Channel: THWACK: Popular Discussions - Security Event Manager (SEM) - Formerly Log & Event Manager

Creating a Custom Filtered Report

Hello,

After reading this article, SolarWinds Knowledge Base :: Creating a Custom Filtered Report, I have a feeling that LEM reporting is not a strong side of SolarWinds.

A few things I didn't like:

1) Quote: "Note: Starting with Windows Vista, Windows stopped allowing file properties to be edited in the fashion described below. As a workaround, consider editing the file properties on an XP system to ensure your custom report displays properly in the Reports console."

Windows XP? It's done; there is no support for Windows XP. So to configure an "advanced" report I have to leave a Windows XP virtual PC around. It's not a good solution at all.

2) I have to create report first and then I have choice "Select Expert". No good.

Can anyone disagree with me? Or maybe I'm not getting something...

Thanks for future comments.

Andrew.

LEM Report/Alert for Cisco ASA VPN Usage

We would like to create a report for VPN logins/logouts and also have a real time alert for when someone is logged in or out.  The device is a Cisco ASA.  Any help on whether this is possible or not and where to start, what fields to look, what to query, etc. would be great.

LEM Log Retention settings

Hi All,

How can I check the LEM log retention settings? I've already read some discussion about this and learned that LEM is configured to automatically purge the oldest logs, but how can I check if our LEM appliance can still keep up with our log retention policy (6 months, for example)? I need to check because we are planning to add more nodes to our LEM and we need to make sure that we are not sending more logs than LEM can handle, considering the log retention issue.

Thanks!

Nelson

LEM - Log Retention

I recently purchased LEM50.  I have two groups of servers sending events to LEM.  Some require 90 day retention and some require 13 months retention.  It appears that my only option is to retain all logs for 13 months, even those I only need for 90 days.  Is this true? 

Distributed architecture?

Does LEM support any form of distributed architecture that would allow you to have collectors at different locations and/or networks where the data is then rolled up into a single interface for visualization, searching and reporting?

LEM -- add new node

Hello,

I have installed LEM v 5.7.0 for testing. 

As a first step, I am trying to add a new node (Cisco router) but it's failing. I have configured the router to send syslog and I can see the packets using wireshark.

However, the device doesn't appear on the web interface. I get the following message:

No nodes found

LEM has not found any new nodes or connectors in the Syslog files that are being monitored.

If you are expecting messages from new nodes, please check to make sure the device is configured correctly to send Syslog messages to LEM. It may also take some time for the node to send a Syslog message.

What am I missing? I have followed the steps mentioned in the tutorial.

Thanks,

Justine.

LEM Group Filters I Don't See

I've been using LEM for a while now and have a good number of alerts successfully built, so I am getting fairly comfortable with everything.  One thing I have not been able to figure out is why I don't see the same "Filter Groups" in "Monitor" as is visible at about the 25:20 mark of this webinar:

Continuous Compliance with SolarWinds Log & Event Manager - YouTube

In the video, there are filter groups for IT Operations, Security, Compliance, etc. in the presenter's "Monitor" view. In the "Monitor" view of my own LEM I only see one group named "Default Filters". Is there something I configure, download, import, etc., that provides additional groups and/or a different view?

Thanks,

Craíg

I can not get my SWLEMReports.exe to run.

When I try to run my Reports 6.0 I get error msg: "The Crystal Reports run-time engine is missing" and  sometimes, "cslibu-2-0-0.dll missing".   Uninstalled, Re-ran ReportsAndCrystal.exe, deleted dir, reinstalled, ran under admin.  Any other ideas welcomed before I call support.

Collecting Logs for DHCP Server Configuration Changes

Hey all,

I'm setting up Log & Event Manager for the first time and I can't seem to figure out how to properly collect the logs I want from a Windows DHCP server. I want to be able to collect the logs that show configuration changes to DHCP (reservations, scope changes, etc.).

Prelim info:

DHCP running on Windows Server 2008 R2 Standard.

Solarwinds LEM 5.5.0

LEM client 5.3.1

In collectors for the node I see that there are really two options:

1. Windows DHCP Server 2000/2003/2008 System Log

2. Windows DHCP Server 2003

The first collector (DHCP Server 2xxx System Log) is just looking at the System Log and only shows stuff about the service itself (service failed to start, ip pools full, etc)

The second collector looks at the logs in C:\Windows\System32\dhcp, which only show all the dhcp assign/renew/expire requests. Important, but still not what I want.

What I really want is to collect the logs from: C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Dhcp-Server%4Operational.evtx (or from Event Viewer: "Applications and Services Logs">Microsoft>Windows>DHCP-Server>Microsoft-Windows-DHCP Server Events/Operational). This contains all the auditing logs about scope changes, adding/deleting reservations, and other configuration changes along with the user doing the modifications.

Am I missing something or is there no collector in LEM that can collect these logs?

Thanks!

New Log & Event Manager (LEM) Library & Support Page!

We've updated the Log & Event Manager (LEM) - Updated September 16, 2014 support page.  This serves as a one-stop shop for all your LEM documentation, how-to's, troubleshooting, and more.  You can add the page to your "links" or bookmark the page so you'll always have it handy.

Hope this helps, as always!

Danielle

LEM agent question

Does the spop.conf query its info directly from a file on the LEM box?  For some reason when installing the agent on a brand new machine the spop.conf is populating with the old appliance IP address.  When LEM was first installed it was using .164 as its IP.  We have since moved the vm to a beefier box and re-deployed it with an IP of .167.  I can ping the DNS name just fine, and have verified there are no stale records showing the old .164 address.  I can also telnet to port 37891,37890,37892 via the new IP.  Ultimately I can edit the spop.conf and manually change the IP to .167 but it's very annoying.  The user guide mentions clearing the agent certificate but so far I have not found any in the local cert stores.  (Edit: This must be done when deleting the spop folder within the ContegoSPOP folder.) I can also manually edit the .conf file and use the DNS name as well w/o issues.  But where is it getting its initial query? IE NioComNetworkParent Making install request to: x.x.x.164

snort output server setup

I have a physical Snort box, and I am trying to get it to send logs to my SolarWinds LEM. I set its output to the IP of the SolarWinds LEM but it doesn't pick up anything. I am using OpenSuse 13.1; in the snort.conf file I have put the output to the LEM server. Is there anyone who has successfully set this up to work? I want it to work using a physical Snort box sending the logs to the LEM server, so that it can capture traffic under IDS Scan/Attack Activity on LEM for monitoring.

I have tried many different combos with no luck, my Snort is creating logs but the LEM server isn't receiving them even though I point it to that server. I just need the correct configuration so that the LEM can start logging.

Any help would be greatly appreciated, remember this is not with the Snort on the LEM, this would be from a Snort Box.

Thank You,

Marcel

Email Notifications How-To

Hey All,

Since we haven't had any LEM discussions yet, I thought I'd post a quick how-to on setting up custom notifications. There are a couple of really common use cases for going beyond the out-of-the-box Log & Event Manager users and email templates:

  1. You've got more than one user and you'd like to be notified about different things.
  2. You'd like to change the appearance of the notification emails to include more (or less!) information.
  3. You've got someone who needs notifications, but doesn't need to view real-time data (for example, a helpdesk user).
  4. You've got an automated system that you use to triage alerts/incidents (for example, a trouble ticketing system).

First of all, you'll want to set up users for anyone who needs to receive notifications. We see a lot of common ways this is done:

  1. If you've got people who need to access the Log & Event Manager Console, you can create an admin, auditor, or monitor user - just be sure to associate an email address with their user.
  2. If you've got an external system (i.e. for trouble ticketing/incident handling) or person who doesn't need to access the Console, you can create a contact user - again, be sure to associate an email address.
  3. If you want to be sure you're notifying everyone in your IT organisation of the same thing at the same time, you can associate a distribution list email address with any of the above types of users.

To set up users, go to Build > Users. Click the + button on the top right, then fill in the information at the bottom - if you're creating a Contact user, you don't need to enter a password. Add email addresses to the user by clicking the + button under "Contact Information" and click the nearby Save button. When you're done, click the bottom-most Save button.

Whew, now that we've got the boring stuff out of the way, let's talk templates. Email templates let you customize the appearance of email notifications when they are triggered as responses in your Rules. An email template is actually two components:

  1. Static text that lets you customize the appearance of the email.
  2. Dynamic text (parameters) that is filled in from the original event that triggered the rule to fire.

For example, if I'm creating an Account Lockout template that will notify me when someone's account gets locked out (or automatically file a trouble ticket so the Helpdesk can take care of it), I'll want to fill in some static text that describes the event (say, "Account Locked!") and then use the dynamic text to describe the account that got filled out from the original event (say, the username and computer or domain controller they were locked out on). Generally, I create templates that are specific to a "type" of event that I'm looking for - that keeps me from having one email template per rule, which can get out of hand. For example, I have one template for "Account Modification" that can be used to tell me when a user is added/removed from a group, their password is reset, or other details are changed. There's no limit to the number you can have, so do whatever works for you.

To create a new email template, go to Build > Groups. Click the + button at the top, and choose Email Template.

  1. First, provide a Name for your template - remember this, you'll use it in rules to reference the template.
  2. To create dynamic text (parameters) for your rule, type in a name, then click the + button underneath the Parameters box to add it to the list; repeat for all the parameters you want to add. Each one of these is kind of like a variable that will "hold" your data and place it in the right location in the email. For my Account Lockout template, I used Time (always handy to have a timestamp), Account (for the user that was locked), DC (so I knew where they were originally locked), and Machine (so I know what Windows thinks was the source of the original logon failures, in case I need to do further investigating). 
  3. Type how you'd like the Subject to appear in the Subject box. If you'd like to specify static text, just type it in. To add a parameter, you can either type in the name as it appears in the parameters list (with the dollar sign), or you can drag from the parameters list into where you want it to appear in the subject. Yes, you really CAN use your dynamic text (parameters) here! That means I could have a subject that included the user's account name, source, or any other text from the originating event. In my case, I chose a fixed subject line and just typed "Account Lockout" in the Subject box (that way Outlook groups them all together for me in conversation view).
  4. Type how you'd like the body of the message to appear in the Message box. Again, if you'd like to specify static text, just type it in. To add a parameter, you can either type in the name as it appears in the parameters list (with the dollar sign), or you can drag from the parameters list into where you want it to appear in the subject. In my case, I kept it simple, and went with: Account $Account locked out at $Time on DC $DC from computer $Machine. If your email is going to be consumed by a trouble ticketing system, make sure the format of your email matches whatever your ticketing system is expecting, some are more flexible than others.
  5. Click the big Save at the bottom to save all that work.

Still with me? Good. Let's go use that fancy new template over in our rules. Head over to Build>Rules and create a rule for your template by clicking the + button and building out your rule logic, OR if you're following my Account Lockout example, you can clone our out of the box NATO5 rule by navigating to NATO5 Rules > Change Management > Windows/Active Directory > Users. To clone, select the User Account Lockout (Updated) rule and go to the left side/rule's Gear and click Clone; select a folder from your Custom Rules folder and click OK. When you clone, the rule automatically opens for you - handy!

To associate your template with the rule, you'll need to add or edit a Send Email Message Action.

  1. To create a new Send Email Message Action (if you have more than one specified, multiple email messages will be sent), navigate to Actions in the list on the left, and drag Send Email Message into the orange Actions box on the right side. If you make a mistake, or decide you want to clear out the actions and start over, no worries! Hover over any action and click the upper right hand X. Didn't mean to do that? No worries, again! Click the Undo button to bring it back.
  2. In either case - editing an existing Send Email Message Action or starting with a new one - select your new template from the Email Template dropdown (if you forgot the name, you can always go back to Build>Groups real quick and dig it up - the rule will still be waiting for you with no lost work when you come back to Build>Rules).
  3. Click on the Users dropdown and check the box next to the users you want to be notified about this event. (If you forgot those, don't stress - head back to Build>Users and take a peek. The rule will still be waiting.) 
  4. Here's where it gets fun. You'll see the dynamic text (parameters) you specified in the Email Template over here in the Send Email Message action. You can fill them out with the fields from the rule by dragging and dropping the fields from the Alerts/Alert Groups area, just like building a rule. In my Account Lockout example, I'm using the UserDisable alert, so I'll go over to Alerts and type in UserDisable in to the search box (because I'm pretty lazy) and click on it to select, or navigate to GenericAlert>AuditAlert>AuthAudit>UserAuthAudit>UserDisable (now you know why I'm so lazy, say that 3 times fast). Drag over the DetectionTime field into the Time variable, the SourceMachine field into the Machine variable, the DestinationMachine into the DC variable, and the DestinationAccount field into the Account variable. 
  5. Make sure your rule is enabled by checking the Enable checkbox. You can also use the Test checkbox/mode if you're not sure how your rule will behave - you'll see InternalTestRule alerts in the Console to let you know it was triggered and what it would have done. I'm feeling pretty confident, so I'm going to leave Test mode off, check Enable, and don't forget to click Save.
  6. Don't forget this step! You'll see that the Activate Rules button is enabled in the top right corner. We let you batch up all your rules changes in case you want to make multiple changes before changing the running state of the manager. So, be sure to click Activate Rules to tell the Console to send your changes to the manager and enable them. 

At this point, your rule is active, your template's all set up, and you're ready to go. Next time your rule fires, you should have an email (well, someone should!) that matches the format you've specified above.

Common gotchas:

  1. How do I know the rule is being triggered? Check your Console for InternalRuleFired alerts, either by using nDepth or a filter. Those alerts will show you what rule was triggered and when. 
  2. Rule not being triggered when it should be? Check your rule logic, but also check your timestamps. Your appliance or virtual appliance host layer might need to be configured for NTP. By default, rules won't fire when incoming data drifts more than 5 minutes from the appliance's clock.
  3. Rule being triggered but emails aren't being sent? Make sure you've got the Email Active Response connector configured on your manager appliance by going to Manage > Appliances, then clicking the leftmost Gear icon, going to Tools, then System Tools and Email Active Response. Click Gear>New to create a new tool, or click Gear>Stop and Gear>Edit to edit the configuration if you see a mistake. Always click Save and Gear>Start to start/restart the tool. If you typed in a test email address, you can click Test after starting to send a test message.

This is a topic we cover in our Rules and Actions training session (in more depth), but it's not something you do every day which makes it super easy to forget until you really need it. :)
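To make the template and field mapping in this how-to concrete, here is an added Python example (not LEM code and not from the original post) that renders the Account Lockout template from an alert using the same parameter-to-field mapping, and drops an alert whose DetectionTime drifts more than 5 minutes from the manager clock, which is the second gotcha above. The alert values, hostnames and account are constructed.

```python
from datetime import datetime, timedelta, timezone
from string import Template

# Template parameter -> alert field, as dragged in the Send Email Message action above.
FIELD_MAP = {
    "Time": "DetectionTime",
    "Machine": "SourceMachine",
    "DC": "DestinationMachine",
    "Account": "DestinationAccount",
}
SUBJECT = "Account Lockout"
BODY = Template("Account $Account locked out at $Time on DC $DC from computer $Machine")
MAX_DRIFT = timedelta(minutes=5)  # clock-skew limit from the "common gotchas" list


def bind_parameters(alert, field_map=FIELD_MAP):
    """Fill every template parameter from its mapped alert field.

    A parameter with no source field is an error rather than a blank, so a
    mis-mapped rule is noticed before the email reaches a ticketing system.
    """
    bound = {}
    for param, field in field_map.items():
        if field not in alert:
            raise ValueError(f"alert lacks field {field!r} needed for ${param}")
        value = alert[field]
        if isinstance(value, datetime):
            value = value.strftime("%Y-%m-%d %H:%M:%S %Z")
        bound[param] = str(value)
    return bound


def render_notification(alert, manager_now, max_drift=MAX_DRIFT):
    """Return (subject, body) for the alert, or None when its timestamp drifts
    more than max_drift from the manager clock (the rule would not fire)."""
    if abs(manager_now - alert["DetectionTime"]) > max_drift:
        return None
    return SUBJECT, BODY.substitute(bind_parameters(alert))


# Constructed sample alerts (hypothetical hosts and account, not real data).
MANAGER_NOW = datetime(2014, 9, 16, 10, 2, 0, tzinfo=timezone.utc)
SYNCED_ALERT = {
    "DetectionTime": datetime(2014, 9, 16, 10, 0, 0, tzinfo=timezone.utc),
    "SourceMachine": "WS-042",
    "DestinationMachine": "DC01",
    "DestinationAccount": "jdoe",
}
# The same event as reported by a host whose clock is twelve minutes slow.
SKEWED_ALERT = dict(
    SYNCED_ALERT, DetectionTime=datetime(2014, 9, 16, 9, 50, 0, tzinfo=timezone.utc)
)

if __name__ == "__main__":
    for alert in (SYNCED_ALERT, SKEWED_ALERT):
        print(render_notification(alert, MANAGER_NOW))
```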

FIM is setup. Getting .tmp alerts

I set up file integrity management (FIM). However, when I set up a directory to monitor I set up *.zipx files only. I wanted to be notified when a .zipx file in my directory was deleted.

This directory holds zipx files that are added to every night.  When I get notified I am getting alerts about .tmp files and only one zipx file.  Any ideas what needs to be done to correct this?  Currently have Directory (delete) and file (delete) setup.

Question on "Correlation Time" in LEM Rules

I am trying to understand this section better.  I need to send an email for when I have "host flapping" on an interface.  Problem is, I need to alert on the first log (unique to device and port) but not the duplicates that will follow for at least an hour.

How in the world do I set that in the "Correlation Time" section?

I watched many videos but so far none talk about this section; they all say "This is an advanced feature, not needed here"...

Thanks
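
The suppression this post asks for, written out as an added Python example (not LEM's Correlation Time feature and not from the post): alert on the first link-state message per device and port, and drop repeats for an hour so the duplicates that follow stay quiet. The syslog lines are constructed and the switch name is hypothetical.

```python
import re
from datetime import datetime, timedelta

# Cisco IOS link-state message shape; the constructed sample lines below follow it.
FLAP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) .*Interface (?P<port>\S+), changed state to (?P<state>up|down)$"
)
SUPPRESSION_WINDOW = timedelta(hours=1)


class FirstOccurrenceFilter:
    """Let the first event per (device, port) through; drop repeats inside the window.

    Keying on device and port is what makes one flapping interface suppress only
    itself, so a second interface on the same switch still raises its own alert.
    """

    def __init__(self, window=SUPPRESSION_WINDOW):
        self.window = window
        self._last_alerted = {}

    def should_alert(self, device, port, seen_at):
        key = (device, port)
        last = self._last_alerted.get(key)
        if last is not None and seen_at - last < self.window:
            return False  # duplicate inside the window: suppressed
        self._last_alerted[key] = seen_at  # first event, or the window has expired
        return True


def alerts_for(lines, window=SUPPRESSION_WINDOW):
    """Return (timestamp, device, port) for each line that should raise an alert."""
    flt = FirstOccurrenceFilter(window)
    alerts = []
    for line in lines:
        m = FLAP_RE.match(line)
        if not m:
            continue  # not a link-state message
        seen_at = datetime.fromisoformat(m["ts"])
        if flt.should_alert(m["device"], m["port"], seen_at):
            alerts.append((seen_at, m["device"], m["port"]))
    return alerts


# Constructed sample syslog lines (hypothetical switch "sw01"), ISO timestamp first.
SAMPLE_LINES = [
    "2014-09-16T10:00:00 sw01 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "2014-09-16T10:00:05 sw01 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up",
    "2014-09-16T10:00:10 sw01 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "2014-09-16T10:20:00 sw01 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to down",
    "2014-09-16T10:59:59 sw01 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "2014-09-16T11:00:01 sw01 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
]

if __name__ == "__main__":
    for ts, device, port in alerts_for(SAMPLE_LINES):
        print(f"{ts.isoformat()} alert: {device} {port} flapping")
```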

LEM as an alternative to purpose-built AD auditing products (ManageEngine, Quest/Dell Enterprise Reporter) - thoughts?

We're a LEM customer and are successfully leveraging it for some basic info now.

In tandem, I've been running some trial/demo installations of other products that specifically target the AD/NTFS pieces of a network, with reporting, scheduling, etc. of canned and non-canned reports for compliance, change oversight, and other purposes.

Since the information these products and LEM uses are seemingly the same at the source, I'm curious if there are folks out there using LEM to glean at least some of the information that these focus products offer. I know that LEM is not specifically targeted as an AD/NTFS auditing solution - and historical change data on AD objects seems elusive to accurately capture - but I'm sure there must be some amount of overlap here.

Thanks for any info!

IIS 6 & 7 logs into LEM

We've tried to configure 3 servers to get IIS to log into the LEM without success.

1 server is running Server 2008 with IIS 7.
2 servers are running Server 2003 with IIS 6.

I believe that we have the correct log directories for each server. And I have confirmed that IIS is running under the connectors for each server/node. I have tried searching for information on this and have not been able to locate anything that has helped.

I would appreciate it if you would be able to help me out! 

Case # 526393

file audit nt authority

Greetings,

I just rolled out SLEM 6.0 (and updated the agents) and turned on the new FIM feature.  In theory this is an awesome thing to have, but it's proving to be useless to me at the moment.

Every single file audit that I have going only references NT AUTHORITY\SYSTEM as the user that is accessing any file.  This includes me local and remote (SMB) to the server.

It's actually not even showing my access or modification of a file / folder in hand.

I submitted a ticket with no response yet, was curious to know if anyone here has seen the issue themselves.

Thanks,

How do I build my filters in LEM off of a report.

I'm new to the LEM world and have a bunch of questions about the app. We are trying to build all of our filters off one of the reports, let's say the Financial SOX report. How do I import each item in this report into a filter (multiple filters) on my LEM console? Is this possible?

diskusage stats

Why do the disk usage stats say only 50% for Logs/Data (via the diskusage command) when it is not retaining logs older than 2 months?

Am I missing something?

Partition Disk Usage:
        LEM:             43% (1.2G/3.0G)
        OS:              39% (1.1G/3.0G)
        Logs/Data:       50% (232G/492G)
        Temp:             5% (230M/5.9G)
Database Queue(s): 12K (No alerts queued, 21937 alerts waiting in memory)
Rules Queue: 2.1M (0 alerts queued, 0 alerts waiting in memory)
Console Queue: 2.1M (0 alerts queued, 0 alerts waiting in memory)
DataCenter Queue: 2.1M (0 alerts queued, 0 alerts waiting in memory)
EPIC Rules Queue: 2.1M (0 alerts queued, 0 alerts waiting in memory)
Logs: 26G
