Channel: THWACK: Popular Discussions - Security Event Manager (SEM) - Formerly Log & Event Manager

LEm with Cisco Firepower / Firesight syslog


Hi,

 

I have a Cisco Firepower virtual appliance and am trying to see its logs in LEM. I have configured Syslog as described here: Configure a FireSIGHT System to Send Alerts to an External Syslog Server - Cisco

 

On the LEM side, I cannot find any logs or information. I tried to reconfigure the connector, but without success.

 

Has anyone installed LEM with Firepower?

 

More info:

 

ASA with FP module - connects to the Firepower appliance

Firepower appliance - same VLAN as the ASA and LEM

 

 

Regards,

 

JS


Possible to monitor disk space remaining?


I'm currently using EventSentry to alert me if drives on Windows 2008/2012 virtual machines are running below 5% available space. Can I use LEM to replace EventSentry?

How to update LEM agent when changing host IP?


Hi All,

 

How can I update the LEM agent config on a Windows Server if I change the server's IP? The new IP is not updated in the Node Manager. Is reinstalling LEM agent the only way to update IP?

Block IP Address on FortiGate's Firewall Failing


Hi everyone,

 

I'm having an issue where I set up a rule to block an IP address using the Block Active Response on SW LEM:

 

Using the Block IP Active Response - SolarWinds Worldwide, LLC. Help and Support

 

The rule fires and we get a pop-up message on the machine receiving the effect of the rule, but the rule's operation fails and shows the following error message in SW LEM:

 

See attachment.

 

I checked my credentials (they have read-write access), I made an SSH connection to the FortiGate (FGT) and it was successful, I changed the SSH port, I unrestricted SSH on the appliance, etc.

 

NOTHING.

 

Any help is appreciated.

 

Thanks!

Windows LEM Agent Issue


On a clean install of agent for Windows x64 on Windows 8.1, I can't get the agent to work. Error as below:

 

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [SpopModule] {main:1} Java version: 1.8.0_131 Java home: C:\WINDOWS\SYSTEM32\ContegoSPOP\jre6.3.1.hotfix5

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [SpopModule] {main:1} Heap: 0.24 GB, cpus: 4

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [SpopModule] {main:1} OS: Windows 8.1;6.3;x86

(Mon Nov 20 16:05:18 SGT 2017) WW:WARNING [LEMSlf4jConfigurationManager] {main:1} Can't load logging prefs classpath*:/debug-default.conf

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [StatusMonitorAndController] {main:1} Starting StatusMonitor

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [SpopModule] {main:1} Event memory was set to: 1000

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [SpopModule] {main:1} Events per queue was set to: 100000

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [SpopModule] {SPOP:9} Starting TriGeo Agent (Release 6.3.1) build [hotfix5]

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [SpopModule] {SPOP:9} build server version string: 6.3.1.hotfix5.831957

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [InDepthConfigProps] {SPOP:9} nDepth enabled via default because InDepthEnable not present

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [InDepthConfigProps] {SPOP:9} indepth.conf not found at C:\WINDOWS\SysWOW64\ContegoSPOP\indepth.conf

(Mon Nov 20 16:05:18 SGT 2017) WW:WARNING [RawDataClient] {SPOP:9} Status Inactive

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [UpdateClient] {SPOP:9} OS signature: Windows 8.1;6.3;x86

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [UpdateClient] {SPOP:9} Update Bootstrap initialized

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [SpopModule] {SPOP:9} Initializing database

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [SpopModule] {SPOP:9} Database Initialized

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [SpopModule] {Initialize Communications:11} Initializing Agent communications

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [SpopModule] {SPOP:9} Initializing ConnectorAPI

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [ConvertToolSettings] {Initialize Connectors:14} adding filename: Windows Active Response.xml

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [ConvertToolSettings] {Initialize Connectors:14} windowstoolfile: Windows Active Response

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [BuffBytesOneReaderOneWriter] {Initialize Communications:11} CommDataQueue BBS configured to queue directory: spop\q\CommDataQueue

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [SpopComm] {Initialize Communications:11} Operating System: Windows 8.1;6.3;x86

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [ConvertToolSettings] {Initialize Connectors:14} adding filename: Windows Active Response.xml

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [ConvertToolSettings] {Initialize Connectors:14} windowstoolfile: Windows Active Response

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [ConnectorControllerModuleImpl] {Initialize Connectors:14} SESSIONS_LOCATION: C:\Windows\SysWOW64\ContegoSPOP\6.3.1.hotfix5\ext\

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [ConnectorControllerModuleImpl] {Initialize Connectors:14} TOOLS_LOCATION: C:\Windows\SysWOW64\ContegoSPOP\6.3.1.hotfix5\ext\

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [ToolManagerImpl] {Initialize Connectors:14} Starting connector Windows Active Response

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [ConvertToolSettings] {Initialize Connectors:14} adding filename: Windows Active Response.xml

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [ConvertToolSettings] {Initialize Connectors:14} windowstoolfile: Windows Active Response

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [ConvertToolSettings] {Initialize Connectors:14} adding filename: Windows Active Response.xml

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [ConvertToolSettings] {Initialize Connectors:14} windowstoolfile: Windows Active Response

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [ComStoreInfo] {Initialize Communications:11} store values: alias: 1112220 trustedStore: spop\hierarchy.trigeo privateStore: spop\private.trigeo

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [WindowsCommandsSession] {Initialize Connectors:14} Windows Actions Loaded

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [ToolManagerImpl] {Initialize Connectors:14} Connector Windows Active Response started: true

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [SpopModule] {Initialize Connectors:14} Initializing FAST

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [FastCenter] {Initialize Connectors:14} Initializing

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [ComModule] {ComModuleSpop:18} We are not installed yet, certificates missing

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [FastCenter] {Initialize Connectors:14} Loaded connector pack : C:\WINDOWS\SysWOW64\ContegoSPOP\tools\ntapplication.xml

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [FastCenter] {Initialize Connectors:14} Loaded connector pack : C:\WINDOWS\SysWOW64\ContegoSPOP\tools\ntsecurity.xml

(Mon Nov 20 16:05:19 SGT 2017) II:INFO [ComModuleSpop] {ComModuleSpop:18} autoInstall: name=win-vlsespa3iqs, ipAddress=169.254.129.232, eventAddress=/169.254.129.232

(Mon Nov 20 16:05:19 SGT 2017) WW:WARNING [NioComNetworkParent] {ComModuleSpop:18} Making install request to: 10.14.2.71

(Mon Nov 20 16:05:19 SGT 2017) II:INFO [FastCenter] {Initialize Connectors:14} Loaded connector pack : C:\WINDOWS\SysWOW64\ContegoSPOP\tools\ntsystem.xml

(Mon Nov 20 16:05:19 SGT 2017) II:INFO [FastCenter] {Initialize Connectors:14} Loaded connector pack : C:\WINDOWS\SysWOW64\ContegoSPOP\tools\vistasecurity.xml

(Mon Nov 20 16:05:19 SGT 2017) II:INFO [FastCenter] {Initialize Connectors:14} Online

(Mon Nov 20 16:05:19 SGT 2017) II:INFO [ComNetworkParent] {ComModuleSpop:18} bound to local port: 0

(Mon Nov 20 16:06:19 SGT 2017) EE:ERR [NioComNetworkParent] {ComModuleSpop:18} EXCEPTION: {}

java.io.EOFException: null

    at java.io.ObjectInputStream$BlockDataInputStream.peekByte(ObjectInputStream.java:2917)

    at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1502)

    at java.io.ObjectInputStream.readObject(ObjectInputStream.java:422)

    at com.trigeo.core.communications.common.ComNetworkParent.writeMessageToCommandChannel(ComNetworkParent.java:639)

    at com.trigeo.core.communications.common.ComNetworkParent.sendInstallRequestAndWaitForResponse(ComNetworkParent.java:167)

    at com.trigeo.core.communications.common.ComNetworkParent.installRequest(ComNetworkParent.java:137)

    at com.trigeo.core.communications.spop.ComModuleSpop.autoInstall(ComModuleSpop.java:310)

    at com.trigeo.core.communications.spop.ComModuleSpop.doInstall(ComModuleSpop.java:443)

    at com.trigeo.core.communications.common.ComModule.setUp(ComModule.java:212)

    at com.trigeo.core.communications.spop.ComModuleSpop.run(ComModuleSpop.java:516)

    at java.lang.Thread.run(Thread.java:748)

    at com.trigeo.util.TriGeoThread.run(TriGeoThread.java:52)

(Mon Nov 20 16:06:19 SGT 2017) WW:WARNING [NioComNetworkParent] {ComModuleSpop:18} Install request completed (not installed)

(Mon Nov 20 16:06:49 SGT 2017) WW:WARNING [NioComNetworkParent] {ComModuleSpop:18} Making install request to: 10.14.2.71

(Mon Nov 20 16:06:49 SGT 2017) II:INFO [ComNetworkParent] {ComModuleSpop:18} bound to local port: 0

(Mon Nov 20 16:07:48 SGT 2017) EE:ERR [NioComNetworkParent] {ComModuleSpop:18} EXCEPTION: {}

java.io.EOFException: null

    at java.io.ObjectInputStream$BlockDataInputStream.peekByte(ObjectInputStream.java:2917)

    at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1502)

    at java.io.ObjectInputStream.readObject(ObjectInputStream.java:422)

    at com.trigeo.core.communications.common.ComNetworkParent.writeMessageToCommandChannel(ComNetworkParent.java:639)

    at com.trigeo.core.communications.common.ComNetworkParent.sendInstallRequestAndWaitForResponse(ComNetworkParent.java:167)

    at com.trigeo.core.communications.common.ComNetworkParent.installRequest(ComNetworkParent.java:137)

    at com.trigeo.core.communications.spop.ComModuleSpop.autoInstall(ComModuleSpop.java:310)

    at com.trigeo.core.communications.spop.ComModuleSpop.doInstall(ComModuleSpop.java:443)

    at com.trigeo.core.communications.common.ComModule.setUp(ComModule.java:212)

    at com.trigeo.core.communications.spop.ComModuleSpop.run(ComModuleSpop.java:516)

    at java.lang.Thread.run(Thread.java:748)

    at com.trigeo.util.TriGeoThread.run(TriGeoThread.java:52)

(Mon Nov 20 16:07:48 SGT 2017) WW:WARNING [NioComNetworkParent] {ComModuleSpop:18} Install request completed (not installed)

(Mon Nov 20 16:08:48 SGT 2017) WW:WARNING [NioComNetworkParent] {ComModuleSpop:18} Making install request to: 10.14.2.71

(Mon Nov 20 16:08:48 SGT 2017) II:INFO [ComNetworkParent] {ComModuleSpop:18} bound to local port: 0

(Mon Nov 20 16:09:48 SGT 2017) EE:ERR [NioComNetworkParent] {ComModuleSpop:18} EXCEPTION: {}

java.io.EOFException: null

    at java.io.ObjectInputStream$BlockDataInputStream.peekByte(ObjectInputStream.java:2917)

    at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1502)

    at java.io.ObjectInputStream.readObject(ObjectInputStream.java:422)

    at com.trigeo.core.communications.common.ComNetworkParent.writeMessageToCommandChannel(ComNetworkParent.java:639)

    at com.trigeo.core.communications.common.ComNetworkParent.sendInstallRequestAndWaitForResponse(ComNetworkParent.java:167)

    at com.trigeo.core.communications.common.ComNetworkParent.installRequest(ComNetworkParent.java:137)

    at com.trigeo.core.communications.spop.ComModuleSpop.autoInstall(ComModuleSpop.java:310)

    at com.trigeo.core.communications.spop.ComModuleSpop.doInstall(ComModuleSpop.java:443)

    at com.trigeo.core.communications.common.ComModule.setUp(ComModule.java:212)

    at com.trigeo.core.communications.spop.ComModuleSpop.run(ComModuleSpop.java:516)

    at java.lang.Thread.run(Thread.java:748)

    at com.trigeo.util.TriGeoThread.run(TriGeoThread.java:52)

(Mon Nov 20 16:09:48 SGT 2017) WW:WARNING [NioComNetworkParent] {ComModuleSpop:18} Install request completed (not installed)

(Mon Nov 20 16:11:48 SGT 2017) WW:WARNING [NioComNetworkParent] {ComModuleSpop:18} Making install request to: 10.14.2.71

(Mon Nov 20 16:11:48 SGT 2017) II:INFO [ComNetworkParent] {ComModuleSpop:18} bound to local port: 0

(Mon Nov 20 16:13:39 SGT 2017) EE:ERR [NioComNetworkParent] {ComModuleSpop:18} EXCEPTION: {}

java.io.EOFException: null

    at java.io.ObjectInputStream$BlockDataInputStream.peekByte(ObjectInputStream.java:2917)

    at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1502)

    at java.io.ObjectInputStream.readObject(ObjectInputStream.java:422)

    at com.trigeo.core.communications.common.ComNetworkParent.writeMessageToCommandChannel(ComNetworkParent.java:639)

    at com.trigeo.core.communications.common.ComNetworkParent.sendInstallRequestAndWaitForResponse(ComNetworkParent.java:167)

    at com.trigeo.core.communications.common.ComNetworkParent.installRequest(ComNetworkParent.java:137)

    at com.trigeo.core.communications.spop.ComModuleSpop.autoInstall(ComModuleSpop.java:310)

    at com.trigeo.core.communications.spop.ComModuleSpop.doInstall(ComModuleSpop.java:443)

    at com.trigeo.core.communications.common.ComModule.setUp(ComModule.java:212)

    at com.trigeo.core.communications.spop.ComModuleSpop.run(ComModuleSpop.java:516)

    at java.lang.Thread.run(Thread.java:748)

    at com.trigeo.util.TriGeoThread.run(TriGeoThread.java:52)

(Mon Nov 20 16:13:39 SGT 2017) WW:WARNING [NioComNetworkParent] {ComModuleSpop:18} Install request completed (not installed)

(Mon Nov 20 16:17:39 SGT 2017) WW:WARNING [NioComNetworkParent] {ComModuleSpop:18} Making install request to: 10.14.2.71

(Mon Nov 20 16:17:39 SGT 2017) II:INFO [ComNetworkParent] {ComModuleSpop:18} bound to local port: 0

(Mon Nov 20 16:18:39 SGT 2017) EE:ERR [NioComNetworkParent] {ComModuleSpop:18} EXCEPTION: {}

java.io.EOFException: null

    at java.io.ObjectInputStream$BlockDataInputStream.peekByte(ObjectInputStream.java:2917)

    at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1502)

    at java.io.ObjectInputStream.readObject(ObjectInputStream.java:422)

    at com.trigeo.core.communications.common.ComNetworkParent.writeMessageToCommandChannel(ComNetworkParent.java:639)

    at com.trigeo.core.communications.common.ComNetworkParent.sendInstallRequestAndWaitForResponse(ComNetworkParent.java:167)

    at com.trigeo.core.communications.common.ComNetworkParent.installRequest(ComNetworkParent.java:137)

    at com.trigeo.core.communications.spop.ComModuleSpop.autoInstall(ComModuleSpop.java:310)

    at com.trigeo.core.communications.spop.ComModuleSpop.doInstall(ComModuleSpop.java:443)

    at com.trigeo.core.communications.common.ComModule.setUp(ComModule.java:212)

    at com.trigeo.core.communications.spop.ComModuleSpop.run(ComModuleSpop.java:516)

    at java.lang.Thread.run(Thread.java:748)

    at com.trigeo.util.TriGeoThread.run(TriGeoThread.java:52)

(Mon Nov 20 16:18:39 SGT 2017) WW:WARNING [NioComNetworkParent] {ComModuleSpop:18} Install request completed (not installed)

What's the difference between SolarWinds LEM and SIEM?


We currently use Log & Event Manager (LEM) and came across their Security Information & Event Management (SIEM) tool. The product pages are mostly buzzwords, and both use pictures and videos showing the LEM interface. Google doesn't help much, so I'm wondering if anyone knows the difference between LEM and SIEM?

 

I can't tell if SIEM is just an add-on for LEM, if it's LEM but rebranded, or if they have completely different uses.

File monitoring on Linux


Hey guys,

 

What connector would you guys use to monitor changes made to a file on a Linux host? Specifically a log file.

 

I would like to be able to generate events noting the changes made to said file. Is there a connector that can handle this?

 

Thanks,

Diogenes

Auditing Group Policy Changes


Hi,

 

Can anyone tell me how to set up a rule to track group policy changes? This is for tracking admin users who modify a Group Policy Object (I am not talking about creating a new one or renaming an existing one).

 

I would like the rule to email with the following information:

 

User who changed it, Time of change and Group Policy Object modified.

 

Thanks


Group Alert SNMP Configuration


Is there a way to create a group SNMP alert? From what we are seeing, based on our install of SolarWinds, we are only able to create an SNMP send alert within each alert string. Is there a way to create a top-level SNMP trigger, so we can send it to our Spectrum server? Or does each one have to be created individually?

Secondly and thirdly, if the answer is "yes", can we get pointed in the right direction for an answer? Or even pointed to the all-encompassing book/location that discusses how to do things such as create SNMP sends and get the data sent over to our Spectrum server?

 

Thank you

D.R.

LEM Agents Remote Deployment


Hi there,

 

I am trying to install LEM agents remotely on Windows machines using the Windows remote agent installer. The machines I am trying to install agents on were not found automatically by the agent installer, so I used "get hosts from a text file", where I typed the IP addresses of the machines. The agents are installed successfully, but I can't see them in the nodes console. Even the agents on machines that were found automatically were installed successfully, but I can't see them in the nodes console either.

 

Thanks for your help in advance.   

Does LEM offer a generic txt/log file connector that we can use to collect log data from any 3rd party application?


Almost like the McAfee Connector.  I basically just point it to the scan.log and can receive the data that populates in the log file.

Multiple Failed Login attempts by different users but same IP


Does anyone know how to set up a filter and/or rule that will notice multiple failed login attempts by multiple users (before account lockout) originating from the same IP within a certain time frame?

 

Thanks,

Jeremy
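The detection the question describes, as an added example that is not part of the original post and is not SolarWinds LEM rule syntax: a sliding window per source IP that alerts once the number of distinct accounts failing to log on from that IP reaches a threshold. The pipe-separated event format, the sample events and the thresholds are constructed assumptions; in LEM the equivalent would be a rule over logon-failure events grouped by source machine.

```python
"""Flag one source IP failing to log on as several different accounts
within a short window, before any single account reaches its lockout
threshold. Added example; not code from the THWACK post or from LEM.
The input format ("time|user|src_ip|outcome") and thresholds are
constructed assumptions for the demonstration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: 10.14.2.50 fails against four different accounts
# within two minutes (the pattern being asked about), while 10.14.2.77 is a
# single user mistyping a password twice and then succeeding (should not fire).
SAMPLE_EVENTS = """\
2017-11-20 16:05:01|jsmith|10.14.2.50|failure
2017-11-20 16:05:09|mjones|10.14.2.50|failure
2017-11-20 16:05:15|jsmith|10.14.2.77|failure
2017-11-20 16:05:22|rlee|10.14.2.50|failure
2017-11-20 16:05:40|jsmith|10.14.2.77|failure
2017-11-20 16:06:03|akhan|10.14.2.50|failure
2017-11-20 16:06:30|jsmith|10.14.2.77|success
2017-11-20 16:20:00|bwong|10.14.2.50|failure
"""


def parse_events(text):
    """Parse 'time|user|src_ip|outcome' lines into (datetime, user, ip, outcome)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, src, outcome = line.split("|")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       user.lower(), src, outcome))
    return events


def detect_spray(events, window_seconds=300, min_users=3):
    """Return one alert per source IP the first time it has failed against at
    least `min_users` distinct accounts inside a sliding `window_seconds`
    window. Successful logons are ignored; only failures are counted, so a
    single user retrying their own password never trips the rule."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)      # src_ip -> deque of (ts, user), oldest first
    alerted = set()
    alerts = []
    for ts, user, src, outcome in sorted(events, key=lambda e: e[0]):
        if outcome != "failure":
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_users and src not in alerted:
            alerted.add(src)
            alerts.append({"src_ip": src, "first_seen": q[0][0],
                           "last_seen": ts, "users": sorted(users)})
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_events(SAMPLE_EVENTS)):
        print(f"{alert['src_ip']}: {len(alert['users'])} accounts "
              f"{alert['first_seen']:%H:%M:%S}-{alert['last_seen']:%H:%M:%S} "
              f"{alert['users']}")
```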

Monitor ExtendedEvents and SQLAudits in SQL Server


There is a good discussion on how to use an old deprecated approach to monitoring SQL Server (audits) that uses a trace (SQLAuditor.exe) but the trace misses much of the information required by the STIGs.   Meanwhile, with the STIG, we generate a great deal of information (I've seen it reach 20 GIG a day but we found a way to reduce that) and we are looking for a tool that will help us monitor the massive amount of audit files (*.sqlaudit and *.xel) that SQL Server 2016 generates.   The trace is cool -  I like it, but unfortunately, it doesn't meet the requirement of the STIGs for SQL 2016.

 

What am I missing?

Configure LEM as a SYSLOG Server


Hi,

 

I am currently configuring LEM to monitor a small industrial network (containing 12 devices).

 

Firstly, can someone please confirm that LEM is capable of receiving SYSLOG data?

If so, is this a generic acceptance, or does the device have to be configured as an "Appliance -> Tool"?

 

I am trying to receive SYSLOG entries from 2 firewalls (Hirschmann Eagle 20 Tofino firewalls).

These firewalls allow me to set a SYSLOG server address, Source Port and Destination Port (the latter two both set as 514). Along with a choice of UDP, TCP & TLS.

 

I have previously had to perform a sensor tool upgrade to be able to get information from a similar firewall (Hirschmann Eagle 20 firewall); do I need to get a new tool update?

I've attached the XML file used to update the LEM for the previous firewall; this is still installed but does not function with the new firewalls.

 

Lastly, I have confirmed that the firewall SYSLOG functionality performs correctly by using a trial version of Kiwi, which displayed the entries with no problems.

 

Any help or information is much appreciated.

 

Thanks for reading,

Lewis

How to capture failed 'Run as Administrator' events on a Windows domain?


Does anyone have insight into how MS Audit Policy can be used to capture failed 'Run as Administrator' attempts without having to install LEM agents on all workstations?

 

I've been attempting to capture these events for a couple days now and can't figure out how or if it can be done.  We currently have our Default Domain Controller Audit Policy set to capture both successful and failed Logon events.  Standard user logon failures are being captured just fine in both the Security Event logs on our DCs and in LEM.  However, failed authentications using the Windows 'Run as Administrator' feature don't seem to be captured anywhere on our DCs and, therefore, in LEM either.  I would think that these types of authentication events would have to be capable of being logged on the DCs if the account being used in the 'Run as' box is a domain account.  We tried setting the Special Logon policy to success and failure as well, but this also failed to capture the events in question.

 

Does anyone have experience with this particular issue?  Any help would be greatly appreciated.

 

If a workstation was compromised and someone was banging away on an elevated account via the 'Run as' command, it would be nice to be notified with more than just the account lockout event since the account lockout event wouldn't necessarily be from the same device that the failed authentication attempts were from.

 

Thanks!


Logon failed while running LEM reports


Hi, after installing Log and Event Manager Reports, while running a report it's showing this error: "Logon failed. Error code: -2147189176". What is this error, and how can it be resolved so I can run reports?

LEM: Temp filesystem is over 90% full


I'm new at managing our company's Log & Event Manager application and am trying to discover the cause of a problem that I've noticed over the past couple of days where LEM will display an incident notification stating "managermonitor warning! disk usage: the temp filesystem is over 90% full". The incident can be viewed under the Security > Incidents filter.

 

I've figured out how to clear the temp directory and was able to do so successfully yesterday. Upon arriving to work this morning, I noticed that the temp directory is full again, but I don't know why.

 

Here is the output of the diskusage command.

 

cmc> appliance

cmc::acm# diskusage

Checking Disk Usage (this could take a moment)... ....oo.oo.oo.oo.oo.oo.oo.

Partition Disk Usage:

        LEM:             43% (1.2G/3.0G)

        OS:              46% (1.3G/3.0G)

        Logs/Data:       90% (199G/234G)

        Temp:            95% (5.3G/5.9G)

Database Queue(s): 5.1G (12679286 alerts queued, 187196 alerts waiting in memory)

Rules Queue: 2.1M (0 alerts queued, 0 alerts waiting in memory)

Console Queue: 2.1M (0 alerts queued, 0 alerts waiting in memory)

DataCenter Queue: 2.1M (0 alerts queued, 0 alerts waiting in memory)

EPIC Rules Queue: 2.1M (0 alerts queued, 0 alerts waiting in memory)

Forensic Database Queue: 2.1M (0 data queued, 0 data items waiting in memory)

Logs: 11G

Tool Profiles Message Queue: 2.1M (0 alerts queued, 0 alerts waiting in memory)

 

When I use the cleantemp command and look through the directories in /tmp, I see that only one of the directories holds nearly all of the data that is filling up the temp space. That directory is called "Standard_Local_Database". It now contains 641 ".qa" files after having been cleared out around 24 hours ago. Based on the timestamps, it appears that a new file is created and stored here once per minute.

 

What is the best course of action for troubleshooting what's causing the temp directory to fill up so quickly? Thanks.

4656 event log with FIM on windows 7 machine filter


I get the event below from a Windows 7 workstation frequently. Thoughts?

 

Event Field: Information
OperationType: ObjectOpenFailure
AccessProperties: Mask: -
ServingProcess: {0x314,0}
OperationID: {00000000-0000-0000-0000-000000000000}
ObjectHandleID: 0x0
ObjectName: PlugPlaySecurityObject
ObjectType: Security
ObjectServer: PlugPlayManager
PrivilegesExercised: 0x2
AccessRequested: Unknown specific access (bit 1)
DestinationLogonID: (empty)
DestinationDomain: (empty)
DestinationAccount: (empty)
SourceLogonID: 0x2cebe
SourceDomain: BBBBBBB
SourceAccount: ZZZZZZZ
ExtraneousInfo: (empty)
ProviderSID: Microsoft-Windows-Security-Auditing 4656
InferenceRule: (empty)
ToolAlias: Vista Security
Severity: 3
DetectionTime: 12:50:08 Thu Apr 28 2016
InsertionTime: 12:50:09 Thu Apr 28 2016
DetectionIP: XXXXXX
Manager: YYYYYYY
InsertionIP: XXXXXX
EventInfo: Object open failed "PlugPlayManager (Security) PlugPlaySecurityObject"
Event Name: ObjectAuditFailure

FIM driver stopped and disabled on startup


I'm getting this FIM error, "Driver stopped and disabled on startup", from one Windows node. Can anyone suggest a solution for this issue?

FIM Alerts for PCI compliance


I am having difficulty finding information on what alerts need to be given from LEM to satisfy our auditors. I am aware of what needs to be monitored and have my LEM set up for monitoring.

It is the alerting I am having issues with. What alerts need to be given, specifically? I know: any monitored file change, or read or write, or permission change, but that would be several thousand alerts a day.

As an example, I have a file server. I have the FIM connector set up with the PCI template (C:\, Windows, System32 for ini, exe, dll, bat and such), C:\Program Files, and 2 directories which hold PCI data.

Directory 1.) Holds credit card data. Auditors say we must monitor for all file reads, creates, writes and deletes and permission changes. Hundreds of FIM events per day just for this directory.

Directory 2.) Holds voice recording files. Auditors also say we must monitor for all file reads, creates, writes and deletes and permission changes. There is an automated process that downloads, extracts, then copies fresh voice files into the monitored directory. We are a call center; thousands of calls per day generate thousands of voice files. These files generate logs that the files are created first as .tmp files, then new permissions are assigned to them (inherited from directory permissions).

To make a long story short, the auditors only repeat like parrots that all file reads, creates, writes and deletes must generate an alert, and I have no idea what I can exclude and still keep them happy.

I appreciate any direction on this; we are really stuck.

 

EZguine
