Comments
-
Can you check that the date/time and timezone on your LEM is correct?
-
Click the line above the one you have selected, then click the "Event Details" button. Expand the frame, and screenshot that.
-
You could also use the free Kiwi syslog tool to do this: Download Kiwi Syslog - Cattools | Kiwi
-
You could probably get one of them to run a PowerShell script and then take those results from the various systems to build something like a Report, but I don't think SAM or NPM have any stock component monitors for "Local Group Membership" monitoring.
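One way to do what the comment above suggests, as an added example that is not part of the original thread: a PowerShell script that pulls local group membership from several hosts over WinRM, flags members outside an approved baseline, and writes a CSV you could feed into a report. The host names, group list and approved-member list are constructed placeholders; it assumes PowerShell 5.1+ on the targets (for Get-LocalGroupMember) and local admin rights on each.

```powershell
# Added example (not from the original thread): collect local group membership
# from several Windows hosts and flag members that are not on an approved list.
# Assumes PowerShell 5.1+ on the targets (Get-LocalGroupMember), WinRM enabled,
# and that the account running it has local admin rights on each host.
param(
    [string[]]$ComputerName = @('LAB-WS01', 'LAB-WS02'),          # constructed sample names
    [string[]]$Groups       = @('Administrators', 'Remote Desktop Users'),
    # Constructed sample baseline; replace with your own approved principals.
    [string[]]$Approved     = @('LAB\Domain Admins', 'LAB\Workstation Admins'),
    [string]$OutFile        = '.\LocalGroupMembership.csv'
)

$results = Invoke-Command -ComputerName $ComputerName -ArgumentList (,$Groups) -ScriptBlock {
    param([string[]]$Groups)
    foreach ($g in $Groups) {
        try {
            # Get-LocalGroupMember can throw on orphaned SIDs; catch per group so one
            # bad entry does not hide the rest of the host's data.
            Get-LocalGroupMember -Group $g -ErrorAction Stop | ForEach-Object {
                [pscustomobject]@{
                    Computer    = $env:COMPUTERNAME   # evaluated on the remote host
                    Group       = $g
                    Member      = $_.Name
                    ObjectClass = $_.ObjectClass
                    Source      = $_.PrincipalSource
                }
            }
        } catch {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME; Group = $g
                Member   = "ERROR: $($_.Exception.Message)"; ObjectClass = ''; Source = ''
            }
        }
    }
}

# Mark anything outside the approved baseline so the report is reviewable at a glance.
$report = $results | Select-Object Computer, Group, Member, ObjectClass, Source,
    @{ Name = 'Approved'; Expression = { $Approved -contains $_.Member } }

$report | Sort-Object Computer, Group, Member | Export-Csv -Path $OutFile -NoTypeInformation
# Print only the unexpected members to the console for a quick review.
$report | Where-Object { -not $_.Approved } | Format-Table -AutoSize
```

Running it on a schedule and diffing successive CSVs is the simplest way to catch membership drift between polls.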
-
Glad to hear it!
-
I think I know what was causing the issue, and this has been updated to remedy the problem. Please give the new version a try and let me know if it's still borked.
-
I only have a lab system with about 15 machines to test against, but the report is looking for any one of about 10 KBs and the MS17-010 classification, so it may be that my attempt to be more thorough is leading to a really large data set. If you look at the list I based the report on, if you don't have Windows XP or Server…
-
On my test system, it was less than a minute, but depending on the number of nodes and speed of your database it could take longer.
-
That looks like a really nifty graphic for breaking down the rule. I haven't been able to test it in production (fortunately?) and I would be surprised if newer versions of ransomware didn't operate differently. At this stage, this rule is more an exercise in what could be possible than a practical example.
-
Part of the event trail this rule looks for is modifications to the registry and services, which only get logged on the local machine. If you're concerned about infected workstations, it would require those logs as well.
-
I've had mixed feedback that some people can import TXT files and some can import CSV files. Have you tried changing the file type?
-
It can, in that it'll identify where CCleaner and other possibly affected tools are/were installed. Based on my reading, even running an uninstall won't necessarily remove the infected code or controlling registry keys, so this can help you look beyond the Programs and Features dialog.
-
Have you imported the UDG that was included as well? You may need to do that, then close and re-open the rule.
-
A number of factors contribute to LEM memory utilization. How many events are your nodes generating a day (week/hour/minute/second)? Are these events spread evenly over 24 hours or do you get spikes and troughs on specific days or during specific hours? How active are your rules? Rules are probably the biggest user of…
-
I'd trust the support team if they say tuning is needed. Obviously I'm guessing, but I'd wonder if your Database Maintenance Report shows a LOT of events, or if you maybe have some hyper-active rules. While 8GB is enough memory to get the LEM started, it certainly isn't a cap on how much memory the LEM can and will use if…
-
This report was written for and is intended for use with Solarwinds Patch Manager (the forum this is shared in). Are you trying to import into SPM or NPM? This report will not work with Network Performance Monitor.
-
I've used these steps to get CheckPoint working in the past: http://knowledgebase.solarwinds.com/kb/questions/3158/Integrating+Check+Point+with+SolarWinds+LEM So, it appears that you have the Opsec Application setup correctly based on the screenshots. Did you set the one-time password in the Communication screen under the…
-
Nope, that might be worth having support look at the Vormetric connector to see if they can suggest a fix and then we can apply that to the Generic Connector.
-
Yeah, I don't think I can do anything about that. If you test with another connector set to nDepth (I suggest the Vormetric connector), is there still a delay?
-
Yeah, I went and borrowed a lab that had never had the raw logging enabled, configured it, and it all seemed to work. There was a noticeable delay between sending data and it being searchable, but I have no idea what the cause there may be.
-
I've had a couple of people eyeball my XML code (totally unofficially) and they didn't find anything obviously wrong with it. Rooting into my lab, I was able to confirm that the connector is moving through the log data it receives. Now, I set up a known good connector (Cisco) and had it send nDepth data, and it looks like my…
-
Revision 2: I apparently removed a line that I shouldn't have, and I put it back. It's starting in my lab now.
-
Correct. Reports and Rules are built on normalized data, and this connector won't produce any.
-
I'm pretty sure that the Support team won't kick you to the curb for having a single off-label connector (and when I was in Support, I saw more than a few attempts to manipulate the connectors), but I understand the concern. I know that the product team is aware of the need and requests.
-
I'm not a part of the connector team, dev team or product management team for LEM, so I can't promise any support. If someone identifies an issue I can fix, I'll take a whack at it and then re-upload, but I don't want to set the expectation and then disappoint. I've played with this in my lab, it seems to work, and I want…
-
It looks like SCCM creates messages to audit all the possible actions that might be taken (How to configure SCCM Security Auditing) but I don't have any idea where it puts those logs or information at this moment. It doesn't look like SCCM writes this to a flat-file or one of the system logs. If we can figure out where…
-
If you go to Build --> Rules, click the gear in the upper right corner, and then pick "Import" it should allow you to import the SWRUL files.