
Troubleshoot LEM rules that are not sending emails or not firing

Created by Randall Harwood, last modified by James Moore on Sep 05, 2018


Updated: September 5, 2018

Overview

This article describes how to troubleshoot the following issues:

  • A LEM rule that you cloned and modified to fit different event correlations is not sending email alerts.
  • One or more LEM rules that you created are showing in nDepth, but are not showing in the monitor or sending email alerts.

Environment

  • All LEM versions

Steps

Quick fix for rules not firing: If neither you nor any of your colleagues have made changes to LEM or to any of the rules that are not firing:

  1. Restart the LEM Manager service from PuTTY or from the LEM CLI console in VMware/Hyper-V: cmc->manager->restart.
  2. If the issue is still not resolved, reboot LEM: cmc->appliance->reboot.

If the rules are still not firing, follow the troubleshooting steps in the following section:

Detailed Troubleshooting for all/some rules not firing in LEM

  1. Check if the event exists in nDepth by using the same correlation as in the rule.
  2. Check the Insertion Time and Detection Time.
    1. If these do not match, one of three things could be happening:
      1. Time on the LEM is inaccurate - See step 8.
      2. Time on the Node is inaccurate - Update the time or configure the node to get the correct time from an NTP server.
      3. The LEM is queuing data - See LEM is queueing and dropping event data.
  3. Make sure the rule matches the events pulled in nDepth.
  4. Make sure the rule has been saved and you clicked Activate Rules.
  5. Make sure the rule is enabled.
  6. Perform an nDepth search for InternalRuleFired events and try to find the rule you are troubleshooting. If the rule is not there means, the Condition / Logs.
  7. Make sure the rule is not using AnyAlert.
  8. Make sure the rule does not have conditions that contain only symbols such as $ or ~.
  9. Make sure the date, time, and time zone are accurate in LEM:
    1. Open the CMC console and at the prompt, go to the appliance. Run dateconfig and tzconfig, if necessary.
    2. If the response window for the rule is set to 5 mins, and the time on the LEM is 6 mins off, the rule will not fire.
    3. Use an SSH client to connect to your LEM Appliance.
  10. Restart LEM.
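
The Insertion Time versus Detection Time comparison from step 2, measured against a rule's response window as in step 9, can be run over exported events. The following Python is an added example, not SolarWinds code; the CSV layout, the column names (DetectionIP, DetectionTime, InsertionTime), the sample rows, and the all-nodes versus some-nodes hint are assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timedelta
from statistics import median

# Constructed sample: hypothetical CSV export of an nDepth search result.
SAMPLE_EXPORT = """DetectionIP,DetectionTime,InsertionTime
10.0.0.5,2018-09-05 10:00:00,2018-09-05 10:00:02
10.0.0.5,2018-09-05 10:01:00,2018-09-05 10:01:03
10.0.0.9,2018-09-05 09:54:00,2018-09-05 10:00:05
10.0.0.9,2018-09-05 09:55:00,2018-09-05 10:01:04
10.0.0.9,2018-09-05 09:56:00,2018-09-05 10:02:06
"""

FMT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp format of the export


def node_skews(export_text):
    """Return {node: median (InsertionTime - DetectionTime) in seconds}."""
    deltas = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        detected = datetime.strptime(row["DetectionTime"], FMT)
        inserted = datetime.strptime(row["InsertionTime"], FMT)
        deltas.setdefault(row["DetectionIP"], []).append(
            (inserted - detected).total_seconds())
    return {node: median(vals) for node, vals in deltas.items()}


def triage(export_text, response_window=timedelta(minutes=5)):
    """Flag nodes whose time gap exceeds the rule's response window."""
    skews = node_skews(export_text)
    limit = response_window.total_seconds()
    # abs(): a clock running ahead gives a negative gap, which is just as bad.
    over = sorted(n for n, s in skews.items() if abs(s) > limit)
    if not over:
        hint = "gaps are inside the response window"
    elif len(over) == len(skews):
        hint = "every node is off: check LEM time or queuing"
    else:
        hint = "only some nodes are off: check time on those nodes"
    return {"skews": skews, "over_window": over, "hint": hint}


if __name__ == "__main__":
    result = triage(SAMPLE_EXPORT)
    for node, seconds in sorted(result["skews"].items()):
        print(f"{node}: median gap {seconds:+.0f}s")
    print(result["over_window"], "-", result["hint"])
```

With the sample rows, node 10.0.0.9 shows a median gap of 365 seconds, which is outside a 5-minute response window, while 10.0.0.5 is within it.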
