Find and add LEM rules

This section describes how to find and customize preconfigured LEM rules.

Find and add rules based on categories of interest

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

  2. On the LEM toolbar, click OpsCenter.

  3. In the Getting Started widget, click Define Rules and Configure Alerts.

    By default, the Getting Started widget is in the top left part of the page.

  4. Select the check box next to the types of rules that you want to enable, and then click Next.

  5. Complete the fields and selections to define the condition, correlation time, and action for each new rule, and then click Apply.

  6. On the LEM toolbar, navigate to Build > Rules.

  7. In the Rules grid, locate a new rule, click , and then select Enable.

    A displays next to the enabled rule.

  8. Complete step 5 for each additional rule.

  9. Enable your rule. See Enable and activate rules prior to testing for details.

  10. Test the rules to verify they work as expected. See Testing rules in LEM for details.

Clone, customize, and enable a specific preconfigured rule

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

  2. On the LEM toolbar, navigate to Build > Rules.

  3. Use Refine Results in the sidebar to browse, search, or filter for specific rules or scenarios, or browse for a rule in the Rule Categories and Tags section.

  4. Select a rule to clone, click the corresponding , and then choose Clone.

  5. In the Clone Rule dialog box, select a Custom Rules folder, rename the rule, and then click OK.

  6. On the Rule Creation screen, customize the rule (if desired), and then select Enable.

  7. Click Save.

  8. To sync your local changes with the LEM appliance, click Activate Rules in the Rules grid. See Enable and activate rules prior to testing for details.

  9. Test the rules to verify they work as expected. See Testing rules in LEM for details.

Change Management rule example

Change management rules notify you when a user makes network configuration changes. For example:

  • Adding, changing, or deleting users in Active Directory
  • Installing software on monitored computers
  • Making changes to the firewall policy

You can create a general change management rule to instruct LEM to notify you when a user changes your network configuration, or you can create a more specific rule that applies to specific users, groups, or types of changes. Generally, if you can see an event in your console, you can create a rule for the event. Use your filters as a starting point for creating custom rules.

The following change management rule example notifies you by email when a user adds another user to an administrative group.

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

  2. On the LEM toolbar, navigate to Build > Rules.

  3. To create a new rule, click .

  4. Enter an appropriate name for the rule. For example:

    New Admin User

  5. In the rule Correlations box, enter the event or event group.

    For example, the condition NewGroupMember.EventInfo Equals *admin* causes the rule to fire anytime LEM receives a NewGroupMember event with admin included anywhere in the Event Info field.

    1. In the left pane, click Events.

    2. At the top of the Events list, enter NewGroupMember to search for this event, and then select it in the list.

    3. In the Fields: NewGroupMember list, locate EventInfo, and then drag it into the Correlations box.

    4. To account for all variations on the word administrator, enter *admin* in the text field (denoted by a pencil icon in the Correlations box).

  6. Leave the Correlation Time box as is so your rule fires anytime LEM captures this type of event.

  7. Add the Send Email Message action to the Actions box.

    1. In the left pane, click Actions.

    2. Locate Send Email Message, and then drag the action into the Actions box.

    3. From the Email Template drop-down list, select a template.

    4. In the Recipients menu, select a LEM user.

    5. To complete the action, drag event fields or constants from the left pane into the Send Email Message form.

      Always use event fields for events in the Correlations box. For example, you can use NewGroupMember.DetectionTime to populate the Detection Time field in this example.

  8. In the Rule Creation form, select the Enable check box, and then click Save.

  9. To sync your local changes with the LEM appliance, click Activate Rules in the Rules grid.

    The LEM appliance will send an email anytime a user adds a user to any group in Active Directory that contains admin in its name.
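
Because *admin* matches anywhere in the Event Info field, it helps to check the pattern against representative events before activating the rule. The following is an added example, not SolarWinds code: it emulates the wildcard comparison offline. The EventInfo wording, the "privileged" labels, and case-insensitive matching are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

PATTERN = "*admin*"  # value entered in the Correlations box in step 5

# Constructed events. Field names come from the page; the EventInfo wording
# and the "privileged" ground-truth label are assumptions for this test.
SAMPLE_EVENTS = [
    {"DetectionTime": "2024-03-04 09:14:02", "privileged": True,
     "EventInfo": 'Member "jdoe" added to group "Domain Admins"'},
    {"DetectionTime": "2024-03-04 09:20:41", "privileged": True,
     "EventInfo": 'Member "tkhan" added to group "Administrators"'},
    {"DetectionTime": "2024-03-04 10:02:17", "privileged": False,
     "EventInfo": 'Member "sqladmin_svc" added to group "Printer Users"'},
    {"DetectionTime": "2024-03-04 11:45:30", "privileged": True,
     "EventInfo": 'Member "mlee" added to group "Backup Operators"'},
    {"DetectionTime": "2024-03-04 12:01:09", "privileged": False,
     "EventInfo": 'Member "rsmith" added to group "Sales"'},
]


def rule_fires(event, pattern=PATTERN):
    """Emulate NewGroupMember.EventInfo Equals <pattern>.

    Case-insensitive matching is an assumption, not documented LEM behavior.
    """
    return fnmatchcase(event["EventInfo"].lower(), pattern.lower())


def triage(events, pattern=PATTERN):
    """Sort events into alert outcomes so gaps are visible before activation."""
    result = {"true_positive": [], "false_positive": [], "missed": []}
    for event in events:
        fired = rule_fires(event, pattern)
        if fired and event["privileged"]:
            result["true_positive"].append(event)
        elif fired:
            result["false_positive"].append(event)
        elif event["privileged"]:
            result["missed"].append(event)
    return result


if __name__ == "__main__":
    for outcome, events in triage(SAMPLE_EVENTS).items():
        for event in events:
            print(f"{outcome:14} {event['DetectionTime']}  {event['EventInfo']}")
```

In this constructed sample, the pattern alerts on an account whose name contains admin and stays silent for a privileged group whose name does not, which is the kind of gap to look for when you test the rule.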