Create a new LEM filter for real-time monitoring

This section describes how to create a new LEM filter. It covers how to create a filter by clicking New Filter in the Filters pane, and how to create a new LEM filter from an existing event.

Create a new LEM filter

You can create custom filters from the Monitor view in your LEM console to display real-time traffic from your monitored computers and devices.

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

    Log in as an administrator or auditor.

  2. On the LEM toolbar, click Monitor.

  3. In the Filters pane, click the gear icon, and then select New Filter.

  4. Enter a filter name and description.

  5. Change the Lines Displayed value to modify the number of events your filter can store in memory.

    The default value is 1000.

  6. Configure the correlations (or relationships) that define the filter. These correlations define the events that must occur for the filter to take effect.

    1. Drag Event or Event Group items from the filters and groups list pane into the Correlations box. Click to add a group.

      You can create custom correlations in Monitor view and nDepth view using the filters and groups list pane. It contains categorized lists of events, event groups, event fields, Groups (from the Groups grid), profiles, and constants that you can use to create conditions for your filters, rules, and search queries.

    2. Click the correlations connector bar. Select AND if all of the alert conditions must apply, or OR if any one of the alert conditions is enough to prompt a response.

    If your correlations require a value, populate the value using one of the following procedures:

    • Enter a static text value in the Text Constant field, denoted by a pencil icon. Use asterisks (*) as wildcard characters to account for any number of characters before, within, or after your text value.

    • Drag a group from the list pane to replace the Text Constant field. The most commonly used groups include User Defined Groups, Connector Profiles, Directory Service Groups, and Time Of Day Sets.

    • Drag an Event field from an existing event in your Correlations to replace the Text Constant field. This creates a parameter that checks whether the values from different events in your Correlations match each other.

  7. If you want to change the operators in your conditions, click the operator until you find the one you want.

    There are two types of operators: Condition and Group.

    • Condition operators are found between your events and their values. Examples include Equals, Does Not Equal, Contains, and Does Not Contain. Rule Creation only displays the operators that are available for the values in your Correlations.
    • Group operators are found outside of your correlation groups. The two options are And (blue) and Or (orange).

    For more information see Compare values with operators in LEM filters and rules.

  8. Maximize the Notifications group and drag a notification into the Notifications box.

  9. Set your AND and OR operators as required.

  10. Click Save.
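To make the correlation semantics above concrete (AND/OR groups, the four condition operators, asterisk wildcards in a Text Constant, and the Lines Displayed limit), here is an added model of a filter evaluated over constructed events. It is illustrative Python written for this page, not LEM code; the event field names, the sample events, and case-sensitive matching are assumptions.

```python
import re
from dataclasses import dataclass

def wildcard_match(constant, value):
    """'*' matches any run of characters before, within, or after the text."""
    pattern = ".*".join(re.escape(part) for part in constant.split("*"))
    return re.fullmatch(pattern, value) is not None

# The four condition operators named on the page; case-sensitive matching is an assumption.
OPERATORS = {
    "Equals": lambda value, constant: wildcard_match(constant, value),
    "Does Not Equal": lambda value, constant: not wildcard_match(constant, value),
    "Contains": lambda value, constant: wildcard_match(f"*{constant}*", value),
    "Does Not Contain": lambda value, constant: not wildcard_match(f"*{constant}*", value),
}

@dataclass
class Condition:
    name: str        # event field, e.g. EventType
    operator: str    # one of the OPERATORS keys
    constant: str    # Text Constant value, may contain '*'
    def matches(self, event):
        return OPERATORS[self.operator](event.get(self.name, ""), self.constant)

@dataclass
class Group:
    """A correlation group; its connector bar is AND (all) or OR (any)."""
    connector: str
    items: list  # Conditions or nested Groups
    def matches(self, event):
        results = (item.matches(event) for item in self.items)
        return all(results) if self.connector == "AND" else any(results)

def run_filter(flt, events, lines_displayed=1000):
    # Lines Displayed: only the newest N matching events stay in memory (default 1000)
    return [e for e in events if flt.matches(e)][-lines_displayed:]

# Constructed sample events (not real LEM data) and a filter reading:
# EventType Equals UserLogon* AND (SourceAccount Equals admin OR DestinationMachine Contains db)
SAMPLE_EVENTS = [
    {"EventType": "UserLogonFailure", "SourceAccount": "admin", "DestinationMachine": "ws-101"},
    {"EventType": "UserLogon", "SourceAccount": "jdoe", "DestinationMachine": "srv-db01"},
    {"EventType": "FileAudit", "SourceAccount": "admin", "DestinationMachine": "srv-db01"},
    {"EventType": "UserLogonFailure", "SourceAccount": "jdoe", "DestinationMachine": "ws-102"},
]
EXAMPLE_FILTER = Group("AND", [
    Condition("EventType", "Equals", "UserLogon*"),
    Group("OR", [Condition("SourceAccount", "Equals", "admin"), Condition("DestinationMachine", "Contains", "db")]),
])
```

Running `run_filter(EXAMPLE_FILTER, SAMPLE_EVENTS)` keeps the first two sample events and drops the other two, and lowering `lines_displayed` trims the result to the newest matches only.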

Create a LEM filter from a specific event

To create a new LEM filter for a specific event type, click Create a Filter From This Event at the top of the Event Details pane.

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

    Log in as an administrator or auditor.

  2. On the LEM toolbar, click Monitor.

  3. In the Event Grid, select the event that you want to create a filter for.

  4. Click Create a Filter From This Event.

    A new filter appears in the Filters pane.

  5. (Optional) Modify the new filter to display more specific data.
    1. Select the filter in the Filters pane.
    2. Click the gear icon at the top of the Filters pane, and then select Edit.
    3. Edit the filter by selecting the Events tab in Filter Creation, selecting fields to monitor more specific details of this event type, and then clicking Save.