• State Verified Answer
  • Locked Locked
  • Replies 3 replies
  • Subscribers 22 subscribers
  • Views 365 views
  • Users 0 members are here
Options
Related
This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

LEM - Ghost Nodes.

FormerMember
FormerMember

Hello,

I have a problem what I haven't can solved, in LEM appears several nodes like this: (Imagen LEM.PNG)

  • 1491920600000
  • 1491920604000
  • 1491920581000
  • .
  • .
  • .

All nodes differents except for the seventh  number before (1491920....), in the console the nodes doesn't report to me nothing (Report.PNG).

But when I try to delete the nodes, other nodes appers equal like before eliminated with the same seventh numbers of nomenclature.

If I block that nodes, again appears.

How can I fix this?

attachments.zip
  • 0

    This is most likely a connector that is seeing a certain field and mapping it to DetectionIP.

    Ways to fix:
    1. Make sure your connectors are up to date

    2. Open a support ticket if your connectors are up to date, so they can help identify the connector that is doing this and helping get you a fix

  • 0

    First off, the numbers look like Unix Epoch Seconds.

    Epoch Converter - Unix Timestamp Converter

    1491920600000 = Tuesday, April 11, 2017 2:23:20 PM GMT

    First problem: it looks like something in the network (assuming this is a recent problem) thinks it's April.

    Second problem: somehow, the "Detection Time" field is getting normalized as a "Detection IP."  LEM is seeing these new "IPs" and adding nodes for them

    I'm gonna guess there's one of two things happening:

    1. You have a syslog device sending data to LEM and that data is getting parsed with the wrong connectors, so LEM thinks an IP is supposed to be where the TIME is showing up.  Updating the connectors and reviewing the connectors you have configured on the LEM appliance would be a good plan of action.  You probably have connectors you don't need running, so that could be part of the issue.
    2. You have a rule configured somewhere that has "DetectionTime" in a "DetectionIP" field.  If you go to your Monitor tab and look at the "Rule Activity" filter, what's going on there?  Maybe check recently fired rules and make sure that all the fields match up correctly.
  • FormerMember
    0 FormerMember in reply to curtisi

    Thanks for help!

    • First:
      • Support told me about this it can be a problem of "Random Node Display in LEM" and they give me the URL: Random node displays in LEM - SolarWinds Worldwide, LLC. Help and Support and disable the option of the connector "SecureAuth idP".
      • In the instruction said something check with nDepth the results of particulary the ToolAlias field.
      • In that sample I can see in the ToolAlias a information of the connector "SecureAuth idP Connector Discove".
      • So, in the connector of the appliance, I disabled the second option of "SecureAuth idP Connector Discovery 2".
    • Second: It's working, I can delete that nodes and they doesn't appear again.

    curtisi​ The connector doesn't work updated, that is true about I don't needed that connector function.

    LEM SEcureAu.PNG

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 195,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.

SolarWinds Customer Success Center Certification Media Vault Link Accounts
About THWACK Blogs For Government Edit Settings Free Tools & Trials
Legal Documents Terms of Use Privacy California Privacy Rights Security Information
©2024 SolarWinds Worldwide, LLC. All Rights Reserved.