Comments
-
I have not had any issues currently, but I am using Hyper-V instead of VMware. One idea, at least to rule out issues with virtualization: add a second network card for management with a different IP. Make sure you exclude SFTP from that IP address and see if there is an improvement.
-
On live events, go to Rules activity, use the search bar, and type the email address; it should tell you which rule fired and sent the email.
-
The first way I found to find reports that contain the dataset you want, for example failed login attempts: select the time range for the report with keywords from Crystal Reports by finding a report that has the information you require. Run the report. Please note I have these reports scheduled to run every day for certain…
-
Not too sure about Exchange logs, but I would check if Exchange is authenticating against a DC for authentication as well. If this is only a handful of users, I still think clearing the credential manager is your best chance of getting rid of the recurring bad password attempts.
-
Yes, but SMB verifies against a DC for authentication and therefore would show in the DC logs as security failures as well. It gets recorded in two places, not just one. These are triggered as logins and logouts in the security logs of the DC from my experience. Also, if Exchange is M365 or on premises, I check if there…
-
What type of information are you looking to retrieve? I offset some daily routines by setting up reports to gather the data I need, but it depends on the type of data you are searching for. I have used many programs; each has its own unique problems. Prebuilt queries are effective if they are very granular, because 100K of event…
-
You must log in to the console of the Virtual Appliance using the CMC login, log into the manager section, and you can update the certificate from there. You will need to have the new cert on a share drive that is accessible to the appliance.
-
Check the user's computer and Credential Manager and have them delete the saved password for servers. If there is an incorrect password stored, for example for an SMB share, it will fail and ask them to re-enter the correct details while not updating the stored password. I had this several times with other people who have recent password…
-
For the Windows Application connector, it does not parse everything; you need to determine if that event is registered in the XML file of the connector. This is located in C:\Windows\SysWOW64\ContegoSPOP\tools for all connector XML files; Windows Application is listed as ntapplication.xml. Searching for the event ID will tell you if…
-
Check under this file. Windows Application Log example: C:\Windows\SysWOW64\ContegoSPOP\tools\ntapplication.xml. This shows all the events that are recognized by the version of your connector. This will require a little understanding of XML, but you could use the find command and use the event ID. Currently I do not see this Event ID…
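The search the two comments above describe, as an added example (not code from the original posts or from SolarWinds): it looks for a Windows event ID across every connector XML in the tools directory named above. The event ID 4625 (failed logon) is a constructed sample, and matching the ID as a bare whole number is an assumption about how the connector files reference events.

```powershell
# Added example: find which SEM connector definition file(s) reference an event ID.
# Assumes the default connector path from the comments above; 4625 is a sample ID.
$toolsDir = 'C:\Windows\SysWOW64\ContegoSPOP\tools'
$eventId  = 4625

# Match the ID as a whole number so 4625 does not also hit 14625 or 46250.
$pattern = "\b$eventId\b"

$hits = Get-ChildItem -Path $toolsDir -Filter '*.xml' -File |
    Select-String -Pattern $pattern

if (-not $hits) {
    Write-Output "Event ID $eventId is not referenced by any connector XML in $toolsDir"
} else {
    # Group by file so you can see which connector(s) recognise this event,
    # and show the first matching line from each as a starting point for reading the XML.
    $hits | Group-Object Path | ForEach-Object {
        $first = $_.Group[0]
        "{0}: {1} match(es); first at line {2}: {3}" -f $_.Name, $_.Count, $first.LineNumber, $first.Line.Trim()
    }
}
```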
-
We will need a little more context for the request, meaning the mask field is only one field in the create inclusion. First, you need a path for every drive: c:\, d:\, etc. Next, depth contains in all files; recursive means subdirectories as well. Lastly, the type of action: read/write/create/delete. Please note the read field on…
-
Actually, I used this article from SolarWinds, which was very useful on Windows to configure logs: Advanced setup. If you have a Windows-focused environment, you want to make sure your Windows events are configured correctly so that SEM can pull the logs.
-
You can use the Windows Server VM to be a syslog forwarder to SEM. I have done this with FortiGate firewalls; considering you are not changing the syslog formats, the SEM connector has no issues with parsing the data. You can do this via the Windows netsh portproxy command, the simplest method that is built into Windows.
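The netsh portproxy relay the comment above refers to, as an added example (not code from the original post or from SolarWinds). It assumes the Windows VM should listen on TCP 514 and relay to a SEM appliance at 192.0.2.10, a documentation placeholder address; note that portproxy relays TCP only, so sources that send syslog over UDP 514 are not covered by this rule.

```powershell
# Added example: relay TCP syslog from this Windows VM to SEM with netsh portproxy.
# Assumed values: SEM at 192.0.2.10 (placeholder), listener and target port 514.
$semIp = '192.0.2.10'
$port  = 514

# portproxy is implemented by the IP Helper service; make sure it is running.
Set-Service -Name iphlpsvc -StartupType Automatic
Start-Service -Name iphlpsvc

# Listen on all IPv4 interfaces and forward each TCP connection to SEM.
# netsh portproxy handles TCP only; UDP syslog needs a syslog daemon instead.
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=$port `
    connectaddress=$semIp connectport=$port

# Allow the listener through Windows Defender Firewall.
New-NetFirewallRule -DisplayName "Syslog relay to SEM (TCP $port)" -Direction Inbound `
    -Protocol TCP -LocalPort $port -Action Allow | Out-Null

# Verify the relay entry and confirm the port is being listened on.
netsh interface portproxy show v4tov4
Get-NetTCPConnection -LocalPort $port -State Listen

# Removal, when the relay is no longer needed:
# netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=$port
```

Point the FortiGate (or other source) at the VM's address on TCP 514; the relay preserves the payload unchanged, so the existing SEM connector parses it as before.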
-
I think this will be more of a manual task as you will have to look for the last login entry from before the crash. Which event type are you using to pull data for the alert? For example, the Host Incident event has different information from the UserLogonFailure event, so you could link/correlate data from the new different event for…
-
This depends on what connector you are using. If you want the X-Forwarded logs, this is in the IIS Advanced connector, for your reference.
-
OK, I know there are audit event logs on the domain controller (these are per each domain controller). You must make sure the auditing is configured to track. (https://rlevchenko.com/2017/03/17/how-easy-is-it-to-track-group-policy-changes-using-the-event-log/) The Event ID is: * Event ID Range: 4000–4007: This range covers…
-
Hello Garen, if you want to get more information on who is accessing the file, you must make sure that the logging options are enabled, either via Group Policy edit on your AD or by changing the local policy on the server to enable the access details. Typically these are found in Windows security event logs for the details you want.…
-
Rule is true when UserDisable.EventInfo is equal to *Account Lock* AND UserDisable.SourceAccount is equal to "*[account name]*" (make note of the * before and after). Click or drag an item from the left panel. And the whole rule occurs at least 1x in 30 sec in a 5 min window. This is a copy of the lockout rule with the condition when…
-
I notice you only want to check DCs, and I would recommend creating a connection profile under Nodes to gather all the DCs in one group. Then you can follow the process that was listed above, but also filter by connection profile so it only checks DCs. This should cut down on the noise of other agents on your SEM.
-
I would also like to mention that waiting for the person to connect to VPN for an agent to upload logs might not be as useful. I recommend using a reverse proxy and forwarding a public port into SEM to access logs from a computer not connected to the VPN. This will be a more semi-real-time approach to tracking issues. If the…
-
I would set a GPO to auto-lock the screen after idle time; this would prevent this. https://community.spiceworks.com/topic/1416384-gpo-to-lock-the-computer-after-10-minutes-of-inactivity That would be more effective. Once they connect to VPN the GPO will be applied if they are domain-controlled computers.
-
This might be a result of an SMB share that someone is trying to access remotely. I have had similar issues with this in the past. Does the server have any shares published? If it does, then someone is trying to access it without authenticating. Hope that helps.
-
I have been running this on Windows 2019 Hyper-V for a year or so with no issues. Between Windows 2016 and 2019 nothing has changed in the way of Hyper-V roles. Hope that helps.
-
First, you must determine the syslog format, aka brand, and what ID is being used by your source. Go to Nodes >> Manage Connectors and look for the brand-specific connector; this is the hard part because some might have more than one that seem correct. Next, you must determine which local you have set from the source. You have the…