Comments
-
Wow very nice. I love the integration with Solarwinds.
-
Very nice, thank you. User error: I wasn't viewing the command line under Task Manager, so I was only seeing it as an IIS worker process w/o the app pool name. Thanks much.
-
Nope. We use LEM and Tripwire for FIM.
-
There is a reg hack I found that would do the job for us in HV. But since then we have decided to deploy a dedicated Snort box to do the job for us. Thanks for the info.
-
Yeah it's definitely up and configured. 21714 snort 20 0 134m 52m 3780 S 3 0.7 0:44.63 snort 1371060294000 SLEM snort[21601]: Initializing Network Interface eth0 1371060294000 SLEM snort[21601]: Initializing daemon mode 1371060294000 SLEM snort[21601]: Daemon parent exiting 1371060294000 SLEM snort[21714]: Daemon…
-
Blah, never mind. We had a WAF logging to the same local log. I tweaked Tripwire to log to local5 on LEM and I'm seeing it correctly now.
-
It definitely could be. Here is my rule. I also set the following: Not sure if I need the Modifier or not?
-
Ah so simple. Very nice. Thank you.
-
The ultimate objective is to create a custom tab for a few machines we are experiencing latency on. When I edit the default Interface Details page -> then click preview, the interface details are defaulting to one of the nodes on the network. Interface Details - default node IP - NIC info. Where can I change where its…
-
Very nice. Thank you Nicole.
-
Great information thank you.
-
My fault, it's actually running IOS 15.0(2). Yes, I have tried the following connector: I verified via local3 that I'm getting log data now: For some reason my filter doesn't work. I'm not getting any hits with that. But I am getting log data.
-
Very helpful. Thanks for the info.
-
Yeah, that's what I kind of figured. I have put in the feature request.
-
Great thanks Nicole.
-
Very nice thanks. Yes it should specify that you need to include the "manager" folder in the share path. All set. Thanks. TriGeo manager version is: 5.6.0 TriGeo manager build is: hotfix1 TriGeo upgrade build is: 520398
-
Upgraded as well from 5.7
-
Still getting it. Seems the javaw process will send the syn_sent packet. A deeper packet trace will show the three-way handshake. But for some reason the agent machine will send a RST and that is all she wrote. I suspect there may be an underlying network issue as these machines are in a separate offsite data center that…
-
So since our recent upgrade to 5.6.0 we have been having some issues with agents coming online then dropping off. (Fri Jul 05 11:14:52 CDT 2013) II:NOTICE [NioCenter v23873] {ComModuleSpop:21} Initializing Nio Center.; (Fri Jul 05 11:14:52 CDT 2013) II:NOTICE [NioCenter v23873] {NioComNetworkParent:1050} Nio Center…
-
Do you know where it pulls the initial info from though? These are brand new installs but for whatever reason the .conf file is populating with the old IP. Like you mentioned, I have been able to stop the service, edit the .conf file, delete the spop folder, and restart services and all is good. But I would rather not have…
-
Do you have an example of this? This is outputting the 1 correctly. But still getting get output failed. If ($file = Get-ChildItem \\172.20.0.41\f$\Inetpub\ftproot\VBFTP\Process -Recurse | Where-Object {$_.Length -gt 1KB}) { 1 } Edit: Oh blah I see so it needs to actually be "Statistic:1". Got it working. Thanks
-
Any new info on this? We are still getting dinged with this even though it's only querying the version. I'm not sure I will be able to get an exception this year with 3.0 Threat: Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation. Multiple vulnerabilities affecting…
-
It's CVE-2013-2067 and yes, it does only appear to be querying the version. <title>Apache Tomcat/6.0.36 - Error report</title>
-
Wow very nice. This is exactly the type of SQL info we are looking for.
-
Did you find a more permanent solution to this? Doing IIS resets and restarting the info service only temporarily stops this issue for us.
-
You have to set up the connector under the node itself. Manage -> Nodes. Refine results - exchange.
-
We have the same issue. Our web server setup is vanilla but I'm unable to get this to work on 5 different web servers. Would like to know the answer as well. We have set this up as a ToolAlias using Microsoft IIS W3C v7.0 as well and the filter still remains at 0.
-
So if I wanted to show the full path specifically in EventInfo "[943]created", would I then have to edit the connector source to get this done? The actual IIS FTP log will show [943]created /FTP/FTPtest.zip which is what I want.
-
If you are referring to the scheduled searches via nDepth, I don't believe you can change the subject; they will come through as Scheduled search.
-
I don't think the actual change that was done in GP will show up in the log, will it? The closest I could come to see changes was by viewing the operational log under Event Viewer -> Applications & Services Log -> Microsoft -> Windows -> GroupPolicy. The messages still seem very generic to me. Starting Audit Policy…