Comments
-
Also, the "last connected" timestamp should reflect last event sent and not when the agent last rebooted?
-
How does Zscaler need to be configured in order for the connector to recognize the log? SolarWinds is not an option under the Zscaler configuration. jhynds
-
curtisi, any thoughts here?
-
Unfortunately this is still not working. I set the feed type to CSV, refreshed the 'tool maintenance by alias' report after about 30 minutes for the last 24 hours, and no unmatched data. I have also run an nDepth report for the connector name "zscaler" (that is the name I provided to the connector), and no results other…
-
Ability to do a "MAX" search, to search for the last event for a workstation/network device.
-
* global filters
* ability to view groups in the monitor (PCI vs non-PCI would be helpful)
* ability to view groups in nDepth search (which group does the workstation/server belong to) to assist in false positive
* nDepth search view to resemble "monitor" vs current list view
* HTML5
-
Unfortunately that output did not work. The LEEF output type generated the below:
-
Thanks. I had already added the feed and the first part, but I did not try the LEEF output yet; I'll try that. Attached are the other output types:
-
Internal is class A. When a person VPNs, is this categorized as suspicious DNS? Thanks for the help.
-
Thank you curtisi. In what scenario is receiving 192.168.1.1 as the destination IP acceptable? It seems to be a generic Linksys router, i.e. VPN?
-
What would that look like?
-
I currently have a ticket open. I did mention that IT is currently adding agents to workstations; yet to determine if this is causing the messaging.
-
Thoughts here? This is a user workstation. Same event log ID (4656), but for a directory recursive monitor by FIM (PCI template).
Event Field / Information
EventName: FileAuditFailure
EventInfo: File open failed "C:\Windows\System32\mfc42u.dll" user "XXXXXXXX$"
InsertionIP: XXXXXXXXXX
Manager: LEM
DetectionIP: XXXXXXXX
InsertionTime: 15:50:27…
-
( ( ( "Event Name" = TCPTrafficAudit ) AND ( DestinationPort = 53 ) ) AND ( ( "Event Name" = TCPTrafficAudit ) AND ( DestinationMachine outside::{ "Windows Server 2003 - DC" } ) ) ) AND ( ( "Event Name" = TCPTrafficAudit ) AND ( DestinationMachine outside::{ "Windows Server 2008/2012 - DC" } ) )
I ran the above, one of the…
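As an added illustration (not part of the comment above or of LEM itself), the filter quoted here transcribed clause for clause into Python and run over a few constructed TCPTrafficAudit events, so you can see which DNS destinations it selects; the group memberships, the sample events and the UDPTrafficAudit event name are all assumptions for the example.

```python
# Added example: evaluates the quoted LEM-style filter over constructed events.
# Group members and events below are constructed, not real LEM data.
from typing import Dict, Iterable, List, Set

# Constructed user-defined groups (UDGs) named in the filter's "outside::" clauses.
UDGS: Dict[str, Set[str]] = {
    "Windows Server 2003 - DC": {"10.0.0.10", "dc01.corp.example"},
    "Windows Server 2008/2012 - DC": {"10.0.0.11", "10.0.0.12"},
}


def outside(value: str, group: str) -> bool:
    """'outside::' semantics as used in the filter: value is not a group member."""
    return value not in UDGS[group]


def filter_matches(ev: dict) -> bool:
    """Direct transcription of the quoted filter, one clause per line."""
    is_tcp = ev.get("Event Name") == "TCPTrafficAudit"
    dst = ev.get("DestinationMachine", "")
    return (
        (is_tcp and ev.get("DestinationPort") == 53)
        and (is_tcp and outside(dst, "Windows Server 2003 - DC"))
        and (is_tcp and outside(dst, "Windows Server 2008/2012 - DC"))
    )


def flagged_destinations(events: Iterable[dict]) -> List[str]:
    """Destinations of the events the filter selects, in input order."""
    return [e["DestinationMachine"] for e in events if filter_matches(e)]


# Constructed sample events; "UDPTrafficAudit" is an assumed event name.
SAMPLE_EVENTS = [
    {"Event Name": "TCPTrafficAudit", "DestinationMachine": "10.0.0.10", "DestinationPort": 53},
    {"Event Name": "TCPTrafficAudit", "DestinationMachine": "10.0.0.12", "DestinationPort": 53},
    {"Event Name": "TCPTrafficAudit", "DestinationMachine": "192.168.1.1", "DestinationPort": 53},
    {"Event Name": "TCPTrafficAudit", "DestinationMachine": "8.8.8.8", "DestinationPort": 443},
    {"Event Name": "UDPTrafficAudit", "DestinationMachine": "8.8.8.8", "DestinationPort": 53},
]

if __name__ == "__main__":
    print(flagged_destinations(SAMPLE_EVENTS))  # -> ['192.168.1.1']
```

Only DNS to a destination that is in neither DC group is selected; note that the filter as written matches TCPTrafficAudit only, so DNS carried over UDP (the common case) is not covered by it.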
-
No, sorry.
-
The message is still the same once I click "scan for nodes". I have opened a support ticket also, just in case.
-
I do see audit failures corresponding to the 4656 under Security. Many relate to PlugPlayManager.
-
There was nothing under the Operational log.
-
Will I be able to see logs from users, similar to SmartView Tracker?
-
Can I use a connector group vs a UDG for approved DNS server?
-
Good idea... anyone? curtisi, any thoughts? I have the below for ASA and Check Point. Though approaching it from an event occurrence is also a good idea. Check Point throws a session error when it is unable to connect. For ASA I used the tool offline/online? (Still testing this one.)
-
On my end I see a mystery node IP address for VPN; I have not seen strings yet. Are you on 6.2.1?
-
Verify the customer portal, but below is the doc on the hotfix: SolarWinds Log & Event Manager version 6.2 HotFix 2 - Now Available
-
It may vary, from HP customer experience to others.
-
In the LEM, the 4957 event shows, but I do not see the task category. This would help in editing the auditing in Windows Server 2008.
-
That's the correct field. In the Windows Event Viewer, I see the task category of "MPSSVC Rule-Level Policy Change" (subcategory), but in the LEM I do not see this?
-
Once I logged off and then back in... I no longer see that.
-
SolarWinds Log & Event Manager (LEM) 6.3.0 Release Notes - SolarWinds Worldwide, LLC. Help and Support
-
Good idea. I have opened a ticket, although this may require additional research since I am not sure what other events may have been impacted by the upgrade by Check Point.
-
Thanks jamesatloop1. What would indicate an issue there? (Where do I see if a service is blocked?)