Channel: THWACK: Message List - Security Event Manager (SEM) - Formerly Log & Event Manager
Viewing all 5385 articles

Re: Certificate Issue


The certificate that gets exported ought to match, but only really matters if you're running the Adobe Air console.

 

Are you accessing the LEM via IP or hostname?  Does the DNS name in your network match the hostname you assigned to the LEM appliance?  If the name in the URL bar doesn't match the LEM hostname (because you're using the IP or a DNS mismatch) then the self-signed certificate that LEM uses will cause those browser errors.  Most people just click the red link and move on.
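A small check that shows why the URL-vs-certificate mismatch described above produces the browser warning. This is an added example, not code from the thread or from SolarWinds: it works on the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, and the certificate data and hostnames in it are constructed samples standing in for a LEM appliance's self-signed certificate.

```python
"""Check whether the host in a URL is covered by a TLS certificate's identities.

Added example (not from the THWACK thread or SolarWinds). Operates on the
dict layout returned by ssl.SSLSocket.getpeercert(); SAMPLE_CERT is a
constructed stand-in for an appliance's self-signed certificate.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: a self-signed cert issued to the appliance hostname only,
# with no IP address SAN (the common reason IP-based access warns).
SAMPLE_CERT = {
    "subject": ((("commonName", "lem-appliance.corp.example"),),),
    "subjectAltName": (("DNS", "lem-appliance.corp.example"),),
}


def cert_identities(cert):
    """Return (dns_names, ip_addresses) that the certificate claims.

    Browsers consult subjectAltName; the subject CN is used here only as a
    fallback when the certificate carries no SAN at all (legacy behaviour).
    """
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value))
    if not dns and not ips:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value.lower())
    return dns, ips


def dns_name_matches(pattern, host):
    """RFC 6125-style comparison: exact match, or '*' only as the leftmost
    label, matching exactly one label, and never at the public-suffix level
    (at least two labels must follow the wildcard)."""
    pattern, host = pattern.lower(), host.lower()
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def url_matches_cert(url, cert):
    """True if the host part of `url` matches an identity in `cert`.

    An IP literal in the URL only matches an 'IP Address' SAN; a DNS name in
    the certificate never covers an IP literal, which is why browsing to the
    appliance by IP warns even when DNS and hostname agree.
    """
    host = urlsplit(url).hostname
    if host is None:
        return False
    dns, ips = cert_identities(cert)
    try:
        return ipaddress.ip_address(host) in ips
    except ValueError:
        pass  # not an IP literal, compare as a DNS name
    return any(dns_name_matches(p, host) for p in dns)


def report(urls, cert):
    """Map each URL to a verdict string; handy for a quick console check."""
    return {u: ("ok" if url_matches_cert(u, cert) else "name mismatch") for u in urls}


if __name__ == "__main__":
    # Constructed URLs: FQDN, bare short name, and the raw IP.
    for url, verdict in report(
        ["https://lem-appliance.corp.example/",
         "https://lem-appliance/",
         "https://10.0.0.5/"], SAMPLE_CERT).items():
        print(f"{url:45} {verdict}")
```

Running it shows only the fully qualified hostname passing; the short name and the IP literal both report a mismatch, which is the same decision a browser makes before it shows the red warning.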


Re: Certificate Issue


I've tried accessing it using the IP and the hostname, both with the same result.

DNS name and hostname match as well.

 

When comparing the two certificates it just looks like the web console certificate hasn't been updated and is still using the certificate it had while it was the evaluation version.

Re: Certificate Issue


The below response from Solarwinds Support solved the problem:

 

Are you referring to getting rid of the certificate error when you first load the console?
If so, the certificate that gets exported is a child certificate. So what you will need to do is click on the lock on your address bar and view the certificates and then select the certification path. Then select the top certificate and select view certificate information.

Then go to the Details tab and copy to file. Once you have that certificate you will need to have that signed by your internal CA and then installed on your machine to resolve the certificate error

Re: Creating custom Email Templates & Correlation of Fields


Is this a trick question?

 

Looks like you are using UserLogonFailure in the correlation, but FailedAuthentication to populate the email message.

 

The fields in the email must appear in the correlation.

 

thanks

Amit

Loop1 Systems

Re: Fortinet 1000c as analyzer


Hi Curtisi,

 

Fortinet and Sonicwall have not sent any syslog to LEM for the last 4 days; see the error below: "Error processing log message".

 

Any advice?

 

Thank you.

Report customization in LEM 6.1.0


Hi Team,

 

Question: up to now (and in the new version 6.1.0), is the full version of Crystal Reports XI required to complete report customization tasks?

Re: Using a Threat Intelligence Feed with LEM?


The new STIX and TAXII open standards, along with Soltra Edge (to collect/create threat repositories), also provide a means to share threat intelligence across member organizations anonymously. This would not limit Solarwinds to one threat source.

 

Soltra Edge is free to deploy, and there are plenty of paid and free open sources to pull intelligence from.

 

Some integration ideas with Solarwinds Products:

LEM - Threat Intel Sharing and receiving, actions/alerts based on rules (more data to correlate off of, and use actions to automate)

NCM - Automate updating firewall, routers, email gateway blacklists based on rules setup in LEM (more integration between Solarwinds products)

Threat Response Manager- Possibly a new Solarwinds module that would integrate with LEM/NCM or be standalone

 

Feature Request: Threat Intelligence Feed

Feature Poll: Would you be interested in importing Open/Closed Source Cyber Threat Intelligence into Solarwinds' Products?


References:

https://www.soltra.com/

https://forums.soltra.com/

STIX -Structured Threat Information Expression

TAXII -Trusted Automated Exchange of Indicator Information

hail a taxii

https://www.fsisac.com/article/fs-isac-and-dtcc-announce-soltra-strategic-partnership


Re: Report customization in LEM 6.1.0


Hi Curtisi,

 

Thank you for always answering my questions. I got the answer yesterday from my colleague, but your video is much clearer.

Re: LEM on Server with 2 NIC


Hi,

I am looking to do something similar.  Did this fix the issue for you?  Thanks

Re: LEM USB Defender False Positives


So the time and date on the event were correct and didn't match the "Detection Time" reported by LEM?

 

If that's the case, I'd open a support ticket to have them look at this.

Re: Unknown Nodes


Do you have a screenshot to share? What kind of events are associated with these 'bogus' nodes?

Re: Unknown Nodes


No, if the LEM sees data with an IP, it'll treat it as a new source and add a node for that.  You'll need to resolve the bogus source to prevent the data from coming back.

Re: Unknown Nodes


Is there any documentation of how I can do this? I did an nslookup but get the message that the device has no domain and it is offline.


LEM creates duplicates of provisioned XenApp servers as they are created


We currently use non-persistent provisioned XenApp servers that build off a single image so that we can spin up servers as needed. We followed the procedure to delete the certificate data as suggested in a previous question, but are now seeing the servers duplicated daily whenever they connect, rather than reconnecting as the previously used entry. This makes a daily chore of cleaning up the prior nodes that are disconnected. Is there any way to help LEM identify the agents via another means, like system name or another identifier?

Re: Unknown Nodes


No I don't have a screenshot. I don't see the old events anymore.

SourceFire connector


I am configuring our SourceFire 3ds system to forward syslog information to LEM.

The default facility in SourceFire is alert; the LEM connector by default has a path of /var/log/alert.log.

When I perform a checklog command on the appliance there is no alert log listed in the available files.  Does this get created on its own somehow?

Can you create your own?  Or do you just change the facility and log path to match one of the log locations listed?

 

Thanks

Re: SourceFire connector


You probably need to find the right log path. "alert" isn't a facility, it's a priority, so I think you're missing the other half - it's most likely one of the local facilities, or something like user.log.

 

If it's something you're syslogging, though, you might be able to press the "Scan for New Nodes" button and go from there. If enough messages have been sent it should be able to auto-configure.
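The point in the reply above is that a syslog message is tagged with both a facility and a severity level, and "alert" is a severity (level 1), so the log path a connector needs is decided by the facility half. The decoder below, an added example that is not from the thread or from SolarWinds or Sourcefire, pulls both halves out of the PRI field using the RFC 5424 numbering (PRI = facility * 8 + severity); the sample lines it summarizes are constructed, not captured from a real sensor.

```python
"""Decode and compose the syslog PRI value (PRI = facility * 8 + severity).

Added example, not from the THWACK thread or any vendor. Facility and
severity numbering follows RFC 5424 section 6.2.1; SAMPLE_LINES are
constructed messages, not output from a real device.
"""
import re
from collections import Counter

FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
    "logalert",   # RFC 5424 calls facility 14 "log alert"; unrelated to the alert severity
    "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# PRI is "<" followed by 1-3 digits and ">" at the very start of the message.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(pri):
    """Split a PRI integer into (facility_name, severity_name)."""
    if not 0 <= pri <= 191:          # 23 * 8 + 7 is the largest valid value
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def encode_pri(facility, severity):
    """Compose the PRI integer a sender would emit for facility.severity."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def parse_line(line):
    """Return {'pri','facility','severity','body'} or None if no valid PRI."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    facility, severity = decode_pri(pri)
    return {"pri": pri, "facility": facility, "severity": severity, "body": m.group(2)}


def summarize(lines):
    """Count lines per 'facility.severity'; lines without a PRI go to 'unparsed'."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        key = "unparsed" if parsed is None else f"{parsed['facility']}.{parsed['severity']}"
        counts[key] += 1
    return dict(counts)


# Constructed sample: two local0.alert sensor events, one user.info line,
# and one line that carries no PRI at all.
SAMPLE_LINES = [
    "<129>Mar  3 10:15:02 sensor1 ids: intrusion event (constructed sample)",
    "<129>Mar  3 10:15:07 sensor1 ids: intrusion event (constructed sample)",
    "<14>Mar  3 10:15:09 host1 app: routine message (constructed sample)",
    "Mar  3 10:15:11 host1 app: line with no PRI header (constructed sample)",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_line(line))
    print(summarize(SAMPLE_LINES))
    # "alert" on its own is only the severity; the facility chooses the file:
    print("local0.alert ->", encode_pri("local0", "alert"))   # 129
    print("user.alert   ->", encode_pri("user", "alert"))     # 9
```

Feeding a capture of the device's syslog through `summarize()` shows which facility.severity pairs it actually emits, which is the piece of information needed to pick the matching log path for the connector.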

Re: Unknown Nodes


If they keep coming back after you delete them, it's because new events are coming in with that DetectionIP value from one of your log sources. LEM uses DetectionIP to determine when a host is sending data to another that's picked up by LEM. We'll have to track down what that log source is to see if we can figure out why it's happening. If you double click on that node from Manage>Nodes it should do a quick search for that node's IP anywhere in your data, though if it's been too long you might have to dig farther back in time.
