
LEM Filters & Alerts Technical Reference


Hey All,

I wanted to make you aware of a new document we've posted up on the docs page titled "Using SolarWinds Log & Event Manager (LEM) Filters & Alerts". This document is focused on real-time monitoring with filters, but also has a lot of really useful background info. This doc comes to us courtesy of Andy McBride over in SolarWinds Technical Support.

Included in this 9-page read are:

  • A diagram describing how log messages navigate the LEM system to end up in your database, filters, and rules
  • How (and why) log messages get transformed into the alert data you see in your console
  • A primer on troubleshooting agents and connectors to get the right data coming into your LEM system
  • Info about what filters are and why they are useful

The diagram alone might be worth the few-second download for the visual among you.

Questions about alerts, filters, and LEM? Post 'em and we'll answer.


Forward an SNMP trap from Solarwinds Orion


Hey guys,

I have been using the SolarWinds suite for the last 4 days and so far so good, it is a great product.

I just have a quick question regarding the alerts configuration.

I want that, based on an event (node down), the server would trigger the following actions:

  • Send an email (Ok, done, no big deal)
  • Send an SNMP trap

The problem is that the SNMP trap is not readable by the remote server and I guess it would need a MIB in order to decrypt the SNMP trap.

Is it possible to export the MIBs in SolarWinds?

Thanks a lot

Using a Threat Intelligence Feed with LEM?


I am curious if anybody out there is using LEM in conjunction with a Threat Intelligence feed?  I realize that LEM doesn't currently accept any of the feed protocols; however, I have seen that some feeds provide human readable dashboards which can then be used in conjunction with a SIEM such as LEM.

Firewall Log Management


Hi,

Can you please advise if it is possible to collect the logs from Checkpoint firewalls running on Splat or Nokia platforms and pass them to LEM so they can be viewed without the need to log onto the firewalls directly?

Thanks,

Ross

LEM Report/Alert for Cisco ASA VPN Usage


We would like to create a report for VPN logins/logouts and also have a real-time alert for when someone is logged in or out. The device is a Cisco ASA. Any help on whether this is possible or not and where to start, what fields to look at, what to query, etc. would be great.

Emailing nDepth Report Through PDF File Format


Inside LEM version 6.0, when generating nDepth queries, I can export the results in PDF format. However, when emailing, there is only one option of sending it via a .csv file. I was told by LEM support that I need to submit a feature request through this forum. So, here is my requirement.

The sooner this is incorporated, the better it is.

Thanks.

Vinaya

Restricting Nodes from obtaining a LEM license


Other than removing the command lines from a router/switch/firewall, is there any other way a LEM Administrator can restrict nodes from obtaining a license? I understand from the console, an Administrator can restrict the IPs that connect to LEM using the Standalone Desktop Console. Another example: an Administrator can restrict the IPs that can run the LEM Reports. Is there a way to restrict which devices obtain a universal license from the Standalone LEM Console/Web Console? One that does not require removing the commands pointing a device's syslogs to LEM?

Thank you,

T.J.

LEM keeps freezing


Hi all,

Pretty noob to LEM....

Our LEM seems to freeze every now and then.... Is there a way of setting up a cron job to either re-start the manager service or reboot the appliance nightly or every other day?

It seems that there is now access to shell if I am not mistaken...

Comments are much appreciated


Trouble creating a rule to block access to a process


I've created a LEM rule to block access to mspaint.exe from a specific computer and pop up a message with a reason; unfortunately, my rule seems to do absolutely nothing.

I've attached a screenshot of my config. If you could take a look and tell me where I'm going wrong I'd be very grateful!

Thanks

Collecting Logs for DHCP Server Configuration Changes


Hey all,

I'm setting up Log & Event Manager for the first time and I can't seem to figure out how to properly collect the logs I want from a Windows DHCP server. I want to be able to collect the logs that show configuration changes to DHCP (reservations, scope changes, etc.).

Prelim info:

DHCP running on Windows Server 2008 R2 Standard.

SolarWinds LEM 5.5.0

LEM client 5.3.1

In collectors for the node I see that there are really two options:

1. Windows DHCP Server 2000/2003/2008 System Log

2. Windows DHCP Server 2003

The first collector (DHCP Server 2xxx System Log) is just looking at the System Log and only shows stuff about the service itself (service failed to start, IP pools full, etc.).

The second collector looks at the logs in C:\Windows\System32\dhcp, which only show all the DHCP assign/renew/expire requests. Important, but still not what I want.

What I really want is to collect the logs from: C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Dhcp-Server%4Operational.evtx (or from Event Viewer: "Applications and Services Logs" > Microsoft > Windows > DHCP-Server > Microsoft-Windows-DHCP Server Events/Operational). This contains all the auditing logs about scope changes, adding/deleting reservations, and other configuration changes along with the user doing the modifications.

Am I missing something or is there no collector in LEM that can collect these logs?

Thanks!

Integration of LEM with Orion NPM


To quote the "What are we working on now" thread for LEM from 2011:

"SolarWinds Orion Platform Product Integration: Escalating Events from LEM to Orion via SNMP Traps

Since we're in the business of what makes sense to customers, we're also adding the ability to go the other direction and share events from LEM upstream to Orion via SNMP traps. This feature can also be used to escalate to non-SolarWinds products - if you've got a trouble ticketing system or other network management system that accepts SNMP traps as alerts, you can escalate LEM events up to those systems as well. Some of the ways this can be useful are:

  • Use log data to detect a problem, and automatically raise a condition in Orion to take advantage of workflow you've already built.
  • Share knowledge from LEM to Orion without providing access to all of your sensitive security and operations log data.
  • Take advantage of LEM's log data parsing to forward only log events of interest to Orion, instead of asking Orion to store 100% of log data for that one or two events you're interested in, in that context."

What progress has been made on this?

Thank you.

nDepth histogram x-axis timezone incorrect


Hi Geeks,

The timezone in the x-axis is incorrect.

When mousing over the bar, the time is indeed correct.

Would you tell me how to fix it?

Below is my screenshot.

Thanks

nDepth-Histogram.jpg

Custom Windows Event Log monitoring


Hi All,

I'm sure I've missed something fundamentally obvious, but I can't seem to track it down either via documentation, Thwack searches, or just poking around in the UI.

Our developers use custom event logs on our Windows servers, resulting in an application log for each service, or type of service. These event logs are all handled by the Windows Event Log service, and are stashed in the same place the Windows Event Log stores its own logs. The problem I'm having is trying to find out how to get LEM to return the logs for those custom log files.

I had assumed it was a connector I'd have to create, but under the Category of "Operating System" there are several Windows-related logs which are created by default (System, Security, and Application). If I try to create a new one, it will not let me change the log name, so I cannot get it to look at one of these custom logs.

What am I missing? Or am I looking at this entirely wrong?

Thanks

I can not get my SWLEMReports.exe to run.


When I try to run my Reports 6.0 I get the error msg: "The Crystal Reports run-time engine is missing" and sometimes "cslibu-2-0-0.dll missing". Uninstalled, re-ran ReportsAndCrystal.exe, deleted the dir, reinstalled, ran under admin. Any other ideas welcomed before I call support.

file audit nt authority


Greetings,

I just rolled out SLEM 6.0 (and updated the agents) and turned on the new FIM feature. In theory this is an awesome thing to have, but it's proving to be useless to me at the moment.

Every single file audit that I have going only references NT AUTHORITY\SYSTEM as the user that is accessing any file. This includes me, local and remote (SMB), to the server.

It's actually not even showing my access or modification of a file / folder in hand.

I submitted a ticket with no response yet; I was curious to know if anyone here has seen the issue themselves.

Thanks,

Is it possible to have the detection time reflect the local time of the node?


I have several nodes located in various timezones.  Currently all events reflect the local time of my appliance.  Is it possible to configure the LEM settings such that the DetectionTime of an event reflects the local time of the node that generated the event?

Email Notifications How-To


Hey All,

Since we haven't had any LEM discussions yet, I thought I'd post a quick how-to on setting up custom notifications. There are a couple of really common use cases for going beyond the out-of-the-box Log & Event Manager users and email templates:

  1. You've got more than one user and you'd like to be notified about different things.
  2. You'd like to change the appearance of the notification emails to include more (or less!) information.
  3. You've got someone who needs notifications, but doesn't need to view real-time data (for example, a helpdesk user).
  4. You've got an automated system that you use to triage alerts/incidents (for example, a trouble ticketing system).

First of all, you'll want to set up users for anyone who needs to receive notifications. We see a lot of common ways this is done:

  1. If you've got people who need to access the Log & Event Manager Console, you can create an admin, auditor, or monitor user - just be sure to associate an email address with their user.
  2. If you've got an external system (i.e. for trouble ticketing/incident handling) or person who doesn't need to access the Console, you can create a contact user - again, be sure to associate an email address.
  3. If you want to be sure you're notifying everyone in your IT organisation of the same thing at the same time, you can associate a distribution list email address with any of the above types of users.

To set up users, go to Build > Users. Click the + button on the top right, then fill in the information at the bottom - if you're creating a Contact user, you don't need to enter a password. Add email addresses to the user by clicking the + button under "Contact Information" and click the nearby Save button. When you're done, click the bottom-most Save button.

Whew, now that we've got the boring stuff out of the way, let's talk templates. Email templates let you customize the appearance of email notifications when they are triggered as responses in your Rules. An email template is actually two components:

  1. Static text that lets you customize the appearance of the email.
  2. Dynamic text (parameters) that is filled in from the original event that triggered the rule to fire.

For example, if I'm creating an Account Lockout template that will notify me when someone's account gets locked out (or automatically file a trouble ticket so the Helpdesk can take care of it), I'll want to fill in some static text that describes the event (say, "Account Locked!") and then use the dynamic text to describe the account that got filled out from the original event (say, the username and computer or domain controller they were locked out on). Generally, I create templates that are specific to a "type" of event that I'm looking for - that keeps me from having one email template per rule, which can get out of hand. For example, I have one template for "Account Modification" that can be used to tell me when a user is added/removed from a group, their password is reset, or other details are changed. There's no limit to the number you can have, so do whatever works for you.

To create a new email template, go to Build > Groups. Click the + button at the top, and choose Email Template.

  1. First, provide a Name for your template - remember this, you'll use it in rules to reference the template.
  2. To create dynamic text (parameters) for your rule, type in a name, then click the + button underneath the Parameters box to add it to the list; repeat for all the parameters you want to add. Each one of these is kind of like a variable that will "hold" your data and place it in the right location in the email. For my Account Lockout template, I used Time (always handy to have a timestamp), Account (for the user that was locked), DC (so I knew where they were originally locked), and Machine (so I know what Windows thinks was the source of the original logon failures, in case I need to do further investigating). 
  3. Type how you'd like the Subject to appear in the Subject box. If you'd like to specify static text, just type it in. To add a parameter, you can either type in the name as it appears in the parameters list (with the dollar sign), or you can drag from the parameters list into where you want it to appear in the subject. Yes, you really CAN use your dynamic text (parameters) here! That means I could have a subject that included the user's account name, source, or any other text from the originating event. In my case, I chose a fixed subject line and just typed "Account Lockout" in the Subject box (that way Outlook groups them all together for me in conversation view).
  4. Type how you'd like the body of the message to appear in the Message box. Again, if you'd like to specify static text, just type it in. To add a parameter, you can either type in the name as it appears in the parameters list (with the dollar sign), or you can drag from the parameters list into where you want it to appear in the subject. In my case, I kept it simple, and went with: Account $Account locked out at $Time on DC $DC from computer $Machine. If your email is going to be consumed by a trouble ticketing system, make sure the format of your email matches whatever your ticketing system is expecting, some are more flexible than others.
  5. Click the big Save at the bottom to save all that work.

Still with me? Good. Let's go use that fancy new template over in our rules. Head over to Build>Rules and create a rule for your template by clicking the + button and building out your rule logic, OR if you're following my Account Lockout example, you can clone our out-of-the-box NATO5 rule by navigating to NATO5 Rules > Change Management > Windows/Active Directory > Users. To clone, select the User Account Lockout (Updated) rule and go to the left side/rule's Gear and click Clone; select a folder from your Custom Rules folder and click OK. When you clone, the rule automatically opens for you - handy!

To associate your template with the rule, you'll need to add or edit a Send Email Message Action.

  1. To create a new Send Email Message Action (if you have more than one specified, multiple email messages will be sent), navigate to Actions in the list on the left, and drag Send Email Message into the orange Actions box on the right side. If you make a mistake, or decide you want to clear out the actions and start over, no worries! Hover over any action and click the upper right hand X. Didn't mean to do that? No worries, again! Click the Undo button to bring it back.
  2. In either case - editing an existing Send Email Message Action or starting with a new one - select your new template from the Email Template dropdown (if you forgot the name, you can always go back to Build>Groups real quick and dig it up - the rule will still be waiting for you with no lost work when you come back to Build>Rules).
  3. Click on the Users dropdown and check the box next to the users you want to be notified about this event. (If you forgot those, don't stress - head back to Build>Users and take a peek. The rule will still be waiting.) 
  4. Here's where it gets fun. You'll see the dynamic text (parameters) you specified in the Email Template over here in the Send Email Message action. You can fill them out with the fields from the rule by dragging and dropping the fields from the Alerts/Alert Groups area, just like building a rule. In my Account Lockout example, I'm using the UserDisable alert, so I'll go over to Alerts and type UserDisable into the search box (because I'm pretty lazy) and click on it to select, or navigate to GenericAlert>AuditAlert>AuthAudit>UserAuthAudit>UserDisable (now you know why I'm so lazy, say that 3 times fast). Drag over the DetectionTime field into the Time variable, the SourceMachine field into the Machine variable, the DestinationMachine into the DC variable, and the DestinationAccount field into the Account variable.
  5. Make sure your rule is enabled by checking the Enable checkbox. You can also use the Test checkbox/mode if you're not sure how your rule will behave - you'll see InternalTestRule alerts in the Console to let you know it was triggered and what it would have done. I'm feeling pretty confident, so I'm going to leave Test mode off, check Enable, and don't forget to click Save.
  6. Don't forget this step! You'll see that the Activate Rules button is enabled in the top right corner. We let you batch up all your rules changes in case you want to make multiple changes before changing the running state of the manager. So, be sure to click Activate Rules to tell the Console to send your changes to the manager and enable them. 

At this point, your rule is active, your template's all set up, and you're ready to go. Next time your rule fires, you should have an email (well, someone should!) that matches the format you've specified above.

Common gotchas:

  1. How do I know the rule is being triggered? Check your Console for InternalRuleFired alerts, either by using nDepth or a filter. Those alerts will show you what rule was triggered and when. 
  2. Rule not being triggered when it should be? Check your rule logic, but also check your timestamps. Your appliance or virtual appliance host layer might need to be configured for NTP. By default, rules won't fire when incoming data drifts more than 5 minutes from the appliance's clock.
  3. Rule being triggered but emails aren't being sent? Make sure you've got the Email Active Response connector configured on your manager appliance by going to Manage > Appliances, then clicking the leftmost Gear icon, going to Tools, then System Tools and Email Active Response. Click Gear>New to create a new tool, or click Gear>Stop and Gear>Edit to edit the configuration if you see a mistake. Always click Save and Gear>Start to start/restart the tool. If you typed in a test email address, you can click Test after starting to send a test message.

This is a topic we cover in our Rules and Actions training session (in more depth), but it's not something you do every day which makes it super easy to forget until you really need it. :)
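As an added illustration (example code written for this page, not code from the post or from SolarWinds), here is the flow the steps above describe, modelled in Python: the Account Lockout template with its $Parameters, the field-to-parameter mapping from step 4 of the Send Email Message action, and the 5-minute clock-drift check from the gotchas list. The sample event, the AlertType key and the ISO-8601 timestamps are constructed assumptions, not LEM's real internal event format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample UserDisable event using the field names the post drags into
# the template (DetectionTime, SourceMachine, DestinationMachine, DestinationAccount).
# The AlertType key and ISO timestamp are assumptions for this example.
SAMPLE_EVENT = {
    "AlertType": "UserDisable",
    "DetectionTime": "2014-03-10T14:02:11+00:00",
    "SourceMachine": "WKS-042",
    "DestinationMachine": "DC01",
    "DestinationAccount": "jdoe",
}

# The Account Lockout template from the post: static text plus $Parameters.
ACCOUNT_LOCKOUT_TEMPLATE = {
    "subject": "Account Lockout",
    "message": "Account $Account locked out at $Time on DC $DC from computer $Machine",
    "parameters": ["Time", "Account", "DC", "Machine"],
}

# Parameter-to-field mapping from step 4 of the Send Email Message action.
PARAM_TO_FIELD = {
    "Time": "DetectionTime",
    "Machine": "SourceMachine",
    "DC": "DestinationMachine",
    "Account": "DestinationAccount",
}

# Default clock-drift tolerance mentioned under "Common gotchas".
MAX_DRIFT = timedelta(minutes=5)

PARAM_RE = re.compile(r"\$(\w+)")


def within_clock_drift(detection_time_iso, appliance_now_iso, max_drift=MAX_DRIFT):
    """True when the event's DetectionTime is within max_drift of the appliance clock."""
    detected = datetime.fromisoformat(detection_time_iso)
    now = datetime.fromisoformat(appliance_now_iso)
    return abs(now - detected) <= max_drift


def render_template(template, event, mapping):
    """Fill the template's $Parameters from the event fields they are mapped to.

    A parameter with no mapping (a field you forgot to drag over) is left as the
    literal $Name so the mistake is visible in the delivered email.
    """
    values = {
        name: str(event[mapping[name]])
        for name in template["parameters"]
        if name in mapping and mapping[name] in event
    }

    def substitute(text):
        return PARAM_RE.sub(lambda m: values.get(m.group(1), m.group(0)), text)

    return substitute(template["subject"]), substitute(template["message"])


def evaluate_rule(event, appliance_now_iso, alert_type="UserDisable",
                  template=ACCOUNT_LOCKOUT_TEMPLATE, mapping=PARAM_TO_FIELD):
    """Return (subject, message) if the rule fires for this event, else None.

    The rule does not fire for other alert types, nor when the event timestamp
    drifts more than MAX_DRIFT from the appliance clock (the NTP gotcha).
    """
    if event.get("AlertType") != alert_type:
        return None
    if not within_clock_drift(event["DetectionTime"], appliance_now_iso):
        return None
    return render_template(template, event, mapping)


if __name__ == "__main__":
    print(evaluate_rule(SAMPLE_EVENT, "2014-03-10T14:03:00+00:00"))
```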

Filtering Certain Windows Security Events Before the LEM Agent Sends to the Manager


Hi all,

We currently have monitoring processes that logon to our servers continuously to monitor the overall health of the server. This turns into thousands of unnecessary events flowing into LEM. Is there a way to filter these alerts at the Agent level to where they do not forward to the Manager? Here is additional criteria:

- We have to ensure that these events hit the Security Log locally on the server (can't filter them there)

- We are open to receiving the events on the Manager side and then trashing them (no display in the console, alerting, or storage) based on the Source Machine and Source Account used to Logon.

Any help is appreciated.

Managing multiple LEM appliances


As we expand our number of LEM appliances I am finding I need a method for centralized management and I am curious what the best way to do this would be? We are a solution provider that implements these appliances for our clients so this will continue to be a growing problem as long as we use LEM as our SIEM solution.

I understand that it's possible to use one console to manage multiple managers; however, I have not found a good place where this is documented. I would like to know what the capabilities are, what the limitations are, what the security implications are (is the data encrypted, etc.) and what the network requirements for the communications are. Does the document for that exist and where might I find it (I should note that I did actually look for this documentation but was unable to find it)?

I know I had discussed some of this a while back with Nicole Pauls but I was unable to find that thread.

Thanks in advance for any help on this!

Network Events Widget - What is it looking for?


Can someone tell me what the Network Events Widget is supposed to be looking for? What activity kicks it off? I would love for LEM to sniff traffic or even show any network activity that takes place from server to server or application to application. This would be good to see what ports are being used. Can LEM do this? I'm still in EVAL mode, and since I've had LEM, this widget has displayed 0 information.
