Scan for new node running for hours
Hi there, thanks for reading. I'm seeing that a node discovery has been running for a few hours now. It appears to be active, but my network just isn't that big! I'm checking the CLI to see if messages from...
Configure data compression?
Is there a way to configure LEM data compression in such a way as to maintain more and/or less uncompressed data? Let's say I have a case where I want to have one month of uncompressed data available to...
Re: Scan for new node running for hours
Fixing the immediate problem: SSH into the LEM and issue a Reboot. Okay, I'm going to put this here for all time (or until we change this): Friends don't let friends "Scan for New Nodes"! I'm going to...
Re: Configure data compression?
Thanks curtisi; exactly what I thought. I have gone ahead and submitted a feature request HERE for the ability to do this myself.
How LEM manages logs with different time zone or no time zone
There could be a case where the appliances being managed are in different countries and in different time zones, and LEM is in yet another time zone. Products like FortiGate don't give time zone information...
Re: How LEM manages logs with different time zone or no time zone
LEM converts everything to Unix Epoch, so time zone doesn't matter.
Re: Need LEM agent UNinstaller
That worked great for me, but with over 100 systems it is taking a while to remove. As long as I don't have to restart said boxes, I'll be OK with that.
Re: How LEM manages logs with different time zone or no time zone
The DetectionTime value is taken from the log, and effectively a timestamp with timezone is assigned to stamp an absolute time at the time the log is read (say, at the agent, syslog server, or if...
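The two replies above describe the same pipeline step: the time is read out of the log, a zone is attached at the point where the line is read, and the result is stored as an absolute epoch. The following is an added example to illustrate that step; it is not SolarWinds/LEM code and says nothing about how LEM implements it internally. The sample lines are constructed, and the FortiGate-style key names (date=, time=, tz=) are assumptions about the log format used only for illustration.

```python
"""Normalising log timestamps to Unix epoch, with and without a zone in the log.

Added example, not SolarWinds/LEM code. Sample lines are constructed; the
FortiGate-style keys (date=, time=, tz=) are assumed, not verified against
any firmware release.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines. The first two carry the same wall-clock time; only
# the second says which zone that clock is in. The third is an RFC 3339
# syslog timestamp with an explicit offset.
SAMPLES = [
    'date=2019-03-10 time=14:05:07 devname="fw1" logid="0000000013" type="traffic"',
    'date=2019-03-10 time=14:05:07 tz="-0500" devname="fw2" logid="0000000013" type="traffic"',
    '2019-03-10T14:05:07+02:00 host1 sshd[123]: Accepted publickey for ops from 10.0.0.4',
]

KV_RE = re.compile(r'date=(\d{4}-\d{2}-\d{2}) time=(\d{2}:\d{2}:\d{2})(?: tz="([+-]\d{4})")?')
ISO_RE = re.compile(r'^(\d{4}-\d{2}-\d{2})T(\d{2}:\d{2}:\d{2})(Z|[+-]\d{2}:?\d{2})')


def zone(offset):
    """'+0200', '+02:00' or 'Z' -> tzinfo."""
    if offset == "Z":
        return timezone.utc
    digits = offset.replace(":", "")
    sign = 1 if digits[0] == "+" else -1
    return timezone(sign * timedelta(hours=int(digits[1:3]), minutes=int(digits[3:5])))


def to_epoch(line, collector_offset="+0000"):
    """Return (epoch_seconds, zone_came_from_log).

    If the log carries no zone, the clock is interpreted in collector_offset,
    i.e. the zone of whatever read the line (agent, syslog server, appliance).
    That is the step where a wrong assumption silently shifts every event.
    """
    m = KV_RE.search(line)
    if m:
        date, clock, tz = m.groups()
        tzinfo = zone(tz) if tz else zone(collector_offset)
        dt = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=tzinfo)
        return int(dt.timestamp()), tz is not None
    m = ISO_RE.match(line)
    if m:
        date, clock, tz = m.groups()
        dt = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=zone(tz))
        return int(dt.timestamp()), True
    raise ValueError("no recognised timestamp in: " + line)


def skew_seconds(line, assumed_offset, actual_offset):
    """How far off an event lands when the collector assumes the wrong zone
    for a zone-less line; 0 for lines that carry their own zone."""
    wrong, from_log = to_epoch(line, assumed_offset)
    if from_log:
        return 0
    right, _ = to_epoch(line, actual_offset)
    return wrong - right


if __name__ == "__main__":
    for line in SAMPLES:
        print(to_epoch(line, "-0500"), line[:40])
    # A zone-less line read by a collector that assumes UTC, from a device
    # whose clock is really UTC-5, is stamped five hours early: -18000
    print(skew_seconds(SAMPLES[0], "+0000", "-0500"))
```

The practical check this suggests: for any source that omits the zone, confirm that the agent or syslog relay reading it is configured for the device's actual zone, otherwise every event from that device is stored with a constant offset and will not line up with events from sources that do carry one.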
Filtering ASA messages by source interface or mapped address
I have a scenario where we are migrating connections between providers, and during the process both old and new public IPs are valid. In this situation traffic can enter from either outside2 (old...
Re: Filtering ASA messages by source interface or mapped address
Changing the normalization would be a feature request to Support. You can set up LEM to collect the raw messages; take a look here: Configure your LEM appliance for log message storage and nDepth search
LEM getting alerts from some DCs but not others?
I've been setting up alerts for changes made in the Domain Admin group and everything is going well - I have rules to send emails immediately, filters to view in the Monitor section real-time, and...
Re: Filtering ASA messages by source interface or mapped address
Thanks for the response. I already have LEM configured to collect raw messages, but I guess I'm not sure now how I search the raw data. This line from the link you provided is what's confusing: nDepth...
Re: Filtering ASA messages by source interface or mapped address
When you enable the raw log capture, you'll have a new option in the Explore --> nDepth screen to look exclusively at the raw logs.
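Once the raw ASA messages are being kept, the interface name and the mapped (NAT) address are both present in the message text even though the normalised event does not expose them. The following added example, which is not SolarWinds/LEM code and not an nDepth query, shows the filter the original poster is after expressed over raw lines. The sample messages are constructed to follow the documented shape of ASA 302013 (TCP) and 302015 (UDP) "Built ... connection" messages; the interface names outside2, outside and dmz and all addresses are assumptions.

```python
"""Filtering raw Cisco ASA connection messages by source interface or mapped address.

Added example, not SolarWinds/LEM code. Sample lines are constructed.
"""
import re

# Constructed sample messages: one DMZ server reachable through the old
# provider (source interface outside2, mapped 203.0.113.10) and the new one
# (source interface outside, mapped 192.0.2.10), an outbound UDP flow, and a
# teardown (302014), which carries no mapped addresses and is ignored.
SAMPLES = [
    "%ASA-6-302013: Built inbound TCP connection 71231 for outside2:198.51.100.7/51234 "
    "(198.51.100.7/51234) to dmz:10.1.1.20/443 (203.0.113.10/443)",
    "%ASA-6-302013: Built inbound TCP connection 71232 for outside:198.51.100.7/51235 "
    "(198.51.100.7/51235) to dmz:10.1.1.20/443 (192.0.2.10/443)",
    "%ASA-6-302015: Built outbound UDP connection 71233 for inside:10.0.0.9/53111 "
    "(203.0.113.1/53111) to outside:192.0.2.53/53 (192.0.2.53/53)",
    "%ASA-6-302014: Teardown TCP connection 71231 for outside2:198.51.100.7/51234 "
    "to dmz:10.1.1.20/443 duration 0:00:05 bytes 2048 TCP FINs",
]

# Shape: Built {inbound|outbound} {TCP|UDP} connection <id> for
#        <if>:<real-ip>/<port> (<mapped-ip>/<port>) to
#        <if>:<real-ip>/<port> (<mapped-ip>/<port>)
# The optional identity-firewall "(user)" field after either endpoint is not
# handled here. search() rather than match() tolerates a hostname/timestamp
# prefix added by the syslog transport.
ASA_BUILT_RE = re.compile(
    r"%ASA-\d-30201[35]: Built (?P<direction>inbound|outbound) (?P<proto>TCP|UDP) "
    r"connection (?P<id>\d+) for "
    r"(?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"\((?P<src_map_ip>[\d.]+)/(?P<src_map_port>\d+)\) to "
    r"(?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"\((?P<dst_map_ip>[\d.]+)/(?P<dst_map_port>\d+)\)"
)


def parse_asa_built(line):
    """Return a dict of the connection fields, or None for any other message."""
    m = ASA_BUILT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("id", "src_port", "src_map_port", "dst_port", "dst_map_port"):
        rec[key] = int(rec[key])
    return rec


def select(lines, source_interface=None, mapped_address=None):
    """Connection ids of Built messages whose source interface is
    source_interface and/or whose mapped address on either end is
    mapped_address. Omitted criteria are not applied."""
    hits = []
    for line in lines:
        rec = parse_asa_built(line)
        if rec is None:
            continue
        if source_interface and rec["src_if"] != source_interface:
            continue
        if mapped_address and mapped_address not in (rec["src_map_ip"], rec["dst_map_ip"]):
            continue
        hits.append(rec["id"])
    return hits


if __name__ == "__main__":
    print("via old provider:", select(SAMPLES, source_interface="outside2"))
    print("to old public IP:", select(SAMPLES, mapped_address="203.0.113.10"))
    print("to new public IP:", select(SAMPLES, mapped_address="192.0.2.10"))
```

Filtering on the source interface alone tells you which provider a flow arrived through; filtering on the mapped address alone tells you which public IP was hit regardless of interface. During a migration you want both views, so the cut-over can be confirmed by the old mapped address going quiet before the old interface is retired.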
Re: LEM getting alerts from some DCs but not others?
Hey Itco... It sounds like the secondary DCs do not have the audit policies in place to create event logs for changes. Please see this KB for information on configuring the Audit Policy: To set Windows...
Re: Saved nDepth Searches Not Really Saved?
I have been playing around a little bit with this to try to reproduce your problem but I am unable to. When I select a saved search from the bottom left Saved Searches menu, and then make a change to...
Re: Sorting by field within a user-defined group
I assume you are talking about the Result Details window of an nDepth search? Sadly there is no way to change how the Result Details window displays its data to you, even to sort it. But you can export...
Re: Palo Alto and Fortigate Logs
If anyone gets this figured out, I would like to know what they did. We are adding some Fortinet devices that I would love to monitor through LEM, but the data is not coming out nicely or usable at all.
Best endpoint protection and hardening for LEM VM?
We want to stay extremely hardened, so I'm wondering what might be the best endpoint real-time anti-malware software I can run on our Log & Event Manager VM? Any other hardening suggestions for LEM?
Re: Is there a list of LEM Best Practices, or Most Common Rules?
I do not think there is an FAQ out there that has common rules or best practices for the LEM product specifically. You can probably find some stuff that is SIEM-generic out there somewhere, though....