Does anyone know how to retrieve data from the ELM? I need to run a report or get information as to where a user had log on and log off in our network about three months ago. Since our domain controllers are added as devices it gets the event logs as raw data after a certain period of time.
You can perform and save searches from ELM Properties --> Data tab ( bottom left ) and plug in your criteria. I would recommend you narrow down to specific data sources and be as specific in your search criteria as possible.... and that is solely based on our experiences so far.
Thanks for your input but I tried that already and I am not getting any data or matches to my search. What am I doing wrong? I enter the username as the string value and select the ELM as the device since I really don't know which domain controllers would have authenticated the user I can't really narrow it down to a specific data source. After 5 hours of searching it comes back with 0 matches. Any suggestions?
Been slammed..... So you added the Domain controllers into the system but not configured the datasource?? That is not very useful.
How exactly did you add these systems and how are they logging to the receiver?
Yes I know the feeling I've been swamped here as well. The domain controllers were added as data source. We are using a domain account to pull all the event logs from these domain controllers. Connection is fine and it seems like it is pulling data. I'm not sure how to retrieve data from our ELM though. I can pull data from the ESM and create reports but not from the ELM. I understand that the data is raw which means you cannot query or create a report in ELM but you can pull data by using Data on the ELM properties like you said.
Hrmm... check your receiver data sources and make sure the logging box is check... That is first that comes to mind if you are getting events in ESM but no data in the ELM. Yes you can create create data source that do events but not log to ELM.
reading through how you did the ELM search I am curious if you actually selected the ELM as the device you are looking at logs for.
When doing an enhanced ELM search from the view dropdown, you actually select the data source on the left you want to query from the ELM. If you select the ELM it will only look for logs specifically generated by the ELM.
If you go to ELM Properties, Data, and perform your search there, you will still need to select the device that is the data source where those logs are, and the ELM will search for your search request, where the VIPS ID is associated with the device you selected (the domain controller).
Hopefully that helps, if not, please feel free to reach out to me.
Ryan is on to something.
I suggest a test. From the computer you just logged onto, figure out the Domain controller that processed yout logon ( type SET from a CMD prompt. Look for LOGONSERVER ). Now choose that Domain controller in the SIEM. Under EventSummary, do you see Logon events ( for the Current Day )? If not, there's the ( or a ) problem. If you do, narrow the time frame and search for your ID, on the [SOURCE USER]. Also, choose the Aa on the Source User. I've seen this affect my searches for user information in a negative way.
So by now, you should be able to find your own logon. If not, work on getting to that point first. Then you'll be ready to go what you setout to do.