Comments
-
Josh, rebooting may help, but if you know what the device is (Sophos WS) and where it logs to (which local facility on the LEM?) you can create the connector manually and the LEM should detect and break out all the devices sending logs to that location. In Manage --> Appliances, click the gear next to your LEM, and pick…
-
This usually occurs when:
* The Crystal Report run-time is not installed
* The Crystal Report run-time was not installed with the "Run as Administrator" option in Windows Vista/7/8
Please uninstall and re-install the Crystal Runtime (available from this page) and try the reports again.
-
I'll have to dig around to see if LEM users can change their passwords, but might I suggest an alternative? If you configure the LEM Appliance with a Directory Services Query Tool Connector, you can create users based on your AD structure. That means that people log into the LEM with their AD credentials. They can change…
-
If you download and open the connector package ZIP, there is a text file inside that denotes the date the package was released. I'm not sure who updates the web page, but that file should be definitive. Looks like we've had at least one update in June 2016.
-
This KB will help you set the LEM up for collecting raw logs, but you'd still need a connector.
http://knowledgebase.solarwinds.com/kb/questions/3295/Configuring+Your+LEM+Appliance+for+Log+Message+Storage+and+nDepth+Search
I also have a Synology NAS in my home network, and I'd love to get it logging to the LEM, but I can't…
-
The LEM captures and populates based on what's in the Windows Event fields. Windows logs the whole path; there isn't a way to make LEM mask that.
-
Under Event Groups, look at Network Audit Alerts. There's source/destination port fields. I'd expect the search to return specific event classes (like TCPTrafficAudit or IPTrafficAudit), and then you could build a rule to look for those events with the right characteristics for alerts.
-
The first thing I would do is make sure you have the latest connector pack from the Customer Portal or this page: SolarWinds Knowledge Base :: How to apply a LEM connector update package. It's possible that there is a new revision of an existing Juniper connector or a new connector that will match the log data that the LEM…
-
You asked this in the Log and Event Manager forum, so you may not get a good answer here.
-
If the master image has a populated contegospop\spop folder, that will cause problems when it's cloned to make a new VDI.
-
Agent IDs are assigned sequentially, and an Agent gets an ID on its first connection to the LEM appliance. This ID is encoded in the certificates that the Agent gets on first run, so if you're getting duplicates that would suggest that the Agent install folder was copied to multiple machines (perhaps VDIs?) We have…
-
This probably needs to be submitted as a Feature Request if it doesn't already exist and needs to be up-voted.
-
I don't have a DHCP server running the LEM Agent to test this in the lab, but... Windows DHCP Server 2000-2008 are supported as connectors in LEM. The connectors read the directory for DHCP logs (which changes with each Windows iteration). It also appears, based on Microsoft Documentation, that those log files include…
-
In the Reports console, the Database Maintenance Report may shed some light on this. In the CMC console, go to APPLIANCE and run a DISKUSAGE. That will also show some details. I'm guessing you have syslog backing up, which could be handled with a couple more commands under the APPLIANCE menu in CMC. SETLOGROTATE --> Change…
-
Yes, it is.
-
First, I would upgrade to LEM 6.2.1 and make sure that you have the latest connectors installed on the LEM to see if we can stop the problem entirely. Second, when the connector stops, if you pull a DEBUG from the LEM that will give you (or Support) logs that should indicate any errors or issues the system hit that may…
-
Looking at the Sourcefire 3D connector, it appears we're expecting you to just send syslog from the devices to the LEM virtual appliance, not use the Agent. It could be that Sourcefire doesn't have all the components needed for the LEM Agent for security or simplicity reasons.
-
Some additional info, please:
* What version is Reports?
* What version is the LEM?
* Can you try the following?
* Open the Properties of the Reports shortcut
* At the end of the Target: line, outside the quotes, add /L. The line should end like this: SolarWinds Log and Event Manager Reports\SWLEMReports.exe" /L
* Open…
-
https://www.youtube.com/watch?v=9Naf1sG3WuQ
-
Checkpoint devices don't seem to really like syslog, but we do have an integration using their Opsec NG applications. Integrating Check Point with SolarWinds LEM - SolarWinds Worldwide, LLC. Help and Support
-
You'll find "Any Alert" in the Event Groups drawer when you're building filters. Here's one I have for all events from my laptop. It looks for the DNS/hostname and the IP address.
-
That rule, by default, is driven by a User Defined Group that contains "root" and "administrator." Have you added your own criteria to the rule to include your critical accounts?
-
USB Defender creates events in the Windows Application log when devices are attached and detached. Can you check the logs on the origination machine to see what's happening? If I look in my Application log, I see events like this when I connect my phone: Log Name: Application Source: TriGeo USB-Defender Date: 7/6/2015…
-
Presumably you have a rule that's alerting to failed logins. You could add a correlation to this rule to exclude the Spiceworks IP:
-
1) You need to configure the Agent (Manage --> Nodes) with the connectors for the data that server is receiving, and point the connectors at the right file locations on Linux file system.
2) No.
3) None, the Agent will do the normalization and send the data automatically.
-
Connectors get configured where the logs will be normalized. This means that for most syslog devices, where the data is sent to LEM in raw syslog format and the LEM appliance is doing the normalization, you would configure the connectors on the LEM appliance (under Manage --> Appliances). System and application logs are…
-
I'm sorry, I'm not sure where in the Log and Event Manager UI you're looking. Can you send a screenshot?
-
Can you connect to the DB server with SQL Server Mgmt Studio and check the properties on the Database Server Instance Name? Or what does it show for instances in the SQL Server Configuration Manager?
-
When a LEM rule hits the "Block IP" action, it sends a block IP command to every firewall device for which an "Active Response" has been configured under Manage --> Appliances --> Connectors.
-
Please define "unable" in this context. Is there an error? Is the file empty? What is happening when you make the attempt? We need more information to help you troubleshoot.