Comments
-
Solarwinds UDT can do this. I know you can disable networking on an active node for, say, virus containment, etc. You might be able to use LEM's snort to accomplish this, or if you had another sniffing device in your network sending its logs to LEM. If you're trying to find a rogue DHCP server, for example, you may be able to…
-
Did you add this through the appliance? Manage appliances then add your connector from there.
-
What do your event types look like in EPO? We use the EPO connector in addition to the on-access and scan connectors for each agent node. The updates generally log any DAT updates, where the EPO connector will log more system-type events such as attempted agent uninstalls, etc. Here is what our filter and appliance connector…
-
Here is what the User Guide says: InsertionTime = The time the manager or agent first created the alert. This time indicates when the data was read from a log file or other source. DetectionTime = The time the network node generated the data. This is usually the same as the InsertionTime field, but they can differ when the…
-
Flag me as well. I had posted on Oct 21, but just changed the subject, thinking that's maybe how the system would query this. Anyway, no points or card yet. Thanks.
-
You may be able to accomplish this by editing the syslog-ng.conf directly, but you would have to root it, which would void your contract anyway. Like @curtisi said, LEM doesn't have that functionality.
-
You will have to add the filter first, then add the filter from Widget Manager.
-
Not currently, no.
-
We have this installed and running in our SQL clustered environment. We have the plugin installed directly on our SQL servers. However, you should be able to deploy it to a specific machine and then plug in your servers/instances to audit. This is all done through the MSSQL Auditor config program. As far as best practice goes, we…
-
Your aliases are set in your connector. Since my alias is "ASA", I would use this when creating my filter.
-
What's in your # syslog entry in your snort.conf? It should look something like the following: output alert_syslog: 1.1.1.1:514, LOG_AUTH LOG_ALERT. We have ours going to user.log. You also want to make sure you're running snort with the -s flag, which will allow it to be sent to syslog. You would also then set up a…
-
This is handled under the policy settings: Manage -> Appliances -> gear/edit -> Policy. Then you can tweak your settings.
-
What does your email template look like? I suspect you will have to modify the variables a bit in order to add the info you need.
-
I used the guide to set up the actions/rules. Thank you for that. Do I then have to set up a rule in LEM to see the logs in the GUI? I can see the logs from our Tripwire box logging to /var/log/local4 on our LEM box but for some reason I don't see them in the LEM web console.
-
Count me in.
-
I'm assuming you have enabled auditing: http://knowledgebase.solarwinds.com/kb/questions/3454/How+to+enable+file+auditing+in+Windows Here is what our filter looks like. We have it set up to track deletions, creations, traversals, etc. The joys of PCI. You could probably get away with:
-
You will need to set up the local policy connector: http://knowledgebase.solarwinds.com/kb/questions/3277/What+can+the+LEM+Agent+do+when+it%27s+disconnected+from+the+LEM+Manager%3F SolarWinds Knowledge Base :: Configuring the USB Defender Local Policy Connector
-
This is very similar to our setup. We all have access to the same tools. We all get the incident alerts, etc. The line becomes blurred, however, when we have to show our auditors separation of duty. Along with that, there's the reality that on many teams the Security Dude is just one person.
-
Should the RC have updated the node agent versions as well? Because it did not. I have auto updates enabled.
-
I'm not sure if this will help you at all, but we had a custom (corporate colored) scheme. After installing NPM and re-running the config wizard due to some other issues, I guess it reset this/removed it? Not sure. Our WebSettings table was referencing a StyleSheet that no longer existed. I changed the SettingValue to one…
-
Yes, please post results if you have a ticket open. We are experiencing the same error message, even when trying to change the color scheme under settings.
-
First of all, congrats on the little one. Yes, and they are the ultimate destroyers of "free" time. I don't have much to say about it since we are guilty of it, although we do make attempts to change them regularly. Google Terry Childs. Should we all take it to that extreme? Probably not, but kudos to him. I worked for a…
-
Same issue. Wish it could be disabled.
-
While my SIO would disagree with me, I would say YES. If you are already protecting your data and following best security practices, it makes the audit process much easier. It's definitely made us more aware of possible vulnerabilities in our environment. We are much more proactive in adhering to security standards and…
-
We have this set up for UserModifyAttribute. The rule specifically says monitor change attempts to a MSSQL database. I will be attempting this in the next few weeks. Did you ever get this set up?
-
Does your Windows share contain spaces? Samba may not like that, or if it does, are you adding quotes to it? We had issues with that in the past, and once we changed to a simple root \\server\share path the issue went away.
-
USB defender never detaches a USB device unless you have set up a rule to do so. All it does is generate events related to USB mass storage devices.
-
According to the 5.7 release notes, the following vulnerability was fixed. Not sure which CVE that relates to, though. LEM apache vulnerabilities - http delete and get allowed
-
For network devices you need to go to Manage -> Appliances, then set up your connector from there. Make sure the logging facility line in your router matches the log file: logging facility local2. Then you need to set up a filter to capture the traffic. The easiest is to set up a new filter and choose any alert -> tool…
-
5.6.0 is out.