
Need to understand nDepth,correlation,events,filter and alerts

Hi LEM Group,

1) I am new to LEM. Can anyone please explain how I can create a rule in LEM so that every command and event of the firewall (auditing) will be there? The firewall I am using is Fortinet. However, traffic logs are coming but audit logs are not there, like which user has logged in and what policy he has changed, etc.

2) What all can we do from a filter? I created a filter for Windows file deletion (specific file) and it is showing under the monitor tab/console. Now how will I create a rule and action for that?

3) Is Sun Solaris integration possible with LEM?

4) Would appreciate some examples of correlation rules...

Best Regards

Prak

  • Okay, here we go:

    1) This is probably going to be something to do with what auditing and logging you have the firewall set to collect, and what it does with that collection.  The LEM collects logs passively, so if you're not sending the LEM user audit logs, it's not going to see them.  You're probably going to have to check out Fortinet's docs to make sure your configuration is right for collecting and sending that information.

    2) It sounds like you might benefit from checking out some of the LEM training materials, and seeing if that helps with the task at hand.  There's a wealth of stuff here: Log & Event Manager (LEM) - Updated July 15, 2014. You may also want to check out the LEM video playlist on YouTube: Log & Event Manager (LEM) - YouTube, like this video on how to create rules:

    My one pro-tip on rules would be this: never ever use the Any Alert Event Group on a rule.  It'll chew up memory, and can crash the LEM.

    3) Yes!  You can get the Agent installers for Sun Solaris from the customer portal or from this link: SolarWinds Knowledge Base :: Additional LEM downloads for version 6.0


    There should be a readme in that download on how to deploy the Agent.

    4) Samples of rules are provided in the LEM console itself.  Go to Build Rules, pick a category or Tag and look at the Rule Templates.  These are provided as samples to help you get started with configuring the LEM.


  • Hi Kurtsi,

    Thanks for the nice explanation about the product. Actually I am stuck with creating rules; however, I am able to create filters. But when I am trying to create a rule from a template, say for "bad login attempts 2-3 within 30 seconds to my AD server", a rule must be fired with an email action that states in clear text what has happened.
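    The rule described in the post above, "a few bad login attempts within 30 seconds", is a threshold-in-a-time-window correlation. The following is an added illustration of that logic in plain Python, not LEM code and not something from the original thread; the event tuples are constructed samples, and the threshold, window and field names are assumptions chosen for the example.

```python
"""Sliding-window correlation: alert when `threshold` failed logons for the
same source/account land within `window_seconds`. Added illustration of the
kind of logic a LEM correlation rule expresses; not LEM's own implementation."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, source host, account, outcome)
SAMPLE_EVENTS = [
    ("2014-07-16 07:30:01", "10.0.0.5", "jsmith", "failure"),
    ("2014-07-16 07:30:09", "10.0.0.5", "jsmith", "failure"),
    ("2014-07-16 07:30:20", "10.0.0.5", "jsmith", "failure"),   # 3rd within 19 s -> alert
    ("2014-07-16 07:31:15", "10.0.0.5", "jsmith", "failure"),   # burst already reported
    ("2014-07-16 07:30:05", "10.0.0.9", "asmith", "failure"),
    ("2014-07-16 07:30:40", "10.0.0.9", "asmith", "failure"),   # 35 s apart -> no alert
]


def correlate_failed_logons(events, threshold=3, window_seconds=30):
    """Return one alert dict per burst of `threshold` failures inside the window,
    keyed on (source, account). Events are processed in timestamp order."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # key -> timestamps of failures still inside the window
    alerts = []
    for ts_str, source, account, outcome in sorted(events, key=lambda e: e[0]):
        if outcome != "failure":
            continue
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        q = recent[(source, account)]
        q.append(ts)
        while q and ts - q[0] > window:   # expire failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"source": source, "account": account, "count": len(q),
                           "first": q[0].strftime("%H:%M:%S"), "last": ts.strftime("%H:%M:%S")})
            q.clear()   # one burst -> one alert, instead of one per additional failure
    return alerts


def format_alert(alert):
    """Plain-text body for an email action, stating what happened."""
    return ("{count} failed logons for account '{account}' from {source} "
            "between {first} and {last}").format(**alert)


if __name__ == "__main__":
    for a in correlate_failed_logons(SAMPLE_EVENTS):
        print(format_alert(a))
```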

  • You may want to call into the help desk and open a ticket so we can setup a GoToMeeting and look at your request in some detail.

  • Working rules now... enjoying LEM.....