Submit a ticketCall us

Announcing NCM 7.7
With NCM 7.7, you can examine the rules that make up an access control list for a Cisco ASA device. Then you can apply filters to display only rules that meet the specified criteria, order the rules by line number or by the hit count, and much more.
See new features and improvements.

Home > Success Center > Log & Event Manager (LEM) > SolarWinds LEM 6.3 User Guide > Advanced LEM configurations > Add a rule to LEM

Add a rule to LEM

Created by Caroline Juszczak, last modified by Caroline Juszczak on Aug 22, 2016

Views: 47 Votes: 1 Revisions: 5

You can create a new rule in the Build > Rules view. Be sure to test your rules you implement them to ensure they do not cause any unpleasant consequences.

  1. Open the Build > Rules view.
  2. Click File:Success_Center/New_Articles/LEMUserGuide_MT/0B0/0G0/Button-Add_14x12.png on the Rules toolbar.

  3. Enter a name and description for the rule.

  4. Click the drop-down menu and select the manager that will host this rule.

    If you are editing a rule, this field displays the manager associated to the rule.

  5. Click Add Tags.
  6. Select the categories and tags for this rule, and then click OK.


  7. Configure the correlations (or relationships) that define the rule. These correlations define the events that must occur for the rule to take effect. You can coordinate multiple alert events into a set of conditions that prompt the manager to issue a particular active response.


    1. Drag Event or Event Group items from the list pane into the Correlations box. Click File:Success_Center/New_Articles/LEMUserGuide_MT/0B0/0G0/Button-AddGroup.png to add a group.
    2. Click the correlations connector bar. Select AND File:Success_Center/New_Articles/LEMUserGuide_MT/0B0/0G0/Operator-And_9x15.png to determine if the alert conditions must all apply or OR File:Success_Center/New_Articles/LEMUserGuide_MT/0B0/0G0/Operator-Or_10x17.png if any alert conditions apply to prompt a response.
  8. Configure the correlation time to establish the allowable frequency and time span that the correlation events must occur before the rule applies.


    1. Set the Events within and Response Window settings for your rule.
    2. If the Events within value is 2 or more, click Advanced File:Success_Center/New_Articles/LEMUserGuide_MT/0B0/0G0/Button-AddGroup.png to select advanced threshold fields and define an advanced response window for the alert fields within the grouping.
  9. Configure the actions that occur when the events in the Correlations and the Correlations Time boxes occur??(for example, sending an email message to the system administrator or blocking an IP??address). All rules must have at least one action.


    1. Click the Actions list.
    2. Select and drag an action from the list into the Actions box.
  10. Apply the appropriate Enabled, Test, and Subscribe settings as appropriate.


    1. Select the Enabled check box to enable the rule after you click Save.
    2. Select the Test check box to operate the rule in test mode before it is enabled. SolarWinds recommends running each new rule in test mode to confirm that the rule behaves as expected.

      You must enable a rule before you can test it.

    3. Click the Subscribe drop-down menu and select all users who subscribe to the rule. The system will notify the subscribing users each time one of the subscribed-to rules triggers an alert. The alerts will appear in their alert grid.

      This option also tracks rule activity in the Subscriptions report in LEM Reports.

  11. Click Save.

    The new rule appears in the Rules grid.

    You can click Apply to save your changes without closing the form.

  12. Click Activate Rules to use or test your rule.

Check the rule status and errors

Check the Rule Status below the Description field to view the rule status and errors. If the rule status is good, the status displays in green.


If the rule status is not good, maximize Rule Status to view the errors.


Last modified
13:17, 22 Aug 2016