Submit a ticketCall us

Systems Monitoring for Dummies
Our new eBook will teach you the fundamentals and help you create monitors and alerts that are effective, meaningful, and actionable. Monitoring is more than a checkbox on your to-do list. This free eBook will give you practical advice to help you succeed in all aspects of monitoring – discovery, alerting, remediation, and troubleshooting. Don’t miss out on this indispensable resource for newbies, experienced IT pros, and everyone in between. Register Now.

Home > Success Center > Log & Event Manager (LEM) > Prevent a user from stopping the USB Defender service

Prevent a user from stopping the USB Defender service

Table of contents

Updated February 14, 2017

Overview

Users in your environment have administrator access and are able to disable their SolarWinds Log and Event Manager USB Defender service so they can attach their USB devices.

 

It is possible for you to remove certain permissions from the service to prevent them from adjusting it, that falls far into Windows territory, so we'll be covering alternative responses you can configure on your LEM.

Environment

  • All LEM versions
  • USB Defender installed on Windows hosts
  • Users of those hosts have access to stop services

Steps

Using ServiceStop events, we can easily clone a rule template to monitor for USB Defender stoppage and perform actions such as automatically restart the service or send an email alert to you.

  1. Go to Build > Rules and search for USB.
  2. Locate the USB-Defender Service Stopped template in the bottom section, click the gear icon, and clone it.
  3. Choose a user to receive the email alert in the Users dropdown.
  4. If you want to automatically restart the service, drag the Start Windows Service action from the Actions section on the left to below the Send Email Message action on the right.
  5. Populate the Agent and Service Name boxes in that section for this to function.
    1. Expand the Events section in the top left corner and locate the ServiceStop event.
    2. Drag the InsertionIP field from the Fields section on the left to the Agent box on the right.
    3. Drag the ServiceName field from the Fields section on the left to the Service Name box on the right.
    4. Save and then Activate the rule.

 

 

 

 

 

Last modified

Tags

Classifications

Public