Comments
-
Go to Manage --> Appliance in the GUI console. Under the Properties pane, pick "Settings." Look for the Current Default Agent. Is that a valid hostname or IP? Is that Agent on-line? Does that Agent have the right network configuration? The LEM sends all those Explore commands to the Command Agent, and has the Agent execute…
-
Or, just don't configure an Active Response for the Firewall that's auto-blocking, but have it log to the LEM so the rules can trigger the BlockIP on all the other firewalls.
-
I have attached a filter that would return events from that Alias.
-
Should there be a .txt on that path? Looks like that's the filetype, but your Explorer is hiding extensions.
-
Try changing the "Domain Controller Agent" to a constant, and reference the node name or IP of the domain controller.
-
Okay, check two things.
In the web console:
* Go to Manage --> Appliances
* In the "Properties" pane, there is a License tab
* What is the current state of the license?
In the virtual console or via SSH:
* Go to the APPLIANCE menu
* Run DATECONFIG
* Hit ENTER 4 times (don't enter any information)
* What time does the LEM…
-
Sounds like you need to exempt your firewall from that rule, then. Maybe it's doing some DNS caching at the border?
-
Universal Node licenses are consumed by Windows Servers, Linux, Unix, MacOS and any syslog device. Workstation licenses can only be used to cover Windows XP, Vista, 7, 8 and 10. There isn't a way to convert the licenses in LEM, you'd need to contact your sales rep to add more licenses and/or go through your devices and…
-
If you click on the rule, then click the gear in the top right corner, you'll have an export option.
-
You may want to open a support ticket to have them look at it.
-
I'm not sure if you edited your log for confidentiality or something, but this looks wrong: (Fri May 02 11:28:23 PDT 2014) II:NOTICE [NioComNetworkParent v24745] {ComModuleSpop:20} Making install request to: IPADDRESSManagerInstallPort=37890; (Fri May 02 11:28:23 PDT 2014) WW:WARNING [NioComNetworkParent v24745]…
-
It appears this is an issue with the 7.0 IPS software. It also appears that Cisco is at least up to 7.3 as of 2015.
Release Notes for Cisco Intrusion Prevention System 7.3(2)E4 - Cisco
Can you update your IPS and try this again?
-
Out of curiosity, does creating a share on a Windows server and directing the LEM there work? Has the NetApp share ever worked?
-
VMware vSphere 5.1
-
If you were looking at the Watchlog, then you had an SSH session open and working already! Are you still having issues?
-
Is your SIM an L4 with separate database and manager? I notice the 10.254.10.14 address, which is one end of the internal link between manager and database. If you don't have a separate appliance for the database, that seems odd. If you do, something isn't happy. It looks like the manager is trying to send raw message logs…
-
Shhh! Else everyone will want one! Unfortunately, you can't make rules or filters off the raw data. You can search it in the Explore tab. If we prove the data is coming in though, we might be able to get the connector updated to allow what you're looking for.
-
Can you enable the logging and paste the output here?
-
Can we have a new Reports log?
-
Is your client DN exactly as you copied it from the application settings? This may be totally stupid, but I don't know that the connector can handle an application with a name other than "solarwinds" (all lower case). It may be that an app called "lem" will work, and an app called "LEM" will not. Can you maybe reset up the…
-
Support could root in and see if the changes made by "RESTRICTREPORTS" are present in the LEM config. You can also see the config yourself. Under MANAGER run VIEWSYSINFO. The last screen of data (keep hitting spacebar!) will show the firewall ACLs: --------------------------------- Network access configuration: *filter…
-
You have your AND and OR backwards. Fix that, I think the rule will work as expected.
-
If you pick the "Advanced Editor" (which you can't do from your inbox for some reason) it should allow you to attach a file.
-
In nDepth, can you search for "InternalRuleFired.ExtraneousInfo = *email*"? Pick one of the results, click on the small EXPLORE button in the upper-right corner of the screen, pick "Event." Can you send us a screenshot of the triggering event?
-
Uhhh...pick something that logs the same way? There's not an easy way, I mostly use arcane knowledge and divining (and luck) to get it right if I have no idea what to use. If it's syslog, I use the Cisco IOS connector. Everything else is "come as it may."
-
First: Patch Manager and WSUS need to be on the same OS to the build number to work together properly. Otherwise, you'll need an automation server installed on the WSUS box. Second: At what stage is that occurring? Are you sure you're connecting to WSUS on the right port? 2008 defaults to 80, 2012 uses 8530. That sounds…
-
I believe that Support can get you a copy of "USB Defender on Steroids" that will report on literally anything hitting a USB port. CAUTION: I mean literally anything. Keyboards, mice, web cams, internally connected USB components...so you better have a rock-solid white-list before enforcing rules on machines running this…
-
I'm afraid my environment isn't set up to let me make that work. Maybe you can do some "Run As..." tasks and then go into the console and run an nDepth search for AnyAlert from DetectionIP from your machine for the last 10 minutes, and also against your DCs for 10 minutes and see if you can identify the event that we could…
-
What is the tool alias of the connector reading your firewall logs?
-
The cert in question is backed up as part of the backupconfig and restored as part of the import command, so no worries there!