Auto-populating User-defined Groups Using a LEM Rule

Created by Caroline Juszczak, last modified by Steve.Hawkins on Sep 13, 2016


You can automate how you populate User-Defined Groups using the Add User-Defined Group Element active response in a LEM rule. This active response adds static or dynamic values, as defined by that rule, to an existing User-Defined Group.

Complete the following procedure to populate a User-Defined Group based on a specific type of event, such as when you attach a USB device you want to tag as authorized, or when a user attempts to visit a prohibited website.

For additional information about working with LEM rules, see Create rules from your LEM console to take automated action.

  1. Open your LEM console and log in to your LEM Manager as an administrator.
  2. Click Build > Rules.
  3. Click the plus (+) button in the Rules toolbar to create a new rule.
  4. Enter a name and description for your rule.
  5. Populate the Correlations box with conditions that represent the event you want to trigger your rule. For the USB example:
    1. Click Events on the components pane on the left, and then enter SystemStatus without any spaces in the search box.
    2. Click SystemStatus, and then locate EventInfo from the Fields: SystemStatus list.
    3. Drag EventInfo into the Correlations box. The left side of your new condition should read, SystemStatus.EventInfo.
    4. Enter *Attached* into the Text Constant field, denoted by the pencil icon, on the left side of your new condition.
    5. To specify a computer for this procedure, create a second condition with SystemStatus.DetectionIP = *computerName*, where computerName is the hostname of the computer you want to specify.

      In this example, the computer you attach your authorized devices to must have a LEM Agent with USB Defender installed, whether you specify it in your rule or not.

  6. Click Actions on the components pane, and then locate Add User-Defined Group Element.
  7. Drag Add User-Defined Group Element into the Actions box.
  8. Within the Add User-Defined Group Element, select the appropriate User-Defined Group, such as Authorized USB Devices. If you do not find the User-Defined Group, perform the following:
    1. Close the action and select Build > Groups.
    2. Click the plus (+) button on the top right to create your own User-Defined Group, or clone an existing group.
  9. Populate the action using the alerts present in your Correlations. For the USB example:
    1. Select Authorized USB Devices from the User Defined Group menu.
    2. Click Alerts on the components pane, and then verify that SystemStatus is still selected.
    3. Drag ExtraneousInfo from the Fields: SystemStatus list into the blank Value field in the action.
  10. Select Enable at the top of the Rule Creation window, and then modify the Test and Subscribe settings if you want.

    Putting a rule into Test allows the rule to function as needed, but the rule will not perform any of the actions listed. In this example, it will not add any information to the User-Defined Group.

  11. Click Save at the bottom of the Rule Creation window.
  12. Click Activate Rules at the top of the main Rules view.

Any time the event you defined in your rule occurs, the value you defined in the Value field of the action gets added to the User-Defined Group you specified. In the USB example, the attached device is added to the Authorized USB Devices group.
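
The rule's behavior modeled in Python, as an added example that is not SolarWinds code or part of the original guide. It assumes the conditions are AND-ed wildcard matches and uses constructed events with hypothetical hostnames (admin-ws01, kiosk-07). It shows what Test suppresses and how leaving out the DetectionIP condition from step 5 lets an attach event on any agent add its device to Authorized USB Devices.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass
class Rule:
    """Model of the rule built above: AND-ed wildcard conditions plus one
    Add User-Defined Group Element action. Not LEM's own implementation."""
    conditions: dict      # event field -> wildcard pattern; all must match (assumption)
    group: str            # target User-Defined Group
    value_field: str      # event field copied into the group's Value
    enabled: bool = True
    test: bool = False    # Test: rule triggers, actions are not performed

    def matches(self, event: dict) -> bool:
        return all(fnmatchcase(str(event.get(f, "")), pat)
                   for f, pat in self.conditions.items())

def process(rule, events, groups):
    """Apply the rule to each event; return how many events triggered it."""
    fired = 0
    for ev in events:
        if not (rule.enabled and rule.matches(ev)):
            continue
        fired += 1
        if not rule.test:  # only a non-Test rule changes the group
            groups.setdefault(rule.group, set()).add(ev[rule.value_field])
    return fired

# Constructed sample events (field values are illustrative, not real LEM output).
EVENTS = [
    {"EventInfo": "USB device Attached", "DetectionIP": "admin-ws01", "ExtraneousInfo": "DEVICE-A"},
    {"EventInfo": "USB device Detached", "DetectionIP": "admin-ws01", "ExtraneousInfo": "DEVICE-A"},
    {"EventInfo": "USB device Attached", "DetectionIP": "kiosk-07", "ExtraneousInfo": "DEVICE-B"},
]

def run(scoped, test=False):
    """Build the USB rule, with or without the DetectionIP condition, and apply it."""
    cond = {"EventInfo": "*Attached*"}
    if scoped:
        cond["DetectionIP"] = "*admin-ws01*"  # hypothetical enrollment workstation
    rule = Rule(cond, "Authorized USB Devices", "ExtraneousInfo", test=test)
    groups = {}
    fired = process(rule, EVENTS, groups)
    return fired, groups.get(rule.group, set())

if __name__ == "__main__":
    print("scoped:  ", run(scoped=True))
    print("unscoped:", run(scoped=False))
    print("test:    ", run(scoped=True, test=True))
```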

Last modified
15:45, 13 Sep 2016
