Channel: THWACK: Message List - Security Event Manager (SEM) - Formerly Log & Event Manager


Re: USB Defender stopped and then USB Defender running?

Well, the Agent will attempt to restart the USB Defender service when it stops.  Why it's stopping, I don't know...



Re: USB Defender stopped and then USB Defender running?

Systems rebooting perhaps?



Re: ChangeDomainMember; what is going on?

Hi Nicole, the ProviderSID is Microsoft-Security-Auditing 4742. Thanks, Jack


Re: USB Defender stopped and then USB Defender running?

Possibly. Can I just ignore these events then? Thanks


Re: What functionality is lost when a demo license expires?

It's a fact that it stops collecting, but what happens to the data already collected and showing on the LEM console? Can it be manipulated?



Consequence of older version of agent?

I know that since version 5.7, auto-update of the LEM agents is supported across most platforms. We're currently on LEM 6.1 (the most current). However, if we still have systems running older versions...


Re: Consequence of older version of agent?

I don't know if there are immediate issues, but the updated agents are always streamlined and patched. If there were security concerns between manager and agent, those would be fixed in new releases...


Help eliminate Alert Email Overload

We have a rule set up to alert us when one of our PCI workstations' agents goes offline. We set it up to only alert us if the agent has been offline for an hour, so we don't get false positives for...



How does the Block IP active response work for multiple connected firewalls?

I'm somewhat new to LEM and was looking at using the Block IP active response in a rule. I don't see any option in the rule builder to select which of the LEM connected firewalls I want to block the IP...



Re: Consequence of older version of agent?

curtisi, as always, your response is appreciated. Would it be fair to say that by staying with an older version of the LEM agent, it's possible that the agent could lose communication with the manager...


Re: Consequence of older version of agent?

As security expectations advance and change, it's completely conceivable that some future iteration of the LEM manager will use encryption or communication methods that the old versions of the Agent...


Re: Custom Reporting on Groups of Nodes?

We have had requests to use "containers" (groups, AD groups, etc.) in reports, but so far adding them manually is the best we can do. Some customers with Crystal Reports have used things like text...


Re: How does the Block IP active response work for multiple connected firewalls?

If the Block IP active response sends the command to all connected firewalls, then this could lead to undesirable results such as double entries in the firewall that logged the event. This...



Re: Help eliminate Alert Email Overload

Maybe I am not explaining the event very well, as I don't think an InternalAgentOffline.DetectionTime < InternalAgentOnline.DetectionTime would help, as the offline was already preceding the online...


Re: How does the Block IP active response work for multiple connected firewalls?

It'll only broadcast the command if you've got an active response connector configured, and there might be some nuances to each firewall as to whether that matters - with Cisco IOS we do route to null,...



Re: Help eliminate Alert Email Overload

I agree, it won't eliminate them, but once you're IN the chain of events there's a small chance it might reduce them. LEM isn't deterministic unless you tell it to be, so unless you specify the...


Re: Consequence of older version of agent?

This is definitely possible as we EOL versions. We're generally more generous than we could be, but we rely on the EOL policy (which should give you 12-18 months to upgrade your agents) when we make...



Check out the LEM Contest - Submit a Cool Rule for Chance to Win a Cool Prize

Hey LEM folks, We've just put up a new Thwack contest you might be interested in: Rule Your Log Data Contest. Create or tweak an existing rule to do something cool, submit it to the contest, and you're...


Almost identical rules - one fires, one doesn't?

I've made two rules, one that sends an email notification when an agent goes offline, and one when an agent goes online (see attached rules.png). When I watch in the monitor tab and stop the agent, I...


Report for nodes and their configured connectors?

Is there a LEM report that shows all of the nodes and each of their configured connectors?
