Comments
-
The problem I see is this: when an account is enabled, there's nothing in the logs that indicates the reason it was disabled. In an account disable event, there is a distinction (lockouts vs. administratively disabled), but unless the disable and the enable happen fairly quickly (within minutes) the LEM's correlation…
-
As a note, any agents that are not connected when you change the hostname may need to be re-deployed.
-
Hey Andrew, I think there's a little misunderstanding as far as the need for Windows XP. The issue that is being addressed there is that Custom Reports don't have descriptive titles by default. If you want to set these titles, you need to edit the file properties. Windows XP made this super easy, and Windows Vista/7/8…
-
Clock Synchronization : Enabled
Hypervisor Time : 18 Mar 2014 16:59:29
Guest Time : Tue Mar 18 17:07:44 2014

You have an almost 10-minute discrepancy in the time between host and guest, and this could cause problems. Can you go to APPLIANCE in the CMC shell and run DATECONFIG? Press enter 4 times to see the current time,…
-
Backing up what evanr said: In the case of Cisco Firewalls, the default Tool Alias is Cisco PIX and IOS. If you have all your Firewalls logging to Local7, you may want to change that to "Cisco Firewalls." Then data would match the default filter. I've also seen people use this on Nodes (or more specifically, Connector…
-
There's a little more configuration that has to happen, so as an addendum to what joelyue posted: You'll need to configure the LEM to have something to do with the raw logs. Those directions are here: SolarWinds Knowledge Base :: Configuring Your LEM Appliance for Log Message Storage and nDepth Search WARNING: This will…
-
It's hard to answer this precisely because I don't know what devices are sending logs and what the LEM will classify those logs as when normalizing them. Therefore, this is a general example, and may or may not work for your specific example. I think you'd end up with a rule that looks something like this:
-
The "Large" deployment described in the linked document will (in our testing) support between 2000 and 4000 events per second. Rough specifications are provided in the same doc, so I'm not sure what I can add here. Bottlenecks for LEM tend to do with storage IOPS (LEM writes to the disk constantly in a busy environment, so…
-
Hey Sam, The biggest question here is "Will you be running the Solarwinds LEM MSSQL Auditor or not? If yes, where will it be running?" MSSQL Auditor runs a trace against the database, and can pull in security events from within SQL, but that comes at a cost to database performance (every write, query, etc. is going to incur…
-
The auditd log is what captures those events in Linux, and LEM has a reader for the auditd.log. The only trick is that different distros may move auditd.log around or change the name, so you'll have to make sure you specify the correct path and file in the connector configuration. In CentOS 7 it's in…
-
Nickolas, For what to log, we do have some recommendations for best practices here: Audit Policies and Best Practices for LEM - SolarWinds Worldwide, LLC. Help and Support I think you may be able to get more of what you want with a rule like "Auth Audit Alerts.Destination Machine = (SOME LIST OF SENSITIVE MACHINES)" That…
-
In Microsoft style, I'm going to start this response with:
* Never use the "AnyAlert" group in a rule, as it will cause the LEM to chew through memory like a boss.
* Never extend the correlation time too much, as longer correlation times will cause the LEM to chew through memory like a boss.
* This example is really likely…
-
Critical on what kind of system? Can you provide a screenshot or sample event so we can look at the sort of event you want to rule on?
-
That might be a unicorn, though I did put a document together for the default LEM rules some time ago. This was pre-LEM 6.0 when the appliance had rules enabled by default, and only covers those rules, but it may get you started. For any rule or filter, all you have to do is double-click to see the criteria.
-
Some additional info, please:
* What version is the LEM that you're connecting to? (Reports is 6.0.0.1, is the LEM 6.0.0?)
* What version of Reports did you originally create this custom report with?
-
Are you collecting logs from any of the "source" systems that people log into, or only on the Domain Controllers?
-
Yes, you can have the reports dump to a UNC path instead of to the local drive. Just specify the path when configuring the reports task.
-
There isn't a function to do what you're asking at the moment; that would be a feature request. I don't see an existing feature request for "details from multiple similar events in an email," so that would need to be created.
-
On your DC(s), open an Admin command prompt and try this command: auditpol /get /category:"Logon/Logoff" What are the results? Are there LEM agents on your DC(s)?
-
Have you configured the Cisco ISE connector on the LEM Appliance to read the logs that you're sending?
-
Are you running Snort on the LEM or on your own box?
-
Okay, without a sample event (can I get a screenshot?) I have to make some assumptions. One: If the details you want are in the Event Info field, so it's something like "Firewall reports CPU usage is 68%, memory is 72%, disk is 88% and total sessions at 127,659" then no, you can't do any rules off that. You can't write…
-
Looks like you need to populate those fields in the rule. I have a video on taking care of this: https://www.youtube.com/watch?v=9Naf1sG3WuQ
-
Hello, I'm assuming that you've enabled log forwarding in accordance with this article: Enable log forwarding - SolarWinds Worldwide, LLC. Help and Support That said, LEM can't add foreign fields to the native "syslog" of Windows Security and Event logs because Windows logs aren't syslog. They're XML, and LEM's raw logs…
-
Reinstalling is probably simplest. On the server, stop the LEM Agent Service. Go to the Agent install directory (C:\Windows\SysWOW64\ContegoSPOP) and open the spop folder. There will be 6 files in the folder and two directories. DON'T DELETE THE DIRECTORIES. Delete the six files. Restart the service. That should put the…
-
I'd suggest that you run an ExportSyslog command and dump the Local3 to a server, and then contact support. They can test your logs against the LEM tools, and it could be that a new revision of an existing connector or a new connector is required.
-
* If you set up something like the Kiwi Syslog server and point the device to that IP, do you see data coming into Kiwi?
* On the Isilon device, are you sending to a hostname or an IP?
* If hostname, can you confirm that DNS is working?
* If IP, is it reachable from the Isilon?
* Checking the connectors available in LEM, I…
-
In the Reports console, click the Manage button in the Ribbon: This will bring up a list of standards and industries. Pick NCUA (and anything else interesting): Hit OK, and then change the drop-down next to the Manage button to "Industry Reports." This is the list of suggestions (based on customer and auditor feedback) for…
-
Have you checked out the content exchange here on THWACK? In the Reports console, you can go to Manage Categories and pick industries and compliance standards to recommend reports. The same thing can be said for the Rule Templates in the LEM web interface, as there are categories on the left side of the screen. These are…
-
The correlation appears to be looking for a "HostIncident," which can only be generated by the LEM itself. Unless you have another rule that looks for those DNS events under the appropriate taxonomy, like an ObjectAudit or other event calls, and makes a host incident, your rule will probably never fire. Seeing how the SEM…