Channel: THWACK: Popular Discussions - Security Event Manager (SEM) - Formerly Log & Event Manager

LEM Log Retention settings


Hi All,

 

How can I check LEM log retention settings? I've already read some discussion about this and learned that LEM is configured to automatically purge the oldest logs, but how can I check if our LEM appliance can still keep up with our log retention policy (6 months, for example)? I need to check because we are planning to add more nodes to our LEM and we need to make sure that we are not sending more logs than LEM can handle, considering the log retention issue.

 

Thanks!

Nelson
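One way to answer the question for yourself, as an added example (not SolarWinds code and not a LEM feature): since the appliance purges its oldest events once the store is full, the effective retention horizon is simply usable store size divided by bytes written per day, and the same arithmetic tells you how many more nodes fit under a 6-month policy. Every number below is a constructed sample; the store size, per-node event rates and bytes per stored event have to be measured on your own appliance.

```python
"""Retention-horizon estimate for an appliance that purges its oldest events
when the store fills.

Added example, not SolarWinds code.  Every number is a constructed sample:
store size, per-node event rates and bytes per stored event must be measured
on your own appliance before the result means anything.
"""
from dataclasses import dataclass


@dataclass
class NodeClass:
    name: str
    events_per_day: float   # average events one node of this class sends per day
    count: int              # nodes of this class currently reporting


def daily_volume_bytes(nodes, bytes_per_event):
    """Bytes written to the store per day by all nodes."""
    return sum(n.events_per_day * n.count for n in nodes) * bytes_per_event


def retention_days(store_bytes, nodes, bytes_per_event):
    """Days of history the store can hold before the oldest events are purged."""
    volume = daily_volume_bytes(nodes, bytes_per_event)
    return float("inf") if volume == 0 else store_bytes / volume


def meets_policy(store_bytes, nodes, bytes_per_event, policy_days):
    return retention_days(store_bytes, nodes, bytes_per_event) >= policy_days


def max_additional_nodes(store_bytes, nodes, bytes_per_event, new_node, policy_days):
    """How many more nodes like `new_node` fit before retention drops below policy."""
    per_node_bytes = new_node.events_per_day * bytes_per_event
    headroom = store_bytes / policy_days - daily_volume_bytes(nodes, bytes_per_event)
    if headroom <= 0 or per_node_bytes <= 0:
        return 0
    return int(headroom // per_node_bytes)


# Constructed sample environment (not measured from any real appliance).
STORE_BYTES = 1_000_000_000_000          # usable event store, 1 TB
BYTES_PER_EVENT = 500                    # observed store growth per normalized event
CURRENT_NODES = [
    NodeClass("member server", 100_000, 20),
    NodeClass("domain controller", 400_000, 5),
]
POLICY_DAYS = 183                        # "6 months" retention policy
PLANNED_NODE = NodeClass("member server", 100_000, 1)


if __name__ == "__main__":
    days = retention_days(STORE_BYTES, CURRENT_NODES, BYTES_PER_EVENT)
    print(f"current retention horizon: {days:.0f} days (policy {POLICY_DAYS})")
    print("policy met:", meets_policy(STORE_BYTES, CURRENT_NODES, BYTES_PER_EVENT, POLICY_DAYS))
    extra = max_additional_nodes(STORE_BYTES, CURRENT_NODES, BYTES_PER_EVENT, PLANNED_NODE, POLICY_DAYS)
    print(f"member servers that can be added before the policy breaks: {extra}")
```

The useful output is the headroom figure, not the current horizon: with the sample numbers the store holds 500 days today, but only 69 more member servers can be added before a 6-month policy is breached. Re-run it with measured bytes-per-event, since raw logging and nDepth storage change that figure substantially.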


Why no Azure connector for SEM?


So Microsoft allows third parties to get the alert logs forwarded to their respective SIEM systems.

Does Solarwinds offer an Azure connector?

I don't see such a connector so if it exists please point it out to me.

Since I don't see the connector is there any plan to offer one at some point?

Having a central location for alerts would be nice instead of having to log in to Azure to view the logs.

Also, being able to offload to LEM would allow a bit longer storage than the 30-day window.

 

This is what I am referring to:  

Azure Log Integration SIEM configuration steps – Microsoft Azure Security and Compliance

 

A LEM connector would be useful.

How do I configure the SNMP community string for LEM?


I haven't been able to find the setting whereby I can configure the SNMP read-only community string for the LEM appliance, so that I can monitor its health/set up alerting etc through Solarwinds NPM. I looked in the console via SSH but nothing jumped out at me.

 

Has anyone else come upon this issue?

 

Thanks,

Pradeep

FIM Alerts for PCI compliance


I am having difficulty finding information on what alerts need to be given from LEM to satisfy our auditors. I am aware of what needs to be monitored and have my LEM set up for monitoring.

It is the alerting I am having issues with. What alerts need to be given, specifically? I know any monitored file change, or read or write, or permission change, but that would be several thousand alerts a day.

As an example, I have a file server. I have the FIM connector set up with the PCI template (C:\, Windows, System32 for ini, exe, dll, bat and such), C:\Program Files and 2 directories which hold PCI data.

Directory 1.) Holds credit card data. Auditors say we must monitor for all file reads, creates, writes and deletes and permission changes. Hundreds of FIM events per day just for this directory.

Directory 2.) Holds voice recording files. Auditors also say we must monitor for all file reads, creates, writes and deletes and permission changes. There is an automated process that downloads, extracts, then copies fresh voice files into the monitored directory. We are a call center; thousands of calls per day generate thousands of voice files. These files generate logs that the files are created first as .tmp files, then new permissions are assigned to them (inherited from directory permissions).

To make a long story short, the auditors only repeat like parrots that all file reads, creates, writes and deletes must generate an alert, and I have no idea what I can exclude and still keep them happy.

I'd appreciate any direction on this; we are really stuck.

 

EZguine
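An added illustration of the usual way out of this bind (example code, not the LEM FIM connector and not an auditor-approved rule set): keep every FIM event, but suppress the alert only for the one automated pattern the post describes (the ingest process creating a .tmp file and the permission change that follows, under the voice directory, from the ingest service account), and count what was suppressed so the auditor can see it was recorded, not dropped. Everything outside that exact pattern still alerts. Paths, the service account, the process name and the events are constructed.

```python
"""Suppress the alert (not the record) for a known automated write pattern
in a FIM feed, while everything else still alerts.

Added example, not the LEM FIM connector or any auditor-approved rule set.
Paths, the service account, the process name and the events are constructed.
"""
from collections import Counter, namedtuple

FimEvent = namedtuple("FimEvent", "ts path action account process")

VOICE_DIR = r"D:\PCI\voice"                 # constructed; automated ingest lands here
INGEST_ACCOUNT = r"CORP\svc_voice_ingest"   # constructed service account
INGEST_PROCESS = "voiceingest.exe"          # constructed process name


def is_expected_ingest(ev):
    """The exact allow-listed pattern and nothing wider: the ingest account,
    the ingest binary, under the voice directory, and only the create of a
    .tmp file or the permission change that follows it.  Anything under the
    cardholder directory never matches and therefore always alerts."""
    under_voice = ev.path.lower().startswith(VOICE_DIR.lower() + "\\")
    if not (under_voice and ev.account == INGEST_ACCOUNT and ev.process == INGEST_PROCESS):
        return False
    if ev.action == "create":
        return ev.path.lower().endswith(".tmp")
    return ev.action == "permission_change"


def triage(events):
    """Split a FIM feed into events that alert and events that are retained
    in the store without an alert."""
    alerts, retained = [], []
    for ev in events:
        (retained if is_expected_ingest(ev) else alerts).append(ev)
    return alerts, retained


def suppression_summary(retained):
    """Count of suppressed events per action: the figure to hand the auditor
    alongside the retained records."""
    return Counter(ev.action for ev in retained)


SAMPLE_EVENTS = [  # constructed FIM feed for one afternoon
    FimEvent("16:00:01", r"D:\PCI\voice\call_0001.tmp", "create", INGEST_ACCOUNT, INGEST_PROCESS),
    FimEvent("16:00:01", r"D:\PCI\voice\call_0001.tmp", "permission_change", INGEST_ACCOUNT, INGEST_PROCESS),
    FimEvent("16:05:10", r"D:\PCI\voice\call_0001.wav", "read", r"CORP\jdoe", "explorer.exe"),       # human read: alerts
    FimEvent("16:07:30", r"D:\PCI\voice\call_0002.tmp", "create", r"CORP\jdoe", INGEST_PROCESS),       # wrong account: alerts
    FimEvent("16:09:00", r"D:\PCI\cardholder\batch.csv", "read", INGEST_ACCOUNT, INGEST_PROCESS),     # cardholder dir: always alerts
    FimEvent("16:12:45", r"D:\PCI\voice\call_0003.tmp", "delete", INGEST_ACCOUNT, INGEST_PROCESS),    # delete is not in the pattern: alerts
]

if __name__ == "__main__":
    alerts, retained = triage(SAMPLE_EVENTS)
    print(f"{len(alerts)} alerts, {len(retained)} retained without alert")
    print("suppressed per action:", dict(suppression_summary(retained)))
```

The design choice worth defending to an auditor is that the allow-list is keyed on account, process, directory, action and file extension together; loosening any one of them (for instance suppressing all creates by the service account) is what turns a noise filter into a blind spot.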

TripWire Connector: How to use?


We have set up a TripWire Enterprise server on a Windows system and I would like to see how the TripWire connector in LEM works. It's not immediately clear to me which logs I should be pointing this at, and whether I should be pointing it to systems running the TripWire agent or to the TripWire Enterprise server.

 

I would love it if somebody could provide me with these details; also, having that level of information on the connector itself would be really helpful.

 

Thanks in advance for any help on this!

Alert on Security event log clearing?


  I've been poking around in LEM trying to figure out how to get this to occur; it should be as simple as searching for the Event IDs. We want to get an alert when the Security event log for Server 2003 / 2008 is cleared. What's the best way to create this rule? I'm not sure if this falls under MachineAudit, Security Alert, or...
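The Windows-side facts the rule needs, plus an added detection example (not LEM's rule engine): on Vista / Server 2008 and later the Security log records its own clearing as event ID 1102 ("The audit log was cleared"), Server 2003 used 517, and 104 in the System log is the System-log clear. The CSV export format and every row in it are constructed for the example; the one detail that matters for the rule is that the channel is part of the match, because event IDs are only unique per provider.

```python
"""Flag Windows events that record an event log being cleared.

Added example, not LEM's rule engine.  The (channel, event ID) pairs are
Windows facts: 1102 in the Security log is "The audit log was cleared" on
Vista / Server 2008 and later, 517 is the Server 2003 equivalent, and 104 in
the System log is the Vista/2008+ System-log clear.  The CSV export format
and every row in it are constructed.
"""
import csv
import io
from collections import namedtuple

LOG_CLEARED = {
    ("Security", 1102): "Security log cleared (Vista / Server 2008 and later)",
    ("Security", 517): "Security log cleared (Server 2003)",
    ("System", 104): "System log cleared (Vista / Server 2008 and later)",
}

Alert = namedtuple("Alert", "timestamp host channel event_id user reason")

# Constructed sample export; in a real deployment these fields come from the
# agent-forwarded event, not from a hand-written CSV.
SAMPLE_EXPORT = """\
timestamp,host,channel,event_id,user
2017-11-20T16:05:18Z,FS01,Security,4624,CORP\\svc_backup
2017-11-20T16:06:02Z,FS01,Security,1102,CORP\\jdoe
2017-11-20T16:07:44Z,DC03,Security,517,CORP\\Administrator
2017-11-20T16:08:10Z,DC03,System,104,CORP\\Administrator
2017-11-20T16:09:55Z,FS01,Application,1102,CORP\\svc_app
2017-11-20T16:10:30Z,FS01,Security,4634,CORP\\svc_backup
"""


def find_log_clears(export_text):
    """Return one Alert per log-clear event.  The channel is part of the key
    because event IDs are only unique per provider: a 1102 written to another
    log by some application is not a Security-log clear."""
    alerts = []
    for row in csv.DictReader(io.StringIO(export_text)):
        key = (row["channel"], int(row["event_id"]))
        if key in LOG_CLEARED:
            alerts.append(Alert(row["timestamp"], row["host"], row["channel"],
                                key[1], row["user"], LOG_CLEARED[key]))
    return alerts


def hosts_with_clears(alerts):
    """Distinct hosts whose logs were cleared, for a per-host escalation."""
    return sorted({a.host for a in alerts})


if __name__ == "__main__":
    found = find_log_clears(SAMPLE_EXPORT)
    for a in found:
        print(f"{a.timestamp} {a.host} {a.channel}/{a.event_id} by {a.user}: {a.reason}")
    print("hosts to escalate:", hosts_with_clears(found))
```

Whatever LEM category the rule ends up under, the match condition should be the same pair of fields: the log name and the event ID, not the ID alone.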

Does LEM offer a generic txt/log file connector that we can use to collect log data from any 3rd party application?


Almost like the McAfee Connector.  I basically just point it to the scan.log and can receive the data that populates in the log file.

Node will not load


I have gone through the install process of using the LEM install tool.  I have one server that will not load a node into the LEM monitor.  There are no errors during the process of the installation and the LEM install tool indicates successful installation.  Suggestions?

 

The server in question: Server 2008R2 standard. 

thanks,

Mike


LEM - Mount error 13


I am able to mount a Windows share folder when I do a syslog export from LEM to my share folder.

But when I try to do an archive job to the same share folder path using the same credentials, it gives me mount error, permission denied.

 

Anyone ever experienced this before?

LEM v6.3.1 HOT FIX 4 IS NOW AVAILABLE


Download Available:

http://downloads.solarwinds.com/solarwinds/Release/HotFix/SolarWinds-LEM-v6.3.1-Hotfix4.zip

 

Hotfix 4 addresses the following issues:

  • Multiple vulnerability issues
  • Agent-Manager connection timeouts
  • Incorrect free disk space values when raw logging is enabled
  • Some log connectors running slowly

 

To Install Hotfix 4 on the LEM Appliance:

 

1. Using the LEM Console or an SSH client (such as PuTTY), log in to CMC.

    a. At the cmc> prompt, enter: manager

    b. At the cmc::manager# prompt, enter: hotfix

 

2. Follow the instructions on your screen, providing the network path to your Hotfix 4 files and the appropriate credentials with Read access to this path.

    a. For example: \\server\share\unzipped_hotfix_folder\hotfix
    b. If you receive a message stating that no upgrades were found, ensure that you entered the correct path to the files. When completed, a cmc: prompt appears.

 

3. Reboot the appliance.

    a. Exit the cmc::manager# prompt or at the cmc# prompt, enter: appliance

    b. At the prompt, enter: reboot

 

To install Hotfix 4 on the LEM Agents, use one of the following methods:

 

1. Use the auto-upgrade feature to automatically upgrade Agents if the feature is enabled.

 

2. If the auto-upgrade feature is disabled, or if there are communication issues between agents and the LEM Manager, follow the manual installation steps included in the "Install Hotfix 4 on Agents (manual steps)" section of the ReadMe included in the hotfix download.

 

Mitigation and Upgrades

To mitigate these issues, SolarWinds recommends upgrading to the latest version of LEM, v6.3.1 & applying Hotfix 4. SolarWinds also recommends changing the CMC password to ensure default credentials are not in use.

 

Vulnerability Overview

As of the date of this announcement, SolarWinds is not aware of any instance where a vulnerability remedied in Hotfix 4 has been actively exploited.

 

Common Vulnerabilities and Exposures (CVE) identifiers for the vulnerabilities remedied are not available at the time of this announcement, but will be added once assigned by a CVE Numbering Authority.

 

Credit Statement

SolarWinds would like to credit Baker Hamilton at Bishop Fox, Matt Bergin & Hank Leininger at KoreLogic & Mehmet Ince for reporting these vulnerabilities.

 

To report a potential vulnerability to SolarWinds, please email PSIRT@solarwinds.com

 

Descriptions

CMC command injection allows an attacker to inject commands to escape the restricted shell.

 

Arbitrary command injection allows an authenticated user to execute arbitrary commands from the CMC restricted shell - CVE-2017-7647

 

Access Control allows an authenticated user to browse the LEM server's file system and read contents of arbitrary files - CVE-2017-7646

 

Postgres Database Service allows hardcoded credentials access to the Postgres database service via IPv6. IPv4 is not affected by this vulnerability.

 

Arbitrary File Read allows an attacker to edit the SSH logon banner & read arbitrary files.

 

Privilege Escalation allows an attacker to run certain commands as a privileged user - CVE-2017-5198 & CVE-2017-5199.

 

Cumulative Hotfix

The following fixes from Hotfix 1, Hotfix 2, and Hotfix 3 are also included in this Hotfix:

  • Scheduled nDepth search results limited to 50,000 events.
  • Fixed ImportCert error when importing certificate after command failure.
  • Fixed an issue that displays the IP address instead of the FQDN/hostname in 'All Installed Agents'.
  • Fixed an issue when an L4 Database appliance started with only 128MB of memory.
  • Updates the Java platform to the latest version.
  • Fixed an out-of-memory issue that occurs when sending alerts to the console. The fix improves performance when a large number of events are sent to the console.
  • Fixed agent-manager communication issues - periodic disconnect and others.
  • Fixed an issue with nDepth log retention (logging missing date in raw records).
  • Fixed an issue that prevents logging into LEM if using User Principal Name with a custom alias or SAMAccountName with NETBIOS.
  • Added the ability to use sub-alias LDAP environments.
  • Removed field limitations in the normalized alert database.
  • Fixed a logrotate issue that causes connectors to stop working if log lines are too long.
  • Fixed a single sign-on (SSO) issue that occurs if a Kerberos ticket is unusually long because a user belongs to many groups.
  • Added the ability to configure custom LDAP groups for authentication.
  • Set an agent memory limit for agents upgraded from older versions.
  • Fixed other agent-manager communication issues.
  • Additional improvements to assist customer support, including improved logging & added diagnostics.
  • The threat-feeds server certificate changed - LEM cannot download threat-feeds IPs.
  • Unable to use a domain containing a dash in the LDAP configuration.
  • Unable to recover a password when HTTP is disabled.
  • Exceptions during a fast evaluation are not logged.

 

Notes:

  • This fix is applicable to LEM 6.3.1 only

Export Lem Report Data Single Line for Excel


I am trying to get the Crystal reports that show on two lines to export into a single line per record so I can squish the data around in Excel. Any thoughts?

 

Specifically, I am looking at the failed logins report and I want the account names to show in a single column so I can do things like easily tell the number of times a particular account was attempted, or the variety of account names per server that were attempted. This will help me look for outliers and potentially problematic attack vectors I need to fortify or adjust.

 

Thanks!
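An added example of doing the collapse outside the report engine (not LEM code): pair each record's first line with the detail line beneath it, write one CSV row per record for Excel, and compute the two figures the post is after (attempts per account per server, and the set of distinct account names tried on each server). The two-line layout below is a constructed stand-in for the report export; the two regular expressions are the part to adjust to your own export's column layout.

```python
"""Collapse a two-line-per-record report export into one row per record,
then count failed-logon attempts per account and per server.

Added example, not the LEM reporting engine.  The two-line layout below is a
constructed stand-in for the report export in the post; adjust the two
regular expressions to the column layout of your own export.
"""
import csv
import io
import re
from collections import Counter, defaultdict

# First line of a record: timestamp, server, event description.
HEAD = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\S+)\s+(.+?)\s*$")
# Continuation line: the detail fields the report prints underneath.
DETAIL = re.compile(r"Account:\s*(\S+)\s+Source:\s*(\S+)")

SAMPLE_EXPORT = """\
2017-11-20 16:05:18   FS01   Logon Failure
                      Account: jdoe            Source: 10.0.0.5
2017-11-20 16:05:40   FS01   Logon Failure
                      Account: jdoe            Source: 10.0.0.5
2017-11-20 16:06:03   DC03   Logon Failure
                      Account: administrator   Source: 10.0.0.99
2017-11-20 16:06:09   DC03   Logon Failure
                      Account: root            Source: 10.0.0.99
2017-11-20 16:06:15   DC03   Logon Failure
                      Account: admin           Source: 10.0.0.99
"""

FIELDS = ["timestamp", "server", "event", "account", "source"]


def merge_records(text):
    """Pair each head line with the detail line that follows it; a detail
    line without a preceding head, or a head without a detail, is skipped."""
    rows, head = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEAD.match(line)
        if m:
            head = m.groups()
            continue
        d = DETAIL.search(line)
        if head and d:
            ts, server, event = head
            rows.append({"timestamp": ts, "server": server, "event": event,
                         "account": d.group(1), "source": d.group(2)})
            head = None
    return rows


def to_csv(rows):
    """One record per line, ready to open in Excel."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def attempts_per_account(rows):
    """How many times each account was tried on each server."""
    return Counter((r["server"], r["account"]) for r in rows)


def accounts_per_server(rows):
    """Distinct account names tried on each server.  A long list of names
    that do not exist in the directory is the guessing pattern the post
    wants to spot."""
    out = defaultdict(set)
    for r in rows:
        out[r["server"]].add(r["account"])
    return {server: sorted(names) for server, names in out.items()}


if __name__ == "__main__":
    rows = merge_records(SAMPLE_EXPORT)
    print(to_csv(rows))
    print("attempts:", dict(attempts_per_account(rows)))
    print("accounts per server:", accounts_per_server(rows))
```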

Error adding connectors after upgrade to 6.0


I upgraded from 5.7 to 6.0. Tried to assign a connector to a node and got this error:

 

Retry Count exceeded for handleAgentResponse.

Giving up.

 

 

When I go back into the connectors, it looks like it was created, but it won't start. Removing that connector and trying to re-add produces the same problem. I see that there was a connector update download along with this one; the documentation says that the LEM upgrade itself includes the connectors but is the additional download required?

Connecting SolarWinds to Cisco FirePOWER using eStreamer


We have a Cisco FirePOWER unit that we want to poll information from and place in a dashboard so that it is easy to see what is going on with FirePOWER. I have been looking and haven't found too much information on how to connect these two applications, but one thing that seems like it would work would be to connect using eStreamer. Does anyone know if this is an option or not, and if so how to implement it? If it's not an option, is there any other way to display FirePOWER information in SolarWinds?

 

Thanks in advance!

Windows LEM Agent Issue


On a clean install of agent for Windows x64 on Windows 8.1, I can't get the agent to work. Error as below:

 

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [SpopModule] {main:1} Java version: 1.8.0_131 Java home: C:\WINDOWS\SYSTEM32\ContegoSPOP\jre6.3.1.hotfix5

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [SpopModule] {main:1} Heap: 0.24 GB, cpus: 4

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [SpopModule] {main:1} OS: Windows 8.1;6.3;x86

(Mon Nov 20 16:05:18 SGT 2017) WW:WARNING [LEMSlf4jConfigurationManager] {main:1} Can't load logging prefs classpath*:/debug-default.conf

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [StatusMonitorAndController] {main:1} Starting StatusMonitor

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [SpopModule] {main:1} Event memory was set to: 1000

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [SpopModule] {main:1} Events per queue was set to: 100000

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [SpopModule] {SPOP:9} Starting TriGeo Agent (Release 6.3.1) build [hotfix5]

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [SpopModule] {SPOP:9} build server version string: 6.3.1.hotfix5.831957

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [InDepthConfigProps] {SPOP:9} nDepth enabled via default because InDepthEnable not present

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [InDepthConfigProps] {SPOP:9} indepth.conf not found at C:\WINDOWS\SysWOW64\ContegoSPOP\indepth.conf

(Mon Nov 20 16:05:18 SGT 2017) WW:WARNING [RawDataClient] {SPOP:9} Status Inactive

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [UpdateClient] {SPOP:9} OS signature: Windows 8.1;6.3;x86

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [UpdateClient] {SPOP:9} Update Bootstrap initialized

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [SpopModule] {SPOP:9} Initializing database

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [SpopModule] {SPOP:9} Database Initialized

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [SpopModule] {Initialize Communications:11} Initializing Agent communications

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [SpopModule] {SPOP:9} Initializing ConnectorAPI

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [ConvertToolSettings] {Initialize Connectors:14} adding filename: Windows Active Response.xml

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [ConvertToolSettings] {Initialize Connectors:14} windowstoolfile: Windows Active Response

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [BuffBytesOneReaderOneWriter] {Initialize Communications:11} CommDataQueue BBS configured to queue directory: spop\q\CommDataQueue

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [SpopComm] {Initialize Communications:11} Operating System: Windows 8.1;6.3;x86

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [ConvertToolSettings] {Initialize Connectors:14} adding filename: Windows Active Response.xml

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [ConvertToolSettings] {Initialize Connectors:14} windowstoolfile: Windows Active Response

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [ConnectorControllerModuleImpl] {Initialize Connectors:14} SESSIONS_LOCATION: C:\Windows\SysWOW64\ContegoSPOP\6.3.1.hotfix5\ext\

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [ConnectorControllerModuleImpl] {Initialize Connectors:14} TOOLS_LOCATION: C:\Windows\SysWOW64\ContegoSPOP\6.3.1.hotfix5\ext\

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [ToolManagerImpl] {Initialize Connectors:14} Starting connector Windows Active Response

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [ConvertToolSettings] {Initialize Connectors:14} adding filename: Windows Active Response.xml

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [ConvertToolSettings] {Initialize Connectors:14} windowstoolfile: Windows Active Response

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [ConvertToolSettings] {Initialize Connectors:14} adding filename: Windows Active Response.xml

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [ConvertToolSettings] {Initialize Connectors:14} windowstoolfile: Windows Active Response

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [ComStoreInfo] {Initialize Communications:11} store values: alias: 1112220 trustedStore: spop\hierarchy.trigeo privateStore: spop\private.trigeo

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [WindowsCommandsSession] {Initialize Connectors:14} Windows Actions Loaded

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [ToolManagerImpl] {Initialize Connectors:14} Connector Windows Active Response started: true

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [SpopModule] {Initialize Connectors:14} Initializing FAST

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [FastCenter] {Initialize Connectors:14} Initializing

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [ComModule] {ComModuleSpop:18} We are not installed yet, certificates missing

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [FastCenter] {Initialize Connectors:14} Loaded connector pack : C:\WINDOWS\SysWOW64\ContegoSPOP\tools\ntapplication.xml

(Mon Nov 20 16:05:18 SGT 2017) II:INFO [FastCenter] {Initialize Connectors:14} Loaded connector pack : C:\WINDOWS\SysWOW64\ContegoSPOP\tools\ntsecurity.xml

(Mon Nov 20 16:05:19 SGT 2017) II:INFO [ComModuleSpop] {ComModuleSpop:18} autoInstall: name=win-vlsespa3iqs, ipAddress=169.254.129.232, eventAddress=/169.254.129.232

(Mon Nov 20 16:05:19 SGT 2017) WW:WARNING [NioComNetworkParent] {ComModuleSpop:18} Making install request to: 10.14.2.71

(Mon Nov 20 16:05:19 SGT 2017) II:INFO [FastCenter] {Initialize Connectors:14} Loaded connector pack : C:\WINDOWS\SysWOW64\ContegoSPOP\tools\ntsystem.xml

(Mon Nov 20 16:05:19 SGT 2017) II:INFO [FastCenter] {Initialize Connectors:14} Loaded connector pack : C:\WINDOWS\SysWOW64\ContegoSPOP\tools\vistasecurity.xml

(Mon Nov 20 16:05:19 SGT 2017) II:INFO [FastCenter] {Initialize Connectors:14} Online

(Mon Nov 20 16:05:19 SGT 2017) II:INFO [ComNetworkParent] {ComModuleSpop:18} bound to local port: 0

(Mon Nov 20 16:06:19 SGT 2017) EE:ERR [NioComNetworkParent] {ComModuleSpop:18} EXCEPTION: {}

java.io.EOFException: null

    at java.io.ObjectInputStream$BlockDataInputStream.peekByte(ObjectInputStream.java:2917)

    at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1502)

    at java.io.ObjectInputStream.readObject(ObjectInputStream.java:422)

    at com.trigeo.core.communications.common.ComNetworkParent.writeMessageToCommandChannel(ComNetworkParent.java:639)

    at com.trigeo.core.communications.common.ComNetworkParent.sendInstallRequestAndWaitForResponse(ComNetworkParent.java:167)

    at com.trigeo.core.communications.common.ComNetworkParent.installRequest(ComNetworkParent.java:137)

    at com.trigeo.core.communications.spop.ComModuleSpop.autoInstall(ComModuleSpop.java:310)

    at com.trigeo.core.communications.spop.ComModuleSpop.doInstall(ComModuleSpop.java:443)

    at com.trigeo.core.communications.common.ComModule.setUp(ComModule.java:212)

    at com.trigeo.core.communications.spop.ComModuleSpop.run(ComModuleSpop.java:516)

    at java.lang.Thread.run(Thread.java:748)

    at com.trigeo.util.TriGeoThread.run(TriGeoThread.java:52)

(Mon Nov 20 16:06:19 SGT 2017) WW:WARNING [NioComNetworkParent] {ComModuleSpop:18} Install request completed (not installed)

(Mon Nov 20 16:06:49 SGT 2017) WW:WARNING [NioComNetworkParent] {ComModuleSpop:18} Making install request to: 10.14.2.71

(Mon Nov 20 16:06:49 SGT 2017) II:INFO [ComNetworkParent] {ComModuleSpop:18} bound to local port: 0

(Mon Nov 20 16:07:48 SGT 2017) EE:ERR [NioComNetworkParent] {ComModuleSpop:18} EXCEPTION: {}

java.io.EOFException: null

    at java.io.ObjectInputStream$BlockDataInputStream.peekByte(ObjectInputStream.java:2917)

    at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1502)

    at java.io.ObjectInputStream.readObject(ObjectInputStream.java:422)

    at com.trigeo.core.communications.common.ComNetworkParent.writeMessageToCommandChannel(ComNetworkParent.java:639)

    at com.trigeo.core.communications.common.ComNetworkParent.sendInstallRequestAndWaitForResponse(ComNetworkParent.java:167)

    at com.trigeo.core.communications.common.ComNetworkParent.installRequest(ComNetworkParent.java:137)

    at com.trigeo.core.communications.spop.ComModuleSpop.autoInstall(ComModuleSpop.java:310)

    at com.trigeo.core.communications.spop.ComModuleSpop.doInstall(ComModuleSpop.java:443)

    at com.trigeo.core.communications.common.ComModule.setUp(ComModule.java:212)

    at com.trigeo.core.communications.spop.ComModuleSpop.run(ComModuleSpop.java:516)

    at java.lang.Thread.run(Thread.java:748)

    at com.trigeo.util.TriGeoThread.run(TriGeoThread.java:52)

(Mon Nov 20 16:07:48 SGT 2017) WW:WARNING [NioComNetworkParent] {ComModuleSpop:18} Install request completed (not installed)

(Mon Nov 20 16:08:48 SGT 2017) WW:WARNING [NioComNetworkParent] {ComModuleSpop:18} Making install request to: 10.14.2.71

(Mon Nov 20 16:08:48 SGT 2017) II:INFO [ComNetworkParent] {ComModuleSpop:18} bound to local port: 0

(Mon Nov 20 16:09:48 SGT 2017) EE:ERR [NioComNetworkParent] {ComModuleSpop:18} EXCEPTION: {}

java.io.EOFException: null

    at java.io.ObjectInputStream$BlockDataInputStream.peekByte(ObjectInputStream.java:2917)

    at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1502)

    at java.io.ObjectInputStream.readObject(ObjectInputStream.java:422)

    at com.trigeo.core.communications.common.ComNetworkParent.writeMessageToCommandChannel(ComNetworkParent.java:639)

    at com.trigeo.core.communications.common.ComNetworkParent.sendInstallRequestAndWaitForResponse(ComNetworkParent.java:167)

    at com.trigeo.core.communications.common.ComNetworkParent.installRequest(ComNetworkParent.java:137)

    at com.trigeo.core.communications.spop.ComModuleSpop.autoInstall(ComModuleSpop.java:310)

    at com.trigeo.core.communications.spop.ComModuleSpop.doInstall(ComModuleSpop.java:443)

    at com.trigeo.core.communications.common.ComModule.setUp(ComModule.java:212)

    at com.trigeo.core.communications.spop.ComModuleSpop.run(ComModuleSpop.java:516)

    at java.lang.Thread.run(Thread.java:748)

    at com.trigeo.util.TriGeoThread.run(TriGeoThread.java:52)

(Mon Nov 20 16:09:48 SGT 2017) WW:WARNING [NioComNetworkParent] {ComModuleSpop:18} Install request completed (not installed)

(Mon Nov 20 16:11:48 SGT 2017) WW:WARNING [NioComNetworkParent] {ComModuleSpop:18} Making install request to: 10.14.2.71

(Mon Nov 20 16:11:48 SGT 2017) II:INFO [ComNetworkParent] {ComModuleSpop:18} bound to local port: 0

(Mon Nov 20 16:13:39 SGT 2017) EE:ERR [NioComNetworkParent] {ComModuleSpop:18} EXCEPTION: {}

java.io.EOFException: null

    at java.io.ObjectInputStream$BlockDataInputStream.peekByte(ObjectInputStream.java:2917)

    at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1502)

    at java.io.ObjectInputStream.readObject(ObjectInputStream.java:422)

    at com.trigeo.core.communications.common.ComNetworkParent.writeMessageToCommandChannel(ComNetworkParent.java:639)

    at com.trigeo.core.communications.common.ComNetworkParent.sendInstallRequestAndWaitForResponse(ComNetworkParent.java:167)

    at com.trigeo.core.communications.common.ComNetworkParent.installRequest(ComNetworkParent.java:137)

    at com.trigeo.core.communications.spop.ComModuleSpop.autoInstall(ComModuleSpop.java:310)

    at com.trigeo.core.communications.spop.ComModuleSpop.doInstall(ComModuleSpop.java:443)

    at com.trigeo.core.communications.common.ComModule.setUp(ComModule.java:212)

    at com.trigeo.core.communications.spop.ComModuleSpop.run(ComModuleSpop.java:516)

    at java.lang.Thread.run(Thread.java:748)

    at com.trigeo.util.TriGeoThread.run(TriGeoThread.java:52)

(Mon Nov 20 16:13:39 SGT 2017) WW:WARNING [NioComNetworkParent] {ComModuleSpop:18} Install request completed (not installed)

(Mon Nov 20 16:17:39 SGT 2017) WW:WARNING [NioComNetworkParent] {ComModuleSpop:18} Making install request to: 10.14.2.71

(Mon Nov 20 16:17:39 SGT 2017) II:INFO [ComNetworkParent] {ComModuleSpop:18} bound to local port: 0

(Mon Nov 20 16:18:39 SGT 2017) EE:ERR [NioComNetworkParent] {ComModuleSpop:18} EXCEPTION: {}

java.io.EOFException: null

    at java.io.ObjectInputStream$BlockDataInputStream.peekByte(ObjectInputStream.java:2917)

    at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1502)

    at java.io.ObjectInputStream.readObject(ObjectInputStream.java:422)

    at com.trigeo.core.communications.common.ComNetworkParent.writeMessageToCommandChannel(ComNetworkParent.java:639)

    at com.trigeo.core.communications.common.ComNetworkParent.sendInstallRequestAndWaitForResponse(ComNetworkParent.java:167)

    at com.trigeo.core.communications.common.ComNetworkParent.installRequest(ComNetworkParent.java:137)

    at com.trigeo.core.communications.spop.ComModuleSpop.autoInstall(ComModuleSpop.java:310)

    at com.trigeo.core.communications.spop.ComModuleSpop.doInstall(ComModuleSpop.java:443)

    at com.trigeo.core.communications.common.ComModule.setUp(ComModule.java:212)

    at com.trigeo.core.communications.spop.ComModuleSpop.run(ComModuleSpop.java:516)

    at java.lang.Thread.run(Thread.java:748)

    at com.trigeo.util.TriGeoThread.run(TriGeoThread.java:52)

(Mon Nov 20 16:18:39 SGT 2017) WW:WARNING [NioComNetworkParent] {ComModuleSpop:18} Install request completed (not installed)

LEM does not capture logs from RHEL agents


I have looked through the troubleshooting guide and gathered information based on it.

Our RHEL servers are currently connected to the LEM, as shown in the LEM console.

We have verified that no firewall is between these devices, as all the ports are opened.

We started the connectors for Linux such as PAM and OpenSSH.

In the LEM Internal Events, the InternalToolOnline event shows "Started FAST reader" for the connectors I have configured and started.

But there are still no logs coming in from the RHEL agents.

 

Client Details

 

LEM Version: 6.3.1hotfix7

Agent Version: 6.3.1hotfix5
Linux OS: Linux 2.6.32-279.37.2.el6.x86_64

Web Console: SolarWinds-LEM-v6.3.1

 

Installer Files

 

LEM Installer: SolarWinds-LEM-v6.3.1-Evaluation-HyperV

Agent Installer: SolarWinds-LEM-v6.3.1-HF5-Linux64AgentInstaller

Console Installer: SolarWinds-LEM-v6.3.0-Console & SolarWinds-LEM-v6.3.0-AdobeAIR

 

Based on this article: https://support.solarwinds.com/Success_Center/Log_Event_Manager_(LEM)/LEM_with_Linux_x64_Agents_show_no_logs

 

We have verified that our RHEL servers syslog has a non-standard date header format.

We also verified changing the syslog to a non-standard date header format from a standard one will cause the LEM to stop capturing log from the RHEL agents.

 

However, we are not comfortable changing the non-standard date header to a standard one for LEM to take in the logs.

Therefore,

 

are there any alternatives for this issue?

Is it possible to configure the LEM Agents to take into account our current syslog format?

If yes, will the configuration only take place in /usr/local/contego/ContegoSPOP?

 

--------------------------------------------------------------------------------------------------------------------------------------------------------

 

Okay things have changed.

We have managed to get one of our client devices to change to a standard/default date header for the syslog.

And the logs are sent to LEM and displayed on the Console

 

May I confirm whether the SolarWinds Agent requires the default date header for syslog?

 

As for the LinuxConnector, I am using OpenSSH and PAM for /var/log/secure.

May I know which connector I can use for /var/log/messages and /faillog?

 

Would appreciate any help provided.
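An added check that is not SolarWinds agent code: before and after changing a host's syslog template, classify the header of each line in /var/log/secure so you can see which hosts still write the format the agent did not pick up. The post does not spell out what the "non-standard date header" was, so the example assumes the two formats in play are the traditional RFC 3164 header ("Nov 20 16:05:18 host ...") and the RFC 3339 high-precision header that rsyslog writes when its file template is RSYSLOG_FileFormat instead of RSYSLOG_TraditionalFileFormat; the log lines are constructed.

```python
"""Classify the header format of syslog lines, to see which hosts write a
header other than the traditional one.

Added example, not SolarWinds agent code.  Assumes the two formats in play
are traditional RFC 3164 and rsyslog's RFC 3339 high-precision header; the
sample lines are constructed.
"""
import re
from collections import Counter

MONTHS = "Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec"
# "Nov 20 16:05:18 host prog[pid]: msg"  (day of month is space-padded: "Nov  3")
TRADITIONAL = re.compile(rf"^(?:{MONTHS}) [ \d]\d \d\d:\d\d:\d\d \S+ \S")
# "2017-11-20T16:05:18.412345+08:00 host prog[pid]: msg"
RFC3339 = re.compile(r"^\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d+)?(?:Z|[+-]\d\d:\d\d) \S+ \S")

SAMPLE_SECURE_LOG = [  # constructed /var/log/secure style lines from two hosts
    "Nov 20 16:05:18 rhel01 sshd[2234]: Accepted publickey for ops from 10.0.0.5 port 51234 ssh2",
    "Nov  3 09:01:00 rhel01 sudo:  ops : TTY=pts/0 ; PWD=/home/ops ; USER=root ; COMMAND=/bin/ls",
    "2017-11-20T16:05:18.412345+08:00 rhel02 sshd[3120]: Failed password for invalid user admin from 10.0.0.99 port 4455 ssh2",
    "2017-11-20T16:05:20.001122+08:00 rhel02 pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.99",
    "this line has no recognisable header at all",
]


def classify_header(line):
    if TRADITIONAL.match(line):
        return "traditional"
    if RFC3339.match(line):
        return "rfc3339"
    return "unknown"


def header_report(lines):
    """Count of lines per header format.  A host whose /var/log/secure shows
    anything but 'traditional' is the case the post describes."""
    return Counter(classify_header(line) for line in lines if line.strip())


def hosts_by_format(lines):
    """Which hosts write which format, so the template change can be targeted."""
    out = {}
    for line in lines:
        fmt = classify_header(line)
        if fmt == "unknown":
            continue
        host = line.split()[3] if fmt == "traditional" else line.split()[1]
        out.setdefault(fmt, set()).add(host)
    return {fmt: sorted(hosts) for fmt, hosts in out.items()}


def needs_template_change(lines):
    """True when any line would not be accepted by a traditional-header parser."""
    return any(classify_header(line) != "traditional" for line in lines if line.strip())


if __name__ == "__main__":
    print(dict(header_report(SAMPLE_SECURE_LOG)))
    print(hosts_by_format(SAMPLE_SECURE_LOG))
    print("template change needed:", needs_template_change(SAMPLE_SECURE_LOG))
```

Running it against the real file on each RHEL host gives you a per-host list of which ones are writing the RFC 3339 header, which is a cleaner basis for the change-control discussion than toggling the template on one box and watching the console.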


nDepth Searches very slow and time out


I am having consistent problems with slow nDepth searches that often time out on one of my LEM appliances. I have called SW Support and thus far they haven't been able to find anything wrong with my system. The system handles about 7 million events per day, which I have been told isn't a lot in comparison with what it's designed for. My search is looking for any successful logins for a group of IP addresses (known bad IP addresses). If I try to search for anything more than a day it fails, which is a problem as I often need to search over a week or several weeks, which doesn't seem like an unreasonable use case.

 

I am curious if anybody else has experienced this type of problem and if so what, if anything, was done to resolve it.

 

Thanks in advance for any feedback!

Possible to monitor disk space remaining?


I'm currently using EventSentry to alert me if drives on Windows 2008/2012 virtual machines are running below 5% available space. Can I use LEM to replace EventSentry?

Adobe Flash EOL announced - It's Time for the LEM GUI to go away

Still no support for MSSQL Auditor running on MSSQL Server 2017 ?


As there seems to be little update on progress for MSSQL Auditor support for SQL 2017, I want to ask if we can expect any approximate timeline of when this will happen?

Even on ticket support, I am left in the dark over this, with no timeframe available.

 

It's frustrating to not have support for a widely adopted SQL Server version, which has been around for ~2.5 years (since Oct 2, 2016).

 

Has anyone managed to make this work (maybe with a workaround)?

If not, what is the alternative way you use to check MSSQL 2017 logs ?

 

 

 

jhynds can you expand on your hint from this thread >

Re: MS SQL Auditor for MS SQL 2017
