Comments
-
While there are connectors that will direct the Agent to many places in the Windows Event Logs, if we don't have a connector for it, you'll need to put in a support request for a new reader for that log location.
-
What version of LEM and Reports? I've noticed a similar issue with a password containing the @ character with LEM 6.6 and Reports 6.4, and I don't know if that's a new behavior or something that's always been there. Likewise, the same password works fine for the web console.
-
At the moment, there is no functionality like this in LEM. We do have a Feature Request looking for up-votes, though. You may want to create a feature request for your specific case, though.
-
The connector for Directory Services will identify and display Security Groups, not OUs. I think OUs can also be Security Groups, but if you don't have Security Groups, you won't see much in the "Directory Service Groups" section.
-
Alex, the LEM doesn't support forwarding the raw logs to other devices. Many devices allow you to configure multiple logging servers: for example, you can tell a Cisco device to log to both the LEM and to another IP if you are so inclined, but the LEM doesn't have any functionality like the "hub" you're looking for.
-
You could use a rule like this one: https://www.youtube.com/watch?v=DUiVQOEeX6c But where they have the process listed explicitly, you can create a user defined group of processes and have the rule refer to that instead of the specific process name.
-
Can you SSH into the LEM? (SolarWinds Knowledge Base :: Use an SSH client to connect to your LEM appliance.) Go into the MANAGER menu and issue a RESTART. Give it 5-10 minutes and see if the web is more responsive.
-
The file store for the cold storage is going to be a CIFS or SMB share on a server of your choosing, so you can easily show that you have years of data (by creation/modification date) in that location. Support is aware of these requirements and will promptly assist with this process if your auditor needs to see more.
-
How to configure backups from LEM is detailed here: Configure Backups on LEM Appliance - SolarWinds Worldwide, LLC. Help and Support. Restoring backups for review and reporting requires intervention from Support.
-
It almost looks like a Java problem. What version of Java do you have on the working servers vs the not-working servers? Can you telnet from those servers to the LEM on 37890? You could also use license recycling to regularly have the LEM go through and clean up those dead duplicate nodes. This option is under "Manage -->…
-
Try the "Audit - Internal Audit Report" or "Audit - Internal Audit Report by User." That shows all the events the LEM has logged about itself regarding users and their operations. For me, it showed things like this (and others):
-
* Click the Configure gear
* Pick the "Managers - Certificates and Credentials" option
* In the box that pops up, hit the drop down, pick the wrong server, then click the red circle to remove it
* Enter the right server and credentials, click the green circle (box will go blank, don't panic!)
* You should see the right…
-
A LEM Contact cannot log in to the web console. They're place-holders for e-mail addresses, so users can receive e-mail notifications, but have no log in rights. A LEM Alerts Only user can log into the web console and receive alerts from the LEM web console, but has no administrative rights or access.
-
Okay, there's this article: SolarWinds Knowledge Base :: What can the LEM Agent do when it's disconnected from the LEM Manager? What it doesn't tell you is "How long?" and the reason for that is that there's some trickery involved in figuring that out. First, by default, the LEM agent will queue data until there is less…
-
Have you rebooted since the install? I know the installer makes some registry changes that you may need to reboot to get in effect.
-
The template rules that akak925 pointed to are based on the LEM's hourly "InternalInfo" events, which look like this: You can see the usage of my logs partition (where the alert data lives) in this example is 83%. The LEM does not calculate retention when it checks the disks, so you can't create an alert off days, but the…
-
There's a Template rule for Windows Update Failure that you might want to look at. The LEM normalizes a class of events as "SoftwareInstall" so looking for those events ought to show you installs. This is contingent on those events being logged, however, which in Windows means "Using the MSI installer service." If someone…
-
Take out that first line that just says "File Audit Alerts". It'll fix the issue. You have an OR on that section of the rule (the orange stripe means OR), so the LEM is grabbing everything that is a FILE AUDIT ALERT OR everything that is a FILE AUDIT ALERT that doesn't include the SOURCE ACCOUNT *SYSTEM*. That means it…
-
It appears that SoftwareInstall is looking for the MSIInstaller events, like 1033. If the installer isn't going to call the Windows Application Installer service, it'll throw different events.
-
Are we talking the Web interface (should default to admin/password) or the SSH customer maintenance shell (cmc/password)?
-
There isn't a way for a customer to nuke the database. What I'd suggest is backing up the LEM configuration on Dec 31, re-deploying the VM and then importing the LEM configuration. You'll start with a shiny, empty LEM with all your rules and configurations. You'll want to be familiar with the backupconfig command from this…
-
First off, the official response is: "SolarWinds have had customers request or provide additional trace auditing, but SolarWinds advised against capturing anything that might have actual query/insert data in it since that could be either stored in a log file (in plain text) on disk on the system and/or in the LEM…
-
Go to Build --> Groups and filter to Time of Day Sets. Customize the built in groups or make your own. In the rules, open the "Time of Day" drawer and then drag the set you want to the rule.
-
You set a "ToolAlias" when you configured the connector. Do an nDepth search for (Event Group) AnyAlert.ToolAlias = [WHATEVER THAT ALIAS WAS] and see if any events are returned.
-
Can you run a DISKUSAGE in the APPLIANCE menu of the CMC shell and paste the output?
-
Retention is based on disk size. You'd need to resize the disk to only be capable of holding 2 months of data. There is no "setting" for this in the interface otherwise. SolarWinds Knowledge Base :: Resizing a LEM Virtual Appliance v5.4 or above
-
Can you post a list of the whitelisted devices? Specifically, I'd be interested in seeing any entries with wildcards in them. Can you also post the ExtraneousInfo data from the USB attach events?
-
I ran some tests and I found this: I went digging in the Windows Security log for this event, and the description includes this:
Process Information:
New Process ID: 0x110c
New Process Name: C:\Windows\System32\dllhost.exe
Token Elevation Type: TokenElevationTypeDefault (1)
Creator Process ID: 0x350
Token Elevation Type…
-
If you go to C:\Windows\System32 (or SysWOW64)\ContegoSPOP and look at the SPOPLog.txt, what (if any) messages are there? If you do an nDepth search for AnyAlert.DetectionIP = *(Your Server)*, do you get any results? Do you see the node in Monitor, but disconnected? What is the state of your LEM license (go to Manage -->…
-
So, this KB is for Windows... http://knowledgebase.solarwinds.com/kb/questions/3152/How+to+include+the+LEM+Agent+in+a+Windows+image But! On any OS, the folder structure for the agent will be similar. You'll find the certs that identify the Agent in the SPOP folder mentioned. That folder needs to be empty in your image.