• State Verified Answer
  • Locked Locked
  • Replies 2 replies
  • Subscribers 22 subscribers
  • Views 238 views
  • Users 0 members are here
Options
Related
This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

Using *$* In Rules & Additional Questions

jessaraea

Hey Thwack community -

How does the LEM interpret *$* when used in a rule or a query? I am in the process of working on fine tuning a rule for Admin Logon Failures after hours. It's pulling local admins as well as local users in general. I am essentially wanting ALL admin logon failures to show this would include locally and domain level Admins. So i am curious how to incorporate that and remove the unwanted monitoring of general user logon failures during those times.

Also - there are services running on my teams SQL databases and the login's are being logged as "\". I get a lot of these per night and was curious if anyone had experience getting these out of your logs for similar rules.

  • 0

    You have multiple questions here, so I'm going to break them out:

    I think there have been reported quirks with this in the past, but currently doing a search with my LEM I'm able to search for a $ as a litteral character.  So if I search *<machine name>$* it returns only the expected machine names (note this is a default MS configuration so hopefully your admin accounts don't have the $ as part of the convention or that may muddy the waters a bit).

    Next, you ask about sorting out the admins vs regular logons.  There are several ways to do this.  For starters, you can create User Defined Groups (UDGs) which you may need to do for your local admin logins if they're a different name other than administrator.  Secondly, you can pull in your domain admins via the Directory Service Query groups by pointing it at the default Domain Admins group or if you have created another group to track those users.

    Here are a couple of KBs on groups if you need them.  Please note there is also a template rule for this for Critical Account Logon Failures that pretty much does this already and can be quickly modified.

    Using Active Directory groups in LEM rules and filters - SolarWinds Worldwide, LLC. Help and Support

    Getting Started with User-Defined Groups - SolarWinds Worldwide, LLC. Help and Support

    Finally for the last piece this isn't something that you're going to be able to resolve from the LEM side.  You can validate this information by reviewing the local logs directly (if the Security logs, look in your event viewer or if it's another SQL log look at that source).  I once had more information, but can't seem to find it at the moment so if you have a screenshot of the raw log, or information about the event ID and description I may be able to find more specific information for you otherwise you can reach out to Support directly and they should be able to show you this on your local logs.  Unfortunately that's not something that the LEM is going to fill in the gaps on if it is being sourced from the local logs directly.

    There may be other explanations so getting Support to review it directly or posting additional information could help identify it.

  • 0 in reply to jrouviere

    Thanks!

    The KB's are great. It's been a little bit since i originally posted this but by trial and error and watching some videos on the LEM I have made some headway. My teammates within infrastructure are working on the reason for those logs and yes - it makes sense that the LEM wouldn't be able to clarify those details.

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 195,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.

SolarWinds Customer Success Center Certification Media Vault Link Accounts
About THWACK Blogs For Government Edit Settings Free Tools & Trials
Legal Documents Terms of Use Privacy California Privacy Rights Security Information
©2024 SolarWinds Worldwide, LLC. All Rights Reserved.