curtisi

Comments

  • Your log includes this error: "You are attempting to use functionality that falls under the Business Objects Report Creation API license. This system does not have a valid license, or the evaluation copy of the license has expired. Please contact Business Objects to obtain a Report Creation API license" We usually see this…
  • In your example, the group isn't doing anything. The LEM rules engine actually does a lot of stuff in the background to simplify convoluted rules, so both examples are probably actually working identically in the background, so it's just cosmetic. If you're going to have a lot of IPs that you're looking at, it will…
  • There's no supported or official way, but they're just files like anything else.
  • They should. The point of the config backup/restore is partially to restore those links.
  • On the machine, in the Agent install directory, you might be able to see events in the TNS log or the SPOP log.
  • Is it possible for you to attach a screenshot of your cloned filter and the filter you cloned? You're positive that the filter you created hasn't been paused or turned off?
  • Do you have duplicate nodes? One connected and one not? Wiping the SPOP directory will result in duplicates, so just remove the disconnected ones once you confirm they have a connected twin.
  • Yeah, perhaps? LEM really wants two different event categories for this sort of thing.
  • Yes, but with the same caveats: you'll need to configure the auditing in your distro, and be aware of where the log file is. The same reader will catch the events. Why are you on 6.1.0 when 6.2.1 is out?
  • As long as the word "Firewalls" appears in the Tool Alias, data from that tool will match the default filter in the Monitor tab. The default name for Cisco IOS connectors is "Cisco PIX and IOS" so it won't match the Firewalls filter unless you change the name to include the word "Firewalls," i.e. "Cisco Firewalls".
  • I'd suggest opening a case with Support and let us work with you to find out what is going on.
  • You can send SNMP to LEM, but LEM can't use SNMP for Reports or Alerting. It's just stored and searchable. Do you have one of these events as it's normalized by LEM? How does it appear in nDepth or the Monitor view?
  • When Trigeo was still selling the physical SIM appliances, they couldn't very well rely on VMware or Hyper-V for HA systems. The LEM VM is the same code-base as the SIMs, and so there are some commands that no longer apply still in the CLI and documentation. However, I've spoken with the LEM devs on a few occasions, and…
  • The advanced correlation you have there means that the 5 events that trigger the rule have to have the SAME value in the WarningMessage field. You may want to make that something like ServiceWarning.DetectionIP so that the 5 events have to come from the SAME system to fire the rule, otherwise 5 different systems getting…
  • The LEM virtual appliance deploys, by default, with a 250GB disk. In version 5.4, the limit to expand this was 1TB because of license restrictions for the database that was used. In 5.6, the sky is the limit. However, in Hyper-V and some versions of ESX, the limit on the size of a virtual machine is 2TB. In ESX 5.5, this…
  • The SNORT settings for the LEM are pretty fixed. You may want to look at putting SNORT on another box, and then having the LEM collect logs from that device. It'll be easier to configure that way too.
  • Did you create this report to work with LEM 6.0.0 or was it created with a previous version of LEM?
  • You can put in a request in the Feature Request section of THWACK! https://thwack.solarwinds.com/docs/DOC-167238 https://thwack.solarwinds.com/community/log-and-event_tht/log-and-event-manager/log-and-event-feature-requests If you want to attach a sample log, I can run tests on it to see if any existing connector might…
  • The Agent reads everything that goes into the logs that it is configured to read. There is no option to drop events at the Agent level, so if you want to avoid getting an event, you need to get it out of the logs.
  • The actual alert DB has mechanisms that look for that 90% condition, and this triggers the database rotation. The database will start dropping old data to make room for new data, and will drop data until the partition is under 90%. Now, the other thing that lives in that log partition is the syslog facilities. You can…
  • First, you're going to need to configure your LEM to be able to talk to Active Directory. SolarWinds Knowledge Base :: How to Configure the Directory Service Query Connector Then, you'll need to bring in your Domain Admins group to the LEM, it's kind of like this process, but under Build > Groups click the + and then go to…
  • What error?
  • Yeah, unfortunately there isn't a standard "one report to rule them all" for compliance standards. They want to know that you know about different aspects of your environment, and it wouldn't make sense to cram that into one set of columns.
  • Cool. It looks like you need to add the wild-cards to that search and it should work. *email*
  • Check this out: Step-By-Step: Enabling Advanced Security Audit Policy via DS Access – CANITPRO
  • It appears that's the case, I haven't had a chance to test it myself yet, so if that is what works, please report back and let us all know!
  • Nope, it won't delete them, unfortunately. To clean them up:
      * Manage --> Appliances
      * Click the gear next to the LEM in the list, pick "Connectors"
      * You'll get a list of connectors. Click the gear next to a bad one, pick "Stop"
      * Click the gear again, pick "Delete"
      * Lather, rinse, repeat
  • RE: 5 - That sounds like you need to reinstall Crystal Reports Runtime as an Administrator! There may be no better way to make things faster than to shrink the time-frames on those reports and run them for 3 or 4 day periods.
  • anthonychlee and mska: Regardless of vendor, the first step is to configure your syslog device to send syslog to the LEM. If you haven't done that, scanning for new nodes won't ever find anything. You'll need to work with the vendor of your device to find out how to configure syslog. Once you've got syslog configured,…
  • I went and bothered the devs, and the issue we'll have is that there always has to be some event to kick off the rule correlations. You could create a scheduled task on a system with the agent, and create the rule to fire when the event of that task running is detected. The challenge then will be that there is no "Purge…