Review events with the event explorer

Created by Caroline Juszczak, last modified by Steve.Hawkins on Sep 12, 2016

The Event explorer displays all events related to an event you select in the Monitor view events grid. You can view, in real time, the monitor events that occurred before, during, and after the selected event. Following this chain of events helps you visualize how the event occurred, how the system responded to it, and what its root cause was.

When you explore an event, the console sends a request to the manager to determine which events are related to the event. In response, Event explorer displays the events that triggered the event, as well as events that occurred due to the event (such as a response or notification).

The Event explorer includes three sections: Event Details, Event Map, and Event Grid. This example shows an event explorer that provides information about the TCPPortScan event selected in the Monitor events grid.

[Screenshot: Event explorer]

Event Details

Event Details provides detailed information about the data fields of the event you select in the Monitor grid. The fields may vary depending on the selected event type. For example, network-oriented events display fields for IP addresses and ports, while account-oriented events display account names and domains.

Click Event Details to open the Event Details window. Click [icon: Button-AlertInfo] to read the event description and [icon: Button-AlertDetails] to return to the event details. If you need to research this event further, click [icon: Button-AddFilter] to create a filter that displays this event type in the Monitor view event grid. The filter will display in the Filters pane under the last selected grid. When you complete your event review, click [icon: Button-UpDown] to move to the previous or next event in the grid.

Event Map

The Event Map displays a graphical view of the event you are exploring, as well as the events that triggered it and the events that followed it. This allows you to move through the entire chain of events and analyze the relationships among them.

Event explorer always places your selected event in the center of the map. Related prior events that triggered your selected event display to the left. If no prior events exist, a box labeled None displays in the map. Related events that follow the central event appear to the right. These events were caused by the central event (such as system responses). If no events follow, a box labeled None displays. If the same event occurs multiple times, the occurrences appear together in one box.

Items that appear in the event map can be events, rules, or commands (system responses to an event). Each item type includes an icon that categorizes it, as shown below.

| Icon | Description |
| --- | --- |
| [icon: Icon-AlertEvent] | Audit Event tree event. |
| [icon: Icon-InternalCommand] | Security Event tree event. |
| [icon: Icon-AssetAlerts] | Asset Event tree event. |
| [icon: Icon-Incident2] | Incident Event tree event. |
| [icon: Icon-InternalAlert] | Internal Event tree event that is not related to rules or active response activity. |
| [icon: Icon-InternalCommand2] | An internal command indicating the system is responding to an event. |
| [icon: Icon-Rule] | Rule activity from a rule in test mode or a rule that initiated an active response. |

Event Grid

The event grid lists all events that appear in the event map in chronological order from the earliest event (top) to the latest event (bottom). The grid is useful for comparing events and exploring event data.

The event grid's Order column icons indicate when each event occurred, as shown below.

| Icon | Description |
| --- | --- |
| [icon: Icon-BeforeEvent] | The event occurred before the central event. |
| [icon: Icon-CentralEvent] | The event occurred during (as part of) the central event. |
| [icon: Icon-AfterEvent] | The event occurred after the central event. |

Review an event

  1. Open the Monitor view.
  2. In the Filters pane, select a filter.
  3. Locate an event in the event grid you want to explore.
  4. Click Pause to stop the event feed.
  5. Select the event in the grid.
  6. Click the Explore drop-down menu and select Event.

    The Event explorer displays all events associated with your selected event. Your selected event name displays in the History pane. Click Event Details to view additional event information.

 

Last modified
14:30, 12 Sep 2016
