How do I get MAC addresses in an alert when an AP goes down?
I am having trouble getting the MAC address for an AP in an alert when the AP goes down. I am using ${AP_MAC} but it's coming out blank. Does anyone know how to get the MAC address? Thanks, Nuruddin
Re: Using a Threat Intelligence Feed with LEM?
nicole pauls if you get a chance you should check out the service that the folks over at ThreatStream have put together. I just had a conversation with them today and what they have is pretty awesome....
LEM Group Filters I Don't See
I've been using LEM for a while now and have a good number of alerts successfully built, so I am getting fairly comfortable with everything. One thing I have not been able to figure out is why I don't...
Connection to directory service failed
Good afternoon all, I am running into an issue with my directory services query tool. I am not able to query AD for user groups. I have entered all the information correctly but if I run a test I get...
FIM is setup. Getting .tmp alerts
I set up the file integrity management (FIM). However, when I set up a directory to monitor, I set up *.zipx files only. I wanted to be notified when a .zipx file in my directory was deleted. This...
LEM as an alternative to purpose-built AD auditing products (ManageEngine,...
We're a LEM customer and are successfully leveraging it for some basic info now. In tandem, I've been running some trial/demo installations of other products that specifically target the AD/NTFS pieces...
Question on "Correlation Time" in LEM Rules
I am trying to understand this section better. I need to send an email for when I have "host flapping" on an interface. Problem is, I need to alert on the first log (unique to device and port) but...
Upgrade to 6.0.1 Flex error
When I load the GUI after the upgrade I get this error: Flex Error #1001: Digest mismatch with RSL https://10.162.1.40:8443/lem/rsl/TriGeoFlexFramework.swf. Redeploy the matching RSL or relink your...
Re: Rule Request - Admins Browsing the Web
I need a rule that checks for admins logging on servers and browsing the web. Is this possible? said no Sysadmin ever!
Re: How do I build my filters in LEM off of a report.
Unfortunately reports are pretty independent from the LEM console, so there's no push-button way to do this. Fortunately reports are easily reproduced or replicated by content that already exists in...
Re: Rule Request - Admins Browsing the Web
Well... there's a couple of ways to go about it. One way would be to detect the User Logon, then the launch of a browser process (chrome, iexplore, firefox, etc) from the same user. That'd all rely...
Re: diskusage stats
Very interesting. That's a big gap. There is some reserved space (5% of disk I think, to the OS) so the numbers don't always match up exactly, but 40% off is way off. Does it differ depending on what...
Re: Upgrade to 6.0.1 Flex error
I hate this error. You can try clearing the cached flash object in this thing: Adobe - Flash Player : Settings Manager - Website Storage ... and your browser cache. Sometimes it's as simple as...
Re: Question on "Correlation Time" in LEM Rules
So, here's the unfortunate deal.... we haven't exposed a way to do a threshold of one, which is what you need. You CAN do this: 2 in 10 seconds (alert when you see two of the same event in 10...
Re: LEM as an alternative to purpose-built AD auditing products...
One of the big differences is auditing and reverting change states. LEM relies on the events to tell you something has changed, whereas server change auditing products tend to do regular checks that may...
Re: FIM is setup. Getting .tmp alerts
Can you post a screenshot or more details on the FIM monitor config you have set up? We can take a look and try to reproduce.
Re: Connection to directory service failed
The most common case I see this with is using/not using the FQDN in the directory services setup. But, can you paste the full error from the InternalInfo event? The exception might have more details...