curtisi

Comments

  • A list of all the supported data sources is here: Product Pages For an example of the devices that the LEM can send commands to, you need to look at the KB for the specific active response. If you look here: SolarWinds Knowledge Base :: How does the Block IP active response work? You'll see the supported devices for the…
  • No, you can customize and schedule reports using the tools that come with the LEM. [VIDEO] Filtering and Exporting SolarWinds LEM Reports to Quickly Find Events of Interest
  • Have you applied a license and run the ACTIVATE command in the APPLIANCE menu of the CMC shell?
  • Of all the connectors we have, the Check Point integration is one of the most complicated. We have details on this here: SolarWinds Knowledge Base :: Integrating Check Point with SolarWinds LEM There's a lot of settings on the Check Point side. On the LEM side, there's some tricks, which are in that document but let me…
  • I could make one that looks like that! First, you'd need a new e-mail template, probably something like: User $DestinationAccount has attempted to login to server $DestinationServer. The login attempt was $Result. Then you'd need two rules, one for successes (based off correlating UserLogon events) and one for failures…
  • It'll be restricted to standard file names.
  • How to gather some information that might help below. All steps should be on the system running FIM/the LEM Agent. * Open a command prompt as an administrator * Run FLTMC, get the results (screenshot) * Run TASKLIST, get the results * Run VERIFIER (Details on verifier are here: https://support.microsoft.com/en-us/kb/244617…
  • Did you remove the AIR console for 6.2 and install the AIR console for 6.3.1?
  • Hanif, First, have you checked these steps to enable syslog to the LEM? Store logs in external server - InterScan Web Security Virtual Appliance (IWSVA) Step 5 is where you'd want to enter the LEM's IP. Then, SSH into the LEM: SolarWinds Knowledge Base :: Use an SSH client to connect to your LEM appliance Go to APPLIANCE…
  • I updated my connectors yesterday, and the FortiGate 5.0+ connector is up to Revision 94. You may want to try updating your connectors. SolarWinds Knowledge Base :: Applying a LEM Connector Update Package
  • Both the Reports console and the rules engine have pre-built "groups" to help with this sort of thing. In Reports, go to Manage → Categories and you can select your industry or compliance frameworks to see what we suggest. In the LEM console, on the left of the Build → Rules screen, you'll see categories you can explore to…
  • Hey Zoidberg! Here's hoping you get two meals in one week! As for the LEM backups, first take a look at this: SolarWinds Knowledge Base :: How to Configure Backups on LEM Appliance for versions 5.6 and later In LEM 5.6+, the archiveconfig backups are actually incremental. If you go look at what the LEM produces, it's…
  • There are template rules for Windows logs being cleared or full, and so logging has been compromised or stops. If an event is generated, we can probably alert off it.
  • Out of curiosity, if you open a command prompt and run RSOP (Resultant Set of Policy) on your file server, what comes back? Server 2008 and 2012 have a cool command in auditpol /get /category:* which will list an overview of Audit Policies, but you can use RSOP there, too. It's a little more in-depth and therefore a lot…
  • I can't speak to any other SIEMs, but I'd say the most chatty false-positive for new customers is the "Suspicious DNS Traffic" rule. I see customers turn this rule on without understanding that they need to define a list of Approved DNS servers, so LEM then flags ALL DNS traffic as suspicious. It's an easy enough thing to…
  • Did some Googling, it appears that the logs are on the client in a number of locations based on this article: FEP Log Files And this technet thing: Endpoint Protection Scan Logs & Automated Tools For Malware Removal? I immediately see some problems that would need to be overcome: * Which of the log files are you…
  • First thing, I'd suggest updating your connectors. I think we already addressed this in a new connector revision for Windows Security events. If that doesn't work, you'll need to work with Support so they can get the dev team involved to re-write how the connector normalizes the data.
  • Hey rb51, some info that may help: First, there is shell access to the LEM appliance. You can use an SSH client (like PuTTY) to access the LEM. Details on how to do this are here: SolarWinds Knowledge Base :: Use an SSH client to connect to your LEM appliance If you connect to this shell, under the MANAGER options you can…
  • There seems to be two ways to interpret this question, so I'm going to tackle both. First: Can I monitor the LEM's disk space? Yes! There's a couple ways to do this. If you SSH into the LEM, under APPLIANCE you can run a DISKUSAGE command to get an immediate idea of the LEM's current disk usage. Better yet, there is a…
  • That's weird. I spend all day demoing LEM to people, and I use Chrome for it with no issues. When I did Support on LEM, we were aware of the IE7-10 compatibility issues, and the behavior of sitting on the login screen with the barber pole spinning forever, though once the console logged in, it works fine on IE. I have…
  • This thread should help: Node discovered with wrong connector
  • Okay, here we go: 1) This is probably going to be something to do with what auditing and logging you have the firewall set to collect, and what it does with that collection. The LEM collects logs passively, so if you're not sending the LEM user audit logs, it's not going to see them. You're probably going to have to check…
  • You've asked this in the LEM Community, it might get more attention if you ask it in the "Issues" thread for THWACK Store orders. Having issues with an order from the thwack store?
  • There are some connectors in the LEM that look like they should do this: However, I'm running Windows 8.1, and my testing didn't see the LEM capturing the events. I'm not sure if this is an issue with the connectors or Windows changing log formats or something else. I do see events that would include what you want in the…
  • Can we have a screen shot of the rule? Also, which field of the Change Management Event Group did you have set to equal your GroupA?
  • The only community string supported by the LEM is PUBLIC. You can certainly deploy the LEM agent on your Hyper-V host and log events from it, and SAM and other Orion components can monitor the Hyper-V host. The LEM virtual machine is a closed system, though. You can create rules that will send SNMP traps to other devices…
  • Do you mean DestinationAccount instead of DestinationMachine?
  • Okay, so in an effort to not put the answer on a platter... I have a test domain and I have some disabled accounts. I tried to mstsc from one server to another with a disabled account, and in LEM I see this: Now, I have to admit that I'm not super familiar with this particular event, so I went to Randy Smith and asked what…
  • There are some rules shipped with LEM that monitor things like the LEM's internal database and disk usage. In 6.3.1 you can also hook SAM to LEM to monitor things like the manager processes and disk volumes. On the Build --> Rules screen, open the "Devices" category and click "Manager" to easily find the templates.