curtisi

Comments

  • I created this video to solve a different e-mail issue, but it also goes over how to create and populate a template with as much or as little information as you'd like: Solarwinds Log and Event Manager - Resolving E-mails With No Information - YouTube
  • In the LEM Reports console, you can go to Manage --> Categories and pick HIPAA as a category to get a list of compliance reports.
  • Can you go into Manage --> Appliances as the Admin user? Click on the gear to the left of your LEM, pick "Connectors", and click the "Configured" check box. Are your Directory Service and Email Active Response connectors running? Sometimes they stop after an upgrade. Once they're started, try logging out and logging in as your…
  • * Log into the web interface
    * Go to Explore --> nDepth
    * In the upper right corner of the screen is a little toggle. Flip it to "Text Input Mode"
    * Type your string in the box, adjust the date/time range as needed
    * Run the search
  • No, but that sounds like something that should be in a Feature Request!
  • Remote Agent Installer -
    * The host discovery uses a NetBIOS broadcast to look for hosts. Are you blocking this network traffic or ports?
    * Are you running the remote installer with credentials that have access to make system changes on all hosts?
    * The remote installer copies files to each machine via standard Windows…
  • You could have LEM disable the offending account, and that should kill the file operation in progress.
  • Any chance you could export and upload the Rules, or grab some screenshots? I'd like to see the logic in use.
  • Here's my attempt: WanaCrypt v1 Detection Rule
  • You will probably want to use Advanced Correlations. Assuming that your rule is something like this, click the highlighted gear button: Then you can create a correlation like this: That means that all five events (in my example) have to come from the same DetectionIP to trigger the rule. I hope that helps!
  • I'd usually blame the virtual switch or some routing rule.
    * Can you access the console from another system?
    * Can you access the console via port 8443?
  • You probably want to open a support ticket for a connector request, but if you're okay with it, can you run an EXPORTSYSLOG and pull the DAEMON log off the LEM and attach it here? I can test it against our connectors.
  • Garreth, It looks like those events are logged under Event Viewer\Applications and Services Logs\Microsoft\Windows\TaskScheduler\Operational. The LEM has connectors for the big Windows logs: System, Security and Application. We don't have a connector for these Applications and Services logs, though I've seen more than a…
  • Can you post a screenshot of the event from the LEM console? If the source isn't part of the original event (is it in the original event from the node?), then the LEM can't make that info up.
  • Can you run a debug and look for the repository.log in the resulting tar.gz? That should give us some idea of the actual problem.
  • Can we get a screenshot of the rule you created? Have you confirmed the e-mail settings work for a test message? Have you clicked the "Activate Rules" button?
  • You'll probably want a custom template and then to populate that template with the info you care about. I have a video that can walk you through that: Solarwinds Log and Event Manager - Resolving E-mails With No Information - YouTube
  • So, I did some digging. No connector will throw a PingSweep event by itself. Some of them will create ICMPPingSweep events, or TCPPingSweep events, but no "just" PingSweep events. That means all of them are inferred from other rules, like:
    * ICMPTrafficAudit Echo Request Infer Ping Sweep alert
    * ICMPTrafficAudit Echo Reply…
  • They are the same product, you're looking at two different marketing pages. One highlights the SIEM function of LEM, the other the log management functions; they are both for the same product.
  • The "Last Connected" time in the Report is the last time the LEM and the Agent went through a whole handshake/negotiation/connection cycle. This usually occurs when the Agent service is restarted or a device reboots. If your boxes were last rebooted two months ago, and everything has been up and running since then, that's…
  • You're going to have to wait for the migration to complete. The 5.7 upgrade package will fail out if you try while the migration process is running.
  • It's possible to configure the LEM to create a new database for raw, un-normalized data as well as the normalized alert data used in Rules and Reports. Details on how to do this are here: SolarWinds Knowledge Base :: Configuring Your LEM Appliance for Log Message Storage and nDepth Search Be aware that when you do this,…
  • First, I notice the Activate Rules button is illuminated. Have you saved the rule and clicked activate rules? Second, failed logins should always come in under the UserLogonFailure event. Your "OR" statement is still fine (if maybe unnecessary) but I think it'll cause some issues with the e-mails you get. The e-mail will…
  • Agents on nodes attempt to resolve their own names via DNS. Was there a DNS entry for the node in question? Syslog nodes typically get whatever name is included in the syslog messages they send, so if they only send IP, that's all you'll get. DNS entries can help there too.
  • Sandeep, First, you'll need to work with Support to get LEM logs restored for review, research and reporting. It requires root access to the LEM appliance, and restoring logs (as of May 30) isn't something an end-user can do. Second, when you restore logs, they will replace what is currently on the LEM appliance, which…
  • Yes, yes it is! I had to do some digging. The first part of this is to make sure that you have the right audit policies in place on your machine or in your domain. The category in Windows 7/8/2008 is "Other Object Access Events." I was able to enable this on my local machine with the command: auditpol /set…
  • Nope. We do have this, though: Create LEM Custom Reports Using Crystal Reports - SolarWinds Worldwide, LLC. Help and Support
  • What sorts of sessions? I know that there are (for example) Cisco events that include information about the VPN session length, so you can collect those events and report on them. I am not aware of any events in Windows with session length.
  • I can think of a couple ways to make this work. First, I built a crazy rule: This rule looks for a user running the Microsoft Management Console followed by the Agent going off-line. It's not 100% that they ran the Services snap-in or that they used it to stop the Agent, but it seems like the odds of the MMC getting…
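Three of the comments above describe LEM rule patterns that are easier to reason about in code than in screenshots: an Advanced Correlation requiring all N events to share the same DetectionIP, the inferred PingSweep rule built from ICMPTrafficAudit echo requests, and the "MMC launched, then the Agent goes offline" sequence. The block below is an added example written for this page, not SolarWinds code and not the commenter's rules; it runs a toy version of both rule types over a constructed log. ICMPTrafficAudit and DetectionIP are LEM names used on the page; the ProcessStart and AgentOffline event types, the ProcessName field, and the log line format are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "timestamp EventType key=value ...". Event names
# ProcessStart/AgentOffline and the ProcessName field are assumed for this
# example; ICMPTrafficAudit and DetectionIP follow the LEM names on the page.
SAMPLE_LOG = """\
2017-06-01T10:00:00 ICMPTrafficAudit DetectionIP=10.0.0.5 DestinationMachine=10.0.1.1 Detail=EchoRequest
2017-06-01T10:00:02 ICMPTrafficAudit DetectionIP=10.0.0.5 DestinationMachine=10.0.1.2 Detail=EchoRequest
2017-06-01T10:00:03 ICMPTrafficAudit DetectionIP=10.0.0.9 DestinationMachine=10.0.1.7 Detail=EchoRequest
2017-06-01T10:00:05 ICMPTrafficAudit DetectionIP=10.0.0.5 DestinationMachine=10.0.1.3 Detail=EchoRequest
2017-06-01T10:00:07 ICMPTrafficAudit DetectionIP=10.0.0.5 DestinationMachine=10.0.1.4 Detail=EchoRequest
2017-06-01T10:00:09 ICMPTrafficAudit DetectionIP=10.0.0.5 DestinationMachine=10.0.1.5 Detail=EchoRequest
2017-06-01T10:05:00 ProcessStart DetectionIP=WS01 ProcessName=mmc.exe
2017-06-01T10:05:40 AgentOffline DetectionIP=WS01
2017-06-01T10:06:00 AgentOffline DetectionIP=WS02
2017-06-01T11:00:00 ProcessStart DetectionIP=WS03 ProcessName=mmc.exe
2017-06-01T11:30:00 AgentOffline DetectionIP=WS03
"""


def parse_event(line):
    """Parse one sample line into a dict; the timestamp becomes a datetime."""
    ts, event_type, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return {"time": datetime.fromisoformat(ts), "type": event_type, **fields}


def parse_log(text):
    """Parse all non-empty lines and return them in time order."""
    events = [parse_event(l) for l in text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["time"])


def threshold_by_field(events, event_type, field, threshold, window):
    """Advanced-correlation style rule: fire once when `threshold` events of
    `event_type` carrying the same `field` value arrive within `window`.
    Returns a list of (field_value, time_of_the_event_that_fired)."""
    recent = defaultdict(deque)
    alerts = []
    for ev in events:
        if ev["type"] != event_type or field not in ev:
            continue
        q = recent[ev[field]]
        q.append(ev["time"])
        while ev["time"] - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ev[field], ev["time"]))
            q.clear()  # one burst fires once, not again on every extra event
    return alerts


def sequence_by_field(events, first_type, second_type, join_field, window, first_match=None):
    """Sequence rule: fire when `second_type` follows `first_type` on the same
    `join_field` value within `window`. `first_match` optionally restricts the
    first event to given field values (e.g. ProcessName=mmc.exe)."""
    first_match = first_match or {}
    pending = {}  # join value -> time of the most recent matching first event
    alerts = []
    for ev in events:
        key = ev.get(join_field)
        if key is None:
            continue
        if ev["type"] == first_type and all(ev.get(k) == v for k, v in first_match.items()):
            pending[key] = ev["time"]
        elif ev["type"] == second_type and key in pending:
            # A stale first event is consumed either way; it only fires inside the window.
            if ev["time"] - pending.pop(key) <= window:
                alerts.append((key, ev["time"]))
    return alerts


def run_rules(log_text=SAMPLE_LOG):
    """Run both toy rules and return their hits keyed by rule name."""
    events = parse_log(log_text)
    return {
        # Five echo requests from one DetectionIP inside 60 seconds -> inferred PingSweep.
        "PingSweep": threshold_by_field(
            events, "ICMPTrafficAudit", "DetectionIP", 5, timedelta(seconds=60)),
        # mmc.exe started on a node, then that node's Agent goes offline within 5 minutes.
        "AgentStoppedAfterMMC": sequence_by_field(
            events, "ProcessStart", "AgentOffline", "DetectionIP",
            timedelta(minutes=5), {"ProcessName": "mmc.exe"}),
    }


if __name__ == "__main__":
    for name, hits in run_rules().items():
        print(name, hits)
```

On the sample data only 10.0.0.5 reaches five echo requests inside the window (10.0.0.9 sends one), and only WS01 has the Agent drop within five minutes of mmc.exe starting; WS02 goes offline with no MMC launch and WS03's gap is thirty minutes, so neither fires. Clearing the per-key window after a hit is the equivalent of wanting one alert per burst rather than one e-mail per extra packet.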
  • Once you have a license applied, you can run the ACTIVATE command under the MANAGER menu. SolarWinds Knowledge Base :: Activating SolarWinds LEM Virtual Appliance Part of this activation is to disable port 8080 and require connection on 8443.