Comments
-
You'd need to ask Fortigate that for a real answer, but I have seen people with the Analyzer and Syslog options set at the same time.
-
On the impacted machines, can you telnet to the LEM on port 37892? That connection appears to be failing. Does DNS on the impacted systems come up with the right IP for qcswlem.qchek.com?
-
So it appears that you should be able to run reports for dates as far back as 11/17/2014 at 01:17 AM.
-
This was an issue we saw occasionally with 6.0.0. 6.0.1 has code to prevent this issue, but it doesn't appear that FIM installed correctly. You might want to uninstall and reinstall the 6.0.1 Agent.
-
Please update to 6.1 and let the LEM upgrade the Agents. Some operations will always show SYSTEM but you should see user names for most delete, create and write events once you upgrade.
-
This filter is dependent on the "Admin Accounts" User Defined Group, so your Admin Accounts need to be specified in that group.
-
Can we have a screenshot of the Time of Day set? Also, I'd use "Detection Time" instead of Insertion Time.
-
Like nicole pauls said, I think if you were to actually try this exploit on the LEM, you'd find that the Apache has been fixed so it's not possible, so the PEN test is just tripping on the version string. At the same time, the LEM shouldn't be open to the Internet (we don't support that), so the potential list of "hackers"…
-
Well, at this point, you have three options:
* Get a license from Solarwinds
* Contact Solarwinds sales and get an eval extension
* Nuke your LEM and redeploy, which will restart the 30 day evaluation license

I get that it's inconvenient, but 30 days is a pretty long time to get to use something as powerful as LEM for free…
-
You'll want to open a support ticket. What we'll probably need to know is the credentials for that table, to know what sort of DB it is, and we'll probably want an export of the DB/table so that we can test against it.
-
The fields I use in the video are "made up" in the sense that you can put anything in the variable names. You could have variables called bacon, ham, egg, and potatoes. If you want to use the same field names that the LEM does, go to Monitor, nDepth or Rules: if you pull up a new filter/search/rule and pull up an event,…
-
This is the article I used to get that information: Auditing Group Policy changes – Canberra Premier Field Engineering: Team Blog The name is there, it's {67299FB4-1A29-...33E2C8}. Oh wait! You wanted the completely rationally expected human readable name of the policy? Microsoft didn't think that was a requirement, so…
-
Whitelist specific USB Device model - LEM I wrote that for a similar question. You'll want the values from the Extraneous Info in the DATA column of the Authorized USB Devices group.
-
That could be useful to modify the agent for really busy VDI environments. You should put that in as a Feature Request.
-
Are you also running LEM 5.5? We'd suggest that you upgrade, and make sure your connectors are all up to date.
-
We have literally tens of thousands of agents deployed, and if there was something generally wrong, we'd know. That said, it may be that there is a queue file from a network outage that wasn't handled properly a long time ago and the Agent is re-sending it? Maybe Support could help with that. On that machine, is there…
-
If that's the case, what is the "Response Time" on the USB defender rule? Dumped data shouldn't be triggering rules.
-
The LEM can have some goldfish tendencies (expanding to fill all available space) but Checkpoint firewalls are infamously super chatty and capable of generating tons of traffic, which requires more memory.
-
Wouldn't that just be a failed log on? We have template rules for that.
-
Looks like someone has already started that process: http://thwack.solarwinds.com/ideas/3546
-
Just seconding Lawrence Garvin: The LEM can have multiple Directory Query tools and import users/groups from multiple domains. However, there's no way to prevent a user from Domain/Forest A from searching events from Domain/Forest B if they all log to the same place. Maybe the type of events you log don't include enough…
-
I think there are two critical things to understand about USB Defender: The first is, USB Defender doesn't allow or disallow devices to work on a system in and of itself. All USB Defender does is improve the native Windows logging around USB devices, and add those logs (like the one you saw) to the Event logs so the LEM…
-
Just to back up HolyGuacamole with some pictures: You'd want a rule that was at least this complicated: The circled thing is what Guac is referring to. Then you can do this: And that means the LEM has to see 5 events in 30 seconds from the same DetectionIP. You can obviously use other fields as well if you want to play with…
-
I did some Googling, and the suggestion I found for the error resolution is using the IP address instead of the hostname of the server. Are you using a hostname in the backup commands?
-
That can be variable based on your environment, but I think 1 to 2 hours is reasonable.
-
Yes, this will work on Debian and Ubuntu.
-
I don't know of any scenario to change that setting from the default. You'd probably need to talk to Kaspersky about the connection string options.
-
You're in the LEM forum here, is this for Log and Event Manager? LEM doesn't use or support SQL, nor can it use SQL authentication for anything.
-
I agree with wolram, it's probably the Active Directory connector, though you may have other tools (Cisco IDS or the like) that you set up with RADIUS or TACACS credentials linked to the domain. Ideally, the LEM would have a service account for domain queries. You can get to the AD connector by going to Manage -->…
-
Yep, reservations are a big deal for the LEM! https://thwack.solarwinds.com/docs/DOC-173770