Re: Prevent mass file operations?
I have seen clients use LEM primarily as a reporting SIEM with limited active response. In one instance of an active response, the user was locked out of the network - and the user happened to be the...
Re: LEM Reporting - How to build reports on explicit data-sets?
The only time I have seen this type of specific reporting is with a company that had a Crystal Reports developer on staff. To generate the specific event, at least in syslog, I have used the Kiwi Syslog...
Re: Ideal system requirements and settings for LEM
The first thing to do is to send the All Events filter to nDepth. This will give you the number of events per 10 mins. Times that by 6 to give you the number of events per hour. Check the LEM...
Re: Prevent mass file operations?
If you're deleting hundreds or thousands of files, you should be able to kill the operation, as Windows continues to check account and permissions as it processes each file.
Re: Ideal system requirements and settings for LEM
Another way is the Database Maintenance Report - it should be very fast to run since it's only checking the metadata on the indexed data, not actually pulling the results.
Re: LEM Reporting - How to build reports on explicit data-sets?
In this case I was really hoping to use the reports because I can have it save out to a UNC path which can then be made available to a client to look at their reports. The problem is I need a way to...
Re: LEM Reporting - How to build reports on explicit data-sets?
Using the Kiwi Syslog generator would be good; however, I manage LEM in a lot of different environments and I would rather not put that tool in each of those environments as well.
Re: Ideal system requirements and settings for LEM
Thank you. Could you explain the Alert Partition Information section in the Database Maintenance Report? Aka: Key, first and last ID, low and high manager, event count and span. The advice about nDepth...
Re: new syslog node
Even if it is not a valid vendor, LEM will save all syslogs it receives. Without the proper connector, it will not parse the data - but you can still search the raw syslog using nDepth. Amit...
Re: new syslog node
Hi, I have the same problem as mska. My firewall is not in the node vendor list. When I add a node using the "Add node" button, I choose "All vendors" and let LEM scan for me. After a long scan, it...
Re: new syslog node
anthonychlee and mska: Regardless of vendor, the first step is to configure your syslog device to send syslog to the LEM. If you haven't done that, scanning for new nodes won't ever find anything....
Re: new syslog node
Thanks, curtisi. I managed to read the syslog using nDepth. Will contact my vendor regarding the request of creating a new connector.
Network Devices Node IP and node name disappeared
Dears, kindly note that this issue is happening with the majority of the nodes (Network Devices); as shown in the attached screenshot, the IP and device names disappeared.
Re: Prevent mass file operations?
curtisi, speaking of disabling accounts, how is LEM able to accomplish this? I mean, for actions like "Disable Domain User Account" or even "Remove Domain User from Group", how does LEM obtain the...
Re: LEM Reporting - How to build reports on explicit data-sets?
I called and talked with support today and they confirmed that this is not possible.
Re: LEM Reporting - How to build reports on explicit data-sets?
I'm not sure why - all the fields for the report should show up in the select expert, so even though you haven't seen say DestinationAccount of npauls, you should be able to add a target criteria of...
Re: How do I create a filter in the monitor for connector profiles?
What you probably want is: <whatever events you want>.DetectionIP = <connector profile>, e.g.: Any Alert.DetectionIP = <connector profile>. That way you're specifying 'show me any event...
Re: Prevent mass file operations?
Using the LEM agent on the system, which runs as SYSTEM. On a DC that means we can do domain-level operations, on the local system, it means we can do system-level operations.
Re: Prevent mass file operations?
You could also use logoff user if you've got an agent on the system, it might interrupt them... all of these things are after the fact, but if they are doing a lot of damage you could catch it...