curtisi

Comments

  • I think the problem with the Event Log is that the "Agent Offline" event isn't generated by the Agent. It's generated by the LEM manager, because the manager is suddenly like, "Oh, hey, there was a node there and now there's not. I better note that." The manager doesn't know why the node went away: did the network go down?…
  • Okay, that's easier to solve. If you edit the rule, you'll see it has a "Send E-mail" action, and that action specifies fields. If you're using the Default Template, those fields are "Event Info" and "Detection Time." There's no field for Detection IP! You can add one, or make your own template. For example, I created this…
  • If you're deleting hundreds or thousands of files, you should be able to kill the operation, as Windows continues to check account and permissions as it processes each file.
  • I don't know that two sub-groups are needed for this, I got it with one: If your environment has some set of tasks that do require/use the default admin accounts, you may want to swap "swi-lem" for a User Defined Group of systems so as to make that easier to maintain. That said, you can stop this alert from making ANY…
  • It's possible that the share events were different when the connector was written (a lot changed between Server 2003 and Server 2008) and no one has brought this up yet. The usual SLA promised is 4 to 6 weeks, but in my experience things are usually much quicker. That SLA is also for new tools, not for tuning existing…
  • If nothing is coming to the syslog facilities on the LEM, the LEM won't have any data to normalize and present no matter what we do. On the LEM, in that SSH session, go to APPLIANCE. Run DATECONFIG and then press ENTER 4 times without entering anything. Is the LEM's current date/time/timezone correct? Can you confirm that…
  • I get mixed reports that some people need a .csv extension and some need .txt. Not sure what the secret sauce is.
  • Go into the Connectors on the Appliance. Stop and remove the Tipping Point connectors. In the search box, enter "Cisco" and pick the IOS connector. Create a new connector reading local2 (which should be the default), save and start it. Also, there was an issue with a version of the TippingPoint connector, so you may want…
  • Correct, so I'd do *0x12* in the box, drop the quotes.
  • The LEM code-base includes an option for stripping the Manager functions and converting the LEM to a syslog server. This process launches an Agent on the syslog server and connects it back to the LEM Manager. The benefit of this deployment is that the conversion also regenerates the product support key in such a way that…
  • On your Hacker IP Detection rule, is the initial condition supposed to be UserLogonFailure.LogonType =/= null? Can you show some of the sample events you have that match this correlation?
  • I would guess that you need to apply a newer connector pack to get the Print Service connectors. SolarWinds Knowledge Base :: How to apply a LEM connector update package
  • As a note, when you're doing a checklogs command and looking at a syslog facility, you can enter a forward slash ("/") and then an IP to search the syslog entries to see where the IP appears. It sounds like some device you do have puts an IP where the Tipping Point connector expects to see a source IP address. Every unique…
  • Your response window is 1 second. Change that to 5 minutes, and confirm the LEM has the correct time.
  • Can you SSH to the LEM? Under APPLIANCE, enter PING and press ENTER. Can you hit the network gateway? Can you hit the DNS servers? Run a VIEWNETCONFIG. Does everything look correct? Is the LEM's IP what you expected it to be?
  • Remote Installer - Even logged in as a Domain Admin, Microsoft has to protect us from ourselves. Are you running the remote installer with the right-click "Run as Administrator" option to make sure that you're utilizing the cosmic god-like authority of that Domain Admin account when it's running? Local Installer - Sure…
  • The Crystal Reports Runtime will drive Reports, but it's not a full blown installation of Crystal Reports, which is what you'll need to modify the Solarwinds stock reports.
  • Will, you should be able to see the NetApp connector on 6.0 if you have a current connector pack. http://knowledgebase.solarwinds.com/kb/questions/3196/How+to+apply+a+LEM+connector+update+package
  • On the log file, can you try specifying a specific log? So, "D:\TomcatData\TransferProd\logs\logname.log"?
  • Solarwinds has Patch Manager, which is basically purpose built to do what you're asking. Patch Management Software - Software Patching | SolarWinds
  • So, if you download the latest connectors, and extract the package, you'll find a LOT of XML files. Somewhere in there is the CiscoFirewalls.xml, and this is the file that gets copied to the LEM to be the IOS Connector for ASAs. (For reference, the revision I looked at for this post is "$Revision: #214 $" and was posted…
  • warren.dilger is correct, these values are defined in the Email Active Response Connector:
  • If you open the spop.conf file:
    * Windows 64-bit: C:\Windows\SysWOW64\ContegoSPOP\spop.conf
    * Windows 32-bit: C:\Windows\System32\ContegoSPOP\spop.conf
    * Linux: /usr/local/contego/ContegoSPOP
    Add this line: ForcedLocalAddress=IP OR HOSTNAME THAT YOU WANT
    And restart the LEM agent service (in Linux, /etc/init.d/swlem-agent…
  • Do you have DNS entries for all of the switches so LEM can resolve the IPs to names? Do the switches send their names in their syslog? If you've answered no twice, how would LEM know the name of the switches?
  • I was re-reading your description of the filter, and I think it's dawned on me why it wasn't working. Can you try importing this filter and see if it works better?
  • Go to nDepth, and do a search for TCPTrafficAudit.DestinationPort = 53 AND TCPTrafficAudit.DestinationMachine =/= Approved DNS Server UDG What comes up?
  • The extra slash is from Linux putting an escape character in the path, and is normal. Personally, I've noted that mount.cifs has issues with long paths. The command wants to mount an actual share, and struggles when you bury the share path. If (in your example) the share is \\abc-server.domain.com\ABC, that's where you…
  • You're trying to build a rule off "AnyAlert" which is a problem for a number of reasons, not least of which is that not every alert has that field. Replace all your "AnyAlerts" with "ServiceWarning" events, and you'll be able to find the field you want.
  • These commands are actually running scripts from the appliance's hardened shell to edit the iptables information. If you look at the screen-shot, you will see you can restrict SSH and Reports access as well. That pretty much shuts down all access to the LEM except from machines you specify.
  • Running DISKUSAGE would tell us what the LEM thinks it has (in case something went wacky in the VM environment) and will also tell us if events are getting queued, which might also cause this sort of behavior.
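Two of the comments above describe rule logic in LEM terms: the nDepth search "TCPTrafficAudit.DestinationPort = 53 AND TCPTrafficAudit.DestinationMachine =/= Approved DNS Server UDG", and the Hacker IP Detection rule whose initial condition is "UserLogonFailure.LogonType =/= null" with a response window that should be 5 minutes rather than 1 second. The following is an added example, not code from the thread or from SolarWinds, that re-implements both as plain Python over constructed events so the effect of the window size can be seen directly. The field names mirror the LEM fields quoted in the comments; the event class, the sample addresses, the "Approved DNS Server" group contents and the threshold of 5 failures are assumptions made for illustration.

```python
"""Added example (not from the original thread or from SolarWinds LEM).

Re-implements two pieces of rule logic quoted in the comments above over
constructed sample events:
  1. nDepth search: TCPTrafficAudit.DestinationPort = 53 AND
     TCPTrafficAudit.DestinationMachine =/= Approved DNS Server UDG
  2. A threshold rule gated on UserLogonFailure.LogonType =/= null, with a
     sliding response window (1 second vs 5 minutes).
All addresses, group members and thresholds below are assumptions.
"""
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    """Minimal stand-in for a normalized LEM event (assumed shape)."""
    event_type: str          # e.g. "TCPTrafficAudit", "UserLogonFailure"
    detection_time: datetime
    fields: dict = field(default_factory=dict)


# Assumed contents of the "Approved DNS Server" user-defined group.
APPROVED_DNS_UDG = {"10.0.0.53", "10.0.1.53"}


def unapproved_dns_traffic(events, approved=APPROVED_DNS_UDG):
    """Return TCPTrafficAudit events to port 53 whose destination is NOT in
    the approved group, i.e. the nDepth search from the comment."""
    hits = []
    for ev in events:
        if ev.event_type != "TCPTrafficAudit":
            continue
        if ev.fields.get("DestinationPort") != 53:
            continue
        if ev.fields.get("DestinationMachine") in approved:
            continue
        hits.append(ev)
    return hits


def logon_failure_sources(events, threshold, window_seconds):
    """Threshold correlation with a sliding response window.

    Returns the set of SourceMachine values that produced at least
    `threshold` UserLogonFailure events (with a non-null LogonType, matching
    the rule's initial condition) inside any `window_seconds` span.
    """
    per_source = {}   # SourceMachine -> deque of timestamps still in the window
    flagged = set()
    for ev in sorted(events, key=lambda e: e.detection_time):
        if ev.event_type != "UserLogonFailure":
            continue
        if ev.fields.get("LogonType") is None:   # LogonType =/= null gate
            continue
        src = ev.fields.get("SourceMachine")
        q = per_source.setdefault(src, deque())
        q.append(ev.detection_time)
        # Drop anything older than the response window relative to this event.
        while q and ev.detection_time - q[0] > timedelta(seconds=window_seconds):
            q.popleft()
        if len(q) >= threshold:
            flagged.add(src)
    return flagged


def sample_events():
    """Constructed sample data: five failures 10 s apart from one host, one
    failure with no LogonType, and three TCP audit events."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    evs = []
    for i in range(5):
        evs.append(Event("UserLogonFailure", t0 + timedelta(seconds=10 * i),
                         {"SourceMachine": "192.0.2.10", "LogonType": 3,
                          "DestinationAccount": "administrator"}))
    # No LogonType: must be ignored by the =/= null condition.
    evs.append(Event("UserLogonFailure", t0, {"SourceMachine": "192.0.2.11"}))
    evs.append(Event("TCPTrafficAudit", t0, {"SourceMachine": "10.0.5.7",
                     "DestinationMachine": "10.0.0.53", "DestinationPort": 53}))
    evs.append(Event("TCPTrafficAudit", t0, {"SourceMachine": "10.0.5.8",
                     "DestinationMachine": "198.51.100.9", "DestinationPort": 53}))
    evs.append(Event("TCPTrafficAudit", t0, {"SourceMachine": "10.0.5.8",
                     "DestinationMachine": "198.51.100.9", "DestinationPort": 443}))
    return evs


if __name__ == "__main__":
    evs = sample_events()
    print("DNS to unapproved servers:",
          [e.fields["DestinationMachine"] for e in unapproved_dns_traffic(evs)])
    print("1 s window  :", logon_failure_sources(evs, 5, 1))
    print("300 s window:", logon_failure_sources(evs, 5, 300))
```

With the constructed data, the 1-second window never sees more than one failure at a time, so the rule stays silent; the 5-minute window catches all five from 192.0.2.10, and the single failure with no LogonType is ignored by the gate, which is why the comment asks to confirm that field in the sample events. The DNS search returns only the port-53 flow to 198.51.100.9, since 10.0.0.53 is in the approved group and the 443 flow fails the port test.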