
Prevent a user from stopping the USB Defender service


Updated February 14, 2017


Users in your environment have administrator access and are able to disable their SolarWinds Log and Event Manager USB Defender service so they can attach their USB devices.


You can remove certain permissions from the service to prevent users from adjusting it, but that falls far into Windows territory, so we'll cover alternative responses you can configure on your LEM instead.


  • All LEM versions
  • USB Defender installed on Windows hosts
  • Users of those hosts have access to stop services


Using ServiceStop events, we can easily clone a rule template to monitor for USB Defender stoppage and perform actions such as automatically restarting the service or sending you an email alert.

  1. Go to Build > Rules and search for USB.
  2. Locate the USB-Defender Service Stopped template in the bottom section, click the gear icon, and clone it.
  3. Choose a user to receive the email alert in the Users dropdown.
  4. If you want to automatically restart the service, drag the Start Windows Service action from the Actions section on the left to below the Send Email Message action on the right.
  5. Populate the Agent and Service Name boxes in that section for this to function.
    1. Expand the Events section in the top left corner and locate the ServiceStop event.
    2. Drag the InsertionIP field from the Fields section on the left to the Agent box on the right.
    3. Drag the ServiceName field from the Fields section on the left to the Service Name box on the right.
    4. Save and then Activate the rule.
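
The logic of the cloned rule, modelled in Python as an added example (not SolarWinds code and not LEM's rule engine or API). It shows why the Agent and Service Name boxes are filled from the event's InsertionIP and ServiceName fields. The service name is a placeholder, and the `soc-admin` recipient and the `repeat_stoppers` follow-up check are assumptions that go beyond the steps above.

```python
from collections import Counter
from dataclasses import dataclass

# Placeholder: the page does not name the Windows service USB Defender
# registers; use the ServiceName value seen in your own ServiceStop events.
USB_DEFENDER_SERVICE = "USB-DEFENDER-SERVICE-PLACEHOLDER"


@dataclass(frozen=True)
class ServiceStop:
    insertion_ip: str   # InsertionIP field: the agent that reported the stop
    service_name: str   # ServiceName field: the service that stopped


def evaluate(event, recipient, auto_restart=True):
    """Return the (action, parameters) pairs the rule fires for one event."""
    # Windows service names are case-insensitive, so compare case-folded.
    if event.service_name.casefold() != USB_DEFENDER_SERVICE.casefold():
        return []  # another service stopped: the rule does not fire
    actions = [("Send Email Message", {"Users": recipient})]
    if auto_restart:
        # Both boxes are filled from the event itself, so one rule restarts
        # the service on whichever host reported the stop.
        actions.append(("Start Windows Service",
                        {"Agent": event.insertion_ip,
                         "Service Name": event.service_name}))
    return actions


def repeat_stoppers(events, threshold=2):
    """Hosts with at least `threshold` USB Defender stops (hypothetical check)."""
    counts = Counter(e.insertion_ip for e in events
                     if evaluate(e, recipient="unused", auto_restart=False))
    return sorted(ip for ip, n in counts.items() if n >= threshold)


# Constructed sample events (documentation-range addresses, not real data).
SAMPLE = [
    ServiceStop("192.0.2.10", USB_DEFENDER_SERVICE),
    ServiceStop("192.0.2.11", "Spooler"),
    ServiceStop("192.0.2.10", USB_DEFENDER_SERVICE.lower()),
    ServiceStop("192.0.2.12", USB_DEFENDER_SERVICE),
]

if __name__ == "__main__":
    for ev in SAMPLE:
        print(ev.insertion_ip, ev.service_name, "->", evaluate(ev, "soc-admin"))
    print("repeat stoppers:", repeat_stoppers(SAMPLE))
```

An automatic restart does not stop an administrator from stopping the service again, so a host that appears in the repeat list is a candidate for the Windows-side permission change mentioned earlier.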





