How do you identify workstations/servers with traffic but no LEM agent? Using some of the rules as a basis does not seem to work?
Hi,
Can you provide some examples of what you mean?
Do you have the workstations/servers sending logs to LEM? For agentless devices you have to configure the device usually to send logs/events to LEM, and it will then identify that a new device is sending it information. LEM will then attempt to assign connectors that would be able to normalize the data for you (or you do discovery and then assign a connector yourself).
1. In the Monitor tab, go to Filters, expand Overview, and select LEM Internal Events.
2. Wait until you see the event InternalRuleFired with the EventInfo "The 'Authentication Traffic but No Agent' rule fired".
3. Pause and select the event (make sure the event is highlighted).
4. In the top right-hand corner, from the Explore drop-down, choose Event. A details page opens with what I believe is the data you are looking for.
I use the Air Console, but I hope it's the same in the browser console.
All of these rules operate on the assumption that all machines in a given environment will have the LEM agent deployed, so any traffic from a machine without the Agent is therefore suspicious. If you're not deploying the LEM agent to every machine (e.g., you choose not to monitor workstations), these rules will generate a lot of noise and false alarms. You'll either need to turn them off or modify them to work in your environment.
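The check these rules perform is, at its core, a set difference between hosts that appear as the source of authentication events and hosts that have an agent. The script below is an added illustration of that logic and is not LEM's own code or output: the event lines, the agent inventory, and the allowlist of deliberately unmonitored workstations are all constructed here, and the `source=`/`event=` field layout is an assumption used only so the example runs offline. The allowlist is the part that addresses the noise problem in the reply above: hosts you have chosen not to monitor are excluded up front rather than generating an alert every time they authenticate.

```python
import re
from collections import defaultdict

# Constructed sample authentication events, loosely modelled on logon audit
# records forwarded to a SIEM. The field layout is an assumption for this
# example, not LEM's normalized event format.
SAMPLE_AUTH_EVENTS = [
    "2024-05-01T08:00:01Z source=WS-101 event=UserLogon user=alice result=success",
    "2024-05-01T08:00:05Z source=SRV-DB01 event=UserLogon user=svc_backup result=success",
    "2024-05-01T08:01:10Z source=WS-102 event=UserLogonFailure user=bob result=failure",
    "2024-05-01T08:02:00Z source=SRV-FILE01 event=UserLogon user=carol result=success",
    "2024-05-01T08:02:30Z source=WS-101 event=UserLogoff user=alice result=success",
    "2024-05-01T08:03:00Z source=PRINTER-LOBBY event=UserLogon user=guest result=success",
]

# Constructed agent inventory: hosts known to have the agent deployed.
AGENT_INVENTORY = {"WS-101", "SRV-DB01"}

# Constructed allowlist: hosts deliberately left without an agent
# (for example, workstations the team has chosen not to monitor).
UNMONITORED_ALLOWLIST = {"WS-102"}

# Matches the source host and event name in one constructed event line.
EVENT_RE = re.compile(r"source=(?P<source>\S+)\s+event=(?P<event>\S+)")


def parse_source_hosts(lines):
    """Return {host: count} for every host that emitted a logon-type event.

    Only logon events (successful or failed) count as "authentication
    traffic"; logoff records are ignored. Host names are upper-cased so
    that inventory comparisons are case-insensitive.
    """
    counts = defaultdict(int)
    for line in lines:
        m = EVENT_RE.search(line)
        if m and m.group("event").startswith("UserLogon"):
            counts[m.group("source").upper()] += 1
    return dict(counts)


def hosts_with_traffic_but_no_agent(lines, inventory, allowlist=frozenset()):
    """Hosts seen authenticating that are neither in the agent inventory
    nor on the allowlist of intentionally unmonitored machines."""
    seen = parse_source_hosts(lines)
    known = {h.upper() for h in inventory}
    excluded = {h.upper() for h in allowlist}
    return sorted(h for h in seen if h not in known and h not in excluded)


if __name__ == "__main__":
    # Without an allowlist every unmonitored workstation shows up as noise.
    print("no allowlist :", hosts_with_traffic_but_no_agent(SAMPLE_AUTH_EVENTS, AGENT_INVENTORY))
    # With the allowlist only genuinely unexpected hosts remain.
    print("with allowlist:", hosts_with_traffic_but_no_agent(
        SAMPLE_AUTH_EVENTS, AGENT_INVENTORY, UNMONITORED_ALLOWLIST))
```

Run as written, the first line reports WS-102 alongside the two unexpected hosts; the second line drops WS-102 because it is on the allowlist, leaving SRV-FILE01 and PRINTER-LOBBY as the hosts worth investigating. In a real deployment the inventory and allowlist would come from your agent console and asset records rather than being hard-coded.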