Submit a ticketCall us

Announcing NCM 7.7
With NCM 7.7, you can examine the rules that make up an access control list for a Cisco ASA device. Then you can apply filters to display only rules that meet the specified criteria, order the rules by line number or by the hit count, and much more.
See new features and improvements.

Home > Success Center > Log & Event Manager (LEM) > Prevent a user from stopping the USB Defender service

Prevent a user from stopping the USB Defender service

Table of contents

Updated February 14, 2017

Overview

Users in your environment have administrator access and are able to disable their SolarWinds Log and Event Manager USB Defender service so they can attach their USB devices.

 

It is possible for you to remove certain permissions from the service to prevent them from adjusting it, that falls far into Windows territory, so we'll be covering alternative responses you can configure on your LEM.

Environment

  • All LEM versions
  • USB Defender installed on Windows hosts
  • Users of those hosts have access to stop services

Steps

Using ServiceStop events, we can easily clone a rule template to monitor for USB Defender stoppage and perform actions such as automatically restart the service or send an email alert to you.

  1. Go to Build > Rules and search for USB.
  2. Locate the USB-Defender Service Stopped template in the bottom section, click the gear icon, and clone it.
  3. Choose a user to receive the email alert in the Users dropdown.
  4. If you want to automatically restart the service, drag the Start Windows Service action from the Actions section on the left to below the Send Email Message action on the right.
  5. Populate the Agent and Service Name boxes in that section for this to function.
    1. Expand the Events section in the top left corner and locate the ServiceStop event.
    2. Drag the InsertionIP field from the Fields section on the left to the Agent box on the right.
    3. Drag the ServiceName field from the Fields section on the left to the Service Name box on the right.
    4. Save and then Activate the rule.

 

 

 

 

 

Last modified
00:50, 15 Feb 2017

Tags

Classifications

Public