
Creating filters for real-time monitoring

Created by Caroline Juszczak, last modified by Kevin.Swinson on Oct 30, 2017


You can create custom filters in the Monitor and nDepth view using the Filters pane. This pane displays in the Monitor view and the nDepth Explorer. It contains categorized lists of events, event groups, event fields, Groups (from the Groups grid), profiles, and constants you can use to create conditions for your filters, rules, and search queries.

Click the video camera icon to view a tutorial on creating filters to troubleshoot network issues.

Monitor filters

Below is an example of the Filters pane that displays in the Monitor view.

[Screenshot: Filters pane in the Monitor view]

The following table describes each option in the Filters pane.

Filter  Description

Events
All console event types. Click the node-tree icon to display the list as a hierarchical tree. Click the list icon to list event types alphabetically, regardless of their position in the hierarchy.

Event Groups
Preconfigured groups of related events. Drag an event group into the Conditions box to start a filter condition or a rule based on that set of events.

User-Defined Groups
User-defined lists of values used in rules and event filters to match, include, or exclude events, information, or data fields based on their membership in a particular Group. In most cases, these groups are used in rules to choose which events to include or ignore. These groups apply to managers and are created in the Group Builder.

Connector Profiles
Groups of agents with common connector configurations. Use connector profiles in rules and filters to include or exclude agents associated with a particular profile. You can create connector profiles in the Build > Groups grid.

Directory Service Groups
Groups of network computers and system users, synchronized from your directory service, that you can use in rules and filters. They let you match, include, or exclude events for specific users or computers based on their group membership. These groups are synchronized through the Build > Groups grid.

Time Of Day Sets
Specific sets of hours you can associate with rules and event filters. Use time of day sets to make a filter include or exclude messages that occur during the hours in a particular set, or to have a rule take different actions at different times of day. You can create time of day sets in the Build > Groups grid.

Subscription Groups
All console user names, and the manager associated with each user. Each name represents the rules that user has subscribed to. When you add a subscription group to a filter, the filter displays only the event messages generated by the rules that user is interested in (or "subscribed to"). You can manage these subscriptions in the Build > Groups grid.

Constants
The constants rules and filters can use when comparing event data. These include text, number, and time constants.

Notifications
The notification methods the console can use to announce that an event matched the filter. The console can display a pop-up message, mark the new event as "unread," play a sound, or make the filter name blink. You can configure multiple notification methods for the same filter. This list applies only to filters.

nDepth filters

Below is an example of the Filters pane that displays in the Explore > nDepth view.

[Screenshot: Filters pane in the Explore > nDepth view]

The following table describes each option in the Filters pane.

Filter  Description

Refine Fields
The top 100 values for each field found in your nDepth search results. The values differ depending on whether you are searching event data or log messages. Use them to create, refine, or append nDepth search conditions. Click ABC to sort the values alphabetically within each category. Click 321 to sort the values by frequency within each category, so the items that occur most often appear first.

Managers
The appliances monitored by the console. Use this list to select the manager for your nDepth search. If you stored the original event log on a separate nDepth appliance, select that appliance to search its data.

In Drag & Drop Mode, you can drag an item from this list into the search box to include it in the search string. When using Search Builder, you can drag an item from this list into the Conditions box.

Events
All console event types. Click the node-tree icon to display the list as a hierarchical tree. Click the list icon to list event types alphabetically, regardless of their position in the hierarchy.

User-Defined Groups
User-defined lists of values used in rules and event filters to match, include, or exclude events, information, or data fields based on their membership in a particular Group. In most cases, these groups are used in rules to choose which events to include or ignore. These groups apply to managers and are created in the Group Builder.

Connector Profiles
Groups of agents with common connector configurations. Use connector profiles in rules and filters to include or exclude agents associated with a particular profile. You can create connector profiles in the Build > Groups grid.

Directory Service Groups
Groups of network computers and system users, synchronized from your directory service, that you can use in rules and filters. They let you match, include, or exclude events for specific users or computers based on their group membership. These groups are synchronized through the Groups grid.

Subscription Groups
All console user names, and the manager associated with each user. Each name represents the rules that user has subscribed to. When you add a subscription group to a filter, the filter displays only the event messages generated by the rules that user is interested in (or "subscribed to"). You can manage these subscriptions in the Groups grid.

Create conditions to filter event reporting

The Conditions box appears in the Monitor view when you click the plus icon in the Filters toolbar and select New Filter. Use the Conditions box together with the Filters pane to configure the conditions that determine which events the filter reports. Conditions are the rules that state when the filter displays an event message.

To define conditions, drag event variables from the Events, Event Groups, and field lists into the Conditions box. Use the condition connectors to configure how these variables compare with other items, such as time of day sets, connector profiles, user-defined groups, constants, and other event fields.

You can also join conditions and groups with AND and OR connectors. AND states that all of the joined conditions must be true before the filter shows an event; OR states that the filter shows the event if any one of the joined conditions is true. The combined conditions dictate when the filter displays an event; the filter ignores (and does not display) any event that does not meet them.

Below is an example of the Conditions box.

[Screenshot: Conditions box with numbered callouts 1 through 9]

The following table describes each feature of the Conditions box.

Item  Name  Description

1  Group
Holds the conditions built from the fields you drag from the Filters pane. Click to collapse an expanded group.

2  Add nested group
Creates a nested group inside the current group. Click the Add Group icon to create the nested group.

3  Delete
Deletes a condition or group, together with any nested groups it contains. Click the Delete Group icon to delete the group.

4  Event variable
Holds the event variables (events, event groups, and fields) dragged from the Filters pane. As event messages stream into the console, the filter evaluates the value of each event variable to determine whether the event meets the filter conditions.

5  Operator
Defines how the filter compares the event variable with the list item to decide whether the event meets the condition. Click the operator icon to cycle through the available operators. Press Ctrl and click the operator icon to select an operator from a drop-down list.

6  List item
Holds the non-event item the event variable is compared with. Drag an item from the Filters pane into this field to define the condition.

Some event variables automatically add a blank constant as the list item. You can overwrite the constant with another list item, or click the constant to enter a value. For example, clicking a text constant turns the field into an editable text box so you can type specific text; the text field also accepts wildcard characters.

Each list item carries an icon that corresponds to the list it came from, so you can quickly identify what kinds of items define the filter's conditions.

7  Nested group
Refines your conditions by evaluating one group of conditions inside another. Drag event variables and other items from the Filters pane into the nested group to build the logic for complex, precise conditions. The example above shows one nested group.

8  Boolean AND operator
Joins conditions so that every one of them must be true before the filter displays the event.

9  Boolean OR operator
Joins conditions so that the filter displays the event when any one of them is true.
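The following is an added example, not SolarWinds LEM code, that models how the Conditions box described above decides whether a streamed event is displayed: event variables compared with list items through an operator, conditions grouped under AND or OR connectors, one group nested inside another, and the Lines Displayed buffer that keeps only the newest matches. The field names (EventType, DestinationAccount, SourceMachine, DetectionTime), the event type names, the "Service Accounts" group, the "After Hours" time of day set, and the sample events are all constructed for this illustration and do not come from the page or the product.

```python
# Added example (not SolarWinds LEM code): a small evaluator that models how a
# Monitor filter's Conditions box decides whether an incoming event is displayed.
# Field names, group contents, the time-of-day set and the sample events below
# are constructed for this illustration.
from dataclasses import dataclass, field
from datetime import time
from fnmatch import fnmatchcase
from typing import Callable

# Filters-pane list items that conditions compare against (constructed values).
USER_DEFINED_GROUPS = {"Service Accounts": {"svc_backup", "svc_sql"}}
TIME_OF_DAY_SETS = {"After Hours": [(time(18, 0), time(23, 59, 59)), (time(0, 0), time(7, 0))]}

def in_time_of_day_set(t: time, set_name: str) -> bool:
    """True when t falls inside any hour range of the named time-of-day set."""
    return any(start <= t <= end for start, end in TIME_OF_DAY_SETS[set_name])

# Operators: how an event variable is compared with its list item.
OPERATORS: dict[str, Callable[[object, object], bool]] = {
    "=": lambda value, item: value == item,
    "!=": lambda value, item: value != item,
    "like": lambda value, item: fnmatchcase(str(value), item),  # text constant with * and ? wildcards
    "in group": lambda value, item: value in USER_DEFINED_GROUPS[item],
    "not in group": lambda value, item: value not in USER_DEFINED_GROUPS[item],
    "in time of day set": lambda value, item: in_time_of_day_set(value, item),
}

@dataclass
class Condition:
    """One row of the Conditions box: event variable, operator, list item."""
    event_variable: str
    operator: str
    list_item: object

    def matches(self, event: dict) -> bool:
        value = event.get(self.event_variable)
        # An event that lacks the field never satisfies the condition, even for
        # negative operators such as "!=" or "not in group"; the filter ignores it.
        if value is None:
            return False
        return OPERATORS[self.operator](value, self.list_item)

@dataclass
class Group:
    """A group of conditions and nested groups joined by one boolean connector."""
    connector: str                      # "AND": all members must match; "OR": any one
    members: list = field(default_factory=list)

    def matches(self, event: dict) -> bool:
        results = (member.matches(event) for member in self.members)
        return all(results) if self.connector == "AND" else any(results)

@dataclass
class MonitorFilter:
    """A saved filter: its condition tree plus the Lines Displayed buffer."""
    name: str
    conditions: Group
    lines_displayed: int = 1000         # the page's default
    displayed: list = field(default_factory=list)

    def feed(self, event: dict) -> bool:
        """Offer one streamed event to the filter; keep it only if it matches."""
        if not self.conditions.matches(event):
            return False
        self.displayed.append(event)
        del self.displayed[:-self.lines_displayed]   # keep only the newest N events
        return True

# Constructed filter: after-hours logon failures that are not service accounts,
# OR any logon event (success or failure) from a host whose name contains "-dmz-".
SAMPLE_CONDITIONS = Group("OR", [
    Group("AND", [
        Condition("EventType", "=", "UserLogonFailure"),
        Condition("DetectionTime", "in time of day set", "After Hours"),
        Condition("DestinationAccount", "not in group", "Service Accounts"),
    ]),
    Group("AND", [
        Condition("EventType", "like", "UserLogon*"),
        Condition("SourceMachine", "like", "*-dmz-*"),
    ]),
])

# Constructed sample events (the ids exist only to identify results).
SAMPLE_EVENTS = [
    {"id": "e1", "EventType": "UserLogonFailure", "DestinationAccount": "jdoe",
     "SourceMachine": "ws-042", "DetectionTime": time(22, 15)},
    {"id": "e2", "EventType": "UserLogonFailure", "DestinationAccount": "svc_backup",
     "SourceMachine": "ws-042", "DetectionTime": time(22, 15)},    # excluded by the group
    {"id": "e3", "EventType": "UserLogonFailure", "DestinationAccount": "jdoe",
     "SourceMachine": "ws-042", "DetectionTime": time(10, 0)},     # business hours
    {"id": "e4", "EventType": "UserLogon", "DestinationAccount": "svc_sql",
     "SourceMachine": "web-dmz-01", "DetectionTime": time(10, 0)},  # DMZ-host branch
    {"id": "e5", "EventType": "FileAuditFailure", "DestinationAccount": "jdoe",
     "SourceMachine": "web-dmz-01", "DetectionTime": time(22, 15)},
]

def run_sample(lines_displayed: int = 1000) -> list:
    """Stream the sample events through the filter and return the ids it displays."""
    flt = MonitorFilter("After-hours logon failures", SAMPLE_CONDITIONS, lines_displayed)
    for event in SAMPLE_EVENTS:
        flt.feed(event)
    return [event["id"] for event in flt.displayed]

if __name__ == "__main__":
    print(run_sample())      # ['e1', 'e4']
    print(run_sample(1))     # ['e4']: Lines Displayed keeps only the newest match
```

Two points the code makes explicit that the table leaves implicit: an event missing the compared field is dropped even by a negative operator, so an exclusion such as "not in group" does not let through events that carry no account at all, and the Lines Displayed value is a rolling window, so an older match silently falls out of the console once the limit is reached.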

Create a filter

You can create custom filters from the Monitor view in your LEM console to display real-time traffic from your monitored computers and devices.

  1. Open the LEM console and log in to your LEM manager as an administrator or auditor.
  2. Click the Monitor view.
  3. In the Filters pane, click the plus icon and select New Filter.
  4. Enter a filter name and description.
  5. Change the Lines Displayed value to set how many events the filter keeps in console memory.

    [Screenshot: Lines Displayed field]

    The default value is 1000. The filter retains only the newest events up to this count, so a larger value shows more history in the Monitor view at the cost of more console memory.

  6. Expand a filter group and drag an item into the Conditions box.

    [Screenshot: dragging an item from the Filters pane into the Conditions box]

  7. (Optional) If you dragged an item from the Events group, drag an event field into the Conditions box to narrow the match.
  8. Repeat steps 6 and 7 for any additional conditions.
  9. Expand the Notifications group and drag a notification into the Notifications box.
  10. Set the AND and OR operators as required.
  11. Click Save.

    Your filter is saved.
