Channel: THWACK: Popular Discussions - Security Event Manager (SEM) - Formerly Log & Event Manager

SolarWinds LEM - no email alerts for changes to Domain Admins


I am currently running a 30 day trial of LEM. I have the environment fully configured including an agent installed on our domain controller. I have other rules set up and successfully firing email alerts for things like failed login attempts on our cisco switches, changes to firewall policies, etc.

 

I would like to receive an email alert when a user is added to Domain Admins or any of the other "high privilege" groups in AD. I found the training video that explains exactly how to do this; however, I cannot get the rule to fire, so no email is being sent. If I go to Monitor and select the Group Changes filter, I can see the event:

 

 

However under Rule Activity I do not see the rule that I configured.

I tried cloning the rule template per the video's instructions and also creating a rule from scratch but neither rule will fire.

Here is one of the rules, created by cloning the template:

 

 

I have saved and activated the rules.

Other rules are being triggered and firing emails for syslog events, this is the first AD-related rule I have tried.

Does anyone have a suggestion? Thank you.


HDD Space warnings


Anyone know of an easy way to set up alerts from the LEM so that it will email alerts when an HDD drops below 15% available space?
Edit: I know there is a rule for "disk nearly full" but I would like to adjust that from the default to 15%. Additionally, my main concern is 2008 R2 and 2012 R2 servers.

LEM & Syslog Levels


I'm currently trying LEM; it's successfully collecting data from my Active Directory DCs and DHCP servers. I'm now considering pointing some of our network equipment at LEM and was wondering what syslog level I should set them at. I understand (from this video) SolarWinds recommends setting syslog to debug, which would generate a great deal of data, but what impact is this likely to have on the performance of the devices running syslog at debug level?

 

I'm assuming the recommendation is focused primarily on getting as much information into LEM as possible; however, as with most things, it's probably a balancing act of weight of data against performance impact.

 

Any guidance you can offer me would be gratefully received.

Registering locking and unlocking of workstations


Hello Fellow Thwackers,

 

I am trying to see if I can register locking and unlocking of workstations. This is more of an automated way to do a little grassroots testing, but I wanted to see if it could be done. I know it is Microsoft-Windows-Security-Auditing 4800/4801, but I am not sure that LEM is built to capture that information. Has anybody tried this? If so, what is in your bag of tricks to make this happen?

 

Help????

LEM to SEM????


I was recently given the task to "upgrade" LEM to SEM 6.7. Does this require creating a new VM, or is it an "update" applied to the existing LEM?

Fortimail And FortiWeb Logging


Hi,

 

Has anyone successfully set up FortiMail or FortiWeb to log to SEM?

 

I am running the latest update for the virtualised appliances of both.

 

I can see the logs passing the firewall and going to the LEM. I just can't get the console to show the info through the connectors.

 

Am I missing something? Any help would be appreciated.

 

Regards

 

Paul Dyball

Alert on login attempts of disabled accounts


I am pretty new to LEM (6.3.1) and am having some problems setting up a new rule.  I am trying to create a rule that will email me an alert when there is a login attempt of a disabled domain account.  I have email and the Directory Services Connector working for other rules so I'm okay there.  I have a Directory Services Group defined for the Domain group I created called "Disabled Accounts".  My problem is I am not sure how to craft the Correlations to get LEM to alert on login attempts for that group.

 

I would rather learn this and not just be handed a solution so if anyone could point me in the right direction that would be great.  I found nothing useful in the User Guide nor the KB's on Solarwinds site but if there is something in either place that I missed that answers my question a link/page number would be perfect.

 

thank you

Arch
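The three posts above (alerting on additions to Domain Admins, registering workstation lock/unlock, and alerting on logon attempts by disabled accounts) all come down to matching specific Windows Security event IDs and fields. The following is an added example, not code from any of the posters and not a LEM rule; it shows the matching logic over constructed sample events so the reader can see which fields a rule has to look at. Field names follow the EventData names in the Windows Security event XML. For the disabled-account case it keys off the 4625 SubStatus (STATUS_ACCOUNT_DISABLED) rather than the Directory Services group the poster is using; that is a different, simpler approach, not the poster's. The list of privileged groups is an assumption.

```python
"""Classify Windows Security events into the alerts the posts above ask for.

Added example, not part of the original posts or of LEM. The records below are
constructed; field names follow the EventData names in the Windows Security
event XML (SubjectUserName, TargetUserName, MemberName, SubStatus, ...).
"""

# Member added to a security-enabled group: global (4728), local (4732),
# universal (4756). Domain Admins is a global group, so it shows up as 4728.
GROUP_ADD_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}

# Groups whose membership changes should always page someone. The exact set is
# an assumption; extend it to match your own "high privilege" list.
HIGH_PRIV_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Administrators", "Account Operators",
}

# Workstation lock / unlock from Microsoft-Windows-Security-Auditing.
LOCK_EVENTS = {4800: "workstation_locked", 4801: "workstation_unlocked"}

# In a 4625 (logon failure) the SubStatus field carries the NTSTATUS reason;
# STATUS_ACCOUNT_DISABLED is 0xC0000072.
SUBSTATUS_ACCOUNT_DISABLED = 0xC0000072


def classify(ev):
    """Return (alert_name, detail) for an event that should alert, else None."""
    eid = ev["EventID"]

    if eid in GROUP_ADD_EVENTS:
        # For the 47xx group events TargetUserName is the *group*, not a user;
        # the account that was added is in MemberName (a DN) / MemberSid.
        group = ev["TargetUserName"]
        if group in HIGH_PRIV_GROUPS:
            return (
                "privileged_group_add",
                f"{ev['SubjectUserName']} added {ev['MemberName']} to "
                f"{group} ({GROUP_ADD_EVENTS[eid]} group) on {ev['Computer']}",
            )
        return None

    if eid in LOCK_EVENTS:
        return (
            LOCK_EVENTS[eid],
            f"{ev['TargetDomainName']}\\{ev['TargetUserName']} on {ev['Computer']}",
        )

    if eid == 4625:
        # SubStatus is logged as a hex string; compare numerically so that
        # "0xc0000072" and "0xC0000072" both match.
        substatus = int(ev.get("SubStatus", "0x0"), 16)
        if substatus == SUBSTATUS_ACCOUNT_DISABLED:
            return (
                "disabled_account_logon",
                f"{ev['TargetDomainName']}\\{ev['TargetUserName']} from "
                f"{ev['IpAddress']} on {ev['Computer']}",
            )
        return None

    return None


def alerts(events):
    """Run classify() over a stream of events and keep only the hits."""
    return [hit for hit in map(classify, events) if hit is not None]


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4728, "Computer": "DC01.corp.example", "SubjectUserName": "jsmith",
     "TargetUserName": "Domain Admins",
     "MemberName": "CN=Bob Jones,OU=Staff,DC=corp,DC=example"},
    {"EventID": 4728, "Computer": "DC01.corp.example", "SubjectUserName": "jsmith",
     "TargetUserName": "Sales",
     "MemberName": "CN=Bob Jones,OU=Staff,DC=corp,DC=example"},
    {"EventID": 4800, "Computer": "WS042.corp.example",
     "TargetDomainName": "CORP", "TargetUserName": "alice"},
    {"EventID": 4801, "Computer": "WS042.corp.example",
     "TargetDomainName": "CORP", "TargetUserName": "alice"},
    {"EventID": 4625, "Computer": "DC01.corp.example",
     "TargetDomainName": "CORP", "TargetUserName": "leaver01",
     "IpAddress": "10.20.30.40", "Status": "0xc000006d", "SubStatus": "0xc0000072"},
    {"EventID": 4625, "Computer": "DC01.corp.example",
     "TargetDomainName": "CORP", "TargetUserName": "alice",
     "IpAddress": "10.20.30.41", "Status": "0xc000006d", "SubStatus": "0xc000006a"},
]

if __name__ == "__main__":
    for name, detail in alerts(SAMPLE_EVENTS):
        print(f"{name}: {detail}")
```

The point to take from this when building a LEM rule for group changes is that the group name is in the event's target field while the added account is in the member field; a rule that compares the group name against the user field will never match. Likewise the 4625 wrong-password case (SubStatus 0xC000006A) is deliberately left out of the disabled-account alert so it does not fire on ordinary typos.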

How to collect log information from TM Officescan


Possible to monitor disk space remaining?


I'm currently using EventSentry to alert me if drives on Windows 2008/2012 virtual machines are running below 5% available space. Can I use LEM to replace EventSentry?

Cisco ASA and syslog severity levels

Is it possible to import Windows Security Event log into LEM from a node without LEM agent?


OK, so here's the scenario.  Due to internal company policy I cannot install native LEM agent on our Domain Controller (Windows 2012).  So that means I cannot just add this node to LEM console and start collecting events, set up rules, etc, etc... Now, instead, I was offered the following workaround - run a scheduled task on DC every few hours and export the Security Event Log from DC to another location where I can go and grab it and - if possible - import into LEM.  The Security Event Log can be exported in CSV format or native format.

I've scanned the LEM User manual and the messages on Thwack here, but I am not sure if this is supported.  Is it?  How can I import this data into LEM?  The location where it is being exported to is on a file server which does have LEM agent up and running.  Does it matter?  Should I contact support to help me with this setup?

 

Thanks.

LEM Crystal Report and Chinese displayed as "?????"


good day!

 

Encountered two problems with LEM:

1. How can LEM's reports be customized? Does it support Crystal Reports, and if so, how does Crystal Reports retrieve LEM data?

I need to look at the past month's user login failure log for 18:00-06:00 each day. Currently I can only view all failed login logs over a period of time; there is no way to filter by time.

lem1.jpg

2. LEM does not display Chinese correctly. How do I adjust the configuration?

了么.jpg

lem3.jpg

Block ALL USB Devices! Bwaahaha!



Hi,

I want to block absolutely all USB devices except keyboards and mice - I have created a rule but it does not appear to work!

 

The rule is quite simple -

 

Correlations: Systemstatus.EventInfo="Attached" SystemStatus.ProviderSID="USB"

 

Correlation Time: Events Within: 30 seconds Response Window: 5 minutes (default)

 

Actions: Detach USB Device - Agent: SystemStatus.InspectionIP Device: SystemStatus.ExtraneousInfo

 

Rule is enabled and shows no errors.

 

I am a bit of a beginner with this and would appreciate any help and comments.

 

Thanks,
Alan

Configuring Cisco ASA Syslog to LEM


Hello all. 

 

New Net Admin here looking to get syslog events logging in LEM.  So far, I have followed the configuration knowledge base: "Integrating Cisco PIX and Cisco ASA Firewalls with SolarWinds LEM"  and believe that it is configured correctly.  The real-time monitor is logging correctly inside the ASA, however these events are not being sent to LEM.  Additionally, when adding this Cisco ASA firewall as a node, it is not found.  ACLs appear to be correctly configured to allow this traffic from the LEM server.  The point that needs the most clarity is the Logging Facility and the log file location portions of the instruction, which I have configured to logging facility 18 and set the log file to log18.  Any additional tips/tricks to get this all up and running is also greatly appreciated!

 

Thanks,

 

Matt
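Both the "LEM & Syslog Levels" post (what does running devices at debug cost?) and the ASA post above (what does "logging facility 18" mean?) hinge on the syslog PRI header, which is facility * 8 + severity. The following is an added example, not from either poster, Cisco, or SolarWinds; it decodes the PRI, maps facility 18 to local2, and filters or counts messages by severity so you can see what the debug level adds on top of informational. The message lines are constructed in Cisco ASA style; the addresses and connection details are made up.

```python
"""Decode the syslog PRI header and filter by severity.

Added example, not from the posts or from LEM. The message lines below are
constructed in Cisco ASA style; addresses and connection details are made up.
"""
import re
from collections import Counter

# Facility codes from RFC 5424 section 6.2.1. "logging facility 18" on an ASA
# selects local2 (16 + 2).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock2",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Severity 0 (emergencies) .. 7 (debugging); "debug" is the most verbose level.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def pri(facility, severity):
    """PRI = facility * 8 + severity (the number inside the angle brackets)."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23, severity 0-7")
    return facility * 8 + severity


def parse(line):
    """Split '<PRI>message' into facility/severity names plus the message body."""
    m = PRI_RE.match(line)
    if m is None:
        raise ValueError(f"no PRI header: {line!r}")
    value = int(m.group(1))
    if value > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {value}")
    facility, severity = divmod(value, 8)
    return {
        "pri": value,
        "facility": facility,
        "facility_name": FACILITIES[facility],
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "msg": m.group(2),
    }


def at_or_above(lines, max_severity):
    """Keep messages at severity max_severity or more urgent (lower number)."""
    return [p for p in map(parse, lines) if p["severity"] <= max_severity]


def volume_by_severity(lines):
    """Count messages per severity name, to see what 'debug' adds on top of 'info'."""
    return Counter(parse(line)["severity_name"] for line in lines)


# Constructed ASA-style lines as sent with 'logging facility 18' (local2).
SAMPLE_LINES = [
    '<148>%ASA-4-106023: Deny tcp src outside:203.0.113.9/41022 dst inside:10.0.0.5/22 by access-group "outside_in"',
    "<150>%ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.7/443",
    "<150>%ASA-6-302014: Teardown TCP connection 12345 for outside:198.51.100.7/443 duration 0:00:01 bytes 2048",
    "<151>%ASA-7-609001: Built local-host inside:10.0.0.5",
    "<151>%ASA-7-609002: Teardown local-host inside:10.0.0.5 duration 0:00:02",
    "<146>%ASA-2-106001: Inbound TCP connection denied from 203.0.113.9/41023 to 10.0.0.5/22 flags SYN",
]

if __name__ == "__main__":
    for p in map(parse, SAMPLE_LINES):
        print(f"{p['facility_name']:7} {p['severity_name']:8} {p['msg'][:60]}")
    print(volume_by_severity(SAMPLE_LINES))
```

Two practical uses: if a collector shows nothing, capture a few raw lines on the wire and run them through parse() to confirm the facility the device is actually sending matches what the connector expects; and run volume_by_severity() over a short capture at debug to measure how much of the stream is severity 7 before deciding whether the device can sustain it.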

Connecting SolarWinds to Cisco FirePOWER using eStreamer


We have a Cisco FirePOWER unit that we want to poll information from and place in a dashboard so that it is easy to see what is going on with FirePOWER. I have been looking and haven't found much information on how to connect these two applications, but one thing that seems like it would work would be to connect using eStreamer. Does anyone know if this is an option or not and, if so, how to implement it? If it's not an option, is there any other way to display FirePOWER information in SolarWinds?

 

Thanks in advance!


LEM v6.3.1 HOT FIX 4 IS NOW AVAILABLE


Download Available:

http://downloads.solarwinds.com/solarwinds/Release/HotFix/SolarWinds-LEM-v6.3.1-Hotfix4.zip

 

Hotfix 4 addresses the following issues:

  • Multiple vulnerability issues
  • Agent-Manager connection timeouts
  • Incorrect free disk space values when raw logging is enabled
  • Some log connectors running slowly

 

To install Hotfix 4 on the LEM appliance:

 

1. Using the LEM Console or an SSH client (such as PuTTY), log in to CMC.

    a. At the cmc> prompt, enter: manager

    b. At the cmc::manager# prompt, enter: hotfix

 

2. Follow the instructions on your screen, providing the network path to your Hotfix 4 files and the appropriate credentials with Read access to this path.

    a. For example: \\server\share\unzipped_hotfix_folder\hotfix
    b. If you receive a message stating that no upgrades were found, ensure that you entered the correct path to the files. When completed, a cmc: prompt appears.

 

3. Reboot the appliance.

    a. Exit the cmc::manager# prompt, or at the cmc# prompt, enter: appliance

    b. At the prompt, enter: reboot

 

To install Hotfix 4 on the LEM Agents, use one of the following methods:

 

1. Use the auto-upgrade feature to automatically upgrade Agents if the feature is enabled.

 

2. If the auto-upgrade feature is disabled, or if there are communication issues between agents and the LEM Manager, follow the manual installation steps included in the "Install Hotfix 4 on Agents (manual steps)" section of the ReadMe included in the hotfix download.

 

Mitigation and Upgrades

To mitigate these issues, SolarWinds recommends upgrading to the latest version of LEM, v6.3.1, and applying Hotfix 4. SolarWinds also recommends changing the CMC password to ensure default credentials are not in use.

 

Vulnerability Overview

As of the date of this announcement, SolarWinds is not aware of any instance where a vulnerability remedied in Hotfix 4 has been actively exploited.

 

Common Vulnerabilities and Exposures (CVE) identifiers for the vulnerabilities remedied are not available at the time of this announcement, but will be added once assigned by a CVE Numbering Authority.

 

Credit Statement

SolarWinds would like to credit Baker Hamilton at Bishop Fox, Matt Bergin & Hank Leininger at KoreLogic, & Mehmet Ince for reporting these vulnerabilities.

 

To report a potential vulnerability to SolarWinds, please email PSIRT@solarwinds.com

 

Descriptions

CMC command injection allows an attacker to inject commands to escape the restricted shell.

 

Arbitrary command injection allows an authenticated user to execute arbitrary commands from the CMC restricted shell - CVE-2017-7647

 

Access Control allows an authenticated user to browse the LEM server's file system and read the contents of arbitrary files - CVE-2017-7646

 

Postgres Database Service allows hardcoded-credential access to the Postgres database service via IPv6. IPv4 is not affected by this vulnerability.

 

Arbitrary File Read allows an attacker to edit the SSH logon banner & read arbitrary files.

 

Privilege Escalation allows an attacker to run certain commands as a privileged user - CVE-2017-5198 & CVE-2017-5199.

 

Cumulative Hotfix

The following fixes from Hotfix 1, Hotfix 2, and Hotfix 3 are also included in this Hotfix:

  • Scheduled nDepth search results limited to 50,000 events.
  • Fixed ImportCert error when importing a certificate after a command failure.
  • Fixed an issue that displayed the IP address instead of the FQDN/hostname in 'All Installed Agents'.
  • Fixed an issue when an L4 Database appliance started with only 128 MB of memory.
  • Updates the Java platform to the latest version.
  • Fixed an out-of-memory issue that occurs when sending alerts to the console. The fix improves performance when a large number of events are sent to the console.
  • Fixed agent-manager communication issues - periodic disconnect and others.
  • Fixed an issue with nDepth log retention (logging missing date in raw records).
  • Fixed an issue that prevents logging into LEM if using a User Principal Name with a custom alias or SAMAccountName with NETBIOS.
  • Added the ability to use sub-alias LDAP environments.
  • Removed field limitations in the normalized alert database.
  • Fixed a logrotate issue that causes connectors to stop working if log lines are too long.
  • Fixed a single sign-on (SSO) issue that occurs if a Kerberos ticket is unusually long because a user belongs to many groups.
  • Added the ability to configure custom LDAP groups for authentication.
  • Set an agent memory limit for agents upgraded from older versions.
  • Fixed other agent-manager communication issues.
  • Additional improvements to assist customer support, including improved logging & added diagnostics.
  • The threat-feeds server certificate changed - LEM cannot download threat-feeds IPs.
  • Unable to use a domain containing a dash in the LDAP configuration.
  • Unable to recover a password when HTTP is disabled.
  • Exceptions during a fast evaluation are not logged.

 

Notes:

  • This fix is applicable to LEM 6.3.1 only

LEm with Cisco Firepower / Firesight syslog


Hi,

 

I have a Cisco Firepower virtual appliance, and I am trying to see its logs in LEM. I have configured syslog as described here: Configure a FireSIGHT System to Send Alerts to an External Syslog Server - Cisco

 

On the LEM side, I cannot find any logs or information. I tried to reconfigure the connector, but without success.

 

Has anyone installed LEM with Firepower?

 

More info :

 

ASA with FP module - connected to the Firepower appliance

Firepower appliance - same VLAN as the ASA and LEM

 

 

Regards,

 

JS

SolarWinds LEM Log Retention Unavailable


Hello,

 

I have taken over the LEM appliance and am the new administrator for the tool. From my understanding, the LEM appliance should house all of the logs up to a certain date. Our organization has allegedly configured a 365-day retention period. When I do an nDepth search for all logs (no filters), I can only pull back maybe a week's worth of logs. Does anyone know where the files could be headed or where they can be accessed? I looked at the Hyper-V host supporting LEM and I see massive file dumps under the SolarWinds LEM Alert DB Archive, so is this the data?

Please let me know where I could possibly look.

 

Thank you,

LEM Log Retention settings


Hi All,

 

How can I check LEM log retention settings? I've already read some discussion about this and learned that LEM is configured to automatically purge the oldest logs, but how can I check if our LEM appliance can still keep up with our log retention policy (6 months, for example)? I need to check because we are planning to add more nodes to our LEM, and we need to make sure that we are not sending more logs than LEM can handle, considering the log retention issue.

 

Thanks!

Nelson

SEM Console install error - Certificate Problem !


Hello,

 

When trying to install the latest AIR Console for SEM management (version 6.7.1), I get the following error:

 

 

I have the latest stable release of Adobe AIR (version 32.0.0.125)

 

Any hints, or can only a support case resolve this?

 

Thanks
