Comments
-
Hello, I think this needs to be revisited, as the need for the connector is becoming even greater now that Covid has made work from home the new norm. I have three requests relating to connectors that would benefit all customers of SolarWinds. 1) Simple documentation of what each connector parses will help us as customers develop rules…
-
What connector are you using, the FIM agent, or is this syslog from Linux? It would be better to know what tool alias this is coming from; that will help determine what fields and data the connector has.
-
Set up rsyslog in Linux using TCP syslog for better log collection. Set up profiles by application so that you can set the connectors per application later on when you expand. For Windows, ensure logging is enabled via GPO, as the default settings in Windows do not always capture both success and failure attempts. With…
-
I know this is a very delayed response, but you should be checking the Windows security log, not the application logs, as it relates to login. I assume that the account is Active Directory, as this is an Exchange server. That being said, is the external IP consistent? It might have been an SMTP relay server set up with the user account.…
-
1. The first thing I would do is review which nodes are agent-based and which are agentless. The reason for this is that you know what is being forwarded to your SEM (push) compared to what is being taken from a node (pulled). Look under Managed Connectors for a list of connectors for push data; you can later filter by the tool alias…
-
The easiest way to find the search is using the following: ProviderSID = "scheduled-search" in a search. This will show all scheduled searches; the only issue is this does not tell you who has scheduled them. You then will have to narrow down, depending on how many people you have as users. It might just be easier to ask, or to log in to each…
-
First, you must make a time of day group from 1am to 6am; this is under Configure > Time of Day Group. Second, make sure the auditing for success and failure is enabled; this varies by OS. On Windows it is under Group Policy, to make sure that it is tracked. I recommend narrowing to select systems first for a trial, to clean up noise, aka false…
-
Log in to SEM via SSH and check that the log file's local facility is configured correctly; for example, if the syslog is local4, check the raw logs for local4 to ensure it registers correctly. Check that the log file is pointing to the right path. The SEM agent
-
I currently have the SEM port running through a reverse proxy, so no VPN is required. The issue might be that the IP address from the VPN does not match the profile in SEM. If it connects via DNS name, the name resolution is not matching. Try setting it in the config by IP address or DNS name. This could be causing the issue as the…
-
MS SQL audit logs are parsed in the Windows security log section. MS application logs are only for agent-based installs on the actual server. That is the limitation I see in the latest version of SEM.
-
I think this is the right track. Please note the log retention is only for systems that contain PHI authentication/authorization, so separating the PHI data sources from non-PHI ones that do not fall into the 6-year retention might help as well. For example, collecting syslog on switches or, say, access points that do not have access to…
-
Looks like a routing issue, possibly with VLANs. Log in to SEM via SSH and run some ping commands to the other side. You might have to add some static routes, and make sure what the native VLAN on the trunk is on both sides.
-
Ok, let's start with this: if you have a single instance of SEM, yes, you will have downtime, as the device needs to reboot. How long is the downtime? Max 15 minutes. How to upgrade the VMware image: I recommend the upgrade ISO approach for a simpler method, less likely to have issues. As any good IT professional will tell you, back up first…
-
This means the path is not right in the connector. SSH to SEM and go to appliance >> checklogs and see if the snort alert log has data; this is option 3. If there is data, then it will display the file path to put in the connector. If not, the snort logs are in one of the other 24 log files; find the right one and add the path.
-
This is only on the login screen, which meets most of the requirements for notifications. If you have regulatory requirements, you may need to look at an alternative solution, like using a load balancer or reverse proxy to add a banner or something of the sort.
-
When setting up the connection you must make sure the right path is set. /var/log/local0.log is the default; this is the path in SolarWinds, not the endpoint where the logs are being received. If set to a different log, you must change it accordingly to parse. If you SSH to SEM and look under appliance > check logs, there are all the locations…
-
There are two different Snort rules: one is for a direct device, typically Linux with Snort; the second one is syslog Snort. This allows for Snort rules to be sent via syslog to your SEM. For the Snort connector there have been 32 revisions of this connector; the problem is that there is no log of what has changed in these revisions, so you…
-
If you have the connection profile already, you can use the "any alert" event, field "detection IP", and for the list use the connection profile you made; make sure it is set to contain, to filter by connection profile machines.
-
SEM connectors do not track all event IDs, but the majority. So I recommend looking at the connector config file on the endpoint to determine which event IDs it tracks. The next step is to ensure that enhanced auditing via GPO or local policy is enabled for the events listed. This increases visibility into your system. As for hardening…
-
I have about 8 virtual domains via one IP address using the MFT gateway proxy; it works well, simply by having the DNS names on your public side point to the same IP address for your Serv-U gateway device. The gateway, being in a DMZ, will then be polled by the Serv-U server and match the corresponding virtual domain assigned.
-
Due to the nature of SEM connectors, customization will not work, as the connectors are configured in a way that looks for standard commands. This is done via RegEx parsing, so your answer at this time is NO.
-
Simply type PING <enter>, then it will prompt for the IP or hostname <enter>, then the amount of packets you want to send <enter>. That is it.
-
This may be easier: simply enable ETW and IIS logging in IIS, as this will show up in the Windows Security event logs.
-
This is a very open-ended question: are we talking about endpoints or the SEM itself? For SEM itself: - change the CMC SSH password from the default if you have not. - enable TLS. - replace the certificate with your proper domain certs. - enable the Active Directory and SSO configuration so logins are listed in AD. - depending on deployment…
-
There is no built-in PAM tool; this is simply a rule you configure to monitor and check for accounts you deem privileged in an Active Directory group, or hardcode the usernames to filter. This is also dependent on having an agent installed on the computer to monitor. Logon Failures to Administrative Accounts is a select…
-
This is the one link in 2023.4RC1, so sorry, that is all I have.
-
Here is the link: https://downloads.solarwinds.com/solarwinds/Release/SEM/SolarWinds-SEM-Agent-MacOSInstaller.zip Hope that helps.
-
The new release candidate 2023.4RC1 has added time of day group editing in the SEM console.
-
I had a support issue for a while that did not resolve; I finally found a solution that worked. First I upgraded to 2023.2.1, which fixed the issues. I also archived backups after 6 months using the SSH logmarchive (only one time, then turned it off). This purged some old records, and now it seems the issue is resolved. For…
-
How many EPS are you receiving, and do you have any backup of logs being done? If so, what is the frequency? I just recently purged some old logs in the archive and then the problem seems to have disappeared. This does depend on your retention and search practices though. Are you capturing raw logs too?