Auditing
10/10/2013 16:37 | 12.234.128.131  | colby        |          | not file integrity monitoring yet
10/10/2013 16:37 | 69.30.53.222    | byrona       |          | Ok, yeah I made that Feature Request LOL
10/10/2013 16:37 | 12.234.128.131  | colby        |          | it's sort of second tier on what we're working on.
10/10/2013 16:37 | 12.234.128.131  | colby        |          | so, don't expect it imminently, but...
10/10/2013 16:38 | 69.30.53.222    | byrona       |          | Having both SIEM and FIM in the product would make it super awesome!
10/10/2013 16:38 | 12.234.128.131  | colby        |          | surprisingly a LOT of people are using windows file auditing and are more happy with that than they should be
10/10/2013 16:38 | 12.234.128.131  | colby        |          | I think maybe PCI auditors stopped applying pressure there
10/10/2013 16:39 | 69.30.53.222    | byrona       |          | PCI is our big driver for FIM capabilities
10/10/2013 16:40 | 69.30.53.222    | byrona       |          | When you say Windows File Auditing, are you talking about just looking at File Audit logs or something more specific?
10/10/2013 16:40 | 12.234.128.131  | colby        |          | the auditing built in to windows - that generates events in the security log
10/10/2013 16:40 | 72.192.75.207   | Loop1Systems | Chrystal | Great presentation Nicole. Thank you.
10/10/2013 16:41 | 12.234.128.131  | colby        |          | no problem! hope it was helpful.
10/10/2013 16:41 | 12.234.128.131  | colby        |          | logs are a lot to chew on
10/10/2013 16:41 | 69.30.53.222    | byrona       |          | Ah, the Audit Policy; audit object access?
10/10/2013 16:41 | 12.234.128.131  | colby        |          | yes
10/10/2013 16:41 | 69.30.53.222    | byrona       |          | Ok, thanks
10/10/2013 16:41 | 69.30.53.222    | byrona       |          | Yeah, awesome presentation!
10/10/2013 16:42 | 12.234.128.131  | colby        |          | I'll be around for a bit if anyone has questions or wants to chat about LEM (or... whatever... it's 4:40 on a Thursday. Early TGIF?)
10/10/2013 16:42 | 70.169.66.194   | ToddL        |          | I have trouble creating the filters. Is there a good doc on how to?
10/10/2013 16:42 | 12.234.128.131  | colby        |          | let me get you a couple of filters videos
10/10/2013 16:43 | 12.234.128.131  | colby        |          | here's the short filters video - the one linked in the "getting started": http://www.solarwinds.com/resources/videos/effectively-creating-filters-and-monitoring-events-with-log---event-manager.html
10/10/2013 16:43 | 108.192.177.172 | Chrystal     |          | am i looking for something specific in this xml?
10/10/2013 16:43 | 12.234.128.131  | colby        |          | more detailed: http://www.solarwinds.com/resources/videos/how-to-create-filters-in-your-solarwinds-lem-console-to-pinpoint-events-of-interest.html
10/10/2013 16:43 | 12.234.128.131  | colby        |          | and notifications/widgets: http://www.solarwinds.com/resources/videos/monitoring-your-solarwinds-lem-filters-using-desktop-notifications-and-graphical-widgets.html
10/10/2013 16:44 | 12.234.128.131  | colby        |          | there should be a line that corresponds to your IIS config - confirm that the logLocation in that XML matches where it should be
10/10/2013 16:44 | 12.234.128.131  | colby        |          | does it have a filename at the end or is it still the directory?
10/10/2013 16:44 | 12.234.128.131  | colby        |          | (if filename, is it the current one?)
10/10/2013 16:45 | 108.192.177.172 | Chrystal     |          | file name looks correct
10/10/2013 16:45 | 70.169.66.194   | ToddL        |          | Thanks
10/10/2013 16:45 | 12.234.128.131  | colby        |          | ok, good. does the logStartPoint have a number other than 0 or -1?
10/10/2013 16:45 | 12.234.128.131  | colby        |          | this tells us that it's following the log at least
10/10/2013 16:46 | 12.234.128.131  | colby        |          | the next thing is why it doesn't think there's data in it
10/10/2013 16:47 | 108.192.177.172 | Chrystal     |          | 0 on all
10/10/2013 16:48 | 108.192.177.172 | Chrystal     |          | not sure. i can force a log to be created and see it in the log file on the server
10/10/2013 16:48 | 12.234.128.131  | colby        |          | is there data in the corresponding log file?
10/10/2013 16:49 | 108.192.177.172 | Chrystal     |          | i have tried all of your suggestions from the thwack posts.... i have all logging fields applied, collecting daily logs, restarting IIS, waiting a day.... idk. i'm stuck
10/10/2013 16:49 | 108.192.177.172 | Chrystal     |          | yes
10/10/2013 16:49 | 12.234.128.131  | colby        |          | if you want to send me the info I can help you dig in
10/10/2013 16:50 | 108.192.177.172 | Chrystal     |          | awesome. i appreciate it. i have tried several variations with no success. feel like pulling my hair out on this. i don't get stumped often in there
10/10/2013 16:50 | 12.234.128.131  | colby        |          | yeah, I can have dev take a look when we get stuck, at least rule some stuff out.
10/10/2013 16:51 | 108.192.177.172 | Chrystal     |          | ok i will email you some screenshots and the info.
10/10/2013 16:53 | 12.234.128.131  | colby        |          | perfect
10/10/2013 17:00 | 12.234.128.131  | colby        |          | thanks everyone for hanging out at thwackCamp chat today!! if Danielle were here she'd say to not forget about the day 2 mission: http://www.surveygizmo.com/s3/1378181/744b442d784e
10/10/2013 17:01 | 67.79.13.42     | sandip       |          | thanks Nicole!
10/10/2013 17:03 | 67.79.13.42     | sandip       |          | Have a great night everyone and we'll see you tomorrow!!