


Get started building custom filter expressions in LEM

Updated: September 15, 2017

This topic provides information to help you write custom filter expressions in LEM.

About custom filter expressions

The Filter Creation screen is similar to the Rule Creation screen, but creating filters is more forgiving. Filters report when events occur, so there is no harm if you create an unusual filter with logic issues. Create filters using the Filters Creation screen to familiarize yourself with the logic and tools required to create well-crafted rules.

When creating filter expressions, your conditions can be broad or specific. For example, the All Events filter does not include specific conditions. As a result, it captures all events, regardless of the source or event type. Conversely, the User Logons filter includes one condition: UserLogon Exists. This filter only captures events with the UserLogon event type.

To create a custom filter, click Monitor, click in the Filters toolbar, and select Create. When completed, the Filter Creation screen appears, providing the tools you need to create a custom filter.

[Figure: The Filter Creation screen in the LEM console]

Event filters are based on specific events or event groups listed in the left window pane. You can configure your new filter by dragging and dropping the event attributes into the Conditions and Notifications configuration boxes. When a LEM Agent or Manager reports an event that matches the event filter conditions, the event message appears in the events grid while the filter is active.

Each new filter is added to the Filters pane. Selecting a filter activates the filter in the events grid. The events grid only displays event messages that meet your filter requirements.

Click the video icon to view a tutorial about creating filters and monitoring events in LEM.

Examine the default filters included with LEM

The LEM console includes a variety of filters that support security industry best practices. The following steps describe how to open a filter and view the filter expression.

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

  2. Click Monitor.

  3. In the Filters pane, select the filter you want to examine.

  4. Click and select Edit.

    The filter expression opens in the Filter Creation pane.

Create conditions to filter event reporting

The Conditions box appears in the Monitor view when you click in the Filters toolbar and select New Filter. Use the Conditions box in conjunction with the Filters pane to configure the conditions that determine events reported by a filter. Conditions are the various rules that state when the filter is to display an event message.

To define conditions, drag event variables from the events, event groups, and fields lists into the conditions box. Use the Conditions connectors to configure how these variables compare to other items, such as time of day sets, connector profiles, user-defined groups, constants, and other event fields.

You can also combine conditions into groups with AND/OR connectors. An AND group states which conditions must all be true for the same event before the filter shows it. An OR group states that if any one of several conditions is true, the filter shows the event. The combined conditions dictate when the event filter displays an event. The filter ignores (and does not display) any event that does not meet these conditions.

The Conditions connectors enable you to configure relationships between events in the Conditions box and to establish conditions when the event filter displays the event message.

Below is an example of the Conditions box.

[Figure: The Conditions box, with numbered callouts referenced in the list below]

The following list describes each feature of the Conditions box, numbered to match the callouts in the figure.

  1. Group. Configures groups based on the fields you drag from the Filters pane. Click ▼ to collapse an expanded group.

  2. Nested group. Click the add-group button to create a nested group.

  3. Delete. Deletes a condition or group, as well as any nested groups. Click the delete button to delete the group.

  4. Event variable. Stores event variables (such as events, event groups, and fields) dragged from the Filters pane. As event messages stream into the console, the filter analyzes the values associated with each event variable to determine if the event message meets the filter conditions.

  5. Operator. Describes how the filter compares the event variable to another item to determine if the event meets the filter conditions. Click the operator icon to cycle through and select an operator. Press Ctrl and click the operator icon to select an operator from a drop-down list.

  6. List item. Displays the non-event items from the Filters pane. Drag and drop a list item into this field to define conditions based on your selected filter.

    Some event variables automatically add a blank constant as the list item. You can overwrite the constant with another list item or click the constant to add a specific value for the constant. For example, clicking a text Constant turns the field into an editable text box so you can type specific text. The text field also allows wildcard characters.

    Each list item has an icon that corresponds to the list it came from. These icons let you quickly identify what kinds of items are defining your filter's conditions.

  7. Nested group. Refines your conditions by comparing one group of conditions to another. You can drag event variables and other items from the list pane into the nested group boxes to create the logic for highly complex and exact conditions. The example above shows one nested group.

  8. Boolean AND operator. Combines or excludes keywords or fields in a search using the Boolean AND operator.

  9. Boolean OR operator. Combines or excludes keywords or fields in a search using the Boolean OR operator.
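As an added illustration of the filter logic described above (not LEM's own code or data model), the following Python models a filter expression the way the Conditions box presents it: each condition is an event variable, an operator and a list item, and conditions are joined into AND/OR groups that can nest. The field names, the operator set and the sample events are constructed assumptions; the event type is treated as an ordinary field, so the User Logons filter's "UserLogon Exists" becomes an EventType comparison.

```python
import fnmatch
from dataclasses import dataclass, field
from typing import Any, Dict, List, Union

@dataclass
class Condition:  # one row of the Conditions box: event variable, operator, list item
    variable: str      # event field such as "EventType" or "DestinationAccount" (assumed names)
    operator: str      # "Exists", "=" or "matches" (text constant with * and ? wildcards)
    value: Any = None  # the constant or list item; unused for "Exists"

    def matches(self, event: Dict[str, Any]) -> bool:
        if self.operator == "Exists":
            return self.variable in event
        if self.variable not in event:
            return False  # a missing field never satisfies a comparison
        actual = str(event[self.variable])
        if self.operator == "=":
            return actual == str(self.value)
        if self.operator == "matches":
            return fnmatch.fnmatchcase(actual, str(self.value))
        raise ValueError(f"unknown operator {self.operator!r}")

@dataclass
class Group:  # a (possibly nested) group whose members are joined by Boolean AND or OR
    connector: str  # "AND" or "OR"
    members: List[Union["Group", Condition]] = field(default_factory=list)

    def matches(self, event: Dict[str, Any]) -> bool:
        results = [m.matches(event) for m in self.members]
        # An AND group with no conditions matches every event, like the All Events filter.
        return all(results) if self.connector == "AND" else any(results)

# Constructed sample event messages (not LEM output).
SAMPLE_EVENTS = [
    {"EventType": "UserLogon", "DestinationAccount": "svc_backup", "SourceMachine": "ws-0142"},
    {"EventType": "UserLogon", "DestinationAccount": "svc_backup", "SourceMachine": "admin-jump01"},
    {"EventType": "UserLogonFailure", "DestinationAccount": "alice", "SourceMachine": "ws-0007"},
    {"EventType": "FileAudit", "SourceMachine": "ws-0007"},
]
# Outer AND: the event must be a logon AND satisfy the nested OR group
# (a service account logging on from a workstation, OR any logon failure).
SUSPICIOUS_LOGONS = Group("AND", [
    Condition("EventType", "matches", "UserLogon*"),
    Group("OR", [
        Group("AND", [Condition("DestinationAccount", "matches", "svc_*"),
                      Condition("SourceMachine", "matches", "ws-*")]),
        Condition("EventType", "=", "UserLogonFailure"),
    ]),
])

def apply_filter(flt: Group, events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    return [e for e in events if flt.matches(e)]  # the events the filter would show in the grid
```

Running `apply_filter(SUSPICIOUS_LOGONS, SAMPLE_EVENTS)` keeps the first and third sample events: the second fails the nested OR group and the fourth fails the outer AND group.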