curtisi

Comments

  • Tom, You're right that by default, the LEM only reads from the Windows Logs. There are a few exceptions, as Microsoft appears to have shuffled where a lot of events wind up in Server 2008 and 2012, and we've built custom connectors for those cases. If you want to open a support ticket, we can help you submit a feature…
  • There are a number of Authentication reports in the Reports Console, and they can be filtered by whole or partial user names. Have you looked at that?
  • I don't think this is a simpleton question! I don't think it has a simple answer, either. It's true that the LEM can do a lot of things that Kiwi can't. LEM's strengths include normalizing the log data, correlating the logs and the ability to respond to events. Kiwi doesn't have an active response component and doesn't do…
  • Does the AIR console behave the same way on your machine? When you run the "Failed Logins" search, is that in nDepth or Reports? Roughly how many events are you returning and what time range are you searching?
  • It sounds like you've already started modifying the Approved DNS Servers User Defined Group, so is there traffic in/out on port 53 to any other devices?
  • The connector is going to be expecting a specific format, likely the original format of the firewall. If rsyslog manipulates/changes the log lines, the connector isn't going to know what to do with that data any more. We have some intelligence for syslog servers modifying data built around Kiwi Syslog, so this may be…
  • I see this question a lot, so here's some info. There are two ways to approach retention in an appliance like the LEM. First: you define a number of days. If the device can keep that number with the assigned resources, all is well. If it can't, then it starts to scream its head off about how it needs more disk space. How…
  • https://www.youtube.com/watch?v=9Naf1sG3WuQ
  • I'm not sure this is a "real" vulnerability for the LEM. First off, the LEM's web server should not be externally accessible, so you'd need someone to be trying to DoS you from inside your own network. Second, you can restrict who has access to the LEM GUI under the SERVICES menu in CMC shell: If only a few machines are…
  • The LEM will refuse connections and data from nodes above and beyond your license limit.
  • There are connectors in existence that connect into a database at regular intervals to pull log data (the Kaspersky enterprise DB is one example), but this would be a feature request via Support to get a new connector created. You'll probably need to provide all or part of the DB in question as part of the request so that…
  • As far as the upgrade goes, is this document not sufficient? http://www.solarwinds.com/documentation/LEM/Docs/SolarWinds-LEM-UpgradeGuide.pdf As for a roll-back, I'd think the easiest plan would be to snap-shot the appliance before the upgrade, and roll-back to that in the event of an issue. Otherwise, you're looking at…
  • Hello, Can you try this KB? SolarWinds Knowledge Base :: Troubleshooting LEM Agent Connections, 32 bit Some notes: * Current version of the Agent on Windows is 6.0.1, NOT 5.3.1 as listed on the KB * On 64 bit Windows, the Agent will be in the SysWOW64 folder instead of System32. All other steps remain the same.
  • Go to Build --> Rules in the LEM, open the Compliance section and pick PCI. That will highlight the rule templates for PCI. Turn them on at your discretion.
  • With rules, the first thing to do is make sure the LEM has the correct time. * SSH into LEM or open the Virtual Console * If you went to the console, pick "Advanced Configuration" * Go to the APPLIANCE menu * Enter DATECONFIG * Press ENTER 4 or 5 times, don't enter any values. The LEM should return its current date, time…
  • We have template rules that you can check out as well.
  • So you're getting an e-mail? * Go to nDepth * Under Events, find "InternalRuleFired" * In the fields, find "Extraneous Info" * Drag "Extraneous Info" to the search bar at the top of the nDepth screen * In the field, enter *email* * Search! The LEM ought to come back with all the times the rules sent an e-mail, and what…
  • In this scenario, you need to provide the name of a domain controller with the LEM agent installed on it for that first field. You may need to define that with a text constant. The other fields can come from the alert data. Basically, you're telling LEM "If you see THING, then go to DOMAIN CONTROLLER AGENT and remove USER…
  • Sounds like the device is sending data to LEM via syslog. As long as LEM sees syslog from a device, it'll keep re-adding it. You'll need to turn off the syslog sending on the device side.
  • A LEM evaluation would include all the Reports and Rules. What sort of information are you expecting on such a list?
  • No, the columns are defined by the "lowest common denominator" of the events that you have in your filter. I.e., a filter for TCPTrafficAudits will have many columns, but a filter based on AnyAlert will have fewer because not every alert has the same fields.
  • https://www.youtube.com/watch?v=9Naf1sG3WuQ Can you update the mail template for that alert and see if that changes the alerts you're getting?
  • That can't be it, unfortunately. The e-mail you pasted has many fields, the e-mail that rule sends has two. Can you do a search in nDepth for "InternalRuleFired.ExtraneousInfo = *email*" (no quotes) for the last week and see what that returns?
  • It appears that you're sending an e-mail off a correlation of a correlation: basically, a rule is triggering another rule that sends an e-mail. You need to add the "Send E-mail" to the disk full rule, and populate the fields accordingly.
  • You may also want to modify the rule to use a template with more information slots so you can get things like the "Detection IP" in the e-mail and have it tell you which machine is running low on disk space. Also, that Windows event is based on percentages, not free bytes. It fires when a disk has less than 5% free. If a…
  • LEM upgrades do not require LEM to have access to the Internet. Download the upgrade package from the customer portal on another machine, and then extract that package and place it in a CIFS share, and then use LEM's SSH session to issue an upgrade command. Detailed instructions should be here: Upgrade the virtual…
  • This is doable, and you may want to check out this video because I give more details on making e-mail templates and how they work: https://www.youtube.com/watch?v=9Naf1sG3WuQ But generally speaking, a template structured like this: User $DestinationLogonID has been added to the $GroupName group. This change was made by…
  • Take out the "Exists" sets. They are implied by the fact that you're looking at fields inside those events, and they're probably catching a lot of white noise. Example: You don't need to tell the LEM to look for a FileDelete existing AND a field in FileDelete. By looking for fields in FileDelete, the assumption is the…
  • Take a look at this and let me know if it applies to the ALADDIN devices. Whitelist specific USB Device model - LEM
  • You could use the various backup commands to get the LEM to dump all its data to a share, but it's still going to be in a format that is unique to the LEM. SolarWinds Knowledge Base :: How to Configure Backups on LEM Appliance for versions 5.6 and later