Comments
-
Thanks for splitting this connector out on v6.2. I can now monitor my remote sites; SolarWinds does listen!
-
This is a great idea and probably easy to do in a Windows environment.
-
But then there is no record; it is better to have a pre-filter. It should be a filter request.
-
Would work well with auditors too.
-
I have a feature request open for FIM to address the differing amounts of Windows read events created when a file is opened (one per thread). What I want is a FIM event that triggers when >1 Windows event is created; furthermore I want to ignore the NT\Authority events and focus on the DOMAIN\user event. I have also…
-
So in theory they can call 3 days in a row at any time (the "ghost" could be on another call, at lunch, taking a comfort break, or not in the USA or Philippines time zone) and then close the call? What if the user has a voicemail system (we have one and I have NEVER had a message left by SolarWinds support)? Are they…
-
Yes, the AND / OR functionality helps here. I use this to differentiate between domain account password resets for people (that I want to know about as soon as the change is made) and computers (that I am happy to just log and review later).
-
I was going to suggest user defined groups until I saw the /8. I have suggested being able to make the groups from a CSV.
-
That's it. Fantastic! Thanks so much for that.
-
Do you know where I get the "members of Leavers AD group" part from?
-
Hi, yes I can. I'll play around with them and see what data I get. Thanks.
-
Thanks for the reply. I think we are covered on the other methods at the perimeter; it's just USB I want to log. Any help really would be appreciated.
-
I get the Windows event codes from https://www.ultimatewindowssecurity.com/. Ones I use are: Domain Admins group additions and deletions using Auditable Group Events.EventInfo = Member "*" (added/deleted) from group "XXXXXXXX\Domain Admins". This emails me when users are added or removed from Domain Admins. Domain passwords…
-
I am not questioning the quality of support, just the process; tickets should not be closed without customer consent, usually followed up with a rating method of some sort.
-
Hi, and thanks for the work you put in to this. Do I have to edit this in any way? I get an alert on Error: The Value in the comparison table is not available.
-
We had similar issues with agents and came to the same conclusion. We then had a different issue with the amount of DHCP addresses we use; essentially our users are quite mobile within our networks and it's not unusual to see the same machine with 3 or 4 IP addresses in a day depending on which VLAN they are connected to. I…
-
I agree with mark88; I use LEM on two domains.
-
To do this I use correlations: DeleteDomainMember.ProviderSID = *4726* AND DeleteDomainMember.EventInfo NOT= *$*. The $ bit just filters out machine accounts. Other useful ones are: Disable accounts: UserDisable.ProviderSID = *4725* AND UserDisable.EventInfo NOT= *$*. Add to groups (works with removed too): Auditable Group…
-
Hi Chadd, I have raised this too with the guys from SolarWinds on the stand at InfoSec in London and with the LEM support department manager in the US. It would be a huge benefit to us too.
-
In the Monitor tab go to Filters, expand Overview and select LEM Internal Events. Wait until you see the event InternalRuleFired with the EventInfo "The 'Authentication Traffic but No Agent' rule fired". Pause and select the event (make sure the event is highlighted). In the top right hand corner Explore drop down, choose…
-
Custom connectors would be awesome.
-
I have issues with nodes disconnecting; the guys at SolarWinds seem to think it's because I use DHCP and VLANs. I'm not very impressed with the whole agent-LEM experience, which is a shame as I think it could be the greatest asset to this SIEM. My guess is you'll have to open a support ticket.
-
I am still seeing workstations appearing as universal nodes; also I keep having about half my agents offline. The whole agent system is flawed. Also it seems there is very little interest in the product from SolarWinds given the amount of development, blogs, roadmaps ("what we are working on") and updates.
-
Have you tried Auditable Group Events.EventInfo? I use the strings Member "*" removed from group "DOMAIN\Group Name" and Member "*" added to group "DOMAIN\Group Name".
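As an added illustration (not from any commenter and not LEM's own code), the AND / NOT= / wildcard conditions quoted in the two rule comments above, re-implemented in Python over constructed sample events. The field names ProviderSID and EventInfo come from the comments; the group event IDs 4728/4729, the event texts and the account names are assumptions made for this example.

```python
import fnmatch

# Constructed sample events shaped like LEM-normalized Windows security events.
# ProviderSID carries the Windows event ID and EventInfo the message text (assumed layout);
# 4726 = user deleted, 4725 = user disabled, 4728/4729 = member added/removed (global group).
SAMPLE_EVENTS = [
    {"ProviderSID": "Security:4726", "EventInfo": "User account CORP\\jsmith deleted"},
    {"ProviderSID": "Security:4726", "EventInfo": "User account CORP\\WKS0042$ deleted"},
    {"ProviderSID": "Security:4725", "EventInfo": "User account CORP\\bjones disabled"},
    {"ProviderSID": "Security:4725", "EventInfo": "User account CORP\\SRV01$ disabled"},
    {"ProviderSID": "Security:4728", "EventInfo": 'Member "CORP\\bjones" added to group "CORP\\Domain Admins"'},
    {"ProviderSID": "Security:4729", "EventInfo": 'Member "CORP\\tlee" removed from group "CORP\\Domain Admins"'},
    {"ProviderSID": "Security:4728", "EventInfo": 'Member "CORP\\tlee" added to group "CORP\\Helpdesk"'},
]

# A rule is a list of OR-alternatives; each alternative is a list of AND-ed
# (field, operator, wildcard) conditions, mirroring "= *pattern*" and "NOT= *pattern*".
RULES = {
    "domain_user_deleted": [[("ProviderSID", "=", "*4726*"), ("EventInfo", "NOT=", "*$*")]],
    "domain_user_disabled": [[("ProviderSID", "=", "*4725*"), ("EventInfo", "NOT=", "*$*")]],
    "domain_admins_membership": [
        [("EventInfo", "=", 'Member "*" added to group "*\\Domain Admins"')],
        [("EventInfo", "=", 'Member "*" removed from group "*\\Domain Admins"')],
    ],
}


def condition_matches(event, field, op, pattern):
    """Case-insensitive wildcard test; NOT= inverts. A missing field never matches '='."""
    value = event.get(field, "")
    hit = fnmatch.fnmatchcase(value.lower(), pattern.lower())
    return not hit if op == "NOT=" else hit


def rule_fires(event, alternatives):
    """Fire when any OR-alternative has all of its AND conditions satisfied."""
    return any(all(condition_matches(event, *cond) for cond in alt) for alt in alternatives)


def evaluate(events, rules=RULES):
    """Return {rule_name: [EventInfo of each matching event]} for a batch of events."""
    hits = {name: [] for name in rules}
    for ev in events:
        for name, alts in rules.items():
            if rule_fires(ev, alts):
                hits[name].append(ev["EventInfo"])
    return hits


if __name__ == "__main__":
    for name, infos in evaluate(SAMPLE_EVENTS).items():
        print(f"{name}: {len(infos)} hit(s)")
        for info in infos:
            print("   ", info)
```

The `*$*` exclusion drops the WKS0042$ and SRV01$ machine-account events, and the Helpdesk change does not match the Domain Admins patterns.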
-
To SolarWinds' credit they assigned a specialist to all the calls that were closed that I considered still open. The engagement was a complete success and closed my longest issue, which was splitting the events caused by Windows Firewall from the other Windows logs. 6.2 fixed this.
-
Maybe this SolarWinds tool would help: Download a FREE trial of Event Log Forwarder for Windows from SolarWinds.