Comments
-
The Agent isn't listening on any port for Syslog traffic, nor does it have to have the ability to receive syslog directly. Something else would need to do that and write it to the file system (like Kiwi) where the Agent can get it.
-
LEM is a log collector, so a certificate would need to generate a log event when it expires for LEM to be able to correlate and alert off of it. AFAIK, that's not a thing, so LEM isn't going to monitor certs for you. SolarWinds does have a solution for this with SAM, though! How to Monitor an SSL Certificate and Create an…
-
https://www.youtube.com/watch?v=7bu0qsnCkdM Maybe this will help.
-
I've been playing with it, and I had some of our support guys try, and it doesn't appear that a multi-column table such as you describe is possible.
-
You can see what's being worked on with the LEM roadmap by looking at this page: What We're Working on - Log & Event Manager Edition There's also some Feature Requests you can up-vote: https://thwack.solarwinds.com/ideas/2157
-
I have two thoughts: First, it's possible that the machine that's "Detecting" the error is your Domain Controller, which hopefully doesn't have Active Response enabled. Perhaps you should try using UserLogonFailure.DestinationMachine for the agent? Second, and a much simpler possibility: Did you click the Activate Rules…
-
Based on our Template Connector Profile for Windows Server 2008/2012 with the DC role, I'd suggest you set up these connectors at a minimum for your DCs: The other part of this is going to be, what are you auditing? On your Domain Controllers, open a command prompt (and assuming you're on 2K8 or 2K12) enter this command:…
-
I took a look at that connector, and my guess is that you'd need to do a connector for each sub-folder. As an experiment, can you try building one that points to a specific log for one of your apps and see if it reads data?
-
This can be accomplished with Advanced Correlation rules. These are hiding in the rules builder behind this gear: When you click on that, you'll get the option to have the LEM check if certain values on multiple events are the same or unique, so you could set it like this: I've attached a rule I built that should do what…
-
What is the context of that error message? What system is it coming from?
-
For more than 5 devices, it looks like you'll need the commercial license: Syslog Server Comparison | Kiwi System requirements for Kiwi can be found here: Kiwi Syslog Server - System Requirements | Kiwi You may want to ask around the Kiwi forums vs. LEM if all you want is a syslog server and advice on setting it up.
-
The LEM does not have a native "digest" function to aggregate messages into hourly/daily packages. I agree with njoylif: If your rules are firing that many e-mails, you need better rules. A rule being triggered should be a call to action, and too many "calls to action" means the LEM is crying wolf a lot and it'll get easy…
-
Yes, it is possible.
-
If they were installed together, there's not an easy way (AFAIK) to remove USB Defender. What you could do, though, is create a policy or script to set the USB Defender service to "Disabled" and "Stopped" and that would effectively kill the functionality.
-
You might try changing the Response Window on the rule from the default 5 minutes to something like 30 seconds. When the second event shows up, since it'll be more than 30 seconds in the past, the LEM will ignore it. The caveat here is that if the LEM's time (or the DC's time) drifts more than 30 seconds, the rule will…
-
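Added example, not the thread's own code or a LEM rule export: a toy correlator that models the response-window behaviour described in the reply above (a second matching event that lands outside the window is ignored, and source clock drift beyond the window makes the rule stop matching), and the "same value on multiple events" idea from the Advanced Correlation reply earlier in the thread. It assumes each event carries the timestamp stamped by its source (the DC) and the time the LEM received it, both in seconds, and that events are matched on a key built from the fields that must be equal; the event keys and timestamps are constructed.

```python
# Added example (not the thread's own code or a LEM rule export): a toy
# correlator modelling the response window described above, and the
# "same value on multiple events" idea from the Advanced Correlation reply.
# Assumptions: each event carries the timestamp stamped by its source (the DC)
# and the time the LEM received it, both in seconds; events are correlated by
# a key built from the fields that must match; an event whose source
# timestamp is older than the window at receipt is treated as stale.

from collections import defaultdict


def correlate(events, window, threshold=2):
    """Return the receive times at which the rule fires.

    events: (event_ts, received_ts, key) tuples ordered by received_ts.
    The rule fires when `threshold` events sharing a key arrive within
    `window` seconds of each other; the matched events are then consumed.
    """
    buffers = defaultdict(list)
    fired = []
    for event_ts, received_ts, key in events:
        if received_ts - event_ts > window:
            # Source clock drift or delivery delay beyond the window:
            # the event is already "too old" when it shows up, so it is ignored.
            continue
        buf = buffers[key]
        # Evict earlier events that have fallen outside the window.
        buf[:] = [t for t in buf if received_ts - t <= window]
        buf.append(received_ts)
        if len(buf) >= threshold:
            fired.append(received_ts)
            buf.clear()
    return fired


KEY = "UserLogonFailure:alice:DC01"  # constructed key: event type + user + DC

# Constructed sample: the same failure reported twice, 60 s apart, from a DC
# whose clock agrees with the LEM.
IN_SYNC = [(1000, 1000, KEY), (1060, 1060, KEY)]

# Constructed sample: a genuine pair 10 s apart, but the DC's clock is 45 s slow,
# so every source timestamp is 45 s behind the LEM's receive time.
DRIFTED = [(1000 - 45, 1000, KEY), (1010 - 45, 1010, KEY)]


if __name__ == "__main__":
    print(correlate(IN_SYNC, window=300))  # default 5-minute window: [1060]
    print(correlate(IN_SYNC, window=30))   # 30-second window: []
    print(correlate(DRIFTED, window=30))   # drift exceeds window: []
    print(correlate(DRIFTED, window=300))  # wider window tolerates it: [1010]
```

The last two calls are the caveat from the reply in code form: shrinking the window to 30 seconds does suppress the late duplicate, but it also means a DC whose clock is off by more than 30 seconds never correlates at all, so check time sync on the DCs and the LEM before tightening the window.
-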
Okay, this is a little vague, so a screenshot of the rule you're editing would help. However, I'm seeing two possibilities: * You have a rule that is using a constant text value for the OU * You have a rule that's using a Directory Service Group for the OU If it's the former, I'm betting you'd have just edited the text. If…
-
The LEM will parse any data that gets sent to it, so any filtering will have to be done on the Barracuda. Alternatively, you can forward syslog to something like Kiwi Syslog Server, and then have Kiwi Syslog filtering logs before the LEM Agent reads them.
-
I've been Googling, and it looks like there are some events, like this one in the Application Log: https://support.microsoft.com/en-us/kb/921471 Or these: Get help with activation errors - Windows Help But I can't find a comprehensive list of the errors. Presumably, if the Agent was installed, you could look for these…
-
Can you be a little more precise on what events you need? The codes 4099 and 4098 could appear in multiple logs (System, Security, Application, etc) or from multiple applications and mean different things based on what is generating them and where they occur. Assuming you mean these:…
-
The connector in that example is for a Windows Security log, so I'm guessing the machine under your scribble might be losing the events. Is the source message a 4612? Windows Security Log Event ID 4612 - Internal resources allocated for the queuing of audit messages have been exhausted,…
-
Task Scheduler: Try running Reports with the right-click "Run as Administrator" option. Rebranding: Yes, change the logo file here: C:\Program Files (x86)\SolarWinds Log and Event Manager Reports\Reports
-
Hey mhoppe, You opened this in the ARM forum, but I suspect you are asking about Web Help Desk. Can you tell me where in ARM you're seeing tickets and what you're trying to accomplish?
-
What is the log? Is this IIS, Apache, Tomcat, other? What's the log look like?
-
Here's my best guess at a basic rule to do what you need. This sends one of my custom templates, so if you import the rule that may be different. Obviously you'd want to change the IP being correlated from my dummy example.
-
There is a ProcessStop event: However, I'm not sure how useful it is for critical processes. In my lab, in the last week with both my workstation and a couple servers, I only had these 4 events and they all have to relate to Windows and Office Updates. If you're trying to keep critical processes running, it might be worth…
-
Assuming you're using one of our template PortScan rules, the criteria are just looking for 10 packets where: So if the printer or client sends data to the same IP but on different ports trying to establish a pipe, that may cause false positives. You could modify the rule to ignore source and/or destination ports of 5226.
-
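Added example, not the LEM template rule itself: detection logic in the shape of the PortScan rule discussed above, run over constructed traffic, with the tuning the reply suggests (ignore port 5226). It assumes a "packet" event is a (source IP, source port, destination IP, destination port) tuple, that the rule fires once one source has hit 10 distinct destination ports on a single destination host, and that a packet whose source or destination port is in the ignore set is dropped before counting; the IPs and ports are constructed.

```python
# Added example (not the LEM template rule itself): detection logic in the shape
# of the PortScan rule discussed above, with the tuning the reply suggests.
# Assumptions: each "packet" event is a (src_ip, src_port, dst_ip, dst_port)
# tuple; the rule fires once a single source has hit `threshold` distinct
# destination ports on one destination host; a packet whose source or
# destination port is in `ignore_ports` is dropped before counting.

from collections import defaultdict


def detect_port_scans(packets, threshold=10, ignore_ports=frozenset()):
    """Return the set of (src_ip, dst_ip) pairs that look like a port scan."""
    ports_seen = defaultdict(set)
    hits = set()
    for src_ip, src_port, dst_ip, dst_port in packets:
        if src_port in ignore_ports or dst_port in ignore_ports:
            continue
        ports_seen[(src_ip, dst_ip)].add(dst_port)
        if len(ports_seen[(src_ip, dst_ip)]) >= threshold:
            hits.add((src_ip, dst_ip))
    return hits


# Constructed sample 1: a real sweep of ports 1-12 on one host.
SCAN = [("10.0.0.99", 40000, "10.0.0.10", p) for p in range(1, 13)]

# Constructed sample 2: a printer answering a client from port 5226; each reply
# goes back to a different ephemeral client port, so the destination ports
# look like a scan even though it is one print session.
PRINTER_REPLIES = [("10.0.0.50", 5226, "10.0.0.20", p) for p in range(50000, 50012)]

SAMPLE = SCAN + PRINTER_REPLIES


def compare():
    """Run the template-style rule and the tuned rule over the same traffic."""
    untuned = detect_port_scans(SAMPLE)
    tuned = detect_port_scans(SAMPLE, ignore_ports={5226})
    return untuned, tuned


if __name__ == "__main__":
    untuned, tuned = compare()
    print("untuned:", sorted(untuned))  # both pairs, including the printer
    print("tuned:  ", sorted(tuned))    # only the real scanner
```

The exclusion is deliberately narrow: it drops only packets that involve 5226, so a scanner that sweeps ports 1-12 from an ordinary ephemeral source port is still caught, while the printer's replies from 5226 to many client ports no longer count.
-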
If you set the ASA to log to facility 18, you'll need the connector on the LEM to read /var/log/local2.log, because ASAs use "log + 16" for some reason.
-
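Added example, not from the thread: decoding the syslog PRI field to show why ASA facility 18 lands in a "local2" log. Syslog numbers its facilities 0-23, with local0-local7 occupying 16-23, and the PRI value at the front of each message is facility * 8 + severity, so "facility 18" is simply local2 (18 - 16). The /var/log/localN.log path layout is assumed from the reply above; it is a collector configuration choice, not something the protocol defines. The ASA line is constructed.

```python
# Added example (not from the thread): decoding the syslog PRI field to show why
# ASA facility 18 lands in a "local2" log. Assumption: the collector writes each
# localN facility to /var/log/localN.log, as the reply above describes; that is
# a collector configuration choice, not something syslog itself defines.

import re

# Facility numbers 0-23 as listed in RFC 5424; 16-23 are local0-local7.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
] + [f"local{i}" for i in range(8)]

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility_number, facility_name, severity_name) for a syslog line.

    PRI = facility * 8 + severity, so divmod recovers both.
    """
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("line has no <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    return facility, FACILITIES[facility], SEVERITIES[severity]


def local_log_path(facility):
    """Path the collector writes this facility to under the assumed layout."""
    if not 16 <= facility <= 23:
        raise ValueError(f"facility {facility} is not one of local0-local7")
    return f"/var/log/local{facility - 16}.log"


# Constructed sample line in the shape an ASA emits with "logging facility 18"
# and a severity-6 (informational) message: PRI 150 = 18 * 8 + 6.
ASA_LINE = ("<150>Jul 10 12:00:00 asa01 %ASA-6-302013: Built inbound TCP connection "
            "12345 for outside:203.0.113.5/51234 (203.0.113.5/51234) "
            "to inside:10.0.0.5/443 (10.0.0.5/443)")


if __name__ == "__main__":
    facility, name, severity = decode_pri(ASA_LINE)
    print(facility, name, severity)   # 18 local2 info
    print(local_log_path(facility))   # /var/log/local2.log
```

If the connector reads nothing, decoding the PRI of a raw line captured on the collector is the quickest way to confirm which localN file the messages are actually being routed to.
-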
There is no means to install the LEM on bare metal, it only has the drivers for Hyper-V and VMware included, so it probably wouldn't work on a server without that layer anyway.
-
There are some things about this request that I think complicate things. In the context of LEM, a rule is something that looks for some sort of activity or pattern of events and then alerts on it. If there are specific types of activity that you want to receive notifications or responses on, LEM can help. Creating a single…
-
The license recycling feature only recycles Agent licenses, so what you describe is working as intended. There is a logical reason for this behavior, so maybe that will help explain why. With the LEM Agent, when an Agent disconnects it sends a "last gasp" to the LEM: "I'm going towards the bright light, I see grandma!"…