Comments
-
Support should have at least opened up a case for you on this one; that way it can get tied to the known issue. Also they may actually have a workaround for you too.
-
I'll post the full link until Capt. Obvious gets a chance to modify the main post. Thanks for the post Mateusz O http://downloads.solarwinds.com/solarwinds/Release/HotFix/LEM-v6.2.0-HotFix2.zip
-
Also if you are up to the latest version of LEM the 6.2 Installer works without needing to use compatibility mode now. Compatibility mode can always be used as a fallback in case there are any issues.
-
What type of firewall is this? It sounds like it is Checkpoint and not something that is sending syslog. The connector watches the syslog log file that the firewall sends data to and does not care what data is being sent to it.
-
There is currently no way to remove that 10MB limit, but if you can reduce what you are querying then that may help to be below the limit. Reports were meant for the larger sets of data collection.
-
No new VM is required. It is just a name change from LEM to SEM. LEM 6.4, 6.5 and 6.6 can be directly upgraded to SEM 6.7.
-
I have not seen something like this in a long time. It could be a corrupted profile. I would suggest you make sure you are on the latest version and if you are still seeing it then contact support and see if they can help you out.
-
There is a Checkpoint connector for syslog messages from Checkpoint EdgeX listed as "Checkpoint Edge X Firewall". It is possible it may work with the one you are asking about. Sometimes vendors use the same core messages for other brands of their devices. If that one does not work then your best bet is to put in a…
-
Please open a support case with your logs, so that we can adjust things since it looks like what they changed it to is matching something else now. Make sure to point out which ones are coming in as ServiceInfo that should be remapped to PolicyModify. Thanks.
-
InternalRuleFired events will say which rule made it fire with the InferrenceRule field. I would suggest you run an nDepth query to look for that event in the timeframe that you see the email firing or look at your filter for Internal events and look at the InternalRuleFired event. Also if the InternalRuleFired event is in…
-
If it is not listed as a connector then this would be a Feature Request to add this coverage. Best thing to do would be to open up a support case because they will be wanting to collect information from you. There is a normalization process to map the log lines to proper events. Additionally support may suggest that you…
-
I would look at your Windows Application Event log for USB Defender events. USB Defender will log to the Windows Application Event log everything that is told is seen by the operating system. Inside that message is a ton of details that may lead you down the path as to why it is still being accepted. Perhaps it is coming…
-
You are actually running into a fixed issue that some were running into with an update that happened from Microsoft on Windows 10.
* I would make sure you are on the latest version which is 6.7.2 and make sure that agent is on the latest 6.7.2 version as well. That should solve your issue.
* Other option, after getting…
-
Have you checked your Directory Service connector? It sounds like something you inputted that uses your credentials needs to have its password updated, and my guess would be the Directory Service connector.
-
Call support. Your database is not inserting data and is queuing up. I can see that by the line: "Database Queue(s): 5.1G (12679286 alerts queued, 187196 alerts waiting in memory)" Note sometimes this can happen if your system has been offline and all of the agents are sending in their queued up data, but from what you are…
-
Also make sure you set the Cisco ISE to send the data at max length 8196. It is in the settings of Cisco ISE syslog sending. Otherwise you will be sending truncated lines.
-
Also you can find links to older release notes usually at the bottom of the latest release notes (There is a link at the top to the Version History section at the bottom as well) http://www.solarwinds.com/documentation/lem/docs/releasenotes/releasenotes.htm
-
When the installer runs it needs to also talk to services on the machine and the registry. It may be that it thought everything was good, but in fact it was unable to add the service using sc.exe or make a change for that service in the registry. Normally that comes down to remote permissions to add services using or…
-
Hard one because MSFT is logging it as a change: Windows Security Log Event ID 4719 - System audit policy was changed
-
In 6.3.1 this can be modified to suit your needs on when an event fires into a logfile that is watched with Manager Monitor. The logic is when the event gets fired from the system which you can configure in the cmc. The percentage is not listed in that rule. The != parts are intended to stop a false positive that happened…
-
If you just right click and remove node in the console then they will reconnect in 2 minutes. You need to do an uninstall of the agent either via Add/Remove programs or the Remote Agent Uninstaller.
-
Hi barzillo, That is a very odd situation. I would contact support since there is nothing in hotfix 4 that would have done this situation. It sounds like you have a rule that may be firing on a start event that is doing an active response of closing a program out.
-
This is most likely a connector that is seeing a certain field and mapping it to DetectionIP. Ways to fix:
1. Make sure your connectors are up to date
2. Open a support ticket if your connectors are up to date, so they can help identify the connector that is doing this and help get you a fix
-
The change from LEM to SEM had name changes in many areas, but there are still many spots that will still say LEM. Going forward more things will change to say SEM. Your upgrade is fine; this is not an issue.
-
Hi, I do not see a screenshot of IBM's settings. Did you make sure that it is set up to send the logs to the SEM appliance? Something has to be done on the IBM side first or we will not receive the logs. Do you see the IP address of the device in any of the logs that you had a screenshot of? Have you asked IBM where it sends…
-
Hi, The listing shows devices that we know have the same log format for this connector. Many times they have the same OS on these devices that log things in the same way. Based on what you are saying it sounds like the format is not the same format as the others. Your best bet would be to open up a support case and they…
-
You could always try to send it to a Kiwi syslog server. Then you could do a wireshark in between if it is not getting there.
-
The only way right now would be to go into the browser and disable 1.0 and 1.1. Then it will use 1.2 from your browser.
-
Hi, You have a couple of options.
* Update your connectors. Looks like 107 might be the latest version for that connector.
* You can set up the SEM to have it automatically keep your connectors up to date on a daily basis.
* If updating your connectors does not help out then open up a case with support for unmatched data in…
-
It will not reinstall the agent, but will install the latest version in its place. So if the agent was already installed with the latest it will copy those same files over and reconnect. If it was an older version of the agent then it will copy over the newer files and reconnect as the newer version. It is ok to do this,…