Comments
-
Please try the following:
* SSH into the LEM
* Go to the SERVICE menu
* Run the UNRESTRICTREPORTS command
Does that change anything when you try to telnet or run Reports?
-
Dobbs, First, I'd make sure you were running the latest connector pack in case this normalization has been added in a new revision of the connector. SolarWinds Knowledge Base :: Applying a LEM Connector Update Package As of today, it looks like a connector pack was published...today! It looks like the IIS 8.5 connector is…
-
It looks like it should work on Server 2003, based on the req's page. Remote Syslog Server | System Requirements | Kiwi Syslog Server You might have more luck asking this in the Kiwi Syslog forum instead of the LEM forum, though. Kiwi Syslog
-
No, but you can assign the pre-defined roles:
* Administrator
* Monitor
* Auditor
* Guest
* Reports
* Contact
-
I don't know that I'd trust compliance advice from a forum, as no one here is certifiably a lawyer or auditor. I think the underlying question is, does any of that traffic pertain to personally identifiable information (PII)? For PCI, you'd be concerned about payer and card-holder data. For SOX, you're concerned about your…
-
I would think most of that should be filtered at the sending device. If the noise is expected or part of regular operation, it's not really essential to log broadcast messages like ARPs.
-
Do you have some examples of the events that you're curious about? "Noise" is a little generic.
-
What is the LEM Role of the user that you're trying to modify?
-
Hello! Please take a look at this KB article: SolarWinds Knowledge Base :: Use an SSH client to connect to your LEM appliance "After you connect, log into the LEM appliance to make changes or view data. The user account for these functions is cmc and you set the password after activating your LEM license. If you are…
-
Have you opened a ticket with Support on this yet? If NTLMv2 is somehow broken in 6.2, we'd need the Support history so the issue can be diagnosed and sent to our developers for resolution. https://customerportal.solarwinds.com/support/submit-a-ticket/
-
LEM 6.3.0 was made available for demo/eval downloads and to customers via the Customer Portal on Aug 16 2016.
-
Can you run a search like that in nDepth? That will at least show what rules are sending emails. This video will explain how to resolve the blank e-mails: Solarwinds Log and Event Manager - Resolving E-mails With No Information - YouTube
-
I've found that I need to create my own Event Group to get to the type of alert you want. I've attached my Event Group and a sample rule showing both a specific folder condition or using a User Defined Group.
-
Is the rule that's firing called "Suspicious DNS Traffic"? If so, it references a User Defined Group called "Approved DNS Servers." Add your DNS servers to that group.
-
I'm not 100% sure what you mean by configuring the event, but I have a couple ideas (and you can reply and let me know if I'm totally off). One, you can always exclude stuff in Rules and Filters by clicking the operator to switch it from "equals" to "does not equal." You can also use Policy to filter what you do and don't…
-
I'm not sure where you got this nice summary, but I went looking here: CIP Standards And I started looking at the "Subject to Future Enforcement" sections. In short, I don't think LEM is the tool for this particular part of CIP compliance. Patch Manager could certainly help you inventory installed software; manage security…
-
On your systems, can you go to C:\Windows\SysWOW64\ContegoSPOP and look at the spop.conf (is the manager listed correct? It should be the IP or hostname [if you have DNS setup] for the LEM appliance) and look at the spoplog.txt? The SPOP log is pretty human readable, any errors?
-
You can find a list of what Third-Party products are incorporated into Solarwinds products here: Third-Party Software List Under Log and Event Manager, the database is a custom system based on Lucene and SOLR.
-
Rick, In your customer portal, go to License Management --> My Downloads. Change the drop-down to LEM, then pick these:
-
With the disclaimer that "Compliance cannot be achieved by reports alone," and the corollary that garbage-in is garbage-out and nothing-in is nothing-out, here's where I would start in the Reports Client: Go to "Manage Categories" Pick the categories that match your business: Now when you're on the Settings Tab, click the…
-
The first thing I'd suggest you do is make sure you have the latest connector pack. It's possible that this "error" in the normalization has already been addressed and you just need the newest connectors. If updating the connectors doesn't resolve this, you will need to take advantage of your maintenance to call Support…
-
I don't know that we can track down the source, but we could (hypothetically) create a rule that would alert when the behavior of the virus (or any virus) is detected. I made an example: W32.Bugbear Detection Rule
-
We've definitely seen customers who use the LEM as you describe, installing the Agent on key servers like Domain Controllers to gather information. Putting the Agent on all your workstations will allow the LEM to do some more in-depth reporting, of course, and can also allow the LEM to do some magic with workstations, but…
-
It depends on the color of the bar on the right of the group box. Blue with a triangle means AND and all conditions have to be matched to return true. Orange with a semi-circle means OR and any condition matched will return true. You can toggle them by clicking the shape (triangle or semi-circle).
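An added illustration of the AND/OR group semantics this comment describes (all conditions vs. any condition, toggled per group), together with the "Approved DNS Servers" user-defined group mentioned in an earlier comment. This is example code written for this page, not SolarWinds' or LEM's own rule engine; the field names (EventType, DestinationIP, User, SourceIP), operator names, group contents and sample events are all constructed assumptions.

```python
# Added example for this page; it is not LEM's rule engine.  It models how
# nested AND ("all conditions must match") and OR ("any condition matches")
# groups evaluate against an event, and how a rule can reference a
# user-defined group such as "Approved DNS Servers".
# Field names, operator names, group contents and events are constructed.
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Union

Event = Dict[str, Any]

# Constructed user-defined groups (assumed contents, not real addresses).
APPROVED_DNS_SERVERS = {"10.0.0.53", "10.0.1.53"}
ADMIN_JUMP_HOSTS = {"10.0.9.1"}


@dataclass
class Condition:
    field_name: str
    op: str   # "equals", "does not equal", "in group", "not in group"
    value: Any

    def matches(self, event: Event) -> bool:
        actual = event.get(self.field_name)
        if self.op == "equals":
            return actual == self.value
        if self.op == "does not equal":
            return actual != self.value
        if self.op == "in group":
            return actual in self.value
        if self.op == "not in group":
            return actual not in self.value
        raise ValueError(f"unknown operator: {self.op!r}")


@dataclass
class Group:
    mode: str  # "AND" (blue bar / triangle) or "OR" (orange bar / semi-circle)
    members: List[Union[Condition, "Group"]] = field(default_factory=list)

    def matches(self, event: Event) -> bool:
        results = (m.matches(event) for m in self.members)
        if self.mode == "AND":
            return all(results)   # every member must match
        if self.mode == "OR":
            return any(results)   # one matching member is enough
        raise ValueError(f"unknown group mode: {self.mode!r}")

    def toggle(self) -> None:
        """Flip AND <-> OR, like clicking the triangle / semi-circle."""
        self.mode = "OR" if self.mode == "AND" else "AND"


def suspicious_dns_rule() -> Group:
    """DNS traffic to anything outside the approved-DNS-servers group."""
    return Group("AND", [
        Condition("EventType", "equals", "DNSTraffic"),
        Condition("DestinationIP", "not in group", APPROVED_DNS_SERVERS),
    ])


def privileged_logon_rule() -> Group:
    """Logon AND (Administrator OR root) AND source is not a jump host."""
    return Group("AND", [
        Condition("EventType", "equals", "Logon"),
        Group("OR", [
            Condition("User", "equals", "Administrator"),
            Condition("User", "equals", "root"),
        ]),
        Condition("SourceIP", "not in group", ADMIN_JUMP_HOSTS),
    ])


# Constructed sample events.
SAMPLE_EVENTS: List[Event] = [
    {"id": "e1", "EventType": "DNSTraffic", "SourceIP": "10.0.5.7", "DestinationIP": "10.0.0.53"},
    {"id": "e2", "EventType": "DNSTraffic", "SourceIP": "10.0.5.7", "DestinationIP": "8.8.8.8"},
    {"id": "e3", "EventType": "Logon", "User": "Administrator", "SourceIP": "10.0.5.9"},
    {"id": "e4", "EventType": "Logon", "User": "jsmith", "SourceIP": "10.0.5.9"},
    {"id": "e5", "EventType": "Logon", "User": "root", "SourceIP": "10.0.9.1"},
]


def firing_events(rule: Group, events: Optional[List[Event]] = None) -> List[str]:
    """IDs of the events that would make the rule fire."""
    return [e["id"] for e in (events if events is not None else SAMPLE_EVENTS)
            if rule.matches(e)]


if __name__ == "__main__":
    print("Suspicious DNS:", firing_events(suspicious_dns_rule()))
    rule = privileged_logon_rule()
    print("Privileged logon (outer AND):", firing_events(rule))
    rule.toggle()
    print("Same rule, outer group toggled to OR:", firing_events(rule))
```

Toggling the outer group from AND to OR makes the rule fire on every sample event, because any single matching condition is enough; toggling the inner OR to AND makes it never fire, since no user is both "Administrator" and "root". That is the practical reason to check the bar colour before trusting a rule that seems too noisy or too quiet.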
-
SSH into your appliance, go to the APPLIANCE menu and run DATECONFIG. Hit Enter a few times without entering anything. The LEM will return what it thinks the current date and time is. Is this accurate? In the right timezone?
-
I don't think there's any technical reason you can't install Patch on Orion, but where Patch really wants to integrate with WSUS or SCCM, it's much easier to do the install on those servers than trying to integrate across the network. It's doable, but it's easier if WSUS/SCCM are local to Patch. Patch has a web interface…
-
Are you talking about 2950 and 2900 switches? Those have been end of life for a while, so I'm struggling to find any documentation. Are these CatOS or IOS devices? If IOS, can you do a sho run | inc logging and paste it here? The directions you refer to, you mean these for Cisco, right?…
-
What version is the Cisco IPS running, and what version is the LEM?
-
Is there anything that may be interrupting network traffic (flapping ports, duplicate IPs, etc) that may prevent the LEM from seeing the Agent for a few minutes at a time? Or is the service bouncing?
-
Multiple appliances would work, but the licensing might not be worth it, and you lose out on correlations: What if "Bad Thing" is only indicated by Event A and Event B, but Event A is getting reported to Engineering and Event B is going to IT? LEM appliances don't chat to compare correlation notes (as of version 6.2).…
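An added illustration of the correlation loss this comment describes: example code written for this page, not SolarWinds code. "Bad Thing" is modelled as EventA followed by EventB from the same host within a time window; the event names, hosts, timestamps and the window length are constructed assumptions, as is the idea that each appliance correlates only what it has ingested itself.

```python
# Added example for this page, not SolarWinds code: shows why splitting
# event sources between two independent appliances can lose a correlation.
# "Bad Thing" here is EventA followed by EventB from the same host within a
# time window; event names, hosts, timestamps and window are constructed.
from collections import defaultdict
from typing import Dict, List, Tuple

WINDOW_SECONDS = 300

# Constructed events: (timestamp, event_type, host).
EVENTS: List[Tuple[int, str, str]] = [
    (100, "EventA", "srv1"),   # e.g. a new local admin account appears
    (130, "EventB", "srv1"),   # e.g. an unexpected outbound connection
    (300, "EventA", "srv2"),
    (900, "EventB", "srv2"),   # EventB, but 600 s later: outside the window
    (950, "EventB", "srv3"),   # EventB with no preceding EventA at all
]


class Appliance:
    """One LEM-like appliance: it can only correlate what it has ingested."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.events: List[Tuple[int, str, str]] = []

    def ingest(self, event: Tuple[int, str, str]) -> None:
        self.events.append(event)

    def correlate(self) -> List[Tuple[str, int]]:
        """(host, time) of every EventB that follows an EventA on the same
        host within WINDOW_SECONDS, using only this appliance's own events."""
        by_host: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
        for ts, kind, host in sorted(self.events):
            by_host[host].append((ts, kind))
        alerts: List[Tuple[str, int]] = []
        for host, evs in by_host.items():
            a_times = [ts for ts, kind in evs if kind == "EventA"]
            for ts, kind in evs:
                if kind == "EventB" and any(
                        0 <= ts - ta <= WINDOW_SECONDS for ta in a_times):
                    alerts.append((host, ts))
        return alerts


def single_appliance() -> List[Tuple[str, int]]:
    """Everything goes to one appliance, so the correlation is possible."""
    lem = Appliance("lem")
    for ev in EVENTS:
        lem.ingest(ev)
    return lem.correlate()


def split_by_event_type() -> Dict[str, List[Tuple[str, int]]]:
    """EventA is reported to Engineering's appliance and EventB to IT's.
    Neither appliance sees both halves, so neither can fire."""
    eng, it = Appliance("engineering"), Appliance("it")
    for ev in EVENTS:
        (eng if ev[1] == "EventA" else it).ingest(ev)
    return {a.name: a.correlate() for a in (eng, it)}


def split_by_host() -> Dict[str, List[Tuple[str, int]]]:
    """Split by source instead: srv1 to Engineering, the rest to IT.
    Both halves of srv1's sequence land on one appliance, so it still fires."""
    eng, it = Appliance("engineering"), Appliance("it")
    for ev in EVENTS:
        (eng if ev[2] == "srv1" else it).ingest(ev)
    return {a.name: a.correlate() for a in (eng, it)}


if __name__ == "__main__":
    print("single appliance:   ", single_appliance())
    print("split by event type:", split_by_event_type())
    print("split by host:      ", split_by_host())
```

The split by event type is the case the comment warns about: each appliance holds half of the sequence and returns nothing. The split by host shows that multiple appliances only break a correlation when the events it needs are routed to different boxes, which is the question to ask before deciding how to divide sources between teams.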