Re: Rules no longer firing
I am going to have to try something. Again today none of the rules were working. This LEM appliance VM seems to drift about 20 minutes in around 15 hours…. Doesn’t that seem excessive? Thx. Joe
Re: Correlation time questions
Thanks curtisi, I set it to ServiceWarning.ToolAlias = Windows Application and will wait and see.
LEM shutdown Windows Machine at admin logon failure
Hi folks, I'm very very new in LEM, I started to work with this SIEM this week and my boss told me to conduct a demo with a customer next week. So, I configured a Cisco ASA connector and active...
Re: LEM shutdown Windows Machine at admin logon failure
I have two thoughts: First, it's possible that the machine that's "Detecting" the error is your Domain Controller, which hopefully doesn't have Active Response enabled. Perhaps you should try using...
Re: Correlation time questions
Another note - when you use two different event types/groups in the correlation rule, it's trying to correlate them WITH each other - looking for one of one and one of another. Best bet is to use the...
LEM Log Archiving?
I am curious if there is a way to archive your logs off LEM in such a way that it moves the logs out of the LEM database and into an archive freeing up the space in the LEM database? I am thinking...
Re: LEM Thoughts of the Week: Does Compliance Actually Make you More Secure?
I think compliance makes you a bit more secure as it forces you to have certain things in place. The problem here is that security is a mindset; you need to want to have security if you are going to...
Re: LEM Log Archiving?
Hmm, alas no, not exactly. The LEM archive of the normalized data will basically replicate any data that isn't already on the archive store, and it'll grow forever (more or less, as long as it can push...
Re: LEM Log Archiving?
Yeah, my thought was spinning up a 2nd appliance and importing the data into there if no other supported model was available. One idea going forward might be to have LEM connect to the archive file via...
Re: LEM Log Archiving?
That's what I was thinking as well with using the remote storage directly, I just don't know if the performance would be good enough over CIFS for it to be usable for search/reporting. (All of the LEM...
Re: LEM Log Archiving?
So I guess one way of working my way around it is once the DB is full and throwing out the oldest events I can do a new backup every week. While that wouldn't empty out the active LEM DB it would...
Re: LEM shutdown Windows Machine at admin logon failure
Hi Curtisi, thanks for your answer. The machine I'm trying to make the Windows active response on is a Windows 2008 server; it's not configured as a Domain Controller or part of any domain at all (it's a...
Re: LEM shutdown Windows Machine at admin logon failure
If you go to EXPLORE --> nDEPTH, and search for events matching the rule correlation, what do you get? What do these events have in the Destination Machine field? Does it all look correct? When...
LEM Thoughts of the Week: Tell Your Favorite "Found in the Logs" Story
Some of our favorite moments with LEM have been the stuff that people had no idea was happening or to look for that they uncovered for the first time now that all their data was consolidated. Did you...
Re: LEM Thoughts of the Week: Tell Your Favorite "Found in the Logs" Story
Sent one that said "IT is on their way"... suddenly he logged off and walked away. <VBG>.. I like these stories. Makes ya wonder if the "offender" felt that he (I'm assuming here.. safe...
Re: LEM Thoughts of the Week: Does Compliance Actually Make you More Secure?
This question started me thinking… “more” implies that you have an additional amount of security than you did before you were compliant. So while compliance does imply a minimum level of security, it...
Re: LEM Thoughts of the Week: Does Compliance Actually Make you More Secure?
Yeah, it seems like the general case is: in a perfect world, compliance doesn't make you more secure because you already are. But, in reality, compliance CAN make you more secure because you can't get...
Re: LEM Thoughts of the Week: Tell Your Favorite "Found in the Logs" Story
Makes ya wonder if the "offender" felt that he (I'm assuming here.. safe assumption, eh?) was above rules and regulations, or never read the dialogs to begin with. From what I've heard from folks in...
Re: LEM - action - forward syslog event to NCM syslog for RTCD
I am facing the same issue. Have you submitted a feature request or found another workaround? We have several sites with their own syslog server and one central NCM server that we want to configure...
Re: LEM - action - forward syslog event to NCM syslog for RTCD
njoylif, perhaps a more desirable method. Cisco devices can use a filtering facility to send the syslog when someone leaves a conf t session, but ONLY that syslog message. Send that over to your Orion....