Channel: THWACK: Popular Discussions - Security Event Manager (SEM) - Formerly Log & Event Manager
Viewing all 5911 articles

How to monitor activity by users of the admin group


Can someone tell me how to create a rule in LEM to show activity by the administrator user or users in the admin group? Or is there perhaps a report in the SW LEM reports module?


Thank you... Rick


Connecting SolarWinds to Cisco FirePOWER using eStreamer


We have a Cisco FirePOWER unit that we want to poll information from and place in a dashboard so that it is easy to see what is going on with FirePOWER. I have been looking and haven't found too much information on how to connect these two applications, but one thing that seems like it would work would be to connect using eStreamer. Does anyone know if this is an option or not and, if so, how to implement it? If it's not an option, is there any other way to display FirePOWER information in SolarWinds?


Thanks in advance!

LEM to SEM????


I was recently given the task to "upgrade" LEM to SEM 6.7. Does this require creating a new VM, or is it an "update" applied to the existing LEM?

LEM Log Retention settings


Hi All,


How can I check LEM log retention settings? I've already read some discussion about this and learned that LEM is configured to automatically purge the oldest logs, but how can I check if our LEM appliance can still keep up with our log retention policy (6 months, for example)? I need to check because we are planning to add more nodes to our LEM and we need to make sure that we are not sending more logs than LEM can handle, considering the log retention issue.


Thanks!

Nelson

Login failed LEM reports


I am trying to get all log messages from the LEM reports. I installed the Reports and Crystal runtime file on my computer, which was not a big issue. But every time I try to add a manager I can't ping the connection. It gives me the error that Ping failed. I ignored the ping error and continued to run a report. But then I get this error telling me that the logon failed with an error code.

Logon Failed.PNG

I did some research and found a few things about this issue. I already tried all those things but nothing so far. I am still using the trial version, which I don't think should be the issue.

Need your help guys.

SEM Agent Memory issues


We recently upgraded our SEM appliance from LEM 6.6.0 to SEM 6.7.0. After the upgrade, the appliance went through all of the client nodes (we only use this on Windows servers) and upgraded their agents to 6.7.0 as well.


After this, we noticed that some of our servers were running with very high memory, and the process was javaw.exe. Removing the SEM agent (using the uninstaller) also stopped the javaw.exe process and brought the memory right back down. It seems that there might be a memory issue/leak with this client? I have now uninstalled the 6.7 agent from all of our nodes (Windows 2008 R2 and 2012 R2) and will be testing reinstalling the previous client (6.6).


Has anyone else had a similar issue and is able to give any advice?


Thanks!

LEM upgrade - not enough space in /var


How do you clean out space to be able to upgrade?

How does the Block IP active response work for multiple connected firewalls?


I'm somewhat new to LEM and was looking at using the Block IP active response in a rule. I don't see any option in the rule builder to select which of the LEM-connected firewalls I want to block the IP on. If I start this rule, will it attempt to block the specified IP on all of my firewalls or just the one the log came from? I'd really like to block the IP logged from the external firewall on the internal one, but I'm not sure this is possible.


Thank you,

Shane Isbister


Filter NT Authority\System


I am running 6.2.0RC1. I have FIM running on a file server and pointing to one folder. I get a lot of events with NT Authority\System in them. One file opened creates 8 events; 5 of the 8 are from NT\System.

Because they don't tell me anything about who did what, I am trying to filter them out. I have set this filter but still get them. I have tried SYSTEM with * and without.

Any ideas?


File Audit showing user as NT AUTHORITY\SYSTEM


I have set up a FileAudit filter, but all logs are showing the user as NT AUTHORITY\SYSTEM. I installed the hotfix suggested in this post: Re: file audit nt authority, but it hasn't worked?

Alert on login attempts of disabled accounts


I am pretty new to LEM (6.3.1) and am having some problems setting up a new rule. I am trying to create a rule that will email me an alert when there is a login attempt of a disabled domain account. I have email and the Directory Services Connector working for other rules, so I'm okay there. I have a Directory Services Group defined for the Domain group I created called "Disabled Accounts". My problem is I am not sure how to craft the Correlations to get LEM to alert on login attempts for that group.


I would rather learn this and not just be handed a solution, so if anyone could point me in the right direction that would be great. I found nothing useful in the User Guide nor the KBs on the SolarWinds site, but if there is something in either place that I missed that answers my question, a link/page number would be perfect.


Thank you

Arch

How to set up LEM collection Microsoft Exchange log?


Hello everyone, I already knew LEM can collect Microsoft Exchange 2007 logs, so I installed the Windows agent on the Exchange Server, then started these two tools within LEM:

1.png 2.png

Will it be OK? What else is needed to configure it? And I want to know whether LEM collecting Microsoft Exchange logs needs an agent like SQL Server does?


Critical Account Logon Failure


Greetings,


I came across a thread (https://thwack.solarwinds.com/thread/66209) that described a modified filter that would be good at catching someone trying to guess user passwords without locking accounts. I created a filter, and as a test I had one of the schema/domain/enterprise admins attempt a logon but purposely fat-finger the password. Nothing was caught. I'm a LEM newb, so is there a more experienced LEM-er (or is it LEM-ming?) that could check my filter below and let me know where I may have gone astray? I first built this with the UserLogonFailure.DestinationAccount events, but that wasn't catching anything, so I added the UserLogonFailure.SourceAccount events, but that didn't catch anything either.


If this looks ok (<gasp> which I doubt), could there be an Audit Policy that is not turned on?


Thanks!

Auditing Group Policy Changes


Hi,


Can anyone tell me how to set up a rule to track Group Policy changes? This is for tracking admin users who modify a Group Policy Object (I am not talking about creating a new one or renaming an existing one).


I would like the rule to email with the following information:


User who changed it, time of change, and Group Policy Object modified.


Thanks


Need help in identifying and blocking SQL injection attempts


I have tried searching the existing questions and discussions and have not really found a complete answer.


I have found in LEM the existing item under groups called "XSS and SQL Injection Vectors". (For some reason it is listed under User Defined Group.)

I have created a rule template called "Template: SQL Injection Attempt" and cloned that to a rule called "SQL Injection Attempt". I added an email notification and then enabled the rule.


The thing is, I cannot tell if it is working correctly. Is there a way to set up a test, or test that rule against last week's data?

Monitor ExtendedEvents and SQLAudits in SQL Server


There is a good discussion on how to use an old, deprecated approach to monitoring SQL Server (audits) that uses a trace (SQLAuditor.exe), but the trace misses much of the information required by the STIGs. Meanwhile, with the STIG, we generate a great deal of information (I've seen it reach 20 GIG a day, but we found a way to reduce that) and we are looking for a tool that will help us monitor the massive amount of audit files (*.sqlaudit and *.xel) that SQL Server 2016 generates. The trace is cool, I like it, but unfortunately it doesn't meet the requirement of the STIGs for SQL 2016.


What am I missing?

Need LEM agent UNinstaller


Where can I get the manual uninstaller for the LEM agent? It does no good to tell me to get it from the customer portal because I was just evaluating the software.


It would be nice if you would make the uninstall work under Add / Remove Programs like any other decent program out there.

Brocade ICX


Hey All,


New to the SolarWinds LEM... Trying to get my Brocade ICXs to log to it. So far no luck. Tried the different canned connectors for Brocade and then tried the Add Node, just choosing Brocade as the vendor. Also tried no vendor. Nothing is working. It just says it can't a new node. I have verified via sniffer that the ICX is sending messages and I have the right IP.


Any guidance would be very helpful.


Thanks!

LEM High Availability


I cannot find any docs or details for the LEM High Availability setup, but I see a mention in the user guide. How is this done?


Thanks

Tony
