
Create a new LEM rule to monitor and respond to events

Updated: September 15, 2017

This topic describes how to create a custom rule to monitor and respond to events from your monitored computers and devices.

Click the video icon to view a tutorial about creating rules in the LEM console.

Create a new rule

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

  2. Click Build > Rules.

  3. Click the Add icon on the Rules toolbar.

  4. Enter a name and description for the rule.

  5. Click the drop-down menu and select the LEM Manager that will host this rule.

    If you are editing a rule, this field displays the LEM Manager instance associated with the rule.

  6. Click Add Tags.

    Select the categories and tags for this rule, and then click OK.

  7. Configure the correlations (or relationships) that define the rule. These correlations define the events that must occur for the rule to take effect. You can coordinate multiple alert events into a set of conditions that prompt the LEM Manager to issue a particular active response.

    1. Drag Event or Event Group items from the list pane into the Correlations box. Click the Add Group icon to add a group.
    2. Click the correlations connector bar and select AND if all of the alert conditions must apply, or OR if any one of the alert conditions is enough to prompt a response.

    If your correlations require a value, populate the value using one of the following procedures:

    • Enter a static text value in the Text Constant field, denoted by a pencil icon. Use asterisks (*) as wildcard characters to account for any number of characters before, within, or after your text value.

    • Drag a group from the list pane to replace the Text Constant field. The most commonly used groups include User Defined Groups, Connector Profiles, Directory Service Groups, and Time Of Day Sets.

    • Drag an Event field from an existing event in your Correlations to replace the Text Constant field. This will result in a parameter that states whether values from different Events in your Correlations should match.

  8. If you want to change the operators in your conditions, click the operator until you find the one you want.

    There are two types of operators: Condition and Group.

    • Condition operators are found between your events and their values. Examples include Equals, Does Not Equal, Contains, and Does Not Contain. Rule Creation only displays the operators that are available for the values in your Correlations.
    • Group operators are found outside of your correlation groups. The two options are And (blue) and Or (orange).

    For more information see Comparing values with operators in LEM filters and rules.

  9. Configure the correlation time to set how many of the correlated events must occur, and within what time span, before the rule fires.

    1. Set the Events within and Response Window settings for your rule.
    2. If the Events within value is 2 or more, click Advanced to select advanced threshold fields and define an advanced response window for the alert fields within the grouping.
  10. Configure the actions that occur when the events in the Correlations and the Correlations Time boxes occur (for example, sending an email message to the system administrator or blocking an IP address).

    Use the following guidelines:

    • All rules must have at least one action.

    • Populate your action with constants or event fields as appropriate.

    1. Click the Actions list.

    2. Select and drag an action from the list into the Actions box.

    For more information, see About LEM response actions.

  11. Apply the Enabled, Test, and Subscribe settings as appropriate.

    1. Select the Enabled check box to enable the rule after you click Save. See Enable and activate rules prior to testing for details.

    2. Select the Test check box to operate the rule in test mode before it is enabled. SolarWinds recommends running each new rule in test mode to confirm that the rule behaves as expected. See Testing rules in LEM for details.

      You must enable a rule before you can test it.

    3. Click the Subscribe drop-down menu and select the users who should be subscribed to the rule. LEM notifies subscribed users each time the rule triggers an alert, and the alerts appear in their alert grid.

      This option also tracks rule activity in the Subscriptions report in LEM Reports.

  12. Click Save.

    The new rule appears in the Rules grid.

    You can click Apply to save your changes without closing the form.

  13. Once your rule is in your Custom Rules folder, click Activate Rules to sync your local changes with the rules folders on your LEM Manager and allow the new or updated rules to function properly.

    When enabling or disabling rules, no changes take effect until you click Activate Rules.

Example: Create a Change Management rule

This section shows you how to create a rule in LEM by stepping you through an example.

Click the video icon to view a tutorial about creating a rule to watch for unauthorized vendor access.

About the Change Management rule example

Rules in the Change Management category notify you when a user makes a network configuration change, for example:

  • Adding, changing, or deleting users in Active Directory

  • Installing software on monitored computers

  • Making changes to the firewall policy

You can create a general change management rule to instruct LEM to notify you when a user changes your network configuration, or you can create a more specific rule that applies to specific users, groups, or types of changes. Generally, if you can see an event in your console, you can create a rule for the event. Use your filters as a starting point for creating custom rules.

The following change management rule example notifies you by email when a user adds another user to an administrative group.

Create the example Change Management rule

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

  2. Click Build > Rules.

  3. Click the Add icon to create a new rule using the Rule Creation screen.

  4. Enter an appropriate name for the rule. For example:

    New Admin User

  5. In the rule Correlations box, enter the event or event group.

    For example, you can use the NewGroupMember.EventInfo Equals *admin* condition to execute anytime LEM receives a NewGroupMember event with admin included anywhere in the Event Info field.

    1. Click Events in the left pane.

    2. At the top of the Events list, enter NewGroupMember to search for this event, and then select it in the list.

    3. In the Fields: NewGroupMember list, locate EventInfo and drag it into the Correlations box.

    4. In the text field (denoted by a pencil icon in the Correlations box), enter *admin* to account for all variations on the word administrator. Because the wildcards match any Event Info value that contains admin anywhere, run the rule in test mode first to confirm it does not also fire on groups you do not intend to monitor.

  6. Leave the Correlation Time box as is so your rule fires anytime LEM captures this type of event.

  7. Add the Send Email Message action to the Actions box.

    1. In the left pane, click Actions.

    2. Locate Send Email Message and drag the action into the Actions box.

    3. In the Email Template, click the menu and select a template.

    4. In the Recipients menu, select a LEM user.

    5. Drag and drop event fields or constants from the left pane into the Send Email Message form to complete the action.

      Always use event fields for events in the Correlations box. For example, you can use NewGroupMember.DetectionTime to populate the Detection Time field in this example.

  8. In the Rule Creation form, select the Enabled check box and click Save.

  9. Test the rule to verify it works as expected. See Testing rules in LEM for details.

  10. In the main Rules view, click Activate Rules to sync your local changes with LEM.

    The LEM Manager sends an email whenever it receives a NewGroupMember event whose Event Info contains admin, for example when a user is added to an Active Directory group with admin in its name.
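The following Python model is added here as an illustration of the rule semantics described in the general procedure and the Change Management example above; it is not LEM code and not part of this guide. It shows Event.Field Operator Value conditions with * wildcards in Text Constants, AND/OR groups (including a group nested inside another), the Events within threshold counted over a time span, and a Send Email Message action that substitutes event fields such as NewGroupMember.DetectionTime into a template. It then runs the New Admin User rule from the example, plus a threshold rule, over constructed NewGroupMember events. The field names SourceAccount and DestinationAccount, the UserLogon event, case-insensitive matching, and the sliding-window threshold behaviour are assumptions of the model, not documented LEM behaviour; the Response Window setting is not modelled.

```python
"""Toy evaluator for LEM-style correlation rules. Added example, not LEM code."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, List, Union


def wildcard_pattern(value: str):
    """Text Constant to regex: '*' matches any run of characters, the rest is literal.
    Case-insensitive matching is an assumption of this model."""
    return re.compile(".*".join(re.escape(p) for p in value.split("*")), re.IGNORECASE)


@dataclass
class Event:
    name: str        # event type, e.g. "NewGroupMember"
    time: datetime   # DetectionTime
    fields: dict     # other event fields


@dataclass
class Condition:
    """One 'Event.Field Operator Value' row in the Correlations box."""
    event: str
    field_name: str
    operator: str    # Equals, Does Not Equal, Contains, Does Not Contain
    value: str

    def matches(self, ev: Event) -> bool:
        if ev.name != self.event:
            return False
        actual, pat = ev.fields.get(self.field_name, ""), wildcard_pattern(self.value)
        # Equals/Does Not Equal compare the whole value; Contains/Does Not Contain any part of it.
        hit = pat.fullmatch(actual) if "Equal" in self.operator else pat.search(actual)
        return (hit is None) if self.operator.startswith("Does Not") else (hit is not None)


@dataclass
class Group:
    """Correlation group: AND requires every member to match, OR any one of them."""
    operator: str
    members: List[Union[Condition, "Group"]]

    def matches(self, ev: Event) -> bool:
        results = [m.matches(ev) for m in self.members]
        return all(results) if self.operator == "AND" else any(results)


@dataclass
class Rule:
    name: str
    correlation: Group
    action: Callable[[Event], None]
    events_within: int = 1               # Correlation Time: this many matching events...
    time_span: timedelta = timedelta(0)  # ...within this span make the rule fire
    _matches: List[datetime] = field(default_factory=list)

    def feed(self, ev: Event) -> bool:
        """Evaluate one event; return True when the rule fires its action."""
        if not self.correlation.matches(ev):
            return False
        self._matches.append(ev.time)
        self._matches = [t for t in self._matches if ev.time - t <= self.time_span]
        if len(self._matches) >= self.events_within:
            self.action(ev)
            self._matches.clear()  # count afresh after firing
            return True
        return False


def send_email_message(template: str, recipients: List[str], outbox: list) -> Callable[[Event], None]:
    """Model of the Send Email Message action: event fields are substituted into the template."""
    def action(ev: Event) -> None:
        outbox.append((tuple(recipients), template.format(DetectionTime=ev.time.isoformat(), **ev.fields)))
    return action


T0 = datetime(2017, 9, 15, 9, 0, 0)


def _ngm(offset: timedelta, src: str, dst: str, group: str) -> Event:
    """Constructed NewGroupMember event; field names other than EventInfo are assumed."""
    return Event("NewGroupMember", T0 + offset, {"SourceAccount": src, "DestinationAccount": dst,
                                                 "EventInfo": f"User {dst} added to group {group}"})


SAMPLE_EVENTS = [  # constructed sample data, not real LEM output
    _ngm(timedelta(0), "helpdesk1", "jdoe", "Domain Admins"),
    _ngm(timedelta(seconds=30), "helpdesk1", "svc_bkp", "Backup Operators"),
    Event("UserLogon", T0 + timedelta(minutes=1), {"SourceAccount": "jdoe", "EventInfo": "Interactive logon"}),
    _ngm(timedelta(minutes=2), "svc_provision", "jsmith", "Administrators"),
    _ngm(timedelta(minutes=3), "helpdesk1", "mlee", "Schema Admins"),
    _ngm(timedelta(minutes=4), "helpdesk1", "rkim", "Enterprise Admins"),
]


def run_example() -> dict:
    outbox: list = []
    admin = Condition("NewGroupMember", "EventInfo", "Equals", "*admin*")
    # The page's rule: NewGroupMember.EventInfo Equals *admin*, default Correlation Time (fires on every match).
    new_admin_user = Rule("New Admin User", Group("AND", [admin]), send_email_message(
        "At {DetectionTime}, {SourceAccount} added {DestinationAccount}: {EventInfo}", ["lem-admin"], outbox))
    # Nested groups plus a threshold: 3 privileged-group changes within 5 minutes by anyone but svc_* accounts.
    burst = Rule("Privileged group change burst", Group("AND", [
        Group("OR", [admin, Condition("NewGroupMember", "EventInfo", "Equals", "*operators*")]),
        Condition("NewGroupMember", "SourceAccount", "Does Not Equal", "svc_*")]),
        lambda ev: None, events_within=3, time_span=timedelta(minutes=5))
    fired = {r.name: 0 for r in (new_admin_user, burst)}
    for ev in SAMPLE_EVENTS:
        for rule in (new_admin_user, burst):
            fired[rule.name] += rule.feed(ev)
    return {"fired": fired, "emails": outbox}
```

Running run_example() fires New Admin User four times (every NewGroupMember whose Event Info contains admin, including "Administrators") and the threshold rule once, when the third qualifying change inside the five-minute span arrives. The Backup Operators event shows why a broad wildcard such as *admin* should be exercised in test mode: it is excluded from the page's rule only because the word admin happens not to appear, while the nested OR group picks it up deliberately.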
