Hi everyone,
So I am establishing new rules in LEM and need some advice. I would like to monitor all access to certain servers. Firstly, I wanted to ask: what other information should I be monitoring other than logging? The other question is my current rule layout.
At the moment I have a UserLogin AND rule and UserLogin.insertionIP=*server name* OR rules for the specific server. At the moment the only logging I'm getting is polling from Orion trying to get info from the server. How can I configure it to look for actual users accessing the servers? E.g. the sysadmins or anyone else, with or without access?
Thank you!
Nickolas