Use the ToolAlias field in LEM rules and filters to capture traffic from a specific device

Updated: September 15, 2017

The ToolAlias field is useful when you create filters, rules, and searches that target traffic from a specific device. Every device that sends events to LEM has an Alias property that you can customize with a device-specific name. Use the ToolAlias field to examine the Alias property and find events that match your filter criteria.

You can also use the DetectionIP field to monitor events from a device that has a specific IP address, for example AnyAlert.DetectionIP=10.1.1.1.

Create a filter to capture events from a specific device

Use the ToolAlias field to create a filter that captures traffic from a specific device.

This procedure can also be applied to rules and searches.

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

  2. Click Monitor.

  3. Click the plus (+) button in the Filters pane and select New Filter.

  4. Select one of the following conditions from the Events or Event Groups list (but don't drag it into the Conditions box yet):

    • To view all traffic from your device, select Any Alert from the Events group.

    • To view all network events from your device, select Network Audit Alerts in the Event Groups.

    • To view web traffic from your device, select WebTrafficAudit from the Events group.

  5. Below your selection, in the Fields list, select ToolAlias and drag it into the Conditions box.

  6. In the Constant field in the Group box, enter filter criteria to match the Alias property of the device that you want to track. Use asterisks (*) as wildcard characters to avoid entering the entire value.

    For example, consider the default Firewall filter. Its condition is Any Alert.ToolAlias = *firewall*. This assumes that the firewall connector was configured with a Tool Alias that includes firewall in the name.

  7. Click Save.

If your filter does not generate events in the LEM console, verify that the Tool Alias value matches the Alias property for your device. See the next section for steps.
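To check alias naming against filter constants outside the console, the following added example (not SolarWinds code) approximates the ToolAlias match described in step 6 and reports filters that match no device and devices that no filter covers. It assumes that only the asterisk is a wildcard, as the step states; whether LEM compares case-insensitively is an assumption exposed as the `ignore_case` parameter, and the filter names and aliases are constructed sample data.

```python
import re

def alias_pattern(constant, ignore_case=True):
    """Compile a filter constant in which only * acts as a wildcard."""
    # Escape everything except *, so characters such as . or [ stay literal.
    parts = [re.escape(p) for p in constant.split("*")]
    flags = re.DOTALL | (re.IGNORECASE if ignore_case else 0)
    return re.compile(".*".join(parts), flags)

def audit(filters, aliases, ignore_case=True):
    """Return (matches per filter, aliases no filter covers, filters with no match)."""
    matches = {}
    for name, constant in filters.items():
        rx = alias_pattern(constant, ignore_case)
        # The constant must describe the whole Alias value, hence fullmatch.
        matches[name] = [a for a in aliases if rx.fullmatch(a)]
    covered = {a for hits in matches.values() for a in hits}
    unmatched = [a for a in aliases if a not in covered]
    dead = [name for name, hits in matches.items() if not hits]
    return matches, unmatched, dead

# Constructed sample data: filter name -> ToolAlias constant, and the
# Alias values read from the Connectors view.
FILTERS = {"Firewall": "*firewall*", "Core switch": "core-sw*"}
ALIASES = ["HQ Firewall", "Branch-ASA", "dmz_firewall_01", "Core-SW-1"]

if __name__ == "__main__":
    matches, unmatched, dead = audit(FILTERS, ALIASES)
    for name, hits in matches.items():
        print(f"{name}: {hits}")
    print("Aliases not covered by any filter:", unmatched)
    print("Filters that match no alias:", dead)
```

An alias such as `Branch-ASA` shows up as uncovered: the device is a firewall, but its Alias does not contain the word the filter constant expects.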

Verify that the correct Alias value is associated with the connector

The following procedure applies to devices configured to send logs to LEM. To verify Agent connectors, use this same procedure, but apply it to the Agent associated with the connector instead.

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

  2. Click Manage > Appliances.

  3. Click the gear button next to the appropriate LEM Manager, and then select Connectors.

  4. At the bottom of the Refine Results pane, select Configured.

  5. Select the connector instance that you want to verify.

    Configured tool instances appear with a play icon in the Status column.

  6. Verify that the Alias field value is correct.

    To change the Alias property (optional):

    1. Click the gear button next to the connector and select Stop.

    2. Click the gear button next to the connector and select Edit.

    3. Edit the Alias field value, and then click Save.

    4. Click the gear button next to the connector and select Start.

  7. Click Close.
