Channel: THWACK: Message List - Security Event Manager (SEM) - Formerly Log & Event Manager

3COM Switch events not populating

Hello,

First post here. I have set up a 3Com Baseline Switch 2928-SFP Plus to send logs to my SEM appliance.

I know it is sending because I've SSH'ed into the appliance, viewed the local log and I see raw data there.

I have my connector set up for the 3Com switch, log file "/var/log/local7.log" where I saw the raw data, and output set to RAW + Normalized so I see everything, not just the normalized data.

I go to non-agent nodes, I get nothing.

I try to add Syslog nodes based on the switch's IP, but no nodes are found.

When I click on the "i" icon to the right of my connector it says "Gathers events from the following 3com switches: 4400, 4500, 4500G, 4800G, 5500, 5500G, 7750, 8800, S7900E." So am I to understand my switch is not supported?

Any ideas... anyone?


Re: 3COM Switch events not populating

Hi,

The listing shows devices that we know have the same log format for this connector. Many times they have the same OS on these devices that log things in the same way.

Based on what you are saying it sounds like the format is not the same format as the others. Your best bet would be to open up a support case and they can take a look.

Re: Finding PowerShell activity with LEM

Hey scott.driver, you can use GPO to set up a policy to log PowerShell events (see "Configure PowerShell logging to see PowerShell anomalies in Splunk UBA" in the Splunk Documentation). And install Sysmon on the hosts (Sysmon - Windows Sysinternals | Microsoft Docs). For the Sysmon install you could use GPO or PowerShell. I did it manually because I didn't have that many hosts. After those are running, install the LEM agent on each host and add a new connector in LEM. You should have everything working at that point. Did that answer your question Scott?

LEM 6.5 quit processing local4

We have multiple ASAs logging to LEM 6.5. We experienced an outage causing the server hosting LEM to crash. The LEM console boots normally but no records are being processed by LEM. I can run a checklogs and verify data is being written to [16]: Syslog local4 Log. The LEM console is showing no data for the nodes. I can't locate any good troubleshooting documents. It appears the connector won't start even though it is configured correctly. I've got a ticket open, it is taking a while to get picked up. Any help would be appreciated.

Re: LEM 6.5 quit processing local4

I just looked into your support ticket, and can see that a member of the team is going to schedule a WebEx with you to investigate the root cause. I'll keep an eye on the case to ensure you get a satisfactory outcome. If there's anything you need just let me know.

Failed Authentication Attempts

Is anyone else seeing multiple events logged for the same failed authentication attempt?

When one user fails to authenticate to a server, there are sometimes 5+ events that appear, all within one second of each other. It's sorta making it tough to determine which behaviors are abnormal and deserve IR team focus. It may be something I've configured incorrectly - not gonna lie, I'm still not great at this. lol

Thanks in advance for any advice anyone can offer!
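The duplicate-event problem described in this post, handled the way an analyst would before counting attempts. This is an added example, not part of the thread and not SEM code: events with the same user, host and source IP that arrive within one second of each other are merged into a single attempt, and only the collapsed count is compared against a threshold. The field layout and the sample events are constructed.

```python
"""Collapse near-duplicate failed-logon events before hunting for anomalies.
Added example, not from the thread or from SolarWinds SEM; the field layout
(timestamp, user, host, source IP) and the sample events are constructed."""
from datetime import datetime, timedelta

# Constructed sample: alice's single failure is logged five times within a
# second by different subsystems; bob really does fail four separate times.
RAW_EVENTS = [
    ("2019-11-05 09:12:01.050", "alice", "srv-fs01", "10.0.5.23"),
    ("2019-11-05 09:12:01.120", "alice", "srv-fs01", "10.0.5.23"),
    ("2019-11-05 09:12:01.480", "alice", "srv-fs01", "10.0.5.23"),
    ("2019-11-05 09:12:01.900", "alice", "srv-fs01", "10.0.5.23"),
    ("2019-11-05 09:12:02.300", "alice", "srv-fs01", "10.0.5.23"),
    ("2019-11-05 09:14:10.000", "bob", "srv-fs01", "10.0.7.8"),
    ("2019-11-05 09:14:12.000", "bob", "srv-fs01", "10.0.7.8"),
    ("2019-11-05 09:14:14.000", "bob", "srv-fs01", "10.0.7.8"),
    ("2019-11-05 09:14:16.000", "bob", "srv-fs01", "10.0.7.8"),
]

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")

def collapse(events, window=timedelta(seconds=1)):
    """Merge events sharing (user, host, source) that arrive within `window`
    of the previous event in that group. Returns one tuple per distinct
    attempt: (first_ts, user, host, source, raw_event_count)."""
    groups, open_idx = [], {}
    for ts_text, user, host, src in sorted(events, key=lambda e: e[0]):
        ts, key = parse_ts(ts_text), (user, host, src)
        idx = open_idx.get(key)
        if idx is not None and ts - groups[idx]["last"] <= window:
            groups[idx]["last"] = ts
            groups[idx]["raw"] += 1
            continue
        groups.append({"first": ts, "last": ts, "key": key, "raw": 1})
        open_idx[key] = len(groups) - 1
    return [(g["first"], *g["key"], g["raw"]) for g in groups]

def distinct_attempts(events, window=timedelta(seconds=1)):
    """Count distinct failed attempts per (user, host) after collapsing."""
    counts = {}
    for _first, user, host, _src, _raw in collapse(events, window):
        counts[(user, host)] = counts.get((user, host), 0) + 1
    return counts

def flag(events, threshold=3):
    """(user, host) pairs whose distinct attempts reach the threshold."""
    return sorted(k for k, n in distinct_attempts(events).items() if n >= threshold)
```

Counting raw events would rank alice (5 events) above bob (4 events); after collapsing, alice is one attempt and bob is four, and only bob crosses the threshold.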

Re: LEM 6.5 quit processing local4

Support tried clearing the indexes on the database, then restarting it. As the next step he just recreated the connector. That seemed to ultimately solve the issue.

Secondary interfaces on agent nodes eating up licenses!

I have an issue I've noticed becoming a problem for me. Many of my Windows agent nodes that have secondary network interfaces are all showing up as non-agent nodes in addition to the main agent node in manage nodes. This makes one machine eat up more than one license from my license pool. I have many developers that add weird extra interfaces to their Windows machines, and each one, when it sends traffic, shows up as a new node in manage nodes. Why are secondary interfaces costing me against my license? Shouldn't the agent be smart enough to know it's the same machine in the database?

Regards,

Bill


Re: LEM 6.5 quit processing local4

That was quick, I'm glad you got it worked out! Mark the solution so everyone knows now!

Bill

Re: SEM\LEM not showing all events

I'd be curious to know what you've done like this, mesverrum, it sounds interesting... have you tried to make one from scratch before, or figured out the syntax pretty well now?

Bill

Re: SEM\LEM not showing all events

I was modifying an existing template as a one-off, but the syntax I was messing with was basically just regex with capture groups. Building the logic wasn't rocket science, but to build one completely from scratch would be a pretty significant amount of work to create all the rules.
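An added illustration of the capture-group approach mesverrum describes, combined with the RAW + Normalized output mode the 3Com poster switched on earlier in this list. This is not SEM's connector code: a connector-style pattern with named groups normalizes the lines it recognizes and keeps every other line as raw, so a format the pattern was not written for is visible instead of silently dropped. The syslog lines and the pattern are constructed and are not the real 3Com format.

```python
"""Connector-style normalization with regex capture groups.
Added example, not SEM's own connector code. The sample lines and the
pattern are constructed; a real switch format will differ."""
import re

# Constructed sample: two lines in the layout the pattern expects and one
# from a model that logs the same thing in a different layout.
SAMPLE_LINES = [
    "<190>Nov  5 09:12:01 sw-core01 %%10SHELL/5/LOGIN: admin login from 10.0.5.23",
    "<190>Nov  5 09:12:05 sw-core01 %%10SHELL/5/LOGOUT: admin logout from 10.0.5.23",
    "<190>Nov  5 09:13:00 sw-edge07 SHELL: user admin failed login from 10.0.5.9",
]

# Named capture groups become the normalized fields.
PATTERN = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"%%\d+(?P<module>\w+)/(?P<sev>\d)/(?P<event>\w+): (?P<msg>.*)$"
)

def normalize(line):
    """Return the raw line plus its normalized fields, or None if no match."""
    m = PATTERN.match(line)
    if not m:
        return {"raw": line, "normalized": None}
    fields = m.groupdict()
    # Syslog PRI = facility * 8 + level; 190 decodes to local7 / informational.
    fields["facility"], fields["level"] = divmod(int(fields["pri"]), 8)
    return {"raw": line, "normalized": fields}

def run_connector(lines, mode="RAW+NORMALIZED"):
    """Emulate the two output modes: NORMALIZED drops unmatched lines,
    RAW+NORMALIZED passes them through so the mismatch is visible."""
    out = []
    for line in lines:
        rec = normalize(line)
        if rec["normalized"] is None and mode == "NORMALIZED":
            continue
        out.append(rec)
    return out

def match_rate(lines):
    """(matched, total): a low ratio means the pattern does not fit the device."""
    return sum(1 for l in lines if PATTERN.match(l)), len(lines)
```

Priority 190 decodes to facility 23, which is local7, so these lines would land in /var/log/local7.log as in the 3Com post; the unmatched third line is exactly the case where a device is missing from a connector's supported list.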

Re: Secondary interfaces on agent nodes eating up licenses!

Hey Bill - if there are logs being transmitted from the additional interfaces, they will appear in SEM based on the source IP of those logs. However, I'd recommend creating a support ticket as there are tweaks that can be made to the agent config files which *should* deal with the issue.

Re: Secondary interfaces on agent nodes eating up licenses!

Thanks! I will do just that because I have developers that create random interfaces all day long and it's killing my licences.

Bill

Checkpoint 80.30

Has anyone integrated SEM with Checkpoint SMS 80.30 using NG LEA? I currently have an NG LEA connector connected to a Checkpoint firewall version R77; will this connector interfere with connecting to an R80.30 firewall if it is stopped while I'm attempting to transition to the 80.30?

I keep receiving the following error.

The SIC infrastructure was unable to establish the connection.

Update to SEM 2019.4 went really smooth...

The new HTML5 interface is getting better and better! Now if we can get licensing to be a little more flexible we'll really be in good shape! I love the SEM upgrade process. SEM really is a compact virtual appliance. It's amazing what all can fit in that iso.


SEM Agent installation on Windows 2019 DC (domain controller)

Hi,

As in the subject, I have a problem with installing the SEM 2019.4 agent on my new domain controller. Could anybody look at the error (in the attachment)?

Bartek

SEM Appliance Security Information

How to upgrade LEM 6.3.1 to the latest

Hello,

I need to upgrade my LEM 6.3.1 to SEM 2019.4.

LEM is mounted in VMware.

Please can anyone help me?

Thanks

Re: How to upgrade LEM 6.3.1 to the latest

How to Integrate SEM (LEM) to IBM XGS 3100 (IPS/IDS)

I need to integrate SEM (LEM) with IBM XGS 3100 (IPS/IDS) to get its logs into SEM. Help required.
