
Use the ToolAlias field in LEM rules and filters to capture traffic from a specific device

Updated: September 10, 2018

The ToolAlias field is the field to use when you need filters, rules, or searches that target traffic from one specific device. Every connector that sends events to LEM has an Alias property that you can customize with a device-specific name, and each event the connector produces carries that Alias value in its ToolAlias field. A condition on ToolAlias therefore selects exactly the events that came through the connector whose Alias matches your criteria.

You can also match on the DetectionIP field to monitor events from a device with a specific IP address, for example Any Alert.DetectionIP = 10.1.1.1. The ToolAlias approach is more robust when a device's address may change or when several devices share an address (for example, behind a relay), because the Alias is set by you on the connector rather than derived from the incoming packet.

Create a filter to capture events from a specific device

Use the ToolAlias field to create a filter that captures traffic from a specific device.

This procedure can also be applied to rules and searches.

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

  2. On the LEM toolbar, click Monitor.

  3. In the Filters pane, click the plus (+) button, and then select New Filter.

  4. Select one of the following from the Events list or the Event Groups list (but do not drag it into the Conditions box yet):

    • To view all traffic from your device, select Any Alert from the Events list.

    • To view all network events from your device, select Network Audit Alerts from the Event Groups list.

    • To view only web traffic from your device, select WebTrafficAudit from the Events list.

  5. Below your selection, in the Fields list, select ToolAlias and drag it into the Conditions box.

  6. In the Constant field in the Group box, enter a value that matches the Alias property of the connector for the device you want to track. Use asterisks (*) as wildcard characters so that you do not have to enter the entire Alias value.

    For example, the default Firewall filter has the condition Any Alert.ToolAlias = *firewall*. It assumes that the firewall connector was configured with an Alias that contains the word firewall; a connector whose Alias does not contain that word produces events that this filter never shows.

  7. Click Save.

If your filter does not display any events in the LEM console, verify that the constant you entered matches the Alias property of the connector for your device. See the next section for steps.
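To make the matching behaviour concrete, the following script is an added example and is not part of this page or of LEM itself. It models how a condition written in the page's notation, such as Any Alert.ToolAlias = *firewall*, is evaluated against events: the part before the dot selects the event type (Any Alert, an event group, or one event name), the field name picks ToolAlias or DetectionIP, and the constant is compared with * as the only wildcard. The sample events and the event-group membership are constructed for the example, and case-insensitive comparison is an assumption, since the page does not state how LEM compares the constant.

```python
import re

# Constructed sample events for this example (not real LEM output). Each event
# carries its event type, the connector Alias (exposed as ToolAlias) and the
# IP address of the reporting device (exposed as DetectionIP).
SAMPLE_EVENTS = [
    {"EventType": "TCPTrafficAudit", "ToolAlias": "Branch-Firewall-01", "DetectionIP": "10.1.1.1"},
    {"EventType": "WebTrafficAudit", "ToolAlias": "Branch-Firewall-01", "DetectionIP": "10.1.1.1"},
    {"EventType": "UserLogon",       "ToolAlias": "DC01 Security Log",  "DetectionIP": "10.1.1.20"},
    {"EventType": "TCPTrafficAudit", "ToolAlias": "CorpFW",             "DetectionIP": "10.1.1.2"},
]

# Event-group membership is constructed for this example; LEM's real group
# definitions are not described on the page.
EVENT_GROUPS = {
    "Network Audit Alerts": {"TCPTrafficAudit", "UDPTrafficAudit", "WebTrafficAudit"},
}

# Condition syntax as written on the page: "<Event or group>.<Field> = <constant>"
CONDITION_RE = re.compile(r"^(?P<event>.+?)\.(?P<field>\w+)\s*=\s*(?P<value>.+)$")


def wildcard_to_regex(value):
    """Turn a constant such as '*firewall*' into a compiled regex.

    Only '*' is a wildcard; every other character (including '.') is matched
    literally, which matters for IP addresses. Case-insensitive matching is an
    assumption for this example, not documented LEM behaviour.
    """
    literal_parts = [re.escape(part) for part in value.split("*")]
    return re.compile(".*".join(literal_parts), re.IGNORECASE)


def parse_condition(text):
    """Split a condition into (event selector, field name, compiled pattern)."""
    match = CONDITION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"cannot parse condition: {text!r}")
    return match.group("event"), match.group("field"), wildcard_to_regex(match.group("value"))


def event_selected(event, selector):
    """'Any Alert' selects every event, a group name selects its members,
    and any other selector is treated as a single event type name."""
    if selector == "Any Alert":
        return True
    if selector in EVENT_GROUPS:
        return event["EventType"] in EVENT_GROUPS[selector]
    return event["EventType"] == selector


def apply_filter(condition, events=SAMPLE_EVENTS):
    """Return (EventType, ToolAlias) for every event the condition would show.

    The constant must match the whole field value (fullmatch), so 'firewall'
    without wildcards does not match the alias 'Branch-Firewall-01'.
    """
    selector, field, pattern = parse_condition(condition)
    return [
        (event["EventType"], event["ToolAlias"])
        for event in events
        if event_selected(event, selector)
        and pattern.fullmatch(event.get(field, "")) is not None
    ]


if __name__ == "__main__":
    for condition in (
        "Any Alert.ToolAlias = *firewall*",      # default Firewall filter
        "Any Alert.ToolAlias = firewall",        # no wildcards: matches nothing here
        "WebTrafficAudit.ToolAlias = *firewall*",
        "Network Audit Alerts.ToolAlias = *fw*",
        "Any Alert.DetectionIP = 10.1.1.1",
        "Any Alert.DetectionIP = 10.1.1.2*",     # trailing wildcard also catches 10.1.1.20
    ):
        print(f"{condition:45s} -> {apply_filter(condition)}")
```

Two points the run makes visible: the alias CorpFW is never captured by the default *firewall* condition, which is exactly the situation the verification procedure below is for, and a trailing wildcard on an IP constant such as 10.1.1.2* matches 10.1.1.20 as well, so exact addresses should be written without wildcards.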

Verify that the correct Alias value is associated with the connector

The following procedure applies to connectors for devices that send their logs directly to the LEM Manager. To verify a connector that runs on a LEM Agent, use the same steps, but open the connectors of the Agent associated with the device instead of the connectors of the LEM Manager.

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

  2. On the LEM toolbar, navigate to Manage > Appliances.

  3. Next to the appropriate LEM Manager, click the gear button, and then select Connectors.

  4. At the bottom of the Refine Results pane, select Configured.

  5. Select the connector instance that you want to verify.

    Configured connector instances appear with a play icon in the Status column.

  6. Verify that the Alias field value is correct.

    To change the Alias property (optional):

    1. Next to the connector, click the gear button, and then select Stop.

    2. Next to the connector, click the gear button, and then select Edit.

    3. Edit the Alias field value, and then click Save.

    4. Next to the connector, click the gear button, and then select Start.

  7. Click Close.
