
Mystery Nodes - LEM

I am having mystery nodes added and I have no idea how to get rid of them. See screenshots below.

LEM_nodes1.png

I moused over the line to get the pop-up showing the full string. Also note that another entry, partially obscured, is just "172" for IP address and "0" for hostname.

LEM_nodes2.png

The above three node entries appear to just be components of an email function. How are they getting detected as nodes?

This thread appears to be the same problem I am having: Unknown Nodes, but since that thread is unanswered and a year old, I thought I would start another thread.

Can anyone direct me where to go within LEM to clean this up?

  • I have noticed the same thing and have identified that this occurs when someone VPNs. The agent node should reflect a node you recognize either by name or IP.

  • Marcus,

    Which kind of entry did you see related to VPN connections? Was it the mail function related ones, the partial ip address ("172") ones, or long string ones?

  • On my end I see mystery node IP addresses for VPN; I have not seen strings yet. Are you on 6.2.1?

  • I have seen this before when a rule creates an Incident or Infers an alert and the wrong field is being used as "DetectionIP" in the Rule Action.  In one case, someone had "DetectionTime" in the "DetectionIP" field, so the LEM was adding a node a second until the license was consumed.

    Alternatively, it could be that something is sending logs in a format we're not expecting (maybe a bad connector config?) and so part of the log event is getting normalized as the DetectionIP and added as a node.  Any idea what the source is for the logs?  Are the right connectors configured?
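A small audit script, added here as an example (it is not part of this thread and not a LEM feature), that applies Curtisi's two checks to an exported node list: it flags entries whose IP field is not a complete IPv4 address or whose hostname is junk (the "172" / "0" / email-string entries above), and it spots the "a node a second" burst pattern from node creation times. The CSV layout and the sample rows are constructed for the example, not LEM's real export format.

```python
import csv
import io
import ipaddress
import re
from datetime import datetime

# RFC 1123 hostname shape: dot-separated labels of letters, digits and hyphens, 1-63 chars each.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

# Constructed sample export (hypothetical CSV layout, not LEM's own export format).
SAMPLE_EXPORT = """ip,hostname,first_seen
10.0.1.20,dc01.corp.example,2016-03-01T08:00:00
172,0,2016-03-02T09:15:01
mail.relay.example:25/user@example.com,0,2016-03-02T09:15:02
2016-03-02T09:15:03,0,2016-03-02T09:15:03
10.0.1.21,fs01.corp.example,2016-03-02T10:30:00
"""

def is_valid_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False

def node_problems(ip, hostname):
    """Return the reasons a node entry looks like a mystery node (empty list if it looks sane)."""
    problems = []
    if not is_valid_ipv4(ip):
        # A partial address like "172", or a timestamp that landed in DetectionIP
        problems.append("ip field is not a complete IPv4 address")
    if hostname == "0" or not HOSTNAME_RE.match(hostname):
        problems.append("hostname is not a valid hostname")
    return problems

def load_nodes(text):
    return list(csv.DictReader(io.StringIO(text)))

def audit(text):
    """Map each suspect node's ip field to its problems; well-formed nodes are left out."""
    return {n["ip"]: node_problems(n["ip"], n["hostname"])
            for n in load_nodes(text) if node_problems(n["ip"], n["hostname"])}

def added_in_burst(text, window_s=5, min_count=3):
    """Creation times that fall in a group of at least min_count nodes within window_s seconds,
    i.e. the rule-action misfire that adds a node every second until the license is consumed."""
    times = sorted(datetime.fromisoformat(n["first_seen"]) for n in load_nodes(text))
    burst = set()
    for i, start in enumerate(times):
        j = i
        while j < len(times) and (times[j] - start).total_seconds() <= window_s:
            j += 1
        if j - i >= min_count:
            burst.update(times[i:j])
    return sorted(burst)
```

Entries that come back from `audit()` are candidates for deletion; a non-empty `added_in_burst()` result points at a rule action rather than a log source, so check the DetectionIP field of any rule that infers alerts or creates incidents.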

  • Curtisi,

    Thanks for the direction, I'll look more at my rules fields.

    As for the connectors and log sources, I assume they are correct. I simply installed the LEM agent on the Windows machines and set switches and Linux machines to send syslog messages on standard UDP 514.

  • I wonder if the Linux syslog is part of it.  Have you tried the Linux Agent?

  • Good questions here.  Most times a mystery node comes in if an object has multiple communication IPs and the logs come out of different interfaces.  My suggestion would be to audit why the email appliance has multiple IPs and if you can customize what port the logs are sent from if these are SYSLOG sources.  If it is a Windows log source, make sure you do not have traps or syslogs coming out if you are also using the LEM agent.  That will add weird duplicate sources.

    Hope that helps.  Let me know.

    Thanks

  • I try to keep as few agents on my devices as possible, when I have alternatives. If the problem resurfaces, I may try this option.

  • I deleted the mystery nodes, and so far they haven't come back... so far. In the past, they've come back, but this seems to be a longer period of time. I did review all my rules and alerts, and disabled a few that I'm not concerned about or are not applicable. Maybe I incidentally fixed the problem?

    Unfortunately I was not very scientific at all about my efforts, so have no good info to report :-(. Like the post from last year, this one might end just as "the problem went away." My apologies to any future Google searchers!

    Thanks again to all for suggestions; all avenues were very instructional about the workings of LEM.