Comments
-
First things first: I was able to replicate this with a much simpler filter: That seems like a cool bug. Second, I'd suggest that if you're getting unmatched data, it means you have an issue to troubleshoot. Either you have a mis-configured connector, you need to update your connectors, or you have some legitimately new…
-
First, I think it would probably be easier to send an alert to the admin when the service stops, and have the LEM try to restart it immediately. Second, the LEM works by responding to events and logs. There are no events or logs for "something didn't happen," since that would lead to some weird logs: 1424788635000…
-
Can you check the time on the LEM? SolarWinds Knowledge Base :: Use an SSH client to connect to your LEM appliance SSH into the LEM, and then go to APPLIANCE and run DATECONFIG. Hit enter without entering anything, and check the time. If it's off more than 5 minutes, that can break the rules engine and stop alerts.
-
That sure seems weird. Can you try some tests? - Can you reload the console in your browser? - Can you try another browser? - Can you try clearing your browser cache and cookies? - Can you clear your Flash cache? What browser and OS are you using when you get this problem?
-
What other information do you get? The logon type should be in the event details. Maybe a scripted task with bad credentials?
-
If you open the CMC shell, go to Manager and then do a WATCHLOG, what does the manager log say? Is the disk full? (Go to APPLIANCE --> DISKUSAGE) Is the store for the VM disk full? You should probably be opening a ticket with Support. All of the support numbers are listed on our website at…
-
AFAIK, that's working as intended. Those fields only populate for VMware hosts.
-
I didn't think I could make this work, but I tested it and my original rule spammed the snot out of my mailbox (something like 32 e-mails in 10 seconds). Here's how I did it, though I also see there is a SystemReboot event class that might work for this even better. The LEM always has a dozen ways to skin any particular…
-
Fixing the immediate problem: SSH into the LEM and issue a Reboot. Okay, I'm going to put this here for all time (or until we change this): Friends don't let friends "Scan for New Nodes"! I'm going to assume for a moment that we're friends for the sake of this discussion. LEM gets data one of two ways: * You send it syslog…
-
There's a variety of reasons that bogus nodes might appear, including but not limited to: * DNS configuration issues * Weird host file entries * Rules firing alerts with bad field data (like an Incident Alert with the "DetectionTime" in the "DetectionIP" field) * Devices with inconsistent logging source IPs (like a machine…
-
You can probably achieve this by using Advanced Correlations in the Rules Engine. Start with something like this (this is based on the Template: User Account Lockout rule): Click the highlighted gear. On the next screen, try:
-
Is this shutdown during the installation of the LEM Agent on MacOS or is this when using some action from the LEM rules?
-
Jeremy, There's no way for a customer to add a static route, but if you contact support, they can make the changes. The caveat is that these changes may be overwritten in a future upgrade, so when 6.1 or whatever the next version is comes out and you upgrade, you'll need to make that call again. Static Routes- Another…
-
First, the reason it's not working is because you have an "OR" in the logic. The orange line on the right with the round bump in your screen shot means "OR." Second, you may be solving the wrong problem. Based on what you're trying to exclude, I'm guessing you ran a "Node Discovery" and then didn't uncheck the boxes for…
-
There are two things I would do first: * Go into your Task History, delete any task more than X days old (I'd say 30 to 90) * Go into Managed Computers, remove any deprecated or bogus machines Does that help with the license issue?
-
Have you checked out this KB on the Success Center? Live Data Storage Retention - SolarWinds Worldwide, LLC. Help and Support
-
Here on Thwack, a great resource is the Library & Support section. You'll find pages for each SolarWinds product, with links to videos and documentation.
-
Are you running agents on your local machines? Do the agents read the appropriate logs (have connectors) for failed authentication attempts? Are your audit policies set to produce those log entries?
-
Couple things to try: First, open the Reports shortcut. At the end of the target line, add "/L" so it looks like this: "C:\Program Files (x86)\SolarWinds Log and Event Manager Reports\SWLEMReports.exe" /L Now when you run reports, you'll get a log file in the Reports install directory called SWLEMReports.log. Can you paste…
-
Sorry, trying to understand: You can't log into the servers via RDP or you can't get the Agent service started?
-
The LEM will be connecting to https://emergingthreats.net on typical HTTPS ports (443).
-
Joseph, you probably should call and open a ticket with Support to clean up the LEM disks, since that isn't normal operation. That said, if you log into the LEM via SSH, and under APPLIANCE run a CHECKLOGS... do you have any log facilities that are really large? SolarWinds Knowledge Base :: Use an SSH client to connect to…
-
Can we get some more information or a screenshot of where you're trying to accomplish this and with what data?
-
LEM Agent traffic is comparable to AD authentication traffic.
-
You can't, but Support can with root access.
-
I don't know if there are immediate issues, but the updated agents are always streamlined and patched. If there were security concerns between manager and agent, those would be fixed in new releases. You'll also miss out on any new features that require the new agent, e.g. the FIM on the new Windows Agent. Linux agents…
-
* SSH into your LEM: SolarWinds Knowledge Base :: Use an SSH client to connect to your LEM appliance * Enter APPLIANCE * Run DATECONFIG * Press ENTER through the prompts without typing anything in Is the timezone and date/time correct? If not, use TZCONFIG in that context to fix the time zone, or use DATECONFIG to fix the…
-
* It downloads and stores the IP database locally * It updates every 24 hours * It uses EmergingThreats.net for the threat database, specifically https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
-
I think it's important to understand that LEM normalizes data: that is, it's taking data from many sources in many formats and making them fit the structure of the events in LEM. (I think this is just me repeating jrouviere's answer with pictures from here on) If you look at some MSSQL Auditor events from my lab, you can…
-
I've used mid-string wildcards successfully in filters, so 192.168.*.* would work. blsanner is also correct, that 192.168.* would work, though it won't just match 192.168.0.1 to 192.168.255.255, but also 192.168.chickensandwich. It's unlikely that the LEM will ever see chickensandwich in an IP, but that could be an issue…