Channel: THWACK: Popular Discussions - Security Event Manager (SEM) - Formerly Log & Event Manager

Issue with custom LEM report


The new 5.6 upgrade appears to have broken some custom reports we created.  Whether that's just my error or not, I don't know.  I got login errors when I tried to view them, which led me to believe that the database change caused the error.

 

I have begun rebuilding the reports by using the base reports and the Select Expert.  Most reports have been OK, but I have one report that seems to be working differently.  The report is User Log On, RPT2003-02-6.  When I generate the report and use the Select Expert, I am able to get the results I am looking for.  When I save the report as a Crystal Report, it appears to be saving the data, as the file size is much larger than the others that are working as they were previously.  When I attempt to run the new custom report, I get 0 results, even for the same time period that I selected when I created the report.

 

In addition, your Select Expert fields are really messed up.  They work properly when you put in the correct data, but the auto-populated lists are WAY off.  I've seen Account showing up for Authentication Package, Detection IP for Source Machine, and many others.  If I put in the correct search terms for the field, the Select Expert works as expected.


nDepth graph days mixed up


Does anyone know how this happens?

Managing multiple LEM appliances


As we expand our number of LEM appliances, I am finding I need a method for centralized management, and I am curious what the best way to do this would be.  We are a solution provider that implements these appliances for our clients, so this will continue to be a growing problem as long as we use LEM as our SIEM solution.

 

I understand that it's possible to use one console to manage multiple managers; however, I have not found a good place where this is documented.  I would like to know what the capabilities are, what the limitations are, what the security implications are (is the data encrypted, etc.) and what the network requirements for the communications are.  Does the document for that exist, and where might I find it (I should note that I did actually look for this documentation but was unable to find it)?

 

I know I had discussed some of this a while back with Nicole Pauls, but I was unable to find that thread.

 

Thanks in advance for any help on this!

Multiple Failed Login attempts by different users but same IP


Does anyone know how to set up a filter and/or rule that will notice multiple failed login attempts by multiple users (before account lockout) originating from the same IP within a certain time frame?

 

Thanks,

Jeremy
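The pattern asked about above (several different user names failing from one source IP inside a short window, each account staying below its lockout threshold) can be checked with a per-IP sliding window over failed-logon events. The script below is an added example, not code from the THWACK post or from SolarWinds LEM; the `LOGON_FAILURE user=... src=...` log format, the sample lines and the `detect_spray` / `parse_line` names are all constructed for the demo, so `parse_line` needs adapting to whatever your collector actually emits.

```python
"""Sliding-window detection of failed logons from one source IP that cycle
through several distinct user names.

Added example; not part of the THWACK post or of SolarWinds LEM.  The log
format, sample lines and function names are constructed for this demo.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed line format: "<ISO timestamp> LOGON_FAILURE user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGON_FAILURE user=(?P<user>\S+) src=(?P<ip>\S+)$"
)


def parse_line(line):
    """Return (timestamp, user, ip) for a failed-logon line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group("ts")), m.group("user"), m.group("ip")


def detect_spray(lines, window=timedelta(minutes=5), min_users=3):
    """Emit one alert per source IP the first time it accumulates at least
    `min_users` distinct user names in failed logons within `window`.

    The threshold is on distinct users per IP, not on failures per account,
    so it fires even when every account stays below its lockout limit."""
    per_ip = defaultdict(deque)   # ip -> deque of (ts, user), oldest first
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                # successes and unrelated lines are ignored
        ts, user, ip = rec
        q = per_ip[ip]
        q.append((ts, user))
        # Drop events older than `window` relative to the newest event.
        while q and ts - q[0][0] > window:
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_users and ip not in alerted:
            alerted.add(ip)
            alerts.append({"ip": ip, "users": sorted(users),
                           "first": q[0][0], "last": ts})
    return alerts


# Constructed sample: 10.0.0.5 tries three accounts in four minutes (alerts),
# 10.0.0.9 fails repeatedly on one account (no alert), and 10.0.0.7's two
# attempts are more than a window apart (no alert).
SAMPLE_LOG = """\
2024-03-01T09:00:00 LOGON_FAILURE user=alice src=10.0.0.5
2024-03-01T09:00:30 LOGON_FAILURE user=bob src=10.0.0.9
2024-03-01T09:01:10 LOGON_FAILURE user=bob src=10.0.0.5
2024-03-01T09:01:40 LOGON_FAILURE user=bob src=10.0.0.9
2024-03-01T09:02:00 LOGON_SUCCESS user=carol src=10.0.0.7
2024-03-01T09:03:55 LOGON_FAILURE user=carol src=10.0.0.5
2024-03-01T09:04:00 LOGON_FAILURE user=dave src=10.0.0.7
2024-03-01T09:10:00 LOGON_FAILURE user=erin src=10.0.0.7
"""

if __name__ == "__main__":
    for a in detect_spray(SAMPLE_LOG.splitlines()):
        print(f"{a['ip']}: {len(a['users'])} users {a['users']} "
              f"between {a['first']} and {a['last']}")
```

Run on the sample it reports only 10.0.0.5 with users alice, bob and carol. The window is measured from the newest event backwards, so a slow attempt that spreads logons across more than five minutes drops out; raise `window` or lower `min_users` to trade sensitivity against noise from shared NAT addresses, which is where most false positives of this rule come from.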

TripWire Connector: How to use?


We have set up a TripWire Enterprise server on a Windows system, and I would like to see how the TripWire connector in LEM works.  It's not immediately clear to me which logs I should be pointing this at, and whether I should be pointing it at systems running the TripWire agent or at the TripWire Enterprise server.

 

I would love it if somebody could provide me with these details; also, having that level of information on the connector itself would be really helpful.

 

Thanks in advance for any help on this!

LEM and Deep Packet Inspection?


Now that SolarWinds has rolled out Deep Packet Inspection with NPM, is there any possibility of moving that capability over to LEM?

 

My reason for asking is that I am curious whether LEM has a possible future in USM (Unified Security Management).  Since it already has log data and is moving into FIM as well, it doesn't seem unreasonable to assume LEM could be a fully capable USM.

LEM Thoughts of the Week: How do your Security, Network, and Systems teams work together?


Okay, so it's not exactly "of the week" when it's been a while since I posted the last one. We're back from our temporary lack of good ideas for discussion.

 

Lately we've been thinking a lot about how security and ops (network/systems) teams work together. From the ivory tower, it looks like security is getting operationalized as a lot of security stuff gets more high visibility and has more impact on what network/systems teams are doing. That means network/systems folks have to deal with and think about and involve security earlier on, rather than having it be a "versus" game where security teams are notified after the fact or not as embedded in decision making. We're also hearing more about security and network/systems teams having to share or have access to the same tools.

 

With log data, it's especially relevant, since that data has usefulness across both teams. Operational teams are using log data for root cause analysis and troubleshooting when a problem occurs, monitoring of basic stuff that doesn't come through in performance analysis (or doesn't come through as quickly, for example "that service just tripped that event log message that means it's going to go non-responsive" rather than waiting for it to actually go non-responsive), and tracking things that could put systems at risk for botched configs or problems (software installs, user/group changes, services, files being changed). Security teams are using log data for both historical analysis (and compliance) and tactical analysis in real-time.

 

Performance and availability data has traditionally been the place of Operations teams, but sometimes these two issues overlap, and one could be used to inform the other. Our first SolarWinds Labs episode ([VIDEO] SolarWinds Lab Episode #1: Virus in a Haystack) talked about a company whose firewall was spinning out of control causing performance issues, but it actually turned out to be a security problem. Performance data is like a canary in a coal mine for discovering stuff like Denial of Service attacks, too.

 

There's still a place for the security team - someone needs to be the single wringable neck/team for thinking that way, knowing how to be responsible with firewall policies or compliance or incident response - but it seems like it's trending more toward the same way each team has an "Exchange Guy" and a "Cisco Gal." It's best that many people know these duties so everyone can share responsibility and in the case of security it's thought of every step of the way. Along with that, there's the reality that on many teams the Security Dude is just one person.

 

What do you guys think? How do your teams work together? Are they using the same tools, do you wish they could? How do you see it changing in your organization as security becomes everyone's problem?

snort output server setup


I have a physical Snort box, and I am trying to get it to send logs to my SolarWinds LEM. I set its output to the IP of the SolarWinds LEM, but it doesn't pick up anything. I am using OpenSuse 13.1; in the snort.conf file I have pointed the output at the LEM server. Is there anyone that has successfully set this up to work? I want it to work using a physical Snort box sending the logs to the LEM server, so that it can capture traffic in the IDS Scan/Attack Activity on LEM for monitoring.

 

I have tried many different combos with no luck. My Snort is creating logs, but the LEM server isn't receiving them even though I point it at that server. I just need the correct configuration so that the LEM can start logging.

 

Any help would be greatly appreciated, remember this is not with the Snort on the LEM, this would be from a Snort Box.

 

Thank You,

 

Marcel


Best way to backup Log & Event Manager?


We use Acronis vmProtect to back up our virtual machines, and one of the problems I have is the inability to back up the SolarWinds Log & Event Manager virtual appliance.  We get the same error from vmProtect every time we try to back up this VA.  Here is the error:

Task 'SOLARWINDS LEM' failed: 'Failed to create a backup.
Additional info:
--------------------
Error code: 3
Module: 435
LineInfo: 555b5abba09501ab
Fields:
Message: Failed to create a backup.
--------------------
Error code: 32786
Module: 114
LineInfo: 28314c961de7d334
Fields:
Message: Failed to prepare for backing up.
--------------------
Error code: 353
Module: 149
LineInfo: a71592046cb2c5f6
Fields:
Message: Failed to back up the group.
--------------------
Error code: 2
Module: 218
LineInfo: 338a407ad20e0987
Fields:
Message: Error occurred while running the backup and recovery engine.
--------------------
Error code: 1080
Module: 1
LineInfo: d1ab7fa1e56ec823
Fields:
Message:
--------------------
Error code: 13
Module: 149
LineInfo: d1ab7fa1e56ec9a4
Fields:
Message: Failed to perform the requested operation.
--------------------
Error code: 103
Module: 83
LineInfo: a859dd78cc91df4b
Fields:
Message: Failed to open the virtual machine ([vm3-sas] SolarWinds Log & Event Manager/SolarWinds Log & Event Manager.vmx).
--------------------
Error code: 253
Module: 83
LineInfo: c7610e0a857bedf4
Fields:
Message: VMware error: 'Remote method call failed.'.
--------------------
Error code: 32
Module: 0
LineInfo: c7610e0a857bedf4
Fields:
Message: Awaiting task 'CreateSnapshot' has failed. Reason: fault.SystemError.summary.
--------------------'.

 

Acronis blames VMware, and they are right, because in vSphere if I try to take a snapshot with "quiesce file system" checked, it fails immediately.  If I take a snapshot without this option checked it does work; however, Acronis does not have any provision to support non-quiesced snapshots.  The reason I got from them is that such snapshots are in most cases useless, as they contain non-consistent data. To make it consistent there should be either pre/post commands running inside the VM which flush the data from memory to the disks prior to the snapshot, or some guest agent which does this job (in the case of Windows there must be VSS writers handling it also). We are considering adding the special handling to support non-quiesced snapshots; however, it will anyway be a workaround rather than a normal solution.

One of the issues with this appliance is that VMware Tools is not installed.  The console seems to have a proprietary shell, so getting in there and building VMware Tools doesn't seem to be an option.

 

I'm wondering what you guys are doing just to back up this virtual appliance.  Thanks for the help!

Monitor specific event ID using LEM


Hi,

 

How can I monitor a specific event ID and send an email alert when that event occurs?

Let's say I want to monitor when a service stops in the Application log and send an email alert.

Your guidance is very much appreciated.

Thanks

LEM Filters & Alerts Technical Reference


Hey All,

 

I wanted to make you aware of a new document we've posted up on the docs page titled "Using SolarWinds Log & Event Manager (LEM) Filters & Alerts". This document is focused on real-time monitoring with filters, but also has a lot of really useful background info. This doc comes to us courtesy of Andy McBride over in SolarWinds Technical Support.

 

Included in this 9-page read are:

  • A diagram describing how log messages navigate the LEM system to end up in your database, filters, and rules
  • How (and why) log messages get transformed into the alert data you see in your console
  • A primer on troubleshooting agents and connectors to get the right data coming into your LEM system
  • Info about what filters are and why they are useful

 

The diagram alone might be worth the few-second download for the visual among you.

 

Questions about alerts, filters, and LEM? Post 'em and we'll answer.

Using a Threat Intelligence Feed with LEM?


I am curious if anybody out there is using LEM in conjunction with a Threat Intelligence feed?  I realize that LEM doesn't currently accept any of the feed protocols; however, I have seen that some feeds provide human readable dashboards which can then be used in conjunction with a SIEM such as LEM.

LEM: Create notification of AD account lockout


How can I set up a notification alert when a user is locked out of Active Directory?

 

I am using SolarWinds Log & Event Manager 5.4.

 

Thanks


Rule Request - Admins Browsing the Web


I need a rule that checks for admins logging on to servers and browsing the web. Is this possible?

Log Event Manager issue


Please help me with how I could add the node in LEM; I have configured the Cisco switch with the following parameters:

logging on
logging host 192.168.2.1

But I am unable to add the node in LEM.

What other configuration is required on the Cisco switch for LEM?

 

I appreciate your help.

Thanks

How do I get MAC addresses in an alert when an AP goes down?


I am having trouble getting the MAC address for an AP in an alert when the AP goes down. I am using ${AP_MAC}, but it's coming out blank. Does anyone know how to get the MAC address?

 

Thanks,

 

Nuruddin

Sophos blocking lem webpage


Hello everyone, my enterprise is using Sophos endpoint security, and when I attempt to log in to the LEM web page and click Connect, the small bar that shows up below the button moves but it will never connect. When I turn Sophos real-time protection off I am able to log in. This seems strange, as no quarantine items show up and nothing in the Sophos log indicates why it was blocked. Obviously turning off Sophos isn't an option, nor is adding the LEM IP to the trusted list. So I'm wondering, what can be done?

PURGE DATA SOLARWINDS LEM


Hi Guys,

Does anyone know how I can purge growing data (logs) for maintenance of the appliance?

Regards
