Submit a ticketCall us

Announcing NPM 12.2
With NPM 12.2 you can monitor your Cisco ASA firewalls, to monitor VPN tunnels for basic visibility and troubleshooting tunnels. NPM 12.2 also uses the SolarWinds Orion Installer so you can easily install and upgrade one or more Orion Platform products simultaneously.
See new features and improvements.

Home > Success Center > Log & Event Manager (LEM) > SolarWinds LEM 6.3 User Guide > Additional LEM Configuration and Troubleshooting Information > Getting Started with User-Defined Groups

Getting Started with User-Defined Groups

Customize the blank and sample user-defined groups in your LEM console to use with the default filters and associated rules, as well as your customer filters and rules.

Log & Event Manager comes with several default filters, rules, and groups you can use to monitor and respond to events on your network. Because IT environments that host LEM can vary, many of the user-defined groups are blank or contain suggested values by default.

Examples of default filters that use the blank and sample groups include:

  • Admin Account Authentication
  • Domain Controllers (all)

The Domain Controllers (all) filter uses a connector profile in the constant position by default. You can replace the profile with a user-defined group or directory service group if the tool profile is not sufficient for your environment. For additional information about connector profiles, see Create connector profiles to manage and monitor LEM agents.

Examples of rules that use the blank and sample groups include:

  • Authentication - Unknown User
  • Critical Account Logon Failures
  • Detach Unauthorized USB Devices
  • File Audit - Delete Sensitive Files
  • Non-Admin Server Logon
  • Vendor - Unauthorized Server Logon

Blank and sample user-defined groups to customize

SolarWinds recommends customizing the following blank and sample user-defined groups for your environment:

  • Admin accounts
  • Admin groups
  • Approved DNS servers
  • Authorized USB devices
  • Authorized VPN users
  • Sensitive files
  • Service accounts
  • Suspicious external machines
  • Suspicious local machines
  • Trusted IPs
  • Trusted server sites
  • Vendor amd contractor accounts
  • Vendor-authorized servers

The Admin Accounts group is used in several template rules as a placeholder for a custom list of administrative users, and represent the default administrative accounts in Windows and Unix/Linux environments. SolarWinds recommends you to clone this group before you customize it so you can use it in both of its capacities.

Customize user-defined groups (typical)

Complete the following procedure to customize any or all of the user-defined groups listed above. The procedure to create your own user-defined groups is similar. The difference is clicking plus icon > User Defined Group instead of editing an existing group.

If you decide to alter any group that contains a default or suggested value, SolarWinds recommends cloning the group first so you always have a backup of the default group. Cloning an existing group creates a duplicate group with the same name, but having a 2 at the end of the name.

  1. Open your LEM console and log into your LEM manager as an administrator.
  2. Click the Build tab, and then select Groups.
  3. Locate the group you want to edit.

    Use the search box or Type menu on the Refine Results pane if necessary.

  4. Click the gear icon next to the group, and then select Edit.

    If you want to clone the group, select Clone instead, and then repeat this step for the cloned group.

  5. Add an element to the group.
    1. Click Add Element, denoted by File:Success_Center/Reusable_content_-_InfoDev/LEMUserGuide_MT/0E0/0W0/Button-Plus_16x15.png at the bottom of the details pane.
    2. Enter a nickname for the element in the Name field. This value is for reference only.
    3. Enter a value to define the element in the Data field (required). Consider using wildcard characters, such as asterisks ( * ), to abbreviate these entries as illustrated in the example at the end of this procedure.
    4. (Optional) Enter a description in the Description field.
    5. Click Save.
  6. To modify an element, click the element in the details grid, and then modify it in the Element Details form just as you would when adding a new element.

    To remove an element, click the element in the details grid, and then click Remove Element, denoted by a - icon at the bottom of the details pane.

  7. If you are finished editing the group, click Save on the bottom-right of the details pane.

Use the pre-populated User-Defined Groups as examples of what your custom groups might look like. The Data field is used for the correlation, while the Name field is for reference and the Description is optional.

The following is an excerpt from the default Admin Groups User-Defined Group:

Group Name: Admin Groups

Name Data
Administrators *Administrators*
Backup Operators *backup oper*
DNS Admins DNSAdmin*

Customize user-defined groups (variations)

The following are two variations you might want to use when setting up your filters, rules, and groups.

Using Directory Service groups for Windows users, groups, and computer accounts

Directory service groups are groups that LEM pulls from Active Directory. Use these groups instead of user-defined groups in your filters and rules to reduce the need for ongoing maintenance. For additional information, see Configure the Directory Service Query connector.

Auto-populate user-defined groups using the Add User-Defined Group Element active response

The Add User-Defined Group Element active response populates a pre-defined user-defined group with static or dynamic values, as defined by a LEM rule. Use this active response to populate a user-defined group based on a specific type of event, such as when you attach a USB device you want to tag as authorized, or when a user attempts to visit a prohibited website.

For additional information, see Auto-populate user-defined groups using a LEM??rule.
 

Last modified
16:35, 27 Jan 2017

Tags

Classifications

Public