curtisi

Comments

  • The simplest thing is probably to make sure your WSUS server is synchronizing updates for Server 2003 with the Critical or Security classification. TechNet has articles on exporting and importing updates from other WSUS servers, and I recently fixed my report for the WanaCry updates on THWACK: UPDATED - Computer Update…
  • To do this, you'll need some information. Primarily, you'll need the location of the file(s) Kiwi writes the syslog messages to. For this example, let's assume you have some Cisco devices and the Kiwi rules put their events in C:\Program Files\Solarwinds\Kiwi\var\log\ciscoasa.log. * In the LEM console, find the Agent on the…
  • The way that USB Defender works (and all that it does) is log all mass storage device IDs to the Windows Application Event log. The events look like this: Log Name: Application Source: TriGeo USB-Defender Date: 1/31/2017 4:23:20 PM Event ID: 32004 Task Category: None Level: Information Keywords: Classic User:…
  • USB Defender Local Policy runs separately from the USB rules on LEM. The point of the UDLP is that, if the Agent is not connected to LEM, it can still block devices that aren't whitelisted. The whitelist has a different format than the whitelist in LEM, however, so I'm betting that's where the issue lies. For the LEM rule,…
  • Looking at my list of connectors, I don't see EdgeMarc or EdgeWater as currently supported sources. It's possible LEM is getting the syslogs, but has no idea what to do with the information to make it visible in our console. * SSH into the LEM or open the LEM virtual machine console * Go to APPLIANCE * Run CHECKLOGS * Pick…
  • Does the path not provide any clues?
  • So the failure is during the first step, for exporting the signing request? Or is it something else?
  • There isn't a way to do that in the LEM, but I definitely think it's worthy of a Feature Request. It already looks like you have your first supporting vote in msteinvertifi! The LEM's Feature Request forum is here: Log & Event Feature Requests
  • The sample data usually shows up when there's no real data for the time period. The first thing I'd check in this scenario, though, is the date config on the LEM. Under the APPLIANCE menu, enter DATECONFIG and then hit enter four (4) times. The LEM will return the current date, time and timezone. Are these correct? Are…
  • I'm not finding any docs that talk about VM Hardware version after a quick search. You always have the option of snap-shotting your LEM, upgrading, and then seeing if there are any issues. However, the LEM is a lot more memory heavy than CPU heavy. Why do you think you need a 16 CPU setup for LEM?
  • The certificate that gets exported ought to match, but only really matters if you're running the Adobe Air console. Are you accessing the LEM via IP or hostname? Does the DNS name in your network match the hostname you assigned to the LEM appliance? If the name in the URL bar doesn't match the LEM hostname (because you're…
  • There is a template alert under Build --> Rules called "New Critical Group Member" that will do that. You will need to have the LEM Agent on the systems you want to monitor and an appropriate audit policy to generate the relevant events to make it work.
  • Using the Reports console, you could run something like the Authentication - Log On/Off/Failure Report. Run it for a short span (like 30 minutes), then use Select Expert to filter for the account you want. In this case, change "curtis.ingram" to whatever account you want to filter for.
  • Regarding LEM in Azure, AWS and other "clouds": * It is technically possible * It is not supported by Solarwinds (hence the lack of documentation) * Solarwinds Support is best-effort when it comes to cloud deployments: if you've made it go, they'll work with you if you call for support (and have maintenance) but it may be…
  • I don't believe that's a field, and most systems don't send that with their logon events.
  • * No, the LEM only supports the one integration with EmergingThreats.net that you can turn on and off in the Manage --> Appliances screen * It checks IPs only
  • I had to go digging in the internal docs for this. The caveat is that the virtual appliance only supports one logical disk, so any RAID is being done invisibly to the LEM by your storage infrastructure. There may be better ways to optimize it based on your virtualization environment, storage methods, and the infrastructure…
  • Edward, this article from the KB details what it takes to make a JDBC connection to the LEM database: SolarWinds Knowledge Base :: Creating a Custom Report Update June 02 2016: In light of the new Success Center links, here's the new path to that KB: Create Custom Reports Using Crystal Reports - SolarWinds Worldwide, LLC.…
  • That looks pretty good!
  • LEM doesn't know CIDR notation, so 192.168.0.0/24 doesn't match anything. You could use 192.168.0.* for a LEM rule, though.
  • You can force a name on a host by adding a line to the spop.conf file on each agent. ForcedLocalAddress=123.123.123.123 (IP Address) or ForcedLocalAddress=hostname or ForcedLocalAddress=hostname.fqdn.com
  • You can have a monitor that looks at multiple sub-folders like so: And then make sure it's not applying your filters recursively with this option:
  • LEM can't start a process or run a script directly, but you can have LEM send alerts to other tools (like SAM) that will execute scripts and other actions.
  • If you want to send sample logs, I can run all our tools against them to see if any of them wrap the messages and/or submit that up as a feature request.
  • It's true that USB defender will not detach any device unless the LEM has a rule that causes that to happen. If you have LEM deployed, there is a rule template included called "Template: Detach Unauthorized USB Device." It includes in the example conditions a "white-list" of authorized devices. I've even seen a rule that…
  • SolarWinds LEM Agent Installer for Windows - SolarWinds Worldwide, LLC. Help and Support, Hardware Requirements: RAM 64 MB, Disk Space 130 MB. I see CPU usage of less than 1% on most modern systems.
  • The LEM is an appliance, so there's no maintenance to do. However, 6.3 (currently in RC) does address a lot of the new vulnerabilities.
  • The simplest way to explain the licensing is this: the LEM will identify a node and consume a license for each unique IP from which it receives logs. The Agent is smart enough to work with the manager if an IP changes because of DHCP, but if the same agent sends traffic over multiple unique IPs, that consumes multiple…
  • So, if I read that right, you've defined... A → B → C. Can communication go back? Is it just that one direction or can we do...? A B C If B can communicate both ways with A and C, it seems like LEM ought to live in network B "on top of the wall" where it can see both sides.
  • There is no way to manually name nodes as of 6.2.1. The LEM probably picked up the website from a log from that node, and parsed it as the node name.