
Does LEM delete local event logs?

Hi All,

I've come to an organisation that is using Log and Event Manager and my predecessor, who was part of the installation by a third party, is no longer at the company.

To put it bluntly, we don't particularly like the product and find it a pain to use and would like to be able to view events in the server event logs.

Here lies my problem: when I look for a particular event, 4740 (account lockout), there are none listed since (I presume) when LEM was installed.

I am able to see current events in LEM of this type and I have checked that auditing is turned on in group policy, so I can only imagine that LEM is polling and deleting the logs.

If this is the case, how can I prevent this?

Regards

  • zacleopard,

    I'm sorry you are finding the product difficult to use. I'd be happy to schedule some time to give you a quick intro to the product and how to use it. There is a learning curve but I find that once customers get over that initial bump, they find it very powerful. Of course, we are always working to improve this.

    No, LEM does not delete the local logs. It's possible that the server you are looking at isn't the same one that processed the account lockout event. If you go to Explore - nDepth then change from "Drag & Drop" mode to "Text Input" you can do a search on the event ID and it will show you all of the events. Once you are more familiar with the product, the Drag & Drop mode will be faster, but sometimes it's easier for people new to the product to start with the text input.

    [Screenshot: TextInputMode.JPG]

    Next, you probably want to change the view to see the logs instead of the charts. At the very bottom of the screen there is a row of icons that allows you to visualize the data in different ways. Try changing to the Results Detail view to see the matching events.

    [Screenshot: ResultsDetail.JPG]

    Once you are viewing the full results, it should be clear which machine is logging the account disable messages. I would double check that it's the machine you expect. If the logs are really not on that server, you'll need to check for other reasons why. I hope that helps, but if not, let me know!

    Mav
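A way to check the reply's two suggestions outside LEM, as an added example that is not part of the original thread or of the LEM product: confirm that the local audit policy can produce 4740, see how far back the local Security log actually reaches, and then query every domain controller for recent 4740 events. Event 4740 is written by the domain controller that locked the account (and, because bad-password attempts chain to it, by the PDC emulator), so a member server's Security log will never contain it regardless of what a collector does. The script assumes the RSAT ActiveDirectory module is installed, that remote event-log access (RPC) to the domain controllers is open, and that the account running it can read their Security logs; the 30-day window is an arbitrary choice.

```powershell
# Added example, not code from the thread or from LEM.
# Assumes: RSAT ActiveDirectory module, RPC access to the DCs, rights to read their Security logs.

# 1. Can this host generate 4740 at all? 4740 belongs to the
#    "User Account Management" subcategory; it must show Success auditing.
auditpol /get /subcategory:"User Account Management"

# 2. How far back does the local Security log go? A small circular log that has
#    wrapped is the usual reason older events are "missing"; nothing has to delete them.
$cfg    = Get-WinEvent -ListLog Security
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
"{0}: max {1:N0} MB, mode {2}, {3:N0} records, oldest record {4}" -f `
    $env:COMPUTERNAME, ($cfg.MaximumSizeInBytes / 1MB), $cfg.LogMode, $cfg.RecordCount, $oldest.TimeCreated

# 3. Ask every domain controller for 4740 in the last 30 days (arbitrary window).
$since = (Get-Date).AddDays(-30)
$dcs   = (Get-ADDomainController -Filter *).HostName

$results = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -ErrorAction Stop `
            -FilterHashtable @{ LogName = 'Security'; ID = 4740; StartTime = $since } |
        ForEach-Object {
            # Read the EventData fields by name rather than by position.
            # In 4740 the "Caller Computer Name" is carried in the TargetDomainName element.
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                DC             = $dc
                Time           = $_.TimeCreated
                Account        = $d['TargetUserName']
                CallerComputer = $d['TargetDomainName']
            }
        }
    }
    catch {
        # With -ErrorAction Stop, "No events were found" and RPC/access failures both land here;
        # print them so an unreachable DC is not mistaken for a quiet one.
        Write-Warning "$dc : $($_.Exception.Message)"
    }
}

$results | Sort-Object Time -Descending | Format-Table -AutoSize
```

If step 3 returns the lockouts that LEM also shows, the events were never on the server in question, only on the DC that processed them. If it returns nothing at all while LEM still shows them, compare the oldest record time from step 2 with the time of the last lockout: a Security log whose oldest record is newer than the event you are looking for has simply wrapped, and raising its maximum size (or switching it to archive mode) is the fix, not the collector.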