
Configure user-defined groups in LEM

Updated: September 15, 2017

User-defined groups contain values relevant to your IT environment, such as user and computer names, sensitive file locations, trusted IP addresses, and so on. Like other groups, they contain information that you can use in rules and filters. This topic provides steps to add and edit values in user-defined groups. You can also create rules that auto-populate user-defined groups with values. See Auto-populate user-defined groups using a LEM rule for details.

If Active Directory is available, use directory service groups to add user and computer accounts to rules and filters. A user-defined group cannot be synchronized with Active Directory, but a directory service group can synchronize with Active Directory every five minutes. See Configure directory service (DS) groups in LEM for details.

How rules and filters use user-defined groups

Following are a few rules that depend on user-defined groups:

  • A rule that stops LEM from blocking accounts in a user-defined group of trusted administrator accounts.
  • A second rule that sends out an alert when an account in the same user-defined group of trusted admin accounts logs in or makes changes.
  • A rule that checks a user-defined group containing trusted IP addresses to see if it should block a certain IP address.

Rules and filters typically make use of user-defined groups in slightly different ways:

  • In a rule, a user-defined group is typically used as a white list or black list that tells LEM which events it should include or ignore.
  • In a filter, a user-defined group limits the scope of the filter to items that belong to the group.

Rules that use user-defined groups include:

  • Authentication - Unknown User
  • Critical Account Logon Failures
  • Detach Unauthorized USB Devices
  • File Audit - Delete Sensitive Files
  • Non-Admin Server Logon
  • Vendor - Unauthorized Server Logon

Filters that use user-defined groups include:

  • Admin Account Authentication
  • Domain Controllers (all)

Create or edit a user-defined group

See Add a new group or Edit a group to get started adding or editing a group. You can create as many user-defined groups as you need to support your rules and filters. Well-planned groups provide flexibility.

You can only add a group to one LEM Manager at a time. To copy a group for use with another LEM Manager, export the group and then import it into the other Manager's Groups grid. See Export a group for steps.

The following image shows the user-defined group form. The form lists the elements that are configured for the group.

[Image: the user-defined group form (udg-75.png)]

The following fields appear on the user-defined group form.

Name – Enter a name for the group.

Description – Briefly describe the purpose of the group.

LEM Manager – Click the Manager drop-down list and select the Manager that will host the group. If you are editing an existing group, this field displays the hosting Manager.

+ (Add Element) – Click the + icon at the bottom of the form to add an element to the group. When you finish entering values, click Save at the bottom of the Element Details form.

- (Remove Element) – Click the - icon to remove an element from the group.

Element Details – The form that defines a single element of the group:

  • Name – The name of the data element.
  • Data – The specific element that you want to include or ignore in your rules and filters. You can use an asterisk ( * ) as a wild card to include all similar data elements.
  • Description – A description of the element and its intended use.

Save – Click Save in the bottom-right corner to make your group changes permanent.

Customize the blank and sample user-defined groups included with LEM

SolarWinds recommends customizing the following blank and sample user-defined groups for your environment:

  • Admin accounts
  • Admin groups
  • Approved DNS servers
  • Authorized USB devices
  • Authorized VPN users
  • Sensitive files
  • Service accounts
  • Suspicious external machines
  • Suspicious local machines
  • Trusted IPs
  • Trusted server sites
  • Vendor and contractor accounts
  • Vendor-authorized servers

The Admin Accounts group is used in several template rules as a placeholder for a custom list of administrative users. This group represents the default administrative accounts in Windows and Unix/Linux environments. SolarWinds recommends that you clone this group before you customize it so that you can use it in both capacities. See Clone a group for more information.

Customize user-defined groups

SolarWinds recommends cloning any group that contains a default or suggested value before you alter it. This practice ensures that you have a backup of the default group should you need it later. See Clone a group for more information.

Complete the following procedure to customize any or all of the user-defined groups listed above.

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

  2. Click Build > Groups.

  3. Locate the group you want to edit.

    Use the search box or Type menu on the Refine Results pane if necessary.

  4. Click the gear icon next to the group, and then select Edit.

    If you want to clone the group, select Clone instead, and then repeat this step for the cloned group.

  5. Add an element to the group:

    1. Click Add Element, denoted by a + icon at the bottom of the details pane.

    2. Enter a nickname for the element in the Name field. This value is for reference only.

    3. Enter a value to define the element in the Data field (required). Consider using wildcard characters, such as asterisks ( * ), to abbreviate these entries as illustrated in the example at the end of this procedure.

    4. (Optional) Enter a description in the Description field.

    5. Click Save.

  6. To modify an element, click the element in the details grid, and then modify it in the Element Details form just as you would when adding a new element.

    To remove an element, click the element in the details grid, and then click Remove Element, denoted by a - icon at the bottom of the details pane.

  7. If you are finished editing the group, click Save.

Use the pre-populated User-Defined Groups as examples of what your custom groups might look like. The Data field is used for the correlation, while the Name field is for reference and the Description is optional.

The following is an excerpt from the default Admin Groups user-defined group (Group Name: Admin Groups):

  Name               Data
  Administrators     *Administrators*
  Backup Operators   *backup oper*
  DNS Admins         DNSAdmin*
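The excerpt above and the earlier description of how rules and filters use groups (a rule treats a group as a white list or black list of events to include or ignore; a filter narrows its results to members of the group) can be illustrated with a small matcher. The following Python is an added example, not LEM code: it takes the three Data patterns from the Admin Groups excerpt, treats only the asterisk as a wild card, and runs constructed group-membership events through both usages. Case-insensitive matching is an assumption made here; the page does not state how LEM compares Data values.

```python
import re
from typing import Dict, List, Optional

# Data patterns copied from the page's Admin Groups excerpt: Name -> Data.
ADMIN_GROUPS: Dict[str, str] = {
    "Administrators": "*Administrators*",
    "Backup Operators": "*backup oper*",
    "DNS Admins": "DNSAdmin*",
}

# Constructed sample events (not real log data): each records a user being
# added to a group on a Windows host.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event": "GroupMemberAdd", "group": "BUILTIN\\Administrators", "member": "jdoe"},
    {"event": "GroupMemberAdd", "group": "Backup Operators", "member": "svc_backup"},
    {"event": "GroupMemberAdd", "group": "DnsAdmins", "member": "alice"},
    {"event": "GroupMemberAdd", "group": "Domain Users", "member": "bob"},
    {"event": "GroupMemberAdd", "group": "Print Operators", "member": "carol"},
]


def data_to_regex(data: str, ignore_case: bool = True) -> "re.Pattern[str]":
    """Convert a Data value into an anchored regex where only '*' is a wild card.

    Every other character is escaped, so a literal '.' or '\\' in a group name
    cannot widen the match. ignore_case=True is an assumption of this example.
    """
    pieces = [re.escape(piece) for piece in data.split("*")]
    flags = re.IGNORECASE if ignore_case else 0
    return re.compile("^" + ".*".join(pieces) + "$", flags)


def matching_element(group: Dict[str, str], value: str,
                     ignore_case: bool = True) -> Optional[str]:
    """Return the Name of the first element whose Data pattern matches value."""
    for name, data in group.items():
        if data_to_regex(data, ignore_case).match(value):
            return name
    return None


def filter_events(events: List[Dict[str, str]],
                  group: Dict[str, str]) -> List[Dict[str, str]]:
    """Filter usage: keep only events whose target group is in the UDG."""
    return [e for e in events if matching_element(group, e["group"]) is not None]


def rule_hits(events: List[Dict[str, str]], group: Dict[str, str],
              mode: str = "include") -> List[Dict[str, str]]:
    """Rule usage: 'include' fires on members of the group (black-list style);
    'ignore' fires on everything except members (white-list style)."""
    if mode not in ("include", "ignore"):
        raise ValueError("mode must be 'include' or 'ignore'")
    hits = []
    for e in events:
        is_member = matching_element(group, e["group"]) is not None
        if is_member == (mode == "include"):
            hits.append(e)
    return hits


if __name__ == "__main__":
    for e in filter_events(SAMPLE_EVENTS, ADMIN_GROUPS):
        print("filter keeps:", e["group"], "->", matching_element(ADMIN_GROUPS, e["group"]))
    for e in rule_hits(SAMPLE_EVENTS, ADMIN_GROUPS, "ignore"):
        print("white-list rule fires on:", e["group"], e["member"])
```

Note that "DnsAdmins" only matches "DNSAdmin*" because of the case-insensitive assumption; with `ignore_case=False` it falls through, which is the kind of gap to check for when you populate the Data field with patterns copied from documentation rather than from your own directory.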
