Using a Threat Intelligence Feed with LEM?
I am curious if anybody out there is using LEM in conjunction with a Threat Intelligence feed? I realize that LEM doesn't currently accept any of the feed protocols; however, I have seen that some feeds provide human-readable dashboards which can then be used in conjunction with a SIEM such as LEM.
LEM Linux agent connects but no logs
I am struggling with getting an OpenSuSE Linux server to log to my LEM.
Details:
- LEM 5.4
- Linux Client 5.3.1
- Linux OpenSuSE 11.2
It installed and even connected to the console. I created the PAM, Audit and Apache tools and they start with no problems.
netstat shows the established connection to my LEM.
But I get NO log traffic at all.
This server is across a firewall and I believe I have the proper ports open, 37890 & 37892.
Still nothing.
Any idea what I might be missing?
Thanks
Brian
How to reduce footprint of Windows Service accounts
Hi there,
I was wondering whether anyone had any advice on how to tune out the volume of events received from Service Accounts?
I have followed the auditing policy as per https://support.solarwinds.com/Success_Center/Log_Event_Manager_(LEM)/Audit_Policies_and_Best_Practices_for_LEM
However, we have applications like BizTalk and SolarWinds Orion which constantly send authentication logs to our LEM for Service Account activity being logged to the Windows Security log.
Obviously I could stop the audit log on those servers, but that really defeats the purpose of having LEM and will not do our PCI any good. It would also mean disabling it on the DCs, which I wouldn't want to do.
Any best practice for managing this noise would be greatly appreciated.
Regards
Adam
FIM Compliance with Log & Event Manager
I am curious how the FIM capabilities of LEM meet specific compliance requirements, specifically as it pertains to PCI DSS 3.0?
- Do the Windows FIM capabilities meet PCI DSS 3.0 requirements?
- Can you meet PCI FIM requirements on Linux using LEM just by tracking the logs?
I am curious as I would love to consolidate tools and be able to satisfy all of my FIM requirements with LEM if possible.
Thanks in advance for any help on this!
LEM agent question
Does the spop.conf query its info directly from a file on the LEM box? For some reason, when installing the agent on a brand new machine the spop.conf is populated with the old appliance IP address. When LEM was first installed it was using .164 as its IP. We have since moved the VM to a beefier box and re-deployed it with an IP of .167. I can ping the DNS name just fine, and have verified there are no stale records showing the old .164 address. I can also telnet to ports 37891, 37890 and 37892 via the new IP. Ultimately I can edit the spop.conf and manually change the IP to .167, but it's very annoying. The user guide mentions clearing the agent certificate, but so far I have not found any in the local cert stores. (Edit: This must be done when deleting the spop folder within the ContegoSPOP folder.) I can also manually edit the .conf file and use the DNS name as well without issues. But where is it getting its initial query? i.e. NioComNetworkParent Making install request to: x.x.x.164
Creating an alert if source is always the same?
I'm trying to generate an alert if there are multiple failed login attempts from the same IP address, regardless of the username. The part I'm having trouble with is telling LEM to only alert if it's from the same IP address. In the parameters I know to put * for all, or a specific word, but not sure how to say "if same IP address".
In the Rule Creation this is what I have the Correlations set for:
UserLogonFailure
AND
UserLogonFailure.SourceMachine = ?????
Need LEM agent UNinstaller
Where can I get the manual uninstaller for the LEM agent? It does no good to tell me to get it from the customer portal because I was just evaluating the software.
Would be nice if you would make the uninstall work under Add / Remove Programs like any other decent program out there.
Kaspersky Endpoint 10
I am trying to get LEM to monitor our Kaspersky administration server.
I have the Kaspersky Administration Kit connector enabled on the node that is our Kaspersky Administration server. I am not sure if I have it set up correctly though, because I am not seeing any events from the connector. I also read that WMI is another way to go besides using this Kaspersky Administration Kit connector. How would one go about configuring WMI (if it is the better option)?
I came across this article, Kaspersky Security Center Antivirus, which has a template to download. How do you install the template?
Thanks for any help in advance.
Agents unable to connect with LEM server
Hi,
I've installed the LEM agent in a few servers within my environment and a small number of them are in disconnected status in LEM. My verification from spoplog has shown the error below:
(Thu Nov 27 11:04:08 SGT 2014) II:INFO [AgentMessageCentralImpl] {XML Communication Worker - 3:40} Initiating reconnect with the manager
(Thu Nov 27 11:04:08 SGT 2014) EE:ERR [AgentMessageCentralImpl] {SPOP:8} Did not receive reply for request with id 1 in given timeout.
(Thu Nov 27 11:04:08 SGT 2014) WW:WARNING [AgentMessageCentralImpl] {SPOP:8} Unable to establishConnection with the Manager. Reason java.io.IOException: Did not receive HelloReply.
(Thu Nov 27 11:04:08 SGT 2014) II:INFO [AgentMessageCentralImpl] {SPOP:8} Initiating reconnect with the manager
(Thu Nov 27 11:04:28 SGT 2014) EE:ERR [AgentMessageCentralImpl] {XML Communication Reconnector - 1:43} Did not receive reply for request with id 2 in given timeout.
(Thu Nov 27 11:04:28 SGT 2014) WW:WARNING [AgentMessageCentralImpl] {XML Communication Reconnector - 1:43} Unable to establishConnection with the Manager. Reason java.io.IOException: Did not receive HelloReply.
(Thu Nov 27 11:04:31 SGT 2014) EE:ERR [NioSelectorOnClient] {NioComNetworkParent:45} Connection status: Unable to complete nio connection to address 10.133.82.221/37892 Connection timed out: no further information
(Thu Nov 27 11:04:31 SGT 2014) WW:WARNING [NioCenterOnClient] {NioComNetworkParent:45} Closing Nio Center: Nio Thread has stopped
I'm not sure what has caused this error. My research has not returned any convincing answer. Has anyone faced this issue before? Please help.
LEM Agent Node Not Showing
Hi, I'm new to SolarWinds LEM.
I am trying to add an Agent node. The Agent is already installed on my Windows system, but the node does not appear in my LEM Console.
I closed the firewall, checked that the Agent service is started, restarted Windows Server and reinstalled the Agent.
Could you please help me? Thank you.
PS. My Windows versions are 10 and 2012 R2.
Kaspersky Security Center Connector
We have completed the configuration of the Kaspersky connector in our LEM appliance (v6.3.1). We would like to know whether the connector is working fine and all Kaspersky Security Center events are reflected in LEM. Can someone share any information on how to validate whether the connector is effective?
MS Azure Logs
Are there any plans to collect data from MS Azure?
The sort of things I am interested in are NSG logs and Azure Key Vault access logs.
Cannot login LEM web portal
I am doing a LEM POC and creating some rules and configurations.
However, the web console becomes slower and slower,
and finally I cannot control the appliance.
We have tried to refresh the web portal, use another web browser, and restart the virtual appliance;
however, none of these methods restores the web management console. It only shows "Finishing Console Layout" for a long time!
Does anyone have experience with th
TriGeo/LEM Alert Rule - User Lockout...how to add DC info?
I have a TriGeo/LEM rule that kicks off if an end user's account is locked out after so many attempts, and it works great. I would like to have the email also include which domain controller it pulled that information from, if possible. This could help us determine at what location this person was at that time. Another nice-to-have would be from what machine the attempt was made. If this is possible I could use some help on getting the actions dialog properly populated.
Thank you.
Steve
Why are IP Protocol 103 PIM alerts being triggered?
I am getting repeated security alerts in LEM stating that IP Protocol 103 PIM is being detected as a "non-standard protocol or event", but I'm not sure what is triggering the alert or how to mitigate it. I am aware that PIM is a multicast protocol, and I also know that there is a security vulnerability in some Cisco switch IOS versions involving this protocol when it is coupled with a few other protocols like SWIPE, but I don't think that my switch is running the vulnerable IOS version: IP Protocol 103 (PIM) Activity: Attack Signature - Symantec Corp.
All of these alerts are being generated from Snort for one particular switch. Is it possible that Snort isn't recognizing the PIM protocol so it is marking it as suspicious?
Has anyone else had this issue, and if so, how did you fix it?
How to monitor activity by users of the admin group
Can someone tell me how to create a rule in LEM to show activity by the administrator user or users in the admin group? Or is there perhaps a report in the SW LEM reports module?
Thank you, Rick
How to customize reports in SolarWinds LEM
Crystal Reports with LEM Database
I installed the full version of Crystal Reports and I am unable to connect to the LEM Oracle database to customize reports.
This seems like something that someone has successfully done.
Unsuccessful attempts with tech support.
John
LEM: Temp filesystem is over 90% full
I'm new at managing our company's Log & Event Manager application and am trying to discover the cause of a problem that I've noticed over the past couple of days where LEM will display an incident notification stating "managermonitor warning! disk usage: the temp filesystem is over 90% full". The incident can be viewed under the Security > Incidents filter.
I've figured out how to clear the temp directory and was able to do so successfully yesterday. Upon arriving to work this morning, I noticed that the temp directory is full again, but I don't know why.
Here is the output of the diskusage command.
cmc> appliance
cmc::acm# diskusage
Checking Disk Usage (this could take a moment)... ....oo.oo.oo.oo.oo.oo.oo.
Partition Disk Usage:
LEM: 43% (1.2G/3.0G)
OS: 46% (1.3G/3.0G)
Logs/Data: 90% (199G/234G)
Temp: 95% (5.3G/5.9G)
Database Queue(s): 5.1G (12679286 alerts queued, 187196 alerts waiting in memory)
Rules Queue: 2.1M (0 alerts queued, 0 alerts waiting in memory)
Console Queue: 2.1M (0 alerts queued, 0 alerts waiting in memory)
DataCenter Queue: 2.1M (0 alerts queued, 0 alerts waiting in memory)
EPIC Rules Queue: 2.1M (0 alerts queued, 0 alerts waiting in memory)
Forensic Database Queue: 2.1M (0 data queued, 0 data items waiting in memory)
Logs: 11G
Tool Profiles Message Queue: 2.1M (0 alerts queued, 0 alerts waiting in memory)
When I use the cleantemp command and look through the directories in /tmp, I see that only one of the directories holds nearly all of the data that is filling up the temp space. That directory is called "Standard_Local_Database". It now contains 641 ".qa" files after having been cleared out around 24 hours ago. Based on the timestamps, it appears that a new file is created and stored here once per minute.
What is the best course of action for troubleshooting what's causing the temp directory to fill up so quickly? Thanks.
Integrating Cisco Nexus switch with LEM
I am trying to integrate Cisco Nexus 5K switches with LEM as a syslog node, but am having no luck. Does LEM support NX-OS? I found the attached, which was very helpful while integrating an ASA, but it doesn't cover NX-OS. Any help is much appreciated.