Comments
-
Curious as to how you are integrating it with Sophos AV. We are running Sophos AV (looks like version 10.3). I have the agent installed on the server and I have the SophosSNMP and the Sophos Enterprise 3.0 connectors enabled. I haven't really seen any useful data coming from it (at least from Sophos). Any suggestions on…
-
That's a bit disappointing, but thanks for replying.
-
I'm just going to throw in my $0.02 and say I think it would be awesome to have Orion/LEM integration. I'm not much of a fan of using Flash, so if you could just throw a hook into Orion (an LEM tab) and use HTML5 or something similar to essentially display the same type of information, it would seem to work pretty well for…
-
The best advice I have for you is how I began figuring out what else I could add for more descriptive emails. Go find the actual instance of the alert that triggered your non-descriptive email. Once you find that, you'll see all the fields that it has for that type of event. Go to the event template (clone it to a special…
-
Sounds good. That's what I'm thinking. I use a static IP, so I'll need to run the netconfig. Thanks again!
-
YESS!! This is it. With what you put in there and current value = 3 I'm able to actually get the correct values I'm looking for! (Oh and look another failed drive). It's funny. Once you see it once, it's pretty simple. I'm setting up a PSU alert now too. Also, if anyone happens to search for this later on, if you go into…
-
Awesome. According to this, I got all of them from my previous efforts (minus one that I already knew about and am keeping in its current state). I like this query, thank you for this. Just curious, what does statusdescription==0 actually mean?
-
Typically what I have to do is find the events using an nDepth search or in the monitor, and gather the data from that and make the rule match all the fields that way. It's possible your alert is set to look for certain types of events, but it doesn't account for other kinds (the ones you're looking for). It's not…
-
VMware licensing certainly would need to be considered before going the FT route. The more cumbersome/time consuming route (that I could think of at least) would be to configure everything twice (pushed syslogs going to both appliances and those with installed agents configured on both LEM appliances). Though I'd imagine…
-
It would seem that there would be a way to use some custom table pollers to query for virtual servers and their status. I don't really have experience building such a poller, only using them and building alerts from them, but perhaps I can try to look into it.
-
I'm looking into the same thing. It would pain me to set up trap forwarding on all our physical servers, but would certainly be a possibility. I just set it on a few servers with already failed disks or ones that I know are most likely to fail soon. How have you set up your alerts if you can share?
-
I have the status=3 part (custom table poller current status Current Value is = 3). What I can't seem to get is the specific poller that looks for drive status. I can trigger based on 'Custom Poller Assignment ID', but I can't seem to find a way to determine what Assignment IDs relate to. There are a bunch of pre-existing…
-
After the original post, I did begin to experiment with alerting on 'Custom Table Poller Current Status'. I felt like I was getting a bit closer, but I'm still not able to narrow down the alerts properly. I've been out for a few days, but just took a look at your post and was able to properly get the views displaying…
-
Awesome, thanks. So I'm assuming to do so you have to remove the old NIC(s), add the new one, reboot and then run the network config from the console?
-
Not sure what you mean. Using the steps I outlined in my first self-reply I was able to find the majority of the nodes in question, but if I would have started by doing what chad.every said, I think I would have basically gotten to the same end. The SQL query seems to work. It should basically return the nodes in question.…
-
A further update... I happened upon some further Cryptolocker (4) info { Cisco Talos Blog: Threat Spotlight: CryptoWall 4 - The Evolution Continues } and decided to add a bit more to my monitoring. One extra thing I am now looking for is FileAttributeChange.FileName == *\HELP_YOUR_FILES.* and FileCreate.FileName ==…
-
That is a useful guide. I don't think I had previously seen that one. Thanks for linking it.
-
I think that is a Netscaler connector. I've actually just minutes ago got our Netscaler reporting on multiple failed login attempts now. It took a while to get both the Netscaler forwarding the proper information and learning how to create events/alerts, but I can spare the pain of learning for someone else if it's…
-
Awesome! I was wondering this myself.
-
Thanks. One other question, would it be better to swap hostnames/IP before or after I install/configure Solarwinds on the new server?
-
I've installed the HP SIM software and have it manage/monitor a few machines but I found it terribly cumbersome to use and the documentation poor. Since I was more familiar with Orion I wanted to try to see if I could utilize that instead.
-
Just wondering if anyone still uses these pollers. I have tried implementing them and creating alerts for them in the latest Orion NPM, but am having difficulty in doing so.
-
This isn't a direct answer to my question, but I went through manually and tried to find the ones I can. For anyone else looking for an answer, this is what I did (will have to suffice until I can find a better answer). If you go to manage nodes, sort by status (maybe reverse sort) and look for nodes with something other…
-
Seeing this thread piqued my interest to see what it is that y'all are actually monitoring on your Exchange servers? Just Windows Application/System logs? Are you able to forward any Exchange specific logs? I'm not monitoring any Exchange info and this thread isn't really doing a great job of convincing me to do so, but I…
-
Forgetting to click the "apply rule" button always gets me. Don't forget to check that.
-
I wanted to update as I have started to develop a way to monitor for Cryptolocker activity on our file servers. It's taken a fair bit of testing and is certainly not complete, but I also wanted to pass this knowledge on as a starting point for anyone who might be interested in doing the same on their networks. I used the…
-
Hey, I just so happened to be looking for something else on my LEM appliance and noticed something you might be interested in. I was connected via SSH and in the "appliance" menu I see the following (see screenshot): There are two options that you might find interesting... promote and demote. Both of which refer to a…
-
Not sure if this is exactly what you are looking for, but for syslog type forwarding, you could just set multiple targets on the senders. You'd have to set up the same installed/agented clients and connectors as well. Not a perfect solution, but might fulfill your requirements. Might be possible to forward all logs from…
-
I don't think there is a way to reduce the actual events that FIM is recording. If you are sending an alert for each time you have a FIM event, you should be able to reduce the amount of emails sent by editing the rule that is sending those emails and modifying the 'correlation times' to however high still triggers an…
-
I'd also like to see LEM create some XenApp connectors.