Comments
-
Yep, I keep my database at around 2.5 TB so I can keep enough data to make SEM usable over at least a year. I keep physical RAW logs for Windows, Linux, and Solaris but forward them directly to a NAS for long-term keeping, i.e. now 5 years minimum. Bill
-
Just checked, yes, it's a new feature in 2022.4: Export nodes: all or selected node information can be exported as a CSV file on the Configure > Nodes page.
-
I think this feature was added right after 2022.2.1
-
Funny thing, I got 3 Nutanix servers that are really re-badged Dell servers and ended up just loading ESXi on them.
-
You guys are good! Bill
-
Luckily we got export/import... before that it was a nightmare trying to standardize filters if you have 10 SEM instances in different places. What I really need are 800-53 security control filters for what SEM is capable of seeing. It's been a journey, to say the least! Bill
-
Add in applying the STIGs to everything and yeah... you get a LOT of logs and yes there is some duplication since the DCs see a lot going on with clients. I've found doing SIEM is a little bit of an art and not completely a science. Even after having for years we get turnover in IA and it means a whole new group needing to…
-
SAM can get expensive. I have two SLX licenses, which help, but I totally agree with your comment about how components were... you really need unlimited components to do a lot with SAM. Bill
-
Let us know how this goes... I also am still using SEM on multiple networks and haven't seen this yet. I also can only register offline.
-
Yep, and we don't get points when people download what we shared anymore, I don't think. I'm ok with the XML, but yeah, it's harder to read, but that's the "cloud", right? Bill
-
I do this and it does work.
-
Seems worth trying to me!
-
SWQL is also a lot safer! We used to all use SQL, but that changed a long, long time ago. Also, like Kevin said... they kept changing how the database was laid out, so if we made customizations using SQL, upgrades often broke them. Bill
-
Kinda seems like a catch-22. Bill
-
Or even trying to see the newest comments sometimes is confusing... maybe I'm not getting it?
-
Thanks for the tip @"izzy2021"!
-
I've always had good support from SEM team but haven't used recently since June. Actually I've gotten better support from SEM team than Orion support overall. Bill
-
I think it must log locally on the appliance in /var/log somewhere? I think you could configure it to log to itself. This is a workaround, mind you. You'll also need the root password for your appliance (which you have to get from support). I may look into this myself later this week now that you brought it up. Bill
-
Also, FWIW, we use Centrify for logging of full-text privileged commands, which also helps greatly with 2FA for Linux and Solaris and also PAM for Windows. It essentially gives you group policy for Linux and Solaris. I hope to do some integration between Centrify and SEM this year. Bill
-
Any update on this @"izzy2021"? Bill
-
That was just an example of something we added to the out-of-the-box SEM experience. I'm working in the same environment as you. I'm not an ISSO/ISSM but do support the tools they use for satisfying DCSA. Some more examples of added rules: Roxio Secure Burn alert message - Alerts a user to complete all logging requirements…
-
I worked with the UX team (Ashley O.) on the SEM interface HTML5 reporting, and ditching the Crystal Reports is one of the best things SEM has going for it now! Bill
-
I understand what you're getting at for the STIGs. What you need to do is identify the Windows events you want to filter on and come up with a filter for it, which you can then create a rule for. Here is some info about priv usage on Windows:…
-
That's pretty crafty, Bob!
-
You can also let it make a graph of the data if you want, in Add Report, after you select the data you want. Bill
-
I wonder if it's possible it's not recognized because it was End of Life February 4, 2014? Regardless, you could do a UnDP for it like @stuartd said. Bill
-
Usually whenever I've seen this it's because a polling engine is either overloaded or is having issues. This should not happen on a correctly loaded polling engine. You might want to run some tests on the polling engine this happened on. It's possible it would eventually happen with other nodes as well... I suppose unless…
-
So you can add &isNOCView=true to a link to a 3rd party page and embed it in a classic view, and it'll rotate with the others?
-
Ah, I see the name and website part isn't showing, or the link... perhaps those aren't being evaluated correctly from changes you made, or something is missing.
-
It looks like it's getting all the information for a few of your certs, to me. Some of those may not be classical regular certs, is my guess.