3 Replies Latest reply on Sep 26, 2013 10:00 AM by garrethcoleman

    Monitoring Web Traffic with LEM


      Hello Thwack Community,


      This is my first post/question, though I have been lurking on the board to get my questions answered for about 60 days since getting my new position. I am new to Solarwinds and LEM, as most of my experience in the past has been with Arcsight, which is a very different product.


      So my question is, I am attempting to create a rule or filter that will allow me to watch for Google calendar activity (basically people syncing their Outlook calendars inside the organization to their Google calendars).


      I looked into this and I found the official Microsoft document on how to go about doing this, located here at this link.


      I followed the instructions using my own Google calendar, to determine how it worked.

      Through my reading I believe what occurs is a cross download and referencing of that .ics file you see at the end of the URL, which updates the calendar with each other’s info.

      - Is there a way to set an alert for this .ics file getting traded over the network?

      - Alternatively, the URL contains /ical/; is there a way to write an alert for this?

      I understand how it works; I just don't know how to properly write a rule/filter for the traffic to alert me if the action is occurring. Any input or assistance would be great.

        • Re: Monitoring Web Traffic with LEM



          There are two possible scenarios where you could potentially track this information.


          1) Monitor web traffic through proxy/firewall - If you are routing your web traffic from users through a proxy or firewall which logs traffic, get the syslog events sent to LEM and identify the interesting events. You can choose to filter these in the monitor, or apply a rule to take action when this event triggers the rule.


          2) Check that this is logged on the workstation - This will be more costly, as you will need to then purchase a licence for the workstations you want to monitor, as an agent would need to be deployed to each workstation in question. There is a possibility that Outlook logs this type of activity to an event log.


          I would pursue option 1. It looks as though you have already done this too and have identified that the URL contains /ical/.


          The simplest way to create a rule is to build an nDepth query first to prove you can correlate on the event you are trying to configure the trigger for.


          Start with a keyword search for /ical/ and it will most likely take you to an event "WebTrafficAudit".


          Refine this:


          Create a User-Defined Group and add an entry for /ical/.


          Perform an nDepth query for the following criteria:


          WebTrafficAudit.URL CONTAINS /ical/



          If this returns the expected results, build a new rule and set the correlation to the same as the above, specify a correlation time and appropriate action.



          NOTE: Be very careful about using email alerts, as you could end up flooding your inbox, or someone else's, with notifications of this event. Also take caution about what active responses you do perform, as these can be quite destructive if you get them wrong.


          Always put it into test mode before enabling the rule, and monitor the rule in the monitor window under the rule activity filter. It will show here if the rule has been fired.



          Remember to activate the rules if you make a change or add one, or the agent nodes will not get the update to the rules.


          Hope that this helps.



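          To make the suggested approach concrete, here is an added example (not code from the thread or from SolarWinds) that does offline what the nDepth query and rule above would do inside LEM: parse proxy syslog lines, match the /ical/ segment and the .ics feed, and apply a correlation window so one source cannot fire an alert every time its calendar re-syncs. The log line layout and the sample lines are constructed assumptions; a real deployment would use the URL field LEM normalises into WebTrafficAudit.

```python
import re
from datetime import datetime

# Constructed sample proxy syslog lines (not from the thread); the field layout is
# an assumption standing in for whatever the proxy or firewall actually sends.
SAMPLE_LOGS = """\
2013-09-25T09:00:01 proxy1 web: src=10.1.2.30 user=alice method=GET url=https://calendar.google.com/calendar/ical/alice%40example.com/private-abc/basic.ics status=200
2013-09-25T09:00:05 proxy1 web: src=10.1.2.30 user=alice method=GET url=https://calendar.google.com/calendar/ical/alice%40example.com/private-abc/basic.ics status=200
2013-09-25T09:01:10 proxy1 web: src=10.1.2.44 user=bob method=GET url=https://www.example.com/news/index.html status=200
2013-09-25T09:02:00 proxy1 web: src=10.1.2.44 user=bob method=GET url=https://www.example.com/docs/ical/ status=200
2013-09-25T09:20:00 proxy1 web: src=10.1.2.30 user=alice method=GET url=https://calendar.google.com/calendar/ical/alice%40example.com/private-abc/basic.ics status=200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ web: src=(?P<src>\S+) user=(?P<user>\S+) "
                     r"method=\S+ url=(?P<url>\S+) status=\d+$")
# The two indicators the thread identifies: the /ical/ path segment and the .ics feed.
ICAL_MARKERS = ("/ical/", ".ics")

def parse_line(line):
    """Split one syslog line into fields; return None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def is_ical_fetch(rec):
    """Equivalent of 'WebTrafficAudit.URL CONTAINS /ical/', plus the .ics file itself."""
    url = rec["url"].lower()
    return any(marker in url for marker in ICAL_MARKERS)

def correlate(lines, window_minutes=10):
    """Emit at most one alert per (src, user) per correlation window; the window plays
    the role of the rule's correlation time and stops a re-syncing client flooding the inbox."""
    alerts, last_alert = [], {}
    for line in lines.splitlines():
        rec = parse_line(line)
        if rec is None or not is_ical_fetch(rec):
            continue
        key = (rec["src"], rec["user"])
        prev = last_alert.get(key)
        if prev is not None and (rec["ts"] - prev).total_seconds() < window_minutes * 60:
            continue  # same source already alerted inside this window: suppress
        last_alert[key] = rec["ts"]
        alerts.append({"ts": rec["ts"].isoformat(), "src": rec["src"],
                       "user": rec["user"], "url": rec["url"]})
    return alerts
```

          Note that bob's fetch of /docs/ical/ also fires: a bare CONTAINS /ical/ matches any URL carrying that segment, so the User-Defined Group entry is worth tightening to the calendar host once the nDepth query confirms what the proxy actually logs.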
            • Re: Monitoring Web Traffic with LEM

              Thanks for the quick reply Garreth.


              I actually do have nodes deployed on all of the workstations that I am interested in throwing alerts for.


              What would be the process for monitoring a single workstation for this type of traffic, or a group of workstations with nodes deployed on them?

                • Re: Monitoring Web Traffic with LEM

                  Firstly, you would have to identify if the event is being logged to an event log. If the workstations are Windows 7, there is a plethora of event logs which are turned off by default. Identify which to turn on and get testing to prove the events are generated.


                  Next you can go to LEM, Manage Nodes, select the node, click the gear icon and open the connectors config. Have a look for a matching connector; otherwise you will need to make a new one and match up the log location on the connector to where it is saved on the workstation. I have yet to try this, but suspect that you can clone the Windows Application Log connector/add a new one and change the name of the log to the same name as the log you are going to configure the agent to send events from.


                  If the above doesn't work, it will be a case of raising a ticket with SolarWinds to see if it is possible. It would be good if you could report your findings, and I am sure that it is very much possible.


                  All the best on your discovery.