curtisi

Comments

  • Subramaniam, I am pretty sure that this rule will, in fact, crash your LEM. The LEM will need to assign memory space for every matching event and then keep that memory assigned for 24 hours. That will need a lot of memory. That said, the logic is pretty simple, and I'm attaching the rule for your use to this post. Curtis
  • Do you already have a Sonicwall Email Security connector set up on the LEM and have data from the Sonicwall appliance syslogging to the LEM? SolarWinds Knowledge Base :: Configuring SonicWall Firewalls to Log to Your LEM Appliance I see a connector is available, and I have revision 5 in my lab. Have you updated your…
  • Stack Overflow has an article on this: proc - Is there an easy way to log all commands executed, including command line arguments? - Unix & Linux Stack Exchang… You'll probably want to configure the Linux AuditD connector on the Agent from the LEM Web Console, and point it to wherever your distro puts the AuditD log, but…
  • Are you running the 5.7 Agent? If so, there is an Agent Hotfix. From the readme of the hotfix: SolarWinds Log & Event Agent Hotfix_570_1 The SolarWinds Log & Event Manager 5.7.0 Hotfix 1 resolves issues in this area: • LEM agent - Patches that were too late to make it into the 5.7.0 release proper. Agent Issue Resolved •…
  • LEM converts everything to Unix Epoch, so time zone doesn't matter.
  • First: The device you're messing with is actually going to be parsed under the PIX/IOS connector for LEM. CatOS is for legacy devices running the Catalyst Operating System (which even the Catalyst switches don't use anymore) Second: The LEM makes a "Best Effort" in matching connectors, and configures every possible match.…
  • * Do the servers do the same thing in the native WSUS console? * If you run gpresult /h and generate the report, are there any policies that may be unloading or denied or over-ridden that are messing with the WSUS settings?
  • Have you set up a connector to read/normalize the FortiOS data? SNMP and Syslog Connector Creation
  • They've been there since LEM 5.6, at least.
  • * Authentication Traffic but No Agent - The LEM has received an authentication event, probably from a Domain Controller, originating from a system that does not have an Agent installed (compare source machine with list of Agents) and fires an alert * DHCP but no Agent - The LEM has received an address assignment event,…
  • Do you have the Agent on the user's laptop? If you search for logons based only on data from a domain controller, then you're going to see events all day. Windows is constantly asking the domain to confirm rights for all sorts of things (permission to run apps, connect to Exchange, map shares, access files, etc.) and…
  • SAM can do it, but it'll require some level of scripting to tell SAM how to read the file. LEM can do it, but you'll have to open a Support ticket to get connectors made for the product.
  • It appears that a lot of mySQL events are written to the Windows Application log, according to this: MySQL :: MySQL 5.0 Reference Manual :: 5.2.1 The Error Log What platform are you running mySQL on? Have you got a hostname.err file? I don't seem to have any application specific connectors for mySQL at this time, but if…
  • There isn't a way to do that for a customer, but support can change that behavior with root. Still, you shouldn't be seeing a hit 90%.
  • Have you checked the list of Hotfixes and updates in the Customer Portal?
  • Do you mean the LEM's internal logs/data partition on the virtual machine, or the data-store back-end for the virtual machine?
  • Garreth, I've made it work as described, using the carrier's e-mail-to-sms services. You can have a rule fire multiple "Send E-mail" actions, so I built a template that was short and sweet (and hopefully less than 140 characters) that would be used for cell phones while simultaneously sending the more verbose e-mail to…
  • You can collect a LOT of information with LEM from a lot of sources. Maybe it'd be easier if you could specify what you're looking to collect and we can confirm or deny the LEM gets that information? LEM is a SIEM solution, so it primarily focuses on compliance and auditing information. That means a lot of change…
  • The LEM portion of the configuration should stay the same, but the syslog commands can change from version to version. You may need to check your Fortigate admin guides for version 6 to see if anything is different.
  • There isn't a way to upgrade components of the LEM except through the releases from Solarwinds. These include updates to the LEM software, database, OS and other components. However, looking at Apache's website, there appears to have only been one fix in the one newer release of Apache: Apache Tomcat - Apache Tomcat 6…
  • As mesverrum said, you'll need agents on the client systems for process monitoring. You'll also have to make sure that your audit policy is configured to get process information. In Windows, you'll need to look at the Detailed Tracking settings in your audit policies. Specifically, you'll need to set your "Process…
  • Okay, easy question first: yes, you can find out what is sending you e-mail. * Go to Explore --> nDepth * Open the "Events" drawer and find "InternalRuleFired." Click on this. * Pick the "ExtraneousInfo" field from the list of fields. Drag it up to the search bar. You should have something like…
  • According to some documentation I found internally, it's 10MB. This can be managed by modifying the spop.conf for the Agent, located at: * Windows 64-bit: C:\Windows\SysWOW64\ContegoSPOP\spop.conf * Windows 32-bit: C:\Windows\System32\ContegoSPOP\spop.conf * Linux: /usr/local/contego/ContegoSPOP And adding:…
  • It seems odd to me that the connector works, but fails at the third layer down in a structure. Can you bring in users or groups that are less than 3 layers deep? Can you go three layers down a different branch? Or does any branch fail? Do you have any interesting characters in the names on the branch or branches that are…
  • In regards to reports, can you please check the following? 1. For LEM 5.6, have you deployed Hotfix 1? - If you SSH into your LEM, go to the MANAGER menu and then run VIEWSYSINFO, the TriGeo manager build should be "hotfix1" 2. For Windows Vista and above, was the Reports console installed as an Administrator? - If you're…
  • jhynds' method should work. Alternatively, Support can root into your appliance and dump the raw logs into LEM via the syslog facilities. One note, though: DETECTION TIME is the original time-stamp on the event. INSERTION TIME is when the event was written into the LEM database. Your Detection Times will reflect when…
  • * Are you running LEM 6.1.0? If not, what version are you running? * Can you get a capture of the Fortigate Active Response connector you have configured under Manage --> Appliances --> Connectors? * Does the config look correct? * What model of Fortigate is it? * What version of FortiOS is it?
  • AIX NMON Data (and other) LEM can take data from AIX syslog, and we have an AIX Agent for some IBM platforms. For others, you'll need to look at a third-party agent like Patrick Townsend. I don't see any reader for NMON in particular. Unstructured Data LEM parses data using "connectors," which is our term for "an XML file…
  • Are these Agent or syslog nodes? If Agents, that suggests they're still on and trying to connect somewhere. If syslog, has something else claimed the same IP and sent logs to LEM? If you search for the node name in nDepth when it re-appears, what shows up?
  • I can make rules time-aware with "Time of Day Sets," and you'll find those under Build --> Groups. These allow you to make rules that only fire in certain time frames, or exclude time-frames. Like, if you know you're going to reboot machines every day at 2AM, maybe you make your "Agent/System Offline" rule inactive between…