

Configure event distribution policy

Created by Caroline Juszczak, last modified by Caroline Juszczak on Sep 06, 2016


Use event distribution policy to control how events are routed through the LEM system. With the Event Distribution Policy window, you can choose at the event level which events go to the LEM console and the local LEM database. This section explains how to configure event distribution policy for managers.

Practical uses for event distribution policy

Many data sources generate events that are difficult to control at a granular level, or they generate events of little or no value. You should remove these events from the system to reduce the volume and noise sent to your console and database. By configuring your event distribution policy, you can disable (or exclude) specific event types at the event level from being sent to any or all of these destinations. The data sources continue to generate these events, and you can enable them at any time. Until then, the selected system destinations will ignore them.

Additionally, you may have events that you want to monitor in the console but have no need for long-term storage and reporting. In this case, you can use your event distribution policy to disable database storage for certain events while enabling processing by the console.

Open the Event Distribution Policy window

  1. Click Manage > Appliances.
  2. Click the gear button next to your targeted manager in the Appliance grid and select Policy.

    The Event Distribution Policy for [Manager] window appears.

    [Screenshot: Event Distribution Policy window with callouts]

    If you open the Event Distribution Policy window while another user has it open, a Policy Locked message appears. You can choose to take over the window or view it in read-only mode. Any Full User can unlock any other user.

The following table describes the key features of the Event Distribution Policy window.

Item and description

Event/Field
    Lists event categories and event types. Click an event category to expand it.

Console, Database, Warehouse, Rules
    Select a check box to indicate whether a particular event type or event category is sent to the corresponding destination (for example, the console or the local database).

    When selected, the event type is routed to that particular destination. Clear a check box to prevent the event type from being routed to that destination.

Export
    Exports a manager event policy to a spreadsheet file.

Gear button
    Click to select the Apply State to Branch command. This command pushes (or propagates) the selected event node check box settings down to the related, lower-level event types in the node tree hierarchy.

Description
    Provides a description of the event type or event category currently selected in the grid.

Configure event distribution policy

Use the Event Distribution Policy window to configure your event distribution policy. Locate the event types you need and then select the appropriate check boxes to determine whether these event types are routed to a particular destination.

  1. Open the Event Distribution Policy window for a selected manager.
  2. In the Event/Field grid, locate the event type you want to configure. You can:

    • Click any node in the Event/Field column to display its lower-level event type nodes.
    • Double-click any event type in the Event/Field column to display its lower-level event type nodes.
  3. Locate and configure your targeted event type.
    1. Select the Console check box to have your event type appear in the LEM console.
    2. Select the Database check box to have your event type stored in the local database.
    3. Clear a check box to exclude the event type from that particular destination.
  4. Save or cancel your changes.

    Click OK to save your event distribution policy changes, close the window, and return to the Console.

    Click Apply to save your changes, but keep the window open so you can continue working.

    Click Cancel to close the window without saving your changes and return to the Console.

After you save your changes, the Applying Changes status bar appears, and the manager is updated with the new event policy configuration.

This process may require 30 seconds to several minutes to complete.

Push event policy to lower-level event types

Use the Apply State to Branch command to propagate (or push) event distribution policy settings from a high-level event type to each of its lower-level child event types in the event hierarchy.

For example, if you select the top Security Event row and select the corresponding Console and Warehouse check boxes, clicking Apply State to Branch assigns the same Console and Warehouse check box settings to every child item associated with Security Event. When you save your configuration, the policy causes all child event types of Security Event to send events to all user consoles and your data warehouse.

To push event distribution policy downward:

  1. Open the Event Distribution Policy window for a selected manager.
  2. In the Event/Field grid, locate the event type that is a parent to the event types you want to configure.
  3. In the parent row, define the policy by selecting or clearing the Console, Database, Warehouse, and Rules check boxes.
  4. Click the gear button next to the targeted row and select Apply State to Branch.

    The Console pushes (or propagates) the parent row check box settings down to each of its lower-level event types in the node tree hierarchy.

    If you select one or more of the parent row check boxes, the console selects the same check box settings for each related lower-level event type in the node tree. When you save your configuration, the policy begins sending the child event types to the selected destinations.

    If you clear any of the parent row check boxes, the console disables the same check box settings from each related lower-level event type in the node tree. When you save your configuration, the policy stops sending those event types to those destinations.

  5. Click OK to save your changes.

    The Console implements the new policy.
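The propagation rule above (a parent row's check boxes are copied to every descendant only when you run Apply State to Branch; a later per-row change overrides the pushed state) is modelled below. This is an added illustration, not SolarWinds code: the four destination columns come from this page, while the sample event tree under Security Event (the "Network Traffic Audit" and "Authentication" categories and the "UserLogon" type) is constructed; TCPTrafficAudit is the Windows alert the later event filtering section disables.

```python
from dataclasses import dataclass, field

# The four destination columns of the Event Distribution Policy window.
DESTINATIONS = ("Console", "Database", "Warehouse", "Rules")


@dataclass
class EventNode:
    """One row of the Event/Field grid: an event category or an event type."""
    name: str
    flags: dict = field(default_factory=lambda: {d: True for d in DESTINATIONS})
    children: list = field(default_factory=list)

    def find(self, name):
        """Depth-first lookup of a row by name, or None if it is not in the tree."""
        if self.name == name:
            return self
        for child in self.children:
            hit = child.find(name)
            if hit is not None:
                return hit
        return None


def set_policy(node, **flags):
    """Select (True) or clear (False) check boxes on a single row only."""
    for dest, value in flags.items():
        if dest not in DESTINATIONS:
            raise ValueError(f"unknown destination column: {dest}")
        node.flags[dest] = bool(value)


def apply_state_to_branch(node):
    """Apply State to Branch: copy this row's settings to every descendant row."""
    for child in node.children:
        child.flags = dict(node.flags)
        apply_state_to_branch(child)


def destinations(root, event_type):
    """Destinations the manager routes an event of this type to under the policy."""
    node = root.find(event_type)
    if node is None:
        raise KeyError(event_type)
    return tuple(d for d in DESTINATIONS if node.flags[d])


def build_sample_tree():
    """Constructed hierarchy for illustration; not LEM's real event tree."""
    return EventNode("Security Event", children=[
        EventNode("Network Traffic Audit", children=[
            EventNode("TCPTrafficAudit"), EventNode("UDPTrafficAudit")]),
        EventNode("Authentication", children=[EventNode("UserLogon")]),
    ])
```

Changing the parent row alone leaves the children untouched; only Apply State to Branch pushes the state down, and a row cleared afterwards (for example TCPTrafficAudit with all four boxes cleared) stops routing while its siblings keep the pushed settings.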

Export a manager event policy

You can export a manager event policy to a spreadsheet file to:

  • View and manipulate the policy information in a spreadsheet application, such as Microsoft Excel.
  • Provide SolarWinds with a copy of your policy information for technical support or troubleshooting purposes.

To export a manager policy:

  1. Open the Event Distribution Policy window for a selected manager.
  2. At the top of the window, click Export.

    The Save As form appears.

  3. In the Save In box, select the folder you want to export to.
  4. In the File Name box, enter a name and file type for the exported file.

    In the file name, include an XLS file type to save the file as a Microsoft Excel spreadsheet.

  5. Click Save to save the file.

    The Console saves the file to the folder and with the file name you specified.

    You can now view the manager policy information in a spreadsheet file, such as Excel.

Improve performance with event filtering (Windows only)

The Windows Filtering Platform (WFP) application in Windows 7/8 and Windows Server 2008/2012 logs firewall and IPsec-related events to the system security log.

The generated alerts represent background events that consume additional LEM resources. These events are not required for an optimized LEM deployment. Modifying your LEM manager event distribution policy to tune out this Windows noise reduces the space these events occupy in the security event log, reduces network activity, and frees LEM resources (such as CPU, memory, and disk space).

To modify your LEM manager event distribution policy:

  1. Open the LEM console and log into the LEM manager from the Manage > Appliances view.
  2. Click the gear button next to your LEM manager and select Policy.
  3. Locate the alerts you want to disable by using the search box under Refine Results.
  4. Locate all of the alerts listed below by entering Windows Security in the search box.
  5. Check or clear the check boxes in the Console, Database, Warehouse, or Rules columns as required.
    1. Clear the Console check box to prevent your LEM manager from showing the alert in your LEM console.
    2. Clear the Database check box to prevent your LEM manager from storing the alert on your LEM database.
    3. Clear the Warehouse check box to prevent your LEM manager from sending the alert to an independent database warehouse.
    4. Clear the Rules check box to prevent your LEM manager from processing the alert against your LEM rules.
    5. Select any check box to enable processing for the alert at any of the four levels listed above.
  6. Click Apply to save your changes and keep working.

    Click Save to save your changes and exit the Alert Distribution Policy window.

Table of Alerts with Windows Security Auditing Provider SIDs

The alerts described in the tables below can be filtered out (dropped) using your LEM Manager's Event Distribution Policy by clearing their check boxes in the Console, Database, Warehouse, and Rules columns. LEM must still receive and process these events, which uses additional resources in the form of memory and CPU reservations.

Alert name          Windows event ID
TCPTrafficAudit     5152, 5154, 5156, 5157, 5158, 5159
IPTrafficAudit      5152, 5154, 5156, 5157, 5158, 5159
UDPTrafficAudit     5152, 5154, 5156, 5157, 5158, 5159
IMCPTrafficAudit    5152, 5156, 5157, 5158, 5159
ICMPTrafficAudit    5152, 5156
PPTPTrafficAudit    5152

The Provider SID value in these alerts matches the format Windows Security Auditing <Event ID>, where Event ID is one of the Windows event IDs listed below.

Event ID    Event description
5152        Windows Filtering Platform blocked a packet
5154        Windows Filtering Platform permitted an application or service to listen on a port for incoming connections
5156        Windows Filtering Platform allowed a connection
5157        Windows Filtering Platform blocked a connection
5158        Windows Filtering Platform permitted a bind to a local port
5159        Windows Filtering Platform blocked a bind to a local port