Submit a ticketCall us

Webinar: Web Help Desk for HR, Facilities and Accounting Departments
This webinar will focus on use cases for HR, Facilities and Accounting.

Having a unified ticketing and asset management system for all the departments in your company can provide end-users with a seamless experience and make things easier for your IT team. Yet, with different business tasks and objectives, many departments don’t fully understand the capabilities of Web Help Desk and how the software can be customized for effective use in their departments.
Register Now.

Home > Success Center > Log & Event Manager (LEM) > SolarWinds LEM 6.3 User Guide > Advanced LEM configurations > Manage LEM rules

Manage LEM rules

You can perform most management tasks from the Rule grid or in Rule Builder as you configure a rule. This section describes how to create rules only in very general terms. This section is not intended to be a tutorial, but rather a reference if you are unclear about how rule creation works.

Creating rules

Use the Rule Creation tool in the Build > Rules to configure new rules and edit existing rules.

You can create rules by configuring conditions between alert variables and other components (such as time of day sets, user-defined groups, constants, and so on). Using rules, you can correlate alert variables with other alerts and their alert variables.

You can configure rules to fire after multiple alerts occur. The manager remembers alerts if they meet the basic conditions of the rule and waits for the other conditions to be met as well. When all conditions are met, the fires the rule. The rule does not execute until the alerts meet all of the conditions and correlations defined for the rule.

When you correlate alert variables, you specify how often and in what time frame the correlations must be met before the rule is triggered. The combined correlations dictate when the rule initiates an active response.

Rule Creation connectors are similar to those in Filter Creation. However, filters report event occurrences, and rules act on them. There is no harm if you create a filter that is unusual or has logic problems. But this is not the always case with rules. Rules can have unexpected and sometimes unpleasant consequences if they are not configured exactly as you intend them to be.

Use caution when creating rules. Creating filters is an excellent way to familiarize yourself with the logic and connectors needed to create well crafted rules. Begin configuring rules when you are comfortable with configuring filters. Always test your rules before implementing them. Practice with filters before creating rules.

Rule creation view

The Rule Creation view is a different view of the Rules view you can use to configure and edit policy rules. The rule window is the window that you use to view, configure, and edit your policy rules. The Correlations box is a component of the rule window that is used to configure the specific correlations that define the rule.

The following table describes the key features of the Rule Creation connector.

Name Description

Back to Rules Listing

Hides Rule Creation and returns to the Rules grid. Rule Creation remains open in the background so you can return to it to continue working on your rules.

In the Rules grid, clicking Back to Rule Creation returns you to Rule Creation.

List pane

Contains categorized lists of the components you can use when configuring policy rules.

To view the contents of a component list, click its title bar. To add a component to a rule, select it from its list and then drag it into the appropriate correlation box.

Rule window

The working area where you configure name, describe, configure, edit, test, verify, and enable each rule.

You can have multiple rule windows open at the same time. You can also minimize, maximize, resize, and close each window, as needed.

Minimized rule window bar

Stores minimized rule windows at the bottom of the Rule Creation pane. Each minimized window shows the name of its rule. Click a minimized rule to open the rule in the Rule Creation pane.

Advanced thresholds

Whenever a group threshold or the Events within box in the Correlation Time form has a value greater than 1, the Set Advanced Thresholds icon File:Success_Center/New_Articles/LEMUserGuide_MT/0B0/0O0/Icon-AdvThreshold.png is enabled. This icon opens the Set Advanced Thresholds form so you can define an alert event threshold and the re-inference period for that threshold. The threshold tells the manager which specific alert fields to monitor to determine if a valid alert event has occurred (such as when to count the alert).

For example, threshold event x must occur multiple times on the same destination computer with the frequency defined in the Correlation Time box. Another example is threshold event y must occur on different destination computers with the frequency defined in the Correlation Time box. When the threshold event counter increases to the number displayed in the Events box, the threshold becomes true and triggers the next set of conditions in the rule.

To open the form, click File:Success_Center/New_Articles/LEMUserGuide_MT/0B0/0O0/Icon-AdvThreshold.png in the Correlations box on the nested group you want to work with.

Set an advanced threshold

  1. Open the Set Advanced Thresholds form.

  2. Select the Re-Infer (TOT) check box if you want to define a second threshold. Use the adjacent fields to type or select the threshold time interval and unit of measure.

    The Re-Infer (TOT) option defines the period that an alert must remain above the threshold before the system issues a new notification and/or active response.

    For example, an alert exceeded the threshold and the Re-Infer (TOT) period for the alert is 1 hour. If the alert stays above the threshold for more than 1 hour, the system will issue an additional notification or active response at the end of 1 hour.

Add a Threshold field

  1. Click File:Success_Center/New_Articles/LEMUserGuide_MT/0B0/0O0/Icon-AdvThreshold.png to open the Set Advanced Thresholds form.
  2. At the bottom of the form, click Add.

    The Available Fields pane has two boxes. The top box lists all of the alerts applied to the correlations box. The bottom box lists the alert fields associated with the alert that is currently selected in the top box.

  3. In the top Available Fields box, select an alert. The fields associated with that alert appear in the lower Available Fields box.

  4. In the lower Available Fields box, select the alert field used to define the alert threshold.
  5. Click the Select Modifier drop-down menu and select an option.

    Select Same if the threshold will be defined by the selected field being the same multiple times.

    Select Distinct if the threshold will be defined by the selected field being different each time.

  6. Click File:Success_Center/New_Articles/LEMUserGuide_MT/0B0/0O0/Button-Plus_16x15.png to display the field and its modifier in the Selected Fields grid.

  7. Repeat steps 2 through for any additional threshold fields.
  8. Click OK to save the fields to the threshold and close the form.

    These fields raise the threshold for the correlation event and its active response to occur.

Edit a threshold fields

You cannot actually edit a threshold field. Instead, you must delete it, and then replace it with a corrected field configuration.

To replace a threshold field:

  1. Click File:Success_Center/New_Articles/LEMUserGuide_MT/0B0/0O0/Icon-AdvThreshold.png to open the advanced threshold you want to work with.
  2. In the Selected Fields list, click File:Success_Center/New_Articles/LEMUserGuide_MT/0B0/0O0/Icon-Delete(WhtBlackX).png to remove the field you want to change.
  3. In the Available Fields list, select the appropriate alert, and then the alert field.
  4. In the Select Modifier list, select the new modifier for the field (Same or Distinct).
  5. Click File:Success_Center/New_Articles/LEMUserGuide_MT/0B0/0O0/Button-Plus_15x13.png to display the corrected field and its modifier in the Selected Fields box.

    The corrected field and its modifier appear in the Selected Fields box.

  6. Click OK to close the form.

Delete a threshold field

  1. Click File:Success_Center/New_Articles/LEMUserGuide_MT/0B0/0O0/Icon-AdvThreshold.png to open the advanced threshold you want to work with.
  2. In the Selected Fields list, select the field you want to delete.
  3. Click File:Success_Center/New_Articles/LEMUserGuide_MT/0B0/0O0/Icon-Delete(WhtBlackX).png to remove the threshold field from the Selected Fields list.

  4. Click OK to close the form.

 

 
Last modified
14:29, 24 Mar 2017

Tags

Classifications

Public