Table of Contents
Chapter 1: Introduction
LEM Architecture
LEM Manager
Chapter 2: Requirements
Ops Center
Monitor
Explore
Build
Manage
Adding Devices
Agent Installation
Troubleshooting
Additional Information
Which Do I Pick?
Troubleshooting
Additional Information
Adding Filters
Which Do I Pick?
Troubleshooting
Additional Information
Adding Rules
Troubleshooting
Additional Information
Analyzing Data
Which Do I Pick?
Widgets
User Details
Node Details
Widget Manager
Widget Builder
Resizing a widget
Chapter 7: Monitor
Filter Creation
Events
Highlighting Events
Removing Events
Chapter 8: Explore
nDepth
Opening nDepth
Histogram Features
Utilities
Explorer Types
NSLookup Explorer
Traceroute Explorer
Whois Explorer
Chapter 9: Build
Groups
Group types
Rules
Rule Tagging
Users
Details Pane
License Recycling
Deleting Users
Pausing Filters
Copying a Filter
Importing a Filter
Exporting a Filter
Deleting a Filter
Responding to Events
Exploring events
Saving a Search
Managing Connectors
Features of FIM
Monitors
Editing Monitors
Deleting a Monitor
Adding Conditions
Editing Conditions
Deleting Conditions
Managing Widgets
Setting up an Appliance
Removing an Appliance
Managing Connectors
Requirements
Managing Groups
Editing a Group
Cloning a Group
Importing a Group
Exporting a Group
Deleting a Group
Deleting DS Groups
Managing Rules
Creating Rules
Advanced Thresholds
Editing Rules
Subscribing to a rule
Enabling a rule
Activating rules
Disabling a rule
Cloning rules
Importing a rule
Exporting rules
Deleting Rules
About Reports
Opening Reports
Default commands
Table of preferences
Industry options
Exporting a report
Reports features
Grouping reports
Creating a sub-group
Managing reports
Printing reports
Printing a report
Report Errors
Step 5: Stating when the system can or cannot run the task
Viewing reports
Contacting Support
Appendix B: Events
Event types
Asset Events
Audit Events
Incident Events
Internal Events
Security Events
Logging on to CMC
Connector Categories
Configuring Sensors
Configuring Actors
Operator tips
Table of operators
Notifications table
Additional Information
Configuring Default Batch Reports on Windows 7, 8 and Windows Server 2008, 2012 Computers
Daily Reports
Weekly Reports
Configuring your LEM Appliance Log Message Storage and nDepth Search
Do not modify the Output, nDepth Host, or nDepth Port fields when configuring LEM connectors unless your appliance is set up to store original log data
Enabling Windows File Auditing in Windows
Using Directory Service Groups to account for Windows users, groups, and computer accounts
Extended Description
Uses
Filters
Rules
Report Formats and their Corresponding Numbers Listed in a LEM Scheduled Report INI File
Troubleshooting LEMAgent Connections
Additional Information
Contacting Support
Additional Information
Using Time of Day Sets to Pinpoint Specific Time Frames in Filters and Rules
Chapter 1: Introduction
SolarWinds Log & Event Manager (LEM) is a state-of-the-art virtual appliance that
adds value to existing security products and increases efficiencies in
administering, managing and monitoring security policies and safeguards on your
network.
SolarWinds LEM is based on brand new concepts in security. You can think of it
as an immunity system for computers. It is a system that is distributed throughout
your network to several points of presence that work together to protect and
defend your network. SolarWinds LEM responds effectively with focus and speed
to a wide variety of threats, attacks, and other vulnerabilities.
SolarWinds LEM collects, stores and normalizes log data from a variety of
sources and displays that data in an easy to use desktop or web console for
monitoring, searching, and active response. Data is also available for scheduled
and ad hoc reporting from both the LEM Console and standalone LEM Reports
console.
Some common use cases for SolarWinds LEM include the following:
- Correlating network traffic from a variety of sources using filters and rules.
Agents are installed on workstations, servers, and other network devices where possible. Agents communicate the log data from each device's security products to the LEM virtual appliance. These security products include anti-virus software, network-based intrusion detection systems, and logs from operating systems.
When an Agent cannot be installed on a device, that device can be set to send its log data to the LEM Manager for normalization and processing. Examples of devices that cannot host Agent software include firewalls, routers, and other networking devices.
LEM accepts normalized data and raw data from a variety of devices. LEM agent connectors normalize the data before sending it to the LEM Manager. Non-agent devices send their log data in raw form to the LEM Manager. The following diagram shows this flow of data and the ports involved. Once normalized, log data is processed by the LEM Manager, which provides a secure management clearinghouse for normalized data. The Manager's policy engine correlates data based on user-defined rules and local alert filters, and initiates the associated actions when applicable.
These actions can include notifying users both locally in the Console and by email, blocking an IP address, shutting down or rebooting a workstation, and passing the alerts on to the LEM database for future analysis and reporting within the Reports application.
LEM Architecture
The LEM architecture is designed for gathering and correlating logs and events in real time at network speed, and for further defending the network using LEM's Active Response Technology. The figure below illustrates the typical log sources and LEM software components. It also illustrates the direction in which communication is initiated and the network protocols used.
LEM Manager
The LEM Manager is delivered as the deployed Virtual Appliance; it consists of the following key components:
- Hardened Linux OS
- Web server
- Correlation engine
For Network Device log sources such as routers, firewalls, and switches, LEM
relies on these devices sending Syslog messages to the Syslog server running
on the LEM appliance.
For Servers and Applications, LEM largely relies on a LEM Agent installed on those servers. The LEM Agent has a negligible footprint on the server itself, and provides a number of benefits to ensure logs are not tampered with during collection or transmission, while being extremely bandwidth friendly.
For Workstations, the LEM Agent used on Windows workstations is the same as
the one used for Windows servers.
Other SolarWinds solutions like Network Performance Monitor (NPM), Server &
Application Monitor (SAM) and Virtualization Manager (VMan) can send
performance alerts as SNMP Traps to LEM. LEM can correlate these performance
alerts with LEM events.
You can install the LEM Reports Console on any number of servers to schedule the execution of over 300 audit-proven reports. From a security standpoint, the command service > restrictreports can be used to limit the IPs that can run these reports.
Network devices can send Syslogs to LEM Manager over TCP or UDP. The
direction of this communication is from the network device to the LEM
Manager.
LEM Agents installed on servers and workstations initiate TCP connections
to the LEM Manager, so the Agents push data to the LEM Manager.
- Automatically evaluate your traffic against a comprehensive, open-source database of malicious IP addresses.
- Get real-time historical visibility of traffic from known bad actors using rules, filters, and search.
- Ensure you always have the newest, most up-to-date connectors for all devices.
- Customer-requested improvements:
  - LEM Virtual Appliance details from the LEM Console for effective resource allocation.
  - New connectors for Kareio, Blue Coat, Proofpoint, GENE6, and more.
Chapter 2: Requirements
Different sized installations may require greater or fewer resources. For detailed
information on sizing and resource requirements, refer to the "Requirements"
section of the Log & Event Manager Deployment Guide.
Before installing, always make sure your hardware and software meet
the minimum requirements.
Requirements
- CPU speed: 2 GHz
- Memory: 8 GB

Requirements
- Windows Vista, Windows 7, Windows 8
- CPU speed
- Memory: 1 GB
- 5 GB
- Environment variables
- Desktop console: Adobe AIR 18
- Flash Player 15
- In Explore, you'll find utilities for investigating events and their details.
The following topics briefly explain the role of each view of the Console, the view's primary uses, and where to get information on performing key tasks within that view. Topics are arranged here in an order that will help you understand the most fundamental items first, such as events, event filters, and widgets. They then progress to more advanced features, such as exploring events, and creating Groups and rules.
To open a view:
- To open the Ops Center view (to work with widgets), click Ops Center.
- To open the Monitor view (to view, manage, and create filters), click Monitor.
- To open the Explore view (to work with explorers), click Explore.
- To open the Explore view (to search or view event data or log messages), click Explore and then select nDepth.
- To open the Explore view (to view additional utilities), click Explore and then select Utilities.
- To open the Groups view (to build and manage Groups), click Build and then select Groups.
- To open the Rules view (to build and manage policy rules), click Build and then select Rules.
- To open the Users view (to add and manage Console users), click Build and then select Users.
- To open the Appliances view (to add and manage appliances), click Manage and then select Appliances.
- To open the Nodes view (to add and manage Agents), click Manage and then select Nodes.
- Click one of the grid's column headers to sort the grid by that column. If the column header shows an upward arrow, the column data is sorted in ascending order (alphabetically, or from lowest to highest: A to Z, 1 to 0). If the column header shows a downward arrow, the column data is sorted in descending order (reverse alphabetical, or from highest to lowest: Z to A, 0 to 1).
- Click the column header again to sort the grid by the same column, but in reverse order.
- Press and hold the Ctrl key; then click another column header. You can tell how the table is sorted by the small up and down arrows in the column headers, and by the small numbers (1 and 2) that appear next to them. An up arrow means the column is sorted in ascending order. A down arrow means it is sorted in descending order. The numbers state the column sort order: 1 is the first sort, 2 is the second sort, and so on.
- If a secondary column's sort order is in the wrong direction, press the Ctrl key and click the column header again. This reverses the column's sort order.
- By pressing Ctrl and then clicking the Name column, you can also sort the tool names in ascending or descending order. In the example shown here, the Name column was sorted in ascending order, so the specific tools appear in alphabetical order within each tool category.
Ops Center
Use the Ops Center tab as a real-time graphical overview of the events on your network. The Ops Center includes the following useful components:
Monitor
Use the Monitor tab to view all of the monitored events on your network in real time. Monitor includes the following useful components:
- To apply a filter to the Monitor event stream, select a default or custom filter from the Filters list.
- To view the Event Details for a specific event in the event stream, select the event in the event stream.
- To change the widget the Widgets pane displays for a filter:
  1. In the LEM Console, select the Monitor tab.
  2. Select the filter you want to modify in the Filters pane.
  3. Click the menu at the top of the Widgets pane, and then select the widget you want that filter to display.
Explore
Use the Explore tab menu to access several analysis utilities to get additional information about the events you see in the LEM Console. Use the nDepth option
Use the Utilities option in the Explore menu to access several IT analysis utilities, including:
- Whois
- NSLookup
- Traceroute
1. Find the event or search result you want to explore further, and then select it.
2. Click the Explore menu on the Event Grid or nDepth title bar (next to
Respond), and then select the utility you want to use.
To execute a blank Whois, NSLookup, or Traceroute task in the LEM Console:
1. Click the Explore tab on the navigation bar, and then select Utilities.
2. Click the Explore button on the Utilities title bar, and select the utility you want to use.
3. Complete the form for the utility, and then click Search.
Collecting and displaying flow data
LEM supports flow exports from both NetFlow and sFlow devices. Use the Flow Explorer in the LEM Console to view graphs, charts, and grids, including the following.
Build
Use the Build tab menu options to customize LEM behavior. The Build menu consists of the following options:
For additional information about the Users and Groups options in the Build
menu, see:
Manage
Use the Manage tab menu to access details about your LEM architecture. The Manage menu consists of the following options:
1. In the LEM Console, click the Manage tab, and then select Appliances.
2. Click the Login tab on the Properties pane.
- Capital letters
- Lower-case letters
- Numerals (0-9)
5. Click Save.
Adding Devices
Click the
Configure your IT devices to work with LEM using one of two options:
Install the LEM Agent on computers that allow third party software. SolarWinds provides LEM Agents for these operating systems:
- Linux
- Mac OS X
- Solaris on Intel
- Solaris on Sparc
- HPUX on PA
- HPUX on Itanium
- AIX
Agent Installation
The LEM Agent is a necessary component to monitor local events on the
computers on your network. Install the LEM Agent on servers, domain controllers,
and workstations. The LEM Agent then captures log information from sources
such as Windows Event Logs, a variety of database logs, and local antivirus logs.
The LEM Agent also allows LEM to take specific actions that you use rules to
define. You can also trigger actions manually from the LEM Console using the
Respond menu.
Installing a LEM Agent:
1. Click the Add Nodes to Monitor link in the LEM Console Getting Started
wizard, or visit the SolarWinds Customer Portal for a complete list of available
downloads.
2. Download the appropriate installer, and then run it on the computer(s) you
want to monitor.
Note: If you are deploying LEM Agents to Windows computers, you can use the Remote Agent Installer for a faster deployment.
View and manage installed LEM Agents in the Nodes view of the LEM Console.
The LEM Agent for Windows includes several pre-configured connectors, so you can immediately start to see data from these computers after you have installed the LEM Agent. By default, the LEM Agent for Windows includes the following pre-configured connectors:
Troubleshooting
If you have configured a device to log to the LEM appliance, but you cannot
determine the exact logging location, check the logging facilities on the LEM
appliance to determine where your data is going.
To check the logging facilities on the LEM appliance:
1. Connect to your LEM appliance using the VMware console view, or an SSH client such as PuTTY.
2. To connect to your appliance through SSH, log in as the CMC user, and provide the appropriate password.
3. To connect to your appliance using VMware, select Advanced Configuration on the main console screen, and then press Enter to get to the command prompt.
4. At the cmc> prompt, enter appliance.
5. At the cmc::acm# prompt, enter checklogs.
6. Enter an item number to select a local facility to view.
7. Look for indications of specific devices logging to this facility, such as the product name, device name, or IP address.
8. After you have determined the facility your device is logging to, configure the connector with the corresponding Log File value.
For additional troubleshooting tips related to LEM Agents or remote logging
devices, see:
Additional Information
For additional information about configuring devices to monitor with LEM, see "Leveraging LEM" on page 42.
For additional information about installing LEM Agents on a variety of operating systems, see the local and remote installations in Additional configuration and integration information.
- Configure and manage tools at the profile level to reduce the amount of work you have to do for large LEM Agent deployments.
- Create filters, rules, and searches using your Connector Profiles as Groups of LEM Agents. For example, create a filter to show you all Web traffic from computers in your Domain Controller Connector Profile.
Complete the two procedures below to create a Connector Profile using a single
LEM Agent as its template.
To create a Connector Profile using a LEM Agent as a template:
1. Configure the tools on the LEM Agent to be used as the template for your
new Connector Profile. These tools will be applied to any LEM Agents that
are later added to the Connector Profile.
2. Click the Build menu, and then select Groups.
3. Click the + menu, and then select Connector Profile.
4. Name the new Connector Profile and enter a profile description.
5. Select the LEM Agent you want to use as your template from the Template
list next to the Description field.
6. Click Save.
To add LEM Agents to your new Connector Profile:
1. Locate the new Connector Profile in the Build > Groups view.
2. Click the gear icon next to your Connector Profile, and then select Edit.
3. Move LEM Agents from the Available Agents list to the Connector Profile by
Verifying Data
Click the
Now that LEM is collecting your log data, use nDepth and LEM Reports to search,
analyze, and report on that data. In most cases, use the nDepth Explorer in the
LEM Console to search and analyze your data. Use the stand-alone LEM Reports
application to report on your data.
Which Do I Pick?
Use nDepth if you want to perform immediate search or analysis tasks, or create specific custom PDF reports. Use nDepth to:
Use LEM Reports if you want to view or schedule fixed reports for regulatory and compliance purposes, or to:
- Automate reporting
- Provide proof that you are auditing log and event data to auditors
- Schedule formatted reports for LEM Reports to run and export automatically
icon
3. Click the Explore tab from anywhere in the LEM Console, and then select
nDepth.
Consult nDepth for several analytical connectors that it summarizes on both its
dashboard and toolbar. Use this view to:
Additional Information
For additional information about how to use nDepth to search and analyze your
data in the LEM Console, consult the following resources.
For examples of how to execute nDepth searches, see the following:
For additional information about how to save nDepth searches for future use, see
Save nDepth searches to quickly execute frequent queries.
For additional information about how to export nDepth search results in CSV or
PDF format, see Export nDepth results in custom or text formats for retention and
ad hoc reporting.
For additional information about configuring your LEM appliance to store and
search original log data, see:
- Configuring Your LEM Appliance for Log Message Storage and nDepth Search
- Using your LEM Console to view and search original log messages
- Run Master, Detail, or Top level reports according to how much information you need
- Use Select Expert to filter your report data by specific values, such as computer name, IP address, or user name
- Export reports into several formats, including PDF, CSV, and RPT
To get started with LEM Reports, filter the reports listing by the industries or
requirements relevant to your network. Then, the next time you open LEM
Reports, access your custom list of reports by clicking Industry Reports on the
main view.
To filter the reports list by industry or requirement:
1. Open LEM Reports.
2. On the Settings tab, click Manage, and then select Manage Categories.
3. Select your industries and requirements in the left pane. Mix and match as
necessary. For example, if you are a school that accepts credit card
payments, select Education, FERPA, and PCI.
4. Click OK.
5. To view the filtered list of reports, click the Category menu back on the
Settings tab, and then select Industry Reports.
Select which reports to run based on their values in the Level column on the
Settings tab:
- Master: Reports at this level contain all of the data for their category. For example, the master-level Authentication report contains all authentication-related data.
- Detail: Reports at this level contain information related to a specific type of event. For example, the Authentication Failed Authentications detail-level report only contains data related to "Failed Authentication" events.
- Top: Reports at this level display the top number of occurrences for a specific type of event. Use the default top number, or Top N, of 10, or customize this when you run the report.
Troubleshooting
If you have installed LEM Reports, but are unable to open the application or run
reports, complete the following procedures to troubleshoot the issue.
To troubleshoot application launch errors on computers running Windows Vista, Windows 7, and Windows Server 2008:
1. Uninstall LEM Reports and Crystal Reports v11 Runtime.
2. Reinstall both components as Administrator.
3. Adjust the LEM Reports properties to run the program in Windows XP
compatibility mode and as an administrator:
Additional Information
For additional information about how to run, schedule, and configure formatted
compliance and security reports using LEM Reports, consult the following
resources.
For information about installing LEM Reports on computers without the LEM
Console, see Configuring LEM Reports on Computers without the LEM Console.
For information about how to schedule several best practice compliance and
security reports, see:
For additional information about working with individual reports in LEM Reports,
see:
Adding Filters
Click the
Filters group and display events that your LEM Agents and remote logging
devices send to LEM. They are based on events, which are the normalized
version of these network events. For LEM, the terms "events" and "alerts" are
interchangeable. View these events in real time on the Monitor tab in the LEM
Console.
Which Do I Pick?
Create filters when you want to group a particular type of event. The following are just a few examples of what you might create a filter to catch:
Create rules when you want LEM to take some kind of action in response to one or more events. In many cases, you base rules on several events that LEM correlates to trigger an action, but you can also configure a rule to look for a single event. Rule actions include, but are not limited to:
- Sending an email
- Blocking an IP address
- All Events: This filter does not have any specific conditions, so it captures all events, regardless of the source or event type.
- User Logons: This filter has a single condition that means, "UserLogon Exists." It captures all events with the event type "UserLogon" and nothing else: not user logoffs, not user logon failures.
button at the top of the Filters pane, and then select Edit.
4. If you make any changes to the filter, click Save. Otherwise, click Cancel.
- Rule scenarios: Determine whether you have the right events to create a rule for a specific scenario.
- Daily problems: Get a head start on operational problems like account lockouts by seeing the events in real time.
button at the top of the Filters pane, and then select New
Troubleshooting
If you have created a filter, but it is not capturing the expected events, check the
All Events filter to ensure the events are making it to the LEM Console.
To use the All Events filter to troubleshoot custom filters:
1. In the LEM Console, click the Monitor tab.
2. Click All Events in the Filters pane.
3. Locate an event you expected to see in your custom filter. If necessary,
pause the filter and sort it by any of the column headers.
4. If you locate a related event, verify the field-value combinations in the event
match the ones you used in your filter. For example, if your filter is looking
for *firewall* in the ConnectorAlias field, ensure the Connector Alias field in
your event contains the word firewall.
5. If you cannot locate a related event, verify one of your monitored devices is
logging the event, and that the device is sending its events to LEM. For
example, create another filter to show all events from the specific device
using the ConnectorAlias or DetectionIP event field.
Additional Information
For a general procedure and video addressing how to create filters in the LEM
Console, see Creating Filters for Real-time Monitoring in Your LEM Console.
For additional information about how to create filters for specific events, devices,
or time frames, see:
- Use Time of Day Sets to pinpoint specific time frames in filters and rules
Adding Rules
Click the
Rules correlate events that your LEM Agents and remote logging devices send to
LEM, and assign automatic actions or responses to those events. These actions
differentiate filters from rules: filters only display events, while rules instruct LEM
to take action. Rule actions include, but are not limited to:
- Sending an email
- Blocking an IP address
4. On the Clone Rule dialog, select a Custom Rules folder and rename the rule
if you wish, and then click OK.
5. In the Rule Creation view, customize the rule further if necessary, select
Enable at the top of the form, and then click Save.
6. Back in the main Rules view, click Activate Rules to sync your local changes
with the LEM appliance.
Example: Change Management
Create a change management rule to notify you anytime a user makes any kind of
change to your network configurations. Examples of such network changes
include:
Create a general change management rule, similar to the filter illustrated in the
previous section, to instruct LEM to notify you anytime any user makes a
configuration change, or create a more specific rule to only fire for specific users,
groups, or types of changes.
Note: An important rule of thumb is, "If you can see it in your LEM Console, you
can build a rule for it." Remember to use your filters as a starting-place as you
consider creating custom rules.
To create a rule that sends you an email anytime someone adds a user to an
administrative group:
1. In the LEM Console, click the Build tab, and then select Rules.
2. Click the plus
3. Enter an appropriate name for the rule, such as New Admin User.
4. Populate the rule's Correlations box with an appropriate event or event group.
For this example, use a NewGroupMember.EventInfo Equals *admin*
condition to fire anytime LEM gets a NewGroupMember event with the text,
admin anywhere in the EventInfo field:
a. Click Events on the left pane.
b. At the top of the Events list, enter NewGroupMember to search for that event, and then select it in the list.
c. In the Fields: NewGroupMember list, find EventInfo, and then drag it into the Correlations box.
d. In the text field (denoted by a pencil icon in the Correlations box), enter *admin* to account for all variations on the word "administrator."
5. Leave the Correlation Time box as-is so your rule fires anytime LEM captures
this type of event.
6. Add the Send Email Message action to the Actions box:
a. Click Actions on the left pane.
b. Find Send Email Message, and then drag it into the Actions box.
c. Select a template from the Email Template menu.
d. Select a LEM user from the Recipients menu.
e. Drag and drop event fields or constants from the left pane into the Send
Email Message form to complete the action.
Note: Always use event fields for the event(s) present in the Correlations box. For
example, use NewGroupMember.DetectionTime to populate the
DetectionTime field in this example.
7. Select Enable at the top of the Rule Creation form, and then click Save.
8. To sync your local changes with the LEM appliance, click Activate Rules
back in the main Rules view.
After you enable and activate this rule, the LEM appliance sends an email
anytime someone adds a user to any group in Active Directory that contains the
text, "admin" in its name.
For more detailed information about how to create LEM rules to take action on
your network, see Creating Rules from Your LEM Console to Take Automated
Action.
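The filter and rule semantics the guide walks through (a filter only selects events for display; a rule correlates events and fires an action; conditions such as "UserLogon Exists", a ConnectorAlias wildcard like *firewall*, and NewGroupMember.EventInfo Equals *admin*) modelled in a small evaluator. This is an added example, not code from the guide or from LEM itself: the event records are constructed, and the condition operators, the rendered email text and the InternalRuleFired bookkeeping are assumptions about how such an engine could behave.

```python
"""Toy model of LEM-style filters and rules over normalized events.

Added example, not SolarWinds code. Events are constructed dicts; the field
names (EventType, EventInfo, ConnectorAlias, DetectionIP, DetectionTime) and
the InternalRuleFired event are taken from the guide; everything else is an
assumption made for illustration.
"""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass, field
from typing import Callable, Iterable

Event = dict


@dataclass(frozen=True)
class Condition:
    """One condition of the form <EventType>.<Field> <op> <value>.

    event_type "" means "any event type" (used for field-only filters).
    op "Exists" matches any event of that type ("UserLogon Exists").
    op "Equals" is a case-insensitive match in which '*' and '?' are
    wildcards, so 'NewGroupMember.EventInfo Equals *admin*' matches when
    'admin' appears anywhere in EventInfo.
    """
    event_type: str = ""
    field_name: str = ""
    op: str = "Exists"
    value: str = ""

    def matches(self, event: Event) -> bool:
        if self.event_type and event.get("EventType") != self.event_type:
            return False
        if self.op == "Exists":
            return True
        if self.op == "Equals":
            actual = str(event.get(self.field_name, ""))
            return fnmatch.fnmatchcase(actual.lower(), self.value.lower())
        raise ValueError(f"unsupported operator {self.op!r}")


@dataclass
class Filter:
    """A filter only selects events for display; it takes no action.
    No conditions means it shows everything, like the All Events filter."""
    name: str
    conditions: list[Condition] = field(default_factory=list)

    def apply(self, events: Iterable[Event]) -> list[Event]:
        return [e for e in events if all(c.matches(e) for c in self.conditions)]


@dataclass
class Rule:
    """A rule correlates events and runs an action on each match.

    The action receives the matched event so it can use that event's own
    fields (e.g. NewGroupMember.DetectionTime), as the guide recommends.
    Each firing is also recorded as an InternalRuleFired event, which is
    what the guide tells you to look for when troubleshooting a rule.
    """
    name: str
    correlations: list[Condition]
    action: Callable[[Event], str]
    enabled: bool = True
    fired: list[Event] = field(default_factory=list)

    def evaluate(self, events: Iterable[Event]) -> list[str]:
        results: list[str] = []
        if not self.enabled:  # a rule that is not enabled and activated never fires
            return results
        for event in events:
            if all(c.matches(event) for c in self.correlations):
                self.fired.append({"EventType": "InternalRuleFired", "EventInfo": self.name,
                                   "DetectionTime": event.get("DetectionTime")})
                results.append(self.action(event))
        return results


def send_email_message(event: Event) -> str:
    """Stand-in for the Send Email Message action: returns the rendered text."""
    return (f"[LEM] New Admin User: {event.get('EventInfo')} "
            f"on {event.get('DetectionIP')} at {event.get('DetectionTime')}")


# Constructed sample events, not captured log data.
SAMPLE_EVENTS: list[Event] = [
    {"EventType": "UserLogon", "EventInfo": "alice", "ConnectorAlias": "Windows Security",
     "DetectionIP": "10.0.0.5", "DetectionTime": "2015-06-01T08:00:00Z"},
    {"EventType": "UserLogonFailure", "EventInfo": "bob", "ConnectorAlias": "Windows Security",
     "DetectionIP": "10.0.0.5", "DetectionTime": "2015-06-01T08:01:00Z"},
    {"EventType": "NewGroupMember", "EventInfo": "Domain Admins", "ConnectorAlias": "Windows Security",
     "DetectionIP": "10.0.0.10", "DetectionTime": "2015-06-01T08:02:00Z"},
    {"EventType": "NewGroupMember", "EventInfo": "Marketing", "ConnectorAlias": "Windows Security",
     "DetectionIP": "10.0.0.10", "DetectionTime": "2015-06-01T08:03:00Z"},
    {"EventType": "TCPTrafficAudit", "EventInfo": "allow 10.0.0.5 -> 8.8.8.8:53",
     "ConnectorAlias": "Cisco ASA Firewall", "DetectionIP": "10.0.0.1",
     "DetectionTime": "2015-06-01T08:04:00Z"},
]

# The guide's filter examples and its New Admin User rule.
ALL_EVENTS = Filter("All Events")
USER_LOGONS = Filter("User Logons", [Condition("UserLogon")])
FIREWALL_EVENTS = Filter("Firewall events",
                         [Condition(field_name="ConnectorAlias", op="Equals", value="*firewall*")])
NEW_ADMIN_USER = Rule("New Admin User",
                      [Condition("NewGroupMember", "EventInfo", "Equals", "*admin*")],
                      send_email_message)

if __name__ == "__main__":
    print(USER_LOGONS.apply(SAMPLE_EVENTS))
    print(NEW_ADMIN_USER.evaluate(SAMPLE_EVENTS))
```

Note that the Marketing group event matches the NewGroupMember type but not the *admin* wildcard, so the rule stays quiet for it while the User Logons filter ignores the UserLogonFailure event entirely, which is the filter-versus-rule distinction the troubleshooting steps rely on.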
Other Rule Scenarios
Countless scenarios may warrant a rule. Consider these combinations of rules
and actions:
Basically, any activity or event that can pose a threat to your network might
warrant a LEM rule.
Troubleshooting
If you have created a rule, but you are not getting the expected results, verify the
following to track down the root cause:
1. Check for the requisite events on the Monitor tab. For example, if your rule is
based on the NewGroupMember event, see if you can find one in the All
Events or default Change Management filter.
2. If you do not see the requisite events, troubleshoot your devices and
connectors to get the events into LEM. Otherwise, continue troubleshooting
here.
3. Check for an InternalRuleFired event in the SolarWinds Events filter.
4. If you do not see an InternalRuleFired event for your rule, check the following
to continue troubleshooting. Otherwise, skip to Step 5 to continue.
• Did you modify the Correlation Time or Response Window in your rule?
• Is the time on your device more than 5 minutes off from the time on your LEM appliance?
5. If you see an InternalRuleFired event for your rule, but LEM does not
respond as expected, check the following, according to the action you
configured:
• Send Email Message: Verify you have configured and started the Email Active Response connector on the LEM appliance.
• Send Email Message: Verify you have associated an email address with the LEM user you selected as your email recipient.
• Agent-based Actions: Verify you have installed the LEM Agent on the computer you want LEM to respond to.
• Block IP: Verify you have configured the active response connector for the firewall you want to use to take this action. The active response connector is separate from the data gathering connector.
For more detailed information about how to troubleshoot LEM rules and active
responses, see Troubleshooting LEM Rules and Email Responses.
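To make the clock-skew check in Step 4 concrete, here is an added Python example (not LEM code) that compares each device's event timestamps with the time the appliance received them, lists devices more than 5 minutes off, and shows why skew defeats a rule's Correlation Time. The device names, timestamps, and the appliance receipt time are constructed for this example.

```python
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)   # the threshold named in the troubleshooting step

# Constructed records: (device, DetectionTime as stamped by the device,
# time the LEM appliance received the event). Not real LEM output.
SAMPLE_RECORDS = [
    ("dc01",    "2024-01-15T10:02:11Z", "2024-01-15T10:02:12Z"),
    ("srv-web", "2024-01-15T10:05:30Z", "2024-01-15T10:02:20Z"),  # 190 s ahead
    ("fw-edge", "2024-01-15T09:48:00Z", "2024-01-15T10:02:15Z"),  # 855 s behind
    ("fw-edge", "2024-01-15T09:48:05Z", "2024-01-15T10:02:20Z"),
]


def parse_utc(stamp):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def clock_skew(records):
    """Largest absolute offset in seconds between device time and appliance time, per device."""
    worst = {}
    for device, device_time, appliance_time in records:
        offset = abs((parse_utc(device_time) - parse_utc(appliance_time)).total_seconds())
        worst[device] = max(worst.get(device, 0.0), offset)
    return worst


def devices_over_threshold(records, max_skew=MAX_SKEW):
    """Devices whose clocks are off by more than max_skew, worst first."""
    limit = max_skew.total_seconds()
    flagged = [(d, s) for d, s in clock_skew(records).items() if s > limit]
    return sorted(flagged, key=lambda item: item[1], reverse=True)


def within_correlation_window(stamp_a, stamp_b, window_seconds):
    """True when two event timestamps fall inside a rule's Correlation Time."""
    gap = abs((parse_utc(stamp_a) - parse_utc(stamp_b)).total_seconds())
    return gap <= window_seconds


if __name__ == "__main__":
    for device, seconds in devices_over_threshold(SAMPLE_RECORDS):
        print(f"{device}: clock off by {seconds:.0f} s; fix time sync before tuning the rule")
    # Two events the appliance saw 4 s apart look 14 minutes apart by device
    # time, so a 60-second Correlation Time would never pair them.
    print(within_correlation_window("2024-01-15T10:02:11Z", "2024-01-15T09:48:00Z", 60))
```

Only fw-edge exceeds the 5-minute threshold here; srv-web is ahead by just over 3 minutes and would pass the check, which is why a rule with a short Correlation Time can still behave oddly on devices that are "almost" in sync.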
Additional Information
For a general procedure and video addressing how to create and clone rules in
the LEM Console, see Creating Rules from Your LEM Console to Take
Automated Action
For additional information about the active responses available for LEM rules,
see:
Analyzing Data
Now that LEM is collecting your log data, use nDepth and LEM Reports to search,
analyze, and report on that data. In most cases, use the nDepth Explorer in the
LEM Console to search and analyze your data. Use the stand-alone LEM Reports
application to report on your data.
Which Do I Pick?
Use nDepth if you want to perform immediate search or analysis tasks, or create
specific custom PDF reports. Use nDepth to:
Use LEM Reports if you want to view or schedule fixed reports for regulatory and
compliance purposes. Use LEM Reports to:
• Automate reporting
• Provide auditors with proof that you are auditing log and event data
3. Click the Explore tab from anywhere in the LEM Console, and then select nDepth.
Consult the nDepth dashboard and toolbar for information on several analytical
connectors. Use this view to:
For additional information about how to save nDepth searches for future use, see
Save nDepth searches to quickly execute frequent queries
For additional information about how to export nDepth search results in CSV or
PDF format, see "Export nDepth results in custom or text formats for retention and
ad hoc reporting."
For additional information about configuring your LEM appliance to store and
search original log data, see:
To get started with LEM Reports, filter the reports listing by the industries or
requirements relevant to your network. Then, the next time you open LEM
Reports, access your custom list of reports by clicking Industry Reports on the
main view.
To filter the reports list by industry or requirement:
1. Open LEM Reports.
2. On the Settings tab, click Manage, and then select Manage Categories.
3. Select your industries and requirements in the left pane. Mix and match as
necessary. For example, if you are a school that accepts credit card payments,
select Education, FERPA, and PCI.
4. Click OK.
5. To view the filtered list of reports, click the Category menu back on the
Settings tab, and then select Industry Reports.
Select which reports to run based on their values in the Level column on the
Settings tab:
• Master: Reports at this level contain all of the data for their category. For example, the master-level Authentication report contains all authentication-related data.
• Detail: Reports at this level contain information related to a specific type of event. For example, the Authentication Failed
• Top: Reports at this level display the top number of occurrences for a specific type of event. Use the default top number, or Top N, of 10, or customize this when you run the report.
Troubleshooting
If you have installed LEM Reports, but are unable to open the application or run
reports, complete the following procedures to troubleshoot.
To troubleshoot application launch errors on computers running Windows Vista,
Windows 7, and Windows Server 2008:
1. Uninstall LEM Reports and Crystal Reports v11 Runtime.
2. Reinstall both components as Administrator.
3. Adjust the LEM Reports properties to run the program in Windows XP
compatibility mode and as an administrator:
a. Right-click the LEM Reports shortcut on your desktop or in the
SolarWinds Log and Event Manager program group in your Windows
Start menu, and then select Properties.
b. Click the Compatibility tab.
c. Select Run this program in compatibility mode for, and then select
Windows XP (Service Pack 3).
d. Select Run this program as an administrator.
e. Click OK.
4. Launch LEM Reports.
To address "Logon failed. Database Vendor Code 210" errors:
Add the computer running LEM Reports to the list of authorized reporting
computers. By default, the LEM appliance restricts all access to LEM Reports. To
allow specific computers to run LEM Reports or remove all reporting restrictions,
complete the procedures described in Configuring Report Restrictions.
For information about installing LEM Reports on computers without the LEM
Console, see Configuring LEM Reports on Computers Without the LEM Console.
For information about scheduling several best practice compliance and security
reports, see:
For additional information about working with individual reports in LEM Reports,
see:
Requirements
Operating System: AIX, Linux, Solaris, Windows Vista, Windows 7, Windows 8, Windows Server 2000, Windows Server 2003, Windows Server 2008
CPU Speed:
Memory: 512 MB RAM
1 GB
Environment Variables
5. Locate the connector you want to configure in the list. Use the Refine
Results pane on the left if necessary.
6. Click the gear
Use Connector Profiles to maintain and monitor multiple domain controllers in the
LEM Console. Connector Profiles allows you to configure and modify connector
settings at the profile level, and they also provide a group by which you can filter
your event traffic coming into your SolarWinds LEM Console from your
SolarWinds LEM Agents. Use the procedures below to create a Connector Profile
based on a single SolarWinds LEM Agent and a corresponding filter to monitor
10. Locate the SolarWinds LEM Agents you want to add to your Connector
Profile in the Available Agents pane, and click the arrow next to them to add
them to the Contained Agents pane.
11. If you are finished adding SolarWinds LEM Agents to your Connector
Profile, click Save.
Creating a filter for all activity from the computers in a Connector Profile:
1. Open the SolarWinds LEM Console and log into the SolarWinds LEM
Manager as an administrator or auditor.
2. Click Monitor.
3. Click the button on the Filters pane (left), and then click New Filter.
5. Select the folder where you want to save the cloned rule, and then click OK.
6. Select Enable at the top of the Rule Creation window, next to the
Description field.
7. Click Save.
8. Back on the main Rules screen, click Activate Rules.
Tuning Windows Logging for LEM Implementation
After you have installed and configured your SolarWinds LEM Agents, optimize
your SolarWinds LEM deployment by tuning Windows to log the specific events
you want to see in your SolarWinds LEM Console and store on your SolarWinds
LEM database. Use the recommendations below to get started with this tuning
process.
Note: Set group and local policies according to the needs of your environment.
We provide recommendations to illustrate common, but not universal, use cases.
For additional information about tuning Windows logging, see the Microsoft
TechNet knowledge base.
Default Domain Policy
Configure logging for default domain policy in Windows as recommended in the
following table.
Policy
Yes
Yes
Yes
Yes
Not defined
Yes
Yes
Not defined
Yes
Yes
Not defined
Yes
No
Yes
Yes
Policy
Success Failure
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Firewalls from popular vendors such as Cisco, Check Point, and Juniper can be
integrated with SolarWinds LEM appliances. For more information, see the
SolarWinds knowledge base.
If your firewall vendor is not listed here, search for your vendor in the SolarWinds
knowledge base. If documentation is not available, please contact SolarWinds
Support.
6. Replace the Alias value with a more descriptive connector alias. For
example, PIX Firewall.
7. Use firewall somewhere in the Alias field to ensure the default Firewall filter
captures your firewall data.
8. Verify the Log File value matches the local facility defined in your firewall
settings.
9. Click Save.
TCPPortScan event, which the SolarWinds LEM Console displays in the default
Security Events filter. Use these events to monitor suspicious network traffic and
potentially take action against an external source.
Cloning and enabling the PortScans rule:
1. Open the SolarWinds LEM Console and log into the SolarWinds LEM
Manager as an administrator.
2. Click the Build tab, and then click Rules.
3. Enter PortScans (one word) in the search box at the top of the Refine
Results pane.
4. Click the gear
5. Select the folder where you want to save the cloned rule, and then click OK.
6. Select Enable at the top of the Rule Creation window, next to the
Description field.
7. Optionally, to tune the rule to be more appropriate for your environment,
consider the following:
5. Select the folder where you want to save the cloned rule, and then click OK.
6. Select Enable at the top of the Rule Creation window, next to the
Description field.
7. Click Save.
8. Back on the main Rules screen, click Activate Rules.
6. Select the folder where you want to save the cloned rule, and then click OK.
7. Select Enable at the top of the Rule Creation window, next to the
Description field.
8. Verify that the value in the Log File field matches the folder in which the logs
are stored on your database server, and then click Save.
9. Click the gear button next to the new instance of the connector, indicated by
an icon in the Status column, and then click Start.
10. Repeat these steps for the MSSQL 2000 Application Log connector.
11. Click Close to close the Connector Configuration window.
Creating a SolarWinds LEM Rule to Send Notifications of Microsoft SQL Database Change Attempts
Clone and enable the MSSQL Database Change Attempt rule to track when
users attempt to change properties on a monitored Microsoft SQL database. The
default action for this rule is to generate a HostIncident event, which you can use
in conjunction with the Incidents report to prove to auditors that you are auditing
the critical events on your network. See "Leveraging the Incidents Report in
Security Audits" on page 59.
Cloning and enabling the MSSQL Database Change Attempt rule:
1. Open the SolarWinds LEM Console and log into the SolarWinds LEM
Manager as an administrator.
2. Select the Build tab, and then click Rules.
3. Enter MSSQL Database Change Attempt in the search box at the top of
the Refine Results pane.
4. Click the gear
5. Select the folder where you want to save the cloned rule, and then click OK.
6. Select Enable at the top of the Rule Creation window, next to the
Description field.
7. Click Save.
8. Back on the main Rules screen, click Activate Rules.
Widgets
Each widget represents a high-level graphical view of specific network activity.
Widgets are designed to present important high-level information at a glance.
Most widgets filter the data source for what you are graphing in the widget.
Widget Manager
Getting Started
Node Health: A view of the status of each device being monitored by LEM.
thwack Community & Support: Access to useful information from the thwack community.
Top 10 Events
Help
Custom Widget
Top 10 Nodes by # of Events
Top 10 Users by # of Events
Network Events by Source Machine
Data Simulator
User Details
From the Top 10 Users widget, click on a user to open the User Details page.
Every user has a User Details page that displays all related information, including
all events, for that user.
The User Details page contains the User:Details and User:All Events widgets.
Select by time
Color-coding allows you to easily pick out events that might need attention. A
green line on a graph represents informational events, a yellow line represents
warning events, and a red line represents critical events.
Node Details
From the Top 10 Nodes widget, click a node to open the Node Details page. The
Node Details page displays overview information on every device that is
monitored by LEM.
The Node Details page contains the Node:Details, Node:Connectors Applied,
and Node:All Events widgets.
Node: Details Widget
Represents the detailed information about the specified node, such as Node IP,
Node Name, and Last Event.
Node: Connectors Applied Widget
Provides a list of connectors which are configured for the specified node.
Select by time
Color-coding allows you to easily pick out events that might need attention. A
green line on a graph represents informational events, a yellow line represents
warning events, and a red line represents critical events.
Widget Manager
In the Ops Center, master widgets reside in the Widget Manager's Categories
list. Dashboard widgets reside on the dashboard. Dashboard widgets cannot be
saved in the Widget Manager.
Filters pane: Widgets are organized by filter. You can use the Filters pane to view, add, and edit the master widgets that are associated with each filter, and to create dashboard widgets from each master widget. The Name column lists each filter that has one or more master widgets. The Count column states how many master widgets are associated with each filter. You can also sort the columns of the Filters pane.
Opens the Widget Builder, so you can add a new master widget to the selected category.
Opens the Widget Builder for the widget that is currently selected in the Widgets pane. The Widget Builder lets you edit the widget's settings.
Widgets pane: The Widgets pane is used to view the master widgets that are associated with each filter. You can also use this pane to create dashboard widgets and to delete master widgets from the selected filter.
Add to Dashboard: This button adds a copy of the master widget that is currently shown in the Widgets pane to the dashboard.
Delete Widget: This button deletes the master widget that is currently shown in the Widgets pane. Deleting a master widget does not delete any of the dashboard widgets that came from that widget.
Widget Builder
This topic explains how to use the Widget Builder, which is used to add a new
widget or edit the configuration of an existing widget.
The following table explains each field on the Widget Builder.
Name: Type a name for the widget. This name will appear in the widget's title bar.
Filter:
widget will not display any chart information until the filter is turned back on.
Description:
Visual Configuration
Visualization Type: Select the type of chart or graph you want: Pie, Bar, Line, Table, etc. Select Table for those times when a table of values is a useful way to view the data. You can display a widget with any of these display types at any time. However, some display types may not make sense for some widgets, depending on the widget's content.
Color/Color Palette:
X-Axis Label: If desired, type a label for the chart or graph's horizontal axis.
Y-Axis Label: If desired, type a label for the chart or graph's vertical axis.
Preview: The Preview section shows what the widget will look like, based on the options you have selected in the Visual Configuration section.
Data Configuration
Field: Select a data field you want reported from those that are available in the selected data source.
Show:
Sort:
Split By: If you want a third dimension in the chart, select another data field from those that are available in the selected data source. This field's sort order is ascending.
Limit:
Scope: Select a value for the scope. This is the time frame reported by the chart or graph. The scope is always measured backward from the moment the chart is refreshed. For example, a scope of 30 minutes means the last 30 minutes. The scope can be measured in Seconds, Minutes (default), Hours, or Days. For events that happen frequently, choose a narrow scope. For events that happen rarely, choose a large scope.
Resolution: Select the time value that defines the tick marks that are to be used on the chart's horizontal X-axis. This field is required when Versus is a Time Field. For example, if you are looking at 30 minutes of data, a Resolution of 5 Minutes means the bars or line chart data points are drawn in 5 minute increments. In charts with wider scope, the resolution could be hours or even days. This option is disabled for widgets that are not reporting time-based data.
Refresh: Select the rate at which you want the widget to refresh its visual display. This is necessary because the Console is monitoring real-time data. Therefore, you need to periodically refresh the chart.
Save
Cancel
Widgets act as shortcuts to the event filters that are their data sources. This
means you can open the source filter directly from a widget. You do this by
clicking the specific line, bar, or pie wedge of chart that interests you. The
corresponding filter then opens in the Monitor view. The filter lists only the events
Function
• Opens the widget in the Widget Builder, so you can edit its settings.
• Flips the widget, so you can configure its presentation format.
• Refreshes the widget's data.
• Expands (maximizes) the widget to fill the desktop.
• Restores the widget from its maximized size to its default size.
• This button has two functions: in normal dashboard mode, it deletes the widget from the dashboard; when you are editing a flipped widget, it closes the widget's edit mode and returns it to its normal desktop view.
filter again.
Note: It is possible for you to select an item in the widget that is no longer shown
in the Monitor's event grid. That is, the filter may actually show fewer events than
appear in the widget. This can happen if the widget's scope is broader than the
filter's scope. In this case, the filter may no longer have some of the data shown
by the widget, because the filter has had to make room for new data.
Remember, the widget's scope can be different than the filter's scope. The widget
tracks statistics about events that occurred over time (and perhaps a very large
time frame). The filter tracks only a certain quantity of events for a time frame that
may be much smaller than the widget's scope.
To think about it another way: the Console filters are aware of 10,000 events at a
time. With every refresh interval, a widget looks at those 10,000 events to draw a
line, bar, or wedge that matches the right count for that time. Those 10,000 events
are also displayed in the corresponding filter. But when the Console gets to
10,000 events, the widget doesn't "erase" any data points it has already drawn,
but the filter has to remove the oldest events from the grid to make room for new
data.
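The widget-versus-filter behaviour described above, together with the Scope and Resolution fields from the Widget Builder table, as an added Python model (example code written for this guide, not the Console's own implementation): the filter is a bounded grid that drops its oldest events once it holds 10,000, while the widget keeps every per-resolution count it has already drawn. The event rate, scope, resolution, and start time are constructed values.

```python
from collections import Counter, deque
from datetime import datetime, timedelta, timezone

FILTER_CAPACITY = 10_000   # events a Console filter keeps in its grid, per the text
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def bucket_start(moment, resolution):
    """Floor a timestamp to the start of its Resolution bucket (e.g. 5-minute bars)."""
    return EPOCH + (moment - EPOCH) // resolution * resolution


class EventFilter:
    """Filter grid: newest event on top, oldest dropped once capacity is reached."""

    def __init__(self, capacity=FILTER_CAPACITY):
        self.grid = deque(maxlen=capacity)

    def add(self, event):
        self.grid.appendleft(event)

    def count(self):
        return len(self.grid)


class Widget:
    """Chart over a Scope, drawn in Resolution-sized buckets, refreshed from the grid."""

    def __init__(self, scope, resolution):
        self.scope = scope
        self.resolution = resolution
        self.drawn = Counter()   # bucket start -> count already drawn

    def refresh(self, grid, now):
        # Count what the filter currently holds inside the scope ...
        seen = Counter(bucket_start(e["time"], self.resolution)
                       for e in grid if now - e["time"] <= self.scope)
        # ... but never lower a bar that was already drawn: data points are not
        # erased when the filter discards the events behind them.
        for bucket, n in seen.items():
            self.drawn[bucket] = max(self.drawn[bucket], n)

    def total(self):
        return sum(self.drawn.values())


def simulate(total_events=12_000, scope=timedelta(minutes=30),
             resolution=timedelta(minutes=5)):
    """Feed events evenly across the scope; return (filter count, widget total)."""
    start = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)   # constructed
    gap = scope / total_events
    flt, widget = EventFilter(), Widget(scope, resolution)
    next_refresh = start + resolution
    for i in range(total_events):
        moment = start + gap * i
        flt.add({"time": moment})
        if moment >= next_refresh:         # widget Refresh once per resolution step
            widget.refresh(flt.grid, moment)
            next_refresh += resolution
    widget.refresh(flt.grid, start + scope)
    return flt.count(), widget.total()


if __name__ == "__main__":
    in_filter, in_widget = simulate()
    print(f"filter grid holds {in_filter} events; widget has drawn {in_widget}")
```

With 12,000 events spread over a 30-minute scope, the widget's six 5-minute bars still add up to 12,000 after the last refresh, but the grid only holds the newest 10,000, which is exactly the mismatch the Note above describes. At or below the capacity the two figures agree.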
you are working with and the type of data it is reporting. For example, widgets that
only report data in one dimension may be limited to a pie chart, while information
in two dimensions can be reported in a bar chart or a line chart.
To edit a widget's presentation from the dashboard:
1. In the Ops Center dashboard, locate the widget you want to work with.
2. Click the configure
3. The widget flips over to display its configuration options, as shown here.
Resizing a widget
You can view widgets in full-screen mode or in their normal size. You can also
change the size of a widget to make it taller or wider. However, the widget's
different sizes must conform to the dashboard's standard geometry.
To resize a widget:
In the Ops Center dashboard, drag the lower-right corner of the widget in any
direction. As you resize the widget, the surrounding widgets rearrange
themselves to make room for the larger one. Upon releasing the mouse button,
the widget snaps to the closest size allowed by the desktop's geometry.
To show a widget in full-screen mode:
In the Ops Center dashboard, click the Maximize button on the toolbar. The
widget takes up the entire dashboard.
In the Ops Center, master widgets always reside in the Widget Manager's
Categories list. Dashboard widgets always reside on the dashboard.
Dashboard widgets cannot be saved in the Widget Manager.
In the Monitor view, each master widget appears in the Widgets pane for
the filter that acts as its data source. Dashboard widgets do not appear in
the Monitor view's Widgets pane.
Chapter 7: Monitor
The Monitor view is the heart of the LEM Console. As the name implies, it is used
for monitoring your network activity. In Monitor, you create filters and widgets that
group and display different events that come from your Agents, Managers, and
network devices.
Events are messages created from Agent, Manager, and network device log
entries. These log entries are processed (or normalized) to extract information
and display the data in a common column/field-based format, rather than the often
convoluted format you see in the source data. These normalized events are sent
from the Agent to the Manager for processing. At the Manager, the events are
processed against your Rules, sent to your Database for archiving, and sent to
the LEM Console for monitoring.
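The normalization step described above, as an added Python example (written for this guide, not LEM's connector code): constructed raw log lines in two unrelated source formats are parsed into one common, column-based record so that the same field names apply whatever the source. The raw lines, the regular expressions, the COMMON_FIELDS set, and the event type names DeniedTraffic, AllowedTraffic, and LogonFailure are assumptions for the example; LEM's own field set is not reproduced.

```python
import re
from datetime import datetime, timezone

# Constructed raw log lines in two unrelated source formats (not real captures).
RAW_LOGS = [
    "Jan 15 10:02:11 fw-edge kernel: DENY TCP src=203.0.113.9 dst=10.0.0.5 spt=51234 dpt=22",
    "2024-01-15T10:02:15Z dc01 Security 4625 An account failed to log on. "
    "Account Name: jdoe Source Network Address: 10.0.0.7",
    "Jan 15 10:02:16 fw-edge kernel: ALLOW UDP src=10.0.0.7 dst=10.0.0.53 spt=40000 dpt=53",
]

# The common column set every normalized event carries, whatever its source
# (an assumed schema for this example).
COMMON_FIELDS = ("EventType", "DetectionTime", "SourceMachine", "SourceAccount",
                 "SourceIP", "DestinationIP", "DestinationPort")

# One pattern per "connector": a BSD-syslog firewall line and a Windows
# Security log line. Both are constructed formats.
FIREWALL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<action>DENY|ALLOW) (?P<proto>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"spt=\d+ dpt=(?P<dpt>\d+)$")
WINDOWS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<host>\S+) Security (?P<id>\d+) .*?"
    r"Account Name: (?P<acct>\S+) Source Network Address: (?P<src>\S+)$")


def _blank():
    """A record with every common column present, so consumers never miss a key."""
    return {field: None for field in COMMON_FIELDS}


def normalize(line, year=2024):
    """Map one raw line onto the common schema; None when no connector matches.

    `year` supplies the year a BSD-syslog timestamp lacks (constructed default).
    """
    m = FIREWALL_RE.match(line)
    if m:
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        event = _blank()
        event.update(
            EventType="DeniedTraffic" if m["action"] == "DENY" else "AllowedTraffic",
            DetectionTime=when.replace(tzinfo=timezone.utc).isoformat(),
            SourceMachine=m["host"], SourceIP=m["src"],
            DestinationIP=m["dst"], DestinationPort=int(m["dpt"]))
        return event
    m = WINDOWS_RE.match(line)
    if m and m["id"] == "4625":          # Windows Security event 4625: logon failure
        when = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        event = _blank()
        event.update(
            EventType="LogonFailure",
            DetectionTime=when.replace(tzinfo=timezone.utc).isoformat(),
            SourceMachine=m["host"], SourceAccount=m["acct"], SourceIP=m["src"])
        return event
    return None


def normalize_all(lines):
    """Normalize every line; return (events, number of lines no connector understood)."""
    events, unparsed = [], 0
    for line in lines:
        event = normalize(line)
        if event is None:
            unparsed += 1
        else:
            events.append(event)
    return events, unparsed


if __name__ == "__main__":
    events, unparsed = normalize_all(RAW_LOGS)
    for e in events:
        print(e)
    print(f"{unparsed} line(s) not understood by any connector")
```

Because every record carries the full column set, a filter or rule can test SourceIP or DestinationPort without caring whether the event came from the firewall or the domain controller, which is the point of normalizing before the Manager processes events against rules.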
Filters button: Click the Filters button to alternately show and hide the Filters pane.
Filters pane: Stores all of the filters that you can apply to the Console's event messages.
Events grid: Agents monitor each configured data source on your network. The Agents then send events to your Managers. The Console's events grid displays every event that is logged to each Manager the Console is connected to. The grid's title bar displays the name of the filter that is currently applied. By default, incoming events always appear at the top of the grid. This allows the Console to always show the most recent event activity first.
Pause/Resume: This button toggles to pause or resume the event traffic that is currently being reported by the filter.
Highlight: This button lets you highlight rows in the events grid with a particular color. Highlighting can serve as a helpful visual reference point for marking and locating specific events in the grid.
Gear button: The gear button in each row opens a menu of commands that you can perform on the item that is currently selected in the grid. You can use these commands to mark messages as read or unread, to remove messages, or to copy event information.
Sort
Filter
Notifications pane
pane behaves exactly like the status bar's Notifications tab.
Widgets pane: This pane displays the widgets associated with the filter that is currently applied to the events grid. Widgets automatically refresh themselves to reflect changes in events grid filtering. You can use this pane to view the different widgets associated with the filter, change a widget's visualization type (bar chart, pie chart, line graph, etc.), create a new widget, edit an existing widget, or save a widget to the Ops Center dashboard.
Event Details and Description
Notifications
You can turn filters on and off, pause filters to sort or investigate their events,
perform actions to respond to events, and configure filters to notify you when they
capture a particular event. Filters can also display widgets, which are charts and
graphs that visually represent the event data. Widgets are described in more
detail below.
LEM ships with many commonly used filters that support best practices in the
security industry. However, you can create your own custom filters, or modify
existing filters to meet your needs. There is no limit to the number of filters a
LEM Console can contain.
Filters are managed in the Filters pane. The Filters pane stores all of the filters
that can be applied to the Console's events grid.
Filter Attributes
The number next to each filter shows the total number of events that are currently
associated with that filter. Positioning your pointer over a filter displays a Tooltip
that briefly describes the purpose of each filter, when such a description is
available. Any filters that appear in italics are currently turned off.
You can use the Filters pane to do any of the following tasks:
• Create your own custom filters and reconfigure existing filters to meet your needs.
• Turn filters on and off, and pause them to stop the flow of event traffic.
• Copy filters.
Filter | Description | Default status
Admin Account
Authentication
Off
All Events
On
Change
Management
On
Denied ACL Traffic Displays events for network traffic that has been
administratively denied.
Off
Off
Failed Logons
On
Off
Firewall
On
FTP Traffic
IDS
On
Incidents
On
Network Events
On
Proxy Bypassers
Off
Rule Activity
On
Security Events
On
On
SMTP Traffic
On
SNMP Traffic
On
Subscriptions
On
Events
On
Unusual Network
Traffic
USB-Defender
User Logon
(interactive)
User Logons
Virus Attacks
Off
Off
Web Traffic
Spyware
Off
On
On
Filter Creation
The Monitor view has a Filter Creation tool where you create and edit your own
custom event filters, as well as edit any existing filters. Use this form to name,
This accordion pane is called the list pane. It contains categorized lists of the
events, event groups, event variables, groups, profiles, and constants that you
can use when creating conditions for your filters.
If more than one Manager is linked to the Console, each item in the list pane
lists the Manager it is associated with. Therefore, some list items may appear to
be listed multiple times. But in reality, they are listed once for each Manager.
Events are universal to all Managers, so they do not show a Manager
association.
Filter: Use the top part of the form to name and describe the filter, so
Conditions box: Use this box to define the conditions for the data that is to be reported by the filter. You configure conditions by dragging items from the list pane into the Conditions box.
Notifications box: Use this box to define how the Console is to notify users of events, such as by sound, pop-up message, etc.
Undo/Redo: Click the Undo button to undo your last desktop action. You can click the Undo button repeatedly to undo up to 20 steps. Click the Redo button to redo a step that you have undone. You can click the Redo button repeatedly to redo up to 20 steps. You can only use Undo or Redo for any steps you made since the last time you clicked Save.
Save/Cancel: Click Save to save your changes to a filter, close Filter Creation, and return to the events grid. Click the Cancel button to cancel any changes you have made to a filter since the last time you clicked Save, exit Filter Creation, and return to the events grid. If you have any unsaved changes, the system prompts you to confirm that you want to cancel.
Events
The topics in this section explain how to use the events grid to apply filters to
incoming event traffic. It also explains how to use the events grid to pause, sort,
highlight, copy, read, remove, explore, and respond to events to take preventive
or corrective action.
Highlighting Events
In the Monitor view's events grid, you can highlight events to call attention to
them or mark them for future reference. This allows the events to really stand out
as you scroll through the contents of the grid. You can highlight multiple events at
the same time. You can also choose the color you want for each set of events you
are highlighting.
To highlight events:
1. Open the Monitor view.
2. In the Filters pane, click to select the filter you want to work with. The events
grid displays the filter you have selected.
3. On the events grid toolbar, click Pause to temporarily stop any incoming
events.
Note: It is not required to pause a filter to highlight its events; however, it is
convenient. Pausing temporarily stops the flow of event traffic (freezing any
event movement in the grid) so you can easily select each item.
4. In the events grid, click to select the events you want highlighted.
5. On the events grid toolbar, click the arrow next to the highlight button.
6. Use the color picker to select the highlight color you want. You can also
type the hexadecimal value of any color in the Web-safe color palette. In the
grid, the selected events become highlighted in the color you chose.
Command
• Mark Unread
• Mark Read
• Mark All Unread
• Mark All Read
Removing Events
When needed, you can remove individual events from a filter, or all of the events
from a filter. You may want to do this to clean a filter of historical information that is
no longer important to you.
To remove individual events:
The Event Details view displays detailed information about the event that is
currently selected in the grid. If more than one event is selected, it shows the
properties of the last event to be selected.
The Event Description view displays a written description of the last event
to be selected in the grid.
You can also use this pane to create a filter based on the selected event, or to
scroll through the contents of the events grid.
• Click this button to create a new filter that captures the currently selected event type. Upon doing so, the Monitor view opens, with the new filter open in the events grid. The new filter appears in the Filters pane, under the last selected filter. If needed, you can edit the filter so it captures events of an even more specific nature.
• Click these buttons to move up and down among the events in the events grid. The pane shows detailed technical information about each event that is selected. This lets you view the technical details and written descriptions of each event in the grid. Remember, you can also use your keyboard's up and down arrow keys:
• Click this button to open the pane's Event Details view. This view shows detailed information about each of the selected event's data fields. The actual fields that appear here vary, according to the event type that is currently selected. For example, network-oriented events show fields for IP addresses and ports. Account-oriented events show account names and domains.
• Click this button to open the pane's Event Description view, which provides a detailed written description of the event type that is currently selected.
• Click the Print button to print this information from either view.
Name
Description
Debug
Normal
Audit
Normal
Notice
Suspicious
Critical
Chapter 8: Explore
The Console's Explore area has two views:
• The nDepth view contains a powerful search engine that lets you search all of the event data or the original log messages that pass through a particular Manager. The log data is stored in real time, as it originally occurs from each host (network device) and source (application or tool) that is monitored by the Manager.
nDepth summarizes and displays search results with several different visual tools that can also be combined into a customizable dashboard. The tools are intuitive and interactive: you can point and click to view information or refine your searches. Each graphical tool provides an alternative view of the same data, so you can examine your data from several perspectives. You can also view and explore a text-based view of the actual data.
nDepth employs drag-and-drop tools that let you configure simple or even complex search criteria. You can use these tools to dig deeper into your findings by adding search conditions, or by appending text to existing search strings. nDepth also includes a tool called Search Builder that lets you configure complex search criteria using the same sort of drag-and-drop interface found in Filter Creation.
• The Utilities view contains several utilities, called explorers. You can think of this view as a center for investigating events and their details.
Many of the explorers are utilities used for finding out more about event-specific details, such as looking up IP addresses, domain names, and host names. The Event explorer lets you view all of the events related to an event message. It is designed to help you visualize how the event occurred and the system's response to that event. You can follow the chain of events that caused the event, and help determine its root cause.
nDepth
nDepth is a powerful search engine that lets you search all of the event data or the original log messages that pass through a particular Manager. The log data is stored in real time, as it originally occurs from each host (network device) and source (application or tool) that is monitored by the Manager. You can use nDepth to conduct custom searches, investigate your search results with graphical tools, investigate event data in other explorers, and take action on your findings.
• Search either normalized event data or the original log messages. You can also use nDepth to explore log messages that are stored on a separate nDepth appliance.
• Intuitively view, explore, and search significant event activity. nDepth summarizes event activity with simple visual tools that you can use to easily select and investigate areas of interest.
• Use existing filter criteria from the Monitor view to quickly create similar searches.
• Create your own custom widgets for the nDepth Dashboard.
• Conduct custom searches. You can also create complex searches with the Search Builder, which is a tool that behaves just like the Filter Builder. You can also save any search, and then reuse it at any time by clicking it.
• In Events mode, nDepth summarizes and explores your event data. This is the normalized data that appears in the Monitor view and is stored in the LEM database.
• In Log Messages mode, nDepth summarizes and explores the raw log messages that are going into nDepth Log Storage from the original event logs. This mode is intended for customers who have specific data analysis needs, and who fully understand how to interpret the raw log messages that are generated by their network devices and tools.
Note: The virtual appliance must be configured to store log message data. For more information, see Configuring Your LEM Appliance for Log Message Storage.
Be aware that data storage is limited. If you have not configured a CMC option for archiving data, LEM will delete the oldest data to make room for new data.
The topics in this chapter explain how to perform basic searches with nDepth, how to use nDepth's graphical tools, how to use nDepth with other explorers, and how to respond to your findings.
Opening nDepth
You can open nDepth several ways. You can open the Explore > nDepth view directly to conduct custom searches. Or you can open nDepth from an existing data source, such as an event field or another explorer (NSLookup, Whois, Traceroute, and Flow), to search for similar events or data.
By default, the nDepth search time is for the last 10 minutes (the end time is now, and the start time is 10 minutes ago).
• In the Monitor view's event grid, select the event row or field you want to explore.
• In the Event explorer's Event Details pane, event map, or event grid, click the item or field you want to explore.
• In an explorer, select the data source you want to explore.
Alternately hides and opens the History and Saved Searches panes.
History pane: Shows recent Explore activity. This pane is shared between the Utilities view and the nDepth view.
Saved Searches pane: Lists any searches that you have saved. To begin using one of these searches, click it to run that search. You can edit, schedule, and save changes to your saved searches. You can also save variations on these searches as new searches.
nDepth explorer: Use this window to create and run your searches, and to view, explore, and respond to your search results.
Undo/Redo: Click the Undo button to undo your last action. You can undo up to 20 actions. Click the Redo button to redo a step that you have undone. You can redo up to 20 actions.
Respond
Explore
Search bar
List pane: quickly configure complex searches. Two of these lists appear only in nDepth:
Histogram
Explorer toolbar: Use to select the nDepth explorer view you want to work in.
Mode selector: Use this toggle switch to select how you intend to enter the search string for your queries:
• Select Drag & Drop Mode (upper position) to drag items from the list pane or the Result Details view directly into the search box. This is the recommended position, as it is the easiest to use.
• Select Text Input Mode (lower position) to type a search string directly in the search box. In this mode, the search box also shows the text version (or search string) of any search that is being run or configured in Search Builder or the Saved Searches pane.
Search box: This box contains your search conditions. You can enter search conditions a number of different ways.
Delete button: Click a delete button next to a condition or a group to remove that condition or group from the current search configuration.
AND/OR: The search bar includes AND and OR operators. These operators let you include AND and OR relationships between conditions and groups of conditions, when you have multiple conditions in your search string. Click the operator icon to toggle between AND and OR relationships.
Group summary: When you have a group of conditions, the search bar displays the conditions as a summary. To see the actual conditions, point to them. A ToolTip appears that shows each condition in the group.
Delete All: Click this Delete All button to delete the entire contents of the search box, so you can begin a new search.
Search button: Click this button to begin a search, or to stop a search that is in progress.
• Click the button to begin searching.
Time selector: In the time selector, select a time frame for the search. If needed, you can create your own custom time frame.
Data selector: Use this toggle switch to choose the data you want nDepth to explore:
• Events position.
Tree Map: Opens the Tree Map, which shows the items that appear most often in the data as a series of categorized boxes. The box categories correspond with the data categories found in the Refine Fields list. The size of a box within each category is associated with its relative frequency. The more often an item occurs, the larger its box appears. If a box is small, you can point to it to open a ToolTip that shows its contents. You can also click a box to create or append a search based on that item.
Bar Charts: Opens the Bar Charts* view, which is a group of widgets that shows your most frequent data items as a series of bar charts. The size of each bar corresponds with the item's relative frequency. The more often an item occurs, the larger its bar appears. You can point to a bar to show information about it. You can also click a bar to create or append a search based on that item.
Line Charts
Pie Charts: Opens the Pie Charts* view, which is a group of widgets that shows your most frequent data items as a series of pie charts. The size of each pie wedge corresponds with the item's relative frequency. The more often an item occurs, the larger its wedge appears. You can point to a wedge to show information about it. You can also click a wedge to create or append a search based on that item.
Bubble Charts
Result Details
Search Builder: Opens nDepth's Search Builder, which is a graphical interface used to create and refine complex searches. You can drag items from nDepth's list pane directly into Search Builder's Conditions box to quickly configure complex searches. With a few minor differences, Search Builder behaves just like the Filter Creation tool.
*In any explorer view, if a particular chart configuration does not logically apply to
the data you are exploring, that chart will be disabled.
A new search always adds a history item. If you click an earlier history item, the
system takes you back to that search; it does not make a new item. As soon as
you change something in nDepth and perform a new search, that search
becomes a new history item.
to move the search period, to zoom in to a period to take a closer look, or zoom
out to see high-level activity.
Histogram Features
The histogram has the following features:
• The title bar shows the total number of events that were reported by the search, as well as the search's time frame.
• The gray zones preview results that are outside the search's time frame.
• Each vertical bar in the histogram shows the total number of events that happened within the corresponding period.
• Time is provided in 24-hour (military) time.
• Pointing to a bar shows the total number of events in that interval, as shown above.
• Clicking a bar opens a pop-up window that shows a histogram for that bar's interval. Depending on the range of the search's time frame, these intervals can be as little as 5 seconds. Pointing to a bar shows the total number of events
• When you are in the Result Details view, the histogram shows two dashed vertical lines. These lines are markers that indicate where you are in the histogram for each page of the search results. The lines show the times of the first and last event on the current Result Details page.
By default, the pointer shows the time of the first result on the page. If you select an event in the Result Details box, the pointer shows the time of that event.
If you are looking at the search results of events number 1-200, the left line shows the time of event number 1, and the right line shows the time of event number 200. If you click event number 150, the pointer shows the time that event occurred.
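The bucketing behind those bars, as an added example that is not part of this guide and not LEM's code: it groups constructed event timestamps into bars whose width is chosen from a ladder of candidate widths down to the 5-second minimum mentioned above, counts events that fall outside the window (the gray preview zones), labels bars in 24-hour time, drills into one bar the way the pop-up does, and reports the first and last event on a page of 200 results (the two dashed markers). The width ladder, the page size, and the events are assumptions made for this example.

```python
import math
from datetime import datetime, timedelta

# Candidate bar widths in seconds, from one hour down to the 5-second minimum
# the guide mentions. The exact ladder is an assumption for this example.
BAR_WIDTHS = [3600, 900, 300, 60, 30, 10, 5]
PAGE_SIZE = 200  # results per Result Details page (assumed for the example)

# Constructed sample events: (timestamp, event name). Not LEM data.
BASE = datetime(2024, 1, 15, 13, 0, 0)
WINDOW_END = BASE + timedelta(minutes=10)  # the default 10-minute search window
SAMPLE_EVENTS = [
    (BASE + timedelta(seconds=s), name)
    for s, name in [
        (5, "UserLogon"), (12, "UserLogon"),
        (70, "UserLogonFailure"), (75, "UserLogonFailure"), (80, "UserLogonFailure"),
        (301, "FileAuditFailure"), (420, "UserLogon"), (599, "MachineLogoff"),
        (640, "UserLogon"),  # just after the window: lands in the gray zone
    ]
]


def pick_bar_width(start, end, min_bars=10):
    """Widest bar that still yields at least min_bars bars over the window."""
    span = (end - start).total_seconds()
    for width in BAR_WIDTHS:
        if span / width >= min_bars:
            return width
    return BAR_WIDTHS[-1]  # 5-second bars for very short windows


def histogram(events, start, end, min_bars=10):
    """Return (bar_width, [(bar_start, count), ...], outside_count).

    Events in [start, end) are counted in their bar; events outside the
    window are only tallied, mirroring the gray preview zones.
    """
    width = pick_bar_width(start, end, min_bars)
    n_bars = math.ceil((end - start).total_seconds() / width)
    counts = [0] * n_bars
    outside = 0
    for ts, _name in events:
        if start <= ts < end:
            counts[int((ts - start).total_seconds() // width)] += 1
        else:
            outside += 1
    bars = [(start + timedelta(seconds=i * width), c) for i, c in enumerate(counts)]
    return width, bars, outside


def drill_down(events, bar_start, width, min_bars=10):
    """Histogram for a single bar's interval, as the pop-up window shows it."""
    return histogram(events, bar_start, bar_start + timedelta(seconds=width), min_bars)


def page_markers(events, start, end, page=1, page_size=PAGE_SIZE):
    """Times of the first and last result on a Result Details page (the dashed lines)."""
    hits = sorted(ts for ts, _ in events if start <= ts < end)
    chunk = hits[(page - 1) * page_size: page * page_size]
    return (chunk[0], chunk[-1]) if chunk else None


def bar_label(bar_start):
    """24-hour clock label for a bar, as the histogram axis shows it."""
    return bar_start.strftime("%H:%M:%S")


def render(events, start, end):
    """Text rendering of the histogram: title bar line, then one row per bar."""
    width, bars, outside = histogram(events, start, end)
    total = sum(c for _, c in bars)
    print(f"{total} events, {bar_label(start)} to {bar_label(end)}, "
          f"{width}s bars, {outside} outside the window")
    for bar_start, count in bars:
        print(f"{bar_label(bar_start)} {'#' * count}")


if __name__ == "__main__":
    render(SAMPLE_EVENTS, BASE, WINDOW_END)
```

Running the block prints ten 1-minute bars for the default window; calling drill_down on the 13:01 bar yields twelve 5-second bars, which is where the 5-second floor comes in.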
Drag the slider to the left to move the period to an earlier starting point. Drag the slider to the right to move the period to a later starting point. As you move the slider, a ToolTip displays the period's midpoint time.
3. Click the search button to run the search for the new time frame. nDepth automatically refines the search and refreshes the data to show only the events from the new time frame. Moving the period automatically changes the search bar's time selector to Custom.
4. If desired, click
Drag the left slider to change the time frame's start time. When you release the slider, a ToolTip shows the new start time. Drag the right slider to change the time frame's end time. When you release the slider, a ToolTip shows the new end time.
3. Click the search button to run the search for the new time frame. nDepth automatically refines the search and refreshes the data to show only the events from the new time frame. Changing the time frame automatically changes the search bar's time selector to Custom.
4. If desired, click
Event number: The number to the far left is a counter for each event that is reported in the nDepth search results. Each event gets its own number.
Each row represents a different event. To make viewing easier, each event appears with an alternating gray or white background. The number of events that appear depends entirely on your search conditions.
Date and time stamp
Event details: The rest of the information in the box is made up of event details. You can select these details to refine your nDepth search, to explore them with other explorers, or to respond to them with an active response.
Event number: The number to the far left is a counter for each log message (or event) that is reported in the nDepth search results. Each event gets its own number.
Each row represents a different event. To make viewing easier, each event appears with an alternating gray or white background. The number of events that appear depends entirely on your search conditions.
Date and time stamp
Log message: The first line of each event displays the actual log message that matched your search criteria.
Host: The network device the message came from (that is, the Manager or appliance that is storing the message).
ToolId
ToolType
To                                          Do this
Selecting data
Highlight a continuous character string
Select a continuous character string
the row). When the row is selected, an orange highlight bar appears to the left of the row.
Select a character string in the data. Then double-click the selected string to add it to the search box.
Select a character string in the data; then drag it into the search box.
Add conditions to an existing search
• You can select specific values, and pass them into the value-based explorers, such as Whois, NSLookup, and Traceroute. For example, you could investigate a suspicious IP address with these explorers to learn more about that IP address.
• When you are viewing data in Events mode, each row in the search results represents the data for an individual event. You can select the row for an event you want to explore, and then pass the row into the Event Explorer to explore that event.
1. In the Result Details view, select the character string you want to respond to. When selected properly, the character string is surrounded by an orange box.
2. In the Respond menu, select which response you want to take. If nDepth is in Events mode, the event or the selected text appears in the Respond form.
3. Complete the Respond form, as applicable for the response.
Event Name
Detection IP
Inference Rule
Insertion IP: The Manager or Agent that first created the event. This is the source that first read the log data from a file or other source.
IP Address
Manager: The name of the Manager that received the event. For data generated from an Agent, this is the Manager the Agent is connected to.
Provider SID: A unique identifier for the original data. Generally, the Provider SID field includes information that can be used in researching information on the event in the originating network device vendor's documentation.
Severity
Tool Alias
User Name: shows all the places that user names appear in event data.
Host: The node the log message came from (that is, the LEM or Agent that collected the message for forwarding to nDepth).
HostFromData: The originating network device (if different than the node) that the message came from. Normally, Host and HostFromData are the same, but in the case of a remote logging device (such as a firewall) this field reports the original remote device's address.
ToolId
ToolType: Tool category for the tool that generated the log message.
nDepth's Word Cloud. You can use the sliders on the lower bar to filter the items shown in the Word Cloud.
nDepth's Word Cloud summarizes your event activity by showing the top 100 keyword phrases that appear in your event messages. Phrases appear in a size and color that relates to their frequency:
• The top bar is a color gradient that goes from red (hot) to blue (cool). These colors correspond with the colors of the phrases shown in the Word Cloud.
• The lower bar controls which parts of the gradient the Word Cloud is allowed to show. You can use this bar to filter the Word Cloud so that it only shows the section of the gradient you want to see. By default, the Word Cloud shows everything associated with the entire gradient: all items that are hot, cool, and in between.
• To hide hot items, drag the lower bar's left-hand slider to the right.
• To hide cool items, drag the lower bar's right-hand slider to the left.
• To restore the Word Cloud, drag the sliders back to their far-left and far-right positions.
• When you are working with events, the Tree Map organizes itself into categories based on common event data fields. Most categories correspond with actual event fields, as they appear in the Monitor view.
• When you are working with log messages, the Tree Map organizes itself into categories based on common log message data fields.
Note: Some data categories may not always be present. If there is no event activity associated with a particular data category or field, it will not appear in the Tree Map.
The size of each box corresponds with the relative frequency of its occurrence. So the more often a detail occurs, the larger its box appears.
Click to select an item from the Tree Map as a search condition. If a box is too small to show its contents, point to it to open a ToolTip that shows its contents.
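The ranking behind the Tree Map boxes above and the Word Cloud phrases in the previous section, as an added example that is neither this guide's nor LEM's code: it counts field values per category over constructed events (leaving out a category with no activity, as the note says), sizes each item relative to the most frequent one, extracts keyword phrases from constructed raw log lines for the Log Messages case, and applies the lower bar's slider filter as a relative-frequency range. The category field names, the tokenizer, and the sample data are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample events in Events mode (normalized fields). Not LEM data.
SAMPLE_EVENTS = [
    {"EventName": "UserLogon", "SourceMachine": "ws01", "DestinationAccount": "alice"},
    {"EventName": "UserLogon", "SourceMachine": "ws02", "DestinationAccount": "bob"},
    {"EventName": "UserLogonFailure", "SourceMachine": "ws03", "DestinationAccount": "admin"},
    {"EventName": "UserLogonFailure", "SourceMachine": "ws03", "DestinationAccount": "admin"},
    {"EventName": "UserLogonFailure", "SourceMachine": "ws03", "DestinationAccount": "admin"},
    {"EventName": "FileAuditFailure", "SourceMachine": "fs01"},  # no account field
    {"EventName": "UserLogon", "SourceMachine": "ws01", "DestinationAccount": "alice"},
]

# Constructed raw log lines for Log Messages mode (syslog style, made up).
SAMPLE_LOG_LINES = [
    "Jan 15 13:00:05 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=22",
    "Jan 15 13:00:06 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=23",
    "Jan 15 13:00:09 fw01 kernel: ACCEPT IN=eth0 SRC=10.0.0.8 DST=10.0.0.5 PROTO=TCP DPT=443",
]

# Tree Map categories are assumed to be these event fields for the example;
# DetectionIP is listed to show what happens to a field with no activity.
CATEGORY_FIELDS = ["EventName", "SourceMachine", "DestinationAccount", "DetectionIP"]


def sized(counts, top=100):
    """Rank items and size each one relative to the most frequent (1.0 = largest box)."""
    ranked = counts.most_common(top)
    largest = ranked[0][1]
    return [(value, n, n / largest) for value, n in ranked]


def tree_map(events, fields=CATEGORY_FIELDS):
    """One category per field; a field with no activity is left out, as the guide notes."""
    categories = {}
    for field in fields:
        counts = Counter(e[field] for e in events if field in e)
        if counts:
            categories[field] = sized(counts)
    return categories


# Words and key=value pairs; bare numbers and clock times are skipped.
TOKEN = re.compile(r"[A-Za-z][A-Za-z0-9_.=]*")


def word_cloud(log_lines, top=100):
    """Top keyword phrases in raw messages, sized like the Word Cloud."""
    counts = Counter(tok for line in log_lines for tok in TOKEN.findall(line))
    return sized(counts, top)


def filter_cloud(cloud, min_rel=0.0, max_rel=1.0):
    """Keep phrases whose relative frequency lies in [min_rel, max_rel].

    Lowering max_rel hides the hottest (reddest) phrases, which is what dragging
    the lower bar's left slider to the right does; raising min_rel hides the
    coolest ones, like dragging the right slider to the left.
    """
    return [item for item in cloud if min_rel <= item[2] <= max_rel]
```

For the constructed firewall lines the cloud has thirteen phrases; filtering with max_rel=0.9 drops the six that appear in every line (hostname, interface, destination) and leaves the ones that actually vary, which is the usual reason to hide the hot end of the gradient.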
Click the icon.
Note: Even when maximized, a Tree Map category can show very small items within it. Don't forget, if a box is too small to show its contents, you can point to it to open a ToolTip that shows its contents.
To restore a category to its proportional size:
• Click the icon.
• From a main nDepth view (such as Word Cloud, Tree View, or Result Details), this button adds the view to the nDepth Dashboard as a widget. From the nDepth explorer toolbar, you can point to a chart view and then click this button to add a specific chart widget to the nDepth Dashboard.
• Adds a new widget to the current chart view.
• This button adds the widget to the nDepth Dashboard. This button only appears on widgets in their various chart views.
• Refreshes the widget so it displays the latest data. This button is only enabled when the chart properties have changed. If you edit a chart's configuration, the Console does not have the data to draw the chart until you refresh its data.
• Opens the nDepth Widget Builder so you can edit or reconfigure the widget.
• Minimizes the widget so it appears as a title bar at the bottom of the view. To restore the widget, scroll down to the bottom of the view, and then click the widget's title bar.
• Toggles the widget between its normal size and being maximized to fill the current view.
• Deletes the widget from the view. Once deleted, the widget cannot be restored; you must re-create it.
2. Click an item on a widget. A new search string associated with the widget item appears in the search box.
To append an existing search string with an item from a widget:
if you ever remove them from the Dashboard, you can use this procedure to
restore them.
To add a main nDepth view to the Dashboard:
1. Open the Explore > nDepth view.
2. On the nDepth explorer toolbar, click the view you want to add to the
Dashboard.
3. On the view's title bar, click the gear
Dashboard.
4. The view now appears as a widget at the bottom of the nDepth Dashboard.
The search bar and the Search Builder show different views of the same search configuration.
To switch from the search bar to Search Builder:
Search Builder
The following table describes the main features of Search Builder.
Undo/Redo: Click the Undo button to undo your last action. You can undo up to 50 steps. Click the Redo button to redo a step that you have undone. You can redo up to 50 steps.
Search bar: The search box shows the current state of the search you are building. If you have a complex search, the search box shows its configuration as a "summary." If you want to view the complete text of the search, switch the search bar to Text Input Mode, which shows the current search configuration as a search string.
List pane
Histogram pane
Conditions box: Use this box to define the conditions for the data that is to be reported by the filter. You configure conditions by dragging items from the list pane into the Conditions box. For more information,
Add Group button: This is the Add Group button. It appears at the top of every group box. Click it to create a new group within the group box. A group within a group is called a nested group. Each group is subject to AND and OR relationships with the groups around it and within it. By default, new groups appear with AND comparisons.
Delete button: This is the Delete button. It appears at the top of every group box. When you point to a condition, it also appears next to that condition. Click this button to delete a condition or a group. Deleting a group also deletes any groups that are nested within that group.
Group
Drag the item from the list pane into the Conditions box.
Note: By default, the Conditions box includes a "this item exists" condition. To use it, type or paste the search string you want to search for into the text box. Or you can replace this condition by dragging an item from the list pane on top of it.
4. If the list item contains a variable field (such as a field for an IP address, a constant value, or an empty text box), type the specific value you want to search for.
Note: Search Builder will show you if a particular configuration is invalid. If a condition field is yellow (left), it means the search's current configuration is invalid. If a condition field is red (right), it means the condition does not apply to the type of data you are currently searching. For example, perhaps you are trying to search log messages with conditions that are meant for event data.
6. Repeat Steps 2 and 3, dragging new items into the appropriate group boxes, as needed.
7. Select the appropriate AND and OR operators for each group to configure the search to your needs.
8. When you are satisfied with the search conditions, click the search button to run the search.
After a few moments, nDepth returns the search results. To see the search results, do one of the following:
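The AND/OR groups that the search bar summarizes and that Search Builder nests, as an added example that is neither this guide's nor LEM's code: a small evaluator for nested condition groups over constructed events, a Text Input Mode style rendering of the same query, and a validator that flags an empty condition (the yellow case in the note above) and a condition whose field does not exist in the type of data being searched (the red case). The condition tuple format, the operator names, and the field names are assumptions made for this example.

```python
import ipaddress

# Constructed sample events (normalized Events-mode data). Not LEM data.
SAMPLE_EVENTS = [
    {"id": 1, "EventName": "UserLogon",        "SourceIP": "10.0.0.8",    "DestinationAccount": "alice"},
    {"id": 2, "EventName": "UserLogonFailure", "SourceIP": "203.0.113.7", "DestinationAccount": "bob"},
    {"id": 3, "EventName": "UserLogonFailure", "SourceIP": "10.0.0.9",    "DestinationAccount": "bob"},
    {"id": 4, "EventName": "FileAuditFailure", "SourceIP": "10.0.0.8",    "DestinationAccount": "admin"},
    {"id": 5, "EventName": "UserLogonFailure", "SourceIP": "203.0.113.9", "DestinationAccount": "admin"},
]
EVENT_FIELDS = {"EventName", "SourceIP", "DestinationAccount"}  # fields valid in Events mode

# A condition is a (field, operator, value) tuple; a group is {"op": "AND"|"OR", "items": [...]}
# whose items are conditions or nested groups. This query reads: logon failures from
# outside the assumed corporate range, OR any event touching the admin account.
QUERY = {
    "op": "OR",
    "items": [
        {"op": "AND", "items": [
            ("EventName", "=", "UserLogonFailure"),
            ("SourceIP", "in_cidr", "203.0.113.0/24"),
        ]},
        ("DestinationAccount", "=", "admin"),
    ],
}


def match_condition(event, cond):
    """Evaluate one leaf condition against one event."""
    field, op, value = cond
    if field not in event:
        return False
    actual = event[field]
    if op == "exists":
        return True  # the default "this item exists" condition
    if op == "=":
        return str(actual) == value
    if op == "!=":
        return str(actual) != value
    if op == "contains":
        return value.lower() in str(actual).lower()
    if op == "in_cidr":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
    raise ValueError(f"unknown operator {op!r}")


def evaluate(event, node):
    """AND groups need every child to match, OR groups any child; groups nest freely."""
    if isinstance(node, tuple):
        return match_condition(event, node)
    results = (evaluate(event, child) for child in node["items"])
    return all(results) if node["op"] == "AND" else any(results)


def search(events, query):
    return [e for e in events if evaluate(e, query)]


def to_search_string(node):
    """Text Input Mode view of a query: the full string rather than a summary."""
    if isinstance(node, tuple):
        field, op, value = node
        return f"{field} {op}" if op == "exists" else f"{field} {op} {value}"
    inner = f" {node['op']} ".join(to_search_string(c) for c in node["items"])
    return f"({inner})"


def validate(node, known_fields):
    """List problems: 'invalid' for an empty value or an empty group (yellow),
    'does not apply' for a field the searched data type does not have (red)."""
    problems = []
    if isinstance(node, tuple):
        field, op, value = node
        if field not in known_fields:
            problems.append((field, "does not apply"))
        elif op != "exists" and value == "":
            problems.append((field, "invalid"))
        return problems
    if not node["items"]:
        problems.append((node["op"], "invalid"))
    for child in node["items"]:
        problems.extend(validate(child, known_fields))
    return problems


if __name__ == "__main__":
    print(to_search_string(QUERY))
    for e in search(SAMPLE_EVENTS, QUERY):
        print(e["id"], e["EventName"], e["SourceIP"], e["DestinationAccount"])
```

The same query structure can be checked before it is run: a condition on a log-message field such as Host, evaluated against Events-mode fields, comes back as "does not apply", which is the situation the red condition field signals.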
Utilities
The following table describes the key features of the Explore > Utilities view.
History pane: The History pane displays a record of your explorer viewing history. Selecting an item in the history list displays the corresponding explorer event in the Explorer pane. Click the History button to alternately show and hide the History pane. When needed, you can delete individual history items from the history list. The Reset button lets you remove all items from the history list.
Utilities pane: The Utilities pane shows the explorers that are currently open. You can have multiple explorers open at the same time.
Cascade button
Respond menu: This menu lets you take action to respond to the event or event field that is the subject of the active explorer. You can also use the Respond menu to take action even when no explorer windows are open or active. This menu behaves exactly as it does in the Monitor view's event grid.
Explore menu: This menu contains options to open the other explorers. You can use it to further explore the event message or event field that is the subject of the active explorer. Or you can open a blank explorer to manually enter the item you want to explore.
Explorer windows
Minimized explorers
< and > buttons: Beginning from the active explorer window, you can use these buttons to cycle through the other open explorer windows. Click < to go to the previous window. Click > to go to the next window.
Explorer Types
The Console contains the following explorers.
Event: The Event explorer, which can only be opened from the Monitor view, allows you to view all of the events that are related to the event that is currently selected in the Console. The Event explorer displays both sequential and concurrent events. That is, you can view the events that occurred before, during, and after the event occurred. You can also monitor events in real time, to see where they came from and where they are going. Use this explorer when you need to know what caused the rule to fire.
Whois: domain that corresponds to the IP that caused that rule to fire.
Flow: The Flow explorer lets you perform flow analysis to determine which IP addresses or ports are generating or receiving the most network traffic. You can also analyze the volume of data (in bytes or packets) that is transferring to or from a given IP address or port number on your network. The explorer reports this information in easy-to-read graphs and tables. For example, if you see a strange IP address at the top of the Flow explorer's activity list, you can select the desired bar on the graph or a row in the table, and then choose the Whois explorer from the Explore menu to find out what that IP address is and why it is transmitting so much data.
nDepth: nDepth is a powerful search engine that lets you search all of the event data or the original log messages that pass through a particular Manager. The log data is stored in real time, as it originally occurs from each host (network device) and source (application or tool) that is monitored by the Manager.
Both Explore views have a Respond menu and an Explore menu that you can use with any of the explorers:
• The Respond menu lets you take corrective action on an event or other information presented in an explorer, such as shutting down a workstation when you see a problem reported in the Console.
• The Explore menu lets you use any of the other explorers to investigate a particular event, event detail, nDepth search result, or other explorer finding.
NSLookup Explorer
The NSLookup explorer is a network utility that is designed to resolve IP addresses to host names, and host names to IP addresses. Use this explorer whenever you need to know a name that corresponds to the IP address that caused the rule to fire. For example, it resolves a name like SolarWinds.com to an IP address.
In the example shown here, we opened the NSLookup explorer for an event field that has an IP address of 192.168.168.10 (which appears in the Search field). The explorer retrieved the corresponding host name, which is grendel.corp.SolarWinds.com.
Opening the NSLookup explorer adds an item to the Explore view's History pane. The new item has an NSLookup explorer icon.
Traceroute Explorer
The Traceroute explorer is a network utility that is designed to trace the network links from your host computer to the destination you specify. Use this explorer whenever you need to determine the network connections between yourself and the IP address that caused the rule to fire.
In the example shown here, we used the Traceroute explorer on the IP address of 192.168.167.1. It shows you the hops between your computer and that IP address. In this example, connecting to that IP address required two hops.
Opening the Traceroute Explorer adds an item to the Explore view's History pane. The new item has a Traceroute explorer icon.
Whois Explorer
The Whois explorer is a network utility that is designed to identify the source of an IP address or domain name based on how it is registered with domain and network authorities. This explorer contacts the central databases for IP addresses and domain names and returns the results of any of your searches. It can tell you where something is located physically in the world, and who actually owns the device you're searching for. For example, use this explorer if you need to know who owns a domain that corresponds to the IP address that caused a rule to fire.
The example on the left shows the results for an IP address. The example on the right shows the results for the SolarWinds domain name, SolarWinds.com. From these, you can find out who owns the IP address and where the server is hosted.
Opening the Whois Explorer adds an item to the Explore view's History pane. The new item has a Whois explorer icon.
Chapter 9: Build
The Build menu contains three views: Groups, Rules, and Users. Use these views to configure the related components on the LEM appliance. Since these components reside on the appliance, they are universal and available to all console users from any computer. The sections in this chapter address the features of each Build view in detail.
Groups
The Build > Groups view is used to create, name, configure, and organize groups of parameters. You may then choose from these Groups when configuring filters (in Filter Creation) and rules (in Rule Creation) to include or exclude the specific elements defined within each Group.
Each Group you create only applies to the Manager that is selected when you create the Group. If you need a similar Group for another Manager, you must create it separately with that other Manager; or you must export the Group, and then import it from the other Manager's Groups grid.
Group types
You can use the Build > Groups view to create any of the Groups listed in the following table.
Event Groups: Event Groups are custom families of events that you can save as a Group. You can then associate the Event Group with your rules and filters. For example, you might create an Event Group made up of similar events that all need to trigger the same response from the Console. When you apply the Event Group to a rule, the Console implements the same rule when any one of the events in the Group occurs.
Directory Service Groups: service (DS) Groups. Once connected, you can synchronize your DS Groups with LEM and apply them to your rules and filters. DS Groups allow you to match, include, or exclude events to specific users or computers, based on their DS Group membership. In most cases, DS Groups are used in rules and filters as a type of white list or blacklist for choosing which users or computers to include or to ignore. When used by a filter, a DS Group lets you limit the scope of the events included in the filter to those users or computers that have membership in a particular Group.
Email Template
State Variables
Time of Day Sets: Time of Day Sets are specific groups of hours that you can associate with rules and filters. Time of Day Sets allow them to take different actions at different times of day. For example, if you define two different Time of Day Sets for Working Hours and Outside Working Hours, you can assign different rules to each of these Time of Day Sets. For instance, you may want a rule that automatically shuts down the offending computer and notifies your system administrator via email.
Connector Profiles
User-Defined Groups: events, information, or data fields based on their membership in a particular Group. In most cases, User-Defined Groups are used in rules and filters as a type of white list or blacklist for choosing which events to include or to ignore.
Description
The gear button in each row opens a menu of commands that
you can perform on the item that is currently selected in the grid.
It has commands for editing, cloning, exporting, and deleting the
selected Group.
Type
Name
Description
Created By
Displays the name of the Console user who created the Group.
Displays the name of the Console user who last modified the
Group.
Modified
Date
Manager
137
Chapter 9: Build
The Refine Results form for the Groups grid has the following fields:
Reset: Click Reset to return the form and the Groups grid to their default settings.
Search: Use this field to perform keyword searches for specific Groups. To search, type the text you want to search for in the text box. The grid displays only those Groups that match or include the text you entered.
Type: Select the type of Group you want to work with (Connector Profile, User-Defined Group, Time of Day Set, etc.) to have the grid display only Groups of that type.
Manager: Select a Manager to have the grid display only the Groups that are associated with that Manager.
Created By: Select the name of the Console user who created the Group to have the grid display only Groups created by that user.
Created Date Range
Modified By: Select the name of the Console user who last modified the Group to have the grid display only Groups modified by that user.
Modified Date Range: Type or select a date range to have the grid display only Groups that were modified on or within that date range.
Rules
The Console's Build > Rules view is used to create, configure, and manage your rules. Rules monitor and respond to event traffic: they let you automatically notify or respond to security events in real time, whether or not anyone is watching the Console. When an event (or a series of events) meets a rule's conditions, the rule prompts the Manager to take action, such as notifying the appropriate users or performing an active response (for example, blocking an IP address or stopping a process).
The Console ships with a set of pre-configured rules that you can begin using immediately. You can also use the view's Rule Creation connector to create your own custom rules and your own variations on any existing rule.
The Rules grid has the following columns:
Gear button: The gear button in each row opens a menu of commands that you can perform on the item that is currently selected in the grid. These commands let you edit, enable, disable, test, clone, and delete the selected rule.
Enabled: Indicates whether or not the rule is enabled and ready for use with your policies. One icon means the rule is enabled and in active use; the other means the rule is disabled and not in use.
Test
Name
Folder: The name of the folder (in the Folders pane) in which the rule is stored.
Created By
Created Date
Modified By: The name of the Console user who last modified the rule.
Modified Date: The date and time on which the rule was last modified.
Manager
The Refine Results form for the Rules grid has the following fields:
Reset: Click Reset to clear the form. This returns the form and the Rules grid to their default settings.
Search: Use this field to perform keyword searches for specific rules. To search, type the text you want to search for in the text box. The grid displays only those rules whose Name fields match or include the text you entered.
Enabled: Select this check box to show only those rules that are Enabled. Clear it to show both Enabled and Disabled rules.
Test: Select this check box to show only those rules that are in test mode. Clear it to show rules both in and out of test mode.
Manager: Select a Manager to have the grid display only the rules that are associated with that Manager.
Created By: Select the name of the Console user who created the rule to have the grid display only rules created by that user.
Created Date Range: Type or select a date range to have the grid display only rules that were created within that date range.
Modified By: Select the name of the Console user who last modified the rule to have the grid display only rules modified by that user.
Modified Date Range: Type or select the begin and end dates to have the grid display only rules that were modified on or within that date range.
The connectors in Rule Creation are very similar to those in Filter Creation. However, filters only report event occurrences; rules act on them. There is no harm in creating a filter that is unusual or has logic problems, but this is not always the case with rules. Rules can have unexpected and sometimes unpleasant consequences if they are not configured exactly as you intend.
Inexperienced users should use caution when creating rules. Creating filters is an excellent way to familiarize yourself with the logic and connectors needed to build well-crafted rules. Begin configuring rules only after you are at ease with configuring filters, and even then, always run a new rule in test mode (the Test column in the Rules grid shows which rules are in test mode) before you enable it, because an active response such as blocking an IP address or stopping a process acts on production systems.
There is a default set of Rule Categories & Tags, and you can also create your own. New categories and tags can be added to or removed from your list at any time.
The pre-defined categories are Activity Types, Authentication, Change Management, Compliance, Devices, Endpoint Monitoring, IT Operations, and Security.
Rule templates have been separated into their own view and sorted into the appropriate categories and tags, making them much easier to find and use.
Rule Tagging
The Rule Tagging feature allows you to add, change, or remove tags from
existing or newly created rules. Rules may have several different categories and
tags.
If you have a rule that you want to appear in several different category locations,
you can use the tag feature to have it display in those locations.
To tag a rule:
1. Select an existing Rule Template or create a new Rule.
2. Click the Add Tags... link.
3. Select the categories and tags. There are many default tags, or you can create a custom tag to suit your needs.
4. Click OK.
Users
The Users view is used to manage the system users who are associated with each Manager. By adding email addresses for each user, the Console can notify users of event conditions by email.
The topics in this section describe the key features of the Users view, the meaning of each column in the Users grid, and how to refine the Users grid.
The Users view has the following features:
Refine Results: This form behaves like a search engine. It lets you apply filters to the Users grid to reduce the number of users it shows.
Users grid: The Users grid displays all of the system users who are associated with each Manager throughout your network.
Add button: Click this button to add a new user.
User Information: This pane displays detailed information about the user who is currently selected in the grid, including the user's role, password information, and contact information. When editing a user, the User Information pane turns into an editable form.
Gear button: Opens a menu of commands for the selected user. Use the Edit command to edit the user's settings and contact information.
The Users grid has the following columns:
Status
User Name: Displays the name the user uses to log on to the Manager.
First Name: Displays the user's first name.
Last Name: Displays the user's last name.
Role: Displays the user role that has been assigned to the user.
Last Login: States the date and time the user last logged on to the system.
The Refine Results form for the Users grid has the following fields:
Reset: Click Reset to return the form and the Users grid to their default settings.
Manager: Select the Manager you want to work with. By default, the grid displays All Managers.
Role: Select the user role you want to work with. By default, the grid displays All roles.
Last Login Date Range: Type or select the begin and end dates to display the users who have logged in within that date range.
3. Click the View Role button. The Privileges form appears, showing the system privileges for the user's assigned role. This information is provided for reference and cannot be changed.
4. When you are finished viewing the role's privileges, click Close to return to the Console.
Managers
Database servers
Logging servers
Network sensors
nDepth servers
The Appliances view is primarily concerned with Managers, even though other appliances may appear in your appliance list. Once a Manager is in place, you can use this view to do the following:
The Appliances view has the following features:
Appliances grid: This grid lists all of the Managers and other network appliances LEM is monitoring. Use this grid to add, configure, or remove appliances; to configure Manager connectors and Manager policy; and to connect to and disconnect from Managers.
Add button: Click this button to add a new Manager or network appliance to the Console.
Gear button (grid toolbar): Click the gear button at the top of the grid to access commands applicable to multiple selections in the grid and other commands not requiring a grid selection.
Copy button: Click this button to copy the grid's information about your Managers to the clipboard, so you can paste it elsewhere, such as Microsoft Excel for analysis or the Remote Agent Installer for updates.
The Appliances grid has the following columns:
Gear button: Opens a menu of commands you can perform on the selected appliance, such as Login, Logout, Configure, Connectors (for connecting products to the appliance), Policy (for assigning event distribution policy), and Delete. The Login, Logout, Connectors, and Policy options apply only when you have a Manager selected. If you have a Manager selected but are not connected, only the Login, Configure, and Delete commands are available.
Status: One icon means Connected/Logged In; the other means Disconnected/Logged Off.
Icon
Name
Type: Manager, Database, Logging Server, or Network Sensor.
Version
Platform
User: For Managers, this column displays the user name that is currently logged on to that Manager.
Details Pane
The Details pane displays essential information about an appliance, such as its name, connection status, and IP address.
To view an appliance's details:
1. Open the Manage > Appliances view.
2. If needed, log in to the Manager you want to work with.
3. In the Appliances grid, click to select the Manager or appliance you want to work with.
4. If the Details/Properties pane is not already open, click the open pane button at the bottom of the window.
The Details pane displays the following fields for the Manager or appliance you have selected:
Platform
CPU Reservation
Number of CPUs
Memory Allocation
Memory Reservation
Status
Name
Type: Database Server, nDepth, Logging Server, or Network Sensor.
Version
IP Address
Port
If the Login on console startup option is checked, the system uses this data to automatically connect to the Manager whenever the Console is opened.
If you manually log in to a Manager from the Appliances grid, the system uses this data to connect to the Manager so you don't have to complete the login dialog box.
Use the following table to complete the Properties pane's Login tab.
Username
Password
Login on console startup: Select this check box to have LEM automatically log you into the Manager when you open the LEM Console. If you prefer to log in manually, clear this check box.
Save Credentials
Reconnect on disconnection
Try to reconnect every xx seconds
Timeout reconnection attempts after xx tries
Save
Cancel
Saved credentials let anyone who can open this Console log in to the Manager without being prompted for a password, so use Save Credentials and Login on console startup only on a workstation whose access you control.
The license information includes the following:
Total Nodes
Total Unused Nodes: Displays the number of nodes that have not yet been allocated.
Total Agent Nodes
Maintenance Expiration Date: Displays the date your current maintenance contract with SolarWinds Support expires.
For more information on activating your SolarWinds LEM license, see "Going from evaluation to production" in the SolarWinds Log & Event Manager Quick Start Guide.
License Recycling
Each time a VM desktop is created, an Agent connects to LEM and a license is consumed. As desktops are created and destroyed, this eventually uses up all licenses. License recycling lets you reclaim and reuse licenses from nodes that have not sent an event to the LEM Manager within a specified amount of time.
To enable license recycling:
1. Select the Enable license recycling check box.
2. Select, from the options shown, how long a node must go without sending an event before its license is recycled.
3. Select when you would like the system to check for recyclable licenses.
4. Select the nodes to be checked.
Password Policy
Minimum Password Length
Must meet complexity requirements
Remote Updates
Enable Global Automatic Updates: This check box indicates whether or not the Manager can automatically update its Agents with new software. Select this check box to have the Manager automatically issue the latest software updates to qualifying Agents as they become available.
Select how many Agents the Manager can update at one time. The default value is 10. If the number of Agents that require updates is greater than the value you enter here, the remaining Agents are queued for updating as soon as an update slot becomes available.
Seconds: Set the amount of time before a timeout request is initiated.
Send usage statistics to SolarWinds to help us improve our products: Select this check box to send statistics to SolarWinds.
Threat Intelligence
Allow LEM to detect threats based on list of bad IP addresses
Many data sources generate events that are difficult to control at a granular level, or that have little or no value. You are better off removing these events from the system to reduce the volume and noise sent to your Console and database. By configuring event distribution policy, you can disable (exclude) specific event types, at the event level, from being sent to any or all of these destinations. The data sources continue to generate the events, so you can re-enable them at any time; until then, the selected destinations ignore them.
There may also be events that you want to monitor in the LEM Console but do not need for long-term storage and reporting. In this case, use event distribution policy to disable database storage for those events while leaving Console processing enabled.
Bear in mind that an event type excluded from the Rules destination can no longer trigger any rule, and one excluded from the Database is not available for later searching and reporting, so review exclusions with your detection and forensic needs in mind.
Select the Manager you want to work with, and then click Policy. The Event Distribution Policy for [Manager] window appears.
If you open the Event Distribution Policy window while another user is currently using it, a Policy Locked message appears. You can choose to take over the window or to view it in read-only mode. Any Full User can unlock any other user.
The following table describes the key features of the Event Distribution Policy window.
Check Boxes
Export Button
In the Event/Field list, click any node to show its lower-level event type nodes. Double-clicking any event type row also shows its lower-level event type nodes.
3. Once you have found the event type you want, configure it as follows:
Select the row's Console check box to have that event type appear in the LEM Console.
Select the row's Database check box to have that event type stored in the local database.
Clear a check box to exclude the event type from that destination.
Upon saving, the Applying Changes status bar appears. Updating the Manager with the new event policy configuration can take anywhere from 30 seconds to several minutes.
1. In the Event/Field grid, locate the event type that is a parent to the event types you want to configure.
2. In the parent row, define the policy by selecting or clearing the Console, Database, Warehouse, and Rules check boxes.
3. Click the row's gear button and choose the command that applies the settings to the child event types. The Console pushes, or propagates, the parent row's check box settings down to each of its lower-level event types in the node tree hierarchy:
If you select one or more of the parent row's check boxes, the Console selects the same check boxes for each related lower-level event type in the node tree. Upon saving, the policy begins sending the child event types to the selected destinations.
If you clear any of the parent row's check boxes, the Console clears the same check boxes for each related lower-level event type in the node tree. Upon saving, the policy stops sending those event types to those destinations.
4. Click OK to save your changes. The Console implements the new policy.
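The propagation behaviour above, as an added example that is not code from LEM or SolarWinds: a small tree of event types with a Console/Database/Warehouse/Rules policy per row, a set_policy that changes one row only (as the check boxes do), and a propagate that pushes the row's settings down to every descendant the way the gear command does. The event type names in the tree are a constructed subset of the real Event/Field hierarchy. The example also lists the event types for which Rules is cleared, since that is the exclusion that silently stops detection.

```python
from dataclasses import dataclass, field

# The four destinations a policy row can enable or disable (the check boxes in the grid).
DESTINATIONS = ("Console", "Database", "Warehouse", "Rules")


@dataclass
class EventType:
    """One row of the Event/Field tree; children are the lower-level event types."""
    name: str
    policy: dict = field(default_factory=lambda: {d: True for d in DESTINATIONS})
    children: list = field(default_factory=list)

    def find(self, name: str):
        if self.name == name:
            return self
        for child in self.children:
            hit = child.find(name)
            if hit is not None:
                return hit
        return None

    def set_policy(self, **flags: bool) -> None:
        """Select or clear this row's check boxes only; children are not touched."""
        for dest, enabled in flags.items():
            if dest not in DESTINATIONS:
                raise KeyError(f"unknown destination {dest!r}")
            self.policy[dest] = enabled

    def propagate(self) -> None:
        """The gear command: push this row's settings down to every descendant."""
        for child in self.children:
            child.policy = dict(self.policy)
            child.propagate()

    def walk(self):
        """Pre-order traversal of the subtree rooted here."""
        yield self
        for child in self.children:
            yield from child.walk()


def destinations_for(root: EventType, name: str) -> list:
    """Destinations that will still receive the named event type."""
    node = root.find(name)
    if node is None:
        raise KeyError(name)
    return [d for d in DESTINATIONS if node.policy[d]]


def rule_blind_spots(root: EventType) -> list:
    """Event types no rule can ever fire on because Rules is cleared for them."""
    return [n.name for n in root.walk() if not n.policy["Rules"]]


def build_sample_tree() -> EventType:
    # Constructed, much-reduced hierarchy; LEM's real Event/Field tree is far larger.
    traffic = EventType("TrafficAudit", children=[
        EventType("TCPTrafficAudit"), EventType("UDPTrafficAudit"), EventType("ICMPTrafficAudit")])
    auth = EventType("Authentication", children=[
        EventType("UserLogon"), EventType("UserLogonFailure")])
    return EventType("Any Alert", children=[traffic, auth])


def apply_noise_reduction(root: EventType) -> EventType:
    """Keep chatty traffic audits visible in the Console and usable by rules,
    but stop storing them in the Database and Warehouse, for the whole subtree."""
    traffic = root.find("TrafficAudit")
    traffic.set_policy(Database=False, Warehouse=False)
    traffic.propagate()
    return root


if __name__ == "__main__":
    root = apply_noise_reduction(build_sample_tree())
    for node in root.walk():
        print(f"{node.name:20} {destinations_for(root, node.name)}")
    print("rule blind spots:", rule_blind_spots(root))
```

Until propagate is called, a change to the parent row is a change to that one row only, which is why the procedure has the explicit gear step; rule_blind_spots is the check worth running after any edit that clears Rules.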
4. In the File Name box, type a name and file type for the exported file. Include a file type of .xls in the file name to save the file as a Microsoft Excel spreadsheet.
5. Click Save. The Console saves the file to the folder and with the file name you specified. You can now view the Manager's policy information in a spreadsheet application such as Excel.
The following alert types map to Windows event IDs:
TCPTrafficAudit, IPTrafficAudit, UDPTrafficAudit, ICMPTrafficAudit: Windows event IDs 5152, 5156
PPTPTrafficAudit: Windows event ID 5152
The Provider SID value in these alerts matches the format "Windows Security Auditing <Event ID>", where <Event ID> is one of the Windows event IDs listed below. These are Windows Filtering Platform audit events.
Event ID: Event description
5152: The Windows Filtering Platform blocked a packet.
5154: The Windows Filtering Platform permitted an application or service to listen on a port for incoming connections.
5156: The Windows Filtering Platform permitted a connection.
5157: The Windows Filtering Platform blocked a connection.
5158: The Windows Filtering Platform permitted a bind to a local port.
5159: The Windows Filtering Platform blocked a bind to a local port.
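To show how the Provider SID format above can be turned into detection logic, here is an added example (not LEM or SolarWinds code) that parses the event ID out of "Windows Security Auditing <Event ID>" strings, maps it to the Windows Filtering Platform event it denotes, and flags hosts that WFP blocked from several distinct destination ports. The alert records and their field names (ProviderSID, SourceMachine, DestinationMachine, DestinationPort) are constructed for the example and are not a statement of LEM's alert schema.

```python
import re
from collections import defaultdict

# Windows Filtering Platform (WFP) audit events behind the traffic audit alerts.
# The descriptions are Microsoft's standard Security log event descriptions, shortened.
WFP_EVENTS = {
    5152: "WFP blocked a packet",
    5154: "WFP permitted an application or service to listen on a port",
    5156: "WFP permitted a connection",
    5157: "WFP blocked a connection",
    5158: "WFP permitted a bind to a local port",
    5159: "WFP blocked a bind to a local port",
}
BLOCKED_EVENTS = {5152, 5157, 5159}

# "Windows Security Auditing <Event ID>" is the Provider SID format described above.
PROVIDER_SID_RE = re.compile(r"^Windows Security Auditing (\d{4})$")


def event_id_from_provider_sid(provider_sid: str):
    """Return the WFP event ID encoded in a Provider SID, or None if it is not one."""
    match = PROVIDER_SID_RE.match(provider_sid.strip())
    if match is None:
        return None
    event_id = int(match.group(1))
    return event_id if event_id in WFP_EVENTS else None


def describe(alert: dict) -> str:
    event_id = event_id_from_provider_sid(alert.get("ProviderSID", ""))
    return WFP_EVENTS.get(event_id, "not a WFP traffic audit event")


def blocked_ports_by_source(alerts) -> dict:
    """Map each source host to the set of destination ports WFP blocked it from reaching."""
    blocked = defaultdict(set)
    for alert in alerts:
        if event_id_from_provider_sid(alert.get("ProviderSID", "")) in BLOCKED_EVENTS:
            blocked[alert["SourceMachine"]].add(int(alert["DestinationPort"]))
    return dict(blocked)


def noisy_sources(alerts, min_distinct_ports: int = 3) -> list:
    """Hosts blocked from at least min_distinct_ports different ports: a cheap
    port-scan / lateral-movement indicator built only from these audit events."""
    blocked = blocked_ports_by_source(alerts)
    return sorted(host for host, ports in blocked.items() if len(ports) >= min_distinct_ports)


# Constructed sample alerts. Field names are assumptions made for the example.
SAMPLE_ALERTS = [
    {"ProviderSID": "Windows Security Auditing 5156", "SourceMachine": "ws01", "DestinationMachine": "10.0.0.5", "DestinationPort": "443"},
    {"ProviderSID": "Windows Security Auditing 5157", "SourceMachine": "ws02", "DestinationMachine": "10.0.0.9", "DestinationPort": "445"},
    {"ProviderSID": "Windows Security Auditing 5157", "SourceMachine": "ws02", "DestinationMachine": "10.0.0.9", "DestinationPort": "135"},
    {"ProviderSID": "Windows Security Auditing 5157", "SourceMachine": "ws02", "DestinationMachine": "10.0.0.9", "DestinationPort": "3389"},
    {"ProviderSID": "Windows Security Auditing 5157", "SourceMachine": "ws02", "DestinationMachine": "10.0.0.9", "DestinationPort": "445"},
    {"ProviderSID": "Windows Security Auditing 5152", "SourceMachine": "ws03", "DestinationMachine": "10.0.0.9", "DestinationPort": "22"},
    {"ProviderSID": "Microsoft-Windows-Security-Auditing 4624", "SourceMachine": "ws03", "DestinationMachine": "dc01", "DestinationPort": "0"},
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(alert["SourceMachine"], describe(alert))
    print("noisy sources:", noisy_sources(SAMPLE_ALERTS))
```

The parser is strict on purpose: a Provider SID that does not match the exact "Windows Security Auditing NNNN" shape, or that carries an event ID outside the WFP set, is reported as not a traffic audit event rather than guessed at, which keeps a logon event (4624) out of the port statistics.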
The Nodes view has the following features:
Sidebar: Click the Sidebar button to alternately hide and open the Refine Results pane.
Refine Results pane: By default, the Nodes grid shows all Nodes that are associated with all of your Managers. The Refine Results pane lets you apply filters to the Nodes grid to reduce the number of Nodes it shows. This way, you can show only those Nodes that are associated with a particular Manager, Connector Profile, status, etc.
Nodes grid: The Nodes grid lists all of the Agent and Non-Agent nodes that are associated with each Manager and appliance that is monitored by the LEM Console. You can also Add a New Node and Scan for a New Node with the buttons in the toolbar.
Add Node
The Nodes grid has the following columns:
Gear button: The gear button in each row opens a menu of commands that you can perform on the item that is currently selected in the grid.
Status: Indicates whether the Agent is connected to a Manager.
Node Name
Agent Node
USB
Version: The version number of the Node software. Note: This column is blank for non-Agent nodes.
OS
Profile
FIM Status: Shows the File Integrity Monitoring state of the node. Possible states include: at least one FIM Connector or FIM Connector Profile is configured for this Node but the driver is disabled; or the Node is not assigned to a FIM Connector or FIM Connector Profile, and the Connector is not configured and running.
Updates Enabled
Update status: Current means the Agent's software is current.
ID
Manager
Install Date: The time and date the Agent was first installed and connected to the Manager.
Last Connected: The time and date the Agent was last connected to the Manager.
4. Configure the new node and select Start to start the node.
The Refine Results form for the Nodes grid has the following fields:
Reset: Click Reset to clear the form. This returns the form and the Agents grid to their default settings (showing all Agents for all Managers).
Search: Use this field to perform a keyword search for a specific Agent in the Name field. To search, type the text you want to search for in the text box. The grid displays only those Agents that match or include the text you entered.
Manager: Select the Manager you want to work with. Select All to include Agents from every Manager.
Profile: Select the Connector Profile you want to work with. Select All to include Agents from every Connector Profile.
Node Status: Select the connection status of the Agents you want to work with (Connected or Not Connected). Select All to include both.
Version: Select the version of the software on the Agent. Select All to include Agents of every version.
OS
USB
The user form has the following fields:
Manager: In the upper-right corner of the form, select the Manager this user will be associated with.
User Name: Type the user's system user name. This is the name the user will use when logging in to the Manager. Note: The user names admin_role, audit_role, and reports_role are reserved and cannot be used.
First Name: Type the user's first name.
Last Name: Type the user's last name.
Password
Confirm Password
Role
View Role: After selecting a user role, you can click the View Role button to open the Privileges form, which shows the system privileges for that role. This information is provided for reference and cannot be changed.
Email: It is always a good idea to test each email address to confirm that it has been entered correctly and that it works properly.
To add the user's email address:
1. Click the add button.
2. In the box that appears, type the user's email address and then click Save.
5. Select the Organizational Unit and Group where you want to add the user.
6. Select the user you want to add from the Available Users column, and then click Select User.
7. Select a LEM Role in the User Information form. Click View Role to see details about each role.
8. Enter a user description. If you change the Description field, your changes apply only to the LEM user account, not to the Active Directory account.
9. Click Save.
To create users from an Active Directory group:
1. Open your LEM console and authenticate to your LEM appliance.
2. Configure the Directory Service Query connector on your LEM appliance if you haven't already. For additional information, see Configuring the Directory Service Query Connector.
3. Click Build, and then select Users.
4. Click the plus button.
5. Select the Organizational Unit to which the group you want to add belongs.
6. Select the group you want to add from the Available Groups column, and then click Select Group.
7. Select a LEM Role in the User Information form. Click View Role to see details about each role.
Note: Every member of the group receives this role. If some members need different LEM user roles, give the group the least-privileged role its members need, then change individual roles after you complete this procedure.
8. Enter a description for these users if you want. If you change the Description field, your changes apply only to the LEM user accounts, not to the Active Directory accounts.
9. Click Save.
Click to select the user you want to work with. Then click the row's gear button and click Edit. Below the grid, the User Information pane displays the user's current settings and becomes an editable form.
3. Make the necessary changes to the User Information form.
4. Click Save.
To delete a user's email address:
1. Open the Build > Users view.
2. In the Users grid, click to select the user you want to work with.
3. Click the row's gear button.
Deleting Users
Follow this procedure to delete a user from a Manager.
To delete a user:
Note: You cannot delete the admin user from the system.
4. At the Confirmation prompt, click Yes to delete the user; otherwise, click No. The user is removed from the Users list and is no longer authorized to use the Manager.
Events: Drag a single Event into your Conditions to filter for any instance of the Event you specify. This type of Condition does not require a value. The field at the top of the Events list is a search box.
Event fields: Drag an Event field into your Conditions to filter for any Event that contains the value you specify.
Features of the List Pane
The list pane is the accordion list on the left side of Filter Creation, Rule Creation, and the nDepth explorer. It contains categorized lists of events, Event Groups, event fields, Groups (from the Groups grid), profiles, and constants that you can use when creating conditions for your filters, rules, and search queries.
If more than one Manager is linked to the Console, each item in the list pane shows the Manager it is associated with, so some items may appear to be listed multiple times; in reality they are listed once per Manager. Events are universal to all Managers, so they do not show a Manager association.
The following table describes the contents of each list in the list pane, in the order in which they appear. If a list does not apply to a particular view, it does not appear in that view.
Refine Fields: This list only appears with nDepth. It categorizes and lists the top 100 data details for each listed field found within your nDepth search results. The details change depending on whether you are searching event data or log messages. You can use these details to create, refine, or append nDepth search conditions. In Drag & Drop Mode, you can drag an item from this list into the search box to include that item in the search string. When using Search Builder, you can drag an item from this list into the Conditions box.
Managers
Events: The Events list includes all of the Console's event types. You can show the events in either of two ways: as a hierarchical node tree, or as an alphabetized list. Both views contain the same events; they are just presented differently. You can search either view. To do so, begin typing a word or phrase in the box at the top of the list. The Events list refreshes to show any event types that include your word or phrase. Then use the list to select each event type that you want to include as a filter condition or a rule correlation. In the Events list, one button displays the list as a hierarchical node tree (the default view); the other lists event types alphabetically, regardless of their position in the hierarchy.
Event Groups
Fields: The Fields list displays the data fields that apply to whichever event is selected in the Events or Event Groups list.
User-Defined Groups: User-Defined Groups are groups of preferences used in rules and event filters that allow you to match, include, or exclude events, information, or data fields based on their membership in a particular Group. In most cases, User-Defined Groups are used in rules as a whitelist or blacklist for choosing which events to include or to ignore. User-Defined Groups are created in the Group Builder.
Connector Profiles: This list displays all the different Connector Profiles that apply to the Managers. Connector Profiles are groups of Agents that have common Connector configurations. You can use them to have your rules and filters include or exclude the Agents associated with a particular profile. Connector Profiles are created in the Groups grid.
Directory Service Groups
Time Of Day Sets: This list displays all of the different Time Of Day Sets that apply to the Managers. Time Of Day Sets are specific groups of hours that you can associate with rules and event filters. You can use them to have your filters include or exclude messages that occur during the hours associated with a particular Time of Day Set, or to have your rules take different actions at different times of day. Time of Day Sets are created in the Groups grid. Note: This list does not appear in nDepth.
State Variables: This list displays all of the different State Variables that apply to this Manager. The upper box lists the names of State Variables. The lower box lists the fields that apply to whichever State Variable is selected in the upper box. State Variables are created within the Groups grid. Note: This list only applies to rules.
Subscription Groups: This list displays all of the Console user names, and the Manager each user is currently associated with. Each name in the list represents the list of rules that user is subscribed to. By adding a Subscription Group to a filter, you can build the filter so that it only displays event messages related to the specific rules a particular user is interested in (or subscribed to). Subscription groups are created in the Rules grid. Note: This list only applies to filters and nDepth searches.
Constants: This list displays the three types of constants that rules and filters can use for comparing event data: text, number, or time.
Actions: This list displays all of the active responses that a rule can initiate, such as sending an email message, sending a pop-up message, blocking an IP address, etc. Note: This list only applies to rules.
Notifications: This list includes the various notification methods the Console can use to announce an event message for the filter. You can have the Console display a pop-up message, display the new event as unread, play a sound, or have the filter name blink. If needed, you can configure multiple notification methods for the same filter. Note: This list only applies to filters.
The Conditions box has the following items:
Group: Individual groups (and the entire Conditions box) can be expanded or collapsed to show or hide their settings. Once a group is properly configured, you may want to collapse it to avoid accidentally changing it.
Add Group button: This button appears at the top of every group box. Click it to create a new group within the group box. A group within a group is called a nested group. Each group is subject to AND and OR relationships with the groups around it and within it. By default, new groups app
ear with AND comparisons.
Delete button: This button appears at the top of every group box. When you point to a condition, it also appears next to that condition. Click this button to delete a condition or a group. Deleting a group also deletes any groups that are nested within that group.
Event variable
Operators: Whenever you drag a list item or a field next to an event variable, an operator icon appears between them. The operator states how the filter compares the event variable to the other item to determine whether the event meets the filter's conditions.
List item: List items are the various non-event items from the list pane. You drag and drop them into groups to define conditions based on your Time Of Day Sets, Connector Profiles, User-Defined Groups, Constants, etc. Some event variables automatically add a blank Constant as their list item. You can overwrite the Constant with another list item, or click the Constant to enter a specific value. For example, clicking a text Constant turns the field into an editable text box so you can type specific text. The text field also allows wildcard characters. Each list item has an icon that corresponds to the list it came from, so you can quickly identify what kinds of items define your filter's conditions.
Nested group
AND
OR
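An added example, not code from LEM or SolarWinds, of how nested groups with AND and OR relationships, operators, wildcard text Constants and list items drawn from a Group combine into one filter condition: the evaluator below walks a group tree against constructed events and also exercises the two edge cases a practitioner trips over, a field the event lacks (which never matches, even under !=) and an empty AND group (which matches every event). The field names, the filter itself and the SERVICE_ACCOUNTS group are assumptions made for the example.

```python
import fnmatch
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Condition:
    """One row in a group box: event variable <operator> list item."""
    name: str         # event variable, e.g. "SourceAccount"
    op: str           # "=", "!=", "contains", ">", "<", "in", "not in"
    value: object     # a Constant (text may use * and ? wildcards) or a Group (a set of values)


@dataclass
class Group:
    """A group box; members are Conditions or nested Groups. New groups default to AND."""
    logic: str = "AND"
    members: list = field(default_factory=list)


def _text_match(actual, pattern) -> bool:
    # This evaluator compares text case-insensitively and honours the * and ? wildcards
    # the text field allows.
    return fnmatch.fnmatchcase(str(actual).lower(), str(pattern).lower())


def eval_condition(cond: Condition, event: dict) -> bool:
    actual = event.get(cond.name)
    if actual is None:
        return False   # a field the event lacks never matches, not even under "!="
    if isinstance(cond.value, (set, frozenset)):       # list item dragged from a Group
        hit = any(_text_match(actual, v) for v in cond.value)
        return hit if cond.op == "in" else not hit
    if cond.op == "=":
        return _text_match(actual, cond.value)
    if cond.op == "!=":
        return not _text_match(actual, cond.value)
    if cond.op == "contains":
        return str(cond.value).lower() in str(actual).lower()
    if cond.op in (">", "<"):
        a, b = float(actual), float(cond.value)          # number constants
        return a > b if cond.op == ">" else a < b
    raise ValueError(f"unsupported operator {cond.op!r}")


def eval_group(group: Group, event: dict) -> bool:
    results = [eval_group(m, event) if isinstance(m, Group) else eval_condition(m, event)
               for m in group.members]
    # Edge case: an empty AND group is True for every event, an empty OR group for none.
    return all(results) if group.logic == "AND" else any(results)


def matching_ids(group: Group, events) -> list:
    return [e["id"] for e in events if eval_group(group, e)]


# Constructed filter: failed logons by non-service accounts, coming from a
# workstation (ws*) OR targeting a domain controller (dc0?).
SERVICE_ACCOUNTS = frozenset({"svc_backup", "svc_sql"})   # stands in for a User-Defined Group
FAILED_LOGON_FILTER = Group("AND", [
    Condition("EventType", "=", "UserLogonFailure"),
    Condition("SourceAccount", "not in", SERVICE_ACCOUNTS),
    Group("OR", [
        Condition("SourceMachine", "=", "ws*"),
        Condition("DestinationMachine", "=", "dc0?"),
    ]),
])

# Constructed sample events; field names are illustrative, not LEM's exact schema.
SAMPLE_EVENTS = [
    {"id": 1, "EventType": "UserLogonFailure", "SourceAccount": "alice", "SourceMachine": "ws01", "DestinationMachine": "dc01"},
    {"id": 2, "EventType": "UserLogonFailure", "SourceAccount": "svc_sql", "SourceMachine": "ws02", "DestinationMachine": "dc01"},
    {"id": 3, "EventType": "UserLogonFailure", "SourceAccount": "alice", "SourceMachine": "srv07", "DestinationMachine": "app01"},
    {"id": 4, "EventType": "UserLogon", "SourceAccount": "alice", "SourceMachine": "ws01", "DestinationMachine": "dc01"},
    {"id": 5, "EventType": "UserLogonFailure", "SourceAccount": "bob", "SourceMachine": "srv07", "DestinationMachine": "dc02"},
    {"id": 6, "EventType": "UserLogonFailure", "SourceAccount": "bob"},   # no machine fields at all
]

if __name__ == "__main__":
    print(matching_ids(FAILED_LOGON_FILTER, SAMPLE_EVENTS))   # [1, 5]
```

Event 6 is the instructive one: it is a failed logon by a non-service account, but because it carries neither machine field, both branches of the OR group fail and the event drops out. A filter built the same way in the Console behaves no differently, which is what the Filter Status section exists to surface.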
a different group.
The filter group opens to list the filters that are available for that group.
3. On the Filters pane, click the plus button and then click New Filter. The Monitor view changes from showing the event grid to showing the Filter Creation connector. The connector shows a new filter with the name [New Filter].
4. In the Name box, type a name for the filter. This is the name used to identify the filter in the Filters pane.
5. In the Lines Displayed box, type or select the total number of events to be displayed in this filter. You can use the up and down arrow buttons to the right of the box to select a value. The default is 1000 lines; the maximum is 2000.
6. In the Description box, type a brief description of what the filter does, or the situation for which it is intended.
7. Use the list pane and the Conditions box to configure the conditions that define the filter. These are conditions between events, Event Groups, event fields, and other components.
8. If you want special notification whenever the filter captures an event, drag an option from the Notifications list to the Notification box. Then configure the notification method.
9. Click Save to save the filter's settings.
10. If applicable, use the Filter Status section to verify, troubleshoot, and resolve any problems with the filter's logic. When finished, the new filter appears in the filter group you selected in Step 2.
Pausing Filters
At any time, you can pause a filter to stop the stream of event messages appearing on that filter. This lets you inspect a set of event messages without being interrupted by new incoming messages. You can pause each filter independently, or pause every filter on the Console.
To pause a filter:
1. Open the Monitor view.
2. In the Filters pane, click to select the filter you want to pause. The event grid changes to display the filter you selected.
3. Do either of the following:
In the Filters pane, the word Paused appears next to the filter.
To pause all filters:
1. Open the Monitor view.
2. On the Filters pane, click the gear button and choose the command that pauses all filters.
In the Filters pane, the word Paused appears next to every filter, except those that have been turned off.
In the Filters pane, the word Paused is replaced by the number of events that are currently associated with the filter.
To resume running all filters:
1. Open the Monitor view.
2. On the Filters pane, click the gear button and then click Resume All.
In the Filters pane, the word Paused is replaced by the number of events currently associated with each filter.
Copying a Filter
You can copy a filter. This allows you to quickly create variations on existing filters, or to place the same filter in multiple filter groups.
To copy a filter:
1. Open the Monitor view.
2. In the Filters pane, open the filter group that contains the filter you want to copy.
3. Now open the filter group that is to receive the copied filter.
4. In the first folder, click the filter you want to copy. Then press Ctrl while dragging the filter to the group that is to receive the copy. A copy of the filter appears in the new filter group.
To create a variation of the original filter:
1. In the Filters pane, click to select the newly copied filter.
2. Click the Filters pane gear button.
Importing a Filter
Event filters are saved on the workstation that is running the Console. If you move to another workstation, the filters do not follow. However, you can export the filters from one workstation and import them into another. This allows you to move filters from one Console to another, so that another user can use the same filters on their Console, too. It also allows you to import filters that are provided by SolarWinds. You may import more than one filter at a time.
To import a filter:
1. Open the Monitor view.
2. In the Filters pane, select the filter group that is to receive the new filters.
3. On the Filters pane, click the gear button and then click Import Filters. The Select Filter File(s) to Import form appears.
4. In the Look In box, browse to the folder that contains the filters you want to import.
5. Select the filter files you want to import, and then click Open. To select multiple files, press the Ctrl key while clicking each file you want to import. The imported filters appear in the filter group you selected in Step 2.
Exporting a Filter
When needed, you can export a filter. Exporting does not remove the filter; it copies the filter to another location. Exporting filters is useful for the following reasons:
• You can move filters from one Console workstation to another, so that other Console users can use the same filters.
• You can export your filters to a computer folder or network folder for archival purposes.
• You can provide SolarWinds with a copy of a filter for technical support or troubleshooting purposes.
Filters are exported from the Filters pane. You may export only one filter at a time.
To export a filter:
1. Open the Monitor view.
2. In the Filters pane, select the filter you want to export.
3. On the Filters pane, click the gear button.
4. In the Browse For Folder form, browse to the folder in which you want to save the exported file. If needed, you can click Make New Folder to create a new folder for the file.
5. Click OK. The system exports the filter file to the folder.
Deleting a Filter
When needed, you can delete a filter, which removes the filter from both the event grid and the Filters pane. Deleting a filter also deletes all of the widgets associated with that filter.
Use caution when deleting a filter. The only way to restore it and its widgets is to recreate them.
To delete a filter:
1. Open the Monitor view.
2. In the Filters pane, click to select the filter you want to delete.
3. Delete the filter using either of the available methods (the menu command or the button).
4. At the confirmation prompt, click Yes. The filter is deleted and no longer appears in the Filters pane.
3. A new filter group appears, and its title bar is an editable text box.
4. Type a name for the new group and then press Enter.
5. The new filter group appears in the Filters list. Filter groups are listed in the order in which you create them. However, you can rearrange them as desired.
To rename a filter group, do either of the following:
• Double-click the title bar of the filter group you want to rename.
• Click to select the title bar of the filter group you want to rename, then click the Filters pane gear button.
To move a filter to another group, do either of the following:
• Click the filter you want to move; then drag and drop it just below the title bar of the group that is to receive the filter.
• Open the filter group that is to receive the filter. Then drag the filter from its original group into position in the new group.
To delete a filter group:
3. Click the button.
4. At the confirmation prompt, click Yes. The filter group and all of its filters are deleted and no longer appear in the Filters pane.
Responding to Events
The event grid's Respond menu lets you take direct action on a particular event message. Each Respond command opens the Respond form. The Respond form includes data from the field you selected and options for customizing the action, just as you would configure a rule's active response in Rule Creation.
The Respond menu is context-sensitive. The event type or cell that is currently selected in the event grid determines which responses you may choose from.
1. In the Monitor view's event grid, click the specific cell of the event message you want to respond to.
2. Click the event grid's Respond menu, and then select the type of response you want to make. You can choose between All Actions and a list of commonly used actions. The Respond form appears, which has three main sections.
3. In the middle of the form, complete the action's configuration fields. You can do this by typing text into each field, by dragging and dropping information from the form's event information section, or some combination of the two.
4. Click OK to execute the action. Otherwise, click Cancel.
You can also use a combination of typing and drag and drop to configure an action.
To place event information into a field:
Follow this procedure to add content to a blank configuration field or to replace the content of an existing configuration field.
1. In the Respond form's event information grid, scroll to locate the field that contains the data element needed to configure the action.
2. Click the data and then drag it into the appropriate action configuration field (in the middle of the Respond form). The new data element appears in
Name: Description
Event Details button: Click this button to alternately open and close the Event Details pane.
Event Details pane: The Event explorer's Event Details pane displays information about the event that is currently selected in the event map or the event grid. You can also copy text from this pane and paste it into explorers to explore specific data. This pane works exactly like the Event Details pane in the Monitor view.
Event map: The event map displays a graphical view of the event you are exploring, as well as the related events that came before and after the central event. The event you are exploring appears in the middle. Prior events appear to the left. Events that follow appear to the right. You can double-click any event to move that event to the middle, which allows you to view its relationship with other events.
Stop
Next/Previous: You can step through the events in the map by clicking the Next and Previous buttons.
Pane divider: Drag this bar up or down to resize the event map and event grid panes.
Event grid: The event grid provides a tabular version of the event map. The events are listed chronologically, from earliest to latest. Clicking an event in the grid highlights the corresponding item in the event map. The information pane also changes to show information about the event you have selected. You can sort the event grid by each of its columns, so long as you click Pause first.
Scroll bars: The vertical and horizontal scroll bars let you quickly scroll through the information pane, larger event maps, and the event grid. For example, you can use the event grid's scroll bars to view the full range of events and all of the data associated with each event.
Exploring events
The event grid's Explore menu lets you use an explorer to investigate a particular event or one of its data fields. For example, if you select an InsertionIP cell, your explorer options include the Whois, Traceroute, and NSLookup explorers. If you click the EventInfo cell, your only explorer option is nDepth, because only that explorer can search the raw data for an arbitrary string.
To explore an event:
1. Open the Monitor view.
2. In the Filters pane, select the filter you want to work with. The event grid displays the filter you have selected.
3. In the event grid, click the row (or cell) you want to explore.
4. In the filter's Explore menu, select the explorer you want to work with. The Explore view appears, showing the explorer you selected. The explorer contains the data for the cell you selected.
• Click Prev (previous) to move the previous event in the map to the center position.
• Click Next to move the next event in the map to the center position.
Event map icons and their meanings:
• An event from the Audit Event tree.
• An event from the Security Event tree.
• An event from the Asset Event tree.
• An event from the Incident Event tree.
• An event from the Internal Event tree that is not related to rules or active response activity.
• An internal command that indicates the system has taken action to respond to an event.
• Rule activity, either from a rule in test mode, or from a rule that has initiated an actual active response.
Event position indicators and their meanings:
• The event occurred before the central event shown in the event map.
• The event occurred during (as part of) the central event.
• The event occurred after the central event shown in the event map.
Working with the event grid:
• Click an event in the grid to highlight the corresponding item in the event map. The information pane also changes to show information about the event you have selected.
• When needed, you can use the vertical scroll bar to view all of the events.
• Use the horizontal scroll bar to view all of the data fields associated with a particular event. This same data also appears in the information pane, but as text.
• Click an individual cell in the grid to explore that field.
• Point to an individual cell in the grid to see a ToolTip that displays the complete contents of the cell.
The Event Details pane has two different views to show the properties of the event that is currently selected in the event map or the event grid:
• The Event Details view displays detailed information about the event that is currently selected in the grid. If more than one event is selected, it shows the properties of the last event to be selected.
• The Event Description view displays a written description of the last event to be selected in the grid.
You can also use this pane to create a filter based on the selected event, to scroll through the contents of the event grid, or to explore specific event data with other explorers.
The Event Details pane displays information about the event you selected.
Button: Description
New filter button: Click this button to create a new filter that captures the currently selected event type. Upon doing so, the Monitor view opens, with the new filter open in the event grid. The new filter appears in the Filters pane, under the last selected filter. If needed, you can edit the filter so it captures events of an even more specific nature.
Up/down buttons: Click these buttons to move up and down among the events in the event grid. The pane shows detailed technical information about each event that is selected. This lets you view the technical details and written descriptions of each event in the grid. Remember, you can also use your keyboard's up and down arrow keys.
Event Details button: Click this button to open the pane's Event Details view. This view shows detailed information about each of the selected event's data fields. The actual fields that appear here vary, according to the event type that is currently selected. For example, network-oriented events show fields for IP addresses and ports. Account-oriented events show account names and domains.
Event Description button: Click this button to open the pane's Event Description view, which provides a detailed written description of the event type that is currently selected.
2. In the event map or the event grid, select the event you want to explore.
3. In the Event Details pane's Information column, click the event field you want to explore.
4. In the Explore list, select the explorer you want to work with. The explorer appears, with the field data you selected appearing in the Search box.
5. If you are using the nDepth Explorer, click Search. The other explorers begin searching automatically.
• Select Events (left position) to search the normalized event data that appears in the Monitor view.
• Select Log Messages (right position) to search the actual log entries that are recorded in your network products' log files. If this position is disabled, it means your equipment does not have the capacity to store and search the original log messages.
3. Use the search bar's far-left toggle switch to select how you want to enter the search string:
• Select Drag & Drop Mode (upper position) to drag items from the list pane or the Result Details view directly into the search box. This is the recommended position, as it is the easiest to use and the best way to avoid mistakes.
• Select Text Input Mode (lower position) to type search strings directly in the search box.
4. In the search box, enter your search string. By default, the search box includes a "this item exists" condition, so you can begin searching right away, without having to drag and drop anything. To use this condition, click an item on one of nDepth's graphical tools, or type or paste a search string directly in the text box. In Drag & Drop Mode, the search box indicates when a particular configuration is invalid.
5. If you select more than one condition, determine the AND/OR relationship between each condition. Click the operator icon to toggle between AND and OR relationships. By default, searches use AND operators for each condition in the search string. But there is one exception: if you are selecting multiple items from a widget, it defaults to an OR relationship for the group of items from that widget.
6. In the time selector, select the time frame for which you want to search the data. By default, nDepth reports your network event activity over the last 10 minutes (the end time is now, and the start time is 10 minutes ago). You can also create your own custom time frame. Be aware that the longer the time frame, the more numerous your search results will be.
7. Click the Search button.
Search bar tasks (D&D = Drag & Drop Mode, Text = Text Input Mode):
To clear a search from the search box: On the search bar, click the round Delete All button (next to the search button).
To add a search condition from a widget or other graphical tool: Click an item in a graphical tool to add that item to the search box.
To add a search condition from the list pane: Drag the item from the list pane into the search box.
To add a search from Search Builder: Search Builder automatically populates the search bar with its search configuration. This is because the search bar and the Search Builder are different views of the same search.
To add a search condition from the Result Details view: Select a character string from the data. Then double-click the string to add it to the search box.
To delete an individual search condition: Click the button next to the condition in the search string. Example: use this method to delete Severity = 4.
To delete a group of conditions: Click the button next to the group. Example: use this method to delete the OR group containing the two Insertion IPs.
To delete the entire search string: Example: use this method when you want to delete the entire search string to begin a new search.
Calendar controls:
To select a day: Click the date.
To go to an earlier month: Click the earlier-month button.
To go to a later month: Click the later-month button.
To go to an earlier year: Click the earlier-year button.
To go to a later year: Click the later-year button.
To select a different time: see the note below.
Note: You can use your keyboard's up, down, right, and left arrows to move within the calendar and to select a time.
3. To close the calendar, click anywhere outside of its boundary.
Saving a Search
You can save any search that you create so you can reuse it at any time. Saved searches include your entire search string as well as the time frame you have selected.
To save a search:
1. In nDepth, perform a search as described above, until your results are satisfactory.
2. Click the gear button and then click Save As. The Save This Search form appears.
3. In the Search Name box, type a name that will easily help you remember the focus of this search. You can type up to 200 characters.
4. Click OK. Your search appears in the Saved Searches pane. Saved
3. Customize your report in the nDepth Export window using the following options.
a. Use the navigation bar at the bottom to preview your search results in the default format.
b. Use Insert Page Before Current Page on the navigation bar to add a blank report page.
c. Use Toggle orientation on the navigation bar or on an individual report page thumbnail to switch between portrait and landscape page orientation.
d. Click Items on the left to open a list of report items that you can drag into your report body.
e. Click Saved Layouts on the right to open a list of options related to saving and applying report layouts.
f. Hover over report pages and other elements, such as titles, graphs, and text, to access additional configuration options. Options to clear all page contents, enter static text, and delete pages or other elements appear as you hover over each element.
g. Drag charts and graphs to rearrange them in the report body.
4. Click Export to PDF to export the report in the Preview pane.
5. In the Save PDF As window, choose a destination and file name for your report.
6. Click Save.
Search bar tasks by mode (D&D = Drag & Drop Mode, Text = Text Input Mode):
To clear a search from the search box: On the search bar, click the round Delete All button (next to the search button).
To add a new search:
To add a search condition from a widget or other graphical tool: Click an item in a graphical tool to add that item to the search box.
To add a search condition from the list pane: Drag the item from the list pane into the search box.
To add a search from Search Builder: Configure a search with Search Builder. Search Builder automatically populates the search bar with its search configuration. This is because the search bar and the Search Builder are different views of the same search.
To add a search condition from the Result Details view: Select a character string from the data. Then double-click the string to add it to the search box.
To type a search string: In Text Input Mode, type the string directly in the search box.
To perform the search: Click the Search button.
The following table explains how to delete search conditions directly from the search bar. For the examples in this table, suppose you have a set of search conditions that looks like this:
Severity = 4
AND
(InsertionIP = SolarWinds-demo50 OR
InsertionIP = intrepid)
To delete an individual search condition: Click the button next to the condition in the search string. Example: use this method to delete Severity = 4.
To delete a group of conditions: Click the button next to the group. Example: use this method to delete the OR group containing the two Insertion IPs.
To delete the entire search string: Click the Delete All button. Example: use this method when you want to delete the entire search string to begin a new search.
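The search-bar semantics described in step 5 of the nDepth search procedure above (separate conditions joined with AND, several items picked from one widget forming an OR group) and the example condition set in this table can be modelled in a few lines. The following is an added example, not LEM's code or anything from this guide: the parser, the event records, and every field value other than those in the example string are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Union

# Constructed sample events (not real LEM data) with the fields used in the
# guide's example search string.
SAMPLE_EVENTS = [
    {"Severity": 4, "InsertionIP": "SolarWinds-demo50", "EventInfo": "Logon failure"},
    {"Severity": 4, "InsertionIP": "intrepid", "EventInfo": "Service stopped"},
    {"Severity": 2, "InsertionIP": "intrepid", "EventInfo": "Logon success"},
    {"Severity": 4, "InsertionIP": "10.0.0.9", "EventInfo": "Policy change"},
]
EXAMPLE_SEARCH = "Severity = 4 AND (InsertionIP = SolarWinds-demo50 OR InsertionIP = intrepid )"

@dataclass
class Cond:
    field: str
    value: str

@dataclass
class Group:
    op: str      # "AND" or "OR"
    items: list  # Cond or Group nodes

Node = Union[Cond, Group]

def compose_search(selections: Dict[str, List[str]]) -> Node:
    """Default search-bar behaviour: separate conditions are joined with AND;
    several items picked from one widget (one field) become an OR group."""
    items: List[Node] = []
    for field, values in selections.items():
        conds: List[Node] = [Cond(field, v) for v in values]
        items.append(conds[0] if len(conds) == 1 else Group("OR", conds))
    return items[0] if len(items) == 1 else Group("AND", items)

def to_string(node: Node, top: bool = True) -> str:
    """Render a condition tree in the search bar's textual form."""
    if isinstance(node, Cond):
        return f"{node.field} = {node.value}"
    inner = f" {node.op} ".join(to_string(i, False) for i in node.items)
    return inner if top else f"({inner})"

_TOKEN = re.compile(r"\(|\)|=|\bAND\b|\bOR\b|[^\s()=]+")
_RESERVED = {"(", ")", "=", "AND", "OR"}

def parse_search(text: str) -> Node:
    """Parse 'Field = value' conditions joined by AND/OR with parentheses.
    AND binds tighter than OR, so group with parentheses as the guide does."""
    tokens, pos = _TOKEN.findall(text), 0
    def take(expected=None):
        nonlocal pos
        tok = tokens[pos] if pos < len(tokens) else None
        if tok is None or (expected and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        pos += 1
        return tok
    def peek():
        return tokens[pos] if pos < len(tokens) else None
    def expr():  # OR level (lowest precedence)
        items = [term()]
        while peek() == "OR":
            take()
            items.append(term())
        return items[0] if len(items) == 1 else Group("OR", items)
    def term():  # AND level
        items = [factor()]
        while peek() == "AND":
            take()
            items.append(factor())
        return items[0] if len(items) == 1 else Group("AND", items)
    def factor():  # parenthesised group or a single condition
        if peek() == "(":
            take("(")
            node = expr()
            take(")")
            return node
        field = take()
        if field in _RESERVED:
            raise ValueError(f"unexpected token {field!r}")
        take("=")
        return Cond(field, take())
    tree = expr()
    if pos != len(tokens):
        raise ValueError(f"trailing input near {tokens[pos]!r}")
    return tree

def matches(node: Node, event: dict) -> bool:
    """Evaluate the tree against one normalized event; values compared as text."""
    if isinstance(node, Cond):
        return str(event.get(node.field, "")) == node.value
    results = [matches(i, event) for i in node.items]
    return all(results) if node.op == "AND" else any(results)

def run_search(text: str, events: List[dict]) -> List[dict]:
    tree = parse_search(text)
    return [e for e in events if matches(tree, e)]
```

Replacing the OR group with AND conditions on the same field matches nothing, which is why the widget default matters when you pick several values from one widget.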
Calendar controls:
To select a day: Click the date.
To go to an earlier month: Click the earlier-month button.
To go to a later month: Click the later-month button.
To go to an earlier year: Click the earlier-year button.
To go to a later year: Click the later-year button.
To select a different time: see the note below.
Note: You can use your keyboard's up, down, right, and left arrows to move within the calendar and to select a time.
3. To close the calendar, click anywhere outside of its boundary.
Managing Connectors
Use the following procedure whenever you need to open the Connector Configuration form. This form is used for the following reasons:
• Configure the connector settings for each sensor that is to gather data from a network security product's event logs.
• Configure the connector settings for each actor that is to initiate an active response from a network security product or device.
To remove the Agent from the Connector Profile and configure its connectors separately, click Agent Connector Configuration. The Connector Configuration for [Agent] form appears. You may now add the connector instances for each network security product or device this Agent is to monitor or interact with on the Agent's computer.
The Properties pane opens as an editable form. The fields on the form vary from one connector to another, in order to support the product or device you are configuring. For new instances, the form displays the default connector settings needed to configure the associated product or device. In most cases, you can save the connector with its default settings; however, you can change the settings as needed.
5. Complete the Properties form as needed. To assist you, we have prepared some reference tables that explain the meaning of each field you may encounter in the Properties form.
6. Click Save to save the connector configuration as a new connector instance; otherwise, click Cancel. Upon saving, the following things happen in the connectors grid:
The stopped icon in the Status column means the connector instance is stopped. All new connector instances automatically have a status of Stopped. To begin using the connector, you must start it.
After a moment, the system starts the connector instance. Upon starting, the connector's Status icon changes to the running icon. The selected connector instance is now running.
After a moment, the system stops the connector instance. When the connector's Status icon changes to the stopped icon, it means the connector has stopped. Once a connector instance has been stopped, it can be edited, deleted, or restarted as needed. The connector instance will remain stopped until you restart it.
5. At the confirmation prompt, click Yes to delete the connector instance. After a moment, the connector instance disappears from the Connectors grid.
Note: Do not recreate this connector until it has been completely removed. It may take up to two minutes for the connector to be deleted from your system.
• Configure and manage connectors at the profile level to reduce the amount of work you have to do for large LEM Agent deployments.
• Create filters, rules, and searches using your Connector Profiles as Groups of LEM Agents. For example, create a filter to show you all Web traffic from computers in your Domain Controller Connector Profile.
Complete the two procedures below to create a Connector Profile using a single LEM Agent as its template.
To create a Connector Profile using a LEM Agent as a template:
1. Configure the Connectors on the LEM Agent to be used as the template for the new Connector Profile. These connectors are applied to any LEM Agents that are later added to the Connector Profile.
2. Click Build, and then select Groups.
3. Click the add button to create the new Group.
To add LEM Agents to the Connector Profile:
1. Locate the new Connector Profile in the Build > Groups view, and click its gear button.
1. Move LEM Agents from the Available Agents list to the Connector Profile by clicking the arrow next to them.
2. When you are finished adding LEM Agents to your Connector Profile, click Save.
3. The connector configurations set for the template agent are applied to any agent added to the Connector Profile.
Using an Agent to edit a Connector Profile
You can use an Agent that is a member of a Connector Profile as a vehicle for editing that profile's connector settings. You can add new connector instances to the profile, or edit or delete its existing instances. Use caution when editing a Connector Profile. The changes you make will apply to every Agent that is a member of that profile.
You can also edit a Connector Profile's connector settings from the Manage > Agents view.
To use an Agent to edit a Connector Profile's connector settings:
1. Open the Manage > Agents view.
2. In the Agents grid, click to select the Agent that is in the Connector Profile you want to edit.
3. Click the gear button and then click Connectors. The Agent Connector Configuration prompt appears to warn you that the Agent belongs to a Connector Profile.
4. Click Connector Profile. The Connector Configuration for [Connector Profile] form appears. You may now begin adding, editing, or deleting the Connector instances that are associated with that Connector Profile.
free of compromise and to ensure critical data is not being changed by unauthorized modifications of systems, configurations, executables, log and audit files, content files, database files, and web files. If FIM detects a change in a file you are monitoring, it is logged. LEM then takes those logs and performs the configured action. Correlation rules can be built to act as a second-level filter, so that an alert is sent only for certain patterns of activity (not just single instances), and when an alert is triggered, the data is in context with your network and other system log data. With a SIEM like LEM, you can also respond with administrative action.
Features of FIM
• On Windows (XP, Vista, 7, 8, Server 2003, 2008, 2012), monitors for real-time access and changes to files and registry keys, and WHO changed them.
• Allows you to configure the logic of files/directories and registry keys/values to monitor for different types of access (create, write, delete, change permissions/metadata).
• Provides the ability to standardize configurations across many systems.
• Provides monitoring templates which can be used to monitor the basics. Also allows the option of creating and customizing your own monitors.
• Provides templates for rules, filters, and reports to assist in including FIM events quickly.
FIM can also help you detect the following:
• Files that are moved, usually when users move directories into other directories.
• Zero-day exploits, which are attacks that take advantage of security vulnerabilities the same day the vulnerability becomes known. FIM can trigger an alert letting you know there has been a file change by potential malware or a Trojan, and can automatically stop the running malware process.
• Advanced Persistent Threats, by inserting granular, file-based auditing into the existing event stream to pinpoint attacks and help block them in progress.
3. Enter FIM in the Refine Results pane. The search returns FIM Registry and FIM File and Directory.
4. Select either FIM File and Directory or FIM Registry.
5. Click the gear icon next to the FIM Connector profile you want to work with, then select New to create a new connector. The Connector Configuration window displays.
6. Select a Monitor from the Monitor Templates pane, and then click the gear icon and select Add to selected monitors. The Monitor Template then moves to the Selected Monitor pane.
7. Click Save, or click Add Custom Monitor to modify the monitor to your requirements.
Monitors
Monitors allow you to configure rules for which files to watch, and which actions to watch for on those files. Different monitoring templates are provided to use right away, and to assist in creating custom templates or configurations.
Adding Custom Monitors
1. Click Add Custom Monitor in the Connector Configuration window.
2. Enter a Monitor Name.
3. Enter a Description for the monitor.
4. Click Add New. The Add Condition window displays. See "Adding Conditions" on page 232 for more information on how to add conditions to monitors.
Editing Monitors
1. Select a Monitor from the Selected Monitors pane.
2. Click the gear button.
3. Click Remove. The monitor is then removed from the Selected Monitors pane.
Adding Conditions
1. Click Add New in the Conditions window.
2. Click Browse to select a File and Directory or a Registry key to watch.
3. Click OK.
4. Select whether the files are recursive or non-recursive. Refer to the table
below for more information.
Recursive
Non-recursive
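As an added example (not LEM's code), the following models how a FIM monitor condition's recursive setting and its selected access types (create, write, delete, permissions/metadata) determine which changes get reported; the MonitorCondition class, the SHA-256 snapshot-and-compare approach, and the temporary directory scenario are assumptions made for illustration.

```python
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass, field
from pathlib import Path, PurePosixPath
from typing import Dict, List, Set, Tuple

# The access types the guide lists for a FIM condition.
ALL_ACCESS = {"create", "write", "delete", "permissions"}

@dataclass(frozen=True)
class FileState:
    digest: str  # SHA-256 of the file contents
    mode: int    # permission bits (the "permissions/metadata" access type)

@dataclass
class MonitorCondition:
    """Hypothetical model of one monitor condition: a directory to watch,
    whether it is recursive, and which access types to report."""
    path: str
    recursive: bool
    access_types: Set[str] = field(default_factory=lambda: set(ALL_ACCESS))

def in_scope(rel_path: str, cond: MonitorCondition) -> bool:
    """Recursive conditions cover every file below the directory;
    non-recursive conditions cover only files directly inside it."""
    return cond.recursive or len(PurePosixPath(rel_path).parts) == 1

def snapshot(cond: MonitorCondition) -> Dict[str, FileState]:
    """Record digest and permission bits for every in-scope file."""
    root = Path(cond.path)
    states: Dict[str, FileState] = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if in_scope(rel, cond):
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            states[rel] = FileState(digest, stat.S_IMODE(p.stat().st_mode))
    return states

def diff_snapshots(before: Dict[str, FileState], after: Dict[str, FileState],
                   cond: MonitorCondition) -> List[dict]:
    """Classify each difference as one access type and keep only the types the
    condition watches. A content change outranks a mode change on one file."""
    events = []
    for rel in sorted(set(before) | set(after)):
        if rel not in before:
            kind = "create"
        elif rel not in after:
            kind = "delete"
        elif before[rel].digest != after[rel].digest:
            kind = "write"
        elif before[rel].mode != after[rel].mode:
            kind = "permissions"
        else:
            continue
        if kind in cond.access_types:
            events.append({"monitor": cond.path, "path": rel, "access": kind})
    return events

def demo() -> Tuple[List[dict], List[dict]]:
    """Constructed scenario in a temporary directory: take a baseline, then
    perform one write, one create, one delete and one chmod. The chmod shows
    up as a 'permissions' event on POSIX systems."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "a.txt").write_text("alpha")
        (root / "d.txt").write_text("delta")
        (root / "sub" / "b.txt").write_text("beta")
        os.chmod(root / "d.txt", 0o644)
        rec = MonitorCondition(tmp, recursive=True)
        flat = MonitorCondition(tmp, recursive=False)
        base_rec, base_flat = snapshot(rec), snapshot(flat)
        (root / "a.txt").write_text("alpha changed")   # write
        (root / "c.txt").write_text("gamma")           # create
        (root / "sub" / "b.txt").unlink()              # delete (under sub/)
        os.chmod(root / "d.txt", 0o600)                # permissions
        return (diff_snapshots(base_rec, snapshot(rec), rec),
                diff_snapshots(base_flat, snapshot(flat), flat))

if __name__ == "__main__":
    recursive_events, flat_events = demo()
    print("recursive:", [(e["path"], e["access"]) for e in recursive_events])
    print("non-recursive:", [(e["path"], e["access"]) for e in flat_events])
```

The non-recursive condition never reports the deletion under sub/, which is the practical difference between the two settings in the table above.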
Deleting Conditions
Connector properties (reference):
com.solarwinds.lem.fim.minifilter.fsLogLocation for a file and directory connector. This appears as %SystemDrive%\\Mylocation\\FileSystem in the config file.
com.solarwinds.lem.fim.minifilter.registryLogLocation for a registry connector. This appears as C:\\My other log location\\Registry in the config file.
Sleep Time
Tool Version: This is the release version for this connector. This is read-only information for reference purposes.
Enable Connector Upon Save: When this option is selected, the connector starts when you click Save.
Managing Widgets
The topics in this section explain how to use the Widget Manager to create and manage your widgets.
At the top of the Ops Manager view, click Widget Manager to alternately open and close the Widget Manager.
The Widget Manager includes the Filters pane and the Widgets pane.
settings. It also allows you to save a copy of the new widget to the Ops Center dashboard.
To create a new master widget from the Ops Center:
1. Open the Ops Center view.
2. If needed, click Widget Manager to open the Filters and Widgets panes.
3. Click the button.
Upon saving the widget:
• In the Filters pane, the Count value of the associated filter increases by one to account for the new widget.
• The new widget appears in the Widgets pane for the associated filter. The next time you open the widget's source filter in the Monitor view, the new widget will appear in the Widgets pane's widget list.
• If you selected the Save to Dashboard option, a copy of the widget also appears in the Ops Center dashboard.
Drag the pane's scroll bar left or right to browse the filter's widgets.
5. When you find the widget you want to add to the dashboard, do either of the following:
4. At the confirmation prompt, click Yes. The widget is deleted from the dashboard.
Note: If needed, you can readily recreate the dashboard widget, so long as you do not delete the master widget it came from.
Field: Description
Username
Password
Appliance Type
Connection Port: Type the port number the Console must use to communicate with the Manager network appliance or the database. The secure port number is 8443. This value will default to 8080 for virtual appliances in the evaluation phase. Note: This field only applies when the Appliance Type field is set to Manager.
Model
Level
Service Tag
Icon Color
Reset: At any time, you can click Reset to reset the form to its default settings.
5. Click Connect to add the appliance and close the form. Otherwise, click Cancel to return to the Console without adding the appliance.
6. Enter the IP Address of the virtual appliance and then click Connect.
Note: The LEM desktop software requires that you change your LEM password after installation. This password must be between 6 and 40 characters, and must contain at least one capital letter and one number. The default username/password is Admin/Password.
7. Click OK.
• Click Copy Selected to copy the data for the selected appliances.
• Click Copy All to copy the data for every appliance in the grid.
The appliance data is now copied to your clipboard, where it can be pasted into another application.
Removing an Appliance
When needed, you can remove a Manager or other network appliance from the Console.
To remove an appliance:
1. At the top of the Console, click Manage, and then click Appliances.
2. In the Appliances grid, click to select the appliance you want to remove.
3. Click the gear button.
Managing Connectors
Configuring Manager Connectors (general procedure)
Follow this procedure to configure a Manager's connectors (sensors and actors).
It lets the Manager monitor and interact with the supported security products or
devices that are installed on or remotely logging to the Manager computer.
To configure a Manager's connectors:
1. Start the LEM Console.
2. Open the Manage > Appliances view.
3. If you have not already done so, add and configure each Manager you will
be using with your network.
4. Log on to the Manager you want to work with.
5. Open the Connector Configuration for [Manager] form.
6. Add a connector instance for each of the product's event log sources.
7. When you are finished, start the connector instance.
8. Repeat Steps 6 and 7 for each product or device that is logging to the
Manager computer.
9. Repeat Steps 4 through 8 for each Manager, until you have configured
connectors for each point on your network.
• An email server that allows the LEM Manager to relay email messages
through it
• User credentials for your email server, only if your email server requires
internal users to authenticate to send email
Extraneous Info: Information about the failure, for example, server not
reachable or an authentication issue.
You can modify the configuration of the connector to make sure you are using the
correct information.
Managing Groups
Adding a New Group
1. Open the Build > Groups view.
2. In the Groups grid, click the add button and then click the type of Group
you want to create. The Group Details pane opens to show an editable form
for the Group type you have selected.
3. In the Name box, type a name for the Group.
4. In the Description box, type a brief description of the Group and its
intended use.
5. In the Manager list, select the Manager on which the Group is to reside.
6. Complete the rest of the form to configure the Group.
7. When you are finished, click Save. The new Group appears in the Groups
grid.
Editing a Group
Editing a Group is very much like creating a new one. The only difference is that
you are reconfiguring an existing item.
To edit a Group:
1. Open the Build > Groups view.
2. In the Groups grid, do one of the following:
• Click the gear button for the Group you want to edit and then click Edit.
The Edit pane opens as an editable form, showing the selected Group's
current configuration.
3. Make any necessary changes to the Edit form to reconfigure the Group.
4. When you are finished, click Save. The revised Group is applied to the
Manager and appears in the Groups grid.
Cloning a Group
Cloning a Group lets you copy an existing Group, but save it with a new name.
Cloning allows you to quickly create variations on existing Groups for use with
your rules, filters, and Agents.
Cloned Groups must be for the same Manager as the original Group. That is, you
cannot clone a Group from one Manager for use with another Manager.
To clone a Group:
1. Open the Build > Groups view.
2. In the Groups grid, click to select the Group you want to clone.
3. Click the row's gear button and then click Clone. The newly cloned
Group appears in the Groups grid in the row just below the original Group.
A clone always uses the same name as the Group it was cloned from,
followed by the word Clone. For example, a clone of the Disk Warning
Group would be called Disk Warning Clone. A second clone of the Disk
Warning Group would be called Disk Warning Clone 2, and so on.
4. Edit the cloned Group, as needed, to give it its own name and to assign its
own specific settings.
Importing a Group
You can import Groups from a remote source into the Groups grid. You can
import a Group that you have exported from another Manager, or you can import
Groups that are provided by SolarWinds. You may import only one Group at a
time.
To import a Group:
1. Open the Build > Groups view.
2. On the Groups grid connector bar, click the gear button and then click
Import. The Open form appears.
3. In the Look In box, browse to the folder that contains the Group file you
want to import.
4. Do either of the following:
• Click to select the file you want to import, and then click Open.
The Group appears in the Groups grid and in the Group Details form for
editing.
5. In the Group Details form, select the Manager this Group is to be assigned
to.
6. Make any other desired changes in the Group Details form.
7. Click Save to send the Group to the Manager.
8. If you are working with Email Templates or State Variables, drag the new
Group from the Groups grid into the folder (in the Folders pane) that is to
store the Group.
Exporting a Group
When needed, you can export Groups. Exporting Groups is useful for three
reasons:
• Once exported, you can import the Group into another Manager.
• You can save a copy off of the Manager for any reason.
• You can provide SolarWinds with a copy of your Group for technical support
or troubleshooting purposes.
Deleting a Group
When needed, you can delete any of your Groups.
To delete a Group:
1. Open the Build > Groups view.
2. In the Groups grid, select the Group you want to delete.
3. Click the row's gear button and then click Delete.
4. At the confirmation prompt, click Yes to delete the Group. The item
disappears from the Groups grid.
The Events box lists alerts in a hierarchical tree. You may need to open the
nodes in the alert tree to see the alert you are looking for.
6. In the Events list, select each alert that you want to include in this Group.
Note: In the node-tree view, you can Ctrl+Click to select (or clear) an alert
and all of the alerts below that item (that is, its child alerts). For example,
press Ctrl and click Security Event to select Security Event and all of its
child alerts.
7. Click Save. The new Event Group appears in the Groups grid.
Event List Features
The following table explains how to use each feature of the Events list.
Icon
Description
Click this button to display the Events list as a hierarchical node tree.
Then use the list to select each alert type that you want to include in this
Group. This is the default view.
This view also has the following attributes:
• Lower-level alert types are hidden by nodes in the alert tree. To open
a node, click the > icon. This displays the node's next level of alerts.
• Using the search box displays the alert and its parent alert types, so
you can see how the alert appears in the alert hierarchy.
• You can Ctrl+Click to select (or clear) an alert and all of the alerts
below that item (that is, its child alerts). For example, if you press Ctrl
and click Security Event, you will select Security Event and all of
its child alerts.
This icon represents a closed (or collapsed) alert node in the alert tree
hierarchy. Each time you see this icon, it means the alert node contains
lower-level alerts. To open a node, click it. Opening the node expands the
alert tree, displaying the next level of related alerts.
This icon represents an open (or expanded) alert node in the alert tree
hierarchy. Each time you see this icon, the node is displaying its related
lower-level alerts. To close (or collapse) the node, click it. This collapses
the alert tree at that level, hiding its lower-level alerts.
This item has not been selected; nor have any of its lower-level items.
This item has been selected, but not any of its lower-level items.
This item has not been selected, but one or more of its lower-level items
has been selected.
This item has been selected, and so have one or more of its lower-level
items.
3. In the Manager list (the upper-right drop-down list), select the Manager that
is going to use the DS Groups.
4. In the other drop-down list, select the directory services domain you want to
work with.
The form displays the actual contents (folders and Group categories) of your
directory service system:
• Each folder to the left contains the Group categories that are
associated with that area of your directory service. You can click a
5. In the folder list, click the Group category you want to work with.
6. In the Available Groups list, do the following:
• Click the check box for each Group you want to synchronize with LEM.
• Clear the check box for each Group you want to remove from
synchronization.
7. Repeat Steps 5 and 6 until you have selected all of the DS Groups you want
synchronized with LEM.
8. Click Save.
The system synchronizes the DS Groups to LEM and adds them to the
Groups grid. The DS Groups are now ready for use with your rules and
filters.
DS Group. The following table describes the meaning of each grid column.
Column
Description
Type
Name
Deleting DS Groups
You can delete DS Groups from the Console, just as you would any other Group.
Deleting a DS Group does not remove the Group from your original directory
service. You can restore a DS Group at any time if you ever need to use it again.
• On the connector bar, click the add button and then click Email Template to
add a new email template.
• Double-click the email template you want to edit.
The Email Template form appears. If you are editing an existing template,
the form shows any parameters that have already been configured for the
template.
3. In the Manager list, select the Manager on which this template resides. If
you are editing an existing template, this field shows the Manager this
template is associated with.
4. In the Name box, type a name for the template. This should be a name that
makes it easy to identify the type of event that has occurred, or where or to
whom the email message is going.
5. In the From box, type whom the message is from. Typically, this is
SolarWinds or Manager.
6. In the Subject line, type a subject for the message. Typically, you will want
a subject that indicates the nature of the alert event.
7. Click Save to save the template.
3. Repeat Steps 1 and 2 for each parameter you want to capture in this
message.
4. Click Save to save your changes to the template.
To delete a parameter:
1. In the Parameters list, select the parameter you want to delete.
2. Click the Delete button.
The State Variables pane opens as an editable form. If you are editing an
existing State Variable, the form shows any fields that have already been
configured.
6. In the Name box, type a name for the State Variable field.
7. In the Type list, select the type of State Variable the field represents: Text,
Number, or Time.
8. Click the left Save button to save the field; otherwise, click Cancel. The new
State Variable field appears in the State Variables grid, showing the field's
name and comparison type.
9. Repeat Steps 5 through 8 for each field you want to add to the State Variable.
10. Click the rightmost Save button to save the State Variable settings. The new
State Variable appears in the Groups grid and the Rule Builder's State
Variables list. You can now incorporate this State Variable whenever you
add or edit a rule.
The Edit pane opens, showing the Time of Day Set form.
3. In the Name box, type a name for the new Time of Day Set.
4. In the Description box, type a brief description of the Time of Day Set and
its intended use.
5. In the Manager list, select the Manager on which this Time of Day Set is to
reside. If you are editing an existing Group, this field shows the Manager on
which it resides.
The form has a time grid that lets you define a Time of Day Set for the
Manager. The time grid is based on a one-week period, and is organized as
follows:
• It has seven rows, where each row represents one day of the week.
• It has 24 numbered columns, where each column represents one hour
of the day. The white column headers represent morning hours
(midnight to noon). The shaded column headers represent evening
hours (noon to midnight).
• Each column has two check boxes that divide each hour into two half-hour
(30-minute) periods.
Together, the rows, columns, and check boxes divide an entire week into
30-minute periods.
6. In the time grid, click to select the half-hour periods that are to define this
Time of Day Set. For assistance, see the table in the topic, below.
7. Click Save. The new Time of Day Set appears in the Groups grid.
The Edit pane opens, showing the User-Defined Group form. If you are
editing an existing User-Defined Group, the form shows any parameters that
have already been configured for the Group.
5. In the Manager list, select the Manager on which this Group resides. If you
are editing an existing Group, this field shows the Manager on which it
resides.
6. Make any necessary additions, changes, or deletions to the Group's
Element Details grid.
7. Click Save to save your changes to the User-Defined Group.
button.
Description
Name
Data
The new element appears in the data element grid. Note that the table
displays each element's name, data element, and description.
6. Repeat Steps 3 through 5 for each data element you want to add to the Group.
To                                  Do this
Select a period: Click the period's check box.
Select a group of periods: Click and drag to select a range of periods. You can
drag up, down, or diagonally.
Move a block of selected hours: Click the block of hours you want to move,
holding down the mouse button so the pointer turns into a grabbing hand. Then
drag the hour block into its new position.
Duplicate a block of selected hours: Press the Ctrl key. Then click the block of
hours you want to copy, holding down the mouse button so the pointer turns into
a grabbing hand. Then drag a copy of the hour block into position.
Invert your selection: Click the Invert button to select the opposite hours of the
ones you have manually selected. This feature is useful when you want to select
all but a few hours of the day. You can select the hours that do not apply to the
Time of Day Set, and then click Invert to automatically select all of the hours
that do apply to the Time of Day Set. For example, if you have your business
hours selected, clicking Invert would select everything outside of your business
hours.
Delete a selected period: Click the check box to clear that selection. You can
also click and drag over a range of selected periods to clear those selections.
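The week grid from the Time of Day Set procedure and the gestures in the table above, modelled in code as an added example (not SolarWinds code): a set is a collection of (day, half-hour) periods, select and clear are rectangular drags, Invert is the set complement, and contains() is the check a rule condition would make against an event timestamp. The Monday=0 day numbering, the timezone-naive datetimes and the sample timestamps are assumptions for the demo.

```python
"""Model of the Time of Day Set grid described above: 7 day rows x 24 hour
columns, each hour split into two half-hour check boxes (336 periods/week).

Added example, not SolarWinds code. Day numbering (Monday=0 .. Sunday=6)
and the use of timezone-naive datetimes are assumptions made for the demo.
"""
from datetime import datetime, time
from typing import Optional, Set, Tuple

DAYS = 7                 # grid rows, one per day of the week
SLOTS_PER_DAY = 48       # 24 hour columns x 2 half-hour check boxes
DAY_NAMES = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")

Period = Tuple[int, int]  # (day row 0..6, half-hour slot 0..47)


def slot_of(t: time) -> int:
    """Map a wall-clock time to its half-hour slot: 08:00 -> 16, 08:30 -> 17."""
    return t.hour * 2 + (1 if t.minute >= 30 else 0)


def at(year: int, month: int, day: int, hour: int, minute: int) -> datetime:
    """Build a constructed event timestamp (helper for the demo and tests)."""
    return datetime(year, month, day, hour, minute)


def all_periods() -> Set[Period]:
    return {(d, s) for d in range(DAYS) for s in range(SLOTS_PER_DAY)}


class TimeOfDaySet:
    """The selected half-hour periods, with the grid gestures from the table."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.selected: Set[Period] = set()

    @staticmethod
    def _rect(day_a: int, slot_a: int, day_b: int, slot_b: int) -> Set[Period]:
        """Periods covered by a click-and-drag from one cell to another, any direction."""
        d0, d1 = sorted((day_a, day_b))
        s0, s1 = sorted((slot_a, slot_b))
        if d0 < 0 or d1 >= DAYS or s0 < 0 or s1 >= SLOTS_PER_DAY:
            raise ValueError("drag range falls outside the 7 x 48 grid")
        return {(d, s) for d in range(d0, d1 + 1) for s in range(s0, s1 + 1)}

    def select(self, day_a: int, slot_a: int,
               day_b: Optional[int] = None, slot_b: Optional[int] = None) -> None:
        """Click one period, or drag (up, down or diagonally) over a range of periods."""
        day_b = day_a if day_b is None else day_b
        slot_b = slot_a if slot_b is None else slot_b
        self.selected |= self._rect(day_a, slot_a, day_b, slot_b)

    def clear(self, day_a: int, slot_a: int,
              day_b: Optional[int] = None, slot_b: Optional[int] = None) -> None:
        """Click a selected period (or drag over several) to clear the selection."""
        day_b = day_a if day_b is None else day_b
        slot_b = slot_a if slot_b is None else slot_b
        self.selected -= self._rect(day_a, slot_a, day_b, slot_b)

    def invert(self) -> None:
        """The Invert button: select exactly the periods that are not selected now."""
        self.selected = all_periods() - self.selected

    def hours_selected(self) -> float:
        return len(self.selected) / 2

    def contains(self, when: datetime) -> bool:
        """Does this timestamp fall in a selected period? (The test a rule needs.)"""
        return (when.weekday(), slot_of(when.time())) in self.selected

    def render(self) -> str:
        """One text row per day: '#' for a selected half-hour, '.' otherwise."""
        return "\n".join(
            DAY_NAMES[d] + " " + "".join("#" if (d, s) in self.selected else "."
                                         for s in range(SLOTS_PER_DAY))
            for d in range(DAYS))


def business_hours() -> TimeOfDaySet:
    """Mon-Fri 08:00-18:00 as one diagonal drag from (Mon, 08:00) to (Fri, 17:30)."""
    tod = TimeOfDaySet("Business Hours")
    tod.select(0, slot_of(time(8, 0)), 4, slot_of(time(17, 30)))
    return tod


def after_hours() -> TimeOfDaySet:
    """Everything outside business hours, built as the table suggests: select the
    hours that do not apply, then click Invert."""
    tod = business_hours()
    tod.name = "After Hours"
    tod.invert()
    return tod


if __name__ == "__main__":
    off = after_hours()
    print(off.render())
    # Constructed timestamp: Wednesday 2024-01-10 at 02:15 falls in the inverted set.
    print("02:15 Wed is after hours:", off.contains(at(2024, 1, 10, 2, 15)))
```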
In this procedure, you will create, name, describe, and select a template for the
new Connector Profile.
To create a Connector Profile:
1. Open the Build > Groups view.
2. On the Groups grid connector bar, click the add button and then click
Connector Profile. The Connector Profile form appears.
Now you will select the Agents that are to be members of the Connector Profile.
These Agents are governed by the Connector Profile's connector configuration.
The Connector Profile form contains two list boxes. The Available Agents box
lists each Agent that is associated with the Manager but is not in the Connector
Profile. The Selected Agents box lists those Agents that are in the Connector
Profile.
To add Agents to a Connector Profile:
1. In the Groups grid, locate the new Connector Profile you just created.
2. Double-click the Connector Profile to re-open it. The profile appears in the
Connector Profile form. As you can see, the Agent you selected as a
template appears in the Selected Agents list, by default.
3. In the Available Agents list, select an Agent that you want to add to the
Connector Profile. Or, in the Selected Agents list, select an Agent that you
want to remove from the Connector Profile.
4. Use the appropriate arrow button to add or remove Agents to or from the
profile, as described in the following table.
Button
Function
Moves the selected Agent from the Available Agents list to the
Selected Agents list (and into the profile).
Moves all Agents from the Available Agents list to the Selected
Agents list (and into the profile).
Removes the selected Agent from the Selected Agents list to the
Available Agents list (and out of the profile).
Removes all Agents from the Selected Agents list to the
Available Agents list (and out of the profile).
5. Click Save to save the Connector Profile. Upon saving, the system applies
the template Agent's connector configuration to every other Agent that you
added to the profile.
Note: If you remove an Agent from a Connector Profile (that was previously
saved with that profile), the Agent retains the profile's connector
configuration, but will no longer have membership in the profile.
The Connector Profile pane opens, showing the Agents that are in the
profile.
4. At the bottom of the Connector Profile form, click Edit Connectors. The
Connector Configuration for [Connector Profile] form appears. The form's
Connectors grid contains all of the connector instances that define the
Connector Profile.
Troubleshooting tip: At times, not all of the Agents in a profile will use the
same logging path for a particular connector. You can verify this by checking
the Agent's configured connector status. If a connector has a status of (Not
Running), it is likely that connector has a different logging path.
To correct this problem, you may want to add another instance to the
connector profile's connector catalog that points to the alternative logging
path. Or, you can create a new profile that has the alternative logging path.
6. Repeat this procedure for each connector instance you want to reconfigure.
7. Click Close to return to the Groups grid.
Managing Rules
The topics in this section explain how to manage your rules. Many management
tasks can be done from the Rules grid, or in Rule Builder as you are configuring
a rule.
Creating Rules
In the Build > Rules view, the Rule Creation tool is used to configure new rules
and to edit existing rules.
Like filters, you create rules by configuring conditions between alert variables
and other components, such as Time of Day Sets, User-Defined Groups, Constants,
etc. However, rules go a step further. They let you correlate alert variables with
other alerts and their alert variables.
By correlate, we mean you can specify how often and in what time frame the
correlations must be met before the rule is triggered. The combined correlations
dictate when the rule is to initiate an active response.
You can configure rules to fire after multiple alerts occur. The Manager will
remember alerts if they meet the rule's basic conditions. It waits for the other
conditions to be met, too. If they are, the Manager fires the rule. The rule does not
take action until the alerts meet all of the conditions and correlations defined for
that rule.
The possibilities for rules are endless. Therefore, this section describes how to
create rules only in very general terms. This section is not intended to be a
tutorial, but rather a reference for you to fall back on if you are unclear about how
any part of Rule Creation works.
Caution: Practice with filters before creating rules
The connectors in Rule Creation are very similar to those found in Filter
Creation. However, filters report event occurrences; rules act on them. There is
no harm if you create a filter that is unusual or has logic problems. But this is not
always the case with rules. Rules can have unexpected and sometimes
unpleasant consequences if they are not configured exactly as you intend them to
be.
Inexperienced users should use caution when creating rules. Creating filters is an
excellent way to familiarize yourself with the logic and connectors needed to
create well-crafted rules. You should only begin configuring rules after you are at
ease with configuring filters. Even then, always test your rules before
implementing them.
The Rule Creation view is a different view of the Rules view that allows
you to configure and edit policy rules.
The rule window is the window that you will use to view, configure, and edit
your policy rules.
The Correlations box is a component of the rule window that is used to
configure the specific correlations that define the rule.
The following table describes the key features of the Rule Creation connector. The
topics that follow discuss some of these features in greater detail.
Name                      Description
Back to Rules Listing: Click this button to hide Rule Creation and return to the
Rules grid. Rule Creation remains open in the background, so you can return to
it to continue working on your rules. In the Rules grid, clicking Back to Rule
Creation will return you to Rule Creation.
List pane: The list pane is the accordion list to the left. It contains categorized
lists of the components you can use when configuring policy rules. It behaves
exactly like the list pane in Filter Creation. To view the contents of a component
list, click its title bar. To add a component to a rule, select it from its list and
then drag it into the appropriate correlation box.
Rule window: Each rule you create or edit appears in its own rule window. This is
where you name, describe, configure, edit, test, verify, and enable each rule.
You can have multiple rule windows open at the same time. You can also
minimize, maximize, resize, and close each window, as needed.
Minimized rule window bar: Any minimized rule windows appear in the bar at the
bottom of the Rule Creation pane, behind the active rule window. Each minimized
window shows the name of its rule. Clicking a minimized rule opens that rule in
the Rule Creation pane.
Advanced Thresholds
Whenever a Group threshold or the Correlation Time form's Events within box
has a value greater than 1, the Set Advanced Thresholds button becomes
enabled. This button opens the Set Advanced Thresholds form, so you can
define an alert event threshold and the re-inference period for that threshold. The
threshold tells the Manager which specific alert fields to monitor to determine if a
valid alert event has occurred (i.e., when to count the alert).
For example:
When the threshold event counter increases to the number shown in the Events
box, the threshold itself becomes true and triggers the next set of conditions in the
rule.
6. Click the add button. The field and its modifier appear in the Selected
Fields grid.
7. Repeat Steps 2 through 6 for any additional threshold fields.
8. Click OK to save the fields to the threshold and close the form; otherwise,
click Cancel. These fields now raise the threshold for the correlation event
and its active response to occur.
3. In the Available Fields list, select the appropriate alert, and then the alert
field.
4. In the Select Modifier list, select the new modifier for the field (Same or
Distinct).
5. Click the add button. The corrected field and its modifier appear in the
Selected Fields box.
6. Click OK to close the form.
Deleting a threshold field
1. Click the Set Advanced Thresholds button.
2. In the Selected Fields list, select the field you want to delete.
The top left of the Actions box shows the name of the action that is to be
taken. In most cases, the Actions form will prompt you for specific
parameters about the computer, IP address, port, alert, user, etc., that is to
receive the action.
3. Use the list pane to assign the appropriate alert field or constant to each
parameter:
• To assign rule subscribers, click the Subscribe list, and then click the
check box for each user who is to subscribe to the rule.
• If you want to use the rule immediately upon saving it, select the
Enabled check box.
• If you want to operate the rule in test mode before fully activating it,
select the Test check box. It is highly recommended that you operate
each new rule in test mode to confirm that the rule behaves as
expected.
11. When you are satisfied with the rule's configuration, click Save.
Note: You can also click Apply to save your changes without closing the
form.
The Rules grid appears. The new rule appears in the Rules grid and in the
Folders pane, in the folder you designated for the rule.
12. To begin using (or testing) the revised rule, click Activate Rules.
The following table describes each key feature and field of a rule window.
Item Name                 Description
Title bar: Each rule you create or edit appears in its own configuration window.
Upon naming a rule, the window's title bar displays the name of the rule. You
can also use the title bar to minimize, maximize, and resize the rule window.
Minimized rule windows appear at the bottom of the Rule Creation pane.
Name
on
in: Select the folder (in the Folders pane) in which the rule is to be stored.
Description
Enable: Select this check box to enable the rule. Clear this check box to disable
the rule.
Test: Select this check box to place the rule in test mode. Clear this check box
to take the rule out of test mode. Note: You must enable a rule before you can
test it.
Subscribe
Rule Status
Correlations
Correlation Time
Actions
administrator, or blocking an IP address.
Undo/Redo
Save/Cancel/Apply
Name
Description
Groups can be expanded or collapsed to show or hide their settings.
From the Events, Event Groups, or Fields list, drag an alert, Event Group, or
alert field into the Correlations box. This is called the alert variable. A rule
can have multiple alerts and Event Groups in its correlation configuration.
You can think of an alert variable as the subject of each group of
correlations. As alerts stream through the Manager, the rule analyzes
the values associated with each alert variable to determine if the alert
meets the rule's conditions. If so, the Manager either initiates an
active response, or stores the alert for comparison with other alerts
that may occur within the rule's allotted time frame.
Operators: Whenever you drag a list item or a field next to an alert variable, an
operator icon appears between them. The operator states how the filter is to
compare the alert variable to the other item to determine if the alert meets the
rule's conditions.
List item: List items are the various non-alert items from the list pane. You drag
and drop them into groups to define rule correlations based on your Time Of Day
Sets, Connector Profiles, User-Defined Groups, Constants, etc. Some alert
variables automatically add a blank Constant as their list item. You can overwrite
the Constant with another list item, or you can click the Constant to type or select
a specific value for the constant. Note that each list item has an icon that
corresponds to the list it came from. These icons let you quickly identify what
kinds of items are defining your rule's correlations.
Threshold: The Threshold section lets you define a threshold for the correlations
in a Group box. You can think of a threshold as a correlation frequency for the
grouping; that is, the number of times the events defined by the group must occur
within a specified period before the rule takes effect. A group threshold behaves
exactly like the threshold in the Correlation Time box.
Set Advanced Threshold button: Whenever a group threshold's number of Events
within [time] is greater than 1, this button becomes enabled so you can open the
Set Advanced Thresholds form. This form lets you specify advanced threshold
fields and define an advanced response window for the alert fields within the
grouping.
AND / OR: Rule correlations and groups of correlations are subject to AND and
OR comparisons. If you click an AND operator, it changes to an OR, and vice
versa.
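An added example (not SolarWinds code) of the threshold semantics from the Advanced Thresholds topic and the Threshold row above: a sliding-window counter that fires when the Events within count is reached by alerts that agree on the Same fields, while a Distinct field lets an alert count only once per value seen in the window. The alert field names, the constructed logon-failure stream and the fire-and-reset behaviour are assumptions for the demo; the re-inference period is not modelled.

```python
"""Correlation threshold with Same/Distinct advanced threshold fields.

Added example, not SolarWinds code. A group threshold fires when its events
occur N times within a time window; the Set Advanced Thresholds form narrows
which alerts count by marking alert fields Same (all counted alerts must agree
on the field) or Distinct (an alert raises the counter only if its value has
not already been counted within the window). Field names and alert records
below are constructed for the demo.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

Alert = Dict[str, str]


@dataclass(frozen=True)
class Threshold:
    events: int                       # the "Events within" count
    window_seconds: float             # the correlation time window
    same: Tuple[str, ...] = ()        # fields carrying the Same modifier
    distinct: Tuple[str, ...] = ()    # fields carrying the Distinct modifier


class GroupCorrelator:
    """Sliding-window counter for one correlation group."""

    def __init__(self, threshold: Threshold) -> None:
        self.t = threshold
        # One counter per combination of Same-field values. Each entry records
        # (timestamp, Distinct-field values) for an alert that has been counted.
        self._counted: Dict[Tuple[str, ...],
                            Deque[Tuple[float, Tuple[str, ...]]]] = defaultdict(deque)

    def observe(self, ts: float, alert: Alert) -> bool:
        """Feed one alert; return True when the threshold is reached."""
        same_key = tuple(alert.get(f, "") for f in self.t.same)
        distinct_vals = tuple(alert.get(f, "") for f in self.t.distinct)
        window = self._counted[same_key]
        # Drop alerts that have aged out of the correlation window.
        while window and ts - window[0][0] > self.t.window_seconds:
            window.popleft()
        # A Distinct value already counted in the window does not raise the counter.
        if self.t.distinct and any(vals == distinct_vals for _, vals in window):
            return False
        window.append((ts, distinct_vals))
        if len(window) >= self.t.events:
            window.clear()   # threshold met: fire once and start counting afresh
            return True
        return False


def run(threshold: Threshold, stream: List[Tuple[float, Alert]]) -> List[float]:
    """Return the timestamps at which the threshold fired for a stream of alerts."""
    corr = GroupCorrelator(threshold)
    return [ts for ts, alert in stream if corr.observe(ts, alert)]


# Constructed logon-failure alerts as (seconds since start, alert fields).
SAMPLE_STREAM: List[Tuple[float, Alert]] = [
    (0,   {"DestinationAccount": "svc-backup", "SourceMachine": "ws-01"}),
    (5,   {"DestinationAccount": "svc-backup", "SourceMachine": "ws-02"}),
    (9,   {"DestinationAccount": "svc-backup", "SourceMachine": "ws-02"}),  # repeat source
    (12,  {"DestinationAccount": "jdoe",       "SourceMachine": "ws-03"}),  # other account
    (20,  {"DestinationAccount": "svc-backup", "SourceMachine": "ws-03"}),
    (95,  {"DestinationAccount": "svc-backup", "SourceMachine": "ws-04"}),  # earlier ones aged out
    (100, {"DestinationAccount": "svc-backup", "SourceMachine": "ws-05"}),
    (110, {"DestinationAccount": "svc-backup", "SourceMachine": "ws-06"}),
    (115, {"DestinationAccount": "svc-backup", "SourceMachine": "ws-07"}),
]

# Plain group threshold: 4 failures for the same account within 60 seconds.
PLAIN = Threshold(events=4, window_seconds=60, same=("DestinationAccount",))
# Advanced threshold: the 4 failures must also come from 4 distinct machines.
DISTRIBUTED = Threshold(events=4, window_seconds=60,
                        same=("DestinationAccount",), distinct=("SourceMachine",))

if __name__ == "__main__":
    print("plain threshold fired at:", run(PLAIN, SAMPLE_STREAM))             # [20, 115]
    print("distinct-source threshold fired at:", run(DISTRIBUTED, SAMPLE_STREAM))  # [115]
```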
Editing Rules
Whenever you need to edit a rule's name or configuration, you use the Rule
Creation connector to make the necessary changes to the rule. When needed,
you can edit multiple rules at the same time.
It is not necessary to disable a rule before editing it. When you edit a rule, you are
editing a local copy until you save and activate it. If the rule was enabled when
you began editing it, it will continue to be enabled while you work on the new
version. When you save the new version and then click Activate Rules, the
Manager replaces the original rule with the new version.
To open rules for editing:
1. Open the Build > Rules view.
2. In the Folders pane, click the folder that contains the rules you want to edit.
The Rules grid displays the rules associated with the selected folder and its
sub-folders.
3. In the Rules grid, click to select the rule (or rules) you want to edit.
4. Open the rules for editing as follows:
• To edit a single rule, either double-click the rule, or click the row's gear
button and then click Edit.
• You can proceed in a read-only fashion, which allows you to see the details
of a rule.
• You can break the lock and take control over the rule, which means the
other person will not be able to save any changes he or she makes to the
rule.
• If you want to use the rule immediately upon saving it, select the
Enable check box.
• If you want to try the rule in test mode, select the Test check box.
2. Click Save. The Rules grid appears.
3. To begin using (or testing) the rule's new configuration, click Activate
Rules.
Subscribing to a rule
You can assign rules to specific Console users, which means those users will
subscribe to those rules. This means the system will notify the subscribing users'
Consoles each time one of the subscribed-to rules triggers an alert. The alerts will
appear in their Monitor view's alert grid.
Rule subscriptions can be used in conjunction with filters and reports to monitor
activity for specific rules. Each user can subscribe to as many different rules as
needed.
You can assign subscriptions in Rule Creation while you are creating the rule, or
anytime later directly from the Rules grid.
To manage rule subscribers from the Rules grid:
1. Open the Build > Rules view.
2. In the Folders pane, click the folder that contains the rule you want to work
with.
3. In the Rules grid, select the rules you want to work with.
4. On the Rules grid connector bar, click Subscribe.
The Subscribe list opens. It only includes those Console users who are
associated with the same Manager as the selected rule.
A check box with a gray background means the user already subscribes to
one or more of the selected rules, but not all of them.
5. Select the check box for each Console user who is to subscribe to the
selected rules:
• Select an empty user's check box to have that user subscribe to all of
the selected rules.
• Clear a gray user's check box to remove the user's subscription to all
of the selected rules.
• Clear a gray user's check box and then select it again to have that
user subscribe to all of the selected rules. Remember, these users are
already subscribed to some rules, but not all of them. This procedure
assigns all of the selected rules to that user.
As you can see, if you have multiple rules selected, each subscription
change affects every selected rule.
6. Click Subscribe again to close the list. The selected Console users now
subscribe to the selected rules.
To add rule subscribers from Rule Creation:
• Select the check box for each Console user who is to subscribe to this
rule.
• Clear the check box for each subscriber who is no longer to subscribe
to this rule.
Enabling a rule
The Manager only uses rules that are enabled. It ignores all other rules.
Therefore, the Manager cannot use rules until you enable them. You can enable
rules from the Rules grid, or directly from Rule Creation. In either case, the
Enable check box lets you turn a rule on and off.
Note: In the Rules grid, you can enable multiple rules at the same time. However,
this command acts as a toggle on each individual rule that is selected. For
example, if one rule is disabled and another is enabled, performing this command
on both rules at the same time will invert the settings of both rules. So the first rule
would become enabled, and the second would become disabled. Therefore,
when performing this command on multiple rules, you will typically want to select
only those rules that already have the same Enabled/Disabled state.
To enable rules from the Rules grid:
1. Open the Build > Rules view.
2. In the Folders pane, select the folder that contains the rules you want to
enable.
3. In the Rules grid, select the rule (or rules) you want to enable.
typically want to select only those rules that already have the same Test On/Test
Off state.
To place rules in test mode in the Rules grid:
1. Open the Build > Rules view.
2. In the Folders pane, select the folder that contains the rules you want to
test.
3. Check the rules' Enabled status. If any of the rules you want to test show a
"disabled"
• To remove a single rule from test mode, click the row's gear button and then
click Test Off.
• To remove multiple rules from test mode, click the grid's gear button and then
click Test Off.
296
4. On the Rule Builder connectorbar, click Activate Rules. The rule is now
fully functional.
Activating rules
Whenever you create a new rule or change an existing rule, you are working on a local copy of the rule. The Manager has no way of using the rule change until you activate it. Activating a rule tells the Manager to reload the enabled rules it is working on, which allows it to pick up the changes you just made. You must activate rules whenever you create a new rule, edit an existing rule, or change a rule's Enabled/Disabled or Test On/Test Off status. Otherwise, the Manager will not recognize the change.
To activate rule changes, both the Rules grid and Rule Creation have an
Activate Rules command. This command sends any new rule changes to the
Manager for immediate use. In Rule Creation, the Activate Rules command
leaves Rule Creation open so you can continue working.
To activate rules from the Rules grid:
1. Open the Build > Rules view.
2. Make any necessary changes to your rules.
3. On the Rules grid toolbar, click Activate Rules.
The Manager activates any new rule changes and begins processing all enabled rules.
To activate rules from Rule Creation:
• In Rule Creation, click Activate Rules. Rule Creation stays open so you can continue working.
Disabling a rule
The Manager will continue to use any active rules, so long as they are enabled. If needed, you can easily turn off rules by disabling them. However, the Manager will continue to use those rules until you activate their new disabled status with the Activate Rules command.
Note: In the Rules grid, you can disable multiple rules at the same time.
However, this command acts as a toggle on each individual rule that is selected.
For example, if one rule is disabled and another is enabled, performing this
command on both rules at the same time will invert the settings of both rules. So
the first rule would become enabled, and the second would become disabled.
Therefore, when performing this command on multiple rules, you will typically
want to select only those rules that already have the same Enabled/Disabled
state.
To disable rules from the Rules grid:
1. Open the Build > Rules view.
2. In the Folders pane, select the folder that contains the rules you want to disable.
3. In the Rules grid, select the rule (or rules) you want to disable.
4. Disable the rules as follows:
In the Rules grid, the Enabled column for each rule shows a disabled
icon to indicate the rules are now inactive.
5. Click Activate Rules. The Manager stops processing the disabled rules.
To disable a rule from Rule Creation:
1. Open the rule you want to disable in Rule Creation.
2. Clear the Enable check box.
3. Click Save. The Rules grid appears.
4. Click Activate Rules. The Manager stops processing the disabled rule.
Cloning rules
The Clone command lets you copy any existing rule, make changes to the copy,
and then save the copy with a new name in one of your Custom Rules subfolders.
The benefit of cloning is that you can quickly create variations on existing rules.
You clone a preconfigured rule, such as a rule from the Rules or NATO5 Rules
folder, and then adjust the cloned copy to suit your specific needs.
Note: A cloned rule must be for the same Manager as the original rule. That is,
you cannot clone a rule from one Manager and save it for another Manager.
To clone rules:
1. Open the Build > Rules view.
2. In the Folders pane, click the folder that contains the rule you want to clone.
3. In the Rules grid, click to select the rule you want to clone.
4. Click the row's gear button and then click Clone. The clone form appears.
5. In the Clone Name box, type a name for the cloned rule.
6. In the Folders list, select which Custom Rules folder is to store the cloned
rule.
7. Click OK to save the cloned rule; otherwise, click Cancel.
The newly cloned copy of the rule automatically opens in Rule Creation so
you can begin making changes.
Importing a rule
You can import a rule from a remote source into a particular rule folder. For
example, you may want to import a rule from one Manager to another. Or you can
import a rule that is provided by SolarWinds. You may only import one rule at a
time.
To import a rule to a rule folder:
3. In the Look In box, browse to and open the folder that contains the rule you want to import.
4. Select the rule file you want to import. Rule files are always .xml files. The file you selected appears in the File Name box.
5. Click Open to import the file; otherwise, click Cancel. The Import Rules form appears.
6. In the Manager list, select which Manager the imported rule is to be associated with.
7. In the Folders list, click to select the rule folder that is to store the imported rule. You will need to click a folder's > icon to view its sub-folders.
8. Click Import. The system imports the rule into the designated rule folder.
Exporting rules
Exporting rules is useful for three reasons:
• You can export a rule from one Manager and import it into another Manager.
• You can export rules to provide SolarWinds with a copy of your rule for technical support or troubleshooting purposes.
• You can export multiple rules at the same time. The rules will be saved to a new folder that contains each rule.
To export rules:
1. Open the Build > Rules view.
2. In the Folders pane, select the folder that contains the rule you want to export. The Rules grid displays the rules in that folder.
Deleting Rules
When needed, you can easily delete rules. You can delete one rule at a time, or
you can delete multiple rules. Deleting a rule is permanent. Once a rule is
deleted, it can only be restored by re-creating it or by importing a previously
exported rule.
To delete rules:
1. Open the Build > Rules view.
2. In the Folders pane, select the folder that contains the rule you want to delete. The Rules grid displays the rules in that folder.
3. In the Rules grid, select the rule (or rules) you want to delete.
5. At the Confirm Delete prompt, click Yes to delete the rules; otherwise, click No. The rules disappear from the Rules grid.
6. Click Activate Rules to notify the Manager that the rules were deleted.
Sidebar button: Click the Sidebar button to alternately hide and open the form's Refine Results pane.
Refine Results pane: By default, the Connectors grid shows all of the products that are supported. The Refine Results pane lets you apply filters to the grid to reduce the number of products it shows. This way, you can show only those products that are configured for use with this Agent, or that are associated with a particular product category or status (Running or Stopped).
Connectors grid: The Connectors grid lists all of the sensor and actor connectors that are available to each Agent. These connectors are what allow LEM to monitor and interact with your network security products and devices. Connectors are organized by category and product name. Each connector is named after the third-party product it is designed to configure for use with LEM.
Button for new connector instances: Click this button to create a new connector instance for the sensor or actor that is currently selected in the Connectors grid.
Properties pane
Gear button: The gear button opens a menu of commands that apply to the connector that is currently selected in the grid.
The following icons appear in the Connectors grid.
Sensor connector: A blue connector icon represents a sensor for a particular product. The sensor displays the name of the product it is designed to monitor. Each connector instance (or alias) that is currently configured to monitor that product is listed below the connector. If no connector instances are listed, it means the product, on this Agent computer, has not been configured for use with LEM. Whenever you select a sensor in the grid, the lower pane displays the connector's name and a description of the sensor, when available.
Actor connector: The orange connector icon represents an actor for a product that can perform an active response. The actor displays the name of the product it is designed to interact with. Each connector instance (or alias) that is currently configured to initiate an active response on that product is listed below the connector. If no connector instances are listed, it means the product, on this Agent computer, has not been configured for use with LEM. Whenever you select an actor in the grid, the lower pane displays the connector's name and a description of the actor, when available.
Sensor connector instance: This icon represents a configured instance of a sensor connector. Each sensor can have more than one instance, where each configuration is identified by a different name, called an alias. In the grid, each configured connector instance appears below its connector. Whenever you select a sensor connector instance in the grid, the lower pane displays the sensor connector's name, and the connector instance's name (or alias) and configuration settings. The Status column displays each instance's current status: Stopped or Running.
Actor connector instance: This icon represents a configured instance of an actor connector. Each actor can have more than one instance, where each configuration is identified by a different name, called an alias. In the grid, each configured connector instance appears below its connector. Whenever you select an actor connector instance in the grid, the lower pane displays the actor connector's name, and the connector instance's name (or alias) and configuration settings. The Status column displays each instance's current status: Stopped or Running.
The Refine Results pane has the following fields.
Reset: Click Reset to clear the form and return the Connectors grid to its default state (showing all connectors).
Search: Use this field to perform keyword searches for specific products, such as Cisco or McAfee. To search, type the text you want to search for in the text box. Then press Enter or click the magnifying glass symbol. The grid displays only those products that match or include the text you entered.
Configured Connectors: Select this check box to have the Connectors grid show only those connector instances that are currently configured for the Manager or Agent you are working with. Clear this check box to have the grid list both configured and unconfigured connectors.
Category
Status
Menu Button: Click the Menu Button to open, save, or print a report, and to see everything else you can do with a report. This button has a similar function to the File menu used by earlier Windows programs.
Quick Access Toolbar
Ribbon: The Ribbon is designed to help you quickly find the commands that you need to complete a task. Commands are organized in logical groups that are collected together under tabs. Each tab relates to a type of activity, such as running and scheduling reports, or viewing and printing reports. To save space, you can minimize the Ribbon, showing only the tabs.
Settings tab: Use the commands on this tab to choose the reports you want to run, open, and schedule, and to configure reports and the report data source settings.
View tab: Upon opening or running a report, the Ribbon automatically switches to the View tab, which has a toolbar for printing, exporting, resizing, and viewing the report. If you click the View tab without having opened a report, the Preview pane shows a blank page. If you click the View tab and you have run a report, the Preview pane displays the contents of the report.
Grouping bar: You can use the yellow bar above the grid to group, sort, and organize the reports list.
Report list/Preview pane
About Reports
Reports allows you to select which Manager or data warehouse you want to
report on, select the reports you want to run, and schedule when you want to run
the reports. The system then automatically generates the reports according to
your schedule and settings.
You can run reports two different ways:
• On-demand reports are those reports that you run only when you need them.
• Scheduled reports are reports that you configure to automatically run on their own, on a particular schedule, and without intervention.
Note: Reports can take quite a bit of time to run. The larger the report, the longer it takes. SolarWinds recommends that you schedule any reports that you intend to run frequently.
This chapter covers the following topics:
• Reports features
• Managing reports
• Viewing reports
• Printing reports
Opening Reports
1. Click the Start button and then click All Programs.
2. Point to the SolarWinds folder, and then click the Reports shortcut.
After a moment, Reports appears.
Default commands
By default, the Quick Access Toolbar shows the following commands: Open, Run, Refresh Report List, and Exit.
You are not limited to the Quick Access Toolbar's default commands. You can customize the toolbar by adding or removing any command shown on the Ribbon. In this manner, you can customize the toolbar with the commands you use most often.
The Quick Access Toolbar can be located in either of two places: in the upper-left corner of the window, next to the Reports Button (its default location), or below the Ribbon. If you don't want the toolbar to be displayed in its current location, you can move it to the other location.
To move the Quick Access Toolbar:
• To move the toolbar below the Ribbon, click Show Quick Access Toolbar Below the Ribbon.
• To move the toolbar above the Ribbon, click Show Quick Access Toolbar Above the Ribbon.
To minimize or restore the Ribbon, press Ctrl+F1.
The Configure list offers the following preferences and options.
Primary Data Source: Select this option to choose the default data source that is to be used for running reports whenever the Reports window is opened. The option you select here becomes the default setting in the Data Source list. At any time, you can select a different data source and then run reports from that source. But whenever you reopen the Reports window, it defaults to the data source you have selected here.
Syslog Server
Data Warehouse
Data Source: Use this list to select the data source that you want to run reports against. When you select a data source here, it temporarily overrides the Primary Data Source (default) you have selected in the Configure list. For more information, see "Running Reports on Demand" on page 351.
3. In the Primary Data Source list, select the default data source.
4. Click Test Connection to have the system perform a ping test to confirm that a connection to the data source has been established. A test is not required, but it is highly recommended. During the test, the OK button is disabled.
• If the test succeeds, the OK button becomes enabled, and the status area below the Test Connection button reads: "Ping Test...success."
• If the test fails, an error message appears. In that case, see "Troubleshooting Database Connections" on page 319.
5. Click OK.
Configuring a syslog server
Use this procedure to have a Manager send report log information to a syslog server. A syslog server records all report-related events and application messages. It logs basic report activity, such as who is running reports, which reports are being run, which database a report is drawing from, when each report is run, when each report is complete, and any error messages that occur if a report generates errors.
By default, the syslog server is set to the Primary Manager, but it can be set to any server running a standard syslog service. However, the server must have an Agent installed so it can communicate with the Manager.
To configure a syslog server:
1. Open Reports.
2. On the Settings tab, in the Preferences group, click Configure and then select Syslog Server. The Set Syslog Server form appears.
3. In the Syslog Server (Host Name) box, type the server's host name.
4. Click Test.
The system performs a ping test to confirm that a connection has been established. You must test the connection before the server can be accepted. A successful test does not confirm that the host is actually a syslog server.
• If the ping test succeeds, it retrieves and displays the host IP address, and a message appears stating: "The Ping Test succeeded."
• If the ping test fails, a message appears to tell you so. In this case, confirm that you have entered the correct host name and that it matches a valid DNS entry.
The data warehouse connection form has the following fields: Warehouse Name (Host Name), Port Number, Database Type, Security, Timeout for database connection test (x sec.), Set as Primary Data Source, Host IP Address, Do not ping, Connect with Warehouse Name, Connect with IP Address, No Warehouse, and Test Connection.
The following error messages can appear when a database connection test fails.
Manager ping timed out.
Correction: Confirm that you have entered the warehouse's Host Name properly. Make sure it matches a valid DNS entry.
Sending the authentication packet failed.
Could not flush socket buffer.
Login incorrect.
The Industry Setup tab lets you select the industries and areas of regulatory compliance that are of interest to your company. Reports that are related to the options you select then appear in the Industry Reports list.
The Favorites Setup tab's Search view lets you list, sort, and group the report list by industry and regulatory area. It highlights reports that are already in your list of favorites.
The Favorites Setup tab's Favorites view displays your current list of favorite reports. You can use this view to sort and group your favorite reports to locate a specific report. When needed, this view is also used to remove a report from your list of favorites.
The Reports for section now lists only those standard reports that support the regulatory areas you have selected.
6. To remove reports for any industry or regulatory area, simply click to clear the corresponding check box.
7. Click OK to save your changes and close the window.
In the Category list, the Industry Reports option now lists the standard reports that support the industries and regulatory areas you have selected.
Industry options
Industry reports are standard reports that are designed to support the compliance
and auditing needs of certain industries. Currently, SolarWinds provides reports
that support the financial services industry, the health care industry, and the
accountability reporting needs of publicly traded companies. The following table
describes which compliance and auditing areas are specifically supported.
Education
• FERPA
Federal
• CoCo
• DISA STIG
• FISMA
• NERC-CIP: Reports in this category support compliance with the North American Electric Reliability Council (NERC) Critical Infrastructure Protection (CIP) reliability standards.
Finance
• CISP
• COBIT
• GLBA
• NCUA: … through the National Credit Union Share Insurance Fund (NCUSIF), a federal fund backed by the United States government.
• PCI
• SOX
General
• GPG13
• ISO 17799/27001/27002
Healthcare
• HIPAA
As you can see, the Search view looks just like the Industry Setup tab.
The Classifications area lists those industries and regulatory areas that are
supported by standard Reports. The Reports Matching Search Criteria
box lists every standard SolarWinds report. If a report appears highlighted in
green, it means the report is in your Favorite Reports tab.
5. In the Classifications area, select the check box for each industry or
regulatory area your company is concerned with.
6. Click the Search button below the left frame.
The Reports Matching Search Criteria box displays all of the standard
reports that support the options you have selected. For example, if you
selected Finance, it lists only those reports that are associated with
Finance. If you selected Finance and PCI, it lists every report that is
associated with either Finance or PCI.
If needed, you can also organize the report list by sorting, filtering, and
grouping the report list.
Step 2: Adding a report to your list of favorites
1. In the report list, locate the report you want to add to the Favorite Reports
list.
2. Do either of the following:
The Favorite Reports list now includes the report as one of your favorites.
Removing a report from the Favorite Reports tab
When needed, you can use the Manage Categories form to remove a report from
the Favorite Reports list. This does not delete the report; the report remains in its
original category. For example, if you remove a favorite report that originally came
from the Standard Reports list, it remains listed in the Standard Reports list.
This means you can restore the report as a favorite at any time.
To remove a report from the Favorite Reports list:
1. Open Reports.
2. On the Settings tab, in the Report Categories group, click the Manage
button and then click Manage Categories.
The Manage Categories form appears.
3. Click the Favorites Setup tab.
4. Click the Favorites button.
The window displays your current list of favorite reports. If there are a lot of
reports, you can sort, filter, and group the report list to locate the specific
report you want to remove.
5. In the report list, select the report you want to remove from the Favorite
Reports list. Then do either of the following:
On the Settings tab, in the Report Categories group, click the Category
list and then select a report category.
The window displays the list of reports in that category. If you select a
different category, the reports list changes to display the reports that are in
the new category.
The following table describes each option in the Category list.
Standard Reports: This list displays the standard set of reports that ship with the SolarWinds system and are supported by SolarWinds technical support. Most standard reports capture specific event data that occurs during a particular period.
Industry Reports
Custom Reports: This list displays any custom reports that you created, or that SolarWinds created for your company, to meet a specific need. Standard and custom reports are essentially the same thing. They are run and scheduled in the same manner. The only difference is that custom reports are undocumented, as they are created specifically by you or for you. While SolarWinds supports any custom reports it makes for your company, SolarWinds does not support any custom reports that you make yourself.
Favorite Reports
The system takes you to the first report title that matches the letters you have
typed. For example, if you clicked Standard Reports and began typing
even, the system takes you to Event Summary, which is the first matching
report title.
5. From here, you can scroll down to the exact report you are looking for.
1. In the reports list, click to select the report you want to work with.
2. Do either of the following:
• In the report grid, position the mouse pointer over the report you have selected.
• On the Settings tab, in the Report Selection group, click Report Properties.
1. On the Reports window, click the report filter you want to use as a starting
point.
2. At the bottom of the filter, click the Customize button. The Filter Builder form appears.
3. Use the form's buttons to select the column, column option, and specific conditions that define the filter. In the example shown above, the filter displays only those reports where the Category column equals Audit, and the Type column equals Authentication.
4. Click OK or Apply to apply the filter. Otherwise, click Cancel.
Saving a custom report filter
3. Use the Save in list to locate and select the folder you want to store the filter
in.
4. In the File name box, type a name for the filter.
5. Click Save.
The filter is now saved and available for later use.
Opening a saved custom report filter
3. Use the Look in list to locate and open the folder that contains the custom filter. Then click to select the filter.
4. Click Open.
5. The custom filter's configuration appears in the Filter Builder form.
6. On the Filter Builder form, click OK or Apply. The custom filter is applied to the report list.
Exporting a report
Use this procedure to export the report shown in the Reports window's Preview pane. You can choose to export the report as an Adobe Portable Document File (.PDF), a Crystal Reports RPT file, as HTML, as a Microsoft Excel file, or as several other common file formats. SolarWinds officially supports the PDF and RPT formats.
To export a report:
1. In the Reports window, open or run the report you want to export. The report appears in the Preview pane.
3. In the Format list, select the file type in which you want to save the report. The Description box at the bottom of the form describes each file format that you choose.
4. Use the Destination list to browse to the folder in which you want to save the file.
5. Click OK. The system saves the file to the folder and in the format that you selected.
Reports features
The topics in this section describe the key features of the Reports window, its
Menu Button, its Quick Access Toolbar, and its Ribbon.
Menu Button
Quick Access Toolbar: … locations. For more information, see "Using the Quick Access Toolbar" on page 309.
Ribbon
Settings tab
View tab
Grouping bar: You can use the yellow bar above the grid to group, sort, and organize the reports list. For more information, see "Grouping reports" on page 341.
Report list/Preview pane: Upon opening or running a report, this section changes into a report Preview pane that displays the report. The Ribbon also automatically switches to the View tab, which has a toolbar for printing, exporting, resizing, or viewing the report.
In Reports, the Menu Button opens a menu that lets you execute the most
common report commands. The following table describes each command in the
Menu Button menu.
Open Report
Export Report
Schedule: … running the selected report in the Report list.
Print Report
Printer Setup
Refresh Report List
Exit
Grouping reports
You can sort the Reports window's report list into groups of reports by dragging one or more column headers into the grouping box above the report list. This feature allows you to quickly organize and display groups of reports that fall into very specific categories.
For example, suppose you want to group the reports by Category. By simply dragging the Category column header from the report list into the grouping box, you can rearrange the report list into groups that are defined by items from the Category column, as shown here.
Decide which column is to define the report groupings. Then drag that column header into the Drag a column header here to group by that column area above the report list.
Before
After
Click a node to display a list of reports that fall within that grouping. To close the node, simply click it again.
Creating a sub-group
1. Drag another column header into the Drag a column header here to group by that column area.
• Place the new column header above the existing header to have the new header act as the primary grouping. In the example shown above, the report list would be grouped by Level and then Type.
• Place the new column header below the existing header to have the new header act as the secondary grouping. In the example shown above, the report list would be grouped by Type and then Level.
The report list refreshes to display two levels of nodes: one level of nodes for the primary group, and one set of nodes for the secondary group.
Managing reports
The following topics explain how to edit a scheduled report task, how to delete a
schedule from a task, and how to delete a scheduled report task.
Deleting a scheduled report task
1. Open Reports.
2. On the Settings tab, in the Report Categories group, click the Category list and then select either Standard Reports or Custom Reports. The grid displays all of the reports in the category you have selected.
3. In the grid's Report Title column, click the name of the scheduled report that has a task you want to delete.
4. On the Settings tab, in the Report Selection group, click Schedule. The Report Scheduler Tasks window appears.
5. In the Task Description list, select the scheduled report task you want to delete.
6. Click Delete.
7. At the confirmation prompt, click Yes. Otherwise, click No to keep the scheduled report task.
8. Click Close to close the Report Scheduler Tasks form.
Printing reports
You can print any report shown in the Reports windows Preview pane.
Printing a report
1. In the Reports window, open or run the report you want to print.
The report appears in the Preview pane.
2. On the View tab, in the Output group, click Print.
The Print form appears.
3. Select the printer and any print options you want.
4. Click Print.
The report is printed according to the print options you selected.
3. Select the Paper, Orientation, Margin, and Printer options you want. A preview section at the top of the form displays a thumbnail version of the report with the options you have selected.
4. Click OK. The report is printed according to the print options you selected.
• Click a filtered column header's drop-down list and select a different filter option.
• In the status bar below the report list, click the filter's drop-down arrow. Then select a different filter option from your list of most commonly used filters.
The report list refreshes to display the list with the new filter.
Turning off report filters
In the Reports window, when you are finished with a report filter, you can turn it off. Turning off a filter refreshes the report list so that it displays the list without that column filter. You can turn off a single filter or all of the filters at once.
To turn off a single filter:
• Clear the check box next to the filter in the status bar.
The report list refreshes to display the list without that column filter.
To turn off all of the filters:
• Click the
The report list refreshes to display the list without any filters.
• On-demand reports are those reports that you run only when you need them.
• Scheduled reports are reports that you configure to automatically run on their own, on a particular schedule, and without intervention.
All reports are scheduled and run in the same manner. The following procedures explain the methods for running on-demand reports and scheduled reports.
Reports can take quite a bit of time to run. The larger the report, the longer it takes to run. For that reason, it is recommended that you schedule any reports you intend to run frequently.
Running Reports on Demand
1. Open Reports.
2. On the Settings tab, in the Preferences group, click the Data Source list and then select the Manager that is to be the data source for the report. This step is only needed if you are selecting a data source that is different from the Primary (default) Data Source.
3. In the Report Categories group, click the Category list and select the report category you want to work with. The report list displays all of the reports in the category you have selected.
4. In the report list, locate the report you want to run. Then do any of the following:
• Click to select the report. Then on the Settings tab, in the Report Selection group, click Run.
• Click to select the report. Then on the Quick Access Toolbar, click the Run button.
Depending on the report you selected, you may be prompted to enter certain report parameters, such as a start date/time, an end date/time, and a range. In this case, the Enter Parameter Values form appears.
Start Date/Time: Type or select the report's start date and time. The time is optional. Click the Now button to populate these fields with the current date and time.
End Date/Time
Top N
6. Click OK. The report appears in the Preview pane and the Ribbon changes to the View tab. You can use the View tab to print, export, view, resize, and
3. Set the schedule parameters. This states when the scheduled report is to run.
4. Apply any advanced scheduling options, if desired.
5. Select settings that define when the SolarWinds system can and cannot run the task.
6. Apply the scheduled report to the data source (Manager) for which you want a report. Then define the scope, which is the period you want the report to cover. When the system runs the report, it retrieves any pertinent events that occurred within the period defined by the scope.
7. Finally, select any export options for the report. This allows you to export to the folder of your choice, and in a format that is easy to read and print. If you do not export the report, it will automatically print to your default printer.
Each step of this process is fully explained in the following numbered topics. You
must repeat this process for each report you want to schedule.
Step 1: Selecting the report you want to schedule
In this step, you will select the report you want to schedule, then open the Report
Scheduler Tasks window.
To begin scheduling:
1. Open Reports.
2. On the Settings tab, in the Report Categories group, click the Category
list and select the report category you want to work with.
The report list displays all of the reports in the category you have selected.
3. In the Report Title column, locate the report you want to schedule. Then do
any one of the following:
- Click the report you want to schedule. Then on the Menu Button menu, select Schedule Report.
The Report Scheduler Tasks window appears. Use this window to add,
edit, and delete your scheduled report tasks.
Note that the Event Summary box shows only the tasks that apply to the
report you selected in Step 3.
Step 2: Adding a new scheduled report task
Here, you will name and configure the new scheduled task that is associated with
this report.
To create a scheduled task:
1. To add a new report schedule, click the Add button.
The Enter Scheduler Task Description form appears.
2. In the Task Description box, type a name for the report, then click OK.
At this point, the task scheduler form appears. The form takes the name of
the report to indicate which report you are scheduling.
Field: Description
Run: Normally, you will not change the default setting. But if you do, use this box to type the path to the argument that initiates the task settings for this report. If needed, click the Browse button to locate the correct folder and file.
Start in: Normally, you will not change the default setting. But if you do, use this box to type the path to the Reports executable file (.exe).
Comments
Run as
Then click the Set password button to set up a password for the current user to run the report. This step is required for the scheduler to work properly.
Enabled (scheduled task runs at specified time)
Now you will create the actual report schedule. The settings on the Schedule tab
tell the system when to run the report.
If needed, you can create multiple schedules for each report that are within the
same scope. For example, perhaps you would like to run an event summary
report for the current week and have it display the running total for the week at
each hour. You could set the report to Week: Current and have multiple
schedules that run on an hourly schedule and on a twice-daily schedule.
To schedule a report:
1. Click the Schedule tab. For new tasks, the tab states that the task is not
scheduled.
2. Click the New button to create a new schedule for the report.
The schedule shown above appears by default. You will create a new
schedule by modifying this default schedule with the various boxes in the
Schedule tab.
Field: Description
Schedule Task
Start time
Every: Type or select how often you want to run the task based on your selection in the Schedule Task box above. For example, for a daily report, you can run the report every day, every 2 days, every 3 days, etc. For a weekly report, you can run the report every week, every 2 weeks, etc.
Show multiple schedules: Select this check box if you will have more than one
If you clicked the Schedule tab's Advanced button, then the Advanced
Schedule Options form appears (shown here). This form provides you with
complete control over your report schedules. For example, you can schedule start
and end dates for the report, or set a task to repeat for a set period of time.
Field: Description
Start Date
End Date
Repeat task
Every
Time
Duration
If the task is still running, stop it at this time.
Note: The following image displays the valid and invalid date formats for
reports.
In the example shown above, the configured report will run every four hours,
starting on Monday, August 18, and running through Sunday, August 30.
Each time the task runs, the system will stop it if it continues to run for more
than one hour.
3. Click OK to save your changes and exit the form; otherwise, click Cancel.
You return to the task scheduler form.
Step 5: Stating when the system can or cannot run the task
In this topic, you will use the Settings tab to select options that state when the
system can and cannot run the task.
To define when the system can or cannot run the task:
1. Click the Settings tab to fine tune the options for this task.
Field: Description
Scheduled Task Completed
task if it exceeds 72 hours. If you leave this check box clear, then the system continues running the task until it is complete.
Idle Time
Power Management
power. Select Wake the computer to run this task to have the system run the computer at normal power to run the scheduled report task. If you leave this check box clear (not checked), then the report will not run until the next scheduled time after the computer is removed from sleep.
Once you have added your scheduled report tasks, you can assign the task to a
particular data source (a Manager) and define the task's scope. The scope is the
event period you want the report to cover. When the system runs the report, it
retrieves any pertinent events (that the report covers) that occurred within the
period defined by the scope.
To assign the task's data source:
1. In the Report Scheduler Tasks window's Task Description list, select
the report schedule you want to assign.
1. In the Date Range list, select the date range you want the report to cover for
this task and this data source.
In the example shown above, the date range is Day: Today. This means
the report will cover the period from 12:00:00 AM to 11:59:59 PM of the
current date.
For a more complex example, suppose you chose Week: Previous as the
date range. The scheduled report would contain information from the last full
week, from 12:00:00 AM the last Monday to 11:59:59 PM the last Sunday.
For example, if today is Wednesday the 11th, the task runs from 12:00:00
AM on the 2nd to 11:59:59 PM on the 8th.
The following table describes each option in the Date Range list.
Date range - Description
Day: Today
Day: Yesterday
Week: Current - Run from one week ago to the current time.
Week: Previous
Month: Current
Month: Previous
User Defined - Use this option to run any other report scopes. You can use this option to schedule reports for arbitrary periods, or for periods that are outside of the conventional scope of a day, week, or month.
2. In the Start Time and End Time boxes, type or select a start time and end
time for reporting events that occurred on this Manager. The report will only
show those events that occurred on the Manager within this period.
Note: If you select a Week or a Month scope, you cannot edit the Start
Date/Time and End Date/Time.
3. The Count Settings area only applies to count-based reports, such as Top
20 reports. In the Number of Items box, type or select the number of items
you want the report to track.
4. To configure the report so that it automatically exports to a file, continue to
"Step 7: Exporting a scheduled report" (page 368) below. Otherwise, click Save.
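The scope rules above, worked through in code as an added example (not SolarWinds code): it turns each Date Range option into the (start, end) period it covers and filters a constructed event sample against it. Day: Yesterday and the two Month options have no description on this page, so their calendar-based meaning here is an assumption.

```python
"""Compute the event period a scheduled report covers for each Date Range option.

Added example, not LEM code. Day: Today, Week: Current and Week: Previous follow
the guide's definitions; Day: Yesterday and the Month options are assumed to mean
the previous full day, the current calendar month so far, and the previous full
calendar month.
"""
from datetime import datetime, timedelta


def _day_bounds(day):
    """(start, end) for one calendar day: 12:00:00 AM to 11:59:59 PM."""
    start = datetime(day.year, day.month, day.day)
    return start, start + timedelta(days=1, seconds=-1)


def scope_window(date_range, now):
    """Return (start, end) datetimes for a Date Range selection.

    `now` is the moment the scheduler runs the task; it anchors every window.
    """
    today = now.date()
    if date_range == "Day: Today":
        return _day_bounds(today)
    if date_range == "Day: Yesterday":          # assumed: the previous full day
        return _day_bounds(today - timedelta(days=1))
    if date_range == "Week: Current":           # one week ago up to the current time
        return now - timedelta(weeks=1), now
    if date_range == "Week: Previous":          # last full Monday-to-Sunday week
        last_monday = today - timedelta(days=today.weekday() + 7)
        start, _ = _day_bounds(last_monday)
        _, end = _day_bounds(last_monday + timedelta(days=6))
        return start, end
    if date_range == "Month: Current":          # assumed: 1st of this month to now
        return datetime(today.year, today.month, 1), now
    if date_range == "Month: Previous":         # assumed: previous full calendar month
        first_of_this = datetime(today.year, today.month, 1)
        last_of_prev = first_of_this - timedelta(days=1)
        _, end = _day_bounds(last_of_prev.date())
        return datetime(last_of_prev.year, last_of_prev.month, 1), end
    raise ValueError(f"User Defined or unknown date range: {date_range!r}")


def scope_window_iso(date_range, now_iso):
    """String-in, string-out wrapper using ISO 8601 timestamps (2015-02-11T14:30:00)."""
    start, end = scope_window(date_range, datetime.fromisoformat(now_iso))
    return start.isoformat(), end.isoformat()


# Constructed sample of normalised events (timestamp, event type); not real LEM data.
SAMPLE_EVENTS = [
    ("2015-02-01T23:59:59", "MachineAuthTicketFailure"),  # last second of the Sunday before
    ("2015-02-02T00:00:00", "NewGroupMember"),            # first second of Monday the 2nd
    ("2015-02-05T09:15:00", "ExposureFound"),
    ("2015-02-08T23:59:59", "DeleteGroupMember"),         # last second of Sunday the 8th
    ("2015-02-09T00:00:00", "UserAssetAdded"),            # Monday of the current week
    ("2015-02-11T08:00:00", "VulnerabilityFound"),        # today, before the task runs
]


def events_in_scope(date_range, now_iso, events=SAMPLE_EVENTS):
    """Event types whose timestamp falls inside the scope window (both ends inclusive)."""
    start, end = scope_window(date_range, datetime.fromisoformat(now_iso))
    return [kind for ts, kind in events if start <= datetime.fromisoformat(ts) <= end]


if __name__ == "__main__":
    now = "2015-02-11T14:30:00"   # Wednesday the 11th, the guide's own example
    for dr in ("Day: Today", "Week: Current", "Week: Previous", "Month: Previous"):
        print(dr, scope_window_iso(dr, now), events_in_scope(dr, now))
```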
Step 7: Exporting a scheduled report
Finally, you can have the report utility automatically export a scheduled report in
Adobe's Portable Document Format (.PDF) to the folder of your choice. If you do
not choose to export a scheduled report, then the system will print the report to
your default printer each time it runs.
To export a scheduled report to a file:
1. Open the Report Scheduler Tasks window, if you have not already done
so.
2. In the Task Description box, select the scheduled report task you want to
export.
3. On the Report Settings tab, select the Export check box. This enables the
other fields in this section. This section allows you to name and export this
report in the format and folder of your choice when the task scheduler runs
this report.
4. In the Format list, select the file format in which you want to export the
report.
5. Click the folder icon next to the File Name box. Browse to the folder where
you want to save the report, then type a unique file name for the report.
If the report has multiple schedules, then give each schedule's exported
report a different name. Otherwise, the exported files will overwrite each
other, or they will increment according to the If File Exists setting, making it
difficult to readily identify the different schedules' reports.
6. In the If File Exists list, choose one of the following options:
- Select Increment to store the new report along with any previous versions of the report in the folder. The Report Console increments each report by appending the report filename with an underscore and a digit. For example, the first increment is [FileName]_1.pdf, the second is [FileName]_2.pdf, and so on.
- Select Overwrite to have each new version of the report overwrite the previous version of the report in the folder.
7. Click Save.
8. Click Close to close the Report Scheduler Tasks window and return to the
Reports window.
9. Repeat "Step 2: Adding a new scheduled report task" (page 356) through
"Step 7: Exporting a scheduled report" (page 368) for each report you want to
schedule and assign to a particular data source.
The Reports window has a Search tool that you can use to search for key words
or phrases in text-based reports.
This tool only works when you are viewing a text-based view of a report in the
Preview pane. You cannot use this tool with graphical-only reports, or the default
graphical view that is displayed when you first run the report.
Viewing the text-based details of a report
Do either of the following:
- Open a page that is past the graphical section of the report, into the report content pages.
- On the View tab, click the Tree button to open the report's list of sub-topics. Then click the content-based sub-topic to jump to that section of the report.
For more information, see "Viewing reports" on page 375.
4. In the Find what box, type the text you want to search for.
5. Select Match whole word only to search for entire words that match,
omitting matching letters within words.
6. Select Match case to make the search sensitive to uppercase or lowercase
letters.
7. In the Direction area, click Up to search from where you are now to the start
of the document, or click Down to search from where you are now to the end
of the document.
8. Click Find Next.
The tool locates the next instance of the text in the report and highlights it for
easy viewing.
9. Continue clicking Find Next for each remaining instance of the text you
want to find.
10. When you are finished, click Cancel to close the Search form.
clear the error prompt, return to the Select Expert, and delete the time-based
filter. To filter by time and date, you must run the report with the specified range.
Running a query with the Select Expert tool
1. In Reports, open or run the report you want to work with.
The report appears in the Preview pane.
2. On the View tab, in the View group, click Select Expert.
The Select Expert form appears.
You can click the Browse button to bring up a list of available fields that you
can select with the tool.
4. Select the field you want to query, then click OK.
The Select Expert form appears. The first tab displays the field name you
have selected. It lists the query options for that field and has an adjacent list
where you can select a specific value.
5. In the tab's left-hand list box (or boxes), select a query option for the field.
Then, in the adjacent right-hand list box, select a specific value for the field.
If needed, you can click the Browse Data button to see a complete list of
values that are present in the report for that field. From the Browse Data
box, you can select a value; then click Close to apply that value to the
query.
6. Repeat Steps 3 through 5 for each field you want to add to the query.
7. Click OK to close the form and apply the query; otherwise, click Cancel.
The new report appears in the Preview frame. If needed, you can use the
Preview frame's toolbar to save or export the report.
Restoring the original report
When you are through querying a report with the Select Expert tool, you can
restore the report to its original state.
To turn off the Select Expert settings:
1. On the View tab, in the View group, click Select Expert.
The Select Expert form appears.
- Click a column header once to sort the report list by that column in ascending (alphabetical) order. The column header shows an upward arrow. This arrow means the report list is sorted by this column in ascending order.
- Click the column header again to sort the report list by that column in descending (reverse alphabetical) order. The column header shows a downward arrow. This arrow means the report list is sorted by this column in descending order.
Viewing reports
The topics in this section explain how to open, view, and manipulate a report
image shown in the Reports Preview pane.
Opening your saved reports
Whenever a report is saved or exported to .rpt format, you can use the Open
command to reopen and view the report's contents. This applies to scheduled
reports that the system has run and saved, as well as on-demand reports that you
have run and exported for later viewing.
To open a saved report:
1. Open Reports.
2. Do one of the following:
3. Use the Open Report File form to explore to the report file you want to view.
Note: If the report cannot be found where it is expected, be sure you have
selected Crystal Reports (*.rpt) in the File type list.
4. Select the file and then click Open.
The report opens in the Reports Preview pane. You may now view, search,
resize, print, or export the report, as needed.
Viewing the sections of a master report
Some of SolarWinds's standard reports are master reports. A master report is a
report made up of a series of sub-topics, where each sub-topic contains a
specific set of details about the higher-level master topic. Together, these topics
make up the whole report, just like individual chapters make up a book.
When a report has more than one sub-topic, a sub-topic pane appears to the
left of the Reports window's Preview pane. The sub-topic pane lists the sub-topics
that are found in the report. If you click a sub-topic, the Preview pane
displays the first page of that section of the report.
To view a section of a master report:
In this example, the Preview pane is showing the Authentication report. The
sub-topic pane shows this report has sub-topics on suspicious
authentications, authentication failures, user logons, user logoffs, user logon
failures, etc. Clicking a sub-topic displays that section of the report.
Hiding and showing a master report's sub-topic pane
Whenever you are previewing a master report (that is, a report that has lower-level
topics), the View tab's Tree button becomes enabled. You can use this
button to toggle between hiding and revealing the report's sub-topic pane.
To hide the sub-topic pane:
- On the View tab, click the Tree button.
To show the sub-topic pane again:
- Click the Tree button again.
3. In the Navigate group, use the toolbar to view the report, as described in the
following table.
Button
Function
Displays the first page of the report.
Displays the previous page of the report.
Displays the next page of the report.
Displays the last page of the report.
Displays the page number that is currently shown in the Preview frame, as well as the total number of pages in the report. If the Console has not yet tallied the total number of pages, you will see however many pages it is certain of and a + to indicate that there are more pages.
To determine how many pages are in the report, click the last-page button. This takes you to the last page of the report, forcing the Console to determine how many pages there are. It also causes the 1+ to display the actual number of pages.
You can also use this feature to display a particular page of the report. In the Page box, type a page number you want to see and then press Enter. The Preview frame then displays that page.
- Select Page Width to have the width of the report page match that of the Preview pane.
- Select Whole Page to display the entire report page within the Preview pane.
- Select anything less than 100% to reduce the report accordingly. For example, 50% displays the report at half its normal size.
- Select 100% to display the report in its actual size.
- Select anything greater than 100% to magnify the page accordingly. For example, 200% displays the report at twice its normal size.
- In the Zoom box, type a [number]% for the magnification you want, and then press Enter. For example, type 33% to reduce the image to one-third of its actual size. Or type 175% to magnify the report so it is three-quarters larger than its normal size.
To stop running or loading a report that is progress, click the Stop button on
the status bar, in the lower-right corner of the Reports window.
- Setting up the nDepth Appliance (if you are using a separate nDepth Appliance to store original log messages).
- Configuring your network connectors (sensors) for use with nDepth to store original log messages.
you begin using nDepth. Contact SolarWinds Technical Support for instructions
on installing a separate appliance.
If you are not using a separate appliance, this procedure is not required, because
short-term log messages are stored directly on LEM.
How many days of live data will the LEM database store?
The number of days' worth of live data that the LEM database will store
varies for every implementation. The information below should help you
determine this number for your environment, while also promoting a more
detailed understanding of how the database works in general.
Logs: This figure represents the amount of space being utilized by the Syslog
store. This figure is included in the used figure noted above.
To figure out how much space is currently being utilized by your Event store,
subtract the Logs value from the used value.
Note: If you are storing original log messages in your LEM database, the
calculation above will show you the combined space being utilized by both your
Event and original log stores.
Database Maintenance Report
Run the Database Maintenance Report in LEM Reports to see a snapshot of your
current database utilization. For the sake of this discussion, note the following
sections:
Disk Usage Summary: This section provides disk usage figures as percentages
of the space allocated to the LEM database.
Disk Usage Details: This section provides the actual amounts related to the
percentages in the Disk Usage Summary section.
Database Time Span (days): Note the Event DB value in this section. This value
tells you how many days' worth of live Event data is currently stored on your LEM
database. For detailed information about this value, see the second page of the
Database Maintenance Report.
Note: The Other Files figure in the Database Maintenance Report consists
primarily of the data in the Syslog store noted above.
- Back up your LEM virtual appliance on a regular basis. This will give you "offline" storage for all of your LEM data stores and configuration settings.
- Decrease the number of days for which Syslog/SNMP data is stored on your LEM virtual appliance.
4. At the prompt Please enter the new hostname, specify the desired name of
your manager.
Note: If you don't want your LEM manager name to change, enter the
currently used hostname.
5. At the cmc::acm# prompt, enter exit.
6. At the cmc> prompt, enter manager.
7. At the cmc::cmm# prompt, enter exportcert.
8. Follow the prompts to export the LEM CA certificate.
Note: An accessible network share is required. Once the export is
successful, you will see the following message: Exporting CA Cert to
\\server\share\SWICAert-hostname.crt ... Success.
9. At the cmc::cmm# prompt, enter enabletls.
- Edit spop.conf so the LEM Agent calls the LEM appliance by its IP address instead of its hostname. For instructions, see the spop.conf procedure later in this section.
- Change your DNS settings so the LEM Agent computer can resolve the LEM appliance's hostname (recommended).
6. If you cannot ping the appliance by IP address, resolve any network or firewall
issues between the LEM Agent and appliance.
To edit spop.conf so the LEM Agent calls the LEM appliance by its IP address
(Windows):
1. Stop the SolarWinds Log and Event Manager Agent service.
2. Delete the spop folder (do not delete the ContegoSPOP folder):
- 32-bit computers: C:\Windows\System32\ContegoSPOP\spop
- 64-bit computers: C:\Windows\SysWOW64\ContegoSPOP\spop
C:\Windows\SysWOW64\ContegoSPOP\tools\readerState.xml
Troubleshooting Network Devices
Start by determining whether the device is sending data to the LEM appliance:
1. Connect to your LEM appliance using the VMware "console" view, or an
SSH client such as PuTTY.
2. If you're connecting to your appliance through SSH, log in as the CMC user,
and provide the appropriate password.
3. If you're connecting to your appliance using VMware, select Advanced
Configuration on the main console screen, and then press <Enter> to get
to the command prompt.
4. At the cmc> prompt, enter appliance.
5. At the cmc::acm# prompt, enter checklogs.
6. Enter an item number to select a log file to view.
7. Check each log file that is not empty for evidence that the device is logging
to the appliance, such as the device's product name, device name, or IP
address.
Contacting Support
If you still do not see events from your network device after completing these
procedures, send a screenshot of your device's logging configuration screens to
SolarWinds Support.
Widget name/Filter: Description
All Events
Events by Event Type: Displays the total count of events per minute for the last 15 minutes.
Change Management
Failed Logons
Failed Logons by User Account
Firewall
Firewall Events by Firewall
Firewall Events by Type
Incidents
Incidents by Rule Name
Interactive Logons by User Account
My Rules Fired by Rule Name
Network Events
Network Events by Source Machine
Network Event Trends
Rule Activity
Rules Fired by Rule Name: Displays the top 5 rules fired by rule name.
Security Processes
Security Processes by Agent
Subscriptions
SolarWinds Events: Displays all Internal events (events generated during operation of the LEM).
Unusual Network Traffic
Unusual Network Traffic by Destination
Unusual Network Traffic by Source
USB-Defender
USB-Defender Activity by Detection IP: Displays the top 5 Agents with the most USB-Defender events.
USB File Auditing: Displays the top 5 Agents with the most USB file auditing events.
User Logons
User Logons by Agent
User Logons by Source Machine
User Logons by User Account
Virus Attacks
Virus Attacks by Source Machine
Appendix B: Events
This appendix describes every event type that is displayed in the Events Panel
and that can be configured with the Policy commands.
Note: LEM reports events in a hierarchical node tree, shown here. When you
click a node to open it, you will see that most nodes also have lower-level nodes.
Each node that has lower-level nodes is called a parent node. Similarly, all
lower-level nodes below a particular parent node can be thought of as child nodes or
children to that parent node. Naturally, the terms parent and child apply to the
node relative to its position and role on the node tree. That is, a node can be a
child to one node, and a parent to others.
LEM automatically assigns alerts to the nodes of the alert tree based on the
specific nature of the alert and its severity.
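An added example, not part of the LEM product, of how the parent/child node tree works: the event paths are the ones listed in this appendix, and the assumption made here is that a filter or rule placed on a parent node such as AuthAudit also selects every event type beneath it.

```python
"""Resolve event-type paths into a parent/child tree and answer ancestry questions.

Added example, not LEM code. The paths are taken from this appendix; the idea
that a filter on a parent node covers all of its descendants is an assumption.
"""

EVENT_PATHS = [
    "AssetManagement > MachineAsset > MachineAssetAdded",
    "AssetManagement > MachineAsset > MachineAssetRemoved",
    "AssetManagement > MachineAsset > MachineAssetUpdated > SoftwareAssetUpdated"
    " > SoftwareAssetPatched",
    "AssetManagement > UserAsset > GroupAssetUpdated > GroupAssetMemberRemoved",
    "AssetScanResult > ExposureFound",
    "AssetScanResult > VulnerabilityFound",
    "AuthAudit > DomainAuthAudit > NewDomainMember",
    "AuthAudit > GroupAudit > NewGroupMember",
    "AuthAudit > GroupAudit > DeleteGroupMember",
    "AuthAudit > MachineAuthAudit > MachineAuthTicketFailure",
]


class EventTree:
    def __init__(self, paths):
        self.parent = {}      # node -> parent node (None for a root such as AuthAudit)
        self.children = {}    # node -> set of direct child nodes
        for path in paths:
            nodes = [n.strip() for n in path.split(">")]
            self.parent.setdefault(nodes[0], None)
            for par, child in zip(nodes, nodes[1:]):
                # Every node has exactly one parent; a conflicting path is a data error.
                if child in self.parent and self.parent[child] != par:
                    raise ValueError(f"{child} listed under both {self.parent[child]} and {par}")
                self.parent[child] = par
                self.children.setdefault(par, set()).add(child)

    def ancestors(self, node):
        """Parents of `node` from nearest to root; [] for a root node."""
        out = []
        cur = self.parent[node]          # KeyError for an event type not in the tree
        while cur is not None:
            out.append(cur)
            cur = self.parent[cur]
        return out

    def is_under(self, node, ancestor):
        """True if `ancestor` is `node` itself or any node above it in the tree."""
        return node == ancestor or ancestor in self.ancestors(node)

    def matches(self, event_types, filter_node):
        """Event types a filter placed on `filter_node` would select (unknown types skipped)."""
        return [t for t in event_types if t in self.parent and self.is_under(t, filter_node)]

    def roles(self, node):
        """Whether a node acts as a parent, a child, or both, per the note above."""
        return {"parent": bool(self.children.get(node)), "child": self.parent[node] is not None}


if __name__ == "__main__":
    tree = EventTree(EVENT_PATHS)
    print(tree.ancestors("SoftwareAssetPatched"))
    print(tree.matches(["NewGroupMember", "NewDomainMember", "ExposureFound"], "AuthAudit"))
    print(tree.roles("MachineAsset"))
```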
Event types
There are five types of events:
Asset Events
Asset Events deal with assets and asset scan results. They relate to the changing
state of different types of enterprise assets, including software, hardware, and
users. Asset information can come from centralized directory service connectors,
or it can be scan information from security scan connectors, including
Vulnerability Assessment and Patch Management connectors. Therefore, these
alerts indicate changes made to system configurations, software updates, patch
applications, vulnerability information, and other system events.
Each Asset Event is described below. For your convenience, they are listed
alphabetically.
AssetManagement
AssetManagement alerts are for gathering non-realtime data about system assets
(computer, software, users). The data will come from various sources, including
Directory Service connectors.
AssetManagement > MachineAsset
MachineAsset is a specific type of AssetManagement alert that indicates
additions, removals, and updates (including software installation) of specific
nodes that exist in the enterprise.
AssetManagement > MachineAsset > MachineAssetAdded
MachineAssetAdded alerts indicate a new presence of a node (host or network
device) in the enterprise.
AssetManagement > MachineAsset > MachineAssetRemoved
MachineAssetRemoved alerts indicate the removal of a node (host or network
device) from the enterprise.
AssetManagement > MachineAsset > MachineAssetUpdated
MachineAssetUpdated alerts indicate a change to an existing node (host or
network device) in the enterprise, including new software and software patch
installations on the node.
AssetManagement > MachineAsset > MachineAssetUpdated >
SoftwareAssetUpdated
SoftwareAssetUpdated alerts indicate an attempted software change (including
application of a software patch) to an existing node (host or network device) in the
enterprise, successful or failed.
AssetManagement > MachineAsset > MachineAssetUpdated >
SoftwareAssetUpdated > SoftwareAssetPatched
SoftwareAssetPatched alerts indicate a successful application of a software patch
to an existing node (host or network device) in the enterprise.
GroupAssetMemberAdded alerts indicate an addition of a user member to a user
group that exists in the enterprise.
AssetManagement > UserAsset > GroupAssetUpdated >
GroupAssetMemberRemoved
GroupAssetMemberRemoved alerts indicate a removal of a user member from a
user group that exists in the enterprise.
AssetManagement > UserAsset > UserAssetAdded
UserAssetAdded alerts indicate a new presence of a user in the enterprise.
AssetManagement > UserAsset > UserAssetRemoved
UserAssetRemoved alerts indicate the removal of a user from the enterprise.
AssetManagement > UserAsset > UserAssetUpdated
UserAssetUpdated alerts indicate a change to a user that exists in the enterprise.
AssetScanResult
AssetScanResult contains alerts useful for data gathered from security scan
results (reports). These alerts are commonly gathered from Vulnerability
Assessment and Patch Management connectors.
AssetScanResult > ExposureFound
ExposureFound alerts indicate scan results that are not high risk but demonstrate
configuration issues or potential risks. These alerts may indicate exposures that
can potentially cause future exploits or have been common sources of exploits in
the past, such as common open ports or host configuration issues.
AssetScanResult > VulnerabilityFound
VulnerabilityFound alerts indicate scan results that demonstrate high risk
vulnerabilities. These alerts can indicate the presence of serious exposures that
should be addressed and can represent significant risk of exploit or infection of
enterprise assets.
GeneralAsset
GeneralAsset alerts are generated when a supported product outputs data that
has not yet been normalized into a specific alert, but is known to be asset
issue-related.
Audit Events
Events that are children of AuditEvent node are generally related to normal
network activity that would not be considered an attack, compromise, or misuse of
resources. Many of the audit alerts have rules that can be used to threshold and
escalate normal behavior into something which may be considered a security
event.
Each Audit Event is described below. For your convenience, they are listed
alphabetically.
AuthAudit
Events that are part of the AuthAudit tree are related to authentication and
authorization of accounts and account "containers" such as groups or domains.
These alerts can be produced from any network node including firewalls, routers,
servers, and clients.
AuthAudit > DomainAuthAudit
DomainAuthAudit events are authentication, authorization, and modification
events related only to domains, subdomains, and account containers. These
alerts are normally operating-system related; however, they could be produced by any
network device.
AuthAudit > DomainAuthAudit > NewDomainMember
NewDomainMember events occur when an account or account container has
been added to a domain. Usually, these additions are made by a user account
with administrative privileges, but occasionally a NewDomainMember alert will
also happen when local system maintenance activity takes place.
AuthAudit > DomainAuthAudit > DeleteDomainMember
DeleteDomainMember events occur when an account or account container has
been removed from a domain. Usually, these changes are made by a user
account with administrative privileges, but occasionally a DeleteDomainMember
alert will also happen when local system maintenance activity takes place.
AuthAudit > DomainAuthAudit > ChangeDomainMember
A ChangeDomainMember alert occurs when an account or account container
within a domain is modified. Usually, these changes are made by a user account
with administrative privileges, but occasionally a ChangeDomainMember alert
will also happen when local system maintenance activity takes place.
AuthAudit > DomainAuthAudit > ChangeDomainMember > DomainMemberAlias
DomainMemberAlias events happen when an account or account container
within a domain has an alias created, deleted, or otherwise modified. This event
is uncommon and is used to track links between domain members and other
locations in the domain where the member may appear.
The alias for a domain member has been changed.
AuthAudit > DomainAuthAudit > NewDomain
NewDomain events occur upon creation of a new trust relationship between
domains, creation of a new subdomain, or creation of new account containers
within a domain. Usually, these creations are done by a user account with
administrative privileges.
AuthAudit > DomainAuthAudit > ChangeDomainAttribute
ChangeDomainAttribute events occur when a domain type is changed. These
events are uncommon and usually provided by the operating system. Usually,
these changes are made by a user account with administrative privileges, but
occasionally a ChangeDomainAttribute alert will also happen when local system
maintenance activity takes place.
AuthAudit > DomainAuthAudit > DeleteDomain
DeleteDomain events occur upon removal of a trust relationship between
domains, deletion of a subdomain, or deletion of account containers within a
domain. Usually, these changes are made by a user account with administrative
privileges.
AuthAudit > GroupAudit
GroupAudit events are authentication, authorization, and modification events
related only to account groups. These alerts are normally operating-system
related; however, they could be produced by any network device.
AuthAudit > GroupAudit > ChangeGroupAttribute
ChangeGroupAttribute events occur when a group type is modified. Usually,
these changes are made by a user account with administrative privileges, but
occasionally a ChangeGroupAttribute alert will also happen when local system
maintenance activity takes place.
AuthAudit > GroupAudit > DeleteGroup
Appendix B: Events
DeleteGroup events occur upon deletion of a group of any type. Usually, these
deletions are made by a user account with administrative privileges.
AuthAudit > GroupAudit > DeleteGroupMember
DeleteGroupMember events occur when an account or group has been removed
from a group. Usually, these changes are made by a user account with
administrative privileges, but occasionally a DeleteGroupMember alert will also
happen when local system maintenance activity takes place.
AuthAudit > GroupAudit > NewGroup
NewGroup events occur upon creation of a new group of any type. Usually, these
additions are made by a user account with administrative privileges.
AuthAudit > GroupAudit > NewGroupMember
NewGroupMember events occur when an account (or other group) has been
added to a group. Usually, these additions are made by a user account with
administrative privileges, but occasionally a NewGroupMember alert will also
happen when local system maintenance activity takes place.
A new user, machine, or service account has been added to the group.
AuthAudit > MachineAuthAudit
MachineAuthAudit events are authentication, authorization, and modification
events related only to computer or machine accounts. These alerts can be
produced from any network node including firewalls, routers, servers, and clients,
but are normally operating system related.
AuthAudit > MachineAuthAudit > MachineAuthTicketFailure
MachineAuthTicketFailure alerts reflect failed computer or machine account ticket
events from network devices that use a ticket-based single-sign-on system (such
as Kerberos or Windows domains). Each alert will reflect the point on the network
where the computer or machine was attempting logon. In larger quantities, these
alerts may reflect a potential issue with a computer or set of computers, but as
individual events they are generally not a problem.
AuthAudit > MachineAuthAudit > MachineAuthTicket
MachineAuthTicket alerts reflect computer or machine account ticket events from
network devices monitored by Contego that use a ticket-based single-sign-on
system (such as Kerberos or Windows domains). Each alert will reflect the type of
device the logon was intended for along with all other relevant fields.
AuthAudit > MachineAuthAudit > MachineDisable
MachineDisable events occur when a machine account is actively disabled
and/or when an account is forcibly locked out by the operating system or other
authentication connector. These events are usually operating system related and
could reflect a potential issue with a computer or set of computers.
AuthAudit > MachineAuthAudit > MachineEnable
MachineEnable alerts reflect the action of enabling a computer or machine
account. These events are normally OS-related and will trigger when a machine
is 'enabled', normally by a user with administrative privileges.
AuthAudit > MachineAuthAudit > MachineLogoff
MachineLogoff alerts reflect computer or machine account logoff events from
network devices (including network infrastructure devices, where appropriate).
Each alert will reflect the type of device from which the user was logging off.
These alerts are usually normal events but are tracked for consistency and
auditing purposes.
AuthAudit > MachineAuthAudit > MachineLogonFailure
MachineLogonFailure alerts reflect failed computer or machine account logon
events from network devices (including network infrastructure devices, when
appropriate). Each alert will reflect the point on the network where the computer or
machine was attempting logon. In larger quantities, these alerts may reflect a
potential issue with a computer or set of computers, but as individual events they
are generally not a problem.
AuthAudit > MachineAuthAudit > MachineLogon
MachineLogon events reflect computer or machine account logon events from
network devices monitored by Contego (including network infrastructure devices,
when appropriate). Each alert will reflect the type of device that the logon was
intended for along with all other relevant fields. These events are normally
operating system related.
AuthAudit > MachineAuthAudit > MachineModifyAttribute
MachineModifyAttribute events occur when a computer or machine type is
changed. These events are uncommon and usually provided by the operating
system.
AuthAudit > MachineAuthAudit > MachineModifyPrivileges
UserLogon alerts reflect user account logon events from network devices
monitored by Contego (including network infrastructure devices). Each alert will
reflect the type of device that the logon was intended for along with all other
relevant fields.
AuthAudit > UserAuthAudit > UserLogonFailure
UserLogonFailure alerts reflect failed account logon events from network devices
(including network infrastructure devices). Each alert will reflect the point on the
network where the user was attempting logon. In larger quantities, these alerts
may reflect a potential issue with a user or set of users, but as individual events
they are generally not a problem.
With SolarWinds policy, you can configure combinations of this event to escalate
to FailedAuthentication in the Security tree, reflecting the increase in severity of
the event over several occurrences.
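The escalation just described is a threshold correlation rule: several UserLogonFailure alerts for the same account inside a time window produce one higher-severity FailedAuthentication alert. The Python below is an added example written for this page, not code from SolarWinds LEM. The event-type paths are the ones this appendix lists; the field names (DestinationAccount, SourceMachine), the rule shape, the "Security > FailedAuthentication" escalation path and the sample event stream are assumptions constructed for the example. It generalizes beyond UserLogonFailure: a rule can match any node of the taxonomy and all of its children, which is the same threshold mechanism the appendix later mentions for IPTrafficAudit and NamingTrafficAudit traffic.

```python
"""Threshold escalation over a hierarchical event taxonomy.

Added example; not SolarWinds LEM code. Event-type paths follow the
appendix ("AuthAudit > UserAuthAudit > UserLogonFailure"); field names,
rule layout, the escalation path and the sample events are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


def tree_path(event_type: str) -> list:
    """Split 'A > B > C' into its node names, tolerating stray spaces."""
    return [node.strip() for node in event_type.split(">")]


def in_subtree(event_type: str, node: str) -> bool:
    """True if event_type is `node` itself or any descendant of it."""
    want = tree_path(node)
    return tree_path(event_type)[: len(want)] == want


@dataclass
class Event:
    time: int                 # seconds; constructed sample timestamps
    event_type: str           # taxonomy path as written in the appendix
    fields: dict = field(default_factory=dict)


@dataclass
class ThresholdRule:
    """Fire when `count` matching events share the `group_by` values within `window` seconds."""
    name: str
    match_subtree: str
    group_by: tuple
    count: int
    window: int
    escalate_to: str


class Correlator:
    def __init__(self, rules):
        self.rules = rules
        # one sliding window of timestamps per (rule, grouping key)
        self._buckets = defaultdict(deque)

    def feed(self, event: Event) -> list:
        """Process one event; return the escalated events it produced (usually none)."""
        fired = []
        for rule in self.rules:
            if not in_subtree(event.event_type, rule.match_subtree):
                continue
            key = tuple(event.fields.get(f) for f in rule.group_by)
            bucket = self._buckets[(rule.name, key)]
            bucket.append(event.time)
            # discard timestamps that have aged out of the window
            while bucket and event.time - bucket[0] > rule.window:
                bucket.popleft()
            if len(bucket) >= rule.count:
                bucket.clear()  # fire once per burst, then start counting again
                detail = dict(event.fields, rule=rule.name, occurrences=rule.count)
                fired.append(Event(event.time, rule.escalate_to, detail))
        return fired


# Assumed rule: 5 failures for one account from one source within 5 minutes.
# The parent node of FailedAuthentication in the Security tree is an assumption.
FAILED_LOGON_RULE = ThresholdRule(
    name="Repeated user logon failures",
    match_subtree="AuthAudit > UserAuthAudit > UserLogonFailure",
    group_by=("DestinationAccount", "SourceMachine"),
    count=5,
    window=300,
    escalate_to="Security > FailedAuthentication",
)


def sample_events() -> list:
    """Constructed sample stream (not real LEM output)."""
    ulf = "AuthAudit > UserAuthAudit > UserLogonFailure"
    ulog = "AuthAudit > UserAuthAudit > UserLogon"
    mlf = "AuthAudit > MachineAuthAudit > MachineLogonFailure"
    alice = {"DestinationAccount": "alice", "SourceMachine": "ws-17"}
    evs = [Event(t, ulf, dict(alice)) for t in (0, 10, 20, 30)]
    evs.append(Event(35, ulog, dict(alice)))                    # success: not a failure, ignored
    evs.append(Event(40, mlf, {"DestinationAccount": "ws-17$",
                               "SourceMachine": "ws-17"}))       # machine account: other subtree
    evs.append(Event(50, ulf, {"DestinationAccount": "bob",
                               "SourceMachine": "ws-02"}))       # different account: separate count
    evs.append(Event(55, ulf, dict(alice)))                     # fifth alice failure: escalate
    evs.append(Event(900, ulf, dict(alice)))                    # isolated failure outside the window
    return evs


def run_sample() -> list:
    """Feed the sample stream through the correlator and return escalations."""
    corr = Correlator([FAILED_LOGON_RULE])
    fired = []
    for ev in sample_events():
        fired.extend(corr.feed(ev))
    return fired


if __name__ == "__main__":
    for esc in run_sample():
        print(esc.time, esc.event_type, esc.fields)
```

Only the fifth failure for alice from ws-17 escalates; the single success, the machine-account failure, bob's lone failure and the failure fifteen minutes later all stay as individual UserLogonFailure alerts, which matches the appendix's point that these are only a concern in quantity.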
AuthAudit > UserAuthAudit > UserModifyAttribute
UserModifyAttribute events occur when a user type is changed. These events are
uncommon and usually provided by the operating system.
AuthAudit > UserAuthAudit > UserModifyPrivileges
UserModifyPrivileges events are created when a user's privileges are elevated or
demoted based on their logon or activities they are performing. These events are
uncommon.
GeneralAudit
GeneralAudit alerts are generated when a supported product outputs data that
has not yet been normalized into a specific alert, but is known to be audit-related.
MachineAudit
MachineAudit alerts are used to track hardware or software status and
modifications. These events are generally acceptable, but do indicate
modifications to the client system that may be noteworthy.
MachineAudit > SoftwareInstall
SoftwareInstall alerts reflect modifications to the system at a software level,
generally an OS level (or equivalent, in the case of a network infrastructure
device). These alerts are generated when a user updates a system or launches
system-native methods to install third party applications.
MachineAudit > SoftwareInstall > SoftwareUpdate
event the shutdown was unexpected, the event detail will note the information
provided by the connector related to the abnormality.
PolicyAudit
PolicyAudit events are used to track access, modification, scope change, and
creation of authentication, domain, account, and account container policies. Many
of these alerts reflect normal system traffic. Most PolicyAudit alerts are provided
by the Operating System.
PolicyAudit > NewAuthPolicy
NewAuthPolicy alerts occur when a new authorization or authentication package,
process, or logon handler is applied to an item (usually an account or domain). In
the operating system context, these events will often occur on boot as the system
initializes the appropriate authentication policies for itself.
PolicyAudit > PolicyAccess
PolicyAccess alerts reflect all levels of access to policy, mostly targeting domain,
account, access, and logon policy modifications.
PolicyAudit > PolicyAccess > PolicyModify
PolicyModify alerts reflect all types of modifications to contained policies, both at
a local and domain/account container level. In the context of a network
infrastructure device, this would be a modification to access control lists or other
similar policies on the device.
PolicyAudit > PolicyAccess > PolicyModify > DomainPolicyModify
DomainPolicyModify alerts are a specific type of PolicyModify alerts that reflect
changes to domain and account container level policies. These types of policies
are generally related to the operating system. Usually these modifications are
made by a user with administrative privileges, but occasionally these changes
can also be triggered by the local system.
PolicyAudit > PolicyAccess > PolicyScopeChange
PolicyScopeChange alerts are a specific type of PolicyAccess alert that reflect a
new scope or assignment of policy to users, groups, domains, interfaces, or other
items.
In the context of the operating system, these events are usually describing
elevation of user privileges according to predefined policies. The process of this
elevation is considered a scope change as the user is being brought under a new
scope of privileges appropriate to the type of access they are requesting (and
being granted). These events may accompany or precede object or file opens,
including other policies.
PolicyAudit > PolicyAccess > GroupPolicyModify
GroupPolicyModify alerts are specific PolicyAccess alerts used to describe
modifications to account group policies. Usually these modifications are made by
a user with administrative privileges, but occasionally these changes can also be
triggered by the local system.
ResourceAudit
Members of the ResourceAudit tree are used to define different types of access to
network resources. These resources may be network bandwidth/traffic, files, client
processes or services, or other types of shared security-related 'commodities'.
ResourceAudit > FileAudit
FileAudit alerts are used to track file activity on monitored network devices,
usually through the Operating System or a Host-Based IDS. These events will
note success or failure of the requested operation.
ResourceAudit > FileAudit > FileAuditFailure
FileAuditFailure alerts are used to track failed file activity on monitored network
devices, usually through the Operating System or a Host-Based IDS. These
events will note what requested operation failed.
ResourceAudit > FileAudit > FileRead
FileRead is a specific FileAudit alert generated for the operation of reading files
(including reading properties of a file or the status of a file). These alerts may be
produced by any connector that is used to monitor the activity of file usage,
including a Host-Based IDS and some Operating Systems.
ResourceAudit > FileAudit > FileRead > FileExecute
FileExecute is a specific FileRead alert generated for the operation of executing
files. These alerts may be produced by any connector that is used to monitor the
activity of file usage, including a Host-Based IDS and some Operating Systems.
ResourceAudit > FileAudit > FileRead > FileDataRead
FileDataRead is a specific FileRead alert generated for the operation of reading
data from a file (not just properties or status of a file). These alerts may be
produced by any connector that is used to monitor the activity of file usage,
including a Host-Based IDS and some Operating Systems.
ResourceAudit > FileAudit > FileWrite
FileWrite is a specific FileAudit alert generated for the operation of writing to a file
(including writing properties of a file or changing the status of a file). These alerts
may be produced by any connector that is used to monitor the activity of file
usage, including a Host-Based IDS and some operating systems.
ResourceAudit > FileAudit > FileWrite > FileDataWrite
FileDataWrite is a specific FileWrite alert generated for the operation of writing
data to a file (not just properties or status of a file). These alerts may be produced
by any connector that is used to monitor the activity of file usage, including a
Host-Based IDS and some Operating Systems.
ResourceAudit > FileAudit > FileWrite > FileCreate
FileCreate is a specific FileWrite alert generated for the initial creation of a file.
These alerts may be produced by any connector that is used to monitor the
activity of file usage, including a Host-Based IDS and some Operating Systems.
ResourceAudit > FileAudit > FileWrite > FileMove
FileMove is a specific FileWrite alert generated for the operation of moving a file
that already exists. These alerts may be produced by any connector that is used
to monitor the activity of file usage, including a Host-Based IDS and some
Operating Systems.
ResourceAudit > FileAudit > FileWrite > FileDelete
FileDelete is a specific FileWrite alert generated for the deletion of an existing file.
These alerts may be produced by any connector that is used to monitor the
activity of file usage, including a Host-Based IDS and some Operating Systems.
ResourceAudit > FileAudit > FileWrite > FileAttributeChange
FileAttributeChange is a specific FileWrite alert generated for the modification of
file attributes (including properties such as read-only status). These alerts may be
produced by any connector that is used to monitor the activity of file usage,
including a Host-Based IDS and some Operating Systems.
ResourceAudit > FileAudit > FileWrite > FileLink
FileLink is a specific FileWrite alert generated for the creation, deletion, or
modification of links to other files. These alerts may be produced by any
connector that is used to monitor the activity of file usage, including a Host-Based
IDS and some Operating Systems.
ResourceAudit > FileHandleAudit
FileHandleAudit alerts are used to track file handle activity on monitored network
devices, usually through low-level access to the Operating System, either natively
or through a Host-Based IDS. These events will note success or failure of the
requested operation.
ResourceAudit > FileHandleAudit > FileHandleClose
FileHandleClose is a specific FileHandleAudit alert generated for the closing of
file handles. These alerts may be generated by a connector that has low-level file
access, such as an Operating System or some Host-Based IDSs.
ResourceAudit > FileHandleAudit > FileHandleCopy
FileHandleCopy is a specific FileHandleAudit alert generated for the copying of
file handles. These alerts may be generated by a connector that has low-level file
access, such as an Operating System or some Host-Based IDSs.
ResourceAudit > FileHandleAudit > FileHandleOpen
FileHandleOpen is a specific FileHandleAudit alert generated for the opening of
file handles. These alerts may be generated by a connector that has low-level file
access, such as an Operating System or some Host-Based IDSs.
ResourceAudit > FileSystemAudit
FileSystemAudit alerts reflect hardware to filesystem mapping events and usage
of filesystem resources. These events are generally normal system activity,
especially during system boot.
ResourceAudit > FileSystemAudit > MountFileSystem
MountFileSystem alerts are a specific type of FileSystemAudit that reflect the
action of creating an active translation between hardware and a usable filesystem.
These events are generally normal during system boot.
ResourceAudit > FileSystemAudit > UnmountFileSystem
UnmountFileSystem alerts are a specific type of FileSystemAudit that reflect the
action of removing a translation between hardware and a usable filesystem.
These events are generally normal during system shutdown.
ResourceAudit > NetworkAudit
Members of the NetworkAudit tree are used to define events centered on usage of
network resources/bandwidth.
ResourceAudit > NetworkAudit > ConfigurationTrafficAudit
ConfigurationTrafficAudit alerts reflect application-layer data related to
configuration of network resources. Included in ConfigurationTrafficAudit are
protocols such as DHCP, BootP, and SNMP.
ConfigurationTrafficAudit alerts generally indicate normal traffic, however, alerts
of this type could also be symptoms of misconfiguration, inappropriate usage,
attempts to enumerate or access network devices or services, attempts to access
devices that are configured via these services, or other abnormal traffic.
ResourceAudit > NetworkAudit > CoreTrafficAudit
CoreTrafficAudit alerts reflect network traffic sent over core protocols. Events that
are children of CoreTrafficAudit are all related to the TCP, IP, UDP, and ICMP
protocols. Events of this type and its children do not have any application-layer
data.
Events placed in the parent CoreTrafficAudit alert itself are known to be a core
protocol, but are not able to be further categorized based on the message
provided by the connector.
ResourceAudit > NetworkAudit > CoreTrafficAudit > TCPTrafficAudit
TCPTrafficAudit alerts are a specific subset of CoreTrafficAudit alerts where the
protocol is known to be TCP.
TCPTrafficAudit alerts may indicate normal traffic inside the network, normal
traffic pass-through, denied traffic, or other non-application TCP traffic that is not
known to have any immediate attack basis.
ResourceAudit > NetworkAudit > CoreTrafficAudit > IPTrafficAudit
IPTrafficAudit alerts are a specific subset of CoreTrafficAudit alerts where the
protocol is known to be IP.
IPTrafficAudit alerts generally indicate normal traffic, however, alerts of this type
could also be symptoms of spoofs, routing issues, or other abnormal traffic.
Generally, for the abnormal traffic that is appropriate to escalate, a Contego Policy
has been defined to escalate this to an alert in the Security tree based on a
threshold.
ResourceAudit > NetworkAudit > CoreTrafficAudit > UDPTrafficAudit
UDPTrafficAudit alerts are a specific subset of CoreTrafficAudit alerts where the
protocol is known to be UDP.
RoutingTrafficAudit alerts generally indicate normal traffic, however, alerts of this
type could also be symptoms of misconfigured routing, unintended route
configuration, or other abnormal traffic.
ResourceAudit > NetworkAudit > NamingTrafficAudit
NamingTrafficAudit alerts are generated for network events related to the naming
of network resources and nodes, using protocols such as WINS and DNS.
NamingTrafficAudit alerts generally indicate normal traffic, however, alerts of this
type could also be symptoms of inappropriate DNS authority attempts,
misconfiguration of naming services, and other abnormal traffic. In several cases,
for traffic that is appropriate to escalate, a Contego Policy has been defined to
escalate this to an alert in the Security tree based on a threshold.
ResourceAudit > NetworkAudit > FileSystemTrafficAudit
FileSystemTrafficAudit alerts are generated for network events related to requests
for remote filesystems, using protocols such as SMB and NFS.
FileSystemTrafficAudit alerts generally indicate normal traffic for networks that
have remote filesystem resources such as SMB and NFS shares; however, alerts
of this type could also be symptoms of attempts to enumerate shares or services,
misconfiguration of such resources, or other abnormal traffic. For networks that do
not have remote filesystem resources, these alerts will generally indicate
abnormal traffic.
ResourceAudit > NetworkAudit > ApplicationTrafficAudit
ApplicationTrafficAudit alerts reflect network traffic that is mostly or all
application-layer data. Events that are children of ApplicationTrafficAudit are also
related to application-layer resources.
Events placed in the parent ApplicationTrafficAudit alert itself are known to be
application-related, but are not able to be further categorized based on the
message provided by the connector or because they are uncommon and rarely, if
ever, imply network attack potential.
ResourceAudit > NetworkAudit > ApplicationTrafficAudit > EncryptedTraffic
EncryptedTraffic alerts reflect application-layer traffic that has been encrypted and
is intended for a secure host. Included in EncryptedTraffic alerts are client and
server side application events, such as key exchanges, that normally occur after
the low-level session creation and handshaking have completed.
FileTransferTrafficAudit alerts reflect application-layer data related to file retrieval
and send to/from remote hosts. Included in FileTransferTrafficAudit are protocols
such as TFTP and FTP.
FileTransferTrafficAudit alerts generally indicate normal traffic, however, alerts of
this type could also be symptoms of misconfiguration, inappropriate usage,
attempts to enumerate or access file transfer services, attempts to access devices
that require file transfer services for configuration, or other abnormal traffic.
ResourceAudit > NetworkAudit > PointToPointTrafficAudit
PointToPointTrafficAudit alerts reflect application-layer data related to
point-to-point connections between hosts. Included in PointToPointTrafficAudit are
encrypted and unencrypted point-to-point traffic.
ResourceAudit > NetworkAudit > PointToPointTrafficAudit > PPTPTrafficAudit
PPTPTrafficAudit alerts are a specific type of PointToPointTrafficAudit alerts that
reflect application-layer encrypted Point-to-Point Tunneling Protocol activities.
Included in PPTPTrafficAudit alerts are tunnel creation, tunnel deletion, session
creation, and session deletion, among other PPTP-related events.
PPTPTrafficAudit alerts generally indicate normal traffic for networks that have
PPTP-accessible devices on the network; however, alerts of this type could also
be symptoms of inappropriate access, misconfiguration of the PPTP server or
clients, other communications errors, or other abnormal traffic. For networks that
do not have PPTP-accessible devices, these alerts will generally indicate
abnormal traffic.
ResourceAudit > NetworkAudit > RemoteProcedureTrafficAudit
RemoteProcedureTrafficAudit alerts reflect application-layer data related to
remote procedure services. Included in RemoteProcedureTrafficAudit are the
traditional RPC services used to service remote logons and file shares, and other
services which require remote procedure access to complete authentication, pass
data, or otherwise communicate.
RemoteProcedureTrafficAudit alerts generally indicate normal traffic for networks
that have remote procedure services on their network; however, alerts of this type
could also be symptoms of inappropriate access, misconfiguration of the remote
procedure services, errors in the remote procedure calls, or other abnormal traffic.
ResourceAudit > NetworkAudit > RemoteProcedureTrafficAudit >
RPCTrafficAudit
ObjectLink is a specific ObjectAudit alert generated for the creation, deletion, or
modification of links to other objects. These alerts may be produced by any
connector that is used to monitor the activity of file and object usage, including a
Host-Based IDS and some Operating Systems.
ResourceAudit > ProcessAudit
ProcessAudit alerts are generated to track launch, exit, status, and other events
related to system processes. Usually, these events reflect normal system activity.
Process-related activity that may indicate a failure will be noted separately from
normal activity in the alert detail.
ResourceAudit > ProcessAudit > ProcessStop
ProcessStop is a specific type of ProcessAudit alert that indicates a process has
exited. Usually, ProcessStop reflects normal application exit, however in the
event of an unexpected error the abnormal state will be noted.
ResourceAudit > ProcessAudit > ProcessStart
ProcessStart is a specific type of ProcessAudit alert that indicates a new process
has been launched. Usually, ProcessStart reflects normal system activity.
ResourceAudit > ProcessAudit > ProcessWarning
ProcessWarning is a specific type of ProcessAudit alert that indicates a process
has returned a 'Warning' message that is not a fatal error and may not have
triggered an exit of the process.
ResourceAudit > ProcessAudit > ProcessInfo
ProcessInfo is a specific type of ProcessAudit alert that reflects information
related to a process. Most of these events can safely be ignored, as they are
generally normal activity that does not reflect a failure or abnormal state.
ResourceAudit > ServiceAudit
ServiceAudit alerts are generated to track information and other events related to
system components. Usually, these events reflect normal system activity. System
service-related activity that may indicate a failure will be noted separately from
normal activity in the alert detail.
ResourceAudit > ServiceAudit > ServiceInfo
ServiceInfo is a specific type of ServiceAudit alert that reflects information related
to a service. Most of these events can safely be ignored, as they are generally
normal activity that does not reflect a failure or abnormal state.
ResourceAudit > ServiceAudit > ServiceStart
ServiceStart events are a specific type of ServiceAudit alert that indicates a new
system service is starting.
ResourceAudit > ServiceAudit > ServiceStop
ServiceStop events are a specific type of ServiceAudit alert that indicates a
system service is stopping. This activity is generally normal, however, in the event
of an unexpected stop the abnormal state will be noted.
ResourceAudit > ServiceAudit > ServiceWarning
ServiceWarning is a specific type of ServiceAudit alert that indicates a service
has returned a 'Warning' message that is not a fatal error and may not have
triggered an exit of the service.
Incident Events
Incident Events reflect global enterprise-wide issues that should be raised for
system-wide visibility. These alerts generally reflect serious issues that should be
monitored and addressed. They are sub-categorized into different types of
Incident Events that can provide more detailed information.
Because Incident Events are created by Rules, any combination of malicious or
suspicious traffic from any other single alert or combination of alerts can create an
Incident Event.
Each Incident alert is described below. For your convenience, they are listed
alphabetically.
HostIncident
HostIncident alerts reflect global enterprise-wide host system issues that should
be raised for system-wide visibility. These alerts are used to indicate issues on
hosts that should be tracked and addressed, including security and administrative
issues that apply specifically to host-based information.
HybridIncident
HybridIncident alerts reflect global enterprise-wide combined network and host
system issues that should be raised for system-wide visibility. These alerts are
used to indicate the combination of network and host-based issues that should be
tracked and addressed, including security and administrative issues that span
both network and host-based information.
NetworkIncident
NetworkIncident alerts reflect global enterprise-wide network system issues that
should be raised for system-wide visibility. These alerts are used to indicate
network-based issues that should be tracked and addressed, including security
and administrative issues that apply specifically to network-based information.
Internal Events
Events that are a part of the InternalEvent node are related to the operation of the
LEM system. Any events generated by the system relating to Active Response,
Internal users, or Internal errors will appear under one of the many children.
These alerts are for informational purposes and do not necessarily reflect
conditions that should cause alarm. Events that may reflect potential issues within
the system are specifically marked for forwarding to SolarWinds.
Each Internal Event is described below. For your convenience, they are listed
alphabetically.
InternalAudit
InternalAudit alerts reflect attempted accesses and changes to components of the
LEM system by existing SolarWinds users. Both successful and failed attempts
will generate alerts in this part of the tree.
InternalAudit > InternalAuditFailure
InternalAuditFailure is a specific type of InternalAudit alert that indicates failed
audit information. These alerts are generated when a user fails to view or modify
(including creation, update, and deletion) anything within the SolarWinds system.
The alert will include the user, type of access, and item being accessed.
InternalAuditFailure events are uncommon and can indicate an attempted
privilege escalation within the LEM system by unprivileged users.
InternalAudit > InternalAuditSuccess
InternalAuditSuccess is a specific type of InternalAudit alert that indicates
successful audit information. These alerts are generated when a user
successfully views or modifies (including creation, update, and deletion) anything
within the LEM system. The alert will include the user, type of access, and item
being accessed.
InternalCommands
InternalCommands alerts are only used internally with few exceptions. These
alerts are used for sending Commands through the system to complete active
responses.
Events of the InternalFailure family providing more information will be generated
in addition to this event if the event is serious.
InternalInfo
Events within the InternalInfo family are related to events that are happening
within the system. Generally, these informational alerts are confirming or reporting
normal activity such as user updates, user logons, policy updates, and Agent
connection-related events.
InternalInfo > InternalAgentOffline
InternalAgentOffline alerts reflect detection of disconnection of an Agent from its
Manager. These alerts will happen when the Manager has detected that the
Agent closed the connection, whether that be due to network downtime on the
Agent side or due to a shutdown of the Agent service.
InternalInfo > InternalAgentOnline
InternalAgentOnline alerts reflect successful connection of Agents to their
respective Managers. These alerts will happen when an Agent initiates
successful communication with the Manager, whether that follows network
downtime of the Manager or Agent or an update of the Agent in question.
InternalInfo > InternalDuplicateConnection
InternalDuplicateConnection alerts occur when an Agent has attempted to
connect to their given Manager more than once. Usually these alerts are triggered
by network issues on the Agent end, due to a possible asynchronous
disconnection detection (for example, the Manager was not able to detect the
Agent went offline, but the Agent service was restarted).
Usually this issue can be resolved by stopping the Agent service, waiting for the
InternalAgentOffline alert, and then restarting the Agent service.
InternalInfo > InternalInvalidConnection
InternalInvalidConnection alerts occur when an Agent that the Manager
recognizes, but cannot communicate with, attempts to connect. These alerts
usually reflect Agents that are missing an update that has already been applied to
the Manager.
Please ensure that the indicated Agent has been upgraded to the same release
version of the system that is installed on your Manager. If this alert persists,
uninstall and reinstall the Agent triggering the alert. This will force the Agent to
re-initialize its connection to the Manager.
InternalToolOnline alerts reflect successful startup of an Internal Tool. These
alerts are generated after a connector has successfully created a log file reader
and has begun the reading process. Generally, an error in an attempt to start a
connector will produce an alert from the InternalFailure family providing more
information.
InternalInfo > InternalUnknownAgent
InternalUnknownAgent alerts occur when an Agent that the Manager does not
recognize has attempted to connect. Commonly, this alert is caused by removing
the Agent from the Console before removing the Agent service on the client.
These alerts may also be triggered during an upgrade process; in that case, they
may reflect Agents that have not yet been brought up to date.
Usually this issue can be resolved by uninstalling and reinstalling the Agent
triggering the alert. This will force the Agent to re-initialize its connection to the
Manager.
InternalInfo > InternalUnsupportedAgent
InternalUnsupportedAgent alerts are generated when a valid Agent connects but
has not been upgraded to the same release version as the Manager. The Agent in
question failed to properly negotiate its connection or respond to a query and has
been assumed to be missing a feature required of it. Please ensure that the
indicated Agent has been upgraded to the same release version of SolarWinds
that is installed on your Manager. If this alert persists, uninstall and reinstall the
Agent triggering the alert; this will force the Agent to re-initialize its connection to
the Manager.
InternalInfo > InternalUserLogoff
InternalUserLogoff alerts are generated when a user logs off or is disconnected
from the Console.
InternalInfo > InternalUserLogon
InternalUserLogon alerts are generated when a user successfully completes the logon process to a Manager via the Console. Failed logon attempts produce a separate alert, InternalUserLogonFailure.
InternalInfo > InternalUserLogonFailure
InternalUserLogonFailure alerts are generated when a user has completed
initialization of a connection to the Console, but enters an incorrect user name
and/or password.
InternalInfo > InternalUserUpdate
InternalUserUpdate alerts are generated when a user is modified and the update
has successfully been sent to the Manager, or when the update has failed to
apply. These updates include change or addition of an email address, change or
addition of a pager, and change or addition of blocked alerts from selected
Agents. Generally, an error in updating a user will also produce an alert from the
InternalFailure family.
InternalPolicy
InternalPolicy alerts reflect information related to correlation rules. These alerts
are used to indicate that a rule has been triggered, either in test mode or in normal
operating conditions.
InternalPolicy > InternalTestRule
InternalTestRule alerts reflect rule activity where a correlation rule has triggered
and is set in Test mode. It indicates the trigger of the rule and includes an
enumeration of what actions would take place, if any, if the rule were fully
enabled. To remove a rule from Test mode, clear the Test checkbox for the Rule
in the Rule Builder.
InternalPolicy > InternalRuleFired
InternalRuleFired alerts reflect rule activity, specifically where a correlation rule
has triggered. It indicates the trigger of the rule and includes an enumeration of
what actions were triggered in response to the correlation.
Security Events
Events that are a part of the SecurityEvent node are generally related to network
activity that is consistent with an internal or external attack, a misuse or abuse of
resources, a resource compromise, resource probing, or other abnormal traffic
that is noteworthy.
Security Event events indicate aggressive behavior that may lead to an attack or
resource compromise, or suspicious behavior that may indicate unauthorized
information gathering. LEM infers some Security Events from what is normally
considered audit traffic, but it escalates the events to alert status based on
thresholds that are defined by Rules.
Each Security Event is described below. For your convenience, they are listed
alphabetically.
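As an added illustration (example code, not LEM's own implementation) of the threshold-based escalation described above and of the Test-mode distinction between InternalTestRule and InternalRuleFired: a small correlation rule that counts InternalUserLogonFailure events per user inside a sliding window and, once the threshold is reached, either enumerates the actions it would run (Test mode) or runs them. The event fields, action names, window and threshold are this example's assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Event:
    node: str        # event name as listed in this appendix
    time: float      # seconds (constructed values below)
    fields: dict


# Action registry: the names are what a Test-mode alert enumerates; the
# callables are what a fully enabled rule runs. Both are stand-ins assumed
# by this example, not LEM's action set.
ACTIONS = {
    "email_admin": lambda ev: f"emailed admin about {ev.fields['user']}",
    "disable_account": lambda ev: f"disabled {ev.fields['user']}",
}


@dataclass
class ThresholdRule:
    name: str
    match_node: str      # event type the rule watches
    group_by: str        # field whose value defines the counting key
    threshold: int       # hits per key needed to trigger
    window: float        # seconds
    actions: list        # names from ACTIONS
    test_mode: bool = False
    _seen: dict = field(default_factory=lambda: defaultdict(deque))

    def feed(self, ev):
        """Feed one event; return the InternalPolicy alert if the rule triggers."""
        if ev.node != self.match_node:
            return None
        key = ev.fields.get(self.group_by)
        hits = self._seen[key]
        hits.append(ev.time)
        # drop hits that have fallen out of the sliding window
        while hits and ev.time - hits[0] > self.window:
            hits.popleft()
        if len(hits) < self.threshold:
            return None
        hits.clear()  # one alert per burst, then start counting again
        base = {"rule": self.name, self.group_by: key, "count": self.threshold}
        if self.test_mode:
            # Test mode: enumerate what would run, execute nothing
            return Event("InternalTestRule", ev.time,
                         dict(base, would_run=list(self.actions)))
        ran = [ACTIONS[a](ev) for a in self.actions]
        return Event("InternalRuleFired", ev.time, dict(base, ran=ran))


def run_rule(rule, events):
    """Replay events in time order; return the policy alerts produced."""
    out = []
    for ev in sorted(events, key=lambda e: e.time):
        alert = rule.feed(ev)
        if alert:
            out.append(alert)
    return out


# Constructed audit events: alice fails three times within a minute and once
# more later; bob fails twice, too far apart to count.
SAMPLE = [
    Event("InternalUserLogonFailure", 1000, {"user": "alice", "src": "10.0.0.5"}),
    Event("InternalUserLogonFailure", 1010, {"user": "bob", "src": "10.0.0.9"}),
    Event("InternalUserLogonFailure", 1020, {"user": "alice", "src": "10.0.0.5"}),
    Event("InternalUserLogon", 1025, {"user": "carol", "src": "10.0.0.7"}),
    Event("InternalUserLogonFailure", 1030, {"user": "alice", "src": "10.0.0.5"}),
    Event("InternalUserLogonFailure", 1200, {"user": "bob", "src": "10.0.0.9"}),
    Event("InternalUserLogonFailure", 1300, {"user": "alice", "src": "10.0.0.5"}),
]


def make_rule(test_mode):
    """Three Console logon failures for one user within 60 seconds."""
    return ThresholdRule("Console brute force", "InternalUserLogonFailure",
                         "user", 3, 60.0, ["email_admin", "disable_account"],
                         test_mode=test_mode)


if __name__ == "__main__":
    for alert in run_rule(make_rule(test_mode=True), SAMPLE):
        print(alert.node, alert.fields)
    for alert in run_rule(make_rule(test_mode=False), SAMPLE):
        print(alert.node, alert.fields)
```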
AttackBehavior
Events that are children of AttackBehavior are generally related to network activity
that may be consistent with an attack, misuse or abuse of resources, a resource
compromise, or other abnormal behavior that should be considered indicative of a
serious security event.
AttackBehavior > InferredAttack
InferredAttack alerts are reserved AttackBehavior alerts used for describing
attacks that are a composite of different types of alerts. These events will be
defined and inferred by Contego Policy.
AttackBehavior > ResourceAttack
Members of the ResourceAttack tree are used to define different types of
malicious or abusive access to network resources, where these resources may be
network bandwidth/traffic, files, client processes or services, or other types of
shared security-related 'commodities'.
AttackBehavior > ResourceAttack > NetworkAttack
Members of the NetworkAttack tree are used to define events centered on
malicious or abusive usage of network bandwidth/traffic. These events include
access to network resources, relaying attacks via network resources, or denial of
service behavior on network resources.
AttackBehavior > ResourceAttack > NetworkAttack > Access
Children of the Access tree define events centered on malicious or abusive usage
of network bandwidth/traffic where the intention, or the result, is inappropriate or
abusive access to network resources.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
ApplicationAccess alerts reflect malicious or abusive usage of network resources
where the intention, or the result, is gaining access to resources where the related
data is mostly or all application-layer. Generally, ApplicationAccess alerts will
reflect attempted exploitation of weaknesses in server or client software, or
information that is restricted/prohibited by device access control or policy.
These alerts are generally provided by network-based intrusion detection
systems; in some cases, network infrastructure devices such as firewalls or proxy
servers may also provide them.
Events placed in the parent ApplicationAccess alert itself are known to be
application-related but cannot be further categorized, either because the message
provided by the connector does not allow it or because they are uncommon.
connecting), applying updates or patches to file transfer servers and/or clients, or
the possible removal of the file transfer service or client application related to this
event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> FileTransferAccess > FTPInvalidFormatAccess
FTPInvalidFormatAccess alerts reflect malicious or abusive usage of network
resources where the intention, or the result, is gaining access to resources via
application-layer file transfer traffic. Generally, these alerts will reflect attempted
exploitation of weaknesses in file transfer server or client software with the intent
of information gathering or low-level access to the server or client. These attacks
are always abnormal traffic that the file transfer server or client is not prepared to
respond to; attacks, such as buffer overflows, may also result in the server or
client software or system being halted.
These alerts are generally provided by network-based intrusion detection
systems, the file transfer server, or the client software itself. Appropriate response
to these alerts may entail better access control of file transfer servers (e.g.
restriction by IP address and/or user name to ensure only trusted clients are
connecting), applying updates or patches to file transfer servers and/or clients, or
the possible removal of the file transfer service or client application related to this
event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> FileTransferAccess > FTPCommandAccess
FTPCommandAccess alerts reflect malicious or abusive usage of network
resources where the intention, or the result, is gaining access to resources via
application-layer file transfer traffic. Generally, these alerts will reflect attempted
exploitation of weaknesses in file transfer server software with the intent of
information gathering or low-level access to the server or client. These attacks are
always abnormal command traffic that the file transfer server is not prepared to
respond to, but may provide access to (e.g. debug or legacy commands).
These alerts are generally provided by network-based intrusion detection
systems, the file transfer server, or the client software itself. Appropriate response
to these alerts may entail better access control of file transfer servers (e.g.
restriction by IP address and/or user name to ensure only trusted clients are
connecting), applying updates or patches to file transfer servers and/or clients,
restriction of allowed commands, or the possible removal of the file transfer
service or client application related to this event.
may entail better access control of the SMTP server (e.g. restriction by IP address
and/or user name to ensure only trusted clients are connecting, especially for
SMTP servers that relay mail for external/remote entities), applying updates or
patches to SMTP servers, or the possible removal of the SMTP server related to
this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> MailAccess > MailTransferAccess > SMTPInvalidFormatAccess > SmailAccess
SmailAccess alerts reflect malicious or abusive usage of network resources
where the intention, or the result, is gaining access to resources via
application-layer mail transfer traffic. Generally, these alerts will reflect attempted
exploitation of weaknesses in SMTP server software with the intent of information
gathering or low-level access to the server. These attacks are always abnormal
traffic that the SMTP server is not prepared to respond to; they may also result in
the server software or system being halted. The smail attack specifically attempts
to execute applications, resulting in compromise of the SMTP server system.
These alerts are generally provided by network-based intrusion detection
systems, or the SMTP server software itself. Appropriate response to these alerts
may entail better access control of the SMTP server (e.g. restriction by IP address
and/or user name to ensure only trusted clients are connecting, especially for
SMTP servers that relay mail for external/remote entities), applying updates or
patches to SMTP servers, or the possible removal of the SMTP server related to
this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> MailAccess > MailTransferAccess > SMTPCommandAccess
SMTPCommandAccess alerts reflect malicious or abusive usage of network
resources where the intention, or the result, is gaining access to resources via
application-layer mail transfer traffic. Generally, these alerts will reflect attempted
exploitation of weaknesses in SMTP server software with the intent of information
gathering or low-level access to the server. These attacks are always abnormal
command traffic that the SMTP server is not prepared to respond to, but may
provide access to (e.g. debug or legacy commands).
These alerts are generally provided by network-based intrusion detection
systems, or the SMTP server software itself. Appropriate response to these alerts
may entail better access control of the SMTP server (e.g. restriction by IP address
and/or user name to ensure only trusted clients are connecting, especially for
SMTP servers that relay mail for external/remote entities), applying updates or
These alerts are generally provided by network-based intrusion detection
systems, or the mail service itself. Appropriate response to these alerts may entail
better access control of mail services or servers (e.g. restriction by IP address
and/or user name to ensure only trusted clients are connecting), applying updates
or patches to the mail service, or the possible removal of the mail service related
to this event. Generally, the most appropriate response will be updates or patches
that can be retrieved from the Majordomo web site
(http://www.greatcircle.com/majordomo) or your operating system vendor.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> NewsAccess
NewsAccess alerts reflect malicious or abusive usage of network resources
where the intention, or the result, is gaining access to resources via
application-layer news traffic (over protocols such as NNTP). Generally, these
alerts will reflect attempted exploitation of weaknesses in the news server or
client software.
These alerts are generally provided by network-based intrusion detection
systems, the news server, or the client software itself. Appropriate response to
these alerts may entail better access control of news servers (e.g. restriction by IP
address and/or user name to ensure only trusted clients are connecting), applying
updates or patches to news servers and/or clients, or the possible removal of the
news service or client application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> PrinterAccess
PrinterAccess alerts reflect malicious or abusive usage of network resources
where the intention, or the result, is gaining access to resources via
application-layer remote printer traffic. Generally, these alerts will reflect
attempted exploitation of weaknesses in the remote printer server or client
software.
These alerts are generally provided by network-based intrusion detection
systems, the remote printer server, or the client software itself. Appropriate
response to these alerts may entail better access control of remote printer servers
(e.g. restriction by IP address and/or user name to ensure only trusted clients are
connecting), applying updates or patches to remote printer servers and/or clients,
or the possible removal of the remote printer service or client application related
to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> WebAccess
these alerts may entail applying updates or patches to web client software, or
restriction of incoming/outgoing web requests/responses to reflect the abusive
access.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> WebAccess > HTTPClientAccess > ProhibitedHTTPControlAccess
ProhibitedHTTPControlAccess alerts reflect malicious or abusive usage of
network resources where the intention, or the result, is gaining access to
resources via application-layer WWW traffic in which the information flow is from
server to client. Generally, these alerts will reflect attempted exploitation of
weaknesses in the client software or abuse and/or misuse of resources from
clients through client controls such as ActiveX and Java.
These alerts are generally provided by network-based intrusion detection
systems, the web client software itself, proxy servers, content filters, and/or
firewalls with capability to monitor incoming web traffic. Appropriate response to
these alerts may entail applying updates or patches to web client software, or
restriction of incoming/outgoing web requests/responses to reflect inappropriate
or abusive access.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> WebAccess > HTTPServerAccess
HTTPServerAccess alerts reflect malicious or abusive usage of network
resources where the intention, or the result, is gaining access to resources via
application-layer WWW traffic where the information flow is from client to server.
Generally, these alerts will reflect attempted exploitation of weaknesses in the
server software or abuse and/or misuse of server resources.
These alerts are generally provided by network-based intrusion detection
systems, the web server or service software itself, and/or firewalls with the
capability to monitor incoming/outgoing web traffic. Appropriate response to these
alerts may entail better access control of web servers (e.g. restriction by IP
address and/or user name to ensure only trusted clients are connecting), applying
updates or patches to web servers, services, and/or clients, or the possible
removal of the web service or client application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> WebAccess > HTTPServerAccess > HTTPApplicationAccess
HTTPApplicationAccess alerts reflect malicious or abusive usage of network
resources where the intention, or the result, is gaining access to resources via
application-layer WWW traffic in which the information flow is from client to server.
These alerts are generally provided by network-based intrusion detection
systems, the web server, the service software itself, and/or firewalls with
capability to monitor incoming/outgoing web traffic. Appropriate response to these
alerts may entail better access control of web servers or the service itself (e.g.
restriction by IP address and/or user name to ensure only trusted clients are
connecting), applying updates or patches to web servers, services, dynamic
content, and/or clients, or the possible removal of the web service application or
dynamic content related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> WebAccess > HTTPServerAccess > HTTPApplicationAccess >
HTTPFileRequestAccess
HTTPFileRequestAccess alerts reflect malicious or abusive usage of network
resources where the intention, or the result, is gaining access to resources via
application-layer WWW traffic in which the information flow is from client to server.
Generally, these alerts will reflect attempted exploitation of weaknesses in
applications running on top of server software that are related to remote
administration of sites, services, and/or systems with the intent of information
gathering or low-level filesystem access of the server or client.
These alerts are generally provided by network-based intrusion detection
systems, the web server, the service software itself, and/or firewalls with
capability to monitor incoming/outgoing web traffic. Appropriate response to these
alerts may entail better access control of web servers or the service itself (e.g.
restriction by IP address and/or user name to ensure only trusted clients are
connecting), applying updates or patches to web servers, services, and/or clients,
or the possible removal of the web service application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> WebAccess > HTTPServerAccess > HTTPApplicationAccess >
HTTPServiceAccess
HTTPServiceAccess alerts reflect malicious or abusive usage of network
resources where the intention, or the result, is gaining access to resources via
application-layer WWW traffic in which the information flow is from client to server.
Generally, these alerts will reflect attempted exploitation of weaknesses in
applications running on top of server software that are related to remote services
such as printing or console access.
These alerts are generally provided by network-based intrusion detection
systems, the web server, the service software itself, and/or firewalls with
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> RemoteConsoleAccess
RemoteConsoleAccess alerts reflect malicious or abusive usage of network
resources where the intention, or the result, is gaining access to resources via
application-layer remote console service traffic (services such as telnet, SSH, and
terminal services). Generally, these alerts will reflect attempted exploitation of
weaknesses in the remote console server or client software.
These alerts are generally provided by network-based intrusion detection
systems, the remote console server, or the client software itself. Appropriate
response to these alerts may entail better access control of remote console
servers (e.g. restriction by IP address and/or user name to ensure only trusted
clients are connecting), applying updates or patches to remote console servers
and/or clients, or the possible removal of the remote console service or client
application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> TimeAccess
TimeAccess alerts reflect malicious or abusive usage of network resources where
the intention, or the result, is gaining access to resources via application-layer
remote time service traffic (using protocols such as NTP). Generally, these alerts
will reflect attempted exploitation of weaknesses in the remote time server or
client software.
These alerts are generally provided by network-based intrusion detection
systems, the time server, or client software itself. Appropriate response to these
alerts may entail better access control of remote time servers (e.g. restriction by IP
address and/or user name to ensure only trusted clients are connecting), applying
updates or patches to remote time servers and/or clients, or the possible removal
of the remote time service or client application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access >
ConfigurationAccess
ConfigurationAccess alerts reflect malicious or abusive usage of network
resources where the intention, or the result, is gaining access to resources via
resource configuration traffic (using protocols such as DHCP, BootP, and SNMP).
Generally, these alerts will reflect attempted exploitation of weaknesses in the
configuration server or client software or attempts to gain system-level access to
configuration servers themselves. In the case of SNMP and similar configuration
another device or connector detects it). This is one type of what is commonly
referred to as a man-in-the-middle attack.
These alerts are generally provided by network-based intrusion detection
systems and network infrastructure devices such as firewalls or routers.
Appropriate response to these alerts may entail blocking or resetting the local or
remote user's connection/IP address, updates to network infrastructure devices, or
restriction of incoming/outgoing ICMP redirect requests/responses to reflect
inappropriate or abusive access. Appropriate methods of preventing ICMP
redirect attacks are to limit the hosts that may send ICMP Redirects across
network devices to the legitimate routers and gateways, to limit ingress and
egress ICMP traffic, and to make sure that clients, servers, and network
infrastructure devices are current with regard to operating system and other
networking software, so that other attacks related to ICMP Redirect attacks of
this type (such as denial of service attacks) do not occur.
AttackBehavior > ResourceAttack > NetworkAttack > Access > CoreAccess >
IPFragmentationAccess
IPFragmentationAccess alerts reflect a specific type of CoreAccess alert where
the attack traffic is all IP and the intent is to slip possibly malicious or abusive
data past an IDS or other detection device by using many IP fragments (usually
either much larger or smaller than normal fragments). The network infrastructure
devices handling the traffic will reassemble and pass on the traffic correctly;
however, an IDS on the network may not be able to detect the malicious traffic,
only the presence of fragments (if even that). The attack may be allowed to pass
through the network either incoming or outgoing, thereby eliminating one line of
defense. Normal IP fragmentation (data that has been taken apart because it is
too large based on network parameters) should not trigger an
IPFragmentationAccess alert.
Fragmentation alerts themselves are generally provided by network-based
intrusion detection systems and network infrastructure devices such as firewalls
or routers. Appropriate response to these alerts may entail blocking or resetting
the local or remote user's connection/IP address, applying updates or patches to
server and/or client software (especially the IDS), updates to network
infrastructure devices, or restriction of incoming/outgoing network
requests/responses to reflect inappropriate or abusive access.
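An added example (not LEM code) of the distinction the IPFragmentationAccess entry draws: a checker over constructed fragment records that leaves ordinary MTU-driven fragmentation alone and flags datagrams built from abnormally small fragments, from an excessive number of fragments, or from a fragment that would overrun the maximum datagram size. The record layout, byte-based offsets and all thresholds are assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ident: int       # IP identification field shared by one datagram's fragments
    offset: int      # fragment offset in bytes (assumed pre-converted from 8-byte units)
    length: int      # payload bytes carried by this fragment
    more: bool       # "more fragments" flag


# Assumed tuning: a 1500-byte MTU gives 1480-byte fragment payloads; non-final
# fragments far smaller than that, or very many of them, are not MTU-driven.
TYPICAL = 1480
MIN_NONFINAL = 64      # non-final fragments this small carry almost no data
MAX_FRAGMENTS = 64     # more pieces than this for one datagram is abnormal
MAX_DATAGRAM = 65535   # IP total length limit


def analyze(fragments):
    """Group fragments per datagram and return a list of findings (dicts)."""
    groups = defaultdict(list)
    for f in fragments:
        groups[(f.src, f.dst, f.ident)].append(f)
    findings = []
    for (src, dst, ident), frags in groups.items():
        frags.sort(key=lambda f: f.offset)
        reasons = []
        nonfinal = [f for f in frags if f.more]
        tiny = [f for f in nonfinal if f.length < MIN_NONFINAL]
        if tiny:
            reasons.append(f"{len(tiny)} non-final fragments under {MIN_NONFINAL} bytes")
        if len(frags) > MAX_FRAGMENTS:
            reasons.append(f"{len(frags)} fragments for one datagram")
        # a host fragmenting for an MTU emits uniform non-final fragments
        sizes = {f.length for f in nonfinal}
        if len(sizes) > 1:
            reasons.append("non-final fragment sizes vary: "
                           + ",".join(map(str, sorted(sizes))))
        # a fragment that would push the datagram past the IP limit is malformed
        if any(f.offset + f.length > MAX_DATAGRAM for f in frags):
            reasons.append("fragment extends beyond maximum datagram size")
        if reasons:
            findings.append({"src": src, "dst": dst, "id": ident,
                             "event": "IPFragmentationAccess", "reasons": reasons})
    return findings


def normal(src, dst, ident, total, payload=TYPICAL):
    """Build the fragment set a host emits for an ordinary oversized datagram."""
    out, off = [], 0
    while off < total:
        n = min(payload, total - off)
        out.append(Fragment(src, dst, ident, off, n, off + n < total))
        off += n
    return out


# Constructed traffic: one benign 3460-byte datagram, one datagram sliced into
# 8-byte pieces, and one whose last fragment overruns the datagram limit.
SAMPLE = (
    normal("10.0.0.5", "10.0.0.20", 1, 3460)
    + [Fragment("203.0.113.9", "10.0.0.20", 7, i * 8, 8, True) for i in range(12)]
    + [Fragment("203.0.113.9", "10.0.0.20", 7, 96, 40, False)]
    + [Fragment("198.51.100.4", "10.0.0.20", 9, 0, 1480, True),
       Fragment("198.51.100.4", "10.0.0.20", 9, 65528, 100, False)]
)

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```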
AttackBehavior > ResourceAttack > NetworkAttack > Access > CoreAccess >
IPSourceRouteAccess
These alerts are generally provided by network-based intrusion detection
systems and network infrastructure devices such as firewalls or routers.
Response to IP Spoofing is difficult, as the originating host may be alternating
spoofed hostnames or IP addresses in order to continually circumvent detection.
Initial appropriate response to these alerts may entail blocking or resetting the
local or remote user's connection/IP address; however, this may prove ineffective
or unrealistic. Other responses may include applying updates or patches to server
and/or client software, updates to network infrastructure devices, or restriction of
incoming/outgoing network requests/responses to reflect inappropriate or abusive
access. Unfortunately, it may prove difficult to derail an attempted attack through
IP Spoofing; however, routing and firewalling policies should prevent further
access through spoofed addresses.
AttackBehavior > ResourceAttack > NetworkAttack > Access > CoreAccess >
TCPHijackAccess
TCPHijackAccess alerts reflect a specific type of CoreAccess alert where the
attack traffic is all TCP and the intent is to hijack a user's connection. TCP
Hijacking is done with the intent to take over another network user's connection
by sending malformed packets to 'confuse' the server into thinking that the new
user is the original user. In doing so, the original user gets removed from his
connection to the server and the new user has injected himself, taking over all
attributes the server assumed from the original - including levels of security and/or
trust. TCP Hijacking can be used to place future attack connectors on client
systems, gather information about networks and/or client systems, immediately
attack internal networks, or other malicious and/or abusive behavior.
These alerts are generally provided by network-based intrusion detection
systems; in some cases, network infrastructure devices such as firewalls or
routers may also provide them. Appropriate response to these alerts may entail
blocking or resetting the remote hijacker's connection/IP address, applying
updates or patches to server and/or client software, updates to network
infrastructure devices, or restriction of incoming/outgoing network
requests/responses to reflect inappropriate or abusive access.
AttackBehavior > ResourceAttack > NetworkAttack > Access > CoreAccess >
TCPTunnelingAccess
TCPTunnelingAccess alerts reflect a specific type of CoreAccess alert where the
attack traffic is all TCP and the intent is to tunnel a possible malicious or abusive
connection through other TCP traffic. TCP tunneling uses permitted TCP traffic to
bypass access policies on network devices, content filtering, monitoring, and
These alerts are generally provided by network-based intrusion detection
systems, the remote filesystem server, or the client software itself. Appropriate
response to these alerts may entail better access control of remote filesystems
(e.g. restriction by IP address and/or user name to ensure only trusted clients are
connecting), applying updates or patches to remote filesystem servers and/or
clients, or the possible removal of the remote filesystem service or client
application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > FileSystemAccess
> SMBAccess
SMBAccess alerts are a specific type of FileSystemAccess alert that reflects
malicious or abusive usage of network resources where the intention, or the
result, is gaining access to resources via SMB (server message block) remote
filesystem traffic. Generally, these alerts will reflect attempted exploitation of
weaknesses in the SMB server or client software or attempts to gain system-level
access to SMB servers themselves.
These alerts are generally provided by network-based intrusion detection
systems, the remote filesystem server, or the client software itself. Appropriate
response to these alerts may entail better access control of remote filesystems
(e.g. restriction by IP address and/or user name to ensure only trusted clients are
connecting), applying updates or patches to remote filesystem servers and/or
clients, or the possible removal of the remote filesystem service or client
application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access >
LinkControlAccess
LinkControlAccess alerts reflect malicious or abusive usage of network resources
where the intention, or the result, is gaining access to resources where the related
data is low-level link control (using protocols such as ARP). Generally,
LinkControlAccess alerts will reflect attempted exploitation of weaknesses in
switching devices by usage of malformed incoming or outgoing data, with intent to
enumerate or gain access to or through switching devices, clients that are also on
the switching device, and entire networks attached to the switching device. In
some cases, a managed switch with restrictions on port analyzing activity may be
forced into an unmanaged switch with no restrictions - allowing a malicious client
to sniff traffic and enumerate or attack.
These alerts are generally provided by network-based intrusion detection
systems and network infrastructure devices with link level control (such as
resetting the local or remote user's connection/IP address, applying updates or
patches to server and/or client software, updates to network infrastructure
devices, or restriction of incoming/outgoing PPTP traffic requests/responses to
reflect inappropriate or abusive access.
AttackBehavior > ResourceAttack > NetworkAttack > Access >
RemoteProcedureAccess
RemoteProcedureAccess alerts reflect malicious or abusive usage of network
resources where the intention, or the result, is gaining access to resources via
remote procedure call traffic (using protocols such as the traditional RPC
services, RMI, and CORBA). Generally, these alerts will reflect attempted
exploitation of weaknesses in the remote procedure server or client software or
attempts to gain system-level access to remote procedure servers themselves.
These alerts are generally provided by network-based intrusion detection
systems, the remote procedure server, or the client software itself. Appropriate
response to these alerts may entail better access control of remote procedure
servers (e.g. restriction by IP address and/or user name to ensure only trusted
clients are connecting), applying updates or patches to remote procedure servers
and/or clients, or the possible removal of the remote procedure service or client
application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access >
RemoteProcedureAccess > RPCPortmapperAccess
RPCPortmapperAccess alerts reflect malicious or abusive usage of network
resources where the intention, or the result, is gaining access to resources via
remote procedure call traffic using the traditional RPC portmapper service.
Generally, these alerts will reflect attempted exploitation of weaknesses in the
remote procedure server or client software or attempts to gain system-level
access to remote procedure servers themselves.
These alerts are generally provided by network-based intrusion detection
systems, the remote procedure server, or the client software itself. Appropriate
response to these alerts may entail better access control of remote procedure
servers (e.g. restriction by IP address and/or user name to ensure only trusted
clients are connecting), applying updates or patches to remote procedure servers
and/or clients, or the possible removal of the remote procedure service or client
application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > RoutingAccess
TrojanTrafficAccess alerts reflect malicious or abusive usage of network
resources where the intention, or the result, is gaining access to resources
through malicious code commonly known as a Trojan Horse. This alert detects
the communication related to Trojans over the network (generally, 'trojaned'
clients calling home to the originator). Trojans are generally executables that
require no user intervention to spread; they contain malicious code that is placed
on the client system and used to exploit the client (and return access to the
originator of the attack) or to exploit other clients (as in distributed denial of
service attacks).
These alerts are generally provided by a virus scanner, a network-based intrusion
detection system, or in some cases, the operating system or network infrastructure
devices such as firewalls and routers. Appropriate response to these alerts may
entail a quarantine of the node from the network to prevent internal attacks and
further compromise of the client system, updates of virus scanner pattern files on
this and other network nodes to prevent future or further infection, virus scans on
this and other network nodes to detect further infection if any has taken place, and
research into the offending Trojan to find out methods of removal (if necessary).
AttackBehavior > ResourceAttack > NetworkAttack > Access >
TrojanTrafficAccess > TrojanCommandAccess
TrojanCommandAccess alerts reflect malicious or abusive usage of network
resources where the intention, or the result, is gaining access to resources
through malicious code commonly known as Trojan Horses. This alert detects the
communication related to Trojans sending commands over the network (infecting
other clients, participating in a denial of service activity, being controlled remotely
by the originator, etc.). Trojans are generally executables that require no user
intervention to spread and contain malicious code that is placed on the client
system and used to exploit the client (and return access to the originator of the
attack) or to exploit other clients (used in attacks such as distributed denial of
service attacks).
These alerts are generally provided by a virus scanner, a network-based intrusion
detection system, or in some cases, the operating system or network infrastructure
devices such as firewalls and routers. Appropriate response to these alerts may
entail a quarantine of the node from the network to prevent internal attacks and
further compromise of the client system, updates of virus scanner pattern files on
this and other network nodes to prevent future or further infection, virus scans on
this and other network nodes to detect further infection if any has taken place, and
research into the offending Trojan to find out methods of removal (if necessary).
AttackBehavior > ResourceAttack > NetworkAttack > Denial
Children of the Denial tree define events centered on malicious or abusive usage
of network bandwidth/traffic where the intention, or the result, is inappropriate or
abusive access to network resources through a denial of service attack.
These alerts are generally provided by network-based intrusion detection
systems, but may also be provided by firewalls or other network infrastructure
devices.
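Every entry in this appendix is named by its path in the event tree, and a rule or filter written against an inner node such as Denial is meant to cover all of that node's children. The following added example (not code from the LEM product) shows one way to build that tree from the path strings and to decide whether a given event type falls under a rule node; the path list is a constructed subset of the paths printed in this appendix, and the count_by_rule helper is an illustration rather than a product feature.

```python
"""Event-type taxonomy lookup.

Added example, not code from the LEM product. Builds the event tree from
"A > B > C" path strings and answers "does this event type fall under that
node?", which is what a rule written against an inner node needs.
"""
from __future__ import annotations

from dataclasses import dataclass, field

SEP = " > "


@dataclass
class Node:
    name: str
    parent: Node | None = None
    children: dict = field(default_factory=dict)


class Taxonomy:
    def __init__(self) -> None:
        self.roots: dict = {}
        self.by_name: dict = {}   # node name -> Node (names are unique in the appendix)

    def add_path(self, path: str) -> Node:
        """Insert one "A > B > C" path, creating any missing nodes."""
        node = None
        for part in (p.strip() for p in path.split(SEP)):
            table = self.roots if node is None else node.children
            child = table.get(part)
            if child is None:
                if part in self.by_name:
                    raise ValueError(f"node name used in two places: {part}")
                child = Node(part, node)
                table[part] = child
                self.by_name[part] = child
            node = child
        return node

    def ancestors(self, name: str) -> list:
        """Names from the node itself up to the root, leaf first."""
        node = self.by_name[name]
        out = []
        while node is not None:
            out.append(node.name)
            node = node.parent
        return out

    def descendants(self, name: str) -> list:
        """All node names strictly below `name`."""
        out, stack = [], list(self.by_name[name].children.values())
        while stack:
            n = stack.pop()
            out.append(n.name)
            stack.extend(n.children.values())
        return out

    def matches(self, event_type: str, rule_node: str) -> bool:
        """True if event_type is rule_node or lies beneath it in the tree.
        Unknown event types never match, so a typo in a rule fails closed."""
        if event_type not in self.by_name:
            return False
        return rule_node in self.ancestors(event_type)


# Constructed subset of the paths listed in this appendix.
APPENDIX_PATHS = [
    "AttackBehavior > ResourceAttack > NetworkAttack > Access > RemoteProcedureAccess > RPCPortmapperAccess",
    "AttackBehavior > ResourceAttack > NetworkAttack > Access > TrojanTrafficAccess > TrojanCommandAccess",
    "AttackBehavior > ResourceAttack > NetworkAttack > Denial > ApplicationDenial > FileTransferDenial",
    "AttackBehavior > ResourceAttack > NetworkAttack > Denial > ApplicationDenial > MailDenial > MailServiceDenial > MailSpamDenial",
    "AttackBehavior > ResourceAttack > NetworkAttack > Denial > ApplicationDenial > WebDenial",
    "AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial > ChargenDenial",
    "AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial > SynFloodDenial",
    "AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial > TeardropDenial",
    "AttackBehavior > ResourceAttack > NetworkAttack > Denial > LinkControlDenial",
    "AttackBehavior > ResourceAttack > NetworkAttack > Relay > FileTransferRelay > FTPBounce",
    "AttackBehavior > ResourceAttack > ServiceProcessAttack > VirusAttack",
    "SuspiciousBehavior > AuthSuspicious > FailedAuthentication",
]


def build_appendix_taxonomy() -> Taxonomy:
    t = Taxonomy()
    for p in APPENDIX_PATHS:
        t.add_path(p)
    return t


def count_by_rule(event_types, rule_nodes, taxonomy=None) -> dict:
    """For a stream of event-type names, count how many fall under each rule node."""
    t = taxonomy or build_appendix_taxonomy()
    counts = {r: 0 for r in rule_nodes}
    for e in event_types:
        for r in rule_nodes:
            if t.matches(e, r):
                counts[r] += 1
    return counts


if __name__ == "__main__":
    t = build_appendix_taxonomy()
    print(t.ancestors("MailSpamDenial"))
    print(count_by_rule(["SynFloodDenial", "FTPBounce", "MailSpamDenial", "Bogus"],
                        ["Denial", "CoreDenial", "Relay"]))
```

The matches() check deliberately returns False for names that are not in the tree, so a mistyped event type in a rule produces no matches rather than silently matching everything.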
AttackBehavior > ResourceAttack > NetworkAttack > Denial > ApplicationDenial
ApplicationDenial events are a specific type of Denial event where the transport
of the malicious or abusive usage is application-layer protocols. The intent, or the
result, of this activity is inappropriate or abusive access to network resources
through a denial of service attack. ApplicationDenial events may be attempts to
exploit weaknesses in software to gain access to a host system, attempts to
exploit weaknesses in network infrastructure equipment to enumerate or
reconfigure devices, or other denial of service activities.
These alerts are generally provided by network-based intrusion detection
systems, but may also be provided by firewalls or other network infrastructure
devices.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > ApplicationDenial
> FileTransferDenial
FileTransferDenial events are a specific type of Denial event where the transport
of the malicious or abusive usage is application-layer file transfer-related
protocols (FTP, TFTP, etc.). The intent, or the result, of this activity is
inappropriate or abusive access to network resources through a denial of service
attack. FileTransferDenial events may be attempts to exploit weaknesses in file
transfer-related software to gain access to a host system, attempts to exploit
weaknesses in the software to enumerate or reconfigure, or other denial of
service activities.
These alerts are generally provided by network-based intrusion detection
systems, but may also be provided by firewalls or other network infrastructure
devices.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > ApplicationDenial
> MailDenial
MailDenial events are a specific type of Denial event where the transport of the
malicious or abusive usage is application-layer mail-related protocols (SMTP,
IMAP, POP3, etc.) or services (majordomo, spam filters, etc.). The intent, or the
result, of this activity is inappropriate or abusive access to network resources
through a denial of service attack. MailDenial events may be attempts to exploit
weaknesses in mail-related software to gain access to a host system, attempts to
exploit weaknesses in the software to enumerate or reconfigure, or other denial of
service activities.
These alerts are generally provided by network-based intrusion detection
systems, but may also be provided by firewalls or other network infrastructure
devices.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > ApplicationDenial
> MailDenial > MailServiceDenial
MailServiceDenial events are a specific type of Denial event where the transport
of the malicious or abusive usage is application-layer mail-related services
(majordomo, spam filters, etc.). The intent, or the result, of this activity is
inappropriate or abusive access to network resources through a denial of service
attack. MailServiceDenial events may be attempts to exploit weaknesses in
mail-related software to gain access to a host system, attempts to exploit
weaknesses in the software to enumerate or reconfigure, or other denial of
service activities.
These alerts are generally provided by network-based intrusion detection
systems, but may also be provided by firewalls or other network infrastructure
devices.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > ApplicationDenial
> MailDenial > MailServiceDenial > MailSpamDenial
MailSpamDenial events are a specific type of Denial event where the transport of
the malicious or abusive usage is application-layer mail-related services (usually
SMTP). The intent, or the result, of this activity is inappropriate or abusive access
to network resources through a denial of service attack through excessive mail
relaying. MailSpamDenial events reflect excessive attempts to relay mail through
an SMTP server from remote sites that should not typically be relaying mail
through the server, let alone excessive quantities of mail. The goal of these
attacks may not be to enumerate or exploit weaknesses in the mail server, but to
relay as much mail through an open relay mail server as quickly as possible,
resulting in a denial of service attack.
These alerts are generally provided by network-based intrusion detection
systems, but may also be provided by the mail server itself, firewalls, or other
network infrastructure devices. These alerts may indicate an open relay on the
network or an attempt to find an open relay; appropriate response may be to close
access to SMTP servers to only internal and necessary external IP addresses.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > ApplicationDenial
> WebDenial
WebDenial events are a specific type of Denial event where the transport of the
malicious or abusive usage is application-layer web-related protocols (HTTP,
HTTPS, etc.) or services (CGI, ASP, etc.). The intent, or the result, of this activity
is inappropriate or abusive access to network resources through a denial of
service attack. WebDenial events may be attempts to exploit weaknesses in
web-related software to gain access to a host system, attempts to exploit
weaknesses in the software to enumerate or reconfigure, or other denial of
service activities.
These alerts are generally provided by network-based intrusion detection
systems, but may also be provided by firewalls or other network infrastructure
devices.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial
CoreDenial events are a specific type of Denial event where the transport of the
malicious or abusive usage is core protocols (TCP, IP, ICMP, UDP). The intent, or
the result, of this activity is inappropriate or abusive access to network resources
through a denial of service attack. CoreDenial events may be attempts to exploit
weaknesses in software to gain access to a host system, attempts to exploit
weaknesses in network infrastructure equipment to enumerate or reconfigure
devices, or other denial of service activities.
These alerts are generally provided by network-based intrusion detection
systems, but may also be provided by firewalls or other network infrastructure
devices.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial >
ChargenDenial
ChargenDenial alerts reflect a specific type of CoreDenial alert where the intent,
or the result, of this activity is inappropriate or abusive access to network
resources through a denial of service via UDP chargen or echo services. This
attack attempts to exploit network infrastructure devices and hosts by pointing two
chargen or echo hosts at each other and forcing so many responses that the
network and hosts are flooded. In response to a request to the echo or chargen
port, the second device will send a response, which will trigger another request,
which will trigger a response, etc. The source of the initial request is a spoofed IP
address, which appears as one of the hosts which will be a party in the attack
(sent to the second host). This will render both devices and possibly the network
they are on useless either temporarily or for a significant amount of time by the
sheer amount of traffic that is created.
ChargenDenial alerts are generally provided by network-based intrusion
detection systems and network infrastructure devices such as firewalls or routers.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial >
ICMPFloodDenial
ICMPFloodDenial alerts reflect a specific type of CoreDenial alert where the
intent, or the result, of this activity is inappropriate or abusive access to network
resources through a denial of service by an ICMP-based 'flood' attack (which
uses many very large ICMP packets). The network infrastructure devices handling
the traffic may pass on the traffic correctly, however, any vulnerable client or
device on the network may not be able to process the incoming traffic (it may use
up system resources to the point where the device is rendered useless and
cannot accept network connections). Normal ICMP traffic should not trigger an
ICMPFloodDenial alert.
ICMPFloodDenial alerts are generally provided by network-based intrusion
detection systems and network infrastructure devices such as firewalls or routers.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial >
ICMPFragmentationDenial
ICMPFragmentationDenial alerts reflect a specific type of CoreDenial alert where
the intent, or the result, of this activity is inappropriate or abusive access to
network resources through a denial of service attack by using many ICMP
fragments (usually either much larger or smaller than normal fragments). The
network infrastructure devices handling the traffic will reassemble and pass on
the traffic correctly, however, any vulnerable client on the network may not be
able to reassemble the fragmented traffic (it may overflow the stack, triggering a
host or service crash). Normal ICMP fragmentation (data that has been taken
apart because it is too large based on network parameters) should not trigger an
ICMPFragmentationDenial alert.
Fragmentation alerts themselves are generally provided by network-based
intrusion detection systems and network infrastructure devices such as firewalls
or routers.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial >
ICMPSourceQuenchDenial
ICMPSourceQuenchDenial alerts reflect a specific type of CoreDenial alert where
the intent, or the result, of this activity is inappropriate or abusive access to
network resources through a denial of service by an ICMP-based attack (which
uses many ICMP packets set to type 4 - Source Quench). The network
infrastructure devices handling the traffic may pass on the traffic correctly,
however, any client listening and responding to source quench traffic may be
slowed down to the point where it is rendered useless by way of correct response to
the quench request. Normal ICMP traffic (including single, normal, source quench
packets) should not trigger an ICMPSourceQuenchDenial alert.
ICMPSourceQuenchDenial alerts are generally provided by network-based
intrusion detection systems and network infrastructure devices such as firewalls
or routers.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial >
IPFloodDenial
IPFloodDenial alerts reflect a specific type of CoreDenial alert where the intent, or
the result, of this activity is inappropriate or abusive access to network resources
through a denial of service by an IP-based 'flood' attack (which uses many very
large IP packets). The network infrastructure devices handling the traffic may pass
on the traffic correctly, however, any vulnerable client or device on the network
may not be able to process the incoming traffic (it may use up system resources to
the point where the device is rendered useless and cannot accept network
connections). Normal IP traffic should not trigger an IPFloodDenial alert.
IPFloodDenial alerts are generally provided by network-based intrusion detection
systems and network infrastructure devices such as firewalls or routers.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial >
IPFragmentationDenial
IPFragmentationDenial alerts reflect a specific type of CoreDenial alert where the
intent, or the result, of this activity is inappropriate or abusive access to network
resources through a denial of service attack by using many IP fragments (usually
either much larger or smaller than normal fragments). The network infrastructure
devices handling the traffic will reassemble and pass on the traffic correctly,
however, any vulnerable client on the network may not be able to reassemble the
fragmented traffic (it may overflow the stack, triggering a host or service crash).
Normal IP fragmentation (data that has been taken apart because it is too large
based on network parameters) should not trigger an IPFragmentationDenial alert.
Requests to devices that will re-broadcast the traffic to internal devices. In
response to the broadcast Echo Request, all of the devices will send an ICMP
Echo Reply, which will effectively overflow the device. The destination of the
ICMP Echo Reply is a spoofed 'victim' IP address which will also be overflowed
by the actual replies sent to their host. This will render both devices useless either
temporarily or for a significant amount of time.
SmurfDenial alerts are generally provided by network-based intrusion detection
systems and network infrastructure devices such as firewalls or routers.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial >
SnorkDenial
SnorkDenial alerts reflect a specific type of CoreDenial alert where the intent, or
the result, of this activity is inappropriate or abusive access to network resources
through a denial of service by a 'Snork' attack. A Snork attack attempts to exploit a
vulnerability in Windows NT devices by using the Windows RPC service and
sending packets to devices that will broadcast the traffic to other internal Windows
NT devices using RPC. In response to the broadcast, all of the Windows NT
devices will send another packet, and this process will continue until it effectively
overflows the device and possibly the network. The destination or source of the
initial packet is a spoofed 'victim' IP address which will create the illusion of
internal activity. This will render both devices useless either temporarily or for a
significant amount of time.
SnorkDenial alerts are generally provided by network-based intrusion detection
systems and network infrastructure devices such as firewalls or routers.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial >
SynFloodDenial
SYNFloodDenial alerts reflect a specific type of CoreDenial alert where the intent,
or the result, of this activity is inappropriate or abusive access to network
resources through a denial of service by a TCP-based 'flood' attack (which uses
many very large TCP packets with the SYN bit set). The network infrastructure
devices handling the traffic may pass on the traffic correctly, however, any
vulnerable client or device on the network may not be able to process the
incoming traffic (it may use up system resources to the point where the device is
rendered useless and cannot accept network connections). Normal TCP traffic
(with or without the SYN flag) should not trigger a SYNFloodDenial alert.
SYNFloodDenial alerts are generally provided by network-based intrusion
detection systems and network infrastructure devices such as firewalls or routers.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial >
TeardropDenial
TeardropDenial alerts reflect a specific type of CoreDenial alert where the intent,
or the result, of this activity is inappropriate or abusive access to network
resources through a denial of service by a teardrop attack (which uses many
overlapping IP fragments, usually either much larger or smaller than normal
fragments). The network infrastructure devices handling the traffic will reassemble
and pass on the traffic correctly, however, any vulnerable client on the network
may not be able to reassemble the fragmented traffic (it may be reassembled in
such a way that triggers a host or service crash). Unpatched Windows NT and
95/98 clients are especially vulnerable to this type of attack. Normal IP
fragmentation (data that has been taken apart because it is too large based on
network parameters) should not trigger a TeardropDenial alert.
TeardropDenial alerts are generally provided by network-based intrusion
detection systems and network infrastructure devices such as firewalls or routers.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial >
UDPBombDenial
UDPBombDenial alerts reflect a specific type of CoreDenial alert where the
intent, or the result, of this activity is inappropriate or abusive access to network
resources through a denial of service by a UDP-based 'bomb' attack (which uses
many large UDP packets). The network infrastructure devices handling the traffic
may pass on the traffic correctly, however, any vulnerable client or device on the
network may not be able to process the incoming traffic (it may be processed in
such a way that triggers a host or service crash). Normal UDP traffic should not
trigger a UDPBombDenial alert.
UDPBombDenial alerts are generally provided by network-based intrusion
detection systems and network infrastructure devices such as firewalls or routers.
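The ICMPFloodDenial, IPFloodDenial, SynFloodDenial and UDPBombDenial entries above share one property: a single packet is ordinary, a burst of them aimed at one host is the alert, and normal traffic must stay below the bar. The following added example (not code from the LEM product or any sensor it collects from) sketches that logic over constructed packet records with a sliding window and a per-destination count. The protocol-to-event-type mapping, the window size and the threshold are assumptions chosen for illustration, not product settings.

```python
"""Rate-based flood detector over constructed packet records.

Added example, not part of the LEM product. Counts packets per
(destination, protocol) inside a sliding time window and raises one alert per
key when the count first reaches a threshold, so that a trickle of ordinary
pings or SYNs never fires while a burst does.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since start of capture
    src: str
    dst: str
    proto: str     # "icmp", "udp", "tcp-syn" or "ip"


# Assumed mapping from the protocol token to the appendix's event type.
# Anything else is ignored by the detector.
EVENT_TYPE = {
    "icmp": "ICMPFloodDenial",
    "ip": "IPFloodDenial",
    "tcp-syn": "SynFloodDenial",
    "udp": "UDPBombDenial",
}


def detect_floods(packets, window=1.0, threshold=100):
    """Return [(ts, dst, event_type, count)] for each (dst, proto) whose
    packet count within `window` seconds first reaches `threshold`.
    Packets must be supplied in non-decreasing timestamp order."""
    recent = defaultdict(deque)   # (dst, proto) -> timestamps still inside the window
    alerted = set()               # keys that already produced an alert
    alerts = []
    for p in packets:
        if p.proto not in EVENT_TYPE:
            continue
        key = (p.dst, p.proto)
        q = recent[key]
        q.append(p.ts)
        # Drop timestamps that have fallen out of the window.
        while q and p.ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((p.ts, p.dst, EVENT_TYPE[p.proto], len(q)))
    return alerts


def sample_traffic():
    """Constructed traffic: one ping and one SYN per second for ten seconds
    (normal), plus a half-second burst of 150 SYNs at one host (the flood)."""
    pkts = []
    for i in range(10):
        pkts.append(Packet(i * 1.0, "10.0.0.5", "10.0.0.1", "icmp"))
        pkts.append(Packet(i * 1.0 + 0.15, "10.0.0.6", "10.0.0.2", "tcp-syn"))
    for i in range(150):
        pkts.append(Packet(4.0 + i * 0.5 / 150, "203.0.113.9", "10.0.0.2", "tcp-syn"))
    pkts.sort(key=lambda p: p.ts)
    return pkts


def normal_traffic():
    """The same capture with the burst removed; should produce no alerts."""
    return [p for p in sample_traffic() if p.src != "203.0.113.9"]


if __name__ == "__main__":
    for ts, dst, event_type, count in detect_floods(sample_traffic()):
        print(f"t={ts:.3f}s {event_type} toward {dst}: {count} packets in window")
    print("normal traffic alerts:", detect_floods(normal_traffic()))
```

The detector keys on the destination rather than the source because, as the entries above note, the source of flood traffic is frequently spoofed; the count is what identifies the victim.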
AttackBehavior > ResourceAttack > NetworkAttack > Denial >
ConfigurationDenial
ConfigurationDenial events are a specific type of Denial event where the
transport of the malicious or abusive usage is protocols related to configuration of
resources (DHCP, BootP, SNMP, etc.). The intent, or the result, of this activity is
inappropriate or abusive access to network resources through a denial of service
attack. ConfigurationDenial events may be attempts to exploit weaknesses in
configuration-related software to gain access to a host system, attempts to exploit
weaknesses in network infrastructure equipment to enumerate or reconfigure
devices, or other denial of service activities.
These alerts are generally provided by network-based intrusion detection
systems, but may also be provided by firewalls or other network infrastructure
devices.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > FileSystemDenial
FileSystemDenial events are a specific type of Denial event where the transport
of the malicious or abusive usage is remote filesystem-related protocols (NFS,
SMB, etc.). The intent, or the result, of this activity is inappropriate or abusive
access to network resources through a denial of service attack. FileSystemDenial
events may be attempts to exploit weaknesses in remote filesystem services or
software to gain access to a host system, attempts to exploit weaknesses in
network infrastructure equipment to enumerate or reconfigure devices, or other
denial of service activities.
These alerts are generally provided by network-based intrusion detection
systems, but may also be provided by firewalls or other network infrastructure
devices.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > LinkControlDenial
LinkControlDenial events are a specific type of Denial event where the transport
of the malicious or abusive usage is link level protocols (such as ARP). The
intent, or the result, of this activity is inappropriate or abusive access to network
resources through a denial of service attack. LinkControlDenial events may be
attempts to exploit weaknesses in link-level control software to gain access to a
host system, attempts to exploit weaknesses in network infrastructure equipment
to enumerate or reconfigure devices, or other denial of service activities.
These alerts are generally provided by network-based intrusion detection
systems, but may also be provided by firewalls or other network infrastructure
devices.
AttackBehavior > ResourceAttack > NetworkAttack > Denial >
RemoteProcedureDenial
RemoteProcedureDenial events are a specific type of Denial event where the
transport of the malicious or abusive usage is remote procedure-related protocols
(traditional RPC, RMI, CORBA, etc.) or services (portmapper, etc.). The intent, or
the result, of this activity is inappropriate or abusive access to network resources
through a denial of service attack. RemoteProcedureDenial events may be
TrojanTrafficDenial events may be attempts to exploit weaknesses in software to
gain access to a host system, attempts to exploit weaknesses in network
infrastructure equipment to enumerate or reconfigure devices, attempts to spread
the Trojan to other hosts, or other denial of service activities.
These alerts are generally provided by network-based intrusion detection
systems, but may also be provided by firewalls or other network infrastructure
devices.
AttackBehavior > ResourceAttack > NetworkAttack > Relay
Children of the Relay tree define events centered on malicious or abusive usage
of network bandwidth/traffic where the intention, or the result, is relaying
inappropriate or abusive access to other network resources (either internal or
external). Generally, these attacks will have the perimeter or an internal host as
their point of origin. When sourced from remote hosts, they may indicate a
successful exploit of an internal or perimeter host.
These alerts are generally provided by network-based intrusion detection
systems, but may also be provided by firewalls or other network infrastructure
devices.
AttackBehavior > ResourceAttack > NetworkAttack > Relay > DDOSToolRelay
DDOSToolRelay events reflect potential network traffic related to known
Distributed Denial of Service connectors. These connectors are used to relay
attacks to new remote (and possibly local) hosts to exploit or inundate the remote
host with data in an attempt to cripple it. Generally, these attacks will have a
perimeter or an internal host as their point of origin. When sourced from remote
hosts, they may indicate a successful exploit of an internal or perimeter host.
These alerts are generally provided by network-based intrusion detection
systems, but may also be provided by firewalls or other network infrastructure
devices.
Appropriate response to these events may be to restrict the source from
accessing any external network, running a virus scanner or other detection utility
to detect and remove the presence of any relay connector (in some cases known
as a 'zombie'), and if necessary, to quarantine the source node from the network
to further isolate the issue. If these events are sourced from a completely external
network, blocking the remote host, better access control of clients, servers, and
services (e.g. restriction by IP address and/or user name to ensure only trusted
clients are connecting), application of updates or patches to servers and/or
clients, or the possible removal of the service related to this event may also be
appropriate actions.
AttackBehavior > ResourceAttack > NetworkAttack > Relay > FileTransferRelay
FileTransferRelay events reflect potential network traffic related to known attack
connectors that operate over file transfer protocols. These connectors are used to
relay attacks to new remote (and possibly local) hosts to exploit or abuse
services. Generally, these attacks will have a perimeter or an internal host as their
point of origin. When sourced from remote hosts, they may indicate a successful
exploit of an internal or perimeter host.
These alerts are generally provided by network-based intrusion detection
systems, but may also be provided by the file transfer software itself, and firewalls
or other network infrastructure devices.
Appropriate response to these events may be to restrict the source from
accessing any external network, running a virus scanner or other detection utility
to detect and remove the presence of any relay connector, and if necessary, to
quarantine the source node from the network to further isolate the issue. If these
events are sourced from a completely external network, blocking the remote host,
better access control of file transfer servers (e.g. restriction by IP address and/or
user name to ensure only trusted clients are connecting), application of updates
or patches to file transfer servers and/or clients, or the possible removal of the file
transfer service or client application related to this event may also be appropriate
actions.
AttackBehavior > ResourceAttack > NetworkAttack > Relay > FileTransferRelay >
FTPBounce
FTPBounce events are a specific type of FileTransferRelay related to known
attack connectors using file transfer protocols that are used to launder
connections to other services, redirect attacks to other hosts or services, or to
redirect connections to other hosts or services. Generally, these attacks will have
a perimeter or an internal host as their point of origin. When sourced from remote
hosts, they may indicate a successful exploit of an internal or perimeter host.
These alerts are generally provided by network-based intrusion detection
systems, but may also be provided by the file transfer software or service itself,
and firewalls or other network infrastructure devices.
Appropriate response to these events may be to restrict the source from
accessing any external network, running a virus scanner or other detection utility
to detect and remove the presence of any relay connector, and if necessary, to
quarantine the source node from the network to further isolate the issue. If these
events are sourced from a completely external network, blocking the remote host,
better access control of file transfer servers (e.g. restriction by IP address and/or
user name to ensure only trusted clients are connecting), application of updates
or patches to file transfer servers and/or clients, or the possible removal of the file
transfer service or client application related to this event may also be appropriate
actions.
AttackBehavior > ResourceAttack > ServiceProcessAttack
Members of the ServiceProcessAttack tree are used to define events centered on
malicious or abusive usage of services or user processes. These events include
abuse or misuse of resources from malicious code placed on the client system.
AttackBehavior > ResourceAttack > ServiceProcessAttack > VirusAttack
VirusAttack alerts reflect malicious code placed on a client or server system,
which may lead to system or other resource compromise and may lead to further
attack. The severity of this alert will depend on the ActionTaken field, which
reflects whether the virus or other malicious code was successfully removed.
These alerts are usually provided by a virus scanner running on the client system.
Appropriate response to these alerts may entail a quarantine of the node from the
network to prevent further outbreak, updates of virus scanner pattern files on other
network nodes to prevent further outbreak, virus scans on other network nodes to
detect further outbreak if any has taken place, and research into the offending
virus to find out methods of removal.
AttackBehavior > ResourceAttack > ServiceProcessAttack >
VirusSummaryAttack
VirusSummaryAttack alerts reflect malicious code placed on a client or server
system, which may lead to system or other resource compromise and may lead to
further attack. The severity of this alert will depend on the ActionTaken field which
reflects whether the virus or other malicious code was successfully removed.
These alerts differ from VirusAttack in that they may be a composite of virus
events normally due to a scheduled scan on the client system as opposed to a
real-time scan.
These alerts are usually provided by a virus scanner running on the client system.
Appropriate response to these alerts may entail a quarantine of the node from the
network to prevent further outbreak, updates of virus scanner pattern files on other
network nodes to prevent further outbreak, virus scans on other network nodes to
detect further outbreak if any has taken place, and research into the offending
virus to find out methods of removal.
GeneralSecurity
GeneralSecurity alerts are generated when a supported product outputs data that
has not yet been normalized into a specific alert, but is known to be security
issue-related.
SuspiciousBehavior
Events that are children of SuspiciousBehavior are generally related to network
activity that may consist of enumeration of resources, unexpected traffic,
abnormal authentication events, or other abnormal behavior that should be
considered indicative of a serious security event.
SuspiciousBehavior > AuthSuspicious
Members of the AuthSuspicious tree are used to define events regarding
suspicious authentication and authorization events. These events include
excessive failed authentication or authorization attempts, suspicious access to
unauthenticated users, and suspicious access to unauthorized services or
information.
SuspiciousBehavior > AuthSuspicious > FailedAuthentication
FailedAuthentication events occur when a user has made several attempts to
authenticate that have repeatedly failed, or when a logon failure is serious
enough to merit a security event on a single failure.
SuspiciousBehavior > AuthSuspicious > GuestLogin
GuestLogin events describe user authentication events where an attempt, whether
successful or unsuccessful, was made to grant access to a user that generally has
no password assigned (such as anonymous, guest, or default) and no special
privileges. A user with this level of privilege may still be granted access to
enough of the client system to begin exploitation.
These events are usually produced by a client or server operating system, but
may also be produced by a network-based IDS or network infrastructure device
when that is possible or appropriate.
SuspiciousBehavior > AuthSuspicious > RestrictedInformationAttempt
RestrictedInformationAttempt events describe a user attempt to access local or
remote information that their level of authorization does not allow. These events
may indicate user attempts to exploit services which they are denied access to or
inappropriate access attempts to information.
SuspiciousBehavior > AuthSuspicious > RestrictedServiceAttempt
RestrictedServiceAttempt events describe a user attempt to access a local or
remote service that their level of authorization does not allow. These events may
indicate user attempts to exploit services which they are denied access to or
inappropriate access attempts to services.
SuspiciousBehavior > InferredSuspicious
InferredSuspicious alerts are reserved SuspiciousBehavior alerts used for
describing suspicious behavior that is a composite of different types of alerts.
These events will be defined and inferred by Contego Policy.
SuspiciousBehavior > ResourceSuspicious
Members of the ResourceSuspicious tree are used to define different types of
suspicious access to network resources, where these resources may be network
bandwidth/traffic, files, client processes or services, or other types of shared
security-related 'commodities'.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious
Members of the NetworkSuspicious tree are used to define events regarding
suspicious usage of network bandwidth/traffic. These events include unusual
traffic and reconnaissance behavior detected on network resources.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon
Children of the Recon tree reflect suspicious network behavior with the intent of
gathering information about target clients, networks, or hosts. Reconnaissance
behavior may be legitimate on a network, but only as a controlled activity in
small quantities. Invalid reconnaissance behavior may reflect attempts to
determine security flaws on remote hosts, missing access control policies that
allow external hosts to penetrate networks, or other suspicious behavior that
results in general information gathering without actively attacking.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Enumerate
Enumerate alerts reflect attempts to gather information about target networks, or
specific target hosts, by sending active data which will elicit responses that reveal
information about clients, servers, or other network infrastructure devices. The
service running, and other information gathering tactics that use FTP commands
to query. These enumerations may result in information being provided that can
allow an attacker to craft a specific attack against the FTP service that may work
correctly the first time - enabling them to modify their methodology to go on
relatively undetected.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Enumerate > ApplicationEnumerate > MailEnumerate
MailEnumerate alerts reflect attempts to gather information about target hosts, or
services on target hosts, by sending active application-layer data to mail-related
services which will elicit responses that reveal information about the application
or host. This enumeration may be a simple command sent to the mail service to
attempt to fingerprint what is allowed or denied by the service, requests to the
mail service that may enable an attacker to surmise the version and specific
service running, and other information gathering tactics. These enumerations may
result in information being provided that can allow an attacker to craft a specific
attack against the mail service or application that may work correctly the first time
- enabling them to modify their methodology to go on relatively undetected.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Enumerate > ApplicationEnumerate > MailEnumerate >
SMTPCommandEnumerate
SMTPCommandEnumerate alerts reflect attempts to gather information about
target hosts, or services on target hosts, by sending active application-layer data
to mail-related services which will elicit responses that reveal information about
the application. This enumeration specifically entails commands sent to the
SMTP service to attempt to fingerprint what is allowed or denied by the service,
requests to the mail service that may enable an attacker to surmise the version
and specific service running, and other information gathering tactics that use
SMTP commands to query. These enumerations may result in information being
provided that can allow an attacker to craft a specific attack against the mail
service that may work correctly the first time - enabling them to modify their
methodology to go on relatively undetected.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Enumerate > ApplicationEnumerate > WebEnumerate
WebEnumerate alerts reflect attempts to gather information about target hosts, or
services on target hosts, by sending active application-layer data to web-related
services which will elicit responses that reveal information about the application
or host. This enumeration may be a simple command sent to the web service to
attempt to fingerprint what is allowed or denied by the service, requests to the
web service that may enable an attacker to surmise the version and specific
service running, and other information gathering tactics. These enumerations may
result in information being provided that can allow an attacker to craft a specific
attack against the web service or application that may work correctly the first time
- enabling them to modify their methodology to go on relatively undetected.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Enumerate > BannerGrabbingEnumerate
BannerGrabbingEnumerate alerts reflect attempts to gather information about
target hosts, or services on target hosts, by sending a request which will elicit a
response containing the host or service's 'banner'. This 'banner' contains
information that may provide a potential attacker with such details as the exact
application and version running behind a port. These details could be used to
craft specific attacks against hosts or services that an attacker may know will work
correctly the first time - enabling them to modify their methodology to go on relatively
undetected.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Enumerate > MSNetworkingEnumerate
MSNetworkingEnumerate alerts reflect attempts to gather information about target
hosts, or services on target hosts, by sending active data to Microsoft networking
services (using protocols such as NetBIOS and SMB/CIFS) that will elicit
responses that reveal information about the application, host, or target network.
This enumeration may be a simple command sent to the networking service to
attempt to fingerprint what is allowed or denied by a service, requests to a service
that may enable an attacker to surmise the version and specific service running,
requests to a service that may enable an attacker to fingerprint the target network,
and other information gathering tactics. These enumerations may result in
information being provided that can allow an attacker to craft a specific attack
against the networking service, host, or application that may work correctly the
first time - enabling them to modify their methodology to go on relatively
undetected.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Enumerate > RemoteProcedureEnumerate
RemoteProcedureEnumerate alerts reflect attempts to gather information about
target hosts, or services on target hosts, by sending active data to Remote
Procedure services (using protocols such as RMI, CORBA, and traditional RPC)
that will elicit responses that reveal information about the application or host. This
enumeration may be a simple command sent to the remote procedure service to
attempt to fingerprint what is allowed or denied by the service, requests to the
remote procedure service that may enable an attacker to surmise the version and
specific service running, and other information gathering tactics. These
enumerations may result in information being provided that can allow an attacker
to craft a specific attack against the remote procedure service or application that
may work correctly the first time - enabling them to modify their methodology to go
on relatively undetected.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Enumerate > RemoteProcedureEnumerate > RPCPortmapperEnumerate
RPCPortmapperEnumerate alerts reflect attempts to gather information about
target hosts, or services on target hosts, by sending active data to the Portmapper
Remote Procedure service that will elicit responses that reveal information about
the application or host. This enumeration may be a simple command sent to the
portmapper service to attempt to fingerprint what is allowed or denied by the
service, requests to the portmapper service that may enable an attacker to
surmise the version and specific service running, and other information gathering
tactics. These enumerations may result in information being provided that can
allow an attacker to craft a specific attack against the portmapper service or client
application that may work correctly the first time - enabling them to modify their
methodology to go on relatively undetected.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Enumerate > RemoteProcedureEnumerate > RPCPortScanEnumerate
RPCPortScanEnumerate alerts reflect attempts to gather information about target
hosts, or services on target hosts, by sending active data to Remote Procedure
services (using protocols such as RMI, CORBA, and traditional RPC) that will
elicit responses that reveal information about the application or host. This specific
type of enumeration is done by sending queries to RPC related ports to attempt to
fingerprint the types and specific services running, and may involve other
information gathering tactics. These enumerations may result in information being
provided that can allow an attacker to craft a specific attack against the remote
procedure service or application that may work correctly the first time - enabling
them to modify their methodology to go on relatively undetected.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Footprint
information that a probe may discover without enumeration of the specific
services or performing attack attempts.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Scan > CoreScan
CoreScan alerts reflect attempts to gather information about target networks, or
specific target hosts, by sending scans over core network protocols (TCP, IP,
ICMP, UDP) which will elicit responses that reveal information about clients,
servers, or other network infrastructure devices. The originating source of the
scan is generally attempting to acquire information that may reveal more than
normal traffic to the target would, information such as a list of applications
listening on ports, operating system information, and other information that a
probe may discover without enumeration of the specific services or performing
attack attempts.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Scan > CoreScan > HostScan
HostScan alerts reflect attempts to gather information about specific target hosts
by sending scans which will elicit responses that reveal information about clients,
servers, or other network infrastructure devices. The originating source of the
scan is generally attempting to acquire information that may reveal more than
normal traffic to the target would, such as a list of applications on the host,
operating system information, and other information that a probe may discover
without enumeration of the specific services or performing attack attempts. These
scans generally do not occur across entire networks and generally have the intent
of discovering operating system and application information which may be used
for further attack preparation.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Scan > CoreScan > ICMPQuery
ICMPQuery alerts reflect attempts to gather information about specific target
hosts, or networks, by sending ICMP-based queries that will elicit responses that
reveal information about clients, servers, or other network infrastructure devices.
The originating source of the scan is generally attempting to acquire information
that may reveal more than normal traffic to the target would, such as operating
system information and other information that a probe may discover without
enumeration of the specific services or performing attack attempts. These scans
generally do not occur across entire networks, contain many sequential ICMP
packets, and generally have the intent of discovering operating system and
application information which may be used for further attack preparation.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Scan > CoreScan > PingSweep
PingSweep alerts reflect a specific type of CoreScan alert that describes an
attempt to gather information about target networks, and hosts on those networks,
by sending ICMP or TCP ping packets to test whether hosts are alive. The
originating source of the scan is generally attempting to acquire information about
network topology or groups of specific hosts on the network and may have the
intent of gathering information for future attack attempts.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Scan > CoreScan > PingSweep > ICMPPingSweep
ICMPPingSweep alerts reflect a specific type of CoreScan alert that describes an
attempt to gather information about target networks, and hosts on those networks,
by sending ICMP ping packets to test whether hosts are alive. The originating
source of the scan is generally attempting to acquire information about network
topology or groups of specific hosts on the network and may have the intent of
gathering information for future attack attempts.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Scan > CoreScan > PingSweep > TCPPingSweep
TCPPingSweep alerts reflect a specific type of CoreScan alert that describes an
attempt to gather information about target networks, and hosts on those networks,
by sending TCP ping packets to test whether hosts are alive. The originating
source of the scan is generally attempting to acquire information about network
topology or groups of specific hosts on the network and may have the intent of
gathering information for future attack attempts.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Scan > CoreScan > PortScan
PortScan alerts reflect attempts to gather information about target networks, or
specific target hosts, by sending scans over core network protocols (TCP, IP,
ICMP, UDP) that will elicit responses that reveal information about clients,
servers, or other network infrastructure devices. The originating source of the
scan is generally attempting to acquire information that may reveal more than
normal traffic to the target would, such as a list of applications listening on ports,
operating system information, and other information that a probe may discover
without enumeration of the specific services or performing attack attempts.
Portscans specifically operate by sending probes to every port within a range,
attempting to identify open ports that may use applications or services that are
easy to enumerate and attack.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Scan > CoreScan > PortScan > TCPPortScan
TCPPortScan alerts reflect attempts to gather information about target networks,
or specific target hosts, by sending scans over TCP that will elicit responses that
reveal information about clients, servers, or other network infrastructure devices.
The originating source of the scan is generally attempting to acquire information
that may reveal more than normal traffic to the target would, such as a list of
applications listening on ports, operating system information, and other
information that a probe may discover without enumeration of the specific
services or performing attack attempts. TCP portscans specifically operate by
sending TCP probes to every port within a range, attempting to identify open ports
that may use applications or services that are easy to enumerate and attack.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Scan > CoreScan > PortScan > UDPPortScan
UDPPortScan alerts reflect attempts to gather information about target networks,
or specific target hosts, by sending scans over UDP that will elicit responses that
reveal information about clients, servers, or other network infrastructure devices.
The originating source of the scan is generally attempting to acquire information
that may reveal more than normal traffic to the target would, such as a list of
applications listening on ports, operating system information, and other
information that a probe may discover without enumeration of the specific
services or performing attack attempts. UDP portscans specifically operate by
sending UDP probes to every port within a range, attempting to identify open
ports that may use applications or services that are easy to enumerate and attack.
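As an added example (not code from the LEM product or this guide), the following Python applies the distinctions drawn in the PortScan and PingSweep descriptions above to constructed connection records: many ports on one host versus the same probe sent to many hosts, and TCP versus UDP versus ICMP. The record fields, the thresholds, and the sample addresses are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Category prefix shared by every scan type in this section of the taxonomy.
CORE_SCAN = ("SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > "
             "Recon > Scan > CoreScan")

# Assumed thresholds for this example; they are not LEM defaults.
PORT_SCAN_MIN_PORTS = 20   # distinct ports probed on one host
SWEEP_MIN_HOSTS = 10       # distinct hosts probed the same way


@dataclass(frozen=True)
class Probe:
    """One connection attempt as a firewall or IDS might record it (constructed)."""
    src: str
    dst: str
    proto: str               # "tcp", "udp" or "icmp"
    dport: Optional[int]     # destination port; None for ICMP
    flags: str = ""          # TCP flags, "S" meaning a bare SYN


def classify(probes):
    """Map each source address to the sorted list of scan categories it triggered."""
    ports_per_target = defaultdict(set)   # (src, dst, proto) -> ports touched
    icmp_targets = defaultdict(set)       # src -> hosts sent ICMP
    syn_targets = defaultdict(set)        # (src, dport) -> hosts sent a SYN

    for p in probes:
        if p.proto == "icmp":
            icmp_targets[p.src].add(p.dst)
            continue
        ports_per_target[(p.src, p.dst, p.proto)].add(p.dport)
        if p.proto == "tcp" and p.flags == "S":
            syn_targets[(p.src, p.dport)].add(p.dst)

    findings = defaultdict(set)
    # PortScan: probes to many ports within a range on a single host.
    for (src, _dst, proto), ports in ports_per_target.items():
        if len(ports) >= PORT_SCAN_MIN_PORTS:
            findings[src].add(f"{CORE_SCAN} > PortScan > {proto.upper()}PortScan")
    # ICMPPingSweep: ICMP probes testing whether many hosts are alive.
    for src, hosts in icmp_targets.items():
        if len(hosts) >= SWEEP_MIN_HOSTS:
            findings[src].add(f"{CORE_SCAN} > PingSweep > ICMPPingSweep")
    # TCPPingSweep: the same TCP SYN sent to many hosts to test whether they are alive.
    for (src, _port), hosts in syn_targets.items():
        if len(hosts) >= SWEEP_MIN_HOSTS:
            findings[src].add(f"{CORE_SCAN} > PingSweep > TCPPingSweep")
    return {src: sorted(cats) for src, cats in findings.items()}


def sample_probes():
    """Constructed traffic: four scanning sources and one ordinary client."""
    probes = []
    for port in range(1, 41):                       # 10.0.0.5: 40 TCP ports on one host
        probes.append(Probe("10.0.0.5", "10.0.1.20", "tcp", port, "S"))
    for port in range(100, 125):                    # 10.0.0.6: 25 UDP ports on one host
        probes.append(Probe("10.0.0.6", "10.0.1.20", "udp", port))
    for i in range(1, 16):                          # 10.0.0.9: ICMP echo to 15 hosts
        probes.append(Probe("10.0.0.9", f"10.0.2.{i}", "icmp", None))
    for i in range(1, 13):                          # 10.0.0.12: SYN to port 80 on 12 hosts
        probes.append(Probe("10.0.0.12", f"10.0.3.{i}", "tcp", 80, "S"))
    probes.append(Probe("10.0.0.7", "10.0.1.20", "tcp", 443, "S"))   # ordinary client
    probes.append(Probe("10.0.0.7", "10.0.1.21", "tcp", 80, "S"))
    return probes


if __name__ == "__main__":
    for src, categories in sorted(classify(sample_probes()).items()):
        for category in categories:
            print(f"{src}: {category}")
```

The ordinary client touches only two ports on two hosts and is left unclassified, which is the behaviour a rule on these categories needs so that normal traffic does not raise PortScan or PingSweep alerts.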
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Scan > CoreScan > StackFingerprint
StackFingerprint alerts reflect attempts to gather information about specific target
hosts by sending a certain set of packets to probe a device's network stack, which
will elicit responses that reveal information about clients, servers, or other network
infrastructure devices. The originating source of the scan is generally attempting
to acquire information that may reveal more than normal traffic to the target would,
such as operating system information (including type and version) and other
information that a probe may discover without enumeration of the specific
the target network is visible. A Trojan may run a scan before attempting an attack
operation to test potential effectiveness or targeting information.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious >
UnusualTraffic
UnusualTraffic alerts reflect suspicious behavior on network devices where the
traffic may have no known exploit, but is unusual and could be potential
enumerations, probes, fingerprints, attempts to confuse devices, or other
abnormal traffic. UnusualTraffic may require no immediate response; however, it
could reflect a suspicious host that should be monitored closely.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious >
UnusualTraffic > UnusualICMPTraffic
UnusualICMPTraffic alerts reflect ICMP-based suspicious behavior on network
devices where the traffic may have no known exploit, but is unusual and could be
potential enumerations, probes, fingerprints, attempts to confuse devices, or other
abnormal traffic. UnusualICMPTraffic may require no immediate response;
however, it could reflect a suspicious host that should be monitored closely.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious >
UnusualTraffic > UnusualIPTraffic
UnusualIPTraffic alerts reflect IP-based suspicious behavior on network devices
where the traffic may have no known exploit, but is unusual and could be
potential enumerations, probes, fingerprints, attempts to confuse devices, or other
abnormal traffic. UnusualIPTraffic may require no immediate response; however, it
could reflect a suspicious host that should be monitored closely.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious >
UnusualTraffic > UnusualProtocol
UnusualProtocol alerts reflect suspicious behavior on network devices where the
traffic is targeted at unknown, unassigned, or uncommonly used protocols. This
traffic may have no known exploit, but is unusual and should be considered
potential enumerations, probes, fingerprints, attempts to confuse devices, or other
abnormal traffic. UnusualProtocol may require no immediate response; however, it
could reflect a suspicious host that should be monitored closely.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious >
UnusualTraffic > UnusualTCPTraffic
UnusualTCPTraffic alerts reflect TCP-based suspicious behavior on network
devices where the traffic may have no known exploit, but is unusual and could be
Description
EventName
ConnectionName
ConnectionStatus
DetectionIP
DetectionTime
EventInfo
ExtraneousInfo
useful for correlating or summarizing alert information in
addition to the EventInfo field.
Host
The node the log message came from (that is, the LEM or
Agent that collected the message for forwarding to
nDepth).
HostFromData
InferenceRule
InsertionIP
InsertionTime
The time the Manager or Agent first created the alert. This
time indicates when the data was read from a log file or
other source.
IPAddress
Manager
The name of the Manager that received the alert. For data
generated from an Agent, this is the Manager the Agent is
connected to.
Order
central event shown in the event map.
means the event occurred after the central event
shown in the event map.
Protocol
ProviderSID
SourceMachine
SourcePort
ConnectorAlias
ConnectorId
ConnectorType
Username
Description
Version
3comswitch.xml
3Com Switch
7374
actianceusg.xml
activescout.xml
ActiveScout
7374
AIXauditlog.xml
AIX Audit
7405
AIXsyslog.xml
AIX Syslog
7426
AlliedTelesis.xml
7374
amavis.xml
AMaViS
7374
ApacheAccessLog.xml
Apache Access
7374
ApacheErrorLog.xml
Apache Error
7374
apcinfrastruxure.xml
APC InfraStruXure
7374
arraynetworksspx.xml
7374
aruba.xml
Aruba Wireless
Access Point
7374
aruba3x.xml
Aruba Wireless
Access Point 3x
7374
as400.xml
7453
astarosg.xml
7374
way
atlas.xml
7374
aventail.xml
SonicWALL Aventail
SSL VPN E-Class
7374
avgnetworkserver.xml
7374
avgnetworkserver.xml
7374
avgworkstation.xml
7374
AxcientUMC.xml
7380
BackupExecSR.xml
Symantec Backup
Exec System Recovery
7374
barracudaadmin.xml
Barracuda Admin
7374
barracudaNG.xml
Barracuda NG Firewall
(Phion Netfence)
7374
barracudaweb.xml
7374
BarracudaWebAppFW.xml
bind.xml
Bind
7374
biopassword.xml
BioPassword
7374
Bit9Parity.xml
7492
bladerackswitch.xml
Blade RackSwitch
7374
bluecoatproxySG.xml
7399
bluecoatproxysgwa.xml
7379
bordermanager.xml
Novell BorderManager
7374
bordermanagerwebproxy.xml
Novell BorderManager
Web Proxy
7374
Borderware.xml
Borderware Firewall
7374
brightstor.xml
7374
checkpointedgex.xml
Checkpoint Edge X
Firewall
7374
ciscoacsadminaudit.xml
7387
ciscoacsadminaudit.xml
7387
ciscoacsbackup.xml
7374
ciscoacsdbr.xml
7374
ciscoacsdbs.xml
7374
ciscoacsexpress.xml
7374
ciscoacsfailed.xml
7374
ciscoacspassauth.xml
7374
ciscoacspassword.xml
7374
ciscoacsradius.xml
7374
ciscoacsservmon.xml
7374
ciscoacssyslog.xml
7374
ciscoacssyslog5.xml
7374
ciscoacstacacc.xml
7374
ciscoacstacadmin.xml
7374
ciscoacsvoip.xml
7374
ciscocatos.xml
Cisco CatOS
7374
CiscoCSCSSM.xml
7374
CiscoCSCSSM63.xml
7374
ciscocss.xml
7374
CiscoFirewalls.xml
7443
CiscoIDS.xml
7374
CiscoIPSsdee.xml
7374
CiscoNAC_CA.xml
cisconetworkregistrar.xml
7374
CiscoNXOS.xml
7395
CiscoVPN.xml
Cisco VPN
7374
ciscowlc.xml
7388
citrixnetscaler.xml
7374
CitrixSAG.xml
7374
CitrixXD.xml
Citrix XenDesktop
7374
CitrixXS_auth.xml
7374
CitrixXS_daemon.xml
7374
ClamAV.xml
ClamAV
7374
codegreenci.xml
CodeGreen Content
Inspection
7374
codegreenciuser.xml
CodeGreen Content
Inspection user
7374
commandavwindows.xml
7374
CommandES.xml
Command for
Exchange Server
7374
consentrycontroller.xml
ConSentry Controller
7374
ContegoManagerMonitor.xml
Manager Monitor
7374
ContegoReports.xml
SWLEM Reports
7374
corenteawb.xml
Corente AWB
7374
cyberarkvault.xml
Cyber-Ark Vault
7374
cyberguard.xml
Cyberguard
7374
CyberoamUTM.xml
Cyberoam UTM
7374
dellPowerConnect.xml
Dell PowerConnect
Switches
7374
devicelockevents.xml
DeviceLock Audit
7374
devicelockevents.xml
DeviceLock Events
7374
digitalpersona.xml
DigitalPersona Pro
7374
dlinkdfl.xml
7374
dragonids.xml
Dragon IDS
7374
edmzpar.xml
7374
eeyeblinkep.xml
EFTServer.xml
7374
emcrecoverpoint.xml
EMC RecoverPoint
7374
enterasysswitch.xml
Enterasys C-Series
and N-Series Switches
7374
epo.xml
ePolicy Orchestrator
(ePO)
7380
epo45.xml
ePolicy Orchestrator
(ePO) 4.5+
7467
esafe.xml
eSafe
7374
esoft.xml
eSoft
7374
esxcfgfirewall.xml
7374
esxhostd.xml
7483
esxihostd.xml
7397
esxmessages.xml
7406
esxmessages.xml
7406
esxsecure.xml
7429
esxvmkernel.xml
7392
esxvmkernel.xml
7392
esxvmkwarning.xml
7374
extremeswitch.xml
Extreme Switch
7452
F5BigIPdaemon.xml
7374
F5BigIPhttpd.xml
7374
F5BigIPLTMgeneral.xml
F5BigIPmessages.xml
F5 BigIP messages
7374
FileSure.xml
FileSure
7374
FirePass.xml
7374
fireproof.xml
FireProof
7374
flexteller.xml
Flex Teller
7374
forefrontapp.xml
Forefront Security
Application Log (Client
Security, Exchange
and Sharepoint)
7374
forefrontEPAV.xml
forefrontSQLDB.xml
7374
forefrontsys.xml
7374
ity)
forescoutcounteractnac.xml
7374
fortigate25.xml
FortiGate 2.5
7374
fortigate28.xml
FortiGate 2.8+
7448
foundry.xml
Foundry
7374
freebsdauth.xml
FreeBSD Authentication
7374
freeradius.xml
FreeRADIUS
7374
freshclam.xml
FreshClam
7374
fsecureav.xml
F-Secure Anti-Virus 7
7374
GFIsim.xml
7374
globalscapeeftclient.xml
7374
globalscapeftp.xml
Globalscape Secure
FTP (W3C Extended
file format)
7407
GnatBox.xml
7415
GroupShield.xml
Group Shield/Outbreak
for Exchange Server
7374
hp_procurve.xml
hp_procurve_msm700_series.xml
HP MSM700 Series
Controller
7436
hpbladesystemenclosure.xml
HP BladeSystem
Enclosure local log
7374
hpbladesystemenclosure.xml
HP BladeSystem
Enclosure auth log
7374
hpstorwksmsa.xml
hpuxsyslog.xml
HP-ux Syslog
7374
HuaweiSwitches.xml
Huawei Switches
7374
iasradius.xml
7374
iasradius.xml
7374
IASsystem.xml
7374
IIS.xml
IIS.xml
IIS.xml
iisftp.xml
ingatesipfw.xml
Ingate Firewall
7374
InoculateIT60.xml
InoculateIT 6.0
7374
InoculateIT70plus.xml
InoculateIT 7.0+
7374
intrushield.xml
IntruShield
7490
ipfilter.xml
IP Filter
7374
iprism.xml
7374
ironportemailsecurity.xml
7374
ironportwebsecurity.xml
7374
ISA2004FirewallLog.xml
Microsoft ISA
2004/2006 Firewall
(ISA Server file format)
7374
ISA2004ProxyLog.xml
ISA2004W3CFirewall.xml
Microsoft ISA
2004/2006 Firewall
(W3C Server file
format)
7374
ISA2004W3CWebProxy.xml
7374
ISA2006ProxyLog.xml
ISA2006W3CWebProxy.xml
7374
ISAApplication.xml
7374
ISAFirewallLog.xml
7374
ISAPackertFilterLog.xml
7374
isapi_redirect.xml
7374
ISAProxyLog.xml
7374
ISAW3CFirewallLog.xml
7374
ISAW3CPackertFilterLog.xml
7374
ISAW3CProxyLog.xml
7374
issproventia.xml
7380
issrealsecure.xml
7380
jacocartcare.xml
JACO CartCare
7374
juniperidp30.xml
7374
juniperidp40.xml
7374
junipernsm.xml
Juniper NSM
7374
junipersbr_authaccepts.xml
7374
junipersbr_authaccepts.xml
7374
junipersbr_authrejects.xml
7374
junipersbr_authrejects.xml
7374
junipervgw.xml
7374
junos.xml
Juniper JUNOS
7455
KasperskyAdminKitDB.xml
Kaspersky Security
Center
7417
KasperskyAdminKitDB.xml
7417
kasperskyav.xml
Kaspersky Anti-Virus 6
7374
lancopestealthwatch.xml
Lancope StealthWatch
7374
linkproof.xml
LinkProof
7374
linuxauditd.xml
Linux Auditd
7374
linuxdhcpd.xml
DHCPd
7374
LogAgent.xml
7410
LOGbinderSP.xml
7374
LOGbinderSP.xml
7374
lotus8.xml
7374
MacOSXcrash.xml
Mac OS X
(crashreporter)
7374
MacOSXinstall.xml
Mac OS X (install)
7374
MacOSXmail.xml
Mac OS X (mail)
7374
MacOSXppp.xml
Mac OS X (ppp)
7374
MacOSXsecure.xml
Mac OS X (secure)
7374
MacOSXsystem.xml
Mac OS X (system)
7374
Made2Manage.xml
Made2Manage
7374
McAfeeAccessProtection.xml
7374
tection
McafeeAccessScanLogReader.xml
McAfee On Access
Scan v7.0
7374
McafeeActivityLog.xml
7374
mcafeeemailgateway.xml
7374
McAfeeMailScan.xml
7374
McAfeeNetShield.xml
McAfee NetShield
7374
McAfeeTotalProtection.xml
7374
McAfeeUpdateLogReader.xml
7374
McAfeeVSCLogReader.xml
McAfee VSC
7374
McafeeVSHHomeReader.xml
7374
McAfeeVSHLogReader.xml
7374
McAfeeVSHOnDemandReader.xml
7374
McAfeeVSHOnDemandReader.xml
7374
McAfeeWebEmail.xml
7374
mcafeewebgateway6x.xml
7374
meditech.xml
Meditech
7374
meditechemraccess.xml
7374
motorola_wlancontroller.xml
7374
moveit.xml
MOVEit Log
7444
moveit.xml
MOVEit Windows
Application Log
7444
msexchange.xml
Microsoft Exchange
Event Log
7411
msexchange.xml
Microsoft Exchange
Application Log
7411
msrras.xml
Microsoft RRAS
7374
mssecessentials.xml
Microsoft Security
Essentials
7374
mssqlapplicationlog.xml
7442
mssqlauditor.xml
7475
nagios.xml
Nagios
7374
nDepthLogMessage.xml
7374
neoaccelvpn.xml
7374
NeoterisVPN.xml
Neoteris VPN/Juniper
SA series
7374
NessusdMsgLog.xml
Nessus Message
7374
NessusdReport.xml
7374
NessusdReport.xml
Nessus Report
7374
nessusnbe.xml
7374
netaccess.xml
Net Access
7374
netfilter.xml
iptables / netfilter
7374
netgearFV.xml
Netgear FV Series
7374
netgearsslvpn.xml
netgearswitch.xml
Netgear Switch
7374
netilla.xml
Netilla VPN
7419
netiqdra.xml
7374
Netscreen.xml
Netscreen
7374
netscreen5.xml
Juniper/NetScreen 5
7491
netvanta.xml
Adtran NetVanta
Router
7374
netware65.xml
7374
netware65.xml
7374
netware4153.xml
7374
NetwareDB.xml
7374
networkbox.xml
7374
nitroips.xml
NitroSecurity IPS
7374
NitroIPSsnort.xml
7374
NOD32DB.xml
NOD32 Antivirus 4
Access Threat
7374
NOD32DB.xml
NOD32 Antivirus 4
Access Scan
7374
NOD32DB.xml
NOD32 Antivirus 4
Access Event
7374
NOD32DB.xml
NOD32 Antivirus 4
SQL Threat
7374
NOD32DB.xml
NOD32 Antivirus 4
SQL Scan
7374
NOD32DB.xml
NOD32 Antivirus 4
SQL Event
7374
nortel200series.xml
7374
nortelalteon.xml
Nortel Alteon
7374
nortelbaystack.xml
Nortel Baystack
7374
nortelcontivity.xml
Nortel Contivity
7374
nortelroutingswitch.xml
7374
nortelswitch4500.xml
nortelwss.xml
7374
norton.xml
Symantec Corp
Antivirus
7374
novellidentityauditDB.xml
7374
ntapplication.xml
Windows Application
Log
7423
ntdns.xml
7374
ntds.xml
ntfrs.xml
7374
ntsecurity.xml
Windows NT/2000/XP
Security Log
7374
ntsystem.xml
7446
nubridgesprotect.xml
NuBridges Protect
Token Manager
Engine
7374
nubridgesprotect.xml
NuBridges Protect
Resource Service
7374
nubridgesprotect.xml
7374
openbsdftpd.xml
OpenBSD FTPd
7374
OpenEdgeAudit.xml
OpenEdge Audit
7374
openldap.xml
OpenLDAP
7374
OpenSSH.xml
Open SSH
7374
OpenVMS.xml
HP OpenVMS 8+
7374
Opsec.xml
OPSEC(TM) / Check
Point(TM) NG LEA Client
7374
oracledatabase.xml
7374
oraclesyslog.xml
oraclewindows.xml
7441
OsirisHIMS.xml
7374
paloaltofirewall.xml
7463
PAM.xml
Linux PAM
7418
PandaSecurityForDesktopsDB.xml
7374
PassManPro.xml
7413
PatchLinkVulnDB.xml
pcanywhere.xml
pcAnywhere
7374
permeo.xml
Permeo VPN
7374
pointsecpc.xml
PointSec PC
7374
postfix.xml
Postfix
7374
proftpdaccess.xml
ProFTPD Access
7374
proftpdauth.xml
ProFTPD Auth
7374
proximorinoco.xml
7374
ptechinteract.xml
PowerTech Interact
7374
pureftpd.xml
Pure-FTPd
7374
qualysguard.xml
QualysGuard Scan
Report
7374
radwareappdirector.xml
Radware AppDirector
7374
RaritanDominion.xml
Raritan Dominion
Switch
7374
refleximc.xml
Reflex IMC
7374
RemotelyAnywhere.xml
RemotelyAnywhere /
LogMeIn
7374
RetinaStatusLog.xml
Retina
7374
rsaauthmanager71.xml
RSA Authentication
Manager 7.1
7374
safeatoffice.xml
7374
safeword.xml
SafeNet SafeWord
7374
samba.xml
Samba
7374
SanDiskCMC.xml
SanDisk CMC
7374
savantprotection.xml
Savant Protection
7374
SecureNet.xml
SecureNet IDS
7380
securespheredb.xml
7374
securespheresystem.xml
SecureSphere System
and Firewall Events
6.0
7374
securesphereweb.xml
SecureSphere Web
Application Firewall
6.0
7374
securid.xml
SecurID
7374
securidsyslog.xml
SecurID Syslog
7374
selinux.xml
SELinux
7374
sendmail.xml
Linux Sendmail
7374
sentriant.xml
Extreme Sentriant
7374
servuftp.xml
7374
servuftp.xml
7374
Sidewinder.xml
Sidewinder Firewall
7374
sidewinder61.xml
7401
SmoothWallUTM.xml
SmoothWall Unified
Threat Manager
7433
506
FileName
Description
Version
snmpdmessages.xml
7374
snort.xml
FortiSnort
7440
snort.xml
Snort
7440
snort.xml
SyslogSnort
7440
solarisbsm.xml
7374
solarissnare.xml
7374
solarissnare.xml
sonicsslvpn.xml
7391
sonicwall.xml
SonicWall
7465
sonicwalles.xml
sonicwallgmsdb.xml
SonicWall GMS
7374
Sophos.xml
7374
SophosDB.xml
7374
SophosDB.xml
7374
sophoses.xml
Sophos ES appliance
auth
7374
sophoses.xml
Sophos ES appliance
7374
507
FileName
Description
Version
SophosSNMP.xml
Sophos Anti-Virus
SNMP
7439
sophosws.xml
Sophos WS appliance
7374
SquidAccessLog.xml
7374
SquidGuardAccessBlock.xml
SquidGuard Access
Block Log
7374
stonegatefirewall.xml
StoneGate Firewall
v5.3 CEF
7374
sudolog.xml
sudo syslog
7374
sudolog.xml
sudo
7374
SW_Orion.xml
7380
sybari.xml
symantecep.xml
Symantec Endpoint
Protection 11
7445
SymantecGatewayIDS.xml
Symantec Gateway
IDS
7374
symantecwebsec.xml
7374
symmetricomsyncserver.xml
Symmetricom SyncServer
7419
thycoticsecretserver.xml
7374
timirror.xml
7374
508
FileName
Description
Version
tippingpoint.xml
7374
tippingpoint.xml
7374
tippingpoint.xml
Tippingpoint SMS
7374
tippingpoint_audit_system.xml
7374
tippingpointxseries.xml
Tippingpoint X505
7374
toplayer.xml
7374
trendDeepSecurity.xml
7374
trendimss.xml
Trend IMSS
7374
trendimssemgr.xml
7374
trendimssvirus.xml
7374
trendInterScan.xml
Trend InterScan
7374
trendmicroigsa.xml
7374
trendOfficeScan.xml
7374
trendScanMail.xml
Trend ScanMail
7374
trendServerProtect.xml
7374
tricipher.xml
TriCipher
7374
tw_enterprise.xml
Tripwire Enterprise
7374
ultravnc.xml
Ultra VNC
7374
Velociraptor.xml
Symantec Velociraptor
7374
509
FileName
Description
Version
1.5
velociraptor20.xml
Symantec Velociraptor
2.0
7374
velociraptor30.xml
Symantec Velociraptor
3.0
7374
vericeptmonitor.xml
Vericept Monitor
7374
VIPREBusiness.xml
VIPRE 5.0
7374
VIPREBusiness.xml
VIPREBusiness.xml
7374
VIPREEnterpriseDB.xml
7374
visneticfirewall.xml
VisNetic Firewall
7374
vistasecurity.xml
Windows 7/2008/Vista
Security Log
7449
vormetric.xml
Vormetric
7374
vsftpxfer.xml
vsftpd xferlog
7374
WatchguardFirewalls.xml
WatchGuard firewalls
7420
7374
websense.xml
7434
websenseDB.xml
7435
510
FileName
Description
websenseds.xml
WgFirebox.xml
WatchGuard Firebox
7429
WgSoho.xml
WatchGuard SOHO
7429
WgVclass.xml
WatchGuard Vclass
7374
WgVclassAlarm.xml
WatchGuard Vclass
(Alarm)
7374
WgVclassVpn.xml
WatchGuard Vclass
(VPN)
7374
WgXcore.xml
WatchGuard Xcore
7429
WgXCSauth.xml
7374
WgXCSsyslog.xml
7374
WgXedge.xml
WatchGuard Firebox X
Edge E-Series
7429
WindowsDHCPServer.xml
Windows DHCP
Server 2003
7374
WindowsDHCPServer.xml
Windows DHCP
Server 2000
7374
WindowsDHCPSystem.xml
Windows DHCP
Server
2000/2003/2008 System Log
7374
511
Version
FileName
Description
Version
WindowsDNSTraffic.xml
7374
windowsfirewall.xml
Windows Firewall
7374
WRGHostGateway.xml
Wescom Resources
Group's Host Gateway
Windows Log
7374
wsftpserver.xml
7374
xirruswifiarray.xml
7374
512
Logging on to CMC
To log on to CMC:
1. Connect to the Network Appliance in either of two ways:
2. In the Host Name (or IP address) box, type the IP address of your Manager (in this example, the IP address is 10.1.1.200).
3. Under Protocol, click SSH.
4. In the Port box, type 32022.
5. So you don't have to do this again, type Manager into the Saved Sessions box, and then click Save.
6. Click Open.
Note: To reopen this connection for future sessions, double-click Manager in the Saved Sessions box. The connection will reopen.
7. Whether you connect remotely or physically, the system will prompt you for your CMC user name and password.
Command            Description
activate
checklogs
cleantemp
clearsyslog
dateconfig
demote             Demotes the appliance to a secondary appliance in a high availability or disaster recovery configuration. The demoted appliance will disable running LEM services and resume replicating its configuration information from the configured primary appliance.
diskusage
editbanner
exit
help
hostname
limitsyslog
netconfig
ntpconfig          Configures the Network Time Protocol (NTP) service on the virtual appliance for synchronization with a time server.
password
ping               Pings other IP addresses or host names from the virtual appliance to verify network connectivity.
promote            Promotes the appliance to the primary appliance in a high availability or disaster recovery configuration. The promoted appliance will take over LEM services until it is demoted with the demote command.
reboot
setlogrotate
shutdown
top
tzconfig

Command            Description
actortoolupgrade
archiveconfig
backupconfig
cleanagentconfig
configurendepth
dbquery
debug
exit
exportcert
exportcertrequest
help
importcenter
logbackupconfig
resetadmin
restart
stop
support
togglehttp
viewsysinfo
watchlog

Command            Description
exit
help
logmarchiveconfig
logmbackupconfig
restart
start
stop

Command            Description
copysnortrules
disableflow
disablesnmp
enableflow
enablesnmp         SNMP is disabled on the Manager. This command enables SNMP to allow integration with some security tools that can only log using SNMP.
exit
getflowdbsize
help
restartsnort
restartssh
restrictconsole
restrictreports    allowable IP addresses or hostnames. Once the restriction is in place, only the given IP addresses/hostnames are able to create and view reports.
restrictssh
startssh
stopopsec
stopssh
Title
    Report file, Frequency
    Description

Authentication Report
Authentication Report - Authentication Audit
Authentication Report - Suspicious Authentication
Authentication Report - Top User Log On by User
    RPT2003-02.rpt, Weekly
    RPT2003-02-6-2.rpt, As needed
Authentication Report - Top User Log On Failure by User
Authentication Report - SolarWinds Authentication
Authentication Report - User Log Off
    RPT2003-02-5.rpt, As needed
    User Logoff events reflect account logoff events from network devices (including network infrastructure devices). Each event will reflect the type of device from which the user was logging off. These events are usually normal events but are tracked for consistency and auditing purposes.
Authentication Report - User Log On
    RPT2003-02-6.rpt, As needed
    User Logon events reflect user account logon events from network devices monitored by SolarWinds (including network infrastructure devices). Each event will reflect the type of device that the logon was intended for along with all other relevant fields.
Authentication Report - User Log On by User
    RPT2003-02-6-1.rpt, As needed
    This report lists all account logon events, grouped by user name.
Authentication Report - User Log On Failure
    RPT2003-02-7.rpt, As needed
    User Logon Failure events reflect failed account logon events from network devices (including network infrastructure devices). Each event will
Change Management - General Authentication: Domain Events
Change Management - General Authentication: Domain Events - Change Domain Attribute
Change Management - General Authentication:
    RPT2006-20.rpt, As needed
Change Management - General Authentication: Domain Events - Delete Domain Member
Change Management - General Authentication: Domain Events - Domain Member Alias
    RPT2006-20-01-3.rpt, As needed
Change Management - General Authentication: Domain Events - DomainAuthAudit
Change Management - General Authentication: Domain Events - New Domain
Change Management - General Authentication: Domain Events - New Domain Member
Change Management - General Authentication: Group Events
Change Management - General Authentication:
    RPT2006-20-01-6.rpt, As needed
    RPT2006-20-02.rpt, As needed
Change Management - General Authentication: Group Events - Delete Group
Change Management - General Authentication: Group Events - Delete Group Member
Change Management - General Authentication: Group Events - Group Audit
Change Management - General Authentication: Group Events - New Group
Change Management - General Authentication:
    RPT2006-20-02-2.rpt, As needed
Change Management - General Authentication: Machine Account Events
Change Management - General Authentication: Machine Account Events - Machine Disabled
    RPT2006-20-03-3.rpt, As needed
Change Management - General Authentication: Machine Account Events - Machine Enabled
    RPT2006-20-03-1.rpt, As needed
Change Management - General Authentication: Machine Account Events - Machine Modify Attribute
    type is changed. These events are uncommon and usually provided by the operating system.
Change Management - General Authentication: User Account Events
Change Management - General Authentication: User Account Events - User Disabled
Change Management - General Authentication: User Account Events - User Enabled
Change Management - General Authentication: User Account Events - User Modify Attributes
    RPT2006-20-04-2.rpt, As needed
Change Management - Network Infrastructure: Policy/View Change
    RPT2006-21.rpt, As needed
Change Management - Windows/Active Directory Domains: Group Created
    RPT2006-22-01.rpt, As needed
Change Management - Windows/Active Directory Domains: Group Deleted
    RPT2006-22-02.rpt, As needed
Change Management - Windows/Active Directory Domains: Group Events
    RPT2006-22.rpt, As needed
Change Management - Windows/Active Directory Domains: Group Property Updated
    RPT2006-22-03.rpt, As needed
    This report includes changes to Windows/Active Directory group properties, such as the display name.
Change Management - Windows/Active Directory Domains: Machine Events
    RPT2006-23.rpt, As needed
Change Management - Windows/Active Directory Domains: Machine Events - Account Created
    RPT2006-23-01.rpt, As needed
    This report includes creations of Windows/Active Directory machine accounts.
Change Management - Windows/Active Directory Domains: Machine Events - Account Deleted
    RPT2006-23-02.rpt, As needed
    This report includes deletions of Windows/Active Directory machine accounts.
Change Management - Windows/Active Directory Domains: Machine Events - Account Disabled
    RPT2006-23-03.rpt, As needed
    This report includes disables of Windows/Active Directory machine accounts.
Change Management - Windows/Active Directory Domains: Machine Events - Account Enabled
    RPT2006-23-04.rpt, As needed
    This report includes enables of Windows/Active Directory machine accounts.
Change
    RPT2006-23-05.rpt, As needed
    RPT2006-23-06.rpt, As needed
Change Management - Windows/Active Directory Domains: Machine Events - Added To OU
    RPT2006-23-07.rpt, As needed
    This report includes additions of Windows/Active Directory machine accounts to Organizational Units.
Change Management - Windows/Active Directory Domains: Machine Events - Removed From Group
    RPT2006-23-08.rpt, As needed
    This report includes removals of Windows/Active Directory machine accounts from groups.
Change Management - Windows/Active Directory Domains: Machine Events - Removed From OU
    RPT2006-23-09.rpt, As needed
Change Management - Windows/Active Directory Domains: New Critical Group Members
    RPT2006-22-04.rpt, As needed
Change Management - Windows/Active Directory Domains: OU Events
    RPT2006-24.rpt, As needed
Change Management - Windows/Active Directory Domains: OU Events - OU Created
    RPT2006-24-01.rpt, As needed
Change Management - Windows/Active Directory Domains: OU Events - OU Deleted
    RPT2006-24-02.rpt, As needed
Change Management - Windows/Active Directory Domains: OU Events - OU Properties Update
    RPT2006-24-03.rpt, As needed
Change Management - Windows/Active Directory Domains: User Events
    RPT2006-25.rpt, As needed
Change Management - Windows/Active Directory Domains: User Events - Account Created
    RPT2006-25-01.rpt, As needed
    This report includes creations of Windows/Active Directory user accounts.
Change Management - Windows/Active Directory Domains: User Events - Account Deleted
    RPT2006-25-02.rpt, As needed
    This report includes deletions of Windows/Active Directory user accounts.
Change Management - Windows/Active Directory Domains: User Events - Account Disabled
    RPT2006-25-03.rpt, As needed
    This report includes disables of Windows/Active Directory user accounts.
Change Management - Windows/Active Directory Domains: User Events - Account Enabled
    RPT2006-25-04.rpt, As needed
    This report includes enables of Windows/Active Directory user accounts.
Change Management - Windows/Active Directory Domains: User Events - Account Lockout
    RPT2006-25-05.rpt, As needed
Change Management - Windows/Active Directory Domains: User Events - Account Properties Updated
    RPT2006-25-06.rpt, As needed
Change Management - Windows/Active Directory Domains: User Events - Added To Group
    RPT2006-25-07.rpt, As needed
Change Management - Windows/Active Directory Domains: User Events - Added To OU
    RPT2006-25-08.rpt, As needed
Change Management - Windows/Active Directory Domains: User Events - Removed From Group
    RPT2006-25-09.rpt, As needed
Change Management - Windows/Active Directory Domains: User Events - Removed From OU
    RPT2006-25-10.rpt, As needed
    RPT2003-05.rpt, Weekly
    RPT2003-05-12.rpt, As needed
    RPT2003-05-22.rpt, As needed
    RPT2003-05-23.rpt, As needed
    Based IDS'.
File Audit Events - File Handle Open
    RPT2003-05-24.rpt, As needed
    File Handle Open is a specific File Handle Audit event generated for the opening of file handles. These events may be generated by a tool that has low-level file access, such as an Operating System or some Host-Based IDS'.
File Audit Events - File Link
    RPT2003-05-45.rpt, As needed
    File Link is a specific File Write event generated for the creation, deletion, or modification of links to other files. These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems.
File Audit Events - File Move
    RPT2003-05-46.rpt, As needed
    File Move is a specific File Write event generated for the operation of moving a file that already exists. These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems.
File Audit Events - File Read
    RPT2003-05-33.rpt, As needed
    File Read is a specific File Audit event generated for the operation of reading files (including reading properties of a file or the status of a file). These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems.
File Audit Events - File Write
    RPT2003-05-47.rpt, As needed
    File Write is a specific File Audit event generated for the operation of writing
    RPT2003-05-54.rpt, As needed
Incident Events
    RPT2006-19.rpt, Daily
Inferred Events
    RPT2006-27.rpt, As needed
Inferred Events by Inference Rule
    RPT2006-27-01.rpt, As needed
    This report tracks events that are triggered by correlations, and orders them by the correlation rule name.
Log On/Off/Failure
Network Traffic Audit
Network Traffic Audit - Application Traffic by Destination Machine
    RPT2003-06-11-2.rpt, As needed
Network Traffic Audit - Application Traffic by Provider SID
    RPT2033-06-11-3.rpt, As needed
Network Traffic Audit - Application Traffic by Source Machine
    RPT2003-06-11-1.rpt, As needed
    grouped by source machine/IP.
Network Traffic Audit - Application Traffic by Tool Alias
    RPT2003-06-11-0.rpt, As needed
Network Traffic Audit - Configuration Traffic
Network Traffic Audit - Core Traffic
    RPT2003-06-03.rpt, As needed
Network Traffic Audit - Core Traffic by Provider SID
Network Traffic Audit - Core Traffic by Source
    RPT2003-06-03-1.rpt, As needed
    This report lists all Core Traffic events (such as TCPTrafficAudit), grouped by source machine/IP.
Network Traffic Audit - Core Traffic by Tool Alias
Network Traffic Audit - Encrypted Traffic
    RPT2003-06-04.rpt, As needed
    Encrypted Traffic Audit events reflect application-layer traffic that has been encrypted and is intended for a secure host. Included in Encrypted Traffic Audit are client and server side application events, such as key exchanges, that normally occur after the low-level session creation and handshaking have completed.
Network Traffic Audit - Link Control Traffic
Network Traffic Audit - Point to Point Traffic
Network Traffic Audit - Remote Procedure Traffic
    RPT2003-06-08.rpt, As needed
    Remote Procedure Traffic Audit events reflect application-layer data related to remote procedure services. Included in Remote Procedure Traffic Audit are the traditional RPC services used to service remote logons and file shares, and other services which require remote procedure access to complete authentication, pass data, or otherwise communicate. RemoteProcedureTrafficAudit events generally indicate normal traffic for networks that have remote procedure services on their network; however, events of this type could also be symptoms of inappropriate access, misconfiguration of the remote procedure services, errors in the remote procedure calls, or other abnormal traffic.
Network Traffic Audit - Routing Traffic
    RPT2003- As
Network Traffic Audit - Time Traffic
Network Traffic Audit - Top Application Traffic by Source
    RPT2003-06-01-2.rpt, As needed
Network Traffic Audit - Top Core Traffic by Source
    RPT2003-06-03-2.rpt, As needed
Network Traffic Audit - Web Traffic
    RPT2003-06-01-2.rpt, As needed
Network Traffic Audit - Web Traffic by Provider SID
    RPT2003-06-01-3.rpt, As needed
Network Traffic Audit - Web Traffic by Source Machine
    RPT2003-06-01-1.rpt, As needed
    This report lists all WebTrafficAudit events grouped by source machine/IP.
Network Traffic Audit - Web Traffic by Tool Alias
    RPT2003-06-01-0.rpt, As needed
Network Traffic Audit - Web URL Requests by Source Machine
    RPT2003-06-01-5.rpt, As needed
Network Traffic Audit - Web URL Requests by Source Machine Graphs
    RPT2003-06-01-4.rpt, As needed
    This report shows graphs of the most frequently visited URLs for each client source machine.
Resource Configuration
    RPT2003-08.rpt, Weekly
Resource Configuration - Domain Authorization Audit
Resource Configuration - Group Audit
Resource Configuration - Machine Authorization Audit
    RPT2003-08-06.rpt, As needed
Resource Configuration - User Authorization Audit
    RPT2003-08-05.rpt, As needed
Authentication Report - Failed Authentication
    RPT2003-02-3.rpt, As needed
Authentication Report - Restricted Information Attempt
Authentication Report - Restricted Service Attempt
Console - Console Overview
Event Summary - Attack Behavior Statistics
    RPT2003-02-4.rpt, As needed
    RPT2003-01-02.rpt, As needed
Event Summary - Authorization Audit Statistics
    Event Summary Sub Report - Authorization Audit Statistics
Event Summary - Graphs
Event Summary - Machine Audit Statistics
    RPT2003-01-05.rpt, As needed
    Event Summary Sub Report - Machine Audit Statistics
Event Summary - Policy Audit Statistics
Event Summary - Resource Audit Statistics
Event Summary - Suspicious Behavior Statistics
Event Summary - Top Level Statistics
    RPT2003-01-07.rpt, As needed
    RPT2003-01-01.rpt, As needed
Machine Audit - File System Audit - Mount File System
Machine Audit - File System Audit - Unmount File System
Machine Audit - Process Audit - Process Start
Machine Audit - Process Audit - Process Stop
Machine Audit - Process Audit - Process Warning
    RPT2003-09-035.rpt, As needed
    RPT2003-09-040.rpt, As needed
Machine Audit - Service Audit - Service Info
    RPT2003-09-041.rpt, As needed
    RPT2003-09-042.rpt, As needed
Machine Audit - Service Audit - Service Stop
Machine Audit - Service Audit - Service Warning
Machine Audit - System Audit - Software Install
    RPT2003-09-025.rpt, As needed
Machine Audit - System Audit - System Reboot
    RPT2003-09-022.rpt, As needed
Machine Audit - System Audit - System Shutdown
    RPT2003-09-023.rpt, As needed
Machine Audit - System Audit - System Status
    RPT2003-09-024.rpt, As needed
Machine Audit - USBDefender
Malicious Code
    RPT2003-04.rpt, Weekly
Malicious Code - Service Process Attack
Malicious Code - Trojan Command Access
Malicious Code - Trojan Infection Access
Malicious Code Report - Virus Traffic Access
Network Events: Attack Behavior - Access - Access
Network Events: Attack Behavior - Access - Application Access
    RPT2003-11-02.rpt, As needed
Network Events: Attack Behavior - Access - Configuration Access
Network Events: Attack Behavior - Access - Core Access
Network Events: Attack Behavior - Access - Database Access
Network Events: Attack Behavior - Access - File System Access
Network Events: Attack Behavior - Access - File Transfer
Network Events: Attack Behavior - Access - Link Control Access
    RPT2003-11-07.rpt, As needed
Network Events: Attack Behavior - Access - Naming Access
Network Events: Attack Behavior - Access - News Access
Network Events: Attack Behavior
    RPT2003-11-11.rpt, As needed
    RPT2003-11-12.rpt, As needed
    Point To Point Access events reflect malicious or abusive usage of network resources where the intention, or the
Network Events: Attack Behavior - Access - Remote Console Access
Network Events: Attack Behavior - Access - Remote Procedure Access
    RPT2003-11-14.rpt, As needed
Network Events: Attack Behavior - Access - Time Access
Network Events: Attack Behavior - Access - Virus Traffic Access
    RPT2003-11-17.rpt, As needed
Network Events: Attack Behavior - Denial / Relay
Network Events: Attack Behavior - Denial / Relay - Application Denial
Network Events: Attack Behavior - Denial / Relay - Configuration Denial
Network Events: Attack Behavior - Denial / Relay - Core Denial
Network Events: Attack Behavior - Denial / Relay - Denial
Network Events: Attack Behavior - Denial / Relay - File Transfer Denial
Network Events: Attack Behavior
    RPT2003-12-07.rpt, As needed
    Link Control Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is link
Network Events: Attack Behavior - Denial / Relay - Relay
    RPT2003-12-09.rpt, As needed
Network Events: Attack Behavior - Denial / Relay - Routing Denial
Network Events: Attack Behavior - Denial / Relay - Web Denial
Network Events: Suspicious Behavior
Network Events: Suspicious Behavior - Application Enumerate
Network Events: Suspicious Behavior - Core Scan
Network Events: Suspicious Behavior - Footprint
Network Events: Suspicious Behavior - General Security
Network Events: Suspicious Behavior - Host Scan
    RPT2003-07-06.rpt, As needed
Network Events: Suspicious Behavior - MS Network Enumerate
Network Events: Suspicious Behavior - Network Suspicious
Network Events: Suspicious Behavior - Port Scan
    RPT2003-07-09.rpt, As needed
Network Events: Suspicious Behavior - Recon
Network Events: Suspicious Behavior - Remote Procedure Enumerate
    RPT2003-07-12.rpt, As needed
Network Events: Suspicious Behavior - Scan
Network Events: Suspicious Behavior - Trojan Scanner
    RPT2003-18.rpt, As needed
Agent Connection Status
Agent Connection Status by Agent
Agent Connection Summary
    RPT2006-31-01.rpt, As requested
    RPT2006-31-02.rpt, As requested
Agent Maintenance Report
    RPT2007-32.rpt, As requested
    This report is a diagnostic tool used by Customer Support, and generally run only at their request. This report displays internal event data for possible misconfigured agents.
Database
    RPT2006- As requested
List of Rules for Rule Subscriptions
    RPT2006-29-02.rpt, As needed
    This report lists available rules for the Rule Subscriptions.
List of Subscription Rules by User
    RPT2006-29-03.rpt, As needed
    This report lists the rules that users have subscribed to.
Tool Maintenance by Provider
    RPT2003-13.rpt, As needed
    This report is a diagnostic tool used by Customer Support, and generally run only at their request. List of New Tool Data events based on ProviderSID.
Tool Maintenance Detail Report
    RPT2003-14.rpt, As requested
    This report is a diagnostic tool used by Customer Support, and generally run only at their request. The report displays a summary of all SolarWinds error messages received from various tools.
Tool Maintenance Report
    RPT2003-13.rpt, As requested
    This report is a diagnostic tool used by Customer Support, and generally run only at their request. The report displays a

Frequency       Description
Daily
Weekly
As needed       SolarWinds suggests that you run these reports only when needed for specific auditing purposes, or when you need the details surrounding a Priority event or a suspicious event.
As requested    These reports are diagnostic tools and should only be run at the request of SolarWinds's technical support personnel.
Connector Categories
The following table describes the various categories of network security products that can be connected to LEM. The Description column describes how the connectors (sensors and actors) typically work with each type of product or device. The Use with columns indicate if each product type requires Manager connectors, Agent connectors, or both.

Category                 Description                                                   Use with Managers   Use with Agents
Anti-Virus
Application
Network Management
Operating Systems
System Scan Reporters
System Connectors
Access                   sensors and actors for use with Virtual Private Network (VPN) server products that provide secure remote access to networks. Normally, you will configure these connectors on the Manager.
Web Server
Configuring Sensors
The following table describes each field you'll find on the Connector Configuration form when configuring sensors for data gathering connectors. The actual fields that appear depend on the connector you are configuring. Not every field appears with every connector. For convenience, the table is sorted alphabetically by field name.

Field
    Description

Alias
    Type a name that easily identifies the application or appliance event log file that is being monitored. For active response connectors, we recommend you end the alias with AR. For example, an alias for the Cisco PIX Active Response connector might be Cisco PIX AR. This allows you to differentiate the active response connector from the data gathering connector.
Log File / Log Directory
    For most connectors, you can change the log file path, as needed. However, some products write events to the Windows Application Log or the Windows System Log. In these cases, you are actually configuring the sensor that monitors events that are written to that log file. For these connectors, the Log File setting is disabled, and the system automatically populates the Log File field with the name of the Windows event log the sensor is monitoring.
    In most cases, you should be able to use the default log file path that is shown for the connector. These paths are based on the default vendor settings and the product documentation for each product. If a different log path is needed, type or paste the correct path in the Log File box, or use the Browse button to browse to the correct folder or file.
    If you are uncertain about which file path to use, either refer to your original product documentation, or contact SolarWinds Technical Support.
    Note: If the product creates separate log files based on the current date or some other fixed interval, you can either select the log directory or any log file in that directory. If you select a log file, LEM reads through the directory's log files in order, from the file you selected to the most current file. The LEM then reads new files as they are added.
nDepth Host
nDepth Port
Daily: yymmdd.
Output
Server IP Address / [Product] IP Address / [Product] Server
Sleep Time
    Windows NT-based connectors automatically notify Windows Event Log sensors of new events that enter the log file. Should automatic notification stop for any reason, the Sleep Time dictates the interval the sensor is to use for monitoring new events.
Connector Version
Wrapper Name

If the connector settings you need are not shown here, you are probably configuring an active response connector. See "connector configuration tables," below. When you have finished configuring the connector settings, don't forget to start the connector.
Configuring Actors
The following table describes each field you will find on the Connector Configuration form when configuring actors for active response connectors. Because each connector is product-based, the fields that appear depend on the connector you are currently configuring. Not every field appears with every connector. For convenience, the table is sorted alphabetically by field name.

Field
    Description

Advanced
Auth Port
Base URL
Block Timeout
    for the blocks to expire from the firewall. A value of zero (0) means never expire.
Client DN
Enable Windows Active Response
From Zone
Incoming Interface
Password / Login Password
Port Name / Serial Port Name
Remote Connection Port
    Type the firewall port used for connecting to and configuring the firewall.
Server DN
Server Port
Server / Server Address / IP Address / [Product] IP Address
SSLCA
Take Admin Control
To Zone
Connector Configuration Instance (Alias)
    Type a name that easily identifies the product that LEM is to act on. For active response connectors, we recommend you end the alias with AR. For example, an alias for the Cisco PIX Active Response connector might be Cisco PIX AR. This allows you to differentiate the active response connector from the data gathering connector.
User Name / Login User Name
    Type the user name needed to log onto and configure the firewall. For some products, the user name must be the same one that was used when the firewall was installed.
Use this connector to have the Agent write the specified event data or text to the specified file.

Field
    Description

How to append
    Select Newline to write the event data to the file so that each event is on a distinct line (that is, one event per line), by inserting a return or newline character.
    Select No Newline to stream the event data to the file by appending the new data immediately following any existing data in the file.
Maximum file size (MB)
    Type the allowable maximum file size for the text file, in Megabytes.
User Name

Field
    Description

Directory Service Server
    Type the IP address or host name of your directory services server (commonly, this is a domain controller).
Domain Name
    Type the fully-qualified domain name of your directory services domain.
Password
    Type the password for the above user name that is valid on the configured domain and server for authenticating to the domain and retrieving group information.
Directory Service Server's Port
Return Display Name
    Type the name that you want to appear in the From field of active response e-mail messages.
Port
Return Address
    Type the email address that you want to appear in the From field of active response email messages.
Mail Host
Authentication Server Username
    Type the user name needed to access the internal email server, if required.
Authentication Server Password
    Type the password needed to access the internal email server, if required.
Test E-mail Address
    Type the e-mail address you want to use to test the Mail Host assignment. When you click the Test Email button, a test
Test Email button
The Left field column lists each type of field you can drag into the Conditions box's left field.
The Right field column lists the corresponding field types that you can drag into the Conditions box's right field.
The Operators columns list the types of comparisons you can make between left and right fields.
Left field types: event, event group, time of day, number constant, text constant, subscription group, connector profile, user-defined group, time constant.
Right field types: text constant, subscription group, connector profile, user-defined group, time constant, time of day, number constant.
Operators: not exists, exists, not in, in, =, >, >=, <, <=.
Click an operator to cycle through the various operators that are acceptable for the current condition.
Ctrl+click an operator to show a list of operators you can choose from. Then click to select the operator you want to use.
Operator tips
Table of operators
The following table describes each operator and how it should be interpreted when used as a filter condition.
Operator: Exists, Not exist. Use these operators to specify if a particular event or Event Group exists. Read conditions with these operators as follows: This [event/Event Group] must [exist/not exist]. Note: "Not exist" is only used in rules.
Operator: is in, is not in
Operator: Equals
Operator: Greater than, Greater than OR equal to, Less than, Less than OR equal to. Read conditions with these operators as follows:
Operator: AND, OR. Filter groups and conditions, and rule groups and correlations, are all subject to AND and OR conditions. By default, new groups, conditions, and correlations appear with an AND condition. AND and OR conditions can surround nested groups, and they can be used between groups on the same level to create complex filter conditions or rule correlations.
Example and description:
- If all of the conditions apply, report the event.
- If x OR y OR z occurs, report the event. If any of the conditions apply, report the event.
- If (x AND y) OR z occurs, report the event.
- If (a AND b) OR (x AND y) OR (z) occurs, report the event.
- Condition1 AND Condition2 AND Condition3 OR Condition4 AND Condition5.
Notifications table
2. Drag one or more notification options from the Notifications list to the Notifications box.
3. Configure each option, as described in the Notifications table, below.
Notifications table
The following table lists the various notification methods that can be employed to notify a user that a filter's event threshold has been met.
- The Notification column lists each option that is available in the list pane's Notifications list. They are alphabetized for easy reference.
- The Description column briefly states how each option behaves.
- The Fields column explains the data fields that can be configured for each option.

Notification: Display Popup Message

Notification (name not extracted). Description: This option displays new events in the filter with bold text. Fields: Not applicable.

Notification (name not extracted). Fields:
Color: Click the Color button to open the Blink Color form. Choose a color from one of the three color palettes. Then click OK. The filter name will blink in this color.
Time (ms): Move the slider to select the amount of time between blinks, in milliseconds.
Notify on x events received: Type the number of events the filter must receive before the filter tab begins blinking.
Repeat on x events received: The filter tab stops blinking once you acknowledge it by selecting it. If you want the tab to begin blinking again after receiving repeated events, select the Repeat on check box. Then in the events received box, type how many more events the filter should receive before it starts blinking again.

Notification: Play Sound. Fields:
Sound/Browse: To select a sound, click the Browse button. Then use the Open form to locate and select the sound file that you want to use. Sound files must be of the .wav file type. When you are done, the name of the file should appear in the Sound box. To test the sound, click the play button.
Notify on x events received: Type the number of events the filter must receive before playing the sound.
Repeat on x events received: If you want the sound to play again after receiving repeated events, select the Repeat on check box. Then in the events received box, type how many more events the filter should receive before the filter plays the sound another time.
The Left field column lists each type of field you can drag into the Correlations box's left field.
The Right field column lists the corresponding field types that you can drag into the Correlations box's right field.
The Operators columns list the types of comparisons you can make between left and right fields.
Left field types: event, event group, time constant, number event field, number event group field, number state variable, text constant, number constant.
Right field types: text constant, directory service group, connector profile, user-defined group, time of day, number state variable field, number constant.
Operators: not exists, exists, not in, in, =, >, >=, <, <=.
Click an operator to cycle through the various operators that are acceptable for the current condition.
Ctrl+click an operator to show a list of operators you can choose from. Then click to select the operator you want to use.
Operator Tips
The following tips apply to operators:
- Filter groups and conditions, and rule groups and correlations, are all subject to AND and OR conditions. By default, new groups, conditions, and correlations appear with an AND condition. AND and OR conditions can surround nested groups, and they can be used between groups on the same level to create complex filter conditions or rule correlations.
Example and description:
- If x OR y OR z occurs, report the event. If any of the conditions apply, report the event.
- If (x AND y) OR z occurs, report the event.
- If (a AND b) OR (x AND y) OR (z) occurs, report the event.
- Condition1 AND Condition2 AND Condition3 OR Condition4 AND Condition5.
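The nested AND/OR grouping and the operator set described in the tables above, as an added example that is not SolarWinds code: a small evaluator that runs a rule of the page's "(a AND b) OR (x AND y) OR (z)" shape over constructed normalized events. The group contents, the event names (UserLogon, SystemStatus), the field names and every sample value are assumptions made for the illustration.

```python
"""Evaluator for LEM-style filter conditions and rule correlations:
nested AND/OR groups over the operators in the tables above (exists,
not exists, in, not in, =, >, >=, <, <=).  Added illustration written
for this page, not SolarWinds code; the group contents, event field
names and sample events below are constructed."""
import operator

# Constructed stand-ins for the constants a right field can be dragged
# from (a User-Defined Group, Directory Service Group, Connector Profile).
GROUPS = {
    "Trusted IPs": {"10.0.0.5", "10.0.0.6"},
    "Admin Accounts": {"administrator", "svc_backup"},
}

_COMPARE = {"=": operator.eq, ">": operator.gt, ">=": operator.ge,
            "<": operator.lt, "<=": operator.le}


def resolve(side, event):
    """A side is ("field", name) read from the event, ("const", value),
    or ("group", name) naming one of the groups above."""
    kind, value = side
    if kind == "field":
        return event.get(value)
    if kind == "group":
        return GROUPS[value]
    return value


def eval_condition(cond, event):
    """One row of the Conditions/Correlations box."""
    op = cond["op"]
    if op in ("exists", "not exists"):
        # Read as: this [event/Event Group] must [exist/not exist].
        present = event.get("EventType") in cond["events"]
        return present if op == "exists" else not present
    left = resolve(cond["left"], event)
    right = resolve(cond["right"], event)
    if op in ("in", "not in"):
        hit = left is not None and left in right
        return hit if op == "in" else not hit
    if left is None or right is None:
        return False  # a missing event field never satisfies =, >, ...
    return _COMPARE[op](left, right)


def eval_group(node, event):
    """node = {"logic": "AND"|"OR", "items": [condition or nested group, ...]}.
    A group without an explicit logic defaults to AND, as new groups do."""
    logic = node.get("logic", "AND")
    results = [eval_group(item, event) if "items" in item
               else eval_condition(item, event) for item in node["items"]]
    return all(results) if logic == "AND" else any(results)


# The page's "(a AND b) OR (x AND y) OR (z)" shape, with constructed
# conditions: (UserLogon exists AND DetectionIP not in Trusted IPs)
#          OR (EventType = UserLogon AND DestinationAccount in Admin Accounts)
#          OR (EventsPerMinute >= 100)
RULE = {"logic": "OR", "items": [
    {"logic": "AND", "items": [
        {"op": "exists", "events": ["UserLogon"]},
        {"op": "not in", "left": ("field", "DetectionIP"), "right": ("group", "Trusted IPs")}]},
    {"logic": "AND", "items": [
        {"op": "=", "left": ("field", "EventType"), "right": ("const", "UserLogon")},
        {"op": "in", "left": ("field", "DestinationAccount"), "right": ("group", "Admin Accounts")}]},
    {"op": ">=", "left": ("field", "EventsPerMinute"), "right": ("const", 100)},
]}

# Constructed normalized events (not captured data).
EVENTS = [
    {"EventType": "UserLogon", "DestinationAccount": "administrator", "DetectionIP": "10.0.0.5"},
    {"EventType": "UserLogon", "DestinationAccount": "alice", "DetectionIP": "10.0.0.5"},
    {"EventType": "UserLogon", "DestinationAccount": "bob", "DetectionIP": "198.51.100.7"},
    {"EventType": "SystemStatus", "EventsPerMinute": 250},
]


def matching(events, rule=RULE):
    """Indexes of the events the rule would report."""
    return [i for i, e in enumerate(events) if eval_group(rule, e)]


if __name__ == "__main__":
    print(matching(EVENTS))  # [0, 2, 3]
```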
Accountable
The following table lists the various actions a Manager can take to respond to events. These actions are configured in the Respond form when you are initiating an active response, and in the rule window's Actions box when you are configuring a rule's automatic response.
The table's Action column lists the actions that are available. They are alphabetized for easy reference. The Description column briefly states how the action behaves. The Fields column lists the primary data fields that apply with each action. Some data fields will vary, depending on the options you select.

Action: Add Domain User To Group
Agent: Select the event field or constant that defines the Agent on which the group to be modified resides. To modify a group at the domain level, specify a domain controller as the Agent.
Group Name: Select the event field or constant that defines the group that is to be modified.
Username: Select the event field or constant that defines the user who is to be added to the group.

Action (name not extracted; its description ends "group.")
Agent: Select the event field or constant that defines the Agent on which the file to be appended is located.
File Path: Select the event field or constant that defines the path to the Agent file that is to be appended with text.
Text: Select the event field or constant that defines the text to be appended to the file.

Action: Block IP

Action: Create User Account
Account Name: Select the event field or constant that names the account that is to be created.
Account Password: Select the event field or constant that defines the password that is to be assigned to the new account.

Action: Create User Group

Action: Delete User Account
Agent: Select the event field or constant that defines the Agent on which the user account is to be deleted. To delete a user account at the domain level, specify a domain controller as the Agent.
Account Name: Select the event field or constant that names the account that is to be deleted.

Action: Delete User Group
Agent

Action: Detach USB Device
Agent: Select the event field or constant that defines the Agent from which the USB device is to be detached.
Device: Select the event field or constant that defines the device ID of the USB device that is to be detached.

Action: Disable Local User Account
Agent: Select the event field or constant that defines the Agent on which the local user is to be disabled.
Destination Account: Select the event field or constant that defines the account that is to be disabled.

Action: Disable Networking

Action: Disable Windows Machine Account

Action: Enable Local User Account
Agent: Select the event field or constant that [...] an Agent.

Action: Enable Windows Machine Account

Action: Incident Event
Event: Select which Incident Event the rule is to create.
Event Fields: From the list pane, select the events and constants that define the appropriate data elements for each event field. The fields vary, depending on which Incident Event is selected.

Action: Infer Event
Event: Select which Event the rule is to infer.
Event Fields: From the list pane, select the events and constants that define the appropriate data elements for each event field. The fields vary, depending on which event is selected.

Action: Kill Process by ID
Agent: Select the event field or constant that defines the Agent on which the process is to be terminated.
Process ID: Select the event field or constant that identifies the ID number of the process that is to be terminated.

Action: Kill Process by Name
Agent: Select the event field or constant that defines the Agent on which the process is to be terminated.
Process Name: Select the event field or constant that identifies the name of the process that is to be terminated.
Account Name: Select the event field or constant that identifies the name of the account that is running the process to be terminated.

Action (name not extracted)
Agent: Select the event field or constant that defines the Agent from which the user is to be logged off.
Account Name: Select the event field or constant that identifies the specific account name that is to be logged off.

Action: Modify State Variable
State Variable: From the State Variables list, drag the state variable that the rule is to modify.
State Variable Fields: From the appropriate component list, type or drag the data element that is to be modified in the state variable. The fields vary, depending on which state variable is selected.

Action: Remove Domain User From Group

Action: Remove Local User From Group
Agent: Select the event field or constant that defines the Agent on which the group to be modified resides.
Group Name: Select the event field or constant that defines the group that is to be modified.
User Name: Select the event field or constant that defines the user who is to be removed from the group.

Action (name not extracted)
User-Defined Group: From the User-Defined Groups list, select the user-defined group from which the specified data element is to be removed.
Value: Select the event field or constant that defines the data element that is to be removed from the specified user-defined group. The fields will vary according to which user-defined group you select.

Action: Reset User Account Password

Action (name not extracted)
Agent: Select the event field or constant that identifies the Agent that is to be rebooted.
Delay (sec): Type the time (in seconds) after the event occurs that the Manager is to wait before rebooting the Agent.

Action: Restart Windows Service
Agent: Select the event field or constant that identifies the Agent on which the Windows service will be restarted.
Service Name: Select the event field or constant that identifies the name of the service that is to be restarted.

Action: Send Email Message
Email Template: Select the template that the email message is to use.
Recipients: Click the check boxes to select which users are to receive the email message.
Email Fields: Either drag a field from the components list, or select a constant from the components list to select the appropriate data elements that are to appear in each email template field. The fields vary, depending on which email template is selected.

Action: Send Popup Message
Agent: Select the event field or constant that identifies the Agent that is to receive the pop-up message.
Account Name: Select the event field or constant that identifies the user account to receive the message.
Message: Select the event field or constant that defines the message that is to appear on the Agent's monitor.

Action: Shutdown Machine

Action: Start Windows Service
Agent: Select the event field or constant that identifies the Agent on which the Windows service is to be started.
Service Name: Select the event field or constant that defines the Windows service that is to be started.

Action: Stop Windows Service
Agent: Select the event field or constant that identifies the Agent on which the Windows service is to be stopped.
Service Name: Select the event field or constant that defines the Windows service that is to be stopped.
6. Click Actions on the components pane, and then locate Add User-Defined Group Element.
7. Drag Add User-Defined Group Element into the Actions box.
8. Within the Add User-Defined Group Element, select the appropriate User-Defined Group, such as Authorized USB Devices. If you do not find the User-Defined Group, perform the following:
a. Close the action and select Build > Groups.
b. Select the + button on the top right to create your own User-Defined Group, or clone an existing group.
9. Populate the action using the alerts present in your Correlations. For the USB example:
a. Select Authorized USB Devices from the User Defined Group menu.
b. Click Alerts on the components pane, and then verify that SystemStatus is still selected.
c. Drag ExtraneousInfo from the Fields: SystemStatus list into the blank Value field in the action.
10. Select Enable at the top of the Rule Creation window, and then modify the Test and Subscribe settings if you want.
Putting a rule into Test allows the rule to function as needed, but the rule will not perform any of the actions listed. In this example, it will not add any information to the User-Defined Group.
11. Click Save at the bottom of the Rule Creation window.
12. Click Activate Rules at the top of the main Rules view.
Any time the event you defined in your rule occurs, the value you defined in the Value field of the action gets added to the User-Defined Group you specified. In the USB example, the attached device is added to the Authorized USB Devices group.
Additional Information
For additional information about working with LEM rules, see Creating Rules from your LEM Console to Take Automated Action.
2. Open each of the BRPT*.ini files and make the following changes in a text editor:
- Replace the default value next to Manager1 with the hostname of the LEM Manager or database appliance in your environment. Use the hostname of your LEM database appliance if you have a dedicated appliance to store your normalized LEM alert data.
- Modify the ExportDest file path if you want to customize the location to which LEM Reports saves the exported reports. The default file path is %ProgramFiles%\SolarWinds Log and Event Manager Reports\Export.
9. In the Add arguments (optional) field, enter the following, according to the task being created:
Notes:
15. On the Properties window, select Run whether user is logged on or not.
16. Select Run with highest privileges.
17. Select the appropriate operating systems in the Configure for menu, and then click OK to save your changes and exit the Properties window.
18. Enter the Windows password for the user specified for this task, and then click OK.
Daily Reports
- EventSummary.pdf
- SubscriptionsByUser.pdf
- Incidents.pdf
- NetworkTrafficAudit.rpt
Weekly Reports
- MaliciousCode.rpt
- NetSuspicious.rpt
- NetAttackAccess.rpt
- NetAttackDenial.rpt
- Authentication.rpt
- FileAudit.rpt
- MachineAudit.rpt
- ResourceConfiguration.rpt
Notes:
- You can open reports with the .rpt extension in LEM Reports for filtering and exporting. If you have another program, like Crystal Reports, associated with this file format, you can access these reports with LEM Reports by opening the Reports console first and then clicking Open on the Settings tab.
- If you create a scheduled report, you can remove the task from Windows Task Scheduler, and the ini file will still be under the SchedINI directory. You can change the name of the RPTxxxxx-x.ini to BRPTxxxxx-x.ini, and add the file to the BatchDay.INI or the BatchWeek.INI.
8. When the new connector appears in the Connectors list, click the gear next to it and click Start.
Note: The authorized devices in the local whitelist must also be in the UDG for the manager's Detach Unauthorized USB rule, or the rule on the manager enforces detachment when the laptop is connected to the network. In reverse, if you are using a blacklist and the device is in the USB Local Policy and not in the User Defined Group of the rule, the device still detaches.
Having a device or user in one whitelist or blacklist and not in the other is not recommended and yields inconsistent results.
Configuring your LEM Appliance Log Message Storage and nDepth Search
nDepth in this section refers to RAW data (original log), and is different from the nDepth Search performed under Explore > nDepth in the Console.
If you enable original log storage (RAW database storage) and enable connectors to send data to both databases, LEM storage requirements may double for the same retention period, and extra resource reservations of at least two additional CPUs and 8-16 GB of RAM may be required.
Original log (RAW log storage) will not appear in the Monitor tab in the Console. Rules can only fire on normalized data, not on the RAW log data being received.
To configure your LEM Manager to store original log files in their own database:
Note: The following procedure must be completed prior to configuring any connector to send log messages to your LEM appliance.
1. Log in to your LEM appliance using CMC credentials.
2. At the cmc> prompt, enter manager.
3. At the cmc::cmm# prompt, enter configurendepth and follow the prompts to configure your LEM Manager to use an nDepth server:
a. Enter y at the Enable nDepth? prompt.
b. If you are prompted with Run nDepth locally? (Recommended), enter y. This will configure a separate database on your LEM appliance to store original log files.
c. If your LEM implementation consists of several appliances, follow the prompts to complete the process for your dedicated database or
2. In the Connector Details pane, change the Output value to Alert, nDepth. Leave the nDepth Host and nDepth Port values alone unless otherwise instructed by Support. The Output values are defined as:
- Alert: Sending
- nDepth: Sending
Note: This is the default location for 64-bit operating systems. If you are utilizing a 32-bit operating system, the default folder would be C:\Program Files\SolarWinds Log and Event Manager Reports\CustomReports
6. In the File name field, type a name for your filtered report that will allow you to identify the report by the filename under Custom Reports, and click Save.
To see your new report in the Reports console:
1. On the Reports window, click the Settings tab.
2. From the Category list, select Custom Reports.
3. On the Quick Access Toolbar, click the Refresh Report List icon or press F5. When the refresh completes, the new custom report will appear in the list, displaying any changes made to its Properties.
You may now launch your custom report for any time frame.
1. Locate the new Connector Profile in the Build > Groups view.
2. Click the gear icon next to your Connector Profile, and then select Edit.
3. Move LEM Agents from the Available Agents list to the Connector Profile
by clicking the arrow next to them.
4. If you are finished adding LEM Agents to your Connector Profile, click Save.
The connector configurations set for the template agent will be applied to any
agent added to the Connector Profile.
- Static text that lets you customize the appearance of the email
- Dynamic text (parameters) that is filled in from the original event that triggered the rule to fire
For example, when creating an Account Lockout template that will notify you when an account is locked out, or automatically file a trouble ticket, fill in some static text that describes the event and then use the dynamic text to describe the account that was filled in from the original event, such as the username and the computer or domain controller they were locked out on.
Create templates that are specific to a type of event you are looking for to help avoid creating one email template per rule. For example, you can have one template for Account Modification that can be used to tell you when a user is added/removed from a group, their password is reset, or other details are changed. There is no limit to the number of templates.
To keep rules, events, and emails simple to manage, SolarWinds recommends the following:
- Create the email template with a name that describes the event.
- In the email template subject and/or message, enter the event/rule name to describe the event/alert.
When receiving the email, you can easily identify the email template used, the rule that fired, and the event that caused the rule to fire.
To create a new email template:
1. Go to Build > Groups.
2. Click the + button at the top, and choose Email Template, or select one of the existing Email Templates and clone the template, then modify the name and parameters of the template.
3. In the Details pane, provide a name for your template. This will be used in rules to reference the template.
4. To create dynamic text (parameters) for your rule:
a. Type a name in the Name field under the Parameters list and click the + button. For example, DetectionIP, DestinationAccount, EventInfo, and so on. This name is a reference to the actual event data.
b. Repeat this for all the parameters you want to add.
Note: Each one of these is a variable that holds your data and places it in the right location in the email. For example, for an Account Lockout template, consider using the following parameters:
- Time
- Account
- DC
- Machine
- Drag a Group from the list pane on the left over to replace the Text Constant field. The most commonly used Groups include User Defined Groups, Connector Profiles, Directory Service Groups, and Time Of Day Sets.
- Drag an Event field from an Event already present in your Correlations over to replace the Text Constant field. This will result in a parameter that states whether values from different Events in your Correlations should match.
- All rules require at least one action, though they can contain several if you want.
- Populate your action with Constants or Event fields as appropriate. When you use Event fields in your Actions, follow the procedure above for populating your Correlations, and be sure to use the same Event or Event Group as is present in your Correlations.
For example: Since the Correlations in the rule illustrated above are based on the UserLogon Event, the fields used in its Actions must come from the UserLogon Event.
12. If the Rule Status below the Description field contains an error or warning, click the status indicator to view additional details and address the issue.
13. If you want your rule to be fully functional once it's on your LEM Manager, select the Enable checkbox next to the Description field.
14. If you want to disable your rule's Actions to test its configurations, select the Test checkbox.
Note: Rules must also be enabled for them to work in Test mode.
15. If you want your rule to generate a local notification for any LEM Console user, select the user from the Subscribe list.
Note: This option also tracks the rule's activity in the Subscriptions report in LEM Reports.
16. Click Save.
17. Once your rule is in your Custom Rules folder, click Activate Rules to sync your local changes with the rules folders on your LEM Manager and allow the new/changed rules to function properly.
Important: When enabling or disabling rules, no changes will take effect until the Activate Rules button is clicked.
Video
Click the video icon to view the corresponding tutorial, which offers more information on creating rules in the LEM Console.
To allow logging into the Console for configuring LEM. A local user can be created for login, or an Active Directory user can be added for login. Adding an AD user requires the Directory Service Query connector to have been configured to access AD.
To allow rules to send an email when a particular event or alert happens.
SolarWinds recommends that you create distinct users for anyone who needs to receive email notifications from the LEM manager. There are a number of common ways this can be done:
- If there are users who need to access the Log & Event Manager Console, you can create an admin, auditor, or monitor user. Be sure to associate an email address with each user.
- Admin: Default user that cannot be deleted and has full access to everything in the Console.
Note: SolarWinds does not recommend multiple users sharing the Admin account, for auditing purposes.
- Auditor: User with read/write access to Monitor (filters) and read-only access to rules.
- Monitor: User with read-only access to everything in the Console.
- Contact: User without access to anything in the Console. They are unable to log in to the Console. This type of user is added for purposes of sending emails to the user's email address and bringing in distribution lists or cellular email-to-SMS addressees for texts.
- Reports: Created to allow the SolarWinds Reports application secure access to the LEM database when TLS authentication is enabled. This type of user is unable to log in to the Console and has no access to it.
To set up users:
1. Go to Build > Users.
2. Click the + button on the top right, and select LEM User, or Directory
Service User.
3. Fill in the information at the bottom, which includes selecting the role for this
user.
Note: If you're creating a Contact user, you do not need to enter a password.
4. Add email addresses to the user by clicking + under Contact Information
and clicking Save.
Note: When adding an Active Directory user, most deployments of AD will
auto-populate the user's email address. You may not be able to
add/modify/delete the pre-populated email address. You will need to create
a new local user or use an existing user to add the email address to.
5. Click Save at the bottom once done.
Windows Event ID
5152, 5154, 5156, 5157, 5158, 5159
5152, 5154, 5156, 5157, 5158, 5159
5152, 5154, 5156, 5157, 5158, 5159
5152, 5156, 5157, 5158, 5159
5152, 5156
5152
Windows Event ID and brief description:
5152: Windows Filtering Platform blocked a packet
5154: Windows Filtering Platform permitted an application or service to listen on a port for incoming connections
5156: Windows Filtering Platform allowed a connection
5157: Windows Filtering Platform blocked a connection
5158: Windows Filtering Platform permitted a bind to a local port
5159: Windows Filtering Platform blocked a bind to a local port
Read attributes
Read permissions
12. Click OK in each window until you are back at the Windows Explorer window.
13. Repeat these steps for all files or folders you want to audit.
Option 2
1. Open the LEM Console and go to Manage > Appliances.
2. Select the gear on the left of a specific agent whose files you want to monitor.
3. Search for File Integrity Monitoring (FIM) and select the gear on the left to create a new FIM connector for this agent.
4. You may choose a pre-defined template from the Monitor Templates pane or create a custom monitor by performing the following steps:
a. Click Add Custom Monitor in the Selected Monitors pane.
b. Assign a name and description (optional).
c. Click Add New Button.
d. Click Browse to search for the directory that you want to monitor, and then click OK.
e. Specify which kind of files you want to monitor in the with mask field.
f. Select the boxes for which kind of operations you want to monitor in the for these actions field, and click Save.
Note: You may repeat these steps for every directory or file type that you want to monitor.
g. When the custom monitor is created, click Save and the new monitor will appear in the Selected Monitors pane.
Note: You have the option to promote this custom monitor to a template.
5. You can create a Connector Profile under Build > Groups to allow a common group of connector configurations for agents that will be placed under this profile.
- To monitor accepted traffic, use the log target in your accept ACLs instead of the buildup logging. This lets you control what accepted traffic you are made aware of.
- To monitor the information about the actual NAT, consider the event load this will create. Plan a test phase where you turn it on and determine if it is valuable to you for investigating.
- Consider the nDepth original log message store if you are interested in unmodified log data (versus the normalized data). Note that this consumes additional disk space.
- Consider whether you need both buildups and teardowns, or just buildup messages. The teardown NAT messages include the same info as the buildup messages, along with some duration and size info that may or may not be useful. A lot of colleges and universities that are using the buildup messages do not rely on the teardown messages; they only need to know a connection was established for verification/analysis/correlation.
- Check your syslog data to determine and enable only those buildup and/or teardown events that are of use.
4. Select Disk file from the Destination list, and click OK.
5. If you want to set a page range for the exported report, select Page
Range and enter a From and To value.
6. Click OK.
7. Specify a folder and file name for the exported report.
8. Click Save.
Video
Click the video icon to view the corresponding tutorial, which offers more information on filtering and exporting LEM Reports.
Admin Accounts
Admin Groups
Sensitive Files
Service Accounts
Trusted IPs
Data
*Administrators*
*backup oper*
DNSAdmin*
Uses
Uses
The following are examples of default filters and rules that use the blank and
sample groups.
Filters
l
Note: The Domain Controllers (all) filter uses a Connector Profile in the constant position by default, but you can replace it with a User-Defined Group or Directory Service Group if the Connector Profile is not sufficient for your environment. For additional information about Connector Profiles, see Creating Connector Profiles to Manage and Monitor LEM Agents.
Rules
If you want to add new filters to the user's Filters list, create or import the filters as appropriate.
If you want to remove a filter from the user's Filters list, point to the filter and click the x that appears to the right.
Scheduled Report INI files are located in: Program Files\SolarWinds Log
and Event Manager Reports\SchedINI
The following list identifies the number assigned to each possible format for a
LEM report:
Number  Report Format
1       Excel: MS Excel 97-2000, with headings format
2       Exceldata: MS Excel 97-2000, data only format
3       HTML32: HTML version 3.2 format
4       HTML40: HTML version 4.0 format
5       PDF: Adobe Portable Document format
6       RTF: Rich Text Format
7       CSV: Separated Values Text format
8       TAB: Tab Separated text format
9       Text: Text based report format
10      Word: MS Word Document format
11      XML: XML Document format
12      RPT: Crystal RPT w/ Data format
Keyword=2009331
Filename=C:\Program Files\SolarWinds Log and Event Manager Reports\Reports\RPT2009-33-1.rpt
[DSNManager]
Manager1=sherman
[RptParams]
RptDateRangeDesc=DAY_P
RptDateRange=2
RptStartTime=12:00:00 AM
RptStopTime=11:59:59 PM
TopN=20
[Export]
DoExport=T
ExportDesc=EXCEL
ExportFormat=1
ExportDest=C:\Program Files\SolarWinds Log and Event Manager Reports\Export
ExportFileName=format1.xls
ExportOverWrite=INCREMENT
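To make the format table and the INI sample above concrete, here is an added Python example (not SolarWinds code) that parses a Scheduled Report INI file and checks that its [Export] section is consistent with the format-number table; the parser and the checks are my own, and the [Export] keys are taken as shown on this page.

```python
"""Parse a LEM Scheduled Report INI file and check its [Export] section
against the report-format number table above."""
import re

# Format numbers from the page's table.
REPORT_FORMATS = {
    1: "Excel", 2: "Exceldata", 3: "HTML32", 4: "HTML40", 5: "PDF", 6: "RTF",
    7: "CSV", 8: "TAB", 9: "Text", 10: "Word", 11: "XML", 12: "RPT",
}

def parse_ini(text):
    """Minimal INI parser; keys before the first [section] go under the '' key.
    Values are kept verbatim because the Windows paths contain spaces and backslashes."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][key.strip()] = value.strip()
    return sections

def check_export(sections):
    """Return the list of problems found in [Export]; an empty list means the
    section is consistent with the format table."""
    export = sections.get("Export")
    if export is None:
        return ["missing [Export] section"]
    problems = []
    if export.get("DoExport") not in ("T", "F"):
        problems.append("DoExport must be T or F")
    number = export.get("ExportFormat", "")
    number = int(number) if number.isdigit() else None
    if number not in REPORT_FORMATS:
        problems.append("ExportFormat must be a number from 1 to 12")
    else:
        expected = REPORT_FORMATS[number]
        desc = export.get("ExportDesc", "")
        if desc.lower() != expected.lower():
            problems.append(f"ExportDesc {desc!r} does not match format {number} ({expected})")
    for key in ("ExportDest", "ExportFileName"):
        if not export.get(key):
            problems.append(f"{key} is empty")
    return problems

def validate(text):
    return check_export(parse_ini(text))

# The page's own sample INI, used here as test input.
SAMPLE_INI = r"""Keyword=2009331
Filename=C:\Program Files\SolarWinds Log and Event Manager Reports\Reports\RPT2009-33-1.rpt
[DSNManager]
Manager1=sherman
[RptParams]
RptDateRangeDesc=DAY_P
RptDateRange=2
RptStartTime=12:00:00 AM
RptStopTime=11:59:59 PM
TopN=20
[Export]
DoExport=T
ExportDesc=EXCEL
ExportFormat=1
ExportDest=C:\Program Files\SolarWinds Log and Event Manager Reports\Export
ExportFileName=format1.xls
ExportOverWrite=INCREMENT
"""
```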
On Windows hosts:
1. Open Control Panel > Administrative Tools > Services.
2. Navigate to SolarWinds Log and Event Manager Agent.
3. Click Start (green Play button) if the LEM Agent is not running.
On Linux hosts:
1. Run ps ax | grep contego in a CLI terminal.
2. Look for ContegoSPOP.
3. If the LEM Agent is not running, run sudo /etc/init.d/swlemagent start.
4. Enter the root password if necessary.
On Mac hosts:
1. Run ps ax | grep -i trigeo in a CLI terminal.
2. Look for SWLEMAgent.
3. Run launchctl load /Library/LaunchDaemons/com.trigeo.trigeoagent.plist if the LEM Agent is not running.
Check that the LEM Agent is running the current version of the software.
To check the version of a LEM Agent:
1. Open the most recent copy of spoplog.txt in a text editor from the installation folder:
• Windows: C:\Windows\system32\ContegoSPOP\
• Linux: /usr/local/contego/ContegoSPOP/
• Mac: /Applications/TriGeoAgent/
Intermittent connectivity
Contact Support if all conditions have been verified, and symptoms still
continue.
On Windows hosts:
1. Stop the SolarWinds Log and Event Manager Agent service
in Control Panel > Administrative Tools > Services.
2. Delete only the six (6) files *.xml and *.trigeo under the spop
folder in C:\Windows\system32\ContegoSPOP\
3. Delete the entry for the affected LEM Agent in the Manage >
Nodes pane in the LEM Console by clicking the gear icon next
to the entry, and then clicking Delete.
4. Restart the LEM Agent service.
If resetting fails, perform the following steps:
1. Stop the SolarWinds Log and Event Manager Agent service
in Control Panel > Administrative Tools > Services.
2. Delete the spop folder in C:\Windows\system32\ContegoSPOP\.
Important: Do not delete the ContegoSPOP folder.
3. Delete the entry for the affected LEM Agent in the Manage >
Nodes pane in the LEM Console by clicking the gear icon next
to the entry, and then clicking Delete.
4. Restart the LEM Agent service.
On Linux hosts:
1. Stop the swlem-agent service: /etc/init.d/swlem-agent stop
2. Delete the spop folder: rm -Rf /usr/local/contego/ContegoSPOP/spop
3. Delete the entry for the affected LEM Agent in the Manage > Nodes pane in the LEM Console by clicking the gear icon next to the entry, and then clicking Delete.
4. Restart the swlem-agent service: /etc/init.d/swlem-agent start
On Mac hosts:
1. Unload swlemagent.plist: launchctl unload /Library/LaunchDaemons/com.swlem.swlemagent.plist
3. Delete the entry for the affected LEM Agent in the Manage > Nodes pane in the LEM Console by clicking the gear icon next to the entry, and then clicking Delete.
AgentLowPort=65320
AgentHighPort=65321
com.solarwinds.lem.communication.agentLowPort=65322
com.solarwinds.lem.communication.agentHighPort=65323
Re-install Agent
1. Either download the Remote Agent Uninstaller to uninstall an agent,
or use Programs & Features in the Windows control panel.
Notes:
Contact Support.
If this article does not resolve the issue, open a ticket with SolarWinds Support for further assistance. Please be prepared with the following information:
• Agent installer
• LEM appliance
• LEM Console
• The most recent copy of spoplog.txt and the spop.conf file from the Agent installation folder.
2. If you are using an SSH client, log in to your LEM virtual appliance using your CMC credentials.
3. At the cmc> prompt, enter appliance.
4. At the cmc::acm prompt, enter dateconfig.
5. Press Enter through all of the prompts to view the current date and time settings on your LEM appliance.
6. By default, the LEM receives time synchronization from the VM host computer. Without this, the time on the LEM will be off and rules may not fire. You will need to disable the time sync on the VM host computer and enable the LEM to get its time from an NTP server:
a. At the cmc::acm prompt, enter ntpconfig.
b. Press Enter to start the configuration script.
c. Enter the IP addresses of your NTP servers separated by spaces.
d. Enter y to verify your entry.
7. Enter exit twice to leave the CMC interface.
Additional Information
For general instructions for working with LEM Rules, see Creating Rules from
your LEMConsole to Take Automated Action. For additional information about
the specific procedures discussed in this article, see the following related articles
according to your need.
Group 2
Group 3
Group 4
Group 5
Group 6
Devices
Cisco ASA
Cisco IOS
Cisco PIX
Cisco Catalyst (CatOS)
Cisco Wireless LANController (WLC)
Cisco Nexus
Cisco VPN
Dell PowerConnect
Contacting Support
If you are unable to resolve your issue using this article, open a ticket with
SolarWinds Support for further assistance. Please be prepared to provide the
following once you are in touch with a representative:
• A copy of the LEM Report, Tool Maintenance by Alias, for the last 24 hours, or the period during which the unmatched data was detected, exported in Crystal Reports format (rpt).
• For syslog devices: A sample of the logs currently being sent to LEM for the affected connector. See "To generate a syslog sample from the LEM appliance:" on page 687.
• For Windows connectors: A copy of the entire event log in .evtx format; specify English when requested for the language option.
• For database connectors (required): A sample of the event table containing the events not being read, along with details about those events.
• For database connectors (optional): If possible, the schema for the database.
To generate a syslog sample from the LEM appliance:
Note the complete file path and name, as it is required to use the active
response.
Configure the Append Text to File Active Response and Windows Active
Response connectors on each LEM agent on which you want to be able to use
this active response.
To configure the Append Text to File action in the rule:
1. Open your LEM console and log in to your LEMManager as an
administrator.
2. Create a new rule or edit an existing rule that triggers on a specific event.
3. Open the rule to edit, and select the actions in the left column.
4. Drag the Append Text to File action from the left to the Actions box under
the rule.
5. Open the Constants on the left, and then drag the Text field to the empty
box next to File Path under the Append Text to File action.
6. Using the same event stated in the Correlations, select the event from the
Events list on the left and drag the DetectionIP field from the Fields list to
the Agent under this action.
7. Fill in the directory structure in the File Path under this action, indicating the
name of the file.
8. The Text field under the Append Text to File action will contain the text that you are inserting into the file. If using plain text, drag the Text constant from the left to the empty box in the Text field.
9. Save the rule.
To configure the Append Text to File Active Response connector on a LEM
Agent:
1. Open your LEM Console and log in to your LEM Manager as an
administrator.
2. Click the Manage tab, and then select Nodes.
3. Locate the LEM agent on which you want to enable the connector.
4. Click the gear icon to the left of the LEM agent, and then select
Connectors.
5. Enter Append Text to File in the Search box at the top of the Refine
Results pane.
6. Click the gear icon next to the connector, and then select New.
7. Enter a custom Alias for the new connector, or accept the default.
8. Specify whether you want the connector to append data to a new line in the
How to append menu.
9. Specify a Maximum file size(MB) or accept the default.
10. Click Save.
11. Click the gear icon next to the new connector, denoted by an icon in the
Status column, and then select Start.
12. Click Close to exit the Connector Configuration window.
To configure the Windows Active Response connector on a LEM Agent:
1. Open your LEM Console and log in to your LEM Manager as an
administrator.
2. Click the Manage tab, and then select Nodes.
3. Locate the LEM agent on which you want to enable the connector.
4. Click the gear icon to the left of the LEM agent, and then select Connectors.
5. Enter Windows Active Response in the Search box at the top of the Refine
Results pane.
6. Click the gear icon next to the connector and then select New.
7. Enter a custom Alias for the new connector, or accept the default.
8. Click Save.
9. Click the gear icon next to the new connector, denoted by an icon in the
Status column, and then select Start.
10. Click Close to exit the Connector Configuration window.
Cisco PIX
Cisco ASA
Fortigate Firewalls
Juniper NetScreen
SonicWALL
Configure the Active Response tool for one of the firewalls listed above on your
LEM Manager.
To configure the Active Response connector for your firewall:
1. Open your LEM Console and log in to your LEM Manager as an
administrator.
2. Click the Manage tab, and then select Appliances.
3. Click the gear icon to the left of your LEM Manager, and then select
Connectors.
4. Select Firewalls from the Category list, and enter Active Response in the
Search box at the top of the Refine Results pane.
5. Click the gear icon next to the connector for your firewall, and then select
New.
6. Complete the Connector Configuration form according to your firewall's
specifications.
Note: Generally, all you will have to enter is your firewall address and
Additional Information
The Block IP active response creates a rule on your firewall to block the IP
addresses you specify. To allow an IP address through your firewall, delete or
modify the rule on your firewall as appropriate.
Disable Networking
Restart Machine
Shutdown Machine
Requirements
Configure the Windows Active Response connector on each LEM Agent on
which you want to be able to use these active responses.
To configure the Windows Active Response connector on a LEM Agent:
1. Open your LEM Console and log in to your LEM Manager as an
administrator.
2. Click the Manage tab, and then select Nodes.
3. Locate the LEM Agent on which you want to enable the connector.
4. Click the gear icon to the left of the LEM Agent, and then select
Connectors.
5. Enter Windows Active Response in the Search box at the top of the Refine
Results pane.
6. Click the gear icon next to the connector, and then select New.
7. Enter a custom Alias for the new connector, or accept the default.
8. Click Save.
9. Click the gear icon next to the new connector, denoted by an icon in the
Status column, and then select Start.
10. Click Close to exit the Connector Configuration window.
Create or clone rules to perform the action:
1. When creating or cloning a rule, locate the action in the lower left part of the
Rule Creation screen.
2. Drag the action under the rule Actions.
3. Fill in the appropriate fields.
Additional Information
Deploy your LEM Agents and configure the Windows Active Response
connector based on where you want to perform these actions. To perform actions
at the domain level, deploy a LEM Agent to at least one domain controller. To
perform actions at the local level, deploy a LEM Agent to each computer you want
to be able to respond to.
The icon in the USB column for your connected LEM Agents. A green
icon indicates USB Defender is installed.
If you have a long list of Nodes, filter your list using either the Node,
OS, or USB menu on the Refine Results pane. USB Defender can
only be installed on Windows Agents.
4. Click the gear icon to the left of the LEM Agent, and then select
Connectors.
5. Enter Windows Active Response in the Search box at the top of the Refine
Results pane.
6. Click the gear icon next to the connector, and then select New.
7. Enter a custom Alias for the new connector, or accept the default.
8. Click Save.
9. Click the gear icon next to the new connector, denoted by an icon in the
Status column, and then select Start.
10. Click Close to exit the Connector Configuration window.
Detach USB Devices
By default, USB devices are audited and the USB File Audit Activity filter displays those events. The filter is set to FileAuditAlerts.ProviderSID=*USB*
To monitor all USB device activity, create a filter for AnyAlert.ProviderSID=*USB*
USB devices are not detached by default, so a rule must be configured to perform the detach. There are several templates available under Build > Rules, Rule Templates that can be cloned and modified as needed.
Additional Information
You can also enforce USB Defender policy locally using the USB Defender Local
Policy Connector. For more information, see Configuring the USB Defender Local
Policy Connector.
3. If you are selecting Kill Process by ID, populate two fields under the rule
action:
a. Select the processAudit event from the category on the left, and drag
the DetectionIP field on the left to the Agent Action field.
b. Drag the Event field or Constant and drop into the Process ID field
under the rule action.
4. If you are selecting Kill Process by Name, populate three fields under the
rule action:
a. Select the processAudit event from the category on the left, and drag
the DetectionIP field on the left to the Agent Action field.
b. Drag the Event field or Constant and drop into the Process Name
field under the rule action.
c. Drag the Event field that displays the SourceAccount, and drop into
the Account Name field under the rule action.
5. Save the rule, and then click Activate Rules.
Additional Information
The Kill Process Active Response functions according to the value in the
ProcessID field of the corresponding LEM alert. Use Kill Process By ID when
the ProcessID value is a number, and use Kill Process By Name when the
ProcessID value is a name.
Note: When you create LEM rules that utilize these actions, consider using both
to account for variations in Windows logging.
The setup.* installer file for the operating system on which you are
installing the LEM Agent. The file extension for the installer differs by OS.
A custom installer.properties file that contains your environmental variables.
Note: The remote agent installer does not work for this procedure. If you are
installing the agent on a system running Windows, use the local installer.
For more information about the requirements for installing and running the
SolarWinds LEM Agent, see Using the SolarWinds LEM Remote Agent Installer.
To obtain the setup.* file for the LEM Agent installer:
1. Download the installer from the SolarWinds Customer Portal:
a. Browse to
http://www.solarwinds.com/customerportal/LicenseManagement.aspx.
b. Log in with your SWID if necessary.
c. Find LEM in the product list, and then click Choose Download.
d. Find the appropriate installer on the list.
Note: The remote agent installer does not work for this procedure. If
you are installing the agent on a system running Windows, use the
local installer.
2. Extract the contents of the installer ZIP file to a local or network location.
3. Copy setup.* to a known location.
2. Run the command setup -i silent from the directory that contains the two installer files (setup.* and installer.properties). The command immediately returns to the command prompt.
Notes:
The LEM Agent starts automatically and continues running until you uninstall or
manually stop it. It begins sending alerts to your LEM Manager immediately. For
LEM Agents on computers running Windows, the LEM Agent also appears in
Add/Remove Programs.
• If you are running the installer from Windows XP/2003 and are installing the agent on Windows XP/2003, it is not necessary to run as administrator.
• SolarWinds does not advise installing the agent on Windows 7/8/2008/2012 from a Windows XP/2003 computer.
• If you are installing version 6.1 or earlier versions of the agent on Windows 7/8 or 2008/2008 R2/2012, right-click the installer file and select Run as administrator.
• If you are installing version 6.1 or earlier versions of the agent on Windows 8.1 or 2012 R2, perform the following:
  a. Copy the local agent installer to the Windows computer hard drive.
time prohibitive.
Note: The text file used for this option can contain hostnames,
fully qualified domain names or IP addresses, each on their own
lines. If DNS names are used, the computer running the installer
must be able to resolve them.
10. Select the checkboxes next to the computers on which you want to install a
LEM Agent.
11. Click Next.
12. Confirm the list provided is correct and click Next again.
13. Specify the Windows destination for the remote installation.
• The default paths are provided for all supported Windows systems. We strongly recommend using the default paths, as the LEM Agent may not be recognized as a service by Windows if it is not installed in a system folder.
• The installer is set to automatically detect host operating systems by default, but you can also specify an operating system if all of the target hosts are running the same one.
Using Time of Day Sets to Pinpoint Specific Time Frames in Filters and Rules
When the agent starts, it communicates with the LEM on the unsecured port 37890 to obtain a certificate. After obtaining the certificate, it communicates with the LEM on secure port 37891 and/or port 37892.
If you encounter any issues with agent communications, SolarWinds suggests the following:
Description
6:30 AM to 12:00 PM and 1:00 PM to 4:30 PM, Monday through Friday
3:30 AM to 1:30 PM, 7 days a week
9:00 PM to 4:30 AM, 7 days a week

Name          Description
Late Shift    3:00 PM to 12:00 AM, 7 days a week
Normal Shift  7:30 AM to 5:30 PM, 7 days a week
Reboot Cycle  2:00 AM to 3:00 AM, Sunday only
To use a Time of Day Set in a filter or rule:
1. Locate the Alert or Alert Group you want to use in your filter or rule, and
then click it.
2. From the Fields list, locate DetectionTime and drag it into the conditions
area.
3. Click Time of Day Sets on the Components pane.
4. Locate the Time of Day Set you want to use and drag it into the conditions
area to replace the Text Constant field, which is denoted by a pencil icon.
5. If you want to see everything outside of the selected period, click the
operator between the field and your Time of Day Set in the conditions area.
The operator changes to Does Not Contain.
6. If you are finished creating or editing your filter or rule, click Save.
7. If you modified a rule, click Activate Rules on the main Rules view.
• If you want to see all traffic from your device, select Any Alert from the Event Groups list.
• If you want to see all network traffic from your device, select Network Audit Alerts from the Event Groups list.
• If you want to see only Web traffic from your device, select WebTrafficAudit from the Events list.
4. In the Fields list under where you just made your selection, locate
ToolAlias and drag it into the Conditions box.
5. In the text constant field, enter the Tool Alias related to the device you
want to track. Use asterisks (*) as wildcard characters to avoid having to
enter the entire value.
For example: The default Firewall filter uses similar logic. Its Conditions
read, Any Alert.ToolAlias = *firewall*. This assumes that the firewall
connector was configured with a ToolAlias that has firewall in the name.
6. Click Save.
7. If your filter doesn't work as expected, verify that the Tool Alias value
you used matches the Tool Alias for your device.
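The wildcard text constants used in filter conditions (Any Alert.ToolAlias = *firewall* above, FileAuditAlerts.ProviderSID = *USB* in the USB Defender section) and the Time of Day Sets from the earlier tables, including the Does Not Contain operator, evaluated over constructed sample events in an added Python example that is not SolarWinds code; the event structure (a "scopes" set per event), case-insensitive matching, and the name WEEKDAY_HOURS for the unnamed two-window set are assumptions.

```python
"""Evaluate LEM-style filter conditions against constructed sample events."""
from dataclasses import dataclass
from datetime import datetime, time
from fnmatch import fnmatchcase

WEEKDAYS = range(0, 5)   # Monday..Friday in datetime.weekday() numbering
ALL_DAYS = range(0, 7)

@dataclass(frozen=True)
class Window:
    """One 'start to end' span of a Time of Day Set, valid on the given days."""
    start: time
    end: time
    days: frozenset

    def contains(self, when):
        if when.weekday() not in self.days:
            return False
        t = when.time()
        if self.start < self.end:                # e.g. 6:30 AM to 12:00 PM
            return self.start <= t < self.end
        return t >= self.start or t < self.end   # wraps midnight, e.g. 9:00 PM to 4:30 AM

def tod_set(*windows):
    """Build a Time of Day Set from (start, end, days) tuples."""
    return frozenset(Window(s, e, frozenset(d)) for s, e, d in windows)

# The sets from the page's tables; 12:00 AM is written as time(0, 0).
LATE_SHIFT = tod_set((time(15, 0), time(0, 0), ALL_DAYS))
NORMAL_SHIFT = tod_set((time(7, 30), time(17, 30), ALL_DAYS))
REBOOT_CYCLE = tod_set((time(2, 0), time(3, 0), [6]))           # Sunday only
WEEKDAY_HOURS = tod_set((time(6, 30), time(12, 0), WEEKDAYS),    # assumed name for the
                        (time(13, 0), time(16, 30), WEEKDAYS))   # unnamed two-window set

def in_tod_set(tod, when):
    return any(w.contains(when) for w in tod)

@dataclass
class Condition:
    scope: str        # event group or event type: "AnyAlert", "FileAuditAlerts", ...
    field_name: str   # "ProviderSID", "ToolAlias", "DetectionTime", ...
    value: object     # wildcard text such as "*USB*", or a Time of Day Set
    negate: bool = False   # True models the "Does Not Contain" operator

    def matches(self, event):
        # "AnyAlert" applies to every event; any other scope must be listed on the event
        if self.scope != "AnyAlert" and self.scope not in event["scopes"]:
            return False
        if self.field_name not in event:
            return False
        actual = event[self.field_name]
        if isinstance(self.value, frozenset):
            hit = in_tod_set(self.value, actual)
        else:  # assumption: text constants compare case-insensitively, * is the only wildcard
            hit = fnmatchcase(actual.lower(), self.value.lower())
        return hit != self.negate

def filter_events(conditions, events):
    """Return the events satisfying every condition (the Conditions box ANDs them)."""
    return [e for e in events if all(c.matches(e) for c in conditions)]

# Constructed sample events, not real LEM output; "scopes" holds the event type and
# its event groups (an assumption about LEM's data model).
SAMPLE_EVENTS = [
    {"scopes": {"FileAuditAlert", "FileAuditAlerts"}, "ProviderSID": "USB\\VID_0781&PID_5567",
     "DetectionTime": datetime(2016, 3, 7, 8, 15)},      # Monday 08:15
    {"scopes": {"NetworkAuditAlert", "NetworkAuditAlerts"}, "ToolAlias": "Cisco ASA firewall",
     "DetectionTime": datetime(2016, 3, 12, 23, 30)},    # Saturday 23:30
    {"scopes": {"WebTrafficAudit", "NetworkAuditAlerts"}, "ToolAlias": "proxy-01",
     "DetectionTime": datetime(2016, 3, 13, 2, 30)},     # Sunday 02:30
    {"scopes": {"NetworkAuditAlert", "NetworkAuditAlerts"}, "ToolAlias": "core-switch",
     "DetectionTime": datetime(2016, 3, 7, 12, 30)},     # Monday 12:30 (lunch gap)
]
```

A condition whose scope is not AnyAlert silently excludes events outside that group, which is the usual reason a filter "doesn't work as expected"; check the scope before the Tool Alias value.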
You may also select Success and Failure for Audit process tracking to monitor
critical processes such as the AV service or unauthorized programs such as
games or malicious executable files.
Note: Enabling auditing at the level of Audit process tracking will significantly increase the number of events in the system logs. Therefore, your LEM database
Setting
System
  Security System Extension
  No Auditing
  System Integrity
  IPsec Driver
  No Auditing
  No Auditing
Logon/Logoff
  Logon
  Logoff
  Account Lockout
  No Auditing
  No Auditing
  No Auditing
  Special Logon
  No Auditing
Object Access
  File System
  Registry
  Kernel Object
  No Auditing
  SAM
  No Auditing
  Certification Services
  No Auditing
  Application Generated
  No Auditing
  Handle Manipulation
  No Auditing
  File Share
  No Auditing
  No Auditing
  No Auditing
  No Auditing
Privilege Use
  Sensitive Privilege Use
  Failure
  No Auditing
  No Auditing
Detailed Tracking
  Process Termination
  No Auditing
  DPAPI Activity
  No Auditing
  RPC Events
  No Auditing
  Process Creation
  No Auditing
Policy Change
  No Auditing
  No Auditing
Account Management
  User Account Management
DS Access
  Directory Service Changes
  No Auditing
  No Auditing
  No Auditing
  Failure
Account Logon
  Kerberos Service Ticket Operations
  Credential Validation