Can you confirm what facility (e.g. local1, local2, etc) the Synology device is transmitting logs to? Using the checklogs command you should be able to browse to that facility and validate that syslog from Synology is hitting the facility. Once you get that far, we can concentrate on getting the connector started to parse the logs.
Re: Connector Discovery Failed
Separate database of Network and System Logs
We have a SEM environment in our organization and it seems like firewall logs consume a lot of disk space.
Is there a way to separate the database of network logs (firewalls) and Windows logs? Or maybe limit the number of days that I can store the network logs?
Re: Non-Business Hours Filter Not Actually Filtering
Hello @ikchang
I had the same problem as you and managed to solve it by creating the filter in the HTML console, but additionally I had to delete all the time-of-day-set groups I had created; I created the time-of-day-set group again and it is working. I came across this note in the configuration guide, I hope it helps you.
Question about licensing and stuff for jhynds and everyone really...
We're using LEM/SEM on some of our networks right now. We're wanting to standardize on LEM/SEM but the licensing is maybe an issue. I have many isolated enclaves that are small. It doesn't make sense for small networks with maybe 5 machines on them to have a $5k instance. Suppose I have many of these. Is there a way SolarWinds can do a quantity discount on small licenses all grouped together so I can standardize on it? Does SolarWinds ever do like MS and other big companies and offer selling a large number of nodes and let me divide it up how I see fit? Could I then do a true-up each year and be subject to audit any time? This could be a lot of business for SW but I'm concerned it might not be possible because of the mass of small enclaves I have. I hope there's a way to make this work somehow?
Thanks,
Bill
Re: Question about licensing and stuff for jhynds and everyone really...
Hey Bill! We don't currently offer a large license that you can divide between multiple SEM appliances, each license is bound to a single SEM appliance. However, I can certainly discuss your situation with your Account Manager in an effort to find a solution for you. Will reach out privately to discuss further.
Re: SEM\LEM not showing all events
Last I heard their dev team was still working on this. I'm going to send them another message to see if they have anything new
Re: Finding PowerShell activity with LEM
Hi mikosmall ! Sorry to be digging up an old thread, but I'm wondering if you are able to share a little bit more detail about how you're capturing this info.
Appreciate it!
Re: SEM\LEM not showing all events
From my experience with LEM/SEM, unless you have a small organization, SolarWinds is right, LEM/SEM is not the tool for what you want to do. Once you are getting above about 1.2 million events every 10 min, SEM begins to have performance issues, and it's even worse if you start building filters with all events. In most medium-size businesses, if you're logging handshakes, connection builds and teardowns, etc., plus all of the other logs that are normally sent or retrieved from other tools, you will easily go over a million events every 10 minutes. We work with our engineers to strictly enforce sending security/audit logging to SEM to try to keep events under 1.5 million events every 10 min, and performance doing searches, and even just running Flash, is pretty sketchy at best. Your mileage may differ, but that's been my experience.
Re: SEM\LEM not showing all events
That's my understanding as well; sadly, however, that's not what the account manager told my boss when she was on the phone with him. We were looking for something that would hold all our log files and allow us to sort through them to track down a variety of problems. One of our biggest issues is trying to do a root cause analysis when issues occur. I often bring up STP on our network devices as an example because that was one such issue that this system should have helped me resolve. I had installed a new switch, configured it properly but never checked to make sure it wasn't going to be the root. That new switch became the root and ended up disabling the EtherChannel I had on another, causing the now only 1 GB link to overload, bringing the network to its knees on several occasions. Sadly it took me almost a month to track down as it was random and by the time I got into the network to figure it out the problem was resolved. When we were originally looking for an application we had considered several different applications, Splunk being one of them. However, considering the price and the idea that LEM would do exactly what we wanted, we chose LEM.
I understand this could potentially crash the system if I gather too many alerts, but I'm confident I can do exactly what you do: only send to LEM what I want to gather. I honestly would much rather be in control over this than have hard limitations. With that said, I did just get an email from support telling me that the connector is finished, with instructions on how to install it.
But first I need to contact Support to figure out why the VM keeps crashing. Once I get all this done I'll write up something pretty and post it here for any future person having the same issue.
How to get Windows 10 system with a Docker Container sending logs to the SEM?
We have a couple of Windows 10 workstations that are running Docker containers. The agent installs successfully on the base Windows systems and picks up the correct OS, IP address and license type (Workstation). The agents show online and have the normal four connectors running that our other Windows 10 systems have (Windows Active Response, Application Log, Security Log and System Log). But they do not have the correct host name; instead they display with a node name of host.docker.internal in place of the actual host name. Also, the SEM does not have the log data from these Windows 10 workstations. If I look at the configuration of the connectors, it is the same as on the Windows 10 systems that are reporting correctly but are not running a Docker container. Is there a special configuration needed for these systems?
At this point, we just want to collect the logs from the Windows 10 workstations. The Docker containers are just being used for testing/evaluation at the moment.
Thanks in advance for your help.
Re: How to get Windows 10 system with a Docker Container sending logs to the SEM?
Haven't played with docker in Windows, but ultimately I imagine it's going to need to work about the same as a regular Windows machine would or it won't work (I didn't see anything specific to Docker support for the SEM agent).
So firstly, if you want to look at the host name sending logs, you may need to check the details on where the agent would acquire the name (spoiler alert, it's from the system, so likely it's just taking the name of your docker/environmental variables):
That article details a few switches you can try to get the name you would expect, or maybe find and update the source to be what you'd expect.
If you're not interested in getting the logs directly after all, then you need to make sure that the containers are passing through the logs. The agent is going to read the logs of the local System/Application/Security I'd imagine, so unless the containers are writing their logs to the root machine somehow, I'm not sure how the agent would see them.
Re: Finding PowerShell activity with LEM
Hey scott.driver, you can use GPO to set up a policy to log PowerShell events (see Configure PowerShell logging to see PowerShell anomalies in Splunk UBA - Splunk Documentation). And install Sysmon on the hosts (Sysmon - Windows Sysinternals | Microsoft Docs). For the Sysmon install you could use GPO or PowerShell. I did it manually because I didn't have that many hosts. After those are running, install the LEM agent on each host and add a new connector in LEM. You should have everything working at that point. Did that answer your question Scott?
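For the "did it manually" path above, here is an added example (not from the original post, SolarWinds or Microsoft) that writes the same policy registry values a GPO would set for PowerShell script block and module logging, then checks that the Sysmon service exists and that 4103/4104 events are actually landing in the Operational log before a LEM/SEM connector is pointed at it. The policy key paths and event IDs are the documented Windows ones; run it from an elevated prompt.

```powershell
# Added example: enable PowerShell audit logging the way a GPO would, then verify it.
# Policy root the Group Policy engine writes to for PowerShell settings.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellAuditLogging {
    # Script block logging -> Event ID 4104 in Microsoft-Windows-PowerShell/Operational
    $sbl = Join-Path $PolicyRoot 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

    # Module logging -> Event ID 4103; a ModuleNames entry of '*' covers every module
    $mod = Join-Path $PolicyRoot 'ModuleLogging'
    New-Item -Path (Join-Path $mod 'ModuleNames') -Force | Out-Null
    Set-ItemProperty -Path $mod -Name 'EnableModuleLogging' -Value 1 -Type DWord
    Set-ItemProperty -Path (Join-Path $mod 'ModuleNames') -Name '*' -Value '*' -Type String
}

function Test-PowerShellAuditLogging {
    # Summarise policy state, Sysmon presence and how many PS audit events exist so far.
    $log   = 'Microsoft-Windows-PowerShell/Operational'
    $sblOn = (Get-ItemProperty -Path (Join-Path $PolicyRoot 'ScriptBlockLogging') `
                -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1
    $modOn = (Get-ItemProperty -Path (Join-Path $PolicyRoot 'ModuleLogging') `
                -ErrorAction SilentlyContinue).EnableModuleLogging -eq 1
    # Sysmon registers its service as 'Sysmon' or 'Sysmon64' depending on the binary used.
    $sysmon     = Get-Service -Name 'Sysmon*' -ErrorAction SilentlyContinue
    $sysmonName = if ($sysmon) { ($sysmon | Select-Object -First 1).Name } else { 'not installed' }
    # Get-WinEvent raises a non-terminating error when nothing matches; treat that as zero.
    $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 4103, 4104 } `
                -MaxEvents 50 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ScriptBlockLogging = $sblOn
        ModuleLogging      = $modOn
        SysmonService      = $sysmonName
        RecentPSEvents     = @($events).Count
        OperationalLog     = $log
    }
}

Enable-PowerShellAuditLogging
# Only new PowerShell processes pick up the policy, so spawn one to produce a 4104 event.
Start-Process -FilePath 'powershell.exe' -Wait -WindowStyle Hidden `
    -ArgumentList '-NoProfile', '-Command', 'Write-Output audit-test'
Test-PowerShellAuditLogging | Format-List
```

If RecentPSEvents stays at 0 after the spawned process, the policy is not being applied (check for a conflicting domain GPO with gpresult) and the LEM connector will have nothing to read.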
Re: Finding PowerShell activity with LEM
Awesome sauce! I am familiar with some of the other sysinternals, but haven't worked with sysmon.
Thanks mikosmall!!!
Re: SEM\LEM not showing all events
At the end of the day those connector tools are just a big list of regex rules that parse the incoming event and decide what type of event they are and break out all the parts of the message for normalization. I've felt hackish before and exported mine out and imported back in a modified version as a new connector profile, but obviously that kind of thing is unsupported.
Re: How to get Windows 10 system with a Docker Container sending logs to the SEM?
Most likely, I believe that installing Docker creates a new network interface (used internally for Docker) on the device with a different hostname and network parameters, and the agent messages are being associated with that interface instead of the one you are expecting. This is not too different from the case where a laptop will show up twice because it sends traffic via the wired and wireless NICs, and I bet a similar solution would work here, where you can specify the interface to use or just hard-code the host you want it to show up as.
Re: How to get Windows 10 system with a Docker Container sending logs to the SEM?
Thank you both for your helpful responses. I'm doing some testing with the options, and I think you have pointed me in the direction of how to solve it.
Re: SEM\LEM not showing all events
I wish I had a better understanding of doing just that. This program feels vastly different than the other SolarWinds products I've used.
But on the plus side I did manage to get my problem resolved, and it was just about what you have done, except I didn't do it. The Dev team over at SolarWinds managed to write me up a new connector, gave me instructions on how to upload it and … with a tech support call managed to get the switches using it. I'm still confused as to how this all works, but what you're saying makes sense: all that connector does is filter out information. This new connector doesn't do any of that, just posts the raw data. With that said, I'm guessing I've increased my events from, say, 10 a week per switch to around 10k, well below what my system can handle, but we shall see as I start increasing what is sent. That procedure, well, that's an entirely different subject.
For those having the same problem, I wish I could give you a step by step on how to resolve this, but it required getting the connector from SolarWinds.
Start script for the Linux (SEM) agent on v7 of Oracle Linux (systemd based)
I am looking at the Linux agent installation documentation (below) and it applies to v6 of Linux (configuring a script in /etc/init.d).
Installed SEM version = 2019.4
Install the SEM Agent on Linux and Unix
It also notes:
To configure the SEM Agent to start automatically on boot, add /etc/init.d/swsem-agent
(or swsem-agent) to your list of startup scripts.
Does the installation provide a default template script?
Thanks,
Randy
Re: thwack Store
I purchased a THWACK backpack late last year. Recently, the zipper on one of the front pouches came apart. Do the backpacks have any guarantee associated with them?
Forward Multiple SEMs to One Location
We have 2 SEM installs in our environment because of network constraints and latency. A 500 and a 100.
Is there any way to get the SEM 100 to send its events to the SEM 500 so that we can build an overall dashboard and only check one place instead of logging into 2 websites?