


The Rule Creation screen and the Rule Builder form in the LEM console

Updated: September 15, 2017

Use the Rule Creation screen and the Rule Builder form to create or edit a rule. To open this form, choose Build > Rules in the console, and then click the Add button on the Rules toolbar.

This topic provides page-level help for the Rule Builder form in the LEM console.


Rule Creation screen

[Image: the Rule Creation screen]

The following table describes the key features of the Rule Creation screen.

Name Description

The "Back to Rules Listing" button

Hides Rule Creation and returns to the Rules grid. Rule Creation remains open in the background so you can return to it to continue working on your rules.

In the Rules grid, clicking Back to Rule Creation returns you to Rule Creation.

The Rule Creation sidebar (also called the List pane)

Contains categorized lists of the components you can use when configuring policy rules.

  • To view the contents of a component list, click its title bar.
  • To add a component to a rule, select it from its list and then drag it into the appropriate correlation box.

The Rule Builder form (also called the Rule window)

The working area where you name, describe, configure, edit, test, verify, and enable each rule.

You can have multiple rule windows open at the same time. You can also minimize, maximize, resize, and close each window, as needed.

Minimized rule window bar

Stores minimized Rule Builder forms at the bottom of the Rule Creation screen. Each minimized form shows the name of its rule. Click a minimized rule to open the rule in the Rule Creation screen.

The Rule Builder form

[Image: the Rule Builder form, with numbered callouts]

The following table describes each key feature and field of a rule window.

Item Name Description

1. Title bar

Each rule you create or edit appears in its own configuration window. Once you name a rule, the window's title bar displays the name of the rule. You can also use the title bar to minimize, maximize, and resize the rule window. Minimized rule windows appear at the bottom of the Rule Creation pane.

2. Name

Type a name for the rule.

3. on

When creating a new rule, use this list to select which Manager the rule is to be associated with. Otherwise, when editing a rule, this field displays which Manager the rule is associated with.

4. Tags

Click Add Tags to select categories and tags to add to the rule. Tags make it easier to categorize and find rules. For example, if you want a rule to appear in several different categories, select the corresponding tags.

5. Description

Type a description of what the rule does, or the situation for which the rule is intended.

If the description extends beyond the visible area of the text box, a larger text box appears, so you can type a detailed description of the rule, its logic, its expected behavior, and its active response. When you are done typing, either press Tab or click anywhere outside the text box to close it.

6. Enable

Select this check box to enable the rule. Clear this check box to disable the rule.

7. Test

Select this check box to place the rule in test mode. Clear this check box to take the rule out of test mode.

You must enable a rule before you can test it.

8. Subscribe

Use this list to select which Console users are to subscribe to the rule. The system notifies the subscribing users' Consoles each time one of the subscribed-to rules triggers an alert; the alerts appear in their alert grid.

9. Rule Status

The Rule Status bar lists warnings and error messages about your rule's current configuration logic.

  • Click > to view the list of warning and error messages.
  • Click a message flag to view detailed information about the nature of that problem.
  • Click a message to highlight the specific area or field that is the source of that problem.

10. Correlations

Use the Correlations box to configure correlations between groups of alert events. You can coordinate multiple alert events into a set of conditions that will prompt the Manager to issue a particular active response.

You set up correlations by dragging items from the Events and Event Groups lists into this box, and then setting the specific conditions for the alert that are to prompt action.

The Correlations connector bar lets you group alert conditions, and determine if they must all apply (an AND correlation) or if any of them may apply (an OR correlation) to prompt a response.

11. Correlation Time

Use the Correlation Time box to establish the allowable frequency and time span in which the correlation events must occur before the rule applies.

The Advanced section lets you define an alert event threshold and the re-inference period for that threshold. The threshold tells the Manager which specific fields to monitor to determine whether a valid alert event has occurred (that is, when to "count" the alert).

The Advanced section also lets you define a Response Window, so that the rule ignores any events that occur outside (before or after) the established period.

12. Actions

Use the Actions box to dictate which actions the rule is to execute when the events described in the Correlations and Correlation Time boxes occur. Examples of actions include sending an email message to your system administrator, or blocking an IP address.

13. Undo/Redo

Click the Undo button to undo your last action. You can click Undo repeatedly to undo up to 20 steps.

Click the Redo button to redo a step that you have undone. You can click Redo repeatedly to redo up to 20 steps.

You can only undo or redo steps you made since the last time you clicked Apply.

14. Save/Cancel/Apply

Use these commands to save or cancel your work:

  • Click Save to save your changes to a rule and close the rule window.
  • Click the Cancel button to cancel any changes you have made to a rule since the last time you clicked Save, and close the rule window. If you have any unsaved changes, the system will prompt you to save or discard them.
  • Click Apply to save your changes to a rule, but keep the rule window open so you can continue working. You can click Apply at any time.

The Correlations box

To create a rule, you drag items from the list pane into the rule window’s Correlations box to configure the relationships (or correlations) that define the rule. These correlations define the events that must occur for the rule to take effect.

Creating rule correlations is a lot like configuring conditions for custom filters, so the Correlations box in Rule Creation behaves a lot like the Conditions box in Filter Creation. The following table describes each item shown in the Correlations box, above.

Name Description

Groups can be expanded or collapsed to show or hide their settings:

  • Click > to expand a collapsed group.
  • Click ▼ to collapse an expanded group.

Once a group is configured properly, you may want to collapse it to avoid accidentally changing it.

Group button

This is the Group button. It appears at the top of every group box. Click it to create a new group within the group box. A group within a group is called a nested group. You can then drag alert variables and other items from the list pane into the nested group box.

By using nested groups, you can refine correlations by combining or comparing one group of correlations to another to create the logic for complex correlations.

Each group is subject to AND and OR relationships with the groups around it and within it. By default, new groups appear with AND comparisons.

Threshold button

This is the Threshold button, which opens the Threshold form for a group. The Threshold form is described below.

Delete button

This is the Delete button. It appears at the top of every Group box and every correlation. Click this button to delete a correlation or a particular group. Deleting a group also deletes any groups that are nested within that group.

Event variable

From the Events, Event Groups, or Fields list, drag an alert, Event Group, or alert field into the Correlations box. This is called the alert variable. A rule can have multiple alerts and Event Groups in its correlation configuration.

You can think of an alert variable as the subject of each group of correlations. As alerts stream through the Manager, the rule analyzes the values associated with each alert variable to determine if the alert meets the rule’s conditions. If so, the Manager either initiates an active response, or stores the alert for comparison with other alerts that may occur within the rule's allotted time frame.

Operators

Whenever you drag a list item or a field next to an alert variable, an operator icon appears between them. The operator states how the rule is to compare the alert variable to the other item to determine whether the alert meets the rule's conditions.

  • Click an operator to cycle through the various operators that are available for that comparison. Just keep clicking until you see the operator you want to use.
  • Ctrl+click an operator to view all of the operators that are available for that comparison. Then click to select the specific operator you want to use.

List item

List items are the various non-alert items from the list pane. You drag and drop them into groups to define rule correlations based on your Time Of Day Sets, Connector Profiles, User-Defined Groups, Constants, etc.

Some alert variables automatically add a blank Constant as their list item. You can overwrite the Constant with another list item, or click the Constant to type or select a specific value for it.

Each list item has an icon that corresponds to the list it came from. These icons let you quickly identify what kinds of items are defining your rule's correlations.

Threshold

The Threshold section lets you define a threshold for the correlations in a Group box. You can think of a threshold as a correlation frequency for the grouping; that is, the number of times the events defined by the group must occur within a specified period before the rule takes effect.

A group threshold behaves exactly like the threshold in the Correlation Time box.

Set Advanced Threshold button

This is the Set Advanced Threshold button. Whenever a group threshold's number of Events within [time] is greater than 1, this button becomes enabled so you can open the Set Advanced Thresholds form. This form lets you specify advanced threshold fields and define an advanced response window for the alert fields within the grouping.

AND / OR operators

Rule correlations and groups of correlations are subject to AND and OR comparisons. If you click an AND operator, it changes to an OR, and vice versa.

About advanced thresholds

Whenever a group threshold or the "Events within" box in the "Correlation Time" form has a value greater than 1, the Set Advanced Thresholds icon is enabled. This icon opens the Set Advanced Thresholds form so you can define an alert event threshold and the re-inference period for that threshold. The threshold tells the Manager which specific alert fields to monitor to determine whether a valid alert event has occurred (that is, when to count the alert).

For example, threshold event x must occur multiple times on the same destination computer, with the frequency defined in the Correlation Time box. Another example is that threshold event y must occur on different destination computers, with the frequency defined in the Correlation Time box. When the threshold event counter reaches the number displayed in the Events box, the threshold becomes true and triggers the next set of conditions in the rule.

To open the form, click the Set Advanced Thresholds icon in the Correlations box on the nested group you want to work with.

Set an advanced threshold

  1. Click the Set Advanced Thresholds icon to open the Set Advanced Thresholds form. See About advanced thresholds for help.

  2. Select the Re-Infer (TOT) check box if you want to define a second threshold. Use the adjacent fields to type or select the threshold time interval and unit of measure.

    The Re-Infer (TOT) option defines the period that an alert must remain above the threshold before the system issues a new notification and/or active response.

    For example, an alert exceeded the threshold and the Re-Infer (TOT) period for the alert is 1 hour. If the alert stays above the threshold for more than 1 hour, the system will issue an additional notification or active response at the end of 1 hour.
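The Same and Distinct threshold fields described under About advanced thresholds, and the Re-Infer (TOT) period described in the procedure above, modelled as an added Python example (this is not LEM code; the Alert and Threshold shapes, the sliding-window counting, and the simplification that re-inference fires on the first alert seen after a full TOT period are assumptions, and the sample alerts are constructed):

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

@dataclass
class Alert:                      # constructed alert shape: time (s), event name, alert fields
    t: float
    event: str
    fields: dict

@dataclass
class Threshold:
    count: int                    # "Events within" count that makes the threshold true
    window: float                 # correlation time span, in seconds
    same: tuple = ()              # Same modifier: counted alerts must share these fields
    distinct: tuple = ()          # Distinct modifier: counted alerts must differ in these fields
    tot: Optional[float] = None   # Re-Infer (TOT) period in seconds; None disables it

def evaluate(alerts, event, th):
    """Return (time, kind) pairs: 'threshold' when the threshold first becomes true,
    're-infer' when it is still true a full TOT period after the last response."""
    recent = defaultdict(deque)   # sliding window of alerts per Same-field key
    last_fired = {}               # time of the last response per Same-field key
    fired = []
    for a in sorted(alerts, key=lambda x: x.t):
        if a.event != event:
            continue
        key = tuple(a.fields.get(f) for f in th.same)
        q = recent[key]
        q.append(a)
        while q and a.t - q[0].t > th.window:   # drop alerts outside the time span
            q.popleft()
        if th.distinct:   # count distinct value combinations rather than raw alerts
            n = len({tuple(x.fields.get(f) for f in th.distinct) for x in q})
        else:
            n = len(q)
        above = n >= th.count
        last = last_fired.get(key)
        if above and last is None:
            fired.append((a.t, "threshold"))
            last_fired[key] = a.t
        elif above and th.tot is not None and a.t - last >= th.tot:
            fired.append((a.t, "re-infer"))     # still above threshold after a TOT period
            last_fired[key] = a.t
        elif not above:
            last_fired.pop(key, None)           # fell below: the next burst fires afresh
    return fired

def _alert(t, host, event="UserLogonFailure"):
    return Alert(t, event, {"DestinationMachine": host})

# Constructed sample (not real data): logon failures against a few hosts plus an unrelated event.
SAMPLE = [_alert(0, "srv01"), _alert(10, "srv02"), _alert(20, "srv01"),
          _alert(30, "srv01"), _alert(40, "srv03"), _alert(45, "srv01", "FileAuditFailure")]

def same_host_example():
    # Event x 3 times within 60 s on the same destination computer
    return evaluate(SAMPLE, "UserLogonFailure", Threshold(3, 60, same=("DestinationMachine",)))

def distinct_host_example():
    # Event y 3 times within 60 s on different destination computers
    return evaluate(SAMPLE, "UserLogonFailure", Threshold(3, 60, distinct=("DestinationMachine",)))

def re_infer_example():
    # Threshold of 2 within 600 s, re-inferred every 300 s while still exceeded
    burst = [_alert(t, "srv01") for t in (0, 10, 100, 320)]
    return evaluate(burst, "UserLogonFailure", Threshold(2, 600, same=("DestinationMachine",), tot=300))
```

The same-host threshold fires once the third srv01 failure arrives, the distinct-host threshold fires once a third different host appears, and the re-inference case fires a second response on the first alert seen 300 s or more after the initial one.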

Add a Threshold field

  1. Click the Set Advanced Thresholds icon to open the Set Advanced Thresholds form. See About advanced thresholds for help.

  2. At the bottom of the form, click Add.

    The Available Fields pane has two boxes. The top box lists all of the alerts applied to the correlations box. The bottom box lists the alert fields associated with the alert that is currently selected in the top box.

  3. In the top Available Fields box, select an alert. The fields associated with that alert appear in the lower Available Fields box.

  4. In the lower Available Fields box, select the alert field used to define the alert threshold.

  5. Click the Select Modifier drop-down menu and select an option.

    Select Same if the threshold will be defined by the selected field being the same multiple times.

    Select Distinct if the threshold will be defined by the selected field being different each time.

  6. Click the + button to display the field and its modifier in the Selected Fields grid.

  7. Repeat steps 2 through 6 for any additional threshold fields.

  8. Click OK to save the fields to the threshold and close the form.

    These fields add conditions that the correlation event must satisfy before its active response occurs.

Edit a threshold field

You cannot actually edit a threshold field. Instead, you must delete it, and then replace it with a corrected field configuration.

To replace a threshold field:

  1. Click the Set Advanced Thresholds icon to open the advanced threshold you want to work with. See About advanced thresholds for help.

  2. In the Selected Fields list, click the X (delete) icon to remove the field you want to change.

  3. In the Available Fields list, select the appropriate alert, and then the alert field.

  4. In the Select Modifier list, select the new modifier for the field (Same or Distinct).

  5. Click the + button. The corrected field and its modifier appear in the Selected Fields box.

  6. Click OK to close the form.

Delete a threshold field

  1. Click the Set Advanced Thresholds icon to open the advanced threshold you want to work with.

  2. In the Selected Fields list, select the field you want to delete.

  3. Click the X (delete) icon to remove the threshold field from the Selected Fields list.

  4. Click OK to close the form.

The Actions box

Use the Actions box to define the action response that LEM should execute when the correlation events specified by the rule occur. You can assign more than one action to a rule. For example, you can shut down an Agent and then notify your system administrator of the event through email.

The Actions box fields indicate where the action is performed, what the action does, and who receives the action. For example, if you want a rule to disable a user, you can select Disable Domain User Account. To apply the action, specify which account you want to disable and where you want to disable it (that is, which Agent).

Using constants and fields to make actions flexible

When configuring an action, you can assign constants, which define fixed parameters for a rule, or alert fields taken from the alerts in the Correlations box. Fields determine the rule parameters when some degree of flexibility is required. Both are useful, but fields give actions a great deal more flexibility.

For example, if you have two network users named Bob and Jane, you can disable Bob’s user account and assign a constant to the rule that explicitly represents Bob’s account. However, this limits the rule to Bob's account.

If you assign a field to the rule, the rule can be interpreted as follows: When user activity meets the conditions in the Correlations box to prompt the Disable Domain User Account action, use the UserDisable.SourceAccount field in the alert to determine which user account to disable.

If Bob triggered the rule, the Manager disables Bob’s account. But if Jane also triggers the rule, the Manager can disable her account as well.

Configuring actions for a rule

  1. In the list pane, click the Actions list.

  2. Select and drag an action to the Actions box.

    [Image: the Actions box]

    The top left of the Actions box shows the name of the action that will execute. In most cases, the Actions form prompts you for specific parameters about the computer, IP address, port, alert, user, and so on that receives the action.

  3. Use the list pane to assign the appropriate alert field or constant to each parameter.

    1. In the Events or Event Groups lists, select and drag an alert field to the appropriate parameter box in the Actions form.

    2. (Optional) Select and drag a constant from the Constants lists to the parameter box in the Actions form. Typically, you will select a text constant.

    3. Double-click the parameter box to edit the constant.

  4. Click Save to save your changes.
