jhynds ✭✭✭✭✭

Comments

  • Hi Timothy - have you tried restarting your LEM manager? Jamie
  • Hi, LEM cannot collect logs via WMI & the template mentioned above is a Server & Application Monitor template. SAM can monitor your Kaspersky server via WMI & can monitor services, processes, TCP port availability, etc. LEM can collect logs from your Kaspersky server. The LEM connector is applied to the agent & connects to…
  • Does Maximo have the ability to syslog or how does the logging work? If you can submit a Support ticket and include a log sample, we can determine the feasibility of building a connector.
  • Using a filter is the easiest way, just click on the filter icon for Title and can do an equals or contains search from there:
  • Hi Guys, As Nicole mentioned, there are a few steps required in order to get the logs into LEM. 1. Go to the Event log and right click on “EXE and DLL” and change the log location to be no spaces: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-AppLocker%4EXEandDLL.evtx 2. Now go into registry and add the key you will…
  • Hi Xiang, LEM requires an agent to be installed on your Windows/Linux servers in order to transmit (and also compress & encrypt) event logs to the LEM appliance. It is not possible to transmit the event logs to the LEM appliance without the agent. Kiwi Syslog can leverage the Event Log Forwarder for Windows, however this…
  • Hi All, Java 8u131 should now appear after a synchronization. Can you please let me know if you are still experiencing issues after a sync. Jamie
  • Hi James, Java 8u131 was added to the Patch Manager catalog yesterday. I am not aware of a 8u132 update, Java 8u131 is the latest version. Jamie
  • Hi, LEM includes an OSSEC response log connector which captures any actions taken by OSSEC, however we do not currently have an OSSEC-HIDS connector. Assuming your LEM is under maintenance, it is best to raise a support ticket to submit a connector request - they will require a log sample & information such as log file…
  • Hi Marcos - the 'unable to resolve username' issue is a known issue with Windows event logging for services. The username was included in older OSes such as Server 2003 but the functionality was removed since Server 2008. The only way to audit who stopped/started a service is to set up the auditing on a per-service basis,…
  • There are some additional steps required in order to monitor logs within 'Applications and Services'. You can view the steps required for a similar connector here: Success Center On the Log Properties you will need to check for any spaces in the log path and remove, although I don't believe there are spaces in the path. As…
  • This is a known issue that we are actively working on. Please follow the steps here to resolve the issue in the interim. Apologies for any inconvenience caused!
  • Hi, Your condition for a filter/rule would look something like this: Assuming you are collecting logs from a proxy/firewall/router to obtain information on URL hits? Can you see those logs within LEM? If so, you could be able to filter based on WebTrafficAudit & the source machine field should contain information on the…
  • Could you please send me your case number and I can see where it's at?
  • I just looked into your support ticket, and can see that a member of the team is going to schedule a WebEx with you to investigate the root cause. I'll keep an eye on the case to ensure you get a satisfactory outcome. If there's anything you need just let me know.
  • Hey Itco... It sounds like the secondary DCs do not have the audit policies in place to create event logs for changes. Please see this KB for information on configuring the Audit Policy: To set Windows Audit Policy using Group Policy Object Editor: * Expand Computer Configuration > Windows Settings > Security Settings >…
  • This is a known bug in LEM 6.3.1 which we are working to resolve, JIRA case LEM-2001. I cannot commit to a time frame at present but I'll make sure to keep you updated on progress. Please feel free to ping me directly if you wish to discuss at any time. -Jamie
  • Are your WSUS and Patch Manager servers running different operating systems? That's a common cause of mismatch errors, and you can see some guidance around it here. Useful information in this KB also.
  • RDP traffic information (Remote user logon and logoff) - There is an out of the box filter called 'Remote User Logons'. It is based on UserLogon.LogonType=*Remote* Workstation Logon/Logoff - Windows does not generate a specific Event ID for workstation authentication. You would need to create a user defined group which…
  • Thanks for reporting this bug. Is this only happening to your user directory with 1000 entries, or is it happening on other directories too?
  • When migrating rules to the new console, we focused primarily on out-of-the-box tags, but the ability to manage tags and create custom tags is certainly an area for future improvement as we continue to focus on the new console. When you say your custom tags went missing under Rules - did they disappear from the Flash…
  • Hey Bill! We don't currently offer a large license that you can divide between multiple SEM appliances, each license is bound to a single SEM appliance. However, I can certainly discuss your situation with your Account Manager in an effort to find a solution for you. Will reach out privately to discuss further.
  • Moving away from Flash is absolutely the top priority in LEM. We are continuing to work on our first step away from Flash via the 'LEM Events Console' which will allow you to interact with both realtime and historic log data via a new HTML5 UI. I'll be sharing more information on Thwack as soon as I can.
  • We introduced a new method to remove older versions of Java as part of an update task. You can view the steps here: How to uninstall previous Java 8 versions using Patch Manager - SolarWinds Worldwide, LLC. Help and Support
  • Hi Jeff, I'm sorry to hear that your Technical Support experience hasn't been satisfactory. Can you please provide me with your Case Number & I'll ensure it's dealt with accordingly. Jamie
  • What information do you need to monitor for the Local Security Groups? There are some Event IDs that specifically relate to Local Security Groups, for example Event ID 4732 will tell you that a user has been added to a local security group. You can then build filters in SEM to capture those events, and include the group…
  • Can you check if User Account Control is enabled within Windows? This can sometimes cause problems during the install, so I'd recommend disabling it when installing Kiwi Web Access. MSDN offers a potential workaround too by running a .bat which calls the installer, steps outlined here, but I'd check UAC first.
  • We're currently working on support for SQL 2017/2019; however, while we're working on that, you could use SQL Extended Events and send them to the Windows Event Log. SEM includes a SQL Application Log connector which would then parse those logs. See here for steps on how to enable logging to Windows Events on the SQL side:…
  • Hi Ravi - this blog post goes into some additional detail: Security Event Manager Appliance Security and Data Protection. If there's a specific question you have around the SEM appliance security just let me know.
  • Hi Daniel, LEM does not currently include a connector for the 3PAR. I suggest that you create a Support Ticket & they will raise a feature request for a 3PAR connector. They will ask you for a log sample along with other information such as rotation, user manuals, use cases. The more information you can provide, the better…