I'm sure there is a list somewhere. I've even seen a reference to a list in a blog but I can't find it.
Could someone help the blind man in the corner and point him in the right direction, please?
As things stand now in order to run the SolarWinds legacy software Agent we have to relax Apple’s Security & Privacy Gateway policy as well as utilize legacy Java - are there plans to update the agent?
Hi,
Is it possible to create a query to search for any user who has logged into more than 3 PCs within the same hour?
Regards
Gary
I'm currently using EventSentry to alert me if drives on Windows 2008/2012 virtual machines are running below 5% available space. Can I use LEM to replace EventSentry?
Needing help configuring USB Defender. I have followed all the steps to configuring it, but neither see an alert in the console nor are unauthorized USB devices shut down on the client machine. Here is what I've done:
Any help is much appreciated!
I have been having issues over the past few days with LEM reports. If I try to run a report for weeks' worth of data, the program eventually fails and comes back with "out of system resources". Any ideas?
Installed the LEM agent on Windows 7, but the LEM manager can't discover the node. It seems there is a communication problem between the agent and the LEM appliance.
Below is a bit of the log event from the spoplog.txt file:
===Begin==========
(Wed Feb 15 18:27:35 CST 2017) WW:WARNING [NioComNetworkParent] {ComModuleSpop:21} Install request completed (not installed)
(Wed Feb 15 18:35:35 CST 2017) WW:WARNING [NioComNetworkParent] {ComModuleSpop:21} Making install request to:
(Wed Feb 15 18:36:35 CST 2017) EE:ERR [NioComNetworkParent] {ComModuleSpop:21} EXCEPTION: {}
java.io.EOFException: null
at java.io.ObjectInputStream$BlockDataInputStream.peekByte(ObjectInputStream.java:2626) ~[na:1.8.0_92]
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1321) ~[na:1.8.0_92]
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:373) ~[na:1.8.0_92]
at com.trigeo.core.communications.common.ComNetworkParent.writeMessageToCommandChannel(ComNetworkParent.java:778) [lem_core.jar:6.3.1.1083.746087]
at com.trigeo.core.communications.common.ComNetworkParent.sendParentViaCommandChannelForResponse(ComNetworkParent.java:241) [lem_core.jar:6.3.1.1083.746087]
at com.trigeo.core.communications.common.ComNetworkParent.installRequest(ComNetworkParent.java:166) [lem_core.jar:6.3.1.1083.746087]
at com.trigeo.core.communications.common.ComModule.autoInstall(ComModule.java:409) [lem_core.jar:6.3.1.1083.746087]
at com.trigeo.core.communications.common.ComModule.setUp(ComModule.java:266) [lem_core.jar:6.3.1.1083.746087]
at com.trigeo.core.communications.spop.ComModuleSpop.run(ComModuleSpop.java:151) [lem_core.jar:6.3.1.1083.746087]
at java.lang.Thread.run(Thread.java:745) [na:1.8.0_92]
at com.trigeo.util.TriGeoThread.run(TriGeoThread.java:52) [lem_util.jar:6.3.1.1083.746087]
(Wed Feb 15 18:36:35 CST 2017) WW:WARNING [NioComNetworkParent] {ComModuleSpop:21} Install request completed (not installed)
====End===========
Any ideas?
I am able to mount a Windows share folder when I do a syslog export from LEM to my share folder.
But when I try to do an archive job to the same share folder path using the same credentials, it gives me a mount error: permission denied.
Anyone ever experienced this before?
Does the spop.conf query its info directly from a file on the LEM box? For some reason, when installing the agent on a brand new machine, the spop.conf is populated with the old appliance IP address. When LEM was first installed it was using .164 as its IP. We have since moved the VM to a beefier box and re-deployed it with an IP of .167. I can ping the DNS name just fine, and have verified there are no stale records showing the old .164 address. I can also telnet to ports 37891, 37890 and 37892 via the new IP. Ultimately I can edit the spop.conf and manually change the IP to .167, but it's very annoying. The user guide mentions clearing the agent certificate, but so far I have not found any in the local cert stores. (Edit: This must be done when deleting the spop folder within the ContegoSPOP folder.) I can also manually edit the .conf file and use the DNS name as well without issues. But where is it getting its initial query? i.e. NioComNetworkParent Making install request to: x.x.x.164
Hello Everyone,
I would like to know the best practices for dealing with noise traffic. Can someone please help me understand what traffic, apart from broadcast traffic events, is considered noise? Also, how should we deal with it? Should we filter it at the agent level, or should we allow the noise traffic to reach the SIEM and then filter it out?
As per the compliance standards (PCI/FISMA/SOX etc.), should noise traffic logs be preserved? If yes, for how long?
Regards,
KD
Hello, has anyone created an alert for an event that indicates that something is attempting to access a disabled Active Directory account?
thank you, Rick
I am pretty new to LEM (6.3.1) and am having some problems setting up a new rule. I am trying to create a rule that will email me an alert when there is a login attempt of a disabled domain account. I have email and the Directory Services Connector working for other rules so I'm okay there. I have a Directory Services Group defined for the Domain group I created called "Disabled Accounts". My problem is I am not sure how to craft the Correlations to get LEM to alert on login attempts for that group.
I would rather learn this and not just be handed a solution, so if anyone could point me in the right direction that would be great. I found nothing useful in the User Guide nor the KBs on the SolarWinds site, but if there is something in either place that I missed that answers my question, a link/page number would be perfect.
thank you
Arch
In our domain, we have the local machine Guest account disabled and renamed through script/GPO.
Our LEM console sends out 10-20 notices each day
TriGeo Alert: "guest account is locked out @ time of day"
or
User Account Modification: "guest account automatically locked out"
Is this normal? I really would just need to know if this account is ever enabled or tried to log in to a machine.
Hi!
I have a problem: I can't delete a device from the LEM Console.
The device is a switch and uses syslog services to report to LEM.
When I try to delete it from the LEM console, that device appears again.
I am struggling with getting an Open SuSE Linux server to log to my LEM.
Details:
It installed and even connected to the console. I created the Pam, Audit and Apache tools and they start with no problems.
netstat shows the established connection to my LEM
But I get NO log traffic at all.
This server is across a firewall, and I believe I have the proper ports open: 37890 & 37892.
Still nothing.
Any idea what I might be missing?
Thanks
Brian
I'm trying to generate an alert if there are multiple failed login attempts from the same IP address, regardless of the username. The part I'm having trouble with is telling LEM to only alert if it's from the same IP address. In the parameters I know to put * for all, or a specific word, but not sure how to say "if same IP address".
In the Rule Creation this is what I have the Correlations set for:
UserLogonFailure
AND
UserLogonFailure.SourceMachine = ?????
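The two correlations asked about in this thread (a user logging on to more than 3 PCs within the same hour, and repeated logon failures from one source address regardless of user name) come down to the same sliding-window count, grouped by a different field. The script below is an added example, not code from the forum thread or from SolarWinds LEM, and it does not use LEM rule syntax; it shows the detection logic in plain Python over a constructed event set so the rule's intent is clear before it is built in the console. The event line format, the field names, the thresholds and all host names and addresses are assumptions made for the example.

```python
"""Sliding-window logon correlations over constructed sample events.

Added example, not code from the forum thread or from SolarWinds LEM. Event
format, field names, thresholds and all hosts/addresses are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs), one per line:
# "<ISO timestamp> <event type> <user> <source> <destination>"
SAMPLE_EVENTS = [
    # gary logs on to four different PCs in 40 minutes -> should alert
    "2017-02-15T18:00:05 UserLogon gary WS-GARY PC-101",
    "2017-02-15T18:10:12 UserLogon gary WS-GARY PC-102",
    "2017-02-15T18:25:40 UserLogon gary WS-GARY PC-103",
    "2017-02-15T18:40:03 UserLogon gary WS-GARY PC-104",
    # alice logs on to four PCs, but only three fall inside any one-hour window
    "2017-02-15T18:00:00 UserLogon alice WS-ALICE PC-201",
    "2017-02-15T18:20:00 UserLogon alice WS-ALICE PC-202",
    "2017-02-15T18:40:00 UserLogon alice WS-ALICE PC-203",
    "2017-02-15T19:30:00 UserLogon alice WS-ALICE PC-204",
    # five failures from 10.0.0.5 against five accounts in 3 minutes -> should alert
    "2017-02-15T20:00:01 UserLogonFailure bob 10.0.0.5 DC-01",
    "2017-02-15T20:00:30 UserLogonFailure carol 10.0.0.5 DC-01",
    "2017-02-15T20:01:10 UserLogonFailure dave 10.0.0.5 DC-01",
    "2017-02-15T20:02:05 UserLogonFailure erin 10.0.0.5 DC-01",
    "2017-02-15T20:02:50 UserLogonFailure frank 10.0.0.5 DC-01",
    # two mistyped passwords from 10.0.0.9 -> ordinary noise, no alert
    "2017-02-15T20:05:00 UserLogonFailure gary 10.0.0.9 DC-01",
    "2017-02-15T20:05:20 UserLogonFailure gary 10.0.0.9 DC-01",
]


def parse_events(lines):
    """Parse the constructed line format into dicts, sorted by time."""
    events = []
    for line in lines:
        ts, kind, user, src, dst = line.split()
        events.append({"time": datetime.fromisoformat(ts), "type": kind,
                       "user": user, "src": src, "dst": dst})
    return sorted(events, key=lambda e: e["time"])


def sliding_window_peaks(events, group_by, count_field, window):
    """For each value of group_by, return the largest number of events seen
    inside any window of the given length: distinct count_field values, or
    raw event count when count_field is None. Two-pointer sweep over the
    time-sorted events, so each event enters and leaves the window once."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e[group_by]].append(e)
    peaks = {}
    for key, evs in by_key.items():
        start = 0
        for end in range(len(evs)):
            # Drop events that fell out of the window ending at evs[end]
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            in_window = evs[start:end + 1]
            if count_field is None:
                n = len(in_window)
            else:
                n = len({e[count_field] for e in in_window})
            peaks[key] = max(peaks.get(key, 0), n)
    return peaks


def users_on_many_hosts(lines, min_hosts=4, window=timedelta(hours=1)):
    """Users who logged on to at least min_hosts distinct PCs within one window
    (min_hosts=4 means 'more than 3'). Returns {user: peak distinct hosts}."""
    logons = [e for e in parse_events(lines) if e["type"] == "UserLogon"]
    peaks = sliding_window_peaks(logons, "user", "dst", window)
    return {u: n for u, n in peaks.items() if n >= min_hosts}


def sources_with_many_failures(lines, min_failures=5, window=timedelta(minutes=10)):
    """Source addresses with at least min_failures logon failures within one
    window, whatever the user name. Returns {source: peak failure count}."""
    failures = [e for e in parse_events(lines) if e["type"] == "UserLogonFailure"]
    peaks = sliding_window_peaks(failures, "src", None, window)
    return {s: n for s, n in peaks.items() if n >= min_failures}


if __name__ == "__main__":
    print("users on many hosts:", users_on_many_hosts(SAMPLE_EVENTS))
    print("sources with many failures:", sources_with_many_failures(SAMPLE_EVENTS))
```

The "same IP address" part of the question is the `group_by` argument: the count is taken per source address, and the user field is ignored, which is what "regardless of the username" needs. The alice events show why the window matters: she touches four PCs, but never four within one hour, so she stays below the "more than 3" threshold while gary does not.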
I am curious how the FIM capabilities of LEM meet specific compliance requirements, specifically as they pertain to PCI DSS 3.0.
I am curious as I would love to consolidate tools and be able to satisfy all of my FIM requirements with LEM if possible.
Thanks in advance for any help on this!
How can I get vCenter logs into LEM?
I am running vCenter version 5.0 on a Windows host.
If you are running vCenter Server Appliance 5.0 this might help you (virtuallyGhetto: Forwarding vCenter Server Logs to a Syslog Server).
This article explains how to configure ESX hosts to syslog events into LEM (SolarWinds Knowledge Base :: Integrating VMware ESXi with SolarWinds LEM).