Comments
-
This is a known issue with reports 5.6 (see nicole pauls answers on LEM Reports Run Endlessly). Today we released LEM 5.7, and that should be available through the customer portal and for download as a demo. Try upgrading your LEM and Reports to the latest version. The release notes are here: Log & Event Manager 5.7 Release…
-
For the syslog dumps, what silverwolf says will work. If you want to dump the LEM's internal database, you can do that with the backup commands described here: Configure Backups on your LEM Appliance - SolarWinds Worldwide, LLC. Help and Support
-
https://www.youtube.com/watch?v=9Naf1sG3WuQ
-
* Are you connecting via http://LEMIP:8080 or https://LEMIP:8443?
* Can you clear your browser cache and cookies?
* Can you try a different browser?
* Can you try a different machine?
* Can you ping the LEM IP or hostname from your machine?
-
Can you grab this line off the last page of the DB Maint report? Also, what version of LEM and Reports are you running?
-
I just fought this for a couple days. Part of my issue was that I broke the Local Profile Service in Windows, so if you've got users getting logged into TEMP profiles, that seems to break things. Second, I found that the Windows Service Manager could start/stop the MSSQL Auditor service, and I would see logs and data…
-
Yes, but you'll need to set up the GMSA as a "Reports" user in LEM to grant it access to the LEM database when running the Reports console.
-
The first thing I'd try is removing the naked UserAuthTicket and UserLogon criteria. UserLogon is implied by the fact you're checking for specific values in specific fields, and you're not doing any filtering on UserAuthTickets at all (in that screenshot). See if that helps, then we can drill into the AND/OR nesting you…
-
How many of your directories will match the mask "*.*"? I don't see a lot of directories with dots in their name. You may need to add another condition that is just a "*" with only the directory delete selected. They should come into the LEM as a FileDelete. I do have this working in my lab.
-
Haven't tested it, but I think this captures the logic you're looking for.
-
Correct, if your eval has expired, you cannot add any more nodes. In fact, the LEM won't collect or store any new data after the eval expires.
-
If you have a maintenance agreement on LEM with SolarWinds, this is something you should contact Support about. In any case, you can also create a Feature Request here on THWACK.
-
What version of LEM and LEM Agent do you have installed? Can you please check the following? One, if you open the registry on the Agent machine, do you see values in: HKLM\System\CurrentControlSet\Services\SWFsFltr ? Two, if you open a command prompt and enter "fltmc" do you see a SWFsFltr installed and running? If…
-
Here's a guide I have using LEM and WHD as examples on how to have LEM open tickets automatically. Using Solarwinds Web Help Desk with Patch Manager and Log and Event Manager
-
I have the answer here! Manual License Generation
-
First, you're going to have to make sure that the events are actually getting audited, as the LEM will only be able to record things that cause events. Then you're going to want to make sure you're reading the Directory Service logs on your DC. From there, we'd need to see sample events to help you create alerts, but I…
-
With the logic backwards, you were triggering on ANY service stop on Avantis OR ANY service stop that was ALL four of those names. Obviously, no one service can have four names, so it was only alerting off any service stop on Avantis.
-
Short answer: Do this.

Slightly longer answer! Your current logic is set such that the rule will fire if:
* A service matching those four names stops on ANY server
* A service on a server with DetectionIP including "Avantis" stops

The joy of OR statements: if ANY contained piece is TRUE, then the whole expression is TRUE.…
-
I'm going to argue with qle: You can customize the out-of-the-box Reports in the Reports console. Say, for example, that you want authentication events for a specific user.
* Run Reports
* Run an Authentication report (I'm using Authentication - Log On/Off/Failure) for something like a ten minute span
* When it completes,…
-
That's not currently a possibility, but it would make a good Feature Request.
-
I think I might have the 4 and 3 backwards, but I think something like this would work: If it's ANY of the Destination IPs, group 1 is true. If it's ANY of the Source IPs, group 2 is true. If group 1 AND group 2 is true, the criteria are met.
-
I'm assuming there's a LEM agent on the Windows 2008 box, which makes it very strange that the LEM appliance would slow to a crawl. It may be that the Agent is reading the log files, and sending enough data that the Appliance is bogging down writing it all to the database. With most rotating logs (like IIS and Apache),…
-
It doesn't appear that this is a feature in LEM, though I definitely see the value of it. I didn't find any similar feature request for LEM, so I created one here: https://thwack.solarwinds.com/ideas/4534 Go vote and we'll make it happen!
-
So, the first thing I'd do is put all those criteria in a User Defined Group (UDG). I'm a nice guy, so I already made one and attached it to this post so you can download and import it (the CSV). When imported, it'll look something like this: Instructions on how to import that list can be found here: Import a text file to…
-
Lawrence Garvin is correct. The Directory Service Query Tool (with the orange wrench) is how you configure the LEM to reach out to LDAP and pull in information about users (so you can log in with domain credentials) and groups. It's also how the LEM will perform response actions on AD if your rules call for it, like…
-
What do you mean by "Admin Account"? When a user uses "Run as Admin" in Windows? Logging into the LEM as Admin? Something else?
-
If it helps, here's a profile I use in our SE lab to collect from CentOS systems.