Channel: THWACK: Message List - Security Event Manager (SEM) - Formerly Log & Event Manager

Re: LEM ver 6.2.1 - nDepth search by Name and by IP return different results - Why is that?

Let me back up as well and explain the goal/objective. I am an IT Auditor testing our system of internal controls against policy and reporting on what I find.

The topic is Logging. Our policy states anything attached to our network is to be logged to our centralized SIEM solution (Solarwinds LEM). Each week a sample set of network devices (switches, routers, firewalls, etc.) and servers (Windows, Linux, etc.) from an inventory list is selected and I perform manual nDepth searches for evidence of log data. In this initial phase, I am just looking for evidence that some log records exist. In the next phase, we'll be testing for the type of log records we actually log. The second piece is probably a whole different discussion topic as to the proper setup of logging on devices/servers using best practices.

So I'm looking for any log records generated by my sample device/machine. It sounds from your explanation that what I really need is (IP Address = hostname OR IP Address = IP) in my search string.

 

Question: Can you clarify the meaning behind the different fields? While they appear obvious, it wasn't obvious that "IP Address" consisted of all of these:

Detection IP

Insertion IP

SourceMachine

DestinationMachine

Question: Is this documented anywhere within the Solarwinds manuals? If so, could you cite your source please. Trust but verify ☺

Thanks!
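As an added example (not part of this thread and not SolarWinds code), the Python below simulates the audit check described in the post over constructed event records: for each sampled inventory device it runs a "by name" search, a "by IP" search, and the combined (IP Address = hostname OR IP Address = IP) search across the four fields the thread says make up "IP Address", and reports devices with no evidence of logging. The field names and the OR-search idea come from the thread; the event dictionaries and device list are constructed here and do not reproduce LEM's actual export format or nDepth query engine.

```python
"""Local simulation of the audit check: which sampled devices have log evidence?

The four field names come from the thread; every record below is constructed
sample data, not LEM output. Matching is exact (case-insensitive) per field,
which is an assumption about how the nDepth "IP Address" term behaves.
"""
from dataclasses import dataclass
from ipaddress import ip_address

# Fields the thread says are searched when you query "IP Address".
IP_ADDRESS_FIELDS = ("DetectionIP", "InsertionIP", "SourceMachine", "DestinationMachine")


@dataclass(frozen=True)
class Device:
    hostname: str
    ip: str


def _norm(value):
    """Lower-case hostnames and canonicalise IP literals so comparisons are stable."""
    v = str(value).strip().lower()
    try:
        return str(ip_address(v))
    except ValueError:
        return v


def matching_events(events, needle):
    """Events where any 'IP Address' field equals needle (one search term)."""
    n = _norm(needle)
    return [e for e in events if any(_norm(e.get(f, "")) == n for f in IP_ADDRESS_FIELDS)]


def search_by_name(events, device):
    return matching_events(events, device.hostname)


def search_by_ip(events, device):
    return matching_events(events, device.ip)


def search_by_either(events, device):
    """(IP Address = hostname OR IP Address = ip), de-duplicated by record identity."""
    seen, out = set(), []
    for e in search_by_name(events, device) + search_by_ip(events, device):
        if id(e) not in seen:
            seen.add(id(e))
            out.append(e)
    return out


def evidence_report(devices, events):
    """Per-device hit counts for each search style; shows why name/IP searches differ."""
    return {
        d.hostname: {
            "by_name": len(search_by_name(events, d)),
            "by_ip": len(search_by_ip(events, d)),
            "either": len(search_by_either(events, d)),
        }
        for d in devices
    }


def devices_without_evidence(devices, events):
    """Audit finding: sampled devices with zero records under the combined search."""
    return sorted(d.hostname for d in devices if not search_by_either(events, d))


# Constructed sample inventory and events (10.0.0.5 stands in for the collector).
SAMPLE_DEVICES = [
    Device("core-sw01", "10.0.0.1"),
    Device("fw-edge", "10.0.0.254"),
    Device("lin-web03", "10.0.1.30"),
]
SAMPLE_EVENTS = [
    # switch reports itself only by IP -> invisible to a hostname search
    {"DetectionIP": "10.0.0.1", "InsertionIP": "10.0.0.5", "SourceMachine": "", "DestinationMachine": ""},
    # firewall appears only by (upper-cased) hostname -> invisible to an IP search
    {"DetectionIP": "10.0.0.5", "InsertionIP": "10.0.0.5", "SourceMachine": "FW-EDGE", "DestinationMachine": "10.0.1.7"},
    # firewall appears by both IP and hostname in the same record
    {"DetectionIP": "10.0.0.254", "InsertionIP": "10.0.0.5", "SourceMachine": "fw-edge", "DestinationMachine": ""},
    # switch seen only as a destination from another host
    {"DetectionIP": "10.0.0.9", "InsertionIP": "10.0.0.5", "SourceMachine": "other-host", "DestinationMachine": "10.0.0.1"},
]

if __name__ == "__main__":
    for host, counts in evidence_report(SAMPLE_DEVICES, SAMPLE_EVENTS).items():
        print(f"{host:12} {counts}")
    print("no evidence:", devices_without_evidence(SAMPLE_DEVICES, SAMPLE_EVENTS))
```

The report makes the thread's original puzzle concrete: a device whose records carry only its IP scores zero on a name search, and one logged only by hostname scores zero on an IP search, while the OR search counts both. For the audit, only the combined result should decide whether a device is "logging"; a zero on one search alone is an inventory or naming gap, not necessarily a missing log source.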
