Comments
-
What do you mean "Universal OU"? I have mine nested in the domain like this: CN=ROLE_LEM_ADMINISTRATORS,OU=LEM Roles,OU=Groups,OU=Solarwinds,DC=corvega,DC=int So it's not in the default Users OU or in the top level of the domain. Can you clarify what you mean by "Universal" OU? My security groups are Global (vs. Universal)…
-
When you look for these events in nDepth, what is populated in the SourceLogonID field? I'm not sure that the Windows logs on the DC actually send that information to the LEM, but I don't have an AD DC to play with in my lab to confirm. Can you capture a sample event?
-
They're version specific, but you should also look at setting up the configuration backup. That captures the user-settings (and other things), and while the customer accessible restore feature is very much a "Nuke and pave" of the LEM config, you'd have all the files and settings for your filters and searches. Support…
-
That may work for NPM Syslog, but you won't be able to get that access to LEM's database (and the DB isn't SQL).
-
I'd say open a Support case and see if this needs to go to the devs. Also, is this still an issue in 6.3.0?
-
That would be accomplished by creating rules for the event that you want to alert on. There are some training videos available here: Video |THWACK Basically, when you ran the search, your results would have included an "EventName." You'd want to start with that information, and then alert off the different fields of the…
-
You'll need to create a mail template with the info that you want, and then populate it in the rule. The field you want is "SourceAccount." This video should help: https://www.youtube.com/watch?v=9Naf1sG3WuQ
-
Have you opened a ticket with Support on this yet? If NTLMv2 is somehow broken in 6.2, we'd need the Support history so the issue can be diagnosed and sent to our developers for resolution. https://customerportal.solarwinds.com/support/submit-a-ticket/
-
Detection time is the original time stamp in the event log, so that means the events were logged to the original system on Friday the 8th. Insertion time is when the LEM actually got the event and put it in the Database, Monday the 11th. The Agents cache data when they can't reach the LEM, so this can happen if there was a…
-
You may want to call into the help desk and open a ticket so we can setup a GoToMeeting and look at your request in some detail.
-
You can always add your vote to the feature request as well: http://thwack.solarwinds.com/ideas/3846
-
I decided to have a go at it and created a CAB file. Use at your own risk, but it might be a good starting point. LEM 6.1.0 Catalog
-
Select Expert will not allow you to change the layout/view of a report, so no removing or adding or rearranging columns with the LEM Reports console. You can run modified reports on a schedule, though. * Pick a stock report to start with, run it for some time-range. Shorter is better, so long as it includes some sample(s)…
-
To filter the report using the Reports Console: * Run a "File Audit Events" report, I recommend only running it for a 10 or 30 minute span, something short * When the report completes, pick the Select Expert option in the View Ribbon * When the prompt comes up, pick "New" * Pick "(FileAudit_1.FileName)" from the list * Set…
-
Make sure your reservations and assignments match, or LEM will be very unhappy when something else balloons and steals its memory!
-
You can't do a wildcard, but you can have the same action more than once, so add a second "Remove Domain User From Group" and use the second DC in the second action.
-
The LEM0 is a known issue with using a LEM 5.6+ license on a LEM 5.5 or older system. The upgrade would sort that out, but you still want support to sort out the DB before you start an upgrade. Or you can decide to nuke the DB and start from scratch, which eliminates the whole problem. That will be a choice in the 5.6…
-
Are you talking about accessing CMC from SSH? Or from the virtual appliance console in Hyper-V or VMware?
-
If you disabled or enabled rules, and didn't hit the "Activate Rules" button, maybe. Otherwise, I'd say grab a debug and open a support ticket. Get the debug soon so that any relevant breaks might still be in the data. * SSH into the LEM * Go to the MANAGER menu * Run DEBUG, follow the prompts * Open a support ticket…
-
kolev: If you've upgraded to LEM 5.7, there's a Hotfix 1 that specifically relates to the Log4Net connector. From the ReadMe: Agent Issue Resolved • This resolves support case 535995 - Unable to start/stop connector instances - This only needs to be done if using the "Log4Net" connector • This resolves support case 268630…
-
Port 37890 is only used by Agents when they first run, to kick off the certificate exchange. Then they move to 37892. 37891 is a back-up port, and provided in case you're running old Agent software.
-
There's a limit of 10 million events and 2GB on any report, so if the resultant report will get more than either of those, it'll fail. A whole year on a LEM will probably break at least one of those limits.
-
Okay! Correlation box 101: The "X events in Y" is easy: the LEM will wait for the correlation conditions to be "TRUE" X times in Y time frame before firing. Response Window is "If the events are more than Z time from the present, then don't bother to take the actions." So, you have a network segment get disconnected.…
-
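The two comments above on detection time versus insertion time and on the correlation box ("X events in Y" plus a response window) describe behaviour that is easier to see in code. The following is an added example written for this page, not LEM's own code: a small Python correlation rule that fires after a threshold of matching events within a sliding window, and skips its actions when the firing event's detection time is further behind its insertion time than the response window allows. The rule name, event field names and the sample events are all constructed for the illustration (the cached-burst timestamps mirror the Friday-the-8th/Monday-the-11th scenario above).

```python
from collections import deque
from datetime import datetime, timedelta


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


class CorrelationRule:
    """Hypothetical re-implementation of the two correlation-box settings.

    threshold/window:  fire once `threshold` matching events have detection
                       times within `window` of each other ("X events in Y").
    response_window:   when the rule fires, only run the actions if the event
                       is at most `response_window` old relative to the time the
                       manager inserted it; older events (e.g. cached by an Agent
                       during an outage) are still correlated but not acted on.
    """

    def __init__(self, name, match, threshold, window, response_window):
        self.name = name
        self.match = match
        self.threshold = threshold
        self.window = window
        self.response_window = response_window
        self._hits = deque()

    def process(self, event):
        """Return None, or a dict describing the firing and whether actions ran."""
        if not self.match(event):
            return None
        detected = _ts(event["DetectionTime"])   # original event-log timestamp
        inserted = _ts(event["InsertionTime"])   # when the manager stored it
        self._hits.append(detected)
        # Slide the Y window: drop hits that are older than `window` before this one.
        while detected - self._hits[0] > self.window:
            self._hits.popleft()
        if len(self._hits) < self.threshold:
            return None
        self._hits.clear()            # start counting afresh after a firing
        age = inserted - detected     # how far behind "the present" the event is
        return {"rule": self.name, "detected": detected,
                "actions": age <= self.response_window, "age": age}


# Constructed sample events (not real LEM output). April 8 2016 is a Friday,
# April 11 2016 a Monday; the second burst was cached by an Agent over the weekend.
SAMPLE_EVENTS = [
    {"EventName": "UserLogonFailure", "SourceAccount": "jdoe", "DetectionTime": "2016-04-08 09:00:05", "InsertionTime": "2016-04-08 09:00:06"},
    {"EventName": "UserLogon",        "SourceAccount": "jdoe", "DetectionTime": "2016-04-08 09:00:10", "InsertionTime": "2016-04-08 09:00:11"},
    {"EventName": "UserLogonFailure", "SourceAccount": "jdoe", "DetectionTime": "2016-04-08 09:00:20", "InsertionTime": "2016-04-08 09:00:21"},
    {"EventName": "UserLogonFailure", "SourceAccount": "jdoe", "DetectionTime": "2016-04-08 09:00:40", "InsertionTime": "2016-04-08 09:00:41"},
    {"EventName": "UserLogonFailure", "SourceAccount": "asmith", "DetectionTime": "2016-04-08 17:10:00", "InsertionTime": "2016-04-11 08:00:00"},
    {"EventName": "UserLogonFailure", "SourceAccount": "asmith", "DetectionTime": "2016-04-08 17:10:10", "InsertionTime": "2016-04-11 08:00:00"},
    {"EventName": "UserLogonFailure", "SourceAccount": "asmith", "DetectionTime": "2016-04-08 17:10:30", "InsertionTime": "2016-04-11 08:00:01"},
    {"EventName": "UserLogonFailure", "SourceAccount": "bking", "DetectionTime": "2016-04-11 10:00:00", "InsertionTime": "2016-04-11 10:00:01"},
    {"EventName": "UserLogonFailure", "SourceAccount": "bking", "DetectionTime": "2016-04-11 10:00:30", "InsertionTime": "2016-04-11 10:00:31"},
    {"EventName": "UserLogonFailure", "SourceAccount": "bking", "DetectionTime": "2016-04-11 10:02:00", "InsertionTime": "2016-04-11 10:02:01"},
]


def run_demo():
    """Run the sample stream; return (event index, actions taken?) per firing."""
    rule = CorrelationRule(
        name="3 logon failures in 60s",
        match=lambda e: e["EventName"] == "UserLogonFailure",
        threshold=3,
        window=timedelta(seconds=60),
        response_window=timedelta(hours=1),
    )
    firings = []
    for i, event in enumerate(SAMPLE_EVENTS):
        result = rule.process(event)
        if result is not None:
            firings.append((i, result["actions"]))
    return firings


if __name__ == "__main__":
    for index, acted in run_demo():
        print(f"fired on event {index}; actions {'taken' if acted else 'suppressed (stale)'}")
```

Three things are visible when this runs: the live Friday burst fires on the third failure and the actions run; the cached burst also fires (three failures within 60 seconds of event time), but because the insertion time is more than an hour after the detection time the response window suppresses the actions; and the Monday events never fire, because the third one is more than 60 seconds after the other two and the window slides them out before the count is checked.
-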
If you change the connector to get nDepth and Alert, do you see the whole message in the nDepth Raw Log Search? Would that work for what you need?
-
The "Logout" button in the 5.6 web interface is notorious for corrupting user profiles. We advise just closing the window instead of logging out. If you're already at this stage, the fix is pretty easy, but you'll need to call the help desk so we can root in and clear the bad data.
-
* Have you got the latest Hotfix on your system? * Did you enter the domain with the user account?
-
You're doing monthly host OS updates on a LEM? How do you do that?
-
I pulled that case, and we were told by the customer to close it about 6 hours ago. Also, @evanr did provide the answer for his version of the issue: " I suspect there may be an underlying network issue as these machines are in a separate offsite data center that has a site-to-site with our production location. There…
-
I did warn that was the case... "This data isn't used in Reports, Rules or Filters, but you can search it. That's about it."
-
Leny, can you redownload and try again? The VHD should be in there.