Submit a ticketCall us

Webinar: Web Help Desk for HR, Facilities and Accounting Departments
This webinar will focus on use cases for HR, Facilities and Accounting.

Having a unified ticketing and asset management system for all the departments in your company can provide end-users with a seamless experience and make things easier for your IT team. Yet, with different business tasks and objectives, many departments don’t fully understand the capabilities of Web Help Desk and how the software can be customized for effective use in their departments.
Register Now.

Home > Success Center > Log & Event Manager (LEM) > Creating Rules for Real-time Correlation and Response with SolarWinds Log & Event Manager - Video

Creating Rules for Real-time Correlation and Response with SolarWinds Log & Event Manager - Video

Updated 8-18-2016

Overview

This video will show you how to quickly create rules within the Log & Event Manager console.

 

 

Environment

  • Log & Event Manager

 

Related Resources

Video Transcription

A rule is a mechanism which allows you to correlate events that take place on your network, and automatically send a notification or take a response.

Rules are different from LEM's console filters in two ways:

  • Rules operate on the LEM appliance whether you're logged in to the console or not, while filters are used only for displaying and organizing data.
  • Rules can automatically send notifications and perform active responses in real-time, while filters only capture events and trigger basic in-console notifications.

Some good examples of when to create rules are:

  • To be automatically notified of malicious or unexpected activity, such as device changes or potential security breaches
  • To detect when events have passed a certain threshold, such as excessive network traffic to unexpected ports
  • To compare an event's source or details with parts of your environment, such as admin logons to servers
  • To correlate multiple events with each other, such as new users created and subsequently granted admin privileges

Log & Event Manager comes with hundreds of pre-built rules easily categorized by common needs, such as change management, security, or compliance. You can also create and configure your own custom rules.

To quickly enable rules for a category of events within LEM, use the Add Rules wizard. This wizard is included as a part of the Getting Started widget on the Ops Center dashboard, and also found within Build>Rules.

After launching the wizard, you'll see a list of categories and descriptions to choose from. Let's go ahead and pick Change Management and Compliance as an example.

On the next pages, you'll see the subcategories for the categories you selected, and the list of rules in that subcategory. A selection of "General Best Practice" rules for each category are checked off by default, and you can toggle the selections to match what you're interested in monitoring. In this example, I'll check off "User Changes in Change Management", and "PCI" in compliance.

Before the rules I've selected can be enabled, the Add Rules wizard will ask for email server settings and email recipients. If you've already configured email settings, they'll be displayed here. In this example, I'll create a contact for these rules to be sent to myself, in addition to the default admin user.

Finally, you will see a confirmation page. When I click to finish the wizard, the rules will be enabled in the background.

You can see here in Build > Rules all the rules I just enabled. You can launch the Add Rules wizard as many times as you need to enable different categories or notification settings.

After using the Add Rules wizard you might want to further customize rules, or even create your own correlation rules.

From within Build > Rules, you can double click or click "edit" to edit an existing rule, or click the "+" button to create a blank new rule. I'll walk you through an example of creating a new rule to detect users being added to an administrators group.

On the left side of the rule builder, you'll find different rule components you can use to build your rule, including events, groups, and actions. On the right side, you'll find the rule definitions, including correlations, thresholds, and actions that will be taken.

Let's build a rule to detect when a user is added to an administrative group. In Events, I'll do a quick search for different "group" types of events by typing the text "group" in the search box. Since I'm interested in members being added, I'll select New Group Member. Below, the different fields associated with this event type appear. I can use these fields to further refine the rule's criteria, so I can ONLY be notified when certain users or types of groups are changed.

From fields, I'll select and drag over "Group Name" to the correlations area. On the right side of this correlation, I'll need to specify which groups to monitor for. I can use groups from Active Directory, or type in text to match. Here, I'll type *admin*, using the wildcards to match variations of "admin" including both "domain admins" and "administrators".

Correlation Time allows you to specify a threshold of activity that must be met before triggering this rule. In this case, I want the rule to fire on each user added, so I'll leave it at 1.

At the bottom, I'll specify to send me an email notification when this rule fires. Simply drag over the "Send Email" action, choose a template, and select the user. If you need to create or edit templates, you can do so from the Build > Groups drop down menu, but for now, I'll use the default template.

The last step in the rule editor is to enable this rule. If I just want to observe what this rule might do but not enable it, I can also enable "Test" mode, which will not trigger any actions. This is a good way to confirm if you're not sure of how your rule might work. In my case, I'm going to go ahead and leave test mode off and save the rule.

The last and most important step when you're done creating and customizing a rule is to click "Activate Rules". This pushes your changes to the LEM appliance and makes them the new running configuration.

Visit the Success Center for more information on using Log & Event Manager. https://support.solarwinds.com/Succe..._Manager_(LEM)

 

 

Last modified
14:53, 18 Aug 2016

Tags

Classifications

Public