Find and add LEM rules

Updated: September 15, 2017

This topic describes how to find and customize preconfigured LEM rules.

Find and add rules based on categories of interest

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

  2. Click the OpsCenter tab.

  3. In the Getting Started widget, click Define Rules and Configure Alerts.

    By default, the Getting Started widget is located in the top left part of the page.

  4. Select the check box next to the types of rules that you want to enable, and then click Next.

  5. Complete the fields and selections to define the condition, correlation time, and action for each new rule, and then click Apply.

  6. In the console, click Build > Rules.

  7. In the Rules grid, locate a new rule, click the gear button, and select Enable.

    A checkmark icon displays next to the enabled rule.

  8. Complete step 5 for each additional rule.

  9. Enable your rule. See Enable and activate rules prior to testing for details.

  10. Test the rules to verify they work as expected. See Testing rules in LEM for details.

Clone, customize, and enable a specific preconfigured rule

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

  2. Click Build > Rules.

  3. Use Refine Results in the sidebar to browse, search, or filter for specific rules or scenarios, or browse for a rule in the Rule Categories & Tags section.

  4. Select a rule to clone, and then click the corresponding gear button and choose Clone.

  5. In the Clone Rule dialog box, select a Custom Rules folder, rename the rule, and click OK.

  6. On the Rule Creation screen, customize the rule (if desired) and select Enable.

  7. Click Save.

  8. In the main Rules view, click Activate Rules to sync your local changes with the LEM appliance. See Enable and activate rules prior to testing for details.

  9. Test the rules to verify they work as expected. See Testing rules in LEM for details.

Change Management rule example

Change management rules notify you when a user makes network configuration changes. For example:

  • Adding, changing, or deleting users in Active Directory
  • Installing software on monitored computers
  • Making changes to the firewall policy

You can create a general change management rule to instruct LEM to notify you when a user changes your network configuration, or you can create a more specific rule that applies to specific users, groups, or types of changes. Generally, if you can see an event in your console, you can create a rule for the event. Use your filters as a starting point for creating custom rules.

The following change management rule example notifies you by email when a user adds another user to an administrative group.

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

  2. Click Build > Rules.

  3. Click the plus (+) button to create a new rule using the Rule Creation screen.

  4. Enter an appropriate name for the rule. For example:

    New Admin User

  5. In the rule Correlations box, enter the event or event group.

    For example, the NewGroupMember.EventInfo Equals *admin* condition fires the rule anytime LEM receives a NewGroupMember event with admin included anywhere in the Event Info field.

    1. Click Events in the left pane.

    2. At the top of the Events list, enter NewGroupMember to search for this event, and then select it in the list.

    3. In the Fields: NewGroupMember list, locate EventInfo and drag it into the Correlations box.

    4. In the text field (denoted by a pencil icon in the Correlations box), enter *admin* to account for all variations on the word administrator.

  6. Leave the Correlation Time box as is so your rule fires anytime LEM captures this type of event.

  7. Add the Send Email Message action to the Actions box.

    1. In the left pane, click Actions.

    2. Locate Send Email Message and drag the action into the Actions box.

    3. In the Email Template, click the menu and select a template.

    4. In the Recipients menu, select a LEM user.

    5. Drag and drop event fields or constants from the left pane into the Send Email Message form to complete the action.

      Always use event fields for events in the Correlations box. For example, you can use NewGroupMember.DetectionTime to populate the Detection Time field in this example.

  8. In the Rule Creation form, select Enable and click Save.

  9. In the main Rules view, click Activate Rules to sync your local changes with the LEM appliance.

    The LEM appliance will send an email anytime a user adds a user to any group in Active Directory that contains admin in its name.
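
The matching behavior of the rule built above, as an added Python sketch (not SolarWinds code and not part of the original guide): it models the *admin* condition over constructed events so you can see which group changes would trigger the email before you activate the rule. The EventInfo wording, the OtherEvent type, and the case_sensitive switch are assumptions; the guide does not state how LEM treats letter case.

```python
import fnmatch
from dataclasses import dataclass

@dataclass
class Event:
    name: str            # event type, e.g. NewGroupMember
    detection_time: str  # models NewGroupMember.DetectionTime
    event_info: str      # models NewGroupMember.EventInfo

RULE_NAME = "New Admin User"  # rule name used in the walkthrough
PATTERN = "*admin*"           # wildcard typed into the Correlations text field

# Constructed sample events; the EventInfo wording is invented for this sketch.
EVENTS = [
    Event("NewGroupMember", "2017-09-15 10:02:11", "jdoe added to group Domain Admins"),
    Event("NewGroupMember", "2017-09-15 10:05:40", "asmith added to group Administrators"),
    Event("NewGroupMember", "2017-09-15 10:09:03", "bkim added to group Badminton Club"),
    Event("NewGroupMember", "2017-09-15 10:12:27", "cli added to group Sales"),
    # Placeholder for any event type other than NewGroupMember.
    Event("OtherEvent", "2017-09-15 10:15:00", "administrator logged on"),
]

def rule_matches(event, case_sensitive=False):
    """Model of the condition: NewGroupMember.EventInfo Equals *admin*."""
    if event.name != "NewGroupMember":
        return False
    value, pattern = event.event_info, PATTERN
    if not case_sensitive:  # assumption: letter case is ignored
        value, pattern = value.lower(), pattern.lower()
    return fnmatch.fnmatchcase(value, pattern)

def fire(events, case_sensitive=False):
    """Correlation Time left as is: one email per matching event."""
    return [
        {"subject": RULE_NAME,
         "Detection Time": e.detection_time,  # filled from the event field
         "Event Info": e.event_info}
        for e in events if rule_matches(e, case_sensitive)
    ]

if __name__ == "__main__":
    for mode in (False, True):
        print("case_sensitive =", mode)
        for mail in fire(EVENTS, mode):
            print("  ", mail["Detection Time"], "|", mail["Event Info"])
```

Because the wildcard matches anywhere in the field, the constructed Badminton Club event also produces an email; a cloned rule with a narrower pattern is one way to trim that noise.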
