Solarwinds LEM redundancy
Hi, I have a bit of a unique requirement in that we'd like to deliver a fully redundant system, and that includes deploying LEM, if possible. Is it possible to have 2 separate appliances aggregating data from the same client machines? I don't see any way to connect a single client to more than one manager, or any way to run two appliances in any kind of primary/standby configuration. Is this accurate? Can anyone come up with an alternative solution?
4656 event log with FIM on windows 7 machine filter
I get the event below from a Windows 7 workstation frequently. Thoughts?
Event Field | Information |
OperationType | ObjectOpenFailure |
AccessProperties | Mask: - |
ServingProcess | {0x314,0} |
OperationID | {00000000-0000-0000-0000-000000000000} |
ObjectHandleID | 0x0 |
ObjectName | PlugPlaySecurityObject |
ObjectType | Security |
ObjectServer | PlugPlayManager |
PrivilegesExercised | 0x2 |
AccessRequested | Unknown specific access (bit 1) |
DestinationLogonID | |
DestinationDomain | |
DestinationAccount | |
SourceLogonID | 0x2cebe |
SourceDomain | BBBBBBB |
SourceAccount | ZZZZZZZ |
ExtraneousInfo | |
ProviderSID | Microsoft-Windows-Security-Auditing 4656 |
InferenceRule | |
ToolAlias | Vista Security |
Severity | 3 |
DetectionTime | 12:50:08 Thu Apr 28 2016 |
InsertionTime | 12:50:09 Thu Apr 28 2016 |
DetectionIP | XXXXXX |
Manager | YYYYYYY |
InsertionIP | XXXXXX |
EventInfo | Object open failed "PlugPlayManager (Security) PlugPlaySecurityObject" |
Event Name | ObjectAuditFailure |
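One way to handle a record like this on the collection side, as an added example that is not part of the original post or LEM itself: parse the "Field | Value |" layout shown above into a dictionary, pull the event ID out of ProviderSID, and suppress only the exact PlugPlayManager combination while every other 4656 failure is kept. The two records are constructed (one mirrors the post, the other is a file-access failure with placeholder paths), and the assumption is that the PlugPlayManager variant has already been triaged as benign on this workstation; keying on event ID alone would hide real object-access failures.

```python
"""Parse LEM-style 'Field | Value |' records and filter the noisy 4656 variant.
Added example; not LEM code. The suppression tuple is an assumption based on the
fields visible in the post, on the premise that it has been triaged as benign."""
import re
from typing import Dict, List, Tuple

# Constructed record mirroring the post (account/domain values are placeholders).
PLUGPLAY_RECORD = """\
OperationType | ObjectOpenFailure |
AccessProperties | Mask: - |
ObjectName | PlugPlaySecurityObject |
ObjectType | Security |
ObjectServer | PlugPlayManager |
AccessRequested | Unknown specific access (bit 1) |
SourceDomain | BBBBBBB |
SourceAccount | ZZZZZZZ |
ProviderSID | Microsoft-Windows-Security-Auditing 4656 |
Event Name | ObjectAuditFailure |
"""

# Constructed 4656 failure against a file; this one must NOT be suppressed.
FILE_RECORD = """\
OperationType | ObjectOpenFailure |
AccessProperties | Mask: - |
ObjectName | C:\\Finance\\payroll.xlsx |
ObjectType | File |
ObjectServer | Security |
AccessRequested | ReadData (or ListDirectory) |
SourceDomain | BBBBBBB |
SourceAccount | ZZZZZZZ |
ProviderSID | Microsoft-Windows-Security-Auditing 4656 |
Event Name | ObjectAuditFailure |
"""


def parse_record(text: str) -> Dict[str, str]:
    """Turn 'Field | Value |' lines into a dict; empty values become ''."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) < 2 or not parts[0]:
            continue
        fields[parts[0]] = parts[1]
    return fields


def event_id(fields: Dict[str, str]):
    """ProviderSID carries the Windows event ID after the provider name."""
    m = re.search(r"\b(\d{4})\b", fields.get("ProviderSID", ""))
    return int(m.group(1)) if m else None


# Assumption: this exact combination has been triaged as benign noise.
# All four fields must match; matching on ObjectName alone would be too loose.
PLUGPLAY_NOISE = {
    "OperationType": "ObjectOpenFailure",
    "ObjectServer": "PlugPlayManager",
    "ObjectType": "Security",
    "ObjectName": "PlugPlaySecurityObject",
}


def is_plugplay_noise(fields: Dict[str, str]) -> bool:
    return event_id(fields) == 4656 and all(
        fields.get(k) == v for k, v in PLUGPLAY_NOISE.items()
    )


def triage(records: List[str]) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Split raw records into (kept, dropped) parsed events."""
    keep, dropped = [], []
    for raw in records:
        fields = parse_record(raw)
        (dropped if is_plugplay_noise(fields) else keep).append(fields)
    return keep, dropped


if __name__ == "__main__":
    kept, gone = triage([PLUGPLAY_RECORD, FILE_RECORD])
    print("kept:", [f["ObjectName"] for f in kept])
    print("dropped:", [f["ObjectName"] for f in gone])
```

If the volume of this event is the problem rather than its content, the durable fix is on the Windows side (the audit policy or SACL that generates it) rather than in the filter; the filter only stops it from reaching the console.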
LEM 6.3.1 Hotfix 7 Now Available
Download Available:
Hotfix 7 addresses the following issues:
- Windows Workstations appearing as Universal Nodes
- Checkpoint R80.10 unable to transmit logs to LEM due to upgraded cryptography libraries
- QualysGuard Scan Reporter failing to transmit logs to LEM
- User Settings Corruption
To Install Hotfix 7 on the LEM Appliance:
1. Using the LEM Console or an SSH client (such as PuTTY), log in to CMC.
a. At the cmc> prompt, enter: manager
b. At the cmc::manager# prompt, enter: hotfix
2. Follow the instructions on your screen, providing the network path to your Hotfix 7 files and the appropriate credentials with read access to this path.
a. For example: \\server\share\unzipped_hotfix_folder\hotfix
b. If you receive a message stating that no upgrades were found, ensure that you entered the correct path to the files. When completed, a cmc: prompt appears.
3. Reboot the appliance.
a. Exit the cmc::manager# prompt or at the cmc# prompt, enter: appliance
b. At the prompt, enter: reboot
Cumulative Hotfix
The following fixes from Hotfixes 1-6 are also included in this Hotfix:
- Expired certificate for connector updates causing Automatic Connector Updates to fail. Hotfix 6 needs to be applied to restore Automatic Connector Updates functionality. Manual connector update steps can be found here.
- Updated the partition delete process to prevent it from running before the LEM Manager starts up.
- Null Pointer Exception error caused by the partition delete process.
- Fixed a hard-coded credential vulnerability (CWE Classification 798). Removed hardcoded passwords and hash digests that were discovered within the LEM appliance. These credentials were only accessible via root access. SolarWinds is not aware of any instances of this vulnerability being actively exploited and would like to credit Josh Hardin and Matt Bergin at KoreLogic for reporting the vulnerability. To mitigate these issues, SolarWinds recommends upgrading to the latest version of LEM v6.3.1 & applying the latest Hotfix. SolarWinds also recommends changing the CMC password to ensure default credentials are not in use. To report a potential vulnerability to SolarWinds, please email PSIRT@solarwinds.com
- Updates to improve logging and enhance supportability.
- Upgraded Tomcat to version 8.0.44
- Fixed an issue with free disk calculations
- Upgraded the SSH library to support AES encryption by default.
- Windows Server 2016 nodes are now labeled properly in the LEM console. Previously, the LEM console listed computers running Windows Server 2016 as Windows NT (unknown).
- Scheduled nDepth search results limited to 50,000 events.
- Fixed Import Cert error when importing certificate after command failure.
- Fixed an issue that display the IP address instead of the FQDN/hostname in 'All Installed Agents'.
- Fixed an issue when an L4 Database appliance started with only 128MB of memory.
- Updates the Java platform to the latest version.
- Fixed an out-of-memory issue that occurs when sending alerts to the console. The fix improves performance when a large number of events are sent to the console.
- Fixed agent-manager communication issues - periodic disconnect and others.
- Fixed an issue with nDepth log retention (logging missing date in raw records).
- Fixed an issue that prevents logging into LEM if using User Principal Name with a custom alias or SAM Account Name with NetBIOS.
- Added the ability to use sub-alias LDAP environments.
- Removed field limitations in the normalized alert database.
- Fixed a log rotate issue that causes connectors to stop working if log lines are too long.
- Fixed a single sign-on issue that occurs if a Kerberos ticket is unusually long because a user belongs to many groups.
- Added the ability to configure custom LDAP groups for authentication.
- Set an agent memory limit for agents upgraded from older versions.
- The threat-feeds server certificate changed - LEM cannot download threat-feeds IPs.
- Unable to use a domain containing a dash in the LDAP configuration.
- Unable to recover a password when HTTP is disabled.
- Exceptions during a fast evaluation are not logged.
Notes:
- This fix is applicable to LEM 6.3.1 only.
EventDSC.log
This file, located in C:\Windows\SysWOW64\ContegoSPOP\lib, has grown to 42GB and is causing the C drive on one of our servers to run out of space.
On other servers the file is only 7 kb and we are at a loss as to what caused this. Any insight into this would be appreciated.
What is the CMC Credential?
Hi all,
I am new to LEM. Can somebody tell me what exactly the CMC credential is and where I find it? Am I able to reset the CMC password? The previous user didn't leave any documentation.
Thanks in advance
Log & Event Manager Report Install
I am trying to install the Manager Report and it is giving me errors. I am a newbie to this product and still trying to figure out how things work. Any help is appreciated.
Thank you,
These are the errors that come up:
- Task Scheduler did not start - when clicking on the icon
- logon failed Error Code: -2147189179 - when trying to run a report.
LEM Storage Capacity Alert
Currently evaluating LEM to replace our existing SIEM. We have a requirement that says we have to be alerted when our log storage disk capacity reaches 80%.
While we could do this within VMware, we have this configured internally on our current SIEM, but I'm not seeing how to configure this in LEM.
Is there any way to do this internally in LEM?
Thank you.
Issues with authenticating to AD.
Hello.
I am attempting to connect LEM to AD for login, but am having issues with authenticating to the DC.
Below is a screenshot of my test to see if it connects to AD. I can ping the LEM server and the DC and vice versa.
Here's my actual config for the connection to the DC server. I test the connection and all I receive is a small note on the bottom right stating 'sending connector comment...done.'
I guess it's running. I start the app and then try to add AD groups and receive the following error message:
I have followed the instructions as per SolarWinds, but have not got anywhere. Do I need to look on the server or the front-facing GUI?
LEM v6.3.1 Hotfix 4 Is Now Available
Download Available:
http://downloads.solarwinds.com/solarwinds/Release/HotFix/SolarWinds-LEM-v6.3.1-Hotfix4.zip
Hotfix 4 addresses the following issues:
- Multiple vulnerability issues
- Agent-Manager connection timeouts
- Incorrect free disk space values when raw logging is enabled
- Some log connectors running slowly
To Install Hotfix 4 on the LEM Appliance:
1. Using the LEM Console or an SSH client (such as PuTTY), log in to CMC.
a. At the cmc> prompt, enter: manager
b. At the cmc::manager# prompt, enter: hotfix
2. Follow the instructions on your screen, providing the network path to your Hotfix 4 files and the appropriate credentials with Read access to this path.
a. For example: \\server\share\unzipped_hotfix_folder\hotfix
b. If you receive a message stating that no upgrades were found, ensure that you entered the correct path to the files. When completed, a cmc: prompt appears.
3. Reboot the appliance.
a. Exit the cmc::manager# prompt or at the cmc# prompt, enter: appliance
b. At the prompt, enter: reboot
To install Hotfix 4 on the LEM Agents, use one of the following methods:
1. Use the auto-upgrade feature to automatically upgrade Agents if the feature is enabled.
2. If the auto-upgrade feature is disabled, or if there are communication issues between agents and the LEM Manager, follow the manual installation steps included in the "Install Hotfix 4 on Agents (manual steps)" section of the ReadMe included in the hotfix download.
Mitigation and Upgrades
To mitigate these issues, SolarWinds recommends upgrading to the latest version of LEM, v6.3.1 & applying Hotfix 4. SolarWinds also recommends changing the CMC password to ensure default credentials are not in use.
Vulnerability Overview
As of the date of this announcement, SolarWinds is not aware of any instance where a vulnerability remedied in Hotfix 4 has been actively exploited.
Common Vulnerabilities and Exposures (CVE) identifiers for the vulnerabilities remedied are not available at the time of this announcement, but will be added once assigned by a CVE Numbering Authority.
Credit Statement
SolarWinds would like to credit Baker Hamilton at Bishop Fox, Matt Bergin & Hank Leininger at KoreLogic & Mehmet Ince for reporting these vulnerabilities.
To report a potential vulnerability to SolarWinds, please email PSIRT@solarwinds.com
Descriptions
CMC command injection – allows an attacker to inject commands to escape the restricted shell.
Arbitrary command injection – allows an authenticated user to execute arbitrary commands from the CMC restricted shell - CVE-2017-7647
Access Control – allows an authenticated user to browse the LEM server's filesystem and read contents of arbitrary files - CVE-2017-7646
Postgres Database Service – allows hardcoded credentials access to the Postgres database service via IPv6. IPv4 is not affected by this vulnerability.
Arbitrary File Read – allows an attacker to edit the SSH logon banner & read arbitrary files.
Privilege Escalation – allows an attacker to run certain commands as a privileged user - CVE-2017-5198 & CVE-2017-5199.
Cumulative Hotfix
The following fixes from Hotfix 1, Hotfix 2, and Hotfix 3 are also included in this Hotfix:
- Scheduled nDepth search results limited to 50,000 events.
- Fixed Import Cert error when importing certificate after command failure.
- Fixed an issue that displayed the IP address instead of the FQDN/hostname in 'All Installed Agents'.
- Fixed an issue when an L4 Database appliance started with only 128MB of memory.
- Updates the Java platform to the latest version.
- Fixed an out-of-memory issue that occurs when sending alerts to the console. The fix improves performance when a large number of events are sent to the console.
- Fixed agent-manager communication issues - periodic disconnect and others.
- Fixed an issue with nDepth log retention (logging missing date in raw records).
- Fixed an issue that prevents logging into LEM if using User Principal Name with a custom alias or SAM Account Name with NETBIOS.
- Added the ability to use sub-alias LDAP environments.
- Removed field limitations in the normalized alert database.
- Fixed a log rotate issue that causes connectors to stop working if log lines are too long.
- Fixed a single sign-on (SSO) issue that occurs if a Kerberos ticket is unusually long because a user belongs to many groups.
- Added the ability to configure custom LDAP groups for authentication.
- Set an agent memory limit for agents upgraded from older versions.
- Fixed other agent-manager communication issues.
- Additional improvements to assist customer support, including improved logging & added diagnostics.
- The threat-feeds server certificate changed - LEM cannot download threat-feeds IPs.
- Unable to use a domain containing a dash in the LDAP configuration.
- Unable to recover a password when HTTP is disabled.
- Exceptions during a fast evaluation are not logged.
Notes:
- This fix is applicable to LEM 6.3.1 only
SEM Agent Memory issues
We recently upgraded our SEM appliance from LEM 6.6.0 to SEM 6.7.0. After the upgrade, the appliance went through all of the client nodes (we only use this on Windows servers) and upgraded their agents to 6.7.0 as well.
After this, we noticed that some of our servers were running with very high memory & the process was javaw.exe. Removing the SEM agent (using the uninstaller) also stopped the javaw.exe process and brought the memory right back down. It seems that there might be memory issues/a leak with this client? I have now uninstalled the 6.7 agent from all of our nodes (Windows 2008R2 and 2012R2) and will be testing reinstalling the previous client (6.6).
Has anyone else had a similar issue & is able to give any advice?
Thanks!
USB Defender
Needing help configuring USB Defender. I have followed all the steps to configuring it, but neither see an alert in the console nor are unauthorized USB devices shut down on the client machine. Here is what I've done:
- Created a white list of approved devices (based on the Hardware ID value in Windows),
- Uploaded the white list to the USB Defender Local Policy.
- Enabled both USB Defender Local Policy and Windows Active Response connectors on test node.
- Cloned and enabled Detach Unauthorized USB Device rule.
Any help is much appreciated!
Is there any way to easily update the LEM appliance IP a Windows agent is pointed to?
I have some Windows agents that have the LEM appliance IP ending in .85 and I need the agent to point to .185 instead. I thought rerunning the remote installer on the list of hosts would fix this but it's not. Is there some command line flag I can pass the installer to make it update the LEM appliance IP the agent is using? I tried just rerunning the remote installer but the agents just keep using the old .85 IP. I'm not going to log into 600 machines just to delete those 6 files and restart the service.
Windows Server 2016 | LEM Agent 6.4 | some Connectors run, others don't run
Hi,
We use Windows Server 2016 in our environment and LEM 6.4.
We have installed the LEM Agent on the Windows Server 2016 machines with the Windows installer from LEM (local installation).
There are 4 connectors connected to the LEM Agent, but only 2 connectors I can start:
(1) Windows Active Response --> RUNS
(2) Windows Security Log --> RUNS
(3) Windows Application Log --> DOESN'T RUN
(4) Windows System Log --> DOESN'T RUN
I have tried a few things, but it is not possible to start the connectors for the Windows Application and System Logs.
Has anyone an idea? With the other Windows systems (XP, 2012 Server, 2008 Server, Win10, Win7, ...) we have no problems with the connectors.
Monitor ExtendedEvents and SQLAudits in SQL Server
There is a good discussion on how to use an old, deprecated approach to monitoring SQL Server (audits) that uses a trace (SQLAuditor.exe), but the trace misses much of the information required by the STIGs. Meanwhile, with the STIG, we generate a great deal of information (I've seen it reach 20 GB a day, but we found a way to reduce that) and we are looking for a tool that will help us monitor the massive amount of audit files (*.sqlaudit and *.xel) that SQL Server 2016 generates. The trace is cool - I like it, but unfortunately, it doesn't meet the requirement of the STIGs for SQL 2016.
What am I missing?
Palo Alto threat logs
Hi,
We have recently integrated one of our firewalls into LEM. We would like to have an email alert for the team if a single source IP produces 3 or more unique alerts/attacks. But when checking in the LEM console, it seems that we are only receiving traffic logs and URL logs but not threat logs. Is there any specific configuration that we need to check on the Palo Alto or in LEM to receive threat logs? I would really appreciate it if someone could confirm whether this is possible.
Thanks in advance!
Neil
Using the SolarWinds LEM report server
Hi all,
Please share how to use the report server of SolarWinds LEM effectively (e.g. how to extract the log of privileged account access).
Multiple Failed Login attempts by different users but same IP
Does anyone know how to set up a filter and/or rule that will notice multiple failed login attempts by multiple users (before account lockout) originating from the same IP within a certain time frame?
Thanks,
Jeremy
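The correlation the question describes, as an added example that is not part of the original post and not a LEM rule: keep a per-source-IP sliding window of failed logons and alert when the window holds failures for N distinct accounts, independent of whether any single account reached the lockout threshold. The events below are constructed 4625-style tuples; the field selection, the 5-minute window and the threshold of 3 accounts are assumptions to be tuned to the environment.

```python
"""Sliding-window detection of many-users-from-one-IP logon failures.
Added example; not LEM code. Events are constructed (timestamp, source IP,
target account) tuples in time order; window and threshold are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed failed-logon events, already sorted by time.
EVENTS = [
    ("2016-04-28 12:50:01", "10.0.0.23", "alice"),
    ("2016-04-28 12:50:04", "10.0.0.23", "bob"),
    ("2016-04-28 12:50:07", "10.0.0.23", "alice"),  # same account again: not a new user
    ("2016-04-28 12:50:09", "10.0.0.23", "carol"),  # third distinct account -> alert
    ("2016-04-28 12:50:30", "10.0.0.42", "dave"),   # unrelated IP
    ("2016-04-28 12:56:00", "10.0.0.23", "erin"),   # earlier entries have aged out
]


def detect_password_spray(
    events: List[Tuple[str, str, str]],
    distinct_users: int = 3,
    window: timedelta = timedelta(minutes=5),
) -> List[Tuple[datetime, str, List[str]]]:
    """Return (alert_time, source_ip, sorted_users) for each IP whose failures
    cover >= distinct_users accounts inside the window. One alert per IP per
    window so a long spray does not page on every additional event."""
    per_ip: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerted_until: Dict[str, datetime] = {}
    alerts = []
    for ts_str, ip, user in events:
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        q = per_ip[ip]
        q.append((ts, user))
        # Drop entries that fell out of the window; deque keeps them in time order.
        while q and ts - q[0][0] > window:
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= distinct_users and alerted_until.get(ip, datetime.min) <= ts:
            alerts.append((ts, ip, sorted(users)))
            alerted_until[ip] = ts + window
    return alerts


if __name__ == "__main__":
    for when, ip, users in detect_password_spray(EVENTS):
        print(f"{when} {ip} failed logons for {len(users)} accounts: {', '.join(users)}")
```

Counting distinct accounts rather than raw failures is what separates this from a per-account lockout rule: a spray of one guess per user never trips lockout, but it does push the distinct-user count up. If the source field is a NAT gateway or a Citrix host, expect the threshold to need raising or an exception list.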
Finding PowerShell activity with LEM
How can you use LEM (nDepth?) to locate servers or desktops that have initiated a powershell instance/script?
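Whichever tool runs the search, the matching logic looks like the following added example (not part of the original post and not an nDepth query): take process-creation records, match the image name against the PowerShell hosts, and decode any -EncodedCommand argument so the reviewer sees the script rather than a base64 blob. The events are constructed and the field names are an assumption modelled on Windows 4688 (NewProcessName, CommandLine); command-line logging for 4688 has to be enabled on the endpoint for the second half to have anything to work with.

```python
"""Find PowerShell launches in process-creation events and decode
-EncodedCommand payloads. Added example; not LEM code. Field names follow
Windows 4688 as an assumption; the events are constructed."""
import base64
import ntpath
import re
from typing import Dict, List, Optional

POWERSHELL_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}

# powershell.exe accepts abbreviated switch names; cover the common ones.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
HIDDEN_RE = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden")

# Constructed 4688-style events (a real feed carries many more fields).
EVENTS: List[Dict[str, str]] = [
    {"host": "WS01",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
    {"host": "SRV02",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"host": "WS03",
     "NewProcessName": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.EXE",
     "CommandLine": "PowerShell.EXE -w hidden -enc "
                    + base64.b64encode("Get-Process".encode("utf-16-le")).decode()},
]


def is_powershell(event: Dict[str, str]) -> bool:
    """Match on the image basename, case-insensitively, so path and case variants count."""
    return ntpath.basename(event.get("NewProcessName", "")).lower() in POWERSHELL_HOSTS


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand script, or None if absent/undecodable.
    PowerShell encodes the script as base64 over UTF-16LE."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # bad padding or not UTF-16LE: escalate the raw blob instead


def find_powershell_activity(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    findings = []
    for ev in events:
        if not is_powershell(ev):
            continue
        cmd = ev.get("CommandLine", "")
        findings.append({
            "host": ev["host"],
            "hidden_window": bool(HIDDEN_RE.search(cmd)),
            "decoded": decode_encoded_command(cmd),
            "command_line": cmd,
        })
    return findings


if __name__ == "__main__":
    for f in find_powershell_activity(EVENTS):
        print(f["host"], "hidden" if f["hidden_window"] else "visible", f["decoded"] or f["command_line"])
```

Matching on the image name catches interactive and scripted launches alike; to separate the two, the parent process and the presence of -File, -Command or an encoded command are the usual discriminators. Renamed copies of powershell.exe slip past a basename check, which is why 4104 script-block logging is the complementary source when it is available.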
Cisco ASA and syslog severity levels
What severity level is recommended for Cisco ASA? Thoughts? We are seeing dropped connections and this feels informational.
SolarWinds appears to recommend "debugging"?
Integrate Cisco network devices with SolarWinds LEM - SolarWinds Worldwide, LLC. Help and Support
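To see what a given trap level actually lets through, here is an added example that is not part of the original post or of the SolarWinds or Cisco documentation: it parses the level and message ID that ASA embeds in every message tag (%ASA-<level>-<id>) and filters a handful of constructed lines the way `logging trap <level>` would. The sample lines are constructed, the message IDs in them are illustrative, and the syslog-header prefix on the first line is an assumption about how a forwarded line looks.

```python
"""Parse Cisco ASA message tags and apply a logging-trap threshold.
Added example, not vendor code. Sample lines are constructed and the
message IDs in them are illustrative."""
import re
from typing import Dict, List, Optional

# The tag carries its own level; do not rely on the syslog PRI, which relays may rewrite.
ASA_TAG = re.compile(r"%ASA-(\d)-(\d{6}):\s*(.*)")

LEVEL_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
               4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Constructed lines; the first includes an assumed syslog header in front of the tag.
SAMPLES = [
    "<166>Apr 28 2016 12:50:08 fw01 : %ASA-6-302014: Teardown TCP connection 12345 for "
    "outside:203.0.113.5/443 to inside:10.0.0.7/51234 duration 0:00:05 bytes 1024 TCP FINs",
    "%ASA-4-106023: Deny tcp src outside:198.51.100.9/40000 dst inside:10.0.0.8/445 "
    "by access-group \"outside_in\"",
    "%ASA-7-710005: UDP request discarded from 10.0.0.9/137 to inside:10.0.0.1/137",
    "%ASA-3-313001: Denied ICMP type=8, code=0 from 198.51.100.9 on interface outside",
]


def parse_asa(line: str) -> Optional[Dict[str, object]]:
    """Extract level, level name, message ID and text; None for non-ASA lines."""
    m = ASA_TAG.search(line)
    if not m:
        return None
    level = int(m.group(1))
    return {"level": level, "name": LEVEL_NAMES[level],
            "msg_id": m.group(2), "text": m.group(3)}


def passes(parsed: Dict[str, object], logging_level: int) -> bool:
    """'logging trap N' forwards level N and anything more severe (lower number)."""
    return int(parsed["level"]) <= logging_level


def messages_at(lines: List[str], logging_level: int) -> List[str]:
    """Message IDs that would reach the collector at the given trap level."""
    return [str(p["msg_id"]) for p in map(parse_asa, lines) if p and passes(p, logging_level)]


if __name__ == "__main__":
    for lvl in (4, 6, 7):
        print(f"logging trap {lvl} ({LEVEL_NAMES[lvl]}): {messages_at(SAMPLES, lvl)}")
```

Connection build-up and teardown messages sit at level 6, so a trap level of informational keeps them and debugging adds only the level-7 messages on top; choosing between the two is a volume decision, and per-message `logging message <id> level <n>` on the ASA can reclassify individual IDs rather than moving the whole threshold.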
Top 6 SANS Essential Categories of Log Reports 2013 in LEM
SANS released an updated list of their critical log categories recently. Some good recommendations, especially if you're new to log management.
The 6 Categories of Critical Log Information
How easily can these be achieved using LEM?
Can the LEM team include them in the LEM ready-made filters as a new filter group, for example?
OT, SANS also had their top 20 critical security controls last year. I think it's a good marketing opportunity for SolarWinds to show how their products can be used to achieve these controls.