Comments
-
Yep! Using Solarwinds Web Help Desk with Patch Manager and Log and Event Manager
-
It appears that the LEM Agent can't reach the LEM appliance. Is 172.16.100.222 the right IP for the LEM Manager?
-
Have you tried changing the setting for that node?
-
Can you run: sho run | inc logg on one of the switches that works and one that doesn't, and compare them?
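A quick way to do that comparison offline, as an added example that is not part of the comment above or of any SolarWinds tool: paste the output of "sho run | inc logg" (or the whole running-config) from each switch into the two strings and the script reports which logging statements differ. The two configs and the LEM address 172.16.100.222 below are constructed sample input, not taken from a real environment.

```python
"""Compare the 'logging' lines of two Cisco IOS running-configs.

Added example (not from the original post or from SolarWinds). It mimics
'show run | include logg' on a working and a non-working switch and shows
which logging statements are missing or different on the broken one.
"""
from __future__ import annotations

import re

# Constructed sample: a switch whose syslog reaches the LEM manager.
WORKING_CONFIG = """\
hostname sw-core-01
logging buffered 64000
logging trap informational
logging source-interface Vlan100
logging host 172.16.100.222
archive
 log config
  logging enable
"""

# Constructed sample: a switch that never shows up in LEM (note the typo'd host).
BROKEN_CONFIG = """\
hostname sw-access-07
logging buffered 64000
logging trap warnings
logging host 172.16.100.22
archive
 log config
  logging enable
"""

LOGGING_RE = re.compile(r"logg", re.IGNORECASE)


def include_logging(config: str) -> list[str]:
    """Equivalent of 'show run | include logg': keep every line containing 'logg'."""
    return [line.rstrip() for line in config.splitlines() if LOGGING_RE.search(line)]


def compare_logging(working: str, broken: str) -> dict[str, list[str]]:
    """Return logging lines present on one switch but absent on the other."""
    good = set(include_logging(working))
    bad = set(include_logging(broken))
    return {
        "missing_on_broken": sorted(good - bad),
        "extra_on_broken": sorted(bad - good),
    }


def syslog_hosts(config: str) -> list[str]:
    """Extract the 'logging host' targets; a wrong target is the usual cause of a silent switch."""
    hosts = []
    for line in include_logging(config):
        m = re.match(r"\s*logging host (\S+)", line)
        if m:
            hosts.append(m.group(1))
    return hosts


if __name__ == "__main__":
    diff = compare_logging(WORKING_CONFIG, BROKEN_CONFIG)
    for label, lines in diff.items():
        print(f"{label}:")
        for line in lines:
            print("   ", line)
    print("syslog hosts on broken switch:", syslog_hosts(BROKEN_CONFIG))
```

The "missing_on_broken" list is the one to read first: a missing or mistyped "logging host" line, a missing "logging source-interface", or a higher "logging trap" severity than on the working switch each explain why LEM sees nothing from that node.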
-
In LEM, you'd accomplish it with a Rule or Filter like this:
-
So I created a couple of test users in my lab, an Auditor role and a Monitor role. Using the "Rules" section as an example, this is what the Monitor user has: And if I log in as that user and try to access the Rules, I can't: So then I logged in as the Auditor user, that has these permissions: I can access rules, but I can't…
-
You mention that others can get into the console. Are they using the same credentials, or are you all using separate accounts? You might try going into the CMC shell, and under MANAGER run a STOP and then a START command (though since it's working for others, I don't think that will fix it). You may have a corrupted user account…
-
134.63.89.179 is owned by an ISP called Tektronix in Beaverton, Oregon. This seems to match an entry on the current EmergingThreats blacklist: 134.62.0.0/15 (as of Jan 27, 2017). That mask covers from 134.62.0.0 to 134.63.255.255, so it's possible that the blacklist is over-broad. (Or maybe the Earth Defense Alliance is…
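The range check the comment above does by hand, as an added example that is not part of the comment or of the EmergingThreats list: given an address and a blocklist of CIDR entries, report which entries contain it and how much address space each one spans, so an over-broad /15 stands out next to a /24 or a /32. The address and the 134.62.0.0/15 entry are the ones from the comment; the other two blocklist entries are constructed for illustration, and nothing here verifies who owns the address.

```python
"""Match an IP address against a CIDR blocklist and size each matching entry.

Added example (not from the original post, EmergingThreats or SolarWinds).
"""
from __future__ import annotations

import ipaddress

# Constructed blocklist: the /15 from the comment plus two made-up entries.
BLOCKLIST = ["134.62.0.0/15", "198.51.100.0/24", "203.0.113.7/32"]


def matching_entries(ip: str, blocklist: list[str]) -> list[dict]:
    """Return every blocklist entry containing ip, with the range it spans.

    Raises ValueError (from ipaddress) on a malformed address or entry so a
    typo in the list is not silently treated as 'no match'.
    """
    addr = ipaddress.ip_address(ip)
    hits = []
    for entry in blocklist:
        net = ipaddress.ip_network(entry, strict=False)
        if addr.version == net.version and addr in net:
            hits.append({
                "entry": entry,
                "first": str(net.network_address),
                "last": str(net.broadcast_address),
                "addresses": net.num_addresses,
            })
    return hits


def widest_match(ip: str, blocklist: list[str]) -> dict | None:
    """The matching entry covering the most addresses, or None if nothing matches.

    A hit that covers tens of thousands of addresses is the one worth
    questioning before acting on the alert.
    """
    hits = matching_entries(ip, blocklist)
    return max(hits, key=lambda h: h["addresses"]) if hits else None


if __name__ == "__main__":
    for hit in matching_entries("134.63.89.179", BLOCKLIST):
        print(f"{hit['entry']}: {hit['first']} - {hit['last']} ({hit['addresses']} addresses)")
```

Running it on the address from the comment prints the same span the comment works out by hand, 134.62.0.0 through 134.63.255.255, which is 131,072 addresses for a single list entry.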
-
No, the LEM still only has one NIC that is used for management and Agent traffic. The second NIC that appears is non-configurable, because it's in promiscuous mode to support running Snort on your LEM virtual appliance. Snort (LEM) Knowledge base - SolarWinds Adding additional NICs isn't supported at the moment.
-
Have you created any custom rules around the Palo Alto data? I've seen this behavior if you have a rule with an action like "InferAlert" or "IncidentAlert" but the .DetectionIP field is being populated by the .DetectionTime or .InsertionTime event data. It could also be that you've configured the log format on the PA to…
-
The nDepth export will always include every possible column, and there's not a way to change that. As a workaround, have you considered making an Excel macro by recording one of your editing sessions and then replaying that on future exports? Also, it looks like the events you're interested in are some sort of File Audit.…
-
Can you please confirm or attempt the following for reports? First, what version of the LEM are you running and what version of reports? - To find the LEM version, open the console and look at the Blue Screen of Life. The version is at the top. Alternatively, open an SSH session and run a VIEWSYSINFO under the MANAGER…
-
You can enable LEM to receive SNMP messages, but there's no alerting or rules on SNMP for LEM. LEM just allows you to search SNMP alerts; there are no rules or alerting off SNMP in LEM. If you want something more proactive (SNMP GET) with alerting off the results, you want to look at the Server and Application Monitor.
-
You can't forward Windows logs to LEM with the Windows Log Forwarding. Please use the LEM Agent.
-
Can you make the \LEM folder a top-level share? I have my backups going to a C:\File Shares\LEM and because there's a share at the LEM location, it works fine.
-
Are you doing any logging with the Agents on Workstations? I just set up an alert for someone, and they were seeing the destination machine on the logon and logon failure events.
-
jeremya: I'm not 100% certain the LEM is the very best way to track this, but tools like IP Address Manager or Network Performance Monitor could help. That said, the LEM does have the ability to look for things like DHCP requests (assuming you're logging your DHCP information) and correlating them against whether a LEM…
-
iclemuser is right, but I decided to make this answer a little easier with a demo: https://www.youtube.com/watch?v=9Naf1sG3WuQ
-
Check the time on the LEM appliance. Is it more than a few minutes off?
-
Rebooting should have killed the mail queue. In nDepth, can you do a search for "InternalRuleFired.ExtraneousEmail = *email*"? That should show you everything that fired that triggered an e-mail. Now, click on one of the events in the nDepth results and pick the "Explore --> Event" option. You'll get a timeline like this:…
-
The LEM has a connector for the Windows Application log. It's not part of the default set that the LEM assigns to a connector when it detects a Windows platform, so you may need to add it to the agent for your server(s). Now, will it read the app logs correctly? I'm not sure, but getting the connector up and running would…
-
Sounds like the console is having issues. If you close your browser and reconnect, does the setting stick?
-
Do you also see nothing if you just run a blank search for the last 10 minutes?
-
I have this video that may help with this, take a look: Solarwinds LEM - Make a rule fire once - YouTube
-
LEM floating date ranges are previous day, same day, previous week, previous month, current week and current month. You can't specify a time-range inside a floating range.
-
Hello! There are a few things you might want to look at. First, take a look at your auditing policies. Open a command prompt and run "auditpol /get /category:*" This will give you an overview of what the server has as a policy to start with: Most of that Windows noise comes from the two items I have highlighted (and turned…
-
Is the "Activate Rules" button lit up? You may need to commit the changes. And yes, Machine = Computer in this case.
-
It sounds like you have some of the default rules enabled. They are, by design, very broad. We'd rather over-report than under-report and have you miss something. That said, there's some simple things that may help. Take this group of rules for example: The highlighted rule will trigger for any user account update, so…
-
I tried to replicate this, but I wasn't able to. I just set up an "All Events for the Last Day" report (my lab doesn't generate a ton of traffic) and asked it to run in 10 minutes...and nothing happened for ten minutes. If you create a new search, does this happen a second time? I notice the default schedule for daily is to…
-
What's "hot" and interesting will also depend on your environment and what compliance and monitoring standards you're trying to meet. What's your industry? What compliance and auditing rules are you trying to maintain?