Comments
-
Oh! Okay, I get it. I was like..."Wait, there are OS updates for LEM out there once a month? Why did no one tell me?!"
-
I'd suggest working with Support.
-
I used the AIO package.
-
Yeah, that's not an uncommon comment. We're well aware of the scalability issues, and I know our dev team is working on it. I guess the larger picture for Solarwinds is LEM handles logs, NTA handles flow.
-
Can you export your rule and attach it to this thread or send it to me in a private message?
-
* Have you clicked the "Activate Rules" button?
* Is it possible that's another rule doing that?
* Could it be that the events are backed up and the LEM is still firing on slightly older events?

Barring that, the only thing I think might be an issue is that "." in one of the services. Maybe move the Asterisk up so it's…
-
The reports and nDepth will give you the whole history, that's true. The OpsCenter and Monitor sections are good for a high-level overview, but they're not really intended to be watched 24/7. Most filters and widgets are only tracking the last 1000 matching events for that filter or widget anyway, so if you're getting more…
-
I know you've already nuked Reports and paved, but... Can you uninstall Reports, nuke the install directory if it gets left behind, and then reinstall with the "Run as Admin" and let me know if that works? Has someone run the RESTRICTREPORTS command on the LEM, maybe? You may need to have them run the UNRESTRICTREPORTS and…
-
Yes, you need a separate manager to restore logs. The new manager, however, does not require a license. LEM licenses are consumed when you have new data coming from sources, so since there'll be no new data coming in, the manager you spin up to look at restored logs will not need a license. Spin up a 30-day eval, and…
-
401002
Error Message: %ASA-4-401002: Shun added: IP_address IP_address port port
Explanation: A shun command was entered, where the first IP address is the shunned host. The other addresses and ports are optional and are used to terminate the connection if available. An institution to keep a record of shunning activity was…
-
I wonder if the Linux syslog is part of it. Have you tried the Linux Agent?
-
So it appears that that device isn't advertising that it has mass-storage capabilities, so USB Defender won't catch that.
-
Just sitting in the cart. I don't see a way to remove an item.
-
I just did a Checkpoint config, and the issue we ran into was that the policy had not been installed/pushed to the Checkpoint cluster. Have you saved all your config settings on Checkpoint?
-
So the time and date on the event were correct and didn't match the "Detection Time" reported by LEM? If that's the case, I'd open a support ticket to have them look at this.
-
The Reports console wants to interact with the Windows Task Scheduler, so that you can create tasks to run and output reports automatically on a regular basis. That is why it wants Admin tokens.
-
Glad I could help! If this answers the question, I'd appreciate the points from you marking it so (I need more SW swag!)
-
The Agents read the logs that are on the machine they are installed on, so you'll only get events from the Domain Controllers. Where the Domain Controllers are contacted by the workstations (i.e., for machine or user authentication events) you should get those events in the DC logs, assuming you have an audit policy that…
-
Connect to the LEM CMC shell: http://knowledgebase.solarwinds.com/kb/questions/3303/Use+an+SSH+client+to+connect+to+your+LEM+appliance
Go to the APPLIANCE menu and enter CHECKLOGS. If you view Local2, do you see information from the switch's IP?
-
saroop, I created this document to help with agentless nodes, since there seems to be some struggle with it: SNMP and Syslog Connector Creation. In this case, you'd want to create a Cisco IOS/PIX connector and set it to read Local2.
-
byrona: You can do it, and I covered the steps answering this other thread: Re: new syslog node. You need a connector, but it can be any connector that can handle the log type (i.e., syslog, flat files, evtx); so long as you set the connector output to "nDepth only", it'll skip normalization and store the raw log data.
-
I worked Support for Patch Manager and now work as a Sales Engineer for Solarwinds. I use it in our lab to manage updates and reboots for our demo servers (which we have to manage carefully so we don't crash in the middle of a customer demo!) I also got to see Patch in a lot of customer environments (though usually…
-
Can you send over a screenshot of the connector you're using for the LEM to connect to Cisco and the config of that connector?
-
You can't run two appliances on the same license, so you'd be looking at two separate licenses for two appliances. The appliances don't share data at all, so they would be completely separate.
-
It looks like you have a lot of syslog traffic on the LEM. Can you run a CHECKLOGS under the APPLIANCE menu and see what that returns? What are the log file sizes? And you may want to run those commands I recommended before:
* SETLOGROTATE --> Change to hourly
* LIMITSYSLOG --> Change to 24
-
FileAttributeChange is included within the "File Audit Alerts" group, so specifying that something be a FileAttributeChange AND in the File Audit Alerts group is redundant. This doesn't work the other way, though, as there are other events in the File Audit Alerts group besides the FileAttributeChange.
-
SolarWinds Knowledge Base :: Use an SSH client to connect to your LEM appliance
This includes steps and the default username and password (cmc/password). If that doesn't work, it's a support ticket to have them crack the password.
-
Like Lawrence Garvin said, the LEM is AD agnostic. It's not part of the domain, and generally isn't aware of the domain structure except in those cases where you specifically tell it to keep an eye on something. Assuming that nodes have a routable path to and from the LEM server on the appropriate ports, the LEM and the…
-
I'm going to load up the DHCP services in my lab to take a look at it, but if a new connector is required, this will need to be a help desk ticket so we can gather the right information. At the very least, we'd need sample log data (my log only gets two events since I'm not really an authorized DHCP host).
-
At this time (6.2.1) there isn't a means for a customer to restore the DB backups themselves. That may be a feature in the future, but right now there's no way to restore the DB backups without help from Solarwinds Support.