Comments
-
If you have a list of SIDs from Cisco, it seems like creating rules to alert off those events in LEM would be fairly simple.
-
I rebooted mine last week to test an Orion alert, but before that my uptime was over 100 days.
-
Can you get a screenshot of the message? You should be able to search it out of nDepth.
-
The LEM agent will get information about process and service events from the Windows event logs by default assuming that your audit policies are set to generate those events.
-
Filters in the monitor tab are real-time, so events appear as soon as they are logged and match the criteria. nDepth searches depend on database/manager time. Are you sure that your manager time is correct so it's stamping events with the right time? What if you expand your nDepth search time-frame, do you start to get…
-
Solarwinds LEM - Make a rule fire once - YouTube
-
Congrats, man! I'm half-way there!
-
I ran into this when I was in Support. In the Web GUI, Fortigate only presents the options for sending data to their analyzer. You can't put the LEM in there and have it work, since the Analyzers are a little different. However, there are a number of CLI commands that will enable logging to the LEM. The CLI reference for…
-
If you go to the CMC shell on the LEM, go to APPLIANCE, enter DATECONFIG and hit enter 4 times, what timezone is the LEM set to? You can use the TZCONFIG command under the APPLIANCE menu to change the timezone.
-
You're looking at the result of a rule firing, which is to create an inference, which shows up in a filter. If you look at the rule that creates these inferences, you'll see the LEM is basically looking for specific events and then drawing attention to them. You might want to look at the rule, figure out what's triggering…
-
Tim, you may want to open a Support ticket so they can work with you over the phone, but... On the machines that are showing disconnected, can you go to: C:\Windows\System32 (or SysWOW64)\ContegoSPOP and look at the spoplog.txt? Are there errors or any interesting messages? Look at the spop.conf. Is the manager name/IP set…
-
I have Reports working on Windows 10, so I don't think that's the issue. Has the time zone or time changed on the LEM appliance?
-
The LEM "installer" was probably the self-extracting compressed file. There may be a folder on the desktop of the machine you ran that on called "SolarWinds Log and Event Manager" that has the VHD in it waiting to be imported into Hyper-V. I've spun LEM up on Hyper-V 2016, so it does work, it just sounds like we need to…
-
I know that 6.3 (currently in RC) is supposed to address some shortcomings in LEM that may impact NIST compliance, especially as it relates to CAC requirements. It may be that they haven't re-certified that new version yet. I'll check with the PM and see what they know.
-
Hello! It doesn't appear that there is a connector for the LEM to read that device's logs yet, but if you contact support, we can work with you to gather data to create a new connector. If you already have the MIMESweeper logging to the LEM, you can export that log and have it ready for support to use as a sample. It also…
-
I have, and I have no idea why; I've just learned to type my username and password every time, and I do have LDAP integration configured.
-
I've noticed that the Node Details widgets can be flaky. If you do an nDepth search for AnyAlert.DetectionIP = THAT NODE, what do you get back for the last week? Do you see YUM data there? We have Centos 7 running in the lab and it works with those connectors. I know it's not RHEL, but the logs are similar.
-
To my knowledge, there isn't a way to change the entry in the Report Title column. However, you can change the file-name of the Custom Reports and that will appear in the File Name column, so you could call the report something more identifiable there.
-
5.7 is officially available and released today! If you're still having reports problems and haven't upgraded to 5.7, please try that and see if it fixes the issue!
-
Have you created a Juniper connector to tell the LEM to look at Local0 for Juniper logs? I created a doc going over this process here: SNMP and Syslog Connector Creation
-
If you enable the flow collection service on the LEM:
* SSH into the LEM
* Go to the Service menu
* Run "EnableFlow"
In the manager console, in the "Explore" menus that appear in the Monitor and nDepth screens, you'll see a new "Flow" option. Clicking it will get you to a new search dialogue that'll make graphs and lists:…
-
Log and Event Manager can collect File Auditing information in a couple of ways. One, it can collect native file auditing info from the OS. This would require that you have the LEM Agent on the interesting servers/workstations, and that you have file auditing configured in Windows, Linux, MacOS, etc. In Windows, this means that…
-
It looks like LEM gets data from these attempts, like this: On the Authentication - User Log On Failure report, it looks like this: You could create a custom report that only shows results with that failure reason, or a rule to alert off those events in LEM.
-
That's something to submit to Support so they can improve the Fortigate connector so it parses the data correctly. Can you open the Reports Console, and run the Tool Maintenance by Alias Report for the last 72 hours? Save it as an RPT, Support will want that.
-
You can also look for these errors in the web console. By default, they go under the LEM internal events filter, but if you have a lot of rules and agents, that filter can be really busy and flood out the mail events. If you create a filter like this, and then run the tests, it'll grab and sort out the email events:
-
Time of day sets don't include dates. There are no dates in this Time of Day Set: If you look at this template rule, the date isn't a factor: Maybe you can include a screenshot of what you're seeing?
-
Short term: Add an exception to the rule for "AND UserLogonFailure.DestinationAccount DOES NOT EQUAL 0" to keep the rule from firing erroneously.
Medium term: Search the logs in nDepth, look for all user logons or failures where the destination account is 0. Does it ever successfully logon? Could it be a local account…
-
In the LEM Reports console, make sure you're under "Standard Reports" in the category (upper-left corner drop down in the ribbon). You should be able to get the Database Maintenance Report in that list.
-
So here's some samples from my lab:
Event Name: SystemStatusDetached
EventInfo: "Port_#0001.Hub_#0001" (SAMSUNG Mobile USB Composite Device )
InsertionIP: CINGRAM-LT.tul.solarwinds.net
Manager: cing-lehi-manager
DetectionIP: CINGRAM-LT.tul.solarwinds.net
InsertionTime: Mon Oct 6 09:10:34 GMT-0600…
(DetectionTime, ProviderSID and ExtraneousInfo columns are cut off in the excerpt.)
-
Looks like page 522 of the configuration guide (PDF calls it page 520) has directions on logging from the WLC with Juniper Mobility to a syslog server (like the LEM): http://www.juniper.net/techpubs/en_US/release-independent/wireless/information-products/topic-collections/wireless-lan/s… I don't know if we already have a…