Alerts on disabled account access
Hello, has anyone created an alert for an event that indicates that something is attempting to access a disabled Active Directory account? thank you, Rick
Re: Broadcast Noise Filtering
Do you have some examples of the events that you're curious about? "Noise" is a little generic.
Re: Alerts on disabled account access
Yep, see this thread: Alert on login attempts of disabled accounts
Re: Broadcast Noise Filtering
I would think most of that should be filtered at the sending device. If the noise is expected or part of regular operation, it's not really essential to log broadcast messages like ARPs.
Re: Broadcast Noise Filtering
Yes, I know that can be done. But what I am asking is what compliance standards like PCI/SOX/FISMA have to say about the broadcast traffic. Do they require storing all kinds of traffic whether it's...
Local PC Guest Account Notifications
In our domain, we have the local machine Guest account disabled and renamed through script/GPO. Our LEM console sends out 10-20 notices each day TriGeo Alert: "guest account is locked out @ time of...
Re: Local PC Guest Account Notifications
We have seen this happen in our environment and have solved the issue by identifying a specific local folder shared to "Everyone". When the user tries to access a file, it tries to authenticate to the...
Re: Broadcast Noise Filtering
I don't know that I'd trust compliance advice from a forum, as no one here is certifiably a lawyer or auditor. I think the underlying question is, does any of that traffic pertain to personally...
Re: File Share Audit Failures?
Hi Justin, the Windows Security connector does capture event ID 5140; however, it is not mapped to the ObjectAuditFailure event name. Could you please raise a support ticket and provide them...
Re: Local PC Guest Account Notifications
That may be the case for me as well. I typically remove the "Everyone" option and use "Authenticated Users" for share permissions, then have the security settings set specifically for groups/users. I...
Re: LEM Linux agent connects but no logs
I have updated the answer. Also check your log file: /usr/local/contego/ContegoSPOP/spoplog.txt
Re: LEM Linux agent connects but no logs
Delete the SPOP folder in the installation path:
$ rm -R /usr/local/contego/ContegoSPOP/spop
Restart the agent:
$ /etc/init.d/swlem-agent restart
Creating an alert if source is always the same?
I'm trying to generate an alert if there are multiple failed login attempts from the same IP address, regardless of the username. The part I'm having trouble with is telling LEM to only alert if it's...
Re: Creating an alert if source is always the same?
This can be accomplished with Advanced Correlation rules. These are hiding in the rules builder behind this gear: When you click on that, you'll get the option to have the LEM check if certain values...
Can I delete a device with syslog services from LEM?
Hi! I have a problem: I can't delete a device from the LEM Console. The device is a switch and uses syslog services to report to LEM. When I try to delete it from the LEM console, that device appears again.
Re: SolarWinds Log & Event Management support for Apple Macintosh systems
Hi Edwin, there is currently an issue with the LEM agent installer on macOS Sierra. As a workaround, do you have the agent installed on a previous version of macOS? You could copy the ContegoSPOP...
Re: Can I delete a device with syslog services from LEM?
Sounds like the device is sending data to LEM via syslog. As long as LEM sees syslog from a device, it'll keep re-adding it. You'll need to turn off the syslog sending on the device side.
Re: SolarWinds Log & Event Management support for Apple Macintosh systems
Would you mind sending instructions with paths as to where I can find these folders, please?