

I have set up some LEM rules and now I want to receive Email notifications telling me who did what and when


First you will need to create a new email template. Be sure to name it well, because rules reference templates by name.

  1. Go to Build > Groups.
     
  2. Click the + button at the top, and choose Email Template, or select one of the existing Email Templates and clone the template, then modify the name and parameters of the template.
     
  3. In the Details pane, provide a name for your template. This will be used in rules to reference the template.
     
  4. To create dynamic text (parameters) for your rule:
    1. Type a name in the Name field under the Parameters list and click the + button. For example, DetectionIP, DestinationAccount, EventInfo, and so on. This name is a reference to the actual event data.
    2. Repeat this for all the parameters you want to add.
      Note: Each one of these is a variable that holds your data and places it in the right location in the email. For example, for an Account Lockout template, consider using the following parameters:
      • Time
      • Account
      • DC
      • Machine
         
  5. Fill out the Subject box.
    • Specify static text (optional).
    • To use a Parameter, either type in the name as it appears in the parameters list, including the dollar sign, or drag it from the Parameters list into where you want it to appear in the subject.
      Note: Using a dynamic Parameter in the Subject provides a subject that includes the user account name, source, or any other text from the originating event.
       
  6. Enter the body of the message in the Message box.
    • Specify static text (optional).
    • To use a Parameter, either type in the name as it appears in the parameters list, including the dollar sign, or drag it from the Parameters list into where you want it to appear in the message body.
      Note: Oftentimes you will use a combination of static and dynamic text, such as:
      Account $Account locked out at $Time on DC $DC from computer $Machine.
      This would display the following:
      Account testuser locked out at 7/21/2016 8:05am on DC DC1 from computer PC1
       
  7. Click Save at the bottom.

 

The following instructions address how to use the Send Email Message action in Rule Creation. Before adding an action, consider the example used in the two Related Procedures and perform the following:

  1. Open the LEM Console and go to Build > Rules.
  2. Select Change Management on the left and locate the User Account Lockout template on the right.
  3. Select the gear icon for the rule and clone it.
  4. Edit the rule Correlations as needed and click Save.

To add or edit a Send Email Message Action:

  1. Expand the Actions list on the Components pane on the left, and drag Send Email Message into the orange Actions box on the right side.
    Note: If you make a mistake, or decide you want to clear out the actions and start over, hover over any action and click the upper right hand X. There is also an Undo button in the lower left corner of Rule Creation.
  2. Whether editing an existing Send Email Message Action or starting with a new one, select your template from the Email Template list.
    Note: If you forgot the name, you can always go back to Build>Groups to view your templates' details. Your rule will still be open when you come back to Build>Rules.
  3. Click on the Users list and check the box next to the user(s) you want to be notified about this event.
  4. To populate the Send Email Message action with dynamic values from the event firing the rule:
    1. Locate the Event or Event Group in the rule's Correlations. In this example, the User Account Lockout (Updated) Rule uses the UserDisable event, so expand Events on the components pane and type UserDisable into the search box.
    2. Click the Event to populate its available fields in the Fields listing under the Events listing.
    3. Drag the appropriate fields from the Fields listing into your action. In this example, the Email Template created in the related articles below requires the following fields: DetectionTime for the Time variable, SourceMachine for the Machine variable, DestinationMachine for the DC variable, and DestinationAccount for the Account variable.
  5. Make sure your rule is enabled by selecting the Enable check box.
    Note: Once enabled, you can also use the Test check box to put your rule in Test Mode. When a test rule fires, you will see InternalTestRule events in the Console to let you know it was triggered and what it would have done, but no action will have been taken.
  6. Click Save to save your changes and exit Rule Creation.
    Important: Back in the folders view, you'll see that the Activate Rules button is enabled in the top right corner. This allows you to batch up all your rule changes in case you want to make multiple changes before changing the running state of the manager. So, be sure to click Activate Rules to tell the Console to send your changes to the manager and enable them.

At this point, your rule is active and your template is set up. The next time your rule fires, the recipients specified in your rule will have an email that matches the format you've specified.
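To make the template mechanics concrete, the following is an added Python model (not LEM's code, and not from the original article) of what happens when the rule above fires: the event's timestamp is checked against the five-minute clock-drift window from the troubleshooting notes, each template parameter is resolved through the field bindings dragged into the Send Email Message action, and the template body is rendered. The event dictionary, the field names used as keys, and the timestamps are constructed sample data; the drift gate is our reading of the page's statement that rules do not fire when data drifts more than five minutes, not a documented LEM algorithm. It also shows the failure mode the steps warn about: a parameter whose field was never dragged into the action stays as a literal `$Machine` in the email.

```python
from datetime import datetime, timedelta, timezone
from string import Template

# Template body exactly as the article's Account Lockout example (Build > Groups > Email Template).
TEMPLATE_BODY = "Account $Account locked out at $Time on DC $DC from computer $Machine."

# Template parameter -> event field, as dragged into the Send Email Message action
# (the article's mapping for the User Account Lockout rule).
FIELD_BINDINGS = {
    "Time": "DetectionTime",
    "Account": "DestinationAccount",
    "DC": "DestinationMachine",
    "Machine": "SourceMachine",
}

# The article states rules do not fire when event data drifts more than five
# minutes from the appliance clock; the check below is our model of that rule.
MAX_DRIFT = timedelta(minutes=5)

# Constructed sample event: field names follow the article, values are made up.
SAMPLE_EVENT = {
    "EventTime": datetime(2016, 7, 21, 8, 5, tzinfo=timezone.utc),
    "DetectionTime": "7/21/2016 8:05am",
    "DestinationAccount": "testuser",
    "DestinationMachine": "DC1",
    "SourceMachine": "PC1",
}


def bind_parameters(event, bindings):
    """Resolve each template parameter to its bound event field.

    Returns (values, missing): 'values' maps parameter name to text,
    'missing' lists parameters whose field is absent from the event
    (the case of a field that was never dragged into the action).
    """
    values, missing = {}, []
    for param, field in bindings.items():
        if field in event:
            values[param] = str(event[field])
        else:
            missing.append(param)
    return values, missing


def render_email(template_body, values):
    """Substitute $Name parameters; unbound names are left literally in place
    so a mis-wired template is visible in the message rather than raising."""
    return Template(template_body).safe_substitute(values)


def within_clock_window(event_time, appliance_time, max_drift=MAX_DRIFT):
    """True when the event timestamp is within the allowed drift of the appliance clock."""
    return abs(event_time - appliance_time) <= max_drift


def fire_rule(event, appliance_time, template_body=TEMPLATE_BODY, bindings=FIELD_BINDINGS):
    """Model one rule firing: drift gate, then parameter binding, then rendering.

    Returns (status, message); message is None when the rule did not fire.
    """
    if not within_clock_window(event["EventTime"], appliance_time):
        return "not fired: clock drift exceeds 5 minutes", None
    values, missing = bind_parameters(event, bindings)
    message = render_email(template_body, values)
    if missing:
        return "sent with unbound parameters: " + ", ".join(missing), message
    return "sent", message


def run_demo():
    """Three cases a troubleshooter meets: healthy, clock drift, missing field binding."""
    in_sync = datetime(2016, 7, 21, 8, 6, tzinfo=timezone.utc)
    drifted = datetime(2016, 7, 21, 8, 20, tzinfo=timezone.utc)
    partial_event = {k: v for k, v in SAMPLE_EVENT.items() if k != "SourceMachine"}
    return {
        "ok": fire_rule(SAMPLE_EVENT, in_sync),
        "drift": fire_rule(SAMPLE_EVENT, drifted),
        "unbound": fire_rule(partial_event, in_sync),
    }


if __name__ == "__main__":
    for name, (status, message) in run_demo().items():
        print(f"{name}: {status}")
        if message:
            print("  " + message)
```

Run it directly to see the three outcomes side by side. The "unbound" case is the one to look for when a notification arrives with a bare `$Machine` or `$DC` in it: the template is fine, but the corresponding field was not dragged into the action in Rule Creation.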

Common monitoring/troubleshooting steps:

  • How do I know that the rule is being triggered? Check your Console for InternalRuleFired events, either by using nDepth or a filter. Those events will show which rule was triggered and when.
  • Rule is not triggered when it should be? Check your rule logic and timestamps. The appliance or virtual appliance host layer might need to be configured for NTP. By default, rules will not fire when incoming data drifts more than five minutes from the appliance's clock.
    1. Open a PuTTY session to LEM on port 32022.
    2. Using the CMC user, enter the appliance menu.
    3. Enter the dateconfig command, and confirm the date and time on the Console. The time can be changed with this command, but if vSphere/Hyper-V time sync is pushing the host time to the LEM, it will overwrite the value you set.
  • Rule is triggered but emails are not sent? Make sure that the Email Active Response connector is configured on your manager appliance by performing the following:
    1. Go to Manage > Appliances.
    2. Click the leftmost gear icon, going to Connectors > Email Active Response.
    3. Click Gear > New to create a new connector, or click Gear > Stop and Gear > Edit to edit the configuration if you see a mistake.
      Note: Always click Save and Gear > Start to start/restart the connector. If you typed in a test email address, you can click Test after starting to send a test message.

Related Procedures

Last modified
14:39, 13 Nov 2015
