martindl76

Comments

  • That, my friend, would be a nice feature. Someone correct me if I am wrong, but I do not believe that capability is available yet. What you can do, though, as an alternative is create a spreadsheet somewhere (in SharePoint preferably) with all of the same data as in the whitelist. Then add a link in your email to the list.…
  • Happy Alerting!
  • The NIST database is always a good starting point. The HIPAA Security Rule Toolkit - NIST http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf
  • After reading the reply it begins to make sense. The nodes that are detected mostly are related to Symantec Endpoint logs. We are forwarding Symantec Endpoint 11 logs to LEM. I am assuming LEM is seeing the different source IP (Symantec) and machines (Symantec Clients). This may account for the issue. So if my…
  • Now I know, and knowing is half the battle....
  • Here is a sample of my config file for snort.debian.conf
    DEBIAN_SNORT_STARTUP="boot"
    DEBIAN_SNORT_HOME_NET="[Use commas between multiple addresses]"
    DEBIAN_SNORT_OPTIONS="-A fast -I -N --nolock-pidfile"
    DEBIAN_SNORT_INTERFACE="eth1"
    DEBIAN_SNORT_SEND_STATS="true"
    DEBIAN_SNORT_STATS_RCPT="root"…
  • If you want to audit files on a Windows machine you will have to enable "file auditing" in your Security Policy. It is well advised to do some research on the Advanced Audit settings so that you can audit specifically the actions on files you are looking to audit. Also, just enabling the audit settings in the policy…
  • I hope I understand your question correctly Jeremy. When you create your whitelist use the data collected in Solarwinds as a template for creating your whitelists. This will ensure that Solarwinds can match the data in the whitelist with the data it is receiving in the event logs. Once you do this then you can use your…
  • Hello bkeeley, First I would tell you that UserEnable and UserDisable are distinct Events in Solarwinds. So you would create your rule with these events. Then when you narrow down your filter you must make sure that you use the DestinationAccount field to filter by user, of course unless you are more interested in who…
  • I suggest you look into LEM's auditd connector tool. You may be able to use auditd to monitor actions on files. Here is a link that may help: Chapter 32. Introducing an Audit Rule Set. It is for Suse but auditd works the same around the board...... Good luck! Oh, it would be nice for Solarwinds to build a connector to Ossec…
  • I would, as networkjr suggested, check your VM resource allocations. The new upgrade is now compatible with unlimited resource allocation. This was not the case with the previous version where you had to set strict limits. It sounds like a resource usage problem.
  • The questions I would ask are: 1) How new is your installation? 2) Have you configured an NTP server correctly from the LEM device? 3) Have you configured the time correctly? 4) Are you getting the events in the database? Can you search them in nDepth? I had similar problems after an initial install and it was related to the…