Channel: THWACK: Message List - Security Event Manager (SEM) - Formerly Log & Event Manager

Store and Retrieve Windows Event Logs

Our security posture requires that we store Windows Event Logs (Application, System and Security) for one year. I am still relatively new to LEM, so am not sure archiveconfig will meet this requirement...

Re: Create Rule to warn when no events are received - Offline Node

Hello, I don't believe what you are looking for is possible to do in LEM. There is no feature which lets you pick 0 events in LEM. [You would have to submit a feature request for this.] There are...

Re: Store and Retrieve Windows Event Logs

I'd recommend looking through the following article to get a good understanding of LEM retention; there is no option which lets you pick how many days in total it should store the event logs for....

Re: traffic but no agent

Hi, can you provide some example of what you mean? Do you have the workstations/servers sending logs to LEM? For agentless devices you usually have to configure the device to send logs/events to LEM,...

Re: Store and Retrieve Windows Event Logs

Good articles, silverwolf, thanks. So it sounds like it is not possible to re-import backed up logs to our current LEM virtual appliance. Is that correct? Currently we only have one Manager (virtual...

want help to create a rule in LEM

Hi, I was just creating a rule in LEM in which I want multiple events clubbed in, like an alert/rule that will fire if there are three failed login attempts - two attempts from the same user and one attempt from...

Re: Store and Retrieve Windows Event Logs

Yes, you need a separate manager to restore logs. The new manager, however, does not require a license. LEM licenses are consumed when you have new data coming from sources, so since there'll be no...

Filter assistance handling multiple accounts targeting one system, and one...

I’m trying to build a couple of LEM filters. We’ve got 2 different filters we need to make, to accomplish the following… * Failed login attempts of multiple accounts, in a short period of time, on one...

Re: Filter assistance handling multiple accounts targeting one system, and...

You can't really do these things directly in a filter, as filters don't give you the correlation time options that you have when creating rules. What you could do is create rules that match these items...

How to configure the Windows server and Linux server not to install the Agent...

We bought LEM and Kiwi Syslog. Due to environmental requirements, the Agent cannot be installed on the Windows server and Linux server. How do we operate without installing the Agent and send logs to...

correlation rule for windows login

Dear Friends, I just want to create a rule for Windows domain controller login attempts. If there are three failed attempts from the same machine and then a passed logon attempt from the same machine, it should fire a rule....

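The two correlations asked about in the threads above (several failed logons followed by a successful logon from the same machine, and failed logons from many accounts against one host in a short window) are shown below as an added Python example. It is not LEM rule syntax, not the attached rule from the thread, and not LEM output; it runs a sliding-window correlation over constructed sample records shaped like Windows Security log entries. Event IDs 4625 (failed logon) and 4624 (successful logon) are the real Windows Security IDs; the host names, accounts, addresses, timestamps, thresholds and windows are assumptions chosen for the illustration.

```python
"""Windowed logon correlation over constructed Windows Security events.

Added example, not LEM rule syntax or LEM output. Event IDs 4625 (failed
logon) and 4624 (successful logon) are the real Windows Security IDs; the
hosts, accounts, addresses and timestamps below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624

# (timestamp, event_id, target_host, account, source_ip) -- constructed sample data
SAMPLE_EVENTS = [
    ("2024-01-10 09:00:01", 4625, "DC01", "alice", "10.0.0.12"),
    ("2024-01-10 09:00:05", 4625, "DC01", "alice", "10.0.0.12"),
    ("2024-01-10 09:00:09", 4625, "DC01", "alice", "10.0.0.12"),
    ("2024-01-10 09:00:15", 4624, "DC01", "alice", "10.0.0.12"),  # 3 failures, then success
    ("2024-01-10 09:10:00", 4625, "FS01", "bob", "10.0.0.50"),
    ("2024-01-10 09:10:20", 4625, "FS01", "carol", "10.0.0.50"),
    ("2024-01-10 09:10:40", 4625, "FS01", "dave", "10.0.0.50"),   # many accounts, one host
    ("2024-01-10 09:30:00", 4625, "DC01", "erin", "10.0.0.77"),
    ("2024-01-10 09:30:10", 4625, "DC01", "erin", "10.0.0.77"),
    ("2024-01-10 09:35:00", 4624, "DC01", "erin", "10.0.0.77"),   # only 2 failures, outside window
    ("2024-01-10 09:40:00", 4624, "DC01", "frank", "10.0.0.90"),  # success with no prior failures
]


def parse_events(rows):
    """Turn the raw tuples into dicts with a real datetime, sorted by time."""
    events = [
        {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "id": eid,
         "host": host, "account": acct, "src": src}
        for ts, eid, host, acct, src in rows
    ]
    return sorted(events, key=lambda e: e["ts"])


def _prune(window_deque, now, window, key=lambda item: item):
    """Drop entries older than now - window from the left of the deque."""
    while window_deque and now - key(window_deque[0]) > window:
        window_deque.popleft()


def detect_failures_then_success(events, failures=3, window=timedelta(minutes=1)):
    """Alert when `failures` failed logons from one source IP are followed by a
    successful logon from that same IP, all inside `window`.

    Returns a list of (source_ip, target_host, success_timestamp)."""
    recent_failures = defaultdict(deque)  # src -> deque of failure timestamps
    alerts = []
    for ev in events:
        q = recent_failures[ev["src"]]
        _prune(q, ev["ts"], window)
        if ev["id"] == FAILED_LOGON:
            q.append(ev["ts"])
        elif ev["id"] == SUCCESS_LOGON and len(q) >= failures:
            alerts.append((ev["src"], ev["host"], ev["ts"]))
            q.clear()  # one alert per burst, not one per later success
    return alerts


def detect_many_accounts_one_host(events, min_accounts=3, window=timedelta(minutes=2)):
    """Alert when failed logons against one target host name at least
    `min_accounts` distinct accounts inside `window` (a spray pattern).

    Returns a list of (target_host, timestamp, sorted_accounts)."""
    recent = defaultdict(deque)  # host -> deque of (ts, account) for failures
    alerts = []
    for ev in events:
        if ev["id"] != FAILED_LOGON:
            continue
        q = recent[ev["host"]]
        q.append((ev["ts"], ev["account"]))
        _prune(q, ev["ts"], window, key=lambda item: item[0])
        accounts = {acct for _, acct in q}
        if len(accounts) >= min_accounts:
            alerts.append((ev["host"], ev["ts"], tuple(sorted(accounts))))
            q.clear()
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for a in detect_failures_then_success(evs):
        print("failures-then-success:", a)
    for a in detect_many_accounts_one_host(evs):
        print("many-accounts-one-host:", a)
```

The erin burst (two failures, then a success five minutes later) is the case that silently produces nothing when the threshold or window is too tight, which is why checking the raw matching events before tuning the window, as the reply in the thread suggests, is the right first step; the `clear()` after each alert is what stops one burst from firing on every later success.
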
Re: Filter assistance handling multiple accounts targeting one system, and...

Thanks! I'll give that a shot. A tip of the hat to you, sir.

Re: correlation rule for windows login

Hey, I've attached a rule which meets your use case (kudos to curtisi for the rule). You can import it into your existing rule set & edit if required. Any questions let me know.

Re: How to configure the Windows server and Linux server not to install the...

Hi Xiang, LEM requires an agent to be installed on your Windows/Linux servers in order to transmit (and also compress & encrypt) event logs to the LEM appliance. It is not possible to transmit the...

Re: correlation rule for windows login

Thanks Jhynds/curtisi. ...Actually I tried, but it's not firing any rule. I would request that you explain this rule first. Actually, I tried to minimize the time window/response window by 1 minute,...

Re: correlation rule for windows login

Can you share a screenshot with us of what you've set up in the rule conditions? I would suggest, first things first -> create a filter with the exact same conditions that you have in your rule, then...

Re: Store and Retrieve Windows Event Logs

Ditto what Curtisi just said above.

Re: want help to create a rule in LEM

Hi, can you provide screenshots of what you mean? I am slightly confused about what it is you are seeing and not seeing.

Re: Issues with LEM. Advice would be very much appreciated. (ASAP)

If your goal is to send an email when a certain event is logged in Windows, you could do that a little differently. Read these: Getting event log contents by email on an event log trigger – John Howard...

Issue - Rule Creation Logic vs nDepth Logic

I've been having an issue working with nDepth to perform log searches vs. working in the Rule builder. When I create a Rule, the logic allows me to pull in logs from various different event sources,...
