Copyright © 2015 SolarWinds Worldwide, LLC. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the written consent of SolarWinds. All right, title, and interest in and to the software and documentation are and shall remain the exclusive property of SolarWinds and its respective licensors. SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. The SOLARWINDS and SOLARWINDS & Design marks are the exclusive property of SolarWinds Worldwide, LLC and its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks, registered or pending registration in the United States or in other countries. All other trademarks mentioned herein are used for identification purposes only and may be or are trademarks or registered trademarks of their respective companies. 
LEM 6.2 9/1/2015

Table of Contents

Chapter 1: Introduction 1
How LEM Works 1
LEM Architecture 2
LEM Manager 3
Protocols and Communication Direction 4
What is New in LEM 6.2.0 4

Chapter 2: Requirements 6
Virtual appliance minimum resource requirements 6
Desktop and reports consoles software requirements 7
Web console software requirements 7

Chapter 3: Introduction to the Console 8
Opening Views in the Console 8
Working with Grids 9
Rearranging Grid Columns 9
Sorting a Grid by its Columns 10
Logging In and Out of Managers 11
Logging Into a Manager 11
Logging Out of a Manager 12
Logging Out of the LEM Console 12

Chapter 4: Basic LEM Procedures 13
Ops Center 13
Monitor 14
Explore 14
Collecting and displaying flow data 15
Build 17
Rules – Additional Details 17
Manage 17
Adding Devices 18
Agent Installation 19
Configuring Non-Agent Devices 20
Configuring Connectors for Agent and Non-Agent Devices 20
Troubleshooting 22
Additional Information 22
Creating Connector Profiles to manage LEM Agents: 23
Verifying Data 24
Which Do I Pick? 24
nDepth: A Fully Integrated IT Search Solution 25
Additional Information 25
LEM Reports: For Compliance and Historical Reporting Needs 26
Troubleshooting 27
Additional Information 28
Adding Filters 29
Which Do I Pick? 29
Use the Default Filters as Examples 29
Other Filter Scenarios 30
Example: Change Management 30
Troubleshooting 31
Additional Information 32
Adding Rules 32
Use Pre-configured Rules to Get Started 32
Example: Change Management 33
Other Rule Scenarios 34
Troubleshooting 35
Additional Information 36
Analyzing Data 36
Which Do I Pick? 37
nDepth: A Fully Integrated IT Search Solution 37
Additional Information – nDepth 38
LEM Reports: For Compliance and Historical Reporting Needs 38
Troubleshooting 40
Additional Information – LEM Reports 41

Chapter 5: Leveraging LEM 42
Monitoring Windows Domain Controllers for Brute Force Hacking Attempts 42
Configuring the SolarWinds LEM Agent 42
Creating a LEM Rule to Track Failed Login Attempts to Administrative Accounts 46
Monitoring Firewalls for Port Scans and Malformed Packets 48
Setting a Firewall to Log to a LEM Appliance 48
Configuring a Firewall Connector on a LEM Manager 49
Viewing Network Traffic from Specific Computers 50
Creating a LEM Rule to Notify of Potential Port Scanning Traffic 50
Monitoring Antivirus Software for Viruses that are Not Cleaned 52
Setting Antivirus Software to Log to a LEM Appliance 52
Configuring the Antivirus Connector on a LEM Manager 52
Creating a LEM Rule to Track When Viruses Are Not Cleaned 53
Monitoring Proxy Servers for Suspicious URL Access 54
Setting Proxy Server to Log to a SolarWinds LEM Virtual Appliance 54
Configuring a Proxy Server Connector on a SolarWinds LEM Manager 54
Monitoring Microsoft SQL Databases for Changes to Tables and Schema 56
Leveraging the Incidents Report in Security Audits 59

Chapter 6: Ops Center 60
Widgets 60
User Details 62
User: Details Widget 62
User: All Events Widget 62
Node Details 62
Node: Details Widget 62
Node: Connectors Applied Widget 63
Node: All Events Widget 63
Widget Manager 63
Widget Builder 64
Viewing specific widget data 68
Refreshing widget data 69
Opening a filter from a widget 69
Editing a widget’s chart presentation 70
Resizing a widget 72
Viewing a widget’s legend 72
Where to find widgets 73

Chapter 7: Monitor 74
Monitor View Features 74
Filters and Filter Groups 76
Standard LEM Filters 78
Filter Creation 80
Features of Filter Creation 81
Events 82
Applying a Filter to the Events Grid 83
Sorting the Events Grid 83
Highlighting Events 84
Copying Event Data to the Clipboard 85
Marking Events as Read and Unread 86
Removing Events 87
Using the Event Details/Event Description Pane 88
Event Severity Levels 90

Chapter 8: Explore 91
nDepth 91
nDepth's Visual Tools 92
nDepth's Primary Uses 92
Exploring Events vs. Log Messages 93
Opening nDepth 93
Opening nDepth From Another Data Source 94
Scheduled Saved Searches 96
nDepth's Search Bar 97
nDepth Explorer Toolbar 99
nDepth's History Pane 101
Using the nDepth Histogram 101
Histogram Features 102
Searching the Activity Associated with a Particular Histogram Bar 103
Moving the Search Period 104
Changing the Period's Start and End Time 105
Using Result Details 106
Interpreting Search Results in Events Mode 106
Interpreting Search Results in Log Messages Mode 107
Adding Search Strings from Result Details 108
Using Explorers with Result Details 110
Responding to Result Details 110
Exporting Result Details Data to a Spreadsheet 111
Common nDepth Data Fields 111
Common Data Fields Categories in Events Mode 112
Common Data Field Categories in Log Messages Mode 113
Using the Word Cloud 113
Opening the Word Cloud 114
Viewing Statistics in the Word Cloud 114
Filtering the Contents of the Word Cloud 114
Exploring Items in the Word Cloud 115
Using the Tree Map 116
Opening the Tree Map 116
Resizing Tree Map Categories 117
Exploring items in the Tree Map 117
Using nDepth widgets 117
Default nDepth Chart Widgets 118
nDepth Explorer and Widget Icons 118
Viewing a widget's details 119
Creating a search string from a widget item 120
Adding new nDepth Widgets 120
Editing nDepth Widgets 120
Adding a Chart Widget to the nDepth Dashboard 121
Adding a main nDepth view to the nDepth Dashboard 121
Using Search Builder 122
Opening Search Builder 123
Switching from the Search Bar to Search Builder 123
Search Builder features 124
Configuring a Search with Search Builder 127
Utilities 129
Explorer Types 130
NSLookup Explorer 132
Traceroute Explorer 132
Whois Explorer 133
Manually Exploring an Item 134

Chapter 9: Build 135
Groups 135
Group types 135
Groups View Features 137
Refining the Groups Grid 137
Rules 139
Rules View Features 139
Rules Grid Columns 139
Refine Results Form 140
Rule Categories and Tags 142
Rule Tagging 142
Users 143
Users View Features 143
Users Grid Columns 143
Refining the Users Grid 144
Viewing a User’s System Privileges 145

Chapter 10: Manage 146
Appliances View Features 147
Appliances Grid Columns 147
Details Pane 149
Configuring a Manager's Properties 150
The Login Tab 150
The License Tab 152
License Recycling 153
The Settings Tab 153
Configuring Event Distribution Policy 156
Practical Uses for Event Distribution Policy 156
Opening the Event Distribution Policy Window 156
About the Event Distribution Policy Window 157
Configuring Event Distribution Policy 158
Pushing event policy to lower-level event types 159
Exporting a Manager’s Event Policy 160
Improving performance with event filtering (Windows only) 161
Table of Alerts with Windows Security Auditing Provider SIDs 162
Adding and Editing Nodes 163
Nodes View Features 163
Nodes Grid Columns 164
Adding a Syslog Node 167
Scan for New Nodes 168
Adding Nodes Manually 169
Refining the Agents Grid 169

Chapter 11: Adding and controlling users and groups 171
Adding New Users 171
Editing User Settings 176
Deleting Users 176
Restricting LEM Reports 177

Chapter 12: Utilizing the Console 179
Creating filters for real-time monitoring 179
Creating conditions to filter event reporting 184
Creating a New Filter 187
Editing an Existing Filter 188
Cloning an Existing Filter 189
Pausing Filters 190
Resuming Paused Filters 190
Turning Filters On and Off 191
Copying a Filter 192
Importing a Filter 193
Exporting a Filter 193
Deleting a Filter 194
Managing Filter Groups 195
Adding a New Filter Group 195
Renaming a Filter Group 195
Rearranging Filter Groups 195
Moving a Filter From One Group to Another 196
Deleting a Filter Group 197
Responding to Events 197
Using the Respond Form’s Drag and Drop Functionality 198
Review events with the Event explorer 200
Opening the Event explorer 200
Event Explorer features 200
Exploring events 202
Using the Event Map 202
Reading an Event Map 203
Event Map Legend 204
Using the Event Grid 204
Viewing information in the event grid 205
Exploring From the Event Grid 205
Using the Event Details Pane 205
Opening and Closing the Event Details Pane 206
Viewing an Event’s Event Details 206
Exploring From the Event Details Pane 206
Performing nDepth Searches 208
Creating Search Conditions 210
Deleting Items From Search Strings 211
Creating Custom time frames 212
Saving a Search 213
Using a Saved Search 214
Making Changes to a Saved Search 214
Exporting nDepth Search Results to PDF 215
Exploring Search Results from Graphical Views 216
Taking Action on Event Details 216
Deleting a Saved Search 217
Creating Search Conditions 217
Deleting Items From Search Strings 219
Creating Custom time frames 220
Managing Connectors 221
Adding New Connector Instances 222
Starting a Connector Instance 224
Stopping a Connector Instance 225
Editing a Connector Instance 225
Deleting a Connector Instance 226
Creating Connector Profiles to Manage and Monitor LEM Agents 227
File Integrity Monitoring Connectors 228
Features of FIM 229
What can FIM detect? 229
Adding a FIM Connector 230
Monitors 231
Adding Custom Monitors 231
Editing Monitors 231
Promoting a Monitor to a Template 231
Deleting a Monitor 231
Adding Conditions 232
Editing Conditions 232
Deleting Conditions 233
FIM Connector Advanced Settings 233
Managing Widgets 235
Opening and Closing the Widget Manager 235
Creating New Master Widgets 235
Editing Master Widgets 236
Adding Widgets to the Dashboard 237
Deleting Master Widgets 238
Editing a Dashboard Widget 239
Deleting Dashboard Widgets 239

Chapter 13: Advanced Configurations 240
Setting up an Appliance 240
Adding Appliances to the Console 240
Copying Appliance Data 242
Removing an Appliance 242
Managing Connectors 243
Configuring Manager Connectors (general procedure) 243
Configuring Agent Connectors (general procedure) 243
Using Connector Profiles to Configure Multiple Agents 244
Configuring email active response connectors 245
Requirements 245
Configuring the email active response connector 245
Testing the Email Active Response Connector 246
Managing Groups 246
Adding a New Group 246
Editing a Group 247
Cloning a Group 247
Importing a Group 248
Exporting a Group 249
Deleting a Group 249
Configuring Event Groups 250
Event List Features 251
Configuring Directory Services Groups 253
How to Use Directory Services Groups 253
Synchronizing Directory Service Groups with LEM 253
Viewing a Directory Services Group Members 255
Directory Services Group Grid Columns 255
Deleting DS Groups 256
Configuring Email Templates 256
Step 1: Creating the Email Template 257
Step 2: Adding Message Parameters 258
Step 3: Creating the message 259
Managing email template folders 259
Configuring State Variables 259
Adding new State Variable fields 260
Editing State Variable fields 262
Deleting State Variable fields 262
Managing State Variable Folders 263
Configuring Time of Day Sets 263
Configuring a Time of Day Set 263
Selecting periods in the time grid 265
Configuring User-Defined Groups 265
Examples of User-Defined Groups 265
Configuring a User-Defined Group 266
Adding data elements to a User-Defined Group 267
Editing a data element in a User-Defined Group 268
Deleting a data element from a User-Defined Group 269
Configuring Connector Profiles 270
Connector Profile Rules 270
Creating a Connector Profile (general procedure) 271
Step 1: Selecting a template for the profile 271
Step 2: Selecting the Agents that are members of the profile 272
Editing a Connector Profile’s Connector Settings 274
Opening a Connector Profile’s Settings 274
Adding a New Connector Instance 275
Editing a Connector Profile’s Connector Settings 275
Managing Rules 276
Creating Rules 276
Rule Creation Features 277
Advanced Thresholds 278
Editing threshold fields 280
Deleting a threshold field 280
Using the Actions box 281
Using constants and fields to make actions flexible 281
Configuring a Rule’s Actions 281
Adding a New Rule 282
Rule Window Features 284
Correlations Box Features 287
Editing Rules 290
Subscribing to a rule 291
Enabling a rule 293
Placing rules in test mode 294
Activating rules 297
Disabling a rule 297
Cloning rules 299
Importing a rule 299
Exporting rules 300
Deleting Rules 301
Connector Configuration Features 302
Connectors Grid Columns 303
Connectors Grid Icons 304
Refining the Connectors Grid 305

Chapter 14: Reports 307
About Reports 308
Opening Reports 309
Using the Quick Access Toolbar 309
Default commands 310
Customizing the Quick Access Toolbar 310
Moving the Quick Access Toolbar 311
Minimizing the Ribbon 312
Configuring Report Preferences 313
Table of preferences 313
Selecting a (default) Primary Data Source 314
Configuring a syslog server 315
Configuring a Data Warehouse 317
Troubleshooting Database Connections 319
Managing report categories 321
Manage Categories form 321
Selecting reports for specific industries 322
Industry options 323
Creating a list of favorite reports 326
Removing a report from the Favorite Reports tab 327
Viewing Historical Reports 329
Working with report lists 329
Viewing lists of reports by category 329
Locating a report by title 330
Viewing a report’s properties 331
Creating a list of favorite reports 332
Custom report filters 333
Creating a custom report filter 333
Saving a custom report filter 334
Opening a saved custom report filter 335
Exporting a report 336
Reports features 337
Key features of the Reports window 338
Using the Menu Button 340
Grouping reports 341
Creating a report group 342
Viewing the reports within a group 343
Creating a sub-group 343
Managing reports 345
Editing a scheduled report task 345
Deleting a schedule from a task 346
Deleting a scheduled report task 346
Printing reports 347
Printing a report 347
Setting up printer preferences 348
Filtering report lists 349
Filtering a report list 350
Changing a filter setting 350
Turning off report filters 350
Running and Scheduling Reports 351
Running Reports on Demand 351
Report Errors 354
Scheduling Reports (process overview) 354
Step 1: Selecting the report you want to schedule 355
Step 2: Adding a new scheduled report task 356
Step 3: Scheduling the Report 358
Step 4: Selecting Advanced Scheduling Options 360
Step 5: Stating when the system can or cannot run the task 362
Step 6: Assigning the data source and scope 365
Step 7: Exporting a scheduled report 368
Searching reports for specific text 370
Viewing the text-based details of a report 370
Using the Search tool 370
Using the Select Expert tool 371
Running a query with the Select Expert tool 372
Restoring the original report 374
Sorting, filtering, and grouping report lists 374
Sorting the report list 374
Viewing reports 375
Opening your saved reports 375
Viewing the sections of a master report 376
Hiding and showing a master report’s sub-topic pane 377
Viewing the pages of a report 379
Magnifying and reducing report pages 380
Stopping a report in progress 381

Chapter 15: Setting up an nDepth Appliance 383
Using a separate nDepth appliance 383
Installing a Separate nDepth Appliance 383
Configuring Network Connectors for Use with nDepth 384
Alternate Storage Methods 384
Where to Find the Numbers 385
Disk Usage Summary 385
Log Storage Maintenance Report 386
Alternate Storage Methods 386

Chapter 16: Enabling Transport Layer Security 388
Enabling Standalone LEM Appliance 388
Setting up a Dedicated LEM User for Reports Accessing 389
Configuring Reports Application 390
Enabling TLS on a LEM Manager with a Dedicated Database Appliance 390
Enabling TLS on LEM Database 391
Importing Certificates into the Manager and Database 392

Chapter 17: Troubleshooting 394
Troubleshooting Disconnected or Missing LEM Agents 394
Troubleshooting Connected LEM Agents 395
Troubleshooting Network Devices Logging to LEM 396
Troubleshooting Devices Logging to a Log File on the Appliance 398
Contacting Support 398

Appendix A: Standard Widget Tables 399

Appendix B: Events 402
Event types 403
Asset Events 403
Audit Events 407
Incident Events 425
Internal Events 426
Security Events 431

Appendix C: Event Data Fields 482

Appendix D: Connector Categories 485

Appendix E: CMC Commands 513
Logging on to CMC 513
Using the CMC 'appliance' menu 515
Using the CMC 'manager' Menu 516
Using the CMC 'ndepth' menu 518
Using the CMC 'service' Menu 519
Upgrading LEM Connectors 522
Updating connectors using the LEM Console 522
Updating connectors using the CMC interface 522

Appendix F: Report Tables 524
Table of Audit reports 524
Table of Security reports 551
Table of Support Reports 581
Report schedule definitions 583

Appendix G: Connector Configuration Tables 584
Connector Categories 584
Configuring Sensors 590
Configuring Actors 593
Setting up a Notification System 596

Appendix H: Filter Configuration Tables 599
Comparing Values with Operators 601
Selecting a new operator 601
Operator tips 602
Table of operators 602
Examples of AND and OR conditions 603
Configuring event filter notifications 604
Selecting the notification method 604
Notifications table 605

Appendix I: Rule Configuration Tables 608

Appendix J: Additional Configuration and Troubleshooting Information 626
Auto-populating User-Defined Groups Using a LEM Rule 628
Additional Information 629
Configuring Default Batch Reports on Windows 7, 8 and Windows Server 2008, 2012 Computers 630
Choosing a Reports Computer 630
INI File Preparation 630
Scheduling the Reports to Run 631
Default Report Schedules 632
Daily Reports 633
Weekly Reports 633
Configuring LEM Reports on Computers without the LEM Console 634
Configuring Report Restrictions 635
Configuring the USB Defender Local Policy Connector 636
Configuring your LEM Appliance Log Message Storage and nDepth Search 638
Creating a Custom Filtered Report 640
Creating a Filter for a Specific Event Type 641
Creating Connector Profiles to Manage and Monitor LEM Agents 642
Creating Email Templates in the LEM Console 644
Creating Rules from your LEM Console to Take Automated Action 647
Creating Users in the LEM Console 650
Disabling Windows Filtering Platform Alerts Using Alert Distribution Policy 652
Table of Descriptions by Event ID 654
Do not modify the Output, nDepth Host, or nDepth Port fields when configuring LEM connectors unless your appliance is set up to store original log data 655
Enabling Windows File Auditing in Windows 656
Enabling LEM to Track Events 659
Filtering and Exporting LEM Reports 661
Getting Started with User-Defined Groups 663
Using Directory Service Groups to account for Windows users, groups, and computer accounts 665
Extended Description 665
Uses 666
Filters 666
Rules 666
Modifying Filters for Users with the Monitor Role 667
Output, nDepth Host, nDepth Port Fields 668
Report Formats and their Corresponding Numbers Listed in a LEM Scheduled Report INI File 669
Troubleshooting LEM Agent Connections 671
Troubleshooting LEM Rules and Email Responses 676
Additional Information 681
Troubleshooting Unmatched Data or Internal New Connector Data Alerts in the LEM Console 683
Troubleshooting Syslog Devices 683
Table of Conflicting Devices 685
Troubleshooting Agent Devices/Connectors 685
Contacting Support 686
Using the Append Text to File Active Response 688
Using the Block IP Active Response 691
Additional Information 692
Using the Computer-based Active Response 693
Using the Detach USB Device Active Response 695
Using the Disable Networking Active Response 697
Using the Kill Process Active Response 699
Using the SolarWinds LEM Local Agent Installer Non-interactively 701
Using the SolarWinds LEM Remote Agent Installer 704
Using Time of Day Sets to Pinpoint Specific Time Frames in Filters and Rules 708
Using the User-based Active Response 711
Viewing All Traffic from a Specific Device in the LEM Console 713
Windows Audit Policy and best practice 715
For Windows 7/8/2008/2012 (Sub-Category-Level Auditing): 717

Chapter 1: Introduction

SolarWinds Log & Event Manager (LEM) is a state-of-the-art virtual appliance that adds value to existing security products and increases efficiency in administering, managing and monitoring security policies and safeguards on your network. SolarWinds LEM is based on brand new concepts in security. You can think of it as an immune system for computers: a system that is distributed throughout your network to several “points of presence” that work together to protect and defend your network. SolarWinds LEM responds effectively with focus and speed to a wide variety of threats, attacks, and other vulnerabilities.
SolarWinds LEM collects, stores and normalizes log data from a variety of sources and displays that data in an easy-to-use desktop or web console for monitoring, searching, and active response. Data is also available for scheduled and ad hoc reporting from both the LEM Console and the standalone LEM Reports console.

Some common use cases for SolarWinds LEM include the following:

- Correlating network traffic from a variety of sources using filters and rules.
- Visualizing log data in dynamic graphs, charts and other widgets.
- Monitoring USB mass storage device activity on network Agents.
- Responding to countless threats, attacks and other vulnerabilities with easy-to-use point-and-click and automated active responses.
- Searching normalized log data for events of interest.
- Change Management and other security-related reporting for management and auditors.

How LEM Works

The SolarWinds LEM system is based on software modules called Agents, which collect and normalize log data in real time before it is processed by the virtual appliance, and on other non-Agent devices, which send their log data directly to the Manager for both normalization and processing.

Agents are installed on workstations, servers, and other network devices where possible. Agents communicate the log data from each device’s security products to the LEM virtual appliance. These security products include anti-virus software, network-based intrusion detection systems, and logs from operating systems. When an Agent cannot be installed on a device, that device can be set to send its log data to the LEM Manager for normalization and processing. Examples of devices that cannot host Agent software include firewalls, routers, and other networking devices.

LEM accepts both normalized data and raw data from a variety of devices. LEM Agent connectors normalize the data before sending it to the LEM Manager. Non-Agent devices send their log data in raw form to the LEM Manager.
The following diagram shows this flow of data and the ports involved.

Once normalized, log data is processed by the LEM Manager, which provides a secure management clearinghouse for normalized data. The Manager’s policy engine correlates data based on user-defined rules and local alert filters, and initiates the associated actions when applicable. These actions can include notifying users both locally in the Console and by email, blocking an IP address, shutting down or rebooting a workstation, and passing the alerts on to the LEM database for future analysis and reporting within the Reports application.

LEM Architecture

The LEM architecture is uniquely designed for gathering and correlating logs and events in real time at network speed, and for further defending the network using LEM’s Active Response Technology. The figure below illustrates the typical log sources and LEM software components. It also illustrates the direction in which communication is initiated and the network protocols used.

LEM Manager

The LEM Manager is the deployed Virtual Appliance. It consists of the following key components:

- Hardened Linux® OS
- Syslog Server and SNMP Trap Receiver
- High-compression, search-optimized database
- Web server
- Correlation engine

For network device log sources such as routers, firewalls, and switches, LEM relies on these devices sending Syslog messages to the Syslog server running on the LEM appliance.

For servers and applications, LEM largely relies on a LEM Agent installed on those servers. The LEM Agent has a negligible footprint on the server itself, and provides a number of benefits to ensure logs are not tampered with during collection or transmission while being extremely bandwidth friendly.

For workstations, the LEM Agent used on Windows® workstations is the same as the one used for Windows servers.
Other SolarWinds solutions like Network Performance Monitor (NPM), Server & Application Monitor (SAM) and Virtualization Manager (VMan) can send performance alerts as SNMP Traps to LEM. LEM can correlate these performance alerts with LEM events.

You can install the LEM Reports Console on any number of servers to schedule the execution of over 300 audit-proven reports. From a security standpoint, the command service > restrictreports can be used to limit the IPs that can run these reports.

Protocols and Communication Direction

Below is a summary of the protocols and communication direction.

- Network devices can send Syslog messages to the LEM Manager over TCP or UDP. The direction of this communication is from the network device to the LEM Manager.
- LEM Agents installed on servers and workstations initiate TCP connections to the LEM Manager, so the Agents push data to the LEM Manager.

What is New in LEM 6.2.0

- Threat intelligence feed
  o Automatically evaluate your traffic against a comprehensive, open-source database of malicious IP addresses
  o Get real-time and historical visibility of traffic from known bad actors using rules, filters, and search
- Automatic connector updates
  o Enable automatic connector updates through the LEM Console.
  o Ensure you always have the newest, most up-to-date connectors for all devices.
- Customer-requested improvements
  o LEM Virtual Appliance details from the LEM Console for effective resource allocation
  o NTLMv2 authentication support for backup and archive functionality
  o FileAudit Event report bug fixes and enhancements
  o New connectors for Kareio, Blue Coat, Proofpoint, GENE6, and more

Chapter 2: Requirements

Different sized installations may require greater or fewer resources. For detailed information on sizing and resource requirements, refer to the "Requirements" section of the Log & Event Manager Deployment Guide.
Before installing, always make sure your hardware and software meet the minimum requirements.

Virtual appliance minimum resource requirements

Virtualization platform: VMware vSphere Hypervisor ESX/ESXi 4.0 or later; Microsoft Hyper-V Server 2008 R2, 2012, and 2012 R2
CPU speed: 2 GHz
Memory: 8 GB
Hard drive space: 250 GB is advised for smaller deployments; 2.0 TB is advised for larger deployments.

Desktop and reports consoles software requirements

Operating system (desktop and reports consoles): Windows Vista; Windows 7; Windows 8; Windows 10; Windows Server 2008 and 2008 R2; Windows Server 2012 and 2012 R2
CPU speed: 1 GHz Pentium III or equivalent
Memory: 1 GB
Hard drive space: 5 GB
Environment variables: Ability to install all software with administrator rights
Desktop console: Adobe AIR 18

Web console software requirements

Adobe Flash: Flash Player 15
Supported browsers: Internet Explorer 8 and later (the web console does not run on Internet Explorer 10 on Windows Server 2012); Mozilla Firefox 10 and later; Google Chrome 17 and later

Chapter 3: Introduction to the Console

The LEM Console is organized into different functional areas, called views. These views organize and present different information about the components that make up the LEM system.

- In Ops Center, you'll find a dashboard view that presents visual representations of your data.
- In Monitor, you'll filter and view event details.
- In Explore, you'll find utilities for investigating events and their details.
- In Build, you'll create the critical components of LEM that run on a Manager to process data.
- In Manage, you'll manage properties associated with Agents and Managers, and configure data sources to integrate your network security data with LEM.
- Reports is a separate application.
Its reporting tools let you run or schedule reports about the data that is stored in your LEM database.

The following topics briefly explain the role of each view of the Console, the view’s primary uses, and where to get information on performing key tasks within that view. Topics are arranged here in an order that will help you understand the most fundamental items first, such as events, event filters, and widgets. They then progress to more advanced features, such as exploring events, and creating Groups and rules.

Opening Views in the Console

The Console is made up of multiple views, where each view has a special function.

To open a view:

- To open the Ops Center view (to work with widgets), click Ops Center.
- To open the Monitor view (to view, manage, and create filters), click Monitor.
- To open the Explore view (to work with explorers), click Explore.
- To open the Explore view (to search or view event data or log messages), click Explore and then select nDepth.
- To open the Explore view (to view additional utilities), click Explore and then select Utilities.
- To open the Groups view (to build and manage Groups), click Build and then select Groups.
- To open the Rules view (to build and manage policy rules), click Build and then select Rules.
- To open the Users view (to add and manage Console users), click Build and then select Users.
- To open the Appliances view (to add and manage appliances), click Manage and then select Appliances.
- To open the Nodes view (to add and manage Agents), click Manage and then select Nodes.

Working with Grids

Grids are used throughout the Console. The following topics explain how to perform common tasks with grids, such as selecting rows and grid cells, resizing grid columns, rearranging grid columns, and sorting a grid by its columns.

Rearranging Grid Columns

When needed, you can rearrange the order in which grid columns appear.
The columns will stay in their rearranged order until you exit the Console. Upon reopening the Console, the columns revert to their default order.

To rearrange grid columns: Click the header of the column you want to move; then drag it to the right or left and drop it into the desired position.

Sorting a Grid by its Columns

You can sort the data in a grid by clicking its column headers. You can sort each column in ascending (alphabetical) order, or in descending (reverse alphabetical) order. In many cases, you can sort a grid by more than one column by using the Ctrl+click method.

Note: Before sorting the Monitor view’s event grid, you must first click the grid’s Pause button to stop the incoming event traffic. When you are done, click Resume to continue receiving event traffic.

To sort a grid:

- Click one of the grid’s column headers to sort the grid by that column. If the column header shows an upward ▲ arrow, the column data is sorted in ascending order (alphabetically, or from lowest to highest: A to Z, 1 to 0). If the column header shows a downward ▼ arrow, the column data is sorted in descending order (reverse alphabetical, or from highest to lowest: Z to A, 0 to 1).
- Click the column header again to sort the grid by the same column, but in reverse order.

To sort a grid by multiple columns:

- Press and hold the Ctrl key; then click another column header. You can tell how the table is sorted by the small ▲ and ▼ arrows in the column headers, and by the small numbers (1 and 2) that appear next to them. An “up” ▲ arrow means the column is sorted in ascending order. A “down” ▼ arrow means it is sorted in descending order. The numbers state the column sort order: 1 is the first sort, 2 is the second sort, and so on.
- If a secondary column’s sort order is in the wrong direction, press the Ctrl key and click the column header again.
This will reverse the column’s sort order. By pressing Ctrl and then clicking the Name column, you can also sort the tool names in ascending or descending order. In the example shown here, the Name column was sorted in ascending order, so the specific tools would appear in alphabetical order within each tool category. Logging In and Out of Managers When first connecting to the web console, you are prompted to authenticate to the host manager. If you have additional managers associated with that console, log in to configure them or view their events. Logging out will disconnect you from additional managers in the web console. To disconnect from the host manager, close the browser window. Note: Only existing Administrator, Auditor, and Monitor Users can log on to the system. Contacts cannot log on to LEM. Logging Into a Manager 1. At the top of the LEM Console, click Manage and then click Appliances. 2. In the Appliances grid, click to select the appliance you want to work with. 3. Click the gear button and then select Login. Depending on the Manager’s Login tab settings (in the Properties pane), the LEM Console may automatically log you on to the appliance. Otherwise, the Login form appears. 4. In the Username box, type user name for this Manager. 5. In the Password box, type password for this Manager. 6. Click OK or press Enter to log on. A icon appears in the Manager’s Status column, indicating that you are logged on to that Manager. 11 Logging Out of a Manager Logging Out of a Manager 1. At the top of the Console, click Manage and then click Appliances. 2. In the Appliances grid, click the gear button for the Manager you want to log out of, and then select Logout. After a moment, a icon appears in the Manager’s Status column, indicating that you are no longer logged on to that Manager. Logging Out of the LEM Console Clicking the Logout button closes the Console window and disconnects the Console from any connected Managers. 
Logging out of the Console makes it disappear to the Managers, but the Managers continue to gather information from their Agents. However, when you reopen the Console, it does not display the Manager and Agent event traffic that occurred while it was closed. Instead, the event grid will be blank. It is recommended that you keep the Console running either on your workstation or on a secondary workstation to best monitor events on a daily basis.

Chapter 4: Basic LEM Procedures

Click the video icon to view the corresponding tutorial, which introduces LEM and its basic tasks.

Access your log and event data using the LEM web console or local desktop console. Both interfaces allow you to monitor your data in real time with filters, respond automatically to specific events with rules, and analyze events on your network with the nDepth search utility. Access all of these features and more on the navigation bar at the top of the LEM Console window.

Ops Center

Use the Ops Center tab as a real-time graphical overview of the events on your network. The Ops Center includes the following useful components:
- A customizable dashboard with several default charts and graphs, called widgets
- The Widget Manager to browse, edit, add, and pin widgets
- Informational widgets with links to videos, documents, and other resources

To add a widget to the Ops Center dashboard:
1. In the LEM Console, click the Ops Center tab.
2. Click Widget Manager in the upper-right corner.
3. Find and select a filter from the Categories list.
4. In the Widgets pane, scroll through the available widgets to put the widget you want in the main preview position.
5. Click Add to Dashboard in the upper-right corner.
6. To re-position the widgets on the dashboard, drag and drop them into a new position.

To create a new widget using Widget Manager:
1. In the LEM Console, select the Ops Center tab.
2. Click Widget Manager in the upper-left corner.
3. Click the plus button (+) at the top of the Categories list.
4. Complete the Widget Builder form.
5. To pin the new widget to the dashboard, select Save to Dashboard.
6. Click Save.

Monitor

Use the Monitor tab to view all of the monitored events on your network in real time. Monitor includes the following useful components:
- A real-time event stream to which you can apply event filters
- The Event Details pane, which displays the details for any event you highlight in the event stream
- A Widgets pane, which displays a graphical representation of the current filter, if available
- Several default filters to refine the data you see in the event stream
- A GUI filter editor, called Filter Creation, to create and edit event filters

To apply a filter to the Monitor event stream, select a default or custom filter from the Filters list. To view the Event Details for a specific event in the event stream, select the event in the event stream.

To change the widget the Widgets pane displays for a filter:
1. In the LEM Console, select the Monitor tab.
2. Select the filter you want to modify in the Filters pane.
3. Click the menu at the top of the Widgets pane, and then select the widget you want that filter to display.

Explore

Use the Explore tab menu to access several analysis utilities to get additional information about the events you see in the LEM Console. Use the nDepth option in the Explore menu to search and analyze the events on your network.
nDepth includes the following useful components:
- A variety of clickable charts and utilities to view and refine search results
- A comprehensive toolbar to switch between multiple utilities and views
- A Result Details utility to view all of your search results in text format
- A PDF export utility to configure and export custom reports

Use the Utilities option in the Explore menu to access several IT analysis utilities, including:
- Whois
- NSLookup
- Traceroute
- Flow (sFlow and NetFlow)

To execute a Whois, NSLookup, or Traceroute task from an event or search result in the LEM Console:
1. Find the event or search result you want to explore further, and then select it.
2. Click the Explore menu on the Event Grid or nDepth title bar (next to Respond), and then select the utility you want to use.

To execute a blank Whois, NSLookup, or Traceroute task in the LEM Console:
1. Click the Explore tab on the navigation bar, and then select Utilities.
2. Click the Explore button on the Utilities title bar, and select the utility you want to use.
3. Complete the form for the utility, and then click Search.

Collecting and displaying flow data

LEM supports flow exports from both NetFlow and sFlow devices. Use the Flow Explorer in the LEM Console to view graphs, charts, and grids, including the following:
- Top Talkers by IANA-based Protocol
- Top Talkers by Port
- Top Talkers by Source/Destination Address
- Top Talkers by Total Bytes
- Top Talkers by Total Packets

Refer to the manufacturer specifications to configure your devices to send Flow data to your LEM appliance. The LEM appliance accepts flow data on port 2100/UDP for NetFlow devices and port 6343/UDP for sFlow devices.

To enable flow collection and analysis on the LEM appliance:
1. Connect to your LEM virtual appliance using either the vSphere console view, or an SSH client like PuTTY.
2. If you are using an SSH client, log in to your LEM virtual appliance using your CMC credentials.
3. At the cmc> prompt, enter service.
4. At the cmc::scm# prompt, enter enableflow.
5. Enter y to confirm your entry. This command automatically restarts the Manager service on the LEM appliance.
6. To enable Flow analysis for Flow data collected on another computer, enter n and follow the prompts to specify the Flow collector. Otherwise, enter y.
7. Enter exit to return to the cmc> prompt.
8. Enter exit to log out of your LEM virtual appliance.

To view Flow data in the LEM Console:
1. Open your LEM Console and log in to the LEM Manager as an administrator.
2. Open the Monitor, Utilities, or nDepth view.
3. Click the Explore menu, and then select Flow. The Flow Explorer presents data in graph, chart, or grid formats.

Build

Use the Build tab menu options to customize LEM behavior. The Build menu consists of the following options:
- Groups: Create and manage lists of users, computers, and information.
- Rules: Create and manage rules that correlate events from different systems and instruct the LEM appliance to respond accordingly.
- Users: Create and manage LEM Console users.

For additional information about the Users and Groups options in the Build menu, see:
- Getting Started with User-Defined Groups
- Creating Users in the LEM Console

Rules – Additional Details

View custom and pre-configured rules in the Rules view under the Build menu. The Rules view consists of the following useful components:
- A GUI editor, just like Filter Creation
- A community rule set, organized by event-centric categories
- 35 active responses to assign to custom or pre-configured rules

Manage

Use the Manage tab menu to access details about your LEM architecture. The Manage menu consists of the following options:
- Appliances: Add LEM appliances to monitor in the LEM Console, view your LEM license details, and configure global settings.
- Nodes: View and manage LEM nodes, including remote logging devices and LEM Agents.

To set your LEM Console authentication preferences:
1. In the LEM Console, click the Manage tab, and then select Appliances.
2. Click the Login tab on the Properties pane.
3. To enable the LEM Console to authenticate to your LEM appliance upon launch, enter your LEM Username and Password.
4. To enable the LEM Console to ask you for your LEM password upon launch, enter your LEM Username only.
5. Select Login Automatically Next Time.
6. Select Save Credentials.
7. Click Save.

To set the global password policy for LEM users:
1. In the LEM Console, click the Manage tab, and then select Appliances.
2. Click the Settings tab on the Properties pane.
3. Adjust the Minimum Password Length according to your preference.
4. To require complex passwords for LEM users, select Must Meet Complexity Requirements.
   Note: Complex passwords must include any three of the following four character types:
   - Capital letters
   - Lower-case letters
   - Numerals (0-9)
   - Symbols (!, @, #, etc.)
5. Click Save.

Adding Devices

Click the video icon to view the corresponding tutorial.

Configure your IT devices to work with LEM using one of two options:
- Install the LEM Agent and connectors directly on the device
- Set the device to log to LEM and then configure the appropriate connectors directly on the LEM appliance

Install the LEM Agent on computers that allow third party software. SolarWinds provides LEM Agents for these operating systems:
- Microsoft Windows (local and remote installers)
- Linux
- Mac OS X
- Solaris on Intel
- Solaris on Sparc
- HPUX on PA
- HPUX on Itanium
- AIX

Configure other devices, such as firewalls, routers, or switches, to send logs directly to the LEM appliance using syslog or SNMP traps.

Agent Installation

The LEM Agent is a necessary component to monitor local events on the computers on your network. Install the LEM Agent on servers, domain controllers, and workstations.
The LEM Agent then captures log information from sources such as Windows Event Logs, a variety of database logs, and local antivirus logs. The LEM Agent also allows LEM to take the specific actions that you define with rules. You can also trigger actions manually from the LEM Console using the Respond menu.

Installing a LEM Agent:
1. Click the Add Nodes to Monitor link in the LEM Console Getting Started wizard, or visit the SolarWinds Customer Portal for a complete list of available downloads.
2. Download the appropriate installer, and then run it on the computer(s) you want to monitor.

Note: If you are deploying LEM Agents to Windows computers, you can use the Remote Agent Installer for a faster deployment.

View and manage installed LEM Agents in the Nodes view of the LEM Console. The LEM Agent for Windows includes several pre-configured connectors, so you immediately start to see data from these computers after you have installed the LEM Agent. By default, the LEM Agent for Windows includes the following pre-configured connectors:
- Windows Security Log (for the host OS version)
- Windows Active Response
- Windows Application Log
- Windows System Log

For other operating systems, or for broader coverage on your Windows computers, configure specific connectors to get exactly what you are looking for.

Configuring Non-Agent Devices

Non-Agent devices include any supported network or security device on which you cannot install a LEM Agent. Some common examples are firewalls, routers, and switches. To monitor these devices with LEM, configure each device to log to the LEM appliance using syslog or SNMP traps. Then, configure the appropriate connector on the LEM appliance using the LEM Console.

Configuring Connectors for Agent and Non-Agent Devices

The procedure for configuring connectors for Agent and non-Agent devices is generally the same. The major difference is where you find the configuration forms in the LEM Console. Complete the following procedure to configure connectors for all the devices you want to monitor with LEM.

To configure connectors in the LEM Console:
1. In the LEM Console, click the Manage tab, and then select Appliances (for non-Agent connectors) or Nodes (for Agent connectors).
2. Click the gear button next to the LEM Node or Manager you want to configure, and then select Connectors.
3. To view or modify the configured connectors, select Configured in the Refine Results pane.
4. To find the connectors you need, use the search box and filter menus on the Refine Results pane.
5. After you've identified the connector to be configured, click the gear button next to it, and then select New.
6. Complete the Connector Configuration form according to the device you're configuring. The following fields and descriptions are common to most connectors:
   - Alias: a "user friendly" label for your connectors
   - Log File: the location of the log file the connector will normalize; this is a location on either the local computer (Agents) or the LEM appliance (non-Agent devices)
   - Output, nDepth Port: values used specifically for LEM environments that are configured to store original log messages; for additional information, consult the resources at the end of this section
7. After completing the form, click Save.
8. In the Connectors list, click the gear icon next to the new connector (in the Status column), and then select Start.
9. After starting the connector, verify it is working by checking for events on the Monitor tab.

To configure FIM connectors in the LEM Console:
1. In the LEM Console, click the Manage tab, and then select Nodes.
2. Click the gear icon next to the LEM Node you want to configure, and then select Connectors.
3. To find the connectors you need, enter FIM in the Refine Results search box.
4. Click the gear icon next to the connector to be configured, and then select New.
5. In the Monitor Templates area, click the gear icon next to the desired Monitor Template and select Add to selected monitors. The Monitor template moves to the Selected Monitors area.
6. After completing the form, click Save.
7. In the Connectors list, click the gear icon next to the new connector (denoted by an icon in the Status column), and then select Start.
8. After starting the connector, verify that it is working by checking for events on the Monitor tab.

Troubleshooting

If you have configured a device to log to the LEM appliance, but you cannot determine the exact logging location, check the logging facilities on the LEM appliance to determine where your data is going.

To check the logging facilities on the LEM appliance:
1. Connect to your LEM appliance using the VMware console view, or an SSH client such as PuTTY.
2. To connect to your appliance through SSH, log in as the CMC user, and provide the appropriate password.
3. To connect to your appliance using VMware, select Advanced Configuration on the main console screen, and then press Enter to get to the command prompt.
4. At the cmc> prompt, enter appliance.
5. At the cmc::acm# prompt, enter checklogs.
6. Enter an item number to select a local facility to view.
7. Look for indications of specific devices logging to this facility, such as the product name, device name, or IP address.
8. After you have determined the facility your device is logging to, configure the connector with the corresponding Log File value.
For additional troubleshooting tips related to LEM Agents or remote logging devices, see:
- Troubleshooting LEM Agent Connections
- Troubleshooting Unmatched Data or Internal New Tool Data events in your LEM Console

Additional Information

For additional information about configuring devices to monitor with LEM, see "Leveraging LEM" on page 42.

For additional information about installing LEM Agents on a variety of operating systems, see the local and remote installations in Additional configuration and integration information.

For additional information about how to tune Windows logging for your LEM deployment, see the following:
- Windows Audit Policy and best practice
- How to enable file auditing in Windows

Creating Connector Profiles to manage LEM Agents

Create Connector Profiles to manage and monitor similar LEM Agents across your network. Two common use cases for creating Connector Profiles are:
- Configure and manage tools at the profile level to reduce the amount of work you have to do for large LEM Agent deployments.
- Create filters, rules, and searches using your Connector Profiles as Groups of LEM Agents. For example, create a filter to show you all Web traffic from computers in your Domain Controller Connector Profile.

Complete the two procedures below to create a Connector Profile using a single LEM Agent as its template.

To create a Connector Profile using a LEM Agent as a template:
1. Configure the tools on the LEM Agent to be used as the template for your new Connector Profile. These tools will be applied to any LEM Agents that are later added to the Connector Profile.
2. Click the Build menu, and then select Groups.
3. Click the + menu, and then select Connector Profile.
4. Name the new Connector Profile and enter a profile description.
5. Select the LEM Agent you want to use as your template from the Template list next to the Description field.
6. Click Save.

To add LEM Agents to your new Connector Profile:
1. Locate the new Connector Profile in the Build > Groups view.
2. Click the gear icon next to your Connector Profile, and then select Edit.
3. Move LEM Agents from the Available Agents list to the Connector Profile by clicking the arrow next to them.
4. Click Save to finish adding LEM Agents to your Connector Profile.

The connector configurations set for the template agent can now be applied to any agent added to the Connector Profile.

For a list of supported Agent and non-Agent devices, see this comprehensive list of data sources for all your Logs & Events.

For additional information about configuring LEM and your connectors to store original log messages, see the following:
- Configuring Your LEM Appliance for Log Message Storage and nDepth Search
- Do not modify the Output, nDepth Host, or nDepth Port fields when configuring LEM connectors unless your appliance is set up to store original log data

Verifying Data

Click the video icon to view the corresponding tutorial.

Now that LEM is collecting your log data, use nDepth and LEM Reports to search, analyze, and report on that data. In most cases, use the nDepth Explorer in the LEM Console to search and analyze your data. Use the stand-alone LEM Reports application to report on your data.

Which Do I Pick?

Use nDepth if you want to perform immediate search or analysis tasks, or create specific custom PDF reports.
Use nDepth to:
- Search your log data interactively
- Search for specific variables, such as user names, IP addresses, or specific events
- Perform root-cause analysis
- Troubleshoot specific issues
- Explore data and produce custom PDF reports

Use LEM Reports if you want to view or schedule fixed reports for regulatory and compliance purposes, or to:
- Automate reporting
- Produce compliance reports
- View reports based on specific regulatory compliance initiatives
- Provide proof to auditors that you are auditing log and event data
- Schedule formatted reports for LEM Reports to run and export automatically

nDepth: A Fully Integrated IT Search Solution

Open nDepth in the LEM Console in any of these three ways:
1. Select an event on the Monitor tab, click the Explore menu, and then select nDepth.
2. Select a filter in the Filters pane on the Monitor tab, click the gear icon at the top of the Filters pane, and then select Send to nDepth.
3. Click the Explore tab from anywhere in the LEM Console, and then select nDepth.

Consult nDepth for several analytical connectors that it summarizes on both its dashboard and toolbar. Use this view to:
- Search original log messages (AKA "raw logs") or normalized events
- View search results in several charts and graphs, and add values from these visuals directly to your search just by clicking them
- Refine the time frame of your searches using pre-defined or custom ranges
- View the text output of your search results using the Result Details connector on the nDepth toolbar
- Export your search results in CSV or fully-customizable PDF format
- Save searches for future use

Additional Information

For additional information about how to use nDepth to search and analyze your data in the LEM Console, consult the following resources.

For examples of how to execute nDepth searches, see the following:
- How to create an nDepth query for all activity by a single user
- Sending Filters to nDepth for Historical Search

For additional information about how to save nDepth searches for future use, see Save nDepth searches to quickly execute frequent queries.

For additional information about how to export nDepth search results in CSV or PDF format, see Export nDepth results in custom or text formats for retention and ad hoc reporting.

For additional information about configuring your LEM appliance to store and search original log data, see:
- Configuring Your LEM Appliance for Log Message Storage and nDepth Search
- Using your LEM Console to view and search original log messages

LEM Reports: For Compliance and Historical Reporting Needs

LEM Reports is a stand-alone application that you install separately from the LEM Console. Access LEM Reports using a shortcut, if available, or by navigating to the SolarWinds Log and Event Manager application group in your Windows Start menu. Use LEM Reports to:
- Run hundreds of pre-configured compliance and security reports
- Schedule reports for LEM Reports to run automatically
- Filter the reports list by industry or requirement
- Run Master, Detail, or Top level reports according to how much information you need
- Use Select Expert to filter your report data by specific values, such as computer name, IP address, or user name
- Export reports into several formats, including PDF, CSV, and RPT

To get started with LEM Reports, filter the reports listing by the industries or requirements relevant to your network. Then, the next time you open LEM Reports, access your custom list of reports by clicking Industry Reports on the main view.

To filter the reports list by industry or requirement:
1. Open LEM Reports.
2. On the Settings tab, click Manage, and then select Manage Categories.
3. Select your industries and requirements in the left pane. Mix and match as necessary. For example, if you are a school that accepts credit card payments, select Education, FERPA, and PCI.
4. Click OK.
5. To view the filtered list of reports, click the Category menu back on the Settings tab, and then select Industry Reports.

Select which reports to run based on their values in the Level column on the Settings tab:
- Master: Reports at this level contain all of the data for their category. For example, the master-level Authentication report contains all authentication-related data.
- Detail: Reports at this level contain information related to a specific type of event. For example, the Authentication – Failed Authentications detail-level report only contains data related to "Failed Authentication" events.
- Top: Reports at this level display the top number of occurrences for a specific type of event. Use the default top number, or Top N, of 10, or customize this when you run the report.

Troubleshooting

If you have installed LEM Reports, but are unable to open the application or run reports, complete the following procedures to troubleshoot the issue.

To troubleshoot application launch errors on computers running Windows Vista, Windows 7, and Windows Server 2008:
1. Uninstall LEM Reports and Crystal Reports v11 Runtime.
2. Reinstall both components as Administrator.
3. Adjust the LEM Reports properties to run the program in Windows XP compatibility mode and as an administrator:
   a. Right-click the LEM Reports shortcut on your desktop or in the SolarWinds Log and Event Manager program group in your Windows Start menu, and then select Properties.
   b. Click the Compatibility tab.
   c. Select Run this program in compatibility mode for, and then select Windows XP (Service Pack 3).
   d. Select Run this program as an administrator.
   e. Click OK.
4. Launch LEM Reports.

To address "Logon failed. Database Vendor Code 210" errors: Add the computer running LEM Reports to the list of authorized reporting computers. By default, the LEM appliance restricts all access to LEM Reports. To allow specific computers to run LEM Reports or remove all reporting restrictions, complete the procedures in Configuring Report Restrictions.

Additional Information

For additional information about how to run, schedule, and configure formatted compliance and security reports using LEM Reports, consult the following resources:
- See "Reports" on page 307
- See "Report Tables" on page 524

For information about installing LEM Reports on computers without the LEM Console, see Configuring LEM Reports on Computers without the LEM Console.

For information about how to schedule several best practice compliance and security reports, see:
- Configuring Default Batch Reports
- Report Formats and their Corresponding Numbers listed in a LEM scheduled report .ini file

For additional information about working with individual reports in LEM Reports, see:
- Filtering and Exporting LEM Reports
- Creating a Custom Filtered Report

Adding Filters

Click the video icon to view the corresponding tutorial.

Filters group and display events that your LEM Agents and remote logging devices send to LEM. They are based on events, which are the normalized version of these network events. For LEM, the terms "events" and "alerts" are interchangeable. View these events in real time on the Monitor tab in the LEM Console.

Which Do I Pick?

Create filters when you want to group a particular type of event. The following are just a few examples of what you might create a filter to catch:
- All events from your firewalls
- All events from your domain controllers
- All events for a specific type of user
- All events except for recurring, expected events

Create rules when you want LEM to take some kind of action in response to one or more events.
In many cases, you base rules on several events that LEM correlates to trigger an action, but you can also configure a rule to look for a single event. Rule actions include, but are not limited to:
- Sending an email
- Logging a user off
- Shutting down a computer
- Deleting an Active Directory group
- Blocking an IP address

Use the Default Filters as Examples

The LEM Console includes several pre-configured filters on the Monitor tab. Examine the conditions of these filters to get a sense of how broad or specific filters can be. The following are two examples of these extremes:
- All Events: This filter does not have any specific conditions, so it captures all events, regardless of the source or event type.
- User Logons: This filter has a single condition that means, "UserLogon Exists." It captures all events with the event type "UserLogon" and nothing else: not user log offs, not user logon failures.

To view the conditions of a default filter:
1. In the LEM Console, click the Monitor tab.
2. Select the filter you want to examine in the Filters pane.
3. Click the gear button at the top of the Filters pane, and then select Edit.
4. If you make any changes to the filter, click Save. Otherwise, click Cancel.

Other Filter Scenarios

Some scenarios may warrant a filter so you can monitor them more closely:
- Change management events: Monitor configuration changes made to your network.
- High volume events: Watch for spikes of traffic, or unexpected off-peak traffic.
- Events of general interest: Keep track of logon failures and failed authentications. Note: A failed authentication is an event triggered by three logon failures by the same account within an extremely short period of time.
- Rule scenarios: Determine whether you have the right events to create a rule for a specific scenario.
- Daily problems: Get a head start on operational problems like account lockouts by seeing the events in real time.
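The filter and rule semantics this section describes (a "UserLogon Exists" condition, an "Event Group Exists" condition, the *firewall* and *admin* wildcard matches used in the filter troubleshooting steps and in the Adding Rules example further on, and the failed-authentication correlation from the note above), as an added Python example; it is not SolarWinds code, and the event field names, the event group contents, the UserLogonFailure type name and the 60-second window are assumptions.

```python
"""Toy evaluator for the filter and rule conditions this guide describes
(added example, not SolarWinds code). Condition names follow the guide;
the event field names, the contents of the event group, the
UserLogonFailure type name and the 60-second window are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Assumed contents of the guide's "Change Management Events" event group:
# an Event Group is a named set of event types.
EVENT_GROUPS = {
    "Change Management Events": {"NewGroupMember", "UserCreated", "PolicyChange"},
}

def type_exists(event_type):
    """Filter condition '<EventType> Exists', e.g. 'UserLogon Exists'.
    It matches that event type only: not logon failures, not logoffs."""
    return lambda ev: ev["EventType"] == event_type

def group_exists(group_name):
    """Filter condition 'Event Group Exists': any event type in the group."""
    members = EVENT_GROUPS[group_name]
    return lambda ev: ev["EventType"] in members

def field_matches(field, pattern, event_type=None):
    """'<Field> Equals <pattern>' with * wildcards, e.g. the guide's
    ConnectorAlias *firewall* filter or NewGroupMember.EventInfo *admin*
    rule. Case-insensitive, so *admin* also catches 'Domain Admins'."""
    def check(ev):
        if event_type is not None and ev["EventType"] != event_type:
            return False
        return fnmatchcase(str(ev.get(field, "")).lower(), pattern.lower())
    return check

def apply_filter(condition, events):
    """Events a Monitor filter with this single condition would display."""
    return [ev for ev in events if condition(ev)]

class FailedAuthCorrelator:
    """Correlation from the guide's note: three logon failures by the same
    account within a short period count as one failed authentication."""

    def __init__(self, threshold=3, window=timedelta(seconds=60)):
        self.threshold = threshold
        self.window = window
        self._recent = defaultdict(deque)  # account -> failure timestamps

    def feed(self, ev):
        """Feed one event in time order; return the account when it fires."""
        if ev["EventType"] != "UserLogonFailure":
            return None
        acct, now = ev["DestinationAccount"], ev["DetectionTime"]
        hits = self._recent[acct]
        hits.append(now)
        while hits and now - hits[0] > self.window:
            hits.popleft()  # drop failures that fell out of the window
        if len(hits) >= self.threshold:
            hits.clear()  # one burst fires once
            return acct
        return None

def _ev(kind, seconds, alias="dc01 Security Log", **fields):
    """Build a constructed normalized event 'seconds' after 08:00."""
    return {"EventType": kind, "ConnectorAlias": alias,
            "DetectionTime": datetime(2015, 9, 1, 8) + timedelta(seconds=seconds),
            **fields}

# Constructed sample stream, in DetectionTime order.
SAMPLE_EVENTS = [
    _ev("UserLogon", 0, DestinationAccount="alice"),
    _ev("UserLogonFailure", 5, DestinationAccount="bob"),
    _ev("UserLogonFailure", 9, DestinationAccount="bob"),
    _ev("UserLogonFailure", 14, DestinationAccount="bob"),
    _ev("NewGroupMember", 20, DestinationAccount="bob",
        EventInfo="bob added to Domain Admins"),
    _ev("NewGroupMember", 25, DestinationAccount="carol",
        EventInfo="carol added to Sales"),
    _ev("TCPTrafficAudit", 30, alias="edge-firewall-01"),
    _ev("UserLogonFailure", 400, DestinationAccount="bob"),  # isolated failure
]

def demo(events=SAMPLE_EVENTS):
    """Run the guide's example filters and the correlation over the stream."""
    filters = {
        "user_logons": type_exists("UserLogon"),
        "change_management": group_exists("Change Management Events"),
        "firewall": field_matches("ConnectorAlias", "*firewall*"),
        "new_admin": field_matches("EventInfo", "*admin*", "NewGroupMember"),
    }
    result = {name: len(apply_filter(cond, events)) for name, cond in filters.items()}
    corr = FailedAuthCorrelator()
    result["failed_auth"] = [acct for acct in map(corr.feed, events) if acct]
    return result
```

Running demo() on the constructed stream shows why the User Logons filter excludes logon failures, and that the three failures for bob at 5, 9 and 14 seconds fire the correlation once while the isolated failure at 400 seconds does not.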
Example: Change Management Create a change management filter to monitor configuration changes users make to your network. Keep this filter general, as illustrated here, or refine it to show you only certain changes or changes made by certain users. To create a filter for all change management events: 30 Troubleshooting 1. In the LEM Console, click the Monitor tab. 2. Click the plus Filter. button at the top of the Filters pane, and then select New 3. Enter an appropriate name for the filter, such as Change Management Events. 4. Fill the filter's Conditions box with an appropriate event or event group. For this example, use an Event Group Exists condition to capture all events from a certain group: a. Click Event Groups on the left pane. b. Find the Change Management Events event group, and drag it into the Conditions box. 5. Click Save.The LEM Console takes you to the new filter on the Monitor tab. Examine the events here, and click an event to see more information in the Event Details pane. Troubleshooting If you have created a filter, but it is not capturing the expected events, check the All Events filter to ensure the events are making it to the LEM Console. To use the All Events filter to troubleshoot custom filters: 1. In the LEM Console, click the Monitor tab. 2. Click All Events in the Filters pane. 3. Locate an event you expected to see in your custom filter. If necessary, pause the filter and sort it by any of the column headers. 4. If you locate a related event, verify the field-value combinations in the event match the ones you used in your filter. For example, if your filter is looking for *firewall* in the ConnectorAlias field, ensure the Connector Alias field in your event contains the word firewall. 5. If you cannot locate a related event, verify one of your monitored devices is logging the event, and that the device is sending its events to LEM. 
For example, create another filter to show all events from the specific device using the ConnectorAlias or DetectionIP event field. 31 Chapter 4: Basic LEM Procedures Additional Information For a general procedure and video addressing how to create filters in the LEM Console, see Creating Filters for Real-time Monitoring in Your LEM Console. For additional information about how to create filters for specific events, devices, or time frames, see: l Quickly Creating a Filter for a Specific Event Type l Use Time of Day Sets to pinpoint specific time frames in filters and rules l Modifying Filters for 'Monitor' Users Adding Rules Click the video icon to view the corresponding tutorial. Rules correlate events that your LEM Agents and remote logging devices send to LEM, and assign automatic actions or responses to those events. These actions differentiate filters from rules: filters only display events, while rules instruct LEM to take action. Rule actions include, but are not limited to: l Sending an email l Logging a user off l Shutting down a computer l Deleting an Active Directory group l Blocking an IP address Use Pre-configured Rules to Get Started The LEM appliance includes hundreds of pre-configured rules. Use these rules to instruct LEM to respond to specific events on your network. To clone and enable a rule for use on your network: 1. In the LEM Console, click the Build tab, and then select Rules. 2. Use the Folders list or the Refine Results pane to browse, search, or filter for specific rules or scenarios. 3. After you find a rule you want to clone, click the gear and then select Clone. 32 button next to it, Example: Change Management 4. On the Clone Rule dialog, select a Custom Rules folder and rename the rule if you wish, and then click OK. 5. In the Rule Creation view, customize the rule further if necessary, select Enable at the top of the form, and then click Save. 6. 
Back in the main Rules view, click Activate Rules to sync your local changes with the LEM appliance.

Example: Change Management

Create a change management rule to notify you anytime a user makes any kind of change to your network configurations. Examples of such network changes include:
• Adding, changing, or deleting users in Active Directory
• Installing software on monitored computers
• Changing firewall policy

Create a general change management rule, similar to the filter illustrated in the previous section, to instruct LEM to notify you anytime any user makes a configuration change, or create a more specific rule to only fire for specific users, groups, or types of changes.

Note: An important rule of thumb is, "If you can see it in your LEM Console, you can build a rule for it." Remember to use your filters as a starting place as you consider creating custom rules.

To create a rule that sends you an email anytime someone adds a user to an administrative group:
1. In the LEM Console, click the Build tab, and then select Rules.
2. Click the plus button in the upper-right corner.
3. Enter an appropriate name for the rule, such as New Admin User.
4. Populate the rule's Correlations box with an appropriate event or event group. For this example, use a NewGroupMember.EventInfo Equals *admin* condition to fire anytime LEM gets a NewGroupMember event with the text admin anywhere in the EventInfo field:
   a. Click Events on the left pane.
   b. At the top of the Events list, enter NewGroupMember to search for that event, and then select it in the list.
   c. In the Fields: NewGroupMember list, find EventInfo, and then drag it into the Correlations box.
   d. In the text field (denoted by a pencil icon in the Correlations box), enter *admin* to account for all variations on the word "administrator."
5. Leave the Correlation Time box as-is so your rule fires anytime LEM captures this type of event.
6.
Add the Send Email Message action to the Actions box:
   a. Click Actions on the left pane.
   b. Find Send Email Message, and then drag it into the Actions box.
   c. Select a template from the Email Template menu.
   d. Select a LEM user from the Recipients menu.
   e. Drag and drop event fields or constants from the left pane into the Send Email Message form to complete the action.
   Note: Always use event fields for the event(s) present in the Correlations box. For example, use NewGroupMember.DetectionTime to populate the DetectionTime field in this example.
7. Select Enable at the top of the Rule Creation form, and then click Save.
8. To sync your local changes with the LEM appliance, click Activate Rules back in the main Rules view.

After you enable and activate this rule, the LEM appliance sends an email anytime someone adds a user to any group in Active Directory whose name contains the text "admin". Because the wildcard matches anywhere in EventInfo, the rule catches groups such as Domain Admins and Administrators, but it misses privileged built-in groups whose names do not contain that text (Account Operators and Backup Operators, for example); review your privileged group names before relying on it.

For more detailed information about how to create LEM rules to take action on your network, see Creating Rules from Your LEM Console to Take Automated Action.

Other Rule Scenarios

Countless scenarios may warrant a rule. Consider these combinations of rules and actions:
• Respond to other change management events with the Send Email Message action.
• Respond to port scanning events with the Block IP action.
• Respond to isolated spikes in network traffic with the Send Email Message or Disable Networking action.
• Respond to users playing games on monitored computers with the Send Popup Message or Kill Process action.
• Respond to users attaching unauthorized USB devices to monitored computers using the Detach USB Device action.

Basically, any activity or event that can pose a threat to your network might warrant a LEM rule. Because active responses such as Block IP, Disable Networking, and Kill Process run without anyone reviewing them, scope the correlation tightly (for example, exclude your own vulnerability scanners from a port-scan rule) and confirm the rule fires only when expected before you add a destructive action.

Troubleshooting

If you have created a rule, but you are not getting the expected results, verify the following to track down the root cause:
1. Check for the requisite events on the Monitor tab.
For example, if your rule is based on the NewGroupMember event, see if you can find one in the All Events or default Change Management filter.
2. If you do not see the requisite events, troubleshoot your devices and connectors to get the events into LEM. Otherwise, continue troubleshooting here.
3. Check for an InternalRuleFired event in the SolarWinds Events filter.
4. If you do not see an InternalRuleFired event for your rule, check the following to continue troubleshooting. Otherwise, skip to Step 5.
   • Is your rule enabled?
   • Did you modify the Correlation Time or Response Window in your rule?
   • Did you click Activate Rules after saving your rule?
   • Is the time on your device more than 5 minutes off from the time on your LEM appliance?
5. If you see an InternalRuleFired event for your rule, but LEM does not respond as expected, check the following, according to the action you configured:
   • Send Email Message: Verify you have configured and started the Email Active Response connector on the LEM appliance.
   • Send Email Message: Verify you have associated an email address with the LEM user you selected as your email recipient.
   • Agent-based Actions: Verify you have installed the LEM Agent on the computer you want LEM to respond to.
   • Block IP: Verify you have configured the active response connector for the firewall you want to use to take this action. The active response connector is separate from the data gathering connector.

For more detailed information about how to troubleshoot LEM rules and active responses, see Troubleshooting LEM Rules and Email Responses.

Additional Information

For a general procedure and video addressing how to create and clone rules in the LEM Console, see Creating Rules from Your LEM Console to Take Automated Action. For additional information about the active responses available for LEM rules, see:
• How does the Block IP active response work?
• How does the Detach USB Device active response work?
• How does the Append Text To File active response work?
• How do the computer-based active responses work?
• How do the user-based active responses work?
• How do the Kill Process active responses work?
• How does the Disable Networking active response work?

Analyzing Data

Now that LEM is collecting your log data, use nDepth and LEM Reports to search, analyze, and report on that data. In most cases, use the nDepth Explorer in the LEM Console to search and analyze your data. Use the stand-alone LEM Reports application to report on your data.

Which Do I Pick?

Use nDepth if you want to perform immediate search or analysis tasks, or create specific custom PDF reports. Use nDepth to:
• Search your log data interactively
• Search for specific variables, such as user names, IP addresses, or specific events
• Perform root-cause analysis
• Troubleshoot specific issues
• Explore data and produce custom PDF reports

Use LEM Reports if you want to view or schedule fixed reports for regulatory and compliance purposes. Use LEM Reports to:
• Automate reporting
• Produce compliance reports
• View reports based on specific regulatory compliance initiatives
• Provide proof to auditors that you are auditing log and event data
• Schedule formatted reports for LEM Reports to run and export automatically

nDepth: A Fully Integrated IT Search Solution

Open nDepth in the LEM Console in any of these three ways:
1. Select an event on the Monitor tab, click the Explore menu, and then select nDepth.
2. Select a filter in the Filters pane on the Monitor tab, click the gear button at the top of the Filters pane, and then select Send to nDepth.
3. Click the Explore tab from anywhere in the LEM Console, and then select nDepth.

Consult the nDepth dashboard and toolbar for information on several analytical connectors.
Use this view to:
• Search original log messages (also called "raw logs") or normalized events
• View search results in several charts and graphs, and add values from these visuals directly to your search just by clicking them
• Refine the time frame of your searches using pre-defined or custom ranges
• View the text output of your search results using the Result Details connector on the nDepth toolbar
• Export your search results in CSV or fully customizable PDF format
• Save searches for future use

Additional Information – nDepth

For examples of how to execute nDepth searches, see:
• How to create an nDepth query for all activity by a single user
• Sending Filters to nDepth for Historical Search

For additional information about how to save nDepth searches for future use, see Save nDepth searches to quickly execute frequent queries.

For additional information about how to export nDepth search results in CSV or PDF format, see "Export nDepth results in custom or text formats for retention and ad hoc reporting."

For additional information about configuring your LEM appliance to store and search original log data, see:
• "Configuring Your LEM Appliance for Log Message Storage and nDepth Search"
• "Using your LEM Console to view and search original log messages"
• "Do not modify the Output, nDepth Host, or nDepth Port fields when configuring LEM connectors unless your appliance is set up to store original log data"

LEM Reports: For Compliance and Historical Reporting Needs

LEM Reports is a stand-alone application that you install separately from the LEM Console. Access LEM Reports using a shortcut, if available, or by navigating to the SolarWinds Log and Event Manager program group in your Windows Start menu.
Use LEM Reports to:
• Run hundreds of pre-configured compliance and security reports
• Schedule reports for LEM Reports to run automatically
• Filter the reports list by industry or requirement
• Run Master, Detail, or Top level reports according to how much information you need
• Use Select Expert to filter your report data by specific values, such as computer name, IP address, or user name
• Export reports into several formats, including PDF, CSV, and RPT

To get started with LEM Reports, filter the reports listing by the industries or requirements relevant to your network. Then, the next time you open LEM Reports, access your custom list of reports by clicking Industry Reports on the main view.

To filter the reports list by industry or requirement:
1. Open LEM Reports.
2. On the Settings tab, click Manage, and then select Manage Categories.
3. Select your industries and requirements in the left pane. Mix and match as necessary. For example, if you are a school that accepts credit card payments, select Education, FERPA, and PCI.
4. Click OK.
5. To view the filtered list of reports, click the Category menu back on the Settings tab, and then select Industry Reports.

Select which reports to run based on their values in the Level column on the Settings tab:
• Master: Reports at this level contain all of the data for their category. For example, the master-level Authentication report contains all authentication-related data.
• Detail: Reports at this level contain information related to a specific type of event. For example, the Authentication – Failed Authentications detail-level report only contains data related to "Failed Authentication" events.
• Top: Reports at this level display the top number of occurrences for a specific type of event. Use the default top number, or Top N, of 10, or customize this when you run the report.
Troubleshooting

If you have installed LEM Reports, but are unable to open the application or run reports, complete the following procedures to troubleshoot.

To troubleshoot application launch errors on computers running Windows Vista, Windows 7, and Windows Server 2008:
1. Uninstall LEM Reports and Crystal Reports v11 Runtime.
2. Reinstall both components as Administrator.
3. Adjust the LEM Reports properties to run the program in Windows XP compatibility mode and as an administrator:
   a. Right-click the LEM Reports shortcut on your desktop or in the SolarWinds Log and Event Manager program group in your Windows Start menu, and then select Properties.
   b. Click the Compatibility tab.
   c. Select Run this program in compatibility mode for, and then select Windows XP (Service Pack 3).
   d. Select Run this program as an administrator.
   e. Click OK.
4. Launch LEM Reports.

To address "Logon failed. Database Vendor Code 210" errors:

Add the computer running LEM Reports to the list of authorized reporting computers. By default, the LEM appliance restricts all access to LEM Reports. To allow specific computers to run LEM Reports or remove all reporting restrictions, complete the procedures described in Configuring Report Restrictions. Prefer authorizing the specific reporting workstations over removing the restriction entirely, because the reports expose the audit data the appliance holds.

Additional Information – LEM Reports

For additional information about how to run, schedule, and configure formatted compliance and security reports using LEM Reports, consult the following resources.
• See "Reports" on page 307
• See "Report Tables" on page 524

For information about installing LEM Reports on computers without the LEM Console, see Configuring LEM Reports on Computers Without the LEM Console.
For information about scheduling several best practice compliance and security reports, see:
• Configuring Default Batch Reports on Vista/7/2008 Computers
• Report Formats and their corresponding numbers listed in a LEM scheduled report ini file

For additional information about working with individual reports in LEM Reports, see:
• Filtering and Exporting LEM Reports
• Creating a Custom Filtered Report

Chapter 5: Leveraging LEM

This chapter provides a series of use cases to get you started with SolarWinds LEM. Use these scenarios to ensure you have the most basic coverage in your environment, though the third-party products you use or other variables in your network might be different than the ones provided in these examples.

Monitoring Windows Domain Controllers for Brute Force Hacking Attempts

Monitor the Windows domain controllers to track failed logon attempts to administrative accounts, which can be indicative of "brute force" or other hacking attempts. Also, gain visibility into account lockout, user and group modification, and other change management events across your network.

Install a LEM Agent on all domain controllers to ensure the LEM Manager captures all of your domain events. The Security log is not replicated between domain controllers: a logon failure or group change is recorded only on the domain controller that handled it, so a domain controller without an Agent is a blind spot. View the events in the default Change Management filter in your LEM Console, and create custom filters to show all activity on these critical servers.

Configuring the SolarWinds LEM Agent

Install a LEM Agent and configure the appropriate connectors to monitor domain events on your network along with local events on the servers themselves. Use the procedures below to configure a SolarWinds LEM Agent on a single Windows domain controller.
The following table provides the installation requirements for the LEM Agent:

Software/Hardware       Requirements
Operating System        AIX, Linux, Solaris, Windows Vista, Windows 7, Windows 8, Windows Server 2000, Windows Server 2003, Windows Server 2008
CPU Speed               450 MHz Pentium III or equivalent
Memory                  512 MB RAM
Hard Drive Space        1 GB
Environment Variables   The ability to install all software with administrator rights

Installing a LEM Agent on a single Windows domain controller:
1. Download the SolarWinds LEM Agent installer for Windows.
   a. If you are a licensed LEM customer, download the installer from the SolarWinds customer portal.
   b. If you are an evaluation LEM customer, see .
2. Extract the contents of the installer ZIP file to a local or network location.
3. Run Setup.exe.
4. Click Next to start the installation wizard.
5. Accept the End User License Agreement and click Next.
6. Enter the hostname of your LEM Manager in the Manager Name field and click Next. Do not change the default port values.
7. Confirm the Manager Communication settings and click Next.
8. Specify whether to install USB-Defender with the LEM Agent and click Next. The installer includes USB-Defender by default. To omit this from the installation, clear the Install USB-Defender checkbox.
   Note: Install USB-Defender on every system. USB-Defender never detaches a USB device unless you have explicitly enabled a rule to do so. By default, USB-Defender simply generates events related to USB mass storage devices attached to your LEM Agents.
9. Confirm the settings on the Pre-Installation Summary and click Install.
10. Once the installer finishes, click Next to start the LEM Agent service.
11. Inspect the Agent Log for any errors and click Next.
12. Click Done to exit the installer.

The SolarWinds LEM Agent continues running on your computer until you uninstall or manually stop it.
It begins sending events to your SolarWinds LEM Manager immediately.

Configuring additional connectors on your SolarWinds LEM Agent:
1. Open your SolarWinds LEM Console and log into your SolarWinds LEM Manager as an administrator.
2. Click the Manage tab, and then click Nodes.
3. Locate the LEM Agent in the list. Use the Refine Results pane on the left if necessary.
4. Click the gear button next to the LEM Agent (left), and then click Connectors.
5. Locate the connector you want to configure in the list. Use the Refine Results pane on the left if necessary.
6. Click the gear button next to the connector (left), and then click New.
7. Modify the connector if necessary and then click Save.
8. Click the gear button next to the new instance of the connector, indicated by an icon in the Status column, and then click Start.
9. Click Close to close the Connector Configuration window.
10. Configure the following additional connectors on your Windows domain controllers, as applicable:
   • Windows Directory Service Log
   • Windows DNS Server Log
   • Windows DHCP Server version

Using Connector Profiles to Maintain and Monitor Multiple Domain Controller Agents

Use Connector Profiles to maintain and monitor multiple domain controllers in the LEM Console. Connector Profiles allow you to configure and modify connector settings at the profile level, and they also provide a group by which you can filter the event traffic coming into your SolarWinds LEM Console from your SolarWinds LEM Agents. Use the procedures below to create a Connector Profile based on a single SolarWinds LEM Agent and a corresponding filter to monitor activity on the computers in that profile.

Note: Microsoft changed the way Windows computers log security events with their latest operating system releases.
For that reason, SolarWinds LEM Agents on computers running Windows Server 2008, Windows Vista, or Windows 7 require different connectors than those Agents on computers running older operating systems. If you are running both old and new versions of these Windows operating systems in your environment, create a Connector Profile for each operating system.

Creating a Connector Profile based on a single SolarWinds LEM Agent:
1. Install the SolarWinds LEM Agent software on all of the computers you want to end up in your new Connector Profile.
2. Configure a single SolarWinds LEM Agent to serve as the template for your Connector Profile.
3. In the LEM Console, select the Build tab, and then click Groups.
4. Click the plus button in the upper right, and then click Connector Profile.
5. Enter a Name and Description for the Connector Profile.
6. Select the recently configured SolarWinds LEM Agent from the Template list.
7. Click Save.
8. Locate your new Connector Profile in the Groups list. Use the Refine Results pane on the left if necessary.
9. Click the gear button next to your Connector Profile (left), and then click Edit.
10. Locate the SolarWinds LEM Agents you want to add to your Connector Profile in the Available Agents pane, and click the arrow next to them to add them to the Contained Agents pane.
11. If you are finished adding SolarWinds LEM Agents to your Connector Profile, click Save.

Creating a filter for all activity from the computers in a Connector Profile:
1. Open the SolarWinds LEM Console and log into the SolarWinds LEM Manager as an administrator or auditor.
2. Click Monitor.
3. Click the plus button on the Filters pane (left), and then click New Filter.
4. Enter a Name and Description for the filter.
5. Click Event Groups on the components list (left).
6. Click Any Event.
7. In the Fields: Any Event list below, click and drag DetectionIP into the Conditions box (right).
8.
Click Connector Profiles on the components list (left).
9. Click and drag your Connector Profile into the Conditions box (right), replacing the Text Constant field, which is denoted by a pencil icon.
10. Click Save.

Creating a LEM Rule to Track Failed Login Attempts to Administrative Accounts

Clone and enable the Critical Account Logon Failures rule to track failed login attempts to the default Administrator account in Windows. The default action for this rule is to generate a HostIncident event, which you can use in conjunction with the Incidents report to prove to auditors that you are auditing the critical events on your network. If you have renamed the built-in Administrator account, or have other privileged accounts, adjust the cloned rule's correlation so that it covers those accounts as well.

Cloning and enabling the Critical Account Logon Failures rule:
1. Open the SolarWinds LEM Console and log into the SolarWinds LEM Manager as an administrator.
2. Click the Build tab, and then click Rules.
3. Enter Critical Account Logon Failures in the search box at the top of the Refine Results pane.
4. Click the gear button next to the rule (left), and then click Clone.
5. Select the folder where you want to save the cloned rule, and then click OK.
6. Select Enable at the top of the Rule Creation window, next to the Description field.
7. Click Save.
8. Back on the main Rules screen, click Activate Rules.

Tuning Windows Logging for LEM Implementation

After you have installed and configured your SolarWinds LEM Agents, optimize your SolarWinds LEM deployment by tuning Windows to log the specific events you want to see in your SolarWinds LEM Console and store in your SolarWinds LEM database. Use the recommendations below to get started with this tuning process.

Note: Set group and local policies according to the needs of your environment. We provide recommendations to illustrate common, but not universal, use cases. For additional information about tuning Windows logging, see the Microsoft TechNet knowledge base.
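Before changing anything, capture what each domain controller currently audits and compare it with the Default Domain Controller Policy recommendations in the tables that follow. The script below is an added example, not SolarWinds code: it parses the output of auditpol /get /category:* (the Windows tool that shows the effective audit policy), maps the nine legacy "Audit ..." policies in the tables onto auditpol's category names using Microsoft's documented mapping, lists every subcategory that falls short of the recommendation, and prints the auditpol commands that would close each gap. The auditpol output embedded in it is constructed so that the script runs offline; on a real domain controller use live_policy() from an elevated prompt instead.

```python
"""Audit-policy drift check for a domain controller (added example, not SolarWinds
code). Compares what a DC actually audits with the Default Domain Controller
Policy recommendations in this guide and emits the auditpol commands that close
each gap. SAMPLE_OUTPUT is a constructed imitation of `auditpol /get /category:*`
output so the script runs offline."""
import re
import subprocess
from collections import defaultdict

# Guide's recommended DC policy as (Success, Failure), keyed by the auditpol
# category that each legacy "Audit ..." policy maps to (Microsoft's mapping).
# "Audit object access" is omitted: the guide requires it only for file auditing.
RECOMMENDED_DC = {
    "Account Logon":      (True, True),   # Audit account logon events
    "Account Management": (True, True),   # Audit account management
    "DS Access":          (True, True),   # Audit directory service access
    "Logon/Logoff":       (True, True),   # Audit logon events
    "Policy Change":      (True, True),   # Audit policy change
    "Privilege Use":      (True, True),   # Audit privilege use
    "Detailed Tracking":  (True, True),   # Audit process tracking
    "System":             (True, True),   # Audit system events
}

# Constructed sample in the layout auditpol /get /category:* prints.
SAMPLE_OUTPUT = """\
System audit policy
Category/Subcategory                      Setting
System
  Security State Change                   Success and Failure
Logon/Logoff
  Logon                                   Success and Failure
  Account Lockout                         Success
Object Access
  File System                             No Auditing
Privilege Use
  Sensitive Privilege Use                 Success and Failure
Detailed Tracking
  Process Creation                        Success and Failure
Policy Change
  Audit Policy Change                     Success and Failure
Account Management
  User Account Management                 Success and Failure
  Security Group Management               No Auditing
DS Access
  Directory Service Access                Success and Failure
Account Logon
  Credential Validation                   Success
"""

def parse_auditpol(text):
    """{category: {subcategory: (success_on, failure_on)}} from auditpol /get output."""
    policy = defaultdict(dict)
    category = None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("System audit policy", "Category/Subcategory")):
            continue
        if not line.startswith(" "):            # unindented line names a category
            category = line.strip()
            continue
        name, setting = re.match(r"\s+(.+?)\s{2,}(\S.*)$", line).groups()
        policy[category][name] = ("Success" in setting, "Failure" in setting)
    return dict(policy)

def find_gaps(policy, recommended=RECOMMENDED_DC):
    """Every (category, subcategory, problem) where auditing is below the recommendation."""
    gaps = []
    for category, (want_success, want_failure) in recommended.items():
        subs = policy.get(category)
        if not subs:
            gaps.append((category, "*", "category missing from auditpol output"))
            continue
        for sub, (has_success, has_failure) in subs.items():
            missing = [name for name, want, has in (("Success", want_success, has_success),
                                                    ("Failure", want_failure, has_failure))
                       if want and not has]
            if missing:
                gaps.append((category, sub, "+".join(missing) + " not audited"))
    return gaps

def remediation(gaps):
    """auditpol commands that raise each flagged subcategory (or whole category) to Success+Failure."""
    return [f'auditpol /set /{"category" if sub == "*" else "subcategory"}:'
            f'"{category if sub == "*" else sub}" /success:enable /failure:enable'
            for category, sub, _ in gaps]

def live_policy():
    """On a real domain controller: parse the live auditpol output (needs an elevated prompt)."""
    out = subprocess.run(["auditpol", "/get", "/category:*"], capture_output=True, text=True, check=True)
    return parse_auditpol(out.stdout)

if __name__ == "__main__":
    gaps = find_gaps(parse_auditpol(SAMPLE_OUTPUT))
    for gap in gaps:
        print("%-20s %-30s %s" % gap)
    print("\n".join(remediation(gaps)))
```

On the constructed sample the check flags Credential Validation and Account Lockout (no failure auditing) and Security Group Management (no auditing at all), which are exactly the events the brute-force and change-management use cases in this chapter depend on. If you roll the tables out through Group Policy rather than auditpol, pick one mechanism and keep to it: on Windows Vista/2008 and later, once any advanced subcategory is configured the subcategory settings take precedence over the legacy nine categories.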
Default Domain Policy

Configure logging for default domain policy in Windows as recommended in the following table.

Policy                          Success       Failure
Audit account logon events      Yes           Yes
Audit account management        Yes           Yes
Audit directory service access  Not defined   Not defined
Audit logon events              Yes           Yes
Audit object access             Not defined   Not defined
Audit policy change             Yes           Yes
Audit privilege use             Not defined   Not defined
Audit process tracking          Yes           No
Audit system events             Yes           Yes

Default Domain Controller Policy

Configure logging for your default domain controller policy in Windows as recommended in the following table.

Policy                          Success       Failure
Audit account logon events      Yes           Yes
Audit account management        Yes           Yes
Audit directory service access  Yes           Yes
Audit logon events              Yes           Yes
Audit object access (1)         See note 1    See note 1
Audit policy change             Yes           Yes
Audit privilege use             Yes           Yes
Audit process tracking          Yes           Yes
Audit system events             Yes           Yes

(1) Audit object access is required for file auditing. For more information, see Enabling Windows File Auditing.

For more information about the policies discussed above and how to configure their auditing, see Audit Policy and Best Practice.

Monitoring Firewalls for Port Scans and Malformed Packets

Monitor firewalls to detect port scans and other network attacks based on unusual traffic patterns and malformed packets. Also, gain visibility into web traffic and other network traffic events across your network.

Configure your firewalls to log to your SolarWinds LEM appliance and set up the appropriate connector on your SolarWinds LEM Manager. View the events in the default Firewall filter in your SolarWinds LEM Console, and create custom filters to show traffic to or from specific computers.

Setting a Firewall to Log to a LEM Appliance

Set your firewall to log to your SolarWinds LEM appliance to centralize its log data with the rest of your SolarWinds LEM events.
The process for doing this is different for each vendor, and it even differs across firewall versions. For that reason, we document each firewall separately, which is beyond the scope of this guide.

Firewalls from popular vendors such as Cisco, Check Point, and Juniper can be integrated with SolarWinds LEM appliances. For more information, see the SolarWinds knowledge base. If your firewall vendor is not among those, search for your vendor in the SolarWinds knowledge base. If documentation is not available, please contact SolarWinds Support.

Configuring a Firewall Connector on a LEM Manager

After you have set your firewall to log to your SolarWinds LEM appliance, configure the corresponding connector on your SolarWinds LEM Manager. Many of the firewall connectors are similar, though some will have a few unique settings. The procedure below explains how to set up a connector for a Cisco PIX firewall.

To configure the Cisco PIX and IOS connector on your SolarWinds LEM Manager:
1. Open the SolarWinds LEM Console and log into the SolarWinds LEM Manager as an administrator.
2. Click the Manage tab, and then click Appliances.
3. Click the gear button next to the SolarWinds LEM Manager (left), and then click Connectors.
4. In the Connector Configuration window, enter Cisco PIX in the search box at the top of the Refine Results pane.
5. Click the gear button next to the Cisco PIX and IOS connector, and then click New.
6. Replace the Alias value with a more descriptive connector alias. For example, PIX Firewall.
7. Use firewall somewhere in the Alias field to ensure the default Firewall filter captures your firewall data.
8. Verify the Log File value matches the local facility defined in your firewall settings. If the two do not match, the appliance receives the syslog messages but the connector does not read them, and no firewall events appear in the console.
9. Click Save.
10. Click the gear button next to the new instance of the connector, indicated by an icon in the Status column, and then click Start.
11.
Click Close to close the Connector Configuration window.

Viewing Network Traffic from Specific Computers

Create custom filters to make specific firewall events more visible than others. For example, if you want to monitor all traffic coming from a specific computer more closely than other firewall traffic, create a filter for all network traffic coming from that source machine. Use Connector Profiles and other groups to broaden or refine the scope of custom filters like this.

Creating a filter for all traffic from a specific computer:
1. Open the SolarWinds LEM Console and log into the SolarWinds LEM Manager as an administrator or auditor.
2. Click Monitor.
3. Click the plus button on the Filters pane (left), and then click New Filter.
4. Enter a Name and Description for the filter.
5. Click Event Groups on the components list (left).
6. Click Network Audit Events.
7. In the Fields: Network Audit Events list below, click and drag SourceMachine into the Conditions box (right).
8. Enter the computer's name into the Text Constant field, which is denoted by a pencil icon. Use a wildcard character (*) after the computer name to avoid having to enter the computer's fully qualified domain name.
   Note: Use a Connector Profile or other group instead of a Text Constant to filter for all network traffic coming from a group of similar computers.
9. Click Save.

Creating a LEM Rule to Notify of Potential Port Scanning Traffic

Clone and enable the PortScans rule to recognize suspicious firewall traffic that can be indicative of port scanning. The default action for this rule is to generate a TCPPortScan event, which the SolarWinds LEM Console displays in the default Security Events filter. Use these events to monitor suspicious network traffic and potentially take action against an external source.

Cloning and enabling the PortScans rule:
1. Open the SolarWinds LEM Console and log into the SolarWinds LEM Manager as an administrator.
2. Click the Build tab, and then click Rules.
3. Enter PortScans (one word) in the search box at the top of the Refine Results pane.
4. Click the gear button next to the rule (left), and then click Clone.
5. Select the folder where you want to save the cloned rule, and then click OK.
6. Select Enable at the top of the Rule Creation window, next to the Description field.
7. Optionally, to tune the rule to be more appropriate for your environment, consider the following:
   • Subscribe to the rule to track its activity in the Subscriptions report.
   • Increase the number of events in the Correlation Time box to modify how frequently the rule fires.
   • Omit vulnerability scanners from the Correlations by changing the TCPTrafficAudit "exists" condition to a TCPTrafficAudit.SourceMachine comparison against Your Scanners, where Your Scanners is a User-Defined Group, Connector Profile, or Directory Service Group that represents that group of computers. The comparison must exclude that group (the negated form of the operator); an equals comparison would make the rule fire only for the scanners.
   • Modify the default action or add additional actions to do things such as send an email message, or block an IP address. Be careful with Block IP on this rule: the source address of scan traffic is easy to spoof, so an automatic block can be turned against legitimate addresses.
8. If you are finished configuring your rule, click Save.
9. Back on the main Rules screen, click Activate Rules.

Monitoring Antivirus Software for Viruses that are Not Cleaned

Monitor your antivirus software to track whether or not your antivirus solution is able to fully clean the viruses it detects. Configure your antivirus software to log to your SolarWinds LEM appliance and set up the appropriate connector on your SolarWinds LEM Manager. View the events in the default Virus Attack filter in your SolarWinds LEM Console.

Setting Antivirus Software to Log to a LEM Appliance

Set your antivirus software to log to your SolarWinds LEM appliance to centralize its log data with the rest of your SolarWinds LEM events. The process for doing this is different for each vendor, and it even differs across antivirus versions.
For that reason, we document each antivirus solution separately, which is beyond the scope of this guide. You can integrate antivirus software from popular vendors such as Symantec and McAfee with your SolarWinds LEM appliance. To find instructions on integrating your vendor's antivirus software, search the SolarWinds knowledge base. If documentation is not available, please contact SolarWinds Support.

Configuring the Antivirus Connector on a LEM Manager

To configure the Symantec Endpoint Protection 11 connector on your SolarWinds LEM Manager:
1. Open the SolarWinds LEM Console and log into the SolarWinds LEM Manager as an administrator.
2. Select the Manage tab, and then click Appliances.
3. Click the gear button next to your SolarWinds LEM Manager (left), and then click Connectors.
4. In the Connector Configuration window, enter Symantec Endpoint Protection in the search box at the top of the Refine Results pane.
5. Click the gear button next to the Symantec Endpoint Protection 11 connector, and then click New.
6. Replace the Alias value with a custom alias or accept the default.
7. Verify the Log File value matches the Log Facility defined in your antivirus settings.
8. Click Save.
9. Click the gear button next to the new instance of the connector, indicated by an icon in the Status column, and then click Start.
10. Click Close to close the Connector Configuration window.

Creating a LEM Rule to Track When Viruses Are Not Cleaned

Clone and enable the Virus Attack – Bad State rule to track the state of virus attacks reported by your antivirus software. The Bad Virus State User-Defined Group defines a bad state as any virus that has not been fully cleaned by your antivirus software. That is, any virus that has been left alone, quarantined, or renamed.
The default action for this rule is to generate a HostIncident event, which you can use with the Incidents report to show auditors that you are reviewing the critical events on your network.

Cloning and enabling the Virus Attack – Bad State rule:
1. Open the SolarWinds LEM Console and log into the SolarWinds LEM Manager as an administrator.
2. Select the Build tab, and then click Rules.
3. Enter Virus Attack – Bad State in the search box at the top of the Refine Results pane.
4. Click the gear button next to the rule (left), and then click Clone.
5. Select the folder where you want to save the cloned rule, and then click OK.
6. Select Enable at the top of the Rule Creation window, next to the Description field.
7. Click Save.
8. Back on the main Rules screen, click Activate Rules.

Monitoring Proxy Servers for Suspicious URL Access

Monitor proxy servers to track when users attempt to access suspicious websites, matched by partial or complete URL. Configure your proxy server to log to your SolarWinds LEM appliance and set up the appropriate connector on your SolarWinds LEM Manager.

Setting Proxy Server to Log to a SolarWinds LEM Virtual Appliance

Set your proxy server to log to your SolarWinds LEM virtual appliance to centralize its log data with the rest of your SolarWinds LEM events. You can integrate proxy servers from popular vendors such as Websense and Barracuda with your SolarWinds LEM virtual appliance. The integration process is different for each vendor, so each proxy server is documented separately in the SolarWinds knowledge base. Search for your proxy server vendor in the SolarWinds knowledge base. If a knowledge base article is not available, contact SolarWinds Support.

Configuring a Proxy Server Connector on a SolarWinds LEM Manager

After you have set your proxy server to log to your SolarWinds LEM appliance, configure the corresponding connector on your SolarWinds LEM Manager.
Many of the proxy server connectors are similar, though some have a few unique settings. The procedure below shows how to set up a connector for a Websense proxy server; instructions for other proxy server connectors are in the SolarWinds knowledge base.

Configuring the Websense Web Filter and Websense Web Security connector:
1. Open the SolarWinds LEM Console and log into the SolarWinds LEM Manager as an administrator.
2. Select the Manage tab, and then click Appliances.
3. Click the gear button next to your SolarWinds LEM Manager (left), and then click Connectors.
4. In the Connector Configuration window, enter Websense Web Filter in the search box at the top of the Refine Results pane.
5. Click the gear button next to the Websense Web Filter and Websense Web Security connector, and then click New.
6. Replace the Alias value with a custom alias, or accept the default.
7. Click Save.
8. Click the gear button next to the new instance of the connector, indicated by an icon in the Status column, and then click Start.
9. Click Close to close the Connector Configuration window.

Creating a SolarWinds LEM Rule to Notify of Suspicious URL Attempts

Clone and enable the Known Spyware Site Traffic rule to track when users attempt to access suspicious websites, matched by partial or complete URL. The default action for this rule is to generate a HostIncident event, which you can use with the Incidents report to show auditors that you are reviewing the critical events on your network.

Note: Before enabling this rule, confirm that your proxy server sends complete URLs to your SolarWinds LEM Manager by checking the URL field of any WebTrafficAudit event generated by the proxy. A rule that matches on URL fragments cannot fire on events whose URL field is empty. If your proxy server does not log web traffic at this level of detail, check the events coming from your firewalls; they can sometimes be used for this rule as well.
Cloning and enabling the Known Spyware Site Traffic rule:
1. Open the SolarWinds LEM Console and log into the SolarWinds LEM Manager as an administrator.
2. Select the Build tab, and then click Rules.
3. Click Default Rules on the Refine Results pane (left).
4. Enter Known Spyware Site Traffic in the search box at the top of the Refine Results pane.
5. Click the gear button next to the rule (left), and then click Clone.
6. Select the folder where you want to save the cloned rule, and then click OK.
7. Select Enable at the top of the Rule Creation window, next to the Description field.
8. Click Save.
9. Back on the main Rules screen, click Activate Rules.

Monitoring Microsoft SQL Databases for Changes to Tables and Schema

Monitor databases to track successful or failed attempts to change their tables or schema. Install MSSQL Auditor on a LEM Agent that has Microsoft SQL Profiler installed to monitor local or remote Microsoft SQL databases. MSSQL Auditor runs as a service alongside the LEM Agent service.

Configuring Database Servers

Install and configure MSSQL Auditor on your database server to give the SolarWinds LEM Agent access to details about database configuration changes on that computer. Install the following components on your database server before installing MSSQL Auditor:
- Microsoft SQL 2005 or 2008 Profiler
- Microsoft .NET 2.0 Framework
- SolarWinds LEM Agent for Windows

Installing MSSQL Auditor on a SolarWinds LEM Agent
1. Download SolarWinds-LEM-v6.2-MSSQLAuditor.zip from the SolarWinds customer portal under Additional Components.
2. Run mssqlaudsetup.exe.
3. Click Next to start the wizard.
4. Accept the End User License Agreement, and then click Next.
5. Click Change to specify an installation folder, or accept the default, and then click Next.
6. Click Install.
7. When the installation is finished, select Launch SolarWinds MSSQL Auditor, and then click Finish.
To configure MSSQL Auditor for use with your servers:

Note: If you did not select Launch SolarWinds MSSQL Auditor after installing the application, you can launch it from the SolarWinds Log and Event Manager program group in your Start menu.

1. Enter the name of the SQL server to be monitored in the SQL Server\Instance field, and click Add Server.
   Note: To specify an instance other than the default, enter the server name in the format Server\Instance.
2. Repeat this step for each server to be monitored.
3. To run MSSQL Auditor on your database server under an account other than the Local System Account, select This Account in the Run Service As section and provide the credentials.
   Note: SolarWinds recommends an account in the sysadmin role, though the account only needs Execute permission on the stored procedures with the xp_trace prefix. A dedicated account holding only that permission limits what an attacker gains if the auditor service or its stored credentials are compromised, so prefer it over a sysadmin account where your change process allows.
4. Click Start Auditor Service, denoted by a green "Play" icon, in the Manage Auditor Service section.
5. Click OK.

Configuring the MSSQL Auditor Connector on a SolarWinds LEM Agent

To configure the MSSQL Auditor connector on your SolarWinds LEM Agent:
1. Open the SolarWinds LEM Console and log into the SolarWinds LEM Manager as an administrator.
2. Select the Manage tab, and then click Nodes.
3. Locate the SolarWinds LEM Agent for your database server and verify that it is connected to your LEM Manager.
4. Click the gear button next to the SolarWinds LEM Agent, and then click Connectors.
5. Enter MSSQL in the search box at the top of the Refine Results pane.
6. Click the gear button next to the SolarWinds Log and Event Manager MSSQL Auditor connector, and then click New.
7. Give the new connector a custom Alias, or accept the default.
8. Verify that the value in the Log File field matches the folder in which the logs are stored on your database server, and then click Save.
9. Click the gear button next to the new instance of the connector, indicated by an icon in the Status column, and then click Start.
10. Repeat these steps for the MSSQL 2000 Application Log connector.
11. Click Close to close the Connector Configuration window.

Creating a SolarWinds LEM Rule to Send Notifications of Microsoft SQL Database Change Attempts

Clone and enable the MSSQL Database Change Attempt rule to track when users attempt to change properties on a monitored Microsoft SQL database. The default action for this rule is to generate a HostIncident event, which you can use with the Incidents report to show auditors that you are reviewing the critical events on your network. See "Leveraging the Incidents Report in Security Audits" on page 59.

Cloning and enabling the MSSQL Database Change Attempt rule:
1. Open the SolarWinds LEM Console and log into the SolarWinds LEM Manager as an administrator.
2. Select the Build tab, and then click Rules.
3. Enter MSSQL Database Change Attempt in the search box at the top of the Refine Results pane.
4. Click the gear button next to the rule (left), and then click Clone.
5. Select the folder where you want to save the cloned rule, and then click OK.
6. Select Enable at the top of the Rule Creation window, next to the Description field.
7. Click Save.
8. Back on the main Rules screen, click Activate Rules.
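The rules cloned in this chapter share one shape: a condition on normalized event fields, an optional correlation count inside a time window, a membership test against a User-Defined Group, and a HostIncident as the default action. The following Python example, added here and not part of SolarWinds' product or documentation, reproduces that logic for the PortScans tuning (correlation threshold, authorized scanners omitted by group), the Known Spyware Site Traffic rule (partial-URL match on the WebTrafficAudit URL field, skipping events whose proxy logged no URL, as the Note above warns) and the Virus Attack – Bad State rule (the Bad Virus State group). The field names, group contents, thresholds and sample events are assumptions constructed for the example; LEM's own field names and matching semantics may differ.

```python
# Added example (not SolarWinds code): a miniature correlation engine over
# normalized LEM-style events, reproducing three rules from this chapter:
# PortScans (correlation count, scanners omitted), Known Spyware Site Traffic
# (partial-URL match) and Virus Attack - Bad State (User-Defined Group test).
# Field names, group contents and sample events are constructed assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# User-Defined Groups (constructed values).
YOUR_SCANNERS = {"10.0.0.5"}                                  # authorized scanners
BAD_VIRUS_STATE = {"left alone", "quarantined", "renamed"}     # not fully cleaned
KNOWN_SPYWARE_SITES = ["badtracker.example", "example.net/spyware/"]  # partial URLs

# Correlation settings tuned in step 7 of the PortScans procedure: this many
# TCPTrafficAudit events from one source inside the window fire the rule.
PORTSCAN_THRESHOLD = 5
PORTSCAN_WINDOW = timedelta(seconds=60)


def url_matches(url, pattern):
    """Match a partial URL on host-label boundaries: the pattern host must equal
    the URL host or be a parent domain of it, and a pattern path must prefix the
    URL path. A raw substring test would also flag notbadtracker.example."""
    parsed = urlsplit(url if "://" in url else "http://" + url)
    pat_host, _, pat_path = pattern.lower().partition("/")
    host = (parsed.hostname or "").rstrip(".")
    if host != pat_host and not host.endswith("." + pat_host):
        return False
    return parsed.path.startswith("/" + pat_path) if pat_path else True


class RuleEngine:
    def __init__(self):
        self.tcp_times = defaultdict(deque)   # SourceMachine -> recent event times
        self.incidents = []                   # HostIncident events generated

    def _host_incident(self, rule, event, detail):
        # The default action of all three rules is to generate a HostIncident.
        self.incidents.append({"EventType": "HostIncident", "Rule": rule,
                               "SourceMachine": event.get("SourceMachine"),
                               "DetectionTime": event["DetectionTime"], "Detail": detail})

    def process(self, event):
        handler = {"TCPTrafficAudit": self._port_scan, "WebTrafficAudit": self._spyware_site,
                   "VirusAttack": self._virus_bad_state}.get(event["EventType"])
        if handler:
            handler(event)

    def _port_scan(self, event):
        src = event["SourceMachine"]
        if src in YOUR_SCANNERS:
            return                            # omit authorized scanners
        times = self.tcp_times[src]
        times.append(event["DetectionTime"])
        while event["DetectionTime"] - times[0] > PORTSCAN_WINDOW:
            times.popleft()                   # slide the correlation window
        if len(times) >= PORTSCAN_THRESHOLD:
            self._host_incident("PortScans", event,
                                f"{len(times)} TCP connections within {PORTSCAN_WINDOW.seconds}s")
            times.clear()                     # one incident per burst, not per packet

    def _spyware_site(self, event):
        url = event.get("URL")
        if not url:
            return                            # proxy logged no URL: nothing to match
        for pattern in KNOWN_SPYWARE_SITES:
            if url_matches(url, pattern):
                self._host_incident("KnownSpywareSiteTraffic", event, f"{url} matched {pattern}")
                return

    def _virus_bad_state(self, event):
        state = event.get("VirusState", "").lower()
        if state in BAD_VIRUS_STATE:
            self._host_incident("VirusAttackBadState", event,
                                f"{event.get('VirusName')} was {state}, not cleaned")


def _ev(second, etype, src, **fields):
    """Build one constructed normalized event at 12:00:<second>."""
    return {"EventType": etype, "DetectionTime": datetime(2015, 9, 1, 12, 0, second),
            "SourceMachine": src, **fields}

# Constructed sample events, not real LEM output.
SAMPLE_EVENTS = (
    [_ev(i, "TCPTrafficAudit", "10.0.0.5", DestinationPort=1000 + i) for i in range(8)]  # scanner
    + [_ev(10 + i, "TCPTrafficAudit", "192.168.1.77", DestinationPort=20 + i) for i in range(6)]
    + [_ev(20, "WebTrafficAudit", "192.168.1.20", URL="http://cdn.badtracker.example/t.js"),
       _ev(21, "WebTrafficAudit", "192.168.1.20", URL="http://notbadtracker.example/"),
       _ev(22, "WebTrafficAudit", "192.168.1.21"),                    # proxy logged no URL
       _ev(30, "VirusAttack", "192.168.1.30", VirusName="EICAR-Test", VirusState="Quarantined"),
       _ev(31, "VirusAttack", "192.168.1.31", VirusName="EICAR-Test", VirusState="Cleaned")]
)


def run(events=SAMPLE_EVENTS):
    """Feed events through the engine in time order; return the HostIncidents."""
    engine = RuleEngine()
    for event in sorted(events, key=lambda e: e["DetectionTime"]):
        engine.process(event)
    return engine.incidents


if __name__ == "__main__":
    for inc in run():
        print(inc["DetectionTime"].time(), inc["Rule"], inc["SourceMachine"], inc["Detail"])
```

Run as a script it prints three HostIncidents: the unknown host that touched six ports, the client that fetched from a subdomain of a listed site, and the quarantined virus. The eight probes from the authorized scanner, the lookalike host name, the event with no URL field and the virus that was cleaned produce nothing, which is the noise a tuned rule should not put in the Incidents report.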
Leveraging the Incidents Report in Security Audits

Auditors typically require IT administrators to review the critical events on their networks daily. Build that review around the Incident events described in the previous sections of this chapter. After you have defined your critical network events as Incidents, schedule the Incidents report to run daily and follow the procedure below to maintain a paper trail for your security audits. Scheduling a small set of reports to run daily is recommended, and the Incidents report should be one of them.

Maintaining a paper trail for your security audits using the daily Incidents report:
1. Open the Incidents report every day for the previous day.
2. Print the report and review its contents.
3. Document any action you took as a result of the report on the printed report, and sign it.
4. File the printed and signed report in a safe location for your next security audit.

Chapter 6: Ops Center

The Ops Center is a dashboard for viewing and managing informational widgets. Each widget is a high-level graphical view of specific network activity, presented in easy-to-read formats such as charts and graphs. Widgets are filter-driven: a filter is the data source for the graph shown in the widget. Widgets also appear in Monitor, so you can see graphical views of your filters alongside their grid-based views. You can select from a library of commonly used widgets or create your own. You can add, remove, edit, resize, refresh, and rearrange widgets to suit your preferences. Click a widget to select it. Point to the widget to display ToolTips and details about its graph.
You can also use the control options on its toolbar to change the widget's display format. You can resize widgets, but they are limited to certain sizes and aspect ratios to keep the Ops Center tidy and organized. The following table describes the key features of the Ops Center view.

Widgets: Each widget represents a high-level graphical view of specific network activity, designed to present important information at a glance. Most widgets filter the data source for what you are graphing in the widget.

Widget Manager: Click this button to alternately open and close the Widget Manager. The Widget Manager includes two panes, the Categories pane and the Widgets pane.

Getting Started: Tips and shortcuts to get you started configuring and exploring LEM.

Node Health: The status of each device being monitored by LEM.

thwack Community & Support: Access to useful information from the thwack community.

Top 10 Events: The top 10 events in the selected time range.

Help: Links to resources to help you learn more about LEM.

What's New in LEM: A list of items that have been added or improved in this version.

Events per Minute: The total count of events per minute for the past 15 minutes.

Custom Widget: An example of what can be created as a custom widget.

Top 10 Nodes by # of Events: The top 10 most active nodes (by number of events).

Top 10 Users by # of Events: The top 10 users with the most events in the selected time range.

Network Events by Source Machine: The top 10 machines generating network events.

User Logons by Source Machine: The top 5 user logons by source machine.

Data Simulator: Plays back different kinds of simulated network data.

Top 10 Rules by Number of Rules Fired: The top 10 most commonly triggered rules and how many times each fired over the selected time period.
User Details

From the Top 10 Users widget, click a user to open the User Details page. Every user has a User Details page that displays all related information, including all events, for that user. The User Details page contains the User:Details and User:All Events widgets.

User: Details Widget: Displays detailed user information such as User Name, Manager, User Type, etc.

User: All Events Widget: Lists all events generated by the selected user and displays statistics of the events in a graph. Click an event to see the Event Details page for the selected event. The User:All Events menus provide several presentation options:
- Filter events by event group
- Switch between Grid and Details views
- Select by time

Color-coding lets you pick out events that might need attention: a green line on a graph represents informational events, a yellow line warning events, and a red line critical events.

Node Details

From the Top 10 Nodes widget, click a node to open the Node Details page. The Node Details page displays overview information for each device monitored by LEM, and contains the Node:Details, Node:Connectors Applied, and Node:All Events widgets.

Node: Details Widget: Displays detailed information about the selected node, such as Node IP, Node Name, and Last Event.

Node: Connectors Applied Widget:
- Lists the connectors configured for the selected node
- Shows whether each connector is enabled
- Lets you turn connectors on or off
- Lets you configure new connectors

Node: All Events Widget: Lists all events generated by the selected node and displays statistics of the events in a graph. Click an event to see the Event Details page for the selected event.
The Node:All Events menus provide several presentation options:
- Filter events by event group
- Switch between Grid and Details views
- Select by time

Color-coding lets you pick out events that might need attention: a green line on a graph represents informational events, a yellow line warning events, and a red line critical events.

Widget Manager

In the Ops Center, master widgets reside in the Widget Manager's Categories list. Dashboard widgets reside on the dashboard. Dashboard widgets cannot be saved in the Widget Manager.

Filters pane: Widgets are organized by filter. Use the Filters pane to view, add, and edit the master widgets associated with each filter, and to create dashboard widgets from each master widget. The Name column lists each filter that has one or more master widgets. The Count column states how many master widgets are associated with each filter. You can sort the columns of the Filters pane.

Add (toolbar icon): Opens the Widget Builder, so you can add a new master widget to the selected category.

Edit (toolbar icon): Opens the Widget Builder for the widget currently selected in the Widgets pane. The Widget Builder lets you edit the widget's settings.

Widgets pane: Shows the master widgets associated with each filter. Use this pane to create dashboard widgets and to delete master widgets from the selected filter.

Add to Dashboard: Adds a copy of the master widget currently shown in the Widgets pane to the dashboard.

Delete Widget: Deletes the master widget currently shown in the Widgets pane. Deleting a master widget does not delete any dashboard widgets created from it.

Widget Builder

This topic explains how to use the Widget Builder, which is used to add a new widget or edit the configuration of an existing widget.
The following table explains each field on the Widget Builder.

Name: Type a name for the widget. This name appears in the widget's title bar.

Filter: Select the filter that is to be the widget's data source. If a filter name appears in italics, the filter is currently turned off. When you create a widget from the Monitor view, this field defaults to the filter that is currently active; if you select a different filter, the widget is associated with that filter, not the active one. When you create a widget from the Ops Center, this field defaults to the first option in the list.
Note: If you create a widget from a filter that is turned off, the widget does not display any chart information until the filter is turned back on.

Description: Type a brief description of the information this widget reports, up to 80 characters.

Visual Configuration

Visualization Type: Select the type of chart or graph you want (Pie, Bar, Line, Table, etc.). Select Table when a table of values is a useful way to view the data. You can switch a widget between these display types at any time, though some display types may not make sense for some widgets, depending on the widget's content.

Color/Color Palette: Select a color palette for the chart or graph.

X-Axis Label: If desired, type a label for the chart's horizontal axis.

Y-Axis Label: If desired, type a label for the chart's vertical axis.

Preview: Shows what the widget will look like, based on the options selected in the Visual Configuration section.

Data Configuration

Field: Select the data field you want reported from those available in the selected data source.

Show: Select how you want the frequency reported:
- Count (default): Counts each occurrence of the selected Field value.
  For example, if the Field you select is EventID, you are counting the number of events. In practice, whichever field you select, you are counting events; but it is best to think of the widget as counting occurrences of the field.
- Distinct Count: Does not count repeating Field values; instead it counts each distinct value once. For example, if you select a Field such as Event Name or Detection IP, the widget counts each specific value only once. In a single-dimension chart, Distinct Count reports every value as 1, so this option is best used with multi-dimensional charts.

Sort: Select how you want the data sorted:
- Descending (default): from highest to lowest (Z to A, 10 to 1).
- Ascending: from lowest to highest (A to Z, 1 to 10).
Sorting applies only when your Versus value is something other than Time.

Versus: To add a second dimension to the chart, select another data field from those available in the selected data source. This field's sort order is ascending.

Split By: To add a third dimension to the chart, select another data field from those available in the selected data source. This field's sort order is ascending.

Limit: Most filters contain more data than is practical to chart. The Limit value caps the number of items charted. The default is 5; depending on the sort order, this gives your Top 5 or Bottom 5.

Scope: Select the time frame reported by the chart or graph. The scope is always measured backward from the moment the chart is refreshed; for example, a scope of 30 minutes means "the last 30 minutes." The scope can be measured in Seconds, Minutes (default), Hours, or Days.
For events that happen frequently, choose a narrow scope. For events that happen rarely, choose a wide scope.

Resolution: Select the time value that defines the tick marks on the chart's horizontal X-axis. This field is required when Versus is a Time field. For example, if you are looking at 30 minutes of data, a Resolution of 5 Minutes draws the bars or line chart data points in 5-minute increments. In charts with a wider scope, the resolution could be hours or even days. This option is disabled for widgets that do not report time-based data.

Refresh: Select the rate at which the widget refreshes its display. Because the Console monitors real-time data, the chart must be refreshed periodically.

Save and Cancel

Save to Dashboard: Select this option to save the new or updated widget to the bottom of the Ops Center dashboard.

Save: Click Save to save the new or revised master widget. On saving, the new widget configuration immediately appears in the Ops Center Widget Manager and in the Monitor view's Widgets pane.

Cancel: Click Cancel to discard your changes and close the Widget Builder.

See Opening a filter from a widget for information on using widget filters.

The following table describes the function of each button on a widget toolbar. All of these buttons are on the widget toolbar except the legend button, which appears in the lower-left corner of the widget.

- Opens the widget in the Widget Builder, so you can edit its settings.
- "Flips" the widget, so you can configure its presentation format.
- Refreshes the widget's data.
- Expands (maximizes) the widget to fill the desktop.
- Restores the widget from its maximized size to its default size.
- Has two functions: in normal dashboard mode, it deletes the widget from the dashboard; when you are editing a "flipped" widget, it closes the widget's edit mode and returns it to its normal desktop view.
- Opens the widget's legend.

Viewing specific widget data

Widget graphs and charts display basic high-level information. However, each widget includes ToolTips that show specific data about each bar, line, or wedge in the chart. Typically, this is the reported event, Event Group, or event field, and its number of occurrences.

To view specific chart data: Point to the bar, line, or wedge you want to know about. A ToolTip appears, showing specific data about that item.

Refreshing widget data

On the widget toolbar, click the refresh button to show the latest data from your network. Widgets automatically refresh themselves according to the Refresh rate set when the widget was created. If a widget has a slow refresh rate, you can refresh it whenever you want. Refreshing a widget immediately updates it to show the most current real-time data from your network traffic.

Opening a filter from a widget

Widgets act as shortcuts to the event filters that are their data sources, so you can open the source filter directly from a widget by clicking the specific line, bar, or pie wedge that interests you. The corresponding filter then opens in the Monitor view, listing only the events that correspond to the chart item you selected.

To open a filter from a dashboard widget:
1. Open the Ops Center view.
2. In the dashboard, locate the widget you want to work with.
3. On the widget, click the specific line, bar, or pie wedge that interests you.
4. The Monitor view appears, with the event grid showing the filter that is the widget's data source. The event grid lists only those events that correspond to the line, bar, or pie wedge you clicked. The filter is paused; click Resume on the event grid toolbar to start it running again.

Note: You may select an item in the widget that is no longer shown in the Monitor's event grid, so the filter shows fewer events than the widget. This happens when the widget's scope is broader than the filter's: the filter may have discarded some of the data the widget shows, to make room for new data. The widget tracks statistics about events over time (perhaps a very long time frame), while the filter holds only a fixed quantity of events, covering a time frame that may be much shorter than the widget's scope. Put another way: the Console filters hold 10,000 events at a time. At every refresh interval, a widget looks at those 10,000 events to draw a line, bar, or wedge with the right count for that time, and the same 10,000 events are displayed in the corresponding filter. But once the Console reaches 10,000 events, the widget does not erase data points it has already drawn, whereas the filter must remove the oldest events from the grid to make room for new ones. During an investigation, treat a widget count as a pointer rather than as evidence: the full history lives in the database, reachable through nDepth search and reports, not in the grid.

Editing a widget's chart presentation

On the back of each widget there is a form that lets you change how the data is presented on the widget. However, your options are limited by the type of widget you are working with and the type of data it reports.
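As an added illustration, not part of the SolarWinds documentation, the following Python models how the Widget Builder's Count and Distinct Count settings reduce a filter's events to chart rows (with and without a Versus dimension, sorted and limited as described above) and, for the note on widget scope versus the filter's 10,000-event window, why clicking a bar can open a filter that no longer holds the events behind it. The field names, the 40-event grid capacity used to keep the run small, and the sample events are assumptions constructed for the example.

```python
# Added example (not SolarWinds code): how the Widget Builder's Field, Show
# (Count / Distinct Count), Versus, Sort and Limit settings reduce a filter's
# events to chart rows, and why a widget can show items the filter grid no
# longer holds. Field names, the grid capacity and the sample events are
# assumptions constructed for this example.
from collections import deque


def widget_rows(events, field, show="Count", versus=None, descending=True, limit=5):
    """Return the (key, value) rows a widget would chart.

    With no Versus dimension, rows are keyed by the Field value itself, so
    Count is the number of occurrences of each value and Distinct Count is
    always 1 (the behaviour the guide warns about). With a Versus field, rows
    are keyed by that field and Distinct Count becomes the number of different
    Field values seen per key.
    """
    buckets = {}
    for ev in events:
        if field not in ev:
            continue                                  # event lacks the charted field
        key = ev.get(versus) if versus else ev[field]
        buckets.setdefault(key, []).append(ev[field])
    rows = [(k, len(v) if show == "Count" else len(set(v))) for k, v in buckets.items()]
    rows.sort(key=lambda kv: kv[1], reverse=descending)  # Sort, then Limit
    return rows[:limit]


# Constructed TCPTrafficAudit-style events: one host touching five ports once
# each, one host hitting port 80 seven times, one host touching two ports.
SAMPLE_EVENTS = (
    [{"SourceMachine": "10.1.1.9", "DestinationPort": p} for p in (22, 80, 443, 445, 3389)]
    + [{"SourceMachine": "10.1.1.20", "DestinationPort": 80} for _ in range(7)]
    + [{"SourceMachine": "10.1.1.30", "DestinationPort": p} for p in (80, 443)]
)


def grid_versus_widget(capacity=40, per_tick=30, ticks=3):
    """Model the scope mismatch described in the Note above.

    The filter grid keeps only the newest `capacity` events (10,000 in the
    real Console). At each refresh the widget counts the current tick's events
    and keeps the point it drew, while the grid silently drops old events.
    Returns (what the widget drew per tick, what the grid still holds per tick).
    """
    grid = deque(maxlen=capacity)                     # oldest events fall off the left
    drawn = {}
    for tick in range(ticks):
        for i in range(per_tick):
            grid.append({"EventID": f"{tick}-{i}", "Tick": tick})
        drawn[tick] = sum(1 for ev in grid if ev["Tick"] == tick)
    still_in_grid = {t: sum(1 for ev in grid if ev["Tick"] == t) for t in drawn}
    return drawn, still_in_grid


if __name__ == "__main__":
    print("Count by source:", widget_rows(SAMPLE_EVENTS, "DestinationPort", versus="SourceMachine"))
    print("Distinct ports by source:",
          widget_rows(SAMPLE_EVENTS, "DestinationPort", "Distinct Count", versus="SourceMachine"))
    print("Distinct Count, one dimension:",
          widget_rows(SAMPLE_EVENTS, "DestinationPort", "Distinct Count"))
    print("widget drew / grid holds:", grid_versus_widget())
```

The same events rank differently depending on Show: by Count the noisy host 10.1.1.20 leads, while by Distinct Count of DestinationPort versus SourceMachine the host touching many different ports leads, which is the shape a port scan makes in a widget. In the grid model the widget still shows 30 events for the first tick after the grid has dropped all of them, so clicking that bar opens an empty filter.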
For example, widgets that report data in only one dimension may be limited to a pie chart, while information in two dimensions can be reported in a bar chart or a line chart.

To edit a widget's presentation from the dashboard:
1. In the Ops Center dashboard, locate the widget you want to work with.
2. Click the configure button on the widget toolbar.
3. The widget flips over to display its configuration options.
4. Configure the widget according to its configuration options. These options are a subset of the fields on the Widget Builder.

To arrange widgets on the dashboard:
1. Open the Ops Center view.
2. If needed, click Widget Manager to close the Categories and Widgets panes. This provides the most space for arranging your widgets.
3. In the dashboard, drag a widget's title bar to move the widget to a new position. As you move the widget around the dashboard, the other widgets rearrange themselves to make room for it. When you release the mouse button, the widget snaps into place.

Resizing a widget

You can view widgets in full-screen mode or at their normal size. You can also change the size of a widget to make it taller or wider. However, the widget's sizes must conform to the dashboard's standard geometry.

To resize a widget: In the Ops Center dashboard, drag the lower-right corner of the widget in any direction. As you resize the widget, the surrounding widgets rearrange themselves to make room for the larger one. When you release the mouse button, the widget snaps to the closest size allowed by the desktop's geometry.

To show a widget in full-screen mode: In the Ops Center dashboard, click the Maximize button on the widget's toolbar. The widget takes up the entire dashboard.

To restore a widget to its normal size: In the Ops Center dashboard, click the Minimize button on the widget's toolbar. The widget returns to its normal size.

Viewing a widget's legend

Each widget bar chart, graph, and pie chart has a legend that explains what each bar, line, or wedge represents.

To view a widget's legend: Click the widget's legend button. The chart legend appears.

Where to find widgets

Widgets appear in two areas, the Ops Center and the Monitor view's Widgets pane:
- In the Ops Center, master widgets always reside in the Widget Manager's Categories list. Dashboard widgets always reside on the dashboard. Dashboard widgets cannot be saved in the Widget Manager.
- In the Monitor view, each master widget appears in the Widgets pane for the filter that acts as its data source. Dashboard widgets do not appear in the Monitor view's Widgets pane.

Chapter 7: Monitor

The Monitor view is the heart of the LEM Console. As the name implies, it is used for monitoring your network activity. In Monitor, you create filters and widgets that group and display the events that come from your Agents, Managers, and network devices. Events are messages created from Agent, Manager, and network device log entries. These log entries are processed (normalized) to extract information and present it in a common column/field-based format, rather than the often convoluted format of the source data. Normalized events are sent from the Agent to the Manager for processing. At the Manager, the events are processed against your Rules, sent to your database for archiving, and sent to the LEM Console for monitoring.

Monitor View Features

The following table describes the key features of the Monitor view.

Filters button: Click the Filters button to alternately show and hide the Filters pane.

Filters pane: Stores all of the filters that you can apply to the Console's event messages.
- Click a filter name to apply that filter to the events grid.
  The events grid refreshes to show only the incoming events allowed by the filter's conditions.
- Use the plus button to create your own custom filters and filter groups.
- Use the pane's gear button to edit, pause, resume, turn on, turn off, import, export, or delete filters.

Events grid: Agents monitor each configured data source on your network and send events to your Managers. The Console's events grid displays every event logged to each Manager the Console is connected to. The grid's title bar displays the name of the filter currently applied. By default, incoming events appear at the top of the grid, so the Console always shows the most recent activity first.

Respond menu: Use this menu to actively respond to a particular event message. For example, you can block an IP address, or restart or shut down the machine that is the source of the event activity.

Explore menu: Use this menu to explore a particular event message, or one of its specific data elements, with an explorer. The menu is context-sensitive: the contents of the selected cell (called a string) determine which explorers you can choose from.

Pause/Resume: This button toggles between pausing and resuming the event traffic currently reported by the filter.

Highlight: This button lets you highlight rows in the events grid with a particular color. Highlighting serves as a visual reference point for marking and locating specific events in the grid.

Row gear button: The gear button in each row opens a menu of commands that you can perform on the item currently selected in the grid. Use these commands to mark messages as read or unread, remove messages, or copy event information.

Sort (▼ ▲): When a filter is paused, you can click the column headers to sort the grid in ascending (▲) or descending (▼) order by any of its columns.

Filter Notifications pane: Summarizes the event activity from each of your active notification filters, that is, filters that use blink, popup, or sound notifications. Click a filter name in this tab to view the events associated with that filter. This pane behaves exactly like the status bar's Notifications tab.

Widgets pane: Displays the widgets associated with the filter currently applied to the events grid. Widgets automatically refresh themselves to reflect changes in events grid filtering. Use this pane to view the widgets associated with the filter, change a widget's visualization type (bar chart, pie chart, line graph, etc.), create a new widget, edit an existing widget, or save a widget to the Ops Center dashboard.

Event Details and Description: Event Details and Event Description are two views of the same pane, which displays detailed information about the last event selected in the grid.
- The Event Details view displays specific technical details about the event. You can also use this view to create a filter based on the selected event, or to scroll through the contents of the events grid.
- The Event Description view displays a written description of the currently selected event.

Notifications: The Notifications tab summarizes the event activity from each of your active notification filters, that is, filters that use blink, popup, or sound notifications. Click a filter name in this tab to view the events associated with that filter.

Filters and Filter Groups

On a busy network there can be millions of events each day, so the LEM Console uses event filters to manage them. A filter is a subset of your events that focuses on a particular type or group of events and hides all others. When configuring a filter, you can examine and use individual event properties to determine precisely which events appear in that filter.
Filters apply at the LEM Console level. This means they apply to all data sent from every Manager monitored by the LEM Console. Filters also display events in real time.

You can turn filters on and off, pause filters to sort or investigate their events, perform actions to respond to events, and configure filters to notify you when they capture a particular event. Filters can also display widgets, which are charts and graphs that visually represent the event data. Widgets are described in more detail below.

LEM ships with many commonly used filters that support best practices in the security industry. However, you can create your own custom filters, or modify existing filters to meet your needs. There is no limit to the number of filters a LEM Console can contain.

Filters are managed in the Filters pane. The Filters pane stores all of the filters that can be applied to the Console’s events grid.

Filter Attributes

The number next to each filter shows the total number of events that are currently associated with that filter. Positioning your pointer over a filter displays a Tooltip that briefly describes the purpose of the filter, when such a description is available. Any filters that appear in italics are currently turned off.

You can use the Filters pane to do any of the following tasks:

- Create your own custom filters and reconfigure existing filters to meet your needs.
- Create filter groups for storing and organizing your filters.
- Turn filters on and off, and pause them to stop the flow of event traffic.
- Move filters from one filter group to another.
- Copy filters.
- Rename filters and filter groups.
- Import and export filters.
- Delete obsolete filters and filter groups.

Standard LEM Filters

LEM ships with some commonly used filters that support best practices in the security industry. Each of these filters is described in the following table. They are listed alphabetically for easy reference. The Default status column indicates whether the filter is On (visible) or Off (hidden) by default. To add your own custom filters, see Utilizing the Console.

Note: If you are installing an upgrade, LEM automatically converts your existing filters into the new graphical format described in Utilizing the Console.

Filter | Description | Default status
Admin Account Authentication | Displays events for authentication to administrative-level accounts. | Off
All Events | Displays all events from all sources. | On
Change Management | Displays events for changes made to users, groups, and devices. | On
Denied ACL Traffic | Displays events for network traffic that has been administratively denied. | Off
Domain Controllers | Displays all events from domain controller (all) devices. | Off
Failed Logons | Displays failed logon attempts. | On
File Audit Failures | Displays FileAuditFailure events, which show failed attempts to access audited files. | Off
Firewall | Displays all events from firewall devices. | On
FTP Traffic | Displays TCP traffic to and from ports 20 and 21, indicating file transfer activity on the network. | On
IDS | Displays all events from network intrusion detection devices. | On
Incidents | Displays all Incident Events. | On
Network Events | Displays all events in the NetworkAudit category of the event tree. | On
Proxy Bypassers | Displays WebTrafficAudit events that are not from a proxy server. This can indicate an internal machine attempting to access the Web directly, rather than by using the proxy server. | Off
Rule Activity | Displays InternalRuleFired and InternalTestRule events, which indicate that Rules have been triggered. | On
Security Events | Displays all events in the SecurityEvent category of the event tree. | On
Security Processes | Displays ProcessStart and ProcessStop events related to critical security processes running on machines. These processes include anti-virus, anti-spyware, and firewall processes. | On
SMTP Traffic | Displays TCP traffic to and from port 25. It can also identify potentially infected hosts. | On
SNMP Traffic | Displays network traffic to and from port 161. This filter can be used to discover network scan attempts and normal network monitoring tools. | On
Subscriptions | Displays events from user rule subscriptions. | On
Events | Displays all events in the InternalEvent category of the event tree. | On
Unusual Network Traffic | Displays events in the NetworkSuspicious branch of the event tree, which indicate that potentially suspicious or unusual network activity may be occurring. | On
USB File Auditing | Displays file-related events from Agents with USB-Defender installed. |
USB-Defender | Displays events from USB-Defender technology that are related to insertion and removal of USB devices. | On
User Logon (interactive) | Displays UserLogon events where the logon type indicates a user physically logging on at a machine, or interactively logging on to a remote desktop. |
User Logons | Displays all UserLogon events from all sources, indicating varying types of user authentication and access. | On
Virus Attacks | Displays all VirusAttack events. VirusAttack events are created when virus scanners detect potentially malicious virus activity. | Off
Web Traffic for Source Machine | Displays WebTrafficAudit events that match a specific source machine. This filter can be used to track a single machine’s web activity to discover potentially abusive activity. | Off
Web Traffic – Spyware | Displays WebTrafficAudit activity to and from URLs that are indicated by the Spyware Sites User-Defined Group to be potentially malicious websites. | Off

Filter Creation

The Monitor view has a Filter Creation tool where you create and edit your own custom event filters, as well as edit any existing filters. Use this form to name, describe, configure, and verify your filters. Event filters are based on specific Events or Event Groups.
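The two ideas this chapter rests on, normalization of source log entries into a common field layout and filters built from conditions joined by AND/OR, can be seen end to end in a small script. The following is an added example written for this guide, not LEM's own normalizer or filter engine: it parses a few constructed log lines in three source formats into field-based events and then evaluates five of the standard filters from the table above against them. The event names other than WebTrafficAudit and UserLogon, the regular expressions, and the two user-defined groups (proxy servers, Spyware Sites) are assumptions made for the example.

```python
"""Added example (not LEM's own code): normalize raw log lines from three
constructed source formats into the common field layout the Monitor view
shows, then evaluate LEM-style filters, i.e. condition groups joined by
AND/OR, against the normalized events. Event names other than the ones
named on the page (WebTrafficAudit, UserLogon) and both user-defined groups
are assumptions for this example."""
import re
from typing import Any, Dict, List, Tuple, Union
from urllib.parse import urlparse

Event = Dict[str, Any]

# Constructed raw log lines: a Windows failed logon, firewall TCP audit
# lines, a web request seen by a proxy, and one seen by a workstation Agent.
RAW_LOG_LINES = [
    "Mar 10 08:01:02 dc01 security: EventID=4625 Account=jdoe Workstation=ws17 Status=0xC000006A",
    "Mar 10 08:01:05 fw01 kernel: ACCEPT tcp src=10.0.0.5:51234 dst=203.0.113.9:21",
    "Mar 10 08:01:06 fw01 kernel: ACCEPT tcp src=203.0.113.9:20 dst=10.0.0.5:51235",
    "Mar 10 08:01:09 proxy01 squid: GET http://updates.example.net/ from 10.0.0.7",
    "Mar 10 08:01:11 ws22 agent: GET http://spyware-tracker.example/ from 10.0.0.22",
    "Mar 10 08:01:15 fw01 kernel: DENY tcp src=10.0.0.8:40000 dst=203.0.113.10:445",
]

SYSLOG_PREFIX = r"^\S+ \d+ [\d:]+ (?P<host>\S+) "
AUTH_RE = re.compile(SYSLOG_PREFIX + r"security: EventID=4625 Account=(?P<user>\S+) Workstation=(?P<ws>\S+)")
FW_RE = re.compile(SYSLOG_PREFIX + r"kernel: (?P<action>\w+) tcp src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)")
WEB_RE = re.compile(SYSLOG_PREFIX + r"\S+: GET (?P<url>\S+) from (?P<src>[\d.]+)")


def normalize(line: str) -> Event:
    """Map one raw log line onto common field names; unknown formats are kept raw."""
    m = AUTH_RE.match(line)
    if m:
        return {"event_name": "UserLogonFailure", "detection_host": m["host"],
                "source_account": m["user"], "source_machine": m["ws"]}
    m = FW_RE.match(line)
    if m:
        return {"event_name": "TCPTrafficAudit", "detection_host": m["host"],
                "traffic_action": m["action"],
                "source_machine": m["src"], "source_port": int(m["sport"]),
                "destination_machine": m["dst"], "destination_port": int(m["dport"])}
    m = WEB_RE.match(line)
    if m:
        return {"event_name": "WebTrafficAudit", "detection_host": m["host"],
                "source_machine": m["src"], "url": m["url"],
                "destination_host": urlparse(m["url"]).hostname}
    return {"event_name": "UnknownLogEntry", "raw": line}


# A filter is a tree: leaves are (field, operator, value) conditions and
# inner nodes are ("AND" | "OR", [children]) groups, as in the Conditions box.
Condition = Tuple[str, str, Any]
Group = Tuple[str, List[Union[Condition, "Group"]]]


def matches(event: Event, node: Union[Condition, Group]) -> bool:
    """Evaluate a condition or group against one normalized event."""
    if node[0] in ("AND", "OR"):
        results = [matches(event, child) for child in node[1]]
        return all(results) if node[0] == "AND" else any(results)
    field, op, value = node
    actual = event.get(field)
    if op == "eq":
        return actual == value
    if op == "in":
        return actual in value
    if op == "not_in":
        return actual not in value
    raise ValueError(f"unknown operator {op!r}")


# Constructed user-defined groups (stand-ins for LEM's groups of that kind).
PROXY_SERVERS = {"proxy01"}
SPYWARE_SITES = {"spyware-tracker.example"}

# Five of the standard filters from the table above, expressed as trees.
STANDARD_FILTERS: Dict[str, Group] = {
    "Failed Logons": ("AND", [("event_name", "eq", "UserLogonFailure")]),
    "FTP Traffic": ("AND", [("event_name", "eq", "TCPTrafficAudit"),
                            ("OR", [("source_port", "in", {20, 21}),
                                    ("destination_port", "in", {20, 21})])]),
    "Denied ACL Traffic": ("AND", [("event_name", "eq", "TCPTrafficAudit"),
                                   ("traffic_action", "eq", "DENY")]),
    "Proxy Bypassers": ("AND", [("event_name", "eq", "WebTrafficAudit"),
                                ("detection_host", "not_in", PROXY_SERVERS)]),
    "Web Traffic - Spyware": ("AND", [("event_name", "eq", "WebTrafficAudit"),
                                      ("destination_host", "in", SPYWARE_SITES)]),
}


def apply_filters(lines: List[str]) -> Dict[str, List[Event]]:
    """Normalize every line and return the events each filter lets through."""
    events = [normalize(line) for line in lines]
    return {name: [e for e in events if matches(e, tree)]
            for name, tree in STANDARD_FILTERS.items()}


def filter_counts(lines: List[str]) -> Dict[str, int]:
    """The per-filter totals that the Filters pane shows next to each filter."""
    return {name: len(hits) for name, hits in apply_filters(lines).items()}


if __name__ == "__main__":
    for name, hits in apply_filters(RAW_LOG_LINES).items():
        print(f"{name}: {len(hits)} event(s)")
        for e in hits:
            print("   ", e)
```

Note what the FTP Traffic tree shows: the OR group is nested inside the AND group, which is exactly how the page describes conditions and groups of conditions in the Conditions box. A filter is harmless if its logic is wrong (it simply shows the wrong events), which is why the page recommends practising with filters before writing rules.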
You configure them by dragging and dropping the filter’s Event attributes into configuration boxes. When an Agent or Manager reports an event that conforms to the event filter’s conditions, the event message appears in the events grid, whenever that filter is active.

Each filter created is added to the Filters pane. Selecting the filter causes it to become the active filter in the events grid. As with other filters, the events grid shows only those event messages that meet your filter’s requirements.

The possibilities for event filters are endless, so this section describes how to create filters in general terms. This section is not intended to be a tutorial, but rather a reference for you to fall back on if you are unclear about how any of the custom filter form’s elements, commands, or functions perform.

The tools in Filter Creation are very similar to those found in Rule Creation. Filters report event occurrences, so there is no harm if you create a filter that is unusual or has logic problems. But this is not the case when building rules—creating an incorrect rule can have unpleasant consequences. Therefore, creating filters with Filter Creation is an excellent way to familiarize yourself with the logic and tools needed to create well crafted rules.

Features of Filter Creation

Each element of the form is described in the following table.

Name | Description
List pane | This “accordion” pane is called the list pane. It contains categorized lists of the events, event groups, event variables, groups, profiles, and constants that you can use when creating conditions for your filters. If more than one Manager is linked to the Console, each item in the list pane lists the Manager it is associated with. Therefore, some list items may appear to be listed multiple times. But in reality, they are listed once for each Manager. Events are universal to all Managers, so they do not show a Manager association.
Filter identification section | Use the top part of the form to name and describe the filter, so you can quickly identify it.
Filter Status bar | The Filter Status bar lists warnings and error messages about your filter’s current configuration logic. Click > to view a list of warning and error messages. Click a message flag to see detailed information about the nature of that problem. Click a message to highlight the specific area or field that is the source of that problem.
Conditions box | Use this box to define the conditions for the data that is to be reported by the filter. You configure conditions by dragging items from the list pane into the Conditions box.
Notifications box | Use this box to define how the Console is to notify users of events, such as with a sound or pop-up message.
Undo/Redo | Click the Undo button to undo your last desktop action. You can click the Undo button repeatedly to undo up to 20 steps. Click the Redo button to redo a step that you have undone. You can click the Redo button repeatedly to redo up to 20 steps. You can only use Undo or Redo for steps you made since the last time you clicked Save.
Save/Cancel | Click Save to save your changes to a filter, close Filter Creation, and return to the events grid. Click the Cancel button to cancel any changes you have made to a filter since the last time you clicked Save, exit Filter Creation, and return to the events grid. If you have any unsaved changes, the system prompts you to confirm that you want to cancel.

Events

The topics in this section explain how to use the events grid to apply filters to incoming event traffic. They also explain how to use the events grid to pause, sort, highlight, copy, read, remove, explore, and respond to events to take preventive or corrective action.

Applying a Filter to the Events Grid

In the Monitor view, each item listed in the Filters pane represents a different event filter.
You can filter the events coming into the Console by selecting any of these items.

To apply a filter:

1. Open the Monitor view.
2. In the Filters pane, click the title bar of the filter group you want to work with. The filter group opens to list the filters that are available for that group.
3. Select the filter you want to apply to the events grid. The events grid title bar displays the name of the filter you have selected, and the grid refreshes to display only those events that meet the specific conditions of that filter.

LEM saves event filters on the workstation running the Console. If you move to another workstation, the filters do not follow. However, you can export the filters from one workstation and import them into another workstation. For more information, see Importing a filter and Exporting a filter.

Sorting the Events Grid

You can sort the events grid by any of its columns by clicking its column headers. Doing so also changes how the graph is sorted. However, you must pause the events grid before you can sort it. Pausing the grid temporarily stops the incoming flow of event traffic. For example, if you click the Event Name column header, the grid becomes sorted by event names in ascending order. If you click the column header again, it sorts the grid by that column in descending order.

To sort the events grid:

1. On the events grid toolbar, click Pause.
2. Sort the grid as you normally would. You can also sort the grid by more than one column. For more information, see Sorting a grid by its columns.
3. When you are finished working with the sorted grid, click Resume to continue receiving the filter’s unsorted event traffic.

Highlighting Events

In the Monitor view’s events grid, you can highlight events to call attention to them or mark them for future reference. This allows the events to really stand out as you scroll through the contents of the grid. You can highlight multiple events at the same time. You can also choose the color you want for each set of events you are highlighting.

To highlight events:

1. Open the Monitor view.
2. In the Filters pane, click to select the filter you want to work with. The events grid displays the filter you have selected.
3. On the events grid toolbar, click Pause to temporarily stop any incoming events. Note: It is not required to pause a filter to highlight its events; however, it is convenient. Pausing temporarily stops the flow of event traffic (freezing any event movement in the grid) so you can easily select each item.
4. In the events grid, click to select the events you want highlighted.
5. On the events grid toolbar, click the ▼ arrow next to the “highlight” button.
6. Use the color picker to select the highlight color you want. You can also type the hexadecimal value of any color in the Web-safe color palette. In the grid, the selected events become highlighted in the color you chose.
7. Click Resume to continue the flow of incoming event traffic.

To highlight more events with the same color:

1. In the events grid, click to select the events you want highlighted.
2. Click the marker part of the events grid’s highlight button. The selected events become highlighted with the marker color.

To turn an event’s highlighting off:

1. (Optional) On the events grid toolbar, click Pause to temporarily stop any incoming events.
2. In the events grid, select the events for which you want to remove highlighting.
3. On the events grid toolbar, click the ▼ arrow next to the highlight button. Then click the No Color button. The highlighting is removed from the events.
4. Click Resume to continue the flow of incoming event traffic.

Copying Event Data to the Clipboard

When needed, you can copy event data from the Monitor view’s events grid or Event Details pane to your clipboard. This allows you to paste the data into another application, such as Microsoft Excel, for comparison or analysis, to share the data with someone who does not have a Console, or to send to SolarWinds for technical support. You can copy the data for a single event or for multiple events.

To copy event data from the events grid:

1. Open the Monitor view.
2. In the Filters pane, click to select the filter you want to work with. The events grid displays the filter you have selected.
3. In the events grid, click to select the events you want to copy. You can select multiple events.
4. Click the events grid’s gear button and then click Copy. The event data is now copied to your clipboard (as text), where it can be pasted into another application.

To copy event data from the Event Details grid:

1. Open the Monitor view.
2. In the Filters pane, click to select the filter you want to work with. The events grid displays the filter you have selected.
3. In the events grid, click to select the event you want to work with.
4. In the Event Details pane, click to select the rows you want to copy. You can select multiple rows.
5. Click the events grid’s gear button and then click Copy. The selected event details are now copied to your clipboard (as text), where they can be pasted into another application.

Marking Events as Read and Unread

You may want to mark the events in an event filter as read or unread. A read event is one that you have already looked at. An unread event is one you have not looked at yet. By marking events this way, you can easily track which events you have already examined.

To mark events as read and unread:

1. Open the Monitor view.
2. In the Filters pane, click to select the filter you want to work with. The events grid displays the filter you have selected.
3. In the events grid, select the events you want to mark as read or unread. You can select multiple events. Skip this step if you are going to mark all of the events as read or unread.
4. Click the events grid’s gear button, and then select one of the options listed in the following table.

Command | Description
Mark Unread | Select this command to mark the selected events as unread. This means you have not looked at them yet. Unread events appear in bold text. When a filter has the “read/unread” feature turned on, any of its events that are captured by other filters will appear as unread in those filters, too.
Mark Read | Select this command to mark the selected events as having been read. Events marked as “read” appear in normal text, rather than bold text.
Mark All Unread | Select this command to mark all of the events in the active filter as unread. This means you have not looked at them yet. Unread events appear in bold text.
Mark All Read | Select this command to mark all of the events in the active filter as having been read. Events marked as “read” appear in normal text, rather than bold text.

The grid refreshes to show each row’s read/unread status.

Removing Events

When needed, you can remove individual events from a filter, or all of the events from a filter. You may want to do this to clean a filter of historical information that is no longer important to you.

To remove individual events:

1. Open the Monitor view.
2. In the Filters pane, click to select the filter you want to work with. The events grid displays the filter you have selected.
3. In the events grid, select the events you want to remove.
4. Click the events grid’s gear button, and then click Remove. The selected events are removed from the grid.

To remove all events:

1. Open the Monitor view.
2. In the Filters pane, click to select the filter you want to work with. The events grid displays the filter you have selected.
3. Click the events grid’s gear button, and then click Remove All. All of the filter’s existing events are removed from the grid.
The filter will now show only new incoming events.

Using the Event Details/Event Description Pane

In the Monitor view, the right half of the lower pane has two different views to show the properties of the event that is currently selected in the events grid:

- The Event Details view displays detailed information about the event that is currently selected in the grid. If more than one event is selected, it shows the properties of the last event to be selected.
- The Event Description view displays a written description of the last event to be selected in the grid.

You can also use this pane to create a filter based on the selected event, or to scroll through the contents of the events grid.

The Event Details view

The Event Description view

Button | Description
Create filter button | Click this button to create a new filter that captures the currently selected event type. Upon doing so, the Monitor view opens, with the new filter open in the events grid. The new filter appears in the Filters pane, under the last selected filter. If needed, you can edit the filter so it captures events of an even more specific nature.
Up and down buttons | Click these buttons to move up and down among the events in the events grid. The pane shows detailed technical information about each event that is selected. This lets you view the technical details and written descriptions of each event in the grid.
Event Details button | Click this button to open the pane’s Event Details view. This view shows detailed information about each of the selected event’s data fields. The actual fields that appear here vary, according to the event type that is currently selected. For example, network-oriented events show fields for IP addresses and ports. Account-oriented events show account names and domains.
Event Description button | Click this button to open the pane’s Event Description view, which provides a detailed written description of the event type that is currently selected.
Print button | Click the Print button to print this information from either view.

Remember, you can also use your keyboard’s up (↑) and down (↓) arrow keys:

- To cycle through the events in the events grid, click anywhere in the events grid. Then use your up and down arrow keys.
- To cycle through the fields in the Event Details pane, click anywhere in the Event Details grid. Then use your up and down arrow keys.

Event Severity Levels

Each event is assigned a number that indicates its severity. The following table explains each severity level.

Level | Name | Description
0 | Debug | Designates detailed event information used for debugging by SolarWinds engineers.
1 | System Error | Indicates that part of the system is unusable.
2 | Informational | Indicates SolarWinds informational messages only.
3 | Normal Audit | Indicates normal behavior, but could be part of a signature attack.
4 | Normal Notice | Indicates normal behavior that should be monitored.
5 | Suspicious | Indicates normal behavior under some circumstances, but should be investigated.
6 | Threatening | Indicates that investigation is needed and possibly an action.
7 | Critical | Indicates that immediate action is needed.

Chapter 8: Explore

The Console’s Explore area has two views:

- The nDepth view contains a powerful search engine that lets you search all of the event data or the original log messages that pass through a particular Manager. The log data is stored in real time, as it originally occurs from each host (network device) and source (application or tool) that is monitored by the Manager. nDepth summarizes and displays search results with several different visual tools that can also be combined into a customizable dashboard. The tools are intuitive and interactive—you can point and click to view information or refine your searches. Each graphical tool provides an alternative view of the same data, so you can examine your data from several perspectives. You can also view and explore a text-based view of the actual data. nDepth employs drag-and-drop tools that let you configure simple or even complex search criteria. You can use these tools to dig deeper into your findings by adding search conditions, or by appending text to existing search strings. nDepth also includes a tool called Search Builder that lets you configure complex search criteria using the same sort of drag-and-drop interface found in Filter Creation.
- The Utilities view contains several utilities, called explorers. You can think of this view as a center for investigating events and their details. Many of the explorers are utilities used for finding out more about event-specific details, such as looking up IP addresses, domain names, and host names. The Event explorer lets you view all of the events related to an event message. It is designed to help you visualize how the event occurred and the system’s response to that event. You can follow the chain of events that caused the event, and help determine its root cause.

nDepth

nDepth is a powerful search engine that lets you search all of the event data or the original log messages that pass through a particular Manager. The log data is stored in real time, as it originally occurs from each host (network device) and source (application or tool) that is monitored by the Manager. You can use nDepth to conduct custom searches, investigate your search results with graphical tools, investigate event data in other explorers, and take action on your findings.

nDepth’s Visual Tools

nDepth summarizes and displays search results with several different visual tools that can also be combined into a customizable dashboard. The tools are intuitive and interactive—you can point and click to refine your searches. Each graphical tool provides an alternative view of the same data, so you can examine your data from several perspectives. You can also view and explore a text-based view of the actual data. nDepth employs drag-and-drop tools that let you configure simple or even complex search criteria. You can use these tools to dig deeper into your findings by adding search conditions, or by appending text to existing search strings. nDepth also includes a tool called Search Builder that lets you configure complex search criteria using the same sort of drag-and-drop interface found in Filter Creation.

nDepth’s Primary Uses

You can use nDepth to do any of the following:

- Search either normalized event data or the original log messages. You can also use nDepth to explore log messages that are stored on a separate nDepth appliance.
- Intuitively view, explore, and search significant event activity. nDepth summarizes event activity with simple visual tools that you can use to easily select and investigate areas of interest.
- Use existing filter criteria from the Monitor view to quickly create similar searches.
- Create your own custom widgets for the nDepth Dashboard.
- Conduct custom searches. You can also create complex searches with the Search Builder, which is a tool that behaves just like the Filter Builder. You can also save any search, and then reuse it at any time by clicking it.
- Save and reuse custom searches.
- Schedule saved searches.
- Export your findings to a printable report in PDF format, or your search results to a spreadsheet file in CSV format.
- Use the Explore menu to investigate nDepth search results with other explorers.
- Use the Respond menu to take action on any of your findings.
- Export your findings to a report in PDF format.

Exploring Events vs. Log Messages

LEM has two data storage areas — one to store the messages from the original event logs, and one to store the normalized event data that the Console reports in the Monitor view. You can use nDepth to explore either one of these sources:

- In Events mode, nDepth summarizes and explores your event data. This is the normalized data that appears in the Monitor view and is stored in the LEM database.
- In Log Messages mode, nDepth summarizes and explores the raw log messages that are going into nDepth Log Storage from the original event logs. This mode is intended for customers who have specific data analysis needs, and who fully understand how to interpret the raw log messages that are generated by their network devices and tools.

Note: The virtual appliance must be configured to store log message data. For more information, see Configuring Your LEM Appliance for Log Message Storage. Be aware that data storage is limited. If you have not configured a CMC option for archiving data, LEM will delete the oldest data to make room for new data.

The topics in this chapter explain how to perform basic searches with nDepth, how to use nDepth’s graphical tools, how to use nDepth with other explorers, and how to respond to your findings.

Opening nDepth

You can open nDepth in several ways. You can open the Explore > nDepth view directly to conduct custom searches. Or you can open nDepth from an existing data source, such as an event field or another explorer (NSLookup, Whois, Traceroute, and Flow), to search for similar events or data.

By default, the nDepth search time frame is the last 10 minutes (the end time is now, and the start time is 10 minutes ago).

Opening nDepth From Another Data Source

1. Do one of the following:
   - In the Monitor view’s events grid, select the event row or field you want to explore.
   - In the Event explorer’s Event Details pane, event map, or event grid, click the item or field you want to explore.
   - In an explorer, select the data source you want to explore.
2. In the Explore menu on the events grid, click nDepth.
The Explore >nDepth view appears, and the nDepth search box contains the event or event field you are exploring. When you initiate an nDepth search from the Monitor view, nDepth automatically searches all hosts and sources for every instance of the selected event field that has occurred within a ten-minute period around the event you are exploring. This way, you can identify similar events that occurred before and after the event you are exploring. The following table describes the key features of the Explore >nDepth view. Name History button Description Alternately hides and opens the History and Saved Searches panes. History pane Shows recent Explore activity. This pane is shared between the Utilities view and the nDepth view.. Saved Searches pane Lists any searches that you have saved. To begin using one of these searches, click it to run that search. You can edit, schedule, and save changes to your saved searches. You can also save variations on these searches as new searches. nDepth explorer Use this window to create and run your searches, and to view, explore, and respond to your search results. 94 Opening nDepth From Another Data Source Name Undo/Redo Description Click the Undo button to undo your last action. You can undo up to 20 actions. Click the Redo button to redo a step that you have undone. You can redo up to 20 actions. Respond Use this menu to initiate a response to a particular event, event, or data field. Explore Use this menu to explore a particular data field with another explorer. Click the gear l Click Save to save any changes to the current search. l Click Save As to save the search for later use. l Click Schedule to create a scheduled search. l Click Delete Schedule to delete a scheduled search. l Search bar Click Export to export nDepth's current search results to a PDF document. 
Use the search bar to: l l List pane button to do any of the following: Select the type of data you want to explore—event data (default) or the original log messages. Select the mode for configuring searches—drag and drop, or text entry. l Configure and select the search's time frame. l Run the search. l Stop a search that is in progress. The list pane is the “accordion” list on nDepth's left side. It contains categorized lists of items that you can use when configuring search conditions. To use a list item as a search condition, double-click it, or drag it from the list into the search bar. You can also drag these items into the Search Builder to 95 Chapter 8: Explore Name Description quickly configure complex searches. Two of these lists appear only in nDepth: l l The Refine Fields list categorizes and lists the primary data details that are found in your nDepth search results. You can use these details to create, refine, or append nDepth searches. The Managers list includes each Manager and appliance that can be used with nDepth for searching data. Histogram Shows the number of events or log messages that were reported within a particular period. You can expand or reduce this period, as needed. You can also zoom in to a period to take a closer look, or zoom out to see high-level activity. Explorer Shows different graphical and text-based views of your search results, as well as a Dashboard view and the Search Builder. You can click items in each graphical view to search for those specific items. The title bar states which view is open, and the icon on the title bar indicates which type of data you are exploring: means you are exploring event data. means you are exploring log messages. Toolbar Use to select the nDepth explorer view you want to work in. Scheduled Saved Searches Saved searches can be scheduled to run automatically whenever you want. Scheduled Searches can also be shared between users. To schedule a Saved Search: 1. 
Select a Saved Search from the Saved Searches pane.
2. Click the gear button and select Schedule.
3. Select the Run Search option you desire.
4. Select the Start Date of the search.
5. Select the Create an event checkbox.
6. If you wish to send email, select the Send email checkbox, and then select the recipients from the drop-down list.
7. Click OK.

Note: If the virtual appliance is offline for some time (such as more than a day or two), the schedules that run when the virtual appliance first comes back online may not run at the expected time. The schedules run at the next expected time after the appliance has been back online for a while.

nDepth's Search Bar

You can use the nDepth search bar to search all of the event data or the original log messages that pass through a particular Manager. You can use the search bar to perform simple searches and to append searches with basic search strings. You can also use the search bar to configure highly specific or complex searches; however, this is more easily done with Search Builder. To open Search Builder, click the search bar. The searches you configure in Search Builder automatically appear in the search bar.

The following table describes the key features of nDepth's search bar.

Mode selector: Use this toggle switch to select how you intend to enter the search string for your queries:
• Select Drag & Drop Mode (upper position) to drag items from the list pane or the Result Details view directly into the search box. This is the recommended position, as it is the easiest to use.
• Select Text Input Mode (lower position) to type a search string directly in the search box. In this mode, the search box also shows the text version (or search string) of any search that is being run or configured in Search Builder or the Saved Searches pane.

Search box: This box contains your search conditions.
You can enter search conditions a number of different ways. Click the delete button next to a condition or a group to remove that condition or group from the current search configuration.

AND/OR: The search bar includes AND and OR operators. When you have multiple conditions in your search string, these operators let you define AND and OR relationships between conditions and groups of conditions. Click the operator icon to toggle between AND and OR relationships.

Group summary: When you have a group of conditions, the search bar displays the conditions as a summary. To see the actual conditions, point to them. A ToolTip appears that shows each condition in the group.

Delete All: Click the Delete All button to delete the entire contents of the search box, so you can begin a new search.

Search/Stop: Click this button to begin a search, or to stop a search that is in progress.
• Click the search button to begin searching.
• If the search button turns red, it means the current search configuration is invalid.
• Click the stop button to stop a search that is in progress.

Time selector: In the time selector, select a time frame for the search. If needed, you can create your own custom time frame.

Data selector: Use this toggle switch to choose the data you want nDepth to explore:
• Select Events (left position) to search LEM's normalized event data. This is the event data that appears in the Monitor view.
• Select Log Messages (right position) to search the actual log entries that are recorded in your network products' log files. If ... Events position.

nDepth Explorer Toolbar

The following table describes the function of each option on the nDepth explorer toolbar. Each option provides a different view of the data from nDepth's most recent search.

Dashboard: Opens the nDepth Dashboard. This is nDepth's default view. It shows each nDepth view of the current search data as a small widget. You can minimize and maximize each widget, as needed.
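The search bar's condition model above (individual conditions, groups shown as a summary with a ToolTip listing their members, an operator that toggles between AND and OR, and a search button that turns red for an invalid configuration) is easier to reason about with a small evaluator. The following is an added example, not code from the guide or from SolarWinds: the Condition and Group classes, the "field = value" text form and the sample events are this example's own constructions and do not reproduce LEM's search-string syntax.

```python
# Constructed sample events (made up for this example, not LEM data).
EVENTS = [
    {"n": 1, "name": "UserLogon",        "host": "dc01",  "user": "alice", "src_ip": "10.0.0.5"},
    {"n": 2, "name": "UserLogonFailure", "host": "fw01",  "user": "bob",   "src_ip": "203.0.113.9"},
    {"n": 3, "name": "UserLogonFailure", "host": "web01", "user": "admin", "src_ip": "203.0.113.9"},
    {"n": 4, "name": "UserLogonFailure", "host": "web01", "user": "root",  "src_ip": "198.51.100.4"},
    {"n": 5, "name": "UserLogon",        "host": "web01", "user": "admin", "src_ip": "203.0.113.9"},
    {"n": 6, "name": "FileAudit",        "host": "web01", "user": "svc",   "src_ip": "10.0.0.7"},
]

class Condition:
    """One 'field = value' condition, such as an item dragged in from the list pane."""
    def __init__(self, field, value):
        self.field, self.value = field, value
    def matches(self, event):
        return str(event.get(self.field, "")) == self.value
    def text(self):
        return f"{self.field} = {self.value}"

class Group:
    """Conditions (or nested groups) joined by one operator, AND or OR."""
    def __init__(self, op, items):
        if op not in ("AND", "OR"):
            raise ValueError("operator must be AND or OR")
        self.op, self.items = op, list(items)
    def toggle(self):
        """The operator icon: flips the relationship between AND and OR."""
        self.op = "OR" if self.op == "AND" else "AND"
        return self.op
    def matches(self, event):
        combine = all if self.op == "AND" else any
        return combine(item.matches(event) for item in self.items)
    def text(self):
        """Full text, as Text Input Mode would show it (assumed form)."""
        return "(" + f" {self.op} ".join(item.text() for item in self.items) + ")"
    def summary(self):
        """Collapsed form the search bar shows for a group; text() is the ToolTip."""
        return f"[{len(self.items)} conditions, {self.op}]"
    def is_valid(self):
        """The red search button: an empty group cannot be run."""
        return bool(self.items) and all(
            item.is_valid() if isinstance(item, Group) else True for item in self.items)

def run_search(events, search):
    """Event numbers matching the search, or ValueError for an invalid configuration."""
    if not search.is_valid():
        raise ValueError("invalid search configuration")
    return [e["n"] for e in events if search.matches(e)]

def example_search():
    """Logon failures from either of two external addresses."""
    return Group("AND", [
        Condition("name", "UserLogonFailure"),
        Group("OR", [Condition("src_ip", "203.0.113.9"),
                     Condition("src_ip", "198.51.100.4")]),
    ])

if __name__ == "__main__":
    s = example_search()
    print(s.text())               # (name = UserLogonFailure AND (src_ip = 203.0.113.9 OR src_ip = 198.51.100.4))
    print(run_search(EVENTS, s))  # [2, 3, 4]
    s.toggle()                    # AND -> OR at the top level widens the search
    print(run_search(EVENTS, s))  # [2, 3, 4, 5]
```

Toggling the top-level operator is the easiest way to over-widen a search by accident: the second run above also returns the successful logon (event 5), because the OR no longer requires the event name to match.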
You can also edit the chart widgets to change their appearance.*

Word Cloud: Opens the Word Cloud, which shows keyword phrases that appear in your event data. Phrases appear in a size and color that relates to their frequency. You can filter this view to zero in on a range of activity. You can also click a phrase to create or append a search based on that phrase.

Tree Map: Opens the Tree Map, which shows the items that appear most often in the data as a series of categorized boxes. The box categories correspond with the data categories found in the Refine Fields list. The size of a box within each category is associated with its relative frequency: the more often an item occurs, the larger its box appears. If a box is small, you can point to it to open a ToolTip that shows its contents. You can also click a box to create or append a search based on that item.

Bar Charts: Opens the Bar Charts* view, which is a group of widgets that shows your most frequent data items as a series of bar charts. The size of each bar corresponds with the item's relative frequency: the more often an item occurs, the larger its bar appears. You can point to a bar to show information about it. You can also click a bar to create or append a search based on that item.

Line Charts: Opens the Line Charts* view, which is a group of widgets that shows your most frequent data items as a series of line graphs. The height of each point on the graph corresponds with the item's relative frequency: the more often an item occurs, the higher the point appears on the graph. You can point to an item on the graph to show information about it. You can also click a point on the graph to create or append a search based on that item.

Pie Charts: Opens the Pie Charts* view, which is a group of widgets that shows your most frequent data items as a series of pie charts. The size of each pie wedge corresponds with the item's relative frequency.
The more often an item occurs, the larger its wedge appears. You can point to a wedge to show information about it. You can also click a wedge to create or append a search based on that item.

Bubble Charts: Opens the Bubble Charts* view, which is a group of widgets that shows your most frequent data items as a series of circles or "bubbles." The size of each bubble corresponds with the item's relative frequency: the more often an item occurs, the larger its bubble appears. You can point to a bubble to show information about it. You can also click a bubble to create or append a search based on that item.

Result Details: Opens the Result Details view, which is a text-based view of all of the data you are investigating. This view also supports nDepth's search capabilities by letting you create or refine searches by dragging and dropping search strings from the data into the search box.

Search Builder: Opens nDepth's Search Builder, which is a graphical interface used to create and refine complex searches. You can drag items from nDepth's list pane directly into Search Builder's Conditions box to quickly configure complex searches. With a few minor differences, Search Builder behaves just like the Filter Creation tool.

*In any explorer view, if a particular chart configuration does not logically apply to the data you are exploring, that chart is disabled.

nDepth's History Pane

Each nDepth explorer search adds an item to the Explore view's History pane. The event icon represents a search of event data; the log message icon represents a search of original log messages. The history item shown below is for an nDepth search of event data. Pointing to the item's history icon also displays the number of search results and the text of your search string.

A new search always adds a history item. If you click an earlier history item, the system takes you back to that search; it does not make a new item.
As soon as you change something in nDepth and perform a new search, that search becomes a new history item.

Using the nDepth Histogram

nDepth's histogram shows the number of events or log messages that were reported within the search's time frame. nDepth returns search results chronologically, so you can use the histogram to investigate a particular interval, to move the search period, to zoom in to a period to take a closer look, or to zoom out to see high-level activity.

Figure: nDepth's histogram summarizes event activity within a particular period. This histogram is for a search of the last 10 minutes of event activity. The bright zone shows the period that is currently being reported. The gray zones show activity outside of the reported period.

This example shows the histogram for a search that covers a recent 10-minute period of activity. For this search, the bottom time bar is divided into one-minute intervals. The bar above that is divided into half-minute (30-second) intervals. The histogram displays a separate bar for each 30-second interval.

Histogram Features

The histogram has the following features:
• The title bar shows the total number of events that were reported by the search, as well as the search's time frame.
• The gray zones preview results that are outside the search's time frame.
• Each vertical bar in the histogram shows the total number of events that happened within the corresponding period.
• Time is provided in 24-hour (military) time.
• Pointing to a bar shows the total number of events in that interval, as shown above.
• Clicking a bar opens a pop-up window that shows a histogram for that bar's interval. Depending on the range of the search's time frame, these intervals can be as short as 5 seconds.

Figure: Pointing to a bar shows the total number of events that occurred in that interval.
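The histogram mechanics described in this section (a 10-minute frame split into 30-second bars, gray zones previewing what lies outside the frame, a title with the total and the time frame, drilling down into one bar at a finer interval) can be reproduced on a handful of timestamps, and the same functions cover the slider operations described in the following sections: moving the period to a different starting point, changing its start or end, and the Result Details page markers. This is an added example, not code from the guide or from SolarWinds; the timestamps are constructed and the bucket layout is an assumption.

```python
from datetime import datetime, timedelta

# Constructed event timestamps for one morning (made up for this example).
DAY = "2015-09-01"
STAMPS = [
    "08:00:05", "08:00:20", "08:01:10", "08:03:45", "08:03:50", "08:03:59",
    "08:06:30", "08:07:15", "08:09:59", "08:10:00", "08:12:30",
]
EVENTS = [datetime.strptime(f"{DAY} {s}", "%Y-%m-%d %H:%M:%S") for s in STAMPS]

def bucket(events, start, end, interval):
    """Per-interval counts inside [start, end), plus the counts that fall
    before and after the frame, which the gray zones preview."""
    bars = [0] * int((end - start) / interval)
    before = after = 0
    for t in events:
        if t < start:
            before += 1
        elif t >= end:
            after += 1
        else:
            bars[int((t - start) / interval)] += 1
    return bars, before, after

def title(bars, start, end):
    """The title bar: total reported events and the search's time frame."""
    return f"{sum(bars)} events, {start:%H:%M:%S} to {end:%H:%M:%S}"

def drill_down(events, start, interval, bar_index, sub_interval):
    """Clicking a bar: a finer histogram of just that bar's interval."""
    lo = start + bar_index * interval
    return bucket(events, lo, lo + interval, sub_interval)[0]

def move_period(start, end, delta):
    """The time-bar slider: same length, earlier or later starting point."""
    return start + delta, end + delta

def resize_period(start, end, new_start=None, new_end=None):
    """The two edge sliders: change the start or the end independently."""
    s, e = new_start or start, new_end or end
    if e <= s:
        raise ValueError("end must be after start")
    return s, e

def page_markers(events, page_size, page_index):
    """The dashed lines in Result Details: times of the first and last event
    on the current page of chronological results."""
    page = sorted(events)[page_index * page_size:(page_index + 1) * page_size]
    return (page[0], page[-1]) if page else None

if __name__ == "__main__":
    start = datetime(2015, 9, 1, 8, 0, 0)
    end = start + timedelta(minutes=10)
    bars, before, after = bucket(EVENTS, start, end, timedelta(seconds=30))
    print(title(bars, start, end), "| gray zones:", before, after)  # 9 events ... | 0 2
    print(drill_down(EVENTS, start, timedelta(seconds=30), 7, timedelta(seconds=5)))  # [0, 0, 0, 1, 1, 1]
```

Note that the frame is half-open: an event stamped exactly at the end time (08:10:00 above) belongs to the gray zone, not to the last bar, which is the convention you must settle before comparing bar totals against the title count.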
Figure: Clicking a bar opens a pop-up window to show a histogram for that bar's interval.

• When you are in the Result Details view, the histogram shows two dashed vertical lines. These lines are markers that indicate where you are in the histogram for each page of the search results. The lines show the times of the first and last event on the current Result Details page. By default, the ▲ pointer shows the time of the first result on the page. If you select an event in the Result Details box, the pointer shows the time of that event. For example, if you are looking at the search results for events 1-200, the left line shows the time of event number 1, and the right line shows the time of event number 200. If you click event number 150, the ▲ pointer shows the time that event occurred.

Searching the Activity Associated with a Particular Histogram Bar

You can use the histogram to search the event activity associated with a particular vertical bar in the histogram.

To search activity for a bar:
• In the histogram, double-click a vertical bar. nDepth automatically refines the search and refreshes the data to show only the events from the time frame associated with that bar.

Moving the Search Period

You can use the nDepth histogram to move the search period to an earlier or later start time. For example, say you run a search for a 30-minute time frame. This procedure lets you search the data for the same period (still 30 minutes), but from a different starting point (for example, a starting point of 2 hours ago).

To move the search period:
1. Point to the histogram's time bar. A slider appears. You can use this slider to move the same search period to an earlier or later starting point. For example, if the search period is 10 minutes, this slider moves that 10-minute period to an earlier or later starting point. This lets you search your data for the same period, but at some other starting point.
2.
Drag the slider to move the search's period:
• Drag the slider to the left to move the period to an earlier starting point.
• Drag the slider to the right to move the period to a later starting point.
As you move the slider, a ToolTip displays the period's midpoint time.
3. Click the search button to run the search for the new time frame. nDepth automatically refines the search and refreshes the data to show only the events from the new time frame. Moving the period automatically changes the search bar's time selector to Custom.
4. If desired, click Undo to restore the previous time frame.

Changing the Period's Start and End Time

You can use the nDepth histogram to change the search period by changing its start time and end time. For example, say you run a search for a 30-minute period. This procedure lets you expand the time frame (say to 40 minutes) or reduce the time frame (say to 23 minutes).

To change a period's start or end time:
1. Point to anywhere on the histogram's vertical bars. Two sliders appear between the active time and the gray zones. You can use these sliders to expand or reduce the search time frame by changing its start time or end time.
2. Drag the sliders to change the search's time frame:
• Drag the left slider to change the time frame's start time. When you release the slider, a ToolTip shows the new start time.
• Drag the right slider to change the time frame's end time. When you release the slider, a ToolTip shows the new end time.
3. Click the search button to run the search for the new time frame. nDepth automatically refines the search and refreshes the data to show only the events from the new time frame. Changing the time frame automatically changes the search bar's time selector to Custom.
4. If desired, click Undo to restore the previous time frame.

Using Result Details

Whenever you use nDepth, you can view the actual data the graphical views are based on by opening the Result Details view.
Result Details is a text-based view of all of the data you are investigating. However, Result Details also supports nDepth's search capabilities by letting you create or refine searches by dragging and dropping search strings from the search data into nDepth's search box. You can use Result Details in Events mode to view and search the normalized event data found in the Monitor view, or in Log Messages mode to view and search the original log message data that is collected and stored on the LEM appliance (or on another dedicated nDepth appliance, as applicable).

You can use nDepth's search results to refine your nDepth searches, to explore event details with other explorers, or to initiate an active response to event details. The following topics describe the key features of the Result Details view, as well as how to perform the primary tasks associated with this view.

Interpreting Search Results in Events Mode

In Events mode, you can use nDepth to search all of the normalized event data that is reported in the Monitor view. This data always comes from LEM. The following table explains how to interpret search results in Events mode.

Event number: The number at the far left is a counter for each event that is reported in the nDepth search results. Each event gets its own number, and each row represents a different event. To make viewing easier, each event appears with an alternating gray or white background. The number of events that appear depends entirely on your search conditions.

Date and time stamp: The time and date the event occurred.

Event name: The name of the event that occurred.

Event details: The rest of the information in the box is made up of event details. You can select these details to refine your nDepth search, to explore them with other explorers, or to respond to them with an active response.
Interpreting Search Results in Log Messages Mode

In Log Messages mode, you can use nDepth to search all of the original log messages that pass through a particular network appliance (or host).

Figure: nDepth Result Details view, showing original log message data.

The following table explains how to interpret search results in Log Messages mode.

Event number: The number at the far left is a counter for each log message (or event) that is reported in the nDepth search results. Each event gets its own number, and each row represents a different event. To make viewing easier, each event appears with an alternating gray or white background. The number of events that appear depends entirely on your search conditions.

Date and time stamp: The time and date the event occurred.

Log message: The first line of the event displays the actual log message that matched your search criteria.

Host: The network device the message came from (that is, the Manager or appliance that is storing the message).

ToolId: The actual product or tool that generated the message.

ToolType: SolarWinds's tool category for the tool that generated the message.

Note: Tool IDs and Tool Types match SolarWinds's tool configuration categories.

Adding Search Strings from Result Details

When using the Result Details view, use the following procedures to highlight and select character strings, and to create new search conditions from the data.

Selecting data

Highlight a continuous character string: Point to the character string.

Select a continuous character string: Point to the character string to highlight it; then click to select it. Upon selecting a character string, an orange box surrounds the string. In addition, every matching character string in the search results becomes selected, too.
Select a phrase (two or more character strings separated by spaces): Click the first character in the string, then drag across the string to select the rest of it.

Select a data row: Click the row's event number (the far-left column of the row). When the row is selected, an orange highlight bar appears to the left of the row.

Creating search conditions from Result Details data

Clear the search box to add a new search condition:
1. On the search bar, click the Delete All button to clear the search box.
2. Add a new search condition by using any of the techniques in this table.

Add a search condition from Result Details data: Select a character string in the data, then double-click the selected string to add it to the search box. Alternatively, select a character string in the data, then drag it into the search box.

Copy and paste a character string from Result Details data into the search box:
1. Change the search bar to Text Input Mode.
2. Select a character string in the data.
3. Press Ctrl+C to copy the search string.
4. Click the search box, and then press Ctrl+V to paste the character string in the text box.

Type a search string in the search box:
1. Change the search bar to Text Input Mode.
2. Type the search string directly in the search box.

Add conditions to an existing search:
1. In the data, select the character string you want to append to the existing search conditions.
2. Do either of the following:
• Double-click the selected string.
• Drag the string into the search box.
In either case, your selection is appended to the existing conditions.

Using Explorers with Result Details

You can use nDepth's Result Details view to access other explorers. This allows you to use other explorers to investigate specific details that you find in your nDepth search results.
• You can select specific values and pass them into the value-based explorers, such as Whois, NSLookup, and Traceroute. For example, you could investigate a suspicious IP address with these explorers to learn more about that IP address.
• When you are viewing data in Events mode, each row in the search results represents the data for an individual event. You can select the row for an event you want to explore, and then pass the row into the Event Explorer to explore that event.

To explore details in search results:
1. In the Result Details view, select the item you want to explore:
• Select the character string you want to investigate. When selected properly, the character string is surrounded by an orange box.
• If you are viewing data in Events mode, you can select the row that you want to explore in the Event Explorer. When you select a row, an orange highlight bar appears to the left of the row.
2. In the Explore menu, select the explorer you want to use. The Explore > Utilities view appears, and the system "passes" the selected data to the explorer you selected.
3. Click Search or Analyze, as applicable, to explore the string.

Responding to Result Details

As with other explorers, you can respond to any item that is reported in nDepth's search results. If you see something unusual, you may want to take some kind of corrective action. For example, you could send a user account a pop-up message, or block a hostile IP address. Use the following procedure to initiate a response or corrective action to a particular event or event detail.

To respond to a search result:
1. In the Result Details view, select the character string you want to respond to. When selected properly, the character string is surrounded by an orange box.
2. In the Respond menu, select which response you want to take. If nDepth is in Events mode, the event or the selected text appears in the Respond form.
3.
Complete the Respond form, as applicable for the response.

Exporting Result Details Data to a Spreadsheet

Use the following procedure to export your nDepth search results to a spreadsheet. This lets you open, view, manipulate, and analyze your data in a spreadsheet application, such as Microsoft Excel. Spreadsheets are saved in comma-separated values (.csv) format.

To export nDepth search results to a spreadsheet:
1. In nDepth, run the search you want to export.
2. Open the Result Details view.
3. Click the gear icon, and then click Export to CSV. The Save Data As form appears.
4. Select the folder in which you want to save the file.
5. In the File name box, type a name for the file, if you want one different from the default name.
6. Click Save. The Console exports the data to a .csv file in the folder you selected. To stop this operation, you can click Cancel at any time before the data export is complete. Once exported, you can open the file in a spreadsheet application.

Common nDepth Data Fields

These categories frequently appear in the Refine Fields list, the Tree Map view, and the Result Details view.

Common Data Field Categories in Events Mode

This table describes the data fields that are most commonly seen when working with event data. The fields are listed here alphabetically.

Event Name: The name of the event.

Detection IP: The network node that is the originating source of the event data. This is usually a Manager or an Agent and is the same as the Insertion IP field, but it can also be a network device such as a firewall or an intrusion detection system that sends log files over a remote logging protocol.

Inference Rule: The name of the correlation rule that caused the event. The Inference Rule field is generally blank, but where the event was generated by a rule, it displays the rule name.

Insertion IP: The Manager or Agent that first created the event.
This is the source that first read the log data from a file or other source.

IP Address: The IP address associated with the event. This is a composite field, drawn from several different event fields. It shows all the IP addresses that appear in the event data.

Manager: The name of the Manager that received the event. For data generated by an Agent, this is the Manager the Agent is connected to.

Provider SID: A unique identifier for the original data. Generally, the Provider SID field includes information that you can use to research the event in the originating network device vendor's documentation.

Severity: The severity (0–7) of the event.

Tool Alias: The Alias Name entered when configuring the tool on the Manager or Agent.

User Name: The user name associated with the event. This is a composite field, drawn from several different event fields. It shows all the places that user names appear in the event data.

Common Data Field Categories in Log Messages Mode

This table describes the data fields that are most commonly seen when working with log messages. The fields are listed here alphabetically.

Host: The node the log message came from (that is, the LEM appliance or Agent that collected the message for forwarding to nDepth).

HostFromData: The originating network device (if different from the node) that the message came from. Normally, Host and HostFromData are the same, but in the case of a remote logging device (such as a firewall) this field reports the original remote device's address.

ToolId: The actual tool that generated the log message.

ToolType: Tool category for the tool that generated the log message.

Using the Word Cloud

Figure: nDepth's Word Cloud. You can use the sliders on the lower bar to filter the items shown in the Word Cloud.

nDepth's Word Cloud summarizes your event activity by showing the top 100 keyword phrases that appear in your event messages.
Phrases appear in a size and color that relates to their frequency:
• Phrases that appear in warmer colors (red, orange, and yellow) and in larger print represent the phrases that occur most frequently. You can think of these as your "hot" items.
• Phrases that appear in cooler colors (green and blue) and in smaller print are those that occur least frequently. You can think of them as "cool" items. Cool items may still be important; they just occur far less frequently than "hot" items.

Opening the Word Cloud
• On the nDepth toolbar, click the Word Cloud icon.

Viewing Statistics in the Word Cloud

The Word Cloud includes statistics about each item that is listed in the cloud.

To see statistics:
• Point to a phrase in the Word Cloud. A ToolTip appears showing the keyword phrase, its count (the number of times it occurs in the reported period), and its percentage. The percentage is based on the phrase's relative frequency, compared to the other reported phrases.

Filtering the Contents of the Word Cloud

There are two horizontal bars at the bottom of the Word Cloud:
• The top bar is a color gradient that goes from red (hot) to blue (cool). These colors correspond with the colors of the phrases shown in the Word Cloud.
• The lower bar controls which parts of the gradient the Word Cloud is allowed to show. You can use this bar to filter the Word Cloud so that it only shows the section of the gradient you want to see. By default, the Word Cloud shows everything associated with the entire gradient: all items that are hot, cool, and in between.

By default, the Word Cloud displays the top 100 phrases, and the sliders are automatically adjusted to this width. If you manually adjust the sliders, nDepth remembers the left position and automatically adjusts the right position so the Word Cloud displays up to 100 phrases between the left and right positions.
If all 100 phrases can be shown within the positions you've selected, the sliders stay in place. Slider settings are remembered with each Word Cloud. This means you can create Word Clouds for the Dashboard that are adjusted differently from the primary Word Cloud view.

To filter the contents of the Word Cloud:
• To hide hot items, drag the lower bar's left-hand slider to the right.
• To hide cool items, drag the lower bar's right-hand slider to the left.
• To restore the Word Cloud, drag the sliders back to their far-left and far-right positions.

Exploring Items in the Word Cloud

You can use the Word Cloud to explore a particular phrase, by using it as the basis for a new search, or to append it to an existing search.

To explore an item in the Word Cloud:
1. In the Word Cloud, click the phrase you want to explore. The phrase appears in the search bar.
2. On the search bar, click the search button. After a moment, nDepth refreshes to show the results associated with your search.

Using the Tree Map

Figure: nDepth's Tree Map.

The items that appear in nDepth's Tree Map view are the same data field categories and values listed in the Refine Fields list (at the top of the list pane).
• When you are working with events, the Tree Map organizes itself into categories based on common event data fields. Most categories correspond with actual event fields, as they appear in the Monitor view.
• When you are working with log messages, the Tree Map organizes itself into categories based on common log message data fields.

Note: Some data categories may not always be present. If there is no event activity associated with a particular data category or field, it does not appear in the Tree Map.

The size of each box corresponds with the relative frequency of its occurrence, so the more often a detail occurs, the larger its box appears. Click a box to select an item from the Tree Map as a search condition.
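The two frequency views described above, the Word Cloud (top 100 phrases ranked hot to cool, with a count and a percentage per phrase, and a slider window whose right edge follows the left so that at most 100 phrases show) and the Tree Map (value frequencies per data field category, with categories that have no activity omitted), can both be computed from a few log messages and events. This is an added example, not code from the guide or from SolarWinds: the log lines and events are constructed, and how phrases are tokenised and how the gradient is banded are assumptions, since the guide does not describe them.

```python
from collections import Counter
import re

# Constructed log messages (made up for this example, not LEM data).
MESSAGES = [
    "sshd: Failed password for invalid user admin from 203.0.113.9 port 4022",
    "sshd: Failed password for root from 203.0.113.9 port 4023",
    "sshd: Failed password for invalid user test from 203.0.113.9 port 4031",
    "sshd: Accepted password for alice from 10.0.0.5 port 51000",
    "sudo: alice : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx",
    "sshd: Failed password for invalid user admin from 198.51.100.4 port 4100",
    "cron: (root) CMD (/usr/local/bin/backup.sh)",
]

# Constructed normalized events for the Tree Map (made up for this example).
EVENTS = [
    {"name": "UserLogonFailure", "host": "web01"},
    {"name": "UserLogonFailure", "host": "fw01"},
    {"name": "UserLogon",        "host": "web01"},
    {"name": "UserLogonFailure", "host": "web01"},
]

TOP_N = 100                                   # the Word Cloud shows at most this many phrases
STOPWORDS = {"from", "port", "user", "invalid"}   # assumed noise words for this example

def phrases(messages):
    """Keyword phrase counts. Assumed tokenisation: lowercase runs of
    letters, digits and ./_- of at least four characters, minus stopwords."""
    counts = Counter()
    for m in messages:
        tokens = re.findall(r"[A-Za-z0-9./_-]+", m)
        counts.update(t.lower() for t in tokens if len(t) >= 4 and t.lower() not in STOPWORDS)
    return counts

def cloud(counts, left=0, right=None, top_n=TOP_N):
    """(phrase, count, percent) ranked hot to cool, cut to the slider window
    [left, right) of ranks; the right edge follows the left so that at most
    top_n phrases are shown."""
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    total = sum(counts.values())
    if right is None or right - left > top_n:
        right = left + top_n
    return [(p, c, round(100.0 * c / total, 1)) for p, c in ranked[left:right]]

def hot_cool(position, shown):
    """Colour band for a shown phrase by its position: assumed five-band
    gradient from red (hot) to blue (cool)."""
    bands = ["red", "orange", "yellow", "green", "blue"]
    return bands[min(len(bands) - 1, position * len(bands) // max(1, shown))]

def tree_map(events, fields):
    """Tree Map categories: value frequencies per field, largest first;
    a field with no activity is left out, as the guide's note says."""
    result = {}
    for f in fields:
        values = Counter(e[f] for e in events if e.get(f)).most_common()
        if values:
            result[f] = values
    return result

if __name__ == "__main__":
    top = cloud(phrases(MESSAGES))
    for i, (p, c, pct) in enumerate(top[:4]):
        print(f"{p:14} {c:2} {pct:5.1f}% {hot_cool(i, len(top))}")  # password 5 12.5% red ...
    print(cloud(phrases(MESSAGES), left=2, top_n=3))   # three phrases starting at rank 2
    print(tree_map(EVENTS, ["name", "host", "user"]))  # no 'user' category: no activity
```

The slider semantics matter when you drag the left slider right to hide hot items: the window keeps its width rather than its right edge, so the cool end of the cloud extends to bring in phrases that were previously beyond the top 100.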
If a box is too small to show its contents, point to it to open a ToolTip that shows its contents.

Opening the Tree Map
• On the nDepth toolbar, click the Tree Map icon.

Resizing Tree Map Categories

Use the following procedures to resize a category box in the Tree Map. By default, the size of each category box corresponds with the relative frequency of its occurrence.

To maximize a category:
• Click the maximize icon on the box's toolbar.

Note: Even when maximized, a Tree Map category can show very small items within it. Remember, if a box is too small to show its contents, you can point to it to open a ToolTip that shows its contents.

To restore a category to its proportional size:
• Click the restore icon on the box's toolbar.

Exploring items in the Tree Map

You can use the Tree Map to explore a particular item, by using that item as the basis for a new search, or to append it to an existing search.

To explore an item in the Tree Map:
1. In the Tree Map, click the item you want to explore. A search string for that item appears in the search bar.
2. On the search bar, click the search button. After a moment, nDepth refreshes to show the results associated with your search.

Using nDepth widgets

nDepth comes with a series of commonly used widgets. These widgets behave very much like the widgets in the Ops Center. Each widget represents a high-level graphical view of the specific network activity associated with your nDepth search results. It shows the primary items that are generating that activity, as well as the count (or number of incidents) for each item.

Figure: A typical nDepth widget.

You can use nDepth's explorer views to create new widgets, change the look of existing widgets, add widgets to the nDepth Dashboard, and remove widgets you no longer use.

Default nDepth Chart Widgets

On the widget toolbar, click the Refresh button.
The widget refreshes to show the latest data from your network.

nDepth Explorer and Widget Icons

The following table briefly describes the function of each icon you will find on nDepth explorer views and widgets.

Add to Dashboard (view): From a main nDepth view (such as Word Cloud, Tree View, or Result Details), this button adds the view to the nDepth Dashboard as a widget. From the nDepth explorer toolbar, you can point to a chart view and then click this button to add a specific chart widget to the nDepth Dashboard.

New Widget: Adds a new widget to the current chart view.

Add to Dashboard (widget): This button adds the widget to the nDepth Dashboard. This button only appears on widgets in their various chart views.

Refresh: Refreshes the widget so it displays the latest data. This button is only enabled when the chart properties have changed. If you edit a chart's configuration, the Console does not have the data to draw the chart until you refresh its data.

Edit: Opens the nDepth Widget Builder so you can edit or reconfigure the widget.

Minimize: Minimizes the widget so it appears as a title bar at the bottom of the view. To restore the widget, scroll down to the bottom of the view, and then click the widget's title bar.

Maximize/Restore: Toggles the widget between its normal size and being maximized to fill the current view.

Delete: Deletes the widget from the view. Once deleted, the widget cannot be restored; you must re-create it.

Viewing a widget's details

Figure: To view a widget's details, just click or point to an item on the widget.

nDepth widgets behave a lot like widgets in the Ops Center. To view a widget's details, point to that widget, or click an item on that widget to view details and statistics about that item, as in the pie chart widget shown here.

Creating a search string from a widget item

You can use items in widgets, or any of nDepth's graphical tools, to create new search strings, or to append existing search strings.

To create a new search string from a widget:
1.
On the search bar, click to delete the existing search string. 2. Click an item on a widget. A new search string associated with the widget item appears in search box. To append an existing search string with an item from a widget: l Click an item on a widget. In the search box, a new search string associated with the widget item is appended to the existing search string. Adding new nDepth Widgets Use this procedure to add a new widgets to the nDepth explorer's Bar Charts, Line Charts, Pie Charts, or Bubble Charts views. To add new nDepth widgets: 1. Open the Explore >nDepth view. 2. Use the nDepth explorer toolbar to open the chart view you want to work with—Bar Charts, Line Charts, Pie Charts, or Bubble Charts. The corresponding view appears. On the view's title bar, click the New Widget icon. The nDepth Widget Builder appears. 3. Complete the nDepth Widget Builder to configure the new widget. 4. The new widget appears at the bottom of the chart view. When configuring the widget, if you chose the Save to Dashboard option, the new widget also appears at the bottom of the nDepth Dashboard. Editing nDepth Widgets When needed, you can edit the configuration of any of the chart widgets. You can 120 Adding a Chart Widget to the nDepth Dashboard edit widgets from the Dashboard or from any of the chart views. To edit a chart widget: 1. Open the Explore >nDepth view. 2. Use the nDepth explorer toolbar to open the Dashboard or the chart view you want to work with. The corresponding view appears. On the widget you want to edit, click the Edit icon. The nDepth Widget Builder appears. 3. Use the nDepth Widget Builder to reconfigure the widget. 4. The updated widget appears at the bottom of the view. When configuring the widget, if you chose the Save to Dashboard option, the new widget also appears at the bottom of the nDepth Dashboard. 5. Click to get the data for the widget's new configuration, so the Console can draw the chart. 
Adding a Chart Widget to the nDepth Dashboard
At any time, you can add a chart widget to the nDepth Dashboard.
To add a widget to the nDepth Dashboard from a chart view:
1. Open the Explore > nDepth view.
2. Use the nDepth explorer toolbar to open the chart view you want to work with.
3. In the view, locate the chart widget you want to add to the Dashboard.
4. On the widget, click the Add to Dashboard button. The widget is copied to the bottom of the nDepth Dashboard.

Adding a main nDepth view to the nDepth Dashboard
Use this procedure to add a main nDepth view (such as Word Cloud, Tree View, or Result Details) to the nDepth Dashboard. These views are there by default; but if you ever remove them from the Dashboard, you can use this procedure to restore them.
To add a main nDepth view to the Dashboard:
1. Open the Explore > nDepth view.
2. On the nDepth explorer toolbar, click the view you want to add to the Dashboard.
3. On the view's title bar, click the gear icon, and then click Add to Dashboard.
4. The view now appears as a widget at the bottom of the nDepth Dashboard.

Using Search Builder
Use Search Builder whenever you need to create complex search queries. Search Builder is a visual tool that is used in conjunction with the options in nDepth's list pane. The list pane lets you choose which elements you want to incorporate in your search, such as events, event fields, specific event values, Tool Profiles, User-Defined Groups, constants, etc. You then create the search by selecting the conditions you want to search for, and then dragging and dropping those items into Search Builder's Conditions box. For example, if you want to search for activity among your Admin Accounts, you don't have to type a search with a long list of account names. Instead, you can just drag the appropriate User-Defined Group or Directory Service Group into the Conditions box.
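The Conditions box that Search Builder fills, modelled as an added example (not SolarWinds code): nested groups that each carry an AND or OR operator, conditions including User-Defined Group membership for the Admin Accounts case above, a check that mirrors the builder's yellow (invalid configuration) and red (does not apply to the data type being searched) markers, and evaluation of the finished search over constructed sample events. The field names, group members, search-string rendering and sample events are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Union

# Constructed User-Defined Group (name and members are assumptions).
USER_DEFINED_GROUPS = {
    "Admin Accounts": {"administrator", "jsmith", "svc_backup"},
}

# Assumed field sets for the two kinds of data nDepth searches: event data
# and original log messages. The field names are placeholders.
FIELDS_BY_DATA_TYPE = {
    "events": {"EventType", "SourceAccount", "DetectionIP"},
    "logs": {"Message", "Host"},
}

@dataclass
class Condition:
    field_name: str
    operator: str          # "=", "!=", "in_group" or "exists"
    value: str = ""        # the variable field the user fills in

@dataclass
class Group:
    operator: str = "AND"  # each group is AND or OR, toggled like the icon
    members: List[Union[Condition, "Group"]] = field(default_factory=list)

    def count(self) -> int:
        """Number shown in parentheses next to a collapsed group."""
        return sum(m.count() if isinstance(m, Group) else 1 for m in self.members)

def validate(node, data_type: str) -> List[str]:
    """'yellow' = invalid configuration, 'red' = does not apply to data_type."""
    problems: List[str] = []
    if isinstance(node, Group):
        if node.operator not in ("AND", "OR") or not node.members:
            problems.append("yellow")
        for member in node.members:
            problems.extend(validate(member, data_type))
        return problems
    if node.operator not in ("=", "!=", "in_group", "exists"):
        problems.append("yellow")
    elif node.operator != "exists" and not node.value:
        problems.append("yellow")  # variable field left empty
    elif node.operator == "in_group" and node.value not in USER_DEFINED_GROUPS:
        problems.append("yellow")  # refers to a group that does not exist
    if node.field_name not in FIELDS_BY_DATA_TYPE[data_type]:
        problems.append("red")     # e.g. an event field used on log messages
    return problems

def matches(node, record: Dict[str, str]) -> bool:
    """Evaluate the nested AND/OR tree against one record."""
    if isinstance(node, Group):
        combine = all if node.operator == "AND" else any
        return combine(matches(m, record) for m in node.members)
    actual = record.get(node.field_name)
    if node.operator == "exists":
        return actual is not None
    if actual is None:
        return False
    if node.operator == "=":
        return actual == node.value
    if node.operator == "!=":
        return actual != node.value
    return actual in USER_DEFINED_GROUPS.get(node.value, set())

def to_search_string(node) -> str:
    """Render the tree as a search string; the syntax is an assumption."""
    if isinstance(node, Condition):
        if node.operator == "exists":
            return f"{node.field_name} exists"
        if node.operator == "in_group":
            return f"{node.field_name} in [{node.value}]"
        return f"{node.field_name} {node.operator} {node.value!r}"
    inner = f" {node.operator} ".join(to_search_string(m) for m in node.members)
    return f"({inner})"

def run_search(search, records, data_type="events"):
    """Refuse a search the builder would flag; otherwise return the hits."""
    colours = validate(search, data_type)
    if colours:
        raise ValueError(f"search not runnable: {sorted(set(colours))}")
    return [r for r in records if matches(search, r)]

# Constructed sample events, not real LEM output.
SAMPLE_EVENTS = [
    {"EventType": "UserLogon", "SourceAccount": "jsmith", "DetectionIP": "10.0.0.5"},
    {"EventType": "UserLogon", "SourceAccount": "bob", "DetectionIP": "10.0.0.6"},
    {"EventType": "UserLogonFailure", "SourceAccount": "administrator", "DetectionIP": "10.0.0.7"},
    {"EventType": "FileAudit", "SourceAccount": "svc_backup", "DetectionIP": "10.0.0.8"},
]

# Dragging the Admin Accounts group in, then a nested OR group of two logon
# event types: "admin activity that is a logon or a failed logon".
ADMIN_LOGON_SEARCH = Group("AND", [
    Condition("SourceAccount", "in_group", "Admin Accounts"),
    Group("OR", [Condition("EventType", "=", "UserLogon"),
                 Condition("EventType", "=", "UserLogonFailure")]),
])
```

Running the same tree with data_type="logs" is what the red marker stands for: every event-field condition is flagged, and run_search refuses to execute it.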
Search Builder lets you group search items, show AND/OR relationships between search items, select specific values for search items, and select the appropriate operators for specific values.

Opening Search Builder
1. Open the Explore > nDepth view.
2. On the nDepth explorer toolbar, click the Search Builder icon.

Switching from the Search Bar to Search Builder
You can open Search Builder directly from the nDepth search bar by double-clicking it. This is handy if you have a complex search and the search box shows only a summary of the search, because it lets you open Search Builder to see the search's complete configuration. Search Builder always shows the configuration of the search that is currently in the search bar.

Figure: The search bar and the Search Builder show different views of the same search configuration

To switch from the search bar to Search Builder:
- Double-click the search bar. Search Builder appears, showing the configuration of the search that is in the search bar.

Search Builder features
This topic shows the main features of Search Builder.

Figure: Search Builder

The following table describes each main feature of Search Builder.
Undo/Redo: Click the Undo button to undo your last action. You can undo up to 50 steps. Click the Redo button to redo a step that you have undone. You can redo up to 50 steps.
Search bar: The search box shows the current state of the search you are building. If you have a complex search, the search box shows its configuration as a "summary." If you want to view the complete text of the search, switch the search bar to Text Input Mode, which shows the current search configuration as a search string.
List pane: This "accordion" pane is called the list pane. It contains categorized lists of the events, event groups, event variables, groups, profiles, and constants that you can use when creating conditions for your filters. Two of the lists apply only to nDepth:
- The Refine Fields list summarizes all of the primary event details from your search results. Rather than typing this information as a search string, it is much easier (and less prone to error) to drag this information from the Refine Fields list into the search box.
- The Managers list includes each Manager and appliance that can be used with nDepth for searching data.
Histogram pane: Use the histogram to investigate a particular interval, to move the period, to zoom in to a period to take a closer look, or to zoom out to see high-level activity.
Search button: After configuring the search, click the Search button to begin the search.
Conditions box: Use this box to define the conditions for the data that is to be reported by the filter. You configure conditions by dragging items from the list pane into the Conditions box. For more information,
Add Group: This is the Add Group button. It appears at the top of every group box. Click it to create a new group within the group box. A group within a group is called a nested group. Each group is subject to AND and OR relationships with the groups around it and within it. By default, new groups appear with AND comparisons.
Delete: This is the Delete button. It appears at the top of every group box. When you point to a condition, it also appears next to that condition. Click this button to delete a condition or a group. Deleting a group also deletes any groups that are nested within that group.
Group: Individual groups (and the entire Conditions box) can be expanded or collapsed to show or hide their settings:
- Click > to expand a collapsed group.
- Click ▼ to collapse an expanded group.
The number that appears in parentheses indicates how many conditions are contained in the group.
Once a group is properly configured, you may want to collapse it to avoid accidentally changing it.
AND/OR: The Conditions box includes AND and OR operators, so you can include AND and OR relationships between your search conditions. Click the operator icon to toggle between AND and OR conditions.

Configuring a Search with Search Builder
Use this basic procedure whenever you need to configure a search with Search Builder. The number of possibilities is endless, but they all follow this basic procedure. Feel free to experiment with these tools. Searches only report information, so there is no harm done if you create searches that are unusual or have logic problems. With a little practice, you will be able to configure complex searches that report exactly the data you want.
To configure a search with Search Builder:
1. Open Search Builder.
2. In the list pane, locate the item you want to search for.
3. Do one of the following:
- Drag the item from the list pane into the Conditions box.
- Double-click the item to add it to the Conditions box.
Note: By default, the Conditions box includes a "this item exists" condition. To use it, type or paste the search string you want to search for into the text box. Or you can replace this condition by dragging an item from the list pane on top of it.
4. If the list item contains a variable field (such as a field for an IP address, a constant value, or an empty text box), type the specific value you want to search for.
Note: Search Builder will show you if a particular configuration is invalid. If a condition field is yellow (left), it means the search's current configuration is invalid. If a condition field is red (right), it means the condition does not apply to the type of data you are currently searching. For example, perhaps you are trying to search log messages with conditions that are meant for event data.
Figure: A yellow condition field means the search configuration is invalid. A red condition means the search configuration does not apply to the type of data you are searching.
5. Click the Add Group button to create new groups, as needed.
6. Repeat Steps 2 and 3, dragging new items into the appropriate group boxes, as needed.
7. Select the appropriate AND and OR operators for each group to configure the search to your needs.
8. When you are satisfied with the search conditions, click the Search button to run the search. You can click the Stop button at any time to stop a search that is in progress.
After a few moments, nDepth returns the search results. To see the search results, do one of the following:
- Select an option from the nDepth explorer toolbar to view a graphical version of the search results.
- Open the Refine Fields list to see a categorized summary of the search data.
- Open the Result Details view to examine and explore the actual data.

Utilities
The following table describes the key features of the Explore > Utilities view.
History pane: The History pane displays a record of your explorer viewing history. Selecting an item in the history list displays the corresponding explorer event in the Explorer pane. Click the History button to alternately show and hide the History pane. When needed, you can delete individual history items from the history list. The Reset button lets you remove all items from the history list.
Utilities pane: The Utilities pane shows the explorers that are currently open. You can have multiple explorers open at the same time.
Cascade button: This button arranges the open explorer windows so they appear in an organized "cascade." Their title bars are all visible, but the windows are all stacked, one on top of another. The active explorer is at the front of the stack.
Respond menu: This menu lets you take action to respond to the event or event field that is the subject of the active explorer. You can also use the Respond menu to take action even when no explorer windows are open or active.
This menu behaves exactly as it does in the Monitor view's event grid.
Explore menu: This menu contains options to open the other explorers. You can use it to further explore the event message or event field that is the subject of the active explorer. Or you can open a blank explorer to manually enter the item you want to explore.
Explorer windows: The explorers you are working with appear as individual windows within the Utilities pane. You can minimize, resize, and close each explorer window, as needed.
Minimized explorers: Any explorers that you have minimized appear at the bottom of the Utilities pane as a title bar. Click a title bar to reopen that explorer.
◄ ► buttons: Beginning from the active explorer window, you can use these buttons to cycle through the other open explorer windows. Click ◄ to go to the previous window. Click ► to go to the next window.

Explorer Types
The Console contains the following explorers.
Event: The Event explorer, which can only be opened from the Monitor view, allows you to view all of the events that are related to the event that is currently selected in the Console. The Event explorer displays both sequential and concurrent events. That is, you can view the events that occurred before, during, and after the selected event. You can also monitor events in real time, to see where they came from and where they are going. Use this explorer when you need to know what caused the rule to fire.
Whois: The Whois explorer identifies the source of an IP address or domain name based on how it is registered with domain and network authorities. It can tell you where something is located physically in the world, and who actually owns the device you're searching for. For example, use this explorer if you need to know who owns a domain that corresponds to the IP that caused the rule to fire.
NSLookup: The NSLookup explorer resolves IP addresses to host names, and host names to IP addresses. Use this explorer to determine more information about a source or destination IP address. For example, use this explorer when you need to know the name that corresponds to the IP address that caused the rule to fire (it resolves a name like "SolarWinds.com" to an IP address).
Traceroute: The Traceroute explorer traces the network links from your host computer to the destination you specify. That is, it shows you the "hops" between your computer and the IP address of the destination. For example, use this explorer to determine the network connections between yourself and an IP that caused the rule to fire.
Flow explorer: The Flow explorer lets you perform flow analysis to determine which IP addresses or ports are generating or receiving the most network traffic. You can also analyze the volume of data (in bytes or packets) that is transferring to or from a given IP address or port number on your network. The explorer reports this information in easy-to-read graphs and tables. For example, if you see a strange IP address at the top of the Flow explorer's activity list, you can select the desired bar on the graph or a row in the table, and then choose the Whois explorer from the Explore menu to find out what that IP address is and why it is transmitting so much data.
nDepth: nDepth is a powerful search engine that lets you search all of the event data or the original log messages that pass through a particular Manager. The log data is stored in real time, as it originally occurs from each host (network device) and source (application or tool) that is monitored by the Manager.
Both Explore views have a Respond menu and an Explore menu that you can use with any of the explorers:
- The Respond menu lets you take corrective action on an event or other information presented in an explorer, such as shutting down a workstation when you see a problem reported in the Console.
- The Explore menu lets you use any of the other explorers to investigate a particular event, event detail, nDepth search result, or other explorer finding.

NSLookup Explorer
The NSLookup explorer is a network utility that is designed to resolve IP addresses to host names, and host names to IP addresses. Use this explorer whenever you need to know a name that corresponds to the IP address that caused the rule to fire. For example, it resolves a name like "SolarWinds.com" to an IP address.
In the example shown here, we opened the NSLookup explorer for an event field that has an IP address of 192.168.168.10 (which appears in the Search field). The explorer retrieved the corresponding host name, which is grendel.corp.SolarWinds.com.
Opening the NSLookup explorer adds an item to the Explore view's History pane. The new item has an NSLookup explorer icon.

Traceroute Explorer
The Traceroute explorer is a network utility that is designed to trace the network links from your host computer to the destination you specify. Use this explorer whenever you need to determine the network connections between yourself and the IP address that caused the rule to fire.
In the example shown here, we used the Traceroute explorer on the IP address 192.168.167.1. It shows you the "hops" between your computer and that IP address. In this example, connecting to that IP address required two "hops."
Opening the Traceroute Explorer adds an item to the Explore view's History pane. The new item has a Traceroute explorer icon.

Whois Explorer
The Whois explorer is a network utility that is designed to identify the source of an IP address or domain name based on how it is registered with domain and network authorities. This explorer contacts the central databases for IP addresses and domain names and returns the results of any of your searches.
It can tell you where something is located physically in the world, and who actually owns the device you're searching for. For example, use this explorer if you need to know who owns a domain that corresponds to the IP address that caused a rule to fire.
The example on the left shows the results for an IP address. The example on the right shows the results for the SolarWinds domain name, SolarWinds.com. From these, you can find out who owns the IP address and where the server is hosted.
Opening the Whois Explorer adds an item to the Explore view's History pane. The new item has a Whois explorer icon.

Manually Exploring an Item
At any time, you can manually explore an IP address, host name, or domain name. To do this, open a new, empty explorer, or type directly into the Search box of an explorer that is already open.

Chapter 9: Build
The Build menu contains three views: Groups, Rules, and Users. Use these views to configure the related components on the LEM appliance. Since these components reside on the appliance, they are universal and available to all console users from any computer. The sections in this chapter address the features of each Build view in detail.

Groups
The Build > Groups view is used to create, name, configure, and organize groups of parameters. You may then choose from these Groups when configuring filters (in Filter Creation) and rules (in Rule Creation) to include or exclude the specific elements defined within each Group.
Each Group you create only applies to the Manager that is selected when you create the Group. If you need a similar Group for another Manager, you must create it separately with that other Manager; or you must export the Group, and then import it from the other Manager's Groups grid.

Group types
You can use the Build > Groups view to create any of the Groups listed in the following table.
Event Groups: Event Groups are custom families of events that you can save as a Group.
You can then associate the Event Group with your rules and filters. For example, you might create an Event Group made up of similar events that all need to trigger the same response from the Console. When you apply the Event Group to a rule, the Console implements the same rule when any one of the events in the Group occurs.
Directory Service Groups: If you use a directory service, such as Active Directory, you can connect LEM to the server that stores your existing directory service (DS) Groups. Once connected, you can synchronize your DS Groups with LEM and apply them to your rules and filters. DS Groups allow you to match, include, or exclude events for specific users or computers, based on their DS Group membership. In most cases, DS Groups are used in rules and filters as a type of whitelist or blacklist for choosing which users or computers to include or to ignore. When used by a filter, a DS Group lets you limit the scope of the events included in the filter to those users or computers that have membership in a particular Group.
Email Templates: Email Templates allow you to create pre-formatted email messages that your rules can use to notify you of an event.
State Variables: State Variables are used in rules. They represent temporary or transitional states. For example, you can create a State Variable to track the "state" of a particular system, setting it to a different value depending on whether the system comes online or goes offline.
Time of Day Sets: Time of Day Sets are specific groups of hours that you can associate with rules and filters. Time of Day Sets allow them to take different actions at different times of day. For example, if you define two different Time of Day Sets for "Working Hours" and "Outside Working Hours," you can assign different rules to each of these Time of Day Sets. For instance, you may want a rule that automatically shuts down the offending computer and alerts your system administrator via email.
Connector Profiles: Connector Profiles are groups of Agents that have common connector configurations. Most Agents in a network have only a few different network security connector configurations. Connector Profiles allow you to group Agents by their common connector configurations. You can then have your rules and filters include or exclude the Agents associated with a particular profile.
User-Defined Groups: User-Defined Groups are groups of preferences that are used in rules and filters. They allow you to match, include, or exclude events, information, or data fields based on their membership in a particular Group. In most cases, User-Defined Groups are used in rules and filters as a type of whitelist or blacklist for choosing which events to include or to ignore.

Groups View Features
The topics in this section describe the key features of the Groups view, including its major sections, the meaning of its grid columns, and how to refine its grid.
The following table describes the meaning of each column in the Groups grid.
Gear button: The gear button in each row opens a menu of commands that you can perform on the item that is currently selected in the grid. It has commands for editing, cloning, exporting, and deleting the selected Group.
Type: Displays the type of the Group (Connector Profile, User-Defined Group, Time of Day Set, etc.).
Name: Displays the name of the Group.
Description: Displays a description of the Group. Pointing to this field displays the complete description as a ToolTip.
Created By: Displays the name of the Console user who created the Group.
Created Date: Displays the date the Group was created.
Modified By: Displays the name of the Console user who last modified the Group.
Modified Date: Displays the date on which the Group was last modified.
Manager: Displays the name of the Manager the Group is associated with.

Refining the Groups Grid
By default, the Groups grid shows every Group associated with each Manager the Console is connected to. If the same Group is configured for more than one Manager, it appears in the grid multiple times, once for each Manager it is associated with.
To help you work more efficiently with a long list of Groups, the Refine Results pane lets you apply filters to the Groups grid to reduce the number of Groups it shows. When you select options in the Refine Results pane, the grid refreshes to show only those items that match the refinement options you have selected. The other items in the grid are still there; however, they are hidden. To restore them, click the Reset button or select All in the refinement lists you are using.
The following table explains how to use the Refine Results form.
Reset: Click Reset to return the form and the Groups grid to their default settings.
Search: Use this field to perform keyword searches for specific Groups. To search, type the text you want to search for in the text box. The grid displays only those Groups that match or include the text you entered.
Type: Select the type of the Group you want to work with (Connector Profile, User-Defined Group, Time of Day Set, etc.) to have the grid display only Groups of that type.
Manager: Select a Manager to have the grid display only the Groups that are associated with that Manager.
Created By: Select the name of the Console user who created the Group to have the grid display only Groups from that user.
Created Date Range: Type or select a date range to have the grid display only Groups that were created on or within that date range.
Modified By: Select the name of the Console user who last modified the Group to have the grid display only Groups modified by that user.
Modified Date Range: Type or select a date range to have the grid display only Groups that were modified on or within that date range.

Rules
The Console's Build > Rules view is used to create, configure, and manage your rules. Rules are used to monitor and respond to event traffic. They allow you to automatically notify or respond to security events in real time, whether you are monitoring the Console or not. When an event (or a series of events) meets a rule's conditions, the rule automatically prompts the Manager to take action, such as notifying the appropriate users, or performing a particular active response (such as blocking the IP address or stopping a particular process). The Console ships with a set of pre-configured rules that you can begin using immediately. However, you can use the view's Rule Creation connector to create your own custom rules and your own variations on any existing rules.

Rules View Features
This topic describes the key features of the Rules view and the Rules grid, and explains how to refine the Rules grid.

Rules Grid Columns
The Rules grid contains all policy rules that are configured for all Managers that are connected to the Console. The Manager column indicates which Manager each rule applies to. By default, the view shows the rules from the Custom Rules folder in the Folders pane. If you do not have any custom rules, then click the Rules folder to list the rules that the Console ships with.
The following table describes the meaning of each column in the Rules grid. Columns are listed in their default order, from left to right.
Gear button: The gear button in each row opens a menu of commands that you can perform on the item that is currently selected in the grid. These commands let you edit, enable, disable, test, clone, and delete the selected rule.
Enabled: Indicates whether or not the rule is enabled and ready for use with your policies. The Enabled icon means the rule is enabled and is in active use.
The Disabled icon means the rule is disabled, and is not in use.
Test: Indicates whether or not the rule is in test mode. When a rule is in test mode, it causes events to appear in the Console, but it cannot perform any active responses. This lets you see how the rule would behave when it is fully enabled, but without risking any negative unintended consequences. One icon means the rule is in test mode; the other means the rule is not in test mode. Note: A rule must be Enabled before you can test it.
Name: The name of the rule.
Description: A description of the rule. Pointing to this field displays the complete description as a ToolTip.
Folder: The name of the folder (in the Folders pane) in which the rule is stored.
Created By: The name of the Console user who created the rule.
Created Date: The date the rule was created.
Modified By: The name of the Console user who last modified the rule.
Modified Date: The date and time on which the rule was last modified.
Manager: The Manager the rule is associated with.

Refine Results Form
You can use the Refine Results form to refine the Rules grid. The form behaves like a search engine, letting you apply filters to the Rules grid to reduce the number of rules it shows. When you select options in the Refine Results pane, the grid refreshes to show only those items that match the refinement options you have selected. The other items in the grid are still there; however, they are hidden. To restore them, click the Reset button or select All in the refinement lists you are using.
The following table explains how to use the Refine Results form.
Reset: Click Reset to clear the form. This returns the form and the Rules grid to their default settings.
Search: Use this Search field to perform keyword searches for specific rules. To search, type the text you want to search for in the text box. The grid displays only those rules whose Name fields match or include the text you entered.
Enabled: Select this check box to show only those rules that are Enabled. Clear this check box to show both Enabled and Disabled rules.
Test: Select this check box to show only those rules that are in test mode. Clear this check box to show rules that are both in and out of test mode.
Manager: Select a Manager to have the grid display only the rules that are associated with that Manager.
Created By: Select the name of the Console user who created the rule to have the grid display only rules created by that user.
Created Date Range: Type or select a date range to have the grid display only rules that were created within that date range.
Modified By: Select the name of the Console user who last modified the rule to have the grid display only rules modified by that user.
Modified Date Range: Type or select the begin and end dates to have the grid display only rules that were modified on or within that date range.

The connectors in Rule Creation are very similar to those found in Filter Creation. However, filters report event occurrences; rules act on them. There is no harm if you create a filter that is unusual or has logic problems. But this is not always the case with rules. Rules can have unexpected and sometimes unpleasant consequences if they are not configured exactly as you intend them to be. Inexperienced users should use caution when creating rules. Creating filters is an excellent way to familiarize yourself with the logic and connectors needed to create well-crafted rules. You should only begin configuring rules after you are at ease with configuring filters. Even then, always test your rules before implementing them.

Rule Categories and Tags
The Rule Categories & Tags list is the list of default rule categories and tags. To make them easier to find and categorize, rules that apply to multiple purposes appear in more than one category and/or tag.
l l l There are a default set of Rule Categories & Tags, and you can also create your own customizable ones. New rule categories and tags that are created can be added or removed from your list of categories/tags at any time. Activity Types, Authentication, Change Management, Compliance, Devices, Endpoint Monitoring, IT Operations and Security categories are available pre-defined categories Rule templates have been separated into their own view and categorized into all of the appropriate categories and tags, making them much easier to find and use Rule Tagging The Rule Tagging feature allows you to add, change, or remove tags from existing or newly created rules. Rules may have several different categories and tags. If you have a rule that you want to appear in several different category locations, you can use the tag feature to have it display in those locations. To tag a rule: 1. Select an existing Rule Template or create a new Rule. 2. Click the Add Tags... link 3. Select the categories and tags.There are many default tags or you can 142 Users create a custom tag to suit your needs. 4. Click OK. Users The Users view is used to manage the system users who are associated with each Manager. By adding email addresses for each user, the Console can notify users of event conditions by email. This topics in this section describe the key features of the Users view, the meaning of each column in the Users grid, and how to refine the Users grid. Users View Features The following table describes the key features of the Users view. Name Description Refine Results This form behaves like a search engine. It lets you apply filters to the Users grid to reduce the number of users it shows. Users grid The Users grid displays all of the system users who are associated with each Manager throughout your network. Click this button to add a new user. 
- User Information: This pane displays detailed information about the user who is currently selected in the grid, including the user's role, password information, and contact information. When editing a user, the User Information pane turns into an editable form.

Users Grid Columns

By default, the Users grid shows all users who are configured for all Managers that are monitored by the Console. However, you can use the Refine Results form to refine the grid's contents.

- Gear button: Opens a menu of commands for the selected user.
  - Use the Edit command to edit the user's settings and contact information.
  - Use the Delete command to delete the user.
- Status: Indicates whether the user is currently logged on to the Console. One icon means the user is logged on; the other means the user is not logged on.
- User Name: Displays the name the user uses to log on to the Manager.
- First Name: Displays the user's first name.
- Last Name: Displays the user's last name.
- Role: Displays the user role that has been assigned to the user.
- Description: Displays a brief description of the user's job function or responsibility.
- Manager: States which Manager the user is associated with.
- Last Login: States the date and time the user last logged on to the system.

Refining the Users Grid

By default, the Users grid shows all users for all Managers. The Refine Results form behaves like a search engine, letting you apply filters to the grid to reduce the number of users it shows.

- Reset: Click Reset to return the form and the Users grid to their default settings.
- Manager: Select the Manager you want to work with. By default, the grid displays All Managers.
- Role: Select the user role you want to work with. By default, the grid displays All roles.
- Last Login Date Range: Type or select the begin and end dates to display the users who have logged in within that date range.
Viewing a User's System Privileges

After selecting a user role, you can use the View Role button to view the system privileges that are associated with the user's assigned role.

To view a user's system privileges:

1. Open the Build > Users view.
2. In the Users grid, double-click the user you want to work with. Below the grid, the User Information pane displays the user's current settings.
3. Click the View Role button. The Privileges form appears, showing the user's system privileges for his or her assigned role. This information is provided here for reference purposes and cannot be changed.
4. When you are finished viewing the role's privileges, click Close to return to the Console.

Chapter 10: Manage

The Manage > Appliances view (also called the Appliances view) is used to add, configure, and maintain each virtual appliance that is associated with and monitored by the LEM system. The term appliances is used here as a generic term that includes:

- Managers
- Database servers
- Logging servers
- Network sensors
- nDepth servers

The Appliances view is primarily concerned with Managers, even though other appliances may appear in your appliance list. Once a Manager is in place, you can use this view to do the following:

- Use the Console to connect to and disconnect from a particular Manager.
- Add a Manager's agents.
- Configure rules, policies, and network security connectors that apply to each Manager.

Note: Commands in the Appliances view can take a while to execute, because they must remotely access the Manager or network appliance.

When using multiple Managers, always use a unique hostname for each Manager. Doing this helps ensure proper event flow and console function. SolarWinds recommends giving each Manager its own unique name before adding it to LEM.
Appliances View Features

This topic describes the key features of the Appliances view, the Details pane, the Appliances grid, and its Status icons. The following table describes the key features of the Manage > Appliances view.

- Appliances grid: This grid lists all of the Managers and other network appliances LEM is monitoring. Use this grid to add, configure, or remove appliances; to configure Manager connectors and Manager policy; and to connect to and disconnect from Managers.
- Add button: Click this button to add a new Manager or network appliance to the Console.
- Gear button: Click the gear button at the top of the grid to access commands applicable to multiple selections in the grid and other commands not requiring a grid selection.
- Copy button: Click this button to copy the grid's information about your Managers to the clipboard, so you can paste it elsewhere, such as Microsoft Excel for analysis or the Remote Agent Installer for updates.

Appliances Grid Columns

The following table briefly describes the meaning of each column in the Manage > Appliances view's Appliances grid.

- Gear button: Opens a menu of commands you can perform on the selected appliance, such as Login, Logout, Configure, Connectors (for connecting products to the appliance), Policy (for assigning event distribution policy), and Delete. The Login, Logout, Connectors, and Policy options apply only when you have a Manager selected. If you have a Manager selected but are not connected, only the Login, Configure, and Delete commands are available.
- Status: Shows the appliance's current connection status. One icon means Connected/Logged In; the other means Disconnected/Logged Off.
- Icon: Differentiates between multiple Managers in the nDepth view.
- Name: Shows the name of the Manager or the appliance.
- Type: Describes the type of appliance as one of the following: Manager, Database, Logging Server, or Network Sensor.
- Version: Provides the version of the LEM Manager software.
- Platform: Displays the manager platform name. The platform is one of the following: Trigeo SIM, VMware vSphere, or Microsoft HyperV.
- IP Address: States the Manager's or the appliance's IP address.
- Port: Shows the port number the Console is using to communicate with the Manager, the network appliance, or the database.
- Connectors Update Enabled: Indicates whether the appliance connectors have been configured for automatic updates. If the icon is green, LEM is already set up to automatically update whenever SolarWinds updates a connector. If the icon is gray, automatic connector updates are inactive and must be turned on.
- User: For Managers, this column displays the user name that is currently logged on to that Manager.

To automatically apply connector updates and manually apply individual connector updates, use the Connector Updates menu at the top right of the Appliances grid.

Details Pane

The Details pane displays essential information about an appliance, such as its name, connection status, and IP address.

To view an appliance's details:

1. Open the Manage > Appliances view.
2. If needed, log into the Manager you want to work with.
3. In the Appliances grid, click to select the Manager or appliance you want to work with.
4. If the Details/Properties pane is not already open, click the open pane ▲ button at the bottom of the window. The Details pane displays information about the Manager or appliance you have selected.

- Platform: Displays the name of the Manager platform, which can be Trigeo SIM, VMware vSphere, or Microsoft HyperV.
- CPU Reservation: Shows how much CPU space has been reserved. Reserving CPU space ensures enough resources are available for the allocated CPUs.
- Number of CPUs: Exhibits the number of CPUs actually allocated to this Manager.
- Memory Allocation: Provides the amount of memory allocated to the Manager.
- Memory Reservation: Indicates how much memory has been reserved for this system. Reserving memory ensures enough system memory is available when it's needed.
- Status: Shows the Manager's or the appliance's current connection status.
- Name: Displays the Manager's or the appliance's name.
- Type: Indicates the appliance type, which is either Manager, Database Server, nDepth, Logging Server, or Network Sensor.
- Version: Shows the version of the Manager software.
- IP Address: Displays the Manager's or the appliance's IP address.
- Port: Exhibits the port number the Console uses to communicate with the Manager or the appliance.

Configuring a Manager's Properties

In the Properties pane, use the Properties form to configure Managers. It records the Manager's configuration settings, such as its login options, Agent licenses, its password settings, and its ability to automatically send software updates to Agents.

Note: LEM uses the Properties form only for Managers. The Properties pane is disabled for other types of appliances.

To configure a Manager's properties:

1. At the top of the Console, click Manage > Appliances.
2. In the Appliances grid, click to select the Manager you want to work with.
3. If the Details/Properties pane is not already open, click the "open pane" ▲ button at the bottom of the window.
4. Complete the Properties form. The following sections describe how to complete each tab.

The Properties form automatically refreshes to show changes occurring to the Manager since you opened the form. This ensures that you are looking at the most current information.

The Login Tab

The Login tab has two main uses:

- If the Login on console startup option is checked, the system uses this data to automatically connect to the Manager whenever the Console is opened.
- If you manually log in to a Manager from the Appliances grid, the system uses this data to connect to the Manager so you don't have to complete the log in dialog box.

Use the following table to complete the Properties pane's Login tab.

- Username: Type your user name for logging into LEM.
- Password: Type your password for logging into the Manager.
- Login on console startup: Select this check box to have LEM automatically log you into the Manager upon opening the LEM Console. If you prefer to log on manually, clear this check box.
- Save Credentials: Select this check box to have the Console save the Manager's user name and password locally. The Console can then automatically provide them whenever you log on to a Manager.
  - If you also select the Login on console startup check box, the Console will automatically log on to the Manager whenever the Console is started.
  - If the Login on console startup check box is not selected, then the Console automatically supplies the user name and password whenever you manually log on to the Manager.
- Reconnect on disconnection: Select this check box to have the Console automatically attempt to reconnect with the Manager if the Manager becomes disconnected.
- Try to reconnect every xx seconds: Type the number of seconds the Console is to wait before attempting a new connection with the Manager.
- Timeout reconnection attempts after xx tries: Select this check box to have the Console quit its reconnection attempts with the Manager after a given number of tries, if the previous connection attempts have been unsuccessful. Then type the number of tries the Console is to attempt to reconnect with the Manager before giving up.
- Save: Click Save to save the configuration settings.
- Cancel: Click Cancel to discard any configuration settings you may have entered since the last time you saved.
The License Tab

The License tab summarizes your available and allocated licenses. It is also used to activate your SolarWinds LEM license. The following table explains the License tab's remaining reference information.

- Total Nodes: Displays the total number of nodes allowed by your SolarWinds LEM license.
- Total Unused Nodes: Displays the number of nodes that have not yet been allocated.
- Total Agent Nodes: Displays the number of nodes that have been allocated to LEM Agent devices such as workstations or servers.
- Total NonAgent Nodes: Displays the number of nodes that have been allocated to non-Agent devices such as firewalls or switches.
- Maintenance Expiration Date: Displays the date your current maintenance contract with SolarWinds Support expires.

For more information on activating your SolarWinds LEM license, see "Going from evaluation to production" in the SolarWinds Log & Event Manager Quick Start Guide.

License Recycling

Each time a VM desktop is created, an agent connects to LEM and a license is used. This continues to happen as desktops are created and destroyed, eventually causing all licenses to be used up. License recycling allows you to collect and reuse licenses from nodes that have not sent an event to the LEM manager within a specified amount of time.

To enable license recycling:

1. Select the Enable license recycling checkbox.
2. Select a defined time frame from the options shown for when to recycle a license if a node has not sent an event.
3. Select when you would like the system to check for recyclable licenses.
4. Select the nodes to be checked.

The Settings Tab

The Settings tab defines the Manager's password policy settings and global automatic update settings. Global automatic updates allow the Manager to automatically send software updates to Agents as new software becomes available. Use the following table to complete the Properties pane's Settings tab.
Password Policy

- Minimum Password Length: Type or select the minimum number of characters that must be used in passwords for user accounts that connect to the Console and its Managers. Passwords must have at least six characters, but no more than 40 characters.
- Must meet complexity requirements: Select this check box if passwords must meet the following complexity requirements:
  - Passwords must not match or contain part of the user's user name.
  - Passwords must be at least six characters long.
  - Passwords must contain characters from three of the following four categories:
    - English uppercase characters (A through Z).
    - English lowercase characters (a through z).
    - Base 10 digits (0 through 9).
    - Non-alphanumeric characters (!, $, #, %, ^, etc.).

Remote Updates

- Enable Global Automatic Updates: This check box indicates whether or not the Manager can automatically update its Agents with new software.
  - Select this check box to have the Manager automatically issue the latest software updates to qualifying Agents as they become available.
  - If this check box is not selected, then global automatic updates for this Manager are Disabled. This means its Agents will not automatically receive new software updates from the Manager.
  Note that each Agent is also controlled by its Automatic Update setting on the Agents grid. The Agent's Automatic Updates setting will not work if you do not also select this Enable Global Automatic Updates check box. If you do not select this check box but have an Agent set to automatically receive updates, nothing will happen: the Agent will not receive its updates. If you do select this check box and have an Agent set to automatically update, the Agent will automatically receive updates when they become available.
- Maximum Concurrent Updates: Select how many Agents the Manager can update at one time. The default value is 10. If the number of Agents that require updates is greater than the value you have entered here, the remaining Agents will be queued for updating as soon as an update slot becomes available.

Explorer Command Agent

- Current Default Agent: Select the default Agent for performing SolarWinds explorer functions, such as NSLookup and Whois. For best results, choose an Agent that is normally online and will return the expected results.

Connection Requests

- Minutes: Set the value (in minutes) for the amount of time before a timeout request is initiated.
- Seconds: Set the value (in seconds) for the amount of time before a timeout request is initiated.

SolarWinds Improvement Program

- Email Address: Enter your email address.
- Send usage statistics to SolarWinds to help us improve our products: Select this checkbox to send statistics to SolarWinds.

Threat Intelligence

- Allow LEM to detect threats based on list of bad IP addresses: This checkbox is active by default. Threat intelligence identifies events as threats by matching events' IP information against a list of known bad IP addresses. Click the video icon to view the corresponding tutorial, which offers more information on threat intelligence feed functionality.

Only administrators have the permissions required to turn the threat intelligence feed off and on. Disabling and re-enabling the threat intelligence feed forces a threat intelligence update and creates an InternalAudit event. Restarting LEM also forces the threat intelligence feed to update.

Configuring Event Distribution Policy

The topics in this section explain how to configure event distribution policy for Managers. Event distribution policy lets you control how events are routed through the LEM system. With the Event Distribution Policy window, you can choose, at the event level, which events are to go to the LEM Console and to the local LEM database.
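The password policy described under the Settings tab above is simple enough to check offline, for example when auditing a list of proposed Console accounts before they are created. The following is an added example, not SolarWinds code and not something the Console exposes: it applies the Minimum Password Length bound (6 to 40) and the four complexity rules as the table states them. The guide does not define what "part of the user name" means, so the check below assumes any run of three or more consecutive characters of the user name, compared case-insensitively; that assumption, and the function and constant names, are the example's own.

```python
"""Password policy check modelled on the LEM Settings tab rules.

Added example for this guide; it is not SolarWinds code and does not call
the LEM Console. Assumptions are marked in the comments.
"""

MIN_ALLOWED_LENGTH = 6    # "at least six characters" (from the guide)
MAX_ALLOWED_LENGTH = 40   # "no more than 40 characters" (from the guide)
NAME_PART_LENGTH = 3      # assumption: "part of the user name" = a run of 3+ characters


def _contains_part_of_username(password: str, username: str) -> bool:
    """True when any run of NAME_PART_LENGTH consecutive characters of the
    user name appears in the password (case-insensitive). Assumption: user
    names shorter than NAME_PART_LENGTH are too short to match meaningfully."""
    pw = password.lower()
    name = username.lower()
    return any(
        name[i:i + NAME_PART_LENGTH] in pw
        for i in range(len(name) - NAME_PART_LENGTH + 1)
    )


def _category_count(password: str) -> int:
    """Number of the four character categories present in the password."""
    checks = (
        any("A" <= c <= "Z" for c in password),   # English uppercase
        any("a" <= c <= "z" for c in password),   # English lowercase
        any("0" <= c <= "9" for c in password),   # base 10 digits
        any(not c.isalnum() for c in password),   # non-alphanumeric
    )
    return sum(checks)


def check_password(password: str, username: str, min_length: int = 6,
                   require_complexity: bool = True) -> list:
    """Return the list of policy violations; an empty list means the password passes.

    min_length mirrors the Minimum Password Length field (6..40) and
    require_complexity mirrors the 'Must meet complexity requirements' box.
    """
    if not MIN_ALLOWED_LENGTH <= min_length <= MAX_ALLOWED_LENGTH:
        raise ValueError("Minimum Password Length must be between 6 and 40")

    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than the minimum length of {min_length}")
    if len(password) > MAX_ALLOWED_LENGTH:
        problems.append(f"longer than {MAX_ALLOWED_LENGTH} characters")

    if require_complexity:
        # The "at least six characters" complexity rule is already covered,
        # because min_length can never be below six.
        if _contains_part_of_username(password, username):
            problems.append("contains part of the user name")
        if _category_count(password) < 3:
            problems.append("uses fewer than three of the four character categories")
    return problems


if __name__ == "__main__":
    for pw, user in (("Tr0ub4dor!", "alice"), ("alice2024", "alice"), ("Ab1!", "bob")):
        verdict = check_password(pw, user) or ["ok"]
        print(f"{user:>6} / {pw:<12} -> {', '.join(verdict)}")
```

Violations are returned as a list rather than a single boolean so that every failing rule can be reported to the account owner at once, which is what the Console's own form would need to do.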
Practical Uses for Event Distribution Policy

Event distribution policy has several practical uses that are explained in the following examples.

- Many data sources generate events that are difficult to control at a granular level, or they generate events of little or no value. You are better off removing these events from the system to reduce the volume and noise being sent to your Console and database. By configuring event distribution policy, you can disable (exclude) specific event types, at the event level, from being sent to any or all of these destinations. The data sources will continue to generate these events, so you can always enable them at any time. Until then, the selected system destinations will ignore them.
- There may be events that you want to monitor in the LEM Console, but do not need for long-term storage and reporting. In this case, you can use event distribution policy to disable database storage for certain events, while enabling processing by the Console.

Opening the Event Distribution Policy Window

1. At the top of the LEM Console, click Manage > Appliances.
2. In the Appliances grid, click the gear button for the Manager you want to work with, and then click Policy. The Event Distribution Policy for [Manager] window appears.

If you open the Event Distribution Policy window while another user is currently using it, a Policy Locked message appears. You can choose to take over the window, or to view it in read-only mode. Any Full User can unlock any other user.

About the Event Distribution Policy Window

The following table describes the key features of the Event Distribution Policy window.

- Event/Field: The window's grid is a hierarchical node tree. The Event/Field column lists event categories and event types.
  Opening an event category node displays the lower-level event types that are
- Check Boxes: The check boxes in the grid's Console, Database, Warehouse, and Rules columns indicate whether or not a particular event type (or entire event category) is to be sent to the LEM Console or to the local database. A check mark means the event type will be routed to that particular destination. An empty check box means the event type will not be routed to that destination.
- Export Button: The Export button exports a Manager's event policy to a spreadsheet file.
- Gear button: Click the gear button to use the Apply State to Branch command. This command pushes, or propagates, the selected event node's check box settings down to the related, lower-level event types in the node tree hierarchy.
- Description: The Description box provides a description of the event type or event category that is currently selected in the grid.

Configuring Event Distribution Policy

The Event Distribution Policy window makes configuring your event distribution policy a straightforward matter. First, you find the event types you want to work with, and then you select check boxes to determine whether or not those event types are to be routed to a particular destination.

To configure event distribution policy:

1. Open the Event Distribution Policy window for the Manager you want to work with.
2. In the Event/Field grid, locate the event type you want to work with. You can do this in several different ways:
   - In the Event/Field list, click any node to show its lower-level event type nodes.
   - In the Event/Field list, double-click any event type row to show its lower-level event type nodes.
3. Once you have found the event type you want, configure it as follows:
   - Select the row's Console check box to have that event type appear in the LEM Console.
   - Select the row's Database check box to have that event type stored in the local database.
   - Clear a check box to exclude the event type from that particular destination.
4. To save or cancel your changes, do one of the following:
   - Click OK to save your event distribution policy changes, close the window, and return to the Console.
   - Click Apply to save your changes, but keep the window open so you can continue working.
   - Click Cancel to close the window without saving your changes and return to the Console.

Upon saving, the Applying Changes status bar appears. Updating the Manager with the new event policy configuration changes can take anywhere from 30 seconds to several minutes.

Pushing event policy to lower-level event types

With the Apply State to Branch command, you can propagate or "push" event distribution policy settings from a high-level event type to each of its lower-level "child" event types in the event hierarchy. For example, say you select the topmost Security Event row and then select its Console and Warehouse check boxes. Clicking Apply State to Branch assigns the same Console and Warehouse check box settings to every child item that is associated with Security Event. Upon saving, this policy causes all event types that are child items of Security Event to begin sending events to all users' Consoles and your data warehouse.

To push event distribution policy downward:

1. Open the Event Distribution Policy window for the Manager you want to work with.
2. In the Event/Field grid, locate the event type that is a "parent" to the event types you want to configure.
3. In the parent row, define the policy by selecting or clearing the Console, Database, Warehouse, and Rules check boxes.
4. Click the row's gear button and then click Apply State to Branch. The Console pushes, or propagates, the parent row's check box settings down to each of its lower-level event types in the node tree hierarchy.
   - If you select one or more of the parent row's check boxes, the Console selects the same check box settings for each related lower-level event type in the node tree. Upon saving, the policy begins sending the "child" event types to the selected destinations.
   - If you clear any of the parent row's check boxes, the Console clears the same check box settings from each related lower-level event type in the node tree. Upon saving, the policy stops sending those event types to those destinations.
5. Click OK to save your changes. The Console implements the new policy.

Exporting a Manager's Event Policy

When needed, you can export a Manager's event policy to a spreadsheet file. You may want to do this for any of the following reasons:

- You can view and manipulate the policy information in a spreadsheet application, such as Microsoft Excel.
- You can provide SolarWinds with a copy of your policy information for technical support or troubleshooting purposes.

To export a Manager's policy:

1. Open the Event Distribution Policy window for the Manager you want to work with.
2. At the top of the window, click Export. The Save As form appears.
3. In the Save In box, select the folder you want to export to.
4. In the File Name box, type a name and file type for the exported file. In the file name, include a file type of .xls to save the file as a Microsoft Excel spreadsheet.
5. Click Save to save the file. The Console saves the file to the folder and with the file name you specified. You may now view the Manager's policy information in a spreadsheet application, such as Excel.

Improving performance with event filtering (Windows only)

The Windows Filtering Platform (WFP) in Windows 7/8 and Windows Server 2008/2012 logs firewall- and IPsec-related events to the System Security Log. The alerts generated represent background events that use additional LEM resources. These events are not necessary for an optimized LEM deployment.
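The Apply State to Branch semantics above (a parent row's four check boxes overwriting every descendant row, and a later push from a higher row overwriting the branch again) are easy to get wrong when planning a policy change on paper. The following is an added example, not SolarWinds code and not a model of LEM's internal storage: it represents the Event/Field tree as nested nodes with one check-box state per destination, implements the push, and reports where each event type in a branch ends up being routed. The hierarchy in build_sample_tree() and the names tune_out_branch and destinations_for are the example's own assumptions; the real tree is whatever the Event/Field grid shows.

```python
"""Model of LEM event distribution policy and the Apply State to Branch command.

Added example for this guide, not SolarWinds code: it reproduces the
check-box semantics described above so a planned change can be reasoned
about offline. The event hierarchy in build_sample_tree() is constructed
for illustration; the real tree is whatever the Event/Field grid shows.
"""
from dataclasses import dataclass, field

# The four destination columns of the Event Distribution Policy window.
DESTINATIONS = ("Console", "Database", "Warehouse", "Rules")


def all_checked() -> dict:
    """Default row state: every destination check box selected."""
    return {d: True for d in DESTINATIONS}


@dataclass
class EventNode:
    name: str
    policy: dict = field(default_factory=all_checked)   # destination -> check box state
    children: list = field(default_factory=list)

    def find(self, name: str):
        """Depth-first lookup of a category or event type by name."""
        if self.name == name:
            return self
        for child in self.children:
            hit = child.find(name)
            if hit is not None:
                return hit
        return None

    def apply_state_to_branch(self) -> int:
        """Push this row's check-box settings to every descendant.
        Returns the number of lower-level rows that were updated."""
        updated = 0
        for child in self.children:
            child.policy = dict(self.policy)
            updated += 1 + child.apply_state_to_branch()
        return updated

    def leaves(self):
        """Yield the event types (rows without children) under this node."""
        if not self.children:
            yield self
        for child in self.children:
            yield from child.leaves()


def destinations_for(root: EventNode, event_type: str) -> tuple:
    """Where events of this type are routed under the current policy."""
    node = root.find(event_type)
    if node is None:
        raise KeyError(f"unknown event type: {event_type}")
    return tuple(d for d in DESTINATIONS if node.policy[d])


def build_sample_tree() -> EventNode:
    # Constructed hierarchy (assumption): a top-level category with one
    # noisy sub-category and one event type that should stay fully routed.
    return EventNode("Security Event", children=[
        EventNode("Network Traffic Audit", children=[
            EventNode("TCPTrafficAudit"),
            EventNode("UDPTrafficAudit"),
        ]),
        EventNode("UserLogon"),
    ])


def tune_out_branch(root: EventNode, branch: str, keep=()) -> dict:
    """Clear every destination except those in `keep` on a branch and push
    the setting down, as steps 2 to 4 of the procedure above describe.
    Returns the resulting routing of each event type in the branch."""
    parent = root.find(branch)
    if parent is None:
        raise KeyError(f"unknown branch: {branch}")
    parent.policy = {d: d in keep for d in DESTINATIONS}
    parent.apply_state_to_branch()
    return {leaf.name: destinations_for(root, leaf.name) for leaf in parent.leaves()}


if __name__ == "__main__":
    tree = build_sample_tree()
    print(tune_out_branch(tree, "Network Traffic Audit", keep=("Rules",)))
    print("UserLogon ->", destinations_for(tree, "UserLogon"))
```

The return value of apply_state_to_branch is the count of rows touched, which is a cheap sanity check before clicking OK: if the number is far larger than the handful of event types you meant to change, the push was applied from a row higher in the tree than intended.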
Modifying your LEM Manager's Event Distribution Policy to tune out the "Windows noise" reduces the space these events occupy in the Security Event log, reduces network activity, and avoids consuming LEM resources such as CPU, memory, and disk space.

To modify your LEM Manager's Event Distribution Policy:

1. Open the LEM Console and log into the LEM Manager from the Manage > Appliances view.
2. Click the gear icon next to your LEM Manager, and then select Policy.
3. Locate the alerts you want to disable by using the search box under Refine Results. Locate all of the alerts listed below by typing Windows Security in the search box.
4. Check or uncheck the boxes in the Console, Database, Warehouse, or Rules columns as follows:
   - Uncheck the Console box to prevent your LEM Manager from showing the alert in your LEM Console.
   - Uncheck the Database box to prevent your LEM Manager from storing the alert in your LEM database.
   - Uncheck the Warehouse box to prevent your LEM Manager from sending the alert to an independent database warehouse.
   - Uncheck the Rules box to prevent your LEM Manager from processing the alert against your LEM rules.
   - Check any box to enable processing for the alert at any of the four levels listed above.
5. Click Apply to save your changes and keep working.
6. Click Save to save your changes and exit the Alert Distribution Policy window.

Table of Alerts with Windows Security Auditing Provider SIDs

The alerts described in the tables below can be filtered out (dropped) using your LEM Manager's Event Distribution Policy by unchecking their boxes in the Console, Database, Warehouse, and Rules columns. LEM must still receive and process these events, which uses additional resources in the form of memory and CPU reservations.
Alert name and the Windows event IDs it can carry:

- TCPTrafficAudit: 5152, 5154, 5156, 5157, 5158, 5159
- IPTrafficAudit: 5152, 5154, 5156, 5157, 5158, 5159
- UDPTrafficAudit: 5152, 5154, 5156, 5157, 5158, 5159
- IMCPTrafficAudit: 5152, 5156, 5157, 5158, 5159
- ICMPTrafficAudit: 5152, 5156
- PPTPTrafficAudit: 5152

The Provider SID value in these alerts matches the format "Windows Security Auditing <Event ID>", where Event ID is one of the Windows Event IDs listed below.

Event ID and event description:

- 5152: Windows Filtering Platform blocked a packet
- 5154: Windows Filtering Platform permitted an application or service to listen on a port for incoming connections
- 5156: Windows Filtering Platform allowed a connection
- 5157: Windows Filtering Platform blocked a connection
- 5158: Windows Filtering Platform permitted a bind to a local port
- 5159: Windows Filtering Platform blocked a bind to a local port

Adding and Editing Nodes

The Manage > Nodes view displays the Agents that are monitored by each of your Managers. Once you have installed the Agents on your client PCs, you can use the Nodes view to do the following:

- Add a new Node or Scan for a New Node.
- Integrate the Agent's network security connectors with the LEM system. You are actually integrating the Agents themselves, but the Agents forward messages from the network security connectors to the Manager for event processing.
- Connect an Agent to a Manager.
- View the name, connection status, event status, and IP address of each Agent.
- Determine whether or not the Agent is using USB-Defender.
- View an Agent's properties.
- Control an Agent's automatic update settings for installing new software from the Manager.
- Actively respond to events that affect Agents.
- Copy Agent information to the clipboard for use with the Remote Agent Installer, or for analysis with programs such as Microsoft Excel.
- Remove an Agent from a Manager.
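Before unchecking the WFP alerts in the tables above it is worth measuring how much of the incoming volume they actually account for, and confirming that a given alert carries only the event IDs the table attributes to it (for example, PPTPTrafficAudit with 5152 only). The following is an added example, not SolarWinds code and not a reader of LEM's database: it parses the "Windows Security Auditing <Event ID>" provider SID, classifies records against the alert/event-ID table, and summarizes the noise share. The record layout, the field names EventName, ProviderSID and DetectionIP, and the sample records are constructed for illustration; only the alert names, event IDs and descriptions come from the guide.

```python
"""Triage of Windows Filtering Platform (WFP) noise before it is tuned out.

Added example for this guide, not SolarWinds code. Only the alert names,
event IDs, descriptions and the "Windows Security Auditing <Event ID>"
provider SID format come from the tables above; the record layout, the
field names and the sample records are constructed for illustration.
"""
import re
from collections import Counter

WFP_EVENTS = {
    5152: "Windows Filtering Platform blocked a packet",
    5154: "Windows Filtering Platform permitted an application or service "
          "to listen on a port for incoming connections",
    5156: "Windows Filtering Platform allowed a connection",
    5157: "Windows Filtering Platform blocked a connection",
    5158: "Windows Filtering Platform permitted a bind to a local port",
    5159: "Windows Filtering Platform blocked a bind to a local port",
}

# Alert names from the table above, keyed to the event IDs each can carry.
WFP_ALERTS = {
    "TCPTrafficAudit": {5152, 5154, 5156, 5157, 5158, 5159},
    "IPTrafficAudit": {5152, 5154, 5156, 5157, 5158, 5159},
    "UDPTrafficAudit": {5152, 5154, 5156, 5157, 5158, 5159},
    "IMCPTrafficAudit": {5152, 5156, 5157, 5158, 5159},
    "ICMPTrafficAudit": {5152, 5156},
    "PPTPTrafficAudit": {5152},
}

PROVIDER_SID = re.compile(r"^Windows Security Auditing (\d+)$")


def provider_event_id(provider_sid: str):
    """Extract the Windows event ID from a provider SID, or None if the
    value does not follow the 'Windows Security Auditing <Event ID>' form."""
    match = PROVIDER_SID.match(provider_sid.strip())
    return int(match.group(1)) if match else None


def is_wfp_noise(record: dict) -> bool:
    """True when the record is one of the listed alerts carrying one of the
    WFP event IDs the table attributes to that alert."""
    event_id = provider_event_id(record.get("ProviderSID", ""))
    return event_id in WFP_ALERTS.get(record.get("EventName", ""), set())


def summarize(records) -> dict:
    """Count noise per (alert name, event ID) and report its share of the
    total, so the effect of tuning the alerts out can be judged first."""
    counts = Counter()
    for rec in records:
        if is_wfp_noise(rec):
            counts[(rec["EventName"], provider_event_id(rec["ProviderSID"]))] += 1
    noise = sum(counts.values())
    return {
        "by_alert": dict(counts),
        "noise": noise,
        "total": len(records),
        "share": noise / len(records) if records else 0.0,
    }


def report_lines(records) -> list:
    """Human-readable summary, busiest alert/event-ID pair first."""
    summary = summarize(records)
    lines = []
    for (name, eid), n in sorted(summary["by_alert"].items(), key=lambda kv: -kv[1]):
        lines.append(f"{name:<17} {eid}  {WFP_EVENTS[eid]:<55} {n:>4}")
    lines.append(f"WFP noise: {summary['noise']} of {summary['total']} records "
                 f"({summary['share']:.0%})")
    return lines


# Constructed sample records (not real LEM output).
SAMPLE_RECORDS = [
    {"EventName": "TCPTrafficAudit", "ProviderSID": "Windows Security Auditing 5156", "DetectionIP": "10.0.0.5"},
    {"EventName": "TCPTrafficAudit", "ProviderSID": "Windows Security Auditing 5156", "DetectionIP": "10.0.0.5"},
    {"EventName": "TCPTrafficAudit", "ProviderSID": "Windows Security Auditing 5156", "DetectionIP": "10.0.0.7"},
    {"EventName": "UDPTrafficAudit", "ProviderSID": "Windows Security Auditing 5152", "DetectionIP": "10.0.0.5"},
    {"EventName": "UDPTrafficAudit", "ProviderSID": "Windows Security Auditing 5152", "DetectionIP": "10.0.0.9"},
    {"EventName": "PPTPTrafficAudit", "ProviderSID": "Windows Security Auditing 5152", "DetectionIP": "10.0.0.5"},
    # Not WFP noise: a non-WFP security event and a malformed provider SID.
    {"EventName": "UserLogon", "ProviderSID": "Windows Security Auditing 4624", "DetectionIP": "10.0.0.5"},
    {"EventName": "TCPTrafficAudit", "ProviderSID": "Some Other Provider", "DetectionIP": "10.0.0.5"},
]

if __name__ == "__main__":
    print("\n".join(report_lines(SAMPLE_RECORDS)))
```

Classifying on both the alert name and the event ID, rather than on the name alone, means a record that carries a WFP alert name with an unexpected provider SID is surfaced as "not noise" instead of being silently counted with the background traffic.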
Nodes View Features

This topic describes the key features of the Nodes view and the Nodes grid, and how to refine the Nodes grid. The following table describes the key features of the Manage > Nodes view.

- Sidebar: Click the Sidebar button to alternately hide and open the Refine Results pane.
- Refine Results pane: By default, the Nodes grid shows all Nodes that are associated with all of your Managers. The Refine Results pane lets you apply filters to the Nodes grid to reduce the number of Nodes it shows. This way, you can show only those Nodes that are associated with a particular Manager, Connector Profile, status, etc.
- Nodes grid: The Nodes grid lists all of the Agent and Non-Agent nodes that are associated with each Manager and appliance that is monitored by the LEM Console. You can also Add a New Node and Scan for a New Node with the buttons in the toolbar.
- Respond menu: Use the Respond menu to perform an action on a particular Agent. For example, you can send an Agent a pop-up message, or shut the computer down. This menu behaves exactly as it does in the Monitor view's event grid.
- Remote Updates menu: This menu lets you control the Agent's automatic update status. Remote updates are a way for the Agent to automatically accept updated Agent software from the Manager when new software becomes available.
- Gear button: The gear button at the top of the grid opens commands that you can perform on multiple selections in the grid, and commands that do not require a grid selection. It includes commands for copying Agent information and for deleting Agents.

Nodes Grid Columns

The following table briefly describes the meaning of each column of the Nodes grid.

- Add Node: Displays a wizard to assist you in adding Nodes.
- Scan for New Nodes: Scans syslog data that has been sent to LEM.
164 Chapter 10: Manage Column Description Nodes The gear button in each row opens a menu of commands that you can perform on the item that is currently selected in the grid. l l l Status The Connectors command lets you configure the Agent’s connectors. The Delete command lets you delete Agent licenses from a Manager. The Copy command lets you copy Agent information to the clipboard for use with the Remote Agent Installer, or for analysis in another program, such as Microsoft Excel. The Agent’s current connection status: Icon Status Enabled Description Agent is Connected to a Manager. Disabled Agent is Not Connected to a Manager (that is, it is an open license). Node IP The Node’s IP address. Node Name The name of the system where the Node is installed. Typically, this is the computer name or host name assigned to the Note. Agent Node The LEM Manager or Agent on which the node's logs are stored. Note: This column is blank for LEM Agents. USB The Nodes’s current USB-Defender status. An icon ( ) means USB -Defender is installed on the Node. If no icon is present USB Defender is not installed on the Node. Note: This column is blank for non-Agent nodes. 165 Nodes Grid Columns Column Version Description The version number of the Node software. Note: This column is blank for non-Agent nodes. OS The operating system of the computer where the Node is installed. Note: This column is blank for non-Agent nodes. Profile The Connector Profile associated with the Node, if applicable. Note: This column is blank for non-Agent nodes. FIM The Node's current FIM status. Icon Status Description Operational At least 1 FIM Connector for this Node has been created and is running. Connector is configured and running. Non-operational No Not conicon figured Updates Enabled At least 1 FIM Connector or FIM Connector Profile configured for this Node and driver disabled Node is not assigned to a FIM Connector or FIM Connector Profile. Connector is not configured and running. 
This field indicates whether or not the Node is enabled for receiving remote updates.
• Enabled: The Node is enabled for receiving remote updates.
• Disabled: The Node is disabled from receiving remote updates.

Update Status: This field indicates the Agent's current software update status.
• Current: The Agent's software is current.
• Outdated: The Manager has an update newer than the version being used by this Agent.
• Updating: The Manager is currently sending an update to this Agent.
• Queued: The Agent is waiting to be updated while other Agents get updated. The number of Agents that can be updated at one time is determined by the Maximum Concurrent Updates setting in the Appliances view's Settings tab.
• Unknown: The Manager does not yet know the Agent's software status.
• Canceled: The user canceled the update while it was in progress.
• Error: An error occurred while updating.

ID: The Agent's unique identification number.

Manager: The Manager that this Agent is connected to. An Agent can only be connected to one Manager.

Install Date: The time and date the Agent was first installed and connected to the Manager.

Last Connected: The time and date the Agent was last connected to the Manager.

Adding a Syslog Node

The Add Node button displays a wizard that walks you through adding a Node to monitor a network device. The wizard locates the new node and then recommends an appropriate connector.

1. Click the Add Node button.
2. Select Syslog node.
3. Enter the IP Address of the node.
4. Select the Node Vendor from the list.
5. Configure the node so LEM can receive syslog messages. If you need help, click the links provided for enabling specific vendor devices.
6. Select the "I have configured this node so that LEM can receive its Syslog messages" check box.
7. Click Next. LEM then scans for new devices.
Scan for New Nodes

The Scan for New Nodes button scans the syslog data that has been sent to LEM and detects new nodes. You can use this if you have enabled many devices to send syslog to LEM and want to add and configure them all at once.

To scan for a new node:
1. Click the Scan for New Nodes button. Note: Scanning for new nodes may take a few minutes. If it does, you'll get a message that the scan is continuing in the background.
2. A New Connector(s) Found message displays as data is found from new devices.
3. Click View Now to add the recommended connectors for these devices.
4. Click Next. Note: Click the Summary tab to display a summary of the nodes and connectors that will be added to or updated in LEM as a result of the Scan for New Nodes.
5. Click Finish. Events from the new nodes appear in the LEM console as they are received from the devices.

Adding Nodes Manually

1. To configure additional nodes, navigate to Manage > Nodes to see a listing of all the nodes being monitored by LEM.
2. Select the desired node, then click the gear button next to it and select Connectors. Here you can search agent nodes by category or use the search box to find a node by keyword, such as DNS.
3. Click the gear icon next to the search result and select New to create a new node.
4. Configure the new node and select Start to start the node.

Refining the Agents Grid

By default, the Agents grid shows every Agent that is associated with every Manager that is monitored by the LEM Console. To help you work more efficiently with a long list of Agents, the Refine Results pane lets you apply filters to the Agents grid to reduce the number of Agents it shows. When you select options in the Refine Results pane, the grid refreshes to show only those items that match the refinement options you have selected. The other items in the grid are still there; however, they are hidden. To restore them, click the Reset button or select All in the refinement lists you are using.
The following table explains how to use the Refine Results form.

Reset: Click Reset to clear the form. This returns the form and the Agents grid to their default settings (showing all Agents for all Managers).

Search: Use this field to perform a keyword search for a specific Agent in the Name field. To search, type the text you want to search for in the text box. The grid displays only those Agents that match or include the text you entered.

Manager: Select the Manager you want to work with. Select All to include Agents from every Manager.

Profile: Select the Connector Profile you want to work with. Select All to include Agents from every Connector Profile.

Node: Select whether you want to view Agent or Non-Agent nodes.

Status: Select the connection status of the Agents you want to work with (Connected or Not Connected). Select All to include both.

Version: Select the version of the software on the Agent. Select All to include Agents of every version.

OS: Select the operating system (OS) of the computer the Agent is installed on. Select All to include all operating systems.

USB: Select the Agent's USB-Defender status (Installed or Not Installed). Select All to include both.

Chapter 11: Adding and controlling users and groups

This chapter discusses procedures for working with users and managing restrictions for LEM Reports and the LEM desktop console.

Adding New Users

The following procedure explains how to add and configure new users. You add each new user by opening and completing the User Information form. This form records each user's individual settings. It also allows you to record a user's email addresses, which the Manager can use to notify the user when an appropriate alert event occurs.

Starting with LEM version 5.4, the Build > Users component of the LEM console integrates with Microsoft Active Directory. Import domain users or groups to create LEM console users with domain credentials.
Note: Before you import any user into LEM, be sure the account in Active Directory includes a valid email address if you plan to send that user email messages for LEM rules. After you import a user, you cannot change or add the email address for the LEM user account.

To add a new user:
1. Open the Build > Users view.
2. At the top of the Users grid, click Add User. Below the grid, a blank User Information form appears. A completed form is shown here for reference purposes.
3. Complete the User Information form, as described in the following table.

Manager list: In the upper-right corner of the form, select the Manager this user will be associated with.

User Name: Type the user's system user name. This is the name the user will use when logging into the Manager. Note: The user names admin_role, audit_role, and reports_role cannot be used.

First Name: Type the user's first name.

Last Name: Type the user's last name.

Password: Type the user's system password. This is the password the user will use when logging into the Manager. This can be an initial system password or a temporary password that is assigned to replace a forgotten password. If you have the Must Meet Complexity Requirements option checked in the Appliances view's Settings tab, the Console enforces the following password policy:
• Passwords must have a minimum of six characters.
• Spaces are not allowed.
• Passwords must have two of the following three attributes:
  ◦ At least one special character
  ◦ At least one number
  ◦ A mix of lowercase and uppercase letters.

Confirm Password: Type the password a second time to verify that you entered it correctly.

Role: Select the appropriate role for this user:
• Administrators are users who have full access to the system, and can view and modify everything.
• Auditors are users who have extensive view rights to the system, but cannot modify anything other than their own filters.
• Monitors are users who can access the Console, but cannot view or modify anything, and must be provided a set of filters.
• Contacts are users who cannot access the Console, but do receive external notification.
• Guests are users who have extensive view rights to the system, but cannot modify anything other than their own filters.

View Role: After selecting a user role, you can click the View Role button to open the Privileges form, which shows the system privileges for that role. This information is provided here for reference purposes and cannot be changed.

Description: Type a brief description (up to 50 characters) of the user's title, position, or area of responsibility.

Contact Information: Use this section to record the user's email addresses, so the Manager can notify users of network security events by email. You can add as many email addresses as you need for each user. It is always a good idea to test each email address to confirm that it has been entered correctly and that it works properly.

To add the user's email address:
1. Click the "add" button.
2. In the box that appears, type the user's email address and then click Save.
3. The email address appears in the Contact Information section.
4. Repeat this procedure as needed, to record each email address that applies to the user.

To test an email address: In the User Information form's Contact Information area, click the test button for the email address you want to test. Verify that the user has received the email test message. If the message was not received, you may need to edit the email address.

Note: In order for the Manager's notification system to work, you must have the Manager's Email Connector Settings set up properly.

4. When you are finished, click Save to save the new user; otherwise, click Cancel.
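The password policy described for the Must Meet Complexity Requirements setting (six characters minimum, no spaces, two of three attributes) is easy to misread as "all three". The following is an added example, not LEM's own check, that applies the policy as the table states it; the guide does not say which characters count as "special", so treating ASCII punctuation as special is an assumption made here.

```python
"""Check a candidate password against the complexity policy described above.

Added example; this is not LEM's own validation code. 'Special character' is
taken here to mean ASCII punctuation, which the guide does not define (assumption).
"""
import string

SPECIAL_CHARACTERS = set(string.punctuation)  # assumption: what counts as "special"
MIN_LENGTH = 6
REQUIRED_ATTRIBUTES = 2  # two of the three attributes below must be present


def password_issues(password: str) -> list[str]:
    """Return the policy rules the password breaks (an empty list means it passes)."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    if " " in password:
        issues.append("contains a space")

    # The three attributes; the policy requires any two, not all three.
    has_special = any(c in SPECIAL_CHARACTERS for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_mixed_case = (any(c.islower() for c in password)
                      and any(c.isupper() for c in password))
    present = sum([has_special, has_digit, has_mixed_case])
    if present < REQUIRED_ATTRIBUTES:
        issues.append(f"has only {present} of the 3 attributes "
                      "(special character, number, mixed case); 2 are required")
    return issues


def meets_complexity(password: str) -> bool:
    """True when the password satisfies every rule of the policy."""
    return not password_issues(password)


if __name__ == "__main__":
    for candidate in ["Secur3t", "secret", "Ab 123", "S3c!"]:
        print(repr(candidate), password_issues(candidate) or "ok")
```

Reporting every broken rule rather than a single yes/no is deliberate: an administrator resetting a forgotten password gets told exactly why a temporary password was rejected, instead of guessing.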
To create a user from an Active Directory user:
1. Open your LEM console and log in to your LEM appliance.
2. Configure the Directory Service Query connector on your LEM appliance if you haven't already. For additional information, see Configuring the Directory Service Query Connector.
3. Click Build and then select Users.
4. Click the plus button, and then select Directory Service User.
5. Select the Organizational Unit and Group where you want to add the user.
6. Select the user you want to add from the Available Users column, and then click Select User.
7. Select a LEM Role in the User Information form. Click View Role to see details about each role.
8. Enter a user description. If you change the Description field, your changes only apply to the LEM user account, not the Active Directory account.
9. Click Save.

To create users from an Active Directory group:
1. Open your LEM console and authenticate to your LEM appliance.
2. Configure the Directory Service Query connector on your LEM appliance if you haven't already. For additional information, see Configuring the Directory Service Query Connector.
3. Click Build, and then select Users.
4. Click the plus button, and then select Directory Service Group.
5. Select the Organizational Unit to which the group you want to add belongs.
6. Select the group you want to add from the Available Groups column, and then click Select Group.
7. Select a LEM Role in the User Information form. Click View Role to see details about each role. Note: If you want members of this group to have different LEM user roles, change their roles individually after you complete this procedure.
8. Enter a description for these users if you want. If you change the Description field, your changes only apply to the LEM user accounts, not the Active Directory accounts.
9. Click Save.
Editing User Settings

Follow this procedure to edit an existing user's configuration settings. You can also edit the user's email addresses to make corrections or keep them current. If an email address becomes obsolete, you can also easily remove it. Only the description and the role can be edited for Active Directory users.

To edit a user's settings:
1. Open the Build > Users view.
2. In the Users grid, do one of the following:
• Double-click the user you want to work with.
• Click to select the user you want to work with. Then click the row's gear button and click Edit.
Below the grid, the User Information pane displays the user's current settings and becomes an editable form.
3. Make the necessary changes to the User Information form.
4. Click Save.

To delete a user's email address:
1. Open the Build > Users view.
2. In the Users grid, click to select the user you want to work with.
3. Click the row's gear button and then click Edit.
4. In the User Information form's Contact Information section, click the delete button next to each email address you want to delete. The system removes that particular contact information.
5. Click Save.

Deleting Users

Follow this procedure to delete a user from a Manager.

To delete a user:
1. Open the Build > Users view.
2. In the Users grid, click to select the user you want to delete.
3. Click the gear button and then click Delete. Note: You cannot delete the admin user from the system.
4. At the Confirmation prompt, click Yes to delete the user; otherwise, click No. The user is removed from the Users list. This user is no longer authorized to use the Manager.

Restricting LEM Reports

Access to LEM Reports is completely restricted by default. In order to run reports in LEM Reports for the first time, complete one of the procedures to specify which computers have access to your LEM database.
Add the computer on which you want to run reports to the list of "allowed" computers on your LEM Manager, or remove all LEM Reports restrictions.

To configure your LEM Manager to allow specific computers to run LEM Reports:
1. Log in to your LEM virtual appliance using either the vSphere "console" view, or an SSH client such as PuTTY.
2. At the cmc> prompt, enter service.
3. At the cmc::scm# prompt, enter restrictreports.
4. Press Enter.
5. Enter the IP addresses of the computers you want to run LEM Reports, separated by spaces. Note: Your entry overrides any previous entries, so ensure the list you provide is complete.
6. Enter y to confirm your entry.
7. Enter exit to return to the cmc> prompt.
8. Enter exit to log out of your LEM virtual appliance.

To remove all LEM Reports restrictions:
1. Log in to your LEM virtual appliance using either the vSphere "console" view, or an SSH client such as PuTTY.
2. At the cmc> prompt, enter service.
3. At the cmc::scm# prompt, enter unrestrictreports.
4. Press Enter. Note: Unrestricting LEM Reports makes the LEM database accessible from any computer on your network running LEM Reports.
5. Enter exit to return to the cmc> prompt.
6. Enter exit to log out of your LEM virtual appliance.

Chapter 12: Utilizing the Console

The LEM console displays normalized information about the events on your monitored devices in real time. The sections in this chapter address how to use the LEM console to view, respond to, and search for these events on a day-to-day basis. Unless otherwise stated, the functionality described in this chapter is identical between the web and desktop consoles.

Creating filters for real-time monitoring

You can create custom filters from the Monitor view in your LEM Console to display real-time traffic from your monitored computers and devices.

To create a filter in your LEM Console:
1. Open the LEM Console and log in to your LEM Manager as an administrator or auditor.
2. Click the Monitor tab.
3. Click the button at the top of the Filters pane, and then select New Filter to open Filter Creation.
4. Enter a Name and Description (optional) at the top of the Filter Creation view.
5. To modify the number of events your filter can store in memory, edit the Lines Displayed value next to the Name field. The default value is 1000.
6. Drag one of the following elements into the Conditions box.
• Events: Drag a single Event into your Conditions to filter for any instance of the Event you specify. This type of Condition does not require a value. The field at the top of the Events list is a search box.
• Event fields: Drag an Event field into your Conditions to filter for any Event that contains the value you specify.

Features of the List Pane

The list pane is the "accordion" list on the left side of Filter Creation, Rule Creation, and the nDepth explorer. It contains categorized lists of events, Event Groups, event fields, Groups (from the Groups grid), profiles, and constants that you can use when creating conditions for your filters, rules, and search queries.

If more than one Manager is linked to the Console, each item in the list pane lists the Manager it is associated with. Therefore, some list items may appear to be listed multiple times. But in reality, they are listed once for each Manager. Events are universal to all Managers, so they do not show a Manager association.

The following table describes the contents of each list in the list pane. They are listed in the order in which they appear.
If a list does not apply to a particular view, then it will not appear in that view.

Refine Fields: This list only appears with nDepth. It categorizes and lists the top 100 data details for each listed field found within your nDepth search results. The details change, depending on whether you are searching event data or log messages. You can use these details to create, refine, or append nDepth search conditions.
• The data categories are expanded by default.
  ◦ Click ▼ All to collapse all of the category nodes.
  ◦ Click > All to open all of the category nodes.
  ◦ Click > next to a category to open that category.
  ◦ Click ▼ next to a category to close that category.
  ◦ The number in parentheses next to each category indicates how many unique details are in that category.
  ◦ The number next to each detail indicates how many times that detail is reported in the search result's data.
• Click the ABC button to sort the details within each category alphabetically.
• Click the 321 button to sort the details within each category by frequency; the items that occur most often appear first within each category.
• Double-click a detail to add that detail to the search string.
• Drag a detail into the search bar to include that item in the search string.
• When using Search Builder, drag a detail into the Conditions box to add that item to the search string.

Managers: This list only appears in nDepth. It includes the various appliances that are being monitored by the Console. Use this list to select the Manager on which you want to perform an nDepth search. If you are storing the original event log data on a separate nDepth appliance, then you would select that appliance here when you want to search that data.
• In Drag & Drop Mode, you can drag an item from this list into the search box to include that item in the search string.
• When using Search Builder, you can drag an item from this list into the Conditions box.

Events: The Events list includes all of the Console's event types. You can show the events in either of two ways: as a hierarchical node tree, or as an alphabetized list. Both views contain the same events; they are just presented differently. You can search either view. To do so, begin typing a word or phrase in the box at the top of the list. The Events list will refresh to show any event types that include your word or phrase. Then use the list to select each event type that you want to include as a filter condition or a rule correlation.
• Hierarchical view: In the Events list, click this button to display the list as a hierarchical node tree. This is the Events list's default view. This view also has the following attributes:
  ◦ Lower-level event types are hidden by nodes in the event tree. To open a node, click the > icon. This displays the node's next level of events.
  ◦ Using the search box displays the event and its parent event types, so you can see how the event appears in the event hierarchy.
• Alphabetical view: In the Events list, click this button to list event types alphabetically, regardless of their position in the hierarchy.

Event Groups: The Event Groups list displays pre-configured groups of events that can be used to initiate a particular event filter condition or rule correlation. The top box lists the names of Event Groups. The Fields list displays those fields that apply to the Event Group that is currently selected.

Fields: The Fields list displays those data fields that apply to whichever event is selected in the Events or Event Groups list.

User-Defined Groups: This list displays the different preconfigured User-Defined Groups that apply to the Managers.
User-Defined Groups are groups of preferences used in rules and event filters that allow you to match, include, or exclude events, information, or data fields based on their membership in a particular Group. In most cases, User-Defined Groups are used in rules as a type of whitelist or blacklist for choosing which events to include or to ignore. User-Defined Groups are created in the Group Builder.

Connector Profiles: This list displays all the different Connector Profiles that apply to the Managers. Connector Profiles are groups of Agents that have common Connector configurations. You can use them to have your rules and filters include or exclude the Agents associated with a particular profile. Connector Profiles are created in the Groups grid.

Directory Service Groups: This list displays the Directory Service Groups that are synchronized with the Managers. Directory Service Groups are preconfigured groups of network computers and system users that you can use in rules and filters. They allow you to match, include, or exclude events for specific users or computers based on their Group membership. Directory Service Groups are synchronized to LEM through the Groups grid.

Time Of Day Sets: This list displays all of the different Time Of Day Sets that apply to the Managers. Time Of Day Sets are specific groups of hours that you can associate with rules and event filters. You can use them to have your filters include or exclude messages that occur during the hours associated with a particular Time Of Day Set, or to have your rules take different actions at different times of day. Time Of Day Sets are created in the Groups grid. Note: This list does not appear in nDepth.

State Variables: This list displays all of the different State Variables that apply to this Manager. The upper box lists the names of State Variables.
The lower box lists the various fields that apply to whichever State Variable is selected in the upper box. State Variables are created within the Groups grid. Note: This list only applies to rules.

Subscription Groups: This list displays all of the Console user names, and the Manager each user is currently associated with. Each name in the list represents the list of rules that each individual user is subscribed to. By adding a Subscription Group to a filter, you can build the filter so that it only displays event messages that are related to specific rules that a particular user is interested in (or "subscribed to"). Subscription Groups are created in the Rules grid. Note: This list only applies to filters and nDepth searches.

Constants: This list displays the three types of constants that rules and filters can use for comparing event data: text, number, or time.

Actions: This list displays all of the active responses that a rule can initiate, such as sending an email message, sending a pop-up message, blocking an IP address, etc. Note: This list only applies to rules.

Notifications: This list includes the various notification methods the Console can use to announce an event message for the filter. You can have the Console display a pop-up message, display the new event as "unread," play a sound, or have the filter name blink. If needed, you can configure multiple notification methods for the same filter. Note: This list only applies to filters.

Creating conditions to filter event reporting

Use the Conditions box to configure the conditions that determine which events a filter is to report. Conditions are the various rules that state when the filter is to display an event message. To define conditions, you drag event variables from the Events, Event Groups, and Fields lists into the Conditions box.
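To make the AND/OR and nested-group semantics of this section concrete, here is an added example, not LEM code, that evaluates a small condition tree of the kind the Conditions box builds over a handful of constructed events. The condition shape (an event field, an operator, and a constant), the operator names, and the shell-style wildcard handling for text constants are assumptions made for the example.

```python
"""Evaluator for nested AND/OR condition groups like those built in the Conditions box.

Added example; not LEM code. The condition shape (field, operator, constant), the
operator names, and the use of shell-style wildcards in text constants are assumptions.
"""
from fnmatch import fnmatchcase

# Constructed sample events (not real LEM output): one dict per normalized event.
SAMPLE_EVENTS = [
    {"EventType": "UserLogonFailure", "SourceMachine": "ws-01",
     "DestinationAccount": "jsmith"},
    {"EventType": "UserLogonFailure", "SourceMachine": "srv-db",
     "DestinationAccount": "administrator"},
    {"EventType": "UserLogon", "SourceMachine": "srv-web",
     "DestinationAccount": "jsmith"},
    {"EventType": "FileAuditFailure", "SourceMachine": "srv-file",
     "DestinationAccount": "svc-backup"},
]

# The comparisons an operator icon can cycle through (assumed set). "matches"
# honours the wildcard characters a text Constant allows (assumed: * and ?).
OPERATORS = {
    "=": lambda actual, constant: actual == constant,
    "!=": lambda actual, constant: actual != constant,
    "contains": lambda actual, constant: constant in actual,
    "matches": lambda actual, constant: fnmatchcase(actual, constant),
}


def matches(event: dict, node: dict) -> bool:
    """Return True if the event satisfies a single condition or a (nested) group.

    A group is {"logic": "AND" | "OR", "conditions": [...]}: AND requires every
    child to hold, OR requires at least one. A condition compares one event
    field (the event variable) to a constant using an operator.
    """
    if "conditions" in node:
        results = [matches(event, child) for child in node["conditions"]]
        if node.get("logic", "AND") == "AND":  # new groups default to AND
            return all(results)  # caveat: an empty AND group matches every event
        return any(results)
    actual = event.get(node["field"], "")
    return OPERATORS[node["operator"]](actual, node["constant"])


def apply_filter(events: list[dict], root: dict) -> list[dict]:
    """Keep only the events that meet the filter's combined conditions."""
    return [e for e in events if matches(e, root)]


def example_filter() -> dict:
    """Logon failures that target either a server or the administrator account:
    an AND group holding one condition and one nested OR group."""
    return {
        "logic": "AND",
        "conditions": [
            {"field": "EventType", "operator": "=", "constant": "UserLogonFailure"},
            {"logic": "OR", "conditions": [
                {"field": "SourceMachine", "operator": "matches", "constant": "srv-*"},
                {"field": "DestinationAccount", "operator": "=",
                 "constant": "administrator"},
            ]},
        ],
    }


def run_example() -> list[dict]:
    return apply_filter(SAMPLE_EVENTS, example_filter())


if __name__ == "__main__":
    for event in run_example():
        print(event["SourceMachine"], event["DestinationAccount"])
```

Note the caveat in the comment: a group with no conditions under AND matches everything, which is the usual cause of a filter that "shows every event" after a condition was deleted. Flipping the top-level AND to OR, as clicking the operator does in the Console, widens this filter to every logon failure plus every event from any srv-* machine.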
Then use the Conditions connectors (described below) to configure how these variables are to compare to other items, such as Time Of Day Sets, Connector Profiles, User-Defined Groups, Constants, and other event fields. You can also compare groups with AND/OR conditions. AND conditions state which events must all occur together before the filter shows an event. OR conditions state that if any one of several conditions occurs, the filter shows the event.

The combined conditions dictate when the event filter is to display an event. The filter ignores (and does not display) any events that do not meet these conditions.

The Conditions connectors allow you to configure relationships between events in the Conditions box, and to establish conditions for when the event filter is to display the event message. The following table describes each condition connector.

The Conditions box

The following table describes each feature of the Conditions box.

Expand/collapse buttons (> and ▼): Individual groups (and the entire Conditions box) can be expanded or collapsed to show or hide their settings:
• Click > to expand a collapsed group.
• Click ▼ to collapse an expanded group.
The number that appears in parentheses indicates how many conditions are contained in the group. Once a group is properly configured, you may want to collapse it to avoid accidentally changing it.

Add Group button: This button appears at the top of every group box. Click it to create a new group within the group box. A group within a group is called a nested group. Each group is subject to AND and OR relationships with the groups around it and within it. By default, new groups appear with AND comparisons.

Delete button: This button appears at the top of every group box. When you point to a condition, it also appears next to that condition. Click this button to delete a condition or a group.
Deleting a group also deletes any groups that are nested within that group.

Event variable: From the Events, Event Groups, or Fields list, drag an event, Event Group, or event field into the Conditions box. This is called the event variable. You can think of an event variable as the subject of each group of conditions. As event messages stream into the Console, the filter analyzes the values associated with each event variable to determine if the event message meets the filter's conditions.

Operators: Whenever you drag a list item or a field next to an event variable, an operator icon appears between them. The operator states how the filter is to compare the event variable to the other item to determine if the event meets the filter's conditions.
• Click an operator to cycle through the various operators that are available for that comparison. Just keep clicking until you see the operator you want to use.
• Ctrl+click an operator to view all of the operators that are available for that comparison. Then click to select the specific operator you want to use.

List item: List items are the various non-event items from the list pane. You drag and drop them into groups to define conditions based on your Time Of Day Sets, Connector Profiles, User-Defined Groups, Constants, etc. Some event variables automatically add a blank Constant as their list item. You can overwrite the Constant with another list item, or you can click the Constant to add a specific value for the constant. For example, clicking a text Constant turns the field into an editable text box so you can type specific text. The text field also allows wildcard characters. Note that each list item has an icon that corresponds to the list it came from. These icons let you quickly identify what kinds of items are defining your filter's conditions.

Nested group: A group within a group is called a nested group.
You may drag event variables and other items from the list pane into the nested group boxes. By using nested groups, you can refine conditions by combining or comparing one group of conditions to another. This allows you to create the logic for highly complex and exact conditions. The example above shows one nested group. It represents a set of conditions within a higher-level group.

AND / OR: Conditions (and groups of conditions) are subject to AND and OR comparisons. If you click an AND operator, it changes to an OR, and vice versa.

Creating a New Filter

Use the following procedure whenever you need to create a new filter. Configure the filter with the Filter Creation connector.

To create a new filter:
1. Open the Monitor view.
2. In the Filters pane, click the title bar of the filter group you want the new filter to reside in. If you change your mind later, you can always move the filter to a different group. The filter group opens to list the filters that are available for that group.
3. On the Filters pane, click the plus button and then click New Filter. The Monitor view changes from showing the event grid to showing the Filter Creation connector. The connector shows a new filter with the name [New Filter].
4. In the Name box, type a name for the filter. This is the name that will be used to identify the filter in the Filters pane.
5. In the Lines Displayed box, type or select the total number of events that are to be displayed in this filter. You can use the up and down arrow buttons to the right of the box to select a value. The default value is 1000 lines. You can select up to a maximum of 2000 lines.
6. In the Description box, type a brief description of what the filter does, or the situation for which the filter is intended.
7. Use the list pane and the Conditions box to configure the conditions that define the filter. These are conditions between events, Event Groups, event fields, and other components.
8. If you want special notification whenever the filter captures an event, drag an option from the Notifications list to the Notification box. Then configure the notification method.
9. Click Save to save the filter's settings.
10. If applicable, use the Filter Status section to verify, troubleshoot, and resolve any problems with the filter's logic.
When finished, the new filter appears in the filter group you selected in Step 2.

Editing an Existing Filter

Use the following procedure whenever you need to edit or rename an existing filter. Once the filter is open for editing, you can change its name, description, configuration, or notification settings, as needed. Filters are edited in the Filter Creation connector.

To edit an existing filter:
1. Open the Monitor view.
2. In the Filters pane, open the filter group that contains the filter you want to edit.
3. Select the filter you want to edit.
4. On the Filters pane, click the gear button and then click Edit. The Monitor view changes from showing the event grid to showing the Filter Creation connector.
5. Edit the filter's configuration, as required.
6. Click Save to save the filter's settings.
7. If applicable, use the Filter Status section to verify, troubleshoot, and resolve any problems with the filter's logic.

Cloning an Existing Filter

Cloning a filter lets you copy an existing filter, but save it with a new name. Cloning allows you to quickly create variations on existing filters.

To clone a filter:
1. Open the Monitor view.
2. In the Filters pane, select the filter you want to clone.
3. On the Filters pane, click the gear button and then click Edit.
4. Click the row's gear button and then click Clone. The newly cloned filter appears in the filter group, just below the original filter. A clone always uses the same name as the filter it was cloned from, followed by the word Clone. For example, a clone of the Virus Attacks filter is called Virus Attacks Clone.
A second clone of the Virus Attacks filter is called Virus Attacks Clone 2, and so on.
5. Edit the cloned filter, as needed, to give it its own name and to assign its own specific settings.

Pausing Filters

At any time, you can pause a filter to stop the stream of event messages that are appearing on that filter. This allows you to inspect a set of event messages without being interrupted by new incoming messages. You can pause each filter independently, or you can pause every filter on the Console.

To pause a filter:

1. Open the Monitor view.
2. In the Filters pane, click to select the filter you want to pause. The event grid changes to display the filter you selected.
3. Do either of the following:
   - On the event grid's title bar, click Pause.
   - On the Filters pane, click the gear button and then click Pause/Resume.

In the Filters pane, the word Paused appears next to the filter.

To pause all filters:

1. Open the Monitor view.
2. On the Filters pane, click the gear button and then click Pause All.

In the Filters pane, the word Paused appears next to every filter, except those that have been turned off.

Resuming Paused Filters

When a filter is paused, it ceases to receive any event traffic. To begin receiving event traffic again, you must resume the filter. You can resume each filter independently, or you can resume every paused filter on the Console.

To resume running a filter:

1. Open the Monitor view.
2. In the Filters pane, click to select the filter you want to resume. The event grid changes to display the filter you selected.
3. Do either of the following:
   - On the event grid's title bar, click Resume.
   - On the Filters pane, click the gear button and then click Pause/Resume.

In the Filters pane, the word Paused is replaced by the number of events that are currently associated with the filter.

To resume running all filters:

1. Open the Monitor view.
2. On the Filters pane, click the gear button and then click Resume All.

In the Filters pane, the word Paused is replaced by the number of events that are currently associated with each filter.

Turning Filters On and Off

Perhaps you only use a few filters on a regular basis. If so, you can turn off any unused filters. If you later decide you need a filter, you can easily turn it back on again. This "on/off" feature lets you conserve resources and stop monitoring a filter without taking the drastic measure of deleting it. When you turn a filter back on, it starts from that moment in time; it does not pull prior events from memory.

Filters are turned on and off from the Filters pane. Filters that are off appear in italic type and show a status of Off. Filters that are on appear in normal type.

To turn a filter off:

1. Open the Monitor view.
2. In the Filters pane, select the filter you want to turn off.
3. On the Filters pane, click the gear button and then click Turn Off.

In the Filters pane, the filter title is now italicized and reads Off in its status column. While the filter is no longer in use, it remains available for later use.

To turn a filter back on:

1. Open the Monitor view.
2. In the Filters pane, select the filter you want to turn on.
3. On the Filters pane, click the gear button and then click Turn On.

The filter appears in the event grid and begins processing data. In the Filters pane, the filter's status column changes from Off to the total number of events associated with the filter.

Copying a Filter

You can copy a filter. This allows you to quickly create variations on existing filters, or to use the same filter in multiple filter groups.

To copy a filter:

1. Open the Monitor view.
2. In the Filters pane, open the filter group that contains the filter you want to copy.
3. Now open the filter group that is to receive the copied filter.
4. In the first folder, click the filter you want to copy. Then press Ctrl while dragging the filter to the group that is to receive the copy.

A copy of the filter appears in the new filter group.

To create a variation of the original filter:

1. In the Filters pane, click to select the newly copied filter.
2. Click the Filters pane gear button and then click Edit.
3. In Filter Creation, rename and reconfigure the filter, as desired.
4. Click Save.

Importing a Filter

Event filters are saved on the workstation that is running the Console. If you move to another workstation, the filters will not follow. However, you can export the filters from one workstation and import them into another workstation. This allows you to move filters from one Console to another, so that another user can use the same filters on their Console, too. It also allows you to import filters that are provided by SolarWinds. You may import more than one filter at a time.

To import a filter:

1. Open the Monitor view.
2. In the Filters pane, select the filter group that is to receive the new filters.
3. On the Filters pane, click the gear button and then click Import Filters. The Select Filter File(s) to Import form appears.
4. In the Look In box, browse to the folder that contains the filters you want to import.
5. Select the filter files you want to import, and then click Open. To select multiple files, press the Ctrl key while clicking each file you want to import.

The imported filters appear in the filter group you selected in Step 2.

Exporting a Filter

When needed, you can export a filter. Exporting does not remove the filter; it copies the filter to another location. Exporting filters is useful for the following reasons:

- You can move filters from one Console workstation to another, so that other Console users can use the same filters.
- You can export your filters to a computer folder or network folder for archival purposes.
- You can provide SolarWinds with a copy of a filter for technical support or troubleshooting purposes.

Filters are exported from the Filters pane. You may export only one filter at a time.

To export a filter:

1. Open the Monitor view.
2. In the Filters pane, select the filter you want to export.
3. On the Filters pane, click the gear button and then click Export Filter.
4. In the Browse For Folder form, browse to the folder in which you want to save the exported file. If needed, you can click Make New Folder to create a new folder for the file.
5. Click OK. The system exports the filter file to the folder.

Deleting a Filter

When needed, you can delete a filter, which removes the filter from both the event grid and the Filters pane. Deleting a filter also deletes all of the widgets associated with that filter. Use caution when deleting a filter. The only way to restore it and its widgets is to recreate them.

To delete a filter:

1. Open the Monitor view.
2. In the Filters pane, click to select the filter you want to delete.
3. Do either of the following:
   - Click the selected filter's delete button.
   - Click the pane's gear button, and then click Delete.
4. At the confirmation prompt, click Yes.

The filter is deleted and no longer appears in the Filters pane.

Managing Filter Groups

The topics in this section explain how to create and manage filter groups in the Filters pane.

Adding a New Filter Group

1. Open the Monitor view.
2. Click the Filters pane plus button and then click New Group.
3. A new filter group appears, and its title bar is an editable text box.
4. Type a name for the new group and then press Enter.
5. The new filter group appears in the Filters list.

Filter groups are listed in the order in which you create them. However, you can rearrange them, as desired.

Renaming a Filter Group

1. Open the Monitor view.
2. In the Filters pane, do one of the following:
   - Double-click the title bar of the filter group you want to rename.
   - Click to select the title bar of the filter group you want to rename. Click the Filters pane gear button and then click Edit.
   The filter group's title bar changes to an editable text box.
3. Type a new name for the filter group and then press Enter.

Rearranging Filter Groups

By default, new filter groups appear at the bottom of the Filters pane. However, you can rearrange your filter groups so they appear in a different order. For example, you may want to put your most frequently used filter groups toward the top of the pane, and your lesser used groups toward the bottom.

To move a filter group:

1. Open the Monitor view.
2. In the Filters pane, click the title bar of the filter group you want to move, and then drag it to its new position.

Moving a Filter From One Group to Another

Once you have created your filter groups, you can organize your filters into them by dragging them from one group to another.

To move a filter from one group to another:

1. Open the Monitor view.
2. In the Filters pane, open the filter group that contains the filter you want to move.
3. Do either of the following:
   - Click the filter you want to move; then drag and drop it just below the title bar of the group that is to receive the filter.
   - Open the filter group that is to receive the filter. Then drag the filter from its original group into position in the new group.

The filter appears in its new filter group.

Deleting a Filter Group

When needed, you can delete an entire filter group. Deleting a filter group deletes all of the filters that are stored within that group and all of the widgets that are associated with those filters. Before deleting a filter group, be sure to move any filters you want to save into another filter group.

To delete a filter group:

1. Open the Monitor view.
2. In the Filters pane, click to select the filter group you want to delete.
3. Do either of the following:
   - Click the filter group's delete button.
   - Click the pane's gear button, and then click Delete.
4. At the confirmation prompt, click Yes.

The filter group and all of its filters are deleted and no longer appear in the Filters pane.

Responding to Events

The event grid's Respond menu lets you take direct action on a particular event message. Each Respond command opens the Respond form. The Respond form includes data from the field you selected and options for customizing the action, just as you would configure a rule's active response in Rule Creation.

The Respond menu is context-sensitive. The event type or cell that is currently selected in the event grid determines which responses you may choose from.

1. In the Monitor view's event grid, click the specific cell of the event message you want to respond to.
2. Click the event grid's Respond menu, and then select the type of response you want to make. You can choose between All Actions and a list of commonly used actions. The Respond form appears, which has three main sections.
3. In the middle of the form, complete the action's configuration fields. You can do this by typing text into each field, by dragging and dropping information from the form's event information section, or some combination of the two.
4. Click OK to execute the action. Otherwise, click Cancel.

Using the Respond Form's Drag and Drop Functionality

In the Respond form, you can drag and drop information from the form's event information section (at the bottom of the form) into its action configuration fields (in the middle of the form). You can use this method to do any of the following:

- add content to a blank field
- replace the content of a field
- add to the content that is already in a field

You can also use a combination of typing and drag and drop to configure an action.

To place event information into a field:

Follow this procedure to add content to a blank configuration field or to replace the content of an existing configuration field.

1. In the Respond form's event information grid, scroll to locate the field that contains the data element needed to configure the action.
2. Click the data and then drag it into the appropriate action configuration field (in the middle of the Respond form). The new data element appears in the configuration field.

To add to the contents of a field from the event information:

Follow this procedure to add new field information to a configuration box, rather than replace it. Typically, you will use this procedure to add multiple data elements to the Message box.

1. In the Respond form's event information section, scroll to locate the field that contains the data element you want to add to the configuration field.
2. Select the information field's contents by clicking its data in the Information column.
3. Press Ctrl, then drag the data into the appropriate action configuration field (in the middle of the form) to add the new data element to the configuration field.

Review events with the Event explorer

The Event explorer, which can only be opened from the Monitor view, lets you view all of the events that are related to the event message currently selected in the Console. The Event explorer displays both sequential and concurrent events. That is, you can view the events that occurred before, during, and after the event message occurred. You can also monitor events in real time, to see where they came from and where they are going.

You can explore any event in the Console. When you explore an event, the Console makes a request to the Manager to determine which events are related to that event.
The Event explorer then displays a summary of events that occurred before, during, and after the system issued the event. The Event explorer shows only those events that relate to the event you selected. That is, it shows the event that triggered the event, and any events that occurred because of that event (such as a response, notification, or other event). With its straightforward graphical display, the Event explorer can help you visualize how an event occurred and the system's response to that event. You can follow the chain of events that caused the event, and help determine its root cause.

Opening the Event explorer

You can only open the Event explorer from the Monitor view's event grid. You may explore any event that appears in the grid.

To open the Event explorer:

1. In the Monitor view's event grid, click to select the event you want to explore.
2. In the event grid's Explore menu, click Event.

The Explore view opens, showing the Event explorer. The Event explorer shows all of the events that are associated with the event you are exploring. The event that you are currently focusing on appears in the History pane. In this case, it is the event itself.

Event Explorer features

The Event explorer has three main sections: the information pane, the event map, and the event grid. The following table describes the key features of each section. The following topics explain how to use each feature in detail.

Name: Description

- Event Details button: Click this button to alternately open and close the Event Details pane.
- Event Details pane: The Event explorer's Event Details pane displays information about the event that is currently selected in the event map or the event grid. It provides detailed information about the event. It displays a written definition of the event. It allows you to create a new filter based on the event. You can also copy text from this pane and paste it into explorers to explore specific data. This pane works exactly like the Event Details pane in the Monitor view.
- Event map: The event map displays a graphical view of the event you are exploring, as well as the related events that came before and after the central event. The event you are exploring appears in the middle. Prior events appear to the left. Events that follow appear to the right. You can double-click any event to move that event to the middle, which allows you to view its relationship with other events.
- Stop: Click Stop to cancel an explorer lookup at any time.
- Next/Previous: You can step through the events in the map by clicking the Next and Previous buttons.
- Pane divider: Drag this bar up or down to resize the event map and event grid panes.
- Event grid: The event grid provides a tabular version of the event map. The events are listed chronologically, from earliest to latest. Clicking an event in the grid highlights the corresponding item in the event map. The information pane also changes to show information about the event you have selected. You can sort the event grid by each of its columns, so long as you click Pause first.
- Scroll bars: The vertical and horizontal scroll bars let you quickly scroll through the information pane, larger event maps, and the event grid. For example, you can use the event grid's scroll bars to view the full range of events and all of the data associated with each event.

Exploring events

The event grid's Explore menu lets you use an explorer to investigate a particular event or one of its data fields. For example, if you select an InsertionIP cell, your explorer options include the Whois, Traceroute, and NSLookup explorers. If you click the EventInfo cell, your only explorer option is nDepth, because only that explorer can search the raw data for an arbitrary string.

To explore an event:

1. Open the Monitor view.
2. In the Filters pane, select the filter you want to work with. The event grid displays the filter you have selected.
3. In the event grid, click the row (or cell) you want to explore.
4. In the filter's Explore menu, select the explorer you want to work with.

The Explore view appears, showing the explorer you selected. The explorer contains the data for the cell you selected.

Using the Event Map

The top section of the Event explorer is called the event map. The event map displays a graphical view of the event you are exploring, as well as related events that came before and after the central event. Each event in the map can be thought of as a node that links to other events.

When you first open an event in the Event explorer, that event is always the central event in the event map. However, you can double-click any related event to move that event to the center of the map. This lets you see the events that came before and after that event. In this way, you can move through the entire chain of events to analyze the relationships between them.

Reading an Event Map

- Read the map from left to right.
- The Event explorer always places the event you are currently exploring in the middle of the map.
- Related events prior to the central event appear to the left. These events "caused" the event you are exploring. If there are no prior events, this appears as a box labeled None.
- Related events that follow the central event appear to the right. These events followed or were "caused by" the central event. These are the various system responses (if any) that were triggered by the central event. If there are no events that follow, this appears as a box labeled None.
- If the same event occurs multiple times, they appear together in a box, like the one shown above for the prior events. In this example, WebTrafficAudit occurred 10 times before triggering the rule, so they are grouped together. You can use the scroll bar to view each event. You can also select each event in the box to view information about it in the information pane.
- Double-click an event in the event map to move that event to the center position. The map then displays the related events that came before and after the new central event. As before, events prior to the central event appear to the left; events that follow the central event appear to the right. When you select a new central event, the information pane changes to show information about that event. The event grid also refreshes to reflect the new central event.
- Click Prev (previous) to move the previous event in the map to the center position.
- Click Next to move the next event in the map to the center position.
- Click Stop to cancel an explorer lookup at any time.
- Click an event in the event map to highlight the corresponding item in the event grid.

Event Map Legend

Events that appear in the event map can be events, rules, or commands (system responses to an event). Each type of event in the map has its own icon. The following list explains each icon (the icon images themselves are not reproduced here):

- An event from the Audit Event tree.
- An event from the Security Event tree.
- An event from the Asset Event tree.
- An event from the Incident Event tree.
- An event from the Internal Event tree that is not related to rules or active response activity.
- An internal command that indicates the system has taken action to respond to an event.
- Rule activity, either from a rule in test mode, or from a rule that has initiated an actual active response.

Using the Event Grid

The event grid lists all of the events that appear in the event map in a tabular form. Events are listed chronologically, from the earliest event (top) to the latest event (bottom). The grid is useful for comparing events and for exploring event data. The event grid's Order column icons indicate when each event occurred, as described in the following table.
Order column icons (the icon images themselves are not reproduced here):

- The event occurred before the central event shown in the event map.
- The event occurred during (as part of) the central event.
- The event occurred after the central event shown in the event map.

The columns in the event grid show detailed information about the event. The columns vary, depending on the event you are viewing.

Viewing information in the event grid

- Click an event in the grid to highlight the corresponding item in the event map. The information pane also changes to show information about the event you have selected.
- When needed, you can use the vertical scroll bar to view all of the events.
- Use the horizontal scroll bar to view all of the data fields associated with a particular event. This same data also appears in the information pane, but as text.
- Click an individual cell in the grid to explore that field.
- Point to an individual cell in the grid to see a ToolTip that displays the complete contents of the cell.

Exploring From the Event Grid

1. In the event map or the event grid, select the event you want to explore.
2. In the event grid, select the specific field you want to explore.
3. In the Explore menu, select the explorer you want to work with. Only those explorers that are valid for the selected fields are available. The explorer appears, with the field data you selected appearing in the Search box.
4. If you are using the nDepth Explorer, click Search. The other explorers begin searching automatically.

To respond from the event grid:

1. In the event map or the event grid, select the event you want to respond to.
2. In the event grid, select the specific field you want to respond to.
3. In the Respond menu, select the response you want.
4. Complete the Respond form.

Using the Event Details Pane

In the Event explorer, the upper-left pane is called the Event Details pane. It has two different views to show the properties of the event that is currently selected in the event map or the event grid:

- The Event Details view displays detailed information about the event that is currently selected in the grid. If more than one event is selected, it shows the properties of the last event to be selected.
- The Event Description view displays a written description of the last event to be selected in the grid.

You can also use this pane to create a filter based on the selected event, to scroll through the contents of the event grid, or to explore specific event data with other explorers.

Opening and Closing the Event Details Pane

You can open and close the Event explorer's Event Details pane in one of two ways:

- Click the event map's Event Details button.
- Position your pointer over the two thin lines next to the Event Details pane (or, if the pane is closed, next to the left side of the event map). When the pointer turns into a double-headed arrow, double-click to open or close the pane.

When the Event Details pane opens, it shows information about the event that is currently selected in the event map or event grid.

Viewing an Event's Event Details

To view detailed information about a particular event, do either of the following:

- Click the event in the event map.
- Click the event in the event grid.

The Event Details pane displays information about the event you selected.

Exploring From the Event Details Pane

1. Use the toolbar at the top of the Event Details pane, as described in the following table (the button icons themselves are not reproduced here).

   Button: Description

   - Button that creates a new filter: Click this button to create a new filter that captures the currently selected event type. Upon doing so, the Monitor view opens, with the new filter open in the event grid. The new filter appears in the Filters pane, under the last selected filter. If needed, you can edit the filter so it captures events of an even more specific nature.
   - Up and down buttons: Click these buttons to move up and down among the events in the event grid. The pane shows detailed technical information about each event that is selected. This lets you view the technical details and written descriptions of each event in the grid. Remember, you can also use your keyboard's up (↑) and down (↓) arrow keys:
     - To cycle through the events in the event grid, click anywhere in the event grid. Then use your up and down arrow keys.
     - To cycle through the fields in the Event Details pane, click anywhere in the Event Details grid. Then use your up and down arrow keys.
   - Event Details view button: Click this button to open the pane's Event Details view. This view shows detailed information about each of the selected event's data fields. The actual fields that appear here vary, according to the event type that is currently selected. For example, network-oriented events show fields for IP addresses and ports. Account-oriented events show account names and domains.
   - Event Description view button: Click this button to open the pane's Event Description view, which provides a detailed written description of the event type that is currently selected.

2. In the event map or the event grid, select the event you want to explore.
3. In the Event Details pane's Information column, click the event field you want to explore.
4. In the Explore list, select the explorer you want to work with. The explorer appears, with the field data you selected appearing in the Search box.
5. If you are using the nDepth Explorer, click Search. The other explorers begin searching automatically.

Performing nDepth Searches

Data searches are at the heart of nDepth. For that reason, SolarWinds has invested a lot of effort to provide you with useful search results with the least amount of effort. Mastering a few basic techniques can provide you with most of the information you will ever need. The topics in this section explain the most common procedures you need to get the most out of your nDepth searches.
Data searches are at the heart of nDepth. For that reason,SolarWinds has invested a lot of effort to provide you with useful search results with the least amount of effort. Mastering a few basic techniques can provide you with most of the information you will ever need. The topics in this section explain the most common procedures you need to get the most out of your nDepth searches. Use the following procedure to perform an nDepth search. This method is the same, regardless of which nDepth view you are using. To perform a search: 1. Open the Explore >nDepth view. 2. Use the search bar's far-right toggle switch to choose the type of data you want to explore: l l Select Events (left position) to search the normalized event data that appears in the Monitor view. Select Log Messages (right position) to search the actual log entries that are recorded on your network products' log files. If this position is disabled, it means your equipment does not have the capacity to store and search the original log messages. 3. Use the search bar's far-left toggle switch to select how you want to enter the search string: 208 Performing nDepth Searches l l Select Drag & Drop Mode (upper position) to drag items from the list pane or the Result Details view directly into the search box. This is the recommended position, as it is it the easiest to use and the best way to avoid mistakes. Select Text Input Mode (lower position) to type search strings directly in the search box. 4. In the search box, enter your search string. By default, the search box includes a "this item exists" condition, so you can begin searching right away, without having to drag and drop anything. To use this condition, click an item on one of nDepth's graphical tools, or type or paste a search string directly in the text box. In Drag & Drop Mode, the search box indicates when a particular configuration is invalid: l l If a condition field is yellow, it means the search's configuration is invalid. 
If a condition field is red, the search conditions do not apply to the type of data you are currently searching. For example, you are searching log messages with conditions that are meant for event data.
5. If you select more than one condition, determine the AND/OR relationship between each condition. Click the operator icon to toggle between AND and OR. By default, each condition in the search string is joined with AND. There is one exception: if you select multiple items from a single widget, that group of items is joined with OR.
6. In the time selector, select the time frame you want to search. By default, nDepth reports your network event activity over the last 10 minutes (the end time is now, and the start time is 10 minutes ago). See Creating Custom time frames. Be aware that the longer the time frame, the more search results you will get.
7. Click the Search button to run the search. If needed, you can stop a search at any time by clicking the stop button on the search bar. After a moment, nDepth's graphical tools summarize your search results. The Result Details view shows the actual data.

Creating Search Conditions
nDepth lets you create search conditions in many different ways. The following table explains how to add search conditions. Most techniques work in both Drag & Drop Mode and Text Input Mode; dragging items applies to Drag & Drop Mode, and typing or pasting a search string applies to Text Input Mode.

To clear a search from the search box: On the search bar, click the round Delete All button (next to the Search button).
To add a new search: 1. On the search bar, click the Delete All button to clear the search box. 2. Add new search conditions by using any of the techniques in this table.
To add conditions to an existing search: Use any of the techniques listed in this table. nDepth automatically adds new search conditions to the search string.
To add a search condition from a widget or other graphical tool: Click an item in a graphical tool to add that item to the search box.
To add a search condition from the list pane: In the Refine Fields list, double-click an item. Or, in any list, select the item you want to work with, then drag that item directly into the search box.
To add a search from Search Builder: Configure a search with Search Builder. Search Builder automatically populates the search bar with its search configuration, because the search bar and the Search Builder are different views of the same search.
To add a search condition from the Result Details view: Select a character string from the data, then double-click the string to add it to the search box. Or select the string and drag it into the search box. Or select the string, copy it (Ctrl+C), and paste it (Ctrl+V) into the text box.
To type a search string: Type the search string directly in the search box.
To perform the search: On the search bar, click the Search button.

Deleting Items From Search Strings
As with the Search Builder, you can use the search bar to delete search conditions from a search string. There are buttons to delete individual conditions, groups of conditions, or the entire string. The following table explains how to delete search conditions directly from the search bar. For the examples in this table, suppose you have a set of search conditions that looks like this:
Severity = 4 AND ( InsertionIP = SolarWinds-demo50 OR InsertionIP = intrepid )

To delete an individual search condition: Click the delete button next to the condition in the search string. Example: Use this method to delete Severity = 4.
To delete a group of conditions: Click the delete button at the far right of the search box. Example: Use this method to delete the OR group containing the two Insertion IPs.
To delete the entire search string: Click the round Delete All button (next to the Search button). Example: Use this method when you want to delete the entire search string to begin a new search.

Creating Custom time frames
Use the following procedure to create a custom time frame for your nDepth queries.
To create a custom time frame:
1. In the search bar's time selector list, click Custom range. Use the calendars that appear to set your From and To date and time range. By default, the custom time frame shows the time frame of your last search.
2. Use the two calendars to select the start (From) date and time, and the end (To) date and time, as described in the following table.
To pick a date in the month shown: Click the date.
To go to an earlier month: Click ◄.
To go to a later month: Click ►.
To go to an earlier year: Click ▼.
To go to a later year: Click ▲.
To select a different time: Type a new time directly in the time box. Or, in the hour, minute, and second fields, click ▼ for an earlier value or ▲ for a later value.
Note: You can use your keyboard's up, down, right, and left arrows to move within the calendar and to select a time.
3. To close the calendar, click anywhere outside of its boundary.

Saving a Search
You can save any search that you create so you can reuse it at any time. Saved searches include your entire search string as well as the time frame you have selected.
To save a search:
1. In nDepth, perform a search as described above, until your results are satisfactory.
2. Click the gear button and then click Save As. The Save This Search form appears.
3. In the Search Name box, type a name that will help you remember the focus of this search. You can type up to 200 characters.
4. Click OK. Your search appears in the Saved Searches pane. Each saved search is marked with an icon that shows whether it searches event data or original log messages.
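The search string used in the examples above, Severity = 4 AND ( InsertionIP = SolarWinds-demo50 OR InsertionIP = intrepid ), is worth seeing evaluated against real records, because the default AND between conditions, the OR group a multi-item widget selection produces, and the per-condition versus per-group delete buttons each change the result set differently. The following Python script is an added example and is not part of the LEM guide or of the product: its grammar (field = value, AND/OR, parentheses) is inferred from the example string, and the events it searches are constructed sample data, not LEM's own record format.

```python
"""
Added example (not from the LEM guide): evaluator for nDepth-style search
strings. Shows the default AND between conditions, the OR group produced by
a multi-item widget selection, and what deleting one condition versus one
group does. Grammar inferred from the guide's example; events are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Sequence, Union

# Tokens: parentheses, AND/OR as whole words, '=', and bare values
# such as SolarWinds-demo50.
TOKEN_RE = re.compile(r"\(|\)|\bAND\b|\bOR\b|=|[^\s()=]+")


@dataclass
class Condition:
    field_name: str
    value: str

    def matches(self, event: dict) -> bool:
        # Values compare as strings; an event without the field never matches.
        return str(event.get(self.field_name, "")) == self.value


@dataclass
class Group:
    operator: str                                   # "AND" or "OR"
    children: List[Union["Group", Condition]] = field(default_factory=list)

    def matches(self, event: dict) -> bool:
        results = (child.matches(event) for child in self.children)
        return all(results) if self.operator == "AND" else any(results)


Node = Union[Group, Condition]


def parse(search: str) -> Group:
    """Turn 'A = x AND ( B = y OR B = z )' into a Group tree.

    Conditions joined without an explicit operator default to AND, as the
    guide states. One group carries one operator; mixing AND and OR at the
    same level without parentheses is rejected as ambiguous.
    """
    tokens = TOKEN_RE.findall(search)
    pos = 0

    def parse_group(nested: bool) -> Group:
        nonlocal pos
        group = Group("AND")
        operator = None
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == ")":
                if not nested:
                    raise ValueError("unbalanced ')'")
                return group
            if tok in ("AND", "OR"):
                operator = tok
                continue
            if tok == "(":
                node: Node = parse_group(nested=True)
            else:
                if pos + 1 >= len(tokens) or tokens[pos] != "=":
                    raise ValueError(f"expected 'field = value' at {tok!r}")
                node = Condition(tok, tokens[pos + 1])
                pos += 2
            joiner = operator or "AND"
            if len(group.children) >= 2 and group.operator != joiner:
                raise ValueError("mixed AND/OR in one group; use parentheses")
            if group.children:
                group.operator = joiner
            group.children.append(node)
            operator = None
        if nested:
            raise ValueError("missing ')'")
        return group

    return parse_group(nested=False)


def widget_selection(field_name: str, values: Sequence[str]) -> Group:
    """Selecting several items from one widget yields an OR group, not ANDs."""
    return Group("OR", [Condition(field_name, v) for v in values])


def remove_child(group: Group, index: int) -> Group:
    """The delete button beside one condition, or at the right of a group,
    removes just that child; the rest of the search string is untouched."""
    kept = group.children[:index] + group.children[index + 1:]
    return Group(group.operator, kept)


def to_search_string(node: Node, top: bool = True) -> str:
    if isinstance(node, Condition):
        return f"{node.field_name} = {node.value}"
    inner = f" {node.operator} ".join(to_search_string(c, False) for c in node.children)
    return inner if top else f"( {inner} )"


def search(tree: Group, events: Sequence[dict]) -> List[dict]:
    return [e for e in events if tree.matches(e)]


# Constructed sample events; field names follow the guide's example string.
EVENTS = [
    {"Severity": 4, "InsertionIP": "SolarWinds-demo50", "EventInfo": "Logon failure"},
    {"Severity": 4, "InsertionIP": "intrepid", "EventInfo": "Logon failure"},
    {"Severity": 2, "InsertionIP": "intrepid", "EventInfo": "Service started"},
    {"Severity": 4, "InsertionIP": "dc01", "EventInfo": "Account locked"},
]
GUIDE_EXAMPLE = "Severity = 4 AND ( InsertionIP = SolarWinds-demo50 OR InsertionIP = intrepid )"

if __name__ == "__main__":
    tree = parse(GUIDE_EXAMPLE)
    print(to_search_string(tree), "->", len(search(tree, EVENTS)), "events")
    no_severity = remove_child(tree, 0)     # delete "Severity = 4"
    print(to_search_string(no_severity), "->", len(search(no_severity, EVENTS)), "events")
    no_group = remove_child(tree, 1)        # delete the OR group
    print(to_search_string(no_group), "->", len(search(no_group, EVENTS)), "events")
```

Against the four constructed events, the full string matches two; deleting Severity = 4 widens the result to three (the OR group alone), and deleting the OR group also gives three (every Severity 4 event, whatever its InsertionIP). The parser refuses a flat "A AND B OR C" for the same reason the search bar forces you to toggle a single operator per group: the intended grouping is otherwise ambiguous.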
Using a Saved Search
One of the benefits of saving a search is that you can reuse it at any time. Saved searches are stored in the Saved Searches pane and are listed alphabetically.
To use a saved search:
1. Open the Explore > nDepth view.
2. If the Saved Searches pane is not visible, click the History button to open it.
3. On the search bar, select the type of data you want to search: Events or Log Messages.
4. In the Saved Searches pane, click the search you want to run. After a moment, nDepth shows the search results.
Pointing to a search in the Saved Searches pane displays a ToolTip with the full name of the search.

Making Changes to a Saved Search
When needed, you can make changes to any of your saved searches, and then save your changes as the search's new configuration.
To save your changes to a search:
1. Open the Explore > nDepth view.
2. If the Saved Searches pane is not visible, click the History button to open it.
3. In the Saved Searches pane, click the name of the search you want to change.
4. Use the search bar to reconfigure the search, as needed.
5. Click the gear button and then click Save. The search is now saved with the new configuration. The next time you run it from the Saved Searches pane, it will run with this configuration.

Exporting nDepth Search Results to PDF
The results of any nDepth search can be exported to a full-color, printable report. The report is exported as a PDF file for easy storage, printing, and e-mail attachment.
Note: PDF reports are limited to 25,000 events or log messages. If you need a larger report, use the Result Details view to export your search results to a spreadsheet in CSV format.
To export nDepth search results to PDF:
1. In nDepth, perform a search so nDepth shows the information you want reported.
2. Click the gear button and then click Export.
3. Customize your report in the nDepth Export window using the following options.
a. Use the navigation bar at the bottom to preview your search results in the default format.
b. Use Insert Page Before Current Page on the navigation bar to add a blank report page.
c. Use Toggle…orientation on the navigation bar or on an individual report page thumbnail to switch between portrait and landscape page orientation.
d. Click Items on the left to open a list of report items that you can drag into your report body.
e. Click Saved Layouts on the right to open a list of options related to saving and applying report layouts.
f. Hover over report pages and other elements, such as titles, graphs, and text, to access additional configuration options. Options to clear all page contents, enter static text, and delete pages or other elements appear as you hover over each element.
g. Drag charts and graphs to rearrange them in the report body.
4. Click Export to PDF to export the report in the Preview pane.
5. In the Save PDF As window, choose a destination and file name for your report.
6. Click Save.

Exploring Search Results from Graphical Views
When using nDepth's graphical views, you can investigate specific event details in your search results with other explorers. For example, you could look up a suspicious IP address with the NSLookup, Traceroute, or Whois explorers to find out where that IP is located.
Note: When using explorers from nDepth's graphical views, you must manually type the event detail you want to explore. The information is not automatically "fed" into the explorer, as it is from nDepth's Result Details view.
To explore details with other explorers:
1. From any of nDepth's graphical views, click the Explore menu. Then select the explorer you want to use. The Explore > Utilities view appears.
2. Type the event detail into the appropriate explorer field.
3. Click Search or Analyze, as applicable to the explorer.

Taking Action on Event Details
When using nDepth's graphical views, you can respond to any item that is reported in nDepth's search results. If you see something unusual, you may want to take corrective action. For example, you could send a popup message to a user account, or block a hostile IP address. Use the following procedure to initiate a response or corrective action for a particular event or event detail.
To initiate a response:
1. From any of nDepth's graphical views, click the Respond menu. Then select the response you want.
2. Complete the Respond form, as applicable for the response.

Deleting a Saved Search
When needed, you can delete any unwanted searches from your Saved Searches pane. Deleting a saved search is permanent. If you want to restore the search, you will have to recreate it and save it.
To delete a saved search:
1. Open the Explore > nDepth view.
2. If the Saved Searches pane is not visible, click the History button to open it.
3. In the Saved Searches pane, point to the search you want to delete; then click the delete icon next to the search.
4. At the confirmation prompt, click Yes.
Managing Connectors
Use the following procedure whenever you need to open the Connector Configuration form. This form is used for the following reasons:
● To configure and manage a Manager's sensor, actor, and notification connectors.
● To configure and manage an Agent's sensor and actor connectors.
● To change the connectors configured in an Agent's Connector Profile.
Note: To change a Connector Profile's membership and properties, edit the Connector Profile in the Build > Groups view.
You must be logged on to a Manager before you can configure its connectors or its Agents' connectors.
To open a Manager's Connector Configuration form:
1. On the LEM Console, click Manage > Appliances.
2. In the Appliances grid, click to select the Manager you want to work with.
3. If needed, log in to the Manager. To do so, click the gear button and then click Login.
4. Click the gear button and then click Connectors. The Connector Configuration for [Manager] form appears. You may now add the connector instances for each network security product or device this Manager is to monitor or interact with on the Manager computer.
To open an Agent's Connector Configuration form:
1. If needed, log in to the Manager you want to work with.
2. On the LEM Console, click Manage > Agents.
3. In the Agents grid, click to select the Agent you want to work with.
4. Click the gear button and then click Connectors.
● If the Agent is not in a Connector Profile, the Connector Configuration for [Agent] form appears. You may now add the connector instances for each network security product or device this Agent is to monitor or interact with on the Agent's computer.
● If the Agent is in a Connector Profile, the Agent Connector Configuration prompt appears and warns you that the Agent belongs to a Connector Profile. You can choose to edit the Connector Profile, which affects every Agent in that profile, or you can remove the Agent from the profile to configure the Agent separately.
5. Do one of the following:
● To edit the Connector Profile, click Connector Profile. The Connector Configuration for [Connector Profile] form appears. You may now begin adding, editing, or deleting the connector instances associated with that Connector Profile.
● To remove the Agent from the Connector Profile and configure its connectors separately, click Agent Connector Configuration. The Connector Configuration for [Agent] form appears. You may now add the connector instances for each network security product or device this Agent is to monitor or interact with on the Agent's computer.
Adding New Connector Instances
In this procedure, use the Connector Configuration form to do the following:
● Configure the connector settings for each sensor that is to gather data from a network security product's event logs.
● Configure the connector settings for each actor that is to initiate an active response from a network security product or device.
Each configuration of a sensor or actor connector is called a connector instance. Most products write to only one log source, so a single connector instance will suffice. However, some products write to more than one log. For these products, create separate connector instances, one for each log source. When a product requires more than one instance, differentiate between them by assigning each instance a unique name, called an alias.
To add a new connector instance:
1. Open the Connector Configuration form for the Manager or Agent you want to work with.
2. If desired, use the Refine Results pane to select the connector Category you want to work with.
3. In the Connectors grid, click to select the connector to be configured. The connector's icon shows whether it is for a sensor or for an actor.
4. Do either of the following:
● At the top of the Connectors grid, click New.
● Click the connector row's gear button and then click New.
The Properties pane opens as an editable form. The fields on the form vary from one connector to another, in order to support the product or device you are configuring. For new instances, the form displays the default connector settings needed to configure the associated product or device. In most cases, you can save the connector with its default settings; however, you can change the settings as needed.
5. Complete the Properties form, as needed. Reference tables explaining the meaning of each field you may encounter in the Properties form are provided to assist you.
6. Click Save to save the connector configuration as a new connector instance; otherwise, click Cancel. Upon saving, the following things happen in the Connectors grid:
● If you configured a sensor, a sensor connector instance appears below the connector you are working with.
● If you configured an actor, an actor connector instance appears below the connector you are working with.
● The icon in the Status column shows that the connector instance is stopped. All new connector instances automatically have a status of Stopped. To begin using the connector, you must start it.
7. To start the connector instance, click its gear button and then click Start. After a moment, the system starts the connector instance and the connector's Status icon changes to show that it is running.
8. If needed, repeat Steps 3–7 for each additional connector instance that is required to fully integrate this product or device with LEM.

Starting a Connector Instance
Whenever you finish adding or reconfiguring a connector instance, you must start it so it can begin running. Starting a connector instance enables that particular connector configuration. If the connector instance is for a sensor, starting it enables the sensor to begin monitoring the product's event log. If the connector instance is for an actor, starting it enables the actor to begin initiating active responses on that product when requested to do so by policy.
To start a connector instance:
1. Open the Connector Configuration form for the Manager or Agent you want to work with.
2. In the Connectors grid, click to select the connector instance you want to start.
3. Click the connector instance's gear button and then click Start. After a moment, the system starts the connector instance and the connector's Status icon changes to show that it is running.
Common problems with starting connector instances
If the connector fails to start, the Console displays a Warning or a Failure event that states the problem. Connectors normally fail to start for one of the following reasons:
● The network security device's log file does not exist.
● The Agent does not have permission to access the file.

Stopping a Connector Instance
Use this procedure to stop a connector instance. You must always stop a connector instance before you can edit or delete it. You can also stop a connector instance to prevent the connector from gathering data for the Console, or to prevent it from initiating active responses on a network security product or notification system.
To stop a connector instance:
1. Open the Connector Configuration form for the Manager or Agent you want to work with.
2. In the Connectors grid, click to select the connector instance you want to stop.
3. Click the connector instance's gear button and then click Stop. After a moment, the system stops the connector instance. When the connector's Status icon changes to the stopped icon, the connector has stopped.
Once a connector instance has been stopped, it can be edited, deleted, or restarted, as needed. The connector instance remains stopped until you restart it.

Editing a Connector Instance
When needed, you can edit an existing connector instance's configuration settings. However, you cannot edit its name (alias). If you need to rename a connector instance alias, you must delete the current connector instance and create a new one with the new name. Also, you cannot edit the Log File value for some Windows event log sensors.
Use this procedure whenever you need to correct or change a connector's configuration.
To edit a connector instance:
1. Open the Connector Configuration form for the Manager or Agent you want to work with.
2. In the Connectors grid, click to select the connector instance you want to edit.
3. Click the connector instance's gear button and then click Stop. After a moment, the system stops the connector instance. When the connector's Status icon changes to the stopped icon, the connector has stopped.
4. To edit the connector, click the gear button and then click Edit.
5. In the Properties form, update the connector settings, as needed. Reference tables explaining the meaning of each field you may encounter in the Properties form are provided to assist you.
6. Click Save to save your changes.
7. When you are finished, restart the connector instance by clicking the gear button and then clicking Start.

Deleting a Connector Instance
When needed, you can delete an obsolete or incorrect connector instance.
To delete a connector instance:
1. Open the Connector Configuration form for the Manager or Agent you want to work with.
2. In the Connectors grid, click to select the connector instance you want to delete.
3. Click the connector instance's gear button and then click Stop. After a moment, the system stops the connector instance. When the connector's Status icon changes to the stopped icon, the connector has stopped.
4. Click the connector instance's gear button and then click Delete.
5. At the confirmation prompt, click Yes to delete the connector instance. After a moment, the connector instance disappears from the Connectors grid.
Note: Do not recreate this connector until it has been completely removed. It may take up to two minutes for the connector to be deleted from your system.

Creating Connector Profiles to Manage and Monitor LEM Agents
Use Connector Profiles to manage and monitor similar LEM Agents across your network. The following two use cases are the most common for this type of component.
● Configure and manage connectors at the profile level to reduce the amount of work you have to do for large LEM Agent deployments.
● Create filters, rules, and searches using your Connector Profiles as Groups of LEM Agents. For example, create a filter to show you all Web traffic from computers in your Domain Controller Connector Profile.
Complete the two procedures below to create a Connector Profile using a single LEM Agent as its template.
To create a Connector Profile using a LEM Agent as a template:
1. Configure the connectors on the LEM Agent to be used as the template for the new Connector Profile. These connectors are applied to any LEM Agents that are later added to the Connector Profile.
2. Click Build, and then select Groups.
3. Click the add button, and then select Connector Profile.
4. Enter a name and description for the Connector Profile.
5. Select the desired LEM Agent template from the Template list next to the Description field.
6. Click Save.
To add LEM Agents to your new Connector Profile:
1. Locate the new Connector Profile in the Build > Groups view. Click the gear button next to your Connector Profile, and then select Edit.
2. Move LEM Agents from the Available Agents list to the Connector Profile by clicking the arrow next to them.
3. When you are finished adding LEM Agents to your Connector Profile, click Save.
The connector configurations set for the template Agent are applied to every Agent added to the Connector Profile.

Using an Agent to edit a Connector Profile
You can use an Agent that is a member of a Connector Profile as a vehicle for editing that profile's connector settings. You can add new connector instances to the profile, or edit or delete its existing instances.
Use caution when editing a Connector Profile. The changes you make apply to every Agent that is a member of that profile.
You can also edit a Connector Profile's connector settings from the Manage > Agents view.
To use an Agent to edit a Connector Profile's connector settings:
1. Open the Manage > Agents view.
2. In the Agents grid, click to select the Agent that is in the Connector Profile you want to edit.
3. Click the gear button and then click Connectors. The Agent Connector Configuration prompt appears to warn you that the Agent belongs to a Connector Profile.
4. Click Connector Profile. The Connector Configuration for [Connector Profile] form appears. You may now begin adding, editing, or deleting the connector instances that are associated with that Connector Profile.

File Integrity Monitoring Connectors
File Integrity Monitoring (FIM) monitors files of all types for unauthorized changes that may indicate, or lead to, a data breach by a malicious attack. Using FIM, you can detect changes to critical files, both to ensure systems are free of compromise and to ensure critical data is not being changed by unauthorized modifications of systems, configurations, executables, log and audit files, content files, database files, and web files.
If FIM detects a change in a file you are monitoring, it is logged. LEM then takes those logs and performs the configured action. Correlation rules can be built to act as a second-level filter that alerts only on certain patterns of activity (not just single instances), and when an alert is triggered, the data is in context with your network and other system log data. With a SIEM like LEM, you can also respond with administrative action.
Features of FIM
● On Windows (XP, Vista, 7, 8, Server 2003, 2008, 2012), monitors in real time for access to and changes to files and registry keys, and records who made the change.
● Allows you to configure which files/directories and registry keys/values to monitor, and for which types of access (create, write, delete, change permissions/metadata).
● Provides the ability to standardize configurations across many systems.
● Provides monitoring templates that cover the basics, and lets you create and customize your own monitors.
● Provides templates for rules, filters, and reports so you can start using FIM events quickly.
What can FIM detect?
● Insider abuse, by auditing files directly and correlating the results through intelligent correlation rules. Active integration with Active Directory settings can disable accounts and change user groups and rights in response.
● Changes to critical registry keys (where registry monitoring is supported). For example, a new service is installed, software is installed, or a key is added to "hide" data in an unexpected location.
● Installation of a new driver or similar device. This adds a layer of defense to anti-virus software for detecting malware that masquerades under a look-alike file name (such as ntkernl.sys vs. ntkernI.sys).
● Access to critical business files, and who is accessing them. Detects potential abuse, unexpected access, or changes to sensitive data.
● Moved files, usually when users move directories into other directories.
● Zero-day exploits, which attack a vulnerability before a fix is available. FIM can trigger an alert letting you know that a file has been changed by potential malware or a Trojan, and LEM can automatically stop the running malware process.
● Advanced Persistent Threats, by inserting granular, file-based auditing into the existing event stream to pinpoint attacks and help block them in progress.
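The look-alike name case above (ntkernl.sys vs. ntkernI.sys) is exactly the kind of event a FIM monitor reports but a human skims past, so it is a good place to see how a monitor condition and a correlation rule divide the work. The following Python script is an added example and is not part of the LEM guide or the product: it simulates a FIM monitor condition as this chapter describes it under Adding Conditions (a watched folder, a file-name mask such as *exe, recursive or non-recursive scope, and the operations to report), runs it over constructed file events, and then applies a look-alike check as the second-level filter a correlation rule would provide. The paths, events, user names and the list of protected file names are all constructed for the example, and the matching rules are an interpretation of the guide's wording rather than LEM's implementation.

```python
"""
Added example (not from the LEM guide): FIM monitor conditions (folder, mask,
recursive scope, operations) simulated over constructed file events, with a
look-alike file-name check as a second-level correlation filter. Paths,
events and the protected-name list are made up; rules follow the guide's
description, not LEM's code.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from pathlib import PureWindowsPath
from typing import FrozenSet, Iterable, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Monitor:
    path: str                   # folder to watch
    mask: str                   # file-name mask, e.g. "*.exe" or "*exe"
    recursive: bool             # True: folder and all sub-folders; False: direct children only
    operations: FrozenSet[str]  # subset of {"create", "read", "write", "delete"}

    def covers(self, file_path: str, operation: str) -> bool:
        """Would this monitor report `operation` on `file_path`?"""
        if operation not in self.operations:
            return False
        parts = [p.lower() for p in PureWindowsPath(file_path).parts]
        root = [p.lower() for p in PureWindowsPath(self.path).parts]
        if parts[:len(root)] != root or len(parts) == len(root):
            return False                     # outside the folder, or the folder itself
        depth = len(parts) - len(root)       # 1 = directly inside the watched folder
        if not self.recursive and depth != 1:
            return False
        return fnmatchcase(parts[-1], self.mask.lower())


@dataclass(frozen=True)
class FileEvent:
    path: str
    operation: str
    user: str


# Characters an attacker swaps to make a name resemble a trusted one.
CONFUSABLE = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "O": "o"})


def skeleton(name: str) -> str:
    """Fold confusable characters before case-folding, so I, l and 1 collide."""
    return name.translate(CONFUSABLE).lower()


def lookalike_of(name: str, protected: Iterable[str]) -> Optional[str]:
    """Return the protected file name that `name` impersonates, if any."""
    for real in protected:
        if name.lower() != real.lower() and skeleton(name) == skeleton(real):
            return real
    return None


def fim_events(monitors: Sequence[Monitor], events: Sequence[FileEvent]) -> List[FileEvent]:
    """First level: every event that some monitor condition reports."""
    return [e for e in events if any(m.covers(e.path, e.operation) for m in monitors)]


def correlate(monitors, events, protected) -> List[Tuple[FileEvent, str]]:
    """Second level: creates/writes whose file name impersonates a protected file."""
    hits = []
    for e in fim_events(monitors, events):
        real = lookalike_of(PureWindowsPath(e.path).name, protected)
        if real is not None and e.operation in ("create", "write"):
            hits.append((e, real))
    return hits


# Constructed configuration and sample events.
PROTECTED = ("ntkernl.sys", "kernel32.dll", "svchost.exe")
MONITORS = [
    Monitor(r"C:\Windows\System32", "*", True, frozenset({"create", "write", "delete"})),
    Monitor(r"C:\Users", "*.xlsx", False, frozenset({"write"})),   # non-recursive on purpose
]
EVENTS = [
    FileEvent(r"C:\Windows\System32\drivers\ntkernI.sys", "create", r"CORP\svc_backup"),
    FileEvent(r"C:\Windows\System32\drivers\ntkrnlpa.exe", "read", r"NT AUTHORITY\SYSTEM"),
    FileEvent(r"C:\Windows\System32\kernel32.dll", "write", r"CORP\jdoe"),
    FileEvent(r"C:\Users\jdoe\Downloads\report.xlsx", "write", r"CORP\jdoe"),
    FileEvent(r"C:\Windows\System32\drivers\etc\hosts", "write", r"CORP\jdoe"),
]

if __name__ == "__main__":
    for e in fim_events(MONITORS, EVENTS):
        print("FIM:", e.operation, e.path, "by", e.user)
    for e, real in correlate(MONITORS, EVENTS, PROTECTED):
        print("ALERT: look-alike of", real, "->", e.path, "by", e.user)
```

Of the five constructed events, the monitors report three: the read of ntkrnlpa.exe is dropped because read is not a selected operation, and the spreadsheet write is dropped because the C:\Users monitor is non-recursive and Downloads is two levels down. Only the ntkernI.sys creation survives the correlation step, which is the alert a practitioner wants to see rather than every write to System32. Note that the confusable folding must run before case-folding; lowercasing first would turn the capital I into i and hide the collision with l.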
Adding a FIM Connector
To add a FIM connector:
1. Navigate to Manage > Nodes to see a listing of all the nodes being monitored by LEM.
2. Select the desired node, then click the gear icon next to it and select Connectors.
3. Enter FIM in the Refine Results pane. The search returns FIM Registry and FIM File and Directory.
4. Select either FIM File and Directory or FIM Registry.
5. Click the gear icon next to the FIM connector you want to work with, then select New to create a new connector. The Connector Configuration window displays.
6. Select a Monitor from the Monitor Templates pane, then click the gear icon and select Add to selected monitors. The Monitor Template moves to the Selected Monitors pane.
7. Click Save, or click Add Custom Monitor to modify the monitor to your requirements.

Monitors
Monitors let you configure which files to watch, and which actions to watch for on those files. Monitoring templates are provided to use right away, and to assist in creating custom templates or configurations.
Adding Custom Monitors
1. Click Add Custom Monitor in the Connector Configuration window.
2. Enter a Monitor Name.
3. Enter a Description for the monitor.
4. Click Add New. The Add Condition window displays. See "Adding Conditions" for more information on how to add conditions to monitors.
Editing Monitors
1. Select a Monitor from the Selected Monitors pane.
2. Click the gear icon and select Edit monitor.
Promoting a Monitor to a Template
1. Select the Monitor to be promoted.
2. Click the gear icon and select Promote monitor to template.
3. Click Yes to promote this monitor to a template. The monitor is now available in the Monitor Templates pane.
Deleting a Monitor
1. Select the monitor to be deleted.
2. Click the gear icon and select Delete.
3. Click Remove. The monitor is removed from the Selected Monitors pane.

Adding Conditions
1. Click Add New in the Conditions window.
2. Click Browse to select a file and directory or a registry key to watch.
3. Click OK.
4. Select whether monitoring is recursive or non-recursive:
Recursive: The selected folder and all of its sub-folders are monitored; files matching the mask are monitored for the selected operations.
Non-recursive: Only the files directly in the selected folder are monitored.
5. Enter a Mask. For example, *exe or directory*.
6. For a FIM File and Directory connector, select Create, Read, Write, and Delete for Directory, File, Permissions, and Other operations. For a FIM Registry connector, select Create, Read, Write, and Delete for Key and Value operations. For more information on Other, refer to the Microsoft MSDN information.
7. Click Save.
Editing Conditions
1. Select the condition to be edited in the Conditions window.
2. Click Edit.
3. Click Browse to select a file and directory or a registry key to watch.
4. Click OK.
5. Select whether monitoring is recursive or non-recursive, as described under Adding Conditions.
6. Enter a Mask. For example, *exe or directory*.
7. Select the operations to monitor, as described under Adding Conditions.
8. Click Save.
Deleting Conditions
1. Select the condition to be deleted in the Conditions window.
2. Click Delete.
3. Click Remove.

FIM Connector Advanced Settings
1. Complete the Advanced Connector Settings form according to the device you're configuring.
The following fields/descriptions are common for most connectors: Log Directory When you create a new alias for a connector, LEM automatically places a default log file path in the Log Directory field. This path tells the connector where the operating system stores the product’s event log file. In most cases, you should be able to use the default log file path that is shown for the connector. These paths are based on the default vendor settings and the product documentation for each product. If a different log path is needed, To manually change the log file location: 233 Chapter 12: Utilizing the Console 1. Enter or paste the correct path in the Log Directory field. 2. Stop the Agent. 3. Manually update the Agent's spop.conf property o com.solarwinds.lem.fim.minifilter.fsLogLocation for a file and directory connector. This appears as %SystemDrive%\\Mylocation\\FileSystem in the config file. o com.solarwinds.lem.fim.minifilter.registryLogLocation for a registry connector . This appears as C:\\My other log location\\Registry in the config file. 4. Restart the Agent. Log Data Select either nDepth, Alert, or Alert, nDepth. To store a copy of Type to Save the original log data in addition to normalized data, change the Log Data Type to Save to Alert, nDepth. Storage for original log data must also be enabled on the appliance. nDepth Host If you are using a separate nDepth appliance (other than LEM), type the IP address or host name for the nDepth appliance. Generally, the default setting is correct. Only change it if you are advised to do so. nDepth Port If you are using a separate nDepth appliance (other than the SolarWinds LEM), type the port number to which the connector is to send nDepth data. Generally, the default setting is correct. Only change it if you are advised to do so. Sleep Time Type or select the time (in seconds) the connector sensor is to wait between event monitoring sessions. The default (and minimum) value for all connectors is one (1) second. 
If you experience adverse effects due to too many rapid readings of log entries, increase the Sleep Time for the appropriate connectors. Windows NT-based connectors automatically notify Windows Event Log sensors of new events that enter the log file. Should automatic notification stop for any reason, the Sleep Time dictates the interval the sensor is to use for monitoring new events.

Wrapper Name: This is an identification key that the SolarWinds LEM uses to uniquely identify the properties that apply to this particular connector. This is read-only information for SolarWinds reference purposes.

Tool Version: This is the release version for this connector. This is read-only information for reference purposes.

Enable Connector Upon Save: When this option is selected, the connector starts when you click Save.

7. After completing the form, click Save.
8. If you did not select the Enable Connector Upon Save option, navigate to the Connectors list and click the gear button next to the new connector (denoted by an icon in the Status column), and then select Start.
9. After starting the connector, verify that it is working by checking for events on the Monitor tab.

Managing Widgets
The topics in this section explain how to use the Widget Manager to create and manage your widgets.

Opening and Closing the Widget Manager
- At the top of the Ops Manager view, click Widget Manager to alternately open and close the Widget Manager. The Widget Manager includes the Filters pane and the Widgets pane.

Creating New Master Widgets
In the Ops Center, you can use the Widget Manager to create a new master widget for any of your filters. Widgets are created with a tool called the Widget Builder, which allows you to define the new widget's foundational and aesthetic settings. It also allows you to save a copy of the new widget to the Ops Center dashboard.

To create a new master widget from the Ops Center:
1. Open the Ops Center view.
2. If needed, click Widget Manager to open the Filters and Widgets panes.
3. Click the button. The Widget Builder appears.
4. Complete the Widget Builder.
5. Select the Save to Dashboard check box if you want to save a copy of the new widget to the Ops Center dashboard.
6. When you are finished, click Save.

Upon saving the new widget, several things happen:
- In the Filters pane, the Count value of the associated filter increases by one to account for the new widget.
- The new widget appears in the Widgets pane for the associated filter.
- The next time you open the widget's source filter in the Monitor view, the new widget will appear in the Widgets pane's widget list.
- If you selected the Save to Dashboard option, a copy of the widget also appears in the Ops Center dashboard.

Editing Master Widgets
In the Ops Center, you can use the Widget Manager to edit any of the master widgets that are associated with a filter. Typically, you will edit a master widget when you want to change a master widget's name, behavior, or appearance, or whenever you want to use the master widget as a template to create a new dashboard widget based on the master widget's current configuration. Once saved, an updated master widget appears with its new configuration in the Ops Center's Widget Manager and in the Monitor view's Widgets pane.

Once created, each dashboard widget operates independently of the master widget it was created from. Therefore, editing a master widget does not affect any previous copies (dashboard widgets) that were created from that master. This independence lets you use a master widget as a template for creating variations of the same widget for the Ops Center dashboard.

To edit a master widget in the Ops Center:
1. Open the Ops Center view.
2. If needed, click Widget Manager to open the Filters and Widgets panes.
3.
In the Filters pane, select the filter you want to work with. The widgets associated with this filter appear in the Widgets pane.
4. Drag the pane's scroll bar left or right to browse the filter's widgets.
5. When you find the widget you want to edit, click the Filters pane gear button. The Widget Builder appears.
6. Use the Widget Builder to reconfigure the widget, as needed.
7. Select Save to Dashboard if you want to save a copy of the reconfigured master widget to the Ops Center dashboard.
8. Click Save to save your changes to the widget.
The master widget's new configuration appears in the Widgets pane. If you selected the Save to Dashboard option, a copy of the newly configured widget also appears in the Ops Center dashboard.

Adding Widgets to the Dashboard
Use either of the following procedures to add a copy of a master widget to the Ops Center dashboard. The original remains with its filter. Once a copy is on the dashboard, you may edit its graphical presentation, as needed.

To add a widget from the Widgets pane to the dashboard:
1. Open the Ops Center view.
2. Click Widget Manager to open the Filters and Widgets panes.
3. In the Filters pane, select the filter you want to work with. The widgets associated with this filter appear in the Widgets pane.
4. To preview the widgets in the Widgets pane, do one of the following:
   - Drag the pane's scroll bar left or right to browse the filter's widgets.
   - Click any widget to move it to the front of the pane.
5. When you find the widget you want to add to the dashboard, do either of the following:
   - Click Add to Dashboard.
   - Click anywhere on the widget, drag it to the dashboard, and then drop it in the position you want.

To add a widget to the dashboard from the Widget Builder:
1. When creating or editing a master widget with the Widget Builder, configure the form so the widget appears the way you want it to on the dashboard.
2. Select the Save to Dashboard check box.
3.
Click Save. A copy of the widget appears at the bottom of the Ops Center dashboard.

Deleting Master Widgets
Widgets can only be deleted from the Ops Center, and master widgets can only be deleted from the Widget Manager. Deleting a master widget does not delete any of the dashboard widgets that came from that master.

To delete a master widget:
1. Open the Ops Center view.
2. If needed, click Widget Manager to open the Filters list and the Widgets pane.
3. In the Filters list, select the filter that contains the widget you want to delete.
4. In the Widgets pane, use the scroll bar to select the widget you want to delete.
5. Click Delete Widget.
6. At the confirmation prompt, click Yes.

Editing a Dashboard Widget
In the Ops Center dashboard, you can edit any dashboard widget. Editing a dashboard widget does not affect the master widget it came from, or any other widget. You are editing only that particular widget. When editing a dashboard widget, the Save to Dashboard option is disabled, because dashboard widgets can only be created from a master widget.

To edit a dashboard widget:
1. In the Ops Center dashboard, locate the widget you want to work with.
2. Click the gear button on the widget toolbar. The Widget Builder appears.
3. Make the necessary changes to the Widget Builder.
4. When you are finished, click Save. The widget appears in the dashboard with its new configuration.

Deleting Dashboard Widgets
Widgets can only be deleted from the Ops Center. You can delete dashboard widgets directly from the dashboard.

To delete a widget from the dashboard:
1. Open the Ops Center view.
2. In the dashboard, locate the widget you want to delete.
3. Click the delete button on the widget toolbar.
4. At the confirmation prompt, click Yes. The widget is deleted from the dashboard.
Note: If needed, you can readily recreate the dashboard widget, so long as you do not delete the master widget it came from.
Chapter 13: Advanced Configurations

Setting up an Appliance
If you are setting up a Manager for the first time, you should follow this order of events:
- On the Console, open the Manage > Appliances view.
- Add a Manager to the Console.
- Log on to the Manager through the Console.
- Configure the Manager's properties with the Properties form.
- Configure the Manager's connectors with the Connector Configuration window.
- (Optional) Assign the Manager's alert distribution policy with the Event Distribution Policy window.

Adding Appliances to the Console
Use this procedure whenever you want to add a new Manager or other network appliance to the LEM Console.

To add a new appliance:
1. At the top of the LEM Console, click Manage and then click Appliances.
2. At the top of the Appliances grid, click the symbol.
3. Enter the IP Address of the virtual appliance.
4. Click to display the Advance Properties form. The following table describes the form fields:

Username: Enter the username used to connect to the virtual appliance.
Password: Enter the password for the virtual appliance.
Appliance Type: Select the appliance type you are adding: Manager, Database Server, nDepth, Logging Server, or Network Sensor.
Connection Port: Type the port number the Console must use to communicate with the Manager network appliance or the database. The secure port number is 8443. This value will default to 8080 for virtual appliances in the evaluation phase. Note: This field only applies when the Appliance Type field is set to Manager.
Model: Select the appliance's appropriate model. If you are uncertain which model you have, select Unknown. If you know your model but it is not listed, select Other. Your selection here has no effect on the Manager's operation. If you selected any of the specific models, a picture of the appliance appears at the top of the Details pane.
Level: The appliance's level.
Its level is directly related to the appliance's capacity and performance, ranging from Level 1 to Level 4. If you are uncertain which level the Manager belongs to, select Unknown. If you are adding a Database Server, Level 4 is automatically selected. This option is disabled if you are using a virtual appliance.
Service Tag: Type the Dell serial number or registration number found on the appliance. It uniquely identifies this piece of equipment and its specific configuration properties.
Icon Color: Select the desired color for your icon.
Reset: At any time, you can click Reset to reset the form to its default settings.

5. Click Connect to add the appliance and close the form. Otherwise, click Cancel to return to the Console without adding the appliance.
6. Enter the IP Address of the virtual appliance and then click Connect.
Note: The LEM desktop software requires that you change your LEM password after installation. This password must be between 6 and 40 characters, and must contain at least one capital letter and one number. The default username/password is Admin/Password.
7. Click OK.

Copying Appliance Data
If needed, you can copy your data from the Appliances grid to your clipboard. This allows you to paste the data into another application, such as Microsoft Excel for analysis or the Remote Agent Installer for updates. You can copy the data for a single appliance, multiple appliances, or for every appliance in the grid.

To copy data for a single appliance:
1. Open the Manage > Appliances view.
2. In the Appliances grid, select the appliances you want to copy.
3. Click the button, and then do one of the following:
   - Click Copy Selected to copy the data for the selected appliances.
   - Click Copy All to copy the data for every appliance in the grid.
The appliance data is now copied to your clipboard, where it can be pasted into another application.
Removing an Appliance
When needed, you can remove a Manager or other network appliance from the Console.

To remove an appliance:
1. At the top of the Console, click Manage, and then click Appliances.
2. In the Appliances grid, click to select the appliance you want to remove.
3. Click the gear button and then click Delete.
4. At the confirmation prompt, click Yes to remove the appliance. Otherwise, click No to return to the Console without removing the appliance.
The appliance disappears from the Appliances grid.

Managing Connectors

Configuring Manager Connectors (general procedure)
Follow this procedure to configure a Manager's connectors (sensors and actors). It lets the Manager monitor and interact with the supported security products or devices that are installed on or remotely logging to the Manager computer.

To configure a Manager's connectors:
1. Start the LEM Console.
2. Open the Manage > Appliances view.
3. If you have not already done so, add and configure each Manager you will be using with your network.
4. Log on to the Manager you want to work with.
5. Open the Connector Configuration for [Manager] form.
6. Add a connector instance for each of the product's event log sources.
7. When you are finished, start the Connector instance.
8. Repeat Steps 6 and 7 for each product or device that is logging to the Manager computer.
9. Repeat Steps 4–8 for each Manager, until you have configured Connectors for each point on your network.

Configuring Agent Connectors (general procedure)
Follow this procedure to configure the connectors (sensors and actors) the Agent uses to monitor and interact with each network's security product and device that is running on the Agent computer.

To configure an Agent's connectors:
1. Open the Manage > Agents view.
2. Open the Connector Configuration for [Agent] form.
3.
Add a connector instance for each of the product's event log sources.
4. When you are finished, start the connector instance.
5. Repeat Steps 3 and 4 for each product or device the Agent is monitoring on the Agent's computer.
6. If you are not using Connector Profiles, repeat Steps 2–5 for each Agent, until you have configured the connectors for each point on your network. If you are using Connector Profiles, you can use a configured Agent as a template for a Connector Profile.

Using Connector Profiles to Configure Multiple Agents
Most Agents in a network have only a few different connector configurations. Therefore, you can greatly speed up the connector configuration process by creating Connector Profiles. A Connector Profile is a group of Agents that share the same connector configuration. It allows you to configure a set of standardized connector settings, and then apply those settings to all of the Agents that are assigned to that profile. Once applied, every Agent in the profile will then have the exact same connector settings.

One of the great benefits of using Connector Profiles is that you can maintain all of the Agents in a profile at once by updating only the Connector Profile's connector configuration. The system then propagates your changes to all of the Agents in the profile.

By using Connector Profiles, you can greatly speed up the process of connecting your network security products to LEM. If you do not use Connector Profiles, you will have to create at least one connector instance for every product that you intend to integrate with LEM, and then repeat this process for every one of your Agents. A well-planned set of Connector Profiles provides you with a versatile and efficient method for configuring and maintaining your Agents' connector configurations.
Configuring email active response connectors
Configure the Email Active Response connector on your LEM Manager to enable the LEM Manager to send automated emails to Console users in response to rules firing. This connector specifies the mail host that your Manager uses to send emails and, when necessary, provides the requisite server credentials.

Requirements
- An email server that allows the LEM Manager to relay email messages through it
- IP address or hostname of your email server
- A return email address for bounced messages and replies
- User credentials for your email server, only if your email server requires internal users to authenticate to send email

Configuring the email active response connector
1. Log into the LEM Manager on which you want to configure the connector from the Manage > Appliance view of your LEM Console.
2. Click the gear icon next to your LEM Manager and select Connectors.
3. Enter Email Active Response in the search box on the Refine Results pane.
4. Click the gear icon next to the master connector on the right and select New.
5. Complete the Email Active Response connector form.
Note: If you use a hostname for the Mail Host value, your Manager must be able to resolve it.
6. Enter a valid email address in the Test E-mail Address field. After the connector is saved and started, your Manager sends a test email to the email address.
7. Click Save.
8. Locate the new instance of the connector. It is a grey icon in the Status column.
9. Select Start from the gear menu next to the new connector.
A green icon in the Status column indicates that the connector is running and you can use the Test Email button to test your settings.

Testing the Email Active Response Connector
If the test email is successful, you receive it in the mailbox specified.
If the test email is unsuccessful, the LEM Internal Events filter presents the following information:
- Event Name: InternalInfo
- Event Info: Email notification failed
- Extraneous Info: Information about the failure. For example, server not reachable, authentication issue, etc.
You can modify the configuration of the connector to make sure you are using the correct information.

Managing Groups

Adding a New Group
1. Open the Build > Groups view.
2. In the Groups grid, click the button and then click the Group type you want to create. The Group Details pane opens to show an editable form for the Group type you have selected.
3. In the Name box, type a name for the Group.
4. In the Description box, type a brief description of the Group and its intended use.
5. In the Manager list, select the Manager on which the Group is to reside.
6. Complete the rest of the form to configure the Group.
7. When you are finished, click Save. The new Group appears in the Groups grid.

Editing a Group
Editing a Group is very much like creating a new one. The only difference is that you are reconfiguring an existing item.

To edit a Group:
1. Open the Build > Groups view.
2. In the Groups grid, do one of the following:
   - Double-click the Group you want to edit.
   - Click the gear button for the Group you want to edit and click Edit.
   The Edit pane opens as an editable form, showing the selected Group's current configuration.
3. Make any necessary changes to the Edit form to reconfigure the Group.
4. When you are finished, click Save. The revised Group is applied to the Manager and appears in the Groups grid.

Cloning a Group
Cloning a Group lets you copy an existing Group, but save it with a new name. Cloning allows you to quickly create variations on existing Groups for use with your rules, filters, and Agents. Cloned Groups must be for the same Manager as the original Group. That is, you cannot clone a Group from one Manager for use with another Manager.
To clone a Group:
1. Open the Build > Groups view.
2. In the Groups grid, click to select the Group you want to clone.
3. Click the row's gear button and then click Clone. The newly cloned Group appears in the Groups grid in the row just below the original Group. A clone always uses the same name as the Group it was cloned from, followed by the word Clone. For example, a clone of the Disk Warning Group would be called Disk Warning Clone. A second clone of the Disk Warning Group would be called Disk Warning Clone 2, and so on.
4. Edit the cloned Group, as needed, to give it its own name and to assign its own specific settings.

Importing a Group
You can import Groups from a remote source into the Groups grid. You can import a Group that you have exported from another Manager, or you can import Groups that are provided by SolarWinds. You may import only one Group at a time.

To import a Group:
1. Open the Build > Groups view.
2. On the Groups grid connector bar, click the gear button and then click Import. The Open form appears.
3. In the Look In box, browse to the folder that contains the Group file you want to import.
4. Do either of the following:
   - Double-click the file to open it.
   - Click to select the file you want to import, and then click Open.
   The Group appears in the Groups grid and in the Group Details form for editing.
5. In the Group Details form, select the Manager this Group is to be assigned to.
6. Make any other desired changes in the Group Details form.
7. Click Save to send the Group to the Manager.
8. If you are working with Email Templates or State Variables, drag the new Group from the Groups grid into the folder (in the Folders pane) that is to store the Group.

Exporting a Group
When needed, you can export Groups. Exporting Groups is useful for three reasons:
- Once exported, you can import the Group into another Manager.
- You can save a copy off of the Manager for any reason.
- You can provide SolarWinds with a copy of your Group for technical support or troubleshooting purposes.
You may export only one Group at a time.

To export a Group:
1. Open the Build > Groups view.
2. In the Groups grid, click to select the Group you want to export.
3. Click the row's gear button and then click Export.
4. After a moment, the Save As form appears.
5. Use the Save As form to select the folder in which you want to save the exported Group.
6. In the File name box, type a name for the exported Group.
7. Click Save to export and save the Group; otherwise, click Cancel.
You can now import the Group for use with another Manager.

Deleting a Group
When needed, you can delete any of your Groups.

To delete a Group:
1. Open the Build > Groups view.
2. In the Groups grid, select the Group you want to delete.
3. Click the row's gear button and then click Delete.
4. At the confirmation prompt, click Yes to delete the Group. The item disappears from the Groups grid.

Configuring Event Groups
Whenever you create or edit an Event Group, the Build > Groups view's Edit pane opens and becomes the Event Group form. The Event Group form lets you create custom families of alerts that you can save as a Group. You can then associate the Event Group with your rules and filters. For example, you might create an Event Group made up of similar alerts that all need to trigger the same response from the Console. When you apply the Event Group to a rule, the Console implements the rule when any one of the alerts in the Group occurs.

Each Event Group you create only applies to the Manager that is selected when you create the Group. If you need a similar Event Group for a different Manager, you must create it separately for the other Manager.

To configure an event group:
1. Open the Build > Groups view.
2. On the Groups grid, click the button and then click Event Group. The Edit pane opens, showing the Event Group form.
3.
In the Name box, type a name for the new Event Group.
4. In the Description box, type a brief description of the Event Group's contents.
5. In the Manager list, select the Manager on which this Group is to reside. If you are editing an existing Group, this field shows the Manager on which it resides.
Now you will configure the Event Group by selecting the alerts you want in the Group. The Events box lists alerts in a hierarchical tree. You may need to open the nodes in the alert tree to see the alert you are looking for.
6. In the Events list, select each alert that you want to include in this Group.
   - To choose an alert, click its check box.
   - To remove an alert, clear its check box.
   Note: In the node-tree view, you can Ctrl+Click to select (or clear) an alert and all of the alerts below that item (that is, its child alerts). For example, press Ctrl and click Security Event to select Security Event and all of its child alerts.
7. Click Save. The new Event Group appears in the Groups grid.

Event List Features
The following table explains how to use each feature of the Events list.

Node tree button: Click this button to display the Events list as a hierarchical node tree. Then use the list to select each alert type that you want to include in this Group. This is the default view. This view also has the following attributes:
- Lower-level alert types are hidden by nodes in the alert tree. To open a node, click the > icon. This displays the node's next level of alerts.
- Using the search box displays the alert and its parent alert types, so you can see how the alert appears in the alert hierarchy.
- You can Ctrl+Click to select (or clear) an alert and all of the alerts below that item (that is, its child alerts). For example, if you press Ctrl and click Security Event, you will select Security Event and all of its child alerts.
Alphabetical list button: Click this button to list alert types alphabetically, regardless of their position in the hierarchy. Then use the list to select each alert type that you want to include in this Group.
Search box: You can use this box to search either view of the Events list. To do so, type a word or phrase in the text box. The Events list will refresh to show any alerts that include your word or phrase.
►: This icon represents a closed (or collapsed) alert node in the alert tree hierarchy. Each time you see this icon, it means the alert node contains lower-level alerts. To open a node, click it. Opening the node expands the alert tree, displaying the next level of related alerts.
▼: This icon represents an open (or expanded) alert node in the alert tree hierarchy. Each time you see this icon, the node is displaying its related lower-level alerts. To close (or collapse) the node, click it. This collapses the alert tree at that level, hiding its lower-level alerts.
Check box states:
- This item has not been selected; nor have any of its lower-level items.
- This item has been selected, but not any of its lower-level items.
- This item has not been selected, but one or more of its lower-level items has been selected.
- This item has been selected, and so have one or more of its lower-level items.

Configuring Directory Services Groups
Many companies use a directory service, such as Active Directory, to organize and administer their network's computers and system users. This computer and user information is organized into Directory Service Groups (DS Groups) that are managed with the directory service. If you use such a directory service, you can connect LEM to the server that stores your existing DS Groups, synchronize your Groups with LEM, and apply your Groups to your rules and filters. Once your directory service is connected, your DS Groups become seamlessly integrated with the LEM.
Whenever you make a change to a Group in the directory service, LEM automatically updates your rules and filters to reflect the change. The topics in this section explain how to retrieve and synchronize information from your directory service for use with LEM.

How to Use Directory Services Groups
DS Groups allow you to match, include, or exclude events to specific users or computers based on their Group membership, to determine if a particular alert event is relevant or not. In most cases, DS Groups are used in rules and filters as a type of white list or blacklist for choosing which users or computers to include or to ignore. When used by a filter, a DS Group lets you limit the scope of the alerts included in the filter to those users or computers that have membership in a particular Group.

For example, you may want to use a DS Group that you created in your directory services that contains the names of high-risk network users. You can then refer to this Group in a rule or filter. For instance, your rule may dictate to always disable these users if you detect malicious activity.

Synchronizing Directory Service Groups with LEM
This procedure explains how to retrieve Group data from your directory service and select which DS Groups are to be synchronized with LEM. This procedure ensures that you capture the most current information from any Groups that are not currently synchronized with LEM. You can also use this procedure to remove DS Groups that no longer require synchronization.

Note: To use DS Groups, first make sure the Directory Service Query Connector is configured and running on the LEM Manager for which you want to use DS Groups. DS Groups only apply to Managers that are connected to them. If you need a similar DS Group for another Manager, you must connect to the directory service with the other Manager.

To retrieve DS Group data from your directory service:
1. Open the Build > Groups view.
2.
On the Groups grid, click the button and then click Directory Services Group. The Select Directory Services Group form appears. You will use this form to select which directory service Groups you want to synchronize for use with LEM.
3. In the Manager list (the upper-right drop-down list), select the Manager that is going to use the DS Groups.
4. In the other drop-down list, select the directory services domain you want to work with. The form displays the actual contents (folders and Group categories) of your directory service system:
   - Each folder to the left contains the Group categories that are associated with that area of your directory service. You can click a folder node (►) to display the Group categories contained within that folder.
   - The Available Groups box lists a different set of Group categories with each folder you select. For example, clicking the Users folder shows a different set of Group categories than if you click the Laptops folder.
5. In the folder list, click the Group category you want to work with.
6. In the Available Groups list, do the following:
   - Click the check box for each Group you want to synchronize with LEM.
   - Clear the check box for each Group you want to remove from synchronization.
7. Repeat Steps 5 and 6 until you have selected all of the DS Groups you want synchronized with LEM.
8. Click Save. The system synchronizes the DS Groups to LEM and adds them to the Groups grid. The DS Groups are now ready for use with your rules and filters.

Viewing Directory Services Group Members
The Groups grid shows each DS Group that is synchronized with LEM. When you select a DS Group in the Groups grid, the Directory Service Groups pane appears to show the members of that DS Group.

To view a DS Group:
1. Open the Build > Groups view.
2. In the Groups grid, select the DS Group you want to view. The Edit pane opens, showing the Directory Services Group form. The form displays the contents of the Group.
Directory Services Group Grid Columns
The grid in the Directory Services Group form provides information on each specific computer account and user account that is currently associated with the DS Group. The following table describes the meaning of each grid column.

Type: Displays an icon that shows if the group member is a User or a Computer. The computer icon represents a computer account. The person icon represents a user account.
Name: Displays the display name of the group member.
Description: Displays the description associated with the group member in directory services.
SAM Name: Displays the account name of the member.
Principal Name: Displays the principal name of the member.
Distinguished Name: Displays the complete distinguished name of the member.
Date:
Email: Displays the email address of the member.

Deleting DS Groups
You can delete DS Groups from the Console, just as you would any other Group. Deleting a DS Group does not remove the Group from your original directory service. You can restore a DS Group at any time if you ever need to use it again.

Configuring Email Templates
Email templates allow you to create pre-formatted email messages that rules can use to notify you of an alert event. These templates become available in the Actions component list, whenever you drag Send Email Message or Send Pager Message to the Actions box. You will then be prompted to fill in the message variables from the Events or Event Groups lists. You create and manage templates in the Build > Groups view's Email Template form. As with rules, you can add, edit, clone, and delete templates, and you can organize them in folders.

Step 1: Creating the Email Template
This section describes how to create the actual email template. Email templates allow you to report specific information about an alert event, because you can include variables that capture specific parameters about that event.
For example, you can report which server is affected, what time the event occurred, or which Agent was shut down. The possibilities for message templates are endless.
To create an email template:
1. Open the Build > Groups view.
2. In the Groups grid, do one of the following:
- Click the add button and then click Email Template to add a new email template.
- Double-click the email template you want to edit.
The Email Template form appears. If you are editing an existing template, the form shows any parameters that have already been configured for the template.
3. In the Manager list, select the Manager on which this template resides. If you are editing an existing template, this field shows the Manager the template is associated with.
4. In the Name box, type a name for the template. Choose a name that makes it easy to identify the type of event that has occurred, or where or to whom the email message is going.
5. In the From box, type whom the message is from. Typically, this is "SolarWinds" or "Manager."
6. In the Subject line, type a subject for the message. Typically, you will want a subject that indicates the nature of the alert event.
7. Click Save to save the template.

Step 2: Adding Message Parameters
In the Parameters list, you add variables that act as placeholders for specific items within the message text. When the Manager sends the message, it completes the message by filling in the variable parameters with the appropriate text. You can add as many parameters as you like. For example, you may want a message to tell you which Agent or server was affected, or the time the event occurred, so you can create variables for Agents, servers, or time. In the previous example, there are parameters for the server and for the destination computer. If you add too many or unnecessary parameters, you can easily delete the ones you don't need.
To add message parameters:
1.
In the Name box, type the name of the parameter you want to capture in the email message.
2. Click the Add button. The new parameter appears in the Parameters list.
3. Repeat Steps 1 and 2 for each parameter you want to capture in this message.
4. Click Save to save your changes to the template.
To delete a parameter:
1. In the Parameters list, select the parameter you want to delete.
2. Click the Delete button.
3. The parameter disappears from the Parameters list.
4. Click Save to permanently delete the parameter.

Step 3: Creating the message
Now, in the Message box, you create the actual text of the email message.
To create an email template message:
1. In the Message box, type the email message that the Manager is to send when an event occurs, as in the example shown here.
2. In the Parameters list, select a parameter, and then drag it to the appropriate spot in the message text. The parameters serve as placeholders for information that the Manager fills in when it sends the message.
3. Repeat Step 2 for each parameter.
4. When you have finished with the template, click Save. The new template appears in the Groups grid.

Managing email template folders
As with rules and State Variables, you can use the Folders pane to organize your email templates into folders and sub-folders. You can add, rename, move, and delete template folders.

Configuring State Variables
You can use the Groups grid to add, edit, and delete State Variables and the number, text, and time fields associated with each State Variable.
State Variables are used in rules. They represent temporary or transitional states. For example, you can create a State Variable to track the "state" of a particular system, setting it to a different value depending on whether the system comes online or goes offline. You can also configure rules to monitor the contents of a State Variable to validate or invalidate a rule.
For example, you can set a DEFCON value and ensure that the DEFCON value is over 3 before notifying on-call staff.
Note: If you require permanent lists of data that can be preserved over long periods of time, you can use User-Defined Groups in a similar manner.

Adding new State Variable fields
1. Open the Build > Groups view.
2. In the Groups grid, do one of the following:
- To add a new State Variable, click the add button and then click State Variable.
- Double-click the State Variable you want to edit.
- Click the gear icon for the State Variable you want to edit, and then click Edit.
The State Variables pane opens as an editable form. If you are editing an existing State Variable, the form shows any fields that have already been configured.
3. In the Name box, type a name for the State Variable.
4. In the Manager list, select the Manager on which this State Variable is to reside. If you are editing an existing Group, this field shows the Manager on which it resides.
Now add the State Variable fields that make up the Group. Adding State Variable fields is a straightforward process: you name the field, and then select what the variable represents (text, a number, or time).
5. Click the Add button. The Add Variable Field form becomes active.
6. In the Name box, type a name for the State Variable field.
7. In the Type list, select the type of value the field represents: Text, Number, or Time.
8. Click the left Save button to save the field; otherwise, click Cancel. The new State Variable field appears in the State Variables grid, showing the field's name and comparison type.
9. Repeat Steps 5–8 for each field you want to add to the State Variable.
10. Click the rightmost Save button to save the State Variable settings. The new State Variable appears in the Groups grid and in the Rule Builder's State Variables list. You can now incorporate this State Variable whenever you add or edit a rule.
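The following Python sketch is an added example, not LEM code, of how a State Variable with Text, Number, and Time fields can be written by one rule and read as a gate by another. The State Variable name Posture, its fields Status, DEFCON and Changed, the rule names, the DEFCON mapping and the sample events are all constructed for the illustration; the "DEFCON over 3 before notifying on-call staff" gate is the one described above.

```python
"""Added illustration (not LEM code): a State Variable with typed fields,
written by one rule and read as a gate by another."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, List, Union

FieldValue = Union[str, int, float, datetime]
# The three field types offered in the Add Variable Field form.
FIELD_TYPES = {"Text": (str,), "Number": (int, float), "Time": (datetime,)}


@dataclass
class StateVariable:
    """A named Group of typed fields, as built in Build > Groups."""
    name: str
    types: Dict[str, str]                          # field name -> "Text" | "Number" | "Time"
    values: Dict[str, FieldValue] = field(default_factory=dict)

    def set(self, fname: str, value: FieldValue) -> None:
        if fname not in self.types:
            raise KeyError(f"{self.name} has no field {fname!r}")
        if not isinstance(value, FIELD_TYPES[self.types[fname]]):
            raise TypeError(f"{fname} is a {self.types[fname]} field; got {type(value).__name__}")
        self.values[fname] = value

    def get(self, fname: str, default=None):
        return self.values.get(fname, default)


@dataclass
class Rule:
    name: str
    condition: Callable[[dict, StateVariable], bool]
    action: Callable[[dict, StateVariable], str]


def run_rules(events: List[dict], rules: List[Rule], state: StateVariable) -> List[str]:
    """Evaluate each rule against each event in arrival order; return the action log."""
    log: List[str] = []
    for ev in events:
        for rule in rules:
            if rule.condition(ev, state):
                log.append(f"{rule.name}: {rule.action(ev, state)}")
    return log


def make_posture() -> StateVariable:
    """Hypothetical State Variable 'Posture' with one field of each type."""
    return StateVariable("Posture", {"Status": "Text", "DEFCON": "Number", "Changed": "Time"})


def track_status(ev: dict, sv: StateVariable) -> str:
    """Rule action: record the host's state; raise DEFCON while it is offline (constructed mapping)."""
    sv.set("Status", ev["status"])
    sv.set("DEFCON", 5 if ev["status"] == "Offline" else 2)
    sv.set("Changed", ev["time"])
    return f"{ev['host']} is {sv.get('Status')}, DEFCON {sv.get('DEFCON')}"


RULES = [
    Rule("TrackStatus", lambda ev, sv: ev["type"] == "HostStatus", track_status),
    # Notify on-call staff only while the DEFCON field is over 3, per the example above.
    Rule("NotifyOnCall",
         lambda ev, sv: ev["type"] == "Logon" and sv.get("DEFCON", 0) > 3,
         lambda ev, sv: f"page on-call staff: logon by {ev['user']} at DEFCON {sv.get('DEFCON')}"),
]

# Constructed sample events in arrival order.
EVENTS = [
    {"type": "Logon", "user": "alice", "host": "srv1", "time": datetime(2015, 9, 1, 8, 0)},
    {"type": "HostStatus", "status": "Offline", "host": "srv1", "time": datetime(2015, 9, 1, 8, 5)},
    {"type": "Logon", "user": "bob", "host": "srv1", "time": datetime(2015, 9, 1, 8, 10)},
    {"type": "HostStatus", "status": "Online", "host": "srv1", "time": datetime(2015, 9, 1, 8, 20)},
    {"type": "Logon", "user": "carol", "host": "srv1", "time": datetime(2015, 9, 1, 8, 30)},
]


def demo() -> List[str]:
    return run_rules(EVENTS, RULES, make_posture())


if __name__ == "__main__":
    print("\n".join(demo()))
```

Only the logon that arrives while the host is offline (DEFCON 5) pages anyone; the logons before the outage and after recovery (DEFCON 2) do not, which is the validate/invalidate behaviour the text describes. Writing a value of the wrong type into a field raises, mirroring the Type chosen in the Add Variable Field form.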
Editing State Variable fields
1. Open the Build > Groups view.
2. In the Groups grid, do either of the following:
- Double-click the State Variable you want to edit.
- Click the gear icon for the State Variable you want to edit, and then click Edit.
The State Variables pane opens as an editable form.
3. In the fields grid, select the State Variable field you want to edit. The Add Variable Field form becomes active, showing the field's current configuration.
4. Make the necessary changes to the field's Name or Type.
5. Click the form's Save button to apply your changes to the field. The updated field appears in the fields grid.
6. Click the rightmost Save button to save your changes to the State Variable.

Deleting State Variable fields
1. Open the Build > Groups view.
2. In the Groups grid, do either of the following:
- Double-click the State Variable you want to edit.
- Click the gear icon for the State Variable you want to edit, and then click Edit.
The State Variables pane opens as an editable form.
3. In the fields grid, select the field you want to delete.
4. Click the Delete button. The field disappears from the fields grid.
5. Click Save to save the changes to the State Variable.

Managing State Variable Folders
As with rules and email templates, you can use the Folders pane to organize your State Variables into folders and sub-folders. You can add, rename, move, and delete State Variable folders.

Configuring Time of Day Sets
Time of Day Sets are Groups of hours that you can associate with rules and filters. Time of Day Sets allow your rules and filters to take different actions at different times of day. For example, if you define two Time of Day Sets, "Business Hours" and "Outside Business Hours," you can assign different rules to each of them. For instance, you may want your rules to alert your system administrator via email and pager during working hours.
Outside of business hours, you may want your rules to alert your administrator by pager only, and automatically shut down the offending PC. You can create as many Time of Day Sets as you need to reflect all of your business needs. A well-planned group of Time of Day Sets provides you with versatile and responsive rules that perform the way you want, when you want.
Each Time of Day Set you create applies only to the Manager that is selected when you create it. If you need a similar Time of Day Set for another Manager, you must create it separately on that other Manager.

Configuring a Time of Day Set
1. Open the Build > Groups view.
2. In the Groups grid, do either of the following:
- To add a new Time of Day Set, click the add button and then click Time of Day Set.
- Double-click the Time of Day Set you want to edit.
The Edit pane opens, showing the Time of Day Set form.
3. In the Name box, type a name for the new Time of Day Set.
4. In the Description box, type a brief description of the Time of Day Set and its intended use.
5. In the Manager list, select the Manager on which this Time of Day Set is to reside. If you are editing an existing Group, this field shows the Manager on which it resides.
The form has a time grid that lets you define a Time of Day Set for the Manager. The time grid is based on a one-week period and is organized as follows:
- It has seven rows, where each row represents one day of the week.
- It has 24 numbered columns, where each column represents one hour of the day. The white column headers represent morning hours (midnight to noon); the shaded column headers represent evening hours (noon to midnight).
- Each column has two check boxes that divide each hour into two half-hour (30-minute) periods.
Together, the rows, columns, and check boxes divide an entire week into 30-minute periods.
6. In the time grid, click to select the half-hour periods that are to define this Time of Day Set.
For assistance, see the table in "Selecting periods in the time grid," below.
7. Click Save. The new Time of Day Set appears in the Groups grid.

Deleting a connector instance from a Connector Profile
1. In the Connectors grid, click to select the connector instance you want to delete.
2. Click the gear button and then click Delete.
3. At the confirmation prompt, click Yes.
4. Do one of the following:
- Click Activate to apply your changes to every Agent associated with the Connector Profile.
- Click Discard to discard your changes and reload the previous configuration.
5. Click Close to return to the Groups grid.

Configuring User-Defined Groups
User-Defined Groups are groups of preferences that are used in rules and filters. User-Defined Groups allow you to match, include, or exclude events, information, or data fields based on their membership in a particular Group.

Examples of User-Defined Groups
In most cases, User-Defined Groups are used as a type of whitelist or blacklist for choosing which events to include or to ignore. When used by a filter, a User-Defined Group lets you limit the scope of the alerts included in the filter to those items that have membership in a particular Group.
Each User-Defined Group is made up of one or more elements that define the Group. The elements can be almost anything: IP addresses, user names, email addresses, web site URLs, etc. Because of their versatility, the possibilities of User-Defined Groups are almost endless.
For example, you may want to create a Group of trusted IP addresses that you can use in rules and filters. You can then refer to this Group in a rule; for instance, your rule may dictate never to block these IP addresses. Or you may want to create a Group of trusted accounts for the local administrator. You could then format your rules so that they never block these accounts.
Or, because these accounts are trusted, you may want to watch them more carefully so that you are notified whenever they log on or make changes.
You can create as many User-Defined Groups as you need to reflect all of your different rule and filtering needs. Well-planned User-Defined Groups can provide you with the precise feedback and active responses you need to manage and maintain your network security.
Each User-Defined Group you create applies only to the Manager that is selected when you create it. If you need a similar User-Defined Group for another Manager, you must create it separately on that other Manager.

Configuring a User-Defined Group
1. Open the Build > Groups view.
2. In the Groups grid, do one of the following:
- To add a new User-Defined Group, click the add button and then click User-Defined Group.
- Double-click the User-Defined Group you want to edit.
The Edit pane opens, showing the User-Defined Group form. If you are editing an existing User-Defined Group, the form shows any parameters that have already been configured for the Group.
3. In the Name box, type a name for the Group.
4. In the Description box, type a brief description of the Group and its intended use.
5. In the Manager list, select the Manager on which this Group resides. If you are editing an existing Group, this field shows the Manager on which it resides.
6. Make any necessary additions, changes, or deletions to the Group's Element Details grid.
7. Click Save to save your changes to the User-Defined Group.

Adding data elements to a User-Defined Group
Once you have created a User-Defined Group, you can add the data elements that make up the Group.
To add a User-Defined Group's data elements:
1. Open the Build > Groups view.
2. In the Groups grid, double-click the User-Defined Group you want to work with. The Edit pane opens, showing the Group's current configuration.
3.
At the bottom of the Edit pane, click the Add button. The Element Details form becomes active.
4. Complete the Element Details form as described in the following table.
Name: Type a name for the data element.
Data: Type the specific data element that you want to include or ignore in your rules and filters. You can use an asterisk ( * ) as a wild card to include all similar data elements.
Description: Type a detailed description of the data element and its intended use, if appropriate.
In this example, the data elements are a list of anti-virus and firewall processes.
5. Click Save. The new element appears in the data element grid. Note that the grid displays each element's name, data element, and description.
6. Repeat Steps 3–5 for each data element you want to add to the Group.

Editing a data element in a User-Defined Group
1. Open the Build > Groups view.
2. In the Groups grid, double-click the User-Defined Group you want to work with. The Edit pane opens, showing the Group's current configuration.
3. In the form's data element grid, select the data element you want to edit. The Element Details form displays the data element's current configuration.
4. Make the necessary changes to the Element Details form.
5. Click Save to save your changes to the Group. The revised data element appears in the data element grid.

Deleting a data element from a User-Defined Group
1. Open the Build > Groups view.
2. In the Groups grid, double-click the User-Defined Group you want to work with. The Edit pane opens, showing the Group's current configuration.
3. In the form's data element grid, select the data element you want to delete.
4. Click the Delete button. The element is removed from the Group's data element grid.
5. Click Save to save the changes to the Group.

Selecting periods in the time grid
The following table explains how to select periods in the Time of Day Sets time grid.
Select a period: Click an individual check box to select that period.
Select a group of periods: Click and drag to select a range of periods. You can drag up, down, or diagonally.
Move a block of selected hours: Click the block of hours you want to move, holding down the mouse button so the pointer turns into a "grabbing" hand. Then drag the hour block into its new position.
Duplicate a block of selected hours: Press the Ctrl key. Then click the block of hours you want to copy, holding down the mouse button so the pointer turns into a "grabbing" hand. Then drag a copy of the hour block into position.
Invert your selection: Click the Invert button to select the opposite hours of the ones you have manually selected. This feature is useful when you want to select all but a few hours of the day. You can select the hours that do not apply to the Time of Day Set, and then click Invert to automatically select all of the hours that do apply to the Time of Day Set. For example, if you have your business hours selected, clicking Invert selects everything outside of your business hours.
Delete a selected period: Click the check box to clear that selection. You can also click and drag over a range of selected periods to clear those selections.

Configuring Connector Profiles
Most Agents in a network have only a few different connector configurations. Because of this, the Group Builder lets you group Agents that share the same configurations into Connector Profiles. Once you define a Connector Profile, your rules and filters can use it to include or exclude the Agents associated with that profile. You can create as many Connector Profiles as you need to reflect each of your common network security connector configurations. For example, you might set up a standard user workstation profile, a web server profile, etc. SolarWinds provides several default Connector Profiles that address common configurations.
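Before the Connector Profiles discussion continues, here is an added Python example (not LEM code) that models the two Group types covered in the preceding topics: a Time of Day Set as the seven-day by 48-half-hour grid with the Invert operation, and a User-Defined Group whose data elements may use an asterisk wild card. A filter then combines them the way LEM rules and filters reference Groups. The Group names, their members, the account names, IP addresses and logon events are all constructed for the illustration.

```python
"""Added illustration (not LEM code): Time of Day Sets and User-Defined Groups
used together as filter conditions."""
from datetime import datetime
from fnmatch import fnmatchcase
from typing import Iterable, List, Set, Tuple

Period = Tuple[int, int]  # (weekday, half-hour slot): Monday = 0, slot 0 = 00:00-00:29


class TimeOfDaySet:
    """The time grid: 7 rows (days) x 24 columns (hours) x 2 check boxes (30 min)."""
    SLOTS_PER_DAY = 48

    def __init__(self, name: str):
        self.name = name
        self.selected: Set[Period] = set()

    def select_range(self, days: Iterable[int], start: str, end: str) -> "TimeOfDaySet":
        """Click-and-drag: select [start, end), given as 'HH:MM', on each listed day."""
        first, last = self._slot(start), self._slot(end)
        for day in days:
            self.selected.update((day, s) for s in range(first, last))
        return self

    def invert(self) -> "TimeOfDaySet":
        """The Invert button: select exactly the periods that are not selected."""
        everything = {(d, s) for d in range(7) for s in range(self.SLOTS_PER_DAY)}
        inverted = TimeOfDaySet(f"Outside {self.name}")
        inverted.selected = everything - self.selected
        return inverted

    def contains(self, when: datetime) -> bool:
        slot = when.hour * 2 + (1 if when.minute >= 30 else 0)
        return (when.weekday(), slot) in self.selected

    @staticmethod
    def _slot(hhmm: str) -> int:
        hour, minute = (int(part) for part in hhmm.split(":"))
        if minute not in (0, 30) or not 0 <= hour <= 24:
            raise ValueError(f"{hhmm}: the grid resolution is 30 minutes")
        return hour * 2 + minute // 30


class UserDefinedGroup:
    """Data elements such as IP addresses or account names; '*' is a wild card."""

    def __init__(self, name: str, elements: Iterable[str]):
        self.name = name
        self.elements = list(elements)

    def matches(self, value: str) -> bool:
        return any(fnmatchcase(value, element) for element in self.elements)


# Constructed Groups with hypothetical names and members.
BUSINESS_HOURS = TimeOfDaySet("Business Hours").select_range(range(0, 5), "08:00", "18:00")
OUTSIDE_HOURS = BUSINESS_HOURS.invert()
TRUSTED_IPS = UserDefinedGroup("Trusted IPs", ["10.0.5.*", "192.168.1.10"])
ADMIN_ACCOUNTS = UserDefinedGroup("Local Admins", ["Administrator", "svc_*"])


def after_hours_admin_logon(event: dict) -> bool:
    """Filter: an admin account logs on outside business hours from a non-trusted address."""
    return (ADMIN_ACCOUNTS.matches(event["account"])
            and OUTSIDE_HOURS.contains(event["time"])
            and not TRUSTED_IPS.matches(event["source_ip"]))


# Constructed logon events (1 Sep 2015 is a Tuesday, 5 Sep 2015 a Saturday).
EVENTS = [
    {"account": "Administrator", "source_ip": "203.0.113.7",  "time": datetime(2015, 9, 1, 23, 15)},
    {"account": "Administrator", "source_ip": "10.0.5.44",    "time": datetime(2015, 9, 1, 23, 45)},
    {"account": "svc_backup",    "source_ip": "198.51.100.2", "time": datetime(2015, 9, 1, 9, 30)},
    {"account": "jdoe",          "source_ip": "198.51.100.2", "time": datetime(2015, 9, 5, 3, 0)},
    {"account": "svc_backup",    "source_ip": "198.51.100.2", "time": datetime(2015, 9, 5, 3, 0)},
]


def flagged(events: List[dict]) -> List[Tuple[str, str]]:
    """(account, source_ip) for every event the filter includes."""
    return [(e["account"], e["source_ip"]) for e in events if after_hours_admin_logon(e)]


if __name__ == "__main__":
    for account, ip in flagged(EVENTS):
        print(f"after-hours admin logon: {account} from {ip}")
```

The Invert step is what makes "Outside Business Hours" exact: the two sets partition all 336 half-hour periods of the week, so a weekend logon is outside business hours even though no weekend hour was ever clicked. The wild card follows the table above literally: "10.0.5.*" matches every address in that range, so a trusted-source logon is excluded from the filter even late at night.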
One of the great benefits of using Connector Profiles is that you can maintain all of the Agents in a profile at once by updating only the Connector Profile's connector configuration. The Group Builder then propagates your changes to all of the Agents in the profile. A well-planned set of Connector Profiles provides you with a versatile and efficient method to update and maintain your Agents' connector configurations.

Connector Profile Rules
- An Agent can be a member of only one Connector Profile. It cannot be in multiple profiles.
- Each Connector Profile you create applies only to the Manager that is selected when you create it. If you need a similar Connector Profile for another Manager, you must create it separately for the other Manager.

Creating a Connector Profile (general procedure)
Connector Profiles are created in the Build > Groups view. Creating a Connector Profile is a two-step process:
1. Select the Agent that is to act as a template for the profile.
2. Add the Agents that are to be members of the profile.
Upon saving, the system applies the template Agent's connector configuration to every other Agent that you added to the profile.
When you select an Agent for use as a template, select one whose configuration is very similar to how you want the profile's final connector configuration to look. One trick is to prepare a template Agent in advance by manually configuring an Agent that you know will be a member of the new profile. Edit its connectors exactly how you want them, and then use the Agent as the template for the new profile. This minimizes your need to edit the profile's connector configuration later on.
The complete procedure for creating a Connector Profile is given below.

Step 1: Selecting a template for the profile
In this procedure, you will create, name, describe, and select a template for the new Connector Profile.
To create a Connector Profile:
1. Open the Build > Groups view.
2.
On the Groups grid connector bar, click the add button and then click Connector Profile. The Connector Profile form appears.
3. In the Name box, type a name for the Connector Profile.
4. In the Description box, type a brief description of the Connector Profile and its intended use.
5. In the Manager list, select the Manager on which this Connector Profile is to reside. If you are editing an existing Group, this field shows the Manager on which it resides.
Note: If the Manager you want is not listed, go to Manage > Appliances and log on to that Manager. You must be logged on to a Manager before you can create Groups for it.
6. In the Template list, select the Agent with the connector configuration this profile is to be based on. If you do not want to use a template, select None.
Note: For best results, always select a template when creating a new Connector Profile. Otherwise, the profile will delete the connectors on every Agent in the profile. If you do not want to use a template, be sure to click Edit Connectors and add connectors to the profile before you add Agents and save the profile. If you do not, there will be no connectors in the profile, and upon saving, any Agents in that profile will have theirs deleted.
7. Click Save. The new Connector Profile appears in the Groups grid.

Step 2: Selecting the Agents that are members of the profile
Now you will select the Agents that are to be members of the Connector Profile. These Agents are governed by the Connector Profile's connector configuration.
The Connector Profile form contains two list boxes. The Available Agents box lists each Agent that is associated with the Manager but is not in the Connector Profile. The Selected Agents box lists those Agents that are in the Connector Profile.
To add Agents to a Connector Profile:
1. In the Groups grid, locate the new Connector Profile you just created.
2.
Double-click the Connector Profile to re-open it. The profile appears in the Connector Profile form. The Agent you selected as a template appears in the Selected Agents list by default.
3. In the Available Agents list, select an Agent that you want to add to the Connector Profile. Or, in the Selected Agents list, select an Agent that you want to remove from the Connector Profile.
4. Use the appropriate arrow button to add or remove Agents to or from the profile. The four arrow buttons work as follows:
- Moves the selected Agent from the Available Agents list to the Selected Agents list (and into the profile).
- Moves all Agents from the Available Agents list to the Selected Agents list (and into the profile).
- Moves the selected Agent from the Selected Agents list to the Available Agents list (and out of the profile).
- Moves all Agents from the Selected Agents list to the Available Agents list (and out of the profile).
5. Click Save to save the Connector Profile. Upon saving, the system applies the template Agent's connector configuration to every other Agent that you added to the profile.
Note: If you remove an Agent from a Connector Profile that was previously saved with that profile, the Agent retains the profile's connector configuration, but it no longer has membership in the profile.

Troubleshooting tip
At times, not all of the Agents in a Connector Profile use the same logging path for a particular connector. You can verify this by checking the Agent's configured connector status. If a connector has a status of (Not Running), it is likely that the connector has a different logging path. To correct this problem, you may want to add another connector instance to the profile's connector catalog that points to the alternative logging path. Or, you can create a new profile that has the alternative logging path.
Editing a Connector Profile's Connector Settings
When editing a Connector Profile, you can use the Connector Profile form's Edit Connectors command to add, edit, or delete the connector instances associated with the profile. Be aware that when you change a Connector Profile, you change the connector configuration of every Agent that is associated with that Connector Profile.
When editing an individual Agent, you have to stop and start each connector instance, because you are making direct changes to the running configuration of the Agent. But when editing a Connector Profile's configuration, you do not need to stop or start each connector instance; however, you must still activate the changes. This difference is because any time you edit a Connector Profile's connector configuration, you are working on the profile's configuration data, not an actual Agent. When editing a Connector Profile, you do not actually change the Agents that are members of the profile until you click Activate. Upon activating, the system automatically sends the changes out to every Agent that is a member of that profile, stops each connector instance, makes the changes, and then restarts each connector instance.

Opening a Connector Profile's Settings
1. Open the Build > Groups view.
2. In the Groups grid, locate the Connector Profile you want to edit.
3. Do one of the following:
- Double-click the Connector Profile you want to edit.
- Click the gear button and then click Edit.
The Connector Profile pane opens, showing the Agents that are in the profile.
4. At the bottom of the Connector Profile pane, click Edit Connectors. The Connector Configuration for [Connector Profile] form appears. The form's Connectors grid contains all of the connector instances that define the Connector Profile.

Adding a New Connector Instance
1. On the Connectors grid, select the connector you want to configure.
2. Click New.
3.
Update the connector settings using the Properties form.
4. Click Save.
5. Do one of the following:
- Click Activate to apply your changes to every Agent associated with the Connector Profile.
- Click Discard to discard your changes and reload the connectors' previous configuration.
6. Click Close to return to the Groups grid.

Editing a Connector Profile's Connector Settings
1. In the Connectors grid, select the connector instance you want to edit.
2. Click the row's gear button and then click Edit.
3. In the Properties form, update the connector settings as needed.
4. Click Save.
5. Do one of the following:
- Click Activate to apply your changes to every Agent associated with the Connector Profile.
- Click Discard to discard your changes and reload the connectors' previous configuration.
Note: At times, not all of the Agents in a profile use the same logging path for a particular connector. You can verify this by checking the Agent's configured connector status. If a connector has a status of (Not Running), it is likely that the connector has a different logging path. To correct this problem, you may want to add another instance to the Connector Profile's connector catalog that points to the alternative logging path. Or, you can create a new profile that has the alternative logging path.
6. Repeat this procedure for each connector instance you want to reconfigure.
7. Click Close to return to the Groups grid.

Managing Rules
The topics in this section explain how to manage your rules. Many management tasks can be done from the Rules grid, or in Rule Builder as you are configuring a rule.

Creating Rules
In the Build > Rules view, the Rule Creation tool is used to configure new rules and to edit existing rules. Like filters, you create rules by configuring conditions between alert variables and other components, such as Time of Day Sets, User-Defined Groups, Constants, etc. However, rules go a step further.
They let you correlate alert variables with other alerts and their alert variables. By correlate, we mean you can specify how often and in what time frame the correlations must be met before the rule is triggered. The combined correlations dictate when the rule is to initiate an active response.
You can configure rules to fire after multiple alerts occur. The Manager remembers alerts if they meet the rule's basic conditions and waits for the other conditions to be met too. If they are, the Manager fires the rule. The rule does not take action until the alerts meet all of the conditions and correlations defined for that rule.
The possibilities for rules are endless. Therefore, this section describes how to create rules only in very general terms. This section is not intended to be a tutorial, but rather a reference for you to fall back on if you are unclear about how any part of Rule Creation works.
Caution: Practice with filters before creating rules
The connectors in Rule Creation are very similar to those found in Filter Creation. However, filters report event occurrences; rules act on them. There is no harm if you create a filter that is unusual or has logic problems. But this is not always the case with rules. Rules can have unexpected and sometimes unpleasant consequences if they are not configured exactly as you intend them to be. Inexperienced users should use caution when creating rules. Creating filters is an excellent way to familiarize yourself with the logic and connectors needed to create well-crafted rules. You should only begin configuring rules after you are at ease with configuring filters. Even then, always test your rules before implementing them.

Rule Creation Features
The topics in this section describe the key features of the Rule Creation view, the rule window, and the Correlations box, which are all used to configure and edit policy rules.
- The Rule Creation view is a different view of the Rules view that allows you to configure and edit policy rules.
- The rule window is the window that you use to view, configure, and edit your policy rules.
- The Correlations box is a component of the rule window that is used to configure the specific correlations that define the rule.
The following table describes the key features of the Rule Creation view. The topics that follow discuss some of these features in greater detail.
Back to Rules Listing: Click this button to hide Rule Creation and return to the Rules grid. Rule Creation remains open in the background, so you can return to it to continue working on your rules. In the Rules grid, clicking Back to Rule Creation returns you to Rule Creation.
List pane: The list pane is the "accordion" list to the left. It contains categorized lists of the components you can use when configuring policy rules. It behaves exactly like the list pane in Filter Creation. To view the contents of a component list, click its title bar. To add a component to a rule, select it from its list and then drag it into the appropriate correlation box.
Rule window: Each rule you create or edit appears in its own rule window. This is where you name, describe, configure, edit, test, verify, and enable each rule. You can have multiple rule windows open at the same time. You can also minimize, maximize, resize, and close each window, as needed.
Minimized rule window bar: Any minimized rule windows appear in the bar at the bottom of the Rule Creation pane, behind the active rule window. Each minimized window shows the name of its rule. Clicking a minimized rule opens that rule in the Rule Creation pane.

Advanced Thresholds
Whenever a Group threshold or the Correlation Time form's Events within box has a value greater than 1, the Set Advanced Thresholds button becomes enabled.
This button opens the Set Advanced Thresholds form, so you can define an alert event threshold and the re-inference period for that threshold. The threshold tells the Manager which specific alert fields to monitor to determine whether a valid alert event has occurred (that is, when to "count" the alert). For example:
- Threshold event x must occur multiple times on the same destination computer with the frequency defined in the Correlation Time box.
- Or, threshold event y must occur on different destination computers with the frequency defined in the Correlation Time box.
When the threshold event counter increases to the number shown in the Events box, the threshold itself becomes true and triggers the next set of conditions in the rule.

Opening the Set Advanced Threshold form
- In the Correlations box, click the Set Advanced Thresholds button on the nested group you want to work with.
- In the Correlation Time box, click the Set Advanced Thresholds button.

Setting an advanced threshold
1. Open the Set Advanced Thresholds form.
2. Select the Re-Infer (TOT) check box if you want to define a second threshold. Then use the adjacent fields to type or select the threshold's time interval and unit of measure.
The Re-Infer (TOT) option defines the period for which an alert must remain above the threshold before the system issues a new notification and/or active response. For example, suppose an alert has exceeded the threshold, and the alert's Re-Infer (TOT) period is 1 Hour. If the alert stays above the threshold for more than 1 hour, the system issues an additional notification or active response at the end of 1 hour.
To add a Threshold field:
1. Click to open the Set Advanced Thresholds form.
2. At the bottom of the form, click Add. The Available Fields pane has two boxes. The top box lists all of the alerts that have been applied to the rule's Correlations box. The bottom box lists the alert fields associated with whichever alert is currently selected in the top box.
3.
In the top Available Fields box, select an alert. The fields associated with that alert appear in the lower Available Fields box. 4. In the lower Available Fields box, select the alert field that is to help define the alert threshold. 5. Below the Available Fields boxes, there is a drop-down list. It is called the Select Modifier list. In the Select Modifier list, select the appropriate option: 279 Editing threshold fields l l 6. Click Select Same if the threshold is to be defined by the selected field being the same multiple times. Select Distinct if the threshold is to be defined by the selected field being different each time. . The field and its modifier appear in the Selected Fields grid. 7. Repeat Steps 2 – 6 for any additional threshold fields. 8. Click OK to save the fields to the threshold and close the form; otherwise, click Cancel.These fields now raise the threshold for the correlation event and its active response to occur. Editing threshold fields You cannot actually edit a threshold field. Instead, you must delete it, and then replace it with a corrected field configuration. To replace a threshold field: 1. Click to open the advanced threshold you want to work with. 2. In the Selected Fields list, click to remove the field you want to change. 3. In the Available Fields list, select the appropriate alert, and then the alert field. 4. in the Select Modifier list, select the new modifier for the field (Same or Distinct). 5. Click . The corrected field and its modifier appear in the Selected Fields box. 6. Click OK to close the form. Deleting a threshold field 1. Click to open the advanced threshold you want to work with. 2. In the Selected Fields list, select the field you want to delete. 280 Chapter 13: Advanced Configurations 3. Click the Delete button. The threshold field disappears from the Selected Fields list. 4. Click OK to close the form. 
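The two threshold shapes described above (event x several times on the same destination computer, or event y on several different destination computers, within the Correlation Time window, plus an optional Re-Infer (TOT) period) can be modelled as a small counter. The following Python is an added example, not SolarWinds code or LEM's implementation; the event dictionaries, the field name DestinationMachine and the alert names event_x and event_y are constructed for illustration.

```python
"""Model of LEM-style correlation thresholds (added example, not SolarWinds code).

Constructed assumptions: an event is a dict with a "time" in seconds, an
"alert" type name and arbitrary alert fields. The field name
"DestinationMachine" and the alert names "event_x"/"event_y" are illustrative.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional


@dataclass
class ThresholdField:
    """One row of the Selected Fields grid: an alert field plus its modifier."""
    name: str
    modifier: str  # "Same" or "Distinct"


@dataclass
class AdvancedThreshold:
    """'Events within [time]' plus the Set Advanced Thresholds settings."""
    events_within: int              # Events box; > 1 enables the Advanced form
    window_seconds: float           # Correlation Time span
    fields: List[ThresholdField]    # Selected Fields (Same / Distinct)
    reinfer_seconds: Optional[float] = None  # Re-Infer (TOT); None = off
    _recent: Deque[Dict] = field(default_factory=deque)
    _last_fired: Optional[float] = None

    def _matching_count(self, event: Dict) -> int:
        """How many events in the window 'count' toward the threshold for `event`.

        Same fields: an earlier event only counts if it carries the same value
        as the current event. Distinct fields: count unique value tuples, so a
        repeat of an already-seen value does not raise the counter.
        """
        same = [f.name for f in self.fields if f.modifier == "Same"]
        distinct = [f.name for f in self.fields if f.modifier == "Distinct"]
        peers = [
            e for e in self._recent
            if e["alert"] == event["alert"]
            and all(e.get(n) == event.get(n) for n in same)
        ]
        if not distinct:
            return len(peers)
        return len({tuple(e.get(n) for n in distinct) for e in peers})

    def process(self, event: Dict) -> str:
        """Feed one event and report what the threshold does with it.

        "below"        counter has not reached events_within
        "fired"        threshold just became true (next conditions run)
        "suppressed"   still above, but inside the Re-Infer (TOT) period
        "re-inferred"  still above after a full TOT period: notify again
        """
        now = event["time"]
        # Drop events that have fallen out of the Correlation Time window.
        while self._recent and now - self._recent[0]["time"] > self.window_seconds:
            self._recent.popleft()
        self._recent.append(event)

        if self._matching_count(event) < self.events_within:
            self._last_fired = None       # no longer above the threshold
            return "below"
        if self._last_fired is None:
            self._last_fired = now
            return "fired"
        if self.reinfer_seconds is not None and now - self._last_fired >= self.reinfer_seconds:
            self._last_fired = now
            return "re-inferred"
        return "suppressed"


def run(threshold: AdvancedThreshold, events: List[Dict]) -> List[str]:
    """Replay constructed events through one threshold, oldest first."""
    return [threshold.process(e) for e in sorted(events, key=lambda e: e["time"])]


# Constructed sample streams (not real LEM data).
# Case 1 ("same destination computer"): event_x 3 times on one host within 60 s.
SAME_HOST_EVENTS = [
    {"time": 0, "alert": "event_x", "DestinationMachine": "host-a"},
    {"time": 10, "alert": "event_x", "DestinationMachine": "host-b"},
    {"time": 20, "alert": "event_x", "DestinationMachine": "host-a"},
    {"time": 30, "alert": "event_x", "DestinationMachine": "host-a"},
    {"time": 100, "alert": "event_x", "DestinationMachine": "host-a"},  # window expired
]
# Case 2 ("different destination computers"): event_y on 3 distinct hosts
# within 60 s, with a 30 s Re-Infer (TOT) period.
DISTINCT_HOST_EVENTS = [
    {"time": 0, "alert": "event_y", "DestinationMachine": "host-a"},
    {"time": 5, "alert": "event_y", "DestinationMachine": "host-a"},   # repeat, not distinct
    {"time": 10, "alert": "event_y", "DestinationMachine": "host-b"},
    {"time": 15, "alert": "event_y", "DestinationMachine": "host-c"},
    {"time": 20, "alert": "event_y", "DestinationMachine": "host-c"},
    {"time": 50, "alert": "event_y", "DestinationMachine": "host-a"},  # 35 s above: re-infer
]


def same_host_threshold() -> AdvancedThreshold:
    return AdvancedThreshold(3, 60, [ThresholdField("DestinationMachine", "Same")])


def distinct_host_threshold() -> AdvancedThreshold:
    return AdvancedThreshold(3, 60, [ThresholdField("DestinationMachine", "Distinct")],
                             reinfer_seconds=30)


if __name__ == "__main__":
    print(run(same_host_threshold(), SAME_HOST_EVENTS))
    print(run(distinct_host_threshold(), DISTINCT_HOST_EVENTS))
```

Note how the two repeats of host-a in the second stream never raise the Distinct counter, and how the event at t=100 in the first stream starts a fresh count once the earlier events have aged out of the 60 s window.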
Using the Actions box

In Rule Creation, the Actions box defines which action response the Manager is to take whenever the correlation events specified by the rule occur. You can assign more than one action to a rule. For example, you may want to shut down an Agent, and then notify your system administrator of the event via email.

The fields in the Actions box indicate where the action is to be performed, what the action is supposed to do, and to whom it is supposed to happen. For example, if you want a rule to disable a user, you could select the action called Disable Domain User Account. For the action to apply, you must specify which account you want to disable, and where you want to disable it (that is, which Agent).

Using constants and fields to make actions flexible

When configuring an action, you can assign constants that define fixed parameters for a rule, or you can assign alert fields (from the alerts in the Correlations box). Fields determine a rule’s parameters when some degree of flexibility is required.

Constants and fields both have their uses, but fields can provide actions with a great deal of flexibility. Say you have two network users: Bob and Jane. To disable Bob’s user account, you could assign a constant to the rule that explicitly represents Bob’s account. But doing so limits the rule to Bob's account. If instead you assign a field to the rule, the rule can be interpreted as follows: “When user activity meets the conditions in the Correlations box to prompt the Disable Domain User Account action, use the alert's UserDisable.SourceAccount field to determine which user account to disable.” If Bob triggered the rule, the Manager disables Bob’s account. If Jane also triggers the rule, the Manager disables her account, too.

Configuring a Rule’s Actions

Use the following high-level procedure to configure a rule’s actions.

To configure a rule's actions:

1. In the list pane, click the Actions list to open it.
2. Select the action you want, then drag it to the rule window’s Actions box. The top left of the Actions box shows the name of the action that is to be taken. In most cases, the Actions form prompts you for specific parameters about the computer, IP address, port, alert, user, etc., that is to receive the action.
3. Use the list pane to assign the appropriate alert field or constant to each parameter:
   • In the Events or Event Groups lists, select an appropriate alert field for each parameter, and drag it to the appropriate parameter box in the Actions form.
   • When needed, in the Constants list, select a constant for a parameter, and then drag it to the appropriate parameter box in the Actions form. Typically, you will select a text constant. Once the constant is in place, double-click the parameter box to edit the constant.
4. Click Save to save your changes.

Adding a New Rule

Follow this general procedure whenever you want to create a new rule. Be sure to test your rules before fully implementing them. Testing helps ensure that your rules do not cause any unpleasant consequences.

To add a new rule:

1. Open the Build > Rules view.
2. On the Rule grid connector bar, click the button that opens Rule Creation. The Rule Creation connector appears.

Note: At any time while you are configuring a rule, you can click the Back to Rules Listing button to return to the Rules grid. Rule Creation remains open in the background.

3. In the Name box, type a name for the rule. Note that the name also appears on the form’s title bar.
4. In the on list, select the Manager on which this rule is to reside.
5. In the in list, select the folder and sub-folder in which this rule is to be stored in the Folders pane.
6. In the Description box, type a complete description of the rule, such as its use, purpose, or behavior.
7. Configure the rule's correlations.
8. If needed, configure the rule's correlation time and advanced threshold.
9. Configure the rule's active response.
10. Apply the appropriate Enabled, Test, and Subscription settings.
   • To assign rule subscribers, click the Subscribe list, and then click the check box for each user who is to subscribe to the rule.
   • If you want to use the rule immediately upon saving it, select the Enabled check box.
   • If you want to operate the rule in test mode before fully activating it, select the Test check box. It is highly recommended that you operate each new rule in test mode to confirm that the rule behaves as expected.
11. When you are satisfied with the rule’s configuration, click Save. The Rules grid appears. The new rule appears in the Rules grid and in the Folders pane, in the folder you designated for the rule.

Note: You can also click Apply to save your changes without closing the form.

12. To begin using (or testing) the rule, click Activate Rules.

Rule Window Features

Each rule you create or edit appears in its own rule configuration window. You use these windows to design and edit custom policy rules: to name, describe, configure, edit, enable, and test them. The following table describes each key feature and field of a rule window.

Title bar
Each rule you create or edit appears in its own configuration window. Upon naming a rule, the window’s title bar displays the name of the rule. You can also use the title bar to minimize, maximize, and resize the rule window. Minimized rule windows appear at the bottom of the Rule Creation pane.

Name
Type a name for the rule.

on
When creating a new rule, use this list to select which Manager the rule is to be associated with. When editing a rule, this field displays which Manager the rule is associated with.

in
Select the folder (in the Folders pane) in which the rule is to be stored.
Description
Type a description of what the rule does, or the situation for which the rule is intended. If the description extends beyond the visible area of the text box, a larger text box appears, so you can type a detailed description of the rule, its logic, its expected behavior, and its active response. When you are done typing, either press Tab or click anywhere outside the text box to close it.

Enable
Select this check box to enable the rule. Clear this check box to disable the rule.

Test
Select this check box to place the rule in test mode. Clear this check box to take the rule out of test mode. Note: You must enable a rule before you can test it.

Subscribe
Use this list to select which Console users are to subscribe to the rule. The system notifies the subscribing users' Consoles each time one of the subscribed-to rules triggers an alert. The alerts appear in their alert grid.

Rule Status
The Rule Status bar lists warnings and error messages about your rule's current configuration logic.
• Click > to view a list of warning and error messages.
• Click a message flag to view detailed information about the nature of that problem.
• Click a message to highlight the specific area or field that is the source of that problem.

Correlations
Use the Correlations box to configure correlations between groups of alert events. You can coordinate multiple alert events into a set of conditions that will prompt the Manager to issue a particular active response. You set up correlations by dragging items from the Events and Event Groups lists into this box, and then setting the specific conditions for the alert that are to prompt action. The Correlations connector bar lets you group alert conditions and determine whether they must all apply (an AND correlation) or whether any of them may apply (an OR correlation) to prompt a response.
Correlation Time
Use the Correlation Time box to establish the allowable frequency and time span in which the correlation events must occur before the rule applies. The Advanced section lets you define an alert event threshold and the re-inference period for the threshold. The threshold tells the Manager which specific fields to monitor to determine if a valid alert event has occurred (that is, when to “count” the alert). The Advanced section also lets you define a Response Window, which lets the rule ignore any events that occur outside (past or future) of the established period.

Actions
Use the Actions box to dictate which actions the rule is to execute when the events described in the Correlations and Correlation Time boxes occur. Examples of actions include sending an email message to your system administrator, or blocking an IP address.

Undo/Redo
Click the Undo button to undo your last desktop action. You can click the Undo button repeatedly to undo up to 20 steps. Click the Redo button to redo a step that you have undone. You can click the Redo button repeatedly to redo up to 20 steps. You can only use Undo or Redo for steps you made since the last time you clicked Apply.

Save/Cancel/Apply
Use these commands to save or cancel your work:
• Click Save to save your changes to a rule and close the rule window.
• Click Cancel to cancel any changes you have made to a rule since the last time you clicked Save, and close the rule window. If you have any unsaved changes, the system prompts you to save or discard them.
• Click Apply to save your changes to a rule but keep the rule window open so you can continue working. You can click Apply at any time.

Correlations Box Features

To create a rule, you drag items from the list pane into the rule window’s Correlations box to configure the relationships (or correlations) that define the rule.
These correlations define the events that must occur for the rule to take effect. Creating rule correlations is a lot like configuring conditions for custom filters, so the Correlations box in Rule Creation behaves a lot like the Conditions box in Filter Creation. The following table describes each item shown in the Correlations box above.

► / ▼
Groups can be expanded or collapsed to show or hide their settings:
• Click ► to expand a collapsed group.
• Click ▼ to collapse an expanded group.
Once a group is configured properly, you may want to collapse it to avoid accidentally changing it.

Group button
This button appears at the top of every group box. Click it to create a new group within the group box. A group within a group is called a nested group. You may then drag alert variables and other items from the list pane into the nested group box. By using nested groups, you can refine correlations by combining or comparing one group of correlations to another to create the logic for complex correlations. Each group is subject to AND and OR relationships with the groups around it and within it. By default, new groups appear with AND comparisons.

Threshold button
This button opens the Threshold form for a group. The Threshold form is described below.

Delete button
This button appears at the top of every Group box and every correlation. Click it to delete a correlation or a particular group. Deleting a group also deletes any groups that are nested within that group.

Event variable
From the Events, Event Groups, or Fields list, drag an alert, Event Group, or alert field into the Correlations box. This is called the alert variable. A rule can have multiple alerts and Event Groups in its correlation configuration. You can think of an alert variable as the subject of each group of correlations.
As alerts stream through the Manager, the rule analyzes the values associated with each alert variable to determine if the alert meets the rule’s conditions. If so, the Manager either initiates an active response, or stores the alert for comparison with other alerts that may occur within the rule's allotted time frame.

Operators
Whenever you drag a list item or a field next to an alert variable, an operator icon appears between them. The operator states how the rule is to compare the alert variable to the other item to determine if the alert meets the rule’s conditions.
• Click an operator to cycle through the various operators that are available for that comparison. Keep clicking until you see the operator you want to use.
• Ctrl+click an operator to view all of the operators that are available for that comparison. Then click to select the specific operator you want to use.

List item
List items are the various non-alert items from the list pane. You drag and drop them into groups to define rule correlations based on your Time Of Day Sets, Connector Profiles, User-Defined Groups, Constants, etc. Some alert variables automatically add a blank Constant as their list item. You can overwrite the Constant with another list item, or you can click the Constant to type or select a specific value for it. Each list item has an icon that corresponds to the list it came from. These icons let you quickly identify what kinds of items are defining your rule’s correlations.

Threshold
The Threshold section lets you define a threshold for the correlations in a Group box. You can think of a threshold as a correlation frequency for the grouping; that is, the number of times the events defined by the group must occur within a specified period before the rule takes effect. A group threshold behaves exactly like the threshold in the Correlation Time box.

Set Advanced Threshold button
This is the Set Advanced Threshold button.
Whenever a group threshold’s number of Events within [time] is greater than 1, this button becomes enabled so you can open the Set Advanced Thresholds form. This form lets you specify advanced threshold fields and define an advanced response window for the alert fields within the grouping.

AND / OR
Rule correlations and groups of correlations are subject to AND and OR comparisons. If you click an AND operator, it changes to an OR, and vice versa.

Editing Rules

Whenever you need to edit a rule’s name or configuration, you use the Rule Creation connector to make the necessary changes to the rule. When needed, you can edit multiple rules at the same time.

It is not necessary to disable a rule before editing it. When you edit a rule, you are editing a local copy until you save and activate it. If the rule was enabled when you began editing it, it continues to be enabled while you work on the new version. When you save the new version and then click Activate Rules, the Manager replaces the original rule with the new version.

To open rules for editing:

1. Open the Build > Rules view.
2. In the Folders pane, click the folder that contains the rules you want to edit. The Rules grid displays the rules associated with the selected folder and its sub-folders.
3. In the Rules grid, click to select the rule (or rules) you want to edit.
4. Open the rules for editing as follows:
   • To edit a single rule, either double-click the rule, or click the row's gear button and then click Edit.
   • To edit multiple rules, click the grid's gear button and then click Edit.

Rule Creation appears, showing the rule’s current configuration. If you opened multiple rules, they all appear as "cascaded" windows. You may now edit the rules.

Locked rules

If a prompt like the one shown here appears, it means another user is already editing one of the selected rules and has those rules "locked."
In this case, you can do either of two things:
• You can proceed in a read-only fashion, which allows you to see the details of a rule.
• You can break the lock and take control over the rule, which means the other person will not be able to save any changes he or she makes to the rule.

To edit the rule:

1. Use Rule Creation to make any necessary changes to the rule’s name, Manager, folder, description, enabled status, test-mode state, correlations, correlation time, or actions.
   • If you want to use the rule immediately upon saving it, select the Enable check box.
   • If you want to try the rule in test mode, select the Test check box.
2. Click Save. The Rules grid appears.
3. To begin using (or testing) the rule’s new configuration, click Activate Rules.

Subscribing to a rule

You can assign rules to specific Console users, which means those users subscribe to those rules. The system notifies the subscribing users' Consoles each time one of the subscribed-to rules triggers an alert. The alerts appear in their Monitor view’s alert grid.

Rule subscriptions can be used in conjunction with filters and reports to monitor activity for specific rules. Each user can subscribe to as many different rules as needed. You can assign subscriptions in Rule Creation while you are creating the rule, or at any time later directly from the Rules grid.

To manage rule subscribers from the Rules grid:

1. Open the Build > Rules view.
2. In the Folders pane, click the folder that contains the rule you want to work with.
3. In the Rules grid, select the rules you want to work with.
4. On the Rules grid connector bar, click Subscribe. The Subscribe list opens. It only includes those Console users who are associated with the same Manager as the selected rule. A check box with a gray background means the user already subscribes to one or more of the selected rules, but not all of them.
5. Select the check box for each Console user who is to subscribe to the selected rules:
   • Select an empty user's check box to have that user subscribe to all of the selected rules.
   • Clear a gray user's check box to remove the user's subscription to all of the selected rules.
   • Clear a gray user's check box and then select it again to have that user subscribe to all of the selected rules. Remember, these users are already subscribed to some rules, but not all of them. This procedure assigns all of the selected rules to that user.
   If you have multiple rules selected, each subscription change affects every selected rule.
6. Click Subscribe again to close the list. The selected Console users now subscribe to the selected rules.

To add rule subscribers from Rule Creation:

1. With a rule open in Rule Creation, click Subscribe. The Subscribe list opens. It only includes those Console users who are associated with the same Manager as the selected rule.
2. Manage the rule's subscribers as follows:
   • Select the check box for each Console user who is to subscribe to this rule.
   • Clear the check box for each subscriber who is no longer to subscribe to this rule.
3. Click Subscribe again to close the list.
4. Click Save. The selected Console users now subscribe to the rule.

Enabling a rule

The Manager only uses rules that are enabled and ignores all other rules. Therefore, the Manager cannot use rules until you enable them. You can enable rules from the Rules grid, or directly from Rule Creation. In either case, the Enable check box lets you turn a rule on and off.

Note: In the Rules grid, you can enable multiple rules at the same time. However, this command acts as a toggle on each individual rule that is selected. For example, if one rule is disabled and another is enabled, performing this command on both rules at the same time inverts the settings of both rules.
So the first rule would become enabled, and the second would become disabled. Therefore, when performing this command on multiple rules, you will typically want to select only those rules that already have the same Enabled/Disabled state.

To enable rules from the Rules grid:

1. Open the Build > Rules view.
2. In the Folders pane, select the folder that contains the rules you want to enable.
3. In the Rules grid, select the rule (or rules) you want to enable.
4. Enable the rules as follows:
   • To enable a single rule, click the row's gear button and then click Enable.
   • To enable multiple rules, click the grid's gear button and then click Enable.
   In the Rules grid, the rules’ Enabled icons become active, which means the rules are now enabled. However, the Manager cannot begin using these rules until you activate them.
5. Click Activate Rules to begin using the rules.

To enable a rule from Rule Creation:

1. With a rule open in Rule Creation, select the Enable check box.
2. When you are finished configuring the rule, click Save. The Rules grid appears, with the enabled icon appearing in the rule's Enabled column. This icon means the rule is now enabled. However, the Manager cannot begin using the rule until you activate it.
3. Click Activate Rules to begin using the rule.

Placing rules in test mode

Before fully enabling a rule, you can try it out in test mode. In test mode, the Manager processes the rule’s alert messages as it normally would, but without performing any of the rule’s actions. This lets you see how the rule will behave when it is activated, without any possible disruption to your network.

Note: In the Rules grid, you can change the test mode of multiple rules at the same time. However, this command acts as a toggle on each individual rule that is selected. For example, if one rule is in test mode and another isn't, performing this command on both rules at the same time inverts the settings of both rules.
So the first rule would move out of test mode, and the second would move into test mode. Therefore, when performing this command on multiple rules, you will typically want to select only those rules that already have the same Test On/Test Off state.

To place rules in test mode in the Rules grid:

1. Open the Build > Rules view.
2. In the Folders pane, select the folder that contains the rules you want to test.
3. Check the rules' Enabled status. If any of the rules you want to test show a "disabled" icon, they need to be enabled. You can do this by clicking the row's gear button and then clicking Enable. In the Rules grid, the enabled icon appears in the rule’s Enabled column to indicate that the rule has been enabled.
4. In the Rules grid, select the rule (or rules) you want to test.
5. Place the rules in test mode as follows:
   • To put a single rule in test mode, click the row's gear button and then click Test On.
   • To put multiple rules in test mode, click the grid's gear button and then click Test On.
   In the Rules grid, the test-mode icon appears in the rules’ Test column to indicate that the rules are in test mode.
6. Click Activate Rules. The rules are now functional, but in test mode.

To remove a rule from test mode in the Rules grid:

1. Open the Build > Rules view.
2. In the Folders pane, select the folder that contains the rules you want to work with.
3. In the Rules grid, select the rule (or rules) you want to work with.
4. Remove the rules from test mode as follows:
   • To remove a single rule from test mode, click the row's gear button and then click Test Off.
   • To remove multiple rules from test mode, click the grid's gear button and then click Test Off.
   In the Rules grid, the "disabled" icon appears in the rules’ Test column to indicate that the rules are no longer in test mode.
5. Click Activate Rules. The rules are now fully functional.

To place a rule in test mode from Rule Creation:

1. Open the Build > Rules view.
2. In the Folders pane, click the folder that contains the rule you want to test.
3. In the Rules grid, click to select the rule you want to test.
4. On the Rules grid connector bar, click Edit. Rule Creation appears, showing the rule’s current configuration.
5. Select the Enable check box.
6. Select the Test check box.

Note: To test a rule, you must have both Enable and Test checked. If only Enable is checked, the rule is completely enabled (that is, it is fully in use). If only Test is checked, the rule is not enabled, which means the Manager cannot use it for testing.

7. Click Save. The Rules grid appears.
8. Click Activate Rules. The rule is now in test mode.

To fully activate a rule from Rule Creation:

1. Open the rule in Rule Creation, as described above.
2. Clear the Test check box.
3. Click Save.
4. On the Rule Builder connector bar, click Activate Rules. The rule is now fully functional.

Activating rules

Whenever you create a new rule or change an existing rule, you are working on a “local copy” of the rule. The Manager has no way of using the rule change until you activate it. Activating a rule tells the Manager to reload the enabled rules it is working on, which allows it to pick up the changes you just made.

You must activate rules whenever you create a new rule, edit an existing rule, or make changes to a rule’s Enabled/Disabled or Test On/Test Off status. Otherwise, the Manager will not recognize the change.

To activate rule changes, both the Rules grid and Rule Creation have an Activate Rules command. This command sends any new rule changes to the Manager for immediate use. In Rule Creation, the Activate Rules command leaves Rule Creation open so you can continue working.

To activate rules from the Rules grid:

1. Open the Build > Rules view.
2. Make any necessary changes to your rules.
3. On the Rules grid connector bar, click Activate Rules.
The Manager activates any new rule changes and begins processing all enabled rules.

To activate rules from Rule Creation:

• At any time, in Rule Creation, click Activate Rules. The Manager activates any new rule changes and begins processing all enabled rules. However, Rule Creation stays open so you can continue working. The rule you are currently working on is not activated; it cannot be activated until it is first saved.

Disabling a rule

The Manager continues to use any active rules, so long as they are enabled. If needed, you can easily turn off rules by disabling them. However, the Manager continues to use those rules until you activate their new “disabled” status with the Activate Rules command.

Note: In the Rules grid, you can disable multiple rules at the same time. However, this command acts as a toggle on each individual rule that is selected. For example, if one rule is disabled and another is enabled, performing this command on both rules at the same time inverts the settings of both rules. So the first rule would become enabled, and the second would become disabled. Therefore, when performing this command on multiple rules, you will typically want to select only those rules that already have the same Enabled/Disabled state.

To disable rules from the Rules grid:

1. Open the Build > Rules view.
2. In the Folders pane, select the folder that contains the rules you want to disable.
3. In the Rules grid, select the rule (or rules) you want to disable.
4. Disable the rules as follows:
   • To disable a single rule, click the row's gear button and then click Disable.
   • To disable multiple rules, click the grid's gear button and then click Disable.
   In the Rules grid, the Enabled column for each rule shows a “disabled” icon to indicate the rules are now inactive.
5. Click Activate Rules. The Manager stops processing the disabled rules.

To disable a rule from Rule Creation:

1. Open the rule you want to disable in Rule Creation.
2. Clear the Enable check box.
3. Click Save. The Rules grid appears.
4. Click Activate Rules. The Manager stops processing the disabled rule.

Cloning rules

The Clone command lets you copy any existing rule, make changes to the copy, and then save the copy with a new name in one of your Custom Rules subfolders. The benefit of cloning is that you can quickly create variations on existing rules. You clone a preconfigured rule, such as a rule from the Rules or NATO5 Rules folder, and then adjust the cloned copy to suit your specific needs.

Note: A cloned rule must be for the same Manager as the original rule. That is, you cannot clone a rule from one Manager and save it for another Manager.

To clone rules:

1. Open the Build > Rules view.
2. In the Folders pane, click the folder that contains the rule you want to clone.
3. In the Rules grid, click to select the rule you want to clone.
4. Click the row's gear button and then click Clone. The Clone Rule form appears.
5. In the Clone Name box, type a name for the cloned rule.
6. In the Folders list, select which Custom Rules folder is to store the cloned rule.
7. Click OK to save the cloned rule; otherwise, click Cancel. The newly cloned copy of the rule automatically opens in Rule Creation so you can begin making changes.

Importing a rule

You can import a rule from a remote source into a particular rule folder. For example, you may want to import a rule from one Manager to another, or import a rule that is provided by SolarWinds. You may only import one rule at a time.

To import a rule to a rule folder:

1. Open the Build > Rules view.
2. On the Rules grid connector bar, click the grid's gear button and then click Import. The Open form appears.
3. In the Look In box, browse to and open the folder that contains the rule you want to import.
4. Select the rule file you want to import. Rule files are always .xml files. The file you selected appears in the File Name box.
5. Click Open to import the file; otherwise, click Cancel. The Import Rules form appears.
6. In the Manager list, select which Manager the imported rule is to be associated with.
7. In the Folders list, click to select the rule folder that is to store the imported rule. You will need to click a folder’s > icon to view its sub-folders.
8. Click Import. The system imports the rule into the designated rule folder.

Exporting rules

Exporting rules is useful for three reasons:
• You can export a rule from one Manager and import it into another Manager.
• You can export rules to save archived copies in a safe place.
• You can export rules to provide SolarWinds with a copy of your rule for technical support or troubleshooting purposes.

You can export multiple rules at the same time. The rules are saved to a new folder that contains each rule.

To export rules:

1. Open the Build > Rules view.
2. In the Folders pane, select the folder that contains the rule you want to export. The Rules grid displays the rules in that folder.
3. In the Rules grid, select the rules you want to export.
4. On the Rules grid connector bar, click the grid's gear button and then click Export. The Select Directory to Export Rule to form appears.
5. In the Save in box, locate the general area in which you want to save the exported rule folder.
6. In the File name box, type a name for the folder that is to contain the exported rules. Note: Rules are saved as .xml files.
7. Click Save. The rules are exported and saved in the folder you specified. Each exported rule retains its name and the date and time on which it was exported.

If an Export Error message appears, it means one or more of the rules failed to export. If you are exporting multiple rules, the system exports as many as it can, and the message lists which rules failed to export and which ones succeeded. Click OK to close the form.

Deleting Rules

When needed, you can easily delete rules.
You can delete one rule at a time, or you can delete multiple rules. Deleting a rule is permanent. Once a rule is deleted, it can only be restored by re-creating it or by importing a previously exported rule. To delete rules: 1. Open the Build >Rules view. 2. In the Folders pane, select the folder that contains the rule you want to delete.The Rules grid displays the rules in that folder. 3. In the Rules grid, select the rule (or rules) you want to delete. 301 Connector Configuration Features 4. Delete the rules as follows: l l To delete a single rule, click the row's gear Delete. To delete multiple rules, click the grid's gear Delete. button and then click button and then click 5. At the Confirm Delete prompt, click Yes to delete the rules; otherwise, click No. The rules disappear from the Rules grid. 6. Click Activate Rules to notify the Manager that the rules were deleted. Connector Configuration Features The topics in this section describe key features of the Connector Configuration form, its grid columns, its icons, and how to use its Refine Results form. After configuring a Manager’s connectors, you must configure the sensor and actor connectors for each Agent that is associated with that Manager. The Connector Configuration form lets you connect the Agent’s connectors to any supported products that are installed on or remotely logging to the Agent’s computer. After the Agent connectors are configured, the Manager can monitor and interact with the products and devices on that computer. Agents connectors run locally to monitor data on the Agent’s computer. An Agent’s sensors generally monitor log files, as well as data that is logged to the Agent’s computer from remove devices that cannot have their own Agents. An Agent’s active response connectors (actors) allow the Agent to receive instructions from the Manager and perform active responses locally, on the Agent’s computer, such as sending pop-up messages or detaching USB devices. 
Once you understand how the connectors work, the following procedures guide you through the configuration process needed to integrate LEM with your network security products and devices.

The Connector Configuration form has similar features, whether you are configuring or editing a Manager, an Agent, or a Connector Profile. The following table describes the key features of the Connector Configuration form.

Sidebar button: Click the Sidebar button to alternately hide and open the form's Refine Results pane.

Refine Results pane: By default, the Connectors grid shows all of the products that are supported. The Refine Results pane lets you apply filters to the grid to reduce the number of products it shows. This way, you can show only those products that are configured for use with this Agent, or that are associated with a particular product category or status (Running or Stopped).

Connectors grid: The Connectors grid lists all of the sensor and actor connectors that are available to each Agent. These connectors are what allow LEM to monitor and interact with your network security products and devices. Connectors are organized by category and product name. Each connector is named after the third-party product it is designed to configure for use with LEM.

New connector button (icon): Click this button to create a new connector instance for the sensor or actor that is currently selected in the Connectors grid.

Properties pane: This pane displays detailed information about the connector that is currently selected in the Connectors grid.
- If the connector is not configured, this pane displays a description of the connector.
- If the connector is configured, this pane displays the configuration settings as read-only information.
Whenever you add or edit a connector, this pane turns into an editable form for recording the configuration settings.
Connectors Grid Columns

The following table briefly describes the meaning of each column in the Connector Configuration form's Connectors grid.

Gear column: The gear button opens a menu of commands that apply to the connector that is currently selected in the grid.

Status: Shows the connector's current connection status. The running icon means the connector is connected and running; the stopped icon means the connector is disconnected and not running.

Category: The high-level connector category, such as anti-virus connectors, firewall connectors, operating system connectors, etc.

Name: The name of the actor, sensor, or connector instance. Typically, connectors are named after the third-party products they are designed to configure for use with LEM.

Connectors Grid Icons

The following table describes the icons used in the Connector Configuration utility's node tree.

Blue connector icon: A blue connector icon represents a sensor for a particular product. The sensor displays the name of the product it is designed to monitor. Each connector instance (or alias) that is currently configured to monitor that product is listed below the connector. If no connector instances are listed, it means the product, on this Agent computer, has not been configured for use with LEM. Whenever you select a sensor in the grid, the lower pane displays the connector's name and a description of the sensor, when available.

Orange connector icon: The orange connector icon represents an actor for a product that can perform an active response. The actor displays the name of the product it is designed to interact with. Each connector instance (or alias) that is currently configured to initiate an active response on that product is listed below the connector. If no connector instances are listed, it means the product, on this Agent computer, has not been configured for use with LEM. Whenever you select an actor in the grid, the lower pane displays the connector's name and a description of the actor, when available.

Sensor instance icon: This icon represents a configured instance of a sensor connector. Each sensor can have more than one instance, where each configuration is identified by a different name, called an alias. In the grid, each configured connector instance appears below its connector. Whenever you select a sensor connector instance in the grid, the lower pane displays the sensor connector's name, and the connector instance's name (or alias) and configuration settings. The Status column displays each instance's current status (Stopped or Running).

Actor instance icon: This icon represents a configured instance of an actor connector. Each actor can have more than one instance, where each configuration is identified by a different name, called an alias. In the grid, each configured connector instance appears below its connector. Whenever you select an actor connector instance in the grid, the lower pane displays the actor connector's name, and the connector instance's name (or alias) and configuration settings. The Status column displays each instance's current status (Stopped or Running).

Refining the Connectors Grid

By default, the Connectors grid shows every connector (sensor and actor) that can be configured for use with a particular Agent or Manager. To help you work more efficiently with a long list of connectors, the Refine Results pane lets you apply filters to the Connectors grid to reduce the number of connectors it shows.

When you select options in the Refine Results pane, the Connectors grid refreshes to show only those sensors and actors that match the options you have selected. The other connectors are still there; however, they are hidden. To restore them to the grid, click the Reset button or select All in the refinement lists you are using.
The following table explains how to use the Refine Results pane.

Reset: Click Reset to clear the form and return the Connectors grid to its default state (showing all connectors).

Search: Use this field to perform keyword searches for specific products, such as "Cisco" or "McAfee." To search, type the text you want to search for in the text box. Then press Enter or click the magnifying glass symbol. The grid displays only those products that match or include the text you entered.

Configured Connectors: Select this check box to have the Connectors grid show only those connector instances that are currently configured for the Manager or Agent you are working with. Clear this check box to have the grid list both configured and unconfigured connectors.

Category: Select a high-level category to list the connectors that are available to support third-party products in that category. Each connector is named after the product it is designed to configure for use with LEM. Note: If you cannot find a particular product, it is either not supported, or it is in a different category.

Status: Select Running to list all of the connectors that are currently running on the Manager or Agent you are working with. Select Stopped to list all of the connectors that are currently stopped on the Manager or Agent you are working with.

Chapter 14: Reports

Over time, databases accumulate a great deal of information. SolarWinds has developed LEM Reports to provide a quick and easy way to extract data from databases and present it in a useful form. Several standard reports that can be modified are included in the Reports distribution, and you can create new reports as necessary. Reports includes powerful tools to help format information and easily preview reports before you display them.
When you have finished editing your reports, you can print them with the click of a button, and most reports are enabled to be viewed through the Reports Console. The following table describes the key features of Reports.

Menu Button: Click the Menu Button to open, save, or print a report, and to see everything else you can do with a report. This button has a similar function to the File menu used by earlier Windows programs.

Quick Access Toolbar: The Quick Access Toolbar is a customizable toolbar. It contains a set of commands that are independent of the tab that is currently displayed. You can customize the toolbar by adding buttons for the commands you use most often, and you can move the toolbar to two different locations.

Ribbon: The Ribbon is designed to help you quickly find the commands that you need to complete a task. Commands are organized in logical groups that are collected together under tabs. Each tab relates to a type of activity, such as running and scheduling reports, or viewing and printing reports. To save space, you can minimize the Ribbon, showing only the tabs.

Settings tab: Use the commands on this tab to choose the reports you want to run, open, and schedule, and to configure reports and the reports' data source settings.

View tab: Upon opening or running a report, the Ribbon automatically switches to the View tab, which has a toolbar for printing, exporting, resizing, and viewing the report. If you click the View tab without having opened a report, the Preview pane shows a blank page. If you click the View tab and you have run a report, the Preview pane displays the contents of the report.

Grouping bar: You can use the yellow bar above the grid to group, sort, and organize the reports list.

Report list / Preview pane: By default, this section is a grid that displays a list of SolarWinds's Standard Reports. Upon selecting a different report category, the grid changes to list the reports that are in that category. You use this grid to select the report that you want to run or schedule. You can also filter and sort the grid to quickly find the reports you want to work with. Upon opening or running a report, this section changes into a report Preview pane that displays the report. The Ribbon also automatically switches to the View tab, which has a toolbar for printing, exporting, resizing, or viewing the report.

About Reports

Reports allows you to select which Manager or data warehouse you want to report on, select the reports you want to run, and schedule when you want to run the reports. The system then automatically generates the reports according to your schedule and settings.

You can run reports two different ways:
- Scheduled reports are reports that you configure to automatically run on their own, on a particular schedule, and without intervention.
- On-demand reports are those reports that you run only when you need them.

Reports can take quite a bit of time to run. The larger the report, the longer it takes. SolarWinds recommends that you schedule any reports that you intend to run frequently.

Topics in this chapter:
- Reports features
- Configuring report preferences
- Managing report categories
- Working with report lists
- Running and scheduling reports
- Managing reports
- Viewing reports
- Searching reports for specific text
- Using the Select Expert tool
- Printing reports

Opening Reports

1. Click the Start button and then click All Programs.
2. Point to the SolarWinds folder, and then click the Reports shortcut. After a moment, Reports appears.

Using the Quick Access Toolbar

The Quick Access Toolbar is a customizable toolbar. It contains a set of commands that are independent of the tab that is currently displayed. You can customize the toolbar by adding buttons for the commands you use most often, and you can move the toolbar to two different locations.
Figure: The Quick Access toolbar

Default commands

By default, the Quick Access Toolbar shows the commands listed in the following table.

Open: Opens a report that has been saved in RPT format. The report opens in the Reports Preview pane in the View tab, where you can view, search, print, and export it. See "Opening your saved reports" on page 375.

Run: Runs the report that is currently selected in the report list. If the report requires any parameters, the Enter Parameter Values form appears. For the procedure on running reports, see "Running Reports on Demand" on page 351.

Refresh Report List: This command refreshes the report list for each report category. Use this command if you have added new report files, such as some new custom reports, and they are not showing up in the report list. This command accesses your computer's Reports directory, retrieves information about all of the reports, and rebuilds the lists for each report category.

Exit: Exits the Reports application.

Customizing the Quick Access Toolbar

You are not limited to the Quick Access Toolbar's default commands. You can customize the toolbar by adding or removing any command shown on the Ribbon. In this manner, you can customize the toolbar with the commands you use most often.

To customize the toolbar:
1. Click the drop-down list next to the Quick Access Toolbar. The Customize Quick Access Toolbar form appears.
2. Add and remove commands on the toolbar as follows:
   - To add a button to the toolbar, select the corresponding command's check box.
   - To remove a button from the toolbar, clear the corresponding command's check box.
   - To choose from a list of additional commands, click More Commands. Then use the form's Customize view to add or remove commands on the toolbar.

To add commands from the Ribbon:
1. On the Ribbon, click the appropriate tab or group to display the command that you want to add to the Quick Access Toolbar.
2. Right-click the command, and then click Add to Quick Access Toolbar on the shortcut menu. The command appears on the Quick Access Toolbar.

Moving the Quick Access Toolbar

The Quick Access Toolbar can be located in either of two places: in the upper-left corner of the window, next to the Reports Button (its default location), or below the Ribbon. If you don't want the toolbar to be displayed in its current location, you can move it to the other location.

To move the Quick Access Toolbar:
1. Click the drop-down list next to the Quick Access Toolbar. The Customize Quick Access Toolbar form appears.
2. Do one of the following:
   - To move the toolbar below the Ribbon, click Show Quick Access Toolbar Below the Ribbon.
   - To move the toolbar above the Ribbon, click Show Quick Access Toolbar Above the Ribbon.

Minimizing the Ribbon

You cannot delete or replace the Ribbon with the toolbars and menus from the earlier versions of Reports. However, you can minimize the Ribbon to make more space available on your screen. When the Ribbon is minimized, you see only the tabs.

Figure: Full Ribbon
Figure: Minimized Ribbon

To always keep the Ribbon minimized:
1. Click the drop-down list next to the Quick Access Toolbar.
2. In the list, click Minimize the Ribbon.
3. To use the Ribbon while it is minimized, click the tab you want to use, and then click the option or command you want to use.
4. After clicking the command, the Ribbon goes back to being minimized.

To restore the Ribbon:
1. Click the drop-down list next to the Quick Access Toolbar.
2. In the list, clear the Minimize the Ribbon check box.

To quickly toggle between minimizing and restoring the Ribbon, do one of the following:
- Double-click the name of the active tab.
- Press Ctrl+F1.
Configuring Report Preferences

Reports has a Preferences group that is used to set up database connections so the Console knows which database to draw from when running reports.

Table of preferences

The following table briefly describes each option in the Preferences group.

Configure > Primary Data Source: Select this option to choose the default data source that is to be used for running reports whenever the Reports window is opened. The option you select here becomes the default setting in the Data Source list. At any time, you can select a different data source and then run reports from that source. But whenever you reopen the Reports window, it defaults to the data source you have selected here.

Configure > Syslog Server: Select this option to have a Manager send report log information to a syslog server. A syslog server logs basic report activity, such as who is running reports, which reports are being run, which database a report is drawing from, when each report is run, when each report is complete, and any error messages that occur if a report generates errors.

Configure > Data Warehouse: Select this option to configure a new data warehouse source so it appears in the Report Data Sources list.

Data Source > Data Source: Use this list to select the data source that you want to run reports against. When you select a data source here, it temporarily overrides the Primary Data Source (default) you have selected in the Configure list. For more information, see "Running Reports on Demand" on page 351.

The following topics explain how to configure each preference.

Selecting a (default) Primary Data Source

Use this procedure to select your Primary Data Source. This is the default data source that is to be used for running reports whenever the Reports window is opened. It will appear as the default setting in the Preferences group's Data Source list.
At any time, you can select a different data source and run reports from that source. But whenever you close and then reopen the Reports window, it defaults to your Primary Data Source. To run reports from a different data source, see "Running Reports on Demand" on page 351.

To select a primary data source:
1. Open Reports.
2. On the Settings tab, in the Preferences group, click Configure and then select Primary Data Source. The Select Primary Data Source form appears.
3. In the Primary Data Source list, select the default data source.
4. Click Test Connection to have the system perform a ping test to confirm that a connection to the data source has been established. A test is not required, but it is highly recommended. During the test, the OK button is disabled.
   - If the test succeeds, the OK button becomes enabled, and the status area below the Test Connection button reads: "Ping Test...success."
   - If the test fails, an error message appears. In that case, see "Troubleshooting Database Connections" on page 319.
5. Click OK.

Configuring a syslog server

Use this procedure to have a Manager send report log information to a syslog server. A syslog server records all report-related events and application messages. It logs basic report activity, such as who is running reports, which reports are being run, which database a report is drawing from, when each report is run, when each report is complete, and any error messages that occur if a report generates errors.

By default, the syslog server is set to the Primary Manager, but it can be set to any server running a standard syslog service. However, the server must have an Agent installed so it can communicate with the Manager.

To configure a syslog server:
1. Open Reports.
2. On the Settings tab, in the Preferences group, click Configure and then select Syslog Server. The Set Syslog Server form appears.
3. In the Syslog Server (Host Name) box, type the server's host name.
4. Click Test. The system performs a ping test to confirm that a connection has been established. You must test the connection before the server can be accepted. Note that a successful ping test does not confirm that the host is actually running a syslog server.
   - If the ping test succeeds, it retrieves and displays the host IP address, and a message appears stating: "The Ping Test succeeded."
   - If the ping test fails, a message appears to tell you so. In this case, confirm that you have entered the correct host name and that it matches a valid DNS entry.
5. Upon completing a successful test, click OK.

Configuring a Data Warehouse

Use this procedure to configure a new data warehouse as a data source, so you can report against it. Once configured, it appears in the Preferences group's Data Source list under Warehouses. This procedure also creates a matching ODBC DSN that is used by Reports to communicate with the data warehouse server.

To configure a data warehouse:
1. Open Reports.
2. On the Settings tab, in the Preferences group, click Configure and then select Data Warehouse. The Configure Data Warehouse form appears.
3. Complete the form as described in the following table.

   Warehouse Name (Host Name): Type the data warehouse server's host name.

   Port Number: Type the port number for connecting to the data warehouse.

   Database Type: Select the type of database that is used by the data warehouse.

   Security: Click this button to create a password for reporting against the data warehouse, if it is different from the default password.
   - In the Specify Password box, type the new password, and then click OK.
   - Click Reset to reset the password to its default setting.

   Timeout for database connection test (x sec.): Type how long (in seconds) the system is to wait for a response when performing a "ping test" to test for a connection to the database. If a connection cannot be made within this period, the test automatically stops.

   Set as Primary Data Source: Select this option to make the data warehouse the Primary Data Source. This means it will become the default data source for reporting.

   Host IP Address: If you perform a connection test and the test is successful, this read-only field displays the data warehouse server's IP address.

   Do not ping: Select this option if you do not intend to perform a ping test to verify your connection to the data warehouse server.

   Connect with Warehouse Name: Select this option to have the Reports window connect to the data warehouse server with the Host Name setting.

   Connect with IP Address: Select this option to have the Reports window connect to the data warehouse server with the IP Address setting.

   No Warehouse: Click this button to clear the form's data warehouse settings, delete any warehouse configuration details, and close the Configure Data Warehouse form.

   Test Connection: Click this button to have the system perform a ping test and a database connection test to confirm that a connection to the data warehouse has been established.
   - If the test succeeds, a dialog box displays the Host IP Address.
   - If the test fails, see "Troubleshooting Database Connections" on page 319.
   If you do not perform a connection test, the system performs one automatically when you click OK.

4. Click OK.

Troubleshooting Database Connections

Use the following table to troubleshoot error messages that may occur with the ping test used to test the connection between Reports and the data warehouse or the Primary Data Source.

Error message: Manager ping timed out.
Description: Reports was unable to connect to the Manager's host name or IP address. Confirm that the host name (or IP address) you specified is correct.
Correction:
- Confirm that you have entered the warehouse's Host Name properly. Make sure it matches a valid DNS entry.
- Try entering the warehouse's actual IP address in the Host Name field.

Error message: Sending the authentication packet failed. Could not flush socket buffer.
Description: Reports could resolve and connect to the IP address, but could not authenticate to the database server at that location.
Correction: Confirm that the Host Name (or IP address) you specified is correct and is allowing connections from the location on which you are running Reports. This error may also indicate a need to modify report restrictions.

Error message: Server ping test successful, but database connection test failed. Login incorrect. Login failed for user '[user name]'.
Description: Reports could resolve, connect to the IP address, and connect to SQL Server, but could not log in using the reports user.
Correction:
- Confirm that the Host Name (or IP address) you specified contains the SolarWinds database.
- The warehouse may require a password for reporting purposes. In this case, click the Security button and then enter the warehouse's reporting password.

Managing report categories

SolarWinds provides a large variety of standard reports that cover the needs of several different industries. The Manage Categories form allows you to choose reports for those industries, regulatory concerns, and auditing areas that concern your company; to search for specific reports; and to add reports to your Favorite Reports list.

Figure: The Manage Categories form

The Manage Categories form has three tabs that have the following functions:
- The Industry Setup tab lets you select the industries and areas of regulatory compliance that are of interest to your company. Reports that are related to the options you select then appear in the Industry Reports list.
- The Favorites Setup tab's Search view lets you list, sort, and group the report list by industry and regulatory area. It highlights reports that are already listed in your Favorite Reports list, and allows you to add new reports to the Favorite Reports list.
- The Favorites Setup tab's Favorites view displays your current list of favorite reports. You can use this view to sort and group your favorite reports to locate a specific report. When needed, this view is also used to remove a report from your list of favorites.

Selecting reports for specific industries

In the Manage Categories form, use the Industry Setup tab to select the industries and areas of regulatory compliance that are of interest to your company. By selecting only those reports that apply to your industry, you can greatly reduce the number of reports that appear when you view the Industry Reports list.

To select industry reports:
1. Open Reports.
2. On the Settings tab, in the Report Categories group, click the Manage button and then click Manage Categories. The Manage Categories form appears.
3. Click the Industry Setup tab, if it is not already shown. The Classifications section lists those industries and regulatory areas that are supported by standard Reports. The Reports for section displays all of the standard Reports that support the classifications you select.
4. In the Classifications section, select the check box for each industry (Education, Federal, Financial, Healthcare, etc.) that your company is concerned with. The Reports for section displays all of the standard reports that support the industry or industries you have selected.
5. If you are only concerned with a few regulatory areas within these industries, select the check box for each regulatory area your company is concerned with (such as HIPAA or SOX). For a description of each regulatory option, see "Industry options" on page 323. The Reports for section now lists only those standard reports that support the regulatory areas you have selected.
6. To remove reports for any industry or regulatory area, simply click to clear the corresponding check box.
7. Click OK to save your changes and close the window. In the Category list, the Industry Reports option now lists the standard Reports that support the industries and regulatory areas you have selected.

Industry options

Industry reports are standard reports that are designed to support the compliance and auditing needs of certain industries. Currently, SolarWinds provides reports that support the financial services industry, the health care industry, and the accountability reporting needs of publicly traded companies. The following table describes which compliance and auditing areas are specifically supported.

Education
- FERPA: Reports in this category support compliance with the Federal Educational Rights and Privacy Act (FERPA), which gives parents and eligible students certain rights with respect to their children's education records.

Federal
- CoCo: Reports in this category support compliance with the UK Code of Connection regulations.
- DISA STIG: Reports in this category support compliance with the Defense Information Systems Agency's (DISA) Security Technical Implementation Guide (STIG).
- FISMA: Reports in this category support compliance with the Federal Information Security Management Act (FISMA).
- NERC-CIP: Reports in this category support compliance with the North American Electric Reliability Council (NERC) Critical Infrastructure Protection (CIP) reliability standards.
Finance
- CISP: Reports in this category support compliance with the Cardholder Information Security Program, which helps safeguard credit card and bank card transactions at the point of sale, over the Internet, on the phone, or through the mail. CISP helps protect cardholder data for cardholders, merchants, and service providers.
- COBIT: Reports in this category support compliance with Control Objectives for Information and related Technology (COBIT™). COBIT is an "open" standard for IT security and control practices. It includes more than 320 control objectives and includes audit guides for more than 30 IT processes.
- GLBA: Reports in this category support compliance with the Gramm Leach Bliley Act (GLBA). GLBA requires financial institutions to protect the security, integrity, and confidentiality of consumer information. It affects banking institutions, insurance companies, securities firms, tax preparation services, all credit card companies, and all federally insured financial institutions. Security information and event management (SIEM) plays a vital role in GLBA.
- NCUA: Reports in this category support compliance with the National Credit Union Administration (NCUA). NCUA is the federal agency that charters and supervises federal credit unions and insures savings in federal and most state-chartered credit unions across the country through the National Credit Union Share Insurance Fund (NCUSIF), a federal fund backed by the United States government.
- PCI: Reports in this category support compliance with the Payment Card Industry (PCI) Data Security Standard requirements of VISA CISP and AIS, MasterCard SDP, American Express and DiscoverCard.
- SOX: Reports in this category support compliance with the Sarbanes-Oxley (SOX) Act of 2002. Sarbanes-Oxley protects a company's investors by improving the accuracy and reliability of corporate disclosures made pursuant to securities laws. Provisions within Sarbanes-Oxley hold executive management and the board of directors liable for criminal and civil penalties. Specifically, under Section 404 of the Sarbanes-Oxley Act, executives must certify and demonstrate that they have established and are maintaining an adequate internal control structure and procedures for financial reporting.

General
- GPG13: Reports in this category support compliance with the Good Practice Guide 13 (GPG13), a mandatory aspect of CoCo compliance.
- ISO 17799/27001/27002: Reports in this category support compliance with the ISO 17799, ISO 27001, and ISO 27002 international security standards.

Healthcare
- HIPAA: Reports in this category support compliance with the Health Insurance Portability and Accountability Act (HIPAA), which requires national standards for electronic health care transactions.

Creating a list of favorite reports

In the Manage Categories form, the Favorites Setup tab has a Search view. It is similar to the Industry Setup tab in that it lets you view a list of reports by industry and regulatory area. It highlights reports that are already in your Favorite Reports list and allows you to add new reports to the Favorite Reports list.

Step 1: Searching the reports
1. Open Reports.
2. On the Settings tab, in the Report Categories group, click the Manage button and then click Manage Categories. The Manage Categories form appears.
3. Click the Favorites Setup tab.
4. Click the Search button near the top of the form. The Search view looks just like the Industry Setup tab. The Classifications area lists those industries and regulatory areas that are supported by standard Reports. The Reports Matching Search Criteria box lists every standard SolarWinds report. If a report appears highlighted in green, it means the report is in your Favorite Reports tab.
5. In the Classifications area, select the check box for each industry or regulatory area your company is concerned with.
6. Click the Search button below the left frame. The Reports Matching Search Criteria box displays all of the standard reports that support the options you have selected. For example, if you selected Finance, it lists only those reports that are associated with Finance. If you selected Finance and PCI, it lists every report that is associated with either Finance or PCI. If needed, you can also organize the report list by sorting, filtering, and grouping it.

Step 2: Adding a report to your list of favorites
1. In the report list, locate the report you want to add to the Favorite Reports list.
2. Do either of the following:
   - Click to select the report. Then click Add To Favorites.
   - Right-click the report, and then click Add To Favorites.
The Favorite Reports list now includes the report as one of your favorites.

Removing a report from the Favorite Reports tab

When needed, you can use the Manage Categories form to remove a report from the Favorite Reports list. This does not delete the report; the report remains in its original category. For example, if you remove a favorite report that originally came from the Standard Reports list, it remains listed in the Standard Reports list. This means you can restore the report as a favorite at any time.

To remove a report from the Favorite Reports list:
1. Open Reports.
2. On the Settings tab, in the Report Categories group, click the Manage button and then click Manage Categories. The Manage Categories form appears.
3. Click the Favorites Setup tab.
4. Click the Favorites button. The window displays your current list of favorite reports. If there are a lot of reports, you can sort, filter, and group the report list to locate the specific report you want to remove.
5. In the report list, select the report you want to remove from the Favorite Reports list.
Then do either of the following: l Click Remove From Favorites. l Right-click the report and then select Remove From Favorites. 6. Click Apply to save the change. 328 Viewing Historical Reports 7. Repeat Steps 5 and 6 for each report you want to remove. 8. Click OK to save your changes and close the window. The reports no longer appear in your Favorite Reports list. Viewing Historical Reports On rare occasion, typically during after taking an upgrade, you may encounter a report that can only be run against the earlier version. These legacy reports are called Historical Reports. In these cases, the View Historical Reports option lets you view, schedule, and run these reports. By default, this option is disabled, as it is only used to for viewing legacy reports. To view historical reports: 1. Open Reports. 2. On the Settings tab, in the Report Categories group, click the Manage button and then click View Historical Reports. A Historical Reports option appears in the Category list. 3. In the Category list, select Historical Reports to display the list of Historical Reports. 4. You may now view, schedule, or run a Historical Report. Working with report lists Reports ships with a wide range of reports. To keep them organized, they are arranged and listed into different categories. This topic explains how to locate reports, view report properties, and create a list of your favorite reports. Viewing lists of reports by category Reportsships with a wide range of reports. To keep them organized, they are arranged into categories. You can use report categories to select the type of reports you want to work with—standard reports or your own custom reports. Each option in the Category list displays the reports that are assigned to that category. To view a list of reports by category: 329 Chapter 14: Reports l On the Settings tab, in the Report Categories group, click the Category list and then select a report category. The window displays the list of reports in that category. 
If you select a different category, the reports list changes to display the reports that are in the new category. The following table describes each option in the Category list. Tab Description Standard This list displays the standard set of reports that ship with the Reports SolarWinds system and are supported by SolarWinds technical support. Most standard reports capture specific event data that occurs during a particular period. Industry Reports This list displays the standard reports that are designed to support the compliance and auditing needs of certain industries, such as the financial services industry, health care industry, and the accountability requirements of publicly traded companies. For more information, see See "Selecting reports for specific industries" on page 322 Custom Reports This list displays any custom reports that you created, or that SolarWinds created for your company, to meet a specific need. Standard and custom reports are essentially the same thing. They are run and scheduled in the same manner. The only difference is that custom reports are “undocumented,” as they are created specifically by you or for you. While SolarWinds supports any custom reports they make for your company, SolarWinds does not support any custom reports that you make yourself. Favorite Reports This list displays the standard, industry, and custom reports that you use most often. You can add and remove reports to this category as needed. Locating a report by title If you know a report’s title, you can quickly locate it in the Reports window by 330 Viewing a report’s properties typing its name in the appropriate report category list. To locate a report by title: 1. Open Reports. 2. On the Settings tab, in the Report Categories group’s Category list, select the category that contains the report. 3. Click any row in the report list. 4. In the Report Title column, begin typing the report name. 
The system takes you to the first report title that matches the letters you have typed. For example, if you clicked Standard Reports and began typing “even”, the system takes you to Event Summary, which is the first matching report title. 5. From here, you can scroll down to the exact report you are looking for. Viewing a report’s properties In Reports, many reports have similar titles. Therefore, you can use the Properties feature to view a written description of each report. To view a report’s properties: 331 Chapter 14: Reports 1. In the reports list, click to select the report you want to work with. 2. Do either of the following: l l In the report grid, position the mouse pointer over the report you have selected. On the Settings tab, in the Report Selection group, click Report Properties. In either case, an Information box appears, showing a description of the report. 3. Click OK to close the Information box. Creating a list of favorite reports The reports you use most often are obviously your favorite reports. To easily access these reports, you can add them in the Favorite Reports list. This list contains only your favorite reports. It can include any of SolarWinds’s standard reports, as well as any custom reports you may have. 332 Custom report filters To designate a report as a favorite, you must copy it to the Favorite Reports list. Each Console user can set up his or her own list of favorite reports. The Console displays the favorites of the user who is currently logged on. Note: A “Console user” is determined by the user’s Windows account. If two users on the same computer log into the same account, they will share a list of favorites. To create a list of favorite reports: 1. Open Reports. 2. On the Settings tab, in the Report Categories group, click the Category list. Then select the category that contains the report you want to add to your list of favorites. 3. Locate the report in the report list. 4. 
Right-click the favorite report and then select Add Report to Favorites. The system copies the report to your Favorite Reports list. The next time you open the Favorite Reports list, the report will be there. Note: Usually, reports are added to the Favorite Reports list through the Report View Preferences window. See See "Creating a list of favorite reports" on page 326 for more information. Custom report filters In most cases, the standard column filters should meet your day-to-day needs. But if the filters are insufficient, you can create your own customized multi-column filters. You can also choose to save your custom filters. This allows you to save them for later use, or to pass them on to other users. Creating a custom report filter 1. On the Reports window, click the report filter you want to use as a starting point. 2. At the bottom of the filter, click the Customize… button. The Filter Builder form appears. 333 Chapter 14: Reports 3. Use the form’s buttons to select the column, column option, and specific conditions that define the filter. In the example shown above, the filter displays only those reports where the Category column equals Audit, and the Type column equals Authentication. 4. Click OK or Apply to apply the filter. Otherwise, click Cancel. Saving a custom report filter 1. Create the custom filter, as explained above. 2. Click Save As. The Save the active filter to file form appears. 334 Opening a saved custom report filter 3. Use the Save in list to locate and select the folder you want to store the filter in. 4. In the File name box, type a name for the filter. 5. Click Save. The filter is now saved and available for later use. Opening a saved custom report filter 1. Click the Customize button. The Filter Builder form appears. 2. Click Open. The Open an existing filter form appears. 335 Chapter 14: Reports 3. Use the Look in list to locate and open the folder that contains the custom filter. Then click to select the filter. 4. Click Open. 5. 
The custom filter’s configuration appears in the Filter Builder form. 6. On the Filter Builder form, click OK or Apply. The custom filter is applied to the report list. Exporting a report Use this procedure to export the report shown in the Reports window’s Preview pane. You can choose to export the report as a Adobe Portable Document File (.PDF), a Crystal Reports RPT file, as HTML, as a Microsoft Excel file, or as several other common file formats. SolarWinds officially supports PDF and RPT formats. To export a report: 1. In the Reports window, open or run the report you want to export. The report appears in the Preview pane. 336 Reports features 2. On the View tab, in the Output group, click Export. The Export form appears. 3. In the Format list, select the fine type in which you want to save the report. The Description box at the bottom of the form describes each file format that you choose. 4. Use the Destination list to browse to the folder in which you want to save the file. 5. Click OK. The system save the file to the folder and in the format that you selected. Reports features The topics in this section describe the key features of the Reports window, its Menu Button, its Quick Access Toolbar, and its Ribbon. 337 Chapter 14: Reports Key features of the Reports window The following table describes the key features of Reports. Item Name Description Menu Button Click the Menu Button to open, save, or print a report, and to see everything else you can do with a report. This button has a similar function to the File menu used by earlier Windows programs. Quick Access Toolbar The Quick Access Toolbar is a customizable toolbar. It contains a set of commands that are independent of the tab that is currently displayed. You can customize the toolbar by adding buttons for the commands you use most often, and you can move the toolbar to two different 338 Key features of the Reports window Item Name Description locations. 
For more information, see See "Using the Quick Access Toolbar" on page 309 Ribbon The Ribbon is designed to help you quickly find the commands that you need to complete a task. Commands are organized in logical groups that are collected together under tabs. Each tab relates to a type of activity, such as running and scheduling reports, or viewing and printing reports. To save space, you can minimize the Ribbon, showing only the tabs. For more information, see See "Minimizing the Ribbon" on page 312 Settings tab Use the commands on this tab to choose the reports you want to run, open, and schedule, and to configure reports and the reports’ data source settings. View tab Upon opening or running a report, the Ribbon automatically switches to the View tab, which has a toolbar for printing, exporting, resizing, and viewing the report. If you click the View tab without having opened a report, the Preview pane shows a blank page. If you click the View tab and you have run a report, the Preview pane displays the contents of the report. Grouping bar You can use the yellow bar above the grid to group, sort, and organize the reports list. For more information, see See "Grouping reports" on page 341 Report list/ Preview pane By default, this section is a grid that displays a list of SolarWinds’s Standard Reports. Upon selecting a different report category, the grid changes to list the reports that are in that category. You use this grid to select report that you want to run or schedule. You can also filter and sort the grid to quickly find the reports you want to work with. See See "Sorting, filtering, and grouping report lists" on page 374 339 Chapter 14: Reports Item Name Description Upon opening or running a report, this section changes into a report Preview pane that displays the report. In Ribbon also automatically switches to the View tab, which has a toolbar for printing, exporting, resizing, or viewing the report. 
Using the Menu Button

In Reports, the Menu Button opens a menu that lets you execute the most common report commands. The following table describes each command in the Menu Button menu.

Menu option   Description

Open Report: Opens a report that has been saved in RPT format. The report opens in the Reports Preview pane in the View tab, where you can view, search, print, and export it. The Recent Reports list to the right shows a list of recently opened reports.

Export Report: Use this command to export the report you are currently viewing.

Schedule: Use this command to configure a schedule for automatically running the selected report in the Report list.

Print Report: This command prints the report you are viewing to your default printer, with its default settings.

Printer Setup: This command opens a Print Setup dialog box, which you can use to select a printer and customize its print settings.

Refresh Report List: This command refreshes the report list for each report category. Use this command if you have added new report files, such as some new custom reports, and they are not showing up in the report list. This command accesses your computer's Reports directory, retrieves information about all of the reports, and rebuilds the lists for each report category.

Exit: Exits the Reports application.

Grouping reports

You can sort the Reports window's report list into groups of reports by dragging one or more column headers into the grouping box above the report list. This feature allows you to quickly organize and display groups of reports that fall into very specific categories.

For example, suppose you want to group the reports by Category. By simply dragging the Category column header from the report list into the grouping box, you can rearrange the report list into groups that are defined by items from the Category column, as shown here.
The tools for grouping reports

Groups change the report list into a series of nodes. There is a separate node for each unique item or category from the column that defines the grouping. The nodes are alphabetized, and each node is named by the column and category that defines the grouping. For example, the Category column that defines the grouping in the example above has three unique categories: Audit, Security, and Support. So grouping by the Category column creates three nodes: Category: Audit, Category: Security, and Category: Support. Opening a particular node displays only the reports that are associated with that particular grouping configuration.

You can group reports by any column header in the report list (Title, Category, Level, Type, etc.). You can also create sub-groups to create parent-child hierarchies. For example, you could create a Category group and a Type subgroup, or vice versa.

Creating a report group

• Decide which column is to define the report groupings. Then drag that column header into the Drag a column header here to group by that column area above the report list.

[Figure: Before]

[Figure: After]

In the example shown above, we have dragged the Category header to group the report list by Category. The report list now displays a separate node for each unique item that is in the column that is defining the grouping. The nodes are alphabetized and labeled for easy reference.

Viewing the reports within a group

• Click a node to display a list of reports that fall within that grouping. To close the node, simply click it again.

Creating a sub-group

1. Drag another column header into the Drag a column header here to group by that column area.
2. Do either of the following:
   • Place the new column header above the existing header to have the new header act as the primary grouping. In the example shown above, the report list would be grouped by Level and then Type.
   • Place the new column header below the existing header to have the new header act as the secondary grouping. In the example shown above, the report list would be grouped by Type and then Level.
   The report list refreshes to display two levels of nodes: one level of nodes for the primary group, and one set of nodes for the secondary group.
3. To view the reports within a particular grouping, click a higher-level group node, and then a sub-group node. The report list displays only those reports that apply to both groupings.
4. Repeat Steps 1 and 2 for each additional grouping you require.

Managing reports

The following topics explain how to edit a scheduled report task, how to delete a schedule from a task, and how to delete a scheduled report task.

Editing a scheduled report task

When needed, you can easily make changes to a scheduled report task, or to a specific task schedule, by editing its settings.

To edit a scheduled report task:

1. Open Reports.
2. On the Settings tab, in the Report Categories group, click the Category list and then select either Standard Reports or Custom Reports. The grid displays all of the reports in the category you have selected.
3. In the grid's Report Title column, click the name of the report that needs the schedule change.
4. On the Settings tab, in the Report Selection group, click Schedule. The Report Scheduler Tasks window appears.
5. In the Task Description list, select the report schedule you want to edit.
6. Click Modify. The scheduler form appears.
7. Make your report schedule changes to the Task, Schedule, and Settings tabs, as needed.
8. To change the settings for a particular schedule, click the Schedule tab. In the tab's schedule list, select the schedule you want to change. Use the boxes to change the settings, then click Apply.
9. When you are finished making all of your changes, click OK to close the form. You return to the Report Scheduler Tasks form.
10. If needed, make any changes to the Report Settings.
11. Click Save.
12. Click Close to close the Report Scheduler Tasks form.

Deleting a schedule from a task

If a particular task schedule is incorrect or no longer needed, you can easily delete it from a task's list of schedules.

To delete a task schedule:

1. Open Reports.
2. On the Settings tab, in the Report Categories group, click the Category list and then select either Standard Reports or Custom Reports. The grid displays all of the reports in the category you have selected.
3. In the grid's Report Title column, click the name of the report for which you want to delete a task schedule.
4. On the Settings tab, in the Report Selection group, click Schedule. The Report Scheduler Tasks window appears.
5. In the Task Description list, select the scheduled report that has a schedule you want to delete.
6. Click Modify. The task schedule form appears.
7. Click the Schedule tab and select the Show Multiple Schedules check box if it has not been selected.
8. In the schedule list box, select the schedule you want to delete.
9. Click Delete.
10. Click Close to close the Report Scheduler Tasks form.

Deleting a scheduled report task

If a scheduled report task is incorrect or no longer needed, you can easily delete it from your task list.

To delete a scheduled report task:

1. Open Reports.
2. On the Settings tab, in the Report Categories group, click the Category list and then select either Standard Reports or Custom Reports. The grid displays all of the reports in the category you have selected.
3. In the grid's Report Title column, click the name of the scheduled report that has a task you want to delete.
4. On the Settings tab, in the Report Selection group, click Schedule. The Report Scheduler Tasks window appears.
5. In the Task Description list, select the scheduled report task you want to delete.
6. Click Delete.
7. At the confirmation prompt, click Yes. Otherwise, click No to keep the scheduled report task.
8. Click Close to close the Report Scheduler Tasks form.

Printing reports

You can print any report shown in the Reports window's Preview pane.

Printing a report

1. In the Reports window, open or run the report you want to print. The report appears in the Preview pane.
2. On the View tab, in the Output group, click Print. The Print form appears.
3. Select the printer and any print options you want.
4. Click Print. The report is printed according to the print options you selected.

Setting up printer preferences

Use the Printer Setup command to define the default print settings the Print command is to use when printing Reports. For example, if you usually print in landscape, you can select that preference here. The Print command will then print in landscape by default. Whenever you need to override a default setting, you can always do so with the normal Print dialog box.

To set up printer preferences:

1. In the Reports window, open or run the report you want to print. The report appears in the Preview pane.
2. On the View tab, in the Preferences group, click Printer Setup. The Page Setup form appears.
3. Select the Paper, Orientation, Margin, and Printer options you want. A preview section at the top of the form displays a thumbnail version of the report with the options you have selected.
4. Click OK. The report is printed according to the print options you selected.

Filtering report lists

The Reports window lets you filter the report list. This means you can have the list display only those reports that are associated with a particular report title, category, level, or type. You can also apply more than one filter at a time to display a very small subset of the report list. If needed, you can also create your own custom filters, and then save them for later use.

Each column header in the report list has a drop-down button. Clicking the button displays a list of filter options that are available for that column, as shown here.

[Figure: Filtering a report list]

For example, the Category column has several options. Selecting Audit reduces the list to show only the reports associated with the Audit category.

When you apply a filter, a yellow status bar appears below the reports list. The status bar lists which filters are currently applied. You can use this list to remove each filter individually, or to remove them all at once.

Filtering a report list

1. Decide which column you want to use for the filter.
2. Click a column header's drop-down list and select a filter option.
3. The report list refreshes to display the filtered list.
4. Repeat Step 2 for each additional filter you want to apply.

Changing a filter setting

Do either of the following:

• Click a filtered column header's drop-down list and select a different filter option.
• In the status bar below the report list, click the filter's drop-down arrow. Then select a different filter option from your list of most commonly used filters.

The report list refreshes to display the list with the new filter.

Turning off report filters

In the Reports window, when you are finished with a report filter, you can turn it off. Turning off a filter refreshes the report list so that it displays the list without that column filter. You can turn off a single filter or all of the filters at once.

To turn off a filter:

Do either of the following:

• In the appropriate column header drop-down list, select (All).
• Clear the check box next to the filter in the status bar.

The report list refreshes to display the list without that column filter.

To turn off all of the filters:

• Click the icon in the status bar.

The report list refreshes to display the list without any filters.

Running and Scheduling Reports

This section explains how to run reports.
You can run reports two different ways:

• On-demand reports are those reports that you run only when you need them.
• Scheduled Reports are reports that you configure to automatically run on their own, on a particular schedule, and without intervention.

All Reports are scheduled and run in the same manner. The following procedures explain the methods for running on-demand reports and scheduled reports.

Reports can take quite a bit of time to run. The larger the report, the longer it takes to run. For that reason, it is recommended that you schedule any reports you intend to run frequently.

Running Reports on Demand

1. Open Reports.
2. On the Settings tab, in the Preferences group, click the Data Source list and then select the Manager that is to be the data source for the report. This step is only needed if you are selecting a data source that is different from the Primary (default) Data Source.
3. In the Report Categories group, click the Category list and select the report category you want to work with. The report list displays all of the reports in the category you have selected.
4. In the report list, locate the report you want to run. Then do any of the following:
   • Double-click the report.
   • Right-click the report and then click Run Report.
   • Click to select the report. Then on the Settings tab, in the Report Selection group, click Run.
   • Click to select the report. Then on the Quick Access Toolbar, click the Run button.
   Depending on the report you selected, you may be prompted to enter certain report parameters, such as a start date/time, an end date/time, and a range. In this case, the Enter Parameter Values form appears.
5. To complete the Enter Parameter Values form, select an item in the Parameter Fields box. Then, in the lower half of the form, type or select the appropriate value for that parameter. The following table explains how to complete each parameter field.

   Parameter field   Description

   Start Date/Time: Type or select the report's start date and time. The time is optional. Click the Now button to populate these fields with the current date and time.

   End Date/Time: Type or select the report's ending date and time. The time is optional. Click the Now button to populate these fields with the current date and time.

   Top N: Type the number of items you want reported, such as the "top 5" or the "top 10."

6. Click OK. The report appears in the Preview pane and the Ribbon changes to the View tab. You can use the View tab to print, export, view, resize, and search the various pages of the report.

Report Errors

If you receive the following error, it is possible that the database server for your data warehouse or your SolarWinds appliance is offline, or that you need to run the restrictreports CMC command.

1. First, check to make sure that your servers are online.
2. Then check your restrictreports settings.

If you receive any other errors, or if you are uncertain about how to properly perform these procedures, please refer to the SolarWinds Knowledgebase or contact SolarWinds Technical Support.

Scheduling Reports (process overview)

Scheduling a report requires several steps. But once you configure a report schedule, SolarWinds does the rest. You can create more than one schedule for the same report. This allows you to run the same report on different Managers, and to run the same report at different intervals (daily, weekly, monthly, etc.), each with a different scope.

Scheduling a report is basically a seven-step process:

1. First, select the report you want to schedule and then click Schedule.
2. Name the scheduled task. You need to name the scheduled task to distinguish it from other similar tasks. For example, the same scheduled report needs to be configured separately for each data source (Manager). Therefore, you will name each task to readily distinguish between the scheduled tasks for each data source.
3. Set the schedule parameters. This states when the scheduled report is to run.
4. Apply any advanced scheduling options, if desired.
5. Select settings that define when the SolarWinds system can and cannot run the task.
6. Apply the scheduled report to the data source (Manager) for which you want a report. Then define the scope, which is the period you want the report to cover. When the system runs the report, it retrieves any pertinent events that occurred within the period defined by the scope.
7. Finally, select any export options for the report. This allows you to export to the folder of your choice, and in a format that is easy to read and print. If you do not export the report, it will automatically print to your default printer.

Each step of this process is fully explained in the following numbered topics. You must repeat this process for each report you want to schedule.

Step 1: Selecting the report you want to schedule

In this step, you will select the report you want to schedule, then open the Report Scheduler Tasks window.

To begin scheduling:

1. Open Reports.
2. On the Settings tab, in the Report Categories group, click the Category list and select the report category you want to work with. The report list displays all of the reports in the category you have selected.
3. In the Report Title column, locate the report you want to schedule. Then do any one of the following:
   • Click the report and then click the Schedule button.
   • Right-click the report and then select Schedule Report.
   • Click the report you want to schedule. Then on the Menu Button menu, select Schedule Report.
   The Report Scheduler Tasks window appears. Use this window to add, edit, and delete your scheduled report tasks. Note that the Event Summary box shows only the tasks that apply to the report you selected in Step 3.

Step 2: Adding a new scheduled report task

Here, you will name and configure the new scheduled task that is associated with this report.

To create a scheduled task:

1. To add a new report schedule, click the Add button. The Enter Scheduler Task Description form appears.
2. In the Task Description box, type a name for the report, then click OK. At this point, the task scheduler form appears. The form takes the name of the report to indicate which report you are scheduling.
3. Complete the Task tab as described in the following table.

   Field   Description

   Run: Normally, you will not change the default setting. But if you do, use this box to type the path to the argument that initiates the task settings for this report. If needed, click the Browse button to locate the correct folder and file.

   Start in: Normally, you will not change the default setting. But if you do, use this box to type the path to the Reports executable file (.exe).

   Comments: Type a description of the report schedule you are configuring, such as "Monthly SolarWinds Event Summary Graphs."

   Run as: By default, this box displays the current user. To change the user, type the domain and user name as follows: [Domain]\[UserName]. Then click the Set password button to set up a password for the current user to run the report. This step is required for the scheduler to work properly.

   Enabled (scheduled task runs at specified time): Select this check box to run the scheduled task on the schedule you will specify in the Schedule tab. If you clear this check box, the report will not run on that schedule.

4. Click Apply to save your changes to the tab.

Step 3: Scheduling the Report

Now you will create the actual report schedule. The settings on the Schedule tab tell the system when to run the report.

If needed, you can create multiple schedules for each report that are within the same scope. For example, perhaps you would like to run an event summary report for the current week and have it display the running total for the week at each hour. You could set the report to "Week: Current" and have multiple schedules that run on an hourly schedule and on a twice-daily schedule.

To schedule a report:

1. Click the Schedule tab. For new tasks, the tab states that the task is not scheduled.
2. Click the New button to create a new schedule for the report. The schedule shown above appears by default. You will create a new schedule by modifying this default schedule with the various boxes in the Schedule tab.
3. Complete the Schedule tab as described in the following table.

   Field   Description

   Schedule Task: Select how often the system is to run the report (daily, weekly, etc.).

   Start time: Type or select the time the system is to run the report. For more detailed scheduling, click the Advanced button. See "Step 4: Selecting Advanced Scheduling Options" on page 360 for more information.

   Every: Type or select how often you want to run the task based on your selection in the Schedule Task box above. For example, for a daily report, you can run the report every day, every 2 days, every 3 days, etc. For a weekly report, you can run the report every week, every 2 weeks, etc.

   Show multiple schedules: Select this check box if you will have more than one schedule for this task, where each schedule has the same scope. If you are going to create more than one schedule with different scopes, then you will need to create a different task for each schedule. If the report is to have only one schedule, then clear this check box.

4. Click Apply to save your changes. The new report schedule appears in the list box near the top of the tab.
5. If desired, repeat Steps 2 – 4 to set up each new schedule for this task.
Step 4: Selecting Advanced Scheduling Options

If you clicked the Schedule tab's Advanced button, the Advanced Schedule Options form appears. This form provides you with complete control over your report schedules. For example, you can schedule start and end dates for the report, or set a task to repeat for a set period of time.

To select advanced scheduling options:
1. Click the Advanced button on the Schedule tab. The Advanced Schedule Options form appears.
2. Complete the Advanced Schedule Options form as described in the following table.

Field: Description
Start Date: Type or select the date you want the system to begin running the report.
End Date: Select this check box if there is a date on which you want the system to stop running the report. Then type or select the end date. If there is no end date, leave this check box clear.
Repeat task: Select this check box if you want the system to repeat running the scheduled report at regular intervals.
Every: Type or select the interval. In the example shown above, this task will run every 4 hours.
Time: Type or select the time you want the system to stop running the repeated task.
Duration: Type or select how long you want the task to run. By limiting the time the task can run, you can prevent the task from running forever, should a problem occur. Reports can be very time consuming; therefore, use this configuration option with caution.
If the task is still running, stop it at this time: Select this check box to have the system stop a report that is still running when the Time or Duration setting is reached. Keep the check box clear to have the system finish running a report that overlaps the Time or Duration setting.

Note: The following image displays the valid and invalid date formats for reports.

In the example shown above, the configured report will run every four hours, starting on Monday, August 18, and running through August 30. Each time the task runs, the system will stop it if it continues to run for more than one hour.
3. Click OK to save your changes and exit the form; otherwise, click Cancel. You return to the task scheduler form.

Step 5: Stating when the system can or cannot run the task

In this topic, you will use the Settings tab to select options that state when the system can and cannot run the task.

To define when the system can or cannot run the task:
1. Click the Settings tab to fine-tune the options for this task.
2. Complete the Settings tab as described in the following table.

Field: Description
Scheduled Task Completed: Select Delete the task if it is not scheduled to run again to have the system delete a task that has run its course. For example, you may want the system to delete a task that has a definite end date. Leave this check box clear to keep the task. Select Stop the task if it runs for [xxx] hour(s) [xxx] minute(s) to specify a maximum allowable time limit for the system to accomplish a task. Use the hour(s) and minute(s) boxes to specify that maximum. In the example shown, the system will stop the task if it exceeds 72 hours. If you leave this check box clear, the system continues running the task until it is complete.
Idle Time: These options allow you to run tasks when the computer is idle. Select Only start the task if the computer has been idle for at least [xxx] minute(s) to begin running a task only if the computer has been idle for the specified time. Use the minute(s) box to specify a minimum idle time. If you leave this check box clear, the system will run the task even when the computer is in use. In the If the computer has not been idle for that long, retry for up to [xxx] minute(s) box, use the minute(s) box to specify how long the system keeps checking whether the computer has reached its minimum idle time before giving up on starting the task. Select Stop the task if the computer ceases to be idle to have the system stop a running task when the computer is once again in use. If you leave this check box clear, the system will continue running the task until it is complete.
Power Management: Select Don't start the task if the computer is running on batteries to prevent the system from running the task when the computer is running on battery power. If you leave this check box clear, the system will run the task even when the computer is on batteries. Select Stop the task if battery mode begins to have the system stop the task when the computer switches to battery power. If you leave this check box clear, the system will continue running the report even when the computer switches to battery power. Select Wake the computer to run this task to have the system bring the computer to normal power to run the scheduled report task. If you leave this check box clear, the report will not run until the next scheduled time after the computer is removed from "sleep."

3. Click Apply to save your changes.
4. Click OK to close the task scheduler form and return to the Report Scheduler Tasks window.

Step 6: Assigning the data source and scope

Once you have added your scheduled report tasks, you can assign each task to a particular data source (a Manager) and define the task's scope. The scope is the event period you want the report to cover. When the system runs the report, it retrieves any pertinent events (that the report covers) that occurred within the period defined by the scope.

To assign the task's data source:
1. In the Report Scheduler Tasks window's Task Description list, select the report schedule you want to assign.
2. Click the Load to View or Edit button. The window's Report Execution Settings For Selected Task section becomes enabled. You will use this section to configure the report execution settings for the task (report schedule) you selected above.
3. Use the Select the report data source list to select the Manager to which you want to assign this task.
Note: You can only assign a task to a single Manager. If you need to assign a similar or identical task to another Manager, then you must create a new task for that other Manager.

To assign the task's scope:
In the Report Scope area, you will set up the task's scope for this data source. The scope is the event period, or time frame, for the events you want the report to cover.
1. In the Date Range list, select the date range you want the report to cover for this task and this data source. In the example shown above, the date range is Day: Today. This means the report will cover the period from 12:00:00 AM to 11:59:59 PM of the current date. For a more complex example, suppose you chose Week: Previous as the date range. The scheduled report would contain information from the last full week, from 12:00:00 AM the last Monday to 11:59:59 PM the last Sunday. For example, if today is Wednesday the 11th, the task reports on the period from 12:00:00 AM on the 2nd to 11:59:59 PM on the 8th. The following table describes each option in the Date Range list.

Date range: Description
Day: Today: Run for the specified timeframe on the current (today's) date.
Day: Yesterday: Run for the specified timeframe on the previous (yesterday's) date.
Week: Current: Run from one week ago to the current time.
Week: Previous: Run from 12:00:00 AM last Monday to 11:59:59 PM the following Sunday. This report will capture the last full week of data.
Month: Current: Run from one month ago to the current time.
Month: Previous: Run from 12:00:00 AM on the first day of the previous month until 11:59:59 PM on its last day. This report will capture the last full month of data.
User Defined: Use this option to run any other report scope. You can use this option to schedule reports for arbitrary periods, or for periods that are outside of the conventional scope of a day, week, or month.

2. In the Start Time and End Time boxes, type or select a start time and end time for reporting events that occurred on this Manager. The report will only show those events that occurred on the Manager within this period.
Note: If you select a Week or a Month scope, you cannot edit the Start Date/Time and End Date/Time.
3. The Count Settings area only applies to count-based reports, such as "Top 20" reports. In the Number of Items box, type or select the number of items you want the report to track.
4. To configure the report so that it automatically exports to a file, continue to "Step 7: Exporting a scheduled report" on page 368. Otherwise, click Save.

Step 7: Exporting a scheduled report

Finally, you can have the report utility automatically export a scheduled report in Adobe's Portable Document Format (.PDF) to the folder of your choice. If you do not choose to export a scheduled report, then the system will print the report to your default printer each time it runs.

To export a scheduled report to a file:
1. Open the Report Scheduler Tasks window, if you have not already done so.
2. In the Task Description box, select the scheduled report task you want to export.
3. On the Report Settings tab, select the Export check box. This enables the other fields in this section. This section allows you to name and export this report in the format and folder of your choice when the task scheduler runs this report.
4. In the Format list, select the file format in which you want to export the report.
5. Click the folder icon next to the File Name box. Browse to the folder where you want to save the report, then type a unique file name for the report. If the report has multiple schedules, give each schedule's exported report a different name. Otherwise, the exported files will overwrite each other, or they will increment according to the If File Exists setting, making it difficult to readily identify the different schedules' reports. Exported reports contain the same event data as the Console, so restrict access to the export folder accordingly.
6. In the If File Exists list, choose one of the following options:
   • Select Increment to store the new report along with any previous versions of the report in the folder. The Report Console increments each report by appending an underscore and a digit to the report filename. For example, the first increment is [FileName]_1.pdf, the second is [FileName]_2.pdf, and so on.
   • Select Overwrite to have each new version of the report overwrite the previous version of the report in the folder.
7. Click Save.
8. Click Close to close the Report Scheduler Tasks window and return to the Reports window.
9. Repeat "Step 2: Adding a new scheduled report task" on page 356 through "Step 7: Exporting a scheduled report" on page 368 for each report you want to schedule and assign to a particular data source.

Searching reports for specific text

The Reports window has a Search tool that you can use to search for key words or phrases in text-based reports. This tool only works when you are viewing a text-based view of a report in the Preview pane. You cannot use this tool with graphical-only reports, or with the default graphical view that is displayed when you first run the report.

Viewing the text-based details of a report

Do either of the following:
• Open a page that is past the graphical section of the report, into the report content pages.
• On the View tab, click the Tree button to open the report's list of sub-topics. Then click the content-based sub-topic to jump to that section of the report. For more information, see "Viewing reports" on page 375.

Using the Search tool
1. In the Reports window, open or run the report you want to view. The report appears in the Preview pane.
2. Display the text-based details you want to search in the Preview pane.
3. On the View tab, in the Navigate group, click Search. The Find form appears.
4. In the Find what box, type the text you want to search for.
5. Select Match whole word only to search for entire words that match, ignoring matches that are only part of a longer word.
6. Select Match case to make the search sensitive to uppercase or lowercase letters.
7. In the Direction area, click Up to search from where you are now to the start of the document, or click Down to search from where you are now to the end of the document.
8. Click Find Next. The tool locates the next instance of the text in the report and highlights it for easy viewing.
9. Continue clicking Find Next for each remaining instance of the text you want to find.
10. When you are finished, click Cancel to close the Find form.

Using the Select Expert tool

The Select Expert tool lets you use queries to create a smaller, more focused report from a larger text-based report. In this manner, you can create reports with very focused information. This tool only works when you are viewing a text-based view of a report in the Preview frame. You cannot use this tool with the default graphical view that is displayed when you first run the report.

Note: Using the Select Expert to filter report data by date or time fields (such as InsertionTime or DetectionTime) will result in an error. If you receive this error, clear the error prompt, return to the Select Expert, and delete the time-based filter. To filter by time and date, you must run the report with the specified range.

Running a query with the Select Expert tool
1. In Reports, open or run the report you want to work with. The report appears in the Preview pane.
2. On the View tab, in the View group, click Select Expert. The Select Expert form appears.
3. Click either the New button or the <New> tab. The Fields form appears. This form displays all of the various report fields that you can query on this report. You can click the Browse button to bring up a list of available fields that you can select with the tool.
4. Select the field you want to query, then click OK. The Select Expert form appears. The first tab displays the field name you have selected. It lists the query options for that field and has an adjacent list where you can select a specific value.
5. In the tab's left-hand list box (or boxes), select a query option for the field. Then, in the adjacent right-hand list box, select a specific value for the field. If needed, you can click the Browse Data button to see a complete list of values that are present in the report for that field. From the Browse Data box, you can select a value; then click Close to apply that value to the query.
6. Repeat Steps 3 – 5 for each field you want to add to the query.
7. Click OK to close the form and apply the query; otherwise, click Cancel. The new report appears in the Preview frame. If needed, you can use the Preview frame's toolbar to save or export the report.

Restoring the original report

When you are through querying a report with the Select Expert tool, you can restore the report to its original state.

To turn off the Select Expert settings:
1. On the View tab, in the View group, click Select Expert. The Select Expert form appears.
2. Click Delete to remove the query options.
3. Click OK. The original report appears in the Preview frame.
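The Date Range scopes from Step 6 (Day: Today, Week: Previous, and so on) and the note above that time filtering has to be done through the report's range rather than through the Select Expert both come down to one thing: a single start/end pair computed at the moment the task runs. The following Python is an added example written for this guide, not SolarWinds code. It computes the windows exactly as the Date Range table defines them (weeks start on Monday, Previous scopes end at 11:59:59 PM, Current scopes end at the run time) and applies the window to a few constructed events. The event tuples and RUN_TIME are constructed sample data; the run date is the manual's "Wednesday the 11th" example.

```python
from datetime import datetime, timedelta
import calendar

ONE_SECOND = timedelta(seconds=1)


def _start_of_day(moment):
    """12:00:00 AM on the calendar date of `moment`."""
    return moment.replace(hour=0, minute=0, second=0, microsecond=0)


def _one_month_earlier(moment):
    """Same wall-clock time one calendar month earlier, clamped to the last
    day of that month (so March 31 maps to February 28)."""
    if moment.month > 1:
        year, month = moment.year, moment.month - 1
    else:
        year, month = moment.year - 1, 12
    last_day = calendar.monthrange(year, month)[1]
    return moment.replace(year=year, month=month, day=min(moment.day, last_day))


def scope_window(date_range, now, start=None, end=None):
    """Return (start, end) for a Report Scope Date Range evaluated at `now`.

    Day and Previous scopes are whole calendar periods ending at 11:59:59 PM;
    Current scopes run from one week/month ago up to the run time; weeks start
    on Monday, matching the Week: Previous description in the manual.
    """
    today = _start_of_day(now)
    if date_range == "Day: Today":
        return today, today + timedelta(days=1) - ONE_SECOND
    if date_range == "Day: Yesterday":
        return today - timedelta(days=1), today - ONE_SECOND
    if date_range == "Week: Current":
        return now - timedelta(weeks=1), now
    if date_range == "Week: Previous":
        this_monday = today - timedelta(days=today.weekday())  # Monday == 0
        return this_monday - timedelta(days=7), this_monday - ONE_SECOND
    if date_range == "Month: Current":
        return _one_month_earlier(now), now
    if date_range == "Month: Previous":
        last_moment_prev = today.replace(day=1) - ONE_SECOND
        return _start_of_day(last_moment_prev).replace(day=1), last_moment_prev
    if date_range == "User Defined":
        if start is None or end is None:
            raise ValueError("User Defined scope needs an explicit start and end")
        if end < start:
            raise ValueError("scope end precedes scope start")
        return start, end
    raise ValueError("unknown Date Range: %r" % date_range)


def events_in_scope(events, date_range, now, **user_defined):
    """Keep only events whose DetectionTime lies inside the scope window.

    `events` is an iterable of (detection_time, description) pairs standing
    in for the rows a scheduled report pulls from the Manager.
    """
    start, end = scope_window(date_range, now, **user_defined)
    return [evt for evt in events if start <= evt[0] <= end]


# Constructed sample data (not real LEM events). RUN_TIME is a Wednesday the
# 11th, as in the manual's Week: Previous example.
RUN_TIME = datetime(2015, 3, 11, 14, 30, 0)
SAMPLE_EVENTS = [
    (datetime(2015, 3, 1, 23, 59, 59), "UserLogonFailure, just before the previous week"),
    (datetime(2015, 3, 2, 0, 0, 0), "UserLogon, first second of the previous week"),
    (datetime(2015, 3, 8, 23, 59, 59), "UserLogoff, last second of the previous week"),
    (datetime(2015, 3, 9, 8, 15, 0), "UserLogon, current week"),
    (datetime(2015, 3, 11, 9, 0, 0), "SuspiciousAuthentication, today"),
]

if __name__ == "__main__":
    for rng in ("Day: Today", "Week: Previous", "Week: Current", "Month: Previous"):
        s, e = scope_window(rng, RUN_TIME)
        hits = events_in_scope(SAMPLE_EVENTS, rng, RUN_TIME)
        print("%-15s %s .. %s  (%d events)" % (rng, s, e, len(hits)))
```

Two boundary cases the table does not spell out are handled explicitly: Month: Current evaluated on the 31st clamps to the last day of a shorter previous month, and a User Defined scope is rejected when its end precedes its start, which is the same condition the scheduler's Start Time/End Time boxes need to satisfy.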
Sorting, filtering, and grouping report lists

Sorting the report list

You can sort the report list by clicking its column headers. This sorts the entire report list by the contents of the column you have selected. You can sort each column in either ascending order (alphabetical) or descending order (reverse alphabetical).

To sort the report list:
• Click a column header once to sort the report list by that column in ascending (alphabetical) order. The column header shows an upward arrow. This arrow means the report list is sorted by this column in ascending order.
• Click the column header again to sort the report list by that column in descending (reverse alphabetical) order. The column header shows a downward arrow. This arrow means the report list is sorted by this column in descending order.

Viewing reports

The topics in this section explain how to open, view, and manipulate a report image shown in the Reports Preview pane.

Opening your saved reports

Whenever a report is saved or exported to .rpt format, you can use the Open command to reopen and view the report's contents. This applies to scheduled reports that the system has run and saved, as well as to on-demand reports that you have run and exported for later viewing.

To open a saved report:
1. Open Reports.
2. Do one of the following:
   • Click the Menu Button and then click Open Report.
   • On the Quick Access Toolbar, click Open Report.
   • On the Settings tab, in the Report Selection group, click Open.
   The Open Report File form appears.
3. Use the Open Report File form to browse to the report file you want to view.
Note: If the report cannot be found where it is expected, be sure you have selected Crystal Reports (*.rpt) in the File type list.
4. Select the file and then click Open. The report opens in the Reports Preview pane. You may now view, search, resize, print, or export the report, as needed.

Viewing the sections of a master report

Some of SolarWinds's standard reports are "master" reports. A master report is made up of a series of sub-topics, where each sub-topic contains a specific set of details about the higher-level master topic. Together, these topics make up the whole report, just as individual chapters make up a book. When a report has more than one sub-topic, a sub-topic pane appears to the left of the Reports window's Preview pane. The sub-topic pane lists the sub-topics that are found in the report. If you click a sub-topic, the Preview pane displays the first page of that section of the report.

To view a section of a master report:
• In the sub-topic pane, select the sub-topic you want to see. The Preview pane displays the first page of that section of the report.

In this example, the Preview pane is showing the Authentication report. The sub-topic pane shows that this report has sub-topics on suspicious authentications, authentication failures, user logons, user logoffs, user logon failures, etc. Clicking a sub-topic displays that section of the report.

Hiding and showing a master report's sub-topic pane

Whenever you are previewing a master report (that is, a report that has lower-level topics), the View tab's Tree button becomes enabled. You can use this button to toggle between hiding and revealing the report's sub-topic pane.

To hide the sub-topic pane:
• On the View tab, in the View group, click the Tree button. The sub-topic pane becomes hidden.

To restore the sub-topic pane:
• On the View tab, in the View group, click the Tree button again. The sub-topic pane appears again.

Viewing the pages of a report

In the Reports window, the View tab's Navigate group has a toolbar that you can use to browse through the pages of a multi-page report. If the report has only one page, then this toolbar is disabled.

To view the pages of a report:
1. In the Reports window, open or run the report you want to view.
2. Click the View tab.
3. In the Navigate group, use the toolbar to view the report, as described in the following table.

Button: Function
First page: Displays the first page of the report.
Previous page: Displays the previous page of the report.
Next page: Displays the next page of the report.
Last page: Displays the last page of the report.
Page box: Displays the page number that is currently shown in the Preview frame, as well as the total number of pages in the report. If the Console has not yet tallied the total number of pages, you will see however many pages it is certain of and a "+" to indicate that there are more pages (for example, 1+). To determine how many pages are in the report, click the Last page button. This takes you to the last page of the report, forcing the Console to determine how many pages there are, and replaces the "1+" with the actual number of pages. You can also use this box to display a particular page of the report: type the page number you want to see and then press Enter. The Preview frame then displays that page.

Magnifying and reducing report pages

You can use the Reports Zoom feature to resize a report by typing or selecting a percentage of the report's actual size. You can magnify (zoom in) or reduce (zoom out) a report, or have the report expand or shrink to fit the Preview pane.

To zoom in or out on a report:
1. In Reports, open or run the report you want to view. The report appears in the Preview pane.
2. On the View tab, in the View group, click the Zoom list and then select the option you want.
   • Select Page Width to have the width of the report page match that of the Preview pane.
   • Select Whole Page to display the entire report page within the Preview pane.
   • Select anything less than 100% to reduce the report accordingly. For example, 50% displays the report at half its normal size.
   • Select 100% to display the report in its actual size.
   • Select anything greater than 100% to magnify the page accordingly. For example, 200% displays the report at twice its normal size.
   • In the Zoom box, type a [number]% for the magnification you want, and then press Enter. For example, type 33% to reduce the image to one-third of its actual size, or type 175% to magnify the report so it is three-quarters larger than its normal size.

Stopping a report in progress
• To stop running or loading a report that is in progress, click the Stop button on the status bar, in the lower-right corner of the Reports window.

Chapter 15: Setting up an nDepth Appliance

The topics in this section are about configuring nDepth to store and access your original log messages:
• Setting up the nDepth Appliance (if you are using a separate nDepth Appliance to store original log messages).
• Configuring your network connectors (sensors) for use with nDepth to store original log messages.

Using a separate nDepth appliance

If needed, you can use a separate nDepth appliance for long-term storage and retrieval of your network's original event log messages. In this configuration, each Manager has its own dedicated nDepth appliance. The appliance stores all of the original log file source data that passes through a particular Manager. The log data is stored in its entirety, in real time, as it originally occurs from each host (network device) and source (application or connector) that is monitored by the Manager. Even when you use a separate appliance, you can still access and explore this information from the Console's nDepth view.

The primary advantage of using a separate nDepth appliance is that it provides you with the capacity for long-term storage and retrieval of the original log messages. If long-term storage of this information is a high priority, then you will want to consider a separate appliance; otherwise, a separate appliance is probably unnecessary.
If you have questions, contact your SolarWinds sales representative or SolarWinds Technical Support.

Installing a Separate nDepth Appliance

If you would like to use a separate nDepth appliance for long-term storage and retrieval of the original log messages, then you must install that appliance before you begin using nDepth. Contact SolarWinds Technical Support for instructions on installing a separate appliance. If you are not using a separate appliance, this procedure is not required, because short-term log messages are stored directly on LEM.

Configuring Network Connectors for Use with nDepth

To use nDepth to explore your network's original log messages, you must configure each connector (sensor) for use with nDepth with the Console's Connector Configuration form. First, decide which network devices, applications, and connectors that are monitored by the Manager are also to send their log messages to nDepth. Then configure each of these connectors for use with nDepth. You can choose to route a connector's log messages to LEM, directly to nDepth, or to both. SolarWinds recommends that you configure each connector so it routes its log messages to both nDepth and LEM. This allows you to receive events on these connectors, and to search log messages stored on the separate nDepth appliance.

How many days of live data will the LEM database store?

The number of days' worth of live data that the LEM database will store varies for every implementation. The information below should help you determine this number for your environment, while also promoting a more detailed understanding of how the database works in general.

This article contains the following sections:
• What the LEM Database Stores
• Where to Find the Numbers
• Alternate Storage Methods

What the LEM Database Stores

By default, the LEM database is allowed 230 GB of the 250 GB allocated to the LEM virtual appliance. This partition consists of three data stores:
1. Syslog/SNMP data from devices logging to the LEM appliance;
2. Normalized Event data; and
3. Original, or "raw," log data, if enabled.

For the sake of this article, we'll call #1 the Syslog store. The Syslog store consists of all Syslog/SNMP log data that is sent to the LEM appliance. The LEM appliance reads and processes the data in real time, and then sends it to the Event store for long-term storage. The LEM appliance keeps the original data for 50 days in its original format, in case you need to review it, and compresses and rotates the data in the Syslog store daily, maintaining a consistent 50 days' worth of data. The amount of data being stored here should level off at around the 50-day mark.

The Event store, #2 above, consists of all of the normalized Events generated by the LEM Manager and LEM Agents. Data in this store is compressed at a ratio of 40:1 to 60:1, which equates to a size reduction of roughly 97.5% to 98.3%. LEM Reports and nDepth query this store for Event data whenever they're run.

Finally, the original log store, #3 above, is an optional store for original, or "raw," log messages, which is searchable using Log Message queries in nDepth. The data in this store can come from LEM Agents or other devices that are logging to the LEM appliance. You can define whether data is sent to this store at the connector level, so not all devices have to log in this manner. For more information, see Configuring Your LEM Appliance for Log Message Storage and nDepth Search in the SolarWinds Knowledge Base.

Where to Find the Numbers

There are three primary sources for statistics related to how your LEM database is being used: the Disk Usage summary in the CMC, the Database Maintenance Report, and the Log Storage Maintenance Report.

Disk Usage Summary

When you initially log into your LEM virtual appliance using the vSphere "console" view or an SSH client such as PuTTY, the LEM appliance automatically generates a Disk Usage summary. You can also generate an ad hoc Disk Usage summary by running the diskusage command from the cmc::acm# (cmc > appliance) prompt. The two lines to note here are:

Logs/Data: This figure represents the total space being utilized by your LEM database. This value is presented in the percent% (usedG/allocatedG) format, where percent is the percent of the allocated space that is currently being used, used is the actual amount of space that is currently being used, and allocated is the total amount of space that is currently allocated to the LEM database.
Logs: This figure represents the amount of space being utilized by the Syslog store. This figure is included in the used figure noted above. To figure out how much space is currently being utilized by your Event store, subtract the Logs value from the used value.

Note: If you are storing original log messages in your LEM database, the calculation above will show you the combined space being utilized by both your Event and original log stores.

Database Maintenance Report

Run the Database Maintenance Report in LEM Reports to see a snapshot of your current database utilization. For the sake of this discussion, note the following sections:
Disk Usage Summary: This section provides disk usage figures as percentages of the space allocated to the LEM database.
Disk Usage Details: This section provides the actual amounts related to the percentages in the Disk Usage Summary section.
Database Time Span (days): Note the Event DB value in this section. This value tells you how many days' worth of live Event data is currently stored on your LEM database. For detailed information about this value, see the second page of the Database Maintenance Report.
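To turn the two Disk Usage summary lines and the Event DB time span into the number this article asks about, here is an added Python example written for this page; it is not a SolarWinds tool. It parses the percent% (usedG/allocatedG) and Logs figures, performs the subtraction described above, and projects how many days of live Event data the allocation can hold at the current ingest rate. The sample summary text is constructed, the exact label spelling and spacing of the real diskusage output is an assumption, the 90-day Event DB value is an assumed reading from the Database Maintenance Report, and the projection assumes ingest stays linear.

```python
import re

# Constructed sample of the two Disk Usage summary lines described above.
# The "percent% (usedG/allocatedG)" layout is the manual's; the exact label
# text and spacing of the real CMC output are an assumption.
SAMPLE_DISK_USAGE = """\
Logs/Data: 61% (140G/230G)
Logs: 32G
"""

_LOGS_DATA = re.compile(r"Logs/Data:\s*(\d+)%\s*\((\d+(?:\.\d+)?)G/(\d+(?:\.\d+)?)G\)")
_LOGS = re.compile(r"^\s*Logs:\s*(\d+(?:\.\d+)?)G", re.MULTILINE)

SYSLOG_RETENTION_DAYS = 50  # the Syslog store rotates daily and levels off at 50 days


def parse_disk_usage(summary):
    """Pull the figures out of a Disk Usage summary.

    Returns the allocated size, the space in use, the Syslog store ("Logs")
    and, by subtraction, the Event store. If original log message storage is
    enabled, event_gb also contains the raw log store, exactly as the manual's
    subtraction does; the projection below is then pessimistic.
    """
    m_total = _LOGS_DATA.search(summary)
    m_logs = _LOGS.search(summary)
    if not m_total or not m_logs:
        raise ValueError("Logs/Data or Logs line not found in summary")
    percent = int(m_total.group(1))
    used_gb = float(m_total.group(2))
    allocated_gb = float(m_total.group(3))
    syslog_gb = float(m_logs.group(1))
    # A truncated or mangled summary should fail loudly rather than feed a
    # bogus number into capacity planning.
    if syslog_gb > used_gb or used_gb > allocated_gb:
        raise ValueError("figures are inconsistent: %r" % summary)
    if abs(round(100.0 * used_gb / allocated_gb) - percent) > 1:
        raise ValueError("percentage does not match used/allocated")
    return {
        "allocated_gb": allocated_gb,
        "used_gb": used_gb,
        "syslog_gb": syslog_gb,
        "event_gb": used_gb - syslog_gb,
        "percent": percent,
    }


def estimate_live_event_days(usage, event_db_days):
    """Linear projection of how many days of live Event data fit in the
    allocation at the current ingest rate.

    `event_db_days` is the Event DB value from the Database Time Span section
    of the Database Maintenance Report. The Syslog store is assumed to have
    levelled off at its current size (it stops growing at about 50 days), so
    everything else in the allocation is treated as available to the Event
    store. Assumption: steady ingest; onboarding a chatty log source or an
    incident will shorten the real figure.
    """
    if event_db_days <= 0 or usage["event_gb"] <= 0:
        raise ValueError("need a positive Event DB time span and a non-empty Event store")
    gb_per_day = usage["event_gb"] / event_db_days
    available_gb = usage["allocated_gb"] - usage["syslog_gb"]
    return available_gb / gb_per_day


if __name__ == "__main__":
    usage = parse_disk_usage(SAMPLE_DISK_USAGE)
    days = estimate_live_event_days(usage, event_db_days=90)
    print("Event store %.0f GB over 90 days; the allocation holds about %.0f days of live events"
          % (usage["event_gb"], days))
```

Re-run the calculation after any change that alters ingest (new connectors, a change to the Syslog retention, or enabling original log storage), since the projection only describes the rate observed at the time the report was run.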
Note: The Other Files figure in the Database Maintenance Report consists primarily of the data in the Syslog store noted above.

Log Storage Maintenance Report

Run the Log Storage Maintenance Report in LEM Reports to get detailed information about the original log store noted above. If you have not enabled your LEM appliance and connectors to store original log messages, this report will be blank.

Alternate Storage Methods

Depending on the needs of your environment, you might want to use one or more of the alternate storage methods listed below. For more details or assistance with any of these methods, open a ticket with Support.

- Back up your LEM virtual appliance on a regular basis. This gives you "offline" storage for all of your LEM data stores and configuration settings. For instructions and recommendations, see the Log & Event Manager > Backup section of the SolarWinds Knowledge Base.
- Decrease the number of days for which Syslog/SNMP data is stored on your LEM virtual appliance.
- Deploy another LEM virtual appliance to be used as a Syslog server.
- Deploy another LEM virtual appliance to be used as a database server.
- Increase the space allocated to your LEM virtual appliance.

Chapter 16: Enabling Transport Layer Security

The Transport Layer Security (TLS) option adds an extra level of security for data transfers between a LEM database and the Reports application. By default, TLS is disabled both on newly deployed 6.0.1 appliances and on LEM appliances updated from previous versions. The enabling procedure differs depending on your LEM configuration (standalone, or with a dedicated database appliance).

Note: During the process, the LEM certificate for accessing the Web or AIR Console needs to be rebuilt. This means that machines used to access the LEM Web or AIR Console need to have the certificate re-imported.

Enabling Standalone LEM Appliance

1. Access the cmc prompt, either from the vSphere/Hyper-V Client console or via an SSH client.

Note: The following steps are mandatory for upgraded LEM appliances. If you have a freshly deployed 6.0.1 appliance, proceed to step 7; the default hostname is swi-lem.

2. At the cmc> prompt, enter appliance.
3. At the cmc::acm# prompt, enter hostname.
4. Enter the name of your manager at the prompt "Please enter the new hostname...".

Note: Enter the currently used hostname if you do not want the LEM manager name to change.

5. At the cmc::acm# prompt, enter exit.
6. At the cmc> prompt, enter manager.
7. At the cmc::cmm# prompt, enter exportcert.
8. Follow the prompts to export the LEM Manager CA certificate.

Note: An accessible network share is required. Once the export is successful, you will see the following message: Exporting CA Cert to \\server\share\SWICAert-hostname.crt ... Success.

9. At the cmc::cmm# prompt, enter enabletls.
11. At the cmc::cmm# prompt, enter restart.

This concludes the TLS configuration of a standalone LEM Manager. See "Setting up a Dedicated LEM User for Reports Accessing" on page 389 to set up a user for accessing Reports, and see "Configuring Reports Application" on page 390 to configure the Reports application itself.

Setting up a Dedicated LEM User for Reports Accessing

Note: LEM 6.0.1 requires authorization to access LEM from the Reports application. This means that a user with the Reports role has to be created in the LEM Console. If you already have a suitable user, proceed to "Configuring Reports Application" on page 390.

1. Log in to the LEM Web or AIR Console as a user with Administrator rights.
2. Navigate to the Build > Users page.
3. Click + to create a new LEM user.
4. Fill in the text fields. Username and Password are mandatory.
5. Select the Reports option from the LEM Role dropdown.

Note: Other roles that can query LEM via Reports are Administrator and Auditor.

6. Save the new user.
Note: If you have an Active Directory connector configured, you can use a directory service user as the Reports user instead of a built-in LEM one.

Configuring Reports Application

1. Start the LEM Reports 6.0.1 application.
2. Select the Managers – Credentials and Certificates option under the Configure button.
3. Click the green button.
4. Specify the manager IP or hostname.
5. Fill in the credentials of the user created previously in the Web Console.
6. Check the Use TLS connection? box.

Note: You can also ping the address you specified by pressing the Test Connection button. This option does not validate credentials or check TLS availability.

7. Click the green button again to add a new Manager.
8. Select the Certificates tab.
9. Click the Import Certificate button.
10. Browse to and open the LEM certificate (e.g. in the network share folder specified during certificate export).
11. Use the certificate from the Database Appliance if you have LEM configured with a dedicated database.
12. Close the Manager Configuration window.

Note: There is no need to import the LEM CA certificate again if the LEM changed its hostname.

Enabling TLS on a LEM Manager with a Dedicated Database Appliance

1. Access the cmc prompt (either from the vSphere/Hyper-V Client console or via an SSH client).
2. At the cmc> prompt, enter appliance.
3. At the cmc::acm# prompt, enter hostname.
4. At the prompt "Please enter the new hostname..." specify the desired name of your manager.

Note: If you don't want your LEM manager name to change, enter the currently used hostname.

5. At the cmc::acm# prompt, enter exit.
6. At the cmc> prompt, enter manager.
7. At the cmc::cmm# prompt, enter exportcert.
8. Follow the prompts to export the LEM CA certificate.

Note: An accessible network share is required. Once the export is successful, you will see the following message: Exporting CA Cert to \\server\share\SWICAert-hostname.crt ... Success.
9. At the cmc::cmm# prompt, enter enabletls.

Enabling TLS on LEM Database

1. Access the cmc prompt (either from the vSphere/Hyper-V Client console or via an SSH client).
2. At the cmc> prompt, enter appliance.
3. At the cmc::acm# prompt, enter hostname.
4. At the prompt "Please enter the new hostname..." specify the desired name of your manager.

Note: If you don't want your LEM manager name to change, enter the currently used hostname.

5. At the cmc::acm# prompt, enter exit.
6. At the cmc> prompt, enter manager.
7. At the cmc::cmm# prompt, enter exportcert.
8. Follow the prompts to export the LEM CA certificate.

Note: An accessible network share is required. Once the export is successful, you will see the following message: Exporting CA Cert to \\server\share\SWICAert-hostname.crt ... Success.

9. At the cmc::cmm# prompt, enter enabletls.

Note: To use a custom CA to sign the Database or Manager certificate, it is necessary to generate and sign the certificate after changing the hostname. This is used

Importing Certificates into the Manager and Database

Manager and Database nodes need to trust each other's certificates. This is done by importing certificates from both sides.

Note: It is not required to perform the steps of this chapter on any appliance in these two cases:

- You have upgraded from 6.0.0 or earlier.
- A clean 6.0.1 or newer was deployed and a CA was used to sign both LEM certificates.

1. Access the cmc prompt of the LEM Manager.
2. At the cmc> prompt, enter manager.
3. At the cmc::cmm# prompt, enter importl4ca.
4. Choose the network share location specified during certificate export of the Database.
5. When prompted for a file name, specify the name of the Database certificate.
6. Enter the full filename, including the file extension.
7. Access the cmc prompt of the LEM Database.
8. At the cmc> prompt, enter manager.
9. At the cmc::cmm# prompt, enter importl4ca.
10. Choose the network share location specified during certificate export of the Manager.
11. When prompted for a file name, specify the name of the Manager certificate.

Note: The full filename is required, including the file extension.

This concludes the TLS configuration of a LEM Manager with a dedicated database appliance. See "Setting up a Dedicated LEM User for Reports Accessing" on page 389 to set up a user for accessing reports, and see "Configuring Reports Application" on page 390 to configure the Reports application.

Chapter 17: Troubleshooting

If you do not see the events you expected to see in the LEM Console, use the following procedures to troubleshoot your LEM Agents and network devices.

Troubleshooting the LEM Agent

Start by determining whether the LEM Agent is connected to the LEM appliance:

1. Open the LEM Console and log in to your LEM appliance.
2. Click the Manage tab, and then select Nodes.
3. To filter this list to show just LEM Agents, select Agent from the Nodes menu on the Refine Results pane.

Note: Refer to the icon in the Status column to determine which procedures to use.

Troubleshooting Disconnected or Missing LEM Agents

Complete these procedures for LEM Agents that show in the LEM Console as "Disconnected," or do not show in the LEM Console at all.

To troubleshoot LEM Agents that you cannot see in the LEM Console:

1. Verify you have installed the LEM Agent on the host computer.
2. If you have installed the LEM Agent, complete the procedure for troubleshooting LEM Agents that show as "Disconnected" in the LEM Console.

To troubleshoot LEM Agents that show as "Disconnected" in the LEM Console:

1. Verify the LEM Agent service is running on the host computer.
2. Verify you can ping the LEM appliance by hostname from the LEM Agent computer.
3. If you can ping the appliance by hostname, clear the LEM Agent certificate.
4. If you cannot ping the appliance by hostname, try pinging the appliance by IP address.
5. If you can ping the appliance by IP address, do one of the following:
   - Edit spop.conf so the LEM Agent calls the LEM appliance by its IP address instead of its hostname. For instructions, see the spop.conf procedure later in this section.
   - Change your DNS settings so the LEM Agent computer can resolve the LEM appliance's hostname (recommended).
6. If you cannot ping the appliance by IP address, resolve any network or firewall issues between the LEM Agent and the appliance.

To edit spop.conf so the LEM Agent calls the LEM appliance by its IP address (Windows):

1. Stop the SolarWinds Log and Event Manager Agent service.
2. Delete the spop folder (do not delete the ContegoSPOP folder):
   - 32-bit computers: C:\Windows\System32\ContegoSPOP\spop
   - 64-bit computers: C:\Windows\SysWOW64\ContegoSPOP\spop
3. In the ContegoSPOP folder, open and modify the spop.conf file by replacing the ManagerAddress value with the LEM appliance's IP address.
4. Save and close the file.
5. Start the SolarWinds Log and Event Manager Agent service.

Troubleshooting Connected LEM Agents

Complete the following procedures for LEM Agents that show in the LEM Console as Connected.

To troubleshoot LEM Agents that show as "Connected" in the LEM Console:

1. Verify you have configured the appropriate connectors on the LEM Agent. For example, the LEM Agent for Windows runs the connectors for the Windows Application and Security Logs by default, but you must configure the connector for the DNS server role.
2. Verify the connectors you have configured are running.
3. If the necessary connectors are configured and running, delete and recreate the connectors that are not working.
Contacting Support

If you still do not see events from your LEM Agents after completing these procedures, send the following files to SolarWinds Support (default paths):

32-bit Windows OS:
- C:\Windows\System32\ContegoSPOP\spoplog.txt (the most recent version)
- C:\Windows\System32\ContegoSPOP\tools\readerState.xml

64-bit Windows OS:
- C:\Windows\SysWOW64\ContegoSPOP\spoplog.txt (the most recent version)
- C:\Windows\SysWOW64\ContegoSPOP\tools\readerState.xml

Troubleshooting Network Devices

Start by determining whether the device is sending data to the LEM appliance:

1. Connect to your LEM appliance using the VMware "console" view, or an SSH client such as PuTTY.
2. If you're connecting to your appliance through SSH, log in as the CMC user, and provide the appropriate password.
3. If you're connecting to your appliance using VMware, select Advanced Configuration on the main console screen, and then press <Enter> to get to the command prompt.
4. At the cmc> prompt, enter appliance.
5. At the cmc::acm# prompt, enter checklogs.
6. Enter an item number to select a log file to view.
7. Check each log file that is not empty for evidence that the device is logging to the appliance, such as the device's product name, device name, or IP address.

Troubleshooting Network Devices Logging to LEM

To monitor a network device with LEM, you must first configure the device to send its log messages to the LEM appliance. Determine whether or not the device you are troubleshooting is logging to LEM before completing the following troubleshooting procedures.

To determine whether the LEM appliance is receiving data from the device:

1. Connect to your LEM appliance using a virtual console or SSH client.
2. Access the CMC prompt:
   - Virtual Console: Arrow down to Advanced Configuration, and then press Enter.
   - SSH Client: Log in using your CMC credentials.
3. At the cmc> prompt, enter appliance.
4. At the cmc::acm# prompt, enter checklogs.
5. Enter an item number to select a log file to view.
6. Check each log file that is not empty for evidence that the device is logging to the appliance, such as the device's product name, device name, or IP address.

Devices Not Logging to a Log File on the Appliance

Complete the following procedures for network devices that do not show data on the LEM appliance.

To troubleshoot network devices that have not sent logs to the LEM appliance:

1. Verify you have configured the device to log to the LEM appliance.
2. Verify the device is logging to the correct IP address for the LEM appliance.
3. If the device is sending SNMP traps to the LEM appliance, verify you have configured the LEM appliance to accept SNMP traps.
4. Verify a firewall is not blocking communication between the device and the LEM appliance.

To configure your LEM Manager to accept SNMP traps:

1. Connect to your LEM appliance using a virtual console or SSH client.
2. Access the CMC prompt:
   - Virtual Console: Arrow down to Advanced Configuration, and then press Enter.
   - SSH Client: Log in using your CMC credentials.
3. At the cmc> prompt, enter service.
4. At the cmc::scm# prompt, enter enablesnmp.
5. Press Enter to confirm your entry.
6. After you see the message "Done starting the SNMP service", enter exit to return to the cmc> prompt.

Troubleshooting Devices Logging to a Log File on the Appliance

Complete the following procedure for network devices that show data on the LEM appliance.

To troubleshoot network devices that have sent logs to the LEM appliance:

1. Verify you have configured the appropriate connector on the LEM appliance. For information about how to troubleshoot connectors that are out of date, see Troubleshooting "Unmatched Data" or "Internal New Tool Data" events in your LEM Console.
2. Verify the connector you have configured is running.
3. If the necessary connector is configured and running, delete and recreate the connector instance.

Contacting Support

If you still do not see events from your network device after completing these procedures, send a screenshot of your device's logging configuration screens to SolarWinds Support.

Appendix A: Standard Widget Tables

The following table briefly describes the widgets that ship with the LEM Console. Each entry gives the widget name/filter, followed by its description.

All Events: Displays all events from all filters.
Events by Event Type: Displays a count of the top 10 events by event type (event name).
Events by Connector Name: Displays the number of events being captured by each configured connector, over time.
Events per Minute: Displays the total count of events per minute for the last 15 minutes.
Change Management: Displays events related to changes occurring on the network.
Change Management Events by Agent: Displays the top 10 Agents generating change management events.
Change Management Events by Type: Displays the top 10 change management events by event type.
Failed Logons: Displays all user account failed logon attempts.
Failed Logons by User Account: Displays the top 5 Failed Logons by User Account name.
File Audit Failures: Displays FileAuditFailure events, which show failed attempts to access audited files.
File Audit Failures by File Name: Displays the top 10 file names generating file audit failures.
File Audit Failures by Source Account: Displays the top 10 source accounts generating file audit failures.
Firewall: Displays all events from firewall devices.
Firewall Events by Firewall: Displays the top 5 firewalls generating firewall events.
Firewall Events by Type: Displays the top 5 firewall events by event type.
Incidents: Displays all Incident events.
Incidents by Rule Name: Displays the top 5 incidents by the name of the rule that generated the Incident.
Interactive Logons by User Account: Displays the top 10 user logons by user account name.
My Rules Fired by Rule Name: Displays the top 5 subscribed events by the name of the rule that generated them.
Network Events: Displays all Network events.
Network Events by Source Machine: Displays the top 10 machines generating network events.
Network Event Trends: Displays the top 10 network-related events by event type.
Rule Activity: Shows all of the rules that have fired.
Rules Fired by Rule Name: Displays the top 5 rules fired by rule name.
Security Processes: Displays process launches and exits from processes in the "Security Processes" User-Defined Group, which is used to monitor critical security-related processes.
Security Processes by Agent: Displays the top 10 Agents generating security process events.
Subscriptions: Displays events created by rules you are "Subscribed" to in the Rules area.
SolarWinds Events: Displays all Internal events (events generated during operation of the LEM).
Unusual Network Traffic: Displays events that indicate unusual or suspicious network traffic.
Unusual Network Traffic by Destination: Displays the top 5 destinations for unusual network traffic.
Unusual Network Traffic by Source: Displays the top 10 sources of unusual network traffic.
USB-Defender: Displays all USB-Defender events.
USB-Defender Activity by Detection IP: Displays the top 5 Agents with the most USB-Defender events.
USB File Auditing: Displays USB-Defender's File Auditing events.
USB File Auditing by Detection IP: Displays the top 5 Agents with the most USB file auditing events.
User Logons: Displays all user account logons.
User Logons by Agent: Displays the top 5 Agents reporting user logons.
User Logons by Source Machine: Displays the top 5 user logons by source machine.
User Logons by User Account: Displays the top 10 user logons by user account name.
User Logons (Interactive): Displays interactive user account logons.
Virus Attacks: Displays all virus attack events.
Virus Attacks by Source Machine: Displays the top 5 sources of virus attacks or infections.

Appendix B: Events

This appendix describes every event type that is displayed in the Events Panel and that can be configured with the Policy commands.

Note: LEM reports events in a hierarchical node tree, shown here. When you click a node to open it, you will see that most nodes also have lower-level nodes. Each node that has lower-level nodes is called a parent node. Similarly, all lower-level nodes below a particular parent node can be thought of as child nodes, or children, of that parent node. Naturally, the terms parent and child apply to a node relative to its position and role in the node tree. That is, a node can be a child of one node and a parent to others. LEM automatically assigns alerts to the nodes of the alert tree based on the specific nature of the alert and its severity.

Event types

There are five types of events:

- Asset Events relate to the changing state of different types of enterprise assets, including software, hardware, and users. These alerts can indicate changes made to system configurations, software updates, patch applications, vulnerability information, and other system events.
- Audit Events are generally related to normal network activity that would not be considered an attack, compromise, or misuse of resources. Many of the audit alerts have rules that can be used to threshold and escalate "normal" behavior into something which may be considered a security event.
- Incident Events are used to raise global, enterprise-wide visibility in response to any issue detected by Rules. Incidents generally reflect serious issues that should be addressed. Since Incidents are created by Rules, any combination of malicious or suspicious traffic from any other single alert or combination of alerts can create an Incident.
- Internal Events are related to the operation of the LEM system. Any events generated by LEM relating to Active Response, LEM users, or LEM errors will appear under one of the many children. These alerts are for informational purposes. They do not necessarily reflect conditions that should cause alarm. Events that may reflect potential issues within LEM are specifically marked for forwarding to SolarWinds.
- Security Events are generally related to network activity that is consistent with an internal or external attack, a misuse or abuse of resources, a resource compromise, resource probing, or other abnormal traffic that is noteworthy. Security Events indicate aggressive behavior that may lead to an attack or resource compromise, or suspicious behavior that may indicate unauthorized information gathering. LEM infers some Security Events from what is normally considered audit traffic, but it escalates the events to alert status based on thresholds that are defined by Rules.

Asset Events

Asset Events deal with assets and asset scan results. They relate to the changing state of different types of enterprise assets, including software, hardware, and users. Asset information can come from centralized directory service connectors, or it can be scan information from security scan connectors, including Vulnerability Assessment and Patch Management connectors. Therefore, these alerts indicate changes made to system configurations, software updates, patch applications, vulnerability information, and other system events. Each Asset Event is described below. For your convenience, they are listed alphabetically.

AssetManagement

AssetManagement alerts are for gathering non-realtime data about system assets (computers, software, users).
The data will come from various sources, including Directory Service connectors.

AssetManagement > MachineAsset

MachineAsset is a specific type of AssetManagement alert that indicates additions, removals, and updates (including software installation) of specific nodes that exist in the enterprise.

AssetManagement > MachineAsset > MachineAssetAdded

MachineAssetAdded alerts indicate the new presence of a node (host or network device) in the enterprise.

AssetManagement > MachineAsset > MachineAssetRemoved

MachineAssetRemoved alerts indicate the removal of a node (host or network device) from the enterprise.

AssetManagement > MachineAsset > MachineAssetUpdated

MachineAssetUpdated alerts indicate a change to an existing node (host or network device) in the enterprise, including new software and software patch installations on the node.

AssetManagement > MachineAsset > MachineAssetUpdated > SoftwareAssetUpdated

SoftwareAssetUpdated alerts indicate an attempted software change (including application of a software patch) to an existing node (host or network device) in the enterprise, successful or failed.

AssetManagement > MachineAsset > MachineAssetUpdated > SoftwareAssetUpdated > SoftwareAssetPatched

SoftwareAssetPatched alerts indicate a successful application of a software patch to an existing node (host or network device) in the enterprise.

AssetManagement > MachineAsset > MachineAssetUpdated > SoftwareAssetUpdated > SoftwareAssetPatchFailed

SoftwareAssetPatchFailed alerts indicate a failed application of a software patch to an existing node (host or network device) in the enterprise.

AssetManagement > SoftwareAsset

SoftwareAsset is a specific type of AssetManagement alert that indicates additions, removals, and updates of specific software and software versions that exist in the enterprise.
AssetManagement > SoftwareAsset > SoftwareAssetAdded

SoftwareAssetAdded alerts indicate the new presence of an installation of specific software applications or operating systems in the enterprise.

AssetManagement > SoftwareAsset > SoftwareAssetAdded > SoftwareAssetVersionAdded

SoftwareAssetVersionAdded alerts indicate a new version installation of specific known software applications or operating systems in the enterprise.

AssetManagement > SoftwareAsset > SoftwareAssetRemoved

SoftwareAssetRemoved alerts indicate removals of specific software applications or operating systems from the enterprise.

AssetManagement > UserAsset

UserAsset is a specific type of AssetManagement alert that indicates additions, removals, and updates to users and user groups that exist in the enterprise.

AssetManagement > UserAsset > GroupAssetAdded

GroupAssetAdded alerts indicate the new presence of a user group in the enterprise.

AssetManagement > UserAsset > GroupAssetRemoved

GroupAssetRemoved alerts indicate the removal of a user group from the enterprise.

AssetManagement > UserAsset > GroupAssetUpdated

GroupAssetUpdated alerts indicate a change to a user group that exists in the enterprise, including group member additions and deletions.

AssetManagement > UserAsset > GroupAssetUpdated > GroupAssetMemberAdded

GroupAssetMemberAdded alerts indicate the addition of a user member to a user group that exists in the enterprise.

AssetManagement > UserAsset > GroupAssetUpdated > GroupAssetMemberRemoved

GroupAssetMemberRemoved alerts indicate the removal of a user member from a user group that exists in the enterprise.

AssetManagement > UserAsset > UserAssetAdded

UserAssetAdded alerts indicate the new presence of a user in the enterprise.

AssetManagement > UserAsset > UserAssetRemoved

UserAssetRemoved alerts indicate the removal of a user from the enterprise.

AssetManagement > UserAsset > UserAssetUpdated

UserAssetUpdated alerts indicate a change to a user that exists in the enterprise.
AssetScanResult

AssetScanResult contains alerts useful for data gathered from security scan results (reports). These alerts are commonly gathered from Vulnerability Assessment and Patch Management connectors.

AssetScanResult > ExposureFound

ExposureFound alerts indicate scan results that are not high risk but demonstrate configuration issues or potential risks. These alerts may indicate exposures that can potentially cause future exploits or have been common sources of exploits in the past, such as common open ports or host configuration issues.

AssetScanResult > VulnerabilityFound

VulnerabilityFound alerts indicate scan results that demonstrate high-risk vulnerabilities. These alerts can indicate the presence of serious exposures that should be addressed and can represent significant risk of exploit or infection of enterprise assets.

GeneralAsset

GeneralAsset alerts are generated when a supported product outputs data that has not yet been normalized into a specific alert, but is known to be asset-issue-related.

Audit Events

Events that are children of the AuditEvent node are generally related to normal network activity that would not be considered an attack, compromise, or misuse of resources. Many of the audit alerts have rules that can be used to threshold and escalate "normal" behavior into something which may be considered a security event. Each Audit Event is described below. For your convenience, they are listed alphabetically.

AuthAudit

Events that are part of the AuthAudit tree are related to authentication and authorization of accounts and account "containers" such as groups or domains. These alerts can be produced from any network node, including firewalls, routers, servers, and clients.

AuthAudit > DomainAuthAudit

DomainAuthAudit events are authentication, authorization, and modification events related only to domains, subdomains, and account containers.
These alerts are normally operating system related, but could be produced by any network device.

AuthAudit > DomainAuthAudit > NewDomainMember

NewDomainMember events occur when an account or account container has been added to a domain. Usually, these additions are made by a user account with administrative privileges, but occasionally a NewDomainMember alert will also happen when local system maintenance activity takes place.

AuthAudit > DomainAuthAudit > DeleteDomainMember

DeleteDomainMember events occur when an account or account container has been removed from a domain. Usually, these changes are made by a user account with administrative privileges, but occasionally a DeleteDomainMember alert will also happen when local system maintenance activity takes place.

AuthAudit > DomainAuthAudit > ChangeDomainMember

A ChangeDomainMember alert occurs when an account or account container within a domain is modified. Usually, these changes are made by a user account with administrative privileges, but occasionally a ChangeDomainMember alert will also happen when local system maintenance activity takes place.

AuthAudit > DomainAuthAudit > ChangeDomainMember > DomainMemberAlias

DomainMemberAlias events happen when an account or account container within a domain has an alias created, deleted, or otherwise modified. This event is uncommon and is used to track links between domain members and other locations in the domain where the member may appear. The alias for a domain member has been changed.

AuthAudit > DomainAuthAudit > NewDomain

NewDomain events occur upon creation of a new trust relationship between domains, creation of a new subdomain, or creation of new account containers within a domain. Usually, these creations are done by a user account with administrative privileges.

AuthAudit > DomainAuthAudit > ChangeDomainAttribute

ChangeDomainAttribute events occur when a domain type is changed.
These events are uncommon and usually provided by the operating system. Usually, these changes are made by a user account with administrative privileges, but occasionally a ChangeDomainAttribute alert will also happen when local system maintenance activity takes place.

AuthAudit > DomainAuthAudit > DeleteDomain

DeleteDomain events occur upon removal of a trust relationship between domains, deletion of a subdomain, or deletion of account containers within a domain. Usually, these changes are made by a user account with administrative privileges.

AuthAudit > GroupAudit

GroupAudit events are authentication, authorization, and modification events related only to account groups. These alerts are normally operating system related, but could be produced by any network device.

AuthAudit > GroupAudit > ChangeGroupAttribute

ChangeGroupAttribute events occur when a group type is modified. Usually, these changes are made by a user account with administrative privileges, but occasionally a ChangeGroupAttribute alert will also happen when local system maintenance activity takes place.

AuthAudit > GroupAudit > DeleteGroup

DeleteGroup events occur upon deletion of a group of any type. Usually, these deletions are made by a user account with administrative privileges.

AuthAudit > GroupAudit > DeleteGroupMember

DeleteGroupMember events occur when an account or group has been removed from a group. Usually, these changes are made by a user account with administrative privileges, but occasionally a DeleteGroupMember alert will also happen when local system maintenance activity takes place.

AuthAudit > GroupAudit > NewGroup

NewGroup events occur upon creation of a new group of any type. Usually, these additions are made by a user account with administrative privileges.

AuthAudit > GroupAudit > NewGroupMember

NewGroupMember events occur when an account (or other group) has been added to a group.
Usually, these additions are made by a user account with administrative privileges, but occasionally a NewGroupMember alert will also happen when local system maintenance activity takes place. A new user, machine, or service account has been added to the group. AuthAudit > MachineAuthAudit MachineAuthAudit events are authentication, authorization, and modification events related only to computer or machine accounts. These alerts can be produced from any network node including firewalls, routers, servers, and clients, but are normally operating system related. AuthAudit > MachineAuthAudit > MachineAuthTicketFailure MachineAuthTicketFailure alerts reflect failed computer or machine account ticket events from network devices that use a ticket-based single-sign-on system (such as Kerberos or Windows domains). Each alert will reflect the point on the network where the computer or machine was attempting logon. In larger quantities, these alerts may reflect a potential issue with a computer or set of computers, but as individual events they are generally not a problem. AuthAudit > MachineAuthAudit > MachineAuthTicket MachineAuthTicket alerts reflect computer or machine account ticket events from network devices monitored by Contego that use a ticket-based single-sign-on system (such as Kerberos or Windows domains). Each alert will reflect the type of device the logon was intended for along with all other relevant fields. AuthAudit > MachineAuthAudit > MachineDisable 409 Audit Events MachineDisable events occur when a machine account is actively disabled and/or when an account is forcibly locked out by the operating system or other authentication connector. These events are usually operating system related and could reflect a potential issue with a computer or set of computers. AuthAudit > MachineAuthAudit > MachineEnable MachineEnable alerts reflect the action of enabling a computer or machine account. 
These events are normally OS-related and will trigger when a machine is 'enabled', normally by a user with administrative privileges. AuthAudit > MachineAuthAudit > MachineLogoff MachineLogoff alerts reflect computer or machine account logoff events from network devices (including network infrastructure devices, where appropriate). Each alert will reflect the type of device from which the user was logging off. These alerts are usually normal events but are tracked for consistency and auditing purposes. AuthAudit > MachineAuthAudit > MachineLogonFailure MachineLogonFailure alerts reflect failed computer or machine account logon events from network devices (including network infrastructure devices, when appropriate). Each alert will reflect the point on the network where the computer or machine was attempting logon. In larger quantities, these alerts may reflect a potential issue with a computer or set of computers, but as individual events they are generally not a problem. AuthAudit > MachineAuthAudit > MachineLogon MachineLogon events reflect computer or machine account logon events from network devices monitored by Contego (including network infrastructure devices, when appropriate). Each alert will reflect the type of device that the logon was intended for along with all other relevant fields. These events are normally operating system related. AuthAudit > MachineAuthAudit > MachineModifyAttribute MachineModifyAttribute events occur when a computer or machine type is changed. These events are uncommon and usually provided by the operating system. AuthAudit > MachineAuthAudit > MachineModifyPrivileges 410 Appendix B: Events MachineModifyPrivileges events are created when a computer or machine's privileges are elevated or demoted based on their logon or activities they are performing. These events are uncommon. AuthAudit > UserAuthAudit UserAuthAudit events are authentication, authorization, and modification events related only to user accounts. 
These alerts can be produced from any network node including firewalls, routers, servers, and clients. AuthAudit > UserAuthAudit > UserAuthTicketFailure UserAuthTicketFailure alerts reflect failed user account ticket events from network devices that use a ticket-based single-sign-on system (such as Kerberos or Windows domains). Each alert will reflect the point on the network where the user was attempting logon. In larger quantities, these alerts may reflect a potential issue with a user or set of users, but as individual events they are generally not a problem. AuthAudit > UserAuthAudit > UserAuthTicket UserAuthTicket alerts reflect user account ticket events from network devices monitored by Contego that use a ticket-based single-sign-on system (such as Kerberos or Windows domains). Each alert will reflect the type of device that the logon was intended for along with all other relevant fields. AuthAudit > UserAuthAudit > UserDisable UserDisable events occur when a user account is actively disabled and/or when a user is forcibly locked out by the operating system or other authentication connector. These events are usually operating system related and could reflect a potential issue with a user or set of users. AuthAudit > UserAuthAudit > UserEnable UserEnable alerts reflect the action of enabling a user account. These events are normally OS-related and will trigger both when an account is ''unlocked'' after lockout due to unsuccessful logons and 'enabled' in the traditional sense. AuthAudit > UserAuthAudit > UserLogoff UserLogoff alerts reflect account logoff events from network devices (including network infrastructure devices). Each alert will reflect the type of device from which the user was logging off. These alerts are usually normal events but are tracked for consistency and auditing purposes. 
AuthAudit > UserAuthAudit > UserLogon 411 Audit Events UserLogon alerts reflect user account logon events from network devices monitored by Contego (including network infrastructure devices). Each alert will reflect the type of device that the logon was intended for along with all other relevant fields. AuthAudit > UserAuthAudit > UserLogonFailure UserLogonFailure alerts reflect failed account logon events from network devices (including network infrastructure devices). Each alert will reflect the point on the network where the user was attempting logon. In larger quantities, these alerts may reflect a potential issue with a user or set of users, but as individual events they are generally not a problem. With SolarWinds policy, you can configure combinations of this event to escalate to FailedAuthentication in the Security tree, reflecting the increase in severity of the event over several occurrences. AuthAudit > UserAuthAudit > UserModifyAttribute UserModifyAttribute events occur when a user type is changed. These events are uncommon and usually provided by the operating system. AuthAudit > UserAuthAudit > UserModifyPrivileges UserModifyPrivileges events are created when a user's privileges are elevated or demoted based on their logon or activities they are performing. These events are uncommon. GeneralAudit GeneralAudit alerts are generated when a supported product outputs data that has not yet been normalized into a specific alert, but is known to be audit-related. MachineAudit MachineAudit alerts are used to track hardware or software status and modifications. These events are generally acceptable, but do indicate modifications to the client system that may be noteworthy. MachineAudit > SoftwareInstall SoftwareInstall alerts reflect modifications to the system at a software level, generally an OS level (or equivalent, in the case of a network infrastructure device). 
These alerts are generated when a user updates a system or launches system-native methods to install third party applications. MachineAudit > SoftwareInstall > SoftwareUpdate 412 Appendix B: Events SoftwareUpdate is a specific type of SoftwareInstall that reflects a more current version of software being installed to replace an older version. MachineAudit > SystemScan SystemScan alerts reflect information related to scheduled or on-demand scans of systems. These alerts are generally produced by Anti-Virus, Patch Management, and Vulnerability Assessment connectors, and indicate the start, finish, and information related to a scan. MachineAudit > SystemScanInfo SystemScanInfo is a specific type of SystemScan alert that reflects information related to a system scan. Most of these events can safely be ignored, as they are generally normal activity that does not reflect a failure or abnormal state. MachineAudit > SystemScanStart SystemScanStart is a specific type of SystemScan alert that indicates initiation of a system scan. MachineAudit > SystemScanStop SystemScanStop is a specific type of SystemScan alert that indicates completion of a system scan. This activity is generally normal, however, in the error or failure state a specific alert will be generated. MachineAudit > SystemScanWarning SystemScanWarning is a specific type of SystemScan alert that indicates a scan has returned a 'Warning' message indicating an issue. These alerts may indicate scan issues that should be corrected for future scans. MachineAudit > SystemStatus SystemStatus alerts reflect general system state events. These events are generally normal and informational, however, they could potentially reflect a failure or issue which should be addressed. MachineAudit > SystemStatus > SystemReboot SystemReboot is a specific type of SystemStatus alert that is used to audit system restarts. 
This alert will only be generated if the system restart was normal and not a result of a crash or other failure condition. MachineAudit > SystemStatus > SystemReboot > SystemShutdown SystemShutdown is a specific type of SystemStatus alert that is used to audit system shutdowns, including both expected and unexpected shutdowns. In the 413 Audit Events event the shutdown was unexpected, the event detail will note the information provided by the connector related to the abnormality. PolicyAudit PolicyAudit events are used to track access, modification, scope change, and creation of authentication, domain, account, and account container policies. Many of these alerts reflect normal system traffic. Most PolicyAudit alerts are provided by the Operating System. PolicyAudit > NewAuthPolicy NewAuthPolicy alerts occur when a new authorization or authentication package, process, or logon handler is applied to an item (usually an account or domain). In the operating system context, these events will often occur on boot as the system initializes the appropriate authentication policies for itself. PolicyAudit > PolicyAccess PolicyAccess alerts reflect all levels of access to policy, mostly targeting domain, account, access, and logon policy modifications. PolicyAudit > PolicyAccess > PolicyModify PolicyModify alerts reflect all types of modifications to contained policies, both at a local and domain/account container level. In the context of a network infrastructure device, this would be a modification to access control lists or other similar policies on the device. PolicyAudit > PolicyAccess > PolicyModify > DomainPolicyModify DomainPolicyModify alerts are a specific type of PolicyModify alerts that reflect changes to domain and account container level policies. These types of policies are generally related to the operating system. 
Usually these modifications are made by a user with administrative privileges, but occasionally these changes can also be triggered by the local system. PolicyAudit > PolicyAccess > PolicyScopeChange PolicyScopeChange alerts are a specific type of PolicyAccess alert that reflect a new scope or assignment of policy to users, groups, domains, interfaces, or other items. In the context of the operating system, these events are usually describing elevation of user privileges according to predefined policies. The process of this elevation is considered a scope change as the user is being brought under a new scope of privileges appropriate to the type of access they are requesting (and 414 Appendix B: Events being granted). These events may accompany or precede object or file opens, including other policies. PolicyAudit > PolicyAccess > GroupPolicyModify GroupPolicyModify alerts are specific PolicyAccess alerts used to describe modifications to account group policies. Usually these modifications are made by a user with administrative privileges, but occasionally these changes can also be triggered by the local system. ResourceAudit Members of the ResourceAudit tree are used to define different types of access to network resources. These resources may be network bandwidth/traffic, files, client processes or services, or other types of shared security-related 'commodities'. ResourceAudit > FileAudit FileAudit alerts are used to track file activity on monitored network devices, usually through the Operating System or a Host-Based IDS. These events will note success or failure of the requested operation. ResourceAudit > FileAudit > FileAuditFailure FileAuditFailure alerts are used to track failed file activity on monitored network devices, usually through the Operating System or a Host-Based IDS. These events will note what requested operation failed. 
ResourceAudit > FileAudit > FileRead FileRead is a specific FileAudit alert generated for the operation of reading files (including reading properties of a file or the status of a file). These alerts may be produced by any connector that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems. ResourceAudit > FileAudit > FileRead > FileExecute FileExecute is a specific FileRead alert generated for the operation of executing files. These alerts may be produced by any connector that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems. ResourceAudit > FileAudit > FileRead > FileDataRead FileDataRead is a specific FileRead alert generated for the operation of reading data from a file (not just properties or status of a file). These alerts may be produced by any connector that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems. ResourceAudit > FileAudit > FileWrite 415 Audit Events FileWrite is a specific FileAudit alert generated for the operation of writing to a file (including writing properties of a file or changing the status of a file). These alerts may be produced by any connector that is used to monitor the activity of file usage, including a Host-Based IDS and some operating systems. ResourceAudit > FileAudit > FileWrite > FileDataWrite FileDataWrite is a specific FileWrite alert generated for the operation of writing data to a file (not just properties or status of a file). These alerts may be produced by any connector that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems. ResourceAudit > FileAudit > FileWrite > FileCreate FileCreate is a specific FileWrite alert generated for the initial creation of a file. These alerts may be produced by any connector that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems. 
ResourceAudit > FileAudit > FileWrite > FileMove FileMove is a specific FileWrite alert generated for the operation of moving a file that already exists. These alerts may be produced by any connector that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems. ResourceAudit > FileAudit > FileWrite > FileDelete FileDelete is a specific FileWrite alert generated for the deletion of an existing file. These alerts may be produced by any connector that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems. ResourceAudit > FileAudit > FileWrite > FileAttributeChange FileAttributeChange is a specific FileWrite alert generated for the modification of file attributes (including properties such as read-only status). These alerts may be produced by any connector that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems. ResourceAudit > FileAudit > FileWrite > FileLink FileLink is a specific FileWrite alert generated for the creation, deletion, or modification of links to other files. These alerts may be produced by any connector that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems. ResourceAudit > FileHandleAudit 416 Appendix B: Events FileHandleAudit alerts are used to track file handle activity on monitored network devices, usually through low level access to the Operating System, either natively or with or a Host-Based IDS. These events will note success or failure of the requested operation. ResourceAudit > FileHandleAudit > FileHandleClose FileHandleClose is a specific FileHandleAudit alert generated for the closing of file handles. These alerts may be generated by a connector that has low-level file access, such as an Operating System or some Host-Based IDS'. 
ResourceAudit > FileHandleAudit > FileHandleCopy FileHandleCopy is a specific FileHandleAudit alert generated for the copying of file handles. These alerts may be generated by a connector that has low-level file access, such as an Operating System or some Host-Based IDS'. ResourceAudit > FileHandleAudit > FileHandleOpen FileHandleOpen is a specific FileHandleAudit alert generated for the opening of file handles. These alerts may be generated by a connector that has low-level file access, such as an Operating System or some Host-Based IDS'. ResourceAudit > FileSystemAudit FileSystemAudit alerts reflect hardware to filesystem mapping events and usage of filesystem resources. These events are generally normal system activity, especially during system boot. ResourceAudit > FileSystemAudit > MountFileSystem MountFileSystem alerts are a specific type of FileSystemAudit that reflect the action of creating an active translation between hardware to a usable filesystem. These events are generally normal during system boot. ResourceAudit > FileSystemAudit > UnmountFileSystem UnmountFileSystem alerts are a specific type of FileSystemAudit that reflect the action of removing a translation between hardware and a usable filesystem. These events are generally normal during system shutdown. ResourceAudit > NetworkAudit Members of the NetworkAudit tree are used to define events centered on usage of network resources/bandwidth. ResourceAudit > NetworkAudit > ConfigurationTrafficAudit 417 Audit Events ConfigurationTrafficAudit alerts reflect application-layer data related to configuration of network resources. Included in ConfigurationTrafficAudit are protocols such as DHCP, BootP, and SNMP. 
ConfigurationTrafficAudit alerts generally indicate normal traffic, however, alerts of this type could also be symptoms of misconfiguration, inappropriate usage, attempts to enumerate or access network devices or services, attempts to access devices that are configured via these services, or other abnormal traffic. ResourceAudit > NetworkAudit > CoreTrafficAudit CoreTrafficAudit alerts reflect network traffic sent over core protocols. Events that are children of CoreTrafficAudit are all related to the TCP, IP, UDP, and ICMP protocols. Events of this type and its children do not have any application-layer data. Events placed in the parent CoreTrafficAudit alert itself are known to be a core protocol, but are not able to be further categorized based on the message provided by the connector. ResourceAudit > NetworkAudit > CoreTrafficAudit > TCPTrafficAudit TCPTrafficAudit alerts are a specific subset of CoreTrafficAudit alerts where the protocol is known to be TCP. TCPTrafficAudit alerts may indicate normal traffic inside the network, normal traffic pass-through, denied traffic, or other non-application TCP traffic that is not known to have any immediate attack basis. ResourceAudit > NetworkAudit > CoreTrafficAudit > IPTrafficAudit IPTrafficAudit alerts are a specific subset of CoreTrafficAudit alerts where the protocol is known to be IP. IPTrafficAudit alerts generally indicate normal traffic, however, alerts of this type could also be symptoms of spoofs, routing issues, or other abnormal traffic. Generally, for the abnormal traffic that is appropriate to escalate, a Contego Policy has been defined to escalate this to an alert in the Security tree based on a threshold. ResourceAudit > NetworkAudit > CoreTrafficAudit > UDPTrafficAudit UDPTrafficAudit alerts are a specific subset of CoreTrafficAudit alerts where the protocol is known to be UDP. 
418 Appendix B: Events UDPTrafficAuditEvents may indicate normal traffic inside the network, normal traffic pass-through, denied traffic, or other non-application UDP traffic that is not known to have any immediate attack basis. ResourceAudit > NetworkAudit > CoreTrafficAudit > ICMPTrafficAudit ICMPTrafficAudit alerts are a specific subset of CoreTrafficAudit alerts where the protocol is known to be ICMP. ICMPTrafficAudit alerts generally indicate normal traffic, however, alerts of this type could also be symptoms of scans, floods, or other abnormal traffic. Generally, for the abnormal traffic that is appropriate to escalate, a Contego Policy has been defined to escalate this to an alert in the Security tree based on a threshold. ResourceAudit > NetworkAudit > CoreTrafficAudit > IPSecTrafficAudit IPSecTrafficAudit alerts are a specific subset of CoreTrafficAudit alerts where the traffic is known to be related to non-application layer IPSec events (such as key exchanges). IPSecTrafficAudit alerts generally indicate normal traffic, however, alerts of this type could also be symptoms of misconfigured IPSec peers, problems with IPSec communication, or other abnormal traffic. ResourceAudit > NetworkAudit > LinkControlTrafficAudit LinkControlTrafficAudit alerts are generated for network events related to link level configuration. LinkControlTrafficAudit alerts generally indicate normal traffic, however, alerts of this type could also be symptoms of misconfiguration at the link level, inappropriate usage, or other abnormal traffic. ResourceAudit > NetworkAudit > RoutingTrafficAudit RoutingTrafficAudit alerts are generated for network events related to configuration of network routes, using protocols such as IGMP, IGRP, and RIP. RoutingTrafficAudit alerts generally indicate normal traffic, however, alerts of this type could also be symptoms of misconfigured routing, unintended route configuration, or other abnormal traffic. 
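The threshold escalation described above for UserLogonFailure (to FailedAuthentication in the Security tree) and for IPTrafficAudit and ICMPTrafficAudit follows one pattern: match events by their position in the event tree, count matches per key inside a time window, and raise a Security-tree alert once the count crosses a threshold. The Python below is an added example, not SolarWinds or LEM code; the Event fields, the 5-in-60-seconds policy, the "Security > FailedAuthentication" path and every sample event are constructed assumptions.

```python
# Added example (not SolarWinds/LEM code): prefix matching against LEM-style
# event tree paths plus sliding-window threshold escalation, as the guide
# describes for UserLogonFailure -> FailedAuthentication. The Event fields,
# policy values, Security-tree path and sample events are all assumed here.
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    path: str      # tree position, e.g. "AuthAudit > UserAuthAudit > UserLogonFailure"
    time: float    # seconds since an arbitrary epoch
    node: str      # network node the connector reported the event from
    account: str   # account named in the event ("" when not applicable)


def path_parts(path: str) -> Tuple[str, ...]:
    """Split 'A > B > C' into ('A', 'B', 'C'), ignoring surrounding whitespace."""
    return tuple(p.strip() for p in path.split(">") if p.strip())


def is_under(event_path: str, tree_path: str) -> bool:
    """True when event_path is tree_path itself or any descendant of it.

    This is what lets a rule written against AuthAudit > UserAuthAudit fire on
    every UserAuthAudit child while ignoring MachineAuthAudit events.
    """
    ev, tree = path_parts(event_path), path_parts(tree_path)
    return ev[:len(tree)] == tree


class ThresholdEscalator:
    """Counts matching events per key inside a sliding window; when the count
    reaches the threshold, emits one escalated event and resets that key."""

    def __init__(self, match_path: str, threshold: int, window_s: float,
                 escalate_to: str, key: Callable[[Event], str]):
        self.match_path = match_path
        self.threshold = threshold
        self.window_s = window_s
        self.escalate_to = escalate_to
        self.key = key
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def feed(self, event: Event) -> Optional[Event]:
        if not is_under(event.path, self.match_path):
            return None
        hits = self._hits[self.key(event)]
        hits.append(event.time)
        # Drop occurrences older than the window before counting.
        while hits and event.time - hits[0] > self.window_s:
            hits.popleft()
        if len(hits) >= self.threshold:
            hits.clear()  # one escalation per burst, not one per extra failure
            return Event(self.escalate_to, event.time, event.node, event.account)
        return None


def escalate_all(events: List[Event], escalator: ThresholdEscalator) -> List[Event]:
    """Run every event through the escalator in time order; return escalations only."""
    out: List[Event] = []
    for ev in sorted(events, key=lambda e: e.time):
        esc = escalator.feed(ev)
        if esc is not None:
            out.append(esc)
    return out


# Constructed sample stream: a burst of failures for one account, two scattered
# failures for another, and unrelated events that must not be counted.
SAMPLE_EVENTS = [
    Event("AuthAudit > UserAuthAudit > UserLogonFailure", 10.0, "dc01", "svc_backup"),
    Event("AuthAudit > UserAuthAudit > UserLogonFailure", 12.0, "dc01", "svc_backup"),
    Event("AuthAudit > UserAuthAudit > UserLogon", 13.0, "dc01", "alice"),
    Event("AuthAudit > MachineAuthAudit > MachineLogonFailure", 14.0, "dc01", "ws17$"),
    Event("AuthAudit > UserAuthAudit > UserLogonFailure", 15.0, "dc02", "svc_backup"),
    Event("AuthAudit > UserAuthAudit > UserLogonFailure", 20.0, "dc01", "alice"),
    Event("AuthAudit > UserAuthAudit > UserLogonFailure", 18.0, "dc01", "svc_backup"),
    Event("AuthAudit > UserAuthAudit > UserLogonFailure", 25.0, "dc02", "svc_backup"),
    Event("AuthAudit > UserAuthAudit > UserLogonFailure", 400.0, "dc01", "alice"),
]


def run_demo() -> List[Event]:
    # Hypothetical policy: 5 UserLogonFailure events for the same account within
    # 60 seconds escalate to FailedAuthentication (Security-tree path assumed).
    policy = ThresholdEscalator(
        match_path="AuthAudit > UserAuthAudit > UserLogonFailure",
        threshold=5, window_s=60.0,
        escalate_to="Security > FailedAuthentication",
        key=lambda e: e.account.lower(),
    )
    return escalate_all(SAMPLE_EVENTS, policy)


if __name__ == "__main__":
    for esc in run_demo():
        print(f"{esc.time:>6.1f}  {esc.path}  account={esc.account} node={esc.node}")
```

Keying the same escalator by node instead of account, with an ICMPTrafficAudit match path, gives the threshold escalation the guide mentions for ICMP traffic.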
ResourceAudit > NetworkAudit > RoutingTrafficAudit > RIPTrafficAudit RIPTrafficAudit alerts are a specific subset of RoutingTrafficAudit alerts where the protocol is known to be RIP. 419 Audit Events RoutingTrafficAudit alerts generally indicate normal traffic, however, alerts of this type could also be symptoms of misconfigured routing, unintended route configuration, or other abnormal traffic. ResourceAudit > NetworkAudit > NamingTrafficAudit NamingTrafficAudit alerts are generated for network events related to the naming of network resources and nodes, using protocols such as WINS and DNS. NamingTrafficAudit alerts generally indicate normal traffic, however, alerts of this type could also be symptoms of inappropriate DNS authority attempts, misconfiguration of naming services, and other abnormal traffic. In several cases, for traffic that is appropriate to escalate, a Contego Policy has been defined to escalate this to an alert in the Security tree based on a threshold. ResourceAudit > NetworkAudit > FileSystemTrafficAudit FileSystemTrafficAudit alerts are generated for network events related to requests for remote filesystems, using protocols such as SMB and NFS. FileSystemTrafficAudit alerts generally indicate normal traffic for networks that have remote filesystem resources such as SMB and NFS shares; however, alerts of this type could also be symptoms of attempts to enumerate shares or services, misconfiguration of such resources, or other abnormal traffic. For networks that do not have remote filesystem resources, these alerts will generally indicate abnormal traffic. ResourceAudit > NetworkAudit > ApplicationTrafficAudit ApplicationTrafficAudit alerts reflect network traffic that is mostly or all applicationlayer data. Events that are children of ApplicationTrafficAudit are also related to application-layer resources. 
Events placed in the parent ApplicationTrafficAudit alert itself are known to be application-related, but are not able to be further categorized based on the message provided by the connector or because they are uncommon and rarely, if ever, imply network attack potential. ResourceAudit > NetworkAudit > ApplicationTrafficAudit > EncryptedTraffic EncryptedTraffic alerts reflect application-layer traffic that has been encrypted and is intended for a secure host. Included in EncryptedTraffic alerts are client and server side application events, such as key exchanges, that normally occur after the low-level session creation and handshaking have completed. 420 Appendix B: Events ResourceAudit > NetworkAudit > ApplicationTrafficAudit > EncryptedTraffic > EncryptedTrafficError EncryptedTrafficError alerts are a specific subnet of EncryptedTraffic alerts that reflect problems while exchanging keys or data. ResourceAudit > NetworkAudit > ApplicationTrafficAudit > MailTrafficAudit MailTrafficAudit alerts reflect application-layer data related to mail services. Included in MailTrafficAudit are client and server mail events from protocols such as IMAP, POP3, and SMTP. MailTrafficAudit alerts generally indicate normal traffic, however, alerts of this type could also be symptoms of excessive mail usage, unintended mail traffic, abnormal command exchanges to a server, or generally abnormal traffic. ResourceAudit > NetworkAudit > ApplicationTrafficAudit > WebTrafficAudit WebTrafficAudit alerts reflect application-layer data related to web services. Included in WebTrafficAudit are client and server web events from web servers, web applications, content filter related events, and other web services. WebTrafficAudit alerts generally indicate normal traffic, however, alerts of this type could also be symptoms of inappropriate web usage, potential abuse of web services, or other abnormal traffic. 
ResourceAudit > NetworkAudit > ApplicationTrafficAudit > TimeTrafficAudit TimeTrafficAudit alerts reflect application-layer data related to network time configuration. Included in TimeTrafficAudit are protocols such as NTP and activities, such as detection of client-side network time updates. TimeTrafficAudit alerts generally indicate normal traffic, however, alerts of this type could also be symptoms of misconfiguration, inappropriate usage, or other abnormal traffic. ResourceAudit > NetworkAudit > ApplicationTrafficAudit > TimeTrafficAudit > NTPTrafficAudit NTPTrafficAudit alerts are a specific type of TimeTrafficAudit related to the Network Time Protocol. ResourceAudit > NetworkAudit > ApplicationTrafficAudit > FileTransferTrafficAudit 421 Audit Events FileTransferTrafficAudit alerts reflect application-layer data related to file retrieval and send to/from remote hosts. Included in FileTransferTrafficAudit are protocols such as TFTP and FTP. FileTransferTrafficAudit alerts generally indicate normal traffic, however, alerts of this type could also be symptoms of misconfiguration, inappropriate usage, attempts to enumerate or access file transfer services, attempts to access devices that require file transfer services for configuration, or other abnormal traffic. ResourceAudit > NetworkAudit > PointToPointTrafficAudit PointToPointTrafficAudit alerts reflect application-layer data related to point-topoint connections between hosts. Included in PointToPointTrafficAudit are encrypted and unencrypted point-to-point traffic. ResourceAudit > NetworkAudit > PointToPointTrafficAudit > PPTPTrafficAudit PPTPTrafficAudit alerts are a specific type of PointToPointTrafficAudit alerts that reflect application-layer encrypted Peer-to-Peer Tunneling Protocol activities. Included in PPTPTrafficAudit alerts are tunnel creation, tunnel deletion, session creation, and session deletion, among other PPTP-related events. 
PPTPTrafficAudit alerts generally indicate normal traffic for networks that have PPTP-accessible devices on the network; however, alerts of this type could also be symptoms of inappropriate access, misconfiguration of the PPTP server or clients, other communications errors, or other abnormal traffic. For networks that do not have remote filesystem resources, these alerts will generally indicate abnormal traffic.

ResourceAudit > NetworkAudit > RemoteProcedureTrafficAudit
RemoteProcedureTrafficAudit alerts reflect application-layer data related to remote procedure services. Included in RemoteProcedureTrafficAudit are the traditional RPC services used to service remote logons and file shares, and other services which require remote procedure access to complete authentication, pass data, or otherwise communicate. RemoteProcedureTrafficAudit alerts generally indicate normal traffic for networks that have remote procedure services on their network; however, alerts of this type could also be symptoms of inappropriate access, misconfiguration of the remote procedure services, errors in the remote procedure calls, or other abnormal traffic.

422 Appendix B: Events

ResourceAudit > NetworkAudit > RemoteProcedureTrafficAudit > RPCTrafficAudit
RPCTrafficAudit is a specific subset of RemoteProcedureTrafficAudit related to traditional RPC services, including portmapper.

ResourceAudit > NetworkConnectionAudit
NetworkConnectionAudit alerts are generated when a connection is initiated on a network client.

ResourceAudit > NetworkConnectionAudit > LANConnection
LANConnection is a specific type of NetworkConnectionAudit that reflects a successful connection on a physical network interface such as an Ethernet card.

ResourceAudit > NetworkConnectionAudit > VPNConnection
VPNConnection is a specific type of NetworkConnectionAudit that reflects a successful connection to a remote VPN.

ResourceAudit > NetworkConnectionAudit > DialupConnection
DialupConnection is a specific type of NetworkConnectionAudit that reflects a successful connection through a traditional modem.

ResourceAudit > ObjectAudit
ObjectAudit alerts are used to track special object activity on monitored network devices, usually through the Operating System or a Host-Based IDS. Generally, Objects are special types of system resources, such as registry items or user account databases. These objects may be actual 'files' on the system, but are not necessarily human readable. These events will note success or failure of the requested operation.

ResourceAudit > ObjectAudit > ObjectAuditFailure
ObjectAuditFailure alerts are used to track special object activity on monitored network devices, usually through the Operating System or a Host-Based IDS. Generally, Objects are special types of system resources, such as registry items or user account databases. These objects may be actual 'files' on the system, but are not necessarily human readable. These events will note a failure of the requested operation.

ResourceAudit > ObjectAudit > ObjectDelete
ObjectDelete is a specific ObjectAudit alert generated for the deletion of an existing object. These alerts may be produced by any connector that is used to monitor the activity of file and object usage, including a Host-Based IDS and some Operating Systems.

ResourceAudit > ObjectAudit > ObjectLink
ObjectLink is a specific ObjectAudit alert generated for the creation, deletion, or modification of links to other objects. These alerts may be produced by any connector that is used to monitor the activity of file and object usage, including a Host-Based IDS and some Operating Systems.

ResourceAudit > ProcessAudit
ProcessAudit alerts are generated to track launch, exit, status, and other events related to system processes. Usually, these events reflect normal system activity. Process-related activity that may indicate a failure will be noted separately from normal activity in the alert detail.

ResourceAudit > ProcessAudit > ProcessStop
ProcessStop is a specific type of ProcessAudit alert that indicates a process has exited. Usually, ProcessStop reflects normal application exit; however, in the event of an unexpected error the abnormal state will be noted.

ResourceAudit > ProcessAudit > ProcessStart
ProcessStart is a specific type of ProcessAudit alert that indicates a new process has been launched. Usually, ProcessStart reflects normal system activity.

ResourceAudit > ProcessAudit > ProcessWarning
ProcessWarning is a specific type of ProcessAudit alert that indicates a process has returned a 'Warning' message that is not a fatal error and may not have triggered an exit of the process.

ResourceAudit > ProcessAudit > ProcessInfo
ProcessInfo is a specific type of ProcessAudit alert that reflects information related to a process. Most of these events can safely be ignored, as they are generally normal activity that does not reflect a failure or abnormal state.

ResourceAudit > ServiceAudit
ServiceAudit alerts are generated to track information and other events related to system components. Usually, these events reflect normal system activity. System service-related activity that may indicate a failure will be noted separately from normal activity in the alert detail.

ResourceAudit > ServiceAudit > ServiceInfo
ServiceInfo is a specific type of ServiceAudit alert that reflects information related to a service. Most of these events can safely be ignored, as they are generally normal activity that does not reflect a failure or abnormal state.

ResourceAudit > ServiceAudit > ServiceStart
ServiceStart events are a specific type of ServiceAudit alert that indicates a new system service is starting.
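The "Parent > Child" paths above describe a tree, and a filter or rule on a parent node (for example ProcessAudit) is meant to match every event type beneath it. The following added example, which is not part of this guide or of the LEM product, parses a constructed subset of those path strings into a parent map and uses it to decide whether a given event type falls inside a chosen subtree. The path strings, the event records and the field names (EventType, DetectionIP, Detail) are constructed for the example.

```python
"""Parse Appendix B style event tree paths and match events against a subtree.

Added example, not SolarWinds code. The path strings below are a constructed
subset of the Audit Events tree written in the "Parent > Child" notation used
throughout the appendix; the event records are likewise constructed.
"""
from __future__ import annotations

# Constructed subset of the event tree (the notation mirrors the appendix).
EVENT_PATHS = [
    "ResourceAudit > NetworkConnectionAudit > LANConnection",
    "ResourceAudit > NetworkConnectionAudit > VPNConnection",
    "ResourceAudit > ObjectAudit > ObjectAuditFailure",
    "ResourceAudit > ObjectAudit > ObjectDelete",
    "ResourceAudit > ProcessAudit > ProcessStart",
    "ResourceAudit > ProcessAudit > ProcessStop",
    "ResourceAudit > ServiceAudit > ServiceStart",
    "ResourceAudit > ServiceAudit > ServiceStop",
]

# Constructed event records; only the EventType field matters here.
SAMPLE_EVENTS = [
    {"EventType": "ProcessStart", "DetectionIP": "10.0.0.5", "Detail": "cmd.exe"},
    {"EventType": "ServiceStop", "DetectionIP": "10.0.0.5", "Detail": "Spooler"},
    {"EventType": "ObjectDelete", "DetectionIP": "10.0.0.7", "Detail": "HKLM\\Software\\Example\\Run"},
    {"EventType": "ProcessStop", "DetectionIP": "10.0.0.5", "Detail": "cmd.exe"},
]


def build_parent_map(paths: list[str]) -> dict[str, str | None]:
    """Return {event_type: parent_type}; root types map to None.

    Every path is validated so that a typo in the taxonomy surfaces at load
    time instead of silently creating an orphan node no filter will match.
    """
    parent = {}
    for path in paths:
        names = [n.strip() for n in path.split(">")]
        if any(not n for n in names):
            raise ValueError(f"malformed path: {path!r}")
        parent.setdefault(names[0], None)
        for i in range(1, len(names)):
            child, par = names[i], names[i - 1]
            existing = parent.get(child)
            if existing is not None and existing != par:
                raise ValueError(f"{child} listed under both {existing} and {par}")
            parent[child] = par
    return parent


def ancestors(parent: dict[str, str | None], event_type: str) -> list[str]:
    """Ancestors of event_type from its nearest parent up to the root."""
    chain = []
    node = parent[event_type]  # KeyError for an unknown type is deliberate
    while node is not None:
        chain.append(node)
        node = parent[node]
    return chain


def is_under(parent: dict[str, str | None], event_type: str, subtree_root: str) -> bool:
    """True when event_type is subtree_root itself or one of its descendants."""
    return event_type == subtree_root or subtree_root in ancestors(parent, event_type)


def subtree_types(parent: dict[str, str | None], subtree_root: str) -> list[str]:
    """All event types a filter on subtree_root would match, sorted by name."""
    return sorted(t for t in parent if is_under(parent, t, subtree_root))


def filter_events(parent: dict[str, str | None], events: list[dict], subtree_root: str) -> list[dict]:
    """Keep the events whose EventType falls inside the chosen subtree."""
    return [e for e in events if is_under(parent, e["EventType"], subtree_root)]


PARENT = build_parent_map(EVENT_PATHS)

if __name__ == "__main__":
    for e in filter_events(PARENT, SAMPLE_EVENTS, "ProcessAudit"):
        print(e["EventType"], e["DetectionIP"], e["Detail"])
```

Filtering on a parent node rather than listing leaf types by hand is what keeps a filter correct when a connector starts producing a sibling type (for example ProcessWarning next to ProcessStart) that the filter author never enumerated.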
ResourceAudit > ServiceAudit > ServiceStop
ServiceStop events are a specific type of ServiceAudit alert that indicates a system service is stopping. This activity is generally normal; however, in the event of an unexpected stop the abnormal state will be noted.

ResourceAudit > ServiceAudit > ServiceWarning
ServiceWarning is a specific type of ServiceAudit alert that indicates a service has returned a 'Warning' message that is not a fatal error and may not have triggered an exit of the service.

Incident Events

Incident Events reflect global enterprise-wide issues that should be raised for system-wide visibility. These alerts generally reflect serious issues that should be monitored and addressed. They are sub-categorized into different types of Incident Events that can provide more detailed information. Because Incident Events are created by Rules, any combination of malicious or suspicious traffic from any other single alert or combination of alerts can create an Incident Event. Each Incident alert is described below. For your convenience, they are listed alphabetically.

HostIncident
HostIncident alerts reflect global enterprise-wide host system issues that should be raised for system-wide visibility. These alerts are used to indicate issues on hosts that should be tracked and addressed, including security and administrative issues that apply specifically to host-based information.

HybridIncident
HybridIncident alerts reflect global enterprise-wide combined network and host system issues that should be raised for system-wide visibility. These alerts are used to indicate the combination of network and host-based issues that should be tracked and addressed, including security and administrative issues that span both network and host-based information.

NetworkIncident
NetworkIncident alerts reflect global enterprise-wide network system issues that should be raised for system-wide visibility. These alerts are used to indicate network-based issues that should be tracked and addressed, including security and administrative issues that apply specifically to network-based information.

Internal Events

Events that are a part of the InternalEvent node are related to the operation of the LEM system. Any events generated by the system relating to Active Response, Internal users, or Internal errors will appear under one of the many children. These alerts are for informational purposes and do not necessarily reflect conditions that should cause alarm. Events that may reflect potential issues within the system are specifically marked for forwarding to SolarWinds. Each Internal Event is described below. For your convenience, they are listed alphabetically.

InternalAudit
InternalAudit alerts reflect attempted accesses and changes to components of the LEM system by existing SolarWinds users. Both successful and failed attempts will generate alerts in this part of the tree.

InternalAudit > InternalAuditFailure
InternalAuditFailure is a specific type of InternalAudit alert that indicates failed audit information. These alerts are generated when a user fails to view or modify (including creation, update, and deletion) anything within the SolarWinds system. The alert will include the user, type of access, and item being accessed. InternalAuditFailure events are uncommon and can indicate an attempted privilege escalation within the LEM system by unprivileged users.

InternalAudit > InternalAuditSuccess
InternalAuditSuccess is a specific type of InternalAudit alert that indicates successful audit information. These alerts are generated when a user successfully views or modifies (including creation, update, and deletion) anything within the LEM system. The alert will include the user, type of access, and item being accessed.

InternalCommands
InternalCommands alerts are only used internally with few exceptions. These alerts are used for sending Commands through the system to complete active responses.

InternalCommands > InternalAgentToolCommand
InternalAgentToolCommand alerts are internal only. They are fired between Managers and Agents to manage connector settings.

InternalCommands > InternalAgentFastPack
InternalAgentFastPack alerts are internal only. They are fired between Managers and Agents to configure updated connector signatures.

InternalFailure
Events that are a part of the InternalFailure tree reflect potential issues within the system. These alerts could reflect configuration issues, issues that cannot be resolved without contacting SolarWinds, and potential serious issues which also merit contacting SolarWinds.

InternalFailure > InternalError
InternalError alerts reflect configuration or install issues that should be reported to SolarWinds. These are generally internal errors related to connectors that may be producing unexpected log entries or conditions that were not expected. These issues generally cannot be solved without contacting SolarWinds; however, they should not be fatal errors.

InternalFailure > InternalException
InternalException alerts reflect more serious problems within the system. These problems generally lie within the product implementation and may require a software update to eliminate. These alerts and their surrounding conditions should be reported to SolarWinds.

InternalFailure > InternalWarning
InternalWarning alerts are generally problems which can be solved by the user. Usually, these alerts are configuration related and may assist in debugging the underlying issue. InternalWarning alerts do not reflect internal problems within the system and thus should not be immediately reported to SolarWinds; however, they may assist with solving a technical support issue should the need arise.

InternalGeneralEvent
InternalGeneralEvent events are uncommon events used to track Internal information that has not yet been placed into a more specific InternalEvent. Events of the InternalFailure family providing more information will be generated in addition to this event if the event is serious.

InternalInfo
Events within the InternalInfo family are related to events that are happening within the system. Generally, these informational alerts are confirming or reporting normal activity such as user updates, user logons, policy updates, and Agent connection-related events.

InternalInfo > InternalAgentOffline
InternalAgentOffline alerts reflect detection of disconnection of an Agent from its Manager. These alerts will happen when the Manager has detected that the Agent closed the connection, whether that be due to network downtime of the Agent or due to a shutdown of the Agent service.

InternalInfo > InternalAgentOnline
InternalAgentOnline alerts reflect successful connection of Agents to their respective Managers. These alerts will happen when an Agent initiates successful communication with the Manager, whether that be due to network downtime of the Manager or Agent or due to an update of the Agent in question.

InternalInfo > InternalDuplicateConnection
InternalDuplicateConnection alerts occur when an Agent has attempted to connect to its given Manager more than once. Usually these alerts are triggered by network issues on the Agent end, due to a possible asynchronous disconnection detection (for example, the Manager was not able to detect the Agent went offline, but the Agent service was restarted). Usually this issue can be resolved by stopping the Agent service, waiting for the InternalAgentOffline alert, and then restarting the Agent service.

InternalInfo > InternalInvalidConnection
InternalInvalidConnection alerts occur when an Agent that the Manager recognizes, but cannot communicate with, attempts to connect. These alerts usually reflect Agents that are missing an update that has already been applied to the Manager. Please ensure that the indicated Agent has been upgraded to the same release version of the system that is installed on your Manager. If this alert persists, uninstall and reinstall the Agent triggering the alert. This will force the Agent to reinitialize its connection to the Manager.

InternalInfo > InternalInvalidInstallation
InternalInvalidInstallation alerts occur in the unlikely case that the Manager can communicate with the Agent but there are errors detected in the Manager-to-Agent relationship. These alerts are very uncommon, but may be triggered during an upgrade process. Please ensure that the indicated Agent has been upgraded to the same release version of the system that is installed on your Manager. If this alert persists, uninstall and reinstall the Agent triggering the alert. This will force the Agent to reinitialize its connection to the Manager.

InternalInfo > InternalLicenseMaximum
InternalLicenseMaximum alerts reflect an attempt to add more Agents to a Manager than that Manager is licensed for. The number of Agents that can be added is a hard limit that the Manager stores, and this limit is also enforced by the Console. If more licenses are needed, this issue can be resolved by contacting SolarWinds Sales for an update.

InternalInfo > InternalNewToolData
InternalNewToolData alerts generally reflect issues related to connectors with unexpected log entries or other conditions that were not expected. These issues generally cannot be solved without contacting SolarWinds; however, they are not fatal.

InternalInfo > InternalPolicyConfiguration
InternalPolicyConfiguration alerts reflect successful or unsuccessful attempts to update Policy on a given Manager. These alerts are generated after Policy has been successfully installed to the Manager or after an error has been detected. Generally, an error in updating Policy will also produce an alert from the InternalFailure family, providing more information.

InternalInfo > InternalToolOffline
InternalToolOffline alerts reflect the successful stop of an Internal Tool. These alerts are generated after a connector has stopped the log file reader that was created when the connector was brought online. Generally, an error in an attempt to stop a connector will produce an alert from the InternalFailure family providing more information.

InternalInfo > InternalToolOnline
InternalToolOnline alerts reflect the successful startup of an Internal Tool. These alerts are generated after a connector has successfully created a log file reader and has begun the reading process. Generally, an error in an attempt to start a connector will produce an alert from the InternalFailure family providing more information.

InternalInfo > InternalUnknownAgent
InternalUnknownAgent alerts occur when an Agent that the Manager does not recognize has attempted to connect. Commonly, this alert is caused by removing the Agent from the Console before removing the Agent service on the client. These alerts may also be triggered during an upgrade process; in that case, they may reflect Agents that have not yet been brought up to date. Usually this issue can be resolved by uninstalling and reinstalling the Agent triggering the alert. This will force the Agent to re-initialize its connection to the Manager.

InternalInfo > InternalUnsupportedAgent
InternalUnsupportedAgent alerts are generated when a valid Agent connects and has not been upgraded to the same release version as the Manager. The Agent in question failed to properly negotiate its connection or respond to a query and has been assumed to be missing a feature required of it. Please ensure that the indicated Agent has been upgraded to the same release version of SolarWinds that is installed on your Manager. If this alert persists, uninstall and reinstall the Agent triggering the alert; this will force the Agent to re-initialize its connection to the Manager.

InternalInfo > InternalUserLogoff
InternalUserLogoff alerts are generated when a user logs off or is disconnected from the Console.

InternalInfo > InternalUserLogon
InternalUserLogon alerts are generated when a user successfully completes the logon process to a Manager via the Console. Failed logon attempts are produced in a separate alert, InternalUserLogonFailure.

InternalInfo > InternalUserLogonFailure
InternalUserLogonFailure alerts are generated when a user has completed initialization of a connection to the Console, but enters an incorrect user name and/or password.

InternalInfo > InternalUserUpdate
InternalUserUpdate alerts are generated when a user is modified and the update has successfully been sent to the Manager, or when the update has failed to apply. These updates include change or addition of an email address, change or addition of a pager, and change or addition of blocked alerts from selected Agents. Generally, an error in updating a user will also produce an alert from the InternalFailure family.

InternalPolicy
InternalPolicy alerts reflect information related to correlation rules. These alerts are used to indicate that a rule has been triggered, either in test mode or in normal operating conditions.

InternalPolicy > InternalTestRule
InternalTestRule alerts reflect rule activity where a correlation rule has triggered and is set in “Test” mode. It indicates the trigger of the rule and includes an enumeration of what actions would take place, if any, if the rule were fully enabled. To remove a rule from Test mode, clear the “Test” checkbox for the Rule in the Rule Builder.

InternalPolicy > InternalRuleFired
InternalRuleFired alerts reflect rule activity, specifically where a correlation rule has triggered.
It indicates the trigger of the rule and includes an enumeration of what actions were triggered in response to the correlation.

Security Events

Events that are a part of the SecurityEvent node are generally related to network activity that is consistent with an internal or external attack, a misuse or abuse of resources, a resource compromise, resource probing, or other abnormal traffic that is noteworthy. Security Events indicate aggressive behavior that may lead to an attack or resource compromise, or suspicious behavior that may indicate unauthorized information gathering. LEM infers some Security Events from what is normally considered audit traffic, but it escalates the events to alert status based on thresholds that are defined by Rules. Each Security Event is described below. For your convenience, they are listed alphabetically.

AttackBehavior
Events that are children of AttackBehavior are generally related to network activity that may be consistent with an attack, misuse or abuse of resources, a resource compromise, or other abnormal behavior that should be considered indicative of a serious security event.

AttackBehavior > InferredAttack
InferredAttack alerts are reserved AttackBehavior alerts used for describing attacks that are a composite of different types of alerts. These events will be defined and inferred by Contego Policy.

AttackBehavior > ResourceAttack
Members of the ResourceAttack tree are used to define different types of malicious or abusive access to network resources, where these resources may be network bandwidth/traffic, files, client processes or services, or other types of shared security-related 'commodities'.

AttackBehavior > ResourceAttack > NetworkAttack
Members of the NetworkAttack tree are used to define events centered on malicious or abusive usage of network bandwidth/traffic. These events include access to network resources, relaying attacks via network resources, or denial of service behavior on network resources.

AttackBehavior > ResourceAttack > NetworkAttack > Access
Children of the Access tree define events centered on malicious or abusive usage of network bandwidth/traffic where the intention, or the result, is inappropriate or abusive access to network resources.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
ApplicationAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is mostly or all application-layer. Generally, ApplicationAccess alerts will reflect attempted exploitation of weaknesses in server or client software, or information that is restricted/prohibited by device access control or policy. These alerts are generally provided by network-based intrusion detection systems; in some cases, network infrastructure devices such as firewalls or proxy servers may also provide them. Events placed in the parent ApplicationAccess alert itself are known to be application-related, but not able to be further categorized based on the message provided by the connector or because they are uncommon.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > DataBaseAccess
DataBaseAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer database traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in database server or client software. These alerts are generally provided by network-based intrusion detection systems, the database server, or the client software itself. Appropriate response to these alerts may entail better access control of database servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to database servers and/or clients, or the possible removal of the database service or client application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > FileTransferAccess
FileTransferAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer file transfer traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in file transfer server or client software. These alerts are generally provided by network-based intrusion detection systems, the file transfer server, or the client software itself. Appropriate response to these alerts may entail better access control of file transfer servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to file transfer servers and/or clients, or the possible removal of the file transfer service or client application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > FileTransferAccess > FTPFileAccess
FTPFileAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to filesystems of resources via application-layer file transfer traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in file transfer server or client software with the intent of information gathering or low-level filesystem access of the server or client. These alerts are generally provided by network-based intrusion detection systems, the file transfer server, or the client software itself. Appropriate response to these alerts may entail better access control of file transfer servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to file transfer servers and/or clients, or the possible removal of the file transfer service or client application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > FileTransferAccess > FTPInvalidFormatAccess
FTPInvalidFormatAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer file transfer traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in file transfer server or client software with the intent of information gathering or low-level access to the server or client. These attacks are always abnormal traffic that the file transfer server or client is not prepared to respond to; attacks such as buffer overflows may also result in the server or client software or system being halted. These alerts are generally provided by network-based intrusion detection systems, the file transfer server, or the client software itself. Appropriate response to these alerts may entail better access control of file transfer servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to file transfer servers and/or clients, or the possible removal of the file transfer service or client application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > FileTransferAccess > FTPCommandAccess
FTPCommandAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer file transfer traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in file transfer server software with the intent of information gathering or low-level access to the server or client. These attacks are always abnormal command traffic that the file transfer server is not prepared to respond to, but may provide access to (e.g. debug or legacy commands). These alerts are generally provided by network-based intrusion detection systems, the file transfer server, or the client software itself. Appropriate response to these alerts may entail better access control of file transfer servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to file transfer servers and/or clients, restriction of allowed commands, or the possible removal of the file transfer service or client application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > MailAccess
MailAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer mail transfer, retrieval, or service traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in mail-related server or client software. These alerts are generally provided by network-based intrusion detection systems or the mail server, service, or client software itself. Appropriate response to these alerts may entail better access control of mail servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to mail servers and/or clients, or possible removal of the mail server, service, or client application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > MailAccess > MailTransferAccess
MailTransferAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer mail transfer traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in SMTP server software. These alerts are generally provided by network-based intrusion detection systems, or the SMTP server software itself. Appropriate response to these alerts may entail better access control of the SMTP server (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting, especially for SMTP servers that relay mail for external/remote entities), applying updates or patches to SMTP servers, or the possible removal of the SMTP server related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > MailAccess > MailTransferAccess > SMTPInvalidFormatAccess
SMTPInvalidFormatAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer mail transfer traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in SMTP server software with the intent of information gathering or low-level access to the server. These attacks are always abnormal traffic that the SMTP server is not prepared to respond to; attacks such as buffer overflows may also result in the server software or system being halted. These alerts are generally provided by network-based intrusion detection systems, or the SMTP server software itself. Appropriate response to these alerts may entail better access control of the SMTP server (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting, especially for SMTP servers that relay mail for external/remote entities), applying updates or patches to SMTP servers, or the possible removal of the SMTP server related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > MailAccess > MailTransferAccess > SMTPInvalidFormatAccess > SmailAccess
SmailAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer mail transfer traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in SMTP server software with the intent of information gathering or low-level access to the server. These attacks are always abnormal traffic that the SMTP server is not prepared to respond to; they may also result in the server software or system being halted. The smail attack specifically attempts to execute applications resulting in compromise of the SMTP server system. These alerts are generally provided by network-based intrusion detection systems, or the SMTP server software itself. Appropriate response to these alerts may entail better access control of the SMTP server (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting, especially for SMTP servers that relay mail for external/remote entities), applying updates or patches to SMTP servers, or the possible removal of the SMTP server related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > MailAccess > MailTransferAccess > SMTPCommandAccess
SMTPCommandAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer mail transfer traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in SMTP server software with the intent of information gathering or low-level access to the server. These attacks are always abnormal command traffic that the SMTP server is not prepared to respond to, but may provide access to (e.g. debug or legacy commands). These alerts are generally provided by network-based intrusion detection systems, or the SMTP server software itself. Appropriate response to these alerts may entail better access control of the SMTP server (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting, especially for SMTP servers that relay mail for external/remote entities), applying updates or patches to SMTP servers, restriction of allowed commands, or the possible removal of the SMTP server related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > MailAccess > MailDeliveryAccess
MailDeliveryAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer mail retrieval traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in mail retrieval related server or client software - the MDA (mail delivery agent) or MUA (mail user agent). These alerts are generally provided by network-based intrusion detection systems, or the mail server, service, or client software itself. Appropriate response to these alerts may entail better access control of mail servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to mail servers and/or clients, or the possible removal of the mail server, service, or client application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > MailAccess > MailServiceAccess MailServiceAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via applicationlayer mail service traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in mail service-related server or client software, including services such as mailing list software, spam filters, email redirection software, and other mail filtering software. These alerts are generally provided by network-based intrusion detection systems, the mail service, or the client software itself. Appropriate response to these alerts may entail better access control of mail services or servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to mail services and/or clients, or the possible removal of the mail service or client application related to this event. AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > MailAccess > MailServiceAccess > MajordomoAccess MailServiceAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via applicationlayer mail service traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in Majordomo, a specific type of mailing list software. 437 Security Events These alerts are generally provided by network-based intrusion detection systems, or the mail service itself. Appropriate response to these alerts may entail better access control of mail services or servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to the mail service, or the possible removal of the mail service related to this event. 
Generally, the most appropriate response will be updates or patches, which can be retrieved from the Majordomo web site (http://www.greatcircle.com/majordomo) or from your operating system vendor.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > NewsAccess
NewsAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer news traffic (over protocols such as NNTP). Generally, these alerts will reflect attempted exploitation of weaknesses in the news server or client software. These alerts are generally provided by network-based intrusion detection systems, the news server, or the client software itself. Appropriate response to these alerts may entail better access control of news servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to news servers and/or clients, or the possible removal of the news service or client application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > PrinterAccess
PrinterAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer remote printer traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in the remote printer server or client software. These alerts are generally provided by network-based intrusion detection systems, the remote printer server, or the client software itself. Appropriate response to these alerts may entail better access control of remote printer servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to remote printer servers and/or clients, or the possible removal of the remote printer service or client application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > WebAccess
WebAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer WWW traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in the web server or client software. These alerts are generally provided by network-based intrusion detection systems, the web server, or the client software itself. Appropriate response to these alerts may entail better access control of web servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to web servers and/or clients, or the possible removal of the web service or client application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > WebAccess > HTTPClientAccess
HTTPClientAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer WWW traffic in which the information flow is from server to client. Generally, these alerts will reflect attempted exploitation of weaknesses in the client software, or abuse and/or misuse of resources by clients. These alerts are generally provided by network-based intrusion detection systems, the web client software itself, proxy servers, content filters, and/or firewalls with the capability to monitor incoming web traffic. Appropriate response to these alerts may entail applying updates or patches to web client software, or restriction of incoming/outgoing web requests/responses to reflect the inappropriate or abusive access.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > WebAccess > HTTPClientAccess > FraudulentCertificateAccess
FraudulentCertificateAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer WWW traffic in which the information flow is from server to client. Generally, these alerts will reflect attempted exploitation of weaknesses in the client software through fraudulent certificates. The intent of these attacks is to present a forged or otherwise untrustworthy certificate that convinces the client that the site is trusted when in fact it is not, and then to pass content over that connection that may be inappropriate and/or contain exploits. These alerts are generally provided by network-based intrusion detection systems, the web client software itself, proxy servers, content filters, and/or firewalls with the capability to monitor incoming web traffic. Appropriate response to these alerts may entail applying updates or patches to web client software, or restriction of incoming/outgoing web requests/responses to reflect the abusive access.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > WebAccess > HTTPClientAccess > ProhibitedHTTPControlAccess
ProhibitedHTTPControlAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer WWW traffic in which the information flow is from server to client. Generally, these alerts will reflect attempted exploitation of weaknesses in the client software, or abuse and/or misuse of client resources, through client-side controls such as ActiveX and Java. These alerts are generally provided by network-based intrusion detection systems, the web client software itself, proxy servers, content filters, and/or firewalls with the capability to monitor incoming web traffic.
Appropriate response to these alerts may entail applying updates or patches to web client software, or restriction of incoming/outgoing web requests/responses to reflect the inappropriate or abusive access.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > WebAccess > HTTPServerAccess
HTTPServerAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer WWW traffic in which the information flow is from client to server. Generally, these alerts will reflect attempted exploitation of weaknesses in the server software, or abuse and/or misuse of server resources. These alerts are generally provided by network-based intrusion detection systems, the web server or service software itself, and/or firewalls with the capability to monitor incoming/outgoing web traffic. Appropriate response to these alerts may entail better access control of web servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to web servers, services, and/or clients, or the possible removal of the web service or client application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > WebAccess > HTTPServerAccess > HTTPApplicationAccess
HTTPApplicationAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer WWW traffic in which the information flow is from client to server. Generally, these alerts will reflect attempted exploitation of weaknesses in applications running on top of the server software, such as PHP, CGI, administrative sites, and other application services.
These alerts are generally provided by network-based intrusion detection systems, the web server, the service software itself, and/or firewalls with the capability to monitor incoming/outgoing web traffic. Appropriate response to these alerts may entail better access control of web servers or of the service itself (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to web servers, services, and/or clients, or the possible removal of the web service application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > WebAccess > HTTPServerAccess > HTTPApplicationAccess > HTTPAdministrationAccess
HTTPAdministrationAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer WWW traffic in which the information flow is from client to server. Generally, these alerts will reflect attempted exploitation of weaknesses in applications running on top of the server software that are related to remote administration of sites, services, and/or systems. These alerts are generally provided by network-based intrusion detection systems, the web server, the service software itself, and/or firewalls with the capability to monitor incoming/outgoing web traffic. Appropriate response to these alerts may entail better access control of web servers or of the service itself (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to web servers, services, administrative sites, and/or clients, or the possible removal of the web service application or administrative site related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > WebAccess > HTTPServerAccess > HTTPApplicationAccess > HTTPDynamicContentAccess
HTTPDynamicContentAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer WWW traffic in which the information flow is from client to server. Generally, these alerts will reflect attempted exploitation of weaknesses in applications, running on top of the server software, that generate dynamic content, such as PHP, CGI, and ASP. These alerts are generally provided by network-based intrusion detection systems, the web server, the service software itself, and/or firewalls with the capability to monitor incoming/outgoing web traffic. Appropriate response to these alerts may entail better access control of web servers or of the service itself (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to web servers, services, dynamic content, and/or clients, or the possible removal of the web service application or dynamic content related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > WebAccess > HTTPServerAccess > HTTPApplicationAccess > HTTPFileRequestAccess
HTTPFileRequestAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer WWW traffic in which the information flow is from client to server. Generally, these alerts will reflect attempted exploitation of weaknesses in the file-request handling of applications running on top of the server software, with the intent of information gathering or low-level filesystem access on the server or client.
These alerts are generally provided by network-based intrusion detection systems, the web server, the service software itself, and/or firewalls with the capability to monitor incoming/outgoing web traffic. Appropriate response to these alerts may entail better access control of web servers or of the service itself (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to web servers, services, and/or clients, or the possible removal of the web service application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > WebAccess > HTTPServerAccess > HTTPApplicationAccess > HTTPServiceAccess
HTTPServiceAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer WWW traffic in which the information flow is from client to server. Generally, these alerts will reflect attempted exploitation of weaknesses in applications running on top of the server software that expose remote services such as printing or console access. These alerts are generally provided by network-based intrusion detection systems, the web server, the service software itself, and/or firewalls with the capability to monitor incoming/outgoing web traffic. Appropriate response to these alerts may entail better access control of web servers or of the service itself (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to web servers, services, and/or clients, or the possible removal of the web service application or site related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > WebAccess > HTTPServerAccess > HTTPInvalidFormatAccess
HTTPInvalidFormatAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer web traffic in which the information flow is from client to server. Generally, these alerts will reflect attempted exploitation of weaknesses in web server software with the intent of information gathering or low-level access to the server. These attacks consist of malformed or otherwise abnormal requests that the web server is not prepared to handle; some of them, such as buffer overflows, may also crash the server software or halt the system. These alerts are generally provided by network-based intrusion detection systems, the web server, the service software itself, and/or firewalls with the capability to monitor incoming/outgoing web traffic. Appropriate response to these alerts may entail better access control of the web server (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to web servers or services, or the possible removal of the web server related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > NamingAccess
NamingAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer naming service traffic (using protocols such as DNS and WINS). Generally, these alerts will reflect attempted exploitation of weaknesses in the naming server or client software. These alerts are generally provided by network-based intrusion detection systems, the naming server, or the client software itself. Appropriate response to these alerts may entail better access control of name servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to naming servers and/or clients, or the possible removal of the naming service or client application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > RemoteConsoleAccess
RemoteConsoleAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer remote console service traffic (services such as telnet, SSH, and terminal services). Generally, these alerts will reflect attempted exploitation of weaknesses in the remote console server or client software. These alerts are generally provided by network-based intrusion detection systems, the remote console server, or the client software itself. Appropriate response to these alerts may entail better access control of remote console servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to remote console servers and/or clients, or the possible removal of the remote console service or client application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > TimeAccess
TimeAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer remote time service traffic (using protocols such as NTP). Generally, these alerts will reflect attempted exploitation of weaknesses in the remote time server or client software. These alerts are generally provided by network-based intrusion detection systems, the time server, or the client software itself. Appropriate response to these alerts may entail better access control of remote time servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to remote time servers and/or clients, or the possible removal of the remote time service or client application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ConfigurationAccess
ConfigurationAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via resource configuration traffic (using protocols such as DHCP, BOOTP, and SNMP). Generally, these alerts will reflect attempted exploitation of weaknesses in the configuration server or client software, or attempts to gain system-level access to the configuration servers themselves. In the case of SNMP and similar configuration protocols, an alert may also reflect an attempt to enumerate a device or devices on the same network in preparation for further attack. These alerts are generally provided by network-based intrusion detection systems, the configuration server, or the client software itself. Appropriate response to these alerts may entail better access control of configuration servers and services (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to configuration servers and/or clients, or the possible removal of the configuration service or client application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > CoreAccess
CoreAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources and the related data is mostly or entirely core protocol traffic (TCP, UDP, IP, ICMP). Generally, CoreAccess alerts will reflect attempted exploitation of weaknesses in network protocols or devices with the intent of gaining access to servers, clients, or network infrastructure devices.
These alerts are generally provided by network-based intrusion detection systems; in some cases, network infrastructure devices such as firewalls or routers may also provide them. In some cases, these events are escalated from the Audit tree via Contego Policy. Events placed in the parent CoreAccess alert itself are known to be core protocol-related but cannot be categorized further, either because the message provided by the connector does not carry enough detail or because the attack is uncommon.

AttackBehavior > ResourceAttack > NetworkAttack > Access > CoreAccess > ICMPRedirectAccess
ICMPRedirectAccess alerts reflect a specific type of CoreAccess alert where the attack traffic is all ICMP Redirects (ICMP type 5) and the intent is to redirect traffic in order to enumerate devices or client machines, or to gather information on devices or client traffic for further attacks on those or other resources. ICMP Redirects are normally benign messages sent by a router to a host to tell it that a better first hop exists for traffic to a given network. When used in an attack, a host poses as a router and sends a redirect to a client machine so that the client modifies its routing table to send traffic to the false router instead of its normal gateway; the attacker then enumerates, gathers information from, or attacks the redirected host. The false router forwards the traffic on to the correct gateway, so the victim sees nothing wrong (unless another device or connector detects it). This is one form of what is commonly referred to as a man-in-the-middle attack. These alerts are generally provided by network-based intrusion detection systems and network infrastructure devices such as firewalls or routers. Appropriate response to these alerts may entail blocking or resetting the local or remote user's connection/IP address, updates to network infrastructure devices, or restriction of incoming/outgoing ICMP redirect requests/responses to reflect the inappropriate or abusive access. Appropriate prevention of ICMP redirect attacks includes limiting the hosts that may send ICMP Redirects across network devices to the legitimate routers and gateways, configuring hosts to ignore ICMP Redirects where routing does not depend on them, limiting ingress and egress ICMP traffic, and keeping clients, servers, and network infrastructure devices current with regard to operating system and other networking software, so that related attacks built on ICMP Redirects (such as denial of service attacks) do not succeed.

AttackBehavior > ResourceAttack > NetworkAttack > Access > CoreAccess > IPFragmentationAccess
IPFragmentationAccess alerts reflect a specific type of CoreAccess alert where the attack traffic is all IP and the intent is to slip malicious or abusive data past an IDS or other detection device by splitting it across many IP fragments (usually either much larger or much smaller than normal fragments). The network infrastructure devices handling the traffic will reassemble and pass on the traffic correctly; an IDS on the network, however, may not be able to detect the malicious content, only the presence of fragments (if even that). The attack may therefore pass through the network, incoming or outgoing, with one line of defense eliminated. Normal IP fragmentation (a datagram split because it is too large for the path) should not trigger an IPFragmentationAccess alert. Fragmentation alerts themselves are generally provided by network-based intrusion detection systems and network infrastructure devices such as firewalls or routers. Appropriate response to these alerts may entail blocking or resetting the local or remote user's connection/IP address, applying updates or patches to server and/or client software (especially the IDS), updates to network infrastructure devices, or restriction of incoming/outgoing network requests/responses to reflect the inappropriate or abusive access.

AttackBehavior > ResourceAttack > NetworkAttack > Access > CoreAccess > IPSourceRouteAccess
IPSourceRouteAccess alerts reflect a specific type of CoreAccess alert where the attack traffic is all IP and the intent is generally to misrepresent the originating address in order to bypass detection. IPSourceRouteAccess is a type of IP spoofing in which the attacker falsifies network information to convince the destination that the source is a trusted host rather than the actual source, and uses the IP Source Route option to dictate the path: the option routes the traffic to the trusted host and then on to the untrusted attacker. The destination returns its traffic along the reversed source route, so the trusted host receives it and, because of the IP Source Route, passes it on to the untrusted attacker. The data is not modified; the attacker has 'tricked' the network into delivering traffic meant for the trusted host. Generally, while spoofed, clients will attempt to gather information, perform actual attacks on internal or external devices, or perform denial of service attacks. These alerts are generally provided by network-based intrusion detection systems and network infrastructure devices such as firewalls or routers. Response to IP spoofing itself is difficult, as the originating host may alternate spoofed hostnames or IP addresses in order to continually circumvent detection; however, response to IP spoofing that relies on the IP source route can entail configuring routers and gateways to drop any traffic that carries an IP Source Route option. Initial appropriate response to these alerts may entail blocking or resetting the local or remote user's connection/IP address, although this may prove ineffective or unrealistic. Other responses may include applying updates or patches to server and/or client software, updates to network infrastructure devices, or restriction of incoming/outgoing network requests/responses to reflect the inappropriate or abusive access. It may prove difficult to derail an attack in progress through IP spoofing; however, routing and firewalling policies (including disallowing traffic with the IP Source Route option) should prevent further access through spoofed addresses.

AttackBehavior > ResourceAttack > NetworkAttack > Access > CoreAccess > IPSpoofAccess
IPSpoofAccess alerts reflect a specific type of CoreAccess alert where the attack traffic is all IP and the intent is to misrepresent the originating address, either to bypass detection or to misdirect the response to attack activity. IP spoofing is done by falsifying network information to convince the destination (and any network hops in between) that the given source is something other than the actual source. Generally, while spoofed, clients will attempt to gather information, perform actual attacks on internal or external devices, or perform denial of service attacks. These alerts are generally provided by network-based intrusion detection systems and network infrastructure devices such as firewalls or routers. Response to IP spoofing is difficult, as the originating host may alternate spoofed hostnames or IP addresses in order to continually circumvent detection. Initial appropriate response to these alerts may entail blocking or resetting the local or remote user's connection/IP address, although this may prove ineffective or unrealistic. Other responses may include applying updates or patches to server and/or client software, updates to network infrastructure devices, or restriction of incoming/outgoing network requests/responses to reflect the inappropriate or abusive access. It may prove difficult to derail an attack in progress through IP spoofing; however, routing and firewalling policies (in particular, rejecting packets whose source address could not legitimately arrive on the interface they came in on) should prevent further access through spoofed addresses.

AttackBehavior > ResourceAttack > NetworkAttack > Access > CoreAccess > TCPHijackAccess
TCPHijackAccess alerts reflect a specific type of CoreAccess alert where the attack traffic is all TCP and the intent is to hijack a user's connection. TCP hijacking takes over another network user's established connection by sending forged packets that 'confuse' the server into treating the attacker as the original user (typically by supplying the sequence numbers the server expects next). In doing so, the original user is cut off from the connection and the attacker takes it over, inheriting every attribute the server had assumed about the original user, including levels of security and/or trust. TCP hijacking can be used to plant tools for future attacks on client systems, gather information about networks and/or client systems, immediately attack internal networks, or carry out other malicious and/or abusive behavior. These alerts are generally provided by network-based intrusion detection systems; in some cases, network infrastructure devices such as firewalls or routers may also provide them. Appropriate response to these alerts may entail blocking or resetting the remote hijacker's connection/IP address, applying updates or patches to server and/or client software, updates to network infrastructure devices, or restriction of incoming/outgoing network requests/responses to reflect the inappropriate or abusive access.
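Three of the CoreAccess sub-categories above (ICMPRedirectAccess, IPFragmentationAccess and IPSourceRouteAccess) can be recognised from a single packet's IPv4 header, without reassembly or connection state, which is what a network sensor feeding these events does. The following Python is an added example written for this guide, not SolarWinds or LEM code, and it does not reproduce any real connector's logic: it parses a raw IPv4 header, walks the option list, and maps the packet to the category names used in the taxonomy. The packets it classifies are constructed in the block itself (no capture), and the 24-byte "tiny fragment" threshold is an assumption chosen for the example rather than a value from this document.

```python
"""Single-packet classifier for three LEM CoreAccess sub-categories.

Added example, not SolarWinds/LEM code.  It decodes a raw IPv4 header and
reports ICMPRedirectAccess, IPFragmentationAccess and IPSourceRouteAccess
conditions that are visible without reassembly or connection state.
"""
import socket
import struct

IPPROTO_ICMP = 1
IPPROTO_TCP = 6
ICMP_REDIRECT = 5      # ICMP type 5 (RFC 792)
IP_OPT_LSRR = 131      # Loose Source and Record Route (RFC 791)
IP_OPT_SSRR = 137      # Strict Source and Record Route (RFC 791)
# Assumed threshold for this example: a non-final fragment carrying fewer
# than this many payload bytes is treated as evasion-sized rather than as a
# normal MTU-driven split.
TINY_FRAGMENT_BYTES = 24


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; yields 0 over a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_options(raw: bytes) -> list:
    """Walk the IPv4 option TLVs and return the option kinds present."""
    kinds, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # No Operation (single byte)
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed IP option at offset %d" % i)
        kinds.append(kind)
        i += raw[i + 1]
    return kinds


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed header, options and fragment fields of one packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _, _, _, ff, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "proto": proto,
        "more_fragments": bool(ff & 0x2000),   # MF flag
        "frag_offset": (ff & 0x1FFF) * 8,      # offset field is in 8-byte units
        "options": parse_options(pkt[20:ihl]),
        "checksum_ok": ip_checksum(pkt[:ihl]) == 0,
        "payload": pkt[ihl:],
    }


def classify(pkt: bytes) -> list:
    """Return the CoreAccess sub-categories that this one packet matches."""
    h = parse_ipv4(pkt)
    tags = []
    if IP_OPT_LSRR in h["options"] or IP_OPT_SSRR in h["options"]:
        tags.append("IPSourceRouteAccess")
    if h["more_fragments"] and len(h["payload"]) < TINY_FRAGMENT_BYTES:
        tags.append("IPFragmentationAccess")
    # The ICMP type byte is only present in the first fragment (offset 0).
    if (h["proto"] == IPPROTO_ICMP and h["frag_offset"] == 0
            and h["payload"][:1] == bytes([ICMP_REDIRECT])):
        tags.append("ICMPRedirectAccess")
    return tags


def build_ipv4(src, dst, proto, payload, options=b"", more_fragments=False, frag_offset=0):
    """Build a packet with a correct header checksum (constructed test input)."""
    options += b"\x00" * (-len(options) % 4)        # pad options to 32-bit words
    ihl = 20 + len(options)
    ff = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | (ihl // 4), 0, ihl + len(payload),
                      0x1234, ff, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst)) + options
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


# Constructed sample traffic (not captured data); 10.0.0.66 plays the attacker.
SAMPLES = {
    # A host posing as a router tells 10.0.0.20 to use 10.0.0.66 as its gateway.
    "redirect": build_ipv4("10.0.0.66", "10.0.0.20", IPPROTO_ICMP,
                           bytes([ICMP_REDIRECT, 1, 0, 0]) + socket.inet_aton("10.0.0.66") + b"\x00" * 28),
    # Spoofed 'trusted' source 10.0.0.5 with an LSRR option that routes replies via 10.0.0.66.
    "source_routed": build_ipv4("10.0.0.5", "10.0.0.20", IPPROTO_TCP, b"\x00" * 20,
                                options=bytes([IP_OPT_LSRR, 7, 4]) + socket.inet_aton("10.0.0.66")),
    # First fragment of a TCP segment that carries only 8 bytes of the transport header.
    "tiny_fragment": build_ipv4("10.0.0.66", "10.0.0.20", IPPROTO_TCP, b"\x00" * 8, more_fragments=True),
    # Benign: an MTU-sized non-final fragment and a plain ICMP echo request.
    "normal_fragment": build_ipv4("10.0.0.5", "10.0.0.20", IPPROTO_TCP, b"\x00" * 1480, more_fragments=True),
    "echo_request": build_ipv4("10.0.0.5", "10.0.0.20", IPPROTO_ICMP, bytes([8, 0, 0, 0]) + b"\x00" * 4),
}


def classify_samples() -> dict:
    return {name: classify(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, tags in classify_samples().items():
        print("%-16s %s" % (name, ", ".join(tags) or "-"))
```

The fragment rule deliberately keys on a non-final fragment that is smaller than any sane MTU would produce, so ordinary path-MTU fragmentation (the normal_fragment sample) stays silent, as the IPFragmentationAccess description requires. Overlapping fragments and a redirect whose claimed gateway is not a real router need per-flow state and a list of legitimate gateways, which a single-packet classifier cannot supply.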
AttackBehavior > ResourceAttack > NetworkAttack > Access > CoreAccess > TCPTunnelingAccess
TCPTunnelingAccess alerts reflect a specific type of CoreAccess alert where the attack traffic is all TCP and the intent is to tunnel a possibly malicious or abusive connection through other TCP traffic. TCP tunneling uses permitted TCP traffic to bypass access policies on network devices, content filtering, monitoring, and other traffic shaping or behavior policies. It is done by initiating a known 'acceptable' TCP connection that the policies allow and piggybacking an unacceptable connection on top of the granted one. Over the new 'tunnel' the user can pass any traffic that does not match other policies, and once the tunnel is established it may be difficult to detect and prevent further malicious or abusive activity, because the inner traffic is carried inside a connection that policy has already permitted. These alerts are generally provided by network-based intrusion detection systems; in some cases, network infrastructure devices such as firewalls or routers may also provide them. Appropriate response to these alerts may entail blocking or resetting the local or remote user's connection/IP address, applying updates or patches to server and/or client software, updates to network infrastructure devices, or restriction of incoming/outgoing network requests/responses to reflect the inappropriate or abusive access.

AttackBehavior > ResourceAttack > NetworkAttack > Access > FileSystemAccess
FileSystemAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via remote filesystem traffic (using protocols such as SMB and NFS). Generally, these alerts will reflect attempted exploitation of weaknesses in the remote filesystem server or client software, or attempts to gain system-level access to the remote filesystem servers themselves. These alerts are generally provided by network-based intrusion detection systems, the remote filesystem server, or the client software itself. Appropriate response to these alerts may entail better access control of remote filesystems (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to remote filesystem servers and/or clients, or the possible removal of the remote filesystem service or client application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > FileSystemAccess > NFSAccess
NFSAccess alerts are a specific type of FileSystemAccess alert that reflects malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via NFS (Network File System) remote filesystem traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in the NFS server or client software, or attempts to gain system-level access to the NFS servers themselves. These alerts are generally provided by network-based intrusion detection systems, the remote filesystem server, or the client software itself. Appropriate response to these alerts may entail better access control of remote filesystems (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to remote filesystem servers and/or clients, or the possible removal of the remote filesystem service or client application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > FileSystemAccess > SMBAccess
SMBAccess alerts are a specific type of FileSystemAccess alert that reflects malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via SMB (Server Message Block) remote filesystem traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in the SMB server or client software, or attempts to gain system-level access to the SMB servers themselves. These alerts are generally provided by network-based intrusion detection systems, the remote filesystem server, or the client software itself. Appropriate response to these alerts may entail better access control of remote filesystems (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to remote filesystem servers and/or clients, or the possible removal of the remote filesystem service or client application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > LinkControlAccess
LinkControlAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources and the related data is low-level link control (using protocols such as ARP). Generally, LinkControlAccess alerts will reflect attempted exploitation of weaknesses in switching devices by means of malformed incoming or outgoing data, with the intent to enumerate or gain access to or through the switching device, the clients attached to it, and the entire networks behind it. In some cases a managed switch whose port-analysis functions are restricted can be driven into behaving like an unmanaged switch with no restrictions (for example, when its forwarding table is overloaded with bogus entries and it starts flooding frames to every port), which allows a malicious client to sniff traffic and then enumerate or attack. These alerts are generally provided by network-based intrusion detection systems and network infrastructure devices with link-level control (such as switches). Appropriate response to LinkControlAccess events may be to clear the link-level control state of the switching device (for example, flushing the ARP cache or the forwarding table), applying updates or patches to switching devices, or better segmentation of networks to limit information disclosure if an attack occurs.

AttackBehavior > ResourceAttack > NetworkAttack > Access > PointToPointAccess
PointToPointAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via point-to-point traffic (using protocols such as PPTP). Generally, these alerts will reflect attempted exploitation of weaknesses in point-to-point server or client software, attempts to enumerate networks, or attempts to further attack devices on trusted networks. These alerts are generally provided by network-based intrusion detection systems; in some cases, network infrastructure devices such as firewalls, routers, or VPN servers may also provide them. Appropriate response to these alerts may entail better access control of remote access services (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to remote access servers and/or clients, or the possible removal of the remote point-to-point service or client application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > PointToPointAccess > PPTPSpoof
PPTPSpoof alerts reflect a specific type of PointToPointAccess alert where the attack traffic is all PPTP and the intent is to misrepresent the originating address, either to bypass detection or to misdirect the response to attack activity; often the targets of these attacks are internal trusted networks that allow remote access through PPTP tunneling. PPTP spoofing is done by falsifying network information to convince the destination (and any network hops in between) that the given source is something other than the actual source. Generally, while spoofed, clients will attempt to gather information, perform actual attacks on internal devices, or perform denial of service attacks. These alerts are generally provided by network-based intrusion detection systems and network infrastructure devices such as firewalls or routers. Response to PPTP spoofing is difficult, as the originating host appears to come from a 'trusted' address that has already completed the initial handshake and key exchange. Initial appropriate response to these alerts may entail blocking or resetting the local or remote user's connection/IP address, applying updates or patches to server and/or client software, updates to network infrastructure devices, or restriction of incoming/outgoing PPTP requests/responses to reflect the inappropriate or abusive access.

AttackBehavior > ResourceAttack > NetworkAttack > Access > RemoteProcedureAccess
RemoteProcedureAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via remote procedure call traffic (using protocols such as the traditional RPC services, RMI, and CORBA). Generally, these alerts will reflect attempted exploitation of weaknesses in the remote procedure server or client software, or attempts to gain system-level access to the remote procedure servers themselves. These alerts are generally provided by network-based intrusion detection systems, the remote procedure server, or the client software itself. Appropriate response to these alerts may entail better access control of remote procedure servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to remote procedure servers and/or clients, or the possible removal of the remote procedure service or client application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > RemoteProcedureAccess > RPCPortmapperAccess RPCPortmapperAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via remote procedure call traffic using the traditional RPC portmapper service. Generally, these alerts will reflect attempted exploitation of weaknesses in the remote procedure server or client software or attempts to gain system-level access to remote procedure servers themselves. These alerts are generally provided by network-based intrusion detection systems, the remote procedure server, or the client software itself. Appropriate response to these alerts may entail better access control of remote procedure (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to remote procedure servers and/or clients, or the possible removal of the remote procedure service or client application related to this event. AttackBehavior > ResourceAttack > NetworkAttack > Access > RoutingAccess 452 Appendix B: Events RoutingAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is routing-related protocols (RIP, IGMP, etc.). Generally, RoutingAccess alerts will reflect attempted exploitation of weaknesses in routing protocols or devices with intent to enumerate or gain access to or through routers, servers, clients, or other network infrastructure devices. These routing protocols are used to automate the routing process between multiple devices that share or span networks. These alerts are generally provided by network-based intrusion detection systems and network infrastructure devices that utilize routing protocols such as firewalls and routers. Appropriate response to RoutingAccess events may be better access control of routing devices (e.g. 
restriction of what devices are allowed to update routing by IP address to ensure only trusted devices are passing data), applying updates or patches to routing servers and/or devices, or the possible removal of the automated routing protocols from servers and/or devices. AttackBehavior > ResourceAttack > NetworkAttack > Access > RoutingAccess > MalformedRIPAccess MalformedRIPAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is all RIP (Routing Information Protocol). Generally, MalformedRIPAccess alerts will reflect attempted exploitation of weaknesses in RIP by usage of malformed incoming or outgoing data, with the intent to enumerate or gain access to or through routers, servers, clients, or other network infrastructure devices. RIP is used to automate the routing process between multiple devices that share or span networks. These alerts are generally provided by network-based intrusion detection systems and network infrastructure devices that utilize routing protocols such as firewalls and routers. Appropriate response to RIP Access events may be better access control of routing devices (e.g. restriction of what devices are allowed to update routing by IP address to ensure only trusted devices are passing data), applying updates or patches to routing servers and/or devices, or the possible removal of the automated routing protocols from servers and/or devices. AttackBehavior > ResourceAttack > NetworkAttack > Access > TrojanTrafficAccess 453 Security Events TrojanTrafficAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as a Trojan Horse. This alert detects the communication related to Trojans over the network (generally, 'trojaned' clients calling home to the originator). 
Trojans are generally executables that generally require no user intervention to spread and contain malicious code that is placed on the client system and used to exploit the client (and return access to the originator of the attack) or exploit other clients (used in attacks such as distributed denial of service attacks). These alerts are generally provided by a virus scanner, a network-based intrusion detection system, or in some cases, the operating system or network infrastructure devices such as firewalls and routers. Appropriate response to these alerts may entail a quarantine of the node from the network to prevent internal attacks and further compromise of the client system, updates of virus scanner pattern files on this and other network nodes to prevent future or further infection, virus scans on this and other network nodes to detect further infection if any has taken place, and research into the offending Trojan to find out methods of removal (if necessary). AttackBehavior > ResourceAttack > NetworkAttack > Access > TrojanTrafficAccess > TrojanCommandAccess TrojanCommandAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as Trojan Horses. This alert detects the communication related to Trojans sending commands over the network (infecting other clients, participating in a denial of service activity, being controlled remotely by the originator, etc.). Trojans are generally executables that generally require no user intervention to spread and contain malicious code that is placed on the client system and used to exploit the client (and return access to the originator of the attack) or exploit other clients (used in attacks such as distributed denial of service attacks). 
These alerts are generally provided by a virus scanner, a network-based intrusion detection system, or in some cases, the operating system or network infrastructure devices such as firewalls and routers. Appropriate response to these alerts may entail a quarantine of the node from the network to prevent internal attacks and further compromise of the client system, updates of virus scanner pattern files on this and other network nodes to prevent future or further infection, virus scans on this and other network nodes to detect further infection if any has taken place, and research into the offending Trojan to find out methods of removal (if necessary). 454 Appendix B: Events AttackBehavior > ResourceAttack > NetworkAttack > Access > TrojanTrafficAccess > TrojanInfectionAccess TrojanInfectionAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as a Trojan Horse. This alert detects the infection traffic related to a Trojan entering the network (generally with intent to infect a client). Trojans are generally executables that generally require no user intervention to spread and contain malicious code that is placed on the client system and used to exploit the client (and return access to the originator of the attack) or exploit other clients (used in attacks such as distributed denial of service attacks). These alerts are generally provided by a virus scanner, a network-based intrusion detection system, or in some cases, the operating system or network infrastructure devices such as firewalls and routers. 
Appropriate response to these alerts may entail a quarantine of the node from the network to prevent internal attacks and further compromise of the client system, updates of virus scanner pattern files on this and other network nodes to prevent future or further infection, virus scans on this and other network nodes to detect further infection if any has taken place, and research into the offending Trojan to find out methods of removal (if necessary). AttackBehavior > ResourceAttack > NetworkAttack > Access > VirusTrafficAccess VirusTrafficAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as viruses. This alert detects the communication related to viruses over the network (generally, the spread of a virus infection or an incoming virus infection). Viruses are generally executables that require user intervention to spread, contain malicious code that is placed on the client system, and are used to exploit the client and possibly spread itself to other clients. These alerts are generally provided by a virus scanner, a network-based intrusion detection system, or in some cases, the operating system or network infrastructure devices such as firewalls and routers. Appropriate response to these alerts may entail a quarantine of the node from the network to prevent internal attacks and further compromise of the client system, updates of virus scanner pattern files on this and other network nodes to prevent future or further infection, virus scans on this and other network nodes to detect further infection if any has taken place, and research into the offending virus to find out methods of removal (if necessary). 
455 Security Events AttackBehavior > ResourceAttack > NetworkAttack > Denial Children of the Denial tree define events centered on malicious or abusive usage of network bandwidth/traffic where the intention, or the result, is inappropriate or abusive access to network resources through a denial of service attack. These alerts are generally provided by network-based intrusion detection systems, but may also be provided by firewalls or other network infrastructure devices. AttackBehavior > ResourceAttack > NetworkAttack > Denial > ApplicationDenial ApplicationDenial events are a specific type of Denial event where the transport of the malicious or abusive usage is application-layer protocols. The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. ApplicationDenial events may be attempts to exploit weaknesses in software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities. These alerts are generally provided by network-based intrusion detection systems, but may also be provided by firewalls or other network infrastructure devices. AttackBehavior > ResourceAttack > NetworkAttack > Denial > ApplicationDenial > FileTransferDenial FileTransferDenial events are a specific type of Denial event where the transport of the malicious or abusive usage is application-layer file transfer-related protocols (FTP, TFTP, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. FileTransferDenial events may be attempts to exploit weaknesses in file transfer-related software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities. 
These alerts are generally provided by network-based intrusion detection systems, but may also be provided by firewalls or other network infrastructure devices. AttackBehavior > ResourceAttack > NetworkAttack > Denial > ApplicationDenial > MailDenial MailDenial events are a specific type of Denial event where the transport of the malicious or abusive usage is application-layer mail-related protocols (SMTP, 456 Appendix B: Events IMAP, POP3, etc.) or services (majordomo, spam filters, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. MailDenial events may be attempts to exploit weaknesses in mail-related software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities. These alerts are generally provided by network-based intrusion detection systems, but may also be provided by firewalls or other network infrastructure devices. AttackBehavior > ResourceAttack > NetworkAttack > Denial > ApplicationDenial > MailDenial > MailServiceDenial MailServiceDenial events are a specific type of Denial event where the transport of the malicious or abusive usage is application-layer mail-related services (majordomo, spam filters, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. MailServiceDenial events may be attempts to exploit weaknesses in mailrelated software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities. These alerts are generally provided by network-based intrusion detection systems, but may also be provided by firewalls or other network infrastructure devices. 
AttackBehavior > ResourceAttack > NetworkAttack > Denial > ApplicationDenial > MailDenial > MailServiceDenial > MailSpamDenial MailSpamDenial events are a specific type of Denial event where the transport of the malicious or abusive usage is application-layer mail-related services (usually SMTP). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack through excessive mail relaying. MailSpamDenial events reflect excessive attempts to relay mail through an SMTP server from remote sites that should not typically be relaying mail through the server, let alone excessive quantities of mail. The goal of these attacks may not be to enumerate or exploit weaknesses in the mail server, but to relay as much mail through an open relay mail server as quickly as possible, resulting in a denial of service attack. These alerts are generally provided by network-based intrusion detection systems, but may also be provided by the mail server itself, firewalls, or other network infrastructure devices. These alerts may indicate an open relay on the 457 Security Events network or an attempt to find an open relay; appropriate response may be to close access to SMTP servers to only internal and necessary external IP addresses. AttackBehavior > ResourceAttack > NetworkAttack > Denial > ApplicationDenial > WebDenial WebDenial events are a specific type of Denial event where the transport of the malicious or abusive usage is application-layer web-related protocols (HTTP, HTTPS, etc.) or services (CGI, ASP, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. WebDenial events may be attempts to exploit weaknesses in webrelated software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities. 
These alerts are generally provided by network-based intrusion detection systems, but may also be provided by firewalls or other network infrastructure devices. AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial CoreDenial events are a specific type of Denial event where the transport of the malicious or abusive usage is core protocols (TCP, IP, ICMP, UDP). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. CoreDenial events may be attempts to exploit weaknesses in software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities. These alerts are generally provided by network-based intrusion detection systems, but may also be provided by firewalls or other network infrastructure devices. AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial > ChargenDenial ChargenDenial alerts reflect a specific type of CoreDenial alert where the intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service via UDP chargen or echo services. This attack attempts to exploit network infrastructure devices and hosts by pointing two chargen or echo hosts at each other and forcing so many responses that the network and hosts are flooded. In response to a request to the echo or chargen port, the second device will send a response, which will trigger another request, which will trigger a response, etc. The source of the initial request is a spoofed IP address, which appears as one of the hosts which will be a party in the attack 458 Appendix B: Events (sent to the second host). This will render both devices and possibly the network they are on useless either temporarily or for a significant amount of time by the sheer amount of traffic that is created. 
ChargenDenial alerts are generally provided by network-based intrusion detection systems and network infrastructure devices such as firewalls or routers. AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial > ICMPFloodDenial ICMPFloodDenial alerts reflect a specific type of CoreDenial alert where the intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service by an ICMP-based 'flood' attack (which uses many very large ICMP packets). The network infrastructure devices handling the traffic may pass on the traffic correctly, however, any vulnerable client or device on the network may not be able to process the incoming traffic (it may use up system resources to the point where the device is rendered useless and cannot accept network connections). Normal ICMP Traffic should not trigger an ICMPFloodDenial alert. ICMPFloodDenial alerts are generally provided by network-based intrusion detection systems and network infrastructure devices such as firewalls or routers. AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial > ICMPFragmentationDenial ICMPFragmentationDenial alerts reflect a specific type of CoreDenial alert where the intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack by using many ICMP fragments (usually either much larger or smaller than normal fragments). The network infrastructure devices handling the traffic will reassemble and pass on the traffic correctly, however, any vulnerable client on the network may not be able to reassemble the fragmented traffic (it may overflow the stack, triggering a host or service crash). Normal ICMP fragmentation (data that has been taken apart because it is too large based on network parameters) should not trigger an ICMPFragmentationDenial alert. 
Fragmentation alerts themselves are generally provided by network-based intrusion detection systems and network infrastructure devices such as firewalls or routers. AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial > ICMPSourceQuenchDenial 459 Security Events ICMPSourceQuenchDenial alerts reflect a specific type of CoreDenial alert where the intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service by an ICMP-based attack (which uses many ICMP packets set to type 4 - Source Quench). The network infrastructure devices handling the traffic may pass on the traffic correctly, however, any client listening and responding to source quench traffic may be slowed down to the point where rendered useless by way of correct response to the quench request. Normal ICMP traffic (including single, normal, source quench packets) should not trigger an ICMPSourceQuenchDenial alert. ICMPSourceQuenchDenial alerts are generally provided by network-based intrusion detection systems and network infrastructure devices such as firewalls or routers. AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial > IPFloodDenial IPFloodDenial alerts reflect a specific type of CoreDenial alert where the intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service by an IP-based 'flood' attack (which uses many very large IP packets). The network infrastructure devices handling the traffic may pass on the traffic correctly, however, any vulnerable client or device on the network may not be able to process the incoming traffic (it may use up system resources to the point where the device is rendered useless and cannot accept network connections). Normal IP Traffic should not trigger an IPFloodDenial alert. 
IPFloodDenial alerts are generally provided by network-based intrusion detection systems and network infrastructure devices such as firewalls or routers. AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial > IPFragmentationDenial IPFragmentationDenial alerts reflect a specific type of CoreDenial alert where the intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack by using many IP fragments (usually either much larger or smaller than normal fragments). The network infrastructure devices handling the traffic will reassemble and pass on the traffic correctly, however, any vulnerable client on the network may not be able to reassemble the fragmented traffic (it may overflow the stack, triggering a host or service crash). Normal IP fragmentation (data that has been taken apart because it is too large based on network parameters) should not trigger an IPFragmentationDenial alert. 460 Appendix B: Events Fragmentation alerts themselves are generally provided by network-based intrusion detection systems and network infrastructure devices such as firewalls or routers. AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial > IPFragmentationDenial > PingOfDeathDenial PingOfDeathDenial alerts reflect a specific type of CoreDenial alert where the intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service by a 'ping of death' attack (which uses many large ICMP Echo Request packets). The network infrastructure devices handling the traffic will pass on the traffic correctly, however, any vulnerable client on the network may not be able to process the incoming traffic (it may be processed in such a way that triggers a host or service crash). Unpatched Windows NT and 95/98 clients are especially vulnerable to this type of attack. Normal ICMP Echo Traffic should not trigger a PingOfDeathDenial alert. 
PingOfDeathDenial alerts are generally provided by network-based intrusion detection systems and network infrastructure devices such as firewalls or routers. AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial > LandAttackDenial LandAttackDenial alerts reflect a specific type of CoreDenial alert where the intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service by a 'land' attack (which uses TCP traffic with the SYN bit set and the same source IP and port as the destination). The network infrastructure devices handling the traffic will pass on the traffic correctly, however, any vulnerable client on the network may not be able to process the incoming traffic (it may be processed in such a way that triggers a host or service crash). Unpatched Windows 3.11, NT, and 95 clients are especially vulnerable to this type of attack. Normal TCP traffic (with or without the SYN bit) should not trigger a LandAttackDenial alert. LandAttackDenial alerts are generally provided by network-based intrusion detection systems and network infrastructure devices such as firewalls or routers. AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial > SmurfDenial SmurfDenial alerts reflect a specific type of CoreDenial alert where the intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service by a 'Smurf' attack. A Smurf attack attempts to exploit a vulnerability in some network infrastructure devices by sending ICMP Echo 461 Security Events Requests to devices that will re-broadcast the traffic to internal devices. In response to the broadcast Echo Request, all of the devices will send an ICMP Echo Reply, which will effectively overflow the device. The destination of the ICMP Echo Reply is a spoofed 'victim' IP address which will also be overflowed by the actual replies sent to their host. 
This will render both devices useless either temporarily or for a significant amount of time. SmurfDenial alerts are generally provided by network-based intrusion detection systems and network infrastructure devices such as firewalls or routers. AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial > SnorkDenial SnorkDenial alerts reflect a specific type of CoreDenial alert where the intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service by a 'Snork' attack. A Snork attack attempts to exploit a vulnerability in Windows NT devices by using the Windows RPC service and sending packets to devices that will broadcast the traffic to other internal Windows NT devices using RPC. In response to the broadcast, all of the Windows NT devices will send another packet, and this process will continue until it effectively overflows the device and possibly the network. The destination or source of the initial packet is a spoofed 'victim' IP address which will create the illusion of internal activity. This will render both devices useless either temporarily or for a significant amount of time. SnorkDenial alerts are generally provided by network-based intrusion detection systems and network infrastructure devices such as firewalls or routers. AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial > SynFloodDenial SYNFloodDenial alerts reflect a specific type of CoreDenial alert where the intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service by a TCP-based 'flood' attack (which uses many very large TCP packets with the SYN bit set). 
The network infrastructure devices handling the traffic may pass on the traffic correctly, however, any vulnerable client or device on the network may not be able to process the incoming traffic (it may use up system resources to the point where the device is rendered useless and cannot accept network connections). Normal TCP Traffic (with or without the SYN flag) should not trigger a SYNFloodDenial alert. SYNFloodDenial alerts are generally provided by network-based intrusion detection systems and network infrastructure devices such as firewalls or routers. 462 Appendix B: Events AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial > TeardropDenial TeardropDenial alerts reflect a specific type of CoreDenial alert where the intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service by a teardrop attack (which uses many overlapping IP fragments, usually either much larger or smaller than normal fragments). The network infrastructure devices handling the traffic will reassemble and pass on the traffic correctly, however, any vulnerable client on the network may not be able to reassemble the fragmented traffic (it may be reassembled in such a way that triggers a host or service crash). Unpatched Windows NT and 95/98 clients are especially vulnerable to this type of attack. Normal IP fragmentation (data that has been taken apart because it is too large based on network parameters) should not trigger a TeardropDenial alert. TeardropDenial alerts are generally provided by network-based intrusion detection systems and network infrastructure devices such as firewalls or routers. 
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial > UDPBombDenial UDPBombDenial alerts reflect a specific type of CoreDenial alert where the intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service by a UDP-based 'bomb' attack (which uses many large UDP packets). The network infrastructure devices handling the traffic may pass on the traffic correctly, however, any vulnerable client or device on the network may not be able to process the incoming traffic (it may be processed in such a way that triggers a host or service crash). Normal UDP Traffic should not trigger a UDPBombDenial alert. UDPBombDenial alerts are generally provided by network-based intrusion detection systems and network infrastructure devices such as firewalls or routers. AttackBehavior > ResourceAttack > NetworkAttack > Denial > ConfigurationDenial ConfigurationDenial events are a specific type of Denial event where the transport of the malicious or abusive usage is protocols related to configuration of resources (DHCP, BootP, SNMP, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. ConfigurationDenial events may be attempts to exploit weaknesses in configuration-related software to gain access to a host system, attempts to exploit 463 Security Events weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities. These alerts are generally provided by network-based intrusion detection systems, but may also be provided by firewalls or other network infrastructure devices. AttackBehavior > ResourceAttack > NetworkAttack > Denial > FileSystemDenial FileSystemDenial events are a specific type of Denial event where the transport of the malicious or abusive usage is remote filesystem-related protocols (NFS, SMB, etc.). 
The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. FileSystemDenial events may be attempts to exploit weaknesses in remote filesystem services or software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities. These alerts are generally provided by network-based intrusion detection systems, but may also be provided by firewalls or other network infrastructure devices.

AttackBehavior > ResourceAttack > NetworkAttack > Denial > LinkControlDenial

LinkControlDenial events are a specific type of Denial event where the transport of the malicious or abusive usage is link level protocols (such as ARP). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. LinkControlDenial events may be attempts to exploit weaknesses in link-level control software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities. These alerts are generally provided by network-based intrusion detection systems, but may also be provided by firewalls or other network infrastructure devices.

AttackBehavior > ResourceAttack > NetworkAttack > Denial > RemoteProcedureDenial

RemoteProcedureDenial events are a specific type of Denial event where the transport of the malicious or abusive usage is remote procedure-related protocols (traditional RPC, RMI, CORBA, etc.) or services (portmapper, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack.
RemoteProcedureDenial events may be attempts to exploit weaknesses in remote procedure services or software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities. These alerts are generally provided by network-based intrusion detection systems, but may also be provided by firewalls or other network infrastructure devices.

AttackBehavior > ResourceAttack > NetworkAttack > Denial > RemoteProcedureDenial > RPCPortmapperDenial

RPCPortmapperDenial events are a specific type of Denial event where the transport of the malicious or abusive usage is remote procedure-related protocols, specifically related to the RPC portmapper service. The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. RPCPortmapperDenial events may be attempts to exploit weaknesses in the remote procedure service or software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities. These alerts are generally provided by network-based intrusion detection systems, but may also be provided by firewalls or other network infrastructure devices.

AttackBehavior > ResourceAttack > NetworkAttack > Denial > RoutingDenial

RoutingDenial events are a specific type of Denial event where the transport of the malicious or abusive usage is routing-related protocols (RIP, IGMP, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. RoutingDenial events may be attempts to exploit weaknesses in routers or routing software to gain access to a host system, attempts to exploit weaknesses in the routing software or service to enumerate or reconfigure, or other denial of service activities.
These alerts are generally provided by network-based intrusion detection systems, but may also be provided by firewalls or other network infrastructure devices.

AttackBehavior > ResourceAttack > NetworkAttack > Denial > TrojanTrafficDenial

TrojanTrafficDenial events are a specific type of Denial event where the transport of the malicious or abusive usage originates with malicious code on a client system known as a Trojan. The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. TrojanTrafficDenial events may be attempts to exploit weaknesses in software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, attempts to spread the Trojan to other hosts, or other denial of service activities. These alerts are generally provided by network-based intrusion detection systems, but may also be provided by firewalls or other network infrastructure devices.

AttackBehavior > ResourceAttack > NetworkAttack > Relay

Children of the Relay tree define events centered on malicious or abusive usage of network bandwidth/traffic where the intention, or the result, is relaying inappropriate or abusive access to other network resources (either internal or external). Generally, these attacks will have the perimeter or an internal host as their point of origin. When sourced from remote hosts, they may indicate a successful exploit of an internal or perimeter host. These alerts are generally provided by network-based intrusion detection systems, but may also be provided by firewalls or other network infrastructure devices.

AttackBehavior > ResourceAttack > NetworkAttack > Relay > DDOSToolRelay

DDOSToolRelay events reflect potential network traffic related to known Distributed Denial of Service connectors.
These connectors are used to relay attacks to new remote (and possibly local) hosts to exploit or inundate the remote host with data in an attempt to cripple it. Generally, these attacks will have a perimeter or an internal host as their point of origin. When sourced from remote hosts, they may indicate a successful exploit of an internal or perimeter host. These alerts are generally provided by network-based intrusion detection systems, but may also be provided by firewalls or other network infrastructure devices. Appropriate response to these events may be to restrict the source from accessing any external network, running a virus scanner or other detection utility to detect and remove the presence of any relay connector (in some cases known as a 'zombie'), and if necessary, to quarantine the source node from the network to further isolate the issue. If these events are sourced from a completely external network, blocking the remote host, better access control of clients, servers, and services (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), application of updates or patches to servers and/or clients, or the possible removal of the service related to this event may also be appropriate actions.

AttackBehavior > ResourceAttack > NetworkAttack > Relay > FileTransferRelay

FileTransferRelay events reflect potential network traffic related to known attack connectors that operate over file transfer protocols. These connectors are used to relay attacks to new remote (and possibly local) hosts to exploit or abuse services. Generally, these attacks will have a perimeter or an internal host as their point of origin. When sourced from remote hosts, they may indicate a successful exploit of an internal or perimeter host.
These alerts are generally provided by network-based intrusion detection systems, but may also be provided by the file transfer software itself, and firewalls or other network infrastructure devices. Appropriate response to these events may be to restrict the source from accessing any external network, running a virus scanner or other detection utility to detect and remove the presence of any relay connector, and if necessary, to quarantine the source node from the network to further isolate the issue. If these events are sourced from a completely external network, blocking the remote host, better access control of file transfer servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), application of updates or patches to file transfer servers and/or clients, or the possible removal of the file transfer service or client application related to this event may also be appropriate actions.

AttackBehavior > ResourceAttack > NetworkAttack > Relay > FileTransferRelay > FTPBounce

FTPBounce events are a specific type of FileTransferRelay related to known attack connectors using file transfer protocols that are used to launder connections to other services, redirect attacks to other hosts or services, or to redirect connections to other hosts or services. Generally, these attacks will have a perimeter or an internal host as their point of origin. When sourced from remote hosts, they may indicate a successful exploit of an internal or perimeter host. These alerts are generally provided by network-based intrusion detection systems, but may also be provided by the file transfer software or service itself, and firewalls or other network infrastructure devices.
Appropriate response to these events may be to restrict the source from accessing any external network, running a virus scanner or other detection utility to detect and remove the presence of any relay connector, and if necessary, to quarantine the source node from the network to further isolate the issue. If these events are sourced from a completely external network, blocking the remote host, better access control of file transfer servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), application of updates or patches to file transfer servers and/or clients, or the possible removal of the file transfer service or client application related to this event may also be appropriate actions.

AttackBehavior > ResourceAttack > ServiceProcessAttack

Members of the ServiceProcessAttack tree are used to define events centered on malicious or abusive usage of services or user processes. These events include abuse or misuse of resources from malicious code placed on the client system.

AttackBehavior > ResourceAttack > ServiceProcessAttack > VirusAttack

VirusAttack alerts reflect malicious code placed on a client or server system, which may lead to system or other resource compromise and may lead to further attack. The severity of this alert will depend on the ActionTaken field, which reflects whether the virus or other malicious code was successfully removed. These alerts are usually provided by a virus scanner running on the client system. Appropriate response to these alerts may entail a quarantine of the node from the network to prevent further outbreak, updates of virus scanner pattern files on other network nodes to prevent further outbreak, virus scans on other network nodes to detect further outbreak if any has taken place, and research into the offending virus to find out methods of removal.
AttackBehavior > ResourceAttack > ServiceProcessAttack > VirusSummaryAttack

VirusSummaryAttack alerts reflect malicious code placed on a client or server system, which may lead to system or other resource compromise and may lead to further attack. The severity of this alert will depend on the ActionTaken field, which reflects whether the virus or other malicious code was successfully removed. These alerts differ from VirusAttack in that they may be a composite of virus events, normally due to a scheduled scan on the client system as opposed to a real-time scan. These alerts are usually provided by a virus scanner running on the client system. Appropriate response to these alerts may entail a quarantine of the node from the network to prevent further outbreak, updates of virus scanner pattern files on other network nodes to prevent further outbreak, virus scans on other network nodes to detect further outbreak if any has taken place, and research into the offending virus to find out methods of removal.

GeneralSecurity

GeneralSecurity alerts are generated when a supported product outputs data that has not yet been normalized into a specific alert, but is known to be security issue-related.

SuspiciousBehavior

Events that are children of SuspiciousBehavior are generally related to network activity that may consist of enumeration of resources, unexpected traffic, abnormal authentication events, or other abnormal behavior that should be considered indicative of a serious security event.

SuspiciousBehavior > AuthSuspicious

Members of the AuthSuspicious tree are used to define events regarding suspicious authentication and authorization events. These events include excessive failed authentication or authorization attempts, suspicious access to unauthenticated users, and suspicious access to unauthorized services or information.
SuspiciousBehavior > AuthSuspicious > FailedAuthentication

FailedAuthentication events occur when a user has made several attempts to authenticate which have repeatedly failed, or when a logon failure is serious enough to merit a security event on a single failure.

SuspiciousBehavior > AuthSuspicious > GuestLogin

GuestLogin events describe user authentication events where an attempt was made, successfully or unsuccessfully, to grant access to a user that generally has no password assigned (such as anonymous, guest, or default) and no special privileges. A user with this level of privilege may be granted access to enough of the client system to begin exploitation. These events are usually produced by a client or server operating system, but may also be produced by a network-based IDS or network infrastructure device when it is possible or appropriate.

SuspiciousBehavior > AuthSuspicious > RestrictedInformationAttempt

RestrictedInformationAttempt events describe a user attempt to access local or remote information that their level of authorization does not allow. These events may indicate user attempts to exploit services which they are denied access to, or inappropriate access attempts to information.

SuspiciousBehavior > AuthSuspicious > RestrictedServiceAttempt

RestrictedServiceAttempt events describe a user attempt to access a local or remote service that their level of authorization does not allow. These events may indicate user attempts to exploit services which they are denied access to, or inappropriate access attempts to services.

SuspiciousBehavior > InferredSuspicious

InferredSuspicious alerts are reserved SuspiciousBehavior alerts used for describing suspicious behavior that is a composite of different types of alerts. These events will be defined and inferred by Contego Policy.
SuspiciousBehavior > ResourceSuspicious

Members of the ResourceSuspicious tree are used to define different types of suspicious access to network resources, where these resources may be network bandwidth/traffic, files, client processes or services, or other types of shared security-related 'commodities'.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious

Members of the NetworkSuspicious tree are used to define events regarding suspicious usage of network bandwidth/traffic. These events include unusual traffic and reconnaissance behavior detected on network resources.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon

Children of the Recon tree reflect suspicious network behavior with the intent of gathering information about target clients, networks, or hosts. Reconnaissance behavior may be valid behavior on a network, however, only as a controlled behavior in small quantities. Invalid reconnaissance behavior may reflect attempts to determine security flaws on remote hosts, missing access control policies that allow external hosts to penetrate networks, or other suspicious behavior that results in general information gathering without actively attacking.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Enumerate

Enumerate alerts reflect attempts to gather information about target networks, or specific target hosts, by sending active data which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the enumeration is generally attempting to acquire information that may reveal more than normal traffic to the target would.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Enumerate > ApplicationEnumerate

ApplicationEnumerate alerts reflect attempts to gather information about target hosts, or services on target hosts, by sending active application-layer data which will elicit responses that reveal information about the application or host. This enumeration may be a simple command sent to the application to attempt to fingerprint what is allowed or denied by the service, requests to the application which may enable an attacker to surmise the version and specific application running, and other information gathering tactics. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the host or application that may work correctly the first time - enabling them to modify their methodology to go on relatively undetected.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Enumerate > ApplicationEnumerate > FileTransferEnumerate

FileTransferEnumerate alerts reflect attempts to gather information about target hosts, or services on target hosts, by sending active application-layer data to file transfer services which will elicit responses that reveal information about the application or host. This enumeration may be a simple command sent to the file transfer service to attempt to fingerprint what is allowed or denied by the service, requests to the file transfer service that may enable an attacker to surmise the version and specific service running, and other information gathering tactics. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the file transfer service or application that may work correctly the first time - enabling them to modify their methodology to go on relatively undetected.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Enumerate > ApplicationEnumerate > FileTransferEnumerate > FTPCommandEnumerate

FTPCommandEnumerate alerts reflect attempts to gather information about target hosts, or services on target hosts, by sending active application-layer data to file transfer services which will elicit responses that reveal information about the application. This enumeration specifically entails commands sent to the FTP service to attempt to fingerprint what is allowed or denied by the service, requests to the FTP service that may enable an attacker to surmise the version and specific service running, and other information gathering tactics that use FTP commands to query. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the FTP service that may work correctly the first time - enabling them to modify their methodology to go on relatively undetected.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Enumerate > ApplicationEnumerate > MailEnumerate

MailEnumerate alerts reflect attempts to gather information about target hosts, or services on target hosts, by sending active application-layer data to mail-related services which will elicit responses that reveal information about the application or host. This enumeration may be a simple command sent to the mail service to attempt to fingerprint what is allowed or denied by the service, requests to the mail service that may enable an attacker to surmise the version and specific service running, and other information gathering tactics. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the mail service or application that may work correctly the first time - enabling them to modify their methodology to go on relatively undetected.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Enumerate > ApplicationEnumerate > MailEnumerate > SMTPCommandEnumerate

SMTPCommandEnumerate alerts reflect attempts to gather information about target hosts, or services on target hosts, by sending active application-layer data to mail-related services which will elicit responses that reveal information about the application. This enumeration specifically entails commands sent to the SMTP service to attempt to fingerprint what is allowed or denied by the service, requests to the mail service that may enable an attacker to surmise the version and specific service running, and other information gathering tactics that use SMTP commands to query. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the mail service that may work correctly the first time - enabling them to modify their methodology to go on relatively undetected.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Enumerate > ApplicationEnumerate > WebEnumerate

WebEnumerate alerts reflect attempts to gather information about target hosts, or services on target hosts, by sending active application-layer data to web-related services which will elicit responses that reveal information about the application or host. This enumeration may be a simple command sent to the web service to attempt to fingerprint what is allowed or denied by the service, requests to the web service that may enable an attacker to surmise the version and specific service running, and other information gathering tactics. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the web service or application that may work correctly the first time - enabling them to modify their methodology to go on relatively undetected.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Enumerate > BannerGrabbingEnumerate

BannerGrabbingEnumerate alerts reflect attempts to gather information about target hosts, or services on target hosts, by sending a request which will elicit a response containing the host or service's 'banner'. This 'banner' contains information that may provide a potential attacker with such details as the exact application and version running behind a port. These details could be used to craft specific attacks against hosts or services that an attacker may know will work correctly the first time - enabling them to modify their methodology to go on relatively undetected.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Enumerate > MSNetworkingEnumerate

MSNetworkingEnumerate alerts reflect attempts to gather information about target hosts, or services on target hosts, by sending active data to Microsoft networking services (using protocols such as NetBIOS and SMB/CIFS) that will elicit responses that reveal information about the application, host, or target network. This enumeration may be a simple command sent to the networking service to attempt to fingerprint what is allowed or denied by a service, requests to a service that may enable an attacker to surmise the version and specific service running, requests to a service that may enable an attacker to fingerprint the target network, and other information gathering tactics. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the networking service, host, or application that may work correctly the first time - enabling them to modify their methodology to go on relatively undetected.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Enumerate > RemoteProcedureEnumerate

RemoteProcedureEnumerate alerts reflect attempts to gather information about target hosts, or services on target hosts, by sending active data to Remote Procedure services (using protocols such as RMI, CORBA, and traditional RPC) that will elicit responses that reveal information about the application or host. This enumeration may be a simple command sent to the remote procedure service to attempt to fingerprint what is allowed or denied by the service, requests to the remote procedure service that may enable an attacker to surmise the version and specific service running, and other information gathering tactics. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the remote procedure service or application that may work correctly the first time - enabling them to modify their methodology to go on relatively undetected.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Enumerate > RemoteProcedureEnumerate > RPCPortmapperEnumerate

RPCPortmapperEnumerate alerts reflect attempts to gather information about target hosts, or services on target hosts, by sending active data to the Portmapper Remote Procedure service that will elicit responses that reveal information about the application or host. This enumeration may be a simple command sent to the portmapper service to attempt to fingerprint what is allowed or denied by the service, requests to the portmapper service that may enable an attacker to surmise the version and specific service running, and other information gathering tactics.
These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the portmapper service or client application that may work correctly the first time - enabling them to modify their methodology to go on relatively undetected.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Enumerate > RemoteProcedureEnumerate > RPCPortScanEnumerate

RPCPortScanEnumerate alerts reflect attempts to gather information about target hosts, or services on target hosts, by sending active data to Remote Procedure services (using protocols such as RMI, CORBA, and traditional RPC) that will elicit responses that reveal information about the application or host. This specific type of enumeration is done by sending queries to RPC related ports to attempt to fingerprint the types and specific services running, and may involve other information gathering tactics. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the remote procedure service or application that may work correctly the first time - enabling them to modify their methodology to go on relatively undetected.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Footprint

Footprint alerts reflect attempts to gather information about target networks by tracing the network through routers, clients, servers, or other network infrastructure devices. The originating source of the footprint is generally attempting to acquire information that may reveal more about network behavior than normal traffic to the target would.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Footprint > DNSRequestFootprint

DNSRequestFootprint alerts are a specific type of Footprint alert that reflects a DNS record request that may serve to reveal DNS configuration.
Contained within this DNS configuration may be information that reveals internal networks, protected devices, or IP addresses of potential targets.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Footprint > FirewalkingFootprint

FirewalkingFootprint alerts are a specific type of Footprint alert that reflects the usage of a connector that attempts to gather information about network infrastructure device access control and filtering lists. Firewalking works by passing TCP and UDP packets to determine what packets a given device will forward. This activity may reflect attempts to enumerate devices beyond the perimeter of a network, gathering information about activity that is allowed or denied past given gateways.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Footprint > TraceRouteFootprint

TraceRouteFootprint alerts are a specific type of Footprint alert that reflects an IP packet route trace from source to destination. Generally, this route will not reveal specific information about device types or hosts on a network, but will trace the path of IP traffic across routing devices. This traffic may be an attempt to discover routing devices that are misconfigured (which may be vulnerable to attacks such as IP spoofing or IP fragmentation).

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan

Scan alerts reflect attempts to gather information about target networks, or specific target hosts, by sending scans which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, information such as a list of applications listening on ports, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan > CoreScan

CoreScan alerts reflect attempts to gather information about target networks, or specific target hosts, by sending scans over core network protocols (TCP, IP, ICMP, UDP) which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, information such as a list of applications listening on ports, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan > CoreScan > HostScan

HostScan alerts reflect attempts to gather information about specific target hosts by sending scans which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as a list of applications on the host, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts. These scans generally do not occur across entire networks and generally have the intent of discovering operating system and application information which may be used for further attack preparation.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan > CoreScan > ICMPQuery

ICMPQuery alerts reflect attempts to gather information about specific target hosts, or networks, by sending ICMP-based queries that will elicit responses that reveal information about clients, servers, or other network infrastructure devices.
The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as operating system information and other information that a probe may discover without enumeration of the specific services or performing attack attempts. These scans generally do not occur across entire networks, contain many sequential ICMP packets, and generally have the intent of discovering operating system and application information which may be used for further attack preparation.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan > CoreScan > PingSweep

PingSweep alerts reflect a specific type of CoreScan alert that describes an attempt to gather information about target networks, and hosts on those networks, by sending ICMP or TCP ping packets to test whether hosts are alive. The originating source of the scan is generally attempting to acquire information about network topology or groups of specific hosts on the network and may have the intent of gathering information for future attack attempts.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan > CoreScan > PingSweep > ICMPPingSweep

ICMPPingSweep alerts reflect a specific type of CoreScan alert that describes an attempt to gather information about target networks, and hosts on those networks, by sending ICMP ping packets to test whether hosts are alive. The originating source of the scan is generally attempting to acquire information about network topology or groups of specific hosts on the network and may have the intent of gathering information for future attack attempts.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan > CoreScan > PingSweep > TCPPingSweep TCPPingSweep alerts reflect a specific type of CoreScan alert that describe an attempt to gather information about target networks, and hosts on those networks, by sending TCP ping packets to test whether hosts are alive. The originating source of the scan is generally attempting to acquire information about network topology or groups of specific hosts on the network and may have the intent of gathering information for future attack attempts. SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan > CoreScan > PortScan PortScan alerts reflect attempts to gather information about target networks, or specific target hosts, by sending scans over core network protocols (TCP, IP, ICMP, UDP) that will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as a list of applications listening on ports, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts. 477 Security Events Portscans specifically operate by sending probes to every port within a range, attempting to identify open ports that may use applications or services that are easy to enumerate and attack. SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan > CoreScan > PortScan > TCPPortScan TCPPortScan alerts reflect attempts to gather information about target networks, or specific target hosts, by sending scans over TCP that will elicit responses that reveal information about clients, servers, or other network infrastructure devices. 
The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as a list of applications listening on ports, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts. TCP portscans specifically operate by sending TCP probes to every port within a range, attempting to identify open ports that may use applications or services that are easy to enumerate and attack. SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan > CoreScan > PortScan > UDPPortScan UDPPortScan alerts reflect attempts to gather information about target networks, or specific target hosts, by sending scans over UDP that will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as a list of applications listening on ports, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts. UDP portscans specifically operate by sending UDP probes to every port within a range, attempting to identify open ports that may use applications or services that are easy to enumerate and attack. SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan > CoreScan > StackFingerprint StackFingerprint alerts reflect attempts to gather information about specific target hosts by sending a certain set of packets to probe a device's network stack, which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. 
The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as operating system information (including type and version) and other information that a probe may discover without enumeration of the specific 478 Appendix B: Events services or performing attack attempts. These scans generally do not occur across entire networks and generally have the intent of discovering operating system information which may be used for further attack preparation. SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan > CoreScan > StackFingerprint > ICMPStackFingerprint ICMPStackFingerprint alerts reflect attempts to gather information about specific target hosts by sending a certain set of ICMP packets to probe a device's ICMP stack, which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as operating system information (including type and version) and other information that a probe may discover without enumeration of the specific services or performing attack attempts. These scans generally do not occur across entire networks and generally have the intent of discovering operating system information which may be used for further attack preparation. SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan > CoreScan > StackFingerprint > TCPStackFingerprint TCPStackFingerprint alerts reflect attempts to gather information about specific target hosts by sending a certain set of TCP packets to probe a device's TCP/IP stack, which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. 
The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as operating system information (including type and version) and other information that a probe may discover without enumeration of the specific services or performing attack attempts. These scans generally do not occur across entire networks and generally have the intent of discovering operating system information which may be used for further attack preparation. SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan > TrojanScanner TrojanScanner alerts reflect attempts of Trojans on the network to gather information about target networks, or specific target hosts, by sending scans which will elicit responses that reveal information about the host. The originating Trojan source of the scan is generally attempting to acquire information that will reveal whether a target host or network has open and available services for further exploitation, whether the target host or network is alive, and how much of 479 Security Events the target network is visible. A Trojan may run a scan before attempting an attack operation to test potential effectiveness or targeting information. SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > UnusualTraffic UnusualTraffic alerts reflect suspicious behavior on network devices where the traffic may have no known exploit, but is unusual and could be potential enumerations, probes, fingerprints, attempts to confuse devices, or other abnormal traffic. UnusualTraffic may have no impending response, however, it could reflect a suspicious host that should be monitored closely. 
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > UnusualTraffic > UnusualICMPTraffic UnusualICMPTraffic alerts reflect ICMP-based suspicious behavior on network devices where the traffic may have no known exploit, but is unusual and could be potential enumerations, probes, fingerprints, attempts to confuse devices, or other abnormal traffic. UnusualICMPTraffic may have no impending response, however, it could reflect a suspicious host that should be monitored closely. SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > UnusualTraffic > UnusualIPTraffic UnusualIPTraffic alerts reflect IP-based suspicious behavior on network devices where the traffic may have no known exploit, but is unusual and could be potential enumerations, probes, fingerprints, attempts to confuse devices, or other abnormal traffic. UnusualIPTraffic may have no impending response, however, it could reflect a suspicious host that should be monitored closely. SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > UnusualTraffic > UnusualProtocol UnusualProtocol alerts reflect suspicious behavior on network devices where the traffic is targeted at unknown, unassigned, or uncommonly used protocols. This traffic may have no known exploit, but is unusual and should be considered potential enumerations, probes, fingerprints, attempts to confuse devices, or other abnormal traffic. UnusualProtocol may have no impending response, however, it could reflect a suspicious host that should be monitored closely. SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > UnusualTraffic > UnusualTCPTraffic UnusualTCPTraffic alerts reflect TCP-based suspicious behavior on network devices where the traffic may have no known exploit, but is unusual and could be 480 Appendix B: Events potential enumerations, probes, fingerprints, attempts to confuse devices, or other abnormal traffic. 
UnusualTCPTraffic may have no impending response; however, it could reflect a suspicious host that should be monitored closely.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > UnusualTraffic > UnusualUDPTraffic

UnusualUDPTraffic alerts reflect UDP-based suspicious behavior on network devices where the traffic may have no known exploit, but is unusual and could be potential enumerations, probes, fingerprints, attempts to confuse devices, or other abnormal traffic. UnusualUDPTraffic may have no impending response; however, it could reflect a suspicious host that should be monitored closely.

Appendix C: Event Data Fields

The following table explains the meaning of each grid column or data field that can appear in various alert grids, event grids, and information panes throughout the Console. The actual columns and fields that are shown vary according to the alert, view, or grid you are working with, but the meaning of these fields remains the same, regardless of where you see them. For convenience, the fields are listed in alphabetical order.

Grid column or field | Description
EventName | The name of the alert.
ConnectionName | The name of the dial-up or VPN connection.
ConnectionStatus | The current status of the dial-up or VPN connection.
DestinationMachine | The IP address the network traffic is going to.
DestinationPort | The port number the network traffic is going to.
DetectionIP | The network node that is the originating source of the alert data. This is usually a Manager or an Agent and is the same as the InsertionIP field, but it can also be a network device such as a firewall or an intrusion detection system that may be sending log files over a remote logging protocol.
DetectionTime | The time the network node generated the data. This is usually the same as the InsertionTime field, but they can differ when the Agent or Manager is reading historical data, or if a network device has an incorrect time setting.
EventInfo | A short summary of the alert details. Additional details appear in the following fields, but EventInfo provides enough information to view a "snapshot" of the alert information.
ExtraneousInfo | Extra information that is relevant to the alert, but may not be reflected in other fields. This can include information useful for correlating or summarizing alert information in addition to the EventInfo field.
Host | The node the log message came from (that is, the LEM or Agent that collected the message for forwarding to nDepth).
HostFromData | The originating network device (if different from the node) that the message came from. Normally, Host and HostFromData are the same, but in the case of a remote logging device (such as a firewall) this field reports the original remote device's address.
InferenceRule | The name of the correlation that caused this alert. The InferenceRule field will generally be blank, but in cases where the alert was related to a rule, it displays the rule name.
InsertionIP | The Manager or Agent that first created the alert. This is the source that first read the log data from a file or other source.
InsertionTime | The time the Manager or Agent first created the alert. This time indicates when the data was read from a log file or other source.
IPAddress | The IP address associated with the alert. This is a composite field, drawn from several different alert fields. It shows all the IP addresses that appear in alert data.
Manager | The name of the Manager that received the alert. For data generated from an Agent, this is the Manager the Agent is connected to.
Order | In the Event explorer's event grid, the Order field uses an icon to indicate when each event occurred relative to the central event shown in the event map: before it, during it (as part of it), or after it.
Protocol | Displays the protocol associated with this alert (TCP or UDP).
ProviderSID | A unique identifier for the original data. Generally, the ProviderSID field includes information that can be used in researching information on the alert in the originating network device vendor's documentation.
SourceMachine | The IP address the network traffic is coming from.
SourcePort | The port number the network traffic is coming from.
ConnectorAlias | The Alias Name entered when configuring the connector on the Manager or Agent.
ConnectorId | The actual connector that generated the log message.
ConnectorType | Connector category for the connector that generated the log message.
Username | The user name associated with the alert. This is a composite field, drawn from several different alert fields. It shows all the places that user names appear in alert data.
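The CoreScan categories in Appendix B (PortScan, PingSweep) are defined by traffic shape, and Appendix C names the fields an alert carries. The following added example, which is not SolarWinds code, groups constructed flow records keyed by SourceMachine, DestinationMachine, DestinationPort and Protocol and emits an alert with the matching EventName and taxonomy path. The thresholds, the ICMP Protocol value (Appendix C lists only TCP and UDP), the EventPath key and the sample addresses are assumptions.

```python
"""Classify constructed flow records into LEM CoreScan event names."""
from collections import defaultdict

# Taxonomy paths copied from the Appendix B event descriptions.
CORESCAN = ("SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious"
            " > Recon > Scan > CoreScan")
EVENT_PATHS = {
    "TCPPortScan": f"{CORESCAN} > PortScan > TCPPortScan",
    "UDPPortScan": f"{CORESCAN} > PortScan > UDPPortScan",
    "TCPPingSweep": f"{CORESCAN} > PingSweep > TCPPingSweep",
    "ICMPPingSweep": f"{CORESCAN} > PingSweep > ICMPPingSweep",
}


def _alert(name, src, dsts, ports):
    """Build an alert dict using the Appendix C field names."""
    info = f"{name} from {src} to {len(dsts)} host(s)"
    if ports:
        info += f" on {len(ports)} port(s)"
    return {
        "EventName": name,
        "EventPath": EVENT_PATHS[name],   # assumed extra key, not a LEM field
        "EventInfo": info,
        "SourceMachine": src,
        "DestinationMachine": dsts,
        "DestinationPort": ports,
    }


def detect_scans(records, port_threshold=20, host_threshold=10):
    """Return one alert per detected scan.

    records: iterable of dicts keyed SourceMachine, DestinationMachine,
    DestinationPort, Protocol ("TCP", "UDP" or the assumed "ICMP").
    Thresholds are assumptions, not LEM's built-in rule values.
    """
    # source -> protocol -> destination -> set of destination ports
    seen = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    for r in records:
        seen[r["SourceMachine"]][r["Protocol"]][r["DestinationMachine"]].add(
            r["DestinationPort"])

    alerts = []
    for src, by_proto in seen.items():
        for proto, by_dst in by_proto.items():
            if proto == "ICMP":
                # ICMP echo to many hosts: the page's ICMPPingSweep shape.
                if len(by_dst) >= host_threshold:
                    alerts.append(_alert("ICMPPingSweep", src, sorted(by_dst), None))
                continue
            # PortScan: probes to many ports on one host over one protocol.
            scan_name = f"{proto}PortScan"
            if scan_name in EVENT_PATHS:
                for dst, ports in by_dst.items():
                    if len(ports) >= port_threshold:
                        alerts.append(_alert(scan_name, src, [dst], sorted(ports)))
            # PingSweep: a single port touched on many hosts (TCP only).
            sweep_name = f"{proto}PingSweep"
            all_ports = set().union(*by_dst.values())
            if (sweep_name in EVENT_PATHS and len(by_dst) >= host_threshold
                    and len(all_ports) == 1):
                alerts.append(_alert(sweep_name, src, sorted(by_dst), sorted(all_ports)))
    return alerts


def _flows(src, dsts, proto, ports):
    """Constructed flow records (not captured traffic) for the demo."""
    return [{"SourceMachine": src, "DestinationMachine": d,
             "Protocol": proto, "DestinationPort": p}
            for d in dsts for p in ports]


# Constructed sample: one TCP port scan, one ICMP sweep, one TCP sweep,
# and repeated benign HTTPS from a fourth host that must not alert.
SAMPLE_RECORDS = (
    _flows("10.0.0.5", ["10.0.0.20"], "TCP", range(1, 41))
    + _flows("10.0.0.7", [f"10.0.1.{i}" for i in range(1, 16)], "ICMP", [0])
    + _flows("10.0.0.8", [f"10.0.2.{i}" for i in range(1, 13)], "TCP", [80])
    + _flows("10.0.0.9", ["10.0.0.20"], "TCP", [443]) * 5
)

if __name__ == "__main__":
    for a in detect_scans(SAMPLE_RECORDS):
        print(a["EventName"], "|", a["EventInfo"])
```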
484 Appendix D: Connector Categories FileName Description Version 3comswitch.xml 3Com Switch 7374 actianceusg.xml Actiance Unified Secur- 7374 ity Gateway activescout.xml ActiveScout 7374 AIXauditlog.xml AIX Audit 7405 AIXsyslog.xml AIX Syslog 7426 AlliedTelesis.xml Allied Telesis Routers and Switches 7374 amavis.xml AMaViS 7374 ApacheAccessLog.xml Apache Access 7374 ApacheErrorLog.xml Apache Error 7374 apcinfrastruxure.xml APC InfraStruXure 7374 arraynetworksspx.xml Array Networks SPX 7374 aruba.xml Aruba Wireless Access Point 7374 aruba3x.xml Aruba Wireless Access Point 3x 7374 as400.xml Legacy TriGeo Agent AS400 Tool 7453 astarosg.xml Astaro Security Gate- 7374 485 Appendix D: Connector Categories FileName Description Version way atlas.xml Adtran Atlas Switch 7374 aventail.xml SonicWALL Aventail SSL VPN E-Class 7374 avgnetworkserver.xml AVG DataCenter 7.5 7374 avgnetworkserver.xml AVG DataCenter 8.0 7374 avgworkstation.xml AVG 7.5 Network 7374 AxcientUMC.xml Axcient Unified Management Console (UMC) 7380 BackupExecSR.xml Symantec Backup Exec System Recovery 7374 barracudaadmin.xml Barracuda Admin 7374 barracudaNG.xml Barracuda NG Firewall (Phion Netfence) 7374 barracudaweb.xml Barracuda Web Filter 7374 BarracudaWebAppFW.xml Barracuda Web Applic- 7374 ation Firewall bind.xml Bind 7374 biopassword.xml BioPassword 7374 Bit9Parity.xml Bit9 Parity v5+ Syslog 7492 bladerackswitch.xml Blade RackSwitch 7374 bluecoatproxySG.xml Blue Coat ProxySG 7399 486 Appendix D: Connector Categories FileName Description Version bluecoatproxysgwa.xml Blue Coat Proxy SG web access 7379 bordermanager.xml Novell BorderManager 7374 bordermanagerwebproxy.xml Novell BorderManager Web Proxy 7374 Borderware.xml Borderware Firewall 7374 brightstor.xml CA's BrightStor v11.5 7374 checkpointedgex.xml Checkpoint Edge X Firewall 7374 ciscoacsadminaudit.xml Cisco ACS Admin Audit 4.1+ 7387 ciscoacsadminaudit.xml Cisco ACS Admin Audit 7387 ciscoacsbackup.xml Cisco ACS Backup and Restore 7374 
ciscoacsdbr.xml Cisco ACS Database Replication 7374 ciscoacsdbs.xml Cisco ACS Database Sync 7374 ciscoacsexpress.xml Cisco ACS Express 7374 ciscoacsfailed.xml Cisco ACS Failed Attempts 7374 ciscoacspassauth.xml Cisco ACS Passed Authentications 7374 ciscoacspassword.xml Cisco ACS User Password Changes 7374 487 Appendix D: Connector Categories FileName Description Version ciscoacsradius.xml Cisco ACS RADIUS Accounting 7374 ciscoacsservmon.xml Cisco ACS Service Monitoring 7374 ciscoacssyslog.xml Cisco Secure ACS 4.1 Syslog 7374 ciscoacssyslog5.xml Cisco Secure ACS 5+ Syslog 7374 ciscoacstacacc.xml Cisco ACS TACACS+ Accounting 7374 ciscoacstacadmin.xml Cisco ACS TACACS+ Administration 7374 ciscoacsvoip.xml Cisco ACS VoIP 7374 ciscocatos.xml Cisco CatOS 7374 CiscoCSCSSM.xml Cisco Content Security and Control Security Services Module 6.16.2 7374 CiscoCSCSSM63.xml Cisco Content Security and Control Security Services Module 6.3+ 7374 ciscocss.xml Cisco Content Services Switch 7374 CiscoFirewalls.xml Cisco PIX and IOS 7443 CiscoIDS.xml Cisco IDS/IPS v4/5.x 7374 CiscoIPSsdee.xml Cisco IPS 5+ (SDEE) 7374 488 Appendix D: Connector Categories FileName Description CiscoNAC_CA.xml Cisco (NAC) Network 7422 Access Control Appliance with Clean Access Manager (CAM) or Server (CAS) Software cisconetworkregistrar.xml Cisco Network Registrar for Windows 7374 CiscoNXOS.xml Cisco Nexus NX-OS 7395 CiscoVPN.xml Cisco VPN 7374 ciscowlc.xml Cisco Wireless LAN Controller and IOS-XE Software 7388 citrixnetscaler.xml Citrix Secure Access Gateway Enterprise Appliance / Netscaler 7374 CitrixSAG.xml Citrix Secure Access Gateway 7374 CitrixXD.xml Citrix XenDesktop 7374 CitrixXS_auth.xml Citrix XenServer auth log 7374 CitrixXS_daemon.xml Citrix XenServer daemon log 7374 ClamAV.xml ClamAV 7374 codegreenci.xml CodeGreen Content Inspection 7374 codegreenciuser.xml CodeGreen Content 7374 489 Version Appendix D: Connector Categories FileName Description Version Inspection user commandavwindows.xml Command 
Antivirus for Windows 7374 CommandES.xml Command for Exchange Server 7374 consentrycontroller.xml ConSentry Controller 7374 ContegoManagerMonitor.xml Manager Monitor 7374 ContegoReports.xml SWLEM Reports 7374 corenteawb.xml Corente AWB 7374 cyberarkvault.xml Cyber-Ark Vault 7374 cyberguard.xml Cyberguard 7374 CyberoamUTM.xml Cyberoam UTM 7374 dellPowerConnect.xml Dell PowerConnect Switches 7374 devicelockevents.xml DeviceLock Audit 7374 devicelockevents.xml DeviceLock Events 7374 digitalpersona.xml DigitalPersona Pro 7374 dlinkdfl.xml D-Link DFL firewall 7374 dragonids.xml Dragon IDS 7374 edmzpar.xml eDMZ Password Auto Repository 7374 eeyeblinkep.xml eEye Blink Pro7380 fessional Endpoint Protection 490 Appendix D: Connector Categories FileName Description Version EFTServer.xml EFT Server Enterprise Windows Application Log 7374 emcrecoverpoint.xml EMC RecoverPoint 7374 enterasysswitch.xml Enterasys C-Series and N-Series Switches 7374 epo.xml ePolicy Orchestrator (ePO) 7380 epo45.xml ePolicy Orchestrator (ePO) 4.5+ 7467 esafe.xml eSafe 7374 esoft.xml eSoft 7374 esxcfgfirewall.xml VMWare ESX esxcfgfirewall log 7374 esxhostd.xml VMWare ESX hostd log 7483 esxihostd.xml VMWare ESXi Hostd log 7397 esxmessages.xml VMWare ESXi messages log 7406 esxmessages.xml VMWare ESX messages log 7406 esxsecure.xml VMWare ESX secure log 7429 esxvmkernel.xml VMWare ESXi vmkernel log 7392 491 Appendix D: Connector Categories FileName Description Version esxvmkernel.xml VMWare ESX vmkernel log 7392 esxvmkwarning.xml VMWare ESX vmkwarning log 7374 extremeswitch.xml Extreme Switch 7452 F5BigIPdaemon.xml F5 BigIP BSD daemon messages 7374 F5BigIPhttpd.xml F5 BigIP HTTPD specific 7374 F5BigIPLTMgeneral.xml F5 General BIG-IP spe- 7454 cific messages F5BigIPmessages.xml F5 BigIP messages 7374 FileSure.xml FileSure 7374 FirePass.xml FirePass SSL VPN 7374 fireproof.xml FireProof 7374 flexteller.xml Flex Teller 7374 forefrontapp.xml Forefront Security Application Log (Client Security, Exchange and 
Sharepoint) 7374 forefrontEPAV.xml Forefront Endpoint Pro- 7374 tection - AV forefrontSQLDB.xml Forefront Security SQL Database 7374 forefrontsys.xml Forefront Security System Log (Client Secur- 7374 492 Appendix D: Connector Categories FileName Description Version ity) forescoutcounteractnac.xml ForeScout CounterACT NAC 7374 fortigate25.xml FortiGate 2.5 7374 fortigate28.xml FortiGate 2.8+ 7448 foundry.xml Foundry 7374 freebsdauth.xml FreeBSD Authentication 7374 freeradius.xml FreeRADIUS 7374 freshclam.xml FreshClam 7374 fsecureav.xml F-Secure Anti-Virus 7 7374 GFIsim.xml GFI LANguard System Integrity Monitor 3 7374 globalscapeeftclient.xml Globalscape EFT client 7374 globalscapeftp.xml Globalscape Secure FTP (W3C Extended file format) 7407 GnatBox.xml GNAT Box System Software v.3.3 7415 GroupShield.xml Group Shield/Outbreak for Exchange Server 7374 hp_procurve.xml HP ProCurve Switches 7374 Firmware F.05.65+ Zl Series 493 Appendix D: Connector Categories FileName Description Version hp_procurve_msm700_series.xml HP MSM700 Series Controller 7436 hpbladesystemenclosure.xml HP BladeSystem Enclosure local log 7374 hpbladesystemenclosure.xml HP BladeSystem Enclosure auth log 7374 hpstorwksmsa.xml HP StorageWorks Mod- 7374 ular Smart Array hpuxsyslog.xml HP-ux Syslog 7374 HuaweiSwitches.xml Huawei Switches 7374 iasradius.xml IAS RADIUS Rotating File 7374 iasradius.xml IAS RADIUS NonRotating File 7374 IASsystem.xml Windows IAS System Log 7374 IIS.xml Microsoft IIS Web 7374 Server 7.0 (W3C Extended file format) IIS.xml Microsoft IIS Web 7374 Server 6.0 (W3C Extended file format) IIS.xml Microsoft IIS Web 7374 Server 5.0 (W3C Extended file format) iisftp.xml Microsoft IIS FTP 7374 Server 7.0 (W3C Exten- 494 Appendix D: Connector Categories FileName Description Version ded file format) iisftp.xml Microsoft IIS FTP 7374 Server 5+ (W3C Extended file format) ingatesipfw.xml Ingate Firewall 7374 InoculateIT60.xml InoculateIT 6.0 7374 InoculateIT70plus.xml InoculateIT 7.0+ 7374 
intrushield.xml IntruShield 7490 ipfilter.xml IP Filter 7374 iprism.xml St. Bernard iPrism 7374 ironportemailsecurity.xml IronPort Email Security Appliance 7374 ironportwebsecurity.xml IronPort Web Security 7374 ISA2004FirewallLog.xml Microsoft ISA 2004/2006 Firewall (ISA Server file format) 7374 ISA2004ProxyLog.xml Microsoft ISA 2004 7374 Web Proxy (ISA Server file format) ISA2004W3CFirewall.xml Microsoft ISA 2004/2006 Firewall (W3C Server file format) 7374 ISA2004W3CWebProxy.xml Microsoft ISA 2004 Web Proxy (W3C Server file format) 7374 495 Appendix D: Connector Categories FileName Description ISA2006ProxyLog.xml Microsoft ISA 2006 7374 Web Proxy (ISA Server file format) ISA2006W3CWebProxy.xml Microsoft ISA 2006 Web Proxy (W3C Server file format) 7374 ISAApplication.xml Microsoft ISA Server Application Log 7374 ISAFirewallLog.xml Microsoft ISA 2000 Firewall (ISA Server file format) 7374 ISAPackertFilterLog.xml Microsoft ISA Packet Filter (ISA Server file format) 7374 isapi_redirect.xml Apache Tomcat isapi_ redirect 7374 ISAProxyLog.xml Microsoft ISA Web Proxy (ISA Server file format) 7374 ISAW3CFirewallLog.xml Microsoft ISA Firewall (W3C Extended file format) 7374 ISAW3CPackertFilterLog.xml Microsoft ISA Packet Filter (W3C Extended file format) 7374 ISAW3CProxyLog.xml Microsoft ISA Web Proxy (W3C Extended file format) 7374 496 Version Appendix D: Connector Categories FileName Description Version issproventia.xml ISS Proventia IPS 7380 issrealsecure.xml ISS RealSecure IDS 7380 jacocartcare.xml JACO CartCare 7374 juniperidp30.xml Juniper IDP 3.x 7374 juniperidp40.xml Juniper IDP 4.0+ 7374 junipernsm.xml Juniper NSM 7374 junipersbr_authaccepts.xml Juniper SBR authentication accepts report log 7374 junipersbr_authaccepts.xml Juniper SBR authentication accepts report log 7374 junipersbr_authrejects.xml Juniper SBR authentication rejects report log 7374 junipersbr_authrejects.xml Juniper SBR authentication rejects report log 7374 junipervgw.xml Juniper Virtual Gateway 
7374 junos.xml Juniper JUNOS 7455 KasperskyAdminKitDB.xml Kaspersky Security Center 7417 KasperskyAdminKitDB.xml Kaspersky Administration Kit 8 7417 497 Appendix D: Connector Categories FileName Description Version kasperskyav.xml Kaspersky Anti-Virus 6 7374 lancopestealthwatch.xml Lancope StealthWatch 7374 linkproof.xml LinkProof 7374 linuxauditd.xml Linux Auditd 7374 linuxdhcpd.xml DHCPd 7374 LogAgent.xml LogAgent for OS400 (Patrick Townsend Security Solutions) 7410 LOGbinderSP.xml LOGbinder for Sharepoint: Security Log 7374 LOGbinderSP.xml LOGbinder for Sharepoint: LOGbinder SP log 7374 lotus8.xml Lotus Notes and Domino Server 8 7374 MacOSXcrash.xml Mac OS X (crashreporter) 7374 MacOSXinstall.xml Mac OS X (install) 7374 MacOSXmail.xml Mac OS X (mail) 7374 MacOSXppp.xml Mac OS X (ppp) 7374 MacOSXsecure.xml Mac OS X (secure) 7374 MacOSXsystem.xml Mac OS X (system) 7374 Made2Manage.xml Made2Manage 7374 McAfeeAccessProtection.xml McAfee Access Pro- 7374 498 Appendix D: Connector Categories FileName Description Version tection McafeeAccessScanLogReader.xml McAfee On Access Scan v7.0 7374 McafeeActivityLog.xml McAfee Activity Log (4.5 DAT file update) 7374 mcafeeemailgateway.xml McAfee Email Gateway 7374 McAfeeMailScan.xml McAfee Mail Scan 7374 McAfeeNetShield.xml McAfee NetShield 7374 McAfeeTotalProtection.xml McAfee Total Protection 7374 McAfeeUpdateLogReader.xml McAfee Update v7.0 7374 McAfeeVSCLogReader.xml McAfee VSC 7374 McafeeVSHHomeReader.xml McAfee VSH Home 7374 McAfeeVSHLogReader.xml McAfee VSH 5.0/7.0 7374 McAfeeVSHOnDemandReader.xml McAfee VSH 85i 7374 McAfeeVSHOnDemandReader.xml McAfee VSH 80i 7374 McAfeeWebEmail.xml McAfee Web Email Scan 7374 mcafeewebgateway6x.xml McAfee Web Gateway v6.x 7374 meditech.xml Meditech 7374 meditechemraccess.xml Meditech EMR Access Log 7374 499 Appendix D: Connector Categories FileName Description Version motorola_wlancontroller.xml Motorola WLAN Controller 7374 moveit.xml MOVEit Log 7444 moveit.xml MOVEit Windows 
Application Log 7444 msexchange.xml Microsoft Exchange Event Log 7411 msexchange.xml Microsoft Exchange Application Log 7411 msrras.xml Microsoft RRAS 7374 mssecessentials.xml Microsoft Security Essentials 7374 mssqlapplicationlog.xml MSSQL 2000 Application Log 7442 mssqlauditor.xml SolarWinds Log and Event Manager MSSQL Auditor 7475 nagios.xml Nagios 7374 nDepthLogMessage.xml nDepth Log Storage Message 7374 neoaccelvpn.xml Neo Accel SSL VPN 7374 NeoterisVPN.xml Neoteris VPN/Juniper SA series 7374 NessusdMsgLog.xml Nessus Message 7374 NessusdReport.xml Nessus XML Report 7374 500 Appendix D: Connector Categories FileName Description Version NessusdReport.xml Nessus Report 7374 nessusnbe.xml Nessus Security Scanner NBE Report 7374 netaccess.xml Net Access 7374 netfilter.xml iptables / netfilter 7374 netgearFV.xml Netgear FV Series 7374 netgearsslvpn.xml Netgear SSL VPN Con- 7374 centrator SSL312 netgearswitch.xml Netgear Switch 7374 netilla.xml Netilla VPN 7419 netiqdra.xml NetIQ Directory and Resource Administrator 7374 Netscreen.xml Netscreen 7374 netscreen5.xml Juniper/NetScreen 5 7491 netvanta.xml Adtran NetVanta Router 7374 netware65.xml Novell Netware 6.5 7374 netware65.xml Novell Netware 6.5 File 7374 netware4153.xml Novell Netware 4.1 5.3 7374 NetwareDB.xml Novell Netware 6.5 (Database) 7374 501 Appendix D: Connector Categories FileName Description Version networkbox.xml Network Box RM300 and ITPE1000 7374 nitroips.xml NitroSecurity IPS 7374 NitroIPSsnort.xml NitroGuard IPS - Snort Format 7374 NOD32DB.xml NOD32 Antivirus 4 Access Threat 7374 NOD32DB.xml NOD32 Antivirus 4 Access Scan 7374 NOD32DB.xml NOD32 Antivirus 4 Access Event 7374 NOD32DB.xml NOD32 Antivirus 4 SQL Threat 7374 NOD32DB.xml NOD32 Antivirus 4 SQL Scan 7374 NOD32DB.xml NOD32 Antivirus 4 SQL Event 7374 nortel200series.xml Nortel Contivity 200 Series 7374 nortelalteon.xml Nortel Alteon 7374 nortelbaystack.xml Nortel Baystack 7374 nortelcontivity.xml Nortel Contivity 7374 nortelroutingswitch.xml 
Nortel Ethernet Routing Switch 7374 nortelswitch4500.xml Nortel Ethernet Rout7374 ing Switch 4500 Series 502 Appendix D: Connector Categories FileName Description Version nortelwss.xml Nortel WLAN Security Switch 7374 norton.xml Symantec Corp Antivirus 7374 novellidentityauditDB.xml Novell Identity Audit DB 7374 ntapplication.xml Windows Application Log 7423 ntdns.xml Windows DNS Server Log 7374 ntds.xml Windows Directory Ser- 7428 vice Log ntfrs.xml Windows File Replication Service 7374 ntsecurity.xml Windows NT/2000/XP Security Log 7374 ntsystem.xml Windows System Log 7446 nubridgesprotect.xml NuBridges Protect Token Manager Engine 7374 nubridgesprotect.xml NuBridges Protect Resource Service 7374 nubridgesprotect.xml NuBridges Protect Key Manager 7374 openbsdftpd.xml OpenBSD FTPd 7374 OpenEdgeAudit.xml OpenEdge Audit 7374 503 Appendix D: Connector Categories FileName Description Version openldap.xml OpenLDAP 7374 OpenSSH.xml Open SSH 7374 OpenVMS.xml HP OpenVMS 8+ 7374 Opsec.xml OPSEC(TM) / Check Point(TM) NG LEA Client 7374 oracledatabase.xml Oracle Auditor - Database 7374 oraclesyslog.xml Oracle Auditor - Syslog 7374 oraclewindows.xml Oracle Auditor - Windows 7441 OsirisHIMS.xml Osiris Host Integrity Monitoring System 7374 paloaltofirewall.xml Palo Alto Networks PA-2000 Series and PA-4000 Series Firewall 7463 PAM.xml Linux PAM 7418 PandaSecurityForDesktopsDB.xml Panda Security for Desktops 4.02 7374 PassManPro.xml ManageEngine Password Manager Pro SNMP 7413 PatchLinkVulnDB.xml PatchLink Vulnerability 7374 pcanywhere.xml pcAnywhere 504 7374 Appendix D: Connector Categories FileName Description Version permeo.xml Permeo VPN 7374 pointsecpc.xml PointSec PC 7374 postfix.xml Postfix 7374 proftpdaccess.xml ProFTPD Access 7374 proftpdauth.xml ProFTPD Auth 7374 proximorinoco.xml Proxim Orinoco WAP 7374 ptechinteract.xml PowerTech Interact 7374 pureftpd.xml Pure-FTPd 7374 qualysguard.xml QualysGuard Scan Report 7374 radwareappdirector.xml Radware AppDirector 7374 
RaritanDominion.xml Raritan Dominion Switch 7374 refleximc.xml Reflex IMC 7374 RemotelyAnywhere.xml RemotelyAnywhere / LogMeIn 7374 RetinaStatusLog.xml Retina 7374 rsaauthmanager71.xml RSA Authentication Manager 7.1 7374 safeatoffice.xml Checkpoint Safe@Office Firewall 7374 safeword.xml SafeNet SafeWord 7374 samba.xml Samba 7374 505 Appendix D: Connector Categories FileName Description Version SanDiskCMC.xml SanDisk CMC 7374 savantprotection.xml Savant Protection 7374 SecureNet.xml SecureNet IDS 7380 securespheredb.xml SecureSphere Database Gateway 6.0 7374 securespheresystem.xml SecureSphere System and Firewall Events 6.0 7374 securesphereweb.xml SecureSphere Web Application Firewall 6.0 7374 securid.xml SecurID 7374 securidsyslog.xml SecurID Syslog 7374 selinux.xml SELinux 7374 sendmail.xml Linux Sendmail 7374 sentriant.xml Extreme Sentriant 7374 servuftp.xml Serv-U FTP Server (Never Rotate) 7374 servuftp.xml Serv-U FTP Server 7374 Sidewinder.xml Sidewinder Firewall 7374 sidewinder61.xml Sidewinder 6.1+ Firewall 7401 SmoothWallUTM.xml SmoothWall Unified Threat Manager 7433 506 Appendix D: Connector Categories FileName Description Version snmpdmessages.xml smnpd daemon messages 7374 snort.xml FortiSnort 7440 snort.xml Snort 7440 snort.xml SyslogSnort 7440 solarisbsm.xml Solaris 10 BSM Auditing 7374 solarissnare.xml Solaris 8 and 9 Snare Auditing 7374 solarissnare.xml Solaris 10 Snare Audit- 7374 ing sonicsslvpn.xml SonicWALL SSL VPN 7391 sonicwall.xml SonicWall 7465 sonicwalles.xml Sonicwall Email Secur- 7374 ity sonicwallgmsdb.xml SonicWall GMS 7374 Sophos.xml Sophos Anti-Virus for Win2k 7374 SophosDB.xml Sophos Enterprise 3.0 Database 7374 SophosDB.xml Sophos Enterprise 2.0 Database 7374 sophoses.xml Sophos ES appliance auth 7374 sophoses.xml Sophos ES appliance 7374 507 Appendix D: Connector Categories FileName Description Version SophosSNMP.xml Sophos Anti-Virus SNMP 7439 sophosws.xml Sophos WS appliance 7374 SquidAccessLog.xml Squid Access Log 7374 
| SquidGuardAccessBlock.xml | SquidGuard Access Block Log | 7374 |
| stonegatefirewall.xml | StoneGate Firewall v5.3 CEF | 7374 |
| sudolog.xml | sudo syslog | 7374 |
| sudolog.xml | sudo | 7374 |
| SW_Orion.xml | SolarWinds Orion and Virtualization Manager | 7380 |
| sybari.xml | Sybari's Antigen 7.0 for Exchange Server 2000 | 7374 |
| symantecep.xml | Symantec Endpoint Protection 11 | 7445 |
| SymantecGatewayIDS.xml | Symantec Gateway IDS | 7374 |
| symantecwebsec.xml | Symantec Web Security for Windows | 7374 |
| symmetricomsyncserver.xml | Symmetricom SyncServer | 7419 |
| thycoticsecretserver.xml | Thycotic Secret Server | 7374 |
| timirror.xml | Titanium Mirror Firewall | 7374 |
| tippingpoint.xml | Tippingpoint IPS 1.4 | 7374 |
| tippingpoint.xml | Tippingpoint IPS 2.1 | 7374 |
| tippingpoint.xml | Tippingpoint SMS | 7374 |
| tippingpoint_audit_system.xml | TippingPoint Audit and System | 7374 |
| tippingpointxseries.xml | Tippingpoint X505 | 7374 |
| toplayer.xml | TopLayer Attack Mitigator | 7374 |
| trendDeepSecurity.xml | Trend Deep Security | 7374 |
| trendimss.xml | Trend IMSS | 7374 |
| trendimssemgr.xml | Trend IMSS Policy | 7374 |
| trendimssvirus.xml | Trend IMSS Virus | 7374 |
| trendInterScan.xml | Trend InterScan | 7374 |
| trendmicroigsa.xml | Trend Micro Interscan Gateway Security Appliance | 7374 |
| trendOfficeScan.xml | Trend Office Scan | 7374 |
| trendScanMail.xml | Trend ScanMail | 7374 |
| trendServerProtect.xml | Trend Server Protect | 7374 |
| tricipher.xml | TriCipher | 7374 |
| tw_enterprise.xml | Tripwire Enterprise | 7374 |
| ultravnc.xml | Ultra VNC | 7374 |
| Velociraptor.xml | Symantec Velociraptor 1.5 | 7374 |
| velociraptor20.xml | Symantec Velociraptor 2.0 | 7374 |
| velociraptor30.xml | Symantec Velociraptor 3.0 | 7374 |
| vericeptmonitor.xml | Vericept Monitor | 7374 |
| VIPREBusiness.xml | VIPRE 5.0 | 7374 |
| VIPREBusiness.xml | VIPRE Business - System Events 4.0 | 7374 |
| VIPREBusiness.xml | VIPRE Business 4.0 | 7374 |
| VIPREEnterpriseDB.xml | VIPRE Enterprise 3.1 | 7374 |
| visneticfirewall.xml | VisNetic Firewall | 7374 |
| vistasecurity.xml | Windows 7/2008/Vista Security Log | 7449 |
| vormetric.xml | Vormetric | 7374 |
| vsftpxfer.xml | vsftpd xferlog | 7374 |
| WatchguardFirewalls.xml | WatchGuard firewalls | 7420 |
| WebrootAntispywareCorpEdDB.xml | Webroot Antispyware Corporate Edition 3.5 | 7374 |
| websense.xml | Websense Web Filter and Websense Web Security | 7434 |
| websenseDB.xml | Websense Web Filter and Websense Web Security Database | 7435 |
| websenseds.xml | Websense Data Security | 7435 |
| WgFirebox.xml | WatchGuard Firebox | 7429 |
| WgSoho.xml | WatchGuard SOHO | 7429 |
| WgVclass.xml | WatchGuard Vclass | 7374 |
| WgVclassAlarm.xml | WatchGuard Vclass (Alarm) | 7374 |
| WgVclassVpn.xml | WatchGuard Vclass (VPN) | 7374 |
| WgXcore.xml | WatchGuard Xcore | 7429 |
| WgXCSauth.xml | WatchGuard Extensible Content Security (XCS) auth log | 7374 |
| WgXCSsyslog.xml | WatchGuard Extensible Content Security (XCS) syslog | 7374 |
| WgXedge.xml | WatchGuard Firebox X Edge E-Series | 7429 |
| WindowsDHCPServer.xml | Windows DHCP Server 2003 | 7374 |
| WindowsDHCPServer.xml | Windows DHCP Server 2000 | 7374 |
| WindowsDHCPSystem.xml | Windows DHCP Server 2000/2003/2008 System Log | 7374 |
| WindowsDNSTraffic.xml | Windows DNS Traffic Log | 7374 |
| windowsfirewall.xml | Windows Firewall | 7374 |
| WRGHostGateway.xml | Wescom Resources Group's Host Gateway Windows Log | 7374 |
| wsftpserver.xml | WS_FTP Server Corporate | 7374 |
| xirruswifiarray.xml | Xirrus WiFi Array | 7374 |

Appendix E: CMC Commands

CMC commands are the only means to access LEM and nDepth Appliances. Use CMC to upgrade and maintain the appliances. You can use the CMC commands for such tasks as:

- Upgrading the Manager software
- Deploying new connector infrastructure to the Managers and Agents
- Rebooting or shutting down the network appliance
- Configuring trusted reporting hosts
- Configuring supplemental services on the Manager appliance
- Controlling your nDepth appliances
- Manually applying connector updates

Logging on to CMC

To log on to CMC:

1.
Connect to the Network Appliance in either of two ways:
   - Connect directly to the Network Appliance with a keyboard and monitor. If you connect in this manner, skip to Step 7.
   - Connect using SSH on port 32022. SSH stands for Secure Shell, which is a remote administration connector. To connect to the network appliance using SSH, you can use PuTTY, which is a free SSH tool. For more information on this tool, refer to the SolarWinds knowledge base. The following example shows the PuTTY Configuration form with the default Manager settings.
2. In the Host Name (or IP address) box, type the IP address of your Manager (in this example, the IP address is 10.1.1.200).
3. Under Protocol, click SSH.
4. In the Port box, type 32022.
5. So you don't have to do this again, type Manager into the Saved Sessions box, and then click Save.
6. Click Open.
   Note: To reopen this connection for future sessions, double-click Manager in the Saved Sessions box. The connection will reopen.
7. Whether you connect remotely or physically, the system prompts you for your CMC user name and password.

Using the CMC 'appliance' menu

After typing the appliance command, the cmc::acm# prompt appears. You may then use any of the commands listed in the following table. The commands are listed in alphabetical order. Command descriptions with an asterisk (*) mean the command requires an automatic restart of the Manager service.

| Command | Description |
| --- | --- |
| activate | Activates appliance features after activating LEM. |
| checklogs | Shows the contents of the virtual appliance's log files from sources such as syslog and SNMP. |
| cleantemp | Removes temporary files created by the virtual appliance during normal operation. You may run this command to recover used disk space, or at the suggestion of SolarWinds Support. |
| clearsyslog | Removes all rotated and compressed localN files. |
| dateconfig | Sets/shows the virtual appliance's date and time. |
| demote | Demotes the appliance to a secondary appliance in a high availability or disaster recovery configuration. The demoted appliance will disable running LEM services and resume replicating its configuration information from the configured primary appliance. |
| diskusage | Checks and provides a summary of disk usage for your virtual appliance and several of the internal components (such as the database or log files). This information is included when you send SolarWinds Support information using the support command. |
| editbanner | Edits the SSH login banner. |
| exit | Exits the Appliance menu and returns to the main menu. |
| exportsyslog | Exports the System Logs. |
| help | Shows the Help menu. |
| hostname | Changes the virtual appliance's hostname. |
| limitsyslog | Interrogates and/or changes the number of rotated log files to be kept. |
| netconfig | Configures network parameters for the appliance, such as the IP address, subnet mask and DNS server(s). |
| ntpconfig | Configures the Network Time Protocol (NTP) service on the virtual appliance for synchronization with a time server. |
| password | Changes the CMC user password. |
| ping | Pings other IP addresses or host names from the virtual appliance to verify network connectivity. |
| promote | Promotes the appliance to the primary appliance in a high availability or disaster recovery configuration. The promoted appliance will take over LEM services until it is demoted with the demote command. |
| reboot | Reboots the virtual appliance. |
| setlogrotate | Defines the syslog rotation frequency (hourly, daily |
| shutdown | Shuts down the virtual appliance. |
| top | Displays and monitors CPU and memory usage, as well as per-process information for the Manager Network Appliance. |
| tzconfig | Configures the virtual appliance's time zone information. |
| viewnetconfig | Displays the current network configuration parameters for the appliance, such as the IP address, subnet mask and DNS server(s). |
Using the CMC 'manager' Menu

After typing the manager command, the cmc::cmm# prompt appears. You may then use any of the commands listed in the following table. The commands are listed in alphabetical order. Command descriptions with an asterisk (*) mean the command requires an automatic restart of the Manager service.

| Command | Description |
| --- | --- |
| actortoolupgrade * | Upgrades the Manager's Actor Tools from CD or floppy disk. |
| archiveconfig | Configures the Manager appliance database archives to a remote file share on a daily, weekly, or monthly schedule. |
| backupconfig | Configures the Manager appliance software and configuration backups to a remote file share on a daily, weekly, or monthly schedule. |
| cleanagentconfig | Reconfigures the Agent on this Manager to a new Manager. |
| configurendepth | Configures the virtual appliance to use an nDepth server. |
| dbquery | Queries the Manager appliance database directly. |
| debug | Emails the Manager debugging information to any given email address. The email message contains a collection of data that can be useful in diagnosing problems. |
| exit | Returns to the main CMC menu. |
| exportcert | Exports the CA certificate for Console. |
| exportcertrequest | Exports a certificate request for signing by a CA. |
| help | Displays a brief description of each command. |
| importcenter * | Imports a certificate used for Console communication. |
| logbackupconfig | Configures the Manager appliance remote log backups to a remote file share on a daily, weekly, or monthly schedule. |
| resetadmin * | Resets the admin password to "password". This command does not affect other users on the system and all settings are preserved. |
| restart * | Restarts the Manager service. This will take the Manager offline for 1–3 minutes. |
| sensortoolupgrade | Upgrades the Manager's Sensor Tools from a CD or floppy disk. |
| showlog | Allows you to page through the Manager's log file. |
| showmanagermem | Displays the Manager's configured memory utilization settings. |
| start | Starts the Manager service. If the Manager is already started, then nothing will happen. |
| stop * | Stops the Manager service. This makes the Manager inactive until it is started again. |
| support | Sends debugging information via email to support@SolarWinds.com. This command prompts you for your name and email address. It then sends SolarWinds a collection of data that can be useful in diagnosing problems. |
| togglehttp * | Enables or disables HTTP on port 80. |
| viewsysinfo | Displays appliance settings and information, useful for support and troubleshooting. |
| watchlog | Displays 20 lines of the current Manager log file and monitors the log for further updates. Any new log entries appear as they are written to the log. |

Using the CMC 'ndepth' menu

If you have one or more nDepth appliances, CMC has an ind menu that lets you control these appliances. After typing the ind command, the cmc::ind# prompt appears. You may then use any of the commands listed in the following table. The commands are listed in alphabetical order. Command descriptions with an asterisk (*) mean the command requires an automatic restart of the Manager service.

| Command | Description |
| --- | --- |
| exit | Exits the nDepth menu and returns to the main menu. |
| help | Shows the help menu. |
| logmarchiveconfig | Sets Log Message archive share settings. |
| logmbackupconfig | Sets Log Message backup share settings. |
| restart * | Restarts the Log Message search/storage service. |
| start | Starts the Log Message search/storage service. |
| stop | Stops the Log Message search/storage service. |

Using the CMC 'service' Menu

After typing the service command, the cmc::scm# prompt appears. You may then use any of the commands listed in the following table. The commands are listed in alphabetical order. Command descriptions with an asterisk (*) mean the command requires an automatic restart of the Manager service.

| Command | Description |
| --- | --- |
| copysnortrules | Copies the existing Snort rules from the Manager onto a floppy disk or network file share. This allows you to retrieve the Snort rules from the Manager's hard drive and make any rule updates or modifications. This requires a formatted floppy disk or a network file share. |
| disableflow | Disables NetFlow/sFlow collection on the SolarWinds Appliance (and in the SolarWinds Explorer). |
| disablesnmp | Disables SNMP trap logging to the Manager. The SNMP trap logging service will be permanently disabled until the enablesnmp command is issued. |
| enableflow * | Enables NetFlow/sFlow collection on the SolarWinds Appliance (and in the Explorer). |
| enablesnmp | Enables SNMP trap logging to the Manager. By default, SNMP is disabled on the Manager. This command enables SNMP to allow integration with some security tools that can only log using SNMP. |
| exit | Returns to the main CMC menu. |
| getflowdbsize | Checks the size of the Flow database. |
| help | Displays a brief description of each command within the service menu. |
| loadsnortbackup | Loads Snort rules from "factory default" on the Manager. This allows you to revert to the Snort rules' original default settings in case of an error. This command overwrites any changes that were made to the main set of rules with the original rules that were installed with the SolarWinds system. |
| loadsnortrules | Loads Snort rules from a floppy disk or a network file share to the Manager. This allows you to update the Snort rules on the Manager. The floppy disk must be in the same format (i.e., the same names and directories) that the copysnortrules command uses to issue the original rules; otherwise, the rules will not be updated. |
| restartsnort | Restarts the Snort service. |
| restartssh | Restarts the SSH service. If the SSH service is running, this command stops and then restarts the service. |
| restrictconsole | Restricts access to the Console's graphical user interface to only certain IP addresses or hostnames. This command prompts you to provide the allowable IP addresses or hostnames. Once the restriction is in place, only the given IP addresses/hostnames are able to connect to the Console. Users are still required to log in with a password to fully access the Console. |
| restrictreports | Restricts access to reports to only certain IP addresses or hostnames. This command prompts you to provide the allowable IP addresses or hostnames. Once the restriction is in place, only the given IP addresses/hostnames are able to create and view reports. |
| restrictssh | Restricts the SSH service to only certain IP addresses. This command prompts you to provide the allowable IP addresses. Once the restriction is done, only the given IP address/user combinations will be able to connect to the Manager using the SSH service. |
| startssh | Starts running the SSH service. |
| stopopsec | Terminates any connections from the Manager Appliance to Check Point® OPSEC™ hosts. |
| stopssh | Stops running the SSH service. If you issue this command, you can only access the Manager with a keyboard and monitor until you issue a reboot command. To restrict access to the SSH service (outside of the user name and password requirements), see the restrictssh command. |
| unrestrictconsole | Removes restrictions to the Console's graphical user interface. This command removes all restrictions and allows any valid system user to connect to the Console. The only protection at this point is the user name and password combination. |
| unrestrictreports | Removes restrictions on access to reports. This command removes all restrictions and allows anyone with the Reports Console, or any alternative database connection software, with the proper username and password, to create and view reports and browse the database. |
| unrestrictssh | Removes restrictions to the SSH service. Any connection attempts will still require a user name and password. |

Upgrading LEM Connectors

Upgrading connectors through the LEM Console is a new feature in LEM 6.2.
For pre-6.2 versions, update connectors using the CMC command interface.

Updating connectors using the LEM Console

1. Navigate to the Appliance grid on the Manage tab.
2. Select Update from the Connector Updates pull-down menu at the top right of the Appliances pane. A message displays, letting you know whether the update was applied or not.

Updating connectors using the CMC interface

1. Download the current Connector Update package here: http://downloads.solarwinds.com/solarwinds/Release/LEM/SolarWinds-LEMConnectors.zip.
2. Prepare the update package:
   a. Download the Connector Update package using the link above, or from the Additional Components page for LEM on the SolarWinds Customer Portal. The download is approximately 3.6 MB.
   b. Unzip the file. The directory structure created uses approximately 100 MB of space.
   c. Open the SolarWinds-LEM-Connectors folder.
   d. Copy the LEM folder to the root of a network share. For example, the network share might be \\<server-IP>\<share-name>. The connector upgrade finds the LEM directory under the root of the share.
3. Connect to the LEM Virtual Appliance using a virtual console or SSH client.
4. Access the CMC prompt:
   - Virtual Console: Arrow down to Advanced Configuration, and then press Enter.
   - SSH Client: Log in using CMC credentials.
5. At the cmc> prompt, enter manager.
6. At the cmc::cmm# prompt, enter sensortoolupgrade.
7. Press Enter to validate the entry.
8. Enter n to indicate that the update is on the network.
9. Press Enter to validate your entry.
10. Enter the server and share name for the location where the update package was saved, in \\server\share format. The connector upgrade locates the LEM directory under the root of the share.
11. Enter y to confirm the entry.
12. Enter the domain and user name for a user that can access the share, in domain\user format.
13. Enter y to confirm the entry.
14. Enter the password for the user.
15.
Re-enter the password to confirm the entry.
16. Enter 1 to start the update. The update takes several minutes.
17. Verify that the configured connectors restart after they are updated by watching for InternalToolOnline events in the default SolarWinds events filter in the LEM Console.
18. After the update is finished, enter exit twice to exit the CMC interface.

Appendix F: Report Tables

The following tables list all of LEM's reports, provide descriptions of their contents, and suggest schedules for running each report.

Table of Audit reports

The following table lists and describes each audit report. For your convenience, the reports are listed alphabetically by title.

| Title | Description | File name | Schedule |
| --- | --- | --- | --- |
| Authentication Report | This report lists all authentications tracked by the SolarWinds system, including user logon, logoff, failed logon attempts, guest logons, etc. | RPT2003-02.rpt | Weekly |
| Authentication Report - Authentication Audit | This report lists events that are related to authentication and authorization of accounts and account "containers" such as groups or domains. These events can be produced from any network node including firewalls, routers, servers, and clients. | RPT2003-02-10.rpt | As needed |
| Authentication Report - Suspicious Authentication | This report lists events that are related to suspicious authentication and authorization events. These events include excessive failed authentication or authorization attempts, suspicious access to unauthenticated users, and suspicious access to unauthorized services or information. | RPT2003-02-9.rpt | As needed |
| Authentication Report - Top User Log On by User | This report lists the Top User Log On events grouped by user name. | RPT2003-02-6-2.rpt | As needed |
| Authentication Report - Top User Log On Failure by User | This report lists the Top User Log On Failure events grouped by user name. | RPT2003-02-7-2.rpt | As needed |
| Authentication Report - SolarWinds Authentication | This report shows logon, logoff, and logon failure activity to the SolarWinds Console. | RPT2003-02-8.rpt | As needed |
| Authentication Report - User Log Off | User Logoff events reflect account logoff events from network devices (including network infrastructure devices). Each event will reflect the type of device from which the user was logging off. These events are usually normal events but are tracked for consistency and auditing purposes. | RPT2003-02-5.rpt | As needed |
| Authentication Report - User Log On | User Logon events reflect user account logon events from network devices monitored by SolarWinds (including network infrastructure devices). Each event will reflect the type of device that the logon was intended for along with all other relevant fields. | RPT2003-02-6.rpt | As needed |
| Authentication Report - User Log On by User | This report lists all account logon events, grouped by user name. | RPT2003-02-6-1.rpt | As needed |
| Authentication Report - User Log On Failure | User Logon Failure events reflect failed account logon events from network devices (including network infrastructure devices). Each event will reflect the point on the network where the user was attempting logon. In larger quantities, these events may reflect a potential issue with a user or set of users, but as individual events they are generally not a problem. | RPT2003-02-7.rpt | As needed |
| Authentication Report - User Log On Failure by User | This report lists all account logon failure events, grouped by user name. | RPT2003-02-7-1.rpt | As needed |
| Change Management - General Authentication Related Events | This report includes changes to domains, groups, machine accounts, and user accounts. | RPT2006-20.rpt | As needed |
| Change Management - General Authentication: Domain Events | This report includes changes to domains, including new domains, new members, and modifications to domain settings. | RPT2006-20-01.rpt | As needed |
| Change Management - General Authentication: Domain Events - Change Domain Attribute | This report lists changes to domain type. These events are uncommon and usually provided by the operating system. Usually, these changes are made by a user account with administrative privileges, but occasionally a change will happen when local system maintenance activity takes place. | RPT2006-20-01-7.rpt | As needed |
| Change Management - General Authentication: Domain Events - Change Domain Member | This report lists events that occur when an account or account container within a domain is modified. Usually, these changes are made by a user account with administrative privileges, but occasionally an event occurs when local system maintenance activity takes place. Events of this nature mean a user, machine, or service account within the domain has been modified. | RPT2006-20-01-4.rpt | As needed |
| Change Management - General Authentication: Domain Events - Delete Domain | This report lists events that occur upon removal of a trust relationship between domains, deletion of a subdomain, or deletion of account containers within a domain. Usually, these changes are made by a user account with administrative privileges. | RPT2006-20-01-8.rpt | As needed |
| Change Management - General Authentication: Domain Events - Delete Domain Member | This report lists events that occur when an account or account container has been removed from a domain. Usually, these changes are made by a user account with administrative privileges, but occasionally they occur when local system maintenance activity takes place. | RPT2006-20-01-3.rpt | As needed |
| Change Management - General Authentication: Domain Events - Domain Member Alias | This report lists events that happen when the alias for a domain member has been changed. This means an account or account container within a domain has an alias created, deleted, or otherwise modified. This event is uncommon and is used to track links between domain members and other locations in the domain where the member may appear. | RPT2006-20-01-5.rpt | As needed |
| Change Management - General Authentication: Domain Events - DomainAuthAudit | This report lists authentication, authorization, and modification events that are related only to domains, subdomains, and account containers. These events are normally related to operating systems. However, they can be produced by any network device. | RPT2006-20-01-1.rpt | As needed |
| Change Management - General Authentication: Domain Events - New Domain | This report lists events that occur upon creation of a new trust relationship between domains, creation of a new subdomain, or creation of new account containers within a domain. Usually, these creations are done by a user account with administrative privileges. | RPT2006-20-01-6.rpt | As needed |
| Change Management - General Authentication: Domain Events - New Domain Member | This report lists events that occur when an account or an account container (a new user, machine, or service account) has been added to the domain. Usually, these additions are made by a user account with administrative privileges, but occasionally they occur when local system maintenance activity takes place. | RPT2006-20-01-2.rpt | As needed |
| Change Management - General Authentication: Group Events | This report lists changes to groups, including new groups, members added/removed to/from groups, and modifications to group settings. | RPT2006-20-02.rpt | As needed |
| Change Management - General Authentication: Group Events - Change Group Attribute | This report lists events that occur when a group type is modified. Usually, these changes are made by a user account with administrative privileges, but occasionally they occur when local system maintenance activity takes place. | RPT2006-20-02-6.rpt | As needed |
| Change Management - General Authentication: Group Events - Delete Group | This report lists events that occur upon deletion of a group of any type. Usually, these deletions are made by a user account with administrative privileges. | RPT2006-20-02-5.rpt | As needed |
| Change Management - General Authentication: Group Events - Delete Group Member | This report lists events that occur when an account or group has been removed from a group. Usually, these changes are made by a user account with administrative privileges, but occasionally they occur when local system maintenance activity takes place. | RPT2006-20-02-3.rpt | As needed |
| Change Management - General Authentication: Group Events - Group Audit | This report lists authentication, authorization, and modification events related only to account groups. These events are normally operating system related; however, they could be produced by any network device. | RPT2006-20-02-1.rpt | As needed |
| Change Management - General Authentication: Group Events - New Group | This report lists NewGroup events. These events occur upon creation of a new group of any type. Usually, these additions are made by a user account with administrative privileges. | RPT2006-20-02-4.rpt | As needed |
| Change Management - General Authentication: Group Events - New Group Member | This report lists NewGroupMember events. These events occur when an account (or other group) has been added to a group. Usually, these additions are made by a user account with administrative privileges, but occasionally an event will occur when local system maintenance activity takes place. A new user, machine, or service account has been added to the group. | RPT2006-20-02-2.rpt | As needed |
| Change Management - General Authentication: Machine Account Events | This report includes changes to machine accounts, including enabling/disabling machine accounts and modifications to machine account settings. | RPT2006-20-03.rpt | As needed |
| Change Management - General Authentication: Machine Account Events - Machine Disabled | This report lists MachineDisable events. These events occur when a machine account is actively disabled and/or when an account is forcibly locked out by the operating system or other authentication tool. These events are usually operating system related and could reflect a potential issue with a computer or set of computers. | RPT2006-20-03-3.rpt | As needed |
| Change Management - General Authentication: Machine Account Events - Machine Enabled | This report lists MachineEnable events, which reflect the action of enabling a computer or machine account. These events are normally related to the operating system, and will trigger when a machine is "enabled," normally by a user with administrative privileges. | RPT2006-20-03-1.rpt | As needed |
| Change Management - General Authentication: Machine Account Events - Machine Modify Attribute | This report lists MachineModifyAttribute events, which occur when a computer or machine type is changed. These events are uncommon and usually provided by the operating system. | RPT2006-20-03-2.rpt | As needed |
| Change Management - General Authentication: User Account Events | This report includes changes to user accounts, including enabling/disabling user accounts and modifications to user account settings. | RPT2006-20-04.rpt | As needed |
| Change Management - General Authentication: User Account Events - User Disabled | This report lists UserDisable events. These events occur when a user account is actively disabled and/or when a user is forcibly locked out by the operating system or other authentication tool. These events are usually related to the operating system and can reflect a potential issue with a user or set of users. | RPT2006-20-04-3.rpt | As needed |
| Change Management - General Authentication: User Account Events - User Enabled | This report lists UserEnable events, which reflect the action of enabling a user account. These events are normally related to the operating system. They occur both when an account is "unlocked" after lockout due to unsuccessful logons, and when an account is "enabled" in the traditional sense. | RPT2006-20-04-1.rpt | As needed |
| Change Management - General Authentication: User Account Events - User Modify Attributes | This report lists UserModifyAttribute events that occur when a user type is changed. These events are uncommon and usually provided by the operating system. | RPT2006-20-04-2.rpt | As needed |
| Change Management - Network Infrastructure: Policy/View Change | This report includes accesses to network infrastructure device policy, including viewing or changing device policy. | RPT2006-21.rpt | As needed |
| Change Management - Windows/Active Directory Domains: Group Created | This report includes creations of Windows/Active Directory groups. | RPT2006-22-01.rpt | As needed |
| Change Management - Windows/Active Directory Domains: Group Deleted | This report includes deletions of Windows/Active Directory groups. | RPT2006-22-02.rpt | As needed |
| Change Management - Windows/Active Directory Domains: Group Events | This report includes Windows/Active Directory group-related events. | RPT2006-22.rpt | As needed |
| Change Management - Windows/Active Directory Domains: Group Property Updated | This report includes changes to Windows/Active Directory group properties, such as the display name. | RPT2006-22-03.rpt | As needed |
| Change Management - Windows/Active Directory Domains: Machine Events | This report includes Windows/Active Directory machine-related events. | RPT2006-23.rpt | As needed |
| Change Management - Windows/Active Directory Domains: Machine Events - Account Created | This report includes creations of Windows/Active Directory machine accounts. | RPT2006-23-01.rpt | As needed |
| Change Management - Windows/Active Directory Domains: Machine Events - Account Deleted | This report includes deletions of Windows/Active Directory machine accounts. | RPT2006-23-02.rpt | As needed |
| Change Management - Windows/Active Directory Domains: Machine Events - Account Disabled | This report includes disables of Windows/Active Directory machine accounts. | RPT2006-23-03.rpt | As needed |
| Change Management - Windows/Active Directory Domains: Machine Events - Account Enabled | This report includes enables of Windows/Active Directory machine accounts. | RPT2006-23-04.rpt | As needed |
| Change Management - Windows/Active Directory Domains: Machine Events - Account Properties Update | This report includes changes to Windows/Active Directory machine account properties, such as the display name. | RPT2006-23-05.rpt | As needed |
| Change Management - Windows/Active Directory Domains: Machine Events - Added To Group | This report includes additions of Windows/Active Directory machine accounts to groups. | RPT2006-23-06.rpt | As needed |
| Change Management - Windows/Active Directory Domains: Machine Events - Added To OU | This report includes additions of Windows/Active Directory machine accounts to Organizational Units. | RPT2006-23-07.rpt | As needed |
| Change Management - Windows/Active Directory Domains: Machine Events - Removed From Group | This report includes removals of Windows/Active Directory machine accounts from groups. | RPT2006-23-08.rpt | As needed |
| Change Management - Windows/Active Directory Domains: Machine Events - Removed From OU | This report includes removals of Windows/Active Directory machine accounts from Organizational Units. | RPT2006-23-09.rpt | As needed |
| Change Management - Windows/Active Directory Domains: New Critical Group Members | This report includes additions of Windows/Active Directory user accounts to critical groups, such as Domain or Enterprise Admins. | RPT2006-22-04.rpt | As needed |
| Change Management - Windows/Active Directory Domains: OU Events | This report includes Windows/Active Directory Organizational Unit-related events. | RPT2006-24.rpt | As needed |
| Change Management - Windows/Active Directory Domains: OU Events - OU Created | This report includes creation of Windows/Active Directory Organizational Units. | RPT2006-24-01.rpt | As needed |
| Change Management - Windows/Active Directory Domains: OU Events - OU Deleted | This report includes deletion of Windows/Active Directory Organizational Units. | RPT2006-24-02.rpt | As needed |
| Change Management - Windows/Active Directory Domains: OU Events - OU Properties Update | This report includes updates to Windows/Active Directory Organizational Unit properties, such as the display name. | RPT2006-24-03.rpt | As needed |
| Change Management - Windows/Active Directory Domains: User Events | This report includes Windows/Active Directory user-related events. | RPT2006-25.rpt | As needed |
| Change Management - Windows/Active Directory Domains: User Events - Account Created | This report includes creations of Windows/Active Directory user accounts. | RPT2006-25-01.rpt | As needed |
| Change Management - Windows/Active Directory Domains: User Events - Account Deleted | This report includes deletions of Windows/Active Directory user accounts. | RPT2006-25-02.rpt | As needed |
| Change Management - Windows/Active Directory Domains: User Events - Account Disabled | This report includes disables of Windows/Active Directory user accounts. | RPT2006-25-03.rpt | As needed |
| Change Management - Windows/Active Directory Domains: User Events - Account Enabled | This report includes enables of Windows/Active Directory user accounts. | RPT2006-25-04.rpt | As needed |
| Change Management - Windows/Active Directory Domains: User Events - Account Lockout | This report includes user-driven disables of Windows/Active Directory user accounts, such as a user triggering an excessive failed password limit. | RPT2006-25-05.rpt | As needed |
| Change Management - Windows/Active Directory Domains: User Events - Account Properties Updated | This report includes changes to Windows/Active Directory user account properties, such as the display name. | RPT2006-25-06.rpt | As needed |
| Change Management - Windows/Active Directory Domains: User Events - Added To Group | This report includes additions of Windows/Active Directory user accounts to groups. | RPT2006-25-07.rpt | As needed |
| Change Management - Windows/Active Directory Domains: User Events - Added To OU | This report includes additions of Windows/Active Directory user accounts to Organizational Units. | RPT2006-25-08.rpt | As needed |
| Change Management - Windows/Active Directory Domains: User Events - Removed From Group | This report includes removals of Windows/Active Directory user accounts from groups. | | |
RPT2006- As 25-09.rpt needed Change Management Windows/Active Directory Domains: User Events Removed From OU This report includes removals of Windows/Active Directory user accounts from Organizational Units. RPT2006- As 25-10.rpt needed File Audit Events This report tracks file system activity associated with audited files and system objects, such as file access successes and failures. RPT2003- Weekly 05.rpt File Audit Events File Attribute Change is a specific File RPT2003- As - File Attribute Write event generated for the 05-41.rpt needed Change modification of file attributes (including properties such as read-only status). These events may be produced by any tool that is used to monitor the activity of file usage, including a HostBased IDS and some Operating Systems. File Audit Events File Audit events are used to track file RPT2003- As activity on monitored network devices, 05-11.rpt needed File Audit 538 Appendix F: Report Tables Title Description File name Schedule usually through the Operating System or a Host-Based IDS. These events will note success or failure of the requested operation. File Audit Events File Audit Failure events are used to track failed file activity on monitored File Audit Failure network devices, usually through the Operating System or a Host-Based IDS. These events will note what requested operation failed. RPT2003- As 05-12.rpt needed File Audit Events File Create is a specific File Write RPT2003- As event generated for the initial creation 05-42.rpt needed File Create of a file. These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems. File Audit Events File Data Read is a specific File Read RPT2003- As event generated for the operation of 05-31.rpt needed File Data Read reading data from a file (not just properties or status of a file). 
These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems. File Audit Events File Data Write is a specific File Write RPT2003- As event generated for the operation of 05-43.rpt needed File Data Write writing data to a file (not just properties or status of a file). These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems. 539 Table of Audit reports Title Description File name Schedule File Audit Events File Delete is a specific File Write RPT2003- As event generated for the deletion of an 05-44.rpt needed File Delete existing file. These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems. File Audit Events File Execute is a specific File Read RPT2003- As event generated for the operation of 05-32.rpt needed File Execute executing files. These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems. File Audit Events File Handle Audit events are used to RPT2003- As track file handle activity on monitored 05-21.rpt needed File Handle Audit network devices, usually through low level access to the Operating System, either natively or with or a Host-Based IDS. These events will note success or failure of the requested operation. File Audit Events File Handle Close File Handle Close is a specific File Handle Audit event generated for the closing of file handles. These events may be generated by a tool that has low-level file access, such as an Operating System or some HostBased IDS'. RPT2003- As 05-22.rpt needed File Audit Events File Handle Copy is a specific File Handle Audit event generated for the File Handle Copy copying of file handles. 
These events may be generated by a tool that has low-level file access, such as an Operating System or some Host- RPT2003- As 05-23.rpt needed 540 Appendix F: Report Tables Title Description File name Schedule Based IDS'. File Audit Events File Handle Open is a specific File RPT2003- As Handle Audit event generated for the 05-24.rpt needed File Handle Open opening of file handles. These events may be generated by a tool that has low-level file access, such as an Operating System or some HostBased IDS'. File Audit Events File Link is a specific File Write event RPT2003- As generated for the creation, deletion, or 05-45.rpt needed File Link modification of links to other files. These events may be produced by any tool that is used to monitor the activity of file usage, including a HostBased IDS and some Operating Systems. File Audit Events File Move is a specific File Write event RPT2003- As generated for the operation of moving 05-46.rpt needed File Move a file that already exists. These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems. File Audit Events File Read is a specific File Audit event RPT2003- As generated for the operation of reading 05-33.rpt needed File Read files (including reading properties of a file or the status of a file). These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems. File Audit Events File Write is a specific File Audit event RPT2003- As generated for the operation of writing 05-47.rpt needed File Write 541 Table of Audit reports Title Description File name Schedule to a file (including writing properties of a file or changing the status of a file). These events may be produced by any tool that is used to monitor the activity of file usage, including a HostBased IDS and some operating systems. 
File Audit Events Object Audit events are used to track RPT2003- As special object activity on monitored 05-51.rpt needed Object Audit network devices, usually through the Operating System or a Host-Based IDS. Generally, Objects are special types of system resources, such as registry items or user account databases. These objects may be actual 'files' on the system, but are not necessarily human readable. These events will note success or failure of the requested operation. File Audit Events Object Audit Failure Object Audit Failure events are used RPT2003- As to track special object activity on 05-52.rpt needed monitored network devices, usually through the Operating System or a Host-Based IDS. Generally, Objects are special types of system resources, such as registry items or user account databases. These objects may be actual 'files' on the system, but are not necessarily human readable. These events will note a failure of the requested operation. File Audit Events Object Delete is a specific Object RPT2003- As Audit event generated for the deletion 05-53.rpt needed Object Delete of an existing object. These events 542 Appendix F: Report Tables Title Description File name Schedule may be produced by any tool that is used to monitor the activity of file and object usage, including a Host-Based IDS and some Operating Systems. File Audit Events Object Link is a specific Object Audit event generated for the creation, Object Link deletion, or modification of links to other objects. These events may be produced by any tool that is used to monitor the activity of file and object usage, including a Host-Based IDS and some Operating Systems. RPT2003- As 05-54.rpt needed Incident Events This report tracks the Incident, HostIncident, HybridIncident and NetworkIncident events that have been generated to reflect enterprisewide issues. RPT2006- Daily 19.rpt Inferred Events This report tracks events that are triggered by correlations built in the SolarWinds Rule Builder. 
RPT2006- As 27.rpt needed Inferred Events This report tracks events that are by Inference Rule triggered by correlations, and orders them by the correlation rule name. RPT2006- As 27-01.rpt needed Log On/Off/Failure Track activity associated with account RPT2003- Weekly events such as log on, log off and log 03.rpt on failures. This is a refined version of the Authentication Report that does not include SolarWinds authentication events. It is more appropriate for management reports or audit reviews than regular use. Network Traffic Audit Track activity associated with network RPT2003- Daily, if traffic audit events such as TCP, IP 06.rpt needed 543 Table of Audit reports Title Description File name Schedule and UDP events. Specifically, this report tracks regular network traffic activity, such as encrypted traffic, web traffic, and other forms of UDP, TCP and ICMP traffic. It gives you both an overview and some details of exactly what is flowing through your network. This report can be quite large. Network Traffic Audit Application Traffic ApplicationTrafficAudit events reflect RPT2003- As network traffic that is mostly or all 06-11.rpt needed application-layer data. Events that are children of ApplicationTrafficAudit are also related to application-layer resources. Events placed in the parent ApplicationTrafficAudit event itself are known to be application-related, but are not able to be further categorized based on the message provided by the tool or because they are uncommon and rarely, if ever, imply network attack potential. Network Traffic Audit Application Traffic by Destination Machine This report lists all Application Traffic events (such as WebTrafficAudit), grouped by destination machine/IP. RPT2003- As 06-11needed 2.rpt Network Traffic Audit Application Traffic by Provider SID This report lists all Application Traffic events (such as WebTrafficAudit), grouped by provider SID. 
RPT2033- As 06-11needed 3.rpt Network Traffic Audit - This report lists all Application Traffic events (such as WebTrafficAudit), RPT2003- As 06-11needed 544 Appendix F: Report Tables Title Description File name Schedule Application grouped by source machine/IP. Traffic by Source Machine 1.rpt Network Traffic Audit Application Traffic by Tool Alias This report lists all Application Traffic events (such as WebTrafficAudit), grouped by the SolarWinds sensor tool alias that reported each event. RPT2003- As 06-11needed 0.rpt Network Traffic Audit Configuration Traffic Configuration Traffic Audit events RPT2003- As reflect application-layer data related to 06-02.rpt needed configuration of network resources. Included in ConfigurationTrafficAudit are protocols such as DHCP, BootP, and SNMP. ConfigurationTrafficAudit events generally indicate normal traffic, however, events of this type could also be symptoms of misconfiguration, inappropriate usage, attempts to enumerate or access network devices or services, attempts to access devices that are configured via these services, or other abnormal traffic. Network Traffic Audit Core Traffic CoreTrafficAudit events reflect network traffic sent over core protocols. Events that are children of CoreTrafficAudit are all related to the TCP, IP, UDP, and ICMP protocols. Events of this type and its children do not have any application-layer data. Events placed in the parent CoreTrafficAudit event itself are known to be a core protocol, but are not able to be further categorized 545 RPT2003- As 06-03.rpt needed Table of Audit reports Title Description File name Schedule based on the message provided by the tool. Network Traffic Audit - Core Traffic by Destination Machine This report lists all Core Traffic events RPT2003- As (such as TCPTrafficAudit), grouped by 06-03needed destination machine/IP. 
2.rpt Network Traffic Audit - Core Traffic by Provider SID This report lists all Core Traffic events RPT2003- As (such as TCPTrafficAudit), grouped by 06-03needed provider SID. 3.rpt Network Traffic This report lists all Core Traffic events RPT2003- As Audit - Core (such as TCPTrafficAudit), grouped by 06-03needed Traffic by Source source machine/IP. 1.rpt Network Traffic Audit - Core Traffic by Tool Alias This report lists all Core Traffic events RPT2003- As (such as TCPTrafficAudit), grouped by 06-03needed the SolarWinds tool sensor alias that 0.rpt reported the event. Network Traffic Encrypted Traffic Audit events reflect RPT2003- As Audit - Encrypted application-layer traffic that has been 06-04.rpt needed Traffic encrypted and is intended for a secure host. Included in Encrypted Traffic Audit are client and server side application events, such as key exchanges, that normally occur after the low-level session creation and handshaking have completed. Network Traffic Audit Link Control Traffic Link Control Traffic Audit events are RPT2003- As generated for network events related 06-05.rpt needed to link level configuration. Link Control Traffic Audit events generally indicate normal traffic, however, events of this type could also be symptoms of 546 Appendix F: Report Tables Title Description File name Schedule misconfiguration at the link level, inappropriate usage, or other abnormal traffic. Network Traffic Audit - Network Traffic Members of the Network Audit tree are RPT2003- As used to define events centered on 06-06.rpt needed usage of network resources/bandwidth. Network Traffic Audit Point to Point Traffic Point To Point Traffic Audit events RPT2003- As reflect application-layer data related to 06-07.rpt needed point-to-point connections between hosts. Included in Point To Point Traffic Audit are encrypted and unencrypted point-to-point traffic. 
Network Traffic Remote Procedure Traffic Audit RPT2003- As Audit - Remote events reflect application-layer data 06-08.rpt needed Procedure Traffic related to remote procedure services. Included in Remote Procedure Traffic Audit are the traditional RPC services used to service remote logons and file shares, and other services which require remote procedure access to complete authentication, pass data, or otherwise communicate. RemoteProcedureTrafficAudit events generally indicate normal traffic for networks that have remote procedure services on their network; however, events of this type could also be symptoms of inappropriate access, misconfiguration of the remote procedure services, errors in the remote procedure calls, or other abnormal traffic. Network Traffic Routing Traffic Audit events are 547 RPT2003- As Table of Audit reports Title Description File name Schedule Audit - Routing Traffic generated for network events related 06-09.rpt to configuration of network routes, using protocols such as IGMP, IGRP, and RIP. RoutingTrafficAudit events generally indicate normal traffic, however, events of this type could also be symptoms of misconfigured routing, unintended route configuration, or other abnormal traffic. Network Traffic Audit Time Traffic Time Traffic Audit events reflect RPT2003- As application-layer data related to 06-10.rpt needed network time configuration. Included in TimeTrafficAudit are protocols such as NTP and activities, such as detection of client-side network time updates. Network Traffic Audit Top Application Traffic by Source This report lists the Top Application Traffic events (such as WebTrafficAudit), grouped by source machine/IP. RPT2003- As 06-01needed 2.rpt Network Traffic Audit Top Core Traffic by Source This report lists the Top Core Traffic events (such as TCPTrafficAudit), grouped by source machine/IP. 
RPT2003- As 06-03needed 2.rpt Network Traffic Audit Web Traffic WebTrafficAudit events reflect RPT2003- As application-layer data related to web 06-01.rpt needed services. Included in WebTrafficAudit are client and server web events from web servers, web applications, content filter related events, and other web services. WebTrafficAudit events generally indicate normal traffic, however, events of this type could also be symptoms of inappropriate web usage, potential abuse of web 548 needed Appendix F: Report Tables Title Description File name Schedule services, or other abnormal traffic. Network Traffic Audit - Web Traffic by Destination Machine This report lists all WebTrafficAudit events grouped by destination machine/IP. RPT2003- As 06-01needed 2.rpt Network Traffic Audit Web Traffic by Provider SID This report lists Web Traffic Audit events grouped by provider SID. RPT2003- As 06-01needed 3.rpt Network Traffic This report lists all WebTrafficAudit RPT2003- As Audit - Web events grouped by source machine/IP. 06-01needed Traffic by Source 1.rpt Machine Network Traffic Audit Web Traffic by Tool Alias This report lists Web Traffic Audit events grouped by tool alias. RPT2003- As 06-01needed 0.rpt Network Traffic Audit Web URL Requests by Source Machine This report lists the most frequently visited URLs grouped by the requesting client source machine. RPT2003- As 06-01needed 5.rpt Network Traffic This report shows graphs of the most RPT2003- As Audit frequently visited URLs for each client 06-01needed Web URL source machine. 4.rpt Requests by Source Machine Graphs Resource Configuration The Resource Configuration report details events that relate to configuration of user accounts, 549 RPT2003- Weekly 08.rpt Table of Audit reports Title Description File name Schedule machine accounts, groups, policies and their relationships. Items such as domain or group modification, policy changes, and creation of new network resources. 
Resource Configuration Authorization Audit Events that are part of the Auth Audit RPT2003- As tree are related to authentication and 08-01.rpt needed authorization of accounts and account ''containers'' such as groups or domains. These events can be produced from any network node including firewalls, routers, servers, and clients. Resource Configuration Domain Authorization Audit Domain Auth Audit events are RPT2003- As authentication, authorization, and 08-02.rpt needed modification events related only to domains, subdomains, and account containers. These events are normally operating system related, however could be produced by any network device. Resource Configuration Group Audit Group Audit events are authentication, RPT2003- As authorization, and modification events 08-03.rpt needed related only to account groups. These events are normally operating system related, however could be produced by any network device. Resource Configuration Machine Authorization Audit Machine Auth Audit events are RPT2003- As authentication, authorization, and 08-04.rpt needed modification events related only to computer or machine accounts. These events can be produced from any network node including firewalls, routers, servers, and clients, but are 550 Appendix F: Report Tables Title Description File name Schedule normally operating system related. Resource Configuration Policy Audit Policy Audit events are used to track access, modification, scope change, and creation of authentication, domain, account, and account container policies. Many of these events reflect normal system traffic. Most PolicyAudit events are provided by the Operating System. RPT2003- As 08-06.rpt needed Resource Configuration User Authorization Audit User Auth Audit events are authentication, authorization, and modification events related only to user accounts. These events can be produced from any network node including firewalls, routers, servers, and clients. 
RPT2003- As 08-05.rpt needed Table of Security reports The following table lists and describes each of the security reports. For your convenience, the reports are listed alphabetically by title. Title Description Authentication Report Failed Authentication Failed Authentication events occur when a user has made several attempts to authenticate themselves which has continuously failed, or when a logon failure is serious enough to merit a security event on a single failure. File name Schedule RPT2003- As 02-1.rpt needed Authentication This report shows logins to various Guest RPT2003- As Report accounts. 02-2.rpt needed Guest Login Authentication Restricted Information Attempt events Report - 551 RPT2003- As 02-3.rpt needed Table of Security reports Title Description File name Schedule Restricted Information Attempt describe a user attempt to access local or remote information that their level of authorization does not allow. These events may indicate user attempts to exploit services which they are denied access to or inappropriate access attempts to information. Authentication Report Restricted Service Attempt Restricted Service Attempt events describe a user attempt to access a local or remote service that their level of authorization does not allow. These events may indicate user attempts to exploit services which they are denied access to or inappropriate access attempts to services. Console The Console report shows every event RPT2003- As that passes through the system in the 10.rpt needed given time interval. It mimics the basic management console view. It does not contain the same level of field detail, but it is useful to get a quick snapshot of activity for a period, a lunch hour, for example.This report can be very large, so you will only want to run for small time intervals, such as hours. Console Overview An overview of all events during the RPT2003- As specified time range. 
Shows graphs of the 10-00.rpt needed most common generic event field data from the console report. Event Summary Attack Behavior Statistics Event Summary Sub Report - Attack Behavior Statistics 552 RPT2003- As 02-4.rpt needed RPT2003- As 01-02.rpt needed Appendix F: Report Tables Title Description Event Event Summary Sub Report Summary Authorization Audit Statistics Authorization Audit Statistics Event Summary Graphs File name Schedule RPT2003- As 01-03.rpt needed The event summary report gathers RPT2003- Daily statistical data from all major event 01.rpt categories, summarizes it with a one-hour resolution, and presents a quick, graphical overview of activity on your network. Event Event Summary Sub Report - Machine Summary Audit Statistics Machine Audit Statistics RPT2003- As 01-05.rpt needed Event Summary Policy Audit Statistics Event Summary Sub Report - Policy Audit RPT2003- As Statistics 01-06.rpt needed Event Summary Resource Audit Statistics Event Summary Sub Report - Resource Audit Statistics Event Summary Suspicious Behavior Statistics Event Summary Sub Report - Suspicious RPT2003- As Behavior Statistics 01-08.rpt needed Event Summary Top Level Statistics Event Summary Sub Report - Top Level Statistics 553 RPT2003- As 01-07.rpt needed RPT2003- As 01-01.rpt needed Table of Security reports Title Description File name Schedule Machine Audit Track activity associated with machine RPT2003- Weekly process and service audit events. This 09.rpt report shows machine-level events such as software installs, patches, system shutdowns, and reboots. It can be used to assist in software license compliance auditing by providing records of installs. Machine Audit File System Audit This report tracks activity associated with RPT2003- As file system audit events including mount 09-010.rpt needed file system and unmount file system events. These events are generally normal system activity, especially during system boot. 
Machine Audit - File System Audit - Mount File System Mount File System events are a specific RPT2003- As type of File System Audit that reflect the 09-012.rpt needed action of creating an active translation between hardware to a usable files ystem. These events are generally normal during system boot. Machine Audit - File System Audit Unmount File System Unmount File System events are a RPT2003- As specific type of File System Audit that 09-013.rpt needed reflect the action of removing a translation between hardware and a usable files ystem. These events are generally normal during system shutdown. Machine Audit This report tracks activity related to RPT2003- As - Process processes, including processes that have 09-030.rpt needed Audit started, stopped, or reported useful process-related information. Machine Audit - Process Audit Process Audit This report lists Process Audit events that RPT2003- As are generated to track launch, exit, status, 09-031.rpt needed and other events related to system processes. Usually, these events reflect 554 Appendix F: Report Tables Title Description File name Schedule normal system activity. Process-related activity that may indicate a failure will be noted separately from normal activity in the event detail. Machine Audit - Process Audit Process Info Process Info is a specific type of Process RPT2003- As Audit event that reflects information 09-032.rpt needed related to a process. Most of these events can safely be ignored, as they are generally normal activity that does not reflect a failure or abnormal state. Machine Audit - Process Audit Process Start Process Start is a specific type of Process RPT2003- As Audit event that indicates a new process 09-033.rpt needed has been launched. Usually, Process Start reflects normal system activity. Machine Audit - Process Audit Process Stop Process Stop is a specific type of Process RPT2003- As Audit event that indicates a process has 09-034.rpt needed exited. 
Usually, Process Stop reflects normal application exit, however in the event of an unexpected error the abnormal state will be noted. Machine Audit - Process Audit Process Warning Process Warning is a specific type of Process Audit event that indicates a process has returned a 'Warning' message that is not a fatal error and may not have triggered an exit of the process. RPT2003- As 09-035.rpt needed Machine Audit This report tracks activity related to - Service services, including services that have Audit started, stopped, or reported useful service-related information or warnings. RPT2003- As 09-040.rpt needed Machine Audit - Service Audit Service Info RPT2003- As 09-041.rpt needed This report tracks ServiceInfo events, which reflect information related to a particular service. Most of these events can safely be ignored, as they are 555 Table of Security reports Title Description File name Schedule generally normal activity that does not reflect a failure or abnormal state. Machine Audit This report tracks ServiceStart events, - Service which indicate that a new system service Audit is starting. Service Start RPT2003- As 09-042.rpt needed Machine Audit - Service Audit Service Stop This report tracks ServiceStop events, RPT2003- As which indicate that a system service is 09-043.rpt needed stopping. This activity is generally normal, however, in the event of an unexpected stop the abnormal state will be noted. Machine Audit - Service Audit Service Warning This report lists ServiceWarning events. RPT2003- As These events indicate a service has 09-044.rpt needed returned a “'Warning” message that is not a fatal error and may not have triggered an exit of the service. Machine Audit This report tracks activity associated with RPT2003- As - System system status and modifications, 09-020.rpt needed Audit including software changes, system reboots, and system shutdowns. 
Machine Audit - System Audit Machine Audit Machine Audit events are used to track RPT2003- As hardware or software status and 09-021.rpt needed modifications. These events are generally acceptable, but do indicate modifications to the client system that may be noteworthy. Machine Audit - System Audit Software Install SoftwareInstall events reflect modifications to the system at a software level, generally at the operating system level (or equivalent, in the case of a network infrastructure device). These events are generated when a user updates a system or launches system- 556 RPT2003- As 09-025.rpt needed Appendix F: Report Tables Title Description File name Schedule native methods to install third party applications. Machine Audit - System Audit Software Update SoftwareUpdate is a specific type of RPT2003- As SoftwareInstall that reflects a more current 09-026.rpt needed version of software being installed to replace an older version. Machine Audit - System Audit System Reboot System Reboot events occur on monitored network devices (servers, routers, etc.) and indicate that a system has restarted. RPT2003- As 09-022.rpt needed Machine Audit - System Audit System Shutdown System shutdown events occur on monitored network devices (servers, routers, etc.) and indicate that a system has been shutdown. RPT2003- As 09-023.rpt needed Machine Audit - System Audit System Status SystemStatus events reflect general system state events. These events are generally normal and informational, however, they could potentially reflect a failure or issue which should be addressed. RPT2003- As 09-024.rpt needed Machine Audit USBDefender This report tracks activity associated with RPT2003- As USB-Defender, including insertion and 09-050.rpt needed removal events related to USB Mass Storage devices. 
Malicious Code [RPT2003-04.rpt; Weekly]. This report tracks event activity associated with malicious code such as viruses, Trojans, and worms, both on the network and on local machines, as detected by anti-virus software.

Malicious Code - Service Process Attack [RPT2003-04-01.rpt; As needed]. Members of the Service Process Attack tree are used to define events centered on malicious or abusive usage of services or user processes. These events include abuse or misuse of resources from malicious code placed on the client system.

Malicious Code - Trojan Command Access [RPT2003-04-05.rpt; As needed]. Trojan Command Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as Trojan Horses. This event detects the communication related to Trojans sending commands over the network (infecting other clients, participating in a denial of service activity, being controlled remotely by the originator, etc.). Trojans are generally executables that require no user intervention to spread and contain malicious code that is placed on the client system and used to exploit the client (and return access to the originator of the attack) or exploit other clients (used in attacks such as distributed denial of service attacks).

Malicious Code - Trojan Infection Access [RPT2003-04-04.rpt; As needed]. Trojan Infection Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as a Trojan Horse. This event detects the infection traffic related to a Trojan entering the network (generally with intent to infect a client). Trojans are generally executables that require no user intervention to spread and contain malicious code that is placed on the client system and used to exploit the client (and return access to the originator of the attack) or exploit other clients (used in attacks such as distributed denial of service attacks).

Malicious Code - Trojan Traffic Access [RPT2003-04-02.rpt; As needed]. Trojan Traffic Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as a Trojan Horse. This event detects the communication related to Trojans over the network (generally, 'trojaned' clients calling home to the originator). Trojans are generally executables that require no user intervention to spread and contain malicious code that is placed on the client system and used to exploit the client (and return access to the originator of the attack) or exploit other clients (used in attacks such as distributed denial of service attacks).

Malicious Code Report - Trojan Traffic Denial [RPT2003-04-03.rpt; As needed]. Trojan Traffic Denial events are a specific type of Denial event where the transport of the malicious or abusive usage originates with malicious code on a client system known as a Trojan. The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. Trojan Traffic Denial events may be attempts to exploit weaknesses in software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, attempts to spread the Trojan to other hosts, or other denial of service activities.
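The Trojan Traffic Access and Trojan Command Access entries above describe 'trojaned' clients calling home to their originator. As an added example, not code from LEM or its documentation, the Python below looks for that pattern in connection records: a source that contacts the same destination and port at a near-constant interval. The record layout, the thresholds, and every address are assumptions constructed for illustration.

```python
"""Detect Trojan-style "calling home" (beaconing) in connection records.

Added example for this report table; not code from LEM or its documentation.
The record layout (epoch_seconds, src, dst, dport), the thresholds and every
address below are assumptions constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows, not captured traffic.
# 10.0.0.5 contacts 203.0.113.10:443 every ~300 s with slight jitter (suspect).
# 10.0.0.7 contacts 198.51.100.20:443 at irregular, human-looking intervals.
SAMPLE_FLOWS = [
    (t, "10.0.0.5", "203.0.113.10", 443)
    for t in (0, 301, 599, 902, 1200, 1498, 1801, 2100)
] + [
    (t, "10.0.0.7", "198.51.100.20", 443)
    for t in (12, 40, 610, 615, 990, 1700, 1710, 2400)
]

MIN_CONNECTIONS = 6   # assumed: fewer samples cannot establish a period
MAX_CV = 0.10         # assumed: stdev/mean of the gaps below this counts as regular


def inter_arrival_gaps(timestamps):
    """Seconds between consecutive connections, in time order."""
    ts = sorted(timestamps)
    return [later - earlier for earlier, later in zip(ts, ts[1:])]


def find_beacons(flows, min_connections=MIN_CONNECTIONS, max_cv=MAX_CV):
    """Return [(src, dst, dport, period_seconds)] for (src, dst, dport) triples
    whose connections recur at a near-constant interval."""
    times_by_triple = defaultdict(list)
    for ts, src, dst, dport in flows:
        times_by_triple[(src, dst, dport)].append(ts)

    beacons = []
    for (src, dst, dport), times in times_by_triple.items():
        if len(times) < min_connections:
            continue
        gaps = inter_arrival_gaps(times)
        period = mean(gaps)
        if period <= 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        if pstdev(gaps) / period < max_cv:
            beacons.append((src, dst, dport, round(period)))
    return beacons


if __name__ == "__main__":
    for src, dst, dport, period in find_beacons(SAMPLE_FLOWS):
        print(f"possible callback: {src} -> {dst}:{dport} every ~{period}s")
```

Legitimate software (update checks, monitoring agents) also beacons, so a hit is a lead to correlate with the destination's reputation and the process that opened the connection, not a verdict. Lowering MAX_CV or raising MIN_CONNECTIONS trades missed short-lived implants for fewer of those false positives.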
Malicious Code Report - Virus Attack [RPT2003-04-06.rpt; As needed]. Virus Attack events reflect malicious code placed on a client or server system, which may lead to system or other resource compromise and may lead to further attack. The severity of this event will depend on the ActionTaken field, which reflects whether the virus or other malicious code was successfully removed.

Malicious Code Report - Virus Summary Attack [RPT2003-04-07.rpt; As needed]. Virus Summary Attack events reflect malicious code placed on a client or server system, which may lead to system or other resource compromise and may lead to further attack. The severity of this event will depend on the ActionTaken field, which reflects whether the virus or other malicious code was successfully removed. These events differ from Virus Attack in that they may be a composite of virus events, normally due to a scheduled scan on the client system as opposed to a real-time scan.

Malicious Code Report - Virus Traffic Access [RPT2003-04-08.rpt; As needed]. Virus Traffic Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as viruses. This event detects the communication related to viruses over the network (generally, the spread of a virus infection or an incoming virus infection). Viruses are generally executables that require user intervention to spread, contain malicious code that is placed on the client system, and are used to exploit the client and possibly spread to other clients.

Network Events: Attack Behavior [RPT2003-11-00.rpt; As needed]. This report tracks activity associated with top-level NetworkAttack events.

Network Events: Attack Behavior Access [RPT2003-11.rpt; Weekly]. This report shows malicious asset access via the network, for example attacks on FTP or Windows Network servers, malicious network database access, abuses of services, or attempted unauthorized entry.

Network Events: Attack Behavior Access - Access [RPT2003-11-01.rpt; As needed]. Children of the Access tree define events centered on malicious or abusive usage of network bandwidth/traffic where the intention, or the result, is inappropriate or abusive access to network resources.

Network Events: Attack Behavior Access - Application Access [RPT2003-11-02.rpt; As needed]. Application Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is mostly or all application-layer. Generally, ApplicationAccess events will reflect attempted exploitation of weaknesses in server or client software, or access to information that is restricted or prohibited by device access control or policy.

Network Events: Attack Behavior Access - Configuration Access [RPT2003-11-03.rpt; As needed]. Configuration Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via resource configuration traffic (using protocols such as DHCP, BootP, and SNMP). Generally, these events will reflect attempted exploitation of weaknesses in the configuration server or client software, or attempts to gain system-level access to configuration servers themselves. In the case of SNMP and similar configuration protocols, it could reflect an attempt to enumerate a device or devices on the same network for further attack.

Network Events: Attack Behavior Access - Core Access [RPT2003-11-04.rpt; As needed]. Core Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is mostly or all core protocols (TCP, UDP, IP, ICMP). Generally, CoreAccess events will reflect attempted exploitation of weaknesses in network protocols or devices with intent to gain access to servers, clients, or network infrastructure devices.

Network Events: Attack Behavior Access - Database Access [RPT2003-11-05.rpt; As needed]. Database Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer database traffic. Generally, these events will reflect attempted exploitation of weaknesses in database server or client software.

Network Events: Attack Behavior Access - File System Access [RPT2003-11-06.rpt; As needed]. File System Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via remote filesystem traffic (using protocols such as SMB and NFS). Generally, these events will reflect attempted exploitation of weaknesses in the remote filesystem server or client software, or attempts to gain system-level access to remote filesystem servers themselves.

Network Events: Attack Behavior Access - File Transfer Access [RPT2003-11-07.rpt; As needed]. File Transfer Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer file transfer traffic. Generally, these events will reflect attempted exploitation of weaknesses in file transfer server or client software.

Network Events: Attack Behavior Access - Link Control Access [RPT2003-11-08.rpt; As needed]. Link Control Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is low-level link control (using protocols such as ARP). Generally, Link Control Access events will reflect attempted exploitation of weaknesses in switching devices by usage of malformed incoming or outgoing data, with intent to enumerate or gain access to or through switching devices, clients that are also on the switching device, and entire networks attached to the switching device. In some cases, a managed switch with restrictions on port-analyzing activity may be forced to behave as an unmanaged switch with no restrictions, allowing a malicious client to sniff traffic and enumerate or attack.

Network Events: Attack Behavior Access - Mail Access [RPT2003-11-09.rpt; As needed]. Mail Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer mail transfer, retrieval, or service traffic. Generally, these events will reflect attempted exploitation of weaknesses in mail-related server or client software.

Network Events: Attack Behavior Access - Naming Access [RPT2003-11-10.rpt; As needed]. Naming Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer naming service traffic (using protocols such as DNS and WINS). Generally, these events will reflect attempted exploitation of weaknesses in the naming server or client software.

Network Events: Attack Behavior Access - News Access [RPT2003-11-11.rpt; As needed]. News Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer news traffic (over protocols such as NNTP). Generally, these events will reflect attempted exploitation of weaknesses in the news server or client software.
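The Link Control Access entry above describes attacks carried over ARP against the switching layer. As an added example that is not part of the LEM documentation, the Python below inspects constructed ARP reply records for two symptoms of ARP spoofing: an IP address whose answering MAC changes, and a single MAC answering for many addresses. The record layout, the addresses and the MAX_IPS_PER_MAC threshold are assumptions.

```python
"""Flag ARP spoofing symptoms in ARP reply records.

Added example for the Link Control Access entry; not LEM code. The record
layout (epoch_seconds, sender_ip, sender_mac), the threshold and every
address below are assumptions constructed for illustration.
"""
from collections import defaultdict

# Constructed ARP replies seen on one segment, not captured traffic.
SAMPLE_ARP_REPLIES = [
    (0,  "10.0.0.1",  "00:11:22:33:44:01"),  # gateway, legitimate
    (5,  "10.0.0.20", "00:11:22:33:44:20"),  # workstation, legitimate
    (60, "10.0.0.1",  "00:11:22:33:44:01"),  # gateway again, unchanged
    (61, "10.0.0.1",  "de:ad:be:ef:00:99"),  # new MAC claims the gateway IP
    (62, "10.0.0.20", "de:ad:be:ef:00:99"),  # same MAC claims the workstation
    (63, "10.0.0.21", "de:ad:be:ef:00:99"),
    (64, "10.0.0.22", "de:ad:be:ef:00:99"),
]

MAX_IPS_PER_MAC = 2   # assumed: a NIC answering for more addresses is suspect


def detect_arp_conflicts(replies, max_ips_per_mac=MAX_IPS_PER_MAC):
    """Return alert strings for (a) an IP whose answering MAC differs from the
    one first seen for it and (b) a MAC answering for too many IPs."""
    first_mac_for_ip = {}
    ips_by_mac = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        ips_by_mac[mac].add(ip)
        known = first_mac_for_ip.setdefault(ip, mac)
        if known != mac:
            alerts.append(f"t={ts}: {ip} moved from {known} to {mac} (possible ARP spoof)")
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > max_ips_per_mac:
            alerts.append(f"{mac} answers for {len(ips)} addresses: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_conflicts(SAMPLE_ARP_REPLIES):
        print(line)
```

A DHCP lease moving to a new machine or a replaced NIC also changes an IP's MAC, so treat the first kind of alert as a prompt to check the switch's MAC address table rather than as proof of attack. Several IPs converging on one MAC within seconds, as in the sample, is much harder to explain innocently.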
Network Events: Attack Behavior Access - Point to Point Access [RPT2003-11-12.rpt; As needed]. Point To Point Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via point to point traffic (using protocols such as PPTP). Generally, these events will reflect attempted exploitation of weaknesses in point to point server or client software, attempts to enumerate networks, or attempts to further attack devices on trusted networks.

Network Events: Attack Behavior Access - Printer Access [RPT2003-11-13.rpt; As needed]. Printer Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer remote printer traffic. Generally, these events will reflect attempted exploitation of weaknesses in the remote printer server or client software.

Network Events: Attack Behavior Access - Remote Console Access [RPT2003-11-14.rpt; As needed]. Remote Console Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer remote console service traffic (services such as telnet, SSH, and terminal services). Generally, these events will reflect attempted exploitation of weaknesses in the remote console server or client software.

Network Events: Attack Behavior Access - Remote Procedure Access [RPT2003-11-15.rpt; As needed]. Remote Procedure Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via remote procedure call traffic (using protocols such as the traditional RPC services, RMI, and CORBA). Generally, these events will reflect attempted exploitation of weaknesses in the remote procedure server or client software, or attempts to gain system-level access to remote procedure servers themselves.

Network Events: Attack Behavior Access - Routing Access [RPT2003-11-16.rpt; As needed]. Routing Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is routing-related protocols (RIP, IGMP, etc.). Generally, Routing Access events will reflect attempted exploitation of weaknesses in routing protocols or devices with intent to enumerate or gain access to or through routers, servers, clients, or other network infrastructure devices. These routing protocols are used to automate the routing process between multiple devices that share or span networks.

Network Events: Attack Behavior Access - Time Access [RPT2003-11-17.rpt; As needed]. Time Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer remote time service traffic (using protocols such as NTP). Generally, these events will reflect attempted exploitation of weaknesses in the remote time server or client software.

Network Events: Attack Behavior Access - Virus Traffic Access [RPT2003-11-19.rpt; As needed]. Virus Traffic Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as viruses. Generally, these events will reflect attempted exploitation of weaknesses in the web server or client software.
Network Events: Attack Behavior Access - Web Access [RPT2003-11-18.rpt; As needed]. Web Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer WWW traffic. Generally, these events will reflect attempted exploitation of weaknesses in the web server or client software.

Network Events: Attack Behavior Denial / Relay [RPT2003-12.rpt; Weekly]. Tracks activity associated with network denial or relay attack behaviors. This report shows malicious asset relay attempts and denials of service via the network, for example FTP bouncing, Distributed Denial of Service events, and many protocol abuses.

Network Events: Attack Behavior Denial / Relay - Application Denial [RPT2003-12-01.rpt; As needed]. Application Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is application-layer protocols. The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. Application Denial events may be attempts to exploit weaknesses in software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities.

Network Events: Attack Behavior Denial / Relay - Configuration Denial [RPT2003-12-02.rpt; As needed]. Configuration Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is protocols related to configuration of resources (DHCP, BootP, SNMP, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. ConfigurationDenial events may be attempts to exploit weaknesses in configuration-related software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities.

Network Events: Attack Behavior Denial / Relay - Core Denial [RPT2003-12-03.rpt; As needed]. Core Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is core protocols (TCP, IP, ICMP, UDP). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. Core Denial events may be attempts to exploit weaknesses in software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities.

Network Events: Attack Behavior Denial / Relay - Denial [RPT2003-12-04.rpt; As needed]. Children of the Denial tree define events centered on malicious or abusive usage of network bandwidth/traffic where the intention, or the result, is inappropriate or abusive access to network resources through a denial of service attack.

Network Events: Attack Behavior Denial / Relay - File System Denial [RPT2003-12-05.rpt; As needed]. File System Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is remote filesystem-related protocols (NFS, SMB, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. File System Denial events may be attempts to exploit weaknesses in remote filesystem services or software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities.
Network Events: Attack Behavior Denial / Relay - File Transfer Denial [RPT2003-12-06.rpt; As needed]. File Transfer Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is application-layer file transfer-related protocols (FTP, TFTP, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. FileTransferDenial events may be attempts to exploit weaknesses in file transfer-related software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities.

Network Events: Attack Behavior Denial / Relay - Link Control Denial [RPT2003-12-07.rpt; As needed]. Link Control Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is link-level protocols (such as ARP). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. LinkControlDenial events may be attempts to exploit weaknesses in link-level control software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities.

Network Events: Attack Behavior Denial / Relay - Mail Denial [RPT2003-12-08.rpt; As needed]. MailDenial events are a specific type of Denial event where the transport of the malicious or abusive usage is application-layer mail-related protocols (SMTP, IMAP, POP3, etc.) or services (majordomo, spam filters, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. MailDenial events may be attempts to exploit weaknesses in mail-related software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities.

Network Events: Attack Behavior Denial / Relay - Relay [RPT2003-12-09.rpt; As needed]. Children of the Relay tree define events centered on malicious or abusive usage of network bandwidth/traffic where the intention, or the result, is relaying inappropriate or abusive access to other network resources (either internal or external). Generally, these attacks will have the perimeter or an internal host as their point of origin. When sourced from remote hosts, they may indicate a successful exploit of an internal or perimeter host.

Network Events: Attack Behavior Denial / Relay - Remote Procedure Denial [RPT2003-12-10.rpt; As needed]. Remote Procedure Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is remote procedure-related protocols (traditional RPC, RMI, CORBA, etc.) or services (portmapper, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. RemoteProcedureDenial events may be attempts to exploit weaknesses in remote procedure services or software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities.

Network Events: Attack Behavior Denial / Relay - Routing Denial [RPT2003-12-11.rpt; As needed]. Routing Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is routing-related protocols (RIP, IGMP, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. Routing Denial events may be attempts to exploit weaknesses in routers or routing software to gain access to a host system, attempts to exploit weaknesses in the routing software or service to enumerate or reconfigure, or other denial of service activities.

Network Events: Attack Behavior Denial / Relay - Web Denial [RPT2003-12-12.rpt; As needed]. Web Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is application-layer web-related protocols (HTTP, HTTPS, etc.) or services (CGI, ASP, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. Web Denial events may be attempts to exploit weaknesses in web-related software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities.

Network Events: Suspicious Behavior [RPT2003-07.rpt; Weekly]. Tracks activity associated with suspicious network behaviors such as reconnaissance or unusual traffic. Specifically, this report shows potentially dangerous activity, such as excessive authentication failures, port scans, stack fingerprinting, and network enumerations.

Network Events: Suspicious Behavior - Application Enumerate [RPT2003-07-01.rpt; As needed]. Application Enumerate events reflect attempts to gather information about target hosts, or services on target hosts, by sending active application-layer data which will elicit responses that reveal information about the application or host. This enumeration may be a simple command sent to the application to attempt to fingerprint what is allowed or denied by the service, requests to the application which may enable an attacker to surmise the version and specific application running, and other information gathering tactics. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the host or application that may work correctly the first time, enabling them to modify their methodology to go on relatively undetected.

Network Events: Suspicious Behavior - Banner Grabbing Enumerate [RPT2003-07-02.rpt; As needed]. Banner Grabbing Enumerate events reflect attempts to gather information about target hosts, or services on target hosts, by sending a request which will elicit a response containing the host or service's 'banner'. This 'banner' contains information that may provide a potential attacker with such details as the exact application and version running behind a port. These details could be used to craft specific attacks against hosts or services that an attacker may know will work correctly the first time, enabling them to modify their methodology to go on relatively undetected.

Network Events: Suspicious Behavior - Core Scan [RPT2003-07-03.rpt; As needed]. Core Scan events reflect attempts to gather information about target networks, or specific target hosts, by sending scans over core network protocols (TCP, IP, ICMP, UDP) which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as a list of applications listening on ports, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts.
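The Core Scan entry above, like the Host Scan and Port Scan entries later in this table, describes a source probing many ports on one host or one port across many hosts. As an added example that is not LEM's own detection logic, the Python below applies both fan-out rules to constructed connection-attempt records grouped into fixed time windows. The event layout, the window size, the thresholds and the addresses are assumptions chosen for illustration.

```python
"""Port-scan and host-sweep detection over connection-attempt records.

Added example for the Core Scan, Host Scan and Port Scan entries; not LEM's
own detection logic. The event layout (epoch_seconds, src, dst, dport), the
window size, thresholds and addresses are assumptions constructed for
illustration.
"""
from collections import defaultdict

# Constructed sample events, not captured traffic.
SAMPLE_EVENTS = (
    # 192.0.2.50 probes ports 20..39 on 10.0.0.10 within 20 s: a port scan
    [(i, "192.0.2.50", "10.0.0.10", 20 + i) for i in range(20)]
    # 192.0.2.60 tries port 445 on 10.0.0.1..10.0.0.12 within 12 s: a host sweep
    + [(100 + i, "192.0.2.60", f"10.0.0.{i}", 445) for i in range(1, 13)]
    # 10.0.0.7 uses three services on one server: ordinary client behaviour
    + [(200, "10.0.0.7", "10.0.0.20", 80),
       (201, "10.0.0.7", "10.0.0.20", 443),
       (202, "10.0.0.7", "10.0.0.20", 22)]
)

WINDOW_SECONDS = 60        # assumed fixed bucket size
PORT_SCAN_MIN_PORTS = 10   # assumed: distinct ports on one host from one source
HOST_SWEEP_MIN_HOSTS = 8   # assumed: distinct hosts on one port from one source


def detect_scans(events, window=WINDOW_SECONDS,
                 min_ports=PORT_SCAN_MIN_PORTS, min_hosts=HOST_SWEEP_MIN_HOSTS):
    """Return sorted (kind, src, target, count) alerts.

    kind "PortScan":  target is the scanned host, count = distinct ports probed
    kind "HostSweep": target is the probed port,  count = distinct hosts probed
    Events are grouped into fixed windows of `window` seconds; a scan that
    straddles a boundary is split and may fall under the thresholds.
    """
    ports_by_host = defaultdict(set)   # (bucket, src, dst)   -> {dport}
    hosts_by_port = defaultdict(set)   # (bucket, src, dport) -> {dst}
    for ts, src, dst, dport in events:
        bucket = ts // window
        ports_by_host[(bucket, src, dst)].add(dport)
        hosts_by_port[(bucket, src, dport)].add(dst)

    alerts = set()
    for (_, src, dst), ports in ports_by_host.items():
        if len(ports) >= min_ports:
            alerts.add(("PortScan", src, dst, len(ports)))
    for (_, src, dport), hosts in hosts_by_port.items():
        if len(hosts) >= min_hosts:
            alerts.add(("HostSweep", src, str(dport), len(hosts)))
    return sorted(alerts)


if __name__ == "__main__":
    for kind, src, target, count in detect_scans(SAMPLE_EVENTS):
        print(f"{kind}: {src} -> {target} ({count} distinct)")
```

Fixed windows keep the state small but let a slow scanner stay under the thresholds by spreading probes across buckets; a sliding window, or a second pass with a much longer window and lower thresholds, catches that case at the cost of more memory. Vulnerability scanners and asset-inventory tools produce exactly this pattern legitimately, so allow-list their source addresses rather than raising the thresholds for everyone.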
Network Events: Suspicious Behavior - Enumerate [RPT2003-07-04.rpt; As needed]. Enumerate events reflect attempts to gather information about target networks, or specific target hosts, by sending active data which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the enumeration is generally attempting to acquire information that may reveal more than normal traffic to the target would.

Network Events: Suspicious Behavior - Footprint [RPT2003-07-05.rpt; As needed]. Footprint events reflect attempts to gather information about target networks by tracing the network through routers, clients, servers, or other network infrastructure devices. The originating source of the footprint is generally attempting to acquire information that may reveal more about network behavior than normal traffic to the target would.

Network Events: Suspicious Behavior - General Security [RPT2003-07-17.rpt; As needed]. General Security events are generated when a supported product outputs data that has not yet been normalized into a specific event, but is known to be security issue-related.

Network Events: Suspicious Behavior - Host Scan [RPT2003-07-06.rpt; As needed]. Host Scan events reflect attempts to gather information about specific target hosts by sending scans which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as a list of applications on the host, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts. These scans generally do not occur across entire networks and generally have the intent of discovering operating system and application information which may be used for further attack preparation.

Network Events: Suspicious Behavior - ICMP Query [RPT2003-07-07.rpt; As needed]. ICMP Query events reflect attempts to gather information about specific target hosts, or networks, by sending ICMP-based queries that will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as operating system information and other information that a probe may discover without enumeration of the specific services or performing attack attempts. These scans generally do not occur across entire networks, contain many sequential ICMP packets, and generally have the intent of discovering operating system and application information which may be used for further attack preparation.

Network Events: Suspicious Behavior - MS Network Enumerate [RPT2003-07-08.rpt; As needed]. MS Networking Enumerate events reflect attempts to gather information about target hosts, or services on target hosts, by sending active data to Microsoft networking services (using protocols such as NetBIOS and SMB/CIFS) that will elicit responses that reveal information about the application, host, or target network. This enumeration may be a simple command sent to the networking service to attempt to fingerprint what is allowed or denied by a service, requests to a service that may enable an attacker to surmise the version and specific service running, requests to a service that may enable an attacker to fingerprint the target network, and other information gathering tactics. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the networking service, host, or application that may work correctly the first time, enabling them to modify their methodology to go on relatively undetected.

Network Events: Suspicious Behavior - Network Suspicious [RPT2003-07-09.rpt; As needed]. Members of the NetworkSuspicious tree are used to define events regarding suspicious usage of network bandwidth/traffic. These events include unusual traffic and reconnaissance behavior detected on network resources.

Network Events: Suspicious Behavior - Port Scan [RPT2003-07-10.rpt; As needed]. Port Scan events reflect attempts to gather information about target networks, or specific target hosts, by sending scans over core network protocols (TCP, IP, ICMP, UDP) that will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as a list of applications listening on ports, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts. Port Scans specifically operate by sending probes to every port within a range, attempting to identify open ports that may use applications or services that are easy to enumerate and attack.

Network Events: Suspicious Behavior - Recon [RPT2003-07-11.rpt; As needed]. Children of the Recon tree reflect suspicious network behavior with intent of gathering information about target clients, networks, or hosts. Reconnaissance behavior may be valid behavior on a network, but only as a controlled behavior in small quantities. Invalid reconnaissance behavior may reflect attempts to determine security flaws on remote hosts, missing access control policies that allow external hosts to penetrate networks, or other suspicious behavior that results in general information gathering without actively attacking.

Network Events: Suspicious Behavior - Remote Procedure Enumerate [RPT2003-07-12.rpt; As needed]. Remote Procedure Enumerate events reflect attempts to gather information about target hosts, or services on target hosts, by sending active data to Remote Procedure services (using protocols such as RMI, CORBA, and traditional RPC) that will elicit responses that reveal information about the application or host. This enumeration may be a simple command sent to the remote procedure service to attempt to fingerprint what is allowed or denied by the service, requests to the remote procedure service that may enable an attacker to surmise the version and specific service running, and other information gathering tactics. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the remote procedure service or application that may work correctly the first time, enabling them to modify their methodology to go on relatively undetected.

Network Events: Suspicious Behavior - Scan [RPT2003-07-13.rpt; As needed]. Scan events reflect attempts to gather information about target networks, or specific target hosts, by sending scans which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as a list of applications listening on ports, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts.

Network Events: Suspicious Behavior - Stack Fingerprint [RPT2003-07-14.rpt; As needed]. Stack Fingerprint events reflect attempts to gather information about specific target hosts by sending a certain set of packets to probe a device's network stack, which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as operating system information (including type and version) and other information that a probe may discover without enumeration of the specific services or performing attack attempts. These scans generally do not occur across entire networks and generally have the intent of discovering operating system information which may be used for further attack preparation.

Network Events: Suspicious Behavior - Trojan Scanner [RPT2003-07-15.rpt; As needed]. Trojan Scanner events reflect attempts of Trojans on the network to gather information about target networks, or specific target hosts, by sending scans which will elicit responses that reveal information about the host. The originating Trojan source of the scan is generally attempting to acquire information that will reveal whether a target host or network has open and available services for further exploitation, whether the target host or network is alive, and how much of the target network is visible. A Trojan may run a scan before attempting an attack operation to test potential effectiveness or targeting information.

Network Events: Suspicious Behavior - Unusual Traffic [RPT2003-07-16.rpt; As needed]. Unusual Traffic events reflect suspicious behavior on network devices where the traffic may have no known exploit, but is unusual and could be potential enumerations, probes, fingerprints, attempts to confuse devices, or other abnormal traffic. Unusual Traffic may have no impending response; however, it could reflect a suspicious host that should be monitored closely.

Priority Event (reference) [RPT2003-16.rpt; As needed]. This report is no longer in use. The Priority Event report tracks those events that the user has identified as a priority event. These events appear in the Priority filter of the Console.

Priority Event By User (reference) [RPT2003-17.rpt; As needed]. This report is no longer in use. This report mirrors the standard Priority Event report but groups the events received by Console User account. The same event may be seen by many users, so this report tends to be much larger than the standard Priority Event report.

Rule Subscriptions by User [RPT2006-28-01.rpt; Daily]. The Rule Subscriptions report tracks those events that the user has subscribed to monitor.

SolarWinds Actions [RPT2003-18.rpt; As needed]. The SolarWinds Action Report lists all commands or actions initiated by SolarWinds Network Security.

Table of Support Reports

Support Reports are diagnostic tools used by SolarWinds Customer Support. You will normally only run these reports at SolarWinds's request. For your convenience, the reports are listed alphabetically by title. Each entry gives the title, then the file name and schedule in brackets, then the description.

Agent Connection Status [RPT2009-33-1.rpt; As requested]. This report is a diagnostic tool used by Customer Support, and generally run only at their request. This report tracks internal agent online and offline events.
Agent Connection Status by Agent This report is a diagnostic tool used by RPT2009- As Customer Support, and generally run only 33-2.rpt requested at their request. This report tracks internal agent online and offline events grouped by agent. Agent Connection Summary This report is a diagnostic tool used by RPT2009- As Customer Support, and generally run only 33.rpt requested at their request. This report shows high level summary information for when agents go online and offline. Audit Audit - Internal Audit Report Internal Audit Report RPT2006- As 31-01.rpt requested Audit Internal Audit Report grouped by User Internal Audit Report by User RPT2006- As 31-02.rpt requested Agent This report is a diagnostic tool used by RPT2007- As Maintenance Customer Support, and generally run only 32.rpt requested Report at their request. This report displays internal event data for possible misconfigured agents. Database This report is a diagnostic tool used by 581 RPT2006- As Table of Support Reports Title Description File name Schedule Maintenance Customer Support, and generally run only 26.rpt Report at their request. requested List of Rules This report lists available rules for the Rule RPT2006- As for Rule Subscriptions. 29-02.rpt needed Subscriptions List of This report lists the rules that users have Subscription subscribed to. Rules by User RPT2006- As 29-03.rpt needed List of Users This report lists each user entered. RPT2006- As Currently, the users are only used for Rule 29-01.rpt needed Subscriptions. Tool This report is a diagnostic tool used by RPT2003- As Maintenance Customer Support, and generally run only 14.rpt needed by Alias at their request. List of New Tool Data events based on Tool Alias. Tool Maintenance by Insertion Point This report is a diagnostic tool used by RPT2003- As Customer Support, and generally run only 15.rpt needed at their request. List of New Tool Data events based on Agent InsertionIP. 
Tool This report is a diagnostic tool used by RPT2003- As Maintenance Customer Support, and generally run only 13.rpt needed by Provider at their request. List of New Tool Data events based on ProviderSID. Tool This report is a diagnostic tool used by RPT2003- As Maintenance Customer Support, and generally run only 14.rpt requested Detail Report at their request. The report displays a summary of all SolarWinds error messages received from various tools. Tool This report is a diagnostic tool used by RPT2003- As Maintenance Customer Support, and generally run only 13.rpt requested Report at their request. The report displays a 582 Appendix F: Report Tables Title Description File name Schedule summary of unique SolarWinds error messages received from various tools. Report schedule definitions The following table describes each recommended report schedule. Schedule Description Daily Run and review this report once each day. Weekly Run and review this report once each week. As needed SolarWinds suggests that you run these reports only when needed for specific auditing purposes, or when you need the details surrounding a Priority event or a suspicious event. As These reports are diagnostic tools and should only be run at the requested request of SolarWinds's technical support personnel. 583 Appendix G: Connector Configuration Tables The tables in this section describe the various categories of network security products that can be connected to LEM, and explain the fields for configuring sensors, actors, and notification systems. Connector Categories The following table describes the various categories of network security products that can be connected to LEM. The Description column describes how the connectors (sensors and actors) typically work with each type of product or device. The Use with columns indicate if each product type requires Manager connectors, Agent connectors, or both. 
Category: Anti-Virus
Description: This category lets you configure sensors for use with common anti-virus products. These products protect against, isolate, and remove viruses, worms, and Trojan programs from computer systems. To configure an anti-virus connector, the anti-virus software must already be installed on the Agent computer. Some anti-virus connectors can also be run on the Manager by remotely logging from an Anti-Virus server. Due to software conflicts, it is recommended that you run only one brand of anti-virus software per computer.

Category: Application
Description: This category lets you configure sensors for use with application switches. Application-Layer switches transmit and monitor data at the application layer.

Category: Database
Description: This category lets you configure sensors for use with database auditing products. These products monitor databases for potential database intrusions, changes, and database system events.

Category: File Transfer and Sharing
Description: This category lets you configure sensors for use with file transfer and file sharing products. These products are used to share files over the local network and/or Internet. Monitoring these products provides information about what files are being transferred, by whom, and system events.

Category: Firewalls
Description: This category lets you configure sensors and actors for use with applications and devices that are used to protect and isolate networks from other networks and the Internet. Firewall sensors connect to, read, and retrieve firewall logs. Most firewalls also have an active response connector. These connectors configure actors that interface with routers and firewalls to perform block commands. Actors can perform active responses either via telnet or serial/console cable. Normally, you will configure these connectors on the Manager. To configure a firewall connector, the firewall product must already be installed on the Agent computer, or it must be remotely logging to an Agent or a Manager. Normally, you will configure these connectors on the Manager. You must also configure each firewall’s data gathering and active response capabilities separately. For example, configuring a firewall’s data gathering capabilities does not configure the firewall’s active response settings.

Category: Identity and Access Management
Description: This category lets you configure sensors for use with identity access, identity management, and other single-sign-on connectors. These products provide authentication and single-sign-on capabilities, account management, and other user access features. Monitoring these products provides information about authentication and management of accounts.

Category: IDS and IPS
Description: This category lets you configure sensors and actors for use with network-based and host-based intrusion detection systems. These products provide information about potential threats on the network or host, and can be used to raise alarms about possible intrusions, misconfigurations, or network issues. Generally, network-based IDS and IPS connectors are configured to log remotely, while host-based IDS and IPS systems log locally on an agent system. Some network-based IPS systems provide the capability to perform an active response via their actor connector, allowing you to block an IP address at the IPS device.

Category: Manager
Description: This category lets you configure sensors for use with the Manager and other Appliances. These connectors monitor for conditions on the Manager that may be informational or display potential problems with the appliances.

Category: Network Management
Description: This category lets you configure sensors for use with network management connectors. These connectors monitor for different types of network activity from users on the network, such as workstation-level process and application monitoring. Generally, these systems are configured to log remotely from a central monitoring server.

Category: Network Services
Description: This category lets you configure sensors for use with different network services. These connectors monitor service-level activity for different network services, including DNS and DHCP. Most network services are configured to log locally on an agent's system, however, some are configured to log remotely.

Category: Operating Systems
Description: This category lets you configure sensors for use with utilities in the Microsoft Windows operating system that monitor system events. This category includes a Windows Active Response connector. This connector configures an actor that enables Windows active response capabilities on Agents using Windows operating systems. This allows LEM to perform operating system-level responses, such as rebooting computers, shutting down computers, disabling networking, and disabling accounts. To configure an operating system connector, the operating system software must already be installed on the Agent computer. If you perform the remote Agent installation, the Windows NT/2000/XP Event Application Logs and System Logs connectors are configured by default.

Category: Proxy Servers and Content Filters
Description: This category lets you configure sensors for use with different content monitoring connectors. These connectors monitor user network activity for such activities as web surfing, IM/chat, and file downloads, and events related to administering the monitoring systems themselves. Generally, these connectors are configured to log remotely from the monitoring system.

Category: Routers/Switches
Description: This category lets you configure sensors, and in some cases actors, for use with different routers and switches. These connectors monitor activity from routers and switches such as connected/disconnected devices, misconfigurations or system problems/events, detailed access-list information, and other related messages. Some routers/switches have the capability to configure an actor connector to block an IP address at the device. Generally, these connectors are configured to log remotely from the router/switch.

Category: System Scan Reporters
Description: This category lets you configure sensors for use with different asset scanning connectors, such as vulnerability scanners. These connectors provide information about potential vulnerabilities, exposures, and misconfigurations with different devices on the network. Generally, these connectors create events in the 'Asset' categories in the event tree.

Category: System Connectors
Description: This category lets you configure the Manager with an external notification system, so LEM can transmit event messages to LEM users via email or pager. For details, see “Setting up a Notification System,” later in this appendix.

Category: VPN and Remote Access
Description: This category lets you configure sensors and actors for use with Virtual Private Network (VPN) server products that provide secure remote access to networks. Normally, you will configure these connectors on the Manager.

Category: Web Server
Description: This category lets you configure sensors for use with Web server products. To configure a web server connector, the web server software must already be installed on the Agent or Manager computer.

Configuring Sensors

The following table describes each field you’ll find on the Connector Configuration form when configuring sensors for data gathering connectors. The actual fields that appear depend on the connector you are configuring. Not every field appears with every connector.
For convenience, the table is sorted alphabetically by field name.

Field: Alias
Description: Type a name that easily identifies the application or appliance event log file that is being monitored. For active response connectors, we recommend you end the alias with “AR”. For example, an alias for the Cisco PIX Active Response connector might be “Cisco PIX AR”. This allows you to differentiate the active response connector from the data gathering connector.

Field: Log File / Log Directory
Description: When you create a new alias for a connector, LEM automatically places a default log file path in the Log File box. This path tells the connector where the operating system stores the product’s event log file. For most connectors, you can change the log file path, as needed. However, some products write events to the Windows Application Log or the Windows System Log. In these cases, you are actually configuring the sensor that monitors events that are written to that log file. For these connectors, the Log File setting is disabled, and the system automatically populates the Log File field with the name of the Windows event log the sensor is monitoring. In most cases, you should be able to use the default log file path that is shown for the connector. These paths are based on the default vendor settings and the product documentation for each product. If a different log path is needed, type or paste the correct path in the Log File box, or use the Browse button to explore to the correct folder or file. If you are uncertain about which file path to use, either refer to your original product documentation, or contact SolarWinds Technical Support.
Note: If the product creates separate log files based on the current date or some other fixed interval, you can either select the log directory or any log file in that directory. If you select a log file, LEM reads through the directory’s log files in order, from the file you selected to the most current file. LEM then reads new files as they are added.

Field: nDepth Host
Description: If you are using a separate nDepth appliance (other than LEM), type the IP address or host name for the nDepth appliance. Generally, the default setting is correct. Only change it if you are advised to do so.

Field: nDepth Port
Description: If you are using a separate nDepth appliance (other than the SolarWinds LEM), type the port number to which the connector is to send nDepth data. Generally, the default setting is correct. Only change it if you are advised to do so.

Field: New File Name Interval
Description: Select the interval in which the connector posts and names each new log file. The interval tells the SolarWinds LEM when to begin reading the next log file. The default setting is Daily: yymmdd.

Field: Output
Description: Select the appropriate data output option:
• Event: This is the default option. It sends the connector’s log file data as events to the SolarWinds LEM for processing by your correlation rules, associated active responses, SolarWinds Consoles, and databases.
• nDepth: This option sends the connector’s log file data to a separate nDepth appliance for archiving. The data does not go to the SolarWinds LEM, so any potential event activity does not appear in the Event Panel. However, you can still use the Console's nDepth explorer to search the data on this appliance.
• Event, nDepth: SolarWinds recommends that you choose this option if you want to use nDepth to search log messages in addition to events. This option sends the connector’s log file data to the SolarWinds LEM for event processing and to SolarWinds nDepth for data archiving. This means the LEM reports potential event activity in the Event Panel, and nDepth archives the connector’s output data for later reference. Furthermore, you can use the Console's nDepth explorer to search either type of data.

Field: Server IP Address / [Product] IP Address / [Product] Server
Description: Type the IP address of the router or firewall. Use the following IP address format: 192.123.123.123.

Field: Sleep Time
Description: Type or select the time (in seconds) the connector sensor is to wait between event monitoring sessions. The default (and minimum) value for all connectors is one (1) second. If you experience adverse effects due to too many rapid readings of log entries, increase the Sleep Time for the appropriate connectors. Windows NT-based connectors automatically notify Windows Event Log sensors of new events that enter the log file. Should automatic notification stop for any reason, the Sleep Time dictates the interval the sensor is to use for monitoring new events.

Field: Connector Version
Description: This is SolarWinds’s release version for this connector. This is read-only information for reference purposes.

Field: Wrapper Name
Description: This is an identification key that the SolarWinds LEM uses to uniquely identify the properties that apply to this particular connector. This is read-only information for SolarWinds reference purposes.

If the connector settings you need are not shown here, you are probably configuring an active response connector. See “Configuring Actors,” below. When you have finished configuring the connector settings, don’t forget to start the connector.

Configuring Actors

The following table describes each field you will find on the Connector Configuration form when configuring actors for active response connectors. Because each connector is product-based, the fields that appear depend on the connector you are currently configuring. Not every field appears with every connector. For convenience, the table is sorted alphabetically by field name.

Field: Advanced
Recommended field settings: These settings are no longer applicable.
Field: Auth Port
Recommended field settings: For CheckPoint OPSEC firewalls, select the port used to connect to the CheckPoint server via the LEA/OPSEC interface.

Field: Base URL
Recommended field settings: Type the URL to connect to the SonicWALL firewall and perform the login. Include “http://” at the beginning of the URL. Note: SolarWinds does not support HTTPS. Only use this connector for older SonicWALL firmware versions.

Field: Block Timeout
Recommended field settings: For CheckPoint OPSEC firewalls, type the timeout in seconds for the blocks to expire from the firewall. A value of zero (0) means “never expire.”

Field: Client DN
Recommended field settings: For CheckPoint OPSEC firewalls, type the client DN string. The “CN” and “O” must be uppercase.

Field: Configuration Mode
Recommended field settings: Select either telnet or SerialPort.

Field: Enable Password
Recommended field settings: Type the connector’s password for entering Enable mode.

Field: Enable Windows Active Response
Recommended field settings: For the Windows Active Response connector, select this check box to enable active response settings.

Field: From Zone
Recommended field settings: Type the external zone used for configuring restrictions on firewall connections.

Field: Incoming Interface
Recommended field settings: Type the Interface for which the block is to be made effective; that is, the Interface for which incoming traffic will be filtered to prevent traffic from the blocked IP address.

Field: Password / Login Password
Recommended field settings: Type the connector’s login password. For some products, the password must be the same one that was used when the firewall was installed.

Field: Port Name / Serial Port Name
Recommended field settings: Select a serial port for performing active response via console cable, if applicable. The port name represents the physical communication port on the computer. The port name is only relevant if the Configuration Mode (above) is set to SerialPort. /dev/ttyS0 = serial port 1, and /dev/ttyS1 = serial port 2. If the Configuration Mode is set to telnet, then this field is disabled and the Port Name box reads: There are no ports available.

Field: Remote Connection Port
Recommended field settings: Type the firewall port used for connecting to and configuring the firewall.

Field: Server DN
Recommended field settings: For CheckPoint OPSEC firewalls, type the server DN string. The “cn” and “o” must be lowercase.

Field: Server Port
Recommended field settings: For CheckPoint OPSEC firewalls, select the port used to connect to the CheckPoint server via the SAM/OPSEC interface.

Field: Server / Server Address / IP Address / [Product] IP Address
Recommended field settings: Type the IP address of the router or firewall. This address allows LEM to perform active responses to events on that particular router or firewall. Use the following IP address format: 192.123.123.123.

Field: SSLCA
Recommended field settings: For CheckPoint OPSEC firewalls, click the Browse button to locate the SSL certificate file to upload to the server. If the connector is already configured, then use the existing certificate on the server. You can use the same path for both the LEA (log reading) and SAM (active response) certificates.

Field: Take Admin Control
Recommended field settings: Only one person can configure the firewall at one time. Selecting this check box allows LEM’s active response to take administrative control over the firewall when a user is logged into the WatchGuard Management Console. That is, LEM disconnects the user and takes control over the firewall.

Field: To Zone
Recommended field settings: Type the internal zone used for configuring restrictions on firewall connections.

Field: Connector Configuration Instance (Alias)
Recommended field settings: Type a name that easily identifies the product that LEM is to act on. For active response connectors, we recommend you end the alias with “AR”. For example, an alias for the Cisco PIX Active Response connector might be “Cisco PIX AR”. This allows you to differentiate the active response connector from the data gathering connector.

Field: User Name / Login User Name
Recommended field settings: Type the user name needed to log onto and configure the firewall. For some products, the user name must be the same one that was used when the firewall was installed.
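Before leaving the connector tables, the following Python script is an added example of the reading behaviour described for the Log File / Log Directory and New File Name Interval sensor fields above (illustrative code, not SolarWinds's connector implementation). It starts at a selected daily log file, reads each file in the directory in order through the most current one, and on later polls picks up lines appended to the newest file and files created since. The app-yymmdd.log naming, the sample files and their contents are constructed; a line that has not yet received its newline is left for the next poll, so a record still being written is never delivered half-read.

```python
"""Follow a directory of daily log files: read from the selected file
through the most current one, then keep reading as lines are appended
and new files appear.  Added example, not SolarWinds code.  The
app-yymmdd.log naming and the sample files are constructed."""
import os
import re
import tempfile
import time

# Constructed naming convention matching a "Daily: yymmdd" file name interval.
DATED_NAME = re.compile(r"^app-(\d{6})\.log$")


def ordered_log_files(directory):
    """Names of the daily files in the directory, oldest first.
    Zero-padded yymmdd sorts the same lexically and chronologically."""
    names = [n for n in os.listdir(directory) if DATED_NAME.match(n)]
    return sorted(names, key=lambda n: DATED_NAME.match(n).group(1))


class DirectoryReader:
    """Reads from start_file onwards, remembering how far into each file it
    has read, so each poll (one monitoring session) returns only new lines."""

    def __init__(self, directory, start_file=None, sleep_time=1.0):
        self.directory = directory
        self.start_file = start_file     # the file the user selected, or None for all
        self.sleep_time = sleep_time     # seconds between monitoring sessions
        self.offsets = {}                # file name -> position already consumed

    def poll(self):
        """One monitoring session: [(file name, line), ...] new since the last poll."""
        new_lines = []
        for name in ordered_log_files(self.directory):
            if self.start_file and name < self.start_file:
                continue                 # older than the file the user selected
            path = os.path.join(self.directory, name)
            with open(path, "r", encoding="utf-8") as fh:
                fh.seek(self.offsets.get(name, 0))
                while True:
                    before = fh.tell()
                    line = fh.readline()
                    if not line:
                        break
                    if not line.endswith("\n"):
                        fh.seek(before)  # partial line: leave it for the next poll
                        break
                    new_lines.append((name, line.rstrip("\n")))
                self.offsets[name] = fh.tell()
        return new_lines

    def follow(self, max_polls):
        """Generator: poll repeatedly, sleeping Sleep Time between sessions."""
        for _ in range(max_polls):
            yield from self.poll()
            time.sleep(self.sleep_time)


def _write(directory, name, lines, append=False):
    """Helper for the demo: write (or append) newline-terminated lines."""
    mode = "a" if append else "w"
    with open(os.path.join(directory, name), mode, encoding="utf-8") as fh:
        fh.writelines(line + "\n" for line in lines)


def demo():
    """Build a constructed log directory, start at the second day's file,
    then append a line and add a new day's file.  Returns the results of
    three successive polls."""
    with tempfile.TemporaryDirectory() as d:
        _write(d, "app-150901.log", ["day1: older than the selected file, skipped"])
        _write(d, "app-150902.log", ["day2 line 1"])
        _write(d, "app-150903.log", ["day3 line 1"])
        reader = DirectoryReader(d, start_file="app-150902.log", sleep_time=0)
        first = reader.poll()
        _write(d, "app-150903.log", ["day3 line 2"], append=True)
        _write(d, "app-150904.log", ["day4 line 1"])
        second = reader.poll()
        third = reader.poll()        # nothing new: []
    return first, second, third


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Raising sleep_time has the same effect as the Sleep Time field: fewer reads per second at the cost of later delivery. Running the script prints the two days' initial lines, then the appended and newly created lines, then an empty list.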
If the connector settings you need are not shown here, you are probably configuring a data gathering connector. When you have finished configuring the connector settings, don’t forget to start the connector.

Setting up a Notification System

The Connector Configuration form has a category called System connectors that you can use to set up an external notification system. This allows the Manager to transmit messages to SolarWinds users via e-mail or pager, to record pertinent event data or text to a specified file, or to synchronize your existing Directory Service Groups with your existing network directory services. The following table explains how to configure each option in the System connectors category.

Append Text to File Active Response

Description: Use this connector to have the Agent “write” the specified event data or text to the specified file.

Field: How to append
Recommended field settings: Select Newline to write the event data to the file so that each event is on a distinct line (that is, one event per line), by inserting a “return” or “newline” character. Select No Newline to stream the event data to the file by appending the new data immediately following any existing data in the file.

Field: Maximum file size (MB)
Recommended field settings: Type the allowable maximum file size for the text file, in Megabytes.

Directory Service Query

Description: Use this connector to have the Manager communicate with existing directory services on the network to retrieve and update group information. This allows you to synchronize your existing Directory Service Groups for use with rules and filters.

Field: User Name
Recommended field settings: Type a user name that is valid on the configured domain and server for authenticating to the domain and retrieving group information.

Field: Directory Service Server
Recommended field settings: Type the IP address or host name of your directory services server (commonly, this is a domain controller).

Field: Domain Name
Recommended field settings: Type the fully-qualified domain name of your directory services domain.

Field: Password
Recommended field settings: Type the password for the above user name that is valid on the configured domain and server for authenticating to the domain and retrieving group information.

Field: Directory Service Server’s Port
Recommended field settings: Type the port used to communicate with the directory service server.

Email Active Response

Description: Use this connector to have a Manager automatically notify users of events when configured to do so by event policy.

Field: Return Display Name
Recommended field settings: Type the name that you want to appear in the From field of active response e-mail messages.

Field: Port
Recommended field settings: Type the port used to communicate with the internal email server.

Field: Return Address
Recommended field settings: Type the email address that you want to appear in the From field of active response email messages.

Field: Mail Host
Recommended field settings: Type the IP address or host name of an internal SMTP server that the Manager can use to send email messages through without authentication.

Field: Authentication Server Username
Recommended field settings: Type the user name needed to access the internal email server, if required.

Field: Authentication Server Password
Recommended field settings: Type the password needed to access the internal email server, if required.

Field: Test E-mail Address
Recommended field settings: Type the e-mail address you want to use to test the Mail Host assignment. When you click the Test Email button, a test message should appear at this email address.

Field: Test Email button
Recommended field settings: This button tests your email notification settings to ensure that you entered the correct e-mail host. Click the Test Email button. Then check the email address’s in-box. If you entered the correct address, the in-box should receive the test message.

Appendix H: Filter Configuration Tables

The following table is for use with Filter Creation. It lists the possible filter combinations that you can create in the Conditions box for each type of field.
• The Left field column lists each type of field you can drag into the Conditions box’s left field.
• The Right field column lists the corresponding field types that you can drag into the Conditions box’s right field.
• The Operators columns list the types of comparisons you can make between left and right fields: exists, not in, in, =, ≠, >, >=, <, <=.

Left field: event
Right fields: event, event group (operators: exists)

Left field: text event field
Right fields: text event field, text event group field, text constant (operators: =, ≠)
Right fields: directory service group, subscription group, connector profile, user-defined group (operators: not in, in)

Left field: time event field
Right fields: time event field, time event group field, time constant (operators: >, >=, <, <=)
Right field: time of day (operators: not in, in)

Left field: number event field
Right fields: number event field, number event field group, number constant (operators: =, ≠, >, >=, <, <=)

Left field: text event group field
Right fields: text event field, text event group field, text constant (operators: =, ≠)
Right fields: directory service group, subscription group, connector profile, user-defined group (operators: not in, in)

Left field: time event group field
Right fields: time event field, time event group field, time constant (operators: >, >=, <, <=)
Right field: time of day (operators: not in, in)

Left field: number event group field
Right fields: number event field, number event group field, number constant (operators: =, ≠, >, >=, <, <=)

Left field: text constant
Right fields: directory service group, connector profile, user-defined group (operators: not in, in)

Left field: number constant
Right fields: directory service group, connector profile, user-defined group (operators: not in, in)

Left field: time constant
Right fields: directory service group, connector profile, user-defined group (operators: not in, in)

Comparing Values with Operators

When configuring a rule or a filter, whenever you drag an item from the list pane and position it next to an event variable, an operator icon appears between them.
The operator states how the event variable must compare with the other item to be subject to rule's or filter’s conditions. For example, an operator might state whether or not an event should be contained within or outside of an Time of Day Set; or it may state whether or not an event applies to a particular Connector Profile. The operators that appear between two elements vary, depending on your selections. The form only allows comparisons that are logical for the elements you have selected. For more information on which operators are available for a particular field, see the following reference tables: Each of these tables provides a matrix of valid operators for comparing an event variable to other elements. Selecting a new operator l l Click an operator to cycle through the various operators that are acceptable for the current condition. Ctrl+click an operator to show a list of operators you can choose from. Then click to select the operator you want to use. 601 Appendix H: Filter Configuration Tables Operator tips The following tips apply to operators: l l l When comparing two numeric values, the full range of mathematical operator options is available. An IP address is treated as a string (or text) value. Therefore, operators are limited to “equal” and “not equal.” DateTime fields have a default value of “> Time Now”, which means, greater than the current date and time. Table of operators The following table describes each operator and how it should be interpreted when used as a filter condition. Operator Meaning Exists Not exist Description Use these operators to specify if a particular event or Event Group exists. Read conditions with these operators as follows: “This [event/Event Group] must [exist/not exist].” Note: "Not exist" is only used in rules. is in Use these operators when comparing event fields with groups (such as Event Groups, User-Defined Groups, etc.). 
    They determine the filter's behavior based on whether or not the field is contained in a specific Group. Read conditions with these operators as:
    • This [event field] must be in this [Group].
    • This [event field] must not be in this [Group].

Equals, Does not equal
    Read conditions with these operators as:
    • This [event variable] must equal this [list item*].
    • This [event variable] must not equal this [list item*].
    Text comparisons (for IP addresses, host names, and so on) are limited to "equal" or "not equal."

Greater than, Greater than OR equal to, Less than, Less than OR equal to
    Read conditions with these operators as:
    • This [event variable] must be greater than this [list item*].
    • This [event variable] must be greater than or equal to this [list item*].
    • This [event variable] must be less than this [list item*].
    • This [event variable] must be less than or equal to this [list item*].

AND, OR
    Conditions and groups of conditions are subject to AND and OR comparisons.
    • The AND symbol means two or more conditions (or groups) must occur together for the filter to apply. This is the default comparison for new groups.
    • The OR symbol means any one of several conditions (or groups) may occur for the filter to apply. When comparing groups of distinct events, you must use the OR symbol.
    If you click an AND operator, it changes to an OR, and vice versa.

* A list item can be another event variable, such as an event field. For example, you may want to check that an event's source equals its destination. In this case, you would compare two event fields, such as SourceMachine = DestinationMachine.

Examples of AND and OR conditions

Filter groups and conditions, and rule groups and correlations, are all subject to AND and OR conditions. By default, new groups, conditions, and correlations appear with an AND condition.
AND and OR conditions can surround nested groups, and they can be used between groups on the same level to create complex filter conditions or rule correlations.

Example                                                      Description
If x AND y AND z occur, report the event.                    If all of the conditions apply, report the event.
If x OR y OR z occurs, report the event.                     If any of the conditions apply, report the event.
If (x AND y) OR z occurs, report the event.                  If conditions x and y occur, or if condition z occurs, report the event.
If (a AND b) OR (x AND y) OR z occurs, report the event.     Create three groups, two nested within the third. The nested groups are configured as (a AND b) and (x AND y); the outer group holds z and joins it to the two nested groups with OR.
If a AND ((b AND c) OR (d AND e)) occurs, report the event.  This is the layout "Condition1" AND ("Condition2 AND Condition3" OR "Condition4 AND Condition5"): the outer group joins Condition1 with AND to a nested group, and that nested group joins two further nested groups with OR. The filter reports the event when it meets Condition1 and Condition2 and Condition3, or Condition1 and Condition4 and Condition5.

An AND or OR applies to the whole group it sits in, so (a AND b) OR c and a AND (b OR c) differ only in where the group boundary is drawn. When a filter or rule matches too often or not at all, check the grouping, not just the operators.

Configuring event filter notifications

In Filter Creation, the Notifications box lets you define how the Console is to notify a user when the filter receives an event. Each notification option instructs the Console to announce the event in a particular way. You can have the filter display a pop-up message, display the event in bold text, play a warning sound, have the filter name blink, or configure a combination of these methods.

Selecting the notification method

1. In the list pane, click the Notifications list.
2. Drag one or more notification options from the Notifications list to the Notifications box.
3. Configure each option, as described in the Notifications table, below.

Notifications table

The following table lists the notification methods that can be employed to notify a user that a filter's event threshold has been met.
• The Notification column lists each option that is available in the list pane's Notifications list. They are alphabetized for easy reference.
• The Description column briefly states how each option behaves.
• The Fields column explains the data fields that can be configured for each option.

Display Popup Message
    Description: Causes the filter to display the Popup Notification form when receiving an event. The form states the name of the filter that is receiving the events, and that the filter's event threshold has been met. From the form, the message recipient can choose to view the filter, to turn off the pop-up form for that filter, or to turn off the pop-up form for all filters.
    Fields:
    • Notify on x events received: Type the number of events the filter must receive before displaying the Popup Notification form.
    • Repeat on x events received: If you want the pop-up form to appear again after receiving repeated events, select the Repeat on check box. Then, in the events received box, type how many more events the filter should receive before issuing the pop-up form another time.

Display New Events As Unread
    Description: Displays new events in the filter in bold text. They remain bold until you acknowledge them by clicking them or by opening them in the Event Explorer.
    Fields: Not applicable.

Enable Blinking Filter Name
    Description: Causes the filter name to blink in the Filters pane. The filter tab stops blinking once you acknowledge it by selecting it.
    Fields:
    • Color: Click the Color button to open the Blink Color form. Choose a color from one of the three color palettes, then click OK. The filter name will blink in this color.
    • Time (ms): Move the slider to select the amount of time between blinks, in milliseconds.
    • Notify on x events received: Type the number of events the filter must receive before the filter tab begins blinking.
    • Repeat on x events received: If you want the tab to begin blinking again after receiving repeated events, select the Repeat on check box. Then, in the events received box, type how many more events the filter should receive before it starts blinking again.

Play Sound
    Description: Causes the filter to play a sound upon receiving an event.
    Fields:
    • Sound/Browse: To select a sound, click the Browse button. Then use the Open form to locate and select the sound file that you want to use. Sound files must be of the .wav file type. When you are done, the name of the file should appear in the Sound box. To test the sound, click the "play" button.
    • Notify on x events received: Type the number of events the filter must receive before playing the sound.
    • Repeat on x events received: If you want the sound to play again after receiving repeated events, select the Repeat on check box. Then, in the events received box, type how many more events the filter should receive before the filter plays the sound another time.

Appendix I: Rule Configuration Tables

Rule Correlation Table

The following table is for use with Rule Creation. It lists the possible rule configurations you can create in the rule window's Correlations box for each type of field.

• The Left field column lists each type of field you can drag into the Correlations box's left field.
• The Right field column lists the corresponding field types that you can drag into the Correlations box's right field.
• The Operators columns list the types of comparisons you can make between left and right fields.
Left field                 Right field                   Operators
event                      (none)                        exists  not exists
event group                (none)                        exists  not exists
text event field           text event field              =  ≠
                           text event group field        =  ≠
                           text state variable field     =  ≠
                           text constant                 =  ≠
                           directory service group       in  not in
                           connector profile             in  not in
                           user-defined group            in  not in
time event field           time event field              time comparisons*
                           time event group field        time comparisons*
                           time state variable field     time comparisons*
                           time constant                 time comparisons*
                           time of day                   in  not in
number event field         number event field            =  ≠  >  >=  <  <=
                           number event group field      =  ≠  >  >=  <  <=
                           number state variable field   =  ≠  >  >=  <  <=
                           number constant               =  ≠  >  >=  <  <=
text event group field     (same right fields and operators as text event field)
time event group field     (same right fields and operators as time event field)
number event group field   (same right fields and operators as number event field)
text state variable        (same right fields and operators as text event field)
time state variable        (same right fields and operators as time event field)
number state variable      (same right fields and operators as number event field)
text constant              directory service group       in  not in
                           connector profile             in  not in
                           user-defined group            in  not in
number constant            (same right fields and operators as text constant)
time constant              (same right fields and operators as text constant)

* As in the filter table, the original matrix marks four of the six comparison operators for time-to-time comparisons; Ctrl+click the operator in the Console to see which are offered. Compared with the filter table, rules add text, time, and number state variable fields on both sides and the not exists operator; subscription group does not appear as a right field for rules.

Comparing Values with Operators

When configuring a rule or a filter, whenever you drag an item from the list pane and position it next to an event variable, an operator icon appears between them. The operator states how the event variable must compare with the other item for the event to be subject to the rule's or filter's conditions. For example, an operator might state whether an event falls inside or outside a Time of Day Set, or whether an event applies to a particular Connector Profile.

Selecting a New Operator

• Click an operator to cycle through the operators that are acceptable for the current condition.
• Ctrl+click an operator to show a list of the operators you can choose from, then click the operator you want to use.

Operator Tips

The following tips apply to operators:

• When comparing two numeric values, the full range of mathematical operators is available.
• An IP address is treated as a string (text) value, so its operators are limited to "equal" and "not equal." To match a range of addresses, list them in a User-Defined Group and use is in or is not in.
• DateTime fields have a default value of "> Time Now", meaning greater than the current date and time.

Filter groups and conditions, and rule groups and correlations, are all subject to AND and OR conditions. By default, new groups, conditions, and correlations appear with an AND condition.
AND and OR conditions can surround nested groups, and they can be used between groups on the same level to create complex rule correlations. The examples under Examples of AND and OR conditions in Appendix H apply unchanged to rule correlations: (x AND y) OR z is built as a nested AND group joined to z with OR, and a AND ((b AND c) OR (d AND e)) as an outer AND group that holds a nested OR group of two AND groups.

Actions table

The following table lists the actions a Manager can take in response to events. These actions are configured in the Respond form when you initiate an active response, and in the rules window's Actions box when you configure a rule's automatic response.

• The Action column lists the actions that are available. They are alphabetized for easy reference.
• The Description column briefly states how the action behaves.
• The Fields column lists the primary data fields that apply with each action.
Some data fields will vary, depending on the options you select. Every Agent, account, process, or IP address field below resolves from the event that triggered the rule, so a rule that correlates on the wrong event applies its response to the wrong host or account; run a new rule in Test mode (which correlates without executing actions) before you enable its actions.

Add Domain User To Group
    Adds a domain user to a specified user group that resides on a particular Agent.
    • Domain Controller Agent: Select the event field or constant that defines the Agent on which the group to be modified resides. To modify a group at the domain level, specify a domain controller as the Agent.
    • Group Name: Select the event field or constant that defines the group that is to be modified.
    • Username: Select the event field or constant that defines the user who is to be added to the group.

Add Local User To Group
    Adds a local user to a specified user group that resides on a particular Agent.
    • Agent: Select the event field or constant that defines the Agent on which the group to be modified resides. To modify a group at the domain level, specify a domain controller as the Agent.
    • Group Name: Select the event field or constant that defines the group that is to be modified.
    • Username: Select the event field or constant that defines the user who is to be added to the group.

Add User-Defined Group Element
    Adds a new data element to a particular User-Defined Group.
    • User-Defined Group: From the User-Defined Groups list, select the User-Defined Group that is to receive the new data element.
    • Value: Select the event field or constant that defines the data element that is to be added to the specified User-Defined Group. The fields vary according to which User-Defined Group you select.

Append Text To File
    Appends text to a file. This lets you take data from an event and put it in a text file.
    • Agent: Select the event field or constant that defines the Agent on which the file to be appended is located.
    • File Path: Select the event field or constant that defines the path to the Agent file that is to be appended with text.
    • Text: Select the event field or constant that defines the text to be appended to the file.

Block IP
    Blocks an IP address.
    • IP Address: Select the event field or constant that identifies the device's IP address.

Create User Account
    Creates a new user account on an Agent.
    • Agent: Select the event field or constant that defines the Agent on which the new user account is to be added. To create a user account at the domain level, specify a domain controller as the Agent.
    • Account Name: Select the event field or constant that names the account that is to be created.
    • Account Password: Select the event field or constant that defines the password that is to be assigned to the new account.

Create User Group
    Creates a specified user group on an Agent. A user group is a group of Windows users on a Windows PC, server, or network who are external to the LEM system.
    • Agent: Select the event field or constant that defines the Agent on which the new user group is to reside. To create a user group at the domain level, specify a domain controller as the Agent.
    • Group Name: Select the event field or constant that defines which user group is to be created.

Delete User Account
    Deletes a user account from an Agent.
    • Agent: Select the event field or constant that defines the Agent on which the user account is to be deleted. To delete a user account at the domain level, specify a domain controller as the Agent.
    • Account Name: Select the event field or constant that names the account that is to be deleted.

Delete User Group
    Deletes a user group from a particular Agent.
    • Agent: Select the event field or constant that defines the Agent on which the user group to be deleted resides. To delete a user group at the domain level, specify a domain controller as the Agent.
    • Group Name: Select the event field or constant that defines the user group that is to be deleted.

Detach USB Device
    Detaches a USB mass storage device that is connected to an Agent.
    • Agent: Select the event field or constant that defines the Agent from which the USB device is to be detached.
    • Device: Select the event field or constant that defines the device ID of the USB device that is to be detached.

Disable Domain User Account
    Disables a domain user account on a Domain Controller Agent.
    • Domain Controller Agent: Select the event field or constant that defines the Domain Controller Agent on which the domain user is to be disabled.
    • Destination Account: Select the event field or constant that defines the account that is to be disabled.

Disable Local User Account
    Disables a local user account on an Agent.
    • Agent: Select the event field or constant that defines the Agent on which the local user is to be disabled.
    • Destination Account: Select the event field or constant that defines the account that is to be disabled.

Disable Networking
    Disables an Agent's network access. The result is that the specified Agent will be unable to connect to the network.
    • Agent: Select the event field or constant that defines the Agent that is to be disabled from the network.
    • Message: Type the message that is to appear on the Agent.

Disable Windows Machine Account
    Disables a Windows machine account that resides on a Domain Controller Agent.
    • Domain Controller Agent: Select the event field or constant that defines the Domain Controller Agent on which the account is to be disabled.
    • Destination Account: Select the event field or constant that specifies which Windows account is to be disabled.

Enable Domain User Account
    Enables a domain user account on a Domain Controller Agent.
    • Domain Controller Agent: Select the event field or constant that defines the Domain Controller Agent on which the domain user is to be enabled.
    • Destination Account: Select the event field or constant that defines the account that is to be enabled.

Enable Local User Account
    Enables a local user account on an Agent.
    • Agent: Select the event field or constant that defines the Agent on which the local user is to be enabled.
    • Destination Account: Select the event field or constant that defines the account that is to be enabled.

Enable Windows Machine Account
    Enables a Windows machine account that resides on a Domain Controller Agent.
    • Domain Controller Agent: Select the event field or constant that defines the Domain Controller Agent on which the account is to be enabled.
    • Destination Account: Select the event field or constant that specifies which Windows account is to be enabled.

Incident Event
    Escalates potential issues by creating an Incident Event.
    • Event: Select which Incident Event the rule is to create.
    • Event Fields: From the list pane, select the events and constants that define the appropriate data elements for each event field. The fields vary, depending on which Incident Event is selected.

Infer Event
    Escalates potentially irregular audit traffic into security events by creating (or "inferring") a new event with a higher severity.
    • Event: Select which Event the rule is to infer.
    • Event Fields: From the list pane, select the events and constants that define the appropriate data elements for each event field. The fields vary, depending on which event is selected.

Kill Process by ID
    Terminates the specified process on an Agent by using its process ID value.
    • Agent: Select the event field or constant that defines the Agent on which the process is to be terminated.
    • Process ID: Select the event field or constant that identifies the ID number of the process that is to be terminated.

Kill Process by Name
    Terminates the specified process on an Agent by referring to the process name.
    • Agent: Select the event field or constant that defines the Agent on which the process is to be terminated.
    • Process Name: Select the event field or constant that identifies the name of the process that is to be terminated.
    • Account Name: Select the event field or constant that identifies the name of the account that is running the process to be terminated.

Log Off User
    Logs the user off of an Agent.
    • Agent: Select the event field or constant that defines the Agent from which the user is to be logged off.
    • Account Name: Select the event field or constant that identifies the specific account name that is to be logged off.

Modify State Variable
    Modifies a state variable.
    • State Variable: From the State Variables list, drag the state variable that the rule is to modify.
    • State Variable Fields: From the appropriate component list, type or drag the data element that is to be modified in the state variable. The fields vary, depending on which state variable is selected.

Remove Domain User From Group
    Removes a domain user from a specified user group that resides on a particular Agent.
    • Domain Controller Agent: Select the event field or constant that defines the domain controller Agent on which the group to be modified resides.
    • Group Name: Select the event field or constant that defines the group that is to be modified.
    • User Name: Select the event field or constant that defines the user who is to be removed from the group.

Remove Local User From Group
    Removes a local user from a specified user group that resides on a particular Agent.
    • Agent: Select the event field or constant that defines the Agent on which the group to be modified resides.
    • Group Name: Select the event field or constant that defines the group that is to be modified.
    • User Name: Select the event field or constant that defines the user who is to be removed from the group.

Remove User-Defined Group Element
    Removes a data element from a particular User-Defined Group.
    • User-Defined Group: From the User-Defined Groups list, select the User-Defined Group from which the specified data element is to be removed.
    • Value: Select the event field or constant that defines the data element that is to be removed from the specified User-Defined Group. The fields vary according to which User-Defined Group you select.

Reset User Account Password
    Resets a user account password on a particular Agent.
    • Agent: Select the event field or constant that identifies the Agent on which the user password is to be reset. To reset an account at the domain level, specify a domain controller as the Agent.
    • Account Name: Select the event field or constant that identifies the user account that is to be reset.
    • New Password: Select the event field or constant that defines the user's new password.

Restart Machine
    Reboots an Agent.
    • Agent: Select the event field or constant that identifies the Agent that is to be rebooted.
    • Delay (sec): Type the time (in seconds) after the event occurs that the Manager is to wait before rebooting the Agent.

Restart Windows Service
    Restarts the specified Windows service on an Agent.
    • Agent: Select the event field or constant that identifies the Agent on which the Windows service will be restarted.
    • Service Name: Select the event field or constant that identifies the name of the service that is to be restarted.

Send Email Message
    Sends a preconfigured email message to a predetermined email distribution list.
    • Email Template: Select the template that the email message is to use.
    • Recipients: Click the check boxes to select which users are to receive the email message.
    • Email Fields: Either drag a field from the components list, or select a constant from the components list, to supply the data elements that are to appear in each email template field. The fields vary, depending on which email template is selected.

Send Popup Message
    Displays a pop-up message on an Agent.
    • Agent: Select the event field or constant that identifies the Agent that is to receive the pop-up message.
    • Account Name: Select the event field or constant that identifies the user account to receive the message.
    • Message: Select the event field or constant that defines the message that is to appear on the Agent's monitor.

Shutdown Machine
    Shuts down an Agent.
    • Agent: Select the event field or constant that identifies the Agent that is to be shut down.
    • Delay (sec): Type the time (in seconds) after the event occurs that the Manager is to wait before shutting down the Agent.

Start Windows Service
    Starts the specified Windows service on an Agent.
    • Agent: Select the event field or constant that identifies the Agent on which the Windows service is to be started.
    • Service Name: Select the event field or constant that defines the Windows service that is to be started.

Stop Windows Service
    Stops the specified Windows service on an Agent.
    • Agent: Select the event field or constant that identifies the Agent on which the Windows service is to be stopped.
    • Service Name: Select the event field or constant that defines the Windows service that is to be stopped.

Appendix J: Additional Configuration and Troubleshooting Information
1. Auto-populating User-Defined Groups Using a LEM Rule
2. Configuring Default Batch Reports on Vista/7/2008 Computers
3. Configuring LEM Reports on Computers Without the LEM Console
4. Configuring Report Restrictions
5. Configuring your LEM Appliance Log Message Storage and nDepth Search
6. Creating a Custom Filtered Report
7. Creating a Filter for a Specific Event Type
8. Creating Connector Profiles to Manage and Monitor LEM Agents
9. Creating Email Templates in the LEM Console
10. Creating Rules from Your LEM Console to Take Automated Action
11. Creating Users in the LEM Console
12. Disabling Windows Filtering Platform Alerts Using Alert Distribution Policy
13. Do not modify the Output, nDepth Host, or nDepth Port fields when configuring LEM connectors unless your appliance is set up to store original log data
14. Enabling file auditing in Windows
15. Enabling LEM to Track Events
16. Filtering and Exporting LEM Reports
17. Getting Started with User-Defined Groups
18. Modifying Filters for Users with the Monitor Role
19. Output, nDepth Host, nDepth Port Fields
20. Report Formats and their corresponding numbers listed in a LEM scheduled report ini file
21. Troubleshooting LEM Agent Connections
22. Troubleshooting LEM Rules and Email Responses
23. Troubleshooting 'Unmatched Data' or 'Internal New Tool Data' events in your LEM Console
24. Using the Append Text To File Active Response
25. Using the Block IP Active Response
26. Using the Computer-based Active Response
27. Using the Detach USB Device Active Response
28. Using the Disable Networking Active Response
29. Using the Kill Process Active Response
30. Using the SolarWinds LEM Local Agent Installer Non-interactively
31. Using the SolarWinds LEM Remote Agent Installer
32. Using Time of Day Sets to Pinpoint Specific Time Frames in Filters and Rules
33. Using the User-based Active Response
34. Viewing All Traffic from a Specific Device in the LEM Console
35. Windows Audit Policy and best practice

Auto-populating User-Defined Groups Using a LEM Rule

Automate how you populate User-Defined Groups by using the Add User-Defined Group Element active response in a LEM Rule. The Add User-Defined Group Element active response populates a pre-defined User-Defined Group with static or dynamic values, as defined by that rule. Complete the following procedure to populate a User-Defined Group based on a specific type of event, such as when you attach a USB device you want to tag as authorized, or when a user attempts to visit a prohibited website.

To create a LEM rule to automatically populate a User-Defined Group:

1. Open your LEM Console, and then log in to your LEM Manager as an administrator.
2. Click the Build tab, and then select Rules.
3. Click the + button in the upper-right corner of the Rules view.
4. Name your rule, and give it a description if you want.
5. Populate the Correlations box with conditions that represent the event you want to trigger your rule. For the USB example:
   a. Click Events on the components pane on the left, and then enter SystemStatus (without spaces) in the search box.
   b. Click SystemStatus, and then locate EventInfo in the Fields: SystemStatus list.
   c. Drag EventInfo into the Correlations box. The left side of your new condition should read SystemStatus.EventInfo.
   d. Enter *Attached* into the Text Constant field, denoted by the pencil icon, on the right side of your new condition.
   e. If you want to restrict this procedure to one computer (recommended), create a second condition that reads SystemStatus.DetectionIP = computerName, where computerName is the hostname of the computer you want to specify. Without this condition, a device attached to any Agent-monitored computer that reports the event is tagged as authorized.
   Note: In this example, the computer you attach your authorized devices to must have a LEM Agent with USB Defender installed, whether you specify it in your rule or not.
6. Click Actions on the components pane, and then locate Add User-Defined Group Element.
7. Drag Add User-Defined Group Element into the Actions box.
8. Within the Add User-Defined Group Element action, select the appropriate User-Defined Group, such as Authorized USB Devices. If you do not find the User-Defined Group:
   a. Close the action and select Build > Groups.
   b. Click the + button on the top right to create your own User-Defined Group, or clone an existing group.
9. Populate the action using the events present in your Correlations. For the USB example:
   a. Select Authorized USB Devices from the User-Defined Group menu.
   b. Click Events on the components pane, and then verify that SystemStatus is still selected.
   c. Drag ExtraneousInfo from the Fields: SystemStatus list into the blank Value field in the action.
10. Select Enable at the top of the Rule Creation window, and then modify the Test and Subscribe settings if you want. Putting a rule into Test lets the rule correlate as configured, but the rule does not perform any of the actions listed; in this example, it does not add anything to the User-Defined Group.
11. Click Save at the bottom of the Rule Creation window.
12. Click Activate Rules at the top of the main Rules view.

Any time the event you defined in your rule occurs, the value you defined in the Value field of the action is added to the User-Defined Group you specified. In the USB example, the attached device is added to the Authorized USB Devices group.

Additional Information

For additional information about working with LEM rules, see Creating Rules from your LEM Console to Take Automated Action.
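The condition semantics from Comparing Values with Operators and Examples of AND and OR conditions (Appendix H), and the USB rule built in the procedure above, as an added example. This is not SolarWinds code and not how the LEM Manager is implemented: it is a stand-alone model in which Field, GroupRef and TimeOfDaySet stand in for the Console's event fields, groups and Time of Day Sets; the events, the host names (ws-hr-01, ws-fin-07), the group contents and the Business Hours window are constructed, and case-insensitive wildcard matching for text constants is an assumption. It shows nested AND/OR groups evaluated recursively, is in / is not in against a User-Defined Group and a Time of Day Set, text restricted to = and != (so a range comparison on an IP address string is refused, per the operator tips), and Test mode letting a rule fire without running its Add User-Defined Group Element action.

```python
# Added example, not SolarWinds code: a minimal evaluator for LEM-style rule and filter
# conditions plus one active response. Hosts, group contents and events are constructed.
from collections import namedtuple
from datetime import datetime, time
from fnmatch import fnmatchcase
import operator

class Field(str): "An event field, written EventType.Field in the Console."
class GroupRef(str): "A User-Defined Group, Connector Profile or Directory Service Group."
class TimeOfDaySet(str): "A named list of [start, end) time-of-day windows."

Condition = namedtuple("Condition", "left op right", defaults=(None,))
Group = namedtuple("Group", "op items")                 # op is "AND" or "OR"; items nest freely
Rule = namedtuple("Rule", "name correlations actions test", defaults=(False,))
AddUserDefinedGroupElement = namedtuple("AddUserDefinedGroupElement", "group value")

COMPARE = {"=": operator.eq, "!=": operator.ne, ">": operator.gt,
           ">=": operator.ge, "<": operator.lt, "<=": operator.le}

def value_of(ref, event):
    """A Field resolves against the event (None if it names another event type); else a constant."""
    if isinstance(ref, Field):
        etype, _, name = ref.partition(".")
        return event["fields"].get(name) if etype == event["type"] else None
    return ref

def eval_condition(c, event, ctx):
    if c.op in ("exists", "not exists"):                # "not exists" is rule-only in LEM
        present = event["type"] == c.left.partition(".")[0]
        return present if c.op == "exists" else not present
    left = value_of(c.left, event)
    if left is None:
        return False
    if c.op in ("in", "not in"):                         # membership in a group or Time of Day Set
        if isinstance(c.right, TimeOfDaySet):
            t = left.time() if isinstance(left, datetime) else left
            member = any(start <= t < end for start, end in ctx["time_sets"][c.right])
        else:
            member = str(left).lower() in {v.lower() for v in ctx["groups"][c.right]}
        return member if c.op == "in" else not member
    right = value_of(c.right, event)
    if isinstance(left, str) or isinstance(right, str):
        # Text (IP addresses, host names, ...) supports only = and !=; * is a wildcard.
        if c.op not in ("=", "!="):
            raise ValueError(f"operator {c.op!r} is not valid for text fields")
        hit = fnmatchcase(str(left).lower(), str(right).lower())   # assumption: case-insensitive
        return hit if c.op == "=" else not hit
    return COMPARE[c.op](left, right)                   # numbers and times: full comparison set

def evaluate(node, event, ctx):
    """Recursively evaluate a Condition or a nested AND/OR Group."""
    if isinstance(node, Condition):
        return eval_condition(node, event, ctx)
    results = [evaluate(item, event, ctx) for item in node.items]
    return all(results) if node.op == "AND" else any(results)

def run_rule(rule, event, ctx):
    """True when the correlations match; actions run only when the rule is not in Test."""
    if not evaluate(rule.correlations, event, ctx):
        return False
    if not rule.test:
        for action in rule.actions:                      # only Add User-Defined Group Element is modelled
            ctx["groups"].setdefault(action.group, set()).add(str(value_of(action.value, event)))
    return True

def usb_rule(test=False):                                # steps 5 and 9 of the procedure above
    return Rule("Tag authorized USB devices", Group("AND", [
        Condition(Field("SystemStatus.EventInfo"), "=", "*Attached*"),
        Condition(Field("SystemStatus.DetectionIP"), "=", "ws-hr-01")]),
        [AddUserDefinedGroupElement("Authorized USB Devices", Field("SystemStatus.ExtraneousInfo"))], test)

EVENTS = [  # constructed sample events, not real LEM output
    {"type": "SystemStatus", "fields": {"EventInfo": "USB Mass Storage Device Attached",
                                        "DetectionIP": "ws-hr-01", "ExtraneousInfo": "usb-disk-serial-0001"}},
    {"type": "SystemStatus", "fields": {"EventInfo": "USB Mass Storage Device Attached",
                                        "DetectionIP": "ws-fin-07", "ExtraneousInfo": "usb-disk-serial-0002"}},
    {"type": "SystemStatus", "fields": {"EventInfo": "USB Mass Storage Device Detached",
                                        "DetectionIP": "ws-hr-01", "ExtraneousInfo": "usb-disk-serial-0001"}},
    {"type": "UserLogon", "fields": {"DestinationAccount": "svc-backup", "SourceMachine": "10.0.5.20",
                                     "DetectionTime": datetime(2015, 9, 1, 2, 30)}},
]

def demo(test_mode=False):
    ctx = {"groups": {"Authorized USB Devices": set(), "Domain Admins": {"Administrator", "svc-backup"}},
           "time_sets": {"Business Hours": [(time(8, 0), time(18, 0))]}}
    usb_fired = [run_rule(usb_rule(test_mode), e, ctx) for e in EVENTS]
    # (a AND b) OR z, as in "Examples of AND and OR conditions": a privileged account logging on
    # outside business hours, or any logon from a flagged text range (wildcard on the address string).
    admin = Rule("Privileged logon off-hours", Group("OR", [
        Group("AND", [Condition(Field("UserLogon.DestinationAccount"), "in", GroupRef("Domain Admins")),
                      Condition(Field("UserLogon.DetectionTime"), "not in", TimeOfDaySet("Business Hours"))]),
        Condition(Field("UserLogon.SourceMachine"), "=", "192.168.*")]), [])
    try:   # the "IP address is text" tip: a range comparison is refused; use a group instead
        eval_condition(Condition(Field("UserLogon.SourceMachine"), ">", "10.0.0.0"), EVENTS[3], ctx)
        ip_range_rejected = False
    except ValueError:
        ip_range_rejected = True
    return {"usb_fired": usb_fired, "authorized": ctx["groups"]["Authorized USB Devices"],
            "admin_fired": run_rule(admin, EVENTS[3], ctx), "ip_range_rejected": ip_range_rejected}
```

demo() returns which constructed events fired the USB rule (only the Attached event from ws-hr-01) and the resulting contents of the Authorized USB Devices group; demo(test_mode=True) shows the rule still correlating while the group stays empty, which is the Test setting from step 10. The ValueError raised for > on the address string is the model's way of making the Console's behaviour visible: there the operator is simply not offered for text, and the supported way to express an address range is a User-Defined Group with is in.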
Configuring Default Batch Reports on Windows 7, 8 and Windows Server 2008, 2012 Computers

The LEM Reports installation includes a default batch set of INI files used to schedule reports. These files contain the configurations necessary to schedule several best practice reports on either a daily or weekly basis, depending on their scope.

Choosing a Reports Computer

- Reports is supported on Windows workstation 7/8 or server 2003/2008/2012.
- Choose a computer that is on overnight, because the daily and weekly start times for these reports are 1:00 AM and 3:00 AM, respectively.
- Choose a computer with at least 512 MB of RAM. SolarWinds recommends a computer with 1 GB of RAM or more for optimal reports performance.
- Include the computer in the list of IP addresses defined by the restrictreports command in the CMC. For more information, see Configuring Report Restrictions.

INI File Preparation

Modify the default INI files in the LEM Reports installation directory to specify the hostname of the LEM Manager or database in your environment and the export destination for your scheduled reports.

To modify the default INI files:

1. Navigate to the LEM Reports installation directory and open the SchedINI folder:
   - On 32-bit computers: C:\Program Files\SolarWinds Log and Event Manager Reports
   - On 64-bit computers: C:\Program Files (x86)\SolarWinds Log and Event Manager Reports
2. Open each of the BRPT*.ini files in a text editor and make the following changes:
   - Replace the default value next to Manager1 with the hostname of the LEM Manager or database appliance in your environment. Use the hostname of your LEM database appliance if you have a dedicated appliance to store your normalized LEM alert data.
   - Modify the ExportDest file path if you want to customize the location to which LEM Reports saves the exported reports. The default file path is %ProgramFiles%\SolarWinds Log and Event Manager Reports\Export.
3. Save your changes and close the files.

Scheduling the Reports to Run

Schedule your batch reports to run using Windows Task Scheduler. Complete the following procedure twice: once for the daily reports and once for the weekly reports.

To schedule reports using Windows Task Scheduler:

1. Create a new scheduled task by opening Control Panel > Administrative Tools > Task Scheduler.
2. Select Task Scheduler Library.
3. Click Create Basic Task in the Actions pane.
4. Enter a name for your task that reflects the frequency of the scheduled task. For example, enter LEM Reports - Weekly for the weekly task, and then click Next.
5. Select Daily or Weekly, depending on which batch of reports you are scheduling, and then click Next.
6. Set the start time and frequency for your scheduled reports, and then click Next.
   - For the daily task: 1 AM, Recur every 1 day
   - For the weekly task: 3 AM, Recur every 1 week, Monday
7. Select Start a program, and then click Next.
8. In the Program/script field, click Browse to browse for SWLEMReports.exe. See Step 1 in "INI File Preparation" on page 630 for the default installation paths.
9. In the Add arguments (optional) field, enter the following, according to the task being created:
   Notes:
   - Use the %ProgramFiles(x86)% environment variable on 64-bit computers.
   - The /l at the beginning of the argument is optional. It generates a log file called SWLEMReports.log when Task Scheduler runs your task. The file is saved in %ProgramFiles%\SolarWinds Log and Event Manager Reports.
10. For the daily task: /l "%ProgramFiles%\SchedINI\BATCHDay.ini"
11. For the weekly task: /l "%ProgramFiles%\SchedINI\BATCHWeek.ini"
12. Click Next.
13. Verify the task details on the Summary dialog, select Open the Properties dialog for this task when I click Finish, and then click Finish.
14. Click Change User or Group to change the user account Task Scheduler should use to complete the task.
   Notes:
   - Provide a user with administrator-level permissions.
   - If you specified a network location in Step 2 in "INI File Preparation" on page 630, provide a user with write permissions to that folder.
   - Use a service account to avoid having to maintain the task according to your password change policy.
15. On the Properties window, select Run whether user is logged on or not.
16. Select Run with highest privileges.
17. Select the appropriate operating systems in the Configure for menu, and then click OK to save your changes and exit the Properties window.
18. Enter the Windows password for the user specified for this task, and then click OK.

Default Report Schedules

Once configured, the scheduled tasks run and export the following reports:

Daily Reports
- EventSummary.pdf
- SubscriptionsByUser.pdf
- Incidents.pdf
- NetworkTrafficAudit.rpt

Weekly Reports
- MaliciousCode.rpt
- NetSuspicious.rpt
- NetAttackAccess.rpt
- NetAttackDenial.rpt
- Authentication.rpt
- FileAudit.rpt
- MachineAudit.rpt
- ResourceConfiguration.rpt

Notes:
- You can open reports with the .rpt extension in LEM Reports for filtering and exporting. If you have another program, like Crystal Reports, associated with this file format, you can still open these reports with LEM Reports by opening the Reports console first and then clicking Open on the Settings tab.
- If you create a scheduled report, you can remove the task from Windows Task Scheduler, and the INI file will still be in the SchedINI directory. You can rename the RPTxxxxx-x.ini file to BRPTxxxxx-x.ini and add the file to BatchDay.INI or BatchWeek.INI.
Configuring LEM Reports on Computers without the LEM Console

To add a manager to LEM Reports on computers without the LEM desktop console:

1. Open the LEM Reports application.
2. If the Manager List form does not open automatically, click Configure on the Settings tab, and then select Managers - Credentials and Certificates.
3. On the Manager Configuration pop-up window:
   a. Enter the hostname for your LEM appliance in the Manager Name field.
   b. Enter the admin user in the User name field.
   c. Enter the password for the admin user.
   d. Click the green + to save the credentials.
   e. Close the window.
   f. Open an SSH/PuTTY connection, enter the Manager menu, enter the enabletls command, and follow the prompts.
   Note: If you want to enable TLS communications, perform the following:
   i. Open the LEM Console, select Build > Users, create a local user, assign the reports role to this user, and then save.
   ii. Perform Step 3 using the reports user and password, and select TLS Connection before saving with the green + button.
4. Click Add Manager.
5. Click OK.

Configuring Report Restrictions

The LEM appliance allows unrestricted access to LEM Reports by default. To run LEM Reports, either modify this restriction to allow specific computers to use LEM Reports, or remove the restriction entirely.

LEM Reports access (port 9001) can be restricted in the same way that SSH access (port 32022) and console access (ports 8443/8080) can be restricted on the LEM appliance. LEM Reports can also be configured with a user name and password, similar to SSH and console access.

To configure your LEM Manager to allow specific computers to run LEM Reports:

1. Connect to your LEM virtual appliance using the vSphere console view, or an SSH client such as PuTTY.
2. At the cmc> prompt, enter service.
3. At the cmc::scm# prompt, enter restrictreports.
4. When prompted, press Enter.
5. Enter the IP addresses of the computers you want to allow to run LEM Reports, separated by spaces.
   Note: Ensure the list you provide is complete. Your entry overrides any previous entries.
6. Enter y to confirm your entry.
7. Enter exit to return to the cmc> prompt.
8. Enter exit to log out of your LEM virtual appliance.

To remove all LEM Reports restrictions:

1. Connect to your LEM virtual appliance using the vSphere console view, or an SSH client such as PuTTY.
2. At the cmc> prompt, enter service.
3. At the cmc::scm# prompt, enter unrestrictreports.
4. When prompted, press Enter.
   Note: Unrestricting LEM Reports makes the LEM database accessible from any computer on your network running LEM Reports.
5. Enter exit to return to the cmc> prompt.
6. Enter exit to log out of your LEM virtual appliance.

Configuring the USB Defender Local Policy Connector

This section describes how to create and configure the USB Defender Local Policy connector on an Agent. The connector allows an Agent to enforce restrictions on USB devices even while the Agent is not connected to the manager. Rather than using rules when disconnected, the connector uses a list of permitted users or devices: the Agent compares the fields in all USB device Attached events to a locally stored whitelist of users or devices, and if none of the fields match an entry on the list, the Agent detaches the device.

When the Agent is connected to the manager via the network, the manager rule also applies, so any device listed in the local whitelist must also be in the User Defined Group for authorized devices; otherwise the rule takes effect and the device is detached even though the whitelist in the USB Defender local policy allowed it. When the Agent is connected, both the USB Defender Local Policy and the LEM rule are active.

To configure the USB Defender Local Policy connector:

1. Create a text file with one entry per line. This file serves as the local policy. Each entry can be a user name or a USB device ID, taken from the ExtraneousInfo field of an Attached alert.
2. In the LEM Console, click Nodes from the Manage menu.
3. Click the gear icon next to the node to be configured and select Connectors.
4. Enter USB defender in the Refine Results window.
5. In the Nodes window, select the USB Defender Local Policy connector. Click its gear icon and click New.
6. Click the … button next to the Policy field to browse to the text file you created above and upload your list to the connector.
7. Click Save in the UDLP details pane to complete the setup.
8. When the new connector appears in the Connectors list, click the gear icon next to it and click Start.

Note: The authorized devices in the local whitelist must also be in the UDG for the manager's Detach Unauthorized USB rule, or the rule on the manager enforces detachment when the laptop is connected to the network. Conversely, if you are using a blacklist and the device is in the USB Local Policy but not in the User Defined Group of the rule, the device still detaches. Having a device or user in one whitelist or blacklist and not in the other is not recommended and yields inconsistent results.

Configuring your LEM Appliance Log Message Storage and nDepth Search

The LEM appliance can store the original logs that are normalized by the LEM Manager and Agents for retention and search purposes. To do this, both the LEM Manager and the applicable connectors must be configured accordingly. Complete the procedures below to configure both of these elements.

Notes:
- nDepth in this section refers to RAW data (the original log), and is different from the nDepth Search performed under Explore > nDepth in the Console.
- If you enable original log storage (RAW database storage) and enable connectors to send data to both databases, LEM storage requirements may double for the same retention period, and extra resource reservations of at least two additional CPUs and 8-16 GB of RAM may be required.
- Original log (RAW log storage) data does not appear in the Monitor tab in the Console. Rules can only fire on normalized data, not on the RAW log data being received.

To configure your LEM Manager to store original log files in their own database:

Note: The following procedure must be completed before configuring any connector to send log messages to your LEM appliance.

1. Log in to your LEM appliance using CMC credentials.
2. At the cmc> prompt, enter manager.
3. At the cmc::cmm# prompt, enter configurendepth and follow the prompts to configure your LEM Manager to use an nDepth server:
   a. Enter y at the Enable nDepth? prompt.
   b. If you are prompted with Run nDepth locally? (Recommended), enter y. This configures a separate database on your LEM appliance to store original log files.
   c. If your LEM implementation consists of several appliances, follow the prompts to complete the process for your dedicated database or nDepth appliance. For additional information about this process, contact Support.
4. Back at the cmc::cmm# prompt, enter exit to return to the previous prompt.
5. At the cmc> prompt, enter ndepth.
6. At the cmc::nDepth# prompt, enter start. This command starts the Log Message search/storage service.
7. Enter exit to return to the previous prompt.
8. Enter exit to log out of your LEM appliance.

To configure your connectors to send original log data to your LEM appliance:

1. Open the connector for editing in the Connector Configuration window for the LEM Manager or LEM Agent, as applicable:
   - If the connector has already been configured, stop the connector by clicking gear > Stop, and then click gear > Edit.
   - If the connector has not been configured, create a new instance of the connector by clicking gear > New next to the connector you want to configure.
2. In the Connector Details pane, change the Output value to Alert, nDepth. Leave the nDepth Host and nDepth Port values alone unless otherwise instructed by Support. The Output values are defined as:
   - Alert: Sends data to the alert database
   - nDepth: Sends data to the RAW (original log) database
3. If you are finished configuring the connector, click Save.
4. Start the connector by clicking gear > Start.
5. Click Close to close the Connector Configuration window.
6. Repeat these steps for each connector you want to send original log data to your LEM appliance.

Creating a Custom Filtered Report

This procedure describes how to save and configure the properties of a filtered report so that it can be used as a custom report.

1. Open the LEM Reports application and launch a preferred report.
2. Enter the desired time frame.
3. Click Select Expert.
4. Change the desired fields if you want a more refined report.

To save the filtered report:

1. Use Select Expert to filter the report to show only the type of data you want to see in your custom report.
2. Once the report has been filtered, click the Export button.
3. From the Format list, select Crystal Reports (RPT).
4. Leave Destination set to Disk file and click OK.
5. In the Save File window, navigate to the following folder: C:\Program Files (x86)\SolarWinds Log and Event Manager Reports\CustomReports
   Note: This is the default location for 64-bit operating systems. If you are using a 32-bit operating system, the default folder is C:\Program Files\SolarWinds Log and Event Manager Reports\CustomReports
6. In the File name field, type a name for your filtered report that will allow you to identify the report by its filename under Custom Reports, and click Save.

To see your new report in the Reports console:

1. On the Reports window, click the Settings tab.
2. From the Category list, select Custom Reports.
3. On the Quick Access Toolbar, click the Refresh Report List icon or press F5. When the refresh completes, the new custom report appears in the list, displaying any changes made to its Properties. You may now launch your custom report for any time frame.

Creating a Filter for a Specific Event Type

You can use the Create a Filter From This Event button at the top of the Event Details pane to create a new filter for the selected event.

To create a new filter for a specific event type:

1. Open your LEM Console and log in to your LEM Manager as an administrator or auditor.
2. Navigate to the Monitor view.
3. In the Event Grid, select the event you want to create a filter for.
4. With the selected event displayed in the Event Details pane, click the Create a Filter From This Event button. Notice the new filter in your Filters pane.
5. (Optional) Modify the new filter to show more specific data.
   a. Select the filter in the Filters pane.
   b. Click the gear icon at the top of the Filters pane, and then select Edit.
   c. Edit the filter by selecting the Events tab in Filter Creation, select the fields below to look at more specific details of this event type, and then click Save.

Video: Click the video icon to view the corresponding tutorial, which shows how to create a filter from an event.
Creating Connector Profiles to Manage and Monitor LEM Agents

Use Connector Profiles to manage and monitor similar LEM Agents across your network. The following two use cases are the most common for this type of component:

- Configure and manage connectors at the connector profile level to reduce the amount of work you have to do for large LEM Agent deployments.
- Create filters, rules, and searches using your Connector Profiles as groups of LEM Agents. For example, create a filter to show you all Web traffic from computers in your Domain Controller Connector Profile.

Complete the following procedures to create a Connector Profile using a single LEM Agent as its template.

To create a Connector Profile using a LEM Agent as a template:

1. Configure the connectors on the LEM Agent to be used as the template for your new Connector Profile. These connectors are applied to any LEM Agents that are later added to the Connector Profile.
2. Click the Build menu, and then select Groups.
3. Click the + menu, and then select Connector Profile.
4. Give your new Connector Profile a Name, and enter a Description if you wish.
5. Select the LEM Agent you want to use as your template from the Template list next to the Description field.
6. Click Save.

To add LEM Agents to your new Connector Profile:

Notes:
- An agent can only have one profile at a time.
- Any profile change is applied to all members of that profile.
- Agents that are members of a profile cannot have single-use connectors applied to individual members.

1. Locate the new Connector Profile in the Build > Groups view.
2. Click the gear icon next to your Connector Profile, and then select Edit.
3. Move LEM Agents from the Available Agents list to the Connector Profile by clicking the arrow next to them.
4. If you are finished adding LEM Agents to your Connector Profile, click Save. The connector configurations set for the template agent are applied to any agent added to the Connector Profile.

Creating Email Templates in the LEM Console

Email templates allow you to customize the appearance of the email notifications sent as responses in your rules. An email template has two components:

- Static text that lets you customize the appearance of the email
- Dynamic text (parameters) that is filled in from the original event that triggered the rule to fire

For example, when creating an Account Lockout template that notifies you when an account is locked out, or automatically files a trouble ticket, fill in some static text that describes the event and then use the dynamic text to describe the account from the original event, such as the username and the computer or domain controller it was locked out on.

Create templates that are specific to a type of event you are looking for, to avoid creating one email template per rule. For example, you can have one template for Account Modification that can be used to tell you when a user is added to or removed from a group, their password is reset, or other details are changed. There is no limit to the number of templates.

To keep rules, events, and emails simple to manage, SolarWinds recommends the following:

- Create the rule with a name that describes the event.
- Create the email template with a name that describes the event.
- In the email template subject and/or message, enter the event/rule name to describe the event/alert.

When receiving the email, you can then easily identify the email template used, the rule that fired, and the event that caused the rule to fire.

To create a new email template:

1. Go to Build > Groups.
2. Click the + button at the top and choose Email Template, or select one of the existing Email Templates, clone it, and then modify the name and parameters of the template.
3. In the Details pane, provide a name for your template. This name is used in rules to reference the template.
4. To create dynamic text (parameters) for your rule:
   a. Type a name in the Name field under the Parameters list and click the + button. For example, DetectionIP, DestinationAccount, EventInfo, and so on. This name is a reference to the actual event data.
   b. Repeat this for all the parameters you want to add.
   Note: Each of these is a variable that holds your data and places it in the right location in the email. For example, for an Account Lockout template, consider using the following parameters:
   - Time
   - Account
   - DC
   - Machine
5. Fill out the Subject box.
   - Specify static text (optional).
   - To use a Parameter, either type in the name as it appears in the Parameters list, including the dollar sign, or drag it from the Parameters list to where you want it to appear in the subject.
   Note: Using a dynamic Parameter in the Subject produces a subject that includes the user account name, source, or any other text from the originating event.
6. Enter the body of the message in the Message box.
   - Specify static text (optional).
   - To use a Parameter, either type in the name as it appears in the Parameters list, including the dollar sign, or drag it from the Parameters list to where you want it to appear in the message body.
   Note: Often you will use a combination of static and dynamic text, such as: Account $Account locked out at $Time on DC $DC from computer $Machine. This would display the following: Account testuser locked out at 7/21/2016 8:05am on DC DC1 from computer PC1
7. Click Save at the bottom.
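The following added example (not SolarWinds code) renders the Account Lockout template above from an event, using the same $Parameter syntax, and lists any parameters the rule's action left unpopulated. The parameter names Time, Account, DC and Machine and the fields DestinationAccount and DetectionIP come from this guide; the other event field names are assumed.

```python
"""Rendering a LEM-style email template: static text plus $Parameters that a
rule's Send Email Message action fills from event fields.
Added example, not SolarWinds code. Parameter names and the fields
DestinationAccount and DetectionIP come from the guide; DetectionTime and
SourceMachine are assumed field names."""
import re
import string
from typing import Dict, Set

SUBJECT = "Account Lockout: $Account on $DC"
MESSAGE = "Account $Account locked out at $Time on DC $DC from computer $Machine."

# $Name, as typed from the Parameters list including the dollar sign.
PARAM_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def parameters(template: str) -> Set[str]:
    """Parameter names a template references; each must exist in the
    template's Parameters list and be populated by the rule's action."""
    return set(PARAM_RE.findall(template))


def bind(event: Dict[str, str], mapping: Dict[str, str]) -> Dict[str, str]:
    """Populate parameters from an event, given parameter -> event field.
    Fields absent from the event leave their parameter unpopulated."""
    return {param: event[field] for param, field in mapping.items() if field in event}


def unbound(template: str, params: Dict[str, str]) -> Set[str]:
    """Parameters the template uses but the action did not populate."""
    return parameters(template) - set(params)


def render(template: str, params: Dict[str, str]) -> str:
    """Substitute $Name placeholders. Unpopulated ones stay literal, so a
    mis-configured action is visible in the delivered mail instead of failing."""
    return string.Template(template).safe_substitute(params)


# Constructed event for the lockout example.
EVENT = {"DestinationAccount": "testuser", "DetectionTime": "7/21/2016 8:05am",
         "DetectionIP": "DC1", "SourceMachine": "PC1"}
# Parameter -> event field, as the rule's Send Email Message action would set it.
MAPPING = {"Account": "DestinationAccount", "Time": "DetectionTime",
           "DC": "DetectionIP", "Machine": "SourceMachine"}


def build_mail(event: Dict[str, str] = EVENT,
               mapping: Dict[str, str] = MAPPING) -> Dict[str, object]:
    params = bind(event, mapping)
    return {"subject": render(SUBJECT, params),
            "body": render(MESSAGE, params),
            "unbound": unbound(SUBJECT + " " + MESSAGE, params)}


if __name__ == "__main__":
    print(build_mail())
```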
Creating Rules from your LEM Console to Take Automated Action

You can create custom rules from the Build > Rules view in your LEM Console to monitor and respond to traffic from your monitored computers and devices. One common use for rules is to generate email notifications. For more details about using email templates in rules, see Using the Send Email Message Action in Rule Creation.

To create a rule from your LEM Console:

1. Open your LEM Console and log in to your LEM Manager as an administrator.
2. Click the Build menu and select Rules.
3. Click the + button in the upper-right corner to open Rule Creation.
   Note: In the Rules view, you may also edit a disabled rule or clone a rule from the rule templates.
4. Enter a Name and Description (optional) at the top of the Rule Creation view.
5. If you want to save the rule in a folder other than All Rules, select the folder from the list on the far right. The default value is All Rules.
6. Drag one of the following elements into the Correlations box.
   - Events: Drag a single Event into your Correlations to address any instance of the Event you specify. This type of parameter does not require a value.
     Note: The field at the top of the Events list is a search box.
   - Event fields: Drag an Event field into your Correlations to address any Event that contains the value you specify.
   Note: The same principles apply to Event Groups and their fields.
7. If the Correlations defined above require a value, populate the value in one of the following ways.
   - Enter a static text value in the Text Constant field, denoted by a pencil icon.
     Note: Use asterisks (*) as wildcard characters to account for any number of characters before, within, or after your text value.
   - Drag a Group from the list pane on the left over to replace the Text Constant field. The most commonly used Groups include User Defined Groups, Connector Profiles, Directory Service Groups, and Time Of Day Sets.
   - Drag an Event field from an Event already present in your Correlations over to replace the Text Constant field. This results in a parameter that states whether values from different Events in your Correlations should match.
8. If you want to change the operators in your Conditions, click the operator until you find the one you want.
   Note: There are two types of operators.
   - Condition operators: These are found between your Events and their values. Examples include Equals, Does Not Equal, Contains, and Does Not Contain. Rule Creation only displays the operators that are available for the values in your Correlations.
   - Group operators: These are found on the outside (right) of your Correlation Groups. The two options are And (blue) and Or (orange).
9. Repeat Steps 6, 7, and 8 for any additional Correlations you want to configure for your rule.
10. If you only want your rule to fire after several instances of the event(s) in your Correlations, modify the Correlation Time as appropriate.
11. Add an Action to your rule using the Actions list on the left.
   Notes:
   - All rules require at least one action, though they can contain several if you want.
   - Populate your action with Constants or Event fields as appropriate.
   - When you use Event fields in your Actions, follow the procedure above for populating your Correlations, and be sure to use the same Event or Event Group as is present in your Correlations. For example, since the Correlations in the rule illustrated above are based on the UserLogon Event, the fields used in its Actions must come from the UserLogon Event.
12. If the Rule Status below the Description field shows an error or warning, click the status indicator to view additional details and address the issue.
13. If you want your rule to be fully functional once it is on your LEM Manager, select the Enable checkbox next to the Description field.
14. If you want to disable your rule's Actions to test its configuration, select the Test checkbox.
   Note: Rules must also be enabled for them to work in Test mode.
15. If you want your rule to generate a local notification for any LEM Console user, select the user from the Subscribe list.
   Note: This option also tracks the rule's activity in the Subscriptions report in LEM Reports.
16. Click Save.
17. Once your rule is in your Custom Rules folder, click Activate Rules to sync your local changes with the rules folders on your LEM Manager and allow the new or changed rules to function properly.
   Important: When enabling or disabling rules, no changes take effect until the Activate Rules button is clicked.

Video: Click the video icon to view the corresponding tutorial, which offers more information on creating rules in the LEM Console.

Creating Users in the LEM Console

Users can be created in the LEM Console for the following reasons:

- To allow logging in to the Console for configuring LEM. A local user can be created for login, or an Active Directory user can be added for login. Adding an AD user requires the Directory Service Query connector to have been configured to access AD.
- To allow rules to send an email when a particular event or alert happens. SolarWinds recommends that you create distinct users for anyone who needs to receive email notifications from the LEM Manager.

There are a number of common ways this can be done:

- If there are users who need to access the Log & Event Manager Console, you can create an admin, auditor, or monitor user. Be sure to associate an email address with each user.
  - Admin: Default user that cannot be deleted and has full access to everything in the Console.
    Note: For auditing purposes, SolarWinds does not recommend multiple users sharing the Admin account.
  - Auditor: User with read/write access to Monitor (filters) and read-only access to rules.
  - Monitor: User with read-only access to everything in the Console.
  - Contact: User with no access to the Console. They are unable to log in to the Console. This type of user is added for the purpose of sending emails to the user's email address and bringing in distribution lists or cellular email-to-SMS addresses for texts.
  - Reports: Created to allow the SolarWinds Reports application secure access to the LEM database when TLS authentication is enabled. This type of user is unable to log in to and has no access to the Console.
- If you have an external system for trouble ticketing/incident handling, or a person who does not need to access the Console, you can create a contact user. Be sure to associate an email address with the user.
- If you want to notify everyone in your IT organization of the same thing at the same time, you can associate a distribution list email address with any of the above types of users.

To set up users:

1. Go to Build > Users.
2. Click the + button on the top right, and select LEM User or Directory Service User.
3. Fill in the information at the bottom, which includes selecting the role for this user.
   Note: If you are creating a Contact user, you do not need to enter a password.
4. Add email addresses to the user by clicking + under Contact Information and clicking Save.
   Note: When adding an Active Directory user, most deployments of AD auto-populate the user's email address. You may not be able to add, modify, or delete the pre-populated email address. You will need to create a new local user or use an existing user to add the email address to.
5. Click Save at the bottom once done.
Disabling Windows Filtering Platform Alerts Using Alert Distribution Policy

Windows Filtering Platform (WFP) is a new application in Windows 7/8 and Windows Server 2008/2012 that logs firewall and IPsec related events to the System Security Log. We recommend tuning WFP in your Active Directory group policies to decrease the load it would otherwise create on your LEM Manager. These alerts represent background events that consume additional resources on the LEM to process, and they are not necessary for an optimized LEM deployment. Tuning out the Windows noise in the group policies reduces the space these events occupy in the Security Event log, reduces network activity, and avoids consuming precious resources on the LEM (CPU, memory, disk space).

The alerts described in the following tables can be filtered out (dropped) using your LEM Manager's Event Distribution Policy by unchecking their boxes in the Console, Database, Warehouse, and Rules columns. It is important to note that the LEM still must process these events, thereby taking additional resources in the form of memory and CPU reservations.

Note: SolarWinds recommends that you disable WFP Alerts using Group or Local Policy instead of on LEM. Disabling the WFP Alerts on LEM prevents you from receiving useful data and may impact performance. For information about disabling these alerts on the computer running WFP, see LEM Manager Crashes after Receiving a High Number of Alerts from Windows 7 or Windows Server 2008 and its related articles.

To modify your LEM Manager's Alert Distribution Policy:

1. Open your LEM Console and log into your LEM Manager from the Manage > Appliances view.
2. Click the gear icon next to your LEM Manager, and then select Policy.
3. Locate the alerts you want to disable by either browsing the alert taxonomy or using the search box under Refine Results.
   Note: You can locate all of the alerts listed below by typing Windows Security in the search box.
4. Check or uncheck the boxes in the Console, Database, Warehouse, or Rules columns as appropriate.
   Notes:
   - Uncheck the Console box to prevent your LEM Manager from showing the alert in your LEM Console.
   - Uncheck the Database box to prevent your LEM Manager from storing the alert in your LEM database.
   - Uncheck the Warehouse box to prevent your LEM Manager from sending the alert to an independent database warehouse.
   - Uncheck the Rules box to prevent your LEM Manager from processing the alert against your LEM rules.
   - Check a box to enable processing for the alert at the corresponding one of the four levels listed above.
5. To save your changes and keep working, click Apply.
6. To save your changes and exit the Alert Distribution Policy window, click Save.

Table of Alerts with Windows Security Auditing Provider SIDs

Note: The ProviderSID value in the following alerts matches the format "Windows Security Auditing <Event ID>", where <Event ID> is one of the Windows Event IDs listed in the following table:

    Alert Name            Windows Event ID
    TCPTrafficAudit       5152, 5154, 5156, 5157, 5158, 5159
    IPTrafficAudit        5152, 5154, 5156, 5157, 5158, 5159
    UDPTrafficAudit       5152, 5154, 5156, 5157, 5158, 5159
    ICMPTrafficAudit      5152, 5156, 5157, 5158, 5159
    RoutingTrafficAudit   5152, 5156
    PPTPTrafficAudit      5152

Table of Descriptions by Event ID

    Event ID   Brief Description
    5152       Windows Filtering Platform blocked a packet
    5154       Windows Filtering Platform permitted an application or service to listen on a port for incoming connections
    5156       Windows Filtering Platform allowed a connection
    5157       Windows Filtering Platform blocked a connection
    5158       Windows Filtering Platform permitted a bind to a local port
    5159       Windows Filtering Platform blocked a bind to a local port

Do not modify the Output, nDepth Host, or nDepth Port fields when configuring LEM connectors unless your appliance is set up to store original log data

Do not modify the Output, nDepth Host, or nDepth Port fields unless your LEM appliance has been configured to receive and store original log data in its own database.

Storing information

Your SolarWinds LEM appliance can store 100% of the original log data read by any SolarWinds LEM connector in addition to the data normalized and presented in your LEM Console. Original log data is stored in a separate database from the normalized data, and is searchable separately. This database typically resides on the same appliance as the LEM Manager and alert database, but it can also reside on a dedicated LEM database or nDepth appliance.

The Output, nDepth Host, and nDepth Port fields in the tool configuration forms on your LEM Manager and Agents are reserved for implementations in which the LEM appliance has been configured to receive and store original log messages. If your LEM appliance is not configured appropriately, modifying these settings will cause all alert data to queue indefinitely, rather than being sent to the appropriate database.

Enabling Windows File Auditing in Windows

Enable file auditing in Windows to monitor events related to users accessing, modifying, and deleting sensitive files and folders on your network. To maximize the value of this type of auditing, enable auditing on a file server on which you have installed a LEM Agent, and only for the specific files and folders you want to monitor. If you enable auditing on all files or folders, or even a large number of them, you will create an unnecessary burden on your LEM appliance by telling Windows to log events you do not want or need to see.
Complete the two-part process below to first enable object auditing on your server, and then enable file auditing on the files and folders you want to audit. Provided Windows is logging the events and your server has a LEM Agent installed on it, your LEM Console will begin displaying the new file auditing alerts immediately.

To enable object auditing in Windows:

1. Open Administrative Tools > Local Security Policy.
2. Expand Local Policies and click Audit Policy in the left pane.
3. Select Audit object access in the right pane, and then click Action > Properties.
4. Select Success and Failure.
5. Click OK.
6. Close the Local Security Policy window.

To enable file auditing on a file or folder in Windows, perform either one of the following procedures.

Note: Do not perform both of the following options.

Option 1

1. Locate the file or folder you want to audit in Windows Explorer.
2. Right-click the file or folder and then click Properties.
3. Click the Security tab.
4. Click Advanced.
5. Click the Auditing tab.
6. If you are using Windows Server 2008, click Edit.
7. Click Add.
8. Enter the name of a user or group you want to audit for the selected file or folder, and click Check Names to validate your entry. For example, enter Everyone.
9. Click OK.
10. Select Success and Failure next to Full control to audit everything for the selected file or folder.
11. Optionally, clear Success and Failure for unwanted events, such as:
    - Read attributes
    - Read extended attributes
    - Write extended attributes
    - Read permissions
12. Click OK in each window until you are back at the Windows Explorer window.
13. Repeat these steps for all files or folders you want to audit.

Option 2

1. Open the LEM Console and go to Manage > Appliances.
2. Select the gear on the left of the specific agent whose files you want to monitor.
3. Search for File Integrity Monitoring (FIM) and select the gear on the left to create a new FIM connector for this agent.
4. Choose a pre-defined template from the Monitor Templates pane, or create a custom monitor by performing the following steps:
   a. Click Add Custom Monitor in the Selected Monitors pane.
   b. Assign a name and, optionally, a description.
   c. Click the Add New button.
   d. Click Browse to search for the directory that you want to monitor, and then click OK.
   e. Specify which kinds of files you want to monitor in the with mask field.
   f. Select the boxes for the kinds of operations you want to monitor in the for these actions field, and click Save.
      Note: You may repeat these steps for every directory or file type that you want to monitor.
   g. When the custom monitor is created, click Save; the new monitor appears in the Selected Monitors pane.
      Note: You have the option to promote this custom monitor to a template.
5. You can create a Connector Profile under Build > Groups to provide a common set of connector configurations for agents that will be placed under this profile.

Enabling LEM to Track Events

Tracking Buildup Events

Out of the box, LEM captures Cisco events 302003, 302009, and 603108. LEM can be configured to capture Cisco firewall buildup events, too. The primary buildup event to use for TCP tracking is 302013. Other buildup events include 302015, 302017, 302020, 302303, 305009, 305011, and 609011. Check the description of these events in the Cisco System Log Messages Guide to make sure those are events you want to capture.

Tracking Teardown Events

Out of the box, LEM captures Cisco event 603019. You can also enable LEM to capture Cisco firewall teardown NAT events. The teardown sibling to buildup event 302013 is 302014. Other events include 302016, 302018, 302021, 302304, 305010, 305012, 617100, and 609002.
You can see descriptions of these events in the Cisco System Log Messages Guide to make sure they are ones you want to capture.

Enabling LEM to Track Buildup/Teardown Events

To enable the latest LEM connector to capture buildup/teardown NAT events:

1. Ensure your firewalls are configured to log to LEM and that the appropriate LEM connector is configured to monitor for your firewall data.
2. Access the firewalls you will monitor buildup/teardown messages from and adjust the severity level of those events from 6 (the default) to 0. For more information, refer to the Changing the Severity Level of a Syslog Message section in the Monitoring the Security Appliance page on the Cisco site.

Considerations

A few things to consider include:

- To monitor accepted traffic, use the log target in your accept ACLs instead of the buildup logging. This lets you control what accepted traffic you are made aware of.
- To monitor the information about the actual NAT, consider the event load this will create. Plan a test phase where you turn it on and determine whether it is valuable to you for investigations.
- Consider the nDepth original log message store if you are interested in unmodified log data (versus the normalized data). Note that this consumes additional disk space.
- Consider whether you need both buildups and teardowns, or just buildup messages. The teardown NAT messages include the same information as the buildup messages, along with some duration and size information that may or may not be useful. Many colleges and universities that use the buildup messages do not rely on the teardown messages; they only need to know that a connection was established for verification, analysis, and correlation.
- Check your syslog data to determine, and enable, only those buildup and/or teardown events that are of use.
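To see which of the buildup and teardown IDs listed above a firewall actually emits, and at which severity, before enabling them in LEM, here is an added Python example (not from the SolarWinds guide and not LEM code) that applies those ID lists to a few constructed ASA-style syslog lines; the addresses, timestamps and connection numbers are made up.

```python
"""Classify Cisco ASA syslog lines as buildup or teardown events.

Added example, not part of the SolarWinds guide and not LEM code. It uses
the event ID lists from the Tracking Buildup Events and Tracking Teardown
Events sections to show which buildup/teardown IDs appear in a syslog
sample, and which of them are still logged at the default severity 6 (the
procedure above changes those to 0 on the firewall before LEM captures them).
"""
import re
from collections import Counter

# Event IDs LEM captures out of the box (from the guide).
DEFAULT_BUILDUP = {302003, 302009, 603108}
DEFAULT_TEARDOWN = {603019}

# Additional buildup/teardown IDs the guide says you can enable.
EXTRA_BUILDUP = {302013, 302015, 302017, 302020, 302303, 305009, 305011, 609011}
EXTRA_TEARDOWN = {302014, 302016, 302018, 302021, 302304, 305010, 305012,
                  617100, 609002}

# Cisco ASA/PIX/FWSM syslog message prefix: %ASA-<severity>-<message id>:
MSG_RE = re.compile(r"%(?:ASA|PIX|FWSM)-(\d)-(\d{6}):")

# Constructed sample using RFC 5737 addresses; not captured from a real firewall.
SAMPLE_SYSLOG = [
    "<166>Sep 01 2015 10:00:01 fw1 %ASA-6-302013: Built outbound TCP connection 1001 "
    "for outside:203.0.113.5/443 (203.0.113.5/443) to inside:192.0.2.10/51000 (192.0.2.10/51000)",
    "<166>Sep 01 2015 10:00:09 fw1 %ASA-6-302014: Teardown TCP connection 1001 "
    "for outside:203.0.113.5/443 to inside:192.0.2.10/51000 duration 0:00:08 bytes 5120 TCP FINs",
    "<160>Sep 01 2015 10:00:12 fw1 %ASA-0-302015: Built inbound UDP connection 1002 "
    "for outside:203.0.113.7/53 (203.0.113.7/53) to inside:192.0.2.10/40000 (192.0.2.10/40000)",
    "<160>Sep 01 2015 10:00:15 fw1 %ASA-0-302016: Teardown UDP connection 1002 "
    "for outside:203.0.113.7/53 to inside:192.0.2.10/40000 duration 0:00:03 bytes 200",
    "<166>Sep 01 2015 10:00:20 fw1 %ASA-6-302013: Built outbound TCP connection 1003 "
    "for outside:203.0.113.9/80 (203.0.113.9/80) to inside:192.0.2.11/51001 (192.0.2.11/51001)",
    "<164>Sep 01 2015 10:00:25 fw1 %ASA-4-106023: Deny tcp src outside:198.51.100.4/3389 "
    "dst inside:192.0.2.12/3389 by access-group \"outside_in\"",
    "Sep 01 2015 10:00:30 fw1 not a Cisco message at all",
]


def classify(line):
    """Return (severity, msg_id, kind) for one syslog line, or None if it is not a Cisco message.

    kind is "buildup", "teardown" or "other" according to the guide's ID lists.
    """
    m = MSG_RE.search(line)
    if not m:
        return None
    sev, msg_id = int(m.group(1)), int(m.group(2))
    if msg_id in DEFAULT_BUILDUP or msg_id in EXTRA_BUILDUP:
        kind = "buildup"
    elif msg_id in DEFAULT_TEARDOWN or msg_id in EXTRA_TEARDOWN:
        kind = "teardown"
    else:
        kind = "other"
    return sev, msg_id, kind


def summarize(lines):
    """Count buildup/teardown events per message ID.

    Also collect the optional (non-default) IDs that are still logged at
    severity 6, i.e. the ones the guide's procedure says to reprioritize to 0.
    """
    counts = Counter()
    still_default = set()
    for line in lines:
        parsed = classify(line)
        if parsed is None:
            continue
        sev, msg_id, kind = parsed
        if kind == "other":
            continue
        counts[(kind, msg_id)] += 1
        if msg_id not in (DEFAULT_BUILDUP | DEFAULT_TEARDOWN) and sev == 6:
            still_default.add(msg_id)
    return counts, still_default


def report(lines):
    """Return a human-readable summary as a list of strings."""
    counts, still_default = summarize(lines)
    out = [f"{kind:8} {msg_id}: {n} event(s)"
           for (kind, msg_id), n in sorted(counts.items())]
    if still_default:
        ids = ", ".join(str(i) for i in sorted(still_default))
        out.append(f"still at severity 6, change to 0 on the firewall: {ids}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SYSLOG)))
```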
Filtering and Exporting LEM Reports

You can use Select Expert to filter pre-configured reports in LEM Reports to quickly find events of interest. You can also export filtered reports to share, save, or run later.

To filter a report in LEM Reports:

1. Open LEM Reports on a computer that is allowed to run reports. For more information, see LEM Reports Error: Logon failed. Database Vendor Code 210.
2. If you want to filter a report that has already been run, for example, a scheduled report, click Open and open the report using the Open Report File window.
3. If you want to run a new report, select the report on the Settings tab, and then click Run to set the Start and End times for the report.
4. On the View tab, examine the report to identify the value you want to use in your filter.
   Note: Hover over any value in the report to view a tooltip that contains its complete field name as it is used in Select Expert.
5. Click Select Expert to create your filter, and then click New.
6. Select the field name noted above, and click OK.
7. Select an operator from the list on the left, and complete the rest of the form.
8. Repeat these steps for each of the fields you want to use in your filter.
9. When you are finished creating your filter, click OK.
10. Examine your results and modify your Select Expert filter if necessary.

To export and save a report in LEM Reports:

1. Open the report and filter it if you want.
2. On the View tab, click Export.
3. Select a format from the Format list.
   Note: Select Crystal Reports (RPT) if you want to be able to filter the exported report further in the future. For more information, see Creating a Custom Filtered Report.
4. Select Disk file from the Destination list, and click OK.
5. If you want to set a page range for the exported report, select Page Range and enter a From and To value.
6. Click OK.
7. Specify a folder and file name for the exported report.
8. Click Save.

Video: Click the video icon to view the corresponding tutorial, which offers more information on filtering and exporting LEM Reports.

Getting Started with User-Defined Groups

Customize the blank and sample User-Defined Groups in your LEM Console for use with the default filters and rules they are associated with, as well as with your custom filters and rules.

Blank and Sample User-Defined Groups to Customize

The following is a list of blank or sample User-Defined Groups that SolarWinds recommends you customize for your environment.

- Admin Accounts
- Admin Groups
- Approved DNS Servers
- Authorized USB Devices
- Authorized VPN Users
- Sensitive Files
- Service Accounts
- Suspicious External Machines
- Suspicious Local Machines
- Trusted IPs
- Trusted Server Sites
- Vendor / Contractor Accounts
- Vendor Authorized Servers

Note: The Admin Accounts group is used in several template rules as a placeholder for a custom list of administrative users, and represents the default administrative accounts in Windows and Unix/Linux environments. SolarWinds recommends that you clone this group before you customize it so you can use it in both of its capacities.

Customizing User-Defined Groups - Typical

Complete the following procedure to customize any or all of the User-Defined Groups listed above. The procedure to create your own User-Defined Groups is practically the same; the difference is that you click the plus icon > User Defined Group instead of editing an existing group.

Note: If you choose to alter any group that contains a default/suggested value, SolarWinds recommends that you clone the group first so you always have a backup of the default group. Cloning an existing group creates a duplicate group with the same name, but with a 2 at the end of the name.

To customize a User-Defined Group:

1. Open your LEM Console, and then log into your LEM Manager as an administrator.
2. Click the Build tab, and then select Groups.
3. Locate the group you want to edit. Use the search box or Type menu on the Refine Results pane if necessary.
4. Click the gear icon next to the group, and then select Edit.
   Note: If you want to clone the group, select Clone instead, and then repeat this step for the cloned group.
5. To add an element to the group:
   a. Click Add Element, denoted by a + button, at the bottom of the details pane.
   b. Enter a nickname for the element in the Name field. This value is for reference only.
   c. Enter a value to define the element in the Data field (required). Consider using wildcard characters, such as asterisks (*), to abbreviate these entries as illustrated in the example at the end of this procedure.
   d. Enter a description in the Description field. This value is optional.
   e. Click Save on the bottom-left, under the Element Details form.
6. To modify an element, click the element in the details grid, and then modify it in the Element Details form just as you would when adding a new element.
7. To remove an element, click the element in the details grid, and then click Remove Element, denoted by a - icon at the bottom of the details pane.
8. When you are finished editing the group, click Save on the bottom-right of the details pane.

Use the pre-populated User-Defined Groups as examples of what your custom groups might look like. The Data field is used for the correlation, while the Name field is for reference and the Description is optional. The following is an excerpt from the default Admin Groups User-Defined Group:

    Group Name: Admin Groups

    Name               Data
    Administrators     *Administrators*
    Backup Operators   *backup oper*
    DNS Admins         DNSAdmin*

Customizing User-Defined Groups - Variations

The following are two variations you might want to use when setting up your filters, rules, and groups.
Using Directory Service Groups to account for Windows users, groups, and computer accounts

Directory Service Groups are groups that LEM pulls from Active Directory. Use these groups instead of User-Defined Groups in your filters and rules to reduce the need for ongoing maintenance. For additional information, see Configuring the Directory Service Query Connector.

Automating how you populate User-Defined Groups using the Add User-Defined Group Element active response

The Add User-Defined Group Element active response populates a pre-defined User-Defined Group with static or dynamic values, as defined by a LEM rule. Use this active response to populate a User-Defined Group based on a specific type of event, such as when you attach a USB device you want to tag as authorized, or when a user attempts to visit a prohibited website. For additional information, see Auto-populating User-Defined Groups Using a LEM Rule.

Additional Information

Extended Description

Log & Event Manager comes with several default filters, rules, and groups that you can use to monitor and respond to events on your network. Given the variable nature of the IT environments into which LEM is deployed, many of the User-Defined Groups are blank or contain suggested values by default.

Uses

The following are examples of default filters and rules that use the blank and sample groups.

Filters

- Admin Account Authentication
- Domain Controllers (all)
  Note: The Domain Controllers (all) filter uses a Connector Profile in the constant position by default, but you can replace it with a User-Defined Group or Directory Service Group if the Tool Profile is not sufficient for your environment. For additional information about Connector Profiles, see Creating Connector Profiles to Manage and Monitor LEM Agents.
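As an added example (not LEM's own matching code and not from the SolarWinds guide), the following Python models how the wildcard Data values in the Admin Groups excerpt are compared against a group name carried in an event when a filter or rule references the User-Defined Group; it assumes that * matches any run of characters and that the comparison is case-insensitive, and the sample group names are constructed.

```python
"""Match event values against User-Defined Group elements.

Added example, not part of the SolarWinds guide and not LEM's matching code.
It takes the three elements of the default Admin Groups excerpt (Data values
*Administrators*, *backup oper*, DNSAdmin*) and shows which element, if any,
a group name taken from an event would hit. Assumptions: '*' matches any run
of characters (including none) and matching ignores case.
"""
import re


class UserDefinedGroup:
    def __init__(self, name, elements):
        # elements: list of (nickname, data, description), in the order the
        # group lists them; the first matching element wins in match().
        self.name = name
        self.elements = [(nick, data, desc, self._compile(data))
                         for nick, data, desc in elements]

    @staticmethod
    def _compile(data):
        # Translate a LEM-style Data value into an anchored regex:
        # each '*' becomes '.*', everything else is matched literally.
        pattern = ".*".join(re.escape(part) for part in data.split("*"))
        return re.compile(r"\A" + pattern + r"\Z", re.IGNORECASE)

    def match(self, value):
        """Return the nickname of the first element whose Data matches value, else None."""
        for nickname, _data, _desc, rx in self.elements:
            if rx.search(value):
                return nickname
        return None

    def __contains__(self, value):
        return self.match(value) is not None


# The default Admin Groups excerpt from the guide; descriptions are constructed.
ADMIN_GROUPS = UserDefinedGroup("Admin Groups", [
    ("Administrators", "*Administrators*", "Local and domain Administrators groups"),
    ("Backup Operators", "*backup oper*", "Backup Operators group"),
    ("DNS Admins", "DNSAdmin*", "DNS administrators group"),
])

# Constructed group names such as a Windows group-membership event might carry.
SAMPLE_GROUPS = [
    "BUILTIN\\Administrators",
    "CORP\\Domain Administrators",
    "Backup Operators",
    "DnsAdmins",
    "DNSAdmins-Site2",
    "Remote Desktop Users",
    "AdminDNS",
]


def triage(group, values):
    """Map each value to the matching element nickname (None if the group does not apply)."""
    return {v: group.match(v) for v in values}


if __name__ == "__main__":
    for value, hit in triage(ADMIN_GROUPS, SAMPLE_GROUPS).items():
        print(f"{value:30} -> {hit or '(no match)'}")
```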
Rules

- Authentication - Unknown User
- Critical Account Logon Failures
- Detach Unauthorized USB Devices
- File Audit - Delete Sensitive Files
- Non-Admin Server Logon
- Vendor - Unauthorized Server Logon

Modifying Filters for Users with the Monitor Role

LEM Console users in the Monitor role have read-only access to the LEM Console. By default, their Filters list on the Monitor tab contains the same default/standard filters as any other user. However, you can modify their Filters.

To modify the filters for a LEM Console user with the Monitor role:

1. Open the LEM Console, log in as admin or under another user name with an admin role, and edit the user's role to temporarily assign an admin role.
2. Instruct the user to log in using their Windows profile.
3. Change the filters as desired, deleting unnecessary filters.
4. Log out of the user's Console window.
5. From the user's computer, log in with the user's credentials.
6. From your admin login, change the user's role back to Monitor.
7. Click the Monitor tab.
   Note: You may also perform the following to achieve the same results, but you must have previously created and exported the filters:
   - If you want to add new filters to the user's Filters list, create or import the filters as appropriate.
   - If you want to remove a filter from the user's Filters list, point to the filter and click the x that appears to the right.
8. Log out of your LEM Manager. When the user logs on to your LEM Manager from the same computer and Windows profile using their LEM user account, they will only see the filters you specified above.

Output, nDepth Host, nDepth Port Fields

Note: Do not modify the Output, nDepth Host, or nDepth Port fields unless your LEM appliance has been configured to receive and store original log data in its own database, the RAW database, also called the nDepth database.
Your SolarWinds LEM appliance can store 100% of the original log data read by any SolarWinds LEM connector in addition to the data normalized and presented in your LEM Console. Original log data is stored in a separate database from the normalized data, and can be searched separately. This database typically resides on the same appliance as the LEM Manager and alert database, but it can also reside on a dedicated LEM database or nDepth appliance.

The Output, nDepth Host, and nDepth Port fields in the tool configuration forms on your LEM Manager and Agents are reserved for implementations in which the LEM appliance has been configured to receive and store original log messages. If your LEM appliance is not configured appropriately, modifying these settings will cause all alert data to queue indefinitely, rather than being sent to the appropriate database. For additional information about configuring your LEM appliance and tools to handle original log data, refer to Configuring your LEM Appliance Log Message Storage and nDepth Search.

Report Formats and their Corresponding Numbers Listed in a LEM Scheduled Report INI File

This section describes how to edit a scheduled report that is already in the Task Scheduler of the machine running these reports.

Note: As with custom reports and scheduled reports, SolarWinds recommends that report creation be documented for disaster recovery.

- Scheduled Report INI files are located in: Program Files\SolarWinds Log and Event Manager Reports\SchedINI
- Scheduled Report INI files are generated automatically when you schedule a report using the LEM Reports console.
- If you need to hand edit a scheduled report INI file, or if you are changing the format of the report, you must add the number corresponding to the report format after the equal sign on the line "ExportFormat=".

The following list identifies the number assigned to each possible format for a LEM report:

    Number   Report Format
    1        Excel: MS Excel 97-2000, with headings format
    2        Exceldata: MS Excel 97-2000, data only format
    3        HTML32: HTML version 3.2 format
    4        HTML40: HTML version 4.0 format
    5        PDF: Adobe Portable Document format
    6        RTF: Rich Text Format
    7        CSV: Comma Separated Values Text format
    8        TAB: Tab Separated text format
    9        Text: Text based report format
    10       Word: MS Word Document format
    11       XML: XML Document format
    12       RPT: Crystal RPT w/ Data format

The following is an example of a LEM Scheduled Report INI file:

    [TaskSetup]
    Keyword=2009331
    Filename=C:\Program Files\SolarWinds Log and Event Manager Reports\Reports\RPT2009-33-1.rpt
    [DSNManager]
    Manager1=sherman
    [RptParams]
    RptDateRangeDesc=DAY_P
    RptDateRange=2
    RptStartTime=12:00:00 AM
    RptStopTime=11:59:59 PM
    TopN=20
    [Export]
    DoExport=T
    ExportDesc=EXCEL
    ExportFormat=1
    ExportDest=C:\Program Files\SolarWinds Log and Event Manager Reports\Export
    ExportFileName=format1.xls
    ExportOverWrite=INCREMENT

Troubleshooting LEM Agent Connections

There are a number of reasons why a LEM Agent might not connect to your LEM appliance. The following troubleshooting procedures can help you work around the most common causes:

- Verify the computer is still in your environment.
- Verify the computer is turned on.
- Verify the LEM Agent service is running. The LEM Agent runs as a service on the host operating system. Ensure the service is running on the host using one of the following (or similar) procedures.
  - On Windows hosts:
    1. Open Control Panel > Administrative Tools > Services.
    2. Navigate to SolarWinds Log and Event Manager Agent.
    3. Click Start (the green Play button) if the LEM Agent is not running.
  - On Linux hosts:
    1. Run ps ax | grep contego in a CLI terminal.
    2. Look for ContegoSPOP.
    3. If the LEM Agent is not running, run sudo /etc/init.d/swlemagent start.
    4. Enter the root password if necessary.
  - On Mac hosts:
    1. Run ps ax | grep -i trigeo in a CLI terminal.
    2. Look for SWLEMAgent.
    3. If the LEM Agent is not loaded, run launchctl load /Library/LaunchDaemons/com.trigeo.trigeoagent.plist.
- Verify a firewall is not blocking the connection. The LEM Agent relies on the following ports to communicate with the LEM appliance. Ensure you have the proper exceptions in place for any firewall between a LEM Agent and the LEM appliance.
  - 37890-37892: Traffic from LEM Agents to the LEM appliance
    Note: SolarWinds recommends disabling all three profiles (domain/public/private) even though IP subnets may be fully configured in AD sites. There are instances when the Windows firewall blocks agent communications even when the port connection tests successfully.
  - 37893-37896: Traffic from the LEM appliance to LEM Agents
- Check that the LEM Agent is running the current version of the software. The following are the steps to check the version of a LEM Agent:
  1. Open the most recent copy of spoplog.txt in a text editor from the installation folder.
     - Windows: C:\Windows\system32\ContegoSPOP\
     - Linux: /usr/local/contego/ContegoSPOP/
     - Mac: /Applications/TriGeoAgent/
  2. Search for Release in the text editor.
  3. The most recent entry reflects the current version running on your system. For example, SolarWinds Log and Event Manager Agent (Release x.x.x).
- Reset the LEM Agent's certificate. The following steps can correct the connection issues. Symptoms include:
  - Intermittent connectivity
  - Inability to upgrade the LEM Agent software
  - General failure to connect
  Contact Support if all conditions have been verified and the symptoms still continue.
  - On Windows hosts:
    1. Stop the SolarWinds Log and Event Manager Agent service in Control Panel > Administrative Tools > Services.
    2. Delete only the six (6) files *.xml and *.trigeo under the spop folder in C:\Windows\system32\ContegoSPOP\.
    3. Delete the entry for the affected LEM Agent in the Manage > Nodes pane in the LEM Console by clicking the gear icon next to the entry, and then clicking Delete.
    4. Restart the LEM Agent service.
    If resetting fails, perform the following steps:
    1. Stop the SolarWinds Log and Event Manager Agent service in Control Panel > Administrative Tools > Services.
    2. Delete the spop folder in C:\Windows\system32\ContegoSPOP\.
       Important: Do not delete the ContegoSPOP folder.
    3. Delete the entry for the affected LEM Agent in the Manage > Nodes pane in the LEM Console by clicking the gear icon next to the entry, and then clicking Delete.
    4. Restart the LEM Agent service.
  - On Linux hosts:
    1. Stop the swlem-agent service: /etc/init.d/swlem-agent stop
    2. Delete the spop folder: rm -Rf /usr/local/contego/ContegoSPOP/spop
    3. Delete the entry for the affected LEM Agent in the Manage > Nodes pane in the LEM Console by clicking the gear icon next to the entry, and then clicking Delete.
    4. Restart the swlem-agent service: /etc/init.d/swlem-agent start
  - On Mac hosts:
    1. Unload swlemagent.plist: launchctl unload /Library/LaunchDaemons/com.swlem.swlemagent.plist
    2. Delete the spop folder: rm -Rf /Applications/TriGeoAgent/spop
    3. Delete the entry for the affected LEM Agent in the Manage > Nodes pane in the LEM Console by clicking the gear icon next to the entry, and then clicking Delete.
    4. Reload swlemagent.plist: launchctl load /Library/LaunchDaemons/com.swlem.swlemagent.plist
- Check LEM Agent ports. Having the Manager ports (37890-37892) open on the firewall while the Agent ports (37893-37896) are closed can result in Telnet being able to connect while the Agent cannot. Do the following to determine that your firewall is set up correctly:
  1. From a command line, telnet from the Agent to port 37892 on the LEM.
  2. Run a netstat command.
  3. Stop the LEM Agent.
  4. Modify the LEM Agent's spop.conf file by adding the following four lines.
     Note: This process works best if you open WordPad and run it as an administrator. The process also assumes ports 65320-65323 are available for use.
     - AgentLowPort=65320
     - AgentHighPort=65321
     - com.solarwinds.lem.communication.agentLowPort=65322
     - com.solarwinds.lem.communication.agentHighPort=65323
  5. Restart the LEM Agent.
- Re-install the Agent.
  1. Either download the Remote Agent Uninstaller to uninstall an agent, or use Programs & Features in the Windows Control Panel.
     Notes:
     - The remote installer must be run using runas administrator with the file on the local hard drive, even if you are an admin.
     - Do not use this on Windows 2012-R2 or 8.1.
  2. Remove the agent directory c:\windows\syswow64\ContegoSPOP\.
  3. Re-install the agent. Use the local agent installer on computers in a DMZ and on Windows 8.1/2012-R2; select runas-administrator and Windows-7 compatibility. If using the remote agent installer, select runas-administrator. Have the installer file on the local hard drive.
  4. If there is a network resolution problem looking up the hostname, use the LEM IP address for the Manager Name while installing the agent.
  5. If the agent is not showing up in the console Node list, be sure you have enough available licenses under Manage > Appliances on the License tab. The LEM will respond to an ICMP ping and a traceroute from Windows/Linux, and will accept telnet on the agent ports or the PuTTY port 32022.
Other software, such as an anti-virus, can prevent proper agent installs or other software could control the ports used by the agent. Support may increase the logging level for agents, or may ask for a debug from the LEM appliance. l Contact Support. If this article does not resolve the issue, open a ticket with SolarWinds Support for further assistance. Please be prepared with the the following information: l The exact operating system the host computer is running l The version of your LEM components: l l Agent installer l LEM appliance l LEM Console The most recent copy of spoplog.txt and the spop.conf file from the Agent installation folder. 675 Troubleshooting LEM Rules and Email Responses Troubleshooting LEM Rules and Email Responses Consult the following scenarios to troubleshoot LEM rules that are not firing as expected or sending the expected notifications. For additional information about any of the procedures referenced in these scenarios, see the associated footnotes. My rule fires, but I don't get an email. Problem: You see the expected InternalRuleFired alerts in the default SolarWinds Alerts and Rule Activity filters in the LEM Console, but are not getting the expected email notification. Steps to resolve: 1. Verify that the ExtraneousInfo field of the InternalRuleFired alert shows the associated email action in Email [recipient] format. 2. If that action is not present, add the Send Email Message action to the rule.See "1 For additional information about using email notifications in LEM rules, see Using the Send Email Message Action in Rule Creation." on page 681 3. Verify that the intended recipient has an email address associated with his LEM user account: a. Click the Build tab, and then select Users. b. Click the LEM user account associated with the intended recipient. 4. 
If the Contact Information box is blank in the User Information pane, edit the user to add an email address.See "2 For additional information about creating LEM user accounts, see Creating Users in the LEM Console." on page 681 Note: If you are unable to add an email address to an AD user, you may need to create a separate user and add the email to that user account, and then select that user in the email template. 5. Verify that the Email Active Response connector is configured on your LEM Manager: 676 Appendix J: Additional Configuration and Troubleshooting Information a. Click the Manage tab, and then select Appliances. b. Click the gear icon next to your LEM Manager, and then select Connectors. c. On the Connector Configuration window, select Configured on the Refine Results pane. 6. If Email Active Response is not in the list, clear the Configured check box, and then configure the missing connector.See "3 For additional information about configuring the Email Active Response connector, see Configuring the Email Active Response Connector." on page 681 My rule doesn't fire, and I don't see the expected alerts. Problem: You do not see the expected InternalRuleFired alerts in the default SolarWinds Alerts or Rule Activity filters in the LEM Console, nor do you see the alerts needed to fire your rule anywhere in your LEM Console. Steps to resolve: To determine whether the requisite alerts are in your LEM Console, create a filter or nDepth search that matches the correlations in your rule. If the alerts are not present, complete the following procedure: 1. Review the network devices that are sending syslog data to the LEM, and validate the configurations on that network device to send data. Verify that one of your devices is logging the events you want to capture. For example: l l l Remote logging devices, such as firewalls and web filters, should be logging your web traffic events. 
   - Domain controllers and end-user computers should be logging domain-level and local authentication and change management events.
     Note: If you have multiple domain controllers, they do not all replicate every domain event. Each server logs only the events it executes, so look for the event on the domain controller that handled it.
   - Other servers, such as database servers and web servers, should be logging events associated with their particular functions.
2. Validate that data is received by the LEM.
   - Validate that the LEM icons show a syslog or Agent connection:
     a. Syslog device IPs appear in the Manage > Nodes list of the Console with a pipe-Y symbol.
     b. Agent host names and IP addresses appear in the Manage > Nodes list of the Console with a green plug icon.
   - Validate that data is being received by the syslog facility or by the Agent:
     a. If a network syslog device is sending syslog data to the LEM, you should be able to see that data in the LEM syslog files.
     b. To view them:
        i. Open the vSphere or Hyper-V console to access the LEM.
           Note: You can also use a PuTTY (SSH) session to port 32022 as the cmc user.
        ii. Enter the appliance menu, and then enter the checklogs command.
        iii. View the local facility that the network device was configured to log to. All of the data shown here is UDP syslog received on port 514.
     c. Agent data is encrypted, so it is more difficult to confirm from the syslog files whether the LEM has received it.
3. If your device is not in the Nodes list, add it. For computers, install a LEM Agent (for additional information about installing LEM Agents on Windows computers, see Using the SolarWinds LEM Remote Agent Installer; for other operating systems, browse or search the Agents category of the LEM knowledge base). For other devices, such as firewalls, configure them to log to your LEM appliance (for additional information, search the Connectors category of the LEM knowledge base).
   After your device is in the list, continue to the next step.
4. If your device is in the Nodes list, configure the appropriate connectors:
   a. To configure syslog connectors (Manager connectors) on your LEM Manager for remote logging devices, click the Manage tab, and then click Appliances.
   b. Click the gear icon next to the Agent or Manager on which you want to configure the new connectors, and then select Connectors.
   c. Use the Search box at the top of the Refine Results pane to locate the appropriate connectors.
   d. Configure the connector according to your needs.
   e. To configure Agent connectors, go to Manage > Nodes, click the gear icon next to the Agent, and then edit the connectors.

I see the alerts, but my rule doesn't fire.

Problem: You see the alerts required to fire your rule in the LEM Console, but your rule still doesn't fire.

Steps to resolve:
1. Verify that all of your rules have been activated in all open LEM Consoles:
   a. Click the Build tab, and then select Rules.
   b. If the Activate Rules button is not greyed out, click it. This synchronizes all of the changes you have made to your rules in the Console with your LEM Manager.
   c. Repeat these steps for all open LEM Consoles in your environment.
2. Compare the InsertionTime and DetectionTime values in the alerts you expected to fire your rule.
3. If the time is off by more than five minutes, verify and correct the time settings on your LEM appliance and on any remote logging devices as necessary. See "To view and modify the time on your LEM appliance" below.
4. If none of the previous troubleshooting steps help, restart the Manager service on your LEM appliance. In general, consider doing this once every six months:
   a. Connect to your LEM virtual appliance using either the vSphere console view or an SSH client such as PuTTY.
   b.
If you are using an SSH client, log in to your LEM virtual appliance using your CMC credentials.
   c. At the cmc> prompt, enter manager.
   d. At the cmc::cmm prompt, enter restart.
   e. Press Enter to confirm your entry.
      Note: Restarting the Manager service makes your LEM Manager unavailable for about one minute. No data is lost during this process.
   f. Enter exit twice to leave the CMC interface.

My rule fires, but the email is blank.

Problem: You receive an email notification for the alert, but the fields in the custom email template are blank.

Steps to resolve:
1. Click the Build tab, and then select Rules.
2. Locate your rule, click the gear icon on the left, and then select Edit. Notice that the fields in the Actions box are blank.
3. Copy the event assigned to this rule. This is the string before the dot in the Correlations box.
4. Click Events in the left pane, and then type the event in the search field.
5. Drag the fields required by your rule from the Fields pane to populate the blank fields in the Actions box.
6. Click Save to close the Rule Creation window.
7. Click Activate Rules on the Rules window.

To view and modify the time on your LEM appliance:
1. Connect to your LEM virtual appliance using either the vSphere console view or an SSH client such as PuTTY.
2. If you are using an SSH client, log in to your LEM virtual appliance using your CMC credentials.
3. At the cmc> prompt, enter appliance.
4. At the cmc::acm prompt, enter dateconfig.
5. Press Enter through all of the prompts to view the current date and time settings on your LEM appliance.
6. By default, the LEM receives time synchronization from the VM host computer. Without a reliable time source, time on the LEM will be off and rules may not fire. Disable the time sync on the VM host computer, and configure the LEM to get time from an NTP server:
   a. At the cmc::acm prompt, enter ntpconfig.
   b.
Press Enter to start the configuration script.
   c. Enter the IP addresses of your NTP servers, separated by spaces.
   d. Enter y to verify your entry.
7. Enter exit twice to leave the CMC interface.

Additional Information

For general instructions for working with LEM rules, see Creating Rules from your LEM Console to Take Automated Action. For additional information about the specific procedures discussed in this article, see the following related articles according to your need:
1. For additional information about using email notifications in LEM rules, see Using the Send Email Message Action in Rule Creation.
2. For additional information about creating LEM user accounts, see Creating Users in the LEM Console.
3. For additional information about configuring the Email Active Response connector, see Configuring the Email Active Response Connector.
4. For additional information about installing LEM Agents on Windows computers, see Using the SolarWinds LEM Remote Agent Installer. For articles related to installing LEM Agents on other operating systems, browse or search the Agents category of the LEM knowledge base.
5. For additional information about configuring remote logging devices to log to your LEM appliance, search the Connectors category of the LEM knowledge base.

Troubleshooting Unmatched Data or Internal New Connector Data Alerts in the LEM Console

Periodically, you might see Unmatched Data or Internal New Connector Data alerts in your LEM Console. These indicate that one or more of the connectors on your appliance cannot properly normalize the log data they are associated with. This article contains troubleshooting procedures for syslog and Agent devices.

Troubleshooting Syslog Devices

Complete the following troubleshooting procedures for devices that send logs to a syslog facility on your LEM appliance.
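Both procedures in this section come down to the same question: which local facility (local0 through local7) is a device writing to, and does the connector read that facility without another device family sharing it? The following Python script is an added example, not SolarWinds code and not part of the LEM appliance. It computes the syslog PRI value that places a message in a given local facility, so you can send a test datagram to UDP port 514 on the appliance and confirm with checklogs which facility the connector must read, and it parses checklogs-style output to list which devices are logging to each facility. It assumes that each checklogs event line is whitespace-separated in the order the checklogs procedure below describes (epoch timestamp in milliseconds, sending device IP, ProviderSID); the sample lines, addresses and ProviderSID values are constructed, and send_test_message is a hypothetical helper that the example defines but does not call.

```python
"""Added example (not SolarWinds code): syslog facility checks for LEM troubleshooting."""
import re
import socket
from collections import defaultdict

# Standard syslog facility numbers (RFC 3164 / RFC 5424) for local0..local7,
# the facilities LEM Manager connectors read from.
LOCAL_FACILITIES = {f"local{i}": 16 + i for i in range(8)}
SEVERITY_INFO = 6


def build_syslog(facility_name, message, severity=SEVERITY_INFO):
    """Build a minimal RFC 3164 datagram whose PRI places it in `facility_name`.

    PRI = facility * 8 + severity, so an INFO message meant for local1 carries
    <142>. Sending this to UDP/514 and running checklogs on the appliance shows
    which local facility the device's connector has to be pointed at.
    """
    facility = LOCAL_FACILITIES[facility_name]
    pri = facility * 8 + severity
    return f"<{pri}>{message}".encode("ascii")


def parse_pri(datagram):
    """Recover (facility_name, severity) from the PRI of a received datagram."""
    m = re.match(rb"<(\d{1,3})>", datagram)
    if not m:
        raise ValueError("datagram has no PRI header")
    facility, severity = divmod(int(m.group(1)), 8)
    names = {number: name for name, number in LOCAL_FACILITIES.items()}
    return names.get(facility, f"facility{facility}"), severity


def send_test_message(appliance_ip, facility_name, message, port=514):
    """Hypothetical helper: send one UDP test datagram to the appliance."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(build_syslog(facility_name, message), (appliance_ip, port))


# Constructed sample of checklogs output, keyed by local facility. ASSUMPTION:
# each event is one whitespace-separated line starting with the epoch timestamp
# in milliseconds, then the sending device's IP, then the ProviderSID; the
# trailing text is illustrative only.
SAMPLE_CHECKLOGS = {
    "local1": [
        "1427722392000 192.168.2.251 ASA-1-106021 Deny TCP reverse path check",
        "1427722393000 192.168.2.251 ASA-6-302013 Built inbound TCP connection",
        "1427722394000 192.168.2.10 SYS-5-CONFIG_I Configured from console",
    ],
    "local2": [
        "1427722395000 10.0.0.5 PAN-TRAFFIC allow 10.0.0.7 -> 8.8.8.8",
    ],
}

EVENT_RE = re.compile(r"^(\d{13})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)")


def parse_checklogs(lines):
    """Yield (epoch_ms, device_ip, provider_sid) for each parseable event line."""
    for line in lines:
        m = EVENT_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)


def devices_per_facility(checklogs):
    """Map facility -> {device_ip: set of ProviderSID prefixes seen}.

    A facility with more than one device, or with ProviderSID prefixes from
    different product families (ASA-* beside SYS-* here), is a candidate for
    the connector conflicts the table of conflicting devices describes.
    """
    result = {}
    for facility, lines in checklogs.items():
        per_device = defaultdict(set)
        for _, ip, sid in parse_checklogs(lines):
            per_device[ip].add(sid.split("-")[0])
        result[facility] = dict(per_device)
    return result


def shared_facilities(checklogs):
    """Return the facilities that two or more devices are logging to."""
    return sorted(f for f, devs in devices_per_facility(checklogs).items() if len(devs) > 1)


if __name__ == "__main__":
    print(build_syslog("local1", "LEM facility test"))
    for facility, devices in devices_per_facility(SAMPLE_CHECKLOGS).items():
        print(facility, devices)
    print("shared:", shared_facilities(SAMPLE_CHECKLOGS))
```

With the constructed sample, local1 is reported as shared: an ASA and an IOS-style device are both writing to it, which is exactly the situation the conflicting-devices check below tells you to split across facilities. Note that the PRI is chosen by the sending device, so a test datagram only proves that the network path and the facility mapping are right; it says nothing about whether the device itself is configured to log.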
Verify the connector and device are pointed at the same local facility
1. Check the configuration on your device to determine which local facility it logs to on your LEM appliance. In some cases, you cannot modify this setting. For additional information, search for your device in the Connectors section of the LEM Knowledgebase. Except for Check Point firewalls, the LEM receives syslog data over UDP on port 514.
2. Verify that the connector is pointed to the same logging facility as the device:
   a. Open your LEM Console and log in to your LEM appliance as an administrator.
   b. Click the Manage tab, and then select Appliances.
   c. Click the gear icon next to your LEM appliance, and then select Connectors.
   d. Locate the connector in the list. Use the search box at the top of the Refine Results pane, or select Configured if necessary.
   e. Select the configured connector to view its details. Verify that the Log File value matches the output value in your device's configuration.
3. If the device and connector configurations do not match, point the connector to the appropriate location:
   a. Stop the connector: gear icon > Stop.
   b. Open the connector for editing: gear icon > Edit.
   c. Change the Log File value so that it matches your device.
   d. Click Save.
   e. Start the connector: gear icon > Start.

Verify that certain devices are not logging to the same local facility

Certain devices, mainly Cisco, have logging formats similar enough that they cause connector conflicts when they log to the same facility on your LEM appliance. Use the following procedure and table to determine which devices are logging to each facility, and whether those devices conflict with one another:
1. Connect to your LEM appliance using a VMware console view, or an SSH client such as PuTTY.
2. If you're connecting to your appliance through SSH, log in as the CMC user, and provide the appropriate password.
3.
If you're connecting to your appliance using VMware, select Advanced Configuration on the main Console screen, and then press Enter to get to the command prompt.
4. At the cmc> prompt, enter appliance.
5. At the cmc::acm# prompt, enter checklogs.
6. Enter an item number to select a local facility to view.
7. To view the device sending an event, open the log facility. Each event starts with an epoch timestamp (for example, 1427722392000), which is the date and time in Unix numeric format, in milliseconds. The device sending the event follows (for example, 192.168.2.251). Then you will typically see the ProviderSID (for example, ASA-1-106021), which is similar to an Event ID.
8. If you see that two or more devices are logging to the same facility, consult the following table to determine whether those devices conflict with one another.

Table of Conflicting Devices

Different types of firewalls should log to different facilities. For example, Cisco firewalls and Palo Alto (or other vendors') firewalls should log to different facilities, while all of your Cisco firewalls should share one local facility and all of your Palo Alto firewalls another. In addition, ensure that the devices in each of the following groups are logging to distinct local facilities on your LEM appliance. For example, if a device in Group 1 is logging to local1, make sure a device in Group 2 is not also logging to that facility.
Note: SolarWinds recommends splitting devices and vendors across different facilities. Pointing all devices at one facility, with multiple connectors reading that facility, has a performance impact on LEM.

Groups: Group 1, Group 2, Group 3, Group 4, Group 5, Group 6
Devices covered by the table:
- Cisco ASA
- Cisco IOS
- Cisco PIX
- Cisco Catalyst (CatOS)
- Cisco Wireless LAN Controller (WLC)
- Cisco Nexus
- Cisco VPN
- Dell PowerConnect

Troubleshooting Agent Devices/Connectors

Complete the following troubleshooting procedures for LEM Agent connectors, such as Windows-based and database connectors.
Verify the connector is pointing to the appropriate folder/event log
1. Check the configuration on the host computer to determine which folder or event log it logs to. In some cases, you cannot modify this setting. For additional information, search for your device in the Connectors section of the LEM Knowledgebase.
2. Verify that the connector is pointed to the same folder or event log as the host computer:
   a. Open your LEM Console and log in to your LEM appliance as an administrator.
   b. Click the Manage tab, and then select Nodes.
   c. Click the gear icon next to the LEM Agent for the host computer, and then select Connectors.
   d. Locate the connector in the list. Use the search box at the top of the Refine Results pane, or select Configured if necessary.
   e. Select the configured connector to view its details. Verify that the Log File value matches the output value in the host computer's configuration.
3. If the host computer and connector configurations do not match, point the connector to the appropriate location:
   a. Stop the connector: gear icon > Stop.
   b. Open the connector for editing: gear icon > Edit.
   c. Change the Log File value so that it matches the host computer.
   d. Click Save.
   e. Start the connector: gear icon > Start.

Apply the latest connector update package

If you completed the other procedures in this section and you still see Unmatched Data or Internal New Connector Data alerts, apply the latest connector package before calling Support. For instructions on how to apply the latest connector update package, see Applying a LEM Connector Update Package.

Contacting Support

If you are unable to resolve your issue using this article, open a ticket with SolarWinds Support for further assistance.
Be prepared to provide the following once you are in touch with a representative:
- A copy of the LEM report Tool Maintenance by Alias for the last 24 hours, or for the period during which the unmatched data was detected, exported in Crystal Reports format (.rpt).
- For syslog devices: a sample of the logs currently being sent to LEM for the affected connector. See "To generate a syslog sample from the LEM appliance" below.
- For Windows connectors: a copy of the entire event log in .evtx format; specify English when asked for the language option.
- For database connectors (required): a sample of the event table containing the events not being read, along with details about those events.
- For database connectors (optional): if possible, the schema for the database.

To generate a syslog sample from the LEM appliance:
1. Connect to your LEM appliance using a VMware console view, or an SSH client such as PuTTY.
2. If you're connecting to your appliance through SSH, log in as the CMC user, and provide the appropriate password.
3. If you're connecting to your appliance using VMware, select Advanced Configuration on the main Console screen, and then press Enter to get to the command prompt.
4. At the cmc> prompt, enter appliance.
5. At the cmc::acm# prompt, enter exportsyslog.
6. Enter an item number to select a local facility to export.
7. Repeat the previous step to specify more than one facility.
8. Enter q to proceed.
9. Follow the on-screen instructions to complete the export.

Using the Append Text to File Active Response

Use the Append Text To File Active Response to append static or dynamic text to a flat text file on your network.
This action is useful for keeping a running list of deployed LEM Agents, or for tracking certain types of activity across several users and computers. It can be automated in a LEM rule or executed manually from the Respond menu in the LEM Console.

Requirements

To use this active response, ensure that the file you want to append to already exists. Follow these guidelines when creating the file:
- Use .txt or a similar flat text file format.
- Avoid spaces in the file path or name.
- Note the complete file path and name; it is required to use the active response.

Configure the Append Text to File Active Response and Windows Active Response connectors on each LEM Agent on which you want to be able to use this active response.

To configure the Append Text to File action in a rule:
1. Open your LEM Console and log in to your LEM Manager as an administrator.
2. Create a new rule, or edit an existing rule that triggers on a specific event.
3. Open the rule for editing, and then select Actions in the left column.
4. Drag the Append Text to File action from the left into the Actions box under the rule.
5. Open Constants on the left, and then drag the Text constant to the empty box next to File Path under the Append Text to File action.
6. Using the same event stated in the Correlations box, select the event from the Events list on the left, and then drag the DetectionIP field from the Fields list to the Agent box under this action, so that the action runs on the Agent that detected the event.
7. Fill in the directory structure in the File Path box under this action, including the name of the file.
8. The Text box under the Append Text to File action holds the text you are inserting into the file. If you are using plain text, drag the Text constant from the left to the empty box in the Text field, and then enter the text.
9. Save the rule.

To configure the Append Text to File Active Response connector on a LEM Agent:
1. Open your LEM Console and log in to your LEM Manager as an administrator.
2.
Click the Manage tab, and then select Nodes.
3. Locate the LEM Agent on which you want to enable the connector.
4. Click the gear icon to the left of the LEM Agent, and then select Connectors.
5. Enter Append Text to File in the Search box at the top of the Refine Results pane.
6. Click the gear icon next to the connector, and then select New.
7. Enter a custom Alias for the new connector, or accept the default.
8. In the How to append menu, specify whether you want the connector to append data on a new line.
9. Specify a Maximum file size (MB), or accept the default.
10. Click Save.
11. Click the gear icon next to the new connector, denoted by an icon in the Status column, and then select Start.
12. Click Close to exit the Connector Configuration window.

To configure the Windows Active Response connector on a LEM Agent:
1. Open your LEM Console and log in to your LEM Manager as an administrator.
2. Click the Manage tab, and then select Nodes.
3. Locate the LEM Agent on which you want to enable the connector.
4. Click the gear icon to the left of the LEM Agent, and then select Connectors.
5. Enter Windows Active Response in the Search box at the top of the Refine Results pane.
6. Click the gear icon next to the connector, and then select New.
7. Enter a cus