Re: Agent Log Forwarding?
So, if I read that right, you've defined... A → B → C. Can communication go back? Is it just that one direction or can we do...? A ↔ B ↔ C If B can communicate both ways with A and C, it seems like...
Re: suspicious DNS traffic rule
Thank you curtisi. In what scenario is receiving 192.168.1.1 as the destination IP acceptable? It seems to be a generic Linksys router? i.e. VPN?
Re: Windows OS Rules
Curtisi, thanks for your reply. I followed the same steps but am not able to get the time sync. In our infra, most of the Windows hosts are Server 2008 R2, and we are a PCI compliance company. We want to...
Re: Windows OS Rules
Go to Build --> Rules in the LEM, open the Compliance section and pick PCI. That will highlight the rule templates for PCI. Turn them on at your discretion.
Re: suspicious DNS traffic rule
Is your internal network a class C? If not, it could be a VPN, or someone has a device plugged into the network that they ought not to, maybe?
Re: suspicious DNS traffic rule
Internal is class A. When a person VPNs, is this categorized as suspicious DNS? Thanks for the help.
ICYMI: LEM Live Training Courses
Hey all, I saw this in announcements and wanted to make sure you saw it here. A LEM course has been added to the live training course repertoire. More info in the announcement, and some good feedback...
nDepth: find source of AD account deletion
I want to build an nDepth filter to find the source of an Active Directory account deletion. I wouldn't mind getting email alerts for this either, but primarily I need to build an nDepth filter...
Re: Log Forwarder Syslog Message Text missing
I contacted support and it's a known bug in 1.2. Dev are working on it. I was instructed to use version 1.1.19 which worked fine for me on 2008/2008R2/2012 R2 ;P)
PowerShell event logging
PowerShell v5 has improvements for logging and a new Event Group, PowerShell (in v2 the group was called Windows PowerShell). It would be really useful to have a connector for this.
Re: suspicious DNS traffic rule
Only if the VPN is using TCP port 53. I mean, this might be crazy talk, but the point of that rule is to identify suspicious traffic...maybe you have some and need to investigate where the class C...
Cisco ASA and syslog severity levels
What severity level is recommended for Cisco ASA? Thoughts? We are seeing dropped connections and this feels informational. Cisco ASA 5500 Series Configuration Guide using the CLI, 8.2 - Configuring...
Re: nDepth: find source of AD account deletion
To do this I use correlations: DeleteDomainMember.ProviderSID = *4726* AND DeleteDomainMember.EventInfo NOT= *$* The $ bit just filters out machine accounts. Other useful ones are Disable...
Re: Cisco ASA and syslog severity levels
There are some messages only logged at higher levels (max = 7) that CAN be useful, so based on experience with a lot of customers that's where the initial recommendation got set. Starting at one step...
Re: nDepth: find source of AD account deletion
I'll give those a shot, thank you for the help twuk!
Re: Windows Log Subscriptions
Would using Windows Event forwarding to a central server which has the log forwarder save on LEM agent licenses?
How do I search a string in a log?
I'm using LEM on a client, but it's not bringing the logs. And I need to know how to search for a string (word) within the log. How do I do this?