3 Replies Latest reply on Dec 27, 2016 11:45 AM by curtisi

    traffic but no agent

    marcusmm8

      How do you identify workstations/servers with traffic but no LEM agent? Using some of the rules as a basis does not seem to work?

        • Re: traffic but no agent
          silverwolf

          Hi,

          Can you provide some examples of what you mean?

          Do you have the workstations/servers sending logs to LEM? For agentless devices you have to configure the device usually to send logs/events to LEM, and it will then identify that a new device is sending it information. LEM will then attempt to assign connectors that would be able to normalize the data for you (or you do discovery and then assign a connector yourself).

          • Re: traffic but no agent
            twuk

            In the monitor tab go to filters and expand Overview > and select LEM Internal Events
            Wait until you see the Event InternalRuleFired with the EventInfo The 'Authentication Traffic but No Agent' rule fired
            Pause and select the event (Make sure the event is highlighted)
            In the top right hand corner Explore drop down, choose Event and a details page opens with what I believe is the data you are looking for
            I use the Air Console, but I hope it's the same in the browser console.

            • Re: traffic but no agent
              curtisi
              • Authentication Traffic but No Agent - The LEM has received an authentication event, probably from a Domain Controller, originating from a system that does not have an Agent installed (compare source machine with list of Agents) and fires an alert
              • DHCP but no Agent - The LEM has received an address assignment event, probably from a DHCP server, but the requesting machine has no Agent
              • User Logon but no Agent - Like Authentication traffic, but specifically looking for user logons, where Auth traffic might include Kerberos tickets or other authentication traffic
              All of these rules operate on the assumption that all machines in a given environment will have the LEM agent deployed, so any traffic from a machine without the Agent is therefore suspicious. If you're not deploying the LEM agent to every machine (e.g., you choose not to monitor workstations), these rules will generate a lot of noise and false alarms. You'll either need to turn them off or modify them to work in your environment.
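A minimal model of the "... but No Agent" rule family described in the reply above, run over constructed sample events, as an added example (not SolarWinds LEM code or its real event schema). The hostnames, event types and agent inventory are hypothetical; the `ignore_hosts` parameter shows one way to scope the rules to the machines you actually monitor instead of switching them off.

```python
# Added example, not SolarWinds LEM code: a toy version of the
# "<traffic> but No Agent" rules. Event fields, hostnames and the agent
# inventory are hypothetical and constructed for this demonstration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    event_type: str   # e.g. "UserLogon", "AuthTicket", "DHCPLease"
    source_host: str  # machine the activity originated from
    reporter: str     # device that forwarded the event (DC, DHCP server)


# Rule name -> event types it watches (modelled on the three rules above)
RULES = {
    "Authentication Traffic but No Agent": {"UserLogon", "AuthTicket", "MachineAuth"},
    "DHCP but no Agent": {"DHCPLease"},
    "User Logon but no Agent": {"UserLogon"},
}


def fire_rules(events, agent_hosts, ignore_hosts=frozenset()):
    """Return sorted (rule, source_host) pairs that would fire.

    agent_hosts:  hosts where the LEM agent is deployed (the comparison list).
    ignore_hosts: hosts deliberately left unmonitored (e.g. workstations), so
                  the rules can be scoped rather than disabled entirely.
    """
    agents = {h.lower() for h in agent_hosts}
    ignored = {h.lower() for h in ignore_hosts}
    fired = set()
    for ev in events:
        host = ev.source_host.lower()
        if host in agents or host in ignored:
            continue  # known agent host or explicitly out of scope
        for rule, types in RULES.items():
            if ev.event_type in types:
                fired.add((rule, host))
    return sorted(fired)


# Constructed sample input (hypothetical hosts)
SAMPLE_EVENTS = [
    Event("UserLogon", "FS01", "DC01"),       # has an agent: no alert
    Event("AuthTicket", "WS-ALICE", "DC01"),  # workstation, no agent
    Event("DHCPLease", "WS-BOB", "DHCP01"),   # workstation, no agent
    Event("UserLogon", "APP02", "DC01"),      # server missing its agent
]
AGENT_HOSTS = {"DC01", "FS01", "DHCP01"}

if __name__ == "__main__":
    for rule, host in fire_rules(SAMPLE_EVENTS, AGENT_HOSTS, {"WS-ALICE", "WS-BOB"}):
        print(f"{rule}: {host}")
```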