Channel: THWACK: Message List - Security Event Manager (SEM) - Formerly Log & Event Manager

Docker Container IP Causing Issues with SEM


We are currently standing up a CentOS VM that will run as a Virtru Gateway.  I recently added the SEM Agent to this device and it checked into our Manager with the Docker Container IP (172.x.x.x) instead of the VM's IP (192.x.x.x), which is causing it to fail to connect.  Does anyone have any experience with how to get around this issue?
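The agent in this post registered with the Docker bridge address instead of the VM's own address. Before chasing it in the SEM console, it helps to see exactly which IPv4 addresses the host exposes and which of them belong to Docker. The script below is an added example, not code from the post or from the SolarWinds agent: it parses `ip -o -4 addr show` output (a constructed sample with made-up interface names and addresses is embedded so it runs offline), separates Docker bridge/veth addresses from the host's own, and reports the address a host-level agent ought to be using. The interface-name pattern and the `172.17.0.0/16` default bridge subnet are Docker defaults; a customized daemon address pool would need the constants adjusted.

```python
"""Which IPv4 address should a host-level agent report on a Docker host?

Added example, not from the forum post or the SEM agent. Parses
`ip -o -4 addr show` output and separates Docker networks from host addresses.
"""
import ipaddress
import re
import subprocess

# Constructed sample of `ip -o -4 addr show` on a Docker host (names and
# addresses are made up for the example).
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: ens192    inet 192.168.10.25/24 brd 192.168.10.255 scope global noprefixroute ens192\\       valid_lft forever preferred_lft forever
3: docker0    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0\\       valid_lft forever preferred_lft forever
5: br-4f2a1c8e0b3d    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-4f2a1c8e0b3d\\       valid_lft forever preferred_lft forever
"""

# Default Docker interface names: the docker0 bridge, user-defined bridges
# (br-<12 hex chars>) and container-side veth pairs.
DOCKER_IFACE = re.compile(r"^(docker\d+|br-[0-9a-f]{12}|veth[0-9a-f]+)$")
# Default docker0 subnet; a custom "default-address-pools" setting changes this.
DOCKER_DEFAULT_BRIDGE = ipaddress.ip_network("172.17.0.0/16")
LINE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\S+)")


def parse_ip_addr(text):
    """Return [(interface, IPv4Interface), ...] from `ip -o -4 addr show` output."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            entries.append((m.group(1), ipaddress.ip_interface(m.group(2))))
    return entries


def is_container_network(iface, addr):
    """True when the interface name or the subnet marks this as a Docker address."""
    return bool(DOCKER_IFACE.match(iface)) or addr.ip in DOCKER_DEFAULT_BRIDGE


def classify(entries):
    """Split non-loopback entries into (host_addresses, container_addresses)."""
    host, container = [], []
    for iface, addr in entries:
        if addr.ip.is_loopback:
            continue
        bucket = container if is_container_network(iface, addr) else host
        bucket.append((iface, str(addr.ip)))
    return host, container


def pick_host_ip(entries):
    """The address an agent should register with, or None if only Docker
    addresses are present (which is itself worth knowing)."""
    host, _ = classify(entries)
    return host[0][1] if host else None


def live_entries():
    """Same parse against this machine (Linux with iproute2 installed)."""
    out = subprocess.run(["ip", "-o", "-4", "addr", "show"],
                         capture_output=True, text=True, check=True).stdout
    return parse_ip_addr(out)


if __name__ == "__main__":
    entries = parse_ip_addr(SAMPLE_IP_ADDR)
    host, container = classify(entries)
    print("host addresses:      ", host)
    print("container networks:  ", container)
    print("agent should report: ", pick_host_ip(entries))
```

Run `live_entries()` instead of the sample on the affected VM; if the agent's registered address shows up under the container bucket, the agent picked the bridge interface and the host address is the one to compare against in the Manager.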


Re: SEM\LEM not showing all events


I'm assuming you've got the appropriate Cisco connector set up and pointing at local2 on the SEM?

 

If that's the case, one thought is that the spanning logs may not be normalized or they may be dropped. It's not super common, but there are instances where clearly junk messages would be dropped. Are you able to trigger something else that you would want to see to confirm it comes through? If you've got an unused port, can you up/down the port to see if you find those logs in the console?

Re: SEM\LEM not showing all events


I assume I have the correct connector set up, and I have it set up as raw and normalized. Keep in mind I do see some events, but not everything. I'll try your idea about the ports here in a bit when I can get to the NOC.

Re: SEM\LEM not showing all events


Looks good to me.

 

I follow your description, but with some things I have a field of probabilities and don't want to make too few/many assumptions.

 

If you're getting some data, but not what you'd fully expect then I'd entertain the event normalization piece (data not being normalized for "reasons"), but it's a pretty small edge case so hopefully you'll be able to see real data for expected events.

 

If we were looking at it side by side we could probably figure it out in short order, so hopefully you see the events from your test, which I'd say would make my theory plausible; otherwise, if you need it done in a crunch, Support should be able to help demystify it pretty quickly.

 

Happy to keep discussing, just sometimes time is the more finite resource.

Re: SEM\LEM not showing all events


So I ran the test and I see the status changes on LEM. I also got back UserLogonFailure: Logging to host (mymanagerIP) port 514 failed. I'll jump back into the switch and see if the UDP port is still configured (my firewall blocks UDP), but I am getting the status changes, which tells me it is communicating. (Originally I had set up the port as UDP but found the firewall blocks it, so I moved to TCP; I might have both UDP and TCP configured.)

Will report back


Re: SEM\LEM not showing all events


Fixed, re-ran the test and I do see the events... just not everything. You may be right, something is filtering out what is displayed, I just don't know how to change it. I'll call support in a bit, take notes and report back.
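Two things in this thread can be checked without the SEM console: whether the switch emits on the facility the connector reads (local2 here), and whether the transport actually reaches the collector (UDP was blocked by the firewall, so TCP was used). The script below is an added example, not from the thread or the SolarWinds product. It encodes and decodes the RFC 3164 PRI field, tests whether a line would be accepted by a connector that only reads one facility, and round-trips a constructed Cisco-style message over UDP and TCP on loopback. The message text, hostname and timestamp are made up for the example. Two relevant facts about the sending side: Cisco IOS logs to local7 unless `logging facility local2` is configured, and `logging trap` defaults to informational, so a device left at local7 or a connector reading a different facility is one plain way to end up with "some events but not all".

```python
"""Syslog facility check plus a loopback UDP/TCP round trip.

Added example, not from the thread or the SEM product. Sample messages are
constructed; the listener binds 127.0.0.1 on an ephemeral port, so it runs offline.
"""
import socket
import threading

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
FACILITY_NAMES = {code: name for name, code in FACILITIES.items()}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def encode_pri(facility, severity):
    """RFC 3164 PRI value: facility * 8 + severity (local2.info -> 150)."""
    return FACILITIES[facility] * 8 + SEVERITIES.index(severity)


def decode_pri(line):
    """Return (facility, severity) names from a '<PRI>...' syslog line.

    A missing, malformed or out-of-range PRI raises ValueError instead of
    being silently mapped onto some facility.
    """
    end = line.find(">", 1, 5)
    if not line.startswith("<") or end == -1 or not line[1:end].isdigit():
        raise ValueError("missing or malformed PRI: %r" % line[:8])
    pri = int(line[1:end])
    if pri > 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITY_NAMES.get(pri // 8, "facility%d" % (pri // 8)), SEVERITIES[pri % 8]


def accepted_by_connector(line, facility):
    """Would a connector that only reads `facility` pick up this line?"""
    return decode_pri(line)[0] == facility


def build_message(facility, severity, timestamp, host, body):
    """BSD-style (RFC 3164) line. `body` imitates a Cisco IOS message; the
    values are constructed for the example, not captured from a switch."""
    return "<%d>%s %s %s" % (encode_pri(facility, severity), timestamp, host, body)


def roundtrip(message, proto):
    """Send `message` to a loopback listener over 'udp' or 'tcp' and return what
    arrived. TCP uses newline framing (RFC 6587 non-transparent framing), the
    usual form for plain TCP syslog."""
    if proto == "udp":
        srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        srv.bind(("127.0.0.1", 0))
        srv.settimeout(3)
        cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        cli.sendto(message.encode(), srv.getsockname())
        data, _ = srv.recvfrom(4096)
        cli.close()
        srv.close()
        return data.decode()

    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(3)
    received = []

    def serve():
        conn, _ = srv.accept()
        with conn:
            buf = b""
            while not buf.endswith(b"\n"):  # read until the frame terminator
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
        received.append(buf.rstrip(b"\n").decode())

    worker = threading.Thread(target=serve)
    worker.start()
    with socket.create_connection(srv.getsockname(), timeout=3) as cli:
        cli.sendall(message.encode() + b"\n")
    worker.join(5)
    srv.close()
    return received[0] if received else None


if __name__ == "__main__":
    ts, host = "Mar  1 12:00:00", "switch01"
    body = "%LINEPROTO-5-UPDOWN: Line protocol on Interface Gi0/7, changed state to down"
    for fac in ("local2", "local7"):
        msg = build_message(fac, "notice", ts, host, body)
        print(msg[:36], "->", decode_pri(msg),
              "accepted by local2 connector:", accepted_by_connector(msg, "local2"))
    msg = build_message("local2", "notice", ts, host, body)
    for proto in ("udp", "tcp"):
        print(proto, "round trip intact:", roundtrip(msg, proto) == msg)
```

Pointing the sender at the real collector instead of loopback is a quick way to tell a firewall drop (UDP send succeeds silently, nothing arrives) from a TCP connect refusal, and running `decode_pri` over a packet capture of the switch's output shows which facility it is actually using.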

SolarWinds Resellers/Pricing Quotes?


Hi All,

My company is looking for a SIEM in order to help us meet NIST 800-171 logging and monitoring requirements, as well as general cyber security. We are interested in a few SolarWinds products and have requested a quote from the SolarWinds site itself, but have not gotten any response. Does anyone know if there is a better way to get a price quote from SolarWinds, or can recommend a 3rd party reseller?

 

Any information is greatly appreciated

Re: SolarWinds Resellers/Pricing Quotes?


A member of our Sales team appears to have been in touch with one of your colleagues. Will send you a DM to discuss further.


Re: Docker Container IP Causing Issues with SEM


It looks like the node was able to work it out on its own after a few days. Strange issue, but it seems to be happy for the moment. I just happened to log in and check the node, and the IP had updated and the connection was green.

Connector Profile - FIM


I was wondering if anyone ran into this same issue and if it is a bug. I am attempting to make a connector profile. For the most part it works fine. However, I want to add FIM File and Folder, along with FIM Registry, as two additional connectors to my custom connector profile. It will let me pick PCI, Windows, monitoring, HIPAA, etc.; however, there is no save, and it says at the bottom that this must be performed from the SEM Events console.

 

Normally, for an asset with an agent without a connector profile, I would add the FIM capability through here. I tried to add FIM to the connector profile via the events console. However, I get an error saying this is not yet implemented. Is adding FIM to a connector profile not yet an option?

Re: Connector Profile - FIM


The workflow to add FIM connectors to a profile isn't as easy as it should be at the moment because we've migrated FIM to our new interface but Connector Profiles have yet to be migrated. It will be more straight forward once Connector Profiles are migrated.

 

Configure an agent that isn't currently part of a profile with the required connectors (including FIM which has to be configured from the new interface). Then create a new Connector Profile and use that agent as a template:

 

 

Once you have the profile created, you should be able to add other agents to that profile from the new interface:

 

New file to pull into SEM, set up rules.


I have a log file for HP Content Manager that I need to pull into SEM and create rules for it. At least that is the thinking here.

 

I put in a request for a connector, that was three months ago so I've got time to pursue other options.

 

Is there a way to create a connector or reuse another connector? Can we modify the XML files so another connector or general connector can read it?

 

We need to capture when people do certain tasks in the application and trigger an email so the app team can research the issue.

 

Ideas and thoughts are much appreciated.

Re: New file to pull into SEM, set up rules.


Could you please send me your case number and I can see where it's at?

Add List of Nodes to Connector Profile


In SEM, I've set up various Connector Profiles based on the monitoring needs of each group. However, I'm needing a better way to maintain this list without manually adding/removing nodes one at a time. Is there a way to add nodes to a Connector Profile from a text file (or CSV)? Or is there an even more automated method for dynamically managing nodes in connector profiles?

Cleaning up LEM Internal Events


Hello,

 

I'm currently running SEM 6.7.1, and under the LEM Internal Events tab I'm receiving about 1000 events a minute. All the events are pretty much the same and have the same basic layout as follows:

 

NAME: InternalWarning

 

EVENT INFO: 2:The system cannot find the file specified.

 

DETECTION IP: Mostly user computers, but the occasional server as well.

 

Under the details we get some slight variation, but they all seem to be Windows-based:

 

ToolAlias: Windows System -or- Vista Security -or- Windows Application

 

ProviderSID: FastCenter normal error

 

Component: Windows System -or- Vista Security -or- Windows Application

 

 

This seems to be a pretty useless log that's just cluttering everything else up. I was wondering if anyone knew how to get rid of it or if I'm wrong and this log is actually very useful and the fact that I'm receiving so many indicates an issue in my environment.

 

Thanks,

 

Jared


Re: Linux Agent Log File Location?


Update -  it looks like the SW agent logs for Linux installs can now be found here: /opt/SolarWinds/Agent/bin/appdata/Logs/

Re: Cleaning up LEM Internal Events


You are actually running into a fixed issue that some were running into with an update that happened from Microsoft on Windows 10.

  • I would make sure you are on the latest version which is 6.7.2 and make sure that agent is on the latest 6.7.2 version as well.  That should solve your issue.
    • Other option, after getting your manager and agent to 6.7.2,  is to remake the windows connector that you are getting this error on.
    • If it is not fixed at that point you could call into support and have them help you out.

Importing Filter - SEM Console


After upgrading to SEM from LEM, I am still learning the differences between the old and new consoles (UI). In the new SEM Console, I don't see any way to import filters other people have made (or export, for that matter) as you could in LEM. How do team members share their filters?

Re: Importing Filter - SEM Console


Importing and exporting has yet to be migrated from the Flash interface to the new UI. In order to share filters, you will need to go to the Flash console; however, any filters that are imported in the Flash console will appear in the new UI. Apologies it's not a seamless workflow right now, but it will be straightforward once that functionality is migrated to the new UI.

Re: Cleaning up LEM Internal Events


Upgrading to 6.7.2 did fix the issue. Thanks so much!
