Re: File change monitoring in Linux
Hey Martin, we do have a couple of requests for OSSEC - one to cover just OSSEC alerts, one to cover the general events. The alerts one is higher on the list since the data is pretty well formatted and...
Re: Windows Disk Monitoring
One way: Windows does have some default triggers that fire when the disk is "approaching capacity". You can adjust the threshold (I think by default it's 10% free?) in the registry and it'll fire...
Re: Alert on Security event log clearing?
Is this different on Windows 7 systems? On the test I ran it's coming up as HostIncident.EventInfo.
Re: Alert on Security event log clearing?
The HostIncident is "inferred" when it sees the ObjectDelete (the infer/incident actions are intended to raise visibility of potential issues so that you can track them). If the rule is firing, it is...
Re: Trouble Adding 3Com Switches as Syslog Nodes
Are you using "Scan for New Nodes" to find them? It sounds like it found something, and you added the connectors, or configured them manually, but it's still not finding them? Here's the thing about...
Re: Does LEM support IBM's RACF security and/or IBM's DB2 database security...
Backwards: API: No, we don't have an API for accessing config or event data just yet. DB2/RACF: We do have agents for AIX and a third-party product that can gather data from iSeries (system i, AS/400,...
Re: Issue with AIX Connector
When you check the connector status, can you also take a look at that agent directly in Manage > Agents, then Gear for that agent > Connectors? It would be good to make sure that the Ops Center...
Re: Unusual or Suspicious Traffic
Generally, when they aren't generated by inferred alerts/rules, they are generated by devices that have a little more insight into the network and what's "normal", like a firewall or more commonly...
Re: Unusual or Suspicious Traffic
There are two elements to the secret decoder ring here: the connectors, which normalize data (categorize and parse into fields), then the alert taxonomy itself. We've heard this is a really common topic...
Re: Unusual or Suspicious Traffic
Where are you looking? Reports? Somewhere in the Console? (Will help me give a better answer to add to what's already been said)
Re: Unusual or Suspicious Traffic
I think the alert taxonomy is the piece that is the most confusing, and often the invisible part of the process; it wasn't until weeks after using the product and a call to support before I was even...
Re: Severity Levels: How are they determined?
Thanks, Nicole! That would be really helpful. Like I said, we are basically trying to set up filters for Warning and Critical events on Windows nodes. Thanks, Chrystal Taylor http://loop1systems.com
Re: Severity Levels: How are they determined?
We have a couple of out-of-the-box filters that try to capture generic warning/critical events. Where we have generic coverage for these events, they have the words "Error", "Warning", or "Critical" in...
New Log & Event Manager (LEM) Library & Support Page!
We've updated the Log & Event Manager (LEM) support page. This serves as a one-stop shop for all your LEM documentation, how-to's, troubleshooting, and more. You can add the page to your "links"...
Re: Issue with AIX Connector
Hi Nicole, thanks for the reply. I'm already working with support for this.
Error message when adding Directory Service Group
Hello, as I'm working through setting up a device, I keep running into this error message when trying to add a DS Group: "Unable to Retrieve Group. Unable to return: exception:..."
Changing the default port for LEM Cisco IPS 5+ connector
I've just stood up an eval version of LEM and have run into one issue. When I create a connector for Cisco IPS 5+ (SDEE), I cannot alter the port. We're not using 443 for ours, and since this is greyed...
Log and Event Manager
Hello everyone in the Thwack community, I'm hoping someone might have the answers to a few questions I have in regards to LEM: 1. How does LEM achieve their 60:1 compression ratio for their DB2? With the...