3 Replies Latest reply on Sep 23, 2016 5:13 PM by nicole pauls

    LEM ver 6.2.1 - nDepth search by Name and by IP return different results - Why is that?

    campbell3336

      Internal audit is performing searches on a sample set of network devices and noticed that we get different results (both record count and event types) when performing an nDepth search by IP address or by Name (within the IP address field).  Can anyone explain why that is...   The device is a virtual machine.  By IP address we see events such as:  MachineLogon, UserAuthTicket and InternalToolOnline.  By Name we see many more (yet different) event types:  PolicyModify, ServiceWarning, ServiceStop, ServiceStart, ObjectAudit, ServiceInfo, ProcessStop and InternalToolOnline.


      Any assistance in understanding why this is would be greatly appreciated.

        • Re: LEM ver 6.2.1 - nDepth search by Name and by IP return different results - Why is that?
          nicole pauls

          The easiest answer is that some events are logged by name while others are logged by IP, but let me back up and explain.


          The "IP Address" field is effectively a shorthand field that is the same as saying "DetectionIP OR InsertionIP OR SourceMachine OR DestinationMachine OR... " for all fields where LEM knows IP addresses/hostnames are found regardless of event type, so it's like an easy way to say "if you see this IP or hostname anywhere in the event, return that event to me."


          Since different data sources can log events differently, when you search for an IP or hostname in the IP Address field, what you might find is that IP/hostname is found in log messages from OTHER devices. Those OTHER devices might only know it by its IP address (like a network device) while some will know it only by its hostname/NetBIOS name (like other windows PCs if it's a windows PC) while others might have both (like a DC if it's a windows PC).


          All of that means you'll see different results when searching by IP or hostname, but it's kind of the nature of the beast. Not all log sources do DNS resolution, so you kind of get what you get. You could search for both with an OR (IP Address = hostname OR IP Address = IP).


          Alternatively if what you actually want are all events that system has reported (not all events from all sources that have that IP address in them), you would probably be interested in searching by either DetectionIP or InsertionIP.

            • Re: LEM ver 6.2.1 - nDepth search by Name and by IP return different results - Why is that?
              campbell3336

              Let me back up as well and explain the goal/objective.  I am an IT Auditor testing our system of internal controls against policy and reporting on what I find.

              The topic is Logging.  Our policy states anything attached to our network is to be logged to our centralized SIEM solution (Solarwinds LEM).  Each week a sample set of network devices (switches, routers, firewalls, etc.) and servers (windows, linux, etc.) from an inventory list are selected and I perform manual nDepth searches for evidence of log data. In this initial phase, I am just looking for evidence some log records exist.  In the next phase, we'll be testing for the type of log records we actually log.  The second piece is probably a whole different discussion topic as to the proper setup of logging on devices/servers using best practices.


              So I'm looking for any log records generated by my sample device/machine.  It sounds from your explanation that what I really need is (IP Address = hostname OR IP Address = IP) in my search string.


              Question:  Can you clarify the meaning behind the different fields?  While they appear obvious, it wasn't obvious that "IP Address" consisted of all of these:

              • Detection IP
              • Insertion IP
              • SourceMachine
              • DestinationMachine


              Question:  Is this documented anywhere within the Solarwinds manuals?  If so, could you cite your source please.  Trust but verify ☺


              Thanks!

                • Re: LEM ver 6.2.1 - nDepth search by Name and by IP return different results - Why is that?
                  nicole pauls

                  If you're looking to verify that a given device is generating logs, what you most likely want is DetectionIP = <device IP or hostname, depending on what gets logged>. That will only show you events that come from that device, rather than events generated on another device. It would be the best way to demonstrate a device is logging.


                  For example, to find events from the server named 'dc01' with IP '192.168.10.140', I would look for:

                  DetectionIP = "dc01*" OR DetectionIP = "192.168.10.140"

                  (this covers the case where some logs on that source are using the IP instead of the hostname)


                  DetectionIP: this is the IP address that the log file includes as the originating device. For example, if you're syslogging your firewall to the LEM appliance, the firewall's IP will be DetectionIP. (Sometimes these can be names, sometimes IPs, it depends on what the device sends with the log) EVERY event type has this field.

                  • Searching for "DetectionIP = <hostname>" means "show me events that originated from <hostname>"


                  InsertionIP: this is the IP address/name of the "trusted" LEM endpoint. If it's an agent, it'll be the agent's name/IP, if it's the appliance, it'll be the appliance's name/IP.  In the example of logging syslog data to the appliance, the appliance's name/IP will be InsertionIP. (These are commonly names, but if you look in your console you'll see what to expect) EVERY event type has this field.

                  • Searching for "InsertionIP = <hostname>" means "show me events that were received by agent or manager <hostname>"


                  SourceMachine: several key events have this field, including logon/off activity and network activity. This is the originating source of the traffic/event, and is provided by the log data. For example, the source of network traffic, or the location someone was logging on from. NOT every event type has this field, but a large number do.

                  • Searching for "SourceMachine = <hostname>" means "show me events where the SourceMachine field (source of the event/attack) was <hostname>"


                  DestinationMachine: similar to the above - this is the destination of the traffic/event, provided by the log data. For example, the destination of the network traffic, or the location someone was logging on TO. NOT every event type has this field, but a large number do.

                  • Searching for "SourceMachine = <hostname>" means "show me events where the SourceMachine field (source of the event/attack) was <hostname>"


                  And, finally, searching for "IP Address = <hostname>" means "show me events where ANY of the above conditions were met for <hostname>".


                  That <hostname> could be the originating source, the agent/appliance, the source of the event/attack, or the destination of the event/attack. Since it could be anywhere in the event, it doesn't tell you that device is logging (necessarily), but it does tell you it was either the source/destination OR originator of an event.


                  Well... I honestly don't know if this is documented and wouldn't be surprised to find that it's not. The LEM User Guide is probably your best bet. Feel free to verify with the support team, though! I worked on LEM from its inception up to about a year ago when I left SolarWinds so most of my advice is from internal knowledge and experience. Not much of the fundamentals have changed, yet anyway!
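A small model of the field semantics laid out in the two answers above, added here as an illustration (this is not LEM code, and the event set is constructed): it shows why an "IP Address" search by IP and by hostname returns different event types, and why DetectionIP with both values isolates only the events the device itself reported.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

# Fields the "IP Address" shorthand expands to, per the answer above.
IP_ADDRESS_FIELDS = ("DetectionIP", "InsertionIP", "SourceMachine", "DestinationMachine")


@dataclass
class Event:
    event_type: str
    fields: dict  # field name -> value; only the fields this event type carries


def field_matches(event: Event, name: str, pattern: str) -> bool:
    """Case-insensitive match with nDepth-style '*' wildcards; an absent field never matches."""
    value = event.fields.get(name)
    return value is not None and fnmatch(value.lower(), pattern.lower())


def search(events, name: str, *patterns: str):
    """name = p1 OR name = p2 ...; 'IP Address' additionally ORs across every address field."""
    names = IP_ADDRESS_FIELDS if name == "IP Address" else (name,)
    return [e for e in events
            if any(field_matches(e, n, p) for n in names for p in patterns)]


def event_types(events):
    return sorted({e.event_type for e in events})


# Constructed sample: a DC named dc01 (192.168.10.140). Its agent logs by hostname,
# another PC logs on to it by name, the firewall knows only its IP, and one agent
# event happens to carry the IP instead of the hostname.
SAMPLE_EVENTS = [
    Event("ServiceStart", {"DetectionIP": "dc01", "InsertionIP": "dc01"}),
    Event("PolicyModify", {"DetectionIP": "dc01", "InsertionIP": "dc01"}),
    Event("MachineLogon", {"DetectionIP": "ws07", "InsertionIP": "ws07",
                           "SourceMachine": "ws07", "DestinationMachine": "dc01"}),
    Event("TCPTrafficAudit", {"DetectionIP": "10.0.0.1", "InsertionIP": "lem-appliance",
                              "SourceMachine": "10.1.2.3", "DestinationMachine": "192.168.10.140"}),
    Event("InternalToolOnline", {"DetectionIP": "192.168.10.140", "InsertionIP": "lem-appliance"}),
]

if __name__ == "__main__":
    print("IP Address = IP:      ", event_types(search(SAMPLE_EVENTS, "IP Address", "192.168.10.140")))
    print("IP Address = hostname:", event_types(search(SAMPLE_EVENTS, "IP Address", "dc01*")))
    print("DetectionIP = either: ", event_types(search(SAMPLE_EVENTS, "DetectionIP", "dc01*", "192.168.10.140")))
```

The first two searches overlap only on what other devices said about dc01, while the DetectionIP search returns exactly the events dc01 originated, which is the evidence an audit of "is this device logging" needs.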