Channel: THWACK: Message List - Security Event Manager (SEM) - Formerly Log & Event Manager

Re: File monitoring on Linux


Hi curtisi,

 

I am using the audit logs to monitor the file changes and it's working as expected.

But I am also looking for the log of which user has made the change; unfortunately I only get the log when the file change happens, but not about the user who made it.

Can you help me with how to achieve this?

 

Thanks in Advance,

Sumanth S.


SEM Console install error - Certificate Problem !


Hello,

 

When trying to install the latest AIR Console for SEM management (version 6.7.1), I get the following error:

 

 

I have the latest stable release of Adobe AIR (version 32.0.0.125).

Any hints, or can only a support case resolve this?

 

Thanks

Re: SEM Console install error - Certificate Problem !


Unless the new version has a bad certificate in the build (which support would likely have to confirm) you can try these steps:

 

Success Center

Re: SEM Console install error - Certificate Problem !


That was correct.

 

The bad thing is that upon uninstall/reinstall of local desktop console, you have to go all over the Scheduled Searches and add the schedule again.

Importing them does not save their scheduled run time either.

Re: Monitor ExtendedEvents and SQLAudits in SQL Server


I'm facing the same problem that you are with STIG requirements on SQL databases. I've mitigated this by creating two separate audits. One includes all required STIG audit groups with the exception of 'SCHEMA_OBJECT_ACCESS_GROUP'; I've limited this to a reasonable log file size and number of files to last until my weekly backup where my logs would then be offloaded to my backup server.

 

The second audit I run is only for the 'SCHEMA_OBJECT_ACCESS_GROUP'. I've allocated the size and number of files I am able to support. In this way, I do have the audit enabled; I just don't let it overwhelm my system, and I do not retain more than a few hours of logs for this audit. I know it's not completely meeting the intent of the STIG, but all the noise generated in that log renders its output nearly useless, and in the end it is better to have a functioning server than to execute a DoS on yourself.

 

If you ever find a way to exclude SQL_Agent processes from being logged or some other useful way of filtering out the garbage generated, please let me know.


Thanks!
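The two-audit layout described in the reply above, written out as an added T-SQL illustration (not the poster's script). The audit action groups in the first audit, the file paths, the size caps and the SQL Agent service-account name are assumptions; the WHERE predicate on the second audit (SQL Server 2012 and later) is one way to drop a known service account's rows, in the spirit of the "filter out the garbage" request.

```sql
-- Added illustration of the two-audit layout described above (not the
-- poster's own script). Group list, paths, sizes and the agent account
-- name are assumptions; substitute the groups your STIG checklist requires.
USE master;
GO

-- Audit 1: the required groups minus SCHEMA_OBJECT_ACCESS_GROUP, sized to
-- last until the weekly backup offloads the files.
CREATE SERVER AUDIT STIG_Core_Audit
TO FILE (FILEPATH = 'D:\SQLAudit\Core\',        -- assumed path
         MAXSIZE = 1024 MB,
         MAX_ROLLOVER_FILES = 50,               -- ~50 GB cap, assumed
         RESERVE_DISK_SPACE = OFF)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
CREATE SERVER AUDIT SPECIFICATION STIG_Core_Spec
FOR SERVER AUDIT STIG_Core_Audit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (AUDIT_CHANGE_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP),
    ADD (SCHEMA_OBJECT_CHANGE_GROUP)
WITH (STATE = ON);
GO
ALTER SERVER AUDIT STIG_Core_Audit WITH (STATE = ON);
GO

-- Audit 2: SCHEMA_OBJECT_ACCESS_GROUP on its own, with a small rollover so
-- it keeps only a few hours and cannot fill the disk. The WHERE predicate
-- (SQL Server 2012+) drops rows from an assumed SQL Agent service account.
CREATE SERVER AUDIT STIG_ObjectAccess_Audit
TO FILE (FILEPATH = 'D:\SQLAudit\ObjectAccess\', -- assumed path
         MAXSIZE = 256 MB,
         MAX_ROLLOVER_FILES = 4,
         RESERVE_DISK_SPACE = OFF)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE)
WHERE server_principal_name <> N'DOMAIN\svc_sqlagent'; -- placeholder
GO
CREATE SERVER AUDIT SPECIFICATION STIG_ObjectAccess_Spec
FOR SERVER AUDIT STIG_ObjectAccess_Audit
    ADD (SCHEMA_OBJECT_ACCESS_GROUP)
WITH (STATE = ON);
GO
ALTER SERVER AUDIT STIG_ObjectAccess_Audit WITH (STATE = ON);
GO
```

Check the rows actually written with sys.fn_get_audit_file against each audit's folder before trusting the predicate; ON_FAILURE = CONTINUE is chosen here so an audit write failure cannot stop the server, which is the trade-off the reply argues for.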

Re: Nodes have the agent installed, but no nodes are showing.


I fixed this; it ended up being an issue on the firewall. Allowed the traffic and it worked like a charm.

UserLogon / UserLogoff spam


I have been making an effort to get our LEM/SEM logs in order so we can start shaping and alerting on the information it is giving us. One problem I have run into is that we are getting a huge number of UserLogon and UserLogoff events under both "Local Account Authentication/Changes" and "User Logons" under "Authentication". I will see 3 or 4 copies of the same log hit SEM for the same user on the same remote server, with the only difference ever being a slight change in DestinationLogonID. I will attach a redacted example of a logon and logoff to this thread.

 

How do you all deal with the constant logon/logoff events while still staying PCI or HIPAA compliant?

SEM Feedback Opportunity - nDepth


Hello!

 

The SEM UX team is doing some work on the nDepth page, and would be interested in learning about what improvements should be made.

 

If you'd like to participate, send me a PM or email and we can figure out a time to chat. The 1-hour calls are typically run over WebEx, where you'll share your screen to point at areas of the dashboard that you like or dislike.

 

Participants will receive 3,000 THWACK points and (more importantly) the opportunity to influence the direction of the product.

 

Hope to hear from you soon!

 

Ashley Orr, UX Researcher

ashley.orr@solarwinds.com


SEM / LEM rule creation basics


Hi there...I have worked on LEM before, but it's been a while. I am trying to find out whether, if I create a rule and do not specify a group to target for systems or users, that rule will apply to every node that's added in the LEM. Can you please advise me on that? I have been watching videos about creating rules, but when I tried to search for that specific part of rule creation, I couldn't find it. Hence please let me know. Appreciate your input.

Re: SEM / LEM rule creation basics


I advise posting a screenshot of your rule.

Re: SEM / LEM rule creation basics


Sounds right.

 

Take a simple rule, logon failure. If you specify the event type but nothing for source/destination machine, etc., it will apply to every machine/group.

 

If you want to limit it to a specific group, you need to add that into the rule correlation.

Check Membership of a Custom Security Group on File Server


I am needing to create a monitor with a filter condition that would query a custom local security group on a file server.

I know that using an Active Directory domain group or even a SEM group would be easier and probably even suggested, but due to some constraints in my environment, that solution does not give me the results I am looking for in response times.

I have tested the monitor I have created with both Active Directory domain groups and SEM groups and it works great, so I know the logic of my monitor is good; I was wondering if a local group could be used in their place.

Has anyone had any experience with using server local security groups in this way?

How to send OpenShift logs collected by fluentd to LEM?


I have an OpenShift 3.9 cluster that is configured with an EFK stack with fluentd log collectors.

I can configure the fluentd daemon set to offload application and operations OpenShift logs to an external syslog collector (RHEL 7 server via port 514).

Can I configure the fluentd daemon set to offload these logs to a LEM Server via Port 514 as well?

And if I can then can LEM search these logs?

Re: How to send OpenShift logs collected by fluentd to LEM?


Is there a connector for fluentd? Check the list. Maybe send these logs to rsyslog or syslog and forward them to the LEM Linux server via syslog forwarding.

Send Email Message action - could not be edited.


Hi there...I am trying to edit a rule to have an IP or host name detected when a user is added to the administrator group. The previously created rule (by another person) doesn't have the IP or host name to detect when the event is triggered. I am trying to edit that rule and also added another "send email message" action, and I cannot add an action or $data, $info, $user information in that new action. Can you please advise me on that in order to add that information? I have attached the screenshot of the rule. Appreciate your assistance.

 


Re: How to send OpenShift logs collected by fluentd to LEM?


I will definitely look into that. Thank you for the information!

Can I add McAfee Antivirus to SEM (Linux) Appliance?


Hi Everyone,

 

First time poster to these forums.

 

I have the SEM Appliance running on an Industrial Control Network and I would like to add McAfee Antivirus to it. I've used Linux for years and I understand the implications of not having antivirus on it, as well as the false sense of security Linux can provide simply because it isn't an easy target. That being said, I've run Linux for >10 years without an issue. However, I don't want to mess up the installation or operation of SEM... Is it OK to load it, or should I leave it without AV protection?

Thank y'all in advance for any advice you may be able to offer me. You are all greatly appreciated!

 

Thank you,

 

Don Brown

Sr. Mfg. IT Engineer

Nessus Scanning


Has anyone been able to set up a way to automatically pause alerts when a vulnerability scan is run? These scans do produce a tremendous amount of noise and flood our alerting system.
