10 Replies Latest reply on Jul 29, 2016 11:09 AM by ehumphrey

    Mystery Nodes - LEM

    ehumphrey

      I am having mystery nodes added and I have no idea how to get rid of them. See screenshots below.

      LEM_nodes1.png

      I moused over the line to get the pop-up showing the full string. Also note that another entry, partially obscured, is just "172" for IP address and "0" for hostname.

      LEM_nodes2.png

      The above three node entries appear to just be components of an email function. How are they getting detected as nodes?


      This thread appears to be the same problem I am having: Unknown Nodes, but since that thread is unanswered and a year old, I thought I would start another thread.


      Can anyone direct me where to go within LEM to clean this up?

        • Re: Mystery Nodes - LEM
          marcusmm8

          I have noticed the same thing and have identified that this occurs when someone VPNs. The agent node should reflect a node you recognize either by name or IP.

          • Re: Mystery Nodes - LEM
            curtisi

            I have seen this before when a rule creates an Incident or Infers an alert and the wrong field is being used as "DetectionIP" in the Rule Action.  In one case, someone had "DetectionTime" in the "DetectionIP" field, so the LEM was adding a node a second until the license was consumed.


            Alternatively, it could be that something is sending logs in a format we're not expecting (maybe a bad connector config?) and so part of the log event is getting normalized as the DetectionIP and added as a node.  Any idea what the source is for the logs?  Are the right connectors configured?

            2 of 2 people found this helpful
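            A small triage helper for the failure modes described above (a rule action or connector feeding a non-address string into DetectionIP), written for this thread as an added example; it is not part of the original posts or of LEM. Given (hostname, ip) pairs copied out of the node list, it flags entries whose IP field is not an address or whose hostname field is not a hostname, which is how the "172" / "0" and email-fragment nodes would surface. The sample rows are constructed, and no particular LEM export format is assumed.

```python
import ipaddress
import re

# RFC 1123 style label: letters, digits, hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str) -> bool:
    """True if `name` looks like a hostname rather than log residue."""
    if not name or len(name) > 253 or name.endswith("."):
        return False
    labels = name.split(".")
    # A bare all-digit name such as "0" is not a hostname.
    if all(label.isdigit() for label in labels):
        return False
    return all(_LABEL.match(label) for label in labels)


def is_valid_ip(value: str) -> bool:
    """True if `value` parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def find_suspect_nodes(rows):
    """Return (hostname, ip, reason) for every row that fails validation.
    `rows` is an iterable of (hostname, ip) pairs taken from the node list."""
    suspects = []
    for hostname, ip in rows:
        reasons = []
        if not is_valid_ip(ip):
            reasons.append(f"ip field {ip!r} is not an IP address")
        if not is_valid_hostname(hostname):
            reasons.append(f"hostname field {hostname!r} is not a hostname")
        if reasons:
            suspects.append((hostname, ip, "; ".join(reasons)))
    return suspects


# Constructed sample rows (not real LEM data): two genuine nodes followed by
# two entries shaped like the mystery nodes in the thread.
SAMPLE_NODES = [
    ("mailgw01.corp.example", "10.20.30.40"),
    ("dc01.corp.example", "10.20.30.1"),
    ("0", "172"),
    ("from=<alerts@example.com>", "Subject: LEM notification"),
]

if __name__ == "__main__":
    for host, ip, why in find_suspect_nodes(SAMPLE_NODES):
        print(f"SUSPECT node host={host!r} ip={ip!r}: {why}")
```

Every flagged row is one to trace back to the rule action or connector that produced it rather than simply deleting it from the node list.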
            • Re: Mystery Nodes - LEM
              Adam Stephen

              Good questions here.  Most times a mystery node comes in if an object has multiple communication IPs and the logs come out of different interfaces.  My suggestion would be to audit why the email appliance has multiple IPs and if you can customize what port the logs are sent from if these are SYSLOG sources.  If it is a Windows log source, make sure you do not have traps or syslogs coming out if you are also using the LEM agent.  That will add weird duplicate sources.


              Hope that helps.  Let me know.


              Thanks

              • Re: Mystery Nodes - LEM
                ehumphrey

                I deleted the mystery nodes, and so far they haven't come back... so far. In the past, they've come back, but this seems to be a longer period of time. I did review all my rules and alerts, and disabled a few that I'm not concerned about or are not applicable. Maybe I incidentally fixed the problem?


                Unfortunately I was not very scientific at all about my efforts, so have no good info to report :-(. Like the post from last year, this one might end just as "the problem went away." My apologies to any future Google searchers!


                Thanks again to all for suggestions-- all avenues very instructional about the workings of LEM.