2 Replies Latest reply on Jul 18, 2017 8:30 PM by jessaraea

    Using *$* In Rules & Additional Questions


      Hey Thwack community -


      How does the LEM interpret *$* when used in a rule or a query? I am in the process of working on fine tuning a rule for Admin Logon Failures after hours. It's pulling local admins as well as local users in general. I am essentially wanting ALL admin logon failures to show this would include locally and domain level Admins. So i am curious how to incorporate that and remove the unwanted monitoring of general user logon failures during those times.


      Also - there are services running on my teams SQL databases and the login's are being logged as "\". I get a lot of these per night and was curious if anyone had experience getting these out of your logs for similar rules.

        • Re: Using *$* In Rules & Additional Questions

          You have multiple questions here, so I'm going to break them out:


          I think there have been reported quirks with this in the past, but currently doing a search with my LEM I'm able to search for a $ as a litteral character.  So if I search *<machine name>$* it returns only the expected machine names (note this is a default MS configuration so hopefully your admin accounts don't have the $ as part of the convention or that may muddy the waters a bit).


          Next, you ask about sorting out the admins vs regular logons.  There are several ways to do this.  For starters, you can create User Defined Groups (UDGs) which you may need to do for your local admin logins if they're a different name other than administrator.  Secondly, you can pull in your domain admins via the Directory Service Query groups by pointing it at the default Domain Admins group or if you have created another group to track those users.


          Here are a couple of KBs on groups if you need them.  Please note there is also a template rule for this for Critical Account Logon Failures that pretty much does this already and can be quickly modified.


          Using Active Directory groups in LEM rules and filters - SolarWinds Worldwide, LLC. Help and Support


          Getting Started with User-Defined Groups - SolarWinds Worldwide, LLC. Help and Support


          Finally for the last piece this isn't something that you're going to be able to resolve from the LEM side.  You can validate this information by reviewing the local logs directly (if the Security logs, look in your event viewer or if it's another SQL log look at that source).  I once had more information, but can't seem to find it at the moment so if you have a screenshot of the raw log, or information about the event ID and description I may be able to find more specific information for you otherwise you can reach out to Support directly and they should be able to show you this on your local logs.  Unfortunately that's not something that the LEM is going to fill in the gaps on if it is being sourced from the local logs directly.


          There may be other explanations so getting Support to review it directly or posting additional information could help identify it.

          1 of 1 people found this helpful