Re: Need help with correlating two events
Are they Domain Admins, or just Local Admins, or both? You could possibly do this more simply if you wanted to by looking for domain admins and ANY local account logins (since presumably on a domain...
Re: Need help with correlating two events
That seemed to me like it might be an issue as well, as the "Destination Account" field is different between the two events (one with domain, one without). Would this not be possible to do then in this...
Re: Need help with correlating two events
This video @ 1:20 shows an example of configuring Active Directory with LEM - [VIDEO] How To Use Log and Event Manager to Alert on Unauthorized Access - it's about something else before/after that, but...
Re: Need help with correlating two events
That all makes sense, but I've already used the basic config tool to add our own domain info in LEM. This is for a client that is in our LEM console. How would I go about pulling the domain information...
Re: Need help with correlating two events
Ah - two options - You'd need to connect to their AD to pull in that info (LEM can connect to multiple domains, but you have to be able to connect to a DC, which is kind of a bummer if it's over a WAN...
Re: Need help with correlating two events
Their DC has an agent and is in LEM, and I'm sure I need to use a connector to get this? But not sure how?
Re: Alert DB of the Database Maintenance Report
Curtis, I am running LEM v6.0.1. I have attached the first and last pages of a Database Maintenance Report. T.J. (Attachments: First page of Database Maintenance Report; Last page of Database Maintenance Report)
Re: Need help with correlating two events
Usually we configure AD to connect directly from the LEM appliance, but you can try configuring it on the agent. If you go to Manage > Nodes, then select the agent on their network, then select...
Null Session Enumeration
I would like to alert if anything or anyone attempts Null Session Enumeration against Active Directory. This is twofold since I want to know if it is being done and want to stop it if possible....
Re: Null Session Enumeration
I might have found the answer for Snort but not LEM. From "The Anatomy of an Attack: Identify Null Sessions with IDS": If the registry changes or firewall rules mentioned earlier break the functionality of...
Re: Null Session Enumeration
You may be looking for this Event? NULL SID Security Log Event ID 4625 when attempting logon to 2008 R2 Remote Desktop Session Host
LEM connector for crossbeam and Daemon log file in the lem server
Hello, I'm having trouble getting traps from crossbeam to the LEM, what we noticed is that the xb sends its messages to the Daemon log on the lem server (through the cmc) and it does not forward them...
Re: Null Session Enumeration
I am going to test this and see if it shows up in the logs this week. If it works I will monitor Security Log ID 4625 and alert if it is logged when anything attempts Null Session Enumeration (NSE)....
Need to extract top web users from TMG logs using LEM
Hi all, We just purchased SolarWinds for our log monitoring. There is a new requirement to extract the monthly top 10 web users from TMG 2010 logs using LEM. Just wondering if anybody is using LEM for...
Re: LEM connector for crossbeam and Daemon log file in the lem server
You probably want to open a support ticket for a connector request, but if you're okay with it, can you run an EXPORTSYSLOG and pull the DAEMON log off the LEM and attach it here? I can test it...
Re: Need to extract top web users from TMG logs using LEM
I'd try using the "Network Traffic Audit - Web Traffic by Source Machine" report. What this tells you is the most # of hits through the proxy server by source, but it doesn't tell you anything about...
Re: Null Session Enumeration
For reference - in LEM, 4625 will either appear as MachineLogonFailure or UserLogonFailure, depending on whether the account name has a $... I'm not sure how the null SID and other details will appear,...
Re: Null Session Enumeration
I will be working with a team to generate fresh logs in the Lab. When I get the logs I will definitely know what I should search and find. I hope to have more on this tomorrow. Until then try the...
Crystal Report for customization
Hi Team, I would like to seek your assistance/advice. Please confirm where we can get the FULL edition of Crystal Reports, which is suggested if we want to add a NEW one (not listed in the built-in reports). Is it...