curtisi

Comments

  • Good News/Bad News time. Good News: you can import a UDG from a file! And I have directions for this! https://www.youtube.com/watch?v=2e9eGQPUOmY Bad News: There's no way to do an "Append" so you'd be over-writing the group each time you import, or needing to delete and re-import the new group.
  • Yes. The solution would be deploying something like Kiwi Syslog Server in different network segments. Devices in those segments would send their syslog data to their segment's Kiwi server. The Kiwi machine would have the LEM Agent installed, which would take the data, normalize it, and send it on to the LEM for…
  • Do you regularly use the Web console, or do you use the Air console? Which console did you configure the custom widgets in?
  • As far as requirements, the LEM can parse and bring in data from IIS logs. We have a stock report in the Reports console "Network Traffic Audit - Web Traffic by Source Machine" that can be customized with whatever end-user IP and show all accessed URLs for a time-span, so I think we can meet both requirements that you…
  • For future generations, the way to configure backups is described here: Configure Backups on your LEM Appliance - SolarWinds Worldwide, LLC. Help and Support The answer is "It depends," and the differences are described here: Live Data Storage Retention in LEM - SolarWinds Worldwide, LLC. Help and Support To get 100 days…
  • I imagine that it's similar to this issue: Hyper-V Network Issues Support should be able to resolve this.
  • Tim, Can you try sending that log data to a different facility than the Fortigate Firewalls and turning the level up to debug? That should show data pretty quickly. Alternatively, when you're in checklogs, you can type a / and then the IP of the Mail system to see if that IP appears in the checklogs.
  • This post is old, but Google makes it look like OnTap has a syslog forwarding capability. Syslog - NetApp Community Based on the connector config in my lab, that's what the LEM is expecting from OnTap.
  • Shawn, The Agents won't automatically reconnect. When they connected to your original LEM, they would have exchanged certificates for encrypting the log traffic. These certificates are not going to be valid for the new LEM because they're generated at the time of deployment, so the Agents won't be able to connect (LEM will…
  • When you enable the raw log capture, you'll have a new option in the Explore --> nDepth screen to look exclusively at the raw logs.
  • Changing the normalization would be a feature request to Support. You can set up LEM to collect the raw messages, take a look here: Configure your LEM appliance for log message storage and nDepth search
  • Depends on the server. For Windows, you can use either the Local Windows Installer or the Remote Installer. The Remote Installer will run on another machine, and allow you to push the software to many clients at once. For Linux, use the appropriate x64 or x86 installer. You can find all the installers for the Agents for…
  • It should. Can you attach a screenshot of your connector configuration?
  • I just tested this, and it showed up in my LEM Internal Events filter. In nDepth, you could search for Event Name = Internal Commands, InferenceRule = Kill Proc Name and ExtraneousInfo = [machine, user account, or process] The event looks like this:
  • LEM Reports comes with a number of stock reports showing lots of activity types. You can use the Select Expert functions to customize these reports. Our SolarWinds Academy has a class on reporting and alerting in LEM that you can sign up for in the Customer Portal. The training section of LEM in the Success Center also has…
  • First off, the numbers look like Unix Epoch Seconds. Epoch Converter - Unix Timestamp Converter 1491920600000 = Tuesday, April 11, 2017 2:23:20 PM GMT First problem: it looks like something in the network (assuming this is a recent problem) thinks it's April. Second problem: somehow, the "Detection Time" field is getting…
  • The column sets are fixed, and you'd need to use Crystal Reports to modify the report templates to alter them. The "stacking" was introduced to increase the amount of event information that would reasonably fit on one page.
  • Alright, so this took some fiddling with ProcMon, but I think I have an answer. You'll need to test it, though. ProcMon got me to this part of the Windows Registry: And you can see the "File" key has the path. Since it's in the registry, it should be easy enough to set a GPO to set that on machines or use PowerShell to adjust…
  • For the most part, filters have a negligible impact on LEM performance. If you pause a filter for a long period, the LEM will start queuing console data, and this can cause a greater impact (which is why we have the option to turn filters off instead of just pausing them). Filters also only run when a console session is…
  • All the tricks I can think of are in this video: https://www.youtube.com/watch?v=7bu0qsnCkdM
  • The LEM correlates, normalizes and displays information from syslog and SNMP sources. If everything your users do is on devices that syslog those activities AND those devices are set to a logging level to capture that AND the devices get their syslog data to the LEM, then the LEM would record all that activity in some…
  • Yeah, I get you. We don't have a document specifically for the LDAP portion of the setup, but all the LDAP steps are contained within the steps for SSO configuration. So, open the SSO doc and then follow ONLY: * Open your Microsoft Management Console (MMC) and create at least one security group called…
  • That's why I gave a list of the steps to follow for just LDAP. You only need Kerberos if you want pure SSO.
  • One, try expanding the response window to something like 5 minutes. 1 second response windows don't work very well. Two, have you clicked the "Activate Rules" button?
  • 6.3.1 does things a little differently. The Directory Service Query connector is only for Directory Service Groups. To enable LDAP authentication, you'll need to look at this document: Configure single sign-on Specifically: * Open your Microsoft Management Console (MMC) and create at least one security group called…
  • Nope, not in the searches and correlations. There's regex in use on the back-end, but it's not end-user accessible.
  • I don't think this will be possible in LEM. The username will usually be in the format of "DOMAIN\user" and the file path will be a complete "Z:\Users\user" path. I can't take a partial field from an access event (drop the "DOMAIN\") and a partial path (drop the "Z:\Users\") and compare those values. It is possible to have…
  • Mark, the 5.6 upgrade will evaluate your free disk space, and won't allow the system to proceed with the upgrade if there isn't enough disk space. It also prompts multiple times if you're sure you want to continue, so you could launch the upgrade to see if it has any issues with the pre-upgrade checks, and then quit out of…
  • * Does the node appear in the Manage --> Nodes screen? * What connectors do you have configured for that node in the manager? * If you navigate to C:\Windows\SysWOW64\ContegoSPOP and look at the spoplog.txt, it should end with something like "Parent Connected." Is this the case?
  • That TTY field is only relevant if you're making a serial connection. Assuming you have SSH selected, it shouldn't be an issue. What you may need to do is trigger the action, then run a debug on the LEM and involve Support.