Auto-populate user-defined groups using a LEM rule

Updated: September 15, 2017

You can automate how you populate User-Defined Groups using the Add User-Defined Group Element active response in a LEM rule. This active response populates a pre-defined user-defined group with static or dynamic values, as defined by that rule.

Complete the following task to populate a user-defined group based on a specific type of event, such as when you attach a USB device you want to tag as authorized, or when a user attempts to visit a prohibited website.

For additional information about working with LEM rules, see About LEM rules.

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

  2. Click Build > Rules.

  3. Click the plus (+) button in the Rules toolbar to create a new rule.

  4. Enter a name and description for your rule.

  5. Populate the Correlations box with conditions that represent the event you want to trigger your rule. For the USB example:
    1. Click Events on the components pane on the left, and then enter SystemStatus without any spaces in the search box.
    2. Click SystemStatus, and then locate EventInfo from the Fields: SystemStatus list.
    3. Drag EventInfo into the Correlations box. The left side of your new condition should read, SystemStatus.EventInfo.
    4. Enter *Attached* into the Text Constant field, denoted by the pencil icon, on the left side of your new condition.
    5. To specify a computer for this procedure, create a second condition with SystemStatus.DetectionIP = *computerName*, where computerName is the hostname of the computer you want to specify.

      In this example, the computer you attach your authorized devices to must have a LEM Agent with USB Defender installed, whether you specify it in your rule or not.

  6. Click Actions on the components pane, and then locate Add User-Defined Group Element.

  7. Drag Add User-Defined Group Element into the Actions box.

  8. Within the Add User-Defined Group Element, select the appropriate User-Defined Group, such as Authorized USB Devices. If you do not find the User-Defined Group, perform the following:
    1. Close the action and select Build > Groups.
    2. Click the plus (+) button on the top right to create your own User-Defined Group, or clone an existing group.
  9. Populate the action using the alerts present in your Correlations. For the USB example:
    1. Select Authorized USB Devices from the User Defined Group menu.
    2. Click Alerts on the components pane, and then verify that SystemStatus is still selected.
    3. Drag ExtraneousInfo from the Fields: SystemStatus list into the blank Value field in the action.
  10. Select Enable at the top of the Rule Creation window, and then modify the Test and Subscribe settings if you want.

    Putting a rule into Test lets the rule evaluate events as usual, but the rule does not perform any of the actions listed. In this example, it does not add any information to the User-Defined Group.

  11. Click Save at the bottom of the Rule Creation window.

  12. Click Activate Rules at the top of the main Rules view.

Any time the event you defined in your rule occurs, the value you defined in the Value field of the action gets added to the user-defined group you specified. In the USB example, the attached device is added to the Authorized USB Devices group.
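
The rule built above, modelled in Python as an added example (not SolarWinds code, and not how LEM is implemented): it shows which events fire the rule, what lands in the group, and what Test mode changes. The sample events, hostnames and device strings are constructed, and shell-style wildcard matching stands in for LEM's text-constant matching as an assumption.

```python
from fnmatch import fnmatchcase

# Constructed sample events. Field names are the SystemStatus fields used in
# the procedure; hostnames and device strings are invented for illustration.
EVENTS = [
    {"EventInfo": "USB Mass Storage Device Attached",
     "DetectionIP": "enroll-ws01", "ExtraneousInfo": "SanDisk Cruzer SN-0001"},
    {"EventInfo": "USB Mass Storage Device Detached",
     "DetectionIP": "enroll-ws01", "ExtraneousInfo": "SanDisk Cruzer SN-0001"},
    {"EventInfo": "USB Mass Storage Device Attached",
     "DetectionIP": "laptop-17", "ExtraneousInfo": "Unknown Drive SN-9999"},
]

def matches(event, correlations):
    """True when every condition (field -> wildcard pattern) matches."""
    return all(fnmatchcase(event.get(field, ""), pattern)
               for field, pattern in correlations.items())

def run_rule(events, correlations, value_field, group, test_mode=False):
    """Return how many events fired the rule, updating `group` in place.

    Assumed model of Test mode: the rule still fires, but the
    Add User-Defined Group Element action is skipped.
    """
    fired = 0
    for event in events:
        if matches(event, correlations):
            fired += 1
            if not test_mode:
                group.add(event[value_field])
    return fired

def demo():
    """Run the scoped rule, an unscoped variant, and the scoped rule in Test."""
    scoped = {"EventInfo": "*Attached*", "DetectionIP": "*enroll-ws01*"}
    unscoped = {"EventInfo": "*Attached*"}
    results = {}
    for name, corr, test in (("scoped", scoped, False),
                             ("unscoped", unscoped, False),
                             ("scoped_test", scoped, True)):
        group = set()
        fired = run_rule(EVENTS, corr, "ExtraneousInfo", group, test_mode=test)
        results[name] = (fired, sorted(group))
    return results

if __name__ == "__main__":
    for name, (fired, group) in demo().items():
        print(f"{name}: fired={fired} group={group}")
```

In this model, the unscoped run shows why the SystemStatus.DetectionIP condition matters: without it, a device attached at any monitored computer is added to Authorized USB Devices.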
