About LEM rules

Rules can respond to one or more events. In many cases, you can base rules on several events that LEM correlates to trigger an action. You can also configure a rule to look for a single event.

Rules can only fire on normalized data and not on raw log data that is received.

Rules play a key role in detecting operational and compliance issues on your network, such as external breaches, insider abuse, and policy violations. The LEM console ships with a set of preconfigured rules to help you get started.

To view a short introductory video about rules and learn how to add preconfigured rules to LEM, click the video icon. See Find and add LEM rules to get started customizing preconfigured rules.

LEM rule scenarios

Countless scenarios may warrant a rule. Consider these combinations of rules and actions:

  • Respond to change management events with the Send Email Message action.
  • Respond to port scanning events with the Block IP action.
  • Respond to isolated spikes in network traffic with the Send Email Message or Disable Networking action.
  • Respond to users playing games on monitored computers with the Send Popup Message or Kill Process action.
  • Respond to users attaching unauthorized USB devices to monitored computers using the Detach USB Device action.

Any activity or event that can pose a threat to your network might warrant a LEM rule.

View rules, rule categories, and rule templates in the LEM console

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

  2. On the LEM toolbar, navigate to Build > Rules.

    Saved rules are listed in the Rules grid. The sidebar includes a search bar, and a menu of rule categories and tags.

  3. To view a list of matching templates in the Rule Templates grid (located below the Rules grid), select a rule category in the sidebar.

Rule configuration requirements and best practices

Review the following requirements and best practices about creating LEM rules.

Use descriptive rule names

To keep rules simple to manage, SolarWinds recommends creating the rule with a name that describes the event.

Set the Correlation, Correlation time, and Action

Each rule requires you to define three settings:

  • Correlation: The number of events that occur within a selected amount of time and the amount of time allocated to responding to the events.
  • Correlation time: The volume of events that match the correlation conditions and the rolling time window to evaluate the correlation.
  • Action: The action that occurs when the rule is triggered.

Activate a rule to upload local changes

When you create a new rule, or change an existing rule, you are working on a local copy of the rule. The LEM Manager cannot use the rule change until you activate it. Activating a rule tells the LEM Manager to reload its enabled rules and upload updates from your local copies.

Click the Activate button to activate rules whenever you create a new rule, edit an existing rule, or change the Enabled/Disabled or Test On/Test Off status. Otherwise, the LEM Manager will not recognize your changes. After activating rules, LEM begins processing all enabled rules.

See Enable and activate rules prior to testing for details.

Check the rule status for errors

Check the Rule Status below the Description field to view the rule status and errors. If the rule status is good, the status displays in green.

If the rule status is not good, maximize Rule Status to view the errors.

Verify that a rule fired

Check your console for InternalRuleFired events using either a filter or nDepth search. These events will show the triggered rule and when it occurred.

Test new rules before putting them into production

Before you put a rule into production, try it out in test mode. In test mode, the LEM Manager processes the rule alert messages, but does not execute any rule actions. This lets you see how the activated rule will behave without disrupting your network.

See Testing rules in LEM for details.