
About LEM filters and filter categories

Updated: September 15, 2017

This topic introduces filters and briefly describes the default filters included with LEM.

Filters capture events and alerts that take place on your network. (In LEM, the terms event and alert are interchangeable.)

The LEM console uses event filters to manage events. You can turn filters on and off, pause filters to sort or investigate events, perform actions to respond to events, and configure filters to notify you when they capture a particular event. Filters can also display widgets, which are charts and graphs that visually represent the event data.

Filter conditions can be broad or specific. For example, you can create a filter without conditions that captures all events, regardless of the source or event type, or you can create a filter that has one specific condition, such as "UserLogon Exists," which only captures user logon events.

Create filters when you want to group a particular type of event. For example, you can create filters to collect all events from your domain controllers, or all events for a specific type of user.

Create rules when you want LEM to take some kind of action in response to one or more events.

Use filters to group a particular type of event or to monitor specific events

Use filters to group a particular type of event. For example, you can create filters to collect:

  • All events from your firewalls
  • All events from your domain controllers
  • All events for a specific type of user
  • All events except for recurring, expected events

Create custom filters to monitor specific events, such as:

  • Change Management filters to monitor configuration changes users make in your network.
  • High Volume Event filters to monitor traffic spikes or unexpected off-peak traffic.
  • General Interest filters to monitor logon failures and failed authentications.
  • Rule Scenario Event filters to determine if you have the appropriate events to create a rule for a specific scenario.
  • Daily Problem Event filters to monitor basic operational problems (such as account lockouts) in real time.

A failed authentication is an event triggered by three logon failures by the same account within an extremely short period of time.
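The two ideas above, a filter as a set of conditions (none at all captures every event, "UserLogon Exists" captures only logon events) and a failed authentication as three logon failures by one account in a short period, can be modelled in a few lines. The following is an added example, not SolarWinds or LEM code: the field names (event_type, account, timestamp), the 60-second window, and the sample events are all assumptions made for the illustration.

```python
"""Added example (not LEM code): a minimal model of LEM-style event filters and
of the "failed authentication" pattern, run over constructed sample events.
Field names, the 60-second window and the sample data are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data): one successful logon,
# a burst of three failures for "bob", and three failures for "carol"
# spread over 17 minutes, which should not count as a burst.
SAMPLE_EVENTS = [
    {"event_type": "UserLogon", "account": "alice", "timestamp": "2017-09-15T09:00:00"},
    {"event_type": "UserLogonFailure", "account": "bob", "timestamp": "2017-09-15T09:01:00"},
    {"event_type": "UserLogonFailure", "account": "bob", "timestamp": "2017-09-15T09:01:10"},
    {"event_type": "UserLogonFailure", "account": "bob", "timestamp": "2017-09-15T09:01:20"},
    {"event_type": "ServiceStart", "account": None, "timestamp": "2017-09-15T09:02:00"},
    {"event_type": "UserLogonFailure", "account": "carol", "timestamp": "2017-09-15T09:03:00"},
    {"event_type": "UserLogonFailure", "account": "carol", "timestamp": "2017-09-15T09:10:00"},
    {"event_type": "UserLogonFailure", "account": "carol", "timestamp": "2017-09-15T09:20:00"},
]


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the constructed events."""
    return datetime.fromisoformat(value)


def apply_filter(events, conditions):
    """A filter is a list of predicates. An empty list is the 'All Events'
    case: every event is captured. Otherwise an event is captured only when
    every condition holds for it."""
    return [e for e in events if all(cond(e) for cond in conditions)]


def user_logon_exists(event):
    """The single condition "UserLogon Exists": the event is a user logon."""
    return event["event_type"] == "UserLogon"


def failed_authentications(events, threshold=3, window=timedelta(seconds=60)):
    """Return {account: time of first failure} for accounts that produced
    `threshold` logon failures inside any `window`-long span (sliding window
    per account over the failures sorted by time)."""
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: parse_ts(e["timestamp"])):
        if e["event_type"] == "UserLogonFailure" and e["account"]:
            failures[e["account"]].append(parse_ts(e["timestamp"]))

    flagged = {}
    for account, times in failures.items():
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[account] = times[start]
                break
    return flagged


if __name__ == "__main__":
    print("all events:", len(apply_filter(SAMPLE_EVENTS, [])))
    print("UserLogon Exists:", apply_filter(SAMPLE_EVENTS, [user_logon_exists]))
    print("failed authentications:", failed_authentications(SAMPLE_EVENTS))
```

With the sample data, the unconditioned filter returns all eight events, the "UserLogon Exists" filter returns only alice's logon, and only bob is reported as a failed authentication; carol's three failures fall outside any 60-second window, which is the distinction a filter on raw logon failures alone would not make.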

About the default filters included with LEM

SolarWinds LEM ships with filters that support best practices in the security industry. You can modify these filters to meet your needs, or you can create an unlimited number of custom filters. A single set of filters can monitor data collected across multiple LEM Managers.

Finding and viewing filters in Monitor view

To find a filter in LEM, open the Monitor tab in the LEM console, and click Filters in the top-left part of the screen to open the Filters sidebar. Expand a category to view its filters. To view a brief description of a filter, hover your cursor over it.

Filtered events are listed in the event grid, or you can view filtered event data using a variety of charts and graphs called widgets. Filters can also use the console to signal that they have captured a particular event by displaying a pop-up message, by playing a sound, or by using blinking text.

Filters are located in the Filters pane, where they are grouped into different categories.

[Figure: the Filters pane, showing filters grouped by category]

About LEM filter categories

By default, filters are grouped into the following seven categories in the Filters pane:

  • Overview
  • Security
  • IT Operations
  • Change Management
  • Authentication
  • Endpoint Monitoring
  • Compliance

You can also add, edit, rename, export, import, and delete filter categories. See Manage LEM filter categories: Add, edit, view, and more for details.

About the Filters sidebar

The number to the right of each filter name shows the number of events associated with that filter. Filters shown in gray italics are currently turned off. To move a filter from one category to another, click and drag it to its new location.

Default filters included with LEM

This section lists the default filters included with LEM.


Overview Filters

| Name | Description | Default Status |
|---|---|---|
| All Events | Displays all events from all sources. | On |
| Subscriptions | Filters events related to rules subscribed to the specified user. | On |
| LEM Internal Events | Filters events related to LEM operations, including informational, warning, and audit events. | On |
| Rule Activity | Displays all activated rules. | On |

Security Filters

| Name | Description | Default Status |
|---|---|---|
| Incidents | Filters all events categorized as Incidents. | On |
| Security Events | Filters events categorized as attack activity or potentially suspicious. | On |
| Network Event Threats | Filters events with source or destination detected in the threat intelligence feed as potentially bad actors. | On |
| All Firewall Events | Filters events from firewall devices that match the targeted name. | On |
| All Threat Events | Filters all events with the source or destination detected in the threat intelligence feed as potentially bad actors. | On |
| Denied ACL Traffic | Filters events from network devices that indicate denied ACL activity. | Off |
| Unusual Network Traffic | Filters unusual network traffic and scans. | On |
| Blocked Web Traffic | Filters events from proxy servers or other web servers that blocked an attempt to access a URL. | On |
| Proxy Bypassers | Filters web traffic from users who are bypassing your proxy server. | Off |
| Web Traffic - Spyware | Filters web traffic events to potential spyware sites. | Off |
| Virus Attacks | Filters events that indicate potential virus detection. | On |
| IDS Scan / Attack Activity | Filters security events detected by IDS tools (such as Snort). | On |
| Security Processes | Filters security-related process activities. | On |
| File Audit Failures | Filters events that indicate failed attempts to access files. | On |

IT Operations Filters

| Name | Description | Default Status |
|---|---|---|
| All Domain Controller Events | Displays all traffic from machines in the Domain Controllers tool profile. | Off |
| All Web Traffic | Filters all web traffic-related events from network devices, proxy servers, and web servers. | On |
| Software Installation/Update | Filters events related to software installation and updates. | On |
| Service Events | Filters events related to starting and stopping services, as well as service warnings and information. | On |
| System Events | Filters events related to system availability and status information. | On |
| Error Events | Filters events from all sources that contain "error". | On |
| Warning Events | Filters events from all sources that contain "warning". | On |
| Windows Error Events | Filters events from Microsoft Windows event logs that contain "error". | On |
| Error Events for Device | Filters events from a specific device that contain "error". | Off |
| Web Traffic for Source Machine | Filters web traffic emanating from a certain source machine. | Off |
| All Network Traffic | Filters all network traffic-related events from all devices and systems. | On |
| FTP Traffic | Filters TCP traffic events between one or more FTP ports reported by any device or system. | On |
| SNMP Traffic | Filters UDP traffic events between one or more SNMP ports reported by any device or system. | On |
| SMTP Traffic | Filters UDP traffic events between one or more SMTP ports reported by any device or system. | On |

Change Management Filters

| Name | Description | Default Status |
|---|---|---|
| General Change Management | Filters all events that indicate changes to devices, systems, users, groups, and domains. | On |
| User Account Changes | Filters changes to existing user accounts. | On |
| Machine Account Changes | Filters changes to existing machine accounts. | On |
| Group Changes | Filters creation, deletion, and changes to groups. | On |
| Domain & Membership Changes | Filters new and deleted domain accounts (including users/groups) and domain changes. | On |
| Device/System Policy Changes | Filters events related to policy changes on devices and systems. | On |
| All File Audit Activity | Filters events related to all types of audited file access. | On |
| USB File Auditing | Filters file-related alerts from Agents running USB Defender. | On |

Authentication Filters

| Name | Description | Default Status |
|---|---|---|
| User Logons | Filters all types of user logons. | On |
| Interactive User Logons | Filters background network logon types. | On |
| Remote User Logons | Filters events that indicate remote Windows system logons. | On |
| Failed Logons | Filters events that indicate failed logon attempts to devices and systems. | On |
| Account Lockouts | Filters events that indicate an account was locked out. | On |
| Authentication Event Threats | Filters authentication events with a source or destination detected in the threat intelligence feed as potentially bad actors. | On |
| Admin Account Authentication | Filters authentication events related to specified administrative accounts. | Off |

Endpoint Monitoring Filters

| Name | Description | Default Status |
|---|---|---|
| Workstation Logon/Logon Failure Activity | Filters non-network workstation logons and logon failures to a domain or local account. | On |
| Local Account Authentication/Changes | Filters any user-related audit events that are not to or from the corporate domain. | On |
| Software Installed on Workstations | Filters software installations on workstation systems. | On |
| USB-Defender Events | Filters USB Defender events. | On |
| Workstation Events with Threats | Filters all events detected on endpoints with a source or destination detected in the threat intelligence feed as potentially bad actors. | On |

Compliance Filters

| Name | Description | Default Status |
|---|---|---|
| Top PCI Events | Filters the most common PCI events of interest, which include change management, unexpected file access, incidents, and attacks. | Off |
| Top HIPAA Events | Filters file activity, changes, and incidents related to HIPAA events. | Off |
| Top Banking Compliance Events | Filters common banking compliance events, including change management, users and groups, and potentially suspicious attack activity. | Off |