
Configure the LEM event distribution policy

Updated: September 15, 2017

Configure the event distribution policy to choose which events should go to the LEM console, and which should go to the local LEM database. This topic explains how to configure the event distribution policy on the LEM Manager.

Practical uses for event distribution policy

Many data sources generate events that are difficult to control at a granular level, or they generate events of little or no value. SolarWinds recommends removing these events from the system to reduce the volume and noise sent to the LEM console and LEM database. By configuring the event distribution policy, you can disable (or exclude) specific event types at the event level from being sent to any or all of these destinations. The data sources continue to generate these events, and you can enable them at any time, but the selected system destinations will ignore them while they are disabled.

Additionally, you may have events that you want to monitor in the console, but that do not require long-term storage or reporting. In this case, you can configure the event distribution policy to disable database storage for those events, but enable processing by the console.

See also: Collecting Windows Filtering Platform (WFP) events in LEM

Open the Event Distribution Policy window

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

  2. Click Manage > Appliances.

  3. Click next to the targeted LEM Manager in the Appliances grid, and then select Policy.

    The Event Distribution Policy for [Manager] window appears.

    If you open the Event Distribution Policy window while it is in use by another user, a Policy Locked message appears. You can choose to take over the window, or view it in read-only mode. Any Full User can unlock any other user.

The following table describes the key features of the Event Distribution Policy window.

| Field | Description |
|---|---|
| Event/Field | Lists event categories and event types. Click ▼ to maximize an event category. |
| Console, Database, Warehouse, Rules | Select a check box to indicate whether a particular event type or event category is sent to the console or local database. When selected, the event type is routed to that particular destination. Clear a check box to prevent the event type from being routed to that destination. |
| Export | Exports a Manager event policy to a spreadsheet file. |
| Gear button | Click to select the Apply State to Branch command. This command pushes (or propagates) the selected event node check box settings down to the related, lower-level event types in the node tree hierarchy. |
| Description | Provides a description of the event type or event category currently selected in the grid. |

Configure the event distribution policy

Use the Event Distribution Policy window to configure your event distribution policy. Locate the event types you need, and then select the appropriate check boxes to determine whether these event types are routed to a particular destination.

  1. Open the Event Distribution Policy window. See Open the Event Distribution Policy window for steps.

  2. Locate the events that you want to disable by either browsing the alert taxonomy or by using the search box under Refine Results.

    You can locate all of the events listed below by typing Windows Security in the search box.

  3. Select or clear the check boxes in the Console, Database, Warehouse, or Rules columns as appropriate:

    • Clear the Console box to prevent LEM Manager from showing an alert in the LEM console.

    • Clear the Database box to prevent LEM Manager from storing the alert in the LEM database.

    • Clear the Warehouse box to prevent LEM Manager from sending the alert to an independent database warehouse.

    • Clear the Rules box to prevent LEM Manager from processing the alert against LEM rules.

    • Select any check box to enable processing for the alert at any of the four levels listed above.

  4. Click Apply to save your changes.

  5. Click Save to save your changes and exit the Event Distribution Policy window.

    This process may require 30 seconds to several minutes to complete.

Push event policy to lower-level event types

Use the Apply State to Branch command to propagate (or push) event distribution policy settings from a high-level event type to each of its lower-level “child” event types in the event hierarchy.

For example, suppose you select the top Security Event row and select the corresponding Console and Warehouse check boxes. Clicking Apply State to Branch then assigns the same Console and Warehouse check box settings to every child item associated with Security Event. When you save your configuration, the policy causes all child event types of Security Event to send events to all user consoles and your data warehouse.

To push event distribution policy settings downward:

  1. Open the Event Distribution Policy window for a selected Manager. See Open the Event Distribution Policy window for steps.
  2. In the Event/Field grid, locate the event type that is a parent to the event types you want to configure.
  3. In the parent row, define the policy by selecting or clearing the Console, Database, Warehouse, and Rules check boxes.
  4. Click the gear button next to the targeted row and select Apply State to Branch.

    The Console pushes (or propagates) the parent row check box settings down to each of its lower-level event types in the node tree hierarchy.

    If you select one or more of the parent row check boxes, the console selects the same check box settings for each related lower-level event type in the node tree. When you save your configuration, the policy begins sending the “child” event types to the selected destinations.

    If you clear any of the parent row check boxes, the console disables the same check box settings from each related lower-level event type in the node tree. When you save your configuration, the policy stops sending those event types to those destinations.

  5. Click OK to save your changes.

    The Console implements the new policy.
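
The sketch below is an added example, not SolarWinds code. It models the four check boxes and Apply State to Branch as described above, and lists which child settings a push would overwrite and which event types would then bypass rules. The child event names are hypothetical, and the parent row is assumed to have Database and Rules cleared.

```python
from dataclasses import dataclass, field

DESTINATIONS = ("console", "database", "warehouse", "rules")

@dataclass
class EventNode:
    name: str
    state: dict = field(default_factory=lambda: dict.fromkeys(DESTINATIONS, True))
    children: list = field(default_factory=list)

    def walk(self):
        """Yield this node and every descendant, depth first."""
        yield self
        for child in self.children:
            yield from child.walk()

def apply_state_to_branch(parent):
    """Copy the parent's settings to every descendant; return the names changed."""
    changed = []
    for node in parent.walk():
        if node is not parent and node.state != parent.state:
            node.state = dict(parent.state)
            changed.append(node.name)
    return changed

def blind_spots(root):
    """Report leaf event types no rule can see, or that reach no destination."""
    report = {"no_rules": [], "dropped": []}
    for node in root.walk():
        if node.children:
            continue  # audit individual event types, not categories
        if not any(node.state.values()):
            report["dropped"].append(node.name)
        elif not node.state["rules"]:
            report["no_rules"].append(node.name)
    return report

def build_sample_tree():
    """Constructed hierarchy; only 'Security Event' is named on the page."""
    logon = EventNode("ExampleLogonFailure")           # hypothetical event type
    noisy = EventNode("ExampleNoisyAudit")             # hypothetical event type
    noisy.state.update(console=False, database=False)  # earlier per-event tuning
    return EventNode("Security Event", children=[
        EventNode("ExampleAuthCategory", children=[logon]), noisy])

if __name__ == "__main__":
    root = build_sample_tree()
    root.state.update(database=False, rules=False)  # assumed: Console + Warehouse only
    print("overwritten:", apply_state_to_branch(root))
    print("blind spots:", blind_spots(root))
```

Reviewing the overwritten list before saving shows where a branch-wide push replaces earlier per-event choices, including event types that active rules depend on.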

Export a Manager event policy

You can export a Manager event policy to a spreadsheet file to:

  • View and manipulate the policy information in a spreadsheet application, such as Microsoft Excel.
  • Provide SolarWinds with a copy of your policy information for technical support or troubleshooting purposes.

To export a Manager policy:

  1. Open the Event Distribution Policy window for a selected Manager. See Open the Event Distribution Policy window for steps.

  2. At the top of the window, click Export.

    The Save As form appears.

  3. In the Save In box, select the folder you want to export to.

  4. In the File Name box, enter a name and file type for the exported file.

    In the file name, include an XLS file type to save the file as a Microsoft Excel spreadsheet.

  5. Click Save to save the file.

    The Console saves the file to the folder and with the file name you specified.

    You can now view the Manager policy information in a spreadsheet application, such as Excel.
