Re: Sending Windows event to centralized source (Kiwi?) and then forwarding.
This looks interesting, I will test it out. The only issue I foresee is that LEM will see all events as coming from one system.
Re: Sending Windows event to centralized source (Kiwi?) and then forwarding.
The detection IP should stay the same regardless of it being forwarded.
Re: Sending Windows event to centralized source (Kiwi?) and then forwarding.
Yeah, I think your biggest risk is things like events where the SIDs/GUIDs get posted into the event, and those SIDs/GUIDs need to be translated on the local system for them to come across as full...
Alert on login attempts of disabled accounts
I am pretty new to LEM (6.3.1) and am having some problems setting up a new rule. I am trying to create a rule that will email me an alert when there is a login attempt of a disabled domain account....
Re: Supporting additional Log Data Sources
If you can find a connector, you win. If not, you can send a sample to SolarWinds support and they'll generate a new one for you that you can drop in.
Fortigate 200D Active Response Operation Error
Getting the active response operation error when trying to block IPs from within LEM. It's configured default with SSH, and the user name and password I have confirmed is working and correct with...
Re: Alert on login attempts of disabled accounts
Okay, so in an effort to not put the answer on a platter... I have a test domain and I have some disabled accounts. I tried to mstsc from one server to another with a disabled account, and in LEM I...
Re: Fortigate 200D Active Response Operation Error
That TTY field is only relevant if you're making a serial connection. Assuming you have SSH selected, it shouldn't be an issue. What you may need to do is trigger the action, then run a debug on the...
Re: Alert on login attempts of disabled accounts
Thank you so much for the reply. With your help I think I am almost there. The thing I have right now is that in the correlations it says (UserAuthTicket.ExtraneousInfo="0x12"). I clicked on the "="...
Re: Alert on login attempts of disabled accounts
Correct, so I'd do *0x12* in the box, drop the quotes.
Re: Alert on login attempts of disabled accounts
I am all set. I now receive an email when a disabled domain user account is used to try to login. Thank you for stepping me through it. I think I understand a lot of different aspects of the rule...
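As an added example (not from the thread and not SolarWinds LEM code), the Python below walks constructed Windows Security 4768/4771 records and flags the ones carrying Kerberos result code 0x12, which is the match the rule in this thread expresses as UserAuthTicket.ExtraneousInfo = *0x12*. The event lines, account names and client addresses are made up for the example. One caveat when tuning such a rule: 0x12 is KDC_ERR_CLIENT_REVOKED, which the KDC returns for locked-out and expired accounts as well as disabled ones, so the alert fires for all three; a plain wrong password is 0x18 and is not matched.

```python
"""Flag Kerberos TGT/pre-auth failures with result code 0x12.

Added example, not SolarWinds LEM code. The records below are constructed
to resemble the fields LEM normalises from Security events 4768 (TGT
requested) and 4771 (pre-authentication failed); they are not real logs.
"""
import re
from collections import Counter

# Kerberos result codes seen in 4768/4771 failures. 0x12 is returned for
# disabled, locked-out and expired accounts alike, so a rule keyed on
# 0x12 alone fires for all three; 0x18 is an ordinary bad password.
KRB_RESULT = {
    "0x6": "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    "0x12": "KDC_ERR_CLIENT_REVOKED",
    "0x17": "KDC_ERR_KEY_EXPIRED",
    "0x18": "KDC_ERR_PREAUTH_FAILED",
}

# Constructed sample input, one normalised event per line (hypothetical
# users and addresses, not real LEM output).
SAMPLE_EVENTS = """\
EventID=4768 Account Name=jsmith Client Address=::ffff:10.1.2.3 Result Code=0x0
EventID=4768 Account Name=olduser Client Address=::ffff:10.1.2.9 Result Code=0x12
EventID=4771 Account Name=jsmith Client Address=::ffff:10.1.2.3 Failure Code=0x18
EventID=4771 Account Name=olduser Client Address=::ffff:10.1.2.9 Failure Code=0x12
EventID=4624 Account Name=jsmith Client Address=10.1.2.3 Logon Type=10
"""

# 4768 reports "Result Code", 4771 reports "Failure Code"; both are matched.
EVENT_RE = re.compile(
    r"EventID=(?P<id>\d+) Account Name=(?P<user>\S+) "
    r"Client Address=(?P<addr>\S+) (?:Result|Failure) Code=(?P<code>0x[0-9a-fA-F]+)"
)


def parse_events(text):
    """Yield a dict per line that carries a Kerberos result/failure code.

    Lines without such a code (e.g. a 4624 successful logon) are skipped.
    """
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["code"] = ev["code"].lower()
            yield ev


def revoked_account_attempts(text, code="0x12"):
    """Return (user, addr, event_id, reason) for every event with `code`.

    With the default code this is the same condition the thread's LEM
    rule expresses as UserAuthTicket.ExtraneousInfo = *0x12*.
    """
    reason = KRB_RESULT.get(code, "unknown")
    return [
        (ev["user"], ev["addr"], ev["id"], reason)
        for ev in parse_events(text)
        if ev["code"] == code
    ]


def attempts_per_account(text, code="0x12"):
    """Count matches per account so repeated attempts can be thresholded."""
    return Counter(user for user, _, _, _ in revoked_account_attempts(text, code))


if __name__ == "__main__":
    for hit in revoked_account_attempts(SAMPLE_EVENTS):
        print("ALERT: logon attempt with revoked/disabled account:", hit)
    print(dict(attempts_per_account(SAMPLE_EVENTS)))
```

Run it as-is to see the two 0x12 hits for the constructed `olduser` account; pass a different code (for example `"0x18"`) to `revoked_account_attempts` to pull bad-password failures instead, which is the distinction the rule's single-value match relies on.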
LEM AD Connector support for binding
The biggest issue I have had with the LEM connector, besides the one I have already seen mentioned (having to use the FQDN to sign in), is the fact that it wants to discover and display the entire forest...
LEM Reports
I have been having issues over the past few days with LEM reports. If I try to run a report for a week's worth of data, the program eventually fails and comes back with "out of system resources". Any...
Re: LEM Reports
Take a look at this: Best Practices for LEM Memory Allocation. tl;dr - sounds like you may need to give your LEM box more resources. If you run the same report for a day's timeframe and it returns data...
Re: LEM Reports
LEM keeps the last seven days' worth of data uncompressed to make Reporting and searching faster. The assumption is that you'll more frequently want to be investigating what just happened, not ancient...
Re: LEM Reports
Also best to run the Database Maintenance Report to keep track of just how many events/logs you ARE sending to the LEM. It may be a LOT more than a user is aware of.
Re: LEM Reports
So I tried to first just up the resources to 32GB of RAM but had no luck. So I just decided to schedule the report to run on Saturday morning of the current week. Thanks for the help.
Re: Palo Alto Firewall + LEM = Random Nodes?
Hello, I am having a problem getting my syslog from the Palo Alto to LEM. Can anybody help?
Re: Palo Alto Firewall + LEM = Random Nodes?
Sure, have you checked out this article? Integrate Palo Alto firewalls with LEM - SolarWinds Worldwide, LLC. Help and Support
Windows Agent Spiking CPU Utilization to 100% on Windows 10
We recently upgraded all of our call center PCs from Windows 7 to Windows 10. We immediately ran into issues where the LEM agent was maxing out CPU utilization, causing the PCs to freeze up to the...