Submit a ticketCall us

Webinar: Web Help Desk for HR, Facilities and Accounting Departments
This webinar will focus on use cases for HR, Facilities and Accounting.

Having a unified ticketing and asset management system for all the departments in your company can provide end-users with a seamless experience and make things easier for your IT team. Yet, with different business tasks and objectives, many departments don’t fully understand the capabilities of Web Help Desk and how the software can be customized for effective use in their departments.
Register Now.

Home > Success Center > Log & Event Manager (LEM) > SolarWinds LEM 6.3 User Guide > Basic LEM procedures > Add rules

Add rules

Rules and filters perform different functions. Rules correlate events sent from LEM Agents to LEM and assign automatic actions or responses to those events. They instruct LEM to perform a specific action, such as sending an email, blocking an IP address, or shutting down a computer. Conversely, filters display events.

Click the video File:Success_Center/New_Articles/LEMUserGuide_MT/040/090/Button_videoCamera_18x12.png icon to view a tutorial on adding rules.

About rules

You can create rules to respond to one or more events. In many cases, you can base rules on several events that LEM correlates to trigger an action. You can also configure a rule to look for a single event.

Rule actions can include:

  • Sending an email
  • Logging a user off
  • Shutting down a computer
  • Deleting an Active Directory group
  • Blocking an IP address

Use Preconfigured rules to get started

The LEM appliance includes several preconfigured rules you can use to instruct LEM to respond to specific events on your network.

To enable a rule in your network:

  1. In the LEM Console, click the Build tab and select Rules.
  2. Use the Folders list or the Refine Results pane to browse, search, or filter for specific rules or scenarios.
  3. Select a rule to clone, click the corresponding File:Success_Center/New_Articles/LEMUserGuide_MT/040/090/Button-Gear(Gray)_17x14.png and select Clone.
  4. In the Clone Rule dialog box, select a Custom Rules folder, rename the rule, and click Ok.
  5. In the Rule Creation view, customize the rule (if desired) and select Enable.
  6. Click Save.
  7. In the main Rules view, click Activate Rules to sync your local changes with the LEM appliance.

Change Management rule example

Create a change management rule to notify you when a user changes your network configuration, such as:

  • Adding, changing, or deleting users in Active Directory
  • Installing software on monitored computers
  • Changing your firewall policy

You can create a general change management rule (similar to the filter illustrated in the previous section) to instruct LEM to notify you when a user changes your network configuration or creates a more specific rule that applies to specific users, groups, or types of changes.

Generally, if you can see an event in your console, you can create a rule for the event. Use your filters as a starting point for creating custom rules.

To create a rule that notifies you by email when a user adds another user to an administrative group:

  1. In the LEM Console, click the Build tab and select Rules.
  2. Click File:Success_Center/New_Articles/LEMUserGuide_MT/040/090/Button-Plus-Black_15x14.png and enter an appropriate name for the rule.

    For example:

    New Admin User

  3. In the rule Correlations box, enter the event or event group.

    For example, you can use the NewGroupMember.EventInfo Equals *admin* condition to execute anytime LEM receives a NewGroupMember event with admin included anywhere in the Event Info field.

    1. Click Events in the left pane.
    2. At the top of the Events list, enter NewGroupMember to search for this event, and then select it in the list.
    3. In the Fields: NewGroupMemberlist, locate EventInfo and drag it into the Correlations box.
    4. In the text field (denoted by a pencil icon in the Correlations box), enter *admin* to account for all variations on the word administrator.
  4. Leave the Correlation Time box as is so your rule fires anytime LEM captures this type of event.
  5. Add the Send Email Message action to the Actions box.
    1. In the left pane, click Actions.
    2. Locate Send Email Message and drag the action into the Actions box.
    3. In the Email Template, click the menu and select a template.
    4. In the Recipients menu, select a LEM user.
    5. Drag and drop event fields or constants from the left pane into the Send Email Message form to complete the action.

      Always use event fields for events in the Correlations box. For example, you can use NewGroupMember.DetectionTime to populate the Detection Time field in this example.

  6. In the Rule Creation form, select Enable and click Save.
  7. In the main Rules view, click Activate Rules to sync your local changes with the LEM appliance.

    The LEM appliance will send an email anytime a user adds a user to any group in Active Directory that contains admin in its name.

For more detailed information about how to create LEM rules to take action on your network, see Creating rules from your LEM Console to take automated action.

Other Rule Scenarios

Countless scenarios may warrant a rule. Consider these combinations of rules and actions:

  • Respond to other change management events with the Send Email Message action.
  • Respond to port scanning events with the Block IP action.
  • Respond to isolated spikes in network traffic with the Send Email Message or Disable Networking action.
  • Respond to users playing games on monitored computers with the Send Popup Message or Kill Process action.
  • Respond to users attaching unauthorized USB devices to monitored computers using the Detach USB Device action.

In essence, any activity or event that can pose a threat to your network might warrant a LEM rule.

Troubleshooting

If you created a rule but are not receiving the expected results, verify the following to track down the root cause:

If you do not see an InternalRuleFired event for your rule, verify that:

  1. Click the Monitor tab and check for the requisite events.

    For example, if your rule is based on the NewGroupMember event, locate a requisite event in the All Events or default Change Management filter.

  2. If you cannot view the requisite events, troubleshoot your devices and connectors to move the events into LEM. Otherwise, continue troubleshooting here.
  3. Check for an InternalRuleFired event in the SolarWinds Events filter.

    If you see an InternalRuleFired event for your rule, go to the next step.

    • The rule is enabled.
    • The Correlation Time or Response Window in your rule was not modified.
    • You did not click Activate Rules after saving your rule.
    • The time on your device is not more than five minutes off from the time on your LEM appliance.
  1. If you see an InternalRuleFired event for your rule but LEM does not respond to the rule as expected, check the following:
    • Send Email Message
      Verify you configured and started the Email Active Response connector on the LEM appliance. Additionally, verify you associated an email address for your selected LEM??user as your email account.
    • Agent-based Actions
      Verify you installed the LEM Agent on a computer that will respond to LEM.
    • Block IP
      Verify you configured the active response connector for the targeted firewall that will respond to this action. The active response connector is separate from the data-gathering connector.

See Troubleshooting LEM rules and email responses for detailed information about troubleshooting LEM rules and active responses.

See Creating rules from your LEM Console to take automated action for information about creating and cloning rules in the LEM Console.

See the following links for information about the active responses available for LEM rules:

 
Last modified
16:48, 23 Mar 2017

Tags

Classifications

Public