5 Replies Latest reply on Mar 24, 2015 5:23 PM by nicole pauls

    LEM doesn't know how to handle file share audit events

    tmart

      So I have file share auditing enabled on a file server. The event log collects data every time a share is accessed, and the events in the event viewer are easily readable and contain all of the information I need. When those events get pushed to the LEM server, I get pretty useless data from LEM.

      From the event log entry I get the following required information:

      Account name
      Account domain
      Source address
      Source port
      Share name
      Share Path

      In LEM I get nothing but the event info, which just says an object access event occurred; it does not tell me the source address, source port, share name, or the share path. It does give me the account name and domain, but those are only displayed within the eventinfo line; they are not listed under SourceAccount, DestinationAccount, DestinationDomain or any other areas, so I cannot sort by user in nDepth, which is critical.

      So basically LEM omits any actually useful data from these events... Is there a way to change how LEM handles these events, or am I just screwed?
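The fields listed in the post above are the ones a connector has to pull out of the event message body before a SIEM can key on them. As an added example (not part of this thread and not SolarWinds connector code), the Python below normalizes a constructed Windows share-access event message into named fields, leaves fields the event did not carry as None so a partially logged record is detectable rather than silently dropped, and counts accesses per account, which is the per-user pivot that is impossible while the values sit only inside the free-text event info line. The sample event text and the target field names (SourceAccount, SourceDomain, SourceMachine, SourcePort, ShareName, SharePath) are assumptions modelled on the field names mentioned in the post, not LEM's actual schema.

```python
import re
from collections import Counter

# Constructed sample: the message body of a Windows security event for a
# network share being accessed, in the "Label:<tabs>value" layout Event Viewer
# shows. All values are made up.
SAMPLE_EVENT = """A network share object was accessed.

Subject:
\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1001
\tAccount Name:\t\tjdoe
\tAccount Domain:\t\tCORP
\tLogon ID:\t\t0x1A2B3C

Network Information:
\tObject Type:\t\tFile
\tSource Address:\t\t10.0.0.5
\tSource Port:\t\t49152

Share Information:
\tShare Name:\t\t\\\\*\\Finance
\tShare Path:\t\t\\??\\D:\\Shares\\Finance
"""

# Constructed sample of a partially logged event: the network and share
# sections are missing, as an older or truncated record might be.
SAMPLE_EVENT_PARTIAL = """A network share object was accessed.

Subject:
\tAccount Name:\t\tjdoe
\tAccount Domain:\t\tCORP
"""

# Event-message label -> normalized field name. The right-hand names are
# assumed, modelled on the LEM field names mentioned in the thread.
FIELD_MAP = {
    "Account Name": "SourceAccount",
    "Account Domain": "SourceDomain",
    "Source Address": "SourceMachine",
    "Source Port": "SourcePort",
    "Share Name": "ShareName",
    "Share Path": "SharePath",
}

# One "Label:  value" line. The label is letters and spaces only, so the
# free-text first line of the message never matches.
LINE_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_share_access_event(message):
    """Normalize one share-access event message into named fields.

    Every field in FIELD_MAP is present in the result; a field the message
    did not carry is None, so callers can distinguish "not logged" from a
    logged empty value instead of silently dropping it.
    """
    fields = {name: None for name in FIELD_MAP.values()}
    for line in message.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        label, value = match.group(1), match.group(2)
        if label not in FIELD_MAP or not value:
            continue
        if label == "Source Port":
            # Ports arrive as text; keep the raw value if it is not numeric
            # rather than raising, so one odd record cannot stop ingestion.
            fields["SourcePort"] = int(value) if value.isdigit() else value
        else:
            fields[FIELD_MAP[label]] = value
    return fields


def access_by_account(messages):
    """Count share-access events per DOMAIN\\account.

    This is the per-user pivot the thread asks for: it only works once the
    account is a proper field rather than text inside the event info line.
    """
    counts = Counter()
    for message in messages:
        fields = parse_share_access_event(message)
        if fields["SourceAccount"] is None:
            continue  # no account field: cannot attribute, do not guess
        domain = fields["SourceDomain"] or "(no domain)"
        counts[f"{domain}\\{fields['SourceAccount']}"] += 1
    return counts


if __name__ == "__main__":
    for name, value in parse_share_access_event(SAMPLE_EVENT).items():
        print(f"{name:14} {value}")
    print(access_by_account([SAMPLE_EVENT, SAMPLE_EVENT, SAMPLE_EVENT_PARTIAL]))
```

Running the block on the two constructed samples shows the full event mapped to all six fields and the partial one mapped with ShareName, SharePath, SourceMachine and SourcePort as None, which is exactly the gap a connector should surface rather than hide.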

        • Re: LEM doesn't know how to handle file share audit events
          curtisi

          First thing, I'd suggest updating your connectors. I think we already addressed this in a new connector revision for Windows Security events.

          If that doesn't work, you'll need to work with Support so they can get the dev team involved to re-write how the connector normalizes the data.

            • Re: LEM doesn't know how to handle file share audit events
              tmart

              Well, I followed the instructions to update the connector package; the SSH console leads me to believe it was successful, although I do not have the filter "InternalToolOnline" like the instructions say I should, so I have no way of telling for certain if it worked.

              Needless to say, it did not fix anything with File Share Audit events. In your experience, if I tried to get the Support team to contact the dev team to design a connector that works with file share auditing, how long of a turnaround time are we to expect? I'm pretty disappointed that the LEM tool has been around for this many years and nobody has decided file share audit events were important enough to write a connector for yet...

                • Re: LEM doesn't know how to handle file share audit events
                  curtisi

                  It's possible that the share events were different when the connector was written (a lot changed between Server 2003 and Server 2008) and no one has brought this up yet.

                  The usual SLA promised is 4 to 6 weeks, but in my experience things are usually much quicker. That SLA is also for new tools, not for tuning existing tools. You'll want to grab an EVTX export of some of the events you care about, though.

              • Re: LEM doesn't know how to handle file share audit events
                darragh.delaney

                If you need something in the meantime you could check out LANGuardian. It captures file activity from network traffic so you don't need to worry about auditing on your file servers. Demo available here. Maybe the trial version would suffice while you are waiting for an update for LEM.

                LANGuardian can be integrated with the Orion platform. You could embed reports as you can see in our online demo, or you can also set up a syslog output which LEM could process.

                [Attachment: File-Activity.PNG]

                • Re: LEM doesn't know how to handle file share audit events
                  nicole pauls

                  I was just looking at these events the other day - they are relatively new so I think they didn't quite get mapped 100%. As curtis said if you can submit what you're seeing in the event log and what you're seeing in LEM, we should be able to make them match relatively quickly. (Best is a .evtx sample so we can cross-reference directly.)