Submit a ticketCall us

Webinar: Web Help Desk for HR, Facilities and Accounting Departments
This webinar will focus on use cases for HR, Facilities and Accounting.

Having a unified ticketing and asset management system for all the departments in your company can provide end-users with a seamless experience and make things easier for your IT team. Yet, with different business tasks and objectives, many departments don’t fully understand the capabilities of Web Help Desk and how the software can be customized for effective use in their departments.
Register Now.

Home > Success Center > Log & Event Manager (LEM) > SolarWinds LEM 6.3 User Guide > Basic LEM procedures > Add filters

Add filters

Created by Caroline Juszczak, last modified by Kevin.Kessler on Dec 13, 2016

Views: 44 Votes: 1 Revisions: 6

Click the video File:Success_Center/Reusable_content_-_InfoDev/LEMUserGuide_MT/090/030/Button_videoCamera_18x12.png icon to view a tutorial on adding filters.

Filters group and display events that your LEM Agents and remote logging devices send to LEM. They are based on events, which are the normalized version of these network events. View these events in real time on the Monitor tab in the LEM Console.

For LEM, events and alerts are interchangeable.

About filters

Create filters to group a particular type of event. For example, you can create filters to collect: 

  • All events from your firewalls
  • All events from your domain controllers
  • All events for a specific type of user
  • All events except for recurring, expected events

Customize default filters

The LEM Console includes several preconfigured filters on the Monitor tab. The filter conditions can be broad or specific.

For example, the All Events filter does not include specific conditions. As a result, it captures all events, regardless of the source or event type. Conversely, the User Logons filter includes one condition: UserLogon Exists. This filter only captures events with the UserLogon event type.

  1. In the LEM Console, click the Monitor tab.
  2. In the Filters pane, select the filter you want to examine.
  3. Click File:Success_Center/Reusable_content_-_InfoDev/LEMUserGuide_MT/090/030/Button-Gear(Gray)_13x11.png and select Edit.
  4. Add your changes and click Save.

Other filter scenarios

Depending on your corporate IT policy, you can create and name a filter that monitors specific events, such as:

A failed authentication is an event triggered by three logon failures by the same account within an extremely short period of time.

  • Change Management to monitor configuration changes users create in your network.
  • High Volume Events to monitor traffic spikes or unexpected off-peak traffic.
  • Events of General Interest to monitor log in failures and failed authentications.
  • Rule Scenario Events to determine if you have the appropriate events to create a rule for a specific scenario.
  • Daily Problem Events to monitor basic operational problems (such as account lockouts) in real time.

Change Management filter

You can create a change management filter to monitor all change management events in your network. You can keep this filter general (as explained below) or refine it to report only certain changes or changes made by certain users.

  1. In the LEM Console, click the Monitor tab.
  2. In the Filters pane, click File:Success_Center/Reusable_content_-_InfoDev/LEMUserGuide_MT/090/030/Button-Plus-Black_13x12.png and select New Filter.
  3. Enter a descriptive name for the filter.

    For example:

    Change Management Events

  4. In the Conditions box, drag an event or event group into the box.

    For example, you can use an Event Group Exists condition to capture all events from a certain group.

    1. In the Filter Creation pane, click Event Groups.
    2. Drag Change Management Events into the Conditions box.
  5. Click Save.

    The LEM Console takes you to the new filter on the Monitor tab. Examine the events, and then click an event to see more information in the Event Details pane.

Troubleshoot filter issues

If you created a filter that is not capturing your events, check the All Events filter to ensure the events are moving to the LEM Console.

  1. In the LEM Console, click the Monitor tab.
  2. In the Filters pane, click All Events.
  3. Locate an event you expected to see in your custom filter.

    You can pause the filter and sort it by any of the column headers.

  4. Verify that the field-value combinations in the event match the selections you added to your filter.

    For example, if your filter is searching for firewall in the Connector Alias field, ensure the Connector Alias field in your event contains firewall.

    If you cannot locate a related event, verify that one of your monitored devices is logging the event and the device is sending events to LEM.

    For example, you can create another filter to show all events from the specific device using the ConnectorAlias or DetectionIP event field.

See Creating filters for real-time monitoring in your LEM Console for additional information about creating filters in the LEM Console.

To create filters for specific events, devices, or time frames, see:

 

 
Last modified
16:25, 13 Dec 2016

Tags

Classifications

Public