Comments
-
You could theoretically have them spin up a LEM and send them the database partitions, and have them import those partitions for their own analysis. Part of the reasoning for all this complexity is so you can honestly tell auditors, "No, we can't mess with our data." This is a requirement for a lot of compliance standards.
-
exo: I think you got the wrong forum by accident, you might want to take this question to the NPM forum to see if they can help you out.
-
Support would be a good path if that's the case, as that's where the request would end up anyway.
-
Have you opened a ticket with Support on this yet? If NTLMv2 is somehow broken in 6.2, we'd need the Support history so the issue can be diagnosed and sent to our developers for resolution. https://customerportal.solarwinds.com/support/submit-a-ticket/
-
So can you snap-shot your VM and back that image up instead of using the LEM backup mechanisms?
-
We've never supported trying to access the database directly, but:
1. Open the Properties of the Reports shortcut.
2. At the end of the Target: line, outside the quotes, add /L. The line should end like this: SolarWinds Log and Event Manager Reports\SWLEMReports.exe" /L
3. Open Reports and run the report again.
4. Navigate…
-
It may be a normalization error. Are you on the latest version of the Cisco IOS connector? Can you update and see if the issue persists? Otherwise, this will need to go to Support.
-
Connectors usually seem to turn around in a couple weeks, though that depends on if we have a reader that already understands the log formatting, if we can use previous connectors as a starting point, or if it's all from scratch. Connectors get made when people request them, and connectors with multiple requests get…
-
Definitely try the AIR console and see if it's the same way. Does the LEM console behave the same way on other machines or in an incognito tab?
-
I used to be in Support, and at least in the Lehi office (where most of LEM support lives) the process was the "3 contact close." Support guys are supposed to make at least 3 attempts to contact a customer before closing the ticket, whether by e-mail or phone. Usually these attempts are every other day, so you get 5…
-
I think it might be time to open a support ticket so someone can look at this with you in real time.
-
So, your whole rule is an "OR," which means that if any condition is true 5 times in 30 seconds, the rule fires. One of your conditions is "TCPTrafficAudit" so every 5 TCP packets is going to trigger the rule. I'd start by removing the TCPTrafficAudit condition from the rule. I'd suggest something more like this: You could…
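As an added illustration of the OR-rule semantics described in this reply (example code written for this page, not SolarWinds' rule engine; the event types, timestamps and the 5-in-30-seconds threshold are constructed to match the discussion), this compares the noisy rule with the same rule after the TCPTrafficAudit condition is removed:

```python
from collections import deque

WINDOW_SECONDS = 30
THRESHOLD = 5

# Constructed sample of normalized events: (timestamp in seconds, event type, detail).
# A burst of ordinary TCP audit events, then a real burst of logon failures.
SAMPLE_EVENTS = [
    (0, "TCPTrafficAudit", "10.0.0.5 -> 10.0.0.9:443"),
    (1, "TCPTrafficAudit", "10.0.0.5 -> 10.0.0.9:443"),
    (2, "TCPTrafficAudit", "10.0.0.6 -> 10.0.0.9:80"),
    (3, "TCPTrafficAudit", "10.0.0.7 -> 10.0.0.9:22"),
    (4, "TCPTrafficAudit", "10.0.0.7 -> 10.0.0.9:22"),
    (6, "UserLogonFailure", "alice"),
    (40, "UserLogonFailure", "alice"),
    (50, "UserLogonFailure", "alice"),
    (51, "UserLogonFailure", "alice"),
    (52, "UserLogonFailure", "alice"),
    (53, "UserLogonFailure", "alice"),
]

# The rule as posted (any condition counts) and the rule with the noisy condition dropped.
NOISY_RULE = frozenset({"TCPTrafficAudit", "UserLogonFailure"})
TIGHTENED_RULE = frozenset({"UserLogonFailure"})


def rule_fires(events, conditions, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return the timestamps at which an OR rule fires.

    Because the conditions are OR'd, an event matching *any* of them counts
    toward one shared threshold: `threshold` matches within a sliding
    `window` of seconds fire the rule, after which the counter resets.
    """
    matched = deque()   # timestamps of matching events still inside the window
    firings = []
    for ts, event_type, _detail in events:
        if event_type not in conditions:
            continue
        matched.append(ts)
        while matched and ts - matched[0] > window:
            matched.popleft()            # expire matches older than the window
        if len(matched) >= threshold:
            firings.append(ts)
            matched.clear()              # threshold counter resets once the rule fires
    return firings


if __name__ == "__main__":
    print("noisy rule fires at:", rule_fires(SAMPLE_EVENTS, NOISY_RULE))
    print("tightened rule fires at:", rule_fires(SAMPLE_EVENTS, TIGHTENED_RULE))
```

The noisy rule fires on the five routine TCP packets alone, while the tightened rule still catches the genuine logon-failure burst.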
-
You're on the right track with your thinking, so it's details. The default rule is correlating off the [Auditable Group Events] Event Group, so you'll want to use the same Event Group for the SourceAccount field. I think something like this would work:
-
There is a case where using the extra license for the syslog server is beneficial, though. Syslog traffic is UDP, so if you're monitoring a remote data center and the link between that center and the LEM goes down, syslog traffic sent in that time is lost. However, the LEM Agent caches data when it can't reach the LEM, so…
-
If you go to EXPLORE --> nDEPTH, and search for events matching the rule correlation, what do you get? What do these events have in the Destination Machine field? Does it all look correct? When you say you don't see the rule firing, you're not seeing events in the Rule Activity filter? If you do an nDepth search for…
-
No, if the LEM sees data with an IP, it'll treat it as a new source and add a node for that. You'll need to resolve the bogus source to prevent the data from coming back.
-
If you go to Build --> Rules, and then open the Categories (on the left) for "Change Management" and then "User Changes," the rules from my screenshot and the machine rules are there.
-
Excellent! Can I beg for you to mark this as answered? I need my Thwack swag points.
-
Looking at this: Windows Security Log Event ID 4776 - The domain controller attempted to validate the credentials for an account. C000006A: user name is correct but the password is wrong. Maybe check the scheduled tasks on that workstation?
-
WHD cannot pull nodes from LEM, but you could have the LEM send the detection IP/node in the e-mail, and possibly create some action or process to modify or assign tickets based on that part of the e-mail.
-
IIS logs don't match the RFC for Syslog, but the LEM does have IIS readers that can parse the IIS logs (this thread gives some details on how to set that up: "IIS 6 & 7 logs into LEM"). LEM will read the IIS log text files, normalize them and store them in the Alert Database on the LEM Appliance.
-
Every 24 hours.
-
As security expectations advance and change, it's completely conceivable that some future iteration of the LEM manager will use encryption or communication methods that the old versions of the Agent will not be compatible with.
-
Sure, have you checked out this article? Integrate Palo Alto firewalls with LEM - SolarWinds Worldwide, LLC. Help and Support
-
Okay, so not a disk full. It appears that the database isn't running on the LEM, so events aren't getting archived. Your temp space is being used to store events while the manager collects events with no place to put them. Eventually, that's going to be full and the LEM will start rotating that space, which will lead to…
-
You posted your question in the LEM forum, so I thought LEM might be involved. You may want to try asking this in the NPM area so their experts can see it.
-
That's interesting because the license for an eval allows for 2,147,483,647 devices (that's the number after the "LEM" in your screenshot). Currently, according to that screenshot, you have 2,147,483,647 available licenses (none have been claimed by Agents or Syslog). 2147483647 - 2147483647 = 0 devices used. Is all this…
-
That implies a much bigger problem. If you go to Manage --> Appliance --> License, what's shown there?
-
Since the goal is to export the charts, would a report like this (this is just an excerpt) meet your needs? This is built with the LEM Reports console.
-
Can you run this command and see what the result is on your Domain Controllers?