Channel: THWACK: Popular Discussions - Security Event Manager (SEM) - Formerly Log & Event Manager

Connector Updates failing

Just recently I have been receiving an error when attempting to update my connectors. The error reads:

"Error while updating connectors for manager"

When I click Show More, I get:

"Synchronization with connectors repository has failed."

When I do a search in nDepth, the ExtraneousInfo section shows:

"Repository synchronization failed, probably offline"

This has worked in the past. My Threat Intelligence updates still work. There have been no firewall changes in the recent past.

Any thoughts or suggestions would be appreciated.

Thanks!


LEM with Cisco Firepower / FireSIGHT syslog

Hi,

I have a Cisco Firepower virtual appliance and am trying to see its logs in LEM. I have configured syslog as described here: Configure a FireSIGHT System to Send Alerts to an External Syslog Server - Cisco

On the LEM side, I cannot find any logs or information. I tried to reconfigure the connector, but without success.

Has anyone installed LEM with Firepower?

More info:

ASA with FP module - connects to Firepower appliance

Firepower appliance - same VLAN as ASA and LEM

Regards,

JS

Top 6 SANS Essential Categories of Log Reports 2013 in LEM

SANS released an updated list of their critical log categories recently. Some good recommendations, especially if you're new to log management.

The 6 Categories of Critical Log Information

How easily can these be achieved using LEM?

Can the LEM team include them in the LEM ready-made filters as a new filter group, for example?

OT, SANS also had their top 20 critical security controls last year. I think it's a good marketing opportunity for SolarWinds to show how their products can be used to achieve these controls.

http://www.sans.org/critical-security-controls/

Sending syslog/events from Bit9 Parity to SolarWinds LEM

Has anyone had success doing this? We are having a hard time making this work.

F5 ASM and LEM - is there a connector?

Anyone aware of a connector being available for LEM for F5 ASM? It could be great to get all the WAF logging over to LEM as opposed to just the management and LTM traffic.

If there isn't one, anyone out there have suggestions or experience in rigging up something different in LEM to capture these logs?

Thanks!

LEM v6.3.1 HOT FIX 4 IS NOW AVAILABLE

Download Available:

http://downloads.solarwinds.com/solarwinds/Release/HotFix/SolarWinds-LEM-v6.3.1-Hotfix4.zip

Hotfix 4 addresses the following issues:

  • Multiple vulnerability issues
  • Agent-Manager connection timeouts
  • Incorrect free disk space values when raw logging is enabled
  • Some log connectors running slowly

To Install Hotfix 4 on the LEM Appliance:

1. Using the LEM Console or an SSH client (such as PuTTY), log in to CMC.
    a. At the cmc> prompt, enter: manager
    b. At the cmc::manager# prompt, enter: hotfix

2. Follow the instructions on your screen, providing the network path to your Hotfix 4 files and the appropriate credentials with Read access to this path.
    a. For example: \\server\share\unzipped_hotfix_folder\hotfix
    b. If you receive a message stating that no upgrades were found, ensure that you entered the correct path to the files. When completed, a cmc: prompt appears.

3. Reboot the appliance.
    a. Exit the cmc::manager# prompt, or at the cmc# prompt, enter: appliance
    b. At the prompt, enter: reboot

To install Hotfix 4 on the LEM Agents, use one of the following methods:

1. Use the auto-upgrade feature to automatically upgrade Agents if the feature is enabled.

2. If the auto-upgrade feature is disabled, or if there are communication issues between agents and the LEM Manager, follow the manual installation steps included in the "Install Hotfix 4 on Agents (manual steps)" section of the ReadMe included in the hotfix download.

Mitigation and Upgrades

To mitigate these issues, SolarWinds recommends upgrading to the latest version of LEM, v6.3.1 & applying Hotfix 4. SolarWinds also recommends changing the CMC password to ensure default credentials are not in use.

Vulnerability Overview

As of the date of this announcement, SolarWinds is not aware of any instance where a vulnerability remedied in Hotfix 4 has been actively exploited.

Common Vulnerabilities and Exposures (CVE) identifiers for the vulnerabilities remedied are not available at the time of this announcement, but will be added once assigned by a CVE Numbering Authority.

Credit Statement

SolarWinds would like to credit Baker Hamilton at Bishop Fox, Matt Bergin & Hank Leininger at KoreLogic & Mehmet Ince for reporting these vulnerabilities.

To report a potential vulnerability to SolarWinds, please email PSIRT@solarwinds.com

Descriptions

CMC command injection allows an attacker to inject commands to escape the restricted shell.

Arbitrary command injection allows an authenticated user to execute arbitrary commands from the CMC restricted shell - CVE-2017-7647

Access Control allows an authenticated user to browse the LEM server's filesystem and read contents of arbitrary files - CVE-2017-7646

Postgres Database Service allows hardcoded credentials access to the Postgres database service via IPv6. IPv4 is not affected by this vulnerability.

Arbitrary File Read allows an attacker to edit the SSH logon banner & read arbitrary files.

Privilege Escalation allows an attacker to run certain commands as a privileged user - CVE-2017-5198 & CVE-2017-5199.

Cumulative Hotfix

The following fixes from Hotfix 1, Hotfix 2, and Hotfix 3 are also included in this Hotfix:

  • Scheduled nDepth search results limited to 50,000 events.
  • Fixed ImportCert error when importing certificate after command failure.
  • Fixed an issue that displayed the IP address instead of the FQDN/hostname in 'All Installed Agents'.
  • Fixed an issue when an L4 Database appliance started with only 128 MB of memory.
  • Updates the Java platform to the latest version.
  • Fixed an out-of-memory issue that occurs when sending alerts to the console. The fix improves performance when a large number of events are sent to the console.
  • Fixed agent-manager communication issues - periodic disconnect and others.
  • Fixed an issue with nDepth log retention (logging missing date in raw records).
  • Fixed an issue that prevents logging into LEM if using User Principal Name with a custom alias or SAMAccountName with NETBIOS.
  • Added the ability to use sub-alias LDAP environments.
  • Removed field limitations in the normalized alert database.
  • Fixed a logrotate issue that causes connectors to stop working if log lines are too long.
  • Fixed a single sign-on (SSO) issue that occurs if a Kerberos ticket is unusually long because a user belongs to many groups.
  • Added the ability to configure custom LDAP groups for authentication.
  • Set an agent memory limit for agents upgraded from older versions.
  • Fixed other agent-manager communication issues.
  • Additional improvements to assist customer support, including improved logging & added diagnostics.
  • The threat-feeds server certificate changed - LEM cannot download threat-feeds IPs.
  • Unable to use a domain containing a dash in the LDAP configuration.
  • Unable to recover a password when HTTP is disabled.
  • Exceptions during a fast evaluation are not logged.

Notes:

  • This fix is applicable to LEM 6.3.1 only

LEM Licensing

Hi,

New to the LEM licensing concepts, thereby seeking some clarifications here.

Is my understanding correct?

1. One network switch or router consumes 1 node license

2. One security device like a firewall or VPN concentrator consumes 1 node license

3. One Domain Controller server consumes 1 node license

4. One application server with 1 interface also consumes 1 node license

5. One application server with 2 interfaces consumes 2 node licenses??

6. One syslog server consumes 1 node license??

I have referred to the following link but still would like to make sure that I am not undersizing or oversizing the licenses.

SolarWinds Knowledge Base :: How does the LEM Manager use node licenses?

Kindly help clarify.

Regards

LEM Linux Supported Versions

Hi,

Can anyone please confirm that SolarWinds LEM supports openSUSE version 42.0?

Thanks

@jhynds

@prawij


Block IP Address on FortiGate's Firewall Failing

Hi everyone,

I'm having an issue where I set up a rule to block an IP address using the Block Active Response on SW LEM:

Using the Block IP Active Response - SolarWinds Worldwide, LLC. Help and Support

The rule fires, we get a pop-up message on the machine that receives the effect of the rule, but the rule's operation fails and shows the following error message on SW LEM:

See attachment.

I checked my credentials (they have read-write access), I made an SSH connection to the FortiGate (FGT) and it was successful, I changed the SSH port, I unrestricted SSH on the appliance, etc.

NOTHING.

Any help is appreciated.

Thanks!

LEM Linux Agent Installer

What's the required version of Java for the LEM 6.3.1 linux64 agent installer?

Nodes have the agent installed, but no nodes are showing.

I have a trial version of SEM installed as a test. The Windows installer installs OK, the server is configured and can ping IP addresses, but the nodes aren't showing in the GUI.

I've left it around 45 minutes for the nodes to communicate with the server, but they're not there. Do I have to do anything else, such as a reboot?

Need help with correlating two events

We have a client that would like to get emailed alerts when an account with administrative privileges logs in. I've found two events that occur together that indicate the use of an administrative account (Windows Event IDs 4624 and 4672). For example, Event ID 4624 says "Logon "<domain>\ryan.butler"", and Event ID 4672 says "Privilege assigned to new logon "<domain>\ryan.butler"". I would like to build a rule so that if those two events occur for the same username within a short period of time, an email alert is sent. Is there a way to do this? See attached screenshots for the two events.
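One way to express the rule asked for here, shown as an added example that is not a LEM rule and not the poster's code: a small Python correlator that pairs Event ID 4624 and Event ID 4672 for the same account inside a configurable window, regardless of which of the two is seen first. The sample event records, account names and the 30-second window are constructed for illustration.

```python
"""Correlate Windows Security events 4624 (an account was logged on) and 4672
(special privileges assigned to new logon) for the same account inside a short
time window, producing one alert per matched pair.

Added example, not a LEM rule export. Timestamps, account names and the
30-second window are constructed values chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOGON = 4624
PRIV_ASSIGNED = 4672

# Constructed sample stream: (timestamp, event_id, account). In a real feed
# the two events for one logon usually share the same second, as in the
# first two lines.
SAMPLE_EVENTS = [
    ("2016-07-29 08:00:01", LOGON, "CORP\\ryan.butler"),
    ("2016-07-29 08:00:01", PRIV_ASSIGNED, "CORP\\ryan.butler"),
    ("2016-07-29 08:05:10", LOGON, "CORP\\jane.doe"),             # ordinary user, no 4672
    ("2016-07-29 08:10:00", PRIV_ASSIGNED, "CORP\\svc_backup"),   # 4672 seen before its 4624
    ("2016-07-29 08:10:02", LOGON, "CORP\\svc_backup"),
    ("2016-07-29 09:00:00", LOGON, "CORP\\ryan.butler"),
    ("2016-07-29 09:30:00", PRIV_ASSIGNED, "CORP\\ryan.butler"),  # 30 min later: no match
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def correlate_admin_logons(events, window=timedelta(seconds=30)):
    """Return one alert dict per (4624, 4672) pair for the same account within `window`.

    Events are walked in timestamp order. Per account, unmatched events of each
    ID wait in a list; when the partner ID arrives within the window the oldest
    waiting event is consumed and an alert is emitted. Waiting events older than
    the window are dropped, so state stays bounded however long the feed runs.
    The logic is symmetric, so it does not matter which of the two arrives first.
    """
    waiting = defaultdict(lambda: {LOGON: [], PRIV_ASSIGNED: []})
    alerts = []
    for ts_text, event_id, account in sorted(events, key=lambda e: parse_ts(e[0])):
        if event_id not in (LOGON, PRIV_ASSIGNED):
            continue  # the rule only cares about these two IDs
        ts = parse_ts(ts_text)
        partner_id = PRIV_ASSIGNED if event_id == LOGON else LOGON
        bucket = waiting[account]
        # Expire partner candidates that are now outside the window.
        bucket[partner_id] = [t for t in bucket[partner_id] if ts - t <= window]
        if bucket[partner_id]:
            partner_ts = bucket[partner_id].pop(0)
            alerts.append({
                "account": account,
                "first_seen": min(ts, partner_ts),
                "last_seen": max(ts, partner_ts),
                "gap_seconds": abs((ts - partner_ts).total_seconds()),
            })
        else:
            bucket[event_id].append(ts)
    return alerts


if __name__ == "__main__":
    for alert in correlate_admin_logons(SAMPLE_EVENTS):
        print(f"ADMIN LOGON: {alert['account']} at {alert['first_seen']} "
              f"(4624/4672 {alert['gap_seconds']:.0f}s apart)")
```

With the constructed stream this yields two alerts (ryan.butler at 08:00:01 and svc_backup at 08:10:00); the 09:00/09:30 pair is 30 minutes apart and is not matched. A production rule would additionally key on the Logon ID field that both events carry, which avoids mismatches when one account has several concurrent logons.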

Pros & Cons of encrypted (BitLocker) removable media and LEM

Our team has been working on some rules to mitigate threats from removable media. We have had good success with file monitoring, read/writes, and actively responding to executable attempts from flash drives and other removable media. Our point of contention arises when we work to meet another requirement of providing our federal users encrypted removable media. Once we initiate the Group Policy to BitLocker the USB drives, all visibility of read/write cycles and executable attempts on the device is lost to LEM. In other words, once the drive is encrypted we can't see the traffic to and from the drive any longer.

Has anyone else attempted to implement this scenario? Did you have success?

System Audit Policy Changed - 22 alerts

Combed the LEM documentation, couldn't find a clue (it might be in the documentation somewhere; I couldn't find it after an hour of digging).

This morning I got 22 TriGeo alerts in this pattern:

system audit policy changed: logon/logoff (network policy server) at 2016-07-29 04:52:40.0
system audit policy changed: logon/logoff (account lockout) at 2016-07-29 04:52:40.0
system audit policy changed: logon/logoff (ipsec extended mode) at 2016-07-29 04:52:40.0
system audit policy changed: logon/logoff (ipsec quick mode) at 2016-07-29 04:52:40.0

... and so on.

A sampling of the nDepth view of this is attached. (Host name mostly obscured, but I left a little bit visible so we can see that it's the same host.)

Capture.PNG

To me it seems like something restarted and the policies were just enumerated again, or something, but I want to know what is going on. I can't respond to my boss with unconfirmed theories.

Can anyone tell me what this is, or direct me to documentation that explains this?

Thanks

LEM use cases

Hi all,

I'm new to LEM and am considering it as a central console for a future SOC in my current company.

I just want to leave my list of use cases here and share how to realize them in a future "how to".

Don't hesitate to share your use cases (and a description of how you implemented them) that can be useful for the community.

I'd be glad to discuss this topic in as much detail as possible.

So, my list (being updated):

Encryption

  1. Encryption traffic identified (List of sources that are allowed to receive encryption traffic is needed)
  2. SSL-certificate of web-site XXX is expired soon
  3. Remote user (VPN) is trying to use expired SSL-certificate

 

User activity monitoring

  1. Any activity after working hours
  2. New user created (OS/Application/Device): Who (admin/service account name) / where 'who' account created new user (AD, app etc.) / Date:Time when 'who' account entered to the 'where' / Connection type to 'where' (intranet, VPN) / IP:DNS:OS of remote host that was used to connect to 'where' / Object that was read:modified / What exactly was entered / Date:Time of exit:disconnection
  3. User added into Administrative group
  4. User changed his password very soon (X days after last change)
  5. User changed his password during a virus/DDoS/etc. attack
  6. User privileges were changed
  7. User was deleted
  8. Unsuccessful logons more than X times per minute
  9. Unsuccessful logons with expired/blocked credentials more than X times per minute
  10. Successful root (Unix OS) Logon
  11. Root: Logging every command / shell command
  12. Logon without AD/Radius/Kerberos etc. (e.g. local accounts)
  13. Unregistered external device connected
  14. Workstation Logon under one account and then logon to the target system under another (e.g. login attempt not under the account from the list of admins)
  15. Connection via VPN under one account and further access to the target system under another one
  16. Attempt to connect a user to a website with a low reputation
  17. Running a TeamViewer-like connection (notification before connection is established). Attempting to connect to specific ports (TeamViewer = 5938)
  18. Similar account login from different geographical places
  19. Multiple login failures from the same username ip address to the same destination and followed by success
  20. If on leave/ex-employee user credentials have been used in anyway
  21. Frequent admin account logons on the same host
  22. Sudo actions (“sudo: … COMMAND=…” “FAILED su”)
  23. Service failure (“failed” or “failure”)
  24. Changing the user certificate
  25. Authentication with a revoked certificate
  26. User left an office but his account is in use

 

Information systems

  1. Start, stop or pause logging of events on each IS
  2. Create or delete system-level objects, such as database tables or stored procedures
  3. Changing the integrity of files and detecting changes to the event logs
  4. Changing the configuration of the OS and / or service
  5. The time difference between NTP1 and NTP2 compared to an external source is greater than X s
  6. NTP1 / 2 became inaccessible to host
  7. Integration with vulnerability scanners
  8. Increased viral activity -> active sessions on the IP
  9. Exceeding the average load of external channels by 10%
  10. Excess of the average antivirus response rate for a certain period
  11. The rule is triggered on IDS / IPS
  12. XSS Attacks identified
  13. SQL injection identified
  14. Hostile email attachments identified
  15. Restart/Shutdown critical servers
  16. Any config changed
  17. LEM Agent has been tampered
  18. If an infected machine receives an SSH log in attempt
  19. What recent servers were attacked with an exploit against a recent scan of the same server
  20. OS fingerprint event has occurred by an attacker
  21. Auditing has been removed, changed or altered
  22. Access to any device from other than the admin or authorized users
  23. If the firewall has a critical policy change (this differs from one brand to another, as you might not find the same naming of the event in all brands)
  24. If x number of changes have been made on a firewall over x period of time by x user
  25. If machine's time has changed
  26. Track on each new virus detected on the environment

 

Networks

  1. Channels between sites went down
  2. Unsuccessful attempts to connect to a VPN hub
  3. Attempts to break into L2VPN / IPSec tunnels
  4. Network scanning (nmap, scanners, bruteforce, epidemics, DDOS, etc.)
  5. Mass attempts to connect to IS from an untrusted network
  6. Mass attempts to connect to IP with IP not from the whitelist
  7. Installing a VPN connection from untrusted countries
  8. Changing the configuration of network equipment
  9. Ping Sweep
  10. If a new port has opened on the firewall for in/out traffic
  11. If FTP site has been accessed from unknown address
  12. If tunneled data is detected on the network
  13. If RAR files are being continuously uploaded in some fixed partition size format
  14. If online messengers are used to chat and transfer files
  15. If malicious traffic is seen hitting critical servers of the infra
  16. Detecting BitTorrent or P2P traffic
  17. If a remote session was taken to a critical server for more than an hour
  18. Network resources have been accessed in non working hours
  19. Taking SSH, telnet, etc. sessions on a non-standard port
  20. Attacks on internet gateways
  21. Bandwidth and protocol usage (“limit … exceeded”, “CPU utilization”)
  22. Detected attack activity (“attack from”)
  23. Administrator access (“AAA user …”, “User … locked out”, “login failed”)
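Two of the use cases above lend themselves to a concrete check: items 8 and 9 under "User activity monitoring" (more than X unsuccessful logons per minute) and item 19 (repeated failures from one user and source IP to one destination, followed by a success). The following is an added example, not the poster's implementation and not a LEM rule export; the key=value line format and all hostnames, users and addresses are constructed for it.

```python
"""Two logon rules from the use-case list above, implemented over constructed
syslog-style lines: "more than X unsuccessful logons per minute" (items 8/9)
and "multiple failures from the same user and source IP to the same
destination, followed by a success" (item 19).

Added example, not a LEM rule export. The line format (host=/user=/src=/result=
key-value pairs) and all sample values are assumptions made for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: alice fails five times then succeeds (item 19),
# bob fails once then succeeds (benign), carol fails six times in a minute
# with no success (item 8).
SAMPLE_LOG = """\
2016-07-29T04:50:01 host=srv-fs01 user=alice src=10.1.2.3 result=FAILED
2016-07-29T04:50:03 host=srv-fs01 user=alice src=10.1.2.3 result=FAILED
2016-07-29T04:50:04 host=srv-fs01 user=alice src=10.1.2.3 result=FAILED
2016-07-29T04:50:05 host=srv-fs01 user=alice src=10.1.2.3 result=FAILED
2016-07-29T04:50:06 host=srv-fs01 user=alice src=10.1.2.3 result=FAILED
2016-07-29T04:50:09 host=srv-fs01 user=alice src=10.1.2.3 result=SUCCESS
2016-07-29T04:51:00 host=srv-fs01 user=bob src=10.1.2.9 result=FAILED
2016-07-29T04:51:30 host=srv-fs01 user=bob src=10.1.2.9 result=SUCCESS
2016-07-29T05:10:00 host=srv-db01 user=carol src=10.1.2.7 result=FAILED
2016-07-29T05:10:05 host=srv-db01 user=carol src=10.1.2.7 result=FAILED
2016-07-29T05:10:10 host=srv-db01 user=carol src=10.1.2.7 result=FAILED
2016-07-29T05:10:15 host=srv-db01 user=carol src=10.1.2.7 result=FAILED
2016-07-29T05:10:20 host=srv-db01 user=carol src=10.1.2.7 result=FAILED
2016-07-29T05:10:25 host=srv-db01 user=carol src=10.1.2.7 result=FAILED
this line does not match the expected format and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>FAILED|SUCCESS)$"
)


def parse_line(line):
    """Return a dict with a datetime `ts`, or None for lines the rules cannot use."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    return rec


def _key(rec):
    # Correlation key: same account, same source, same destination host.
    return (rec["user"], rec["src"], rec["host"])


def _expire(queue, now, window):
    # Sliding window: discard failures older than `window` relative to `now`.
    while queue and now - queue[0] > window:
        queue.popleft()


def failure_bursts(lines, limit=5, window=timedelta(minutes=1)):
    """Item 8: keys with more than `limit` failed logons inside any `window`."""
    failures = defaultdict(deque)
    flagged = set()
    for rec in filter(None, map(parse_line, lines)):
        if rec["result"] != "FAILED":
            continue
        q = failures[_key(rec)]
        q.append(rec["ts"])
        _expire(q, rec["ts"], window)
        if len(q) > limit:
            flagged.add(_key(rec))
    return flagged


def failures_then_success(lines, threshold=5, window=timedelta(minutes=1)):
    """Item 19: at least `threshold` failures for a key inside `window`, then a success."""
    failures = defaultdict(deque)
    alerts = []
    for rec in filter(None, map(parse_line, lines)):
        q = failures[_key(rec)]
        _expire(q, rec["ts"], window)
        if rec["result"] == "FAILED":
            q.append(rec["ts"])
        else:  # SUCCESS
            if len(q) >= threshold:
                alerts.append({
                    "user": rec["user"], "src": rec["src"], "host": rec["host"],
                    "failures": len(q), "success_at": rec["ts"],
                })
            q.clear()  # a success ends the run either way
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("bursts:", failure_bursts(lines))
    print("then-success:", failures_then_success(lines))
```

On the constructed log, `failure_bursts` flags only carol (six failures in a minute, no success), while `failures_then_success` alerts only on alice (five failures followed by a success); bob's single failure is below both thresholds. Keying on (user, source, host) is what separates item 19 from a plain lockout count, and the deque-per-key sliding window keeps memory bounded by the number of active keys rather than by log volume.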

Can someone help on network anomaly detection, based on NetFlow, using SolarWinds

Can someone help on network anomaly detection, based on NetFlow, using SolarWinds?

How to monitor Windows 10 system processes and services

How to monitor Windows 10 processes and services and stop them using SolarWinds LEM 6.3.1?

Can we prevent the Microsoft zero-day Windows 10 vulnerability by monitoring system processes in LEM?

Login failed LEM reports

I am trying to get all log messages from the LEM reports. I installed the Reports and Crystal runtime file on my computer, which was not a big issue. But every time I try to add a manager I can't ping the connection. It gives me the error that Ping failed. I ignored the ping error and continued to run a report. But then I get this error telling me that the logon failed with an error code.

Logon Failed.PNG

I did some research and found a few things about this issue. I already tried all those things but nothing so far. I am still using the trial version, which I don't think should be the issue.

Need your help guys.

Cisco ASA and syslog severity levels

Threat Intelligence with LEM

How does threat intelligence in LEM work for syslog traffic received from a firewall/UTM?

Does it check IP reputation with an external threat database, or does it download and store the threat database locally on the SIEM?

If it checks with an external database, does it check each source/destination IP every time?

If it has checked the reputation of one IP once and found it good/bad, and a request from the same IP is received in, let's say, 1 hour or so, will it again check with the external database? I mean for every request.

Does it keep a cache of IP reputation? If yes, how frequently is it updated?

Which external threat databases does it check with?
