curtisi

Comments

  • I tried an nDepth search in my lab, and it worked for me. I honestly don't like the "RefineFields" options since they're sort of a blunt instrument. They work, but there's a better way! If you use, for example, "UserLogon.DestinationAccount=*USERNAME*" I think the results are better/more consistent. I'd include…
  • I think this is interesting, and I'll have to ask my devs if they know of a limit, but...I think it all comes down to how you're achieving it. For example, let's say that you want a rule to capture anything BUT certain events from a certain IP. You might make a rule like this: Now, this is a terrible rule, because it uses…
  • Hey trunks, the major limiting factor in versions of LEM prior to 5.6 was the database architecture. It couldn't be expanded to more than 1TB. In 5.6 with the Lucene foundation (thanks prawij!) the sky is the limit...except that VMWare and HyperV (until very recently) only allowed a virtual machine to expand to 2TB.…
  • First, it sure looks like Sourcefire's documentation has gone down-hill since Cisco bought them. I spent a couple hours today trying to find an admin guide or something for Defense Center, and I got nothing. Still, it appears that the Defense Center can be configured to send syslog. If that's true, and you can send it to…
  • The separate appliances option was something Trigeo did in the days before virtualization. When you were constrained by a physical chassis and the number of platters on a spindle, sometimes the only way to expand the appliance was with another box. Now that virtualization, SANs and LUNs are a thing, the need for additional…
  • Those errors are usually on the Windows side. Behind the scenes, all the LEM is doing is a mount -t cifs //yourserver/yourshare /tmp/smb -o user=youruser,domain=yourdomain,password=yourpassword. Please note that mount.cifs notoriously has issues with multi-layer share paths. If your share is…
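Two things a practitioner would want alongside that mount line: a password given as a `-o password=` option is visible to every local user in the process list for as long as the mount command runs, and mount.cifs takes a `credentials=` file instead; and the multi-layer share path problem is avoided by mounting only `//server/share` and addressing the deeper directory under the mount point. The following is an added example (my code, not from the comment or from SolarWinds) that prepares such a credentials file with owner-only permissions and builds the mount command for a top-level share; the server, share and account names are placeholders and nothing is actually mounted.

```python
"""Added example: mount.cifs with a credentials file instead of an inline
password, mounting only the top-level share.  Hostnames, share and account
names below are hypothetical; the functions build the command but do not
execute it."""
import os
import stat
import shlex
import tempfile


def write_cifs_credentials(path, username, domain, password):
    """Create a mount.cifs credentials file with mode 0600 from the start
    (os.open with an explicit mode, not a chmod after the fact), so the
    password is never world-readable and never appears on a command line."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(f"username={username}\ndomain={domain}\npassword={password}\n")
    return path


def split_unc(unc):
    """'//server/share/sub/dir' -> ('server', 'share', 'sub/dir').
    The third element is whatever lies below the share."""
    parts = unc.lstrip("/").split("/")
    if len(parts) < 2 or not all(parts[:2]):
        raise ValueError(f"need //server/share, got {unc!r}")
    return parts[0], parts[1], "/".join(parts[2:])


def build_mount_argv(unc, mountpoint, credfile):
    """argv for the mount.  Only //server/share is mounted (the case the
    comment says mount.cifs handles reliably); a deeper UNC directory is
    returned as the path where it will appear under the mount point."""
    server, share, sub = split_unc(unc)
    argv = ["mount", "-t", "cifs", f"//{server}/{share}", mountpoint,
            "-o", f"credentials={credfile}"]
    target = os.path.join(mountpoint, sub) if sub else mountpoint
    return argv, target


def demo(directory=None):
    """Run both steps in a scratch directory (constructed sample input) and
    return (credential file mode, mount argv, directory under mount point)."""
    directory = directory or tempfile.mkdtemp()
    cred = write_cifs_credentials(os.path.join(directory, "cifs.cred"),
                                  "youruser", "yourdomain", "S3cret!")
    mode = stat.S_IMODE(os.stat(cred).st_mode)
    argv, target = build_mount_argv("//yourserver/yourshare/logs/2019",
                                    "/tmp/smb", cred)
    return mode, argv, target


if __name__ == "__main__":
    mode, argv, target = demo()
    print(f"credentials file mode: {mode:o}")
    print(shlex.join(argv))
    print(f"point the LEM at: {target}")
```

The credentials file is the one secret on disk, so it belongs under a root-owned directory; the script creates it in a scratch directory only to show the permission handling.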
  • Can you try listening on port 514?
  • Have you looked at the admin guide for this task? Enable log forwarding - SolarWinds Worldwide, LLC. Help and Support
  • Sounds like you have two different alerts using two different mail templates triggering on your LEM. Check for duplicate alerts in the rules.
  • Can you check out the spoplog.txt for anything interesting? On Windows, it'll be in C:\Windows\SYSWOW64\ContegoSPOP. Did some more digging and found this as well: * Stop the Solarwinds Log and Event Manager Agent Service * In that same folder, open spop.conf * Add this line:* ForcedLocalAddress=172.16.0.43 * (Change the IP…
  • Yeah, editing the file properties disappeared in Windows Vista for some reason. You can still follow the other steps to create a custom report, it just won't have a pretty name in the Reports console.
  • The way I'd handle this would be to: * Set up the Directory Services Query Active Response connector in the LEM web console* This is basically the only reason to have this connector configured in LEM 6.3.1 and above * Go to Build → Groups, hit the "+" and pick "Directory Service Group" * Select the Security Group that…
  • We can do it! * Go to Explore --> nDepth * Open the "Events" drawer and find "InternalRuleFired" * From the list of fields, click on "ExtraneousInfo" and drag it up to the search bar* You should now have something like "InternalRuleFired.ExtraneousInfo=" * On the other side of the equals, type *email* * Run your search…
  • But you're not actually running CatOS on the 3750. It's still IOS, just old IOS. Have you tried the IOS connector?
  • I don't believe there is a way to change that setting, so this will likely need to be a feature request.
  • * Windows file auditing isn't required to use the Log and Event Manager FIM * That's still the case. IMHO, reads aren't worth collecting * The "Writes" can be useful for flagging changes to permissions and ownership * Some operations will always show NTSYSTEM, but as long as the Agent is running where files are hosted,…
  • Provider SID is usually just the event ID from the source system. If you know the sorts of databases that you're monitoring (SQL, Oracle, etc) and can find event IDs that are interesting from those vendors, that would correspond to SID. Also, LEM is up to 6.6! Time to upgrade!
  • I know that in the new version (6.1) these rules will no longer be enabled by default, but I did make a chart of the ones that are enabled by default in 6.0.1 and previous. I'm sharing it here, in case it helps at least explain some of the noise that LEM makes out of the box.
  • You opened this in the Log and Event Manager Forum (LEM), you may have better luck opening this in the NPM/Core area.
  • Is there anything in the Windows Event logs when you install to shed some light on what's happening?
  • You can use these steps to export your database and configurations from your Hyper-V LEM: Configure Backups on your LEM Appliance - SolarWinds Worldwide, LLC. Help and Support You can then use these steps to import your config to the new VMware LEM (just think of the Hyper-V as a "hardware" device for the sake of the…
  • No, there's a feature request out there to teach the LEM CIDR, but right now the only way to cover a range like that would be 10.10.10.*
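The wildcard form only lines up with a CIDR block when the prefix length is a multiple of 8: 10.10.10.* is exactly 10.10.10.0/24, but there is no single wildcard for a /25 or a /30, and writing 10.10.10.* for one of those makes the rule match more addresses than intended, which is a real problem when the rule is an exclusion or an allow-list. The following is an added example (my code, not from the comment or from SolarWinds) that converts a CIDR into the dotted-wildcard form the comment describes, measures how far the wildcard overmatches, and, where it does, splits the block into octet-aligned pieces that each have an exact wildcard.

```python
"""Added example: CIDR to dotted-wildcard conversion with an overmatch check.
The wildcard syntax (10.10.10.*) is the one the comment says LEM accepts; the
helpers and sample networks are mine."""
import ipaddress


def cidr_to_wildcard(cidr: str) -> str:
    """Smallest octet-aligned wildcard that covers the whole network.
    Octets fully fixed by the prefix are kept, the rest become '*'."""
    net = ipaddress.ip_network(cidr, strict=False)
    keep = net.prefixlen // 8
    octets = str(net.network_address).split(".")
    return ".".join(octets[:keep] + ["*"] * (4 - keep))


def wildcard_size(wildcard: str) -> int:
    """Number of addresses a dotted wildcard matches (256 per '*')."""
    return 256 ** wildcard.count("*")


def overmatch(cidr: str) -> int:
    """Addresses the single wildcard matches beyond the CIDR; 0 means exact."""
    net = ipaddress.ip_network(cidr, strict=False)
    return wildcard_size(cidr_to_wildcard(cidr)) - net.num_addresses


def expand_to_wildcards(cidr: str) -> list[str]:
    """Exact cover: split the CIDR into subnets on the next octet boundary,
    so a rule can list several exact entries instead of one that overmatches.
    A /25 becomes 128 host entries; a /12 becomes 16 entries like 10.3.*.*."""
    net = ipaddress.ip_network(cidr, strict=False)
    aligned = min(((net.prefixlen + 7) // 8) * 8, 32)
    return [cidr_to_wildcard(str(s)) for s in net.subnets(new_prefix=aligned)]


if __name__ == "__main__":
    for cidr in ("10.10.10.0/24", "10.10.10.0/25", "192.168.1.0/30", "10.0.0.0/12"):
        print(f"{cidr:16} -> {cidr_to_wildcard(cidr):14} overmatch={overmatch(cidr)}"
              f" exact entries={len(expand_to_wildcards(cidr))}")
```

When the exact cover is too long to be practical (a /25 is 128 entries), the alternative is to keep the single wildcard and add NOT clauses for the half you do not want, which is the same trade-off the comments above make with NOT statements.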
  • The LEM has "Connectors" (the Solarwinds name for "log readers") that take the raw logs from your systems and makes them fit the formatting and display the LEM uses in the console. What are you looking for or what are you used to searching for? In LEM, if you go to Explore --> nDepth, there's a little toggle in the upper…
  • I have SQL Auditor running in my lab, is there something in particular I can look for to see if it captures it?
  • There's not a way to bulk-edit rules for things like mail destination. A couple of options I can see: * Delete all the rules and re-run the "Add Rules" wizard and select the new account(s) in the options * Change the current destination user's e-mail to the new e-mail address in LEM
  • Here's what I would use: First, create a User Defined Group like this one: Then, in your rule for logins, make it something like this: (This is an awful rule, you'd probably want some NOT statements to trim out the Windows NTSYSTEM accounts and other corporate accounts that legitimately are going to login to lots of…
  • Regarding connecting Crystal to the LEM, have you seen this KB? http://knowledgebase.solarwinds.com/kb/questions/4951/Creating+a+Custom+Report+for+LEM+5.6+and+newer I'm not sure the information you're asking about (Office, Department, Manager) is going to be included in the change messages logged in AD. Do you see this…
  • Are you seeing any unmatched data in the LEM's Internal Events filter in the Monitor tab?
  • That looks like the case looking at the connector Regex. Any ID between 4625 and 4633 (inclusive) will be categorized as a MachineLogonFailure. That should be a case to Support to get the connector fixed. Can you attach an EVTX from Event Viewer of an example event?
  • It's taken me a while to get back to it, but here's my 10 minute take on Incident Management and Reporting with LEM: https://www.youtube.com/watch?v=5SkYDwwHTYw