Comments
-
I'm currently running into an issue trying to use FIM to monitor folder access and send email alerts. A feature like that would make implementing that a lot easier. Even only letting us configure the Re-Infer (TOT) option for only 1 event in the Correlation Time would do a lot.
-
Hi, just to let you know that I tested this and it doesn't work. The Step 3 rule never fires, so the loop never occurs. I tested with LEM 6.3.1 hotfix 7.
-
This is an old thread, but I'm wondering why a way to do a threshold of one isn't available. I'm not finding any info so far that explains it. Is it a technical issue/performance issue prevention thing or just an interface limitation that the Re-Infer (TOT) option is in the advanced correlation window? Seems to me that…
-
My issue about the loss of event data was in the event you want to roll back by restoring the snapshot. If you do, all the events gathered after the snapshot would be lost. Thanks for the feedback!
-
Also, you may want to add "UserLogonFailure.DestinationAccount is the same" in the advanced threshold settings if you want the rule to trigger after 3 failed attempts by the same user account; if not, it will trigger after 3 failed logons by any user in the group.
-
I found this article that seems to imply that it would work with SQL 2016, but not clearly: "Configure MSSQL Auditor on a LEM Agent - SolarWinds Worldwide, LLC. Help and Support". Will reach out to support, but in the meantime if anyone has got this already working, let me know! Thanks!
-
Yes, that's kind of a way I was thinking of doing it, however so far I have not been successful. I created a rule that watches if the file monitoring rule fires 10 times in 30 seconds, and if it triggers it adds a specific value to a user defined group. Then I modified my file monitoring rule to fire if that specific value…
-
Hi, the vpxd.log on the vCSA should be similar to the one produced on a Windows installation. The paths differ a bit (see below article) but for the vCSA, logs would be syslog forwarded to LEM. Also the vpxd.log on the vCSA is a link to a numbered vpxd-#.log file. (Article: VMware Knowledge Base) I'll message you if you require a…
-
I'd like to try the VMware vCenter 6.0+ VPXD Logs connector, but I do not see it under the Appliance's connectors. It's only available on Agent Nodes. Does this mean it was only developed for a vCenter Server installation on a Windows Server with a LEM Agent installed? Because if you are running it as a virtual…
-
Hi, some things: 1. In your advanced threshold settings you are looking for same DetectionIP, which is the machine from where the event comes. For AD logons, that would be your DC(s). You may want to look at the SourceMachine field instead (see #2). 2. Is your LEM getting UserLogonFailure events? You may want to do an…
-
It's 2019! Don't live in the past!
-
I was able to use Correlation Time in a satisfactory manner for my issue, but I will keep in mind the use of user-defined groups to stop a rule from triggering. The problem with that solution though was that the condition to stop the rule from being triggered doesn't exist fast enough to prevent being spammed with alerts.…