
traffic but no agent

How do you identify workstations/servers with traffic but no LEM agent? Using some of the rules as a basis does not seem to work?

  • Hi,

    Can you provide some examples of what you mean?

    Do you have the workstations/servers sending logs to LEM? For agentless devices you have to configure the device usually to send logs/events to LEM, and it will then identify that a new device is sending it information. LEM will then attempt to assign connectors that would be able to normalize the data for you (or you do discovery and then assign a connector yourself).

  • In the Monitor tab, go to Filters, expand Overview and select LEM Internal Events.

    Wait until you see the event InternalRuleFired with the EventInfo "The 'Authentication Traffic but No Agent' rule fired".

    Pause and select the event (make sure the event is highlighted).

    In the top right-hand corner Explore drop-down, choose Event, and a details page opens with what I believe is the data you are looking for.

    I use the Air Console, but I hope it's the same in the browser console.

    • Authentication Traffic but No Agent - The LEM has received an authentication event, probably from a Domain Controller, originating from a system that does not have an Agent installed (compare source machine with list of Agents) and fires an alert
    • DHCP but no Agent - The LEM has received an address assignment event, probably from a DHCP server, but the requesting machine has no Agent
    • User Logon but no Agent - Like Authentication traffic, but specifically looking for user logons, where Auth traffic might include Kerberos tickets or other authentication traffic

    All of these rules operate on the assumption that all machines in a given environment will have the LEM agent deployed, so any traffic from a machine without the Agent is therefore suspicious. If you're not deploying the LEM agent to every machine (e.g., you choose not to monitor workstations), these rules will generate a lot of noise and false alarms. You'll either need to turn them off or modify them to work in your environment.
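The three rules described above all come down to the same check: take the source host of an authentication, DHCP or logon event and look it up in the agent inventory. The following is an added example, not code from this thread or from LEM itself, of that comparison run over constructed sample events; the hostnames, the agent list and the exclusion list are all made up, and the exclusion list is the knob the post says you need for machines you deliberately do not monitor.

```python
# Constructed sample events, shaped loosely like normalized LEM events:
# (rule family, source host as the DC or DHCP server reported it). Not real data.
SAMPLE_EVENTS = [
    ("Authentication", "WS-0142.corp.example"),
    ("Authentication", "srv-files.corp.example"),
    ("DHCP", "10.1.5.77"),          # lease event carrying only an address
    ("DHCP", "ws-0199"),
    ("UserLogon", "SRV-FILES"),
    ("UserLogon", "lab-kiosk-03.corp.example"),
]

# Constructed agent inventory, as you would export it from the LEM node list.
AGENT_HOSTS = ["ws-0142.corp.example", "SRV-FILES.corp.example", "dc01.corp.example"]

# Machines deliberately left without an agent (unmonitored workstations, kiosks).
# Without this list the rules fire on every one of them, which is the noise the post warns about.
EXCLUDED_HOSTS = ["lab-kiosk-03"]

def normalize_host(name: str) -> str:
    """Lower-case and drop the DNS suffix so 'SRV-FILES' and 'srv-files.corp.example' compare equal."""
    return name.strip().lower().split(".")[0]

def is_ip_literal(value: str) -> bool:
    """A bare IPv4 address cannot be matched against agent hostnames; flag it for resolution instead."""
    parts = value.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)

def traffic_without_agent(events, agent_hosts, excluded_hosts):
    """Return (rule, source, reason) for each distinct source that sent traffic but has no agent."""
    agents = {normalize_host(h) for h in agent_hosts}
    excluded = {normalize_host(h) for h in excluded_hosts}
    findings = []
    for rule, source in events:
        if is_ip_literal(source):
            finding = (rule, source, "unresolved_ip")
        else:
            host = normalize_host(source)
            if host in agents or host in excluded:
                continue                      # known agent, or intentionally unmonitored
            finding = (rule, host, "no_agent")
        if finding not in findings:           # one finding per (rule, host), like one rule firing
            findings.append(finding)
    return findings

for rule, host, reason in traffic_without_agent(SAMPLE_EVENTS, AGENT_HOSTS, EXCLUDED_HOSTS):
    print(f"{rule} but No Agent would fire for {host} ({reason})")
```

The "unresolved_ip" case is worth keeping separate: a DHCP event that carries only an address is not evidence of a missing agent until you resolve it to a host, so treating it as a firing would add to the false alarms.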