
ADMINISTRATOR GUIDE

Log & Event Manager


Version 6.3.1

Last Updated: Thursday, October 19, 2017

Retrieve the latest version from: https://support.solarwinds.com/Success_Center/Log_Event_Manager_(LEM)/LEM_Documentation


Copyright © 2017 SolarWinds Worldwide, LLC. All rights reserved worldwide.

No part of this document may be reproduced by any means nor modified, decompiled, disassembled,
published or distributed, in whole or in part, or translated to any electronic medium or other means
without the written consent of SolarWinds. All right, title, and interest in and to the software and
documentation are and shall remain the exclusive property of SolarWinds and its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED,
STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING
WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR
PURPOSE, AND NONINFRINGEMENT. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS
BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN
IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SOLARWINDS and SOLARWINDS & Design marks are the exclusive property of SolarWinds Worldwide,
LLC and its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or
pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be
common law marks, registered or pending registration in the United States or in other countries. All other
trademarks mentioned herein are used for identification purposes only and may be or are trademarks or
registered trademarks of their respective companies.

Table of Contents
LEM set-up, configuration, and maintenance 30

Logging in to LEM 31

Log in to the LEM web console 31

To log in to the LEM Manager 31

Supported and unsupported URLs 32

To log out of a LEM Manager 33

Log in to the LEM desktop console 33

To log in to the LEM desktop console 33

Log in to the LEM admin user interface 34

To log in to the LEM admin user interface: 34

Log in to the LEM CMC command line interface 34

CMC Access Restrictions 35

Log in to the CMC command-line interface using the hypervisor virtual console 35

Log in to the CMC command-line interface using SSH 36

Setting up a new LEM installation 38

Set up the first LEM Manager instance in the web console 38

Install the LEM license using the web console 38

Verify that the LEM desktop console can connect after you activate the license 39

Run the activate command to secure LEM and configure network settings 39

To run the Activate command: 40

Use the LEM Getting Started wizards 41

Open the Getting Started wizards 42

Use the Configure Basic LEM Settings wizard to set up Active Directory monitoring and email alerts 42

Use the Add Nodes wizard to add a syslog node to LEM 45

Use the Add Rules wizard to set up LEM rules 46

ADMINISTRATOR GUIDE: LOG & EVENT MANAGER

Configuring LEM settings and services 48

Starting and Stopping LEM components 48

Stop or restart the LEM Manager 49

Start and stop the LEM Agent on Windows 49

Set the date, time, and time zone on your LEM VM 49

Managing LEM VMs and appliances in the LEM console 51

View LEM license information 51

Enable LEM license recycling 52

Configure the settings used to log in to the LEM VM 52

Add another LEM VM or appliance to the console 53

Copy data about a LEM VM or appliance 56

Remove a LEM VM or appliance from the console 56

Configure the Email Active Response connector in LEM 57

Requirements 57

Configure the Email Active Response connector 57

Test the Email Active Response connector 59

Configure Active Directory and LEM to work with LEM rules and filters 60

Configure the Directory Service Query Connector 60

Enable LEM to receive SNMP traps by turning on the SNMP Trap Logging Service 61

To enable or disable the LEM SNMP Trap Logging Service: 62

Send SNMP traps from LEM to other applications by turning on the SNMP Request Service 64

To enable or disable the SNMP Request Service 64

Configure LEM to store original log messages (nDepth log retention) 66

About nDepth log retention 67

Configure LEM Manager to store original log files in their own database 68

Configure connectors to send original log data to LEM 68

View and search your original log messages 69

Configure the LEM event distribution policy 69

Practical uses for event distribution policy 69

Open the Event Distribution Policy window 70

Configure the event distribution policy 71

Push event policy to lower-level event types 71

Export a Manager event policy 72

Collecting Windows Filtering Platform (WFP) events in LEM 73

About Windows WFP events and LEM performance 73

Configure LEM to collect WFP events (Optional) 73

Securing LEM 75

LEM security checklist: Ensure that only authorized users can access LEM 75

General security tasks 75

Securing the CMC command-line interface 76

Securing the LEM reports application 76

Restrict SSH access to the LEM CMC interface 76

To remove access restrictions from the CMC interface 77

Restrict access to the LEM reports application 77

Understand your options for securing LEM reports 77

Restrict access to LEM reports to specific computers 78

Remove all LEM reports access restrictions 78

Enable transport layer security (TLS) in the LEM reports application 78

Enable TLS on a standalone LEM VM or appliance 79

Set up a dedicated LEM user for accessing reports 80

Configure the Reports application to use TLS 80

Enable TLS on a LEM Manager with a separate database appliance 81

Import certificates into the LEM Manager and database 82

Import a self-signed certificate into the LEM Manager 82

Managing LEM system resources 83

Allocate CPU and memory resources to the LEM VM 83


About incoming data traffic 84

Use the LEM console to view resource allocations and VM details 84

View vSphere reservation settings for LEM 85

To change vSphere reservations for LEM 86

View reservations settings using the CMC command-line 86

View Hyper-V reservation settings for LEM 87

Manage LEM data storage 87

About the three LEM data stores 88

Strategies for managing your LEM data storage needs 88

Viewing LEM database usage numbers 89

Create a disk usage alert in LEM to warn you when a disk reaches a set limit 90

LEM tuning and periodic maintenance tasks 93

Integrating LEM with other SolarWinds products 95

Monitor LEM from NPM and the Orion Web Console using SNMP 96

Step 1: Enable the SNMP Request Service 96

Step 2: Set up the Orion Console for SNMP monitoring 96

Troubleshooting your Orion connection 98

Managing users in LEM 99

Adding and managing LEM users 100

About LEM roles 100

About LEM user accounts 101

How Active Directory accounts work in LEM 102

Import an Active Directory user into LEM 102

Create a local LEM user account 103

The "User information for..." form 103

View user accounts in the LEM console 105

View the system privileges associated with a role 106

Edit user account settings 107

Delete a user account from a LEM Manager instance 107

Set the global password policy for LEM users 108

Set up Active Directory authentication in LEM 109

Gather some required information 109

Create a user in Active Directory that LEM can use to log in 109

Create custom security groups in Active Directory for LEM to use 110

Configure or view Active Directory authentication settings in LEM 111

Add an Active Directory user to LEM 114

Set up Active Directory authentication in LEM 6.3.0 and older 116

Configure the Directory Service Query connector 116

Test the Directory Service Query connector settings 117

Import your Active Directory organizational groups into LEM 117

Import an Active Directory user and assign the user LEM login rights 118

Set up single sign-on (SSO) in LEM 119

Set up Active Directory authentication in LEM 119

Generate a keytab file using Ktpass 119

Configure SSO settings in LEM using the Admin web console 121

Configure web browser settings for SSO 122

Internet Explorer 122

Mozilla Firefox 123

Google Chrome and Opera 123

Configure LEM for either SSO-only authentication, or SSO and local authentication 124

Configure SSO settings in LEM using the command-line 125

Change the LEM CMC password 128

Recover a lost CMC password 128

Specify the filters that users assigned the Monitor role can use in the LEM console 129

Sending event data to LEM via Agents, syslog, and SNMP 130

Get started adding systems and devices to LEM 131


About the LEM Agent 131

About sending log events directly to LEM 132

Configure LEM Agents after they are installed 133

View the LEM Agents monitored by each LEM Manager 133

About the LEM Agent for Windows connectors 133

Enable additional connectors to add extra log sources to LEM 134

Create connector profiles to manage and monitor LEM Agents 135

About connector profiles 135

About the connector-profile group type 136

Connector profile guidelines 136

Creating a connector profile: process overview 136

Create a connector profile: detailed steps 137

Step 1: Configure the Agent that will serve as a template for your connector profile 137

Step 2: Select the Agents that are members of the profile 139

Step 3: Verify the connector status 139

Edit LEM Agent connector-profile settings 140

Open the connector profile settings for editing 140

Clone a connector-profile instance 140

Editing a connector profile instance 141

Edit the connector-profile settings 141

Add additional connectors to a connector profile 144

Add syslog and Agent nodes to LEM 145

Add a syslog node to LEM using the "Add Node" wizard 145

Use "Scan for new nodes" to find new syslog sources and add connectors 145

Manually add a new Agent or syslog node connector 147

Other ways to add nodes to LEM 147

Updating LEM Agents 149

Manually update LEM Agents on Windows installations using the LEM Local Agent Installer 149

Manually upgrade LEM Agents on Unix, Linux, Mac, and Windows hosts using LEM Remote Agent Installers 150

Download the LEM Remote Agent Installer 150

Run the LEM Remote Agent installer 150

Set up a separate syslog server for use with LEM 153

LEM connectors: Normalize events sent from specific products on your network 155

Configuring LEM connectors for Agent and non-Agent devices 156

Configure connectors for the devices that you want to monitor with LEM 156

Configure LEM Manager connectors 157

Configure the sensor and actor connectors for each LEM Agent 157

Connectors grid icons 157

Configure Agent connectors 158

Use connector profiles to configure multiple Agents 158

Manage LEM connectors: Start, stop, edit, and more 159

Open a connector configuration form 159

Open a Manager connector configuration form 159

Open an Agent’s connector configuration form 160

Find a connector 160

Add a new connector instance 160

Start a connector instance 162

Stop a connector instance 162

Edit a connector instance 162

Delete a connector instance 163

Apply a LEM connector update package 164

Enable global automatic connector updates 164

Update connectors on-demand 164

Update LEM connectors manually using the CMC interface 165

Troubleshooting LEM connector upgrades 165


LEM connector categories 167

Configure LEM to monitor firewalls, proxy servers, domain controllers, and more 172

Configure LEM to monitor firewalls for unauthorized access 173

Configure a firewall to log to a LEM appliance 173

Configure a firewall connector on a LEM Manager 173

View network traffic from specific computers 174

Clone and enable a LEM rule to identify port scanning traffic 175

Configure LEM to monitor proxy servers for suspicious URL access in LEM 176

Set your proxy server to log to a virtual appliance 176

Configure a proxy server connector on a LEM Manager 176

Clone and enable the Known Spyware Site traffic rule 177

Configure LEM to monitor anti-virus software for viruses that are not cleaned 178

Configure antivirus software to log to a LEM appliance 178

Configure the antivirus connector on the LEM Manager 178

Creating a LEM rule to track when viruses are not cleaned 179

Configure LEM File Integrity Monitoring (FIM) to monitor Windows files, folders, and registry keys 180

Features of FIM 180

Add a FIM connector to an Agent to monitor a node 180

Step 1: Add a FIM connector to a node 181

Step 2: Configure rules and specific actions for your monitored files 181

Editing Monitors 181

Promoting a Monitor to a Template 182

Deleting a Monitor 182

Add conditions to a directory that FIM is watching 182

Editing Conditions 182

Deleting Conditions 183

FIM connector advanced settings 183

Enable Windows file auditing for use with LEM 186

To enable object auditing in Windows 186

To enable file auditing on a file or folder in Windows 186

Configure Windows audit policy for use with LEM 188

Requirements 188

Windows Audit Policy 188

Best practice 189

Set the Windows audit policy 189

Default Domain Controllers Policy 190

Default Domain Policy 190

Configure the USB Defender local policy connector in LEM 194

Configure LEM to monitor Microsoft SQL databases for changes to tables and schemas 195

Configure your database servers 195

Install MSSQL Auditor on a LEM Agent 195

Configure MSSQL Auditor on your servers 196

Configure the MSSQL Auditor Connector on a LEM Agent 196

Send notifications of Microsoft SQL database change attempts 197

Configure LEM to monitor Windows domain controllers for brute force hacking attempts 198

Install and configure the LEM Agent 198

Install a LEM Agent on a single Windows domain controller 199

Configure additional connectors on your LEM Agent 199

Create a filter for all activity in a Connector Profile 200

Clone and enable the Critical Logon Failures rule 201

Tune Windows Logging for LEM implementation 201

Configure LEM to track Cisco buildup and teardown events 202

Tracking Buildup Events 202

Tracking tear-down Events 202

Enabling LEM to track buildup and teardown events 203

LEM groups: Organize data elements for use with rules and filters 204


About LEM groups 205

About LEM Group Types 205

User-defined groups 205

Event groups 206

Directory Service groups 206

Time-of-day sets 206

Connector profiles 206

Email template 206

State variables 207

How groups are added to filters and rules in the LEM console 207

Manage LEM groups: Add, edit, view, and more 209

Open the Groups View in the LEM console 209

Find a group with the Refine Results pane 210

Add a new group 212

Edit a group 212

Clone a group 212

Export a group 213

Import a group 213

Delete a group 214

Configure user-defined groups in LEM 215

How rules and filters use user-defined groups 215

Create or edit a user-defined group 216

Customize the blank and sample user-defined groups included with LEM 217

Customize user-defined groups 218

Configure event groups in LEM 220

Create or edit an event group 220

Configure directory service (DS) groups in LEM 222

About directory service (DS) groups 222

Create a directory service group and synchronize it with Active Directory 223

View a directory service group member in the LEM console 224

Directory service group grid columns 224

Remove a directory service group from LEM 224

Configure the connector-profile group type in LEM 225

Configure state variables in LEM 226

Add a new state variable field 227

Edit a state variable field 227

Delete a state variable field 228

Manage state variable folders 228

Configure Time of Day Sets in LEM 229

Create or edit a Time of Day Set 229

Use a Time of Day Set in a filter or rule 230

LEM filters: Capture real-time events and historical data with filter criteria 232

About LEM filters and filter categories 233

Use filters to group a particular type of event or to monitor specific events 233

About the default filters included with LEM 234

Finding and viewing filters in Monitor view 234

About LEM filter categories 235

About the Filters sidebar 235

Default filters included with LEM 235

Overview Filters 236

Security Filters 236

IT Operations Filters 237

Change Management Filters 238

Authentication Filters 239

Endpoint Monitoring Filters 239

Compliance Filters 240


Create a new LEM filter for real-time monitoring 241

Create a new LEM filter 241

Create a LEM filter from a specific event 243

Manage LEM filter categories: Add, edit, view, and more 244

Add a new filter category 244

Rename a filter category 244

Move a filter category up in the list 245

Move a filter to another category 245

Move a filter category to another workstation 245

Create a backup copy of a filter category for archival purposes 246

Export a filter or filter category 246

Import a filter or filter category 246

Delete a filter category 247

Manage LEM filters: Add, edit, view, and more 248

Open filters in the LEM console 248

Manage filter-based widgets in Monitor view 249

Create a new filter 249

Edit an existing filter 250

Share a filter with another user 251

Clone a filter 251

Copy a filter 251

Create a backup copy of a filter for archival purposes 251

Export a filter 252

Import a filter 252

Delete a filter 252

Send a filter to nDepth 252

Start, stop, and pause filters in LEM 253

About starting, stopping, and pausing filters 253

Turn a LEM filter on 253

Turn a LEM filter off 253

Pause one LEM filter 254

Pause all LEM filters 254

LEM widgets and the Ops Center: Visually monitor network events in LEM 255

About LEM widgets 256

Widget icons 257

View specific widget data 257

Refresh widget data 258

View a widget legend 258

Widgets that ship with the LEM console 258

Manage LEM widgets with Widget Manager: Add, edit, and more 261

About the Widget Manager 261

Locate widgets 262

Add a master widget to the dashboard 262

Edit a dashboard widget 263

Delete a dashboard widget 263

Open a filter from a widget 263

Move (relocate) a widget 264

Resize a widget 264

Create and edit widgets with Widget Builder 265

Create a new widget 265

Edit a master widget 266

Edit a dashboard widget 266

Configure the Widget Builder form 267

Enter the general widget settings 267

Enter the visual configuration settings 268

Enter the data configuration settings 268


Using nDepth widgets in LEM 270

About nDepth widgets 270

View nDepth widget details 271

Create a search string from a widget item 271

Add a new nDepth widget 271

Edit an nDepth widget 272

Add a chart widget to the nDepth dashboard 272

LEM rules: Automate how LEM responds to events 273

About LEM rules 274

LEM rule scenarios 274

View rules, rule categories, and rule templates in the LEM console 275

Rule configuration requirements and best practices 275

Use descriptive rule names 275

Set the Correlation, Correlation time, and Action 275

Activate a rule to upload local changes 275

Check the rule status for errors 276

Verify that a rule fired 276

Test new rules before putting them into production 276

Create email templates for use with LEM rules 277

About LEM email templates 277

Managing email templates and template folders 277

Best practices to keep rules, events, and emails simple to manage 278

Create or edit an email template 278

Find and add LEM rules 281

Find and add rules based on categories of interest 281

Clone, customize, and enable a specific preconfigured rule 282

Change Management rule example 282

Create a new LEM rule to monitor and respond to events 284

Create a new rule 284

Example: Create a Change Management rule 287

About the Change Management rule example 287

Create the example Change Management rule 288

Manage LEM rules: Edit, view, export, and more 290

Activate a rule 290

Add tags to a rule 290

Edit a rule 291

Edit a locked rule 291

Clone a rule 291

Share a rule with another user 292

Create a backup copy of a rule for archival purposes 292

Export a rule 292

Import a rule 293

Delete a rule 293

Test, enable, and disable rules in LEM 294

About selecting multiple rules to test, enable, or disable 294

Enable and activate rules prior to testing 294

Enable rules from the Rules grid 294

Enable rules from the Rule Creation screen 295

Testing rules in LEM 295

Enable test mode in the Rules grid 295

Disable test mode in the Rules grid 296

Enable test mode from the Rule Creation screen 296

Disable test mode from the Rule Creation screen 297

Disable rules in LEM to stop them from processing 297

Disable rules from the Rules grid 297

Disable rules from the Rule Creation screen 298


Use the Send Email Message action in LEM rule creation 299

Add or edit a Send Email Message action 299

Notify a LEM user when a rule triggers an alert (Subscribe a user to a rule) 301

Subscribe users from the Rules grid 301

Subscribe users from the Rule Creation screen 301

LEM response actions: Respond to network and system events in LEM 303

About LEM response actions 304

About LEM active response 304

Select an event response 304

Select an event response using drag-and-drop text 305

Use LEM active responses to perform Windows actions related to users, groups, and domains 306

Configure an active response connector on a LEM Agent 307

Actions LEM can take to respond to events 307

Use the Computer-based active responses in LEM 317

Requirements 317

To configure the Windows active response connector on a LEM Agent 318

Create or clone rules to perform the action: 318

Use the Append Text to File active response in LEM 319

Requirements 319

To configure the Windows active response connector on a LEM Agent: 320

Auto-populate user-defined groups using a LEM rule 321

Use the Block IP active response in LEM 323

Requirements 323

Configure the Detach USB Device active response in LEM 325

Verify that USB Defender is installed on a LEM Agent 325

Configure the Windows Active Response connector on a LEM Agent 325

Detach USB devices 326

Configure the Disable Networking active response in LEM 327

Re-enable networking on a computer affected by the active response 327

Configure the Kill Process active response in LEM 328

Configure a Kill Process active response rule 328

Building custom filter and rule expressions in LEM 330

Comparing values with operators in LEM filters and rules 331

About operators in LEM 331

Select a new operator 331

Operator tips 332

Table of operators 332

Examples of AND and OR conditions 333

Get started building custom filter expressions in LEM 335

About custom filter expressions 335

Examine the default filters included with LEM 336

Create conditions to filter event reporting 337

Configure event filter notifications in LEM 339

Selecting the notification method 339

Notifications table 339

Get started building custom rule expressions in LEM 342

About custom rule expressions 342

Use the ToolAlias field in LEM rules and filters to capture traffic from a specific device 343

Create a filter to capture events from a specific device 343

Verify that the correct Alias value is associated with the connector 344

nDepth search: Explore event history using nDepth and other LEM utilities 345

About LEM nDepth search 346

nDepth visual tools 346

nDepth primary uses 346

Events and Log Messages 347

Common data fields in nDepth search 347


Open nDepth search in LEM 348

Open nDepth search 348

Open nDepth from another data source 349

Search normalized data using nDepth search in LEM 351

Create an nDepth query 351

Choose an event in Monitor view to send to nDepth for historical search 351

Choose a filter in Monitor view to send to nDepth for historical search 352

Create an nDepth query for all activities by a single user 352

Delete items from search strings 353

Adjust the time frame for your nDepth query 353

Search raw log messages using nDepth search in LEM 354

To view and search original log messages using nDepth 354

Manage nDepth search queries in LEM: Save, schedule, run on-demand, and more 355

Save an nDepth search query 355

Edit a saved nDepth search query 356

Run a saved nDepth search query on-demand 356

Schedule a saved nDepth search query 356

Delete a saved nDepth search query 357

Export nDepth search results in CSV format 357

Export nDepth search results in PDF format 358

Visualize search results and take action with nDepth widgets and the Respond menu in LEM 359

About the Explore and Respond menus 359

Respond to an event with the nDepth Respond menu 359

About nDepth widgets 360

View widget details 361

Create a search string from a widget item 361

Create a new nDepth widget with nDepth Widget Builder 361

Edit an nDepth widget 362

Add a chart widget to the nDepth dashboard 362

Use the explorer utilities in LEM to search or analyze nDepth query results 363

About the Explorer utilities 363

Open the explorer utilities from the nDepth view to investigate event details 363

Open the explorer utilities from Monitor view or the Utilities view 364

Collect and view NetFlow and sFlow data in LEM 365

About the Flow explorer 365

Enable Flow collection and analysis in LEM 365

View Flow data in the LEM console 366

LEM reports: Create reports for regulatory and compliance purposes 367

About LEM reports 368

LEM reports overview 368

About Report Categories 368

About report Levels 368

About scheduled and on-demand reports 369

Open the LEM reports application 369

To automatically Run as administrator every time you run Reports 369

Setting up the LEM reports application 370

Configure the LEM reports application to communicate with the LEM database 370

Secure the LEM reports application 371

Select a default primary data source 372

Configure a syslog server (Optional) 372

The LEM reports application interface 374

The Reports application features 374

Menu button 376

Quick Access toolbar 377

Default commands 377

Customize the Quick Access Toolbar 377


Move the Quick Access Toolbar 378

Minimize the ribbon 379

The Preferences group 379

Find, filter, and group LEM reports 381

Find a LEM report by title 381

Find reports for specific industries 381

Industry Options 382

View LEM report properties 384

Filter and sort LEM report lists in the reports application 384

Filter the report list to reduce the number of listed reports 385

Change a filter setting 385

Sort the report list 386

Turn off report filters 386

Manage report categories 386

Create a list of favorite LEM reports 387

Step 1: Search the reports 388

Step 2: Add a report to your Favorites tab 388

Remove a report from the Favorites tab 389

Search LEM reports for specific text 389

View the text-based details of a report 390

Use the Search tool 390

Customize and share report filters in the LEM reports application 390

Create a custom report filter in the LEM reports application 391

Save a custom report filter in the LEM reports application 392

Open a saved custom report filter in the LEM reports application 393

Categorize and display LEM reports by group 393

Create a report group in the LEM reports application 394

View the reports within a group in the LEM reports application 395

Create a sub-group in the LEM reports application 396

Run a LEM report on-demand or schedule a LEM report to run later 397

Run an on-demand report in the LEM reports application 397

Create a scheduled report in the LEM reports application 398

Step 1: Select the report you want to schedule 399

Step 2: Add a new scheduled report task 401

Step 3: Schedule the report 401

Step 4: Select the advanced scheduling options 403

Step 5: State when the system can or cannot run the task 405

Step 6: Assign the data source and scope 406

Assign the task scope 407

Step 7: Export a scheduled report 408

Remove a report from the report scheduler 408

Configure Windows Task Scheduler to run the default LEM Batch Reports 409

Prepare the INI file 409

Schedule the Reports to Run using Windows Task Scheduler 409

Default Report Schedules 411

Edit a scheduled report in the Task Scheduler 411

Create a custom LEM report 413

Create a custom report in the LEM reports application 413

Export and save a copy of the filtered LEM report with a new name 415

Open a custom report in the LEM reports application 416

Use the Select Expert tool to create a more focused LEM report 417

View the text-based details of a report 417

Run a report query using the Select Expert tool 417

Restore the original report after using the Select Expert tool 419

Manage LEM reports: Open, print, and more 420

Open your saved reports 420


View the master report sections 421

Hide and show a master report sub-topic pane 422

View the report pages 423

Magnify and reduce report pages 424

Stop a report in progress 424

Edit a scheduled report task 424

Export a report 425

Print reports 426

Set up your printer preferences 427

Default reports included with LEM 428

Scheduling terminology used in this topic 428

Audit reports included with LEM 428

Security reports included with LEM 454

Support reports included with LEM 475

The LEM command-line interface: Using the CMC 478

About the CMC command line 479

Special characters allowed in CMC commands and passwords 479

LEM CMC main menu 480

Top-Level CMC commands 480

LEM CMC appliance menu 481

LEM CMC manager menu 484

LEM CMC nDepth menu 487

LEM CMC service menu 488

LEM console help 491

About the LEM console 492

Console Views 492

Grids 493

Rearrange grid columns 493

Sort a grid by columns 493

LEM console grid column and data field descriptions 494

Ops Center view in the LEM console 497

The Ops Center view 497

The User Details widgets 498

The Node Details widgets 499

The Widget Manager and Widget Builder 499

The Widget Manager UI 500

The Widget Builder UI 501

Monitor view in the LEM console 503

The Monitor view 503

The Filters pane 505

The Filter Notifications pane 505

The Events grid 506

The Widget pane 507

The Event Details window 508

The Respond menu 510

The Explore menu 512

Notifications 512

Nodes 512

Appliances 512

The Filter Creation form 512

The Filter Creation form 513

The filters and groups list pane 514

Managing events in Monitor view 516

Review an event 517

To apply a filter to the Monitor event stream 517


To view the event details for a specific event in the event stream 517

Change the widget display for a selected filter 517

To edit a widget chart presentation in Monitor view 518

Sort the events grid 518

Highlight events 518

Copy event data to the clipboard 519

Tag events as Read or Unread 520

Remove events 520

Explore view in the LEM console 521

The nDepth view 521

The nDepth search view 522

The nDepth history pane 523

The nDepth filters and groups list pane 524

The nDepth search bar 525

The nDepth histogram 528

The nDepth explorer toolbar 531

The nDepth word cloud 532

The nDepth tree map 533

The Result Details view 534

Search Builder 538

The Utilities view 540

The Event explorer utility 542

The Whois explorer utility 544

nDepth explorer 545

The NSLookup explorer utility 545

The Traceroute explorer utility 546

The Flow explorer utility 546

Execute a Whois, NSLookup, or Traceroute task from an event or search result 546

Execute a blank Whois, NSLookup, or Traceroute task 547

Display flow data 547

Common data field categories in LEM nDepth search 547

Common data field categories in Events Mode 547

Common data field categories in Log Messages mode 548

Build view in the LEM console 549

The Groups view 550

The Refine Results form in the Groups sidebar 551

The Rules view 553

The Rules grid 554

The Refine Results form in the Rules sidebar 555

The Rule Categories & Tags pane in the Rules sidebar 556

Rule Creation screen and the Rule Builder form 557

Rule Creation screen 557

The Rule Builder form 559

The Correlations box 562

About advanced thresholds 564

The Actions box 566

Users view in the LEM console 568

Users view main page elements 569

The Users grid 570

The Refine Results form 570

The "User Information for" form 571

The Privileges screen 572

Manage view in the LEM console 573

The Appliances view 573

The Appliances main view 575

The "Connect to SolarWinds Log & Event Manager Appliance" form 580


The "Configure your SolarWinds Log & Event Manager Appliance" form 581

The Connector Configuration form 581

The Event Distribution Policy form 594

Nodes view 595

The Nodes main view 596

Nodes grid columns 596

The Connector Configuration form 599

LEM troubleshooting 600

Troubleshoot alerts in the LEM console 601

Step 1: Troubleshoot syslog devices 601

Step 2: Troubleshoot device logging 602

Troubleshoot conflicting devices 603

Step 3: Troubleshoot Agent devices and connectors 603

Step 4: Apply the latest connector update package 604

Step 5: Contact SolarWinds Technical Support 604

Generate a syslog sample from the LEM appliance 605

Troubleshoot the LEM desktop console 606

The LEM desktop console cannot resolve the LEM VM hostname 606

The LEM desktop console cannot connect after you activate the license or change the LEM VM hostname 606

Troubleshoot LEM Agents and network devices 608

Determine if LEM is receiving data from the device that you are troubleshooting 608

Troubleshoot devices not logging to a log file 609

Troubleshoot devices logging to a log file 609

Troubleshoot a LEM Agent 609

Troubleshoot a missing LEM Agent 610

Troubleshoot a disconnected LEM Agent 610

Edit or delete the spop.conf file 610

Troubleshoot a connected LEM Agent 611

Contact SolarWinds Customer Support 611

Troubleshoot syslog error messages in LEM 612

LEM console does not display syslog data 612

Identify your syslog data facilities containing log data 612

Configure a connector from the facility to the device 614

View the data from the device 615

Troubleshoot LEM rules and email responses 616

General rule troubleshooting 616

The rule fires but you do not receive an email 617

The rule does not fire and expected alerts do not display 617

Alerts display but the rule does not fire 619

The rule fires but the email is blank 620

View and modify the time on your LEM appliance 620

The rule is not triggered when it should be 621

Troubleshoot the LEM reports application 622

Troubleshoot the LEM reports application database connection 622

Repair the LEM reports application 623

Glossary of LEM terms 624


LEM set-up, configuration, and maintenance


This chapter describes how to set up LEM following installation, and how to configure LEM to interact with
other services in your IT environment.

In this chapter:

 • Logging in to LEM 31
 • Setting up a new LEM installation 38
 • Configuring LEM settings and services 48
 • Securing LEM 75
 • Managing LEM system resources 83
 • Integrating LEM with other SolarWinds products 95

Logging in to LEM
This section describes how to log in to the various user interfaces that you will need to work with LEM.

In this section:

 • Log in to the LEM web console 31
 • Log in to the LEM desktop console 33
 • Log in to the LEM admin user interface 34
 • Log in to the LEM CMC command line interface 34

Log in to the LEM web console


Use the web console to manage and monitor the LEM application.

In this topic:

 • To log in to the LEM Manager 31
 • Supported and unsupported URLs 32
 • To log out of a LEM Manager 33

 l If this is the first time you are opening the console, see "Set up the first LEM Manager instance in the web console" on page 38.
 l After logging in, see "About the LEM console" on page 492 for additional console help.

To log in to the LEM Manager


 1. Open a web browser and enter the web console URL that was provided when you configured the
LEM VM on either VMware vSphere or Microsoft Hyper-V, for example:
http(s)://<IP address of LEM VM>:8080/lem/


 2. Enter your user name and password.

Only existing administrator, auditor, and monitor users can log in to LEM. Contacts cannot log
in. See "About LEM roles" on page 100 for details.

 3. Click Connect.


The connected icon displays in the Status column to indicate that you are logged in to the selected
Manager.

The console restores the view that was open the last time you closed the console.

 l To add an additional LEM Manager instance to the console, see "Add another LEM VM or
appliance to the console" on page 53.

When you connect to the web console for the first time, LEM prompts you to authenticate to the host
Manager. If you have additional Managers associated with the console, log in to configure each Manager or
view their events. When you log out, you are disconnected from additional Managers in the web console.
To disconnect from the host Manager, close the browser window.

Supported and unsupported URLs


If you are using the hostname for the URL, add the LEM hostname or IP address into DNS.

Port 8080 is not secure and is automatically disabled after activation is complete. Port 8443 is always available.

SUPPORTED URLS                        UNSUPPORTED URLS
http://<your_ip_address>              https://<your_ip_address>
http://<your_ip_address>:8080/lem     https://<your_ip_address>:8443/lem
http://<your_hostname>
https://<your_hostname>:8080/lem
https://<your_hostname>:8443/lem

To log out of a LEM Manager


 1. In the toolbar, choose Manage > Appliances.
 2. In the Appliances grid, click the icon next to the appliance and select Log out.
The disconnected icon displays in the Status column to indicate that you are logged out of the selected Manager.

Log in to the LEM desktop console


The optional desktop console provides the same functionality as the LEM web console in a Windows-only native application. You use the desktop console to manage and monitor LEM just as you do the web console; however, the desktop console requires the free Adobe AIR runtime on your computer. To learn how to install the LEM desktop console and the Adobe AIR runtime, see "Install the LEM desktop console" in the LEM Installation Guide.

 l To learn more about Adobe AIR, visit the "What is Adobe AIR?" page:
http://www.adobe.com/products/air.html.
 l After logging in, see "About the LEM console" on page 492 for additional console help.

To log in to the LEM desktop console


 1. Open the console application on your local system.
 2. Enter your user name and password.

Only existing administrator, auditor, and monitor users can log in to LEM. Contacts cannot log
in. See "About LEM roles" on page 100 for details.

 3. Click Connect.

The console restores the view that was open the last time you closed the console.


Log in to the LEM admin user interface


Use the LEM admin user interface to perform the following administrator functions:

 l Configure and manage LDAP and SSO settings
 l Look up which Active Directory groups are mapped to LEM roles
 l Enable or disable user access to the console

Use a login account in the Admin Group to log in to the LEM admin user interface.

To log in to the LEM admin user interface:


 1. Open a web browser and connect to the LEM admin user interface using the following URL:
https://<lem_manager_IP_address>:8443/mvc/login

If you have not yet activated LEM, or if you reopened port 8080, use the following URL:
http://<lem_manager_IP_address>:8080/mvc/login

You can use the command line to configure these settings by entering admin at the cmc>
prompt.

 2. Log in using your Active Directory credentials, or enter administrator credentials in the user name
and password fields, and then click Login.
The default user name and password are both admin.

Your login screen will vary depending on the options you selected during setup.

Log in to the LEM CMC command line interface


In this topic:

 • CMC Access Restrictions 35
 • Log in to the CMC command-line interface using the hypervisor virtual console 35
 • Log in to the CMC command-line interface using SSH 36

Use the CMC command-line interface (CLI) to perform administrative tasks such as:

 l Rebooting or shutting down the LEM VM
 l Upgrading the LEM Manager software
 l Applying connector updates
 l Deploying new connector infrastructure to LEM Managers and Agents
 l And more

There are two ways to log in to the CMC CLI:

 l Connect using the console provided with your hypervisor
 l Connect using a secure shell (SSH) client such as PuTTY

CMC Access Restrictions


The following access restrictions apply to the CMC command-line interface:

 l You do not need an account with root access to administer LEM from the CMC command line.
 l You do not need to enter the CMC user name and password to log in to the CMC command line
using the hypervisor virtual console.
 l You do need to enter the CMC user name and password to log in to the CMC command line using
SSH. The user name is cmc and the default CMC password is password. See "Change the LEM CMC
password" on page 128 to change it.
 l SSH access to the CMC interface can be restricted by IP address or host name. When enabled, this security feature blocks everyone from logging in to the CMC interface except users who connect from an explicitly allowed IP address or host name (an allow list). See "Restrict SSH access to the LEM CMC interface" on page 76 for details.

Log in to the CMC command-line interface using the hypervisor virtual console
 1. Open your hypervisor and connect to the LEM VM:
 l For VMware vSphere, click the Console tab, select Advanced Configuration on the main console
screen, and press Enter to access the command prompt.
 l For Hyper-V, click Action > Connect, and then click the Console tab.

See your hypervisor documentation for additional information about using the virtual console.


 2. Use the arrow keys to navigate to Advanced Configuration and press Enter.
The CMC menu displays with a cmc> prompt.

Next steps:

 l See "The LEM command-line interface: Using the CMC" on page 478 for a list of supported
commands.

Log in to the CMC command-line interface using SSH

See "CMC Access Restrictions" on the previous page for information about credentials and SSH
access restrictions.

You can connect to LEM using a secure shell (SSH) client (such as PuTTY). The following steps show how to
configure PuTTY to open the CMC command line, but these settings will work in any SSH client.

 1. Open PuTTY and verify that Session is selected in the Category section.

 2. Enter the following:
 l Host Name (or IP address) – Enter the IP address of the LEM VM. In this example, the IP address is 10.1.1.200.
 l Port – Enter 32022 or 22.
 l Protocol – Select SSH.
 l Saved Sessions – Enter LEM Manager, and then click Save.

 3. Click Open.

Next time, double-click LEM Manager in the Saved Sessions box to open the connection.

 4. Log in to the appliance:
 a. At the login as prompt, type cmc and press Enter.
 b. At the password prompt, type your password and press Enter.

The default CMC password is password. See "Change the LEM CMC password" on
page 128 to change it. For help recovering a lost CMC password, contact SolarWinds
Support.

The cmc> prompt opens with a list of available commands.

Next steps:

 l See "The LEM command-line interface: Using the CMC" on page 478 for a list of supported
commands.


Setting up a new LEM installation


The following tasks should be completed after you install the LEM VM:

 • Set up the first LEM Manager instance in the web console 38
 • Install the LEM license using the web console 38
 • Run the activate command to secure LEM and configure network settings 39
 • Use the LEM Getting Started wizards 41

Set up the first LEM Manager instance in the web console


Follow this procedure to set up the initial LEM Manager instance in the console. To add additional
LEM Manager instances to LEM, see "Add another LEM VM or appliance to the console" on page 53.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
When you start the console for the first time, the Manage > Appliances view opens so that you can
configure the LEM Manager instance.
If the Appliances view did not open, click Manage > Appliances.
 2. Add the LEM Manager instance to the Console.
 3. Log in to the LEM Manager through the Console.
 4. Configure the Manager properties by completing the Properties form.
 5. Configure the Manager connectors with the Connector Configuration window.
 6. (Optional) Assign the Manager alert distribution policy with the Event Distribution Policy window.

Install the LEM license using the web console


This section describes how to install the license in LEM.

See "Licensing LEM" in the LEM Installation Guide to learn how LEM is licensed.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
Log in with Administrator privileges.
 2. Choose Manage > Appliances, and then click the License tab in the Properties area.
 3. Select the LEM Manager to be licensed in the Appliances grid.
 4. Enter the License Key in the Key field.

 5. Enter your name, email address, and phone number in the appropriate fields.
 6. Click Activate.
 7. When prompted, click OK to activate your license.

See also:

 l "View LEM license information" on page 51
 l "Enable LEM license recycling" on page 52

Verify that the LEM desktop console can connect after you activate the license
If you are using the optional LEM desktop console, the console automatically tries to reconnect to the LEM
Manager after you activate the license.

If the desktop console cannot connect, see "Troubleshoot the LEM desktop console" on page 606 for
troubleshooting steps.

Next steps:

 l See "Run the activate command to secure LEM and configure network settings" below

Run the activate command to secure LEM and configure network settings
In this section:

 • To run the Activate command 40

Run the Activate command after you install the license (see "Install the LEM license using the web
console" on the previous page for help). This command will help secure LEM from unauthorized users.

The activation procedure prompts you to complete the following tasks:

 l Configure a static IP address and hostname for the LEM VM
 l Configure a secure password
 l Lock down web port 8080 and redirect access to port 80 for increased security
 l Verify your network configuration
 l Specify a list of IP addresses that can access LEM reports (optional)
 l Export the SSL certificate that ensures secure communications between the LEM desktop console and the LEM Manager

Port 8080 is not secure and is automatically disabled after activation is complete. Port 8443 is always available.


To run the Activate command:


 1. Open the CMC command line. See "Log in to the LEM CMC command line interface" on page 34 for
steps. The default password is password.
 2. Configure LEM to use a static IP address:

SolarWinds recommends configuring a static IP address for the LEM VM. If you use DHCP
instead and your IP address changes, your deployed Agents may be disconnected and require
additional troubleshooting to resolve.

 a. At the cmc> prompt, type appliance and press Enter.
The prompt changes to cmc::appliance> to indicate that you are in the appliance configuration menu.
 b. Type activate and press Enter.
The Activation splash screen opens.
 c. Press Enter to go to the next screen.
 d. When prompted, select Yes to configure a static IP address for the LEM VM.
 e. At the cmc::appliance> prompt, type netconfig and press Enter.
 f. At the prompt, type static and press Enter.
 g. Follow the steps on your screen to configure the Manager Appliance network parameters.

Be sure to enter a value for each prompt. Leaving blank entries results in a faulty
network configuration that requires you to rerun netconfig.

 h. Record the IP address assigned to the LEM VM. You will use this IP address to log in to the
LEM console.

 3. When prompted to change the hostname, select either Yes to specify a hostname, or No to accept the
default hostname.
To specify a hostname, use the following naming conventions:
 l Hostname labels can only contain the following:
 l ASCII letters A through Z (letters are not case sensitive)
 l Digits 0 through 9
 l Hyphens (-)
 l Hostnames cannot start with a digit or a hyphen, and must not end with a hyphen.
 l No other symbols, punctuation characters, or white spaces are permitted.
 4. When prompted to specify a list of IP addresses that can access reports, SolarWinds recommends
selecting Yes.

 5. Confirm your network configuration:
 a. Enter viewnetconfig at the cmc::appliance> prompt to confirm your network
configurations.

To ensure secure communications between LEM and the LEM desktop console, the LEM VM automatically exports an SSL certificate when the activation completes. Following activation, the LEM desktop console securely connects to the LEM VM on port 8443.

 b. Follow the prompts to export the certificate to a network share.
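The hostname rules in step 3 can be checked before you run activate, which avoids having to rerun the network configuration because of a rejected name. The following Python function is an added example written for this page; it is not part of the LEM product or the SolarWinds documentation. It treats the dot-separated parts of a name as the labels the rules refer to (an assumption), and every hostname it is tried on here is constructed.

```python
import re

# Rules from step 3 of the activation procedure: each label may contain only
# ASCII letters (case-insensitive), digits and hyphens; it cannot start with a
# digit or a hyphen and cannot end with a hyphen; no other symbols, punctuation
# or whitespace are allowed. Assumption: labels are the dot-separated parts.
_LABEL_RE = re.compile(r"^[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def validate_hostname(hostname):
    """Return a list of rule violations; an empty list means the name is acceptable."""
    if not hostname:
        return ["hostname is empty"]
    if hostname != hostname.strip():
        return ["leading or trailing whitespace"]
    problems = []
    for label in hostname.split("."):
        if label == "":
            problems.append("empty label (consecutive, leading, or trailing dot)")
        elif not label.isascii():
            problems.append(f"{label!r}: non-ASCII characters")
        elif label[0].isdigit():
            problems.append(f"{label!r}: starts with a digit")
        elif label[0] == "-":
            problems.append(f"{label!r}: starts with a hyphen")
        elif label.endswith("-"):
            problems.append(f"{label!r}: ends with a hyphen")
        elif not _LABEL_RE.match(label):
            # Only characters outside [A-Za-z0-9-] can reach this branch.
            bad = sorted({c for c in label if not (c.isalnum() or c == "-")})
            problems.append(f"{label!r}: disallowed characters {bad}")
    return problems


def is_valid_hostname(hostname):
    """True when the name satisfies every rule above."""
    return not validate_hostname(hostname)


if __name__ == "__main__":
    # Constructed sample names, not from the LEM documentation.
    for name in ("lem-manager01", "lem01.corp.example", "1lem", "lem_manager", "lem-"):
        print(f"{name!r}: {validate_hostname(name) or 'ok'}")
```

Run the script as shown to see each violation spelled out, or call is_valid_hostname from a provisioning script before typing the name at the activation prompt.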

Use the LEM Getting Started wizards


In this section:

 • Open the Getting Started wizards 42
 • Use the Configure Basic LEM Settings wizard to set up Active Directory monitoring and email alerts 42
 • Use the Add Nodes wizard to add a syslog node to LEM 45
 • Use the Add Rules wizard to set up LEM rules 46

The LEM Getting Started wizards guide you through a series of setup tasks, including:

 l Mail server integration
 l Active Directory monitoring
 l Adding additional devices and systems that LEM should monitor, such as firewalls and user workstations
 l Basic rules setup that defines how LEM alerts you when specific conditions occur on your network


Open the Getting Started wizards


 1. Open the LEM web console. See "Log in to the LEM web console" on page 31 for steps.
 2. Click the OpsCenter tab.
By default, the Getting Started widget is located in the top left part of the page.

 3. Choose from the following:
 l To connect LEM to your mail server and Active Directory, click "Configure Basic LEM Settings". See "Use the Configure Basic LEM Settings wizard to set up Active Directory monitoring and email alerts" below for details.
 l To open the Add Node(s) wizard, click "Add Nodes to Monitor." See "Use the Add Nodes wizard to add a syslog node to LEM" on page 45 for details.
 l To open the Add Rules wizard, click "Define Rules and Configure Alerts." See "Use the Add Rules wizard to set up LEM rules" on page 46 for details.
 l To watch instructional videos about filters, reports, nDepth searches, custom rules, and more, click "Advanced LEM Tools."

Use the Configure Basic LEM Settings wizard to set up Active Directory monitoring and
email alerts
Use this wizard to connect LEM to:

 l Your mail server so that LEM can send out email alerts
 l Active Directory so that LEM can alert you to changes in your AD groups and also monitor AD
accounts

SET UP LEM TO SEND EMAIL ALERTS

Configure email alerting so that users receive email alerts when assigned alert events occur. LEM can
connect to an email server or SMTP relay server to forward email notifications. If you already configured
email alerts, click Skip to go to the "Configure Active Directory Connection" screen.

You will need the following information to complete this task:

 l The IP address or hostname of your primary or relay email server
 l A valid email address you can use for testing

To edit email alert settings at a later date, see "Configure the Email Active Response connector in
LEM" on page 57 for steps.

TO CONFIGURE EMAIL ALERTING:

 1. If you have not yet done so, open the "Configure Basic LEM Settings" wizard so that the "Configure
Email Alerting" screen is displayed. See "Open the Getting Started wizards" on the previous page for
help.


 2. Complete the form:

Mail Host – Enter the name or IP address of your SMTP mail server.

Port – Enter the port number your SMTP server uses if it does not use port 25.

Transport Protocol – Enter the protocol for sending outbound email messages from LEM Manager to the email server. Choose from SMTP, SSL, or TLS. If you choose SSL or TLS, be sure to enter the correct port number in the Port field. SolarWinds strongly recommends using TLS or SSL if you use a third-party email server.

Return Address – Enter a return email address that is appropriate for your domain, for example noreply@example.com.

Return Display Name – Enter an appropriate display name for email messages sent from LEM Manager. For example, you can enter System Alert or Security Alert.

Authentication Server User Name – If your email server requires you to authenticate before you send an email, or if you use a third-party service such as Microsoft Office 365, enter the user account that LEM Manager can use to authenticate to your email host.

Authentication Server Password – Enter the password for the user account.

 3. If you are using a secured email server, add the LEM VM IP address as an authorized source.
 4. Click "Test Connection" to test your settings.
Email alerting is properly configured if you receive a SolarWinds test message.
 5. Click Next to go to the "Configure Active Directory Connection" screen.

See also:

 l "Troubleshoot LEM rules and email responses" on page 616
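When "Test Connection" fails, it helps to reproduce the same connection from an administrative workstation so that mail-server problems can be separated from LEM configuration problems. The following Python script is an added example, not part of LEM or the SolarWinds documentation. It checks the form values for the inconsistencies the table warns about (an encrypted transport left on port 25, a malformed return address, a user without a password), then opens the connection the way the Transport Protocol field implies: plain SMTP, SMTP over an SSL-wrapped socket, or a plain session upgraded with STARTTLS for the TLS option (the mapping of SSL and TLS to these two modes is an assumption). The host, addresses and credentials in SAMPLE_SETTINGS are constructed placeholders.

```python
import smtplib
import ssl
from email.message import EmailMessage

# Constructed sample mirroring the wizard fields. Host, addresses and credentials
# are placeholders, not values from the LEM documentation.
SAMPLE_SETTINGS = {
    "mail_host": "smtp.example.com",
    "port": 587,
    "transport": "TLS",  # SMTP, SSL or TLS: the wizard's Transport Protocol choices
    "return_address": "noreply@example.com",
    "return_display_name": "Security Alert",
    "auth_user": "lem-mailer@example.com",
    "auth_password": "<password placeholder>",
}


def check_settings(s):
    """Return a list of configuration problems; an empty list means the form is consistent."""
    problems = []
    transport = str(s.get("transport", "")).upper()
    if transport not in ("SMTP", "SSL", "TLS"):
        problems.append(f"transport must be SMTP, SSL or TLS, got {s.get('transport')!r}")
    port = s.get("port")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append(f"port must be an integer in 1..65535, got {port!r}")
    elif transport in ("SSL", "TLS") and port == 25:
        # The form warns to set the correct port for SSL/TLS; 25 is the plain SMTP default.
        problems.append("SSL/TLS selected but port is 25")
    addr = s.get("return_address", "")
    if addr.count("@") != 1 or not all(addr.split("@")):
        problems.append(f"return address {addr!r} is not a valid mailbox@domain")
    if s.get("auth_user") and not s.get("auth_password"):
        problems.append("authentication user set without a password")
    return problems


def build_test_message(s, to_address):
    """Compose the test message from the Return Address and Return Display Name fields."""
    msg = EmailMessage()
    msg["From"] = f'{s["return_display_name"]} <{s["return_address"]}>'
    msg["To"] = to_address
    msg["Subject"] = "LEM mail relay test"
    msg.set_content("Constructed test message: if you receive this, the SMTP settings work.")
    return msg


def send_test_message(s, to_address, timeout=15):
    """Connect as the Transport Protocol field implies, authenticate if configured, send the test."""
    problems = check_settings(s)
    if problems:
        raise ValueError("; ".join(problems))
    transport = s["transport"].upper()
    context = ssl.create_default_context()  # verifies the server certificate against the system store
    if transport == "SSL":
        client = smtplib.SMTP_SSL(s["mail_host"], s["port"], timeout=timeout, context=context)
    else:
        client = smtplib.SMTP(s["mail_host"], s["port"], timeout=timeout)
    try:
        client.ehlo()
        if transport == "TLS":
            client.starttls(context=context)  # upgrade the plain session with STARTTLS
            client.ehlo()
        if s.get("auth_user"):
            client.login(s["auth_user"], s["auth_password"])
        client.send_message(build_test_message(s, to_address))
        return True
    finally:
        try:
            client.quit()
        except smtplib.SMTPException:
            client.close()


if __name__ == "__main__":
    print("settings problems:", check_settings(SAMPLE_SETTINGS) or "none")
    # Uncomment after replacing the placeholders in SAMPLE_SETTINGS:
    # send_test_message(SAMPLE_SETTINGS, "you@example.com")
```

The script verifies the server certificate with the system trust store; if your relay uses a private CA, load that CA into the context rather than turning verification off. Note that a relay which restricts senders by source address (step 3 above) must allow the LEM VM's own IP, which a test run from another host does not exercise.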

SET UP LEM TO MONITOR ACTIVE DIRECTORY ACCOUNTS

Complete this configuration so that LEM can monitor Active Directory (AD) accounts and alert you to
changes to AD accounts and groups. After completing the form, LEM will establish an LDAP connection to
your Active Directory server and import your organizational groups.

This configuration step allows LEM to monitor Active Directory accounts. It does not allow users to
log in to LEM with their Active Directory credentials. See "Set up Active Directory authentication in
LEM" on page 109 to configure LEM for Active Directory authentication.

TO CONFIGURE LEM TO CONNECT TO ACTIVE DIRECTORY

 1. Be sure that the "Configure Basic LEM Settings" wizard is open and the "Configure Active Directory
Connection" screen is displayed. See "Open the Getting Started wizards" on page 42 for help.
 2. Complete the form:

Domain Name – Enter the fully qualified domain name of the Active Directory server.

Directory Service Server – Enter the IP address or host name of the Active Directory server. This server is commonly the domain controller.

User Name – Enter the user account that LEM Manager should use to authenticate to Active Directory if authentication is required to connect to the server.

Password – Enter the password for the account.

Encryption – Choose "TLS" or "SSL" if the Active Directory server supports encryption. Otherwise, choose "No SSL" to leave communications unencrypted.

Custom Port – If using a non-standard port number, enter it here.

 3. Click "Test Domain Connection" to test your settings.
If the test is successful, the Active Directory connection is now enabled.
 4. Click Finish.

Use the Add Nodes wizard to add a syslog node to LEM


The "Add Nodes" wizard steps you through adding a network device node to LEM.

ADD A SYSLOG NODE WITH THE ADD NODES WIZARD

 1. In the Getting Started wizards section, click "Add Nodes to Monitor." See "Open the Getting Started
wizards" on page 42 for help.
 2. Select "syslog" from the Select node type menu.
The "Add Node(s)" screen opens.
 3. Complete the form:
 a. Step 1: Provide node information – Enter either the IP address or the hostname of the syslog
node that you are adding to LEM, then select a name from the Vendors list.
 b. Step 2: Configure node so LEM can receive its Syslog messages – Follow the onscreen steps and
select the "I have configured this node so that LEM can receive its Syslog messages" check box.
 c. Click Next.
LEM scans for new devices and the "Nodes Found" tab opens.


See "Add syslog and Agent nodes to LEM" on page 145 for information about adding other types of
nodes.

See also:

 l "Troubleshoot syslog error messages in LEM" on page 612

Use the Add Rules wizard to set up LEM rules


The Add Rules wizard guides you through the following tasks, which are required to enable bulk basic rules:

 l Set up email actions
 l Set up email alert recipients
 l Set up rule categories. The wizard suggests important rules to enable.

ADD A RULE WITH THE ADD RULES WIZARD

 1. Click "Define Rules and Configure Alerts" to open the wizard. See "Open the Getting Started wizards"
on page 42 for help.

You can also open the LEM rules wizard by choosing Build > Rules and clicking Add Rules in
the Rules area.

 2. Select the rules categories you wish to use from the Rules Category screen, and then click Next.

 3. Select the rules to add within the chosen categories, and then click Next.

 4. Configure your Email Server Settings if you have not already done so previously. See "Set up LEM to
send Email Alerts" on page 43 for more information.
 5. Select the email recipients, and then click Next.
 6. Review the rules summary page for all rule categories, and then click Finish.

See "Find and add LEM rules" on page 281 for more information about adding rules.


Configuring LEM settings and services


This section describes how to configure LEM to interact with the other systems and services in your IT
environment.

See "Sending event data to LEM via Agents, syslog, and SNMP" on page 130 to learn how to
configure LEM to receive log events from other systems and services in your IT environment.

In this section:

 • Starting and Stopping LEM components 48
 • Set the date, time, and time zone on your LEM VM 49
 • Managing LEM VMs and appliances in the LEM console 51
 • Configure the Email Active Response connector in LEM 57
 • Configure Active Directory and LEM to work with LEM rules and filters 60
 • Enable LEM to receive SNMP traps by turning on the SNMP Trap Logging Service 61
 • Send SNMP traps from LEM to other applications by turning on the SNMP Request Service 64
 • Configure LEM to store original log messages (nDepth log retention) 66
 • Configure the LEM event distribution policy 69
 • Collecting Windows Filtering Platform (WFP) events in LEM 73

Starting and Stopping LEM components


In this section:

 • Stop or restart the LEM Manager 49
 • Start and stop the LEM Agent on Windows 49

Use these steps to start and stop the LEM Manager and the LEM Agents.

Stop or restart the LEM Manager
These steps also apply to the LEM VM and LEM appliance.

Do not right-click the host and choose “power off” or “shutdown guest.” You can corrupt the LEM
database and file system if you do not shut down LEM properly.

 1. Open the CMC command line. See "Log in to the LEM CMC command line interface" on page 34 for
steps.
 2. Type appliance at the cmc> prompt.
 3. Choose from the following:
 l To shut down the VM:
 a. Type shutdown at the cmc::appliance> prompt.
 b. Follow the commands to shut down the LEM VM.
 l To restart the VM:
 a. Type reboot at the cmc::appliance> prompt.
 b. Follow the commands to restart the LEM VM.

Start and stop the LEM Agent on Windows


 1. Press the Windows key + R to open the Run dialog box.
 2. Type services.msc and press Enter.
The Services window opens.
 3. Scroll down to SolarWinds Log and Event Manager Agent and select it.
 4. Click the Stop or Start buttons near the top of the window to stop or start the service.

Set the date, time, and time zone on your LEM VM


This topic describes how to synchronize the date and time settings on the hypervisor and the LEM VM.

The LEM VM is configured to synchronize with the hypervisor date and time by default. If the time is off by
more than five minutes, the LEM rules will not operate properly.


 1. Open the CMC command line. See "Log in to the LEM CMC command line interface" on page 34 for
steps.
 2. Update the time zone in your LEM Manager:
 a. At the cmc> prompt, type appliance and press Enter.
 b. At the cmc::appliance> prompt, type dateconfig and press Enter.
 c. Press Enter, and then enter the current date in month/day/year format (MM/DD/YYYY).
 d. At the cmc::appliance> prompt, type tzconfig and press Enter.
 e. Press Enter, and then follow the onscreen prompts to configure the time zone.
 f. At the cmc::appliance> prompt, type exit and press Enter to return to the main menu.
 3. Update the time in your hypervisor:
 a. At the cmc> prompt, type manager and press Enter.
 b. At the cmc::manager> prompt, type viewsysinfo and press Enter.
The system information displays:

Virtualization Platform: VMware
----------------------------------------
Clock
Synchronization : Enabled
Hypervisor Time : 6 May 2016 09:07:31
Guest Time : Fri May 6 09:07:31 2016

 c. Using the keyboard, scroll down to Hypervisor Time and change the date and time so they
match the date and time in the LEM Manager.

Press h for help with moving and line editing commands.

 d. Using the keyboard, scroll down to Guest Time and ensure that the date and time matches the
same settings in the LEM appliance.
 4. Type Exit and press Enter.
 5. Type Exit and press Enter again to exit the CMC interface.
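The five-minute tolerance stated above can be checked automatically against the viewsysinfo output rather than by eye. The following Python script is an added example, not part of LEM or the SolarWinds documentation. It parses the two clock lines, which use different date formats (day-month-year for the hypervisor, weekday-first for the guest, as in the output shown above), and reports skew beyond the tolerance or disabled synchronization. SAMPLE_SYSINFO copies the example output above; the skewed and unsynchronized variants in the checks are constructed from it.

```python
from datetime import datetime

# Copied from the viewsysinfo output shown in the procedure above.
SAMPLE_SYSINFO = """Virtualization Platform: VMware
----------------------------------------
Clock
Synchronization : Enabled
Hypervisor Time : 6 May 2016 09:07:31
Guest Time : Fri May 6 09:07:31 2016
"""

# The guide states that rules do not operate properly beyond a five-minute offset.
MAX_SKEW_SECONDS = 5 * 60

# The two clock lines use different formats, so each key gets its own strptime pattern.
_FORMATS = {
    "Hypervisor Time": "%d %b %Y %H:%M:%S",  # 6 May 2016 09:07:31
    "Guest Time": "%a %b %d %H:%M:%S %Y",    # Fri May 6 09:07:31 2016
}


def parse_sysinfo(text):
    """Return a dict with the synchronization flag and both clocks as datetimes."""
    info = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        # Split on the first colon only; the time values contain colons themselves.
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Synchronization":
            info["synchronization"] = value.lower() == "enabled"
        elif key in _FORMATS:
            info[key] = datetime.strptime(value, _FORMATS[key])
    return info


def clock_skew_seconds(info):
    """Absolute difference between the hypervisor and guest clocks, in seconds."""
    return abs((info["Hypervisor Time"] - info["Guest Time"]).total_seconds())


def check_clocks(text, max_skew=MAX_SKEW_SECONDS):
    """Return a list of findings; an empty list means both clocks agree and sync is enabled."""
    info = parse_sysinfo(text)
    missing = [k for k in ("Hypervisor Time", "Guest Time") if k not in info]
    if missing:
        return [f"could not parse: {', '.join(missing)}"]
    findings = []
    skew = clock_skew_seconds(info)
    if skew > max_skew:
        findings.append(f"clock skew {skew:.0f}s exceeds {max_skew}s; LEM rules may not fire correctly")
    if not info.get("synchronization", False):
        findings.append("hypervisor time synchronization is not enabled")
    return findings


if __name__ == "__main__":
    print(check_clocks(SAMPLE_SYSINFO) or "clocks OK")
```

Paste the Clock section from your own viewsysinfo output into the string (or read it from a file) and run the script; any finding means the hypervisor and guest clocks need to be aligned before relying on time-based rule correlation.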

Managing LEM VMs and appliances in the LEM console
This topic shows you how to use the console to manage one or more LEM Managers or LEM VMs.

In this topic:

 • View LEM license information 51
 • Enable LEM license recycling 52
 • Configure the settings used to log in to the LEM VM 52
 • Add another LEM VM or appliance to the console 53
 • Copy data about a LEM VM or appliance 56
 • Remove a LEM VM or appliance from the console 56

View LEM license information


Use the following steps to view LEM license information.

See "Licensing LEM" in the LEM Installation Guide to learn how LEM is licensed.

Each time you create a VM desktop, an Agent connects to LEM and allocates a license. This process repeats
as desktops are added or removed.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Manage > Appliances.
 3. Select a LEM Manager (LEM VM instance) in the Appliances grid.


 4. Go to the Properties pane and select the License tab.

Total Nodes – Displays the total number of nodes allowed by your SolarWinds LEM license.

Total Unused Nodes – Displays the number of unallocated nodes.

Total Agent Nodes – Displays the number of nodes allocated to LEM agent devices (such as workstations or servers).

Total Non-Agent Nodes – Displays the number of nodes allocated to non-agent devices (such as firewalls and switches).

Maintenance Expiration Date – Displays the date your current maintenance contract with SolarWinds Support expires.

The Properties pane refreshes automatically when the LEM Manager is updated. This ensures
that you are looking at the most current information.

Enable LEM license recycling


License recycling allows you to collect and reuse licenses from nodes that have not sent an event to the
LEM Manager within a specified amount of time.

To enable license recycling:

 1. Go to the LEM license tab as described in the previous task (view LEM license information).
 2. Select the Enable license recycling check box and complete the form.
 3. Select a defined time frame to recycle the license when a node has not sent an event.
 4. Select the time and day to check for recyclable licenses.
 5. Click the Nodes to check drop-down menu and select an option.
 6. Click Update License.

Configure the settings used to log in to the LEM VM


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Manage > Appliances.

 3. Select a LEM Manager (LEM VM instance) in the Appliances grid.
 4. Go to the Properties pane and select the Login tab.
 5. Edit the form fields and click Save.

FIELD DESCRIPTION
Username: Enter the user name to log in with if configuring the console to log in automatically.
Password: Enter the password if configuring the console to log in automatically. Leave this field empty if you want the console to prompt for a password when logging in.
Login Automatically Next Time: Automatically log in to the Manager when you open the console. Clear this check box if you prefer to log in manually.
Save Credentials: Enable the console to save the LEM Manager user name and password locally. If the Login Automatically Next Time check box is selected, the console automatically logs on to the Manager when the console is started. Otherwise, the console automatically provides the user name and password when you manually log in to the Manager.
Reconnect on disconnection / Try to reconnect every n seconds: Enable the console to reconnect with the LEM Manager when the Manager is disconnected for any reason.
Timeout reconnection attempts after n tries: Select to have the console stop its reconnection attempts with the LEM Manager after a given number of unsuccessful tries.

Add another LEM VM or appliance to the console

See "Set up the first LEM Manager instance in the web console" on page 38 if you are configuring
LEM for the first time.

 • If your deployment requires multiple Managers, use a unique hostname for each instance to
ensure proper event flow and console function. SolarWinds recommends giving each Manager
a unique name before adding it to your LEM system.
 • Completing these steps adds the LEM VM or appliance to both the web console and the
desktop console.

 1. If adding a physical LEM appliance, locate and record the appliance serial or registration number.
This information is required for a future step.
 2. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 3. Click Manage > Appliances.
 4. Click in the Appliances toolbar.
The "Connect to SolarWinds Log & Event Manager Appliance" form opens.

 5. Complete the fields in the form.

FIELD DESCRIPTION
Name or IP: Enter the LEM VM name or IP address.
Username: Enter the user name to log in with.
Password: Enter the password for the account.
Login on console startup: Select to automatically log in to LEM when the console is started.
Save Credentials: Select to save the login user name and password.
Appliance Type: Select the appropriate LEM Manager or server.
Connection Port: Enter the port number used by the console to communicate with the Manager network appliance or database. The secure port number is 8443. This value defaults to 8080 for virtual appliances in the evaluation phase. This field only applies when the Appliance Type is Manager.
Model: Select "Virtual" if LEM is deployed as a VM, or select the appropriate appliance model (applies to older versions of LEM). If you don't know the model type, select Unknown. If your model type does not appear in the drop-down list, select Other. Your selection will not impact Manager operations. If you selected a listed model type, an image of the appliance displays in the Details pane.
Level: This option does not apply if LEM is deployed as a VM. If you are adding a physical appliance, select the appliance level. This value is related to the appliance capacity and performance. If you are not sure which level to choose, select Unknown.
Service Tag: Enter the LEM appliance serial or registration number. This number uniquely identifies this piece of equipment and its specific configuration properties.
Icon Color: Select the desired color for your icon.

 6. Click Connect to add the appliance and close the form.
 7. Enter the virtual appliance IP address, and then click Connect.


 8. When the installation is completed, change your LEM password.


The LEM desktop software requires that you change your LEM password after installation. This
password must be between 6 and 40 characters, and must contain at least one capital letter and one
number. The default user name is Admin and the password is Password.

See "Set the global password policy for LEM users" on page 108 to learn about minimum
password requirements in LEM.

 9. Click OK.


The VM or appliance is added to the console.

Copy data about a LEM VM or appliance


To copy data about a LEM instance to your computer's clipboard, complete these steps. You can paste the
data into another application for analysis (Microsoft Excel, for example), or the Remote Agent Installer for
updates.

The LEM remote Agent installer pushes LEM Agents to Microsoft Windows hosts across your
network.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Manage > Appliances.
 3. In the Appliances grid, select the appliances you want to copy.
 4. Click in the Appliances toolbar and select:
 • Copy Selected – Copy the data for the selected appliances
 • Copy All – Copy the data for every appliance in the grid
The appliance data is copied to your clipboard and can now be pasted into another application.

Remove a LEM VM or appliance from the console


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Manage > Appliances.
 3. In the Appliances grid, select the appliance you want to remove.
 4. Click and select Delete.
 5. At the confirmation prompt, click Yes to remove the VM/appliance.
The VM/appliance is removed from the Appliances grid.

Configure the Email Active Response connector in LEM
In this topic:

 • Requirements 57
 • Configure the Email Active Response connector 57
 • Test the Email Active Response connector 59

Configure the Email Active Response connector in your LEM Manager to send automated emails to console
users when a rule is triggered. This connector specifies the SMTP Relay mail host that your Manager uses
to send emails and provides the requisite server credentials.

If you used the LEM Getting Started Wizard to set up your LEM environment, then the Email Active
Response connector is already configured. See "Set up LEM to send Email Alerts" on page 43 for
more information.

Requirements
 • An email server that allows LEM Manager to relay email messages through it
 • IP address or hostname of your email server
 • A return email address for bounced messages and replies
 • User credentials for your email server, only if your email server requires internal users to
authenticate to send email

To configure LEM to use Office 365 as a mail host, see the following knowledge base article:

https://support.solarwinds.com/Success_Center/Log_Event_Manager_(LEM)/Configure_LEM_to_send_email_via_Office_365

Configure the Email Active Response connector


 1. Log in to your LEM console as an administrator.
 2. Click Manage > Appliances.
 3. Click the gear icon next to your LEM Manager and select Connectors.
 4. Enter Email Active Response in the Refine Results search box.
 5. Click the gear icon next to the master connector and select New.


 6. Complete the fields in the Email Active Response window.

 a. Enter a connector name in the Alias field.


 b. Enter the mail host IP address in the Mail Host field.
If you use a hostname in the Mail Host field, LEM Manager must be able to resolve the mail
host from the DNS entries you entered during your LEM network configuration.
 c. Enter 25 in the Port field.
 d. Click the Transport Protocol drop-down menu and select SMTP.
 e. Enter a return address in the Return Address field.

This field is pre-populated with noreply@solarwinds.com. Be sure to change this email
address.

 f. If the email server requires an Active Directory user to send email, enter the authentication
server username and password in the appropriate fields.

If the email server requires an email to be sent from a computer within the domain, the
email server must have an exception created for the LEM hostname. LEM cannot join the
domain.

 g. Enter a valid email address in the Test E-mail Address field.

You can click and generate a test email after you configure and start the connector.

 7. Click Save.


 8. Locate the new connector in the Connector window Status column.
 9. Click the gear icon next to your connector and select Start.
A green icon in the Status column indicates that the connector is running.

Test the Email Active Response connector
Send a test email to verify that the connector is working properly.

 • If you receive an email, the connector is working properly.
 • If you do not receive an email, the LEM Internal Events filter provides the following information:
   • Event Name: InternalInfo
   • Event Info: Email notification failed
   • Extraneous Info: Information about the failure. For example, server not reachable,
authentication issue, and so on.

Modify the connector configuration as required and then resend a test email.

See also:

 • "Troubleshoot LEM rules and email responses" on page 616


Configure Active Directory and LEM to work with LEM rules and filters
This topic explains how to set up LEM to connect with Active Directory so that you can use Active Directory
groups containing user and computer accounts with LEM rules and filters.

In this topic:

 • Configure the Directory Service Query Connector 60

LEM groups that sync with Active Directory are called directory service groups (or DS groups). DS
groups are only available on LEM Manager instances that complete the following integration steps.

After you complete these integration steps, see "Configure directory service (DS) groups in LEM" on
page 222 to learn how to manage DS groups.

Configure the Directory Service Query Connector


Complete these steps on the LEM Manager that will implement DS groups.

Before you begin, gather the following information to configure the Directory Service Query Connector:

 • Either the IP address or fully-qualified domain name (FQDN) of the Active Directory server.
 • The domain credentials for an account that the Directory Service Query connector can use.
SolarWinds recommends using a service account with a non-expiring password. This account does
not need elevated privileges (such as Domain Admin privileges).

To get directory server details, open a Windows command prompt on a computer on the correct
network and type nslookup.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Manage > Appliances.
 3. Click the gear icon next to the LEM Manager and select Connectors.
 4. Enter Directory Service Query in the search box on the Refine Results pane.
 5. Click the gear icon next to the master connector, and select New.

 6. Complete the Directory Service Query connector form:
 a. In the Domain Name field, enter the fully-qualified domain name for your directory service
server using lowercase characters.
For example, solarwinds.com.
 b. In the Directory Service Server field, enter the IP address or hostname of your directory service
server.
SolarWinds recommends using the IP address to avoid possible DNS issues. The LEM network
configurations (netconfig) allow for setting or changing the DNS server to resolve the host.
 c. Enter the domain credentials for a user account that the connector can use.
SolarWinds recommends using a service account with a non-expiring password, otherwise you
will have to manually update the connector every time the password expires. This account
does not need elevated privileges. When entering domain credentials, provide only the user
name.
 7. When finished, click Save.
 8. Locate the new instance of the connector. The gray icon in the Status column indicates that the
connector is not running.
 9. Click the gear icon next to the new connector and select Start. A green icon in the Status column
indicates that the connector is running.

To test the connector settings, click the Test Domain Connection button. Test results are displayed as an
alert in the SolarWinds Alerts filter. The test does not display a pop-up message.

Next steps:

See "Configure directory service (DS) groups in LEM" on page 222 to learn how to sync Active Directory
groups with DS groups.

Enable LEM to receive SNMP traps by turning on the SNMP Trap Logging Service
In this topic:

 • To enable or disable the LEM SNMP Trap Logging Service 62

Turn on the SNMP Trap Logging Service to enable LEM to receive SNMP traps from devices and
applications on your network. LEM can correlate events sent as SNMP traps from devices that have a
device-specific connector.


LEM can also correlate performance alerts sent as SNMP traps from the following SolarWinds solutions:

 • Network Performance Monitor (NPM)
 • Server & Application Monitor (SAM)
 • Virtualization Manager (VMan)

The SNMP Trap Logging Service must be enabled to correlate events sent by these SolarWinds products.

 • LEM receives SNMP traps on port 162.
 • The "SNMP Trap Listening Service" was renamed to the "SNMP Trap Logging Service" in LEM
version 6.3.0.

See also:

 • To configure LEM to output SNMP traps, turn on the SNMP Request Service. See "Send SNMP
traps from LEM to other applications by turning on the SNMP Request Service" on page 64 to
learn how.
 • To configure LEM to communicate with NPM and the Orion Web Console, see "Monitor LEM
from NPM and the Orion Web Console using SNMP" on page 96.

Complete the following steps to enable (or disable) the SNMP Trap Logging Service in LEM.

To enable or disable the LEM SNMP Trap Logging Service:


 1. Open the CMC command line. See "Log in to the LEM CMC command line interface" on page 34 for
steps.
 2. At the cmc> prompt type:
service
 3. At the cmc::service> prompt type:
snmp
A prompt similar to the following displays:
SNMP Trap Logging Service is DISABLED
Would you like to ENABLE the SNMP Trap Logging Service? [Y/n]
If the service is running, the prompt displays:
SNMP Trap Logging Service is RUNNNING
Would you like to STOP the SNMP Trap Logging Service? [Y/n]
 4. Type Y or n and press Enter.
The SNMP Trap Logging Service is configured.

 5. Next, a prompt similar to the following displays:
SNMP Request Service is DISABLED
Would you like to ENABLE the SNMP Request Service? [Y/n]

The SNMP Request Service is not the same as the SNMP Trap Logging Service:
 • The LEM SNMP Request Service sends SNMP traps outside of LEM. See "Send SNMP traps
from LEM to other applications by turning on the SNMP Request Service" on the next page
for more information.
 • The LEM SNMP Trap Logging Service receives SNMP traps from other devices.

Type Y or n and press Enter.


 • If you enabled the SNMP Trap Logging Service, the following message displays:
The SNMP Trap Logging Service is started.
 • If you disabled the SNMP Trap Logging Service, the following message displays:
The SNMP Trap Logging Service is stopped.
 6. Type exit at the cmc::service> prompt.
Type exit again to log out and close the CMC command-line interface.


Send SNMP traps from LEM to other applications by turning on the SNMP Request Service
In this topic:

 • To enable or disable the SNMP Request Service 64

Turn on the SNMP Request Service to allow LEM to output SNMP traps to one or more applications on your
network. Starting with version 6.3.0 LEM supports SNMP version 2 and SNMP version 3.

The SNMP Request Service must be turned on in LEM to do the following:

 • Send SNMP traps to devices when LEM rules fire.
 • Use NPM and the SolarWinds Orion Web Console to monitor LEM system resources such as CPU
and memory.

 • If you use SolarWinds Network Performance Monitor (NPM) in your environment:
   1. Enable the SNMP Request Service using the steps on this page.
   2. See "Monitor LEM from NPM and the Orion Web Console using SNMP" on page 96 to
set up the Orion Console for SNMP monitoring.
 • To configure LEM to receive SNMP traps, see "Enable LEM to receive SNMP traps by turning
on the SNMP Trap Logging Service" on page 61 for steps.

To enable or disable the SNMP Request Service


 1. Open the CMC command line. See "Log in to the LEM CMC command line interface" on page 34 for
steps.
 2. At the cmc> prompt type:
service

 3. At the cmc::service> prompt type:
snmp
A prompt similar to the following displays:

SNMP Trap Logging Service is DISABLED
Would you like to ENABLE the SNMP Trap Logging Service? [Y/n]

The SNMP Trap Logging Service is not the same as the SNMP Request Service. The LEM SNMP
Trap Logging Service receives SNMP traps from other devices, whereas the LEM SNMP Request
Service outputs SNMP traps outside of LEM. See "Enable LEM to receive SNMP traps by
turning on the SNMP Trap Logging Service" on page 61 for more information.

 4. Do not change the status of this service unless you know what you are doing.
Type Y or n to go to the next step and press Enter.
A prompt similar to the following displays:

SNMP Request Service is DISABLED
Would you like to ENABLE the SNMP Request Service? [Y/n]

 5. Type Y or n to enable or disable the service and press Enter.


If you enabled the SNMP Request Service, the following prompt displays:

Enter the port number to access SNMP on LEM (default: 161):

 6. Type the port number that LEM should use to communicate with SolarWinds Network Performance
Monitor (NPM), and then press Enter.

Ports 161 and 162 are standard.

The following prompt displays:

Enter the username to access SNMP on LEM (default: orion):

 7. Type the user name to use, and then press Enter.
The following prompt displays:

Enter the password hashing algorithm (SHA1, MD5 or NO for no authentication, default: SHA1):


 8. Enter an option, and then press Enter.


The following prompt displays:

Enter the authentication password (default: orion123):

 9. Type the password, and then press Enter.


The following prompt displays:

Enter the communication encryption algorithm (AES128, DES56 or NO for no encryption, default: AES128):

 10. Enter an option, and then press Enter.


The following prompt displays:

Enter the encryption key(default: orion123):

 11. Type the encryption key, and then press Enter.


The SNMP Request Service is started.
 12. Type exit at the cmc::service> prompt to return to the main menu.
Type exit again to log out and close the CMC command-line interface.
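The answers given at the prompts above (user name, SHA1/MD5 authentication, AES128/DES56 encryption, and their orion/orion123 defaults) determine what the NPM poller has to present to LEM. The following shell script is an added example, not SolarWinds tooling: it turns those answers into the matching net-snmp snmpget call and flags defaults or weak options left in place. It assumes net-snmp is installed on the poller; the host name lem.example.local is a placeholder.

```shell
#!/bin/sh
# Added example, not part of SolarWinds LEM: map the answers given to the
# CMC "service > snmp" prompts onto a net-snmp snmpget call and audit them.
# Assumptions: net-snmp (snmpget) is installed on the NPM poller and the
# host name lem.example.local is a placeholder for your LEM appliance.

# lem_snmp_level AUTH PRIV
# AUTH is SHA1, MD5 or NO; PRIV is AES128, DES56 or NO (the CMC options).
# Prints the SNMPv3 security level that combination allows.
lem_snmp_level() {
    if [ "$1" = "NO" ]; then
        # No authentication rules out privacy too: SNMPv3 has no noAuthPriv.
        echo "noAuthNoPriv"
    elif [ "$2" = "NO" ]; then
        echo "authNoPriv"
    else
        echo "authPriv"
    fi
}

# lem_snmpget_cmd HOST PORT USER AUTH AUTHPW PRIV PRIVKEY
# Prints (does not run) the snmpget command that polls LEM's sysUpTime with
# the configured USM credentials. net-snmp names the algorithms SHA/MD5 and
# AES/DES, so the CMC names are translated here. Passphrases given on the
# command line are visible in the process list; for real polling keep them
# in snmp.conf instead.
lem_snmpget_cmd() {
    host="$1"; port="$2"; user="$3"; auth="$4"; authpw="$5"; priv="$6"; privkey="$7"
    level=$(lem_snmp_level "$auth" "$priv")
    cmd="snmpget -v3 -l $level -u $user"
    case "$auth" in
        SHA1) cmd="$cmd -a SHA -A $authpw" ;;
        MD5)  cmd="$cmd -a MD5 -A $authpw" ;;
    esac
    if [ "$level" = "authPriv" ]; then
        case "$priv" in
            AES128) cmd="$cmd -x AES -X $privkey" ;;
            DES56)  cmd="$cmd -x DES -X $privkey" ;;
        esac
    fi
    echo "$cmd $host:$port SNMPv2-MIB::sysUpTime.0"
}

# lem_snmp_audit USER AUTH AUTHPW PRIV PRIVKEY
# Prints one line per finding; returns 1 if anything was flagged, 0 otherwise.
# The defaults it looks for (orion / orion123) are the ones the CMC offers.
lem_snmp_audit() {
    user="$1"; auth="$2"; authpw="$3"; priv="$4"; privkey="$5"
    flagged=0
    if [ "$user" = "orion" ]; then
        echo "default user name 'orion' still in use"; flagged=1
    fi
    if [ "$auth" = "NO" ]; then
        echo "no authentication: any host that reaches the SNMP port can poll LEM"; flagged=1
    else
        if [ "$auth" = "MD5" ]; then
            echo "MD5 authentication selected; SHA1 is the stronger option offered"; flagged=1
        fi
        if [ "$authpw" = "orion123" ]; then
            echo "default authentication password still in use"; flagged=1
        fi
    fi
    if [ "$auth" = "NO" ] || [ "$priv" = "NO" ]; then
        echo "no encryption: polled data travels in the clear"; flagged=1
    else
        if [ "$priv" = "DES56" ]; then
            echo "DES56 encryption selected; AES128 is the stronger option offered"; flagged=1
        fi
        if [ "$privkey" = "orion123" ]; then
            echo "default encryption key still in use"; flagged=1
        fi
    fi
    return "$flagged"
}

# Demonstration with constructed values; nothing is sent over the network.
echo "Poll command for a hardened configuration:"
lem_snmpget_cmd lem.example.local 161 lem-poller SHA1 'Auth-Pass-1' AES128 'Priv-Key-2'
echo "Audit of the CMC defaults:"
lem_snmp_audit orion SHA1 orion123 AES128 orion123 || echo "-> change these before pointing NPM at LEM"
```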

Configure LEM to store original log messages (nDepth log retention)


LEM can store raw (un-normalized) log messages for retention and search purposes. To enable this
feature, configure the LEM Manager and the applicable connectors accordingly.

In this topic:

 • About nDepth log retention 67
 • Configure LEM Manager to store original log files in their own database 68
 • Configure connectors to send original log data to LEM 68
 • View and search your original log messages 69

nDepth log retention refers to storing raw data (that is, original log messages) in a separate
database. Other than the name, nDepth log retention is separate from the nDepth search engine
that is available in the LEM console under Explore > nDepth.

About nDepth log retention
This section describes nDepth log retention.

WHY USE A SEPARATE NDEPTH VM?

A separate nDepth appliance provides additional capacity to store and retrieve raw log messages. If long-
term storage of original log messages is a priority, then consider a separate nDepth VM. Otherwise, a
separate instance is probably unnecessary. For more information contact your SolarWinds sales
representative or SolarWinds Technical Support.

 • Rules do not fire on raw (non-normalized) log data. Rules can only fire on normalized data.
 • Raw (non-normalized) log messages do not appear in Monitor view in the Console.
 • If you enable original log storage (raw database storage), and you enable connectors to send
data to both databases, LEM storage requirements may double for the same retention
period, and extra resource reservations of at least two additional CPUs and 8-16GB of RAM
may be required.

INSTALLING A SEPARATE NDEPTH APPLIANCE OR VM

In this configuration, each LEM Manager has its own dedicated nDepth appliance or VM that stores the
original log files from each host (network device) and source (application or connector) that the LEM
Manager monitors. You still access and explore this information using the LEM console's nDepth view even
though it resides in a separate appliance or VM.

 • To use a separate nDepth appliance or VM, you must install it before you begin using nDepth.
Contact SolarWinds Technical Support for instructions on installing a separate appliance.
 • If you are not using a separate appliance, this procedure is not required, because short-term log
messages are stored directly on LEM.

CONFIGURING NETWORK CONNECTORS FOR USE WITH NDEPTH

Each data-gathering connector (or, sensor connector) must be configured for use with nDepth log retention.
First decide which network devices, applications, and connectors monitored by the Manager should send
raw log messages to nDepth. Next, configure each of these connectors for use with nDepth. You can route
connector log messages directly to LEM, directly to nDepth, or to both.

See "Configure connectors to send original log data to LEM " on the next page for more information.

SolarWinds recommends configuring each connector so it routes its log messages to both nDepth
and LEM. This allows you to receive events on these connectors, and to search log messages stored
on the separate nDepth instance.


Configure LEM Manager to store original log files in their own database

The following procedure must be completed prior to configuring any connector to send log
messages to your LEM appliance.

 1. Open the CMC command line. See "Log in to the LEM CMC command line interface" on page 34 for
steps.
 2. At the cmc> prompt, enter manager.
 3. At the cmc::manager> prompt, enter configurendepth and follow the prompts to configure
your LEM Manager to use an nDepth server:
 a. Enter y at the Enable nDepth? prompt.
 b. If you are prompted with Run nDepth locally? (Recommended), enter y. This will configure
a separate database on your LEM appliance to store original log files.
 c. If your LEM implementation consists of several appliances, follow the prompts to complete
the process for your dedicated database or nDepth appliance. For additional information
about this process, contact Support.
 4. Back at the cmc::manager> prompt, enter exit to return to the previous prompt.
 5. At the cmc> prompt, enter ndepth.
 6. At the cmc::nDepth# prompt, enter start. This command will start the Log Message
search/storage service.
 7. Enter exit to return to the previous prompt.
 8. Enter exit to log out of your LEM appliance.

Configure connectors to send original log data to LEM


 1. Open the connector for editing in the Connector Configuration window for the LEM Manager or
LEM Agent, as applicable:
 l If the connector has already been configured, stop the connector by clicking gear > Stop, and
then click gear > Edit.
 l If the connector has not been configured, create a new instance of the connector by clicking
gear > New next to the connector you want to configure.
 2. In the Connector Details pane, change the Output value to Alert, nDepth. Leave the nDepth Host
and nDepth Port values alone unless otherwise instructed by Support.
The Output values are defined as:
 • Alert: Sending data to the alert database
 • nDepth: Sending data to the RAW (original log) database
For help, see "The Connector Configuration form fields for data-gathering (sensor) connectors " on
page 585
 3. If you are finished configuring the connector, click Save.

 4. Start the connector by clicking gear > Start.
 5. Click Close to close the Connector Configuration window.
 6. Repeat these steps for each connector you want to send original log data to your LEM appliance.

View and search your original log messages


See "Search raw log messages using nDepth search in LEM" on page 354 for details.

Configure the LEM event distribution policy


In this topic:

 • Practical uses for event distribution policy 69
 • Open the Event Distribution Policy window 70
 • Configure the event distribution policy 71
 • Push event policy to lower-level event types 71
 • Export a Manager event policy 72

Configure the event distribution policy to choose which events should go to the LEM console, and which
should go to the local LEM database. This topic explains how to configure the event distribution policy on
the LEM Manager.

Practical uses for event distribution policy


Many data sources generate events that are difficult to control at a granular level, or they generate events
of little or no value. SolarWinds recommends removing these events from the system to reduce the volume
and noise sent to the LEM console and LEM database. By configuring the event distribution policy, you can
disable (or exclude) specific event types at the event level from being sent to any or all of these
destinations. The data sources continue to generate these events, and you can enable them at any time,
but the selected system destinations will ignore them while they are disabled.

Additionally, you may have events that you want to monitor in the console, but that do not require long-
term storage or reporting. In this case, you can configure the event distribution policy to disable database
storage for those events, but enable processing by the console.

See also: "Collecting Windows Filtering Platform (WFP) events in LEM" on page 73


Open the Event Distribution Policy window


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Manage > Appliances.
 3. Click the gear icon next to the targeted LEM Manager in the Appliances grid, and then select Policy.
The Event Distribution Policy for [Manager] window appears.

If you open the Event Distribution Policy window while it is in use by a user, a Policy Locked message
appears. You can choose to take over the window, or view it in read-only mode. Any Full User can
unlock any other user.

The following table describes the key features of the Event Distribution Policy window.

FIELD DESCRIPTION
Event/Field: Lists event categories and event types. Click ▼ to maximize an event category.
Console, Database, Warehouse, Rules: Select a check box to indicate whether a particular event type or event category is sent to the corresponding destination. When selected, the event type is routed to that destination. Clear a check box to prevent the event type from being routed to that destination.
Export: Exports a Manager event policy to a spreadsheet file.
(icon): Click to select the Apply State to Branch command. This command pushes (or propagates) the selected event node check box settings down to the related, lower-level event types in the node tree hierarchy.
Description: Provides a description of the event type or event category currently selected in the grid.

Configure the event distribution policy


Use the Event Distribution Policy window to configure your event distribution policy. Locate the event types
you need, and then select the appropriate check boxes to determine whether these event types are routed
to a particular destination.

 1. Open the Event Distribution Policy window. See "Open the Event Distribution Policy window" on the
previous page for steps.
 2. Locate the events that you want to disable by either browsing the alert taxonomy or by using the
search box under Refine Results.

You can locate all of the events listed below by typing Windows Security in the search box.

 3. Select or clear the check boxes in the Console, Database, Warehouse, or Rules columns as
appropriate:
 l Clear the Console box to prevent LEM Manager from showing an alert in the LEM console.
 l Clear the Database box to prevent LEM Manager from storing the alert in the LEM database.
 l Clear the Warehouse box to prevent LEM Manager from sending the alert to an independent
database warehouse.
 l Clear the Rules box to prevent LEM Manager from processing the alert against LEM rules.
 l Select any check box to enable processing for the alert at any of the four levels listed above.
 4. Click Apply to save your changes.
 5. Click Save to save your changes and exit the Event Distribution Policy window.

This process may require 30 seconds to several minutes to complete.

Push event policy to lower-level event types


Use the Apply State to Branch command to propagate (or push) event distribution policy settings from a
high-level event type to each of its lower-level “child” event types in the event hierarchy.

For example, suppose you select the top Security Event row and select the corresponding Console and
Warehouse check boxes. Clicking Apply State to Branch assigns the same Console and Warehouse check box
settings to every child item associated with Security Event. When you save your configuration, the policy
causes all child event types of Security Event to send events to all user consoles and your data warehouse.


To push event distribution policy settings downward:

 1. Open the Event Distribution Policy window for a selected Manager. See "Open the Event
Distribution Policy window" on page 70 for steps.
 2. In the Event/Field grid, locate the event type that is a parent to the event types you want to
configure.
 3. In the parent row, define the policy by selecting or clearing the Console, Database, Warehouse, and
Rules check boxes.
 4. Click next to the targeted row and select Apply State to Branch.
The Console pushes (or propagates) the parent row check box settings down to each of its lower-level
event types in the node tree hierarchy.
If you select one or more of the parent row check boxes, the console selects the same check box
settings for each related lower-level event type in the node tree. When you save your configuration,
the policy begins sending the “child” event types to the selected destinations.
If you clear any of the parent row check boxes, the console disables the same check box settings
from each related lower-level event type in the node tree. When you save your configuration, the
policy stops sending those event types to those destinations.
 5. Click OK to save your changes.
The Console implements the new policy.

Export a Manager event policy


You can export a Manager event policy to a spreadsheet file to:

• View and manipulate the policy information in a spreadsheet application, such as Microsoft Excel.
• Provide SolarWinds with a copy of your policy information for technical support or troubleshooting
purposes.

To export a Manager policy:

 1. Open the Event Distribution Policy window for a selected Manager. See "Open the Event Distribution
Policy window" on page 70 for steps.
 2. At the top of the window, click Export.
The Save As form appears.
 3. In the Save In box, select the folder you want to export to.
 4. In the File Name box, enter a file name. Give the name an .xls extension to save the file as a Microsoft
Excel spreadsheet.
 5. Click Save.
The Console saves the file to the folder and with the file name you specified. You can now open the Manager
policy information in a spreadsheet application such as Excel.

Collecting Windows Filtering Platform (WFP) events in LEM
In this topic:

  • About Windows WFP events and LEM performance 73

• Configure LEM to collect WFP events (Optional) 73

Windows Filtering Platform (WFP) logs firewall and IPsec related events to the Windows Security log. These
events are high-volume background events that require additional LEM resources to process, and collecting
them is not recommended for an optimized LEM deployment.

About Windows WFP events and LEM performance


By default, WFP logging is disabled in the Windows Security Log connector. Tuning out Windows noise in
group policies has the following advantages:

• Reduces the space that these events occupy in the Security Event log
• Reduces network activity
• Reduces demand on LEM system resources (such as CPU, memory, and disk space)

The Windows Security Log connector stopped collecting WFP data in LEM version 6.2.

Configure LEM to collect WFP events (Optional)


If necessary, you can enable WFP event logging in LEM.

SolarWinds strongly recommends that you keep WFP logging turned off.

To collect WFP events in LEM, configure the Windows Filtering Platform Events connector. Enabling this
connector causes LEM to collect a very large volume of data. To manage this data, see the following
sections.

IMPROVE LEM PERFORMANCE BY TUNING WINDOWS WFP EVENTS

If you collect WFP events in LEM, SolarWinds recommends tuning WFP in your Active Directory group
policies to decrease the load that background events place on the LEM Manager. The following tables
describe alerts located in the Event Distribution Policy in LEM Manager. You can filter out these events by
clearing the appropriate check boxes in the Console, Database, Warehouse, and Rules columns. LEM will
process the remaining events.

In LEM, the terms event and alert are interchangeable.

SolarWinds recommends disabling WFP alerts using Group or Local Policy.


The ProviderSID value in the following alerts carries the Windows Security Auditing event ID, where the
event ID is one of the Windows event IDs listed in the following table.

ALERT NAME            WINDOWS EVENT IDS
TCPTrafficAudit       5152, 5154, 5156, 5157, 5158, 5159
IPTrafficAudit        5152, 5154, 5156, 5157, 5158, 5159
UDPTrafficAudit       5152, 5154, 5156, 5157, 5158, 5159
ICMPTrafficAudit      5152, 5156, 5157, 5158, 5159
RoutingTrafficAudit   5152, 5156
PPTPTrafficAudit      5152

TABLE OF DESCRIPTIONS BY EVENT ID

EVENT ID   BRIEF DESCRIPTION
5152       Windows Filtering Platform blocked a packet
5154       Windows Filtering Platform permitted an application or service to listen on a port for
           incoming connections
5156       Windows Filtering Platform allowed a connection
5157       Windows Filtering Platform blocked a connection
5158       Windows Filtering Platform permitted a bind to a local port
5159       Windows Filtering Platform blocked a bind to a local port
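The following PowerShell script is an added example for this topic; it is not part of this guide or of LEM. It measures how many WFP events (IDs 5152 through 5159 from the tables above) a Windows host has written to its Security log, shows the current state of the two Advanced Audit Policy subcategories that produce them, and disables those subcategories with auditpol, which is the Local Policy change recommended above. The mapping of event IDs to subcategories (Filtering Platform Packet Drop for 5152, Filtering Platform Connection for the rest) is supplied by this example, not by the guide. Run it from an elevated prompt on the host being tuned.

```powershell
# Added example; not SolarWinds code or part of LEM. Measures WFP audit noise on a Windows
# host and disables the two Advanced Audit Policy subcategories that produce event IDs
# 5152-5159. Run from an elevated PowerShell prompt on the host being tuned.
# Assumption (not from the guide): 5152 comes from "Filtering Platform Packet Drop" and
# 5154-5159 from "Filtering Platform Connection". If a domain GPO enforces audit policy,
# a local auditpol change is overwritten at the next policy refresh; change the GPO instead
# (Computer Configuration > Windows Settings > Security Settings > Advanced Audit
# Policy Configuration > Object Access).

$WfpSubcategoryByEventId = @{
    5152 = 'Filtering Platform Packet Drop'  # blocked a packet
    5154 = 'Filtering Platform Connection'   # permitted listen on a port
    5156 = 'Filtering Platform Connection'   # allowed a connection
    5157 = 'Filtering Platform Connection'   # blocked a connection
    5158 = 'Filtering Platform Connection'   # permitted a bind to a local port
    5159 = 'Filtering Platform Connection'   # blocked a bind to a local port
}

# Count WFP events per ID written in the last N hours: the volume LEM would have to ingest.
function Get-WfpEventVolume {
    param([int]$Hours = 1)
    $filter = @{
        LogName   = 'Security'
        Id        = [int[]]$WfpSubcategoryByEventId.Keys
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    $events | Group-Object Id | ForEach-Object {
        [pscustomobject]@{
            EventId     = [int]$_.Name
            Subcategory = $WfpSubcategoryByEventId[[int]$_.Name]
            Count       = $_.Count
            PerHour     = [math]::Round($_.Count / $Hours, 1)
        }
    } | Sort-Object Count -Descending
}

# Show whether each WFP subcategory is currently audited for success and/or failure.
function Get-WfpAuditPolicy {
    foreach ($sub in ($WfpSubcategoryByEventId.Values | Sort-Object -Unique)) {
        auditpol /get /subcategory:"$sub"
    }
}

# Turn both subcategories off, which stops 5152-5159 at the source instead of in LEM.
function Disable-WfpAudit {
    foreach ($sub in ($WfpSubcategoryByEventId.Values | Sort-Object -Unique)) {
        auditpol /set /subcategory:"$sub" /success:disable /failure:disable | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol could not change '$sub'" }
    }
}

# Usage: measure first so you can document the reduction, then disable and re-check.
#   Get-WfpEventVolume -Hours 1 | Format-Table -AutoSize
#   Get-WfpAuditPolicy
#   Disable-WfpAudit
#   Get-WfpAuditPolicy
```

Measure before you disable so that the reduction in Security log volume can be documented, and keep in mind that turning these subcategories off removes the events from the host's own Security log as well, not only from LEM.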

Securing LEM
This section documents how to secure LEM to prevent unauthorized access.

In this section:

• LEM security checklist: Ensure that only authorized users can access LEM 75

• Restrict SSH access to the LEM CMC interface 76

• Restrict access to the LEM reports application 77

• Enable transport layer security (TLS) in the LEM reports application 78

LEM security checklist: Ensure that only authorized users can access LEM
Complete the tasks on this checklist to help prevent unauthorized users from accessing LEM.

In this topic:

  • General security tasks 75

• Securing the CMC command-line interface 76

• Securing the LEM reports application 76

General security tasks


 1. Read the "Log & Event Manager Appliance Security and Data Protection" blog post on Thwack:
https://thwack.solarwinds.com/community/solarwinds-community/product-blog/blog/2015/03/02/log-event-manager-appliance-security-and-data-protection
 2. Run the activate command from the CMC command line.
See "Run the activate command to secure LEM and configure network settings" on page 39 for
steps.
 3. Set the minimum password requirements for local LEM user accounts.
See "Set the global password policy for LEM users" on page 108 for steps.
 4. Restrict the filters that Monitor role users can access.
See "Specify the filters that users assigned the Monitor role can use in the LEM console" on
page 129 for steps.


Securing the CMC command-line interface


 1. Change the default CMC password.
See "Change the LEM CMC password" on page 128 for steps.
 2. Restrict SSH access to the CMC command-line interface.
(Optional) This procedure is an allowlist: it blocks every CMC login except those that come from an
explicitly allowed IP address or host name.
See "Restrict SSH access to the LEM CMC interface" below for steps.

Securing the LEM reports application


 1. Secure the LEM reports application.
See "Restrict access to the LEM reports application" on the facing page for steps.
 2. Enable transport layer security (TLS) between the LEM reports application and the LEM
database.
(Optional) The Transport Layer Security (TLS) option introduces an extra level of security for data
transfers between a LEM database and the Reports application.
See "Enable transport layer security (TLS) in the LEM reports application" on page 78 for steps.

Restrict SSH access to the LEM CMC interface


In this topic:

  • To remove access restrictions from the CMC interface 77

Users who have CMC command-line interface (CLI) access can connect to the LEM VM and perform
administrative tasks. You can restrict SSH access to the CMC interface by IP address or host name. This
optional procedure is an allowlist: it blocks every CMC login except those that come from an explicitly
allowed IP address or host name, so make sure the list includes every host you administer LEM from
before you apply it.

To restrict SSH access to the CMC command line:

 1. Open the CMC command line. See "Log in to the LEM CMC command line interface" on page 34 for
steps.
 2. Type service and press Enter.
 3. Type restrictssh and press Enter.
 4. Complete the wizard to limit access to the LEM CMC console by IP address or host name. You can
enter multiple addresses and host names separated by a space.

Test the restriction by attempting to log in from a host or IP address that is not on the list; the login
should be refused. Then confirm that you can still log in from each allowed host and IP address.

To remove access restrictions from the CMC interface
Complete the steps to allow users from any IP address or host name to access the CMC interface using
SSH.

 1. Open the CMC command line. See "Log in to the LEM CMC command line interface" on page 34 for
steps.
 2. Type service and press Enter.
 3. Type unrestrictssh and press Enter.
 4. Complete the wizard to remove access restrictions.

Confirm that the restriction is removed by logging in from a host or IP address that was previously blocked.

Restrict access to the LEM reports application


This topic documents how to secure the LEM reports application so that only authorized users can access
it.

In this topic:

  • Understand your options for securing LEM reports 77

• Restrict access to LEM reports to specific computers 78

• Remove all LEM reports access restrictions 78

Understand your options for securing LEM reports


LEM allows unrestricted access to the LEM reports application by default. The following options are
available to limit who can access the reports application:

• Access can be restricted to specific computers.
• Access can be restricted by port number. The reports application communicates over port 9001.
You can restrict access to this port the same way that you restrict SSH access to LEM on port 32022, or
LEM console access on ports 8443/8080.
• The LEM reports application can be configured to require a user name and password.

To encrypt communication between the LEM reports application and the LEM database, see "Enable
transport layer security (TLS) in the LEM reports application" on the next page.


Restrict access to LEM reports to specific computers


 1. Open the CMC command line. See "Log in to the LEM CMC command line interface" on page 34 for
steps.
 2. At the cmc> prompt, type service.
 3. At the cmc::service> prompt, type restrictreports.
 4. When prompted, press the Enter key.
 5. Enter the IP addresses of the computers that you want to allow to run the LEM reports application,
separated by spaces.

Ensure that the list you provide is complete. Your entry will override any previous entries.

 6. Type y to confirm your entry.


 7. Type exit to return to the cmc> prompt.
 8. Type exit to log out of the CMC command line.

Remove all LEM reports access restrictions


 1. Open the CMC command line. See "Log in to the LEM CMC command line interface" on page 34 for
steps.
 2. At the cmc> prompt, type service.
 3. At the cmc::service> prompt, type unrestrictreports.
 4. When prompted, press the Enter key.

Removing LEM reports restrictions will make the LEM database accessible to any computer on
your network that is running the LEM reports application.

 5. Type exit and press Enter to return to the cmc> prompt.
 6. Type exit and press Enter to log out of the CMC command line.

Enable transport layer security (TLS) in the LEM reports application


In this topic:

  • Enable TLS on a standalone LEM VM or appliance 79

• Set up a dedicated LEM user for accessing reports 80

• Configure the Reports application to use TLS 80

• Enable TLS on a LEM Manager with a separate database appliance 81

• Import certificates into the LEM Manager and database 82

• Import a self-signed certificate into the LEM Manager 82

The Transport Layer Security (TLS) option introduces an extra level of security for data transfers between
the LEM reports application and the LEM database.

• By default, TLS is disabled on versions of LEM that have been upgraded from LEM version 6.0.1 or
earlier.
• The procedure to enable TLS differs depending on your LEM configuration (standalone or with a
dedicated database appliance).
• When enabling TLS, the LEM certificate for accessing the web or AIR console needs to be rebuilt.
Machines used to access the LEM web or AIR console must re-import their certificates.

Enable TLS on a standalone LEM VM or appliance


Use these steps if the LEM database is located on the same VM or appliance as the LEM Manager. This is
the most common arrangement.

 1. Open the CMC command line. See "Log in to the LEM CMC command line interface" on page 34 for
steps.

Steps 2 – 6 below are required to upgrade older versions of LEM. If you have LEM version 6.0.1
or later, go to step 7. The default hostname is swi-lem.

 2. At the cmc> prompt, type appliance.


 3. At the cmc::appliance> prompt, type hostname.
 4. Enter the name of the LEM Manager at the prompt “Please enter the new hostname…”

Enter the currently-used hostname if you do not want the LEM Manager name to change.


 5. At the cmc::appliance> prompt, type exit.


 6. At the cmc> prompt, type manager.
 7. At the cmc::manager> prompt, type exportcert.
 8. Follow the prompts to export the LEM Manager CA certificate.
An accessible network share is required. When the export succeeds, you will see a message such as:
Exporting CA Cert to \\server\share\SWICAert-hostname.crt ... Success.
 9. At the cmc::manager> prompt, enter enabletls.
 10. At the cmc::manager> prompt, enter restart.

Set up a dedicated LEM user for accessing reports

Starting with LEM 6.0.1, a user account with the Reports role is required to access LEM from the LEM
reports application.

• If a suitable user with the Reports role already exists, go to "Configure the Reports application to use
TLS" below.
• An Active Directory user can be a Reports user if LEM is set up to authenticate to Active Directory.
See "Import an Active Directory user into LEM" on page 102 and specify the Reports role in the LEM
Groups field.
• Otherwise, complete the following steps to create a user with the Reports role in the LEM console.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Build > Users.
 3. Click + to create a new LEM user.
 4. Complete the fields as required.
 5. Select the Reports option from the LEM Role drop-down menu.

The Administrator and Auditor roles can also query LEM using the LEM reports application.

 6. Save the new user.

Configure the Reports application to use TLS


 1. Start the LEM reports application. See "Open the LEM reports application" on page 369 for steps.
 2. Click the Configure drop-down menu and select Managers > Credentials and Certificates.
 3. Click the green button.
 4. Enter the Manager IP or hostname.
 5. Fill in the credentials of the user created previously in the LEM web console.

 6. Select the Use TLS connection option.

You can also ping the address you specified by clicking Test Connection. This test does not validate the
credentials and does not check whether TLS is available on the Manager.

 7. Click the green button again to add a new Manager.


 8. Click the Certificates tab.
 9. Click Import Certificate.
 10. Browse to and open the LEM certificate (in the network share folder specified during the certificate
export).
 11. If LEM is configured with a dedicated database appliance, import the certificate exported from the
database appliance instead.
 12. Close the Manager Configuration window.

If LEM changed its host name, importing the LEM CA certificate again is not required.
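The following PowerShell function is an added example; it is not SolarWinds code or part of the reports application. After you have run enabletls and imported the exported CA certificate, it confirms from a reports workstation that the Manager actually answers with TLS and that the certificate it presents chains to the exported CA, which are the two things Test Connection does not check. It assumes that port 9001, the reports application port named earlier in this section, is the port on which the TLS connection is made, and that the CA file is the SWICAert-<hostname>.crt exported with exportcert; both are assumptions of the example, so adjust the parameters to your deployment.

```powershell
# Added example; not SolarWinds code. After 'enabletls', confirms from a reports
# workstation that the LEM Manager answers with TLS on the reports port and that the
# certificate it presents chains to the CA certificate exported with 'exportcert'.
# Assumptions: -Port 9001 (the reports application port named in this guide) is where
# the TLS connection is made, and -CaPath is the exported SWICAert-<hostname>.crt.
function Test-LemReportsTls {
    param(
        [Parameter(Mandatory)][string]$LemHost,
        [Parameter(Mandatory)][string]$CaPath,
        [int]$Port = 9001
    )
    $ca  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CaPath)
    $tcp = [System.Net.Sockets.TcpClient]::new($LemHost, $Port)
    # Accept any certificate during the handshake so it can be inspected; the chain is
    # evaluated explicitly below and no application data is sent on this connection.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
    try {
        try {
            $ssl.AuthenticateAsClient($LemHost)
        } catch {
            # Typical when enabletls has not been run: the port answers, but not with TLS.
            return [pscustomobject]@{ Host = $LemHost; Port = $Port; Tls = $false
                                      TrustedByExportedCa = $false; Error = $_.Exception.Message }
        }
        $server = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $chain  = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode    = 'NoCheck'
        $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'  # CA need not be in the Windows store
        [void]$chain.ChainPolicy.ExtraStore.Add($ca)
        $built = $chain.Build($server)
        $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        [pscustomobject]@{
            Host                = $LemHost
            Port                = $Port
            Tls                 = $true
            Protocol            = $ssl.SslProtocol
            ServerSubject       = $server.Subject
            ServerExpires       = $server.NotAfter
            ChainRoot           = $root.Subject
            TrustedByExportedCa = ($built -and ($root.Thumbprint -eq $ca.Thumbprint))
            Error               = $null
        }
    } finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }
}

# Usage from a workstation that runs the reports application:
#   Test-LemReportsTls -LemHost swi-lem -CaPath '\\server\share\SWICAert-swi-lem.crt' | Format-List
```

Tls = False means the port did not complete a TLS handshake, which is what you see before enabletls has been run and the Manager restarted. Tls = True with TrustedByExportedCa = False means the Manager presents a certificate that was not issued by the CA file you imported, for example because the certificate was rebuilt after the CA was exported; export the CA again and re-import it in the reports application.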

Enable TLS on a LEM Manager with a separate database appliance


Typically the LEM database is located on the same VM or appliance as the LEM Manager. If your LEM
deployment has a separate LEM database, follow these steps.

 1. Open the CMC command line. See "Log in to the LEM CMC command line interface" on page 34 for
steps.
 2. At the cmc> prompt, type appliance.
 3. At the cmc::appliance> prompt, type hostname.
 4. At the prompt Please enter the new hostname, enter a name for the LEM Manager.

If you do not want your LEM Manager name to change, enter the currently-used hostname.

 5. At the cmc::appliance> prompt, type exit.


 6. At the cmc> prompt, type manager.
 7. At the cmc::manager> prompt, type exportcert.
 8. Follow the prompts to export LEM CA certificate.

An accessible network share is required. Once the export is successful, the following message
displays:
Exporting CA Cert to \\server\share\SWICAert-hostname.crt ... Success.

 9. At the cmc::manager> prompt, type enabletls.

To use the custom CA to sign a database or LEM Manager certificate, generate and sign the
certificate after you change the hostname.


Import certificates into the LEM Manager and database


LEM Manager and database nodes need to trust each other’s certificates. This can be done by importing
certificates from both sides.

This procedure is not required if you upgraded from LEM 6.0.0 or earlier, or if version 6.0.1 or later
was deployed and the CA was used to sign both LEM certificates.

 1. Open the CMC command line. See "Log in to the LEM CMC command line interface" on page 34 for
steps.
 2. At the cmc> prompt, type manager.
 3. At the cmc::manager> prompt, type importl4ca.
 4. Choose the network share location specified during certificate export of Database.
 5. When prompted for a file name, specify the name of a Database certificate.
Enter the full file name, including the file extension.
 6. Open the cmc prompt on the LEM database machine.
 7. At the cmc> prompt, type manager.
 8. At the cmc::manager> prompt, enter importl4ca.
 9. Choose the network share location specified during certificate export of Manager.
 10. When prompted for a file name, specify the name of the LEM Manager certificate.

Next steps:

• "Set up a dedicated LEM user for accessing reports" on page 80
• "Configure the Reports application to use TLS" on page 80

Import a self-signed certificate into the LEM Manager


Use the importcert command in the CMC to import a certificate signed by any CA into the Manager.

 1. Open the CMC command line. See "Log in to the LEM CMC command line interface" on page 34 for
steps.
 2. At the prompt, enter manager.
 3. At the cmc::manager> prompt, type importcert.
 4. Choose the network share path.
 5. When prompted, confirm the share name.
 6. When prompted for a file name, enter the full name of the certificate, including the CER extension.
 7. When completed, the following message appears:
Certificate successfully imported.

Managing LEM system resources
This section describes how to manage the hardware and software resources that LEM requires to work
properly.

In this section:

  • Allocate CPU and memory resources to the LEM VM 83

• Manage LEM data storage 87

• LEM tuning and periodic maintenance tasks 93

Allocate CPU and memory resources to the LEM VM


By default, LEM deploys with 8GB of RAM and 2 CPUs on the VMware ESX(i) and Microsoft Hyper-V
platforms. For LEM to work properly, you must allocate sufficient CPU and memory resources to the LEM
VM. This topic describes how to check resource settings and make updates.

In this topic:

  • About incoming data traffic 84

• Use the LEM console to view resource allocations and VM details 84

• View vSphere reservation settings for LEM 85

• To change vSphere reservations for LEM 86

• View reservations settings using the CMC command-line 86

• View Hyper-V reservation settings for LEM 87

See LEM 6.3.1 system requirements in the LEM Installation Guide for hardware and software sizing
requirements.

As of version 6.3.0, LEM can send SNMP version 3 alerts to SolarWinds Network Performance
Manager (NPM). This configuration allows you to monitor CPU, memory, and other critical LEM
components from the SolarWinds Orion Web Console.

Log & Event Manager collects data from a continuous stream of traffic that fluctuates based on user,
server, and network activity. The type and volume of traffic varies based on the device sending the traffic
and the audit and log settings on those devices.


About incoming data traffic


Log & Event Manager receives syslog and SNMP trap data through up to 500 connectors that accept data
from a wide range of supported devices. These connectors translate (or normalize) the data into a readable
and understandable format you can view in the LEM console.

The normalized events display in the Monitor view, pass through the rules engine for specified actions, and
move into a database for retrieval by the LEM reports application or the nDepth search function. To process
the data in real time, Log & Event Manager requires system resource reservations from the virtual appliance
host.

When the volume of traffic exceeds 15 million events per day, be sure to reserve additional system
resources to support the additional data traffic.

Use the LEM console to view resource allocations and VM details


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Manage > Appliances.
The Appliances grid lists the LEM VMs registered with the console and their corresponding details.

Below the Appliances grid, the Details pane lists information about the selected VM. (If the Details
and Properties panes are not visible, click the Appliances tab at the bottom of the screen.)

Details pane descriptions

FIELD                DESCRIPTION
Platform             The Manager platform name, which can be Trigeo SIM, VMware vSphere, or Microsoft
                     HyperV.
CPU Reservation      The amount of CPU capacity reserved for the VM. A reservation ensures enough host
                     resources are available for the allocated CPUs.
Number of CPUs       The number of processors allocated to the virtual appliance.
Memory Allocation    The maximum amount of memory the Manager can use. Set this value at or above the
                     reservation value. You can define this value in the VM configuration. Setting memory
                     allocation to a greater value than the memory reservation has little effect on LEM
                     performance.
Memory Reservation   The amount of memory reserved for this system.
Status               The current connection status of the selected Manager or appliance.
Name                 The Manager or appliance name.
Type                 The appliance type (Manager, Database Server, nDepth Server, Logging Server, or
                     Network Sensor).
Version              The Manager or appliance software version.
IP Address           The Manager or appliance IP address.
Port                 The port number used by the LEM console to communicate with the Manager or
                     appliance.

You can also view reservation settings in the vSphere client or from the CMC command line over SSH (using
a client such as PuTTY), as described below.

View vSphere reservation settings for LEM


You can view reservation settings using the vSphere client. See your VMware vSphere documentation for
details about configuring resources, reservations, and storage on a vSphere virtual machine.

 1. Log in to the vSphere client and open the VM settings to check the reservations.
 2. Select LEM from the list (the name listed may not be the host name), and view the Summary tab to find
the number of CPUs (such as 2 vCPU).

LEM requires at least two CPUs. The highest working setting for any LEM appliance is 16 CPUs.


 3. Provisioned Storage on the right side of the screen shows the total disk space LEM can use.
• If LEM is thick provisioned, the used storage is always the total disk space.
• Thin provisioning allows the used storage to grow up to the total amount of storage allocated.
 4. On the Resource Allocation tab, note the CPU reservation on the left and the memory reservation on
the right.
 5. At the bottom left, check the CPU reservation. 2.0 GHz is LEM's minimum setting. To reserve more, see
your VMware documentation for configuration information.
 6. At the bottom right, check the memory reservation. This reservation is normally set at 8 GB or higher.
The memory allocation must be the same as or higher than the reservation. Memory reservations can be set
as high as 64 GB of RAM, which can support over 150 million events per day.

To change vSphere reservations for LEM


 1. Shut down the LEM VM. See "Starting and Stopping LEM components" on page 48 for steps.
 2. Right-click the LEM VM and select Edit Settings. On the Hardware tab, change the allocated memory
size.
 3. On the Resources tab, change the CPU and memory reservations. Set the limit to Unlimited for both
CPU and memory.
 4. Click OK to save the changes.
 5. Use the vSphere console to start the LEM VM.

View reservations settings using the CMC command-line


 1. Open the CMC command line. See "Log in to the LEM CMC command line interface" on page 34 for
steps.
 2. Type manager at the cmc> prompt.
 3. Type viewsysinfo and press Enter.
The system returns memory and CPU information, as well as LEM version and license information.
 4. Type :q to return to the cmc::manager> prompt.
 5. Type exit to exit the manager menu.
 6. Type exit at the cmc> prompt to exit the CMC command line.

View Hyper-V reservation settings for LEM
Use the following tables to verify your Hyper-V client settings. For details about setting resources,
reservations, and storage on a Hyper-V virtual appliance, see your Microsoft Hyper-V documentation.

MEMORY SETTINGS

SETTING         VALUE
Static RAM      8GB, 16GB, 24GB, 32GB, 64GB, 128GB, 256GB
Memory Weight   High

CPU SETTINGS (WINDOWS SERVER 2008)

SETTING                   VALUE
Number of processors      2, 4, 6, 8, 10, 12, 14, 16
VM reserve CPU cycles     100%
Limit CPU Cycles          100%
Relative weight for CPU   100%

CPU SETTINGS (WINDOWS SERVER 2012)

SETTING              VALUE
CPU memory details   Click the Advanced tab and set the view and details
CPU Priority         High
Reserve CPU cycle    100%
Limit CPU cycles     100%
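The following PowerShell function is an added example, not SolarWinds code. Run on the Hyper-V host, it reads the LEM VM's processor and memory settings with the Hyper-V module and compares them with the values in the tables above, and with -Fix it applies those values. It assumes the Hyper-V PowerShell module is installed, that the VM is named LEM (change -VMName otherwise), and, because Hyper-V exposes memory weight as a number rather than as "High", it treats a Set-VMMemory -Priority value of 50 or above as "High"; that threshold is the example's assumption, not a value from the guide.

```powershell
# Added example; not SolarWinds code. Checks a Hyper-V VM against the LEM values in the
# tables above and, with -Fix, applies them. Assumes the Hyper-V PowerShell module is
# installed on the Hyper-V host and that the VM name (default 'LEM') is correct.
# Assumption (not from the guide): 'Memory Weight: High' is represented by a numeric
# memory priority of 50 or more.
function Test-LemHyperVSettings {
    param([string]$VMName = 'LEM', [switch]$Fix)

    $cpu = Get-VMProcessor -VMName $VMName
    $mem = Get-VMMemory    -VMName $VMName

    $checks = @(
        [pscustomobject]@{ Setting = 'Number of processors (2-16)';      Value = $cpu.Count;               Ok = ($cpu.Count -ge 2 -and $cpu.Count -le 16) }
        [pscustomobject]@{ Setting = 'VM reserve CPU cycles (100%)';     Value = $cpu.Reserve;             Ok = ($cpu.Reserve -eq 100) }
        [pscustomobject]@{ Setting = 'Limit CPU cycles (100%)';          Value = $cpu.Maximum;             Ok = ($cpu.Maximum -eq 100) }
        [pscustomobject]@{ Setting = 'Relative weight for CPU (100)';    Value = $cpu.RelativeWeight;      Ok = ($cpu.RelativeWeight -eq 100) }
        [pscustomobject]@{ Setting = 'Static RAM (dynamic memory off)';  Value = $mem.DynamicMemoryEnabled; Ok = (-not $mem.DynamicMemoryEnabled) }
        [pscustomobject]@{ Setting = 'Startup RAM (8 GB or more)';       Value = "$($mem.Startup / 1GB) GB"; Ok = ($mem.Startup -ge 8GB) }
        [pscustomobject]@{ Setting = 'Memory weight High (assumed >= 50)'; Value = $mem.Priority;          Ok = ($mem.Priority -ge 50) }
    )

    if ($Fix -and ($checks | Where-Object { -not $_.Ok })) {
        # Processor and static-memory changes need the VM powered off. Shut LEM down cleanly
        # first (see "Starting and Stopping LEM components") rather than stopping it from here.
        if ((Get-VM -Name $VMName).State -ne 'Off') {
            throw "Shut down '$VMName' cleanly before applying -Fix."
        }
        Set-VMProcessor -VMName $VMName -Count ([math]::Max(2, $cpu.Count)) -Reserve 100 -Maximum 100 -RelativeWeight 100
        Set-VMMemory    -VMName $VMName -DynamicMemoryEnabled $false -StartupBytes ([math]::Max(8GB, $mem.Startup)) -Priority 100
        return Test-LemHyperVSettings -VMName $VMName   # re-read and report the new state
    }
    $checks
}

# Usage (on the Hyper-V host):
#   Test-LemHyperVSettings -VMName 'LEM' | Format-Table -AutoSize
#   Test-LemHyperVSettings -VMName 'LEM' -Fix
```

Run the check without -Fix first; any row with Ok = False is a setting that differs from the tables. The -Fix path deliberately refuses to run against a powered-on VM so that LEM is stopped through its own procedure rather than by cutting power.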

Manage LEM data storage


This topic addresses LEM database management.

In this topic:

  • About the three LEM data stores 88

• Strategies for managing your LEM data storage needs 88


• Viewing LEM database usage numbers 89

• Create a disk usage alert in LEM to warn you when a disk reaches a set limit 90

About the three LEM data stores


By default, the LEM database is allowed 230 GB of the 250 GB allocated to the LEM virtual appliance. This
partition consists of three data stores:

• Syslog store
• Events store
• Original or raw log data store (optional)

The syslog store consists of all syslog or SNMP log data sent to the LEM VM. LEM reads and processes the
data in real time, and then sends it to the event store for long-term storage. LEM keeps the original data for
50 days in its original format (in case you need to review it). The data in the syslog store is compressed and
rotated daily to maintain a consistent 50 days' worth of data, so the amount of data stored here should
level off at around the 50-day mark.

The event store (the second store) contains all normalized events generated by the LEM Manager and LEM
Agents. Data in this store is compressed at ratios of 40:1 to 60:1, which removes roughly 97–98% of the
original volume. Both nDepth and the LEM reports application query the event store for event data when
they run.

The original log store (the third store) is an optional store for original or raw log messages that can be
searched using Log Message queries in nDepth. The data in this store can come from LEM Agents or other
devices logging to the LEM appliance. You can configure if data is sent to this store at the connector level,
so not all devices have to store raw log messages in this manner.

For more information about storing original log messages, see "Configure LEM to store original log
messages (nDepth log retention)" on page 66.

Strategies for managing your LEM data storage needs


Depending on the needs of your environment, you can use one or more of the alternate storage methods
listed below.

• Back up the LEM VM on a regular basis. This will provide offline storage for your LEM data stores.
• Decrease the number of days that syslog/SNMP data is stored in LEM.
• Deploy another LEM VM to be used as a syslog server.
• Deploy another LEM VM to be used as a database server.
• Increase the space allocated to your LEM VM.

To get help with any of these methods, submit a ticket to Customer Support:

https://customerportal.solarwinds.com/support/submit-a-ticket

Viewing LEM database usage numbers


There are three locations to find metrics that indicate how the LEM database is used:

• Disk Usage summary in the CMC
• Database maintenance report
• Log storage maintenance report

VIEW THE DISK USAGE SUMMARY

When you log in to the LEM command line, LEM automatically generates a Disk Usage summary. You can
also generate an ad hoc disk usage summary by running the diskusage command at the cmc::appliance>
prompt. The two lines to note are Logs/Data and Logs.

• The Logs/Data figure represents the total space used by the LEM database. This value is presented in
the format percent% (usedG/allocatedG), where percent is the percentage of the allocated space currently
in use, used is the space currently occupied, and allocated is the total amount of space currently allocated
to the LEM database.
• The Logs figure represents the amount of space used by the syslog store. This figure is included in the
used figure noted above. To work out how much space is currently used by the event store, subtract the
Logs value from the used value. If you are also storing original log messages in the LEM database, this
calculation gives the combined space used by the event store and the original log store.

VIEW THE DATABASE MAINTENANCE REPORT

Run the Database Maintenance Report in LEM reports to view a snapshot of your current database usage.
The report includes the following values:

• Disk Usage Summary – provides disk usage values in terms of the percentage of space allocated to the
LEM database
• Disk Usage Details – provides disk usage values in terms of physical file size
• Database Time Span (days) – shows how many days' worth of live event data is currently stored in the
LEM database
• Other Files – represents the amount of space used by the syslog store

For more information, see the following KB article in the Customer Success Center:
"Use the LEM Database Maintenance Report to See Retention and Volume of Traffic."
https://support.solarwinds.com/Success_Center/Log_Event_Manager_(LEM)/Use_the_LEM_Database_Maintenance_Report_to_See_Retention_and_Volume_of_Traffic


VIEW THE LOG STORAGE MAINTENANCE REPORT

Run the log storage maintenance report in LEM reports to get detailed information about the original log
store. If you have not enabled LEM to store original log messages, this report will be blank.

For more information, see the "Live Data Storage Retention in LEM" knowledge base article in the
Customer Success Center:

https://support.solarwinds.com/Success_Center/Log_Event_Manager_(LEM)/Live_Data_Storage_
Retention_in_LEM

Create a disk usage alert in LEM to warn you when a disk reaches a set limit
You can create a disk usage alert from the CMC command line to warn you when a disk partition reaches a
preselected use limit. When the limit is reached, an InternalWarning event displays in the Monitor
view.

You can define the disk use limit by the percentage of unavailable disk space (such as 75%), or by the
amount of free disk space (such as 58G).

TO CREATE THE DISK USAGE ALERT:

 1. Open the CMC command line. See "Log in to the LEM CMC command line interface" on page 34 for
steps.
 2. At the cmc> prompt, enter appliance to access the Appliance menu.

 3. At the cmc::appliance> prompt, enter diskusage to view the disk use of each partition. For
example:

cmc::appliance > diskusage

Checking Disk Usage (this could take a moment)
... ....00.00.00.00.00.00.00.
Partition Disk Usage:
LEM: 35% (991M/3.0G)
OS: 45% (1.3G/3.0G)
Logs/Data: 1% (901M/234G)
Temp: 2% (252M/5.9G)

Database Queue(s): 4.0K (No alerts queued, 0 alerts waiting in memory)
Rules Queue: 2.1M (0 alerts queued, 0 alerts waiting in memory)
Console Queue: 2.1M (0 alerts queued, 0 alerts waiting in memory)
DataCenter Queue: 2.1M (0 alerts queued, unknown number of alerts waiting in memory)
EPIC Rules Queue: 2.1M (0 alerts queued, 0 alerts waiting in memory)
Forensic Database Queue: 2.1M (0 data queued, unknown number of data items waiting in memory)
Logs: 1.3M
Tool Profiles Message Queue: 2.1M (0 alerts queued, unknown number of alerts waiting in memory)

cmc::appliance >


 4. At the cmc::appliance> prompt, enter diskusageconfig.
Each partition and corresponding disk use limit displays on your screen. For example:

cmc::appliance > diskusageconfig

Current Disk Usage Configuration:
# | Partition (filesystem) | Configured limit
===============================================
1 | LEM (/usr/local) | 90%
2 | OS (/) | 90%
3 | Logs/Data (/var/) | 10G
4 | Temp (/tmp) | 90%
You can define your disk use limit by the percentage of unavailable disk space (such as 75%) or the amount of free disk space (such as 58G).
Enter the partition number you want to change (enter 'exit' and press <Enter> to quit):

 5. Enter the partition number you want to change, and then press Enter.
 6. Enter the disk usage limit value in percentage (such as 75%) or size (such as 58G), and then press
Enter.
For example, to change the OS disk partition limit in step 3 from 45% to 40%, enter 40%. To change
the OS disk partition limit from 1.3 GB to 2.0 GB, enter 2GB.

Disk usage limit [90%, sizeK, sizeM, sizeG, sizeT] (default 90%): 40%
Limit '40%' for the 'OS' partition is set.
Press <Enter> to set the next partition. Enter 'exit' and press <Enter> to quit:

 7. Press Enter to set the next partition and repeat step 6 (if required).
See "Change the Logs/Data partition setting" below for additional information.
 8. When you are finished, type exit, and then press Enter to quit.
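
The two kinds of limit used above (a percentage of space in use versus an amount of free space) are easy to get backwards when you script a check against the appliance. The following Python script is an added example, not part of this guide or of LEM itself; it parses the partition lines from the diskusage output shown in step 3 and evaluates them against limits written in the same form that diskusageconfig displays. The "reaches the limit" comparisons (used percentage at or above a percentage limit, free space at or below a size limit) and the binary (1024-based) size units are assumptions made for the example.

```python
import re

# Constructed sample input: the partition lines from the "diskusage" output
# shown in this guide.
SAMPLE_DISKUSAGE = """\
Checking Disk Usage (this could take a moment)
Partition Disk Usage:
LEM: 35% (991M/3.0G)
OS: 45% (1.3G/3.0G)
Logs/Data: 1% (901M/234G)
Temp: 2% (252M/5.9G)
"""

# Constructed sample limits, in the form "diskusageconfig" displays them.
SAMPLE_LIMITS = {"LEM": "90%", "OS": "90%", "Logs/Data": "10G", "Temp": "90%"}

# Assumption: K/M/G/T are binary (1024-based) units; a trailing "B" is tolerated.
_UNITS = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}
_SIZE_RE = re.compile(r"([\d.]+)([KMGT])B?")
_LINE_RE = re.compile(
    r"^(?P<name>[\w/]+):\s+(?P<pct>\d+)%\s+"
    r"\((?P<used>[\d.]+[KMGT])/(?P<total>[\d.]+[KMGT])\)$"
)


def parse_size(text):
    """Convert a size such as '991M', '3.0G' or '2GB' to bytes."""
    m = _SIZE_RE.fullmatch(text.strip().upper())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def parse_diskusage(output):
    """Return {partition: {'pct': used %, 'used': bytes, 'total': bytes}}.

    Lines that are not partition lines (the progress indicator, the queue
    sizes) are skipped.
    """
    partitions = {}
    for line in output.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            partitions[m.group("name")] = {
                "pct": int(m.group("pct")),
                "used": parse_size(m.group("used")),
                "total": parse_size(m.group("total")),
            }
    return partitions


def limit_reached(partition, limit):
    """True when the partition has reached the configured limit.

    A percentage limit is the maximum share of the partition that may be in
    use; a size limit (58G, 10G, ...) is the minimum free space that must
    remain.  Treating both the same way is the usual scripting mistake.
    """
    if limit.endswith("%"):
        return partition["pct"] >= int(limit[:-1])
    free = partition["total"] - partition["used"]
    return free <= parse_size(limit)


def evaluate(output, limits):
    """Map each configured partition to whether its limit has been reached."""
    partitions = parse_diskusage(output)
    return {
        name: limit_reached(partitions[name], limit)
        for name, limit in limits.items()
        if name in partitions
    }


if __name__ == "__main__":
    for name, reached in evaluate(SAMPLE_DISKUSAGE, SAMPLE_LIMITS).items():
        print(f"{name}: {'LIMIT REACHED' if reached else 'ok'}")
```

With the sample limits no partition is at its limit. Lowering the OS limit to 40% (the example used in step 6) flags OS, which is 45% used, and a free-space limit of 300G flags Logs/Data, because roughly 233 GB of its 234 GB is free and that is below the limit.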

CHANGE THE LOGS/DATA PARTITION SETTING

When you set the Logs/Data partition (3), a message prompts you to consider changing the database disk
configuration using the dbdiskconfig command. SolarWinds recommends setting the Logs/Data
partition and the database disk configuration to the same value.

TO CHANGE YOUR DATABASE DISK CONFIGURATION:

 1. Finish configuring your partitions.
 2. At the cmc::appliance> prompt, enter dbdiskconfig.
The following message displays:

Current configuration:
DoNotExceedPercentage = 90%

The Manager will restart and apply your changes. To exit, enter 'exit' and press Enter.
Enter a new value for DoNotExceedPercentage (default 90):
Please enter an inter number 0-100 or 'exit'

 3. At the prompt, enter a usage limit value between 0 and 100, and then press Enter.

If you enter a value less than 25, the partition will be deleted when this value is reached.

The database disk configuration value is saved, and the appliance restarts the Manager Service.

VIEW A DISK USAGE EVENT

Log in to your LEM console as an administrator and click to open Monitor view. The event displays in the All
Events grid.

For example, if you set the OS disk partition limit as a percentage, the following event displays in the All
Events grid when the limit is reached:

If you set the OS disk partition limit as a file size, the following event displays in the All Events grid when
the limit is reached.

Select the event in the grid and review the content in the Event Details tab for additional information.

LEM tuning and periodic maintenance tasks


SolarWinds recommends that you complete the tasks in this topic to ensure that LEM performs optimally
as your network changes.

Complete the following tasks to ensure that LEM uses processor and memory resources efficiently.


REVIEW YOUR RULE CONFIGURATIONS

Review your rules periodically to ensure that they are not triggering too frequently. This can be caused by:

 l Low threshold settings. Consider increasing the threshold for rules that trigger due to network
traffic.
 l Broadly-defined conditions. Define rules to apply only to specific user names, IP addresses, or
systems. Consider whether a different set of rules with different conditions could serve two distinct
areas of your environment.
 l Rules using event groups instead of a single event or subset of events. Rules that detect
authentication or network traffic may trigger on additional events, but may only apply to a subset
of those events.

VALIDATE YOUR VIRTUAL APPLIANCE RESERVATIONS

System requirements can change over time, so periodically review your resource allocations. See
"Managing LEM VMs and appliances in the LEM console " on page 51 for details.

Integrating LEM with other SolarWinds products
This section describes how to configure LEM to work in combination with other SolarWinds products.

In this section:

  • Monitor LEM from NPM and the Orion Web Console using SNMP 96


Monitor LEM from NPM and the Orion Web Console using SNMP
In this topic:

  • Step 1: Enable the SNMP Request Service 96

• Step 2: Set up the Orion Console for SNMP monitoring 96

• Troubleshooting your Orion connection 98

If you use Network Performance Manager (NPM) and the SolarWinds Orion Web Console, you can monitor
CPU, memory, and other critical resources used by LEM from the Orion Web Console. Complete the steps in
this topic to configure LEM to communicate with NPM.

As of version 6.3.0, LEM can use SNMP version 3 to communicate with SolarWinds Network
Performance Manager (NPM). Versions of LEM older than 6.3.0 can send SNMP traps to other
devices when rules fire, but older LEM versions do not support sending health or status updates to
other devices over SNMP.


Step 1: Enable the SNMP Request Service


See "Send SNMP traps from LEM to other applications by turning on the SNMP Request Service" on
page 64 for details. After you enable and configure the SNMP Request Service, go to the next step, "Set up
the Orion Console for SNMP monitoring."

Step 2: Set up the Orion Console for SNMP monitoring


When you are finished enabling the SNMP Request Service, log in to the Orion Web Console and set up the
LEM Manager as a monitored node on the Orion Platform.

 1. Log in to your Orion Web Console as an administrator.


 2. Click Settings > Manage Nodes, and then click Add a Node.
If the node already exists and it is not managed, click the node and select Not Managed Node > Yes
to manage the node.
The Define Node window displays.

 3. In the Polling Hostname or IP Address field, enter the IP address of the LEM Manager.
 4. Under Polling Method, select Most Devices: SNMP and ICMP.

 5. Select your polling method settings.

 a. Select SNMPv3 for the SNMP version.


 b. Enter the port number used to access SNMP on the LEM appliance.
 c. Under SNMPv3 Credentials, enter the user name used to access SNMP on the LEM appliance.
 d. Under SNMPv3 Authentication, enter the hashing algorithm method and password.
 e. Under SNMPv3 Privacy / Encryption, enter the communication encryption algorithm and
password.
 f. Accept the default selections in the remaining options.
 6. Click TEST to test the connection.
Test Successful displays if the connection is good.


 7. Click Next.


Orion authenticates the LEM Manager and runs a discovery to locate the resources available to
monitor on the LEM appliance. The discovered resources will list all of the elements that are
available to monitor. Orion will automatically provide a list of selected resources based on the device
type.
 8. In the Choose Resources window, select the resources to monitor on the node, and click Next.
 9. In the Add Application Monitors window, click Next.
 10. In the Change Properties window, click Next.
 11. Click OK, Add Node.
The LEM appliance is added to the Orion Web Console for monitoring.

Troubleshooting your Orion connection


If you cannot establish a connection between your LEM appliance and the Orion Platform:

 l Ensure that the settings you entered in the Define Node window match the settings used to enable
the SNMP Request Service.
 l Review the Orion logs located at c:\ProgramData\SolarWinds\Discovery for errors.

See Unable to add nodes through the Web Console for additional troubleshooting information.

Managing users in LEM
This chapter contains topics related to managing LEM user accounts, including managing user access to
LEM data.

In this chapter:

  • Adding and managing LEM users 100

• Set the global password policy for LEM users 108

• Set up Active Directory authentication in LEM 109

• Set up Active Directory authentication in LEM 6.3.0 and older 116

• Set up single sign-on (SSO) in LEM 119

• Change the LEM CMC password 128

• Specify the filters that users assigned the Monitor role can use in the LEM console 129


Adding and managing LEM users


Access to LEM data requires a user account. Even basic access, such as receiving notifications sent by LEM
through email or SMS text message, requires a user account.

In this topic:

  • About LEM roles 100

• About LEM user accounts 101

• How Active Directory accounts work in LEM 102

• Import an Active Directory user into LEM 102

• Create a local LEM user account 103

• View user accounts in the LEM console 105

• View the system privileges associated with a role 106

• Edit user account settings 107

• Delete a user account from a LEM Manager instance 107

About LEM roles


To restrict user access to sensitive data, user accounts need to be assigned to a LEM role. There are six
LEM role types: Administrator, Auditor, Monitor, Contact, Guest, and Reports. Role types are described in the
following table.

ROLE DESCRIPTION
Administrator The default user. This role cannot be deleted and has full access to the LEM console.
SolarWinds does not recommend multiple users sharing the Admin account for auditing purposes.

Auditor User has extensive view rights to the system, but cannot modify anything other than their own
filters.

Monitor User has read-only access to the LEM console. See "Specify the filters that users assigned the
Monitor role can use in the LEM console" on page 129 to configure the filters assigned to this role. Users
assigned to this role cannot edit filters.

Contact User cannot log in to the LEM console, but can receive external notifications such as email sent
to either the user's email address, imported distribution lists, or cellular email-to-SMS addressees for
texts. Use this role if you have an external incident resolution or trouble ticket system, or if you have a
user who does not need to access the console.

Guest User has extensive view rights to the system, but cannot modify anything other than their own
filters.

Reports User cannot log in to the LEM console, but can access the LEM reports application. This role can
access the LEM database over a secure channel if TLS encryption is enabled. See "Enable transport layer
security (TLS) in the LEM reports application" on page 78 for details.

Do not confuse roles and groups:

 l Roles restrict the actions a user can perform in LEM.


 l Groups organize related elements into logical units so that they can be used in LEM rules and
filters.

About LEM user accounts


There are two ways to add a user account in LEM:

 l Add an Active Directory user account


 l Create a local user account

SolarWinds recommends using Active Directory accounts if Microsoft Active Directory is in use at
your organization.

Each user should have a valid email address so that the user can receive notifications sent by LEM.
SolarWinds recommends that you create distinct users for each individual who needs to receive email
notifications from LEM Manager. If you want to send identical notifications to your IT department
personnel, associate a distribution list email address to all relevant users.

To establish minimum password requirements for local user accounts in LEM, see "Set the global
password policy for LEM users" on page 108.


How Active Directory accounts work in LEM


You can configure LEM to allow users to log in with their Active Directory credentials. Using Active Directory
for user authentication means you do not have to maintain duplicate user accounts in LEM, and users do
not have to remember an additional user name and password just for LEM.

See "Set up Active Directory authentication in LEM" on page 109 to configure LEM to allow users to
log in with their Active Directory credentials.

LEM roles are mapped to DS groups in Active Directory if AD authentication is enabled.

See "Configure or view Active Directory authentication settings in LEM" on page 111 to look up
which Active Directory groups are mapped to LEM roles.

LEM supports Active Directory single sign-on. If single sign-on is enabled, users can bypass the LEM login
screen and go straight to the application if they are already logged in to another application that accepts
the user's AD credentials.

See "Set up single sign-on (SSO) in LEM" on page 119 to configure LEM to allow users to bypass the
LEM login screen if they are already logged in to an application that accepts the user's AD
credentials.

LEM can use Active Directory groups of Windows users and computer accounts in LEM rules and filters.
Any changes made to users or groups in Active Directory propagate to rules and filters in LEM.

See "Configure directory service (DS) groups in LEM" on page 222 for details.

Import an Active Directory user into LEM


Before you create an Active Directory user account:

 l Complete the steps in this topic: "Set up Active Directory authentication in LEM" on page 109
 l Be sure to either map your Active Directory groups to LEM security groups, or create at least
one custom security group in Active Directory for LEM to use. If you created custom LEM
security groups in Active Directory, populate the groups with AD users before continuing. See
"Create custom security groups in Active Directory for LEM to use" on page 110 for details.
 l Verify that the user account includes a valid email address.
LEM requires an email address to create a user account. LEM uses the email address to send
the user a notification when an assigned alert event occurs.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Build > Users.
 3. Click and select Import LEM User. The Import Users form opens.
 4. Complete the Import Users form and click Import.

FIELD DESCRIPTION
LEM Groups Select the LEM security group that the Active Directory user belongs to.

Search User Type at least the first three characters of the user name.

Search Click to find matching users.

Available Users Select one or more users to import and click the green and white arrow button.

Selected Users Lists the AD user (or users) to import.


The Active Directory user is imported.

Create a local LEM user account


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Build > Users.
If you have multiple LEM Manager instances, open the menu next to the and choose the LEM
Manager instance that you want to add the user account to.
 3. Click and select LEM User.
 4. Complete the form in the "User Information for: <New User>" section, and then click Save. See the
following table for help with form fields.
The local user account is added to the Users grid.

The "User information for..." form

FIELD DESCRIPTION
User Name Enter a user account name. You cannot use admin_role, audit_role, or reports_role for the
user name.

First Name Enter the user's first name.

Last Name Enter the user's last name.

Password Enter a user password to access the Manager. This can be an initial system password or a
temporary password that is assigned to replace a forgotten password.

If you are creating a Contact user, a password is not required.

If the Must Meet Complexity Requirements check box is selected in the Manage >
Appliance > Properties > Settings tab, the console enforces the following policy:

 l Passwords must have a minimum of six characters. Spaces are not allowed.
 l Passwords must have two of the following three attributes: at least one special
character, at least one number, and a mix of lowercase and uppercase letters.

Confirm Password Enter the password again.

LEM Role Select a LEM role for this user.

 l Administrator has full access to the system, and can view and modify everything.
 l Auditor has extensive view rights to the system, but cannot modify anything other
than their own filters.
 l Monitor can access the console, cannot view or modify anything, and must be
provided a set of filters. See "Specify the filters that users assigned the Monitor role
can use in the LEM console" on page 129 for steps.
 l Contact cannot access the console, but can receive external notification.
 l Guest has extensive view rights to the system, but cannot modify anything other
than their own filters.
 l Reports cannot log in to the LEM console, but can log in to the LEM reports
application. This role can access the LEM database over a secure channel if TLS
encryption is enabled. See "Enable transport layer security (TLS) in the LEM reports
application" on page 78 for details.

View Role Click to open the role privileges assigned to the new user. Role privileges cannot be
changed.

Description Type a brief description (up to 50 characters). For example, provide the user title, position,
or area of responsibility.

Contact Information Enter an email address. LEM Manager notifies users by email about network security
events. You can add as many email addresses as required.

 1. Type an email address and click to add the address to the Contact Information
box. Use the following format:
username@example.com
 2. Click Save, and then click to send a test email to the email address.
 3. Verify that the user received the email test message.
If the message was not received, edit the email address or adjust the email
connector settings in the manager.
 4. Repeat these steps to add additional email addresses.

View user accounts in the LEM console


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Build > Users.
The Users grid opens.
 3. Click a column heading to sort the table. For example, click LEM Role to sort users by role. Click again
to reverse-sort.


View the system privileges associated with a role


After you select a user role, you can click View Role to view the system privileges associated with the user
role.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Build > Users.
The Users grid opens.
 3. Select a user in the Users grid.
Details about the user display in the User Information pane.
 4. In the User Information pane, click View Role.
The Privileges pop-up window opens.

This information in the Privileges pop-up window is read-only and cannot be changed.

 5. Click Close to return to the console.

Edit user account settings
You can update all user settings in the Build > Users view. Only the description and role can be edited for
Active Directory users.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Build > Users.
 3. In the Users grid, click next to a user and select Edit.
 4. Update the user information in the User Information pane.
To delete an email address, click next to each email address you want to delete.
 5. Click Save.
The user information is updated.

To establish minimum password requirements for local user accounts in LEM, see "Set the global
password policy for LEM users" on the next page.

Delete a user account from a LEM Manager instance


You cannot delete the admin user from the system.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Build > Users.
 3. In the Users grid, locate the user you want to delete.
 4. In the Users grid, click next to the targeted user and select Delete.
 5. When prompted, click Yes to confirm the delete.
The user is removed from the Users list and is no longer authorized to use the Manager.


Set the global password policy for LEM users


This topic describes how to set minimum password requirements for local LEM user accounts.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Manage > Appliances.
 3. In the Properties pane, click the Settings tab.
 4. Adjust the Minimum Password Length setting according to your preference.
 5. Select the Must Meet Complexity Requirements check box to require complex passwords for LEM
users.
Complex passwords must include any three of the following four character types:
 l Capital letters
 l Lower-case letters
 l Numerals (0–9)
 l Symbols (!, @, #, etc.)

 6. Click Save.
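
The complexity rule appears twice in this guide: here as "any three of the following four character types", and in the "User information for..." table as "two of the following three attributes" (a special character, a number, and a mix of lowercase and uppercase letters). The following Python is an added illustration, not LEM's own validator; it checks a candidate password against either form, with the six-character minimum and no-spaces rule from the table, so you can see where the two forms disagree. The function names, the policy labels "settings" and "console", and the use of string.punctuation as the set of symbols are choices made for this example.

```python
import string


def character_types(password):
    """The four character types named in this topic that occur in password."""
    found = set()
    if any(c.isupper() for c in password):
        found.add("upper")
    if any(c.islower() for c in password):
        found.add("lower")
    if any(c.isdigit() for c in password):
        found.add("digit")
    # Assumption: "symbols" means ASCII punctuation.
    if any(c in string.punctuation for c in password):
        found.add("symbol")
    return found


def attributes(password):
    """The three attributes named in the "User information for..." table."""
    types = character_types(password)
    found = set()
    if "symbol" in types:
        found.add("special")
    if "digit" in types:
        found.add("number")
    if {"upper", "lower"} <= types:  # mixed case counts as one attribute
        found.add("mixed-case")
    return found


def check_password(password, policy="settings", min_length=6):
    """Return a list of violations; an empty list means the password passes.

    policy="settings": any three of the four character types (this topic).
    policy="console":  any two of the three attributes (the user form).
    Both forms share the minimum length and the no-spaces rule.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if " " in password:
        problems.append("contains a space")
    if policy == "settings":
        found, needed, total = character_types(password), 3, 4
    elif policy == "console":
        found, needed, total = attributes(password), 2, 3
    else:
        raise ValueError(f"unknown policy {policy!r}")
    if len(found) < needed:
        problems.append(f"has {len(found)} of {total} required kinds, needs {needed}")
    return problems


def passes_both(password):
    """True only if the password satisfies both stated forms of the rule."""
    return not check_password(password, "settings") and not check_password(password, "console")
```

Any password that meets the three-of-four form also meets the two-of-three form, but not the reverse: a password made only of digits and symbols satisfies "special character plus number" yet has only two of the four character types, so the form you enforce matters when users are told what to expect.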

Set up Active Directory authentication in LEM
Set up Active Directory authentication to allow users to log in to LEM with their Active Directory (AD)
credentials.

 l These steps apply to LEM version 6.3.1 and newer. To configure older versions of LEM for
LDAP authentication, see "Set up Active Directory authentication in LEM 6.3.0 and older " on
page 116.
 l This task configures LEM for Active Directory authentication. See "Set up LEM to monitor
Active Directory Accounts " on page 44 to configure LEM to monitor Active Directory accounts
for security violations.

In this topic:

  • Gather some required information 109

• Create a user in Active Directory that LEM can use to log in 109

• Create custom security groups in Active Directory for LEM to use 110

• Configure or view Active Directory authentication settings in LEM 111

• Add an Active Directory user to LEM 114

Gather some required information


Before you begin, gather the following:

 l Either the IP address or fully-qualified domain name (FQDN) of the Active Directory server.
 l The domain credentials for an account that LEM can use to log in to Active Directory. SolarWinds
recommends using a service account with a non-expiring password. This account does not need
elevated privileges.

To get directory server details, open a Windows command prompt on a computer on the correct
network and type nslookup.

Create a user in Active Directory that LEM can use to log in


 1. Log in to the domain controller and open Active Directory Users and Computers.
 2. Create a user account that LEM can use to log in to Active Directory. SolarWinds recommends using
a service account with a non-expiring password. This account does not need elevated privileges
(such as Domain Admin privileges).


Create custom security groups in Active Directory for LEM to use


User access in LEM is based on Active Directory group membership.

 l If you have at least LEM version 6.3.1 Hotfix 2, you can use your existing Active Directory
groups for alerts, reports, and so on. Skip this section and go to the next section, "Configure or
view Active Directory authentication settings in LEM" on page 111.
 l If you have either LEM version 6.3.1, or LEM version 6.3.1 Hotfix 1, complete the steps in this
section to create the required custom security groups in Active Directory.

To create custom security groups:

 1. Log in to the domain controller and open Active Directory Users and Computers.
 2. Create at least one security group called ROLE_LEM_ADMINISTRATORS. Group names must be
identical to the names given below, otherwise users cannot log in to the LEM console. SolarWinds
recommends creating LEM group names using capital letters to help you quickly identify LEM groups
in Active Directory.
You can add up to six of the following LEM custom groups:
 l ROLE_LEM_ADMINISTRATORS (Required if you are using LEM 6.3.1 Hotfix 1 or older.)
 l ROLE_LEM_ALERTS_ONLY
 l ROLE_LEM_AUDITOR
 l ROLE_LEM_GUESTS
 l ROLE_LEM_CONTACTS
 l ROLE_LEM_REPORTS

The ROLE_LEM_CONTACTS group is only used for email notification in rules. Users added to this
group do not have login rights.

Configure or view Active Directory authentication settings in LEM
 1. Open the LEM admin console. See "Log in to the LEM admin user interface" on page 34 for steps.
You can also configure LDAP configuration settings from a command line by entering admin at the
cmc> prompt.
 2. Click LDAP Configuration in the Authentication menu.

The LDAP Configuration Management screen opens.


 3. Choose from the following:
 l To configure a new Active Directory LDAP integration profile, click Add New Configuration.
The Create LDAP Configuration page opens.
 l To view or edit settings for an existing Active Directory integration profile, click Edit.
The LDAP Configuration page opens.
 l To disable an Active Directory integration profile, click the green check mark to make the gray x
visible.
 l To enable a disabled Active Directory integration profile, click the gray x to make the green
check mark visible.
 l To delete an Active Directory integration profile, click Delete.


 4. To create or edit the LDAP configuration, complete the form, and then click Save. Or click Cancel after
you review your previously saved LDAP connection settings.

Starting with LEM 6.3.1 Hotfix 2 you can configure LEM to use existing groups for alerts, audit,
reports, and so on. Expand the "Advanced Settings" section to specify custom group names
when creating or editing the LDAP configuration settings.

FIELD DESCRIPTION
LDAP Configuration Name Enter a friendly name of your choosing for the LDAP configuration.

IP Address or Hostname Enter the IP address or host name of your LDAP server.

Domain (LEM 6.3.1 Hotfix 2 and newer only) Enter the fully-qualified domain name for the account
store.

Directory Service Server User Name Use the format account_name@example.com. SolarWinds
recommends using a Directory Service account to prevent integration issues if the software license
expires. The user name does not require special privileges (such as Domain Admin) to be a Directory
Service user.

Directory Service Server Password Enter the password for the user account.

Use SSL Encryption (Optional) Select to use the transport layer security protocol (LDAPS) for a secure
connection. This option directs traffic from the LEM VM to a designated server (usually a domain
controller) for use with the Directory Service tool.

LDAP Port If this field is left empty, LEM uses the default LDAP port (port 389). Otherwise, enter the
port number used by your domain controller. The default LDAP port with SSL encryption (LDAPS) is 636.

Advanced Settings (LEM 6.3.1 Hotfix 2 and newer only)

 l Domain Aliases (Optional) Specify any Domain Alias names that should be authenticated using this
LDAP configuration. (The role/group names configured on this page will also apply.)
 l NetBIOS Names (Optional) Specify any NetBIOS names that should be authenticated using this LDAP
configuration. (The role/group names configured on this page will also apply.)
 l Admin Group (Optional) Specify the DS group in Active Directory to use for the LEM administrator
role. If you do not specify a name, the default ROLE_LEM_ADMINISTRATORS group is used.
 l Alerts Only Group (Optional) Specify the DS group in Active Directory to use for the LEM alerts
role. If you do not specify a name, the default ROLE_LEM_ALERTS_ONLY group is used.
 l Audit Group (Optional) Specify the DS group in Active Directory to use for the LEM auditor role.
If you do not specify a name, the default ROLE_LEM_AUDITOR group is used.
 l Guest Group (Optional) Specify the DS group in Active Directory to use for the LEM guest role. If
you do not specify a name, the default ROLE_LEM_GUESTS group is used.
 l Notify Only Group (Optional) Specify the DS group in Active Directory to use for the LEM
notifications role. If you do not specify a name, the default ROLE_LEM_CONTACTS group is used.
 l Reports Group (Optional) Specify the DS group in Active Directory to use for the LEM reports role.
If you do not specify a name, the default ROLE_LEM_REPORTS group is used.

Your LDAP configuration settings are now complete.

To test the settings, log in with a user name and the fully-qualified domain name (FQDN). The user
name and fully-qualified domain should be formatted as follows: user@example.com or
example.com\user.

Add an Active Directory user to LEM


To grant a user access to LEM, add the user to the appropriate role (security group) in Active Directory.

 1. Open Active Directory Users and Computers.


 2. Add the user to the appropriate role (security group) in Active Directory. Users added to the
ROLE_LEM_CONTACTS group do not have sufficient privileges to log in to LEM.
 l For LEM 6.3.1 Hotfix 2 and higher, add the user to an Active Directory security group that is
configured for use with LEM. To see which groups are configured for LEM, open the "LDAP
Configuration Management" page and expand the list under "Advanced Settings." See
"Configure or view Active Directory authentication settings in LEM" on page 111 for details.
 l For LEM version 6.3.1, or LEM version 6.3.1 Hotfix 1, add the user to one of the Active
Directory security groups listed under "Create custom security groups in Active Directory for
LEM to use" on page 110. At least one user should be assigned to the ROLE_LEM_ADMINISTRATORS
security group.

When configuring user accounts, make sure the user's Primary group is not assigned to a custom
group, otherwise the user cannot log in to LEM. The user will see an "Invalid username and
password" message instead, and a message similar to the following will be logged:

[LemSpringSecurityAuthManager] {http-nio-8080-exec-1:349} Authentication failed: User is not member of any required role group!
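
To make the group-membership requirement concrete, here is an added Python example over a constructed directory snapshot; it is not LEM's authentication code and the function names, group RIDs and user entries are made up. It uses the role names and default group names listed under "Advanced Settings", applies any custom group names as overrides, and relies on one Active Directory behaviour: a user's primary group is recorded only in the primaryGroupID attribute and is not listed in the user's memberOf attribute, which is why a LEM role group that has been made the primary group is not found and the login fails as described.

```python
# Role names as shown under "Advanced Settings", mapped to the default AD
# group each one uses when no custom name is specified.
DEFAULT_ROLE_GROUPS = {
    "Admin": "ROLE_LEM_ADMINISTRATORS",
    "Alerts Only": "ROLE_LEM_ALERTS_ONLY",
    "Audit": "ROLE_LEM_AUDITOR",
    "Guest": "ROLE_LEM_GUESTS",
    "Notify Only": "ROLE_LEM_CONTACTS",
    "Reports": "ROLE_LEM_REPORTS",
}

# Constructed directory snapshot for this example (not real data).  'rid' is
# the last component of the group's SID.  Active Directory records a user's
# primary group only as primaryGroupID (that RID); it is not repeated in the
# user's memberOf attribute.
GROUPS = {
    "CN=ROLE_LEM_ADMINISTRATORS,OU=LEM,DC=example,DC=com": {"cn": "ROLE_LEM_ADMINISTRATORS", "rid": 1201},
    "CN=ROLE_LEM_AUDITOR,OU=LEM,DC=example,DC=com": {"cn": "ROLE_LEM_AUDITOR", "rid": 1202},
    "CN=ROLE_LEM_CONTACTS,OU=LEM,DC=example,DC=com": {"cn": "ROLE_LEM_CONTACTS", "rid": 1203},
    "CN=Domain Users,CN=Users,DC=example,DC=com": {"cn": "Domain Users", "rid": 513},
}
USERS = {
    "alice@example.com": {"memberOf": ["CN=ROLE_LEM_ADMINISTRATORS,OU=LEM,DC=example,DC=com"], "primaryGroupID": 513},
    "bob@example.com": {"memberOf": ["CN=ROLE_LEM_CONTACTS,OU=LEM,DC=example,DC=com"], "primaryGroupID": 513},
    # carol's LEM group was made her primary group, so memberOf does not list it
    "carol@example.com": {"memberOf": [], "primaryGroupID": 1202},
    "dave@example.com": {"memberOf": [], "primaryGroupID": 513},
}


def group_to_role(overrides=None):
    """Effective AD group name -> LEM role, after any Advanced Settings overrides."""
    effective = dict(DEFAULT_ROLE_GROUPS)
    effective.update(overrides or {})
    return {group: role for role, group in effective.items()}


def resolve_role(upn, overrides=None):
    """memberOf-based lookup, the check the log message in this topic refers to.

    Returns (role, can_log_in).  Notify Only (ROLE_LEM_CONTACTS) members get
    notifications but no console login.
    """
    mapping = group_to_role(overrides)
    for dn in USERS[upn]["memberOf"]:
        cn = GROUPS.get(dn, {}).get("cn")
        if cn in mapping:
            role = mapping[cn]
            return role, role != "Notify Only"
    return None, False


def diagnose_login(upn, overrides=None):
    """Explain a failed login in terms of the causes this topic names."""
    role, ok = resolve_role(upn, overrides)
    if ok:
        return "ok"
    if role == "Notify Only":
        return "contacts-only: the group grants notifications, not console login"
    mapping = group_to_role(overrides)
    primary_rid = USERS[upn]["primaryGroupID"]
    for group in GROUPS.values():
        if group["rid"] == primary_rid and group["cn"] in mapping:
            return f"primary-group: {group['cn']} is the primary group, so memberOf does not list it"
    return "no-role-group: user is not member of any required role group"


if __name__ == "__main__":
    for upn in USERS:
        print(f"{upn}: {diagnose_login(upn)}")
```

The diagnose_login check is what you would run before filing the "Invalid username and password" report: it distinguishes the contacts-only case, the primary-group case, and a user who is simply in none of the configured groups. Passing an override such as {"Admin": "SEC-LEM-Admins"} shows that renaming a role group under Advanced Settings silently drops users who are still only in the default group.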


Set up Active Directory authentication in LEM 6.3.0 and older
These steps apply to LEM version 6.3.0 and older. To configure newer versions of LEM (version 6.3.1
and above), see "Set up Active Directory authentication in LEM" on page 109.

Complete the steps in this topic to allow users to log in to LEM with their Active Directory credentials.

  • Configure the Directory Service Query connector 116

• Import your Active Directory organizational groups into LEM 117

• Import an Active Directory user and assign the user LEM login rights 118

Configure the Directory Service Query connector


Before you begin, gather the following:

 l Either the IP address or fully-qualified domain name (FQDN) of the Active Directory server.
 l The domain credentials for an account that the Directory Service Query connector can use.

To get directory server details, open a Windows command prompt on a computer on the correct
network and type nslookup.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Select the LEM Manager.
 3. Click Manage > Appliances.
 4. Click the gear icon next to your LEM Manager and select Connectors.
 5. Enter Directory Service Query in the search box on the Refine Results pane.
 6. Click the gear icon next to the master connector on the right, and select New.

 7. Complete the Directory Service Query connector form:
 a. In the Domain Name field, enter the DNS name of your Active Directory domain in lowercase
characters, for example example.com.
 b. In the Directory Service Server field, enter the IP address or host name of a domain controller.
SolarWinds recommends using the IP address to avoid possible DNS issues. If you use a host
name, the LEM network configuration (netconfig) lets you set or change the DNS server used to
resolve it.
 c. Enter the domain credentials for a user account that the connector can use.
SolarWinds recommends a dedicated service account with a non-expiring password; otherwise you
must manually update the connector every time the password expires. The account is only used to
query the directory and does not need elevated privileges, so do not reuse an administrative
account. Enter the user name only, without a domain prefix.
 8. When finished, click Save.
 9. Locate the new instance of the connector. The gray icon in the Status column indicates that the
connector is not running.
 10. Click the gear icon next to the new connector and select Start. A green icon in the Status column
indicates that the connector is running.

Test the Directory Service Query connector settings


 1. Click the Test Domain Connection button at the bottom of the connector settings pane.
 2. Create an nDepth query. See "Create an nDepth query" on page 351 for steps.
 l Expand the Event Groups menu, select Any Alert, and drag EventInfo into the nDepth search
bar.
 l Enter *Connection to* in the search field.
 3. Run the search.
 4. Choose the Results Details icon on the nDepth explorer toolbar to view the results.
 5. Check the EventInfo field to verify that it does not say “Connection to Directory Service failed.”

Import your Active Directory organizational groups into LEM


Complete these steps to import your directory service groups into LEM Manager and start the group
synchronization process. The synchronization process runs every five minutes as long as the connector is
running.


Before you begin, the Directory Service Query connector must be configured on LEM Manager.

 1. Log in to the LEM console.


 2. Click Build > Groups.
 3. Click the plus button in the upper right corner and select Directory Service Group.
 4. In the details pane at the bottom of the LEM console window, select a group category from the folder
tree on the left to populate the Available Groups pane on the right.
 5. Check the boxes next to the groups you want to import into LEM Manager.
 6. Repeat Steps 4 and 5 until you have selected all of the groups you want to import.
 7. Click Save.

Import an Active Directory user and assign the user LEM login rights
 1. Log in to the LEM console.
 2. Click Build > Users.
 3. Click + and select Import LEM User.
The Import Users dialog opens.
 4. Complete the form to select the user to be given LEM console login rights.
 l LEM Groups – Choose All to search for a user across all security groups, or choose a specific
security group to limit your search to just that group.
 l Search User – Type a portion of the user name to search for. You must type at least three
letters.
 l Search – Click search to get a list of users that meet the search criteria. Search will not return
more than 10 users.
 l Available Users – Select one or more users to import from the search results.
 l Selected Users – Click the green arrow to move users from the Available Users list to the
Selected Users list.
 5. Click Import.
The system adds the user to the Users view list.
 6. In the Users list, select the user and verify that the user's email address appears in the Contact
Information box.
If the email address is missing, Active Directory did not supply it (the user's mail attribute is empty),
and LEM cannot send email notifications to this user. Either populate the mail attribute in Active
Directory or add the address to the user's contact information in LEM so that rule-driven email
notifications can reach the user.

Set up single sign-on (SSO) in LEM
LEM supports Active Directory single sign-on (SSO). When enabled, LEM does not request a user name and
password if the user is already logged in to Active Directory (AD). Instead, AD authenticates the user in the
background, and automatically logs the user in to LEM with the appropriate user access rights. User access
in the LEM consoles (desktop, web, and the LEM reports application), is based on AD group membership.

In this topic:

  • Set up Active Directory authentication in LEM 119

• Generate a keytab file using Ktpass 119

• Configure SSO settings in LEM using the Admin web console 121

• Configure web browser settings for SSO 122

• Configure LEM for either SSO-only authentication, or SSO and local authentication 124

• Configure SSO settings in LEM using the command-line 125

Set up Active Directory authentication in LEM


First configure Active Directory authentication and verify that users can log in to LEM with their AD
credentials. For details, see "Set up Active Directory authentication in LEM" on page 109. After verifying
that users can log in to LEM with their AD credentials, complete the next step.

Generate a keytab file using Ktpass


To configure LEM for Active Directory SSO, a Kerberos keytab file is required. LEM uses this file to
authenticate users with Active Directory. The keytab is generated on a domain controller and imported
into LEM. It does not contain user accounts or password hashes: it holds the service principal name
(SPN) assigned to LEM together with the long-term Kerberos key(s) derived from the password of the
service account that the SPN is mapped to. With that key LEM can decrypt the service tickets that users'
browsers present, which is how it verifies that a domain controller has already authenticated the user.
Ktpass is the Windows Server command-line tool that generates the .keytab file.

Before you run the ktpass command, gather the following information:

 l Fully-qualified domain name (FQDN) of the LEM VM – The FQDN is the complete DNS name of the
LEM virtual machine on your network. It includes the host name (the label assigned to the device on
the network) and the name of the domain that hosts the device. For example, if the device name is
swi-lem and the company domain is yourcompany.local, the FQDN is swi-lem.yourcompany.local.


 l Realm – This is the Active Directory Domain Services (AD DS) domain name. The realm name is used
to route authentication requests to the Active Directory server that holds user credentials. The realm
name is case sensitive and normally appears in upper-case letters. To simplify your Kerberos client
configuration, make the realm name identical to your DNS domain name by only using upper-case
letters. For example, if YourCompany belongs to the DNS domain name yourcompany.com, the
Kerberos realm should be YOURCOMPANY.COM.
 l Service principal name (SPN) – The SPN identifies the LEM web service to Kerberos and is mapped
to the service account you create for it. It consists of the service class HTTP, a slash, the FQDN of
the LEM VM, the @ symbol, and the realm. Kerberos compares principal names case-sensitively, so
use the same spelling and case everywhere the SPN appears (ktpass and the LEM configuration).
For example, the SPN for a LEM VM with the FQDN swi-lem.yourcompany.local in the realm
YOURCOMPANY.COM is HTTP/swi-lem.yourcompany.local@YOURCOMPANY.COM.

 1. Do the following to obtain the LEM host name and IP address:
 a. Open the LEM CMC command line. See "Log in to the LEM CMC command line interface" on
page 34 for steps.
 b. At the prompt, enter appliance to access the Appliance menu.

 c. At the prompt, enter viewnetconfig.


 d. When prompted, enter b to select the brief network configuration.
 e. Record the domain name, host name, and the host name's resolved IP address.
 f. Exit the management console.
 2. Create a host (A) record for LEM in DNS:
 a. Open DNS Manager on your domain controller.
 b. Create an A record for LEM using the host name and IP address you recorded. Verify that DNS
Manager populated the domain field with the correct domain.
 3. Open Active Directory Users and Computers.
 4. Create an organizational unit (OU) and name it Keytab.
 5. Select the Keytab OU and create a new user account for the LEM service. In the next step ktpass
maps the SPN to this account, so it needs no group memberships or elevated rights.
Write down the account name and the SPN. You will need them in a later step.

 6. Generate the Kerberos keytab file with the ktpass command:
 a. Log in to the Active Directory server as an administrator.
 b. Open a command prompt as an administrator.
 c. Run the following ktpass command on a single line:

ktpass -princ HTTP/<fqdn>@<REALM> -pass <SPN_account_password> -mapuser <domain_name>\<user_name> -ptype KRB5_NT_PRINCIPAL -crypto ALL -out c:\lem.keytab

If you receive an error when you run the command, replace the -mapuser argument
with -mapuser <user_name>.

The ktpass command takes the following arguments:

 l -princ specifies the service principal name (SPN) in the form HTTP/<fqdn>@<REALM>.
You will enter exactly this value, including case, in your LEM configuration.
 l -pass is the SPN account password. ktpass sets the mapped account's password to this
value, replacing any password the account had. Changing the account password later, or
running ktpass again, invalidates the keytab; regenerate and re-import it if you do.
 l -mapuser maps the Kerberos principal name (specified in the -princ argument) to
the specified domain account.
 l -ptype specifies the principal type. KRB5_NT_PRINCIPAL is the general principal type.
 l -crypto specifies the encryption types of the keys written to the keytab. ALL writes a key
for every type the account supports, which can include Data Encryption Standard (DES),
Rivest Cipher 4 (RC4), and Advanced Encryption Standard (AES). DES is disabled by default
on Windows Server 2008 R2 and later and RC4 is weak, so on current domains prefer
-crypto AES256-SHA1 and enable AES on the service account. See "ktpass" on the Microsoft
TechNet website for more information about supported crypto types.
 l -out specifies the name and location for the generated Kerberos 5 keytab file.
 7. Navigate to the keytab file location (for example, c:\lem.keytab specified in the -out argument).
The keytab contains the service's long-term key, and anyone who obtains it can impersonate the
LEM service to your users. Copy it to LEM over a secure channel and delete the copy on the
domain controller after the import.
 8. Import the keytab file into LEM to allow LEM access to Active Directory.
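The DNS record, Keytab OU, service account and ktpass steps above, scripted in PowerShell. This is an added example and not code from the SolarWinds guide. It assumes the host name swi-lem, the IP address 10.0.0.50, the DNS domain yourcompany.local (and therefore the realm YOURCOMPANY.LOCAL), a service account named svc-lem-sso and the output path C:\lem.keytab; all of these are placeholders to replace. It must run as a domain administrator on a domain controller, or on a host with the ActiveDirectory and DnsServer RSAT modules, and it uses -crypto AES256-SHA1 rather than ALL so that no DES or RC4 keys are written.

```powershell
#Requires -Modules ActiveDirectory, DnsServer
# Added example, not from the SolarWinds LEM guide. Run as a domain administrator
# on a domain controller (or a host with the ActiveDirectory and DnsServer RSAT
# modules). All values below are placeholders; replace them with your own.

$LemHost   = 'swi-lem'               # host name recorded from viewnetconfig
$LemIp     = '10.0.0.50'             # IP address recorded from viewnetconfig
$DnsZone   = 'yourcompany.local'     # AD DNS domain (also the DNS zone name)
$Fqdn      = "$LemHost.$DnsZone"
$Realm     = $DnsZone.ToUpper()      # Kerberos realm: the DNS domain in upper case
$Spn       = "HTTP/$Fqdn@$Realm"     # enter this exact value (same case) in LEM
$SvcName   = 'svc-lem-sso'           # service account the SPN is mapped to
$KeytabOut = 'C:\lem.keytab'
$Domain    = Get-ADDomain
$DomainDn  = $Domain.DistinguishedName
$OuDn      = "OU=Keytab,$DomainDn"

# Step 2 of the guide: an A record for LEM, created only if none exists yet.
$Existing = Get-DnsServerResourceRecord -ZoneName $DnsZone -Name $LemHost -RRType A -ErrorAction SilentlyContinue
if (-not $Existing) {
    Add-DnsServerResourceRecordA -ZoneName $DnsZone -Name $LemHost -IPv4Address $LemIp
}

# Steps 4 and 5: the Keytab OU and a dedicated, least-privilege service account.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'Keytab'" -SearchBase $DomainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'Keytab' -Path $DomainDn
}
$Password = Read-Host -Prompt "Password for $SvcName" -AsSecureString
if (-not (Get-ADUser -Filter "SamAccountName -eq '$SvcName'")) {
    New-ADUser -Name $SvcName -SamAccountName $SvcName -Path $OuDn `
        -AccountPassword $Password -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true `
        -KerberosEncryptionType AES256 `
        -Description 'LEM SSO service account; SPN mapped by ktpass'
}

# Step 6: generate the keytab. ktpass needs the clear-text password on its command
# line and resets the mapped account's password to it, so the same value is reused.
# AES256-SHA1 is used instead of ALL so that no DES or RC4 keys are written.
$Bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
$Plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)
& ktpass.exe /princ $Spn /mapuser "$($Domain.NetBIOSName)\$SvcName" /pass $Plain `
    /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1 /out $KeytabOut
$Plain = $null

# Verify: the SPN is registered on exactly one account, a service ticket can be
# obtained for it, and the keytab exists. The file holds the service key, so copy
# it to LEM over a secure channel and delete this copy after the import.
& setspn.exe -Q "HTTP/$Fqdn"
& klist.exe get "HTTP/$Fqdn"
Get-Item $KeytabOut | Select-Object FullName, Length, LastWriteTime
```

If setspn -Q reports the SPN on more than one account, Kerberos authentication to LEM fails with a duplicate-SPN error; remove the stray registration before continuing. The klist get call proves the KDC will issue a ticket for the SPN, which is the same request a browser makes during SSO.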

Configure SSO settings in LEM using the Admin web console


You can use the command line to configure SSO settings in LEM. For details, see "Configure SSO
settings in LEM using the command-line" on page 125.

 1. Open a web browser and connect to the LEM Admin user interface using the following URL:
https://<lem_manager_IP_address>:8443/mvc/login

If you have not yet activated LEM, or if you reopened port 8080, use the following URL:
http://<lem_manager_IP_address>:8080/mvc/login
Port 8080 is plain HTTP, so your credentials and the keytab upload cross the network unencrypted.
Use it only during initial setup and close the port again afterwards.
You can also access the Admin user interface by entering admin at the cmc> prompt.
 2. Enter your user name and password on the login screen.
The Settings / Authentication page opens.


 3. Click SSO Configuration.

 4. Complete the form:

 a. Enter the SPN in the Service Principal Name (SPN) field, exactly as you passed it to ktpass
-princ, including case. See "Generate a keytab file using Ktpass" on page 119 for details.
For example: HTTP/swi-lem.yourcompany.local@YOURCOMPANY.COM
 b. Click Browse and select the keytab file.
 5. Click Save.
Your keytab file is uploaded to LEM. If you are logged in as a local user, LEM logs you out of the
Admin user interface.

SSO is now configured on LEM.

Configure web browser settings for SSO


Follow the appropriate procedure to enable Kerberos authentication for SSO in your web browser.

Internet Explorer
By default, Internet Explorer sends Windows credentials automatically only to sites it places in the
Local intranet zone. Whether it puts the LEM URL in that zone depends on your zone settings and on
company policies, so add the LEM URL to the zone explicitly.

To add the LEM Manager URL to the list of trusted intranet sites:

 1. Open Internet Options.


 2. Under Security, set your local intranet sites to automatically detect an intranet network with no
other options.
 3. In your Local intranet Advanced settings, add your FQDN or URL as a website in the Local Intranet
zone.
For example:
swi-lem or https://swi-lem
 4. Save your settings and close Internet Options.

Mozilla Firefox
 1. Open Firefox and enter about:config in the address bar.
 2. Enter network.negotiate-auth.trusted-uris in the Filter field.
 3. Double-click network.negotiate-auth.trusted-uris in the list.
 4. Enter the fully-qualified domain name (FQDN) or URL that you use for LEM.
For example: mylemappliance.example.com
The web browser is now configured for SSO.

Google Chrome and Opera


Add the LEM Manager URL to the Local intranet zone in Internet Options as described for Internet
Explorer. On Windows, Chrome and the Chromium-based Opera use the same Internet Options zone
settings to decide which sites receive Kerberos credentials, so no separate browser configuration is
needed.
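The browser settings above, expressed as a PowerShell script for a Windows workstation. This is an added example and not code from the SolarWinds guide. It assumes the LEM FQDN swi-lem.yourcompany.local and the default Firefox installation path, both placeholders, and it must run elevated because the Chrome and Firefox parts write machine-wide policy. The Chrome policy goes beyond the guide: the Internet Options zone entry in step 1 is normally enough for Chrome and Opera on Windows, but the AuthServerAllowlist policy also works where group policy locks the zone map.

```powershell
# Added example, not from the SolarWinds LEM guide. Placeholders: the LEM FQDN
# and the Firefox install path. Run elevated (steps 2 and 3 write HKLM and
# Program Files); step 1 writes the current user's zone map only.

$LemFqdn   = 'swi-lem.yourcompany.local'
$LemHost   = ($LemFqdn -split '\.')[0]                 # 'swi-lem'
$LemDomain = $LemFqdn.Substring($LemHost.Length + 1)   # 'yourcompany.local'

# 1. Internet Explorer (also read by Chrome and Opera on Windows): put
#    https://swi-lem.yourcompany.local in the Local intranet zone. The zone map is
#    ZoneMap\Domains\<domain>\<host> with a DWORD named after the URL scheme;
#    value 1 is the Local intranet zone.
$ZoneKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$LemDomain\$LemHost"
New-Item -Path $ZoneKey -Force | Out-Null
New-ItemProperty -Path $ZoneKey -Name 'https' -PropertyType DWord -Value 1 -Force | Out-Null

# 2. Chrome: an explicit allow-list of hosts that may receive Negotiate (Kerberos)
#    credentials. Comma-separated; wildcards such as *.yourcompany.local are allowed,
#    but listing only the LEM host keeps tickets from being offered to other sites.
$ChromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
New-Item -Path $ChromePolicy -Force | Out-Null
New-ItemProperty -Path $ChromePolicy -Name 'AuthServerAllowlist' -PropertyType String -Value $LemFqdn -Force | Out-Null

# 3. Firefox: enterprise policy equivalent of network.negotiate-auth.trusted-uris,
#    read from <install dir>\distribution\policies.json at startup.
$FirefoxDir = 'C:\Program Files\Mozilla Firefox'
$PolicyDir  = Join-Path $FirefoxDir 'distribution'
$Policy     = @{ policies = @{ Authentication = @{ SPNEGO = @($LemFqdn) } } }
New-Item -ItemType Directory -Path $PolicyDir -Force | Out-Null
$Policy | ConvertTo-Json -Depth 5 | Set-Content -Path (Join-Path $PolicyDir 'policies.json') -Encoding ASCII

# 4. Verify the zone assignment, then open https://<LemFqdn> in a browser; after a
#    successful SSO login a service ticket for HTTP/<LemFqdn> appears in the cache.
Get-ItemProperty -Path $ZoneKey | Select-Object https
& klist.exe | Select-String "HTTP/$LemFqdn"
```

Keep the allow-lists narrow: every host on them is one to which the browser will hand a Kerberos ticket without prompting, so a wildcard that covers an attacker-controlled name in the domain lets that host collect tickets for replay against other services.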


Configure LEM for either SSO-only authentication, or SSO and local authentication
Complete these steps to configure which credentials users can use to log in to LEM. You can allow users to
log in with either local LEM credentials or SSO (LDAP) credentials, or you can restrict users to only SSO
(LDAP) credentials.

 1. Log in to the LEM admin user interface. See "Log in to the LEM admin user interface" on page 34
for steps.
 2. Click SSO Configuration.
The SSO Configuration Management screen opens.

 3. Click the toggle switch to enable the service.

 4. Click the Enabled authentications list and choose from the following:
 l Credentials and SSO – Allows users to log in with either local LEM credentials or SSO (LDAP)
credentials.
 l SSO only – Restricts users to log in with only SSO (LDAP) credentials.

 5. Click Save.

Updates take place immediately. Log in using the appropriate credentials to verify that the settings are
correct.

Configure SSO settings in LEM using the command-line
Use these alternate steps if you do not want to use the LEM admin user interface to upload the keytab file.
(You do not have to repeat this process if you already uploaded the keytab file to LEM.)

 1. Log in to the CMC command-line interface. See "Log in to the LEM CMC command line interface" on
page 34 for steps.
 2. At the cmc> prompt, enter import.
 3. Follow the prompts on your screen to complete the import.
The file is uploaded to the appliance file system.
 4. Return to the management console menu.
 5. At the cmc> prompt, enter admin to access the admin command-line interface.
 6. Enter your user name and password.

 7. Arrow down to LOGIN, and press Enter.

 8. Arrow down to SSO configuration, and press Enter.

 9. Arrow down to Add New Configuration and press Enter.

The content on this screen may vary with your LEM implementation.

 10. Enter your SSO configuration settings.

 a. Enter the Service Principal Name (SPN) exactly as you passed it to ktpass -princ, including
case. See "Generate a keytab file using Ktpass" on page 119 for details.
For example: HTTP/swi-lem.yourcompany.local@YOURCOMPANY.COM
 b. Enter the path to your keytab file using the following syntax:
/var/transfer/storage/<your_keytab_file_name>.keytab

 11. Arrow down to Save, and press Enter.
The upload is completed.
 12. Exit the management console.
SSO is now configured on your appliance.

Updates take place immediately. Log in using the appropriate credentials to verify that the settings are
correct.

Change the LEM CMC password


In this section:

  • Recover a lost CMC password 128

The CMC command-line interface (CLI) is used to connect to the LEM VM and perform administrative tasks.
SolarWinds recommends that you periodically change the password used to access the CMC command
line.

These steps require the current CMC password. The default password is password. Change it the first
time you log in, before the appliance is reachable from the rest of the network.

 1. Log in to the CMC command-line interface. See "Log in to the LEM CMC command line interface" on
page 34 for steps.
 2. Type appliance and press Enter.
 3. Type password and press Enter.
 4. Complete the wizard to change the password. See "Special characters allowed in CMC commands
and passwords" on page 479 for help choosing a CMC password.
 5. Type exit and press Enter to return to the root CMC command line.
Type exit and press Enter again to log out and close the CMC interface.

Test the new CMC password by logging back in to the CMC interface.

Recover a lost CMC password


Contact SolarWinds Support for help if you no longer have the CMC password needed to log in to the CMC
interface. You can still reach the CMC interface without the CMC password by logging in to the VM console
through the hypervisor and clicking Advanced Configuration. Because this path bypasses the CMC
password entirely, restrict console access to the LEM VM in your hypervisor's access controls and audit
its use.

Specify the filters that users assigned the Monitor role can
use in the LEM console
LEM users assigned to the Monitor role can use the filters they have access to, but they cannot create, edit,
delete, or import/export filters.

See "About LEM roles" on page 100 to learn more.

By default, this role has access to the same set of filters as other users. To remove and/or modify the filters
that Monitor-role users can access in the console, complete the following steps. You will need to complete
some of these steps on the end-user's computer. When the user logs in to LEM using the same computer
and Windows profile, they will only have access to the filters specified.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Temporarily assign the user to the Administrator role. The user holds full administrative rights
until you revert this in step 6, so complete the procedure in one sitting.
 3. Instruct the user to log in to the LEM console using their Windows profile.
 4. Change the filters as needed, deleting any unnecessary filters.

If you created and exported the filters in a previous procedure, you can add new filters to the
user Filters list by creating or importing the filter as appropriate. To remove a filter from the
user Filter list, point to the filter and click x that appears to the right.

 5. Log out the user and close the console window.
 6. Using your administrator login, change the user back to the Monitor role.
 7. From the user computer, have the user log in with their credentials, and then click Monitor.
The user should only see the specified filters.

Sending event data to LEM via Agents, syslog, and SNMP
This chapter describes how to configure LEM to receive events from systems, devices, and applications in
your IT environment. LEM can receive events sent by LEM Agents, syslog, and SNMP.

In this chapter:

  • Get started adding systems and devices to LEM 131

• Configure LEM Agents after they are installed 133

• Create connector profiles to manage and monitor LEM Agents 135

• Edit LEM Agent connector-profile settings 140

• Add syslog and Agent nodes to LEM 145

• Updating LEM Agents 149

• Set up a separate syslog server for use with LEM 153

LEM can correlate SNMP traps from devices and applications that have a corresponding connector.
To configure LEM to receive SNMP traps, turn on the SNMP Trap Logging Service. See "Enable LEM
to receive SNMP traps by turning on the SNMP Trap Logging Service" on page 61 for details.


Get started adding systems and devices to LEM


This topic documents how to add Agent devices (servers, domain controllers, and workstations) and non-
Agent devices (firewalls, routers, and switches) to LEM.

In this topic:

  • About the LEM Agent 131

• About sending log events directly to LEM 132

There are two ways to configure computers and devices on your network to send log events to LEM:

 l To add servers, domain controllers, and workstations, install a LEM Agent.


 l To add firewalls, routers, or switches, configure your devices to send log events directly to the
LEM VM using syslog or SNMP traps. After configuring your device to log to LEM, configure the
appropriate connectors directly on the LEM Manager.

To view a tutorial about adding devices to LEM, see:

http://video.solarwinds.com/watch/ap419n3ZdTdUCZnJiMwb2Y

About the LEM Agent


Install the LEM Agent on servers, domain controllers, and workstations to monitor local events on the
systems in your network. The LEM Agent is a stand-alone service that collects and normalizes log data on
the remote system before it is sent to the LEM Manager for processing.

See "Install LEM Agents to protect servers, domain controllers, and workstations" in the LEM
Installation Guide for installation steps.

LEM Agents can:

 l Capture events in real-time.


 l Encrypt and compress the data for efficient and secure transmission to the LEM Manager.
 l Buffer the events locally if the Agent loses network connectivity to the LEM Manager.

In addition to monitoring local events, the Agent provides event alerting on workstations and servers. It is
also required for some active responses, including logging off a user, shutting down a computer, and
detaching a USB device. You can trigger actions manually from the LEM console using the Respond menu,
or you can create rules to take specific actions automatically.

Install the LEM Agent on computers that allow third-party software, including servers, domain controllers,
and workstations. On Windows, the LEM Agent captures log information from sources such as Windows
Event Logs, a variety of database logs, and local anti-virus logs.

SolarWinds recommends installing the LEM Agent if you have the option. If installing the LEM Agent
is not feasible, send log events directly to LEM.

About sending log events directly to LEM


Configure non-Agent devices, such as firewalls, routers, or switches, to send log events directly to the LEM
Manager using syslog or SNMP traps. Then, configure the appropriate device connector on the LEM
Manager using the LEM console. For a complete list of supported devices, see the LEM Connector List on
THWACK:
https://thwack.solarwinds.com/community/log-and-event_tht/log-and-event-manager/lem-connector-list

See "Add syslog and Agent nodes to LEM" on page 145 for more information about configuring
devices that do not allow third-party software.


Configure LEM Agents after they are installed


This topic documents LEM Agent configuration tasks.

In this topic:

  • View the LEM Agents monitored by each LEM Manager 133

• About the LEM Agent for Windows connectors 133

• Enable additional connectors to add extra log sources to LEM 134

After installation, the LEM Agent captures log information from sources such as Windows Event Logs,
database logs, and local antivirus logs. Additionally, the LEM Agent allows LEM to take specific actions that
you can define as rules. You can trigger actions manually from the LEM console using the Respond menu.

View the LEM Agents monitored by each LEM Manager


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Choose Manage > Nodes.
The Nodes view displays the LEM Agents monitored by each of your LEM Managers.

About the LEM Agent for Windows connectors


The LEM Agent for Windows includes several preconfigured connectors that collect and display data from
these systems immediately after you install the LEM Agent. By default, the LEM Agent for Windows
includes the following preconfigured connectors:

 l Windows Security Log (for the host OS version)
 l Windows Active Response
 l Windows Application Log
 l Windows System Log

For broader coverage on your Windows computers, configure specific connectors to obtain your
targeted data. See "Enable additional connectors to add extra log sources to LEM" on the facing
page for steps.

Enable additional connectors to add extra log sources to LEM
Use the following procedure to add additional log sources to your monitored Agent nodes (if desired).

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Manage > Nodes, and then select the node you want to configure.
 3. Click the gear icon and select Connectors.
 4. In the Connectors grid, select a supported device or application to log.

Enter a keyword in the Search field or click the Category drop-down menu to filter connectors
by category.

 5. Click the gear icon next to your selected connector and select Enable.
 6. Click Close.
 7. Repeat steps 2 through 6 to add additional log sources to your nodes.


Create connector profiles to manage and monitor LEM Agents
This topic explains the purpose for connector profiles and provides instructions for creating them.

In this topic:

  • About connector profiles 135

• About the connector-profile group type 136

• Connector profile guidelines 136

• Creating a connector profile: process overview 136

• Create a connector profile:detailed steps 137

See also:

 l "Configure LEM Agents after they are installed" on page 133


 l "Edit LEM Agent connector-profile settings" on page 140

About connector profiles


Use a connector profile to group Agents that share the same connector configuration. You can use the
profile to configure a set of standardized connector settings, and then apply those settings to all Agents
assigned to that profile. Once applied, every Agent in the profile will have the same connector settings.

Connector profiles maintain all Agents in a profile by updating only the profile connector configuration.
The system then propagates your changes to all of the Agents in the profile.

Most Agents in a network have only a few different connector configurations. Using Connector profiles, you
can streamline the process of connecting your network security products to LEM. If you decide not to use
connector profiles, you must create at least one connector instance for every product that you intend to
integrate with LEM, and then repeat this process for each Agent.

A well-planned set of connector profiles provides you with a versatile and efficient method for configuring
and maintaining your Agent connector configurations. You can create as many connector profiles as you
need to reflect each of your common connector configurations. For example, you can set up a standard
user workstation profile, a web server profile, and so on. SolarWinds provides several default connector
profiles that address common configurations.

About the connector-profile group type
LEM lets you use connector profiles in filters, rules, and searches. After you define a connector profile, you
can use it in rules and filters to include or exclude the Agents associated with that profile. For example,
you can create a filter using the Domain Controller connector-profile group to show you web traffic from
the computers in that group.

Groups organize related elements for use with LEM rules and filters. See "About LEM groups" on
page 205 for information about the various LEM group types.

Connector profile guidelines


A well-planned set of connector profiles provides you with a versatile and efficient method of updating
and maintaining your Agents' connector configurations.

When you configure your connector profiles, use the following guidelines:

 l An Agent can only be a member of one connector profile. You cannot add an Agent to multiple
connector profiles.
 l You can only add a connector profile to one LEM Manager at a time. Each connector profile you
create only applies to the LEM Manager you selected when you created the profile. To copy a
connector profile for use with another LEM Manager, export the profile and then import it into the
other Manager's Groups grid. See "Export a group" on page 213 for steps.

Creating a connector profile: process overview


This section provides an overview of the steps required to create a connector profile. Creating a connector
profile is a three-step process:

 1. Install the LEM Agent software on all of the systems that you want to include in your new connector
profile, then configure a single LEM Agent to serve as the template for your connector profile.
 2. Add the Agents to the connector profile. When completed, the system applies the template to all
Agents in the profile.
 3. Verify the connector status.

When you select an Agent for a template, ensure the Agent has a configuration that mirrors your concept
of the final connector configuration.

You can prepare a template Agent in advance by configuring an Agent you know will be a member of the
new profile. When completed, use the Agent as the template for the new profile. This process minimizes
your need to edit the profile connector configuration in the future.


To clone and/or edit a connector-profile, see "Edit LEM Agent connector-profile settings" on
page 140

Create a connector profile:detailed steps


In this section:

• Step 1: Configure the Agent that will serve as a template for your
  connector profile 137

• Step 2: Select the Agents that are members of the profile 139

• Step 3: Verify the connector status 139

This section provides detailed instructions for creating a connector profile.

Step 1: Configure the Agent that will serve as a template for your connector profile
 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Open the Build > Groups view.
 3. On the Groups grid toolbar, click the plus button and select Connector Profile.

 4. Complete the connector profile selections.

Complete the following fields on the Connector Profile form:

 l Name – Enter a name for the connector profile.
 l Description – Briefly describe the connector profile.
 l Template – Click the Template drop-down menu and select the Agent whose connector
configuration will provide the template for this profile. If you decide not to use a template,
select None.
For best results, select a template when you create a new connector profile. If you create the
profile without a template, click Edit Connectors and add connectors to the profile before you
add Agents and save the profile. Otherwise the profile contains no connectors, and when you
save it every Agent in the profile loses its connectors.
 l LEM Manager – Click the Manager drop-down list and select the Manager that will host the
group. If you are editing an existing group, this field displays the Manager currently hosting
the profile. If your targeted Manager is not included in the list, click Manage > Appliances and
log on to the Manager. You must be logged on to a Manager to create groups.
 l Save – Click Save to save your changes.

 5. Click Save.


The new connector profile appears in the Groups grid.


Step 2: Select the Agents that are members of the profile


Before you begin, be sure that the connector profile you created in step 1 is selected in the Groups grid.

The Connector Profile form contains two columns:

 l Available Agents list each Agent that is not in the connector profile for the associated Manager.
 l Contained Agents list the Agents included in the connector profile.

To add Agents to a Connector Profile:

 1. In the Groups grid, locate and double-click the new connector profile.
The profile appears in the Connector Profile form. The Agent you selected as a template appears in the
Contained Agents list by default.
 2. Add or remove Agents from your connector profile.
Click the arrow buttons to move one or all of the selected Agents from the Available Agents column to
the Contained Agents column. These Agents are added to the connector profile.
Click the arrow buttons to move one or all of the selected Agents from the Contained Agents column to
the Available Agents column. These Agents are removed from the connector profile.
 3. Click Save.
The system applies the configuration to every Agent you added to the profile.
If you remove an Agent from a connector profile that was previously saved with that profile, the
Agent retains the connector configuration from the profile but is no longer a member of the profile.

Step 3: Verify the connector status


Some Agents in a connector profile will not use the same logging path for a particular connector. Be sure
to check the configured connector status of each Agent. If the connector status icon shows Stopped, the
connector is not running and may have a different logging path. To resolve this issue, add another
connector instance to the profile connector catalog that points to an alternate logging path, or create a
new profile with an alternate logging path.

Edit LEM Agent connector-profile settings
This topic describes how to clone or edit a connector profile, and how to add, edit, or delete the connector
instances associated with a connector profile.

In this topic:

  • Open the connector profile settings for editing 140

• Clone a connector-profile instance 140

• Editing a connector profile instance 141

• Edit the connector-profile settings 141

• Add additional connectors to a connector profile 144

See also:

 l "Create connector profiles to manage and monitor LEM Agents" on page 135

Open the connector profile settings for editing


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Open the Build > Groups view.
 3. In the Groups grid, locate the connector profile you want to edit.
 4. Click and select Edit.
The Connector Profile pane opens at the bottom of the page, displaying the Agents in the profile.

Clone a connector-profile instance


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Open the Build > Groups view.
 3. In the Groups grid, locate the connector profile you want to clone.
 4. Click and select Clone.
The Groups grid displays a new instance of the connector profile.
 5. See "Edit the connector-profile settings" on the next page to change the settings of the cloned
connector profile.


Editing a connector profile instance


Use the Edit Connectors command in the connector profile form to add, edit, or delete the connector
instances associated with the profile.

Changing a connector profile changes the connector configuration of every Agent associated with
the profile.

When you edit an Agent, you must stop and start each connector instance to edit the running Agent's
configuration. When you edit a connector profile configuration, stopping or starting each connector
instance is not required, but you must activate your changes.

When you edit the connector configuration in a connector profile, you are modifying the profile
configuration data, not the actual Agent. When you edit a connector profile, you do not change the Agents
that are members of the profile until you click Activate. After you activate the profile, the system
automatically updates all Agents that are members of the profile, stops each connector instance, makes
the necessary changes, and then restarts each connector instance.

Edit the connector-profile settings


Before you begin, see "Editing a connector profile instance" above.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Open the Build > Groups view.
 3. In the Groups grid, locate the connector profile you want to edit.
 4. Click and select Edit.
 5. In the Properties form, update the connector settings, as needed.

FIELD DESCRIPTION
Name: Enter a name for the connector profile.

Description: Briefly describe the connector profile.

LEM Manager: This field is read only. To copy a connector profile for use with another LEM Manager,
export the profile and then import it into the other Manager's Groups grid. See "Export a group" on
page 213 for steps.

Available Agents / Contained Agents: Add or remove Agents from your connector profile.
An Agent can only be a member of one connector profile. You cannot add an Agent to multiple
connector profiles.
Click or to move one or all selected Agents from the Available Agents column to the Contained
Agents column. These Agents are added to the connector profile.
Click or to move one or all selected Agents from the Contained Agents column to the Available
Agents column. These Agents are removed from the connector profile.

Edit Connectors: Click Edit Connectors (in the bottom left corner of the Connector Profile pane) to
edit the connectors in the connector profile.
 1. Find the connector to configure:
 l Type part of the connector name in the search box, or use the filter menus in the Refine
Results pane.
 l To restrict the list to only configured connectors, select Configured.
 2. Click next to the connector instance, and then select New.
 3. Complete the connector configuration form. The following fields are common across most
connectors:
 l Alias: Enter a "user friendly" label for your connectors.
 l Log File: Enter the location of the log file that the connector will normalize. This is a location
on either the local computer (Agents), or the LEM appliance (non-Agent devices).
 l Output, nDepth Host, and nDepth Port: You only need to configure these values if LEM is
configured to save raw (un-normalized) log messages.
 4. Click Save, and then choose from the following:
 l Click Activate to apply your changes to all Agents associated with the connector profile.
 l Click Discard to discard your changes and reload the previous connectors configuration.
 5. Click Close to close the Connector Configuration form and return to the Groups grid.

Save: Click Save to save your changes.

 6. Click Save to save the connector profile.


 7. Click Activate to apply your changes to all Agents associated with the connector profile. Click Discard
to discard your changes and reload the previous connectors configuration.
At times, not all of the Agents in a profile will use the same logging path for a particular connector.
You can verify this by checking the Agent’s configured connector status. If a connector has a not
running status, the connector may have a different logging path.
To correct this problem, you may want to add another instance to the connector profile’s connector
catalog that points to the alternative logging path. You can also create a new profile that has the
alternative logging path.
 8. Repeat this procedure for each connector instance you want to reconfigure.
 9. Click Close to return to the Groups grid.

Add additional connectors to a connector profile


See "Edit the connector-profile settings" on page 141 and click Edit Connectors when you update the
connector settings.


Add syslog and Agent nodes to LEM


This topic documents several different ways you can add syslog and Agent nodes to LEM so that LEM can
monitor their events.

In this section:

  • Add a syslog node to LEM using the "Add Node" wizard 145

• Use "Scan for new nodes" to find new syslog sources and add connectors 145

• Manually add a new Agent or syslog node connector 147

• Other ways to add nodes to LEM 147

Add a syslog node to LEM using the "Add Node" wizard


Complete these steps to add a syslog node to monitor a network device. The wizard locates the new node
for you and recommends the appropriate connector.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Choose Manage > Nodes.
 3. Click Add Node.
 4. Select Syslog node.
 5. Enter the IP Address of the node.
 6. Select the node vendor from the list.
 7. Configure the node so LEM can receive syslog messages.
 8. Select the I have configured this node so that LEM can receive its Syslog messages check box.
 9. Click Next.
LEM scans for new devices.

Use "Scan for new nodes" to find new syslog sources and add connectors
Use the Scan for New Nodes feature to configure and enable multiple connectors simultaneously.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click the Ops Center view and locate the Node Health widget.

 3. Click Scan for New Nodes in the widget toolbar.

LEM begins scanning for new nodes in your network. If new nodes are found, the New Connector(s)
found banner displays in the console. Otherwise, the No nodes found banner displays.

This process may require several minutes to complete. During the scan, a message displays
indicating that the scan is continuing in the background. A progress bar also displays at the
bottom of the console.

 4. Click View Now.

 5. Select the recommended connectors you want to install, and then click Next.
Hover your cursor over the connector name for details.

 6. Review the Summary information, and then click Finish.

The Nodes grid displays with the new nodes.


Click Monitor to view the events collected from the new nodes.
 7. Click Manage > Appliances.
 8. Click and select Connectors.


 9. In the Refine Results pane, enter a keyword for your new connector.

 10. Locate your connector in the list.

 11. Click next to the connector and select Edit.


 12. Edit your connector settings as required, and then click Save.
The node connector is enabled.

Manually add a new Agent or syslog node connector


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Manage > Nodes.
 3. Locate the nodes in the Nodes grid that are monitored by LEM.
 4. Click next to your targeted node and select Connectors.
 5. Search Agent nodes by category or use the search box to locate a node by keyword.
 6. Click next to a search result and select New.
 7. Configure the new node.
 8. Click Start to start the node.

Other ways to add nodes to LEM


You can add nodes from the Getting Started wizard by clicking Add Nodes to Monitor.

A dialog box prompts you to choose the type of node you want to add.

Click the drop-down menu, select an Agent or non-Agent node to monitor, and follow the instructions to
add the monitored node.

You can also click Add Node in the Node Health widget to perform the same function.


Updating LEM Agents


This topic describes how to update LEM Agents on remote or local Windows computers.

In this topic:

• Manually update LEM Agents on Windows installations using the LEM Local Agent Installer 149

• Manually upgrade LEM Agents on Unix, Linux, Mac, and Windows hosts using LEM Remote Agent
Installers 150

• Download the LEM Remote Agent Installer 150

• Run the LEM Remote Agent installer 150

Manually update LEM Agents on Windows installations using the LEM Local Agent Installer
Check the LEM release notes or ReadMe file first to be sure that the LEM Agent version you are
planning to install is compatible with your installed LEM Manager version.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Manage > Nodes, and then select Agent.
 3. In the Nodes pane, select the LEM Agent(s) to upgrade. Press <Ctrl> when you click to select more
than one Agent.
 4. Select Add Node, and then select Agent node.
 5. Select one of the following:
 l Select Remote Installation if you need to push SolarWinds Log & Event Manager Agents to
Microsoft Windows hosts across your network.
 l Select Local Installation if you will log in to the device that you want to install the Agent(s) on.
 6. If installing locally:
 a. Copy the setup.exe file to the computer's local hard drive.
Security settings in newer versions of Windows may require you to copy the setup.exe files to
the local hard drive on the computer.
 b. Log in to the computer, right-click the installer, select Run as administrator, and complete the
installation wizard.

Manually upgrade LEM Agents on Unix, Linux, Mac, and Windows hosts
using LEM Remote Agent Installers
If you are installing LEM Agents on the far end of a WAN link, copy the Remote Agent Installer executable to
the end of the WAN link and run it there. This will avoid using your WAN bandwidth to copy LEM Agents
multiple times.

Check the LEM release notes or ReadMe file first to be sure that the LEM Agent version you are
planning to install is compatible with your installed LEM Manager version.

Download the LEM Remote Agent Installer


The following LEM Agent installers are available from the SolarWinds customer portal:

 l Windows Agent Installer
 l Windows Remote Agent Installer
 l Linux Agent Installer (32-bit)
 l Linux Agent Installer (64-bit)
 l AIX Agent Installer
 l HPUX Itanium Agent Installer
 l Solaris Intel Agent Installer
 l Solaris Agent Installer
 l Mac OS X Agent Installer

Run the LEM Remote Agent installer


 1. Extract the contents of the installer zip file to a local or network location.
 2. Run inremagent.exe.
 3. Click Next to start the installation wizard.
 4. Accept the End User License Agreement if you agree, and then click Next.
 5. Specify a temporary folder on your computer to use for the installation process and click Next. The
default is C:\SolarWindsLEMMultiInstall.
 6. Enter the hostname of your LEM Manager in the Manager Name field and click Next. Do not change
the default port values.

Use the fully qualified domain name for your LEM Manager when you deploy LEM Agents on a
different domain. For example, enter LEMhostname.SolarWinds.com.


 7. Select Get hosts automatically or Get hosts from file (One host per line) and click OK.
 l Get hosts automatically uses a NetBIOS broadcast to identify hosts on the same subnet and
domain as the computer running the installer.
 l Get hosts from file (One host per line) prompts you to browse for a text file that includes the
hosts on which you want to install LEM Agents. Use this option for any of the following
reasons:
 l You are deploying LEM Agents to computers on a different subnet than that on which
the computer running the installer resides. Your computer may be able to access these
subnets, but their hosts will not be recognized by the NetBIOS broadcast used to get
hosts automatically.
 l You are deploying LEM Agents to a small segment of a large network, which could make
choosing them from a list time prohibitive.
 l You are deploying LEM Agents in a network with a complex naming scheme, which
could make choosing hosts from a list time prohibitive.

The text file used for this option can contain hostnames, fully qualified domain
names or IP addresses, each on their own lines. If DNS names are used, the
computer running the installer must be able to resolve them.

 8. Select the checkboxes next to the computers on which you want to install a LEM Agent.
 9. Click Next.
 10. Confirm the list provided is correct and click Next again.
 11. Specify the Windows destination for the remote installation.
 l The default paths are provided for all supported Windows systems. We strongly recommend
using the default paths, as the LEM Agent may not be recognized as a service by Windows if it
is not installed in a system folder.
 l The installer is set to automatically detect host operating systems by default, but you can also
specify an operating system if all of the target hosts are running the same one.
 12. Click Next.
 13. Specify whether or not you want to install USB-Defender with the LEM Agent and click Next. The
installer will include USB-Defender by default. To omit this from the installation, clear the Install
USB-Defender checkbox.

SolarWinds recommends installing USB-Defender on every system. USB-Defender will never
detach a USB device unless you have explicitly enabled a rule to do so. By default, USB-Defender
simply generates alerts for USB mass storage devices attached to your LEM Agents.

 14. Confirm the settings on the Pre-Installation Summary and click Install.
 15. Click Next after the installer extracts the installation files to the temporary directory.

The installer copies the extracted files to the installation directory.

After installation, the Agent automatically starts on each host. The installer removes the temporary
installation directory from your computer.
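The host list used by the Get hosts from file option in step 7 has a small contract: one hostname, fully qualified domain name, or IP address per line, and every DNS name must resolve from the computer running the installer. The following Python script is an added example, not SolarWinds code; it checks a candidate file against those rules so that unresolvable, malformed, or duplicate entries are caught before you browse to the file in the wizard. The sample file contents and the offline stand-in resolver are constructed for the example; skipping blank lines is this script's own convention, not a documented installer feature.

```python
"""Pre-flight check for a LEM Remote Agent Installer host list.

Added example, not SolarWinds code. The installer's "Get hosts from file"
option reads one hostname, fully qualified domain name or IP address per
line, and any DNS name must resolve from the computer running the installer.
This script applies those rules to a candidate file before you browse to it
in the wizard. Blank lines are skipped here; that is this script's
convention, not a documented feature of the installer.
"""
import ipaddress
import socket
from typing import Callable, Dict, List

Resolver = Callable[[str], str]


def classify_entry(entry: str) -> str:
    """Return 'ip', 'fqdn', 'hostname' or 'invalid' for one line of the file."""
    try:
        ipaddress.ip_address(entry)
        return "ip"
    except ValueError:
        pass
    labels = entry.split(".")
    for label in labels:
        # Host labels: letters, digits and hyphens, no leading/trailing hyphen.
        if not label or label.startswith("-") or label.endswith("-"):
            return "invalid"
        if not label.replace("-", "").isalnum():
            return "invalid"
    return "fqdn" if len(labels) > 1 else "hostname"


def check_host_list(text: str, resolve: Resolver = socket.gethostbyname) -> Dict[str, List[str]]:
    """Validate the contents of a host-list file and return a report.

    Report keys:
      ok          entries the installer can use as written
      unresolved  DNS names the resolver could not resolve
      invalid     entries that are neither an IP address nor a valid DNS name
      short_names bare hostnames (resolved, but not fully qualified; the
                  guide recommends FQDNs when targets are in another domain)
      duplicates  entries that repeat an earlier line
    """
    report: Dict[str, List[str]] = {
        "ok": [], "unresolved": [], "invalid": [], "short_names": [], "duplicates": []
    }
    seen = set()
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry:
            continue
        key = entry.lower()
        if key in seen:
            report["duplicates"].append(entry)
            continue
        seen.add(key)
        kind = classify_entry(entry)
        if kind == "invalid":
            report["invalid"].append(entry)
            continue
        if kind == "ip":
            report["ok"].append(entry)
            continue
        try:
            resolve(entry)
        except OSError:  # socket.gaierror is a subclass of OSError
            report["unresolved"].append(entry)
            continue
        report["ok"].append(entry)
        if kind == "hostname":
            report["short_names"].append(entry)
    return report


# Constructed sample file contents; none of these hosts exist.
SAMPLE_HOST_LIST = """\
fileserver01.corp.example.com
10.20.30.40
webbox
bad_host!name
10.20.30.40
printsrv.branch.example.com
"""


def sample_resolver(name: str) -> str:
    """Offline stand-in for DNS so the example runs without a network."""
    table = {"fileserver01.corp.example.com": "10.20.30.41", "webbox": "10.20.30.42"}
    if name in table:
        return table[name]
    raise socket.gaierror(f"constructed failure: cannot resolve {name}")


if __name__ == "__main__":
    # Replace SAMPLE_HOST_LIST with open(path).read() and drop the resolve
    # argument to check a real file against the installer machine's DNS.
    result = check_host_list(SAMPLE_HOST_LIST, resolve=sample_resolver)
    for category, entries in result.items():
        print(f"{category:12s} {', '.join(entries) or '-'}")
```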


Set up a separate syslog server for use with LEM


This topic describes how to add a separate syslog server to LEM. The LEM VM includes a syslog server, but
you can add a separate syslog server.

This procedure uses the Node Health widget in the Ops Center to set up your syslog server. You can also
click "Add Nodes to Monitor" in the Getting Started widget to set up your syslog server.

You can monitor your switches, routers, and firewalls using a syslog server. This server collects and sends
syslog messages from non-Agent devices to the LEM Manager over TCP or UDP. Log & Event Manager uses
this information to monitor syslog events and displays all events in the Monitor view.

Each device is paired with a connector, enabling Log & Event Manager to parse messages from the syslog
server and normalize the log message content to a LEM event.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Ops Center and locate the Node Health widget.
 3. In the widget toolbar, click Add Node.

 4. Select Syslog node in the Specify Nodes to Add screen.

 5. Enter your syslog server IP address. This device will send syslog event logs to the LEM Manager.

 6. Click the Node Vendor drop-down menu and select the node vendor.

 7. Follow the instructions in the window to configure your node and send syslog messages to the LEM
appliance.

If you need help enabling syslog, click the vendor link.


If the vendor is not in the list, click Other vendors to access the SolarWinds Knowledge Base.

 8. After you configure the node, select the check box in the window and click Next.

The wizard locates the new node and recommends the appropriate connector.

Connectors enable Log & Event Manager to parse messages from syslog devices and
normalize the original log message content to a LEM event.

If the LEM virtual appliance receives logs from the new device, it automatically detects and presents
the device name or IP address.
 9. Click Finish to confirm the device is identified correctly.
The syslog node displays in the Node Health widget.
 10. (Optional) Based on your LEM deployment architecture, repeat this procedure to add a second
syslog server in a multiple location deployment with two or more syslog servers.


LEM connectors: Normalize events sent from specific products on your network
Configure connectors to intercept events sent from a specific product on your network and convert those
events into normalized messages that LEM can understand.

In this chapter:

  • Configuring LEM connectors for Agent and non-Agent devices 156

• Manage LEM connectors: start, stop, edit, and more 159

• Apply a LEM connector update package 164

• LEM connector categories 167

Configuring LEM connectors for Agent and non-Agent
devices
This topic describes how to configure LEM connectors.

In this topic:

• Configure connectors for the devices that you want to monitor with LEM 156

• Configure LEM Manager connectors 157

• Configure the sensor and actor connectors for each LEM Agent 157

• Configure Agent connectors 158

• Use connector profiles to configure multiple Agents 158

Configure connectors for the devices that you want to monitor with LEM
 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Choose from the following:
 l To configure Agent connectors, choose Manage > Nodes.
 l To configure non-Agent connectors, choose Manage > Appliances.
 3. Click next to the LEM Agent or LEM Manager instance that you want to configure, and then select
Connectors.
 4. Find the connector to configure:
 l Type part of the connector name in the search box, or use the filter menus in the Refine
Results pane.
 l To restrict the list to only configured connectors, select Configured.
 5. Click next to the connector instance, and then select New.
 6. Complete the connector configuration form. The following fields are common across most
connectors:
 l Alias: Enter a "user friendly" label for your connectors.
 l Log File: Enter the location of the log file that the connector will normalize. This is a location on
either the local computer (Agents), or the LEM appliance (non-Agent devices).
 l Output, nDepth Host, and nDepth Port: You only need to configure these values if LEM is
configured to save raw (un-normalized) log messages.
 7. Click Save.


 8. In the Tools list, click the gear icon next to the new connector (denoted by an icon in the Status
column), and then select Start.
 9. Verify that the connector is working:
 a. Click Monitor on the Console navigation bar.
 b. Check the SolarWinds Events filter to verify the connector started.
 c. Create a filter to test the new connector. For example, check the default Firewall filter after
configuring your firewall connector.

Configure LEM Manager connectors


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Choose Manage > Appliances.
 3. Open the Connector Configuration for [Manager] form.
 4. Add a connector instance for each product event log source.
 5. When you are finished, start the connector instance.
 6. Repeat Steps 6 and 7 for each product or device logging to the Manager computer.
 7. Repeat Steps 4–8 for each Manager until you configured connectors for each point on your network.

Configure the sensor and actor connectors for each LEM Agent
Use the connector configuration form to connect the Agent connector to the target product that is either
installed on, or remotely logging to the Agent computer. After configuring the Agent connectors, the
Manager can monitor and interact with the products and devices on that computer.

Agent connectors run locally to monitor log files, as well as data logged to the Agent computer from remote
devices that cannot run an Agent. The active response connectors (actors) allow the Agent to receive
instructions from the Manager and perform active responses locally on the Agent computer, such as
sending pop-up messages or detaching USB devices.

Connectors grid icons


The following table describes the icons used in the Connectors grid.

ICON DESCRIPTION
A product sensor. The sensor displays the name of the product it is designed to monitor.

A product actor that performs an active response. The actor displays the name of the product it
is designed to interact with.

A configured instance of a sensor connector. The Status column displays Stopped or Running
for each instance.

A configured instance of an actor connector. The Status column displays Stopped or Running
for each instance.

Configure Agent connectors


Follow this procedure to configure the connectors (sensors and actors) used by the Agent to monitor and
interact with each network security product and device running on the Agent computer.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Open the Manage > Nodes view.
 3. Search for the IP address or host in the Nodes grid.
 4. Click beside the hostname or IP address, and select Connectors.
 5. In the Refine Results pane, enter a search term that describes the connector you need.
 6. Click beside your targeted connector and select New.
 7. Complete the connector information form, and then click Save.

Some connectors require the exact path of the Windows log and some just read the Windows
Event Viewer logs.

 8. When you are finished, start the connector instance.


 9. Repeat steps 3 through 7 for each product or device that the Agent is monitoring on the Agent
computer.
If you are not using connector profiles, repeat steps 2 through 7 for each Agent until you have
configured the connectors for each point on your network. If you are using connector profiles, you
can use a configured Agent as a template for a connector profile.

Use connector profiles to configure multiple Agents


Most Agents in a network include a few different connector configurations. You can streamline your
connector configuration process by creating connector profiles. A connector profile groups Agents that
share the same connector configuration.

For more information, see "Create connector profiles to manage and monitor LEM Agents" on page 135.


Manage LEM connectors: start, stop, edit, and more


This topic describes how to work with LEM connectors.

In this topic:

  • Open a connector configuration form 159

• Find a connector 160

• Add a new connector instance 160

• Start a connector instance 162

• Stop a connector instance 162

• Edit a connector instance 162

• Delete a connector instance 163

Use the Connector configuration form to:

 l Configure and manage the LEM Manager sensor, actor, and notification connectors.
 l Configure and manage the Agent sensor and actor connectors.
 l Change the connectors configured in the Agent Connectors Profile.
To change a Connector Profile's membership and properties, edit the Connector Profile in the Build >
Groups view.

You must be logged in to a Manager before you can configure its connectors or its Agents’
connectors.

Open a connector configuration form


Use this form to add connector instances for each network security product or device the Manager or
Agent monitors or interacts with on the Manager computer.

Open a Manager connector configuration form


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Manage > Appliances.
 3. Locate your targeted Manager in the Appliances grid.
 4. Click and log in to the Manager (if required).

 5. Click and select Connectors.
Use this form to open an existing connector or add a new connector instance. See Find a connector
or Add a new connector instance below for steps.

Open an Agent’s connector configuration form


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Manage > Nodes.
 3. In the Nodes grid, locate an Agent.
 4. Click and select Connectors.
If the Agent is not in a connector profile, the Connector Configuration for [Agent] form displays.
If the Agent is in a connector profile, the Agent Connector Configuration prompt appears. A prompt
warns you that the Agent belongs to a connector profile.

Find a connector
 1. Open the connector configuration form. See "Open a connector configuration form" on the previous
page for help.
The Connector Configuration form opens.
 2. Search for a connector as follows:
 l To view all configured connectors: Leave the search box empty, choose All from the
Category and Status menus, and select the Configured option.
 l To search for a connector by name: Enter part of the name in the search box on the Refine
Results pane.
 l To view all of the connectors in a category: Leave the search box empty and choose from
the Category menu.
 l To view all of the connectors that are either stopped or running: Leave the search box
empty, choose All from the Category menu, and choose Running or Stopped from the Status
menu.
The Connectors grid updates to show the matching connectors.

Add a new connector instance


Use the Connector Configuration form to configure the connection settings for:

 l Each sensor that collects data from a network security product's event logs.
 l Each actor that initiates an active response from a network security product or device.


Each sensor or actor connector configuration is a connector instance. Most products write to one log
source and require a single connector instance. However, some products write to more than one log file.
For these products, create separate connector instances for each log source. When a product requires
more than one instance, you can differentiate between them by assigning each instance to a unique name
called an alias.

 1. Open the connector configuration form for a Manager or Agent. See "Open a connector
configuration form" on page 159 for help.
 2. Use the Refine Results pane to select a connector Category.
 3. In the Connectors grid, select a connector to configure.
 l The icon indicates a sensor connector.
 l The icon indicates an actor connector.
 4. Click and select New.
A form displays under the Connectors grid.
The fields on the form vary for each connector. For new instances, the form displays the default
connector settings required to configure the product or device. In most cases, you can save the
connector with its default settings. However, you can change the settings as required.
 5. Complete the Properties form as required.

Hover over each selection to view the tooltip.

 6. Click Save to save the connector configuration as a new connector instance.
 l If you configured a sensor, a sensor connector instance icon displays below the connector.
 l If you configured an actor, an actor connector instance icon appears below the connector.
 l The icon in the Status column indicates the connector instance is stopped. All new
connector instances automatically have a Stopped status.
 7. Start the connector instance.
Click and select Start.
The system starts the connector instance, and the connector Status icon changes to a Started icon.
 8. Repeat steps three through seven for each additional connector instance required to integrate this
product or device with LEM.

Start a connector instance
When you finish adding or reconfiguring a connector instance, start the connector instance to enable the
connector configuration.

When you start a sensor connector instance, the sensor starts monitoring the product event log. When you
start an actor connector instance, the actor starts initiating active responses on the product when
requested by policy.

 1. Open the connector configuration form for your targeted Manager or Agent.
 2. In the Connectors grid, select the connector instance you want to start.
 3. Click and select Start.
The system starts the connector instance, and the Status icon changes to a Started icon.

If the connector fails to start, the console displays a warning or failure event that describes the problem.
Normally, connectors fail to start because:

 l The network security device log file does not exist.
 l The Agent does not have permission to access the file.

Stop a connector instance


Stop a connector instance before you edit or delete a connector instance. This process prevents the
connector from gathering data for the console and initiating active responses on a network security
product or notification system. After a connector instance is stopped, you can edit, delete, or restart the
instance as required. The connector instance remains stopped until you restart the instance.

 1. Open the Connector Configuration form for your targeted Manager or Agent.
 2. In the Connectors grid, select the connector instance you want to stop.
 3. Click and select Stop.
The system stops the connector instance, and the Status icon changes to a Stopped icon.

Edit a connector instance

You can edit the configuration settings of an existing connector instance, but you cannot edit its name (alias). If
you need to rename a connector instance, delete the current connector instance and create a new
instance with the new name. You cannot edit the log file value for some Windows event log sensors.

 1. Open the Connector Configuration form for the targeted Manager or Agent.
 2. In the Connectors grid, select your targeted connector instance.
 3. Click and select Stop.
The system stops the connector instance, and the Status icon changes to a Stopped icon.
 4. Click and select Edit.
 5. Update the connector settings in the Properties form as required.
 6. Click Save.
 7. Click and select Start.
The system starts the connector instance, and the Status icon changes to a Started icon.

Delete a connector instance

You can delete an obsolete or incorrect connector instance when required.

 1. Open the Connector Configuration form for the targeted Manager or Agent.
 2. In the Connectors grid, select the connector instance you want to delete.
 3. Click and select Stop.
The system stops the connector instance, and the Status icon changes to a Stopped icon.
 4. Click and select Delete.
 5. When prompted, click Yes to confirm the delete.
The connector instance disappears from the Connectors grid.

Do not recreate the connector until it is completely removed. This process may require up to
two minutes to complete.

Apply a LEM connector update package
This topic documents different options for updating LEM connectors.

In this topic:

• Enable global automatic connector updates 164
• Update connectors on-demand 164
• Update LEM connectors manually using the CMC interface 165
• Troubleshooting LEM connector upgrades 165

Enable global automatic connector updates

When enabled, this feature automatically updates Agents as they connect.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Choose Manage > Appliances.
 3. Click the Settings tab in the Properties pane.
 4. Select "Enable Global Automatic Updates" under the Remote Updates heading.

Update connectors on-demand

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Choose Manage > Appliances.
 3. In the Appliances toolbar, click the Connector Updates drop-down menu and select Update now.


Update LEM connectors manually using the CMC interface

Customer Support occasionally provides stand-alone connector updates to address unmatched data alerts
in your environment.

 1. Go to the SolarWinds Customer Portal and download the Connector Update package from the
Additional Components page.
 2. Prepare the update package:
 a. Open the SolarWinds-LEM-Connectors folder.
 b. Copy the LEM folder to the root of a network share. For example: C:\share\LEM\.
 3. Open the CMC command line. See "Log in to the LEM CMC command line interface" on page 34 for
steps.
 4. At the cmc> prompt, enter manager.
 5. At the cmc::manager> prompt, enter sensortoolupgrade.
 6. Press the Enter key to start the upgrade process.
 7. Enter n to indicate that the update is located on the network.
 8. Press the Enter key to continue.
 9. Enter the path to the network share where the update package is located. Specify the path using the
following UNC format: \\server\volume\file
 10. Enter y to confirm your entry.
 11. Enter the domain and user name for a user that can access the share. Use the following format:
domain\user
 12. Enter y to confirm your entry.
 13. Enter the password for the user.
Re-enter the password to confirm your entry.
 14. Enter 1 to start the update.
The update will take several minutes.
Verify that the configured connectors restart after they are updated by watching for
InternalToolOnline alerts in the default SolarWinds Alerts filter in the LEM console.
 15. After the update is finished, type exit twice to exit the CMC interface.

Troubleshooting LEM connector upgrades

During the update process, the update script restarts all configured LEM connectors. In most cases,
restarted connectors trigger one offline and one online alert in your LEM console.

An InternalWarning alert may appear, indicating that a connector started at the beginning of the
corresponding log file. This alert may be caused by:

 l An unnecessary connector. For example, you could have an NT DNS connector configured on a
server that is not running the DNS service.
 l A misconfigured connector. For example, you could have a connector pointing to the wrong
location for the requisite log file.
 l The device associated with the connector rotated its logs while the connector was offline.

Below is the event information for the InternalWarning alert.

EventInfo: -1:Start location was -1. Init set to 'newest' record, record
info: 1 - 193 (101 - 293) @ -1. InsertionIP: lab-vm-exc10.lab.exc Manager:
lem DetectionIP: 10.0.0.1 InsertionTime: 11:51:04 Thu Jun 16 2016
DetectionTime: 11:51:04 Thu Jun 16 2016 Severity: 2 ToolAlias: NT DNS
InferenceRule: ProviderSID: FASTCenter normal error ExtraneousInfo:
Component: FASTCenter:NT DNS Description: -1:Start location was -1. Init set
to 'newest' record, record info: 1 - 193 (101 - 293) @ -1. Detail:
StackTrace:
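As an added example (not from the guide and not SolarWinds code), the following Python parses alert dumps in the format shown above, flags the "Start location was -1" warning, and counts how often each connector reports it, so that a connector that keeps resetting (the unnecessary or misconfigured cases listed above) stands out from the single restart expected during an update. The first sample is the guide's alert; the other two are constructed.

```python
import re
from collections import Counter

# Field names in the order they appear in the alert text quoted in this guide.
ALERT_FIELDS = (
    "EventInfo", "InsertionIP", "Manager", "DetectionIP", "InsertionTime",
    "DetectionTime", "Severity", "ToolAlias", "InferenceRule", "ProviderSID",
    "ExtraneousInfo", "Component", "Description", "Detail", "StackTrace",
)
# Only a known field name followed by a colon starts a field: values such as
# "-1:Start", "11:51:04" and "FASTCenter:NT DNS" contain colons of their own.
# (An alias that itself contains one of these names would confuse the split.)
_FIELD_RE = re.compile(r"\b(" + "|".join(ALERT_FIELDS) + r"):")

# The message text the guide describes: the connector lost its read position
# and initialised at the newest record of its log.
_LOG_RESET_RE = re.compile(r"Start location was -1\. Init set to 'newest' record")

# The InternalWarning alert quoted in this guide (NT DNS connector on 10.0.0.1).
GUIDE_ALERT = """EventInfo: -1:Start location was -1. Init set to 'newest' record, record
info: 1 - 193 (101 - 293) @ -1. InsertionIP: lab-vm-exc10.lab.exc Manager:
lem DetectionIP: 10.0.0.1 InsertionTime: 11:51:04 Thu Jun 16 2016
DetectionTime: 11:51:04 Thu Jun 16 2016 Severity: 2 ToolAlias: NT DNS
InferenceRule: ProviderSID: FASTCenter normal error ExtraneousInfo:
Component: FASTCenter:NT DNS Description: -1:Start location was -1. Init set
to 'newest' record, record info: 1 - 193 (101 - 293) @ -1. Detail:
StackTrace:"""

# Constructed samples: the same connector a minute later, and a different
# connector (NT DHCP on 10.0.0.2) that reported a normal, non-reset start.
CONSTRUCTED_REPEAT = GUIDE_ALERT.replace("11:51:04", "11:52:04")
CONSTRUCTED_OTHER = (
    "EventInfo: 0:Start location was 512. InsertionIP: lab-vm-exc10.lab.exc "
    "Manager: lem DetectionIP: 10.0.0.2 InsertionTime: 11:53:00 Thu Jun 16 2016 "
    "DetectionTime: 11:53:00 Thu Jun 16 2016 Severity: 2 ToolAlias: NT DHCP "
    "InferenceRule: ProviderSID: FASTCenter normal error ExtraneousInfo: "
    "Component: FASTCenter:NT DHCP Description: 0:Start location was 512. "
    "Detail: StackTrace:"
)


def parse_alert(text):
    """Split one alert dump into {field: value}; fields with no value map to ''."""
    flat = " ".join(text.split())  # undo the console's line wrapping
    hits = list(_FIELD_RE.finditer(flat))
    fields = {}
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(flat)
        fields[hit.group(1)] = flat[hit.end():end].strip()
    return fields


def started_at_log_beginning(fields):
    """True when EventInfo says the connector reset to the start of its log."""
    return bool(_LOG_RESET_RE.search(fields.get("EventInfo", "")))


def repeat_offenders(alert_texts, threshold=2):
    """Count reset warnings per (ToolAlias, DetectionIP) and return those seen
    at least `threshold` times. One warning per connector is normal during a
    connector update; repeats outside an update window point at an unnecessary
    or misconfigured connector, or a device that rotated its logs."""
    counts = Counter()
    for text in alert_texts:
        fields = parse_alert(text)
        if fields.get("ToolAlias") and started_at_log_beginning(fields):
            counts[(fields["ToolAlias"], fields.get("DetectionIP", ""))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    samples = [GUIDE_ALERT, CONSTRUCTED_REPEAT, CONSTRUCTED_OTHER]
    for (alias, ip), n in repeat_offenders(samples).items():
        print(f"{alias} on {ip}: {n} log-reset warnings")  # NT DNS on 10.0.0.1: 2 log-reset warnings
```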


LEM connector categories

The table in this section describes the various categories of network security products that can be
connected to LEM. The Description column describes how the connectors (sensors and actors) typically
work with each type of product or device. The Use with columns indicate if each product type requires
Manager connectors, Agent connectors, or both.

CATEGORY (USE WITH: MANAGERS AGENTS)
DESCRIPTION

Anti-Virus ● ●
This category lets you configure sensors for use with common anti-virus products. These products protect against, isolate, and remove viruses, worms, and Trojan programs from computer systems.
To configure an anti-virus connector, the anti-virus software must be currently installed on the Agent computer.
Some anti-virus connectors can also be run on the Manager by remotely logging from an Anti-Virus server.
Due to software conflicts, SolarWinds recommends running only one brand of anti-virus software per computer.

Application Switch ●
This category lets you configure sensors for use with application switches. Application-layer switches transmit and monitor data at the application layer.

Database ● ●
This category lets you configure sensors for use with database auditing products. These products monitor databases for potential database intrusions, changes, and database system events.

File Transfer and Sharing ●
This category lets you configure sensors for use with file transfer and file sharing products. These products are used to share files over the local network and the Internet. Monitoring these products provides information about what files are transferred, by whom, and system events.

Firewalls ● ●
This category lets you configure sensors and actors for use with applications and devices used to protect and isolate networks from other networks and the Internet.
Firewall sensors connect to, read, and retrieve firewall logs. Most firewalls also have an active response connector. These connectors configure actors that interface with routers and firewalls to perform block commands. Actors can perform active responses either via telnet or a serial or console cable. Normally, you will configure these connectors on the Manager.
To configure a firewall connector, the firewall product must already be installed on the Agent computer, or it must be remotely logging to an Agent or Manager. Normally, you will configure these connectors on the Manager.
You must also configure each firewall’s data gathering and active response capabilities separately. For example, configuring a firewall’s data gathering capabilities does not configure the firewall’s active response settings.

Identity and Access Management ●
This category lets you configure sensors for use with identity access, identity management, and other single sign-on connectors. These products provide authentication and single sign-on capabilities, account management, and other user access features. Monitoring these products provides information about authentication and management of accounts.

IDS and IPS ● ●
This category lets you configure sensors and actors for use with network-based and host-based intrusion detection systems. These products provide information about potential threats on the network or host, and can be used to raise alarms about possible intrusions, misconfigurations, or network issues.
Generally, network-based IDS and IPS connectors are configured to log remotely, while host-based IDS and IPS systems log locally on an Agent system. Some network-based IPS systems provide the capability to perform an active response via their actor connector, allowing you to block an IP address at the IPS device.

Manager ●
This category lets you configure sensors for use with the Manager and other Appliances. These connectors monitor for conditions on the Manager that may be informational or display potential problems with the appliances.

Network Management ● ●
This category lets you configure sensors for use with network management connectors. These connectors monitor for different types of network activity from users on the network, such as workstation-level process and application monitoring. Generally, these systems are configured to log remotely from a central monitoring server.

Network Services ● ●
This category lets you configure sensors for use with different network services. These connectors monitor service-level activity for different network services, including DNS and DHCP. Most network services are configured to log locally on an Agent's system. However, some are configured to log remotely.

Operating Systems ●
This category lets you configure sensors for use with utilities in the Microsoft Windows operating system that monitor system events.
This category includes a Windows Active Response connector. This connector configures an actor that enables Windows active response capabilities on Agents using Windows operating systems. This allows LEM to perform operating system-level responses, such as rebooting computers, shutting down computers, disabling networking, and disabling accounts.
To configure an operating system connector, the operating system software must already be installed on the Agent computer.
If you perform the remote Agent installation, the Windows NT/2000/XP Event Application Logs and System Logs connectors are configured by default.

Proxy Servers and Content Filters ● ●
This category lets you configure sensors for use with different content monitoring connectors. These connectors monitor user network activity for such activities as web surfing, IM/chat, and file downloads, and events related to administering the monitoring systems themselves. Generally, these connectors are configured to log remotely from the monitoring system.

Routers/Switches ● ●
This category lets you configure sensors, and in some cases actors, for use with different routers and switches. These connectors monitor activity from routers and switches such as connected/disconnected devices, misconfigurations or system problems/events, detailed access-list information, and other related messages. Some routers/switches have the capability to configure an actor connector to block an IP address at the device. Generally, these connectors are configured to log remotely from the router/switch.

System Scan Reporters ●
This category lets you configure sensors for use with different asset scanning connectors, such as vulnerability scanners. These connectors provide information about potential vulnerabilities, exposures, and misconfigurations with different devices on the network. Generally, these connectors create events in the 'Asset' categories in the event tree.

System Connectors ●
This category lets you configure the Manager with an external notification system, so LEM can transmit event messages to LEM users via email or pager.

VPN and Remote Access ● ●
This category lets you configure sensors and actors for use with Virtual Private Network (VPN) server products that provide secure remote access to networks. Normally, you will configure these connectors on the Manager.

Web Server ●
This category lets you configure sensors for use with Web server products. To configure a web server connector, the web server software must already be installed on the Agent or Manager computer.
Configure LEM to monitor firewalls, proxy servers, domain controllers, and more
This chapter includes information to help you configure LEM components to monitor and protect specific
systems and devices on your network.

In this chapter:

• Configure LEM to monitor firewalls for unauthorized access 173
• Configure LEM to monitor proxy servers for suspicious URL access in LEM 176
• Configure LEM to monitor anti-virus software for viruses that are not cleaned 178
• Configure LEM File Integrity Monitoring (FIM) to monitor Windows files, folders, and registry keys 180
• Enable Windows file auditing for use with LEM 186
• Configure Windows audit policy for use with LEM 188
• Configure the USB Defender local policy connector in LEM 194
• Configure LEM to monitor Microsoft SQL databases for changes to tables and schemas 195
• Configure LEM to monitor Windows domain controllers for brute force hacking attempts 198
• Configure LEM to track Cisco buildup and teardown events 202


Configure LEM to monitor firewalls for unauthorized access

In this section:

• Configure a firewall to log to a LEM appliance 173
• Configure a firewall connector on a LEM Manager 173
• View network traffic from specific computers 174
• Clone and enable a LEM rule to identify port scanning traffic 175

Configure LEM Manager to monitor your firewalls and detect unauthorized access such as port scans,
unusual data packets, network attacks, and unusual traffic patterns.

To set up a firewall monitor, configure your firewalls to log to LEM, and then configure a new connector in
the LEM Manager. When an unauthorized user attempts to access your LEM VM or appliance, the event
displays in the default Firewall filter running on the LEM console. You can also create custom filters that
display network traffic to and from specific computers, as well as view web traffic and other traffic events
across your network.

To view a tutorial about the threat intelligence feed available in LEM, see:

https://play.vidyard.com/MWe7pTouvKvpes8Z91fjSA

For more information, see "Using the Threat Intelligence Feed in LEM" in the SolarWinds Success
Center:

https://support.solarwinds.com/Success_Center/Log_Event_Manager_(LEM)/Using_the_Threat_
Intelligence_Feed_in_LEM

Configure a firewall to log to a LEM appliance

You can configure your LEM appliance to collect firewall information from firewalls manufactured by
Cisco®, Check Point® Software Technologies, Juniper® Networks, and others. Set your firewall to log to your
LEM appliance to centralize its log data with your LEM events. See the SolarWinds Success Center or
contact Technical Support for more information.

Configure a firewall connector on a LEM Manager

After you configure your firewall to log to your LEM appliance, configure the corresponding connector on
your SolarWinds LEM Manager. Many of the firewall connectors are similar, and some will include unique
settings.

This example describes how to configure a Cisco ASA firewall and IOS connector on your LEM Manager.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
Log in as an administrator.
 2. Click the Manage tab and select Appliances.
 3. Click next to the SolarWinds LEM Manager and select Connectors.
 4. In the Connector Configuration window, enter Cisco ASA in the search box.
 5. Click next to the Cisco ASA and IOS connector, and click New.
 6. Replace the Alias value with a descriptive connector alias.
For example:
ASA Firewall

Include firewall in the Alias field to ensure the default Firewall filter captures your firewall
data.

 7. Verify the Log File value matches the local facility defined in your firewall settings.
 8. Click Save.
 9. Click next to the new connector instance (indicated by an icon in the Status column) and select
Start.
 10. Click Close to close the Connector Configuration window.
The firewall connector is configured in the LEM console.

View network traffic from specific computers

You can create custom filters that highlight specific firewall events. For example, to monitor traffic from a
specific computer, create a filter for all network traffic coming from the targeted computer. Use connector
profiles and other groups to broaden or refine the scope of custom filters.

The following procedure provides an example of creating a filter to monitor all traffic from a targeted
computer.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
Log in as an administrator.
 2. Click the Monitor tab.
 3. In the Filters pane, click and select New Filter.
 4. Enter a Name and Description for the filter.
 5. In the Filter Creation pane, click Event Groups and select Network Audit Alerts.
 6. In the Fields: Network Audit Alerts list, click and drag SourceMachine into the Conditions box.
 7. In the Constant field (highlighted with a pencil icon), enter a wild card character (*) to avoid entering
the fully qualified domain name of the computer.


Use a Connector instead of a Text Constant to filter for all network traffic coming from a group of
similar computers.

 8. Click Save.

Clone and enable a LEM rule to identify port scanning traffic

To identify suspicious firewall traffic indicative of port scanning, clone and enable the PortScans rule. This
rule generates a default TCPPortScan event, which the SolarWinds LEM console displays in the default
Security Events filter. Use this event to monitor suspicious network traffic and prevent unauthorized
access to your firewall.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
Log in as an administrator.
 2. Click the Build tab and select Rules.
 3. In the Refine Rules pane, enter:
PortScans
 4. Click next to the rule and select Clone.
 5. Select the folder to store the cloned rule, and click OK.
 6. In the Rule Creation window, select Enable.
 7. (Optional) Tune the rule to match your environment.
For example, you can:
 l Subscribe to the rule to track activity in the Subscriptions report.
 l Increase the number of events in the Correlation Time box to modify how frequently the rule
fires.
 l Omit vulnerability scanners from the Correlations by changing the TCPTrafficAudit "exists"
condition to
TCPTrafficAudit.SourceMachine = Your Scanners
where Your Scanners is a user-defined group, connector profile, or directory service group
that represents the targeted group of computers.
 l Modify the default action or add additional actions to perform tasks such as send an email
message or block an IP address.
 8. When completed, click Save.
 9. In the main Rules screen, click Activate Rules.

Configure LEM to monitor proxy servers for suspicious URL access in LEM

In this section:

• Set your proxy server to log to a virtual appliance 176
• Configure a proxy server connector on a LEM Manager 176

Monitor proxy servers to track network users who attempt to access suspicious websites using partial or
complete URL addresses. Configure your proxy server to log to LEM and set up the appropriate connector
on your SolarWinds LEM Manager.

Set your proxy server to log to a virtual appliance

Set your proxy server to log to LEM to centralize its log data with your LEM events. You can integrate proxy
servers from popular vendors such as Websense and Barracuda.

Because the integration process is different for each vendor, each proxy server is documented separately
in the SolarWinds Success Center. If a knowledge base article is not available, contact Customer Support.

Configure a proxy server connector on a LEM Manager

After you configure your proxy server to log to your LEM appliance, configure the corresponding connector
on your LEM Manager. Many of the proxy server connectors are similar with some unique settings.

The following procedure describes how to set up a connector for a Websense proxy server. You can find
instructions for additional firewall connectors in the SolarWinds knowledge base.

 1. Open the console and log in to the LEM Manager as an administrator.
 2. Click Manage > Appliances.
 3. Locate your LEM Manager in the grid.
 4. Click and select Connectors.
 5. In the Connector Configuration window, enter Websense Web Filter in the search box.
 6. Click next to the Websense Web Filter and Websense Web Security connector and click New.
 7. Replace the Alias value with a custom alias or accept the default.
 8. Click Save.
 9. Click next to the new connector instance and select Start.
 10. Click Close to close the Connector Configuration window.


Clone and enable the Known Spyware Site traffic rule

You can track when users attempt to access suspicious websites by partial or complete URL addresses by
enabling the Known Spyware Site Traffic rule. By default, this rule generates a HostIncident event, which
you can use in conjunction with the Incidents report to notify auditors that you are auditing critical events
on your network.

Before you enable this rule, ensure your proxy server transmits complete URL addresses to your LEM
Manager by checking the URL field of any WebTrafficAudit event generated by your proxy server. If
your proxy server does not log web traffic events with this level of detail, check the events coming from
your firewalls, as they can sometimes be used for this rule as well.

 1. Open the console and log into the LEM Manager as an administrator.
 2. Click Build > Rules.
 3. Click Default Rules in the Refine Results pane.
 4. Enter Known Spyware Site Traffic in the Refine Results search box.
 5. Click and select Clone.
 6. Select the folder where you want to save the cloned rule, and then click OK.
 7. Select Enable in the Rule Creation window.
 8. Click Save.
 9. On the main Rules screen, click Activate Rules.

Configure LEM to monitor anti-virus software for viruses that are not cleaned

In this section:

• Configure antivirus software to log to a LEM appliance 178
• Configure the antivirus connector on the LEM Manager 178
• Creating a LEM rule to track when viruses are not cleaned 179

You can monitor your antivirus software performance by configuring the software to log to LEM. When
completed, set up the appropriate connector on the LEM Manager, and then use the LEM console to view
events in the default Virus Attack filter.

Configure antivirus software to log to a LEM appliance

Set your antivirus software to log to LEM. This process centralizes the antivirus log data with your existing
LEM events.

You can integrate LEM with antivirus software from manufacturers such as Symantec and McAfee. See the
SolarWinds Knowledge Base or contact SolarWinds Support for more information.

Configure the antivirus connector on the LEM Manager

The following procedure describes how to configure the Symantec Endpoint Protection 11 connector on the
LEM Manager.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
Log in as an administrator.
 2. Click the Manage tab and select Appliances.
 3. Click next to your SolarWinds LEM Manager and select Connectors.
 4. In the Connector Configuration window, enter the following in the search box:
Symantec Endpoint Protection
 5. Click next to the Symantec Endpoint Protection 11 connector and select New.
 6. Replace the Alias value with a custom alias or accept the default.
 7. Ensure that the Log File value matches the Log Facility defined in your antivirus settings.

For Symantec Endpoint Protection (SEP), the Log Facility is equal to the local facility on LEM, plus 16.
For example, the default Log File value, /var/log/local6.log, on SolarWinds LEM corresponds to Log
Facility 22 in your Symantec Endpoint Protection 11 settings.

 8. Click Save.
 9. Click next to the new connector instance and select Start.
 10. Click Close to close the Connector Configuration window.
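To make the facility arithmetic concrete, here is an added example in Python (not part of the guide and not SolarWinds code) that converts between a LEM connector Log File and the numeric SEP Log Facility, and checks from a syslog message's <PRI> prefix whether it would land in the file the connector reads; the SEP host name and message text are constructed.

```python
import re

# In the syslog facility table, local0 is 16, local1 is 17, ... local7 is 23.
# That is the "+16" the guide refers to: /var/log/localN.log <-> facility 16 + N.
LOCAL0_FACILITY = 16

_LOCAL_LOG_RE = re.compile(r"/var/log/local([0-7])\.log")
_PRI_RE = re.compile(r"^<(\d{1,3})>")


def sep_log_facility_for(log_file):
    """Numeric Log Facility to enter in SEP for a connector Log File such as /var/log/local6.log."""
    m = _LOCAL_LOG_RE.fullmatch(log_file)
    if m is None:
        raise ValueError(f"not a LEM local syslog file: {log_file!r}")
    return LOCAL0_FACILITY + int(m.group(1))


def lem_log_file_for(facility):
    """LEM Log File that receives messages sent with the given syslog facility number."""
    if not LOCAL0_FACILITY <= facility <= LOCAL0_FACILITY + 7:
        raise ValueError(f"facility {facility} is not one of local0..local7")
    return f"/var/log/local{facility - LOCAL0_FACILITY}.log"


def decode_pri(line):
    """Return (facility, severity) from the <PRI> prefix; PRI = facility * 8 + severity."""
    m = _PRI_RE.match(line)
    if m is None:
        raise ValueError("syslog line has no <PRI> prefix")
    pri = int(m.group(1))
    return pri // 8, pri % 8


def reaches_connector(line, log_file):
    """True when a message with this PRI lands in the local file the connector reads.
    A facility mismatch is the usual reason a freshly started SEP connector stays silent."""
    facility, _severity = decode_pri(line)
    try:
        return lem_log_file_for(facility) == log_file
    except ValueError:
        return False  # facilities outside local0..local7 never land in a local*.log file


# Constructed sample: a SEP message sent with facility 22 (local6) and severity 6
# (informational), so its PRI is 22 * 8 + 6 = 182.
CONSTRUCTED_SEP_LINE = "<182>Jun 16 11:51:04 sep-mgr SymantecServer: Virus found, quarantined"

if __name__ == "__main__":
    print(sep_log_facility_for("/var/log/local6.log"))  # 22
    print(reaches_connector(CONSTRUCTED_SEP_LINE, "/var/log/local6.log"))  # True
```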

Creating a LEM rule to track when viruses are not cleaned

Clone and enable the Virus Attack – Bad State rule to track virus attacks reported by your anti-virus
software. The Bad Virus State User-Defined Group defines a bad state as any virus that is not fully cleaned
by your anti-virus software. This includes any virus that is not addressed, quarantined, or renamed.

The default action for this rule is to generate a HostIncident event, which you can use in conjunction
with the Incidents report to notify auditors you are auditing the critical events on your network.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
Log in as an administrator.
 2. Click the Build tab and select Rules.
 3. In the search box, enter:
Virus Attack - Bad State
 4. Click next to the rule and select Clone.
 5. Select the folder to store cloned rule and click OK.
 6. Select the Enable check box.
 7. Click Save.
 8. In the main Rules screen, click Activate Rules.

Configure LEM File Integrity Monitoring (FIM) to monitor Windows files, folders, and registry keys

In this section:

• Features of FIM 180
• Add a FIM connector to an Agent to monitor a node 180
• Add conditions to a directory that FIM is watching 182
• FIM connector advanced settings 183

File Integrity Monitoring (FIM) monitors all file types for unauthorized changes. Using FIM, you can detect
changes to critical files to ensure systems have not been compromised.

Please note that FIM does not support the monitoring of network shares. Only local drives are
supported.

FIM can detect unauthorized modifications to configuration files, executables, log and audit files, content
files, database files, web files, and so on. When FIM detects that a monitored file has changed, it logs an
event. The event then prompts LEM to execute the configured action. You can build correlation rules to act
as a second-level filter that sends an alert only when certain patterns of activity occur (not just single instances).
When an alert is triggered, the data is in context with your network and other system log data.

Features of FIM
 l Monitor real-time access and identify users who change file and registry keys
 l Configure file and directory logic and registry keys and values to monitor different types of access
(create, write, delete, change permissions/metadata)
 l Standardize configurations across many systems
 l Configure monitoring templates to monitor the basics and create and customize your own
monitors
 l Configure templates for rules, filters, and reports to assist in including FIM events

Add a FIM connector to an Agent to monitor a node

First add the FIM connector to an Agent, and then customize it. You can assign one instance of a FIM File
and Directory connector, and one instance of a FIM Registry connector to an Agent.


Step 1: Add a FIM connector to a node

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Manage > Nodes.
 3. Select a node to monitor.
 4. Click and select Connectors.
 5. Type FIM in the Refine Results pane.
FIM Registry and FIM File and Directory connectors display in the search results.
 6. Select either the FIM File and Directory connector, or the FIM Registry connector.
 7. Click and select New.
The FIM Connector configuration screen opens.
 8. Do one of the following:
 l Select a template from the Monitor Templates section. Several monitoring templates are
available to assist you in creating custom templates and configurations.
Click and select Add to selected monitors.
The monitor template moves to the Selected Monitor section.
 l Click Add Custom Monitor in the Selected Monitors section.

Step 2: Configure rules and specific actions for your monitored files
 1. In the Selected Monitors section, click next to the monitor you added in Step 1, and then choose
Edit Monitor.
 2. Enter a monitor name and description.
 3. Click Add New to add conditions to the monitor.
The Add Condition configuration screen opens.
 4. Complete the Add Condition form and click Save. See "Add conditions to a directory that FIM is
watching" on the facing page for help completing the form.
 5. Click Save Changes to save the monitor configuration for this FIM connector.
 6. Click Save to save the FIM connector configuration for this Agent.

Editing Monitors
 1. Select a Monitor from the Selected Monitors pane.
 2. Click and select Edit Monitor.

Promoting a Monitor to a Template
 1. Select the Monitor to be promoted.
 2. Click the gear icon and select Promote monitor to template.
 3. Click Yes to promote this monitor to a template. The monitor is now available in the Monitor
Templates pane.

Deleting a Monitor
 1. Select the monitor to be deleted.
 2. Click and select Delete.
 3. Click Remove. The monitor is then removed from the Selected Monitors pane.

Add conditions to a directory that FIM is watching

 1. Click Add New in the Conditions window.
 2. Click Browse to select a File and Directory or a Registry key to watch.
 3. Click OK.
 4. Select whether the files are recursive or non-recursive. Refer to the table below for more
information.

Recursive The folder selected and all its sub-folders which match the given
mask will be monitored for corresponding selected operations.

Non-recursive Only the files in the selected folders will be monitored.

 5. Enter a Mask using the asterisk (*) as a wildcard, for example: *exe or directory*
 6. For a FIM File and Directory, select Create, Read, Write, and Delete for Directory, File, Permissions, and
Other operations. For a FIM Registry, select Create, Read, Write, and Delete for Key and Value
operations.

For information about the "Other" option, refer to the Microsoft MSDN information.

 7. Click Save.

Editing Conditions
 1. Select the condition to be edited in the Conditions window.
 2. Click Edit.
 3. Click Browse to select a File and Directory or a Registry key to watch.
 4. Click OK.


 5. Select whether the files are recursive or non-recursive. Refer to the table below for more
information.

Recursive The folder selected and all its sub-folders which match the given
mask will be monitored for corresponding selected operations.

Non-recursive Only the files in the selected folders will be monitored.

 6. Enter a Mask. For example, *exe or directory*.
 7. For a FIM File/Directory, select Create, Read, Write, and Delete for Directory, File, Permissions, and
Other operations. For a FIM Registry, select Create, Read, Write, and Delete for Key and Value
operations. For more information on Other, refer to the Microsoft MSDN information.
 8. Click Save.

Deleting Conditions
 1. Select the condition to be deleted in the Conditions window.
 2. Click Delete.
 3. Click Remove.

FIM connector advanced settings


 1. Complete the Advanced Connector Settings form according to the device you're configuring. The
following fields/descriptions are common for most connectors:

Log Directory: When you create a new alias for a connector, LEM automatically places a default log
file path in the Log Directory field. This path tells the connector where the operating
system stores the product's event log file.

In most cases, you should be able to use the default log file path that is shown for the
connector. These paths are based on the default vendor settings and the product
documentation for each product. If a different log path is needed,

To manually change the log file location:

 1. Enter or paste the correct path in the Log Directory field.
 2. Stop the Agent.
 3. Manually update the Agent's spop.conf property:
 o com.solarwinds.lem.fim.minifilter.fsLogLocation for a file and directory connector. This appears
as %SystemDrive%\\Mylocation\\FileSystem in the config file.
 o com.solarwinds.lem.fim.minifilter.registryLogLocation for a registry connector. This appears
as C:\\My other log location\\Registry in the config file.
 4. Restart the Agent.

Log Data Type to Save: Select either nDepth, Alert, or Alert, nDepth. To store a copy of the original
log data in addition to normalized data, change the Log Data Type to Save to Alert, nDepth.
Storage for original log data must also be enabled on the appliance.

nDepth Host: If you are using a separate nDepth appliance (other than LEM), type the IP address or
host name for the nDepth appliance. Generally, the default setting is correct. Only
change it if you are advised to do so.

nDepth Port: If you are using a separate nDepth appliance (other than the SolarWinds LEM), type
the port number to which the connector is to send nDepth data. Generally, the
default setting is correct. Only change it if you are advised to do so.

Sleep Time: Type or select the time (in seconds) the connector sensor is to wait between event
monitoring sessions. The default (and minimum) value for all connectors is one (1)
second. If you experience adverse effects due to too many rapid readings of log
entries, increase the Sleep Time for the appropriate connectors.

Windows NT-based connectors automatically notify Windows Event Log sensors of
new events that enter the log file. Should automatic notification stop for any reason,
the Sleep Time dictates the interval the sensor is to use for monitoring new events.

Wrapper Name: This is an identification key that the SolarWinds LEM uses to uniquely identify the
properties that apply to this particular connector. This is read-only information for
SolarWinds reference purposes.

Tool Version: This is the release version for this connector. This is read-only information for
reference purposes.

Enable Connector Upon Save: When this option is selected, the connector starts when you click Save.


 7. After completing the form, click Save.


 8. If you did not select the Enable Connector Upon Save option, navigate to the Connectors list and
click the gear button next to the new connector (denoted by an icon in the Status column), and
then select Start.
 9. After starting the connector, verify that it is working by checking for events on the Monitor tab.

Enable Windows file auditing for use with LEM
In this section:

  • To enable object auditing in Windows 186

• To enable file auditing on a file or folder in Windows 186

Enable file auditing in Windows to monitor events related to users accessing, modifying, and deleting
sensitive files and folders on your network. To maximize the value of this type of auditing, enable auditing
on a file server on which you have installed a LEM Agent, and only for the specific files and folders you
want to monitor. If you enable auditing on all files or folders, or even a large number of them, you will
create an unnecessary burden on LEM.

Complete the two-part process below to first enable object auditing on your server, and then enable file
auditing on the files and folders that you want to audit. Provided Windows is logging the events and your
server has a LEM Agent installed on it, the LEM console will begin displaying the new file auditing alerts
immediately.

To enable object auditing in Windows


 1. Open Administrative Tools > Local Security Policy.
 2. Expand Local Policies and click Audit Policy in the left pane.
 3. Select Audit object access in the right pane, and then click Action > Properties.
 4. Select Success and Failure.
 5. Click OK.
 6. Close the Local Security Policy window.

To enable file auditing on a file or folder in Windows


 1. Locate the file or folder you want to audit in Windows Explorer.
 2. Right-click the file or folder and then click Properties.
 3. Click the Security tab.
 4. Click Advanced.
 5. Click the Auditing tab.
 6. If you are using Windows Server 2008, click Edit.
 7. Click Add.
 8. Enter the name of a user or group you want to audit for the selected file or folder, and click Check
Names to validate your entry. For example, enter Everyone.
 9. Click OK.


 10. Select Success and Failure next to full control to audit everything for the selected file or folder.
 11. Optionally, clear Success and Failure for unwanted events, such as:
 • Read attributes
 • Read extended attributes
 • Write extended attributes
 • Read permissions
 12. Click OK in each window until you are back at the Windows Explorer window.
 13. Repeat these steps for all files or folders you want to audit.

Configure Windows audit policy for use with LEM
The Windows audit policy determines the amount of data that Windows Security logs on domain
controllers and other computers in the domain. This section covers

In this section:

  • Requirements 188

• Windows Audit Policy 188

Verbosity refers to the amount of data that is logged.

See Microsoft's TechNet knowledge base for details on Windows Audit Policy Definitions. These definitions
are effective from both a best-practice and compliance standpoint, and are based on customer experience
and recommendations from Microsoft.

See also:

 • Audit Policies and Best Practices for LEM in the SolarWinds Success Center.

Requirements
Using the Windows Audit Policy with LEM requires:

 • Windows Server 2003 or higher
 • Permissions to change the Windows Audit Policy at the domain controller and domain level
 • SolarWinds LEM installation

Windows Audit Policy


The following events and descriptions are adapted from information available on the Microsoft
TechNet knowledge base. You can query relevant articles on TechNet by searching for audit policy
best practice.

EVENT DESCRIPTION

Audit account logon events: Represents user log on or log off instances on a computer logging those
events. These events are specifically related to domain logon events and are logged in the security
log for the related domain controller.

Audit account management: The change management events on a computer. These events include
all changes made to users, groups, and machines.

Audit logon events: Represents user log on or log off instances from a computer logging those
events. These events are logged in the security log of the local computer onto which the user is
logging, even when the user is actually logging onto the domain using their local computer.

Audit object access: Tracks users accessing objects with their own system access control lists.
These objects include files, folders, and printers.

Audit policy change: Represents instances where local or group policy changed. These changes
include user rights assignments, audit policies, and trust policies.

Audit privilege use: Tracks users accessing objects based on their privilege level. These objects
include files, folders, and printers, or any object with its own system access control list defined.

Audit process tracking: Logs all instances of process, service, and program starts and stops. This
can be useful to track both wanted and unwanted processes, such as AV services and malicious
programs.

Audit system events: Includes start up and shut down events on the computer logging them, along
with events that affect the system's security. These are operating system events and are only
logged locally.

Best practice
Windows audit policy is defined locally for each computer. SolarWinds recommends using group policy to
manage the audit policy at both the domain controller and domain levels.

Set the Windows audit policy


Use the Group Policy Object Editor to set your Windows audit policy settings on desktop systems running
at least Windows 7, and servers running Windows Server 2008 and 2012. The following procedure applies
to setting up sub-category-level auditing.

 1. Expand Computer Configuration > Windows Settings > Security Settings > Local Policies > Security
Options > Audit > Force Audit Policy Subcategory Settings and select enabled.
 2. Change or set the policies in Computer Configuration > Windows Settings > Security Settings >
Advanced Audit Policy Configuration > Audit Policies.

When the Force Audit Policy Subcategory Settings option is enabled, sub-category auditing takes
effect and category-level auditing is disabled.

Default Domain Controllers Policy


Select Success and Failure for all policies except:

 • Audit object access
 • Audit privilege use

Default Domain Policy


The Default Domain Policy applies to all computers on your domain except your domain controllers. For
this policy, select Success and Failure for:

 • Audit account logon events
 • Audit account management
 • Audit logon events
 • Audit policy change
 • Audit system events

You can also select Success and Failure for Audit process tracking to track critical processes (such as
the AV service) or unauthorized programs (such as games or malicious executable files).

Enabling auditing at the audit level will increase the number of events in the system logs. As a result, your
LEM database will quickly expand as it collects these logs.

Similarly, there could be bandwidth implications as well. This is dependent upon your network traffic
volume and bandwidth capacity. Since Agent traffic is transmitted to the Manager as a real time trickle of
data, bandwidth impact is minimal.

SolarWinds recommends the following settings for PCI auditing; they may also apply to other auditing
requirements. For more information, see PCI Compliance and Log and Event Manager.

CATEGORY OR SUB-CATEGORY SETTING


System

Security System Extension No Auditing

System Integrity Success and Failure

IPsec Driver No Auditing

Other System Events No Auditing

Security State Change Success and Failure

Logon/Logoff

Logon Success and Failure

Logoff Success and Failure

Account Lockout Success and Failure

IPsec Main Mode No Auditing

IPsec Quick Mode No Auditing

IPsec Extended Mode No Auditing

Special Logon Success and Failure

Other Logon/Logoff Events Success and Failure

Network Policy Server No Auditing

Object access

File System Success and Failure

Registry Success and Failure

Kernel Object No Auditing

SAM No Auditing

Certification Services No Auditing

Application Generated No Auditing

Handle Manipulation No Auditing

File Share Success and Failure

Filtering Platform Packet Drop No Auditing

Filtering Platform Connection No Auditing

Other Object Access Events No Auditing

Detailed File Share No Auditing

Privilege Use

Sensitive Privilege Use Failure

Non Sensitive Privilege Use No Auditing

Other Privilege Use Events No Auditing

Detailed Tracking

Process Termination No Auditing

DPAPI Activity No Auditing

RPC Events No Auditing

Process Creation No Auditing

Policy Change

Audit Policy Change Success and Failure

Authentication Policy Change Success and Failure

Authorization Policy Change Success and Failure

MPSSVC Rule-Level Policy Change No Auditing

Filtering Platform Policy Change No Auditing

Other Policy Change Events Success and Failure

Account Management

User Account Management Success and Failure

Computer Account Management Success and Failure

Security Group Management Success and Failure

Distribution Group Management Success and Failure

Application Group Management Success and Failure

Other Account Management Events Success and Failure

DS Access

Directory Service Changes No Auditing

Directory Service Replication No Auditing

Detailed Directory Service Replication No Auditing

Directory Service Access Failure

Account Logon

Kerberos Service Ticket Operations Success and Failure

Other Account Logon Events Success and Failure

Kerberos Authentication Service Success and Failure

Credential Validation Success and Failure
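To verify a server's effective settings against the table above, here is an added example (not SolarWinds code) that reads the CSV report written by `auditpol /get /category:* /r` and lists the subcategories that deviate from the recommended settings, separating gaps (events LEM will not receive) from over-auditing (extra load on the LEM database). The sample report, its machine name and its GUID placeholders are constructed, and the subcategory names are assumed to match the table's spelling.

```python
# Added example (not SolarWinds code): compare a server's effective audit policy
# with the recommended settings in the table above. Input is the CSV report
# written by "auditpol /get /category:* /r"; the sample report is constructed.
import csv
import io

# The table above, grouped by recommended setting.
SUCCESS_AND_FAILURE = {
    "System Integrity", "Security State Change", "Logon", "Logoff",
    "Account Lockout", "Special Logon", "Other Logon/Logoff Events",
    "File System", "Registry", "File Share", "Audit Policy Change",
    "Authentication Policy Change", "Authorization Policy Change",
    "Other Policy Change Events", "User Account Management",
    "Computer Account Management", "Security Group Management",
    "Distribution Group Management", "Application Group Management",
    "Other Account Management Events", "Kerberos Service Ticket Operations",
    "Other Account Logon Events", "Kerberos Authentication Service",
    "Credential Validation",
}
FAILURE_ONLY = {"Sensitive Privilege Use", "Directory Service Access"}
NO_AUDITING = {
    "Security System Extension", "IPsec Driver", "Other System Events",
    "IPsec Main Mode", "IPsec Quick Mode", "IPsec Extended Mode",
    "Network Policy Server", "Kernel Object", "SAM", "Certification Services",
    "Application Generated", "Handle Manipulation",
    "Filtering Platform Packet Drop", "Filtering Platform Connection",
    "Other Object Access Events", "Detailed File Share",
    "Non Sensitive Privilege Use", "Other Privilege Use Events",
    "Process Termination", "DPAPI Activity", "RPC Events", "Process Creation",
    "MPSSVC Rule-Level Policy Change", "Filtering Platform Policy Change",
    "Directory Service Changes", "Directory Service Replication",
    "Detailed Directory Service Replication",
}
RECOMMENDED = {name: "Success and Failure" for name in SUCCESS_AND_FAILURE}
RECOMMENDED.update({name: "Failure" for name in FAILURE_ONLY})
RECOMMENDED.update({name: "No Auditing" for name in NO_AUDITING})

# Which event outcomes each auditpol setting string actually audits.
SETTING_PARTS = {
    "Success and Failure": {"Success", "Failure"},
    "Success": {"Success"},
    "Failure": {"Failure"},
    "No Auditing": set(),
}


def parse_auditpol_report(text):
    """Map subcategory name -> inclusion setting from the auditpol /r CSV.
    auditpol writes the file with a BOM, which is stripped here."""
    reader = csv.DictReader(io.StringIO(text.lstrip("\ufeff")))
    return {row["Subcategory"].strip(): row["Inclusion Setting"].strip()
            for row in reader}


def find_deviations(actual):
    """Return sorted (subcategory, actual, recommended, kind) tuples.

    kind is "missing" when a recommended outcome is not audited (a gap in
    the data LEM receives) and "extra" when more is audited than recommended
    (more events in the LEM database). Subcategories that are not in the
    table, or that carry an unknown setting string, are skipped."""
    deviations = []
    for name, setting in actual.items():
        recommended = RECOMMENDED.get(name)
        have = SETTING_PARTS.get(setting)
        if recommended is None or have is None or setting == recommended:
            continue
        want = SETTING_PARTS[recommended]
        kind = "missing" if want - have else "extra"
        deviations.append((name, setting, recommended, kind))
    return sorted(deviations)


# Constructed sample report: header as auditpol writes it, GUIDs replaced
# by placeholders, and "Group Membership" as a subcategory not in the table.
SAMPLE_REPORT = "\ufeff" + "\n".join([
    "Machine Name,Policy Target,Subcategory,Subcategory GUID,"
    "Inclusion Setting,Exclusion Setting",
    "DC01,System,Logon,{GUID-1},Success and Failure,",
    "DC01,System,Process Creation,{GUID-2},Success,",
    "DC01,System,Sensitive Privilege Use,{GUID-3},Success and Failure,",
    "DC01,System,Credential Validation,{GUID-4},No Auditing,",
    "DC01,System,Group Membership,{GUID-5},Success,",
])


if __name__ == "__main__":
    report = parse_auditpol_report(SAMPLE_REPORT)
    for name, actual, recommended, kind in find_deviations(report):
        print(f"{kind:8} {name}: is '{actual}', recommended '{recommended}'")
```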

Configure the USB Defender local policy connector in LEM
The USB Defender Local Policy connector enables a LEM Agent to enforce restrictions on USB devices, even
when the Agent is not connected to the LEM Manager. Instead of using rules when disconnected, the
connector uses a list of permitted users or devices. The Agent compares the fields in all USB device-
attached events to a locally stored white list of users or devices. If none of the fields match an entry on the
list, the Agent detaches the device.

See also:

 • "Configure the Detach USB Device active response in LEM" on page 325

When the Agent is connected to the Manager through the network, the Manager rule also applies. Any
devices listed in the local white list must be in the User Defined Group for authorized devices. Otherwise,
the rule takes effect and the device detaches even though it was allowed by the white list in the USB
Defender local policy. When the Agent is connected, the USB Defender Local Policy and the LEM rule are
active.

 1. Create a text file with one entry per line.


This file serves as the local policy. Each entry can be a user name or a USB device ID, from the
Extraneous Info field of an attached alert.
 2. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 3. Click Manage > Nodes.
 4. Click next to the target node and select Connectors.
 5. Enter USB defender in the Refine Results window.
 6. In the Connectors grid, locate the USB Defender Local Policy connector.
 7. Click next to the connector and select New.
 8. Click … in the UDLP pane and locate the text file you created above.
 9. Upload your list to the connector, and then click Save.
 10. When the new connector appears in the Connectors list, click and select Start.

The authorized devices in the local white list must also be in the UDG for the Manager's Detach
Unauthorized USB rule; otherwise the rule on the Manager enforces detachment when the laptop is
connected to the network. Conversely, if you are using a blacklist and the device is in the USB Local
Policy but not in the User Defined Group of the rule, the device still detaches.

Having a device or user in one white list or black list and not in the other is not recommended and
yields inconsistent results.
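To make the interplay described above concrete, here is an added example (not SolarWinds code) that evaluates a USB attach event first against the local policy file and then, only while the Agent is connected, against the Manager rule's User Defined Group, and that lists entries present in one list but not the other. The event field names, case-insensitive matching and the sample user names and device IDs are assumptions.

```python
# Added example (not SolarWinds code): how the USB Defender local policy and
# the Manager's Detach Unauthorized USB rule combine for one attach event.
# Field names, matching details and all sample values are assumptions.


def load_local_policy(text):
    """Parse the local policy file: one user name or USB device ID per line.
    Blank lines are ignored; comparison is case-insensitive (an assumption)."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def evaluate_attach(event, local_policy, manager_udg, agent_connected):
    """Return (action, reason) for one USB device-attached event.

    event: the event fields the Agent compares, e.g. user name and device ID.
    local_policy: the set returned by load_local_policy().
    manager_udg: the authorized-devices User Defined Group used by the
                 Manager rule; only consulted while the Agent is connected.
    """
    fields = {str(value).lower() for value in event.values()}
    if not fields & local_policy:
        # The local policy is enforced whether or not the Agent is connected.
        return "detach", "no event field matches the local policy"
    if agent_connected and not fields & {e.lower() for e in manager_udg}:
        # Allowed locally, but the Manager rule still fires when connected.
        return "detach", "Manager rule: not in the authorized-devices UDG"
    return "allow", "permitted by local policy" + (
        " and by the Manager UDG" if agent_connected else " (Agent offline)")


def find_inconsistencies(local_policy, manager_udg):
    """Entries present in one list but not the other; the guide warns that
    such entries give different results depending on connectivity."""
    udg = {entry.lower() for entry in manager_udg}
    return {"local_only": sorted(local_policy - udg),
            "udg_only": sorted(udg - local_policy)}


# Constructed sample data: a local policy file and the Manager's UDG.
LOCAL_POLICY_FILE = "jdoe\nUSB\\VID_1234&PID_5678\\SERIAL001\n"
MANAGER_UDG = ["USB\\VID_1234&PID_5678\\SERIAL001", "backup-svc"]


if __name__ == "__main__":
    policy = load_local_policy(LOCAL_POLICY_FILE)
    event = {"user": "jdoe", "device_id": "USB\\VID_9999&PID_0001\\SERIAL999"}
    print(evaluate_attach(event, policy, MANAGER_UDG, agent_connected=False))
    print(evaluate_attach(event, policy, MANAGER_UDG, agent_connected=True))
    print(find_inconsistencies(policy, MANAGER_UDG))
```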


Configure LEM to monitor Microsoft SQL databases for changes to tables and schemas
In this section:

  • Configure your database servers 195

• Install MSSQL Auditor on a LEM Agent 195

• Configure MSSQL Auditor on your servers 196

• Configure the MSSQL Auditor Connector on a LEM Agent 196

• Send notifications of Microsoft SQL database change attempts 197

You can track successful or failed attempts to access your database tables and schemas by installing
MSSQL Auditor for Windows on a LEM Agent running SQL Server 2008 or later with Profiler. This
configuration allows you to monitor your local or remote SQL Server databases.

MSSQL Auditor runs as a service in conjunction with the LEM Agent service.

Configure your database servers


Download MSSQL Auditor for Windows from the Customer Portal and install the software on your server.
When configured and enabled, the software provides your SolarWinds LEM Agent access to details about
any database configuration changes to your database server.

To enable the SolarWinds LEM Agent access to details about your database configuration changes, install
the following software on your database server:

 • Microsoft SQL Server 2008 or later
 • Microsoft .NET 3.5 and 4.0 Framework
 • SolarWinds LEM Agent for Windows

When completed, install the MSSQL Auditor for Windows on your server.

Install MSSQL Auditor on a LEM Agent


 1. Download the MSSQL Auditor for Windows from the SolarWinds Customer Portal.
 2. Double-click the EXE file to begin the installation.
 3. Click Next to start the wizard.
 4. Accept the End User License Agreement if you agree, and click Next.

 5. Click Change to specify an installation folder, or accept the default and click Next.
 6. Click Install.
 7. When the installation is finished, select Launch SolarWinds MSSQL Auditor, and click Finish.

Configure MSSQL Auditor on your servers


If you did not select Launch SolarWinds MSSQL Auditor after installing the application, you can launch the
application from the SolarWinds Log and Event Manager program group in your Start menu.

 1. Enter the name of the SQL server to monitor in the SQL Server\Instance field, and click Add Server.
To specify an instance other than the default, enter your server name in the following format:
Server\Instance
 2. Repeat step 1 for any additional servers you need to monitor.
 3. To use an account other than the Local System Account to run MSSQL Auditor on your database
server, select This Account in the Run Service As and provide the appropriate credentials.
SolarWinds recommends using an account in the sysadmin role on your database. The account only
requires Execute permissions for any stored procedures with the xp_trace prefix.
 4. In the Manage Auditor Service section, click Start Auditor Service.
 5. Click OK.

Configure the MSSQL Auditor Connector on a LEM Agent


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
Log in as an administrator.
 2. Click the Manage tab and select Nodes.
 3. Locate the LEM Agent for your database server and verify it is connected to your LEM Manager.
 4. Click next to the SolarWinds LEM Agent and select Connectors.
 5. In the Refine Results search box, enter:
MSSQL
 6. Click next to the SolarWinds Log and Event Manager MSSQL Auditor connector and select New.
 7. Create a new alias name for the connector or accept the default.
 8. Verify that the Log File field value matches the folder name that stores the logs on your database
server, and then click Save.
 9. Click next to the new connector instance, and click Start.
 10. Repeat step 1 through step 9 for the MSSQL 2000 Application Log connector.
 11. Click Close to close the Connector Configuration window.


Send notifications of Microsoft SQL database change attempts


Clone and enable the MSSQL Database Change Attempt rule to track user attempts to change properties
on a monitored Microsoft SQL Server database. The default rule action generates a HostIncident event
you can use in conjunction with the Incidents report to notify auditors that you are auditing the critical
events in your network.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
Log in as an administrator.
 2. Click the Build tab, and select Rules.
 3. In the Refine Results search box, enter:
MSSQL Database Change Attempt
 4. Click next to the rule, and select Clone.
 5. Select the folder where the cloned rule will be stored, and click OK.
 6. Select the Enable check box.
 7. Click Save.
 8. In the main Rules screen, click Activate Rules.

Configure LEM to monitor Windows domain controllers for
brute force hacking attempts
In this section:

  • Install and configure the LEM Agent 198

• Clone and enable the Critical Logon Failures rule 201

• Tune Windows Logging for LEM implementation 201

Monitor your Windows domain controllers using the SolarWinds LEM Agent. After you install and configure
the Agent, the software tracks "brute force" and other types of hacking attempts against your domain
controllers and reports all events to the LEM Manager.

These events include:

 • Unauthorized access to your administrative accounts
 • Failed logon attempts
 • Account lockouts
 • User and group modification
 • Change management events

Install the SolarWinds LEM Agent on all domain controllers to ensure the LEM Manager captures all of your
domain events (even if they are not replicated across all domain controllers).

You can view the events in the LEM console using the change management filter and create custom filters
to report all activity on your domain controllers.

Install and configure the LEM Agent


When you install the LEM Agent, you have the option to install USB Defender. This application works
together with the LEM Agent to provide real-time notification when a USB drive is installed in your domain
controller server. By default, USB Defender generates events related to USB mass storage devices attached
to your LEM Agents.

For additional security, Microsoft implemented a method in their operating system to log security events.
As a result, SolarWinds LEM Agents on systems running Windows Server 2008, Windows Vista, or Windows
7 require different connectors than the Agents running on systems with the legacy Windows operating
systems.

If you are running both current and legacy Windows operating systems in your environment, create a
connector profile for each operating system.


For LEM Agent software and hardware requirements, see the "LEM 6.3.1 system requirements" in the LEM
Installation Guide.

Install a LEM Agent on a single Windows domain controller


 1. Download the SolarWinds LEM Agent installer for Windows from the SolarWinds Customer Portal.
 2. Extract the ZIP file contents to a local or network directory.
 3. Run Setup.exe.
 4. Click Next to start the installation wizard.
 5. Accept the End User License Agreement if you agree, and click Next.
 6. Enter the host name of your LEM Manager in the Manager Name field, and click Next.

Do not change the default port values.

 7. Confirm the Manager Communication settings and click Next.


 8. (Optional) Select the Install USB Defender check box to install USB Defender with the LEM Agent.
 9. Confirm the settings on the pre-Installation summary, and click Install.
 10. When the installation is completed, click Next to start the LEM Agent service.
 11. Inspect the Agent log for any errors, and click Next.
 12. Click Done to exit the installer.

The LEM Agent is installed on your system and begins sending events to your LEM Manager and LEM
console.

The LEM Agent continues running on your system until you uninstall the software or manually stop
the LEM Agent service.

Configure additional connectors on your LEM Agent


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Manage, and then click Nodes.
 3. Locate the LEM Agent in the list.

Use the Refine Results pane, if needed.

 4. Click next to the LEM Agent and select Connectors.


 5. Locate and select the connector you want to configure.

Use the Refine Results pane if needed.

 6. Click next to the connector, and select New.


 7. Modify the connector (if required), and click Save.

 8. Click next to the new connector instance (indicated by an icon in the Status column), and select
Start.
 9. Click Close to close the Connector Configuration window.
 10. Configure the following connectors that apply to your installation on your Windows domain
controllers:
 • Windows Directory Service Log
 • Windows DNS Server Log
 • Windows DHCP Server version

MAINTAIN AND MONITOR MULTIPLE DOMAIN CONTROLLER AGENTS

Connector Profiles help you maintain and monitor multiple domain controllers in your LEM console. You
can use these profiles to configure and modify connector settings at the profile level, as well as provide a
group you can use to filter incoming event traffic from your LEM Agents to your LEM console.

CREATE A CONNECTOR PROFILE BASED ON A SINGLE SOLARWINDS LEM AGENT

Follow this procedure to create a connector profile based on a single LEM Agent and a corresponding filter
to monitor activity on all systems in the profile.

 1. Install the LEM Agent software on all systems you want to include in your new connector profile.
 2. Configure a single LEM Agent to serve as the template for your connector profile.
 3. In the LEM console, select the Build tab, and click Groups.
 4. Click and select Connector Profile.
 5. Enter a profile name and description.
 6. Select the new LEM Agent from the Template list, and click Save.
 7. Locate your new connector profile in the Groups list.

Use the Refine Results pane if needed.

 8. Click next to your connector profile and select Edit.


 9. In the Available Agents pane, locate the SolarWinds LEM Agents you want to add to your connector
profile.
 10. Click the arrow next to each LEM Agent you want to add to the Contained Agents pane.
 11. When completed, click Save.

Create a filter for all activity in a Connector Profile


 1. Open the LEM console and log on to the LEM Manager as an administrator or auditor.
 2. Click Monitor.
 3. Click on the Filters pane and select New Filter.
 4. Enter a Name and Description for the filter.


 5. Click Event Groups in the Filter Creation list.


 6. Click Any Alert.
 7. In the Fields: Any Alert list, click and drag DetectionIP into the Conditions box.
 8. Click Connector Profiles in the Filter Creation list.
 9. Click and drag your connector profile into the Conditions box, replacing the Text Constant field
denoted by a pencil icon.
 10. Click Save.

Clone and enable the Critical Logon Failures rule


Clone and enable the Critical Account Logon Failures rule to track failed logon attempts to the default
Windows Administrator account. The default action for this rule is to generate a HostIncident event,
which you can use in conjunction with the Incidents report to notify auditors you are auditing the critical
events on your network.

 1. Open the LEM console and log on to the LEM Manager as an administrator.
 2. Click the Build tab and select Rules.
 3. Enter Critical Account Logon Failures in the Refine Results pane search box.
 4. Click next to the rule and select Clone.
 5. Select the folder where you want to save the cloned rule, and click OK.
 6. Select Enable in the Rule Creation window, and click Save.
 7. On the main Rules screen, click Activate Rules.
The rule is enabled.

Tune Windows Logging for LEM implementation


After you install and configure your LEM Agents, optimize your LEM deployment by tuning your Windows
operating system to log the specific events you want to see in your LEM console and store in your LEM
database. Set your group and local policies according to your environment requirements. See "Configure
Windows audit policy for use with LEM" on page 188 for more information.

Configure LEM to track Cisco buildup and teardown events
In this section:

  • Tracking Buildup Events 202

• Tracking tear-down Events 202

• Enabling LEM to track buildup and teardown events 203

You can enable LEM to track buildup and tear-down events that occur on your network.

To monitor accepted traffic, use the log target in your accepted ACLs instead of the buildup logging. This
lets you control the accepted traffic that will generate an alert. To monitor the information about the actual
NAT, consider the event load this will create. Plan a test phase where you turn it on and determine if it is
valuable to you for further investigation.

If you need to monitor unmodified log data (versus the normalized data), consider the nDepth original log
message store. Remember that this process requires additional disk space.

Also, consider whether you need both buildups and tear-downs, or just buildup messages. The tear-down
NAT messages include the same information as the built messages, along with some duration and size
information that may or may not be useful. Colleges and universities that use the built messages do not
rely on the tear-down messages. They only need to know a connection was established for verification,
analysis, and correlation.

Be sure to check your syslog data to determine which buildup or teardown events are of use, and enable
only those.

Tracking Buildup Events


LEM is preconfigured to capture Cisco events 302003, 302009, and 603108.

You can configure LEM to capture Cisco firewall buildup events as well. The primary buildup event to use
for TCP tracking is 302013. Other buildup events include 302015, 302017, 302020, 302303, 305009, 305011,
and 609011. Check the description of these events in the Cisco System Log Messages Guide located on the
Cisco website to ensure you need to capture these events.

Tracking tear-down Events


Out of the box, LEM captures Cisco event 603019.


You can also enable LEM to capture Cisco firewall tear-down NAT events. The teardown sibling to buildup
event 302013 is 302014. Other events include 302016, 302018, 302021, 302304, 305010, 305012, 617100, and
609002. See the descriptions of these events in the Cisco System Log Messages Guide to make sure
they are ones you want to capture.

Enabling LEM to track buildup and teardown events


 1. Ensure that your firewalls are sending log events to LEM, and that the appropriate LEM connector is
monitoring your firewall data.
 2. Access the firewalls that contain the buildup and tear-down messages you need to monitor and
adjust the severity level of those events from 6 (the default) to 0.
For more information, see the Changing the Severity Level of a Syslog Message section in the
Monitoring the Security Appliance page on the Cisco site.

LEM groups: Organize data elements for use with
rules and filters
In LEM, a group is an object that organizes elements for use with rules and filters. This chapter describes
the seven types of groups in LEM, and provides information about managing groups.

In this chapter:

  • About LEM groups 205

• Manage LEM groups: Add, edit, view, and more 209

• Configure user-defined groups in LEM 215

• Configure event groups in LEM 220

• Configure directory service (DS) groups in LEM 222

• Configure the connector-profile group type in LEM 225

• Configure state variables in LEM 226

• Configure Time of Day Sets in LEM 229


About LEM groups


In this section:

  • About LEM Group Types 205

• How groups are added to filters and rules in the LEM console 207

Groups in LEM are objects that organize related elements for use with rules and filters. Groups can contain
elements such as events, IP addresses, computer names, user accounts, and so on. After a group is
defined, it can be referenced from multiple rules and filters.

Do not confuse groups and roles:

 • Groups organize related elements into logical units so that they can be used in rules and
filters.
 • Roles restrict the actions that users can perform in LEM. See "About LEM roles" on page 100
for information about LEM role types.

About LEM Group Types


There are seven group types in LEM:

 • User Defined Groups
 • Event Groups
 • Directory Service Groups
 • Time of Day Sets
 • Connector Profiles
 • Email Templates
 • State Variables

Each group type is briefly described below.

User-defined groups
User-defined groups contain data specific to your environment, such as user and computer names, the
names of sensitive files, trusted IP addresses, and so on. User-defined groups are typically used in rules
and filters to whitelist or blacklist events that LEM should include or ignore when evaluating rules and
filters. LEM ships with more than two dozen user-defined groups that need to be populated with values for
your environment. See "Configure user-defined groups in LEM" on page 215 for more information. You
can also create rules that auto-populate user-defined groups with values. See "Auto-populate user-
defined groups using a LEM rule" on page 321 for details.

Event groups
Event groups gather similar events into a single category for use with rules and filters. For example, create
an event group for events that should all trigger the same response from LEM. If an event in the group
occurs, LEM will fire the rule for that group. LEM ships with more than a dozen predefined event groups,
such as: virus/scanner events, process start/stop events, change management events, and so on.

Directory Service groups


Directory Service groups (DS groups) are groups of users or computers that LEM imports from Microsoft
Active Directory. DS groups are synchronized with Active Directory every five minutes. Use DS Groups in
rules and filters to match specific users or computers. For example, use a DS group in a filter to limit the
scope of events to only users or computers in that group.

Time-of-day sets
Time-of-day sets are defined time periods that you can use in rules and filters. Use time-of-day sets to
perform specific actions at different hours of the day. For example, if you define a time-of-day set for
"Working Hours" and another for "Outside Working Hours," you can assign different rules to each set. LEM
ships with the following predefined time-of-day sets: business hours, early shift, graveyard shift, late shift,
normal shift, and reboot cycle.

Connector profiles
Connector profiles are groups of Agents with common connector configurations. Most Agents in a network
only have a few different network security connector configurations. Using connector profiles, you can
group Agents by their common connector configurations, and enable your rules and filters to include or
exclude the Agents associated with a particular profile.

Email template
Email templates are pre-formatted email messages that your rules use to notify you when an event occurs.


State variables
State variables are used in rules to represent temporary or transitional states. For example, you can create
a state variable to track the state of a particular system, setting it to a different value depending on
whether the system comes online or goes offline.

How groups are added to filters and rules in the LEM console
This section demonstrates how groups are used in filters and rules.

The following image shows the "Filter Creation" screen in the LEM console. On the left side, groups are
organized by group-type. On the right side, the filter definition pane shows that the "Service Audit Alerts"
event group is included as a condition of the filter.

The next image shows the "Rule Creation" screen in the LEM console. Again, groups are organized by
group-type on the left side. On the right side, the rule definition pane shows two different groups in the
Correlations section: the "Network Audit Alerts" event group, and the "Approved DNS Servers" user-
defined group. Four child fields are specified in the "Network Audit Alerts" event group: SourcePort,
DestinationPort, SourceMachine, and DestinationMachine.


Manage LEM groups: Add, edit, view, and more


In this topic:

  • Open the Groups View in the LEM console 209

• Find a group with the Refine Results pane 210

• Add a new group 212

• Edit a group 212

• Clone a group 212

• Export a group 213

• Import a group 213

• Delete a group 214

Default groups that have not been saved under a new name will revert to their original settings the
next time you upgrade LEM. SolarWinds recommends that you clone any group that is included with
LEM before you make changes to the group. This practice will prevent groups with custom values
from being overwritten. See "Clone a group" on page 212 for more information.

Open the Groups View in the LEM console


To open the Groups view in the LEM console, choose Build > Groups. Use the Groups view to create, name,
configure, and organize your groups.

The following screen capture shows the Groups view in the LEM console.

Refer to the table for descriptions of the columns in the Groups grid.

FIELD DESCRIPTION
Gear icon Opens a menu of commands you can perform on the selected grid item.

Type The group type.

Name The group name.

Description The group description. Pointing to this field displays the complete description as a
tooltip.

Created By The console user who created the group.

Created Date The group creation date.

Modified By The console user who last modified the group.

Modified Date The date when the group was last modified.

Manager The name of the LEM Manager that hosts the group.

The Groups grid lists every group associated with a LEM Manager instance. If you manage multiple LEM
Managers from a single console, and each LEM Manager has a copy of a group, the group will appear
multiple times in the grid.

To sort groups by LEM Manager or by group type, click the corresponding column headings.

Find a group with the Refine Results pane


Use the Refine Results pane to filter the groups grid and reduce the number of groups displayed. The
Refine Results pane displays items that match the filter criteria, and hides everything else. For example, to
only view Time of Day Set items, type Time of Day Set in the search field. To restore hidden items,
either click Reset, or select All in the refinement lists.


The following screen capture shows the Refine Results pane.

Refer to the table for descriptions of the controls in the Refine Results pane.

FIELD DESCRIPTION
Reset Returns the form and the Groups grid to their default settings.

Search Enter your search text in the text box. The grid displays only those groups that
match or include your entered text. For example, type Email Template to only
view Email Template items.

Type Select the group type that displays in the grid.

Manager Select a Manager to display groups associated with the Manager.

Created By Select the console user who created the group and display groups from this
user.

Created Date Range Enter or select a date range to display groups created within your date range.

Modified By Select the console user who last modified the group and display groups
modified by that user.

Modified Date Range Type or select a date range to display groups modified on or within your
selected date range.

Add a new group
When you create a group, it is only added to the LEM Manager that is selected when you create the group.
To copy a group for use with another LEM Manager, export the group and then import it into the other
Manager's Groups grid. See "Export a group" on the next page for steps.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Build > Groups.
 3. Click the add button (+) in the top-right corner of the Groups grid and select the group type you want to create.
The Group Details pane opens to display an editable form for your selected group type.
 4. Complete the form and click Save.
Choose from the following topics for help completing the form:
 l "Create or edit a user-defined group" on page 216
 l "Create or edit an event group" on page 220
 l "Create a directory service group and synchronize it with Active Directory" on page 223
 l "Create or edit a Time of Day Set" on page 229

Edit a group
 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Build > Groups.
 3. Click the gear icon next to the group that you want to edit, and choose Edit.
The Group Details pane opens to display an editable form for your selected group type.
 4. Edit the form and click Save.

Clone a group
When you clone a group, you copy an existing group and label it with a new name. Cloning allows you to
create group variations for use with your rules and filters.

Cloned groups are created on the same LEM Manager instance as the original group. To
duplicate a group for use with another LEM Manager, export the group and import it from the
Groups grid. See "Export a group" on the next page for steps.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Build > Groups.


 3. Click the gear icon next to the group that you want to clone, and choose Clone.
The cloned group appears in the Groups grid below the original group.

A cloned group uses the same group name as the original group, followed by an integer. For
example, a clone of the Disk Warning group would be called Disk Warning 2. A second clone
would be called Disk Warning 3, and so on.

 4. Rename and edit the group's settings as needed.

Export a group
Export a group to save a copy of the group outside of LEM. You can also export a group from one LEM
Manager and import it into another Manager. You can only export one group at a time.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Build > Groups.
 3. Click the gear icon next to the group that you want to export, and choose Export.
The Save As dialog box opens.
 4. Choose the location that you want to save the group file to, and click Save.
The exported group file is saved with a .swgrp file extension.
You can now import the group for use with another Manager.

Import a group
You can import groups from a remote source into the Groups grid. You can import a group that you
exported from another LEM Manager instance, or you can import a group provided by SolarWinds. You can
only import one group at a time.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Build > Groups.
 3. Click the add button (+) in the top-right corner of the Groups grid, and then choose Import.
The Open dialog box opens.
 4. Navigate to the group file that you want to import and select it.
Group files have a .swgrp file extension.
 5. Click Open.
The group is added to the Groups grid.
 6. In the Group Details pane, assign the group to a LEM Manager instance.
Complete the remaining selections.

 7. Click Save to send the imported group to the LEM Manager.
 8. If you are working with email templates or state variables, drag the new group from the Groups
grid into the folder (in the Folders pane) that stores the group.

Delete a group
 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Build > Groups.
 3. Click the gear icon next to the group that you want to delete, and choose Delete.
 4. When prompted, click Yes to confirm the delete.
The group is removed from the Groups grid.


Configure user-defined groups in LEM


User-defined groups contain values relevant to your IT environment, such as user and computer names,
sensitive file locations, trusted IP addresses, and so on. Like other groups, they contain information that
you can use in rules and filters. This topic provides steps to add and edit values in user-defined groups.
You can also create rules that auto-populate user-defined groups with values. See "Auto-populate user-
defined groups using a LEM rule" on page 321 for details.

In this topic:

  • How rules and filters use user-defined groups 215

• Create or edit a user-defined group 216

• Customize the blank and sample user-defined groups included with LEM 217

• Customize user-defined groups 218

If Active Directory is available, use directory service groups to add user and computer accounts to
rules and filters. A user-defined group cannot be synchronized with Active Directory, but a directory
service group can synchronize with Active Directory every five minutes. See "Configure directory
service (DS) groups in LEM" on page 222 for details.

How rules and filters use user-defined groups


Following are a few rules that depend on user-defined groups:

 • A rule that stops LEM from blocking accounts in a user-defined group of trusted administrator
accounts.
 • A second rule that sends out an alert when an account in the same user-defined group of trusted
admin accounts logs in or makes changes.
 • A rule that checks a user-defined group containing trusted IP addresses to see if it should block a
certain IP address.

Rules and filters typically make use of user-defined groups in slightly different ways:

 • In a rule, user-defined groups are typically used as a white list or black list that tells LEM which
events it should include or ignore.
 • In a filter, user-defined groups limit the scope of the filter to items that belong to the group.

Rules that use user-defined groups include:

 • Authentication - Unknown User
 • Critical Account Logon Failures
 • Detach Unauthorized USB Devices
 • File Audit - Delete Sensitive Files
 • Non-Admin Server Logon
 • Vendor - Unauthorized Server Logon

Filters that use user-defined groups include:

 • Admin Account Authentication
 • Domain Controllers (all)

Create or edit a user-defined group


See "Add a new group" on page 212 or "Edit a group" on page 212 to get started adding or editing a
group. You can create as many user-defined groups as you need to support your rules and filters. Well-
planned groups provide flexibility.

You can only add a group to one LEM Manager at a time. To copy a group for use with another LEM
Manager, export the group and then import it into the other Manager's Groups grid. See "Export a
group" on page 213 for steps.

The following image shows the user-defined group form. The form lists the elements that are configured
for the group.

The following table describes how to configure the form fields for user-defined groups.

FIELD DESCRIPTION
Name Enter a name for the group.

Description Briefly describe the purpose of the group.

LEM Manager Click the Manager drop-down list and select the Manager that will host the group.
If you are editing an existing group, this field displays the hosting Manager.

Element Details Click the add button (+) at the bottom of the form to add an element to the group.
When you finish entering values, click Save at the bottom of the Element Details form. Click
the remove button (-) to remove an element from the group. Each element has three fields:

Name – The name of the data element.

Data – The specific element that you want to include or ignore in your rules and filters. You
can use an asterisk ( * ) as a wildcard to match all similar data elements.

Description – A description of the element and its intended use.

Save Click Save in the bottom-right corner to make your group changes permanent.

Customize the blank and sample user-defined groups included with LEM
SolarWinds recommends customizing the following blank and sample user-defined groups for your
environment:

 • Admin accounts
 • Admin groups
 • Approved DNS servers
 • Authorized USB devices
 • Authorized VPN users
 • Sensitive files
 • Service accounts
 • Suspicious external machines
 • Suspicious local machines
 • Trusted IPs
 • Trusted server sites
 • Vendor and contractor accounts
 • Vendor-authorized servers

The Admin Accounts group is used in several template rules as a placeholder for a custom list of
administrative users. This group represents the default administrative accounts in Windows and
Unix/Linux environments. SolarWinds recommends that you clone this group before you customize
it so that you can use it in both capacities. See "Clone a group" on page 212 for more information.

Customize user-defined groups


SolarWinds recommends cloning any group that contains a default or suggested value before you alter it.
This practice ensures that you have a backup of the default group should you need it later. See "Clone a
group" on page 212 for more information.

Complete the following procedure to customize any or all of the user-defined groups listed above.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Build > Groups.
 3. Locate the group you want to edit.
Use the search box or Type menu on the Refine Results pane if necessary.
 4. Click the gear icon next to the group, and then select Edit.

If you want to clone the group, select Clone instead, and then repeat this step for the cloned
group.

 5. Add an element to the group:


 a. Click Add Element, denoted by a + icon at the bottom of the details pane.
 b. Enter a nickname for the element in the Name field. This value is for reference only.
 c. Enter a value to define the element in the Data field (required). Consider using wildcard
characters, such as asterisks ( * ), to abbreviate these entries as illustrated in the example at
the end of this procedure.
 d. (Optional) Enter a description in the Description field.
 e. Click Save.
 6. To modify an element, click the element in the details grid, and then modify it in the Element Details
form just as you would when adding a new element.
To remove an element, click the element in the details grid, and then click Remove Element, denoted
by a - icon at the bottom of the details pane.
 7. If you are finished editing the group, click Save.

Use the pre-populated User-Defined Groups as examples of what your custom groups might look like. The
Data field is used for the correlation, while the Name field is for reference and the Description is optional.


The following is an excerpt from the default Admin Groups User-Defined Group:

Group Name: Admin Groups

NAME DATA
Administrators *Administrators*

Backup Operators *backup oper*

DNS Admins DNSAdmin*
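The following is an added example, not SolarWinds code, that shows how elements like the ones in the Admin Groups excerpt above behave when a rule evaluates them: only the asterisk is a wildcard, everything else must match literally, and a value without a leading asterisk must match from the start. The three rule functions mirror the white-list and black-list uses described above (a "Non-Admin Server Logon" style check, a "Critical Account Logon Failures" style check, and a check for changes to privileged groups). The Admin Groups Data values are the ones on this page; the Admin Accounts and server groups, the event records and the assumption that LEM compares values case-insensitively are the author's, not documented LEM behaviour.

```python
"""Evaluate LEM-style user-defined group elements against events.

Added example, not SolarWinds code. The Admin Groups Data values are the
ones shown in the excerpt above; the other groups, the event records and
the rule logic are constructed, and the assumption that LEM compares
values case-insensitively is the author's, not documented behaviour."""
import re
from typing import Dict, List

# Name -> Data, as in the Admin Groups excerpt above.
ADMIN_GROUPS: Dict[str, str] = {
    "Administrators": "*Administrators*",
    "Backup Operators": "*backup oper*",
    "DNS Admins": "DNSAdmin*",
}
# Constructed groups standing in for Admin Accounts and a server list.
ADMIN_ACCOUNTS = {"DA service accounts": "CORP\\svc-da-*", "Break-glass": "CORP\\Administrator"}
SERVERS = {"Domain controllers": "dc*.corp.example"}

# Constructed events; field names loosely follow the LEM fields mentioned above.
EVENTS: List[dict] = [
    {"id": 1, "type": "UserLogon", "user": "CORP\\alice", "dest": "fs01.corp.example"},
    {"id": 2, "type": "UserLogon", "user": "CORP\\svc-da-backup", "dest": "dc01.corp.example"},
    {"id": 3, "type": "UserLogon", "user": "CORP\\bob", "dest": "dc01.corp.example"},
    {"id": 4, "type": "UserLogonFailure", "user": "CORP\\svc-da-backup", "dest": "dc02.corp.example"},
    {"id": 5, "type": "UserLogonFailure", "user": "CORP\\bob", "dest": "dc02.corp.example"},
    {"id": 6, "type": "GroupMemberAdd", "user": "CORP\\bob", "group": "BUILTIN\\Administrators", "dest": "dc01.corp.example"},
    {"id": 7, "type": "GroupMemberAdd", "user": "CORP\\bob", "group": "CORP\\Sales Team", "dest": "dc01.corp.example"},
    {"id": 8, "type": "GroupMemberAdd", "user": "CORP\\alice", "group": "DnsAdmins", "dest": "dc01.corp.example"},
    {"id": 9, "type": "GroupMemberAdd", "user": "CORP\\alice", "group": "CORP\\DnsAdmins", "dest": "dc01.corp.example"},
]


def wildcard_to_regex(data: str) -> "re.Pattern[str]":
    """Only '*' is special and matches any run of characters, including none.
    Everything else is literal, so a value with no '*' must match exactly."""
    return re.compile("^" + ".*".join(re.escape(part) for part in data.split("*")) + "$", re.IGNORECASE)


def in_group(value: str, group: Dict[str, str]) -> bool:
    """True if any element's Data value matches the event field."""
    return any(wildcard_to_regex(data).match(value) for data in group.values())


def non_admin_server_logon(events: List[dict]) -> List[int]:
    """Logon to a machine in SERVERS by an account that is not in ADMIN_ACCOUNTS."""
    return [e["id"] for e in events
            if e["type"] == "UserLogon"
            and in_group(e["dest"], SERVERS)
            and not in_group(e["user"], ADMIN_ACCOUNTS)]


def critical_account_logon_failures(events: List[dict]) -> List[int]:
    """Failed logons where the account is in ADMIN_ACCOUNTS (the group as a white list)."""
    return [e["id"] for e in events
            if e["type"] == "UserLogonFailure" and in_group(e["user"], ADMIN_ACCOUNTS)]


def admin_group_membership_changes(events: List[dict]) -> List[int]:
    """Membership additions to any group whose name matches an ADMIN_GROUPS element."""
    return [e["id"] for e in events
            if e["type"] == "GroupMemberAdd" and in_group(e["group"], ADMIN_GROUPS)]
```

Note what the anchoring does with the sample events: BUILTIN\Administrators matches *Administrators* because the value is wrapped in wildcards, and DnsAdmins matches DNSAdmin* (under the case-insensitive assumption), but CORP\DnsAdmins does not, because DNSAdmin* has no leading asterisk and therefore only matches values that begin with DNSAdmin. If the events you collect prefix group names with a domain, the Data value needs a leading asterisk too.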

Configure event groups in LEM
In this section:

  • Create or edit an event group 220

Event groups organize similar events for use with rules and filters. For example, if you add an event group
to a rule, the rule will fire any time an event in the group occurs. LEM ships with more than a dozen
predefined event groups, for example: virus/scanner events, process start/stop events, change management
events, and so on.

Create or edit an event group


See "Add a new group" on page 212 or "Edit a group" on page 212 to get started adding or editing a
group.

The following table describes how to configure the form fields for event groups.

FIELD DESCRIPTION
Name Enter a name for the event group.

Description Briefly describe the purpose of the event group.

LEM Manager Click the Manager drop-down list and select the Manager that will host the group.
If you are editing an existing group, this field displays the hosting Manager.

Events Select the events to include in the group. Three controls help you find events:

 • Click the search icon to search for a specific event.
 • Click the tree icon to view the event list in tree view.
 • Click the list icon to view an itemized list of events.

Save Click Save to save your changes.

Configure directory service (DS) groups in LEM
This topic explains how to manage Active Directory groups for use with LEM rules and filters.

In this topic:

  • About directory service (DS) groups 222

• Create a directory service group and synchronize it with Active Directory 223

• View a directory service group member in the LEM console 224

• Directory service group grid columns 224

• Remove a directory service group from LEM 224

Complete the following tasks before you configure directory service groups for the first time:

 • Configure the Directory Service Query Connector
 • Sync Active Directory with LEM

See "Configure Active Directory and LEM to work with LEM rules and filters" on page 60 for
instructions.

About directory service (DS) groups


Active Directory groups that are configured to sync with LEM are called directory service groups (or DS
groups). DS groups contain either Windows users or computer accounts. Any changes that you make in
Active Directory propagate to LEM rules and filters.

If Active Directory is available, use directory service groups to add user and computer accounts to rules
and filters. A user-defined group cannot be synchronized with Active Directory. Allowing LEM to access
Active Directory directly via a directory service group means you do not have to maintain duplicate groups
of user and computer records in LEM, saving time and reducing the risk of human error. Following
integration, you can white-list or black-list select Active Directory groups using LEM rules and filters.

See "About LEM groups" on page 205 to learn about the various group types that organize elements
into logical units so that they can be used as parameters in rules and filters.


Create a directory service group and synchronize it with Active Directory


Complete these steps to select which Active Directory groups to synchronize with LEM. The synchronization
process runs every five minutes as long as the connector is running.

Before you begin, the Directory Service Query connector must be configured on the LEM Manager.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Build > Groups.
 3. Click the add button (+) in the upper right corner of the Groups toolbar and select Directory Service Group.
The Select Directory Service Group form opens.
 4. Select from the list the LEM Manager that will use the DS groups.
 5. Use the folder tree on the left to populate the Available Groups pane on the right. The form displays
the actual contents (folders and group categories) of your directory service.
Each folder contains the group categories associated with that area of your directory service. Expand
a folder to display the group categories within it.
The Available Groups pane lists a different set of groups for each folder you select. For example,
clicking the Users folder displays a different set of groups than clicking the Laptops folder.
 6. Select the directory service groups that you want to import into LEM Manager.

 7. Repeat the previous two steps until you have selected all of the groups that you want to import.
 8. Click Save.
The system synchronizes the DS groups to LEM and adds them to the Groups grid.
You can now use the DS groups with your rules and filters.

View a directory service group member in the LEM console
The Groups grid displays various LEM groups, including each directory service group synchronized with
LEM. Select a DS group in the grid to view the members of that group in the Directory Service Group pane.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Choose Build > Groups.
 3. In the Groups grid, select the directory service group you want to view.

To sort groups by group type, click the Type column heading.

The Directory Service Group pane lists the group members.

Directory service group grid columns


The Directory Service Group pane lists each computer account and user account associated with the DS
group. The following table describes each grid column.

COLUMN DESCRIPTION
Type Displays an icon that shows if the group member is a user or a computer. The
computer icon represents a computer account. The person icon represents a
user account.

Name The name of the group member.

Description The description associated with the group member.

SAM Name The account name of the member.

Principal Name The principal name of the member.

Distinguished Name The complete distinguished name (DN) of the member.

Email The email address of the member.

Remove a directory service group from LEM


Directory service groups can be deleted from LEM the same as any other group. See "Delete a group" on
page 214 for steps. Deleting a DS group from LEM does not remove the group from Active Directory. You
can add the group back to LEM at any time by repeating the synchronization steps above.


Configure the connector-profile group type in LEM


Use the connector-profile group type to maintain and monitor LEM Agents that share a common connector
configuration. For example, a connector profile can help you maintain and monitor multiple domain
controllers. Most Agents in a network only have a few different connector configurations. By using
connector profiles, you can create rules and filters that include or exclude Agents that share the same
connector configuration.

For more information about connector profiles, see "Create connector profiles to manage and monitor
LEM Agents" on page 135.

Configure state variables in LEM
In this section:

  • Add a new state variable field 227

• Edit a state variable field 227

• Delete a state variable field 228

• Manage state variable folders 228

Use the Groups grid to add, edit, and delete state variables and the number, text, and time fields
associated with each variable.

State variables are used in rules to represent temporary or transitional states. For example, you can create
a state variable to track the state of a particular system, setting it to a different value depending on
whether the system comes online or goes offline.

You can also configure rules to monitor the contents of a state variable to validate or invalidate a rule. For
example, you can set a DEFCON value and ensure that the DEFCON value is over 3 before notifying your
on-call staff.

If you require permanent lists of data that can be preserved over long periods of time, you can use User-
Defined Groups in a similar manner.
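The following is an added example, not SolarWinds code, that works through the two uses described above: a state variable whose fields record whether a system is online or offline and since when, and a second variable holding a DEFCON number that a rule checks before paging anyone. It also handles the two things a real rule must get right: a repeated "down" event must not reset the outage start time, and one outage should page once rather than on every evaluation. The variable names, field names, event records and the DEFCON threshold are constructed; LEM's own rule engine and state-variable semantics are not described in that detail on this page.

```python
"""A state-variable store with the three field types the LEM form offers
(Text, Number, Time), driven by rules that read and write it.

Added example, not SolarWinds code. The variable names, field names, event
records and the DEFCON threshold are constructed to illustrate the passage
above; LEM's own rule engine and state-variable semantics are not described
in that detail on this page."""
from datetime import datetime, timedelta
from typing import Dict, List

FIELD_TYPES = {"Text": str, "Number": (int, float), "Time": datetime}


class StateVariable:
    """Named variable with typed fields, like the State Variables form."""

    def __init__(self, name: str, fields: Dict[str, str]):
        self.name = name
        self.fields = fields            # field name -> "Text" | "Number" | "Time"
        self.values: Dict[str, object] = {}

    def set(self, field: str, value) -> None:
        # An undeclared field or a wrong type is a bug in the rule, so fail loudly.
        if field not in self.fields:
            raise KeyError(f"{self.name} has no field {field!r}")
        if not isinstance(value, FIELD_TYPES[self.fields[field]]):
            raise TypeError(f"{self.name}.{field} is {self.fields[field]}, got {type(value).__name__}")
        self.values[field] = value

    def get(self, field: str, default=None):
        return self.values.get(field, default)


POSTURE = StateVariable("SOC Posture", {"DEFCON": "Number", "Reason": "Text"})
HOSTS: Dict[str, StateVariable] = {}       # one "Host Status" variable per host
ESCALATE_AFTER = timedelta(minutes=10)


def host_state(host: str) -> StateVariable:
    return HOSTS.setdefault(host, StateVariable(
        f"Host Status {host}", {"State": "Text", "Since": "Time", "LastPaged": "Time"}))


def should_page_on_call(host: str, now: datetime) -> bool:
    """Rule condition: host offline for ESCALATE_AFTER, DEFCON above 3, not yet paged for this outage."""
    sv = HOSTS.get(host)
    if sv is None or sv.get("State") != "offline":
        return False
    if POSTURE.get("DEFCON", 0) <= 3:
        return False
    paged = sv.get("LastPaged")
    if paged is not None and paged >= sv.get("Since"):
        return False                         # already paged for this outage
    return now - sv.get("Since") >= ESCALATE_AFTER


def handle_event(ev: dict) -> List[str]:
    """Apply the state-updating rules to one event, then evaluate the escalation
    rule for every host it could affect. Returns the notifications that fired."""
    now = ev["time"]
    if ev["type"] == "DefconChange":
        POSTURE.set("DEFCON", ev["level"])
        POSTURE.set("Reason", ev["reason"])
        affected = list(HOSTS)               # a posture change can trip any host already down
    elif ev["type"] == "HostDown":
        sv = host_state(ev["host"])
        if sv.get("State") != "offline":     # keep the first outage timestamp on repeats
            sv.set("State", "offline")
            sv.set("Since", now)
        affected = [ev["host"]]
    elif ev["type"] == "HostUp":
        sv = host_state(ev["host"])
        sv.set("State", "online")
        sv.set("Since", now)
        affected = [ev["host"]]
    else:
        affected = [ev["host"]] if "host" in ev else []
    fired: List[str] = []
    for h in affected:
        if should_page_on_call(h, now):
            sv = HOSTS[h]
            sv.set("LastPaged", now)
            fired.append(f"page on-call: {h} offline since {sv.get('Since'):%H:%M} at DEFCON {POSTURE.get('DEFCON')}")
    return fired


def run(events: List[dict]) -> List[str]:
    """Replay constructed events in order; state persists between them."""
    fired: List[str] = []
    for ev in events:
        fired.extend(handle_event(ev))
    return fired


# Constructed event sequence.
T0 = datetime(2017, 10, 19, 9, 0)
SAMPLE_EVENTS = [
    {"type": "DefconChange", "time": T0, "level": 2, "reason": "normal operations"},
    {"type": "HostDown", "time": T0 + timedelta(minutes=1), "host": "web01"},
    {"type": "HostDown", "time": T0 + timedelta(minutes=12), "host": "web01"},   # repeat at DEFCON 2: no page
    {"type": "DefconChange", "time": T0 + timedelta(minutes=13), "level": 4, "reason": "active incident"},
    {"type": "Heartbeat", "time": T0 + timedelta(minutes=14), "host": "web01"},  # already paged: no repeat
    {"type": "HostUp", "time": T0 + timedelta(minutes=15), "host": "web01"},
]
```

Replaying the sample sequence pages on-call exactly once, at the moment DEFCON rises to 4 while web01 has already been down for 12 minutes; the later heartbeat does not page again because LastPaged is newer than Since, and the HostUp event resets Since so a fresh outage can page again.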


Add a new state variable field


 1. Open the Build > Groups view.
 2. In the Groups grid, click the add button (+) and select State Variable.
If you are editing a state variable, click the gear icon next to the variable and select Edit.
The State Variables pane displays as an editable form. If you are editing an existing state variable,
the form displays any preconfigured fields.

 3. In the Name box, enter a name for the state variable.
 4. Click the Manager drop-down menu and select the LEM Manager instance that will host the state
variable. If you are editing an existing group, this field displays the hosting Manager.
 5. Click the add button (+) to display the Add Variable Field form.
 6. In the Name box, enter a name for the state variable field.
 7. In the Type list, select the type of state variable the field represents—Text, Number, or Time.
 8. Click Save in the first column to save the field.
The new State Variable field displays in the State Variables grid with the field name and comparison
type.
 9. Repeat steps 5 through 8 for each field you want to add to the state variable.
 10. Click Save in the right column to save the state variable settings.
The new state variable displays in the Groups grid and the State Variables list in Rule Builder. You
can incorporate this state variable whenever you add or edit a rule.

Edit a state variable field


 1. Open the Build > Groups view.
 2. Select a state variable in the Groups grid.
 3. Click the gear icon and select Edit.
The State Variables pane opens as an editable form.

 4. In the Fields grid, select the state variable field you want to edit.
The Add Variable Field form displays, showing the current field configuration.
 5. Edit the field Name or Type as required.
 6. Click Save to apply your changes.
The updated field appears in the fields grid.
 7. Click Save in the right column to save your changes to the state variable.

Delete a state variable field


 1. Open the Build > Groups view.
 2. Select the state variable that contains the field you want to delete.
 3. Click the gear icon and select Edit.
The State Variables pane opens as an editable form.
 4. In the Fields grid, select the field you want to delete.
 5. Click the remove button (-) to delete the field.
The field is removed from the Fields grid.
 6. Click Save to save the changes.

Manage state variable folders


As with rules and email templates, you can use the Folders pane to organize your state variables into
folders and sub-folders. You can add, rename, move, and delete state variable folders.


Configure Time of Day Sets in LEM


In this section:

  • Create or edit a Time of Day Set 229

• Use a Time of Day Set in a filter or rule 230

Use Time of Day Sets in filters and rules to target specific time frames, such as business hours, off hours,
or specific shifts. For example, if you define two different sets for Business Hours and Outside Business
Hours, you can assign different rules to each of these sets. During working hours you may want your rules
to alert a system administrator through email, whereas outside of business hours the rule can send an
alert and also shut down the offending PC.

LEM includes the following Time of Day Sets by default:

NAME DESCRIPTION
Business Hours 6:30 AM to 12:00 PM and 1:00 PM to 4:30 PM, Monday through Friday

Early Shift 3:30 AM to 1:30 PM, 7 days a week

Graveyard Shift 9:00 PM to 4:30 AM, 7 days a week

Late Shift 3:00 PM to 12:00 AM, 7 days a week

Normal Shift 7:30 AM to 5:30 PM, 7 days a week

Reboot Cycle 2:00 AM to 3:00 AM, Sunday only

Create or edit a Time of Day Set


See "Add a new group" on page 212 or "Edit a group" on page 212 to get started adding or editing a Time
of Day Set.

You can only add a new Time of Day Set to one LEM Manager at a time. To copy a Time of Day Set for
use with another LEM Manager, export it and then import it into the other Manager's Groups grid.
See "Export a group" on page 213 for steps.

The following table describes the Time of Day Set form fields.

FIELD DESCRIPTION
Name Enter a name for this Time of Day Set.

Description Briefly describe the purpose of the set.

LEM Manager Click the Manager drop-down list and select the Manager that will host the Time of Day Set.
If you are editing an existing Time of Day Set, this field displays the hosting Manager.

Time grid boxes The time grid is based on a one-week period and includes:

 • Seven rows, where each row represents one day of the week.
 • 24 numbered columns, where each column represents one hour of the day. The
white column headers represent morning hours (midnight to noon). The shaded
column headers represent afternoon and evening hours (noon to midnight).
 • Two check boxes per column, dividing each hour into two 30-minute periods.
(Each box represents a half-hour.)

Select the boxes for the half-hour increments that you want to include in the Time of Day
Set.

Click and drag to select or clear a range of boxes in one motion.

Save Click Save in the bottom-right corner to make your group changes permanent.
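The following is an added example, not SolarWinds code, that models a Time of Day Set as exactly the grid described in the table above (seven rows of 48 half-hour boxes), builds the six default sets from the table of defaults earlier in this section, and evaluates a DetectionTime against them the way a "DetectionTime contains <set>" condition would. The interesting case is Graveyard Shift, which runs past midnight: the page does not say how LEM ticks those boxes, so the wrap-around handling here, like the in-memory representation, is the author's assumption.

```python
"""Model a LEM Time of Day Set as the 7-day by 48-half-hour grid described above.

Added example, not SolarWinds code. The six default sets are built from the
table above. How LEM stores the grid and how a default that runs past midnight
(Graveyard Shift) is ticked are not stated on the page, so the representation
and the wrap-around handling here are the author's assumptions."""
from datetime import datetime, time
from typing import Iterable, List

SLOTS_PER_DAY = 48          # two check boxes per hour
ALL_DAYS = range(7)         # Monday = 0 ... Sunday = 6, matching datetime.weekday()
WEEKDAYS = range(5)


def slot(t: time) -> int:
    """Index 0..47 of the half-hour box containing t (seconds are ignored)."""
    return t.hour * 2 + (1 if t.minute >= 30 else 0)


class TimeOfDaySet:
    def __init__(self, name: str):
        self.name = name
        self.grid = [[False] * SLOTS_PER_DAY for _ in ALL_DAYS]

    def add_range(self, days: Iterable[int], start: time, end: time) -> "TimeOfDaySet":
        """Tick the boxes from start (inclusive) to end (exclusive) on each listed day.
        time(0, 0) as end means midnight at the close of the day. If end is not after
        start the range wraps into the following day, so 9:00 PM to 4:30 AM on Monday
        ticks Monday 21:00-24:00 and Tuesday 00:00-04:30."""
        s = slot(start)
        e = SLOTS_PER_DAY if end == time(0, 0) else slot(end)
        for d in days:
            if s < e:
                self.grid[d][s:e] = [True] * (e - s)
            else:
                self.grid[d][s:] = [True] * (SLOTS_PER_DAY - s)
                self.grid[(d + 1) % 7][:e] = [True] * e
        return self

    def contains(self, when: datetime) -> bool:
        return self.grid[when.weekday()][slot(when.time())]

    def ticked_boxes(self) -> int:
        return sum(sum(row) for row in self.grid)


# The default sets from the table above.
DEFAULT_SETS: List[TimeOfDaySet] = [
    TimeOfDaySet("Business Hours")
        .add_range(WEEKDAYS, time(6, 30), time(12, 0))
        .add_range(WEEKDAYS, time(13, 0), time(16, 30)),
    TimeOfDaySet("Early Shift").add_range(ALL_DAYS, time(3, 30), time(13, 30)),
    TimeOfDaySet("Graveyard Shift").add_range(ALL_DAYS, time(21, 0), time(4, 30)),
    TimeOfDaySet("Late Shift").add_range(ALL_DAYS, time(15, 0), time(0, 0)),
    TimeOfDaySet("Normal Shift").add_range(ALL_DAYS, time(7, 30), time(17, 30)),
    TimeOfDaySet("Reboot Cycle").add_range([6], time(2, 0), time(3, 0)),
]


def matching_sets(detection_time: datetime) -> List[str]:
    """Names of the default sets whose grid contains the event's DetectionTime;
    a condition 'DetectionTime contains <set>' is true for each of these."""
    return [s.name for s in DEFAULT_SETS if s.contains(detection_time)]


def outside_business_hours(detection_time: datetime) -> bool:
    """The 'Does Not Contain' form of the condition, as used by after-hours rules."""
    return not DEFAULT_SETS[0].contains(detection_time)
```

With the defaults, an event at 12:30 PM on a Thursday is outside Business Hours (the lunch gap between 12:00 PM and 1:00 PM is not ticked) even though Early Shift and Normal Shift both contain it, and 2:45 AM on a Sunday falls in both Reboot Cycle and the part of Graveyard Shift that wrapped over from Saturday night. Sets built this way can be compared by counting ticked boxes: Business Hours covers 90 half-hours, Graveyard Shift 105, Reboot Cycle 2.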

Use a Time of Day Set in a filter or rule


 1. Locate and click the alert or alert group you want to use in your filter or rule.
 2. Locate and drag DetectionTime from the Fields list to the Conditions box.
 3. Click Time of Day Sets on the Components pane.

ADMINISTRATOR GUIDE: LOG & EVENT MANAGER

 4. Locate the time of day set you want to use and drag it into the conditions area to replace the Text
Constant field (denoted by a pencil icon).
 5. To view all events outside your selected period, click the operator between the field and your Time of
Day Set in the conditions area.
The operator changes to Does Not Contain.
 6. Click Save if you are finished creating or editing your filter or rule.
If you modified a rule, click Activate Rules in the Rules view.
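The following is an added example, written for this guide and not part of SolarWinds LEM, that models a Time of Day Set as the 7-row by 24-column grid of half-hour boxes described in the form-field table and applies the Contains and Does Not Contain operators to an event's DetectionTime. The class and function names (TimeOfDaySet, check) are assumptions made for the illustration; the six sets and their hours are the defaults listed earlier in this section, and the example handles the Graveyard Shift case, where the selected range wraps past midnight.

```python
"""Added example, not SolarWinds LEM code: a Time of Day Set modelled as the
7-row by 24-column grid of half-hour boxes, with the Contains and Does Not
Contain operators applied to an event's DetectionTime. Class and function
names are assumptions for this illustration; the sets and hours are the
defaults listed in the guide."""
from datetime import datetime, time

SLOTS_PER_DAY = 48          # 24 hours, each split into two 30-minute boxes
ALL_DAYS = range(7)         # Monday (0) through Sunday (6), as datetime.weekday()
WEEKDAYS = range(5)         # Monday through Friday
SUNDAY = [6]


class TimeOfDaySet:
    """One week of half-hour boxes; True means the box is selected in the grid."""

    def __init__(self, name):
        self.name = name
        self.grid = [[False] * SLOTS_PER_DAY for _ in ALL_DAYS]

    @staticmethod
    def slot(t):
        """Index (0..47) of the half-hour box that clock time `t` falls in."""
        return t.hour * 2 + (1 if t.minute >= 30 else 0)

    def select(self, days, start, end):
        """Select boxes from `start` (inclusive) to `end` (exclusive) on each of
        `days`. An `end` of 12:00 AM means 'through the end of the day'. A range
        whose end is not after its start, such as the Graveyard Shift's 9:00 PM
        to 4:30 AM, wraps past midnight into the following day."""
        first = self.slot(start)
        last = SLOTS_PER_DAY if end == time(0, 0) else self.slot(end)
        for day in days:
            if first < last:
                for s in range(first, last):
                    self.grid[day][s] = True
            else:
                for s in range(first, SLOTS_PER_DAY):
                    self.grid[day][s] = True
                for s in range(0, last):
                    self.grid[(day + 1) % 7][s] = True
        return self

    def contains(self, when):
        """True when the DetectionTime `when` lands on a selected box."""
        return self.grid[when.weekday()][self.slot(when.time())]


def default_sets():
    """Build the Time of Day Sets that LEM ships with, as listed in the guide."""
    business = (TimeOfDaySet("Business Hours")
                .select(WEEKDAYS, time(6, 30), time(12, 0))
                .select(WEEKDAYS, time(13, 0), time(16, 30)))
    return {
        "Business Hours": business,
        "Early Shift": TimeOfDaySet("Early Shift").select(ALL_DAYS, time(3, 30), time(13, 30)),
        "Graveyard Shift": TimeOfDaySet("Graveyard Shift").select(ALL_DAYS, time(21, 0), time(4, 30)),
        "Late Shift": TimeOfDaySet("Late Shift").select(ALL_DAYS, time(15, 0), time(0, 0)),
        "Normal Shift": TimeOfDaySet("Normal Shift").select(ALL_DAYS, time(7, 30), time(17, 30)),
        "Reboot Cycle": TimeOfDaySet("Reboot Cycle").select(SUNDAY, time(2, 0), time(3, 0)),
    }


DEFAULT_SETS = default_sets()


def check(set_name, operator, detection_time):
    """Apply the filter operator ('Contains' or 'Does Not Contain', the two the
    console toggles between) to a DetectionTime given as 'YYYY-MM-DD HH:MM'."""
    when = datetime.strptime(detection_time, "%Y-%m-%d %H:%M")
    inside = DEFAULT_SETS[set_name].contains(when)
    if operator == "Contains":
        return inside
    if operator == "Does Not Contain":
        return not inside
    raise ValueError("unknown operator: " + operator)


if __name__ == "__main__":
    # 2017-10-19 is a Thursday; 2017-10-22 is a Sunday; 2017-10-23 is a Monday.
    for args in [("Business Hours", "Contains", "2017-10-19 09:15"),
                 ("Business Hours", "Does Not Contain", "2017-10-19 12:15"),
                 ("Graveyard Shift", "Contains", "2017-10-22 03:00"),
                 ("Reboot Cycle", "Contains", "2017-10-23 02:30")]:
        print(args, "->", check(*args))
```

The lunch gap in Business Hours (12:00 PM to 1:00 PM) and the overnight wrap of the Graveyard Shift are the two cases worth testing when you build a set of your own, because both are easy to get wrong by selecting a single contiguous range in the grid.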

LEM filters: Capture real-time events and historical data with filter criteria
In this chapter:

  • About LEM filters and filter categories 233

• Create a new LEM filter for real-time monitoring 241

• Manage LEM filter categories: Add, edit, view, and more 244

• Manage LEM filters: Add, edit, view, and more 248

• Start, stop, and pause filters in LEM 253


About LEM filters and filter categories


This topic introduces filters and briefly describes the default filters included with LEM.

In this topic:

  • Use filters to group a particular type of event or to monitor specific events 233

• About the default filters included with LEM 234

• Finding and viewing filters in Monitor view 234

• Default filters included with LEM 235

Filters capture events and alerts that take place on your network. (In LEM, the terms event and alert are
interchangeable.)

The LEM console uses event filters to manage events. You can turn filters on and off, pause filters to sort or
investigate events, perform actions to respond to events, and configure filters to notify you when they
capture a particular event. Filters can also display widgets, which are charts and graphs that visually
represent the event data.

Filter conditions can be broad or specific. For example, you can create a filter without conditions that
captures all events, regardless of the source or event type, or you can create a filter that has one specific
condition, such as "UserLogon Exists," which only captures user logon events.

Create filters when you want to group a particular type of event. For example, you can create filters
to collect all events from your domain controllers, or all events for a specific type of user.

Create rules when you want LEM to take some kind of action in response to one or more events.

Use filters to group a particular type of event or to monitor specific events


Use filters to group a particular type of event. For example, you can create filters to collect:

 l All events from your firewalls
 l All events from your domain controllers
 l All events for a specific type of user
 l All events except for recurring, expected events

Create custom filters to monitor specific events, such as:

 l Change Management filters to monitor configuration changes users create in your network.
 l High Volume Event filters to monitor traffic spikes or unexpected off-peak traffic.
 l General Interest filters to monitor log in failures and failed authentications.

A failed authentication is an event triggered by three logon failures by the same account
within an extremely short period of time.

 l Rule Scenario Event filters to determine if you have the appropriate events to create a rule for a
specific scenario.
 l Daily Problem Event filters to monitor basic operational problems (such as account lockouts) in real
time.
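The failed-authentication definition above (three logon failures by the same account within an extremely short period) is the kind of threshold a General Interest filter exists to surface. The following added example, written for this guide and not SolarWinds code, runs that detection over a constructed sample stream. The 60-second window, the event layout (field names modelled on LEM's UserLogonFailure alert fields) and the function name are assumptions made for the illustration.

```python
"""Added example, not SolarWinds LEM code: flag a "failed authentication" as the
guide defines it, three logon failures by the same account within an extremely
short period. The 60-second window, the event layout and the function name are
assumptions for this illustration; the sample events are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"
WINDOW = timedelta(seconds=60)   # assumed; the guide only says "extremely short"
THRESHOLD = 3                    # three failures, as the guide states

# Constructed sample stream in the shape a LEM filter would see (assumed layout).
SAMPLE_EVENTS = [
    {"DetectionTime": "2017-10-19 09:00:01", "EventName": "UserLogonFailure", "DestinationAccount": "jdoe", "DetectionIP": "10.0.0.5"},
    {"DetectionTime": "2017-10-19 09:00:02", "EventName": "UserLogonFailure", "DestinationAccount": "asmith", "DetectionIP": "10.0.0.7"},
    {"DetectionTime": "2017-10-19 09:00:05", "EventName": "UserLogonFailure", "DestinationAccount": "jdoe", "DetectionIP": "10.0.0.5"},
    {"DetectionTime": "2017-10-19 09:00:09", "EventName": "UserLogon", "DestinationAccount": "jdoe", "DetectionIP": "10.0.0.5"},
    {"DetectionTime": "2017-10-19 09:00:12", "EventName": "UserLogonFailure", "DestinationAccount": "jdoe", "DetectionIP": "10.0.0.5"},
    {"DetectionTime": "2017-10-19 09:00:20", "EventName": "UserLogonFailure", "DestinationAccount": "jdoe", "DetectionIP": "10.0.0.5"},
    {"DetectionTime": "2017-10-19 09:03:00", "EventName": "UserLogonFailure", "DestinationAccount": "asmith", "DetectionIP": "10.0.0.7"},
    {"DetectionTime": "2017-10-19 09:05:00", "EventName": "UserLogonFailure", "DestinationAccount": "svc_backup", "DetectionIP": "10.0.0.9"},
    {"DetectionTime": "2017-10-19 09:05:30", "EventName": "UserLogonFailure", "DestinationAccount": "svc_backup", "DetectionIP": "10.0.0.9"},
    {"DetectionTime": "2017-10-19 09:10:00", "EventName": "UserLogonFailure", "DestinationAccount": "asmith", "DetectionIP": "10.0.0.7"},
]


def detect_failed_authentications(events, window=WINDOW, threshold=THRESHOLD):
    """Return one finding per burst of `threshold` UserLogonFailure events by the
    same account inside `window`. A per-account deque holds only the timestamps
    still inside the window, so memory stays bounded however long the stream is;
    the deque is cleared after a finding so one burst raises one alert."""
    recent = defaultdict(deque)
    findings = []
    for event in sorted(events, key=lambda e: e["DetectionTime"]):
        if event["EventName"] != "UserLogonFailure":
            continue                      # successful logons and other events are ignored
        account = event["DestinationAccount"]
        seen = datetime.strptime(event["DetectionTime"], TIME_FORMAT)
        window_hits = recent[account]
        window_hits.append(seen)
        while seen - window_hits[0] > window:
            window_hits.popleft()         # drop failures that fell out of the window
        if len(window_hits) >= threshold:
            findings.append({
                "account": account,
                "first": window_hits[0].strftime(TIME_FORMAT),
                "last": seen.strftime(TIME_FORMAT),
                "count": len(window_hits),
            })
            window_hits.clear()
    return findings


if __name__ == "__main__":
    for finding in detect_failed_authentications(SAMPLE_EVENTS):
        print(f"{finding['account']}: {finding['count']} failures "
              f"between {finding['first']} and {finding['last']}")
```

In the sample, only jdoe reaches three failures inside one window; asmith fails three times too, but spread over ten minutes, so the sliding window never holds more than one of them at once. Lowering the threshold or widening the window changes what is captured, which is exactly the tuning a filter of this kind needs before it is trusted in production.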

About the default filters included with LEM


SolarWinds LEM ships with filters that support best practices in the security industry. You can modify
these filters to meet your needs, or you can create an unlimited number of custom filters. A single set of
filters can monitor data collected across multiple LEM Managers.

Finding and viewing filters in Monitor view


In this section:

  • About LEM filter categories 235

• About the Filters sidebar 235

To find a filter in LEM, open the Monitor tab in the LEM console, and click Filters in the top-left part of the
screen to open the Filters sidebar. Expand a category to view its filters. To view a brief description of a
filter, hover your cursor over it.

Filtered events are listed in the event grid, or you can view filtered event data using a variety of charts and
graphs called widgets. Filters can also use the console to signal that they have captured a particular event
by displaying a pop-up message, by playing a sound, or by using blinking text.


Filters are located in the Filters pane, where they are grouped into different categories.

About LEM filter categories


By default, filters are grouped into the following seven categories in the Filters pane:

 l Overview
 l Security
 l IT Operations
 l Change Management
 l Authentication
 l Endpoint Monitoring
 l Compliance

You can also add, edit, rename, export, import, and delete filter categories. See "Manage LEM filter
categories: Add, edit, view, and more" on page 244 for details.

About the Filters sidebar


The number to the right of each filter name shows the number of events associated with that filter. Filters
shown in gray italics are currently turned off. To move a filter from one category to another, click and drag
it to its new location.

Default filters included with LEM


This section lists the default filters included with LEM.

In this section:

  • Overview Filters 236

• Security Filters 236

• IT Operations Filters 237

• Change Management Filters 238

• Authentication Filters 239

• Endpoint Monitoring Filters 239

• Compliance Filters 240

Overview Filters

NAME | DESCRIPTION | DEFAULT STATUS
All Events | Displays all events from all sources. | On
Subscriptions | Filters events related to rules subscribed to the specified user. | On
LEM Internal Events | Filters events related to LEM operations, including informational, warning, and audit events. | On
Rule Activity | Displays all activated rules. | On

Security Filters

NAME | DESCRIPTION | DEFAULT STATUS
Incidents | Filters all events categorized as Incidents. | On
Security Events | Filters events categorized as attack activity or potentially suspicious. | On
Network Event Threats | Filters events with source or destination detected in the threat intelligence feed as potentially bad actors. | On
All Firewall Events | Filters events from firewall devices that match the targeted name. | On
All Threat Events | Filters all events with the source or destination detected in the threat intelligence feed as potentially bad actors. | On
Denied ACL Traffic | Filters events from network devices that indicate denied ACL activity. | Off
Unusual Network Traffic | Filters unusual network traffic and scans. | On
Blocked Web Traffic | Filters events from proxy servers or other web servers that blocked an attempt to access a URL. | On
Proxy Bypassers | Filters web traffic users who are bypassing your proxy server. | Off
Web Traffic - Spyware | Filters web traffic events to potential spyware sites. | Off
Virus Attacks | Filters events that indicate potential virus detection. | On
IDS Scan / Attack Activity | Filters security events detected by IDS tools (such as Snort). | On
Security Processes | Filters security-related process activities. | On
File Audit Failures | Filters events that indicate failed attempts to access files. | On

IT Operations Filters

NAME | DESCRIPTION | DEFAULT STATUS
All Domain Controller Events | Displays all traffic from machines in the Domain Controllers tool profile. | Off
All Web Traffic | Filters all web traffic-related events from network devices, proxy servers, and web servers. | On
Software Installation/Update | Filters events related to software installation and updates. | On
Service Events | Filters events related to starting and stopping services, as well as service warnings and information. | On
System Events | Filters events related to system availability and status information. | On
Error Events | Filters events from all sources that contain "error". | On
Warning Events | Filters events from all sources that contain "warning". | On
Windows Error Events | Filters events from Microsoft Windows event logs that contain "error". | On
Error Events for Device | Filters events from a specific device that contain "error". | Off
Web Traffic for Source Machine | Filters web traffic emanating from a certain source machine. | Off
All Network Traffic | Filters all network traffic-related events from all devices and systems. | On
FTP Traffic | Filters TCP traffic events between one or more FTP ports reported by any device or system. | On
SNMP Traffic | Filters UDP traffic events between one or more SNMP ports reported by any device or system. | On
SMTP Traffic | Filters UDP traffic events between one or more SMTP ports reported by any device or system. | On

Change Management Filters

NAME | DESCRIPTION | DEFAULT STATUS
General Change Management | Filters all events that indicate changes to devices, systems, users, groups, and domains. | On
User Account Changes | Filters changes to existing user accounts. | On
Machine Account Changes | Filters changes to existing machine accounts. | On
Group Changes | Filters creation, deletion, and changes to groups. | On
Domain & Membership Changes | Filters new and deleted domain accounts (including users/groups) and domain changes. | On
Device/System Policy Changes | Filters events related to policy changes on devices and systems. | On
All File Audit Activity | Filters events related to all types of audited file access. | On
USB File Auditing | Filters file-related alerts from Agents running USB Defender. | On


Authentication Filters

NAME | DESCRIPTION | DEFAULT STATUS
User Logons | Filters all types of user logons. | On
Interactive User Logons | Filters background network logon types. | On
Remote User Logons | Filters events that indicate remote Windows system logons. | On
Failed Logons | Filters events that indicate failed logon attempts to devices and systems. | On
Account Lockouts | Filters events that indicate an account was locked out. | On
Authentication Event Threats | Filters authentication events with a source or destination detected in the threat intelligence feed as potentially bad actors. | On
Admin Account Authentication | Filters authentication events related to specified administrative accounts. | Off

Endpoint Monitoring Filters

NAME | DESCRIPTION | DEFAULT STATUS
Workstation Logon/Logon Failure Activity | Filters non-network workstation logon/logon failure to a domain or local account. | On
Local Account Authentication/Changes | Filters any user-related audit events that are not to or from the corporate domain. | On
Software Installed on Workstations | Filters software installations on workstation systems. | On
USB-Defender Events | Filters USB Defender events. | On
Workstation Events with Threats | Filters all events detected on endpoints with a source or destination detected in the threat intelligence feed as potentially bad actors. | On

Compliance Filters

NAME | DESCRIPTION | DEFAULT STATUS
Top PCI Events | Filters the most common PCI events of interest, which include change management, unexpected file access, incidents, and attacks. | Off
Top HIPAA Events | Filters file activity, changes, and incidents related to HIPAA events. | Off
Top Banking Compliance Events | Filters common banking compliance events, including change management, users and groups, and potentially suspicious attack activity. | Off


Create a new LEM filter for real-time monitoring


This topic describes how to create a new LEM filter. It covers how to create a filter by clicking New Filter in
the Filters pane, and how to create a new LEM filter from an existing event.

In this topic:

  • Create a new LEM filter 241

• Create a LEM filter from a specific event 243

See also:

 l "Get started building custom filter expressions in LEM" on page 335 to learn how to write
custom filter expressions

Create a new LEM filter


You can create custom filters from the Monitor view in your LEM console to display real-time traffic from
your monitored computers and devices.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
Log in as an administrator or auditor.
 2. Click Monitor to open Monitor view.
 3. In the Filters pane, click and select New Filter.
 4. Enter a filter name and description.
 5. Change the Lines Displayed value to modify the number of events your filter can store in memory.

The default value is 1000.

 6. Configure the correlations (or relationships) that define the filter. These correlations define the
events that must occur for the filter to take effect.

 a. Drag Event or Event Group items from the filters and groups list pane into the Correlations
box. Click to add a group.
You can create custom correlations in Monitor view and nDepth view using the filters and
groups list pane. It contains categorized lists of events, event groups, event fields, Groups
(from the Groups grid), profiles, and constants that you can use to create conditions for your
filters, rules, and search queries.

 b. Click the correlations connector bar. Select AND to determine if the alert conditions must all
apply or OR if any alert conditions apply to prompt a response.
If your correlations require a value, populate the value using one of the following procedures:
 l Enter a static text value in the Text Constant field, denoted by a pencil icon. Use asterisks (*) as
wildcard characters to account for any number of characters before, within, or after your text
value.
 l Drag a group from the list pane to replace the Text Constant field. The most commonly used
groups include User Defined Groups, Connector Profiles, Directory Service Groups, and Time Of
Day Sets.
 l Drag an Event field from an existing event in your Correlations to replace the Text Constant
field. This will result in a parameter that states whether values from different Events in your
Correlations should match.


 7. If you want to change the operators in your conditions, click the operator until you find the one you
want.
There are two types of operators: Condition and Group.
 l Condition operators are found between your events and their values. Examples include Equals,
Does Not Equal, Contains, and Does Not Contain. Rule Creation only displays the operators that
are available for the values in your Correlations.
 l Group operators are found outside of your correlation groups. The two options are And (blue)
and Or (orange).

For more information see "Comparing values with operators in LEM filters and rules" on
page 331.

 8. Maximize the Notifications group and drag a notification into the Notifications box.
 9. Set your AND and OR operators as required.
 10. Click Save.
Your filter is saved.
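To show how the pieces built in steps 6 and 7 fit together, the following is an added example written for this guide, not SolarWinds code: it evaluates a correlation tree of the shape the Filter Creation window builds, with And/Or groups, the Equals, Does Not Equal, Contains and Does Not Contain condition operators, Text Constants that use * as a wildcard, an Exists check, and a condition that compares a field of one event with the same field of another event in the correlation. The tree layout, function names, sample events and the case-insensitive matching are assumptions made for the illustration.

```python
"""Added example, not SolarWinds LEM code: evaluate a correlation tree of the
kind the Filter Creation window builds. The tree format, the function names,
the sample events and case-insensitive matching are assumptions made for this
illustration; the operators, And/Or groups and * wildcard follow the guide."""
import re


def wildcard_regex(text):
    """Turn a Text Constant with * wildcards into an anchored regex.
    Everything between the asterisks is matched literally."""
    parts = (re.escape(p) for p in text.split("*"))
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def compare(op, value, target):
    """Apply a Condition operator to a field value. `target` is either the Text
    Constant or a value pulled from another event. A missing field (None) never
    satisfies a condition; that is a conservative choice made here, not LEM's
    documented behaviour."""
    if value is None:
        return False
    value, target = str(value), str(target)
    if op == "Equals":
        return wildcard_regex(target).match(value) is not None
    if op == "Does Not Equal":
        return wildcard_regex(target).match(value) is None
    if op == "Contains":
        return wildcard_regex("*" + target + "*").match(value) is not None
    if op == "Does Not Contain":
        return wildcard_regex("*" + target + "*").match(value) is None
    raise ValueError("unknown operator: " + op)


def evaluate(node, events):
    """Recursively evaluate a correlation tree against one set of candidate events.

    `events` maps an event name to its fields. `node` is one of:
      {"op": "And" | "Or", "items": [...]}                  a correlation group
      {"event": E, "op": "Exists"}                         an event of type E is present
      {"event": E, "field": F, "op": O, "value": V}        compare E.F with a Text Constant
      {"event": E, "field": F, "op": O, "ref": (E2, F2)}   compare E.F with E2.F2
    """
    if "items" in node:
        results = (evaluate(child, events) for child in node["items"])
        return all(results) if node["op"] == "And" else any(results)
    event = events.get(node["event"])
    if node["op"] == "Exists":
        return event is not None
    if event is None:
        return False
    if "ref" in node:
        ref_event, ref_field = node["ref"]
        target = events.get(ref_event, {}).get(ref_field)
        if target is None:
            return False
    else:
        target = node["value"]
    return compare(node["op"], event.get(node["field"]), target)


# A filter in the style of the console: administrative logons that are not
# service accounts, either from the 10.0.5.* subnet or preceded by a failure.
ADMIN_LOGON_FILTER = {"op": "And", "items": [
    {"event": "UserLogon", "field": "DestinationAccount", "op": "Equals", "value": "admin*"},
    {"event": "UserLogon", "field": "DestinationAccount", "op": "Does Not Contain", "value": "svc"},
    {"op": "Or", "items": [
        {"event": "UserLogon", "field": "SourceMachine", "op": "Equals", "value": "10.0.5.*"},
        {"event": "UserLogonFailure", "op": "Exists"},
    ]},
]}

# A field-to-field condition: the successful logon came from the same machine
# as the failure in the same correlation.
SAME_MACHINE = {"event": "UserLogon", "field": "SourceMachine", "op": "Equals",
                "ref": ("UserLogonFailure", "SourceMachine")}

# Constructed sample correlations (field names modelled on LEM alert fields).
CASES = {
    "admin from 10.0.5 subnet": {
        "UserLogon": {"DestinationAccount": "Administrator", "SourceMachine": "10.0.5.17"}},
    "service account": {
        "UserLogon": {"DestinationAccount": "admin-svc-backup", "SourceMachine": "10.0.5.17"}},
    "admin elsewhere, no failure": {
        "UserLogon": {"DestinationAccount": "admin2", "SourceMachine": "192.168.1.9"}},
    "admin elsewhere after a failure": {
        "UserLogon": {"DestinationAccount": "admin2", "SourceMachine": "192.168.1.9"},
        "UserLogonFailure": {"DestinationAccount": "admin2", "SourceMachine": "192.168.1.9"}},
}


def run_cases(tree=ADMIN_LOGON_FILTER):
    """Evaluate `tree` against every sample case; returns {case name: captured?}."""
    return {name: evaluate(tree, events) for name, events in CASES.items()}


if __name__ == "__main__":
    for name, captured in run_cases().items():
        print(f"{'CAPTURED' if captured else 'ignored':8} {name}")
    print("same machine:", run_cases(SAME_MACHINE))
```

Note how the group operator decides the outcome of the third case: with Or, one true branch is enough, so the logon from outside 10.0.5.* is captured only when a UserLogonFailure is present in the same correlation. Switching that inner group to And would require both conditions, which is the distinction step 7 draws between And (blue) and Or (orange).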

Create a LEM filter from a specific event


To create a new LEM filter for a specific event type, click Create a Filter From This Event at the top of the
Event Details pane.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
Log in as an administrator or auditor.
 2. Click Monitor to open Monitor view.
 3. In the Event Grid select the event that you want to create a filter for.
 4. Click Create a Filter From This Event.
A new filter displays in the Filters pane.
 5. (Optional) Modify the new filter to display more specific data.
 a. Select the filter in the Filters pane.
 b. Click the gear icon at the top of the Filters pane, and then select Edit.
 c. Edit the filter by selecting the Events tab in Filter Creation, selecting fields to monitor more
specific details of this event type, and then clicking Save.

Manage LEM filter categories: Add, edit, view, and more
This topic describes how to work with filter categories (which the LEM console calls filter groups). Use these
steps to customize filter categories to suit your needs. See "About LEM filters and filter categories" on
page 233 for general information about filter categories.

In this topic:

  • Add a new filter category 244

• Rename a filter category 244

• Move a filter category up in the list 245

• Move a filter to another category 245

• Move a filter category to another workstation 245

• Create a backup copy of a filter category for archival purposes 246

• Export a filter or filter category 246

• Import a filter or filter category 246

• Delete a filter category 247

Add a new filter category


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Monitor.
 3. In the Filters pane, click and select New Group.
A new filter category appears in the Filters pane.
 4. Enter a name for the category and press Enter.
The new filter category appears in the Filters list.

Rename a filter category


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Monitor.
 3. In the Filters pane, select the category you want to rename.


 4. Click and select Edit.
 5. Enter a new name for the category and press Enter.
The category name is changed.

Move a filter category up in the list


By default, new filter categories appear at the bottom of the Filters pane. You can rearrange them so that
they appear in a different order.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Monitor.
 3. In the Filters pane, click and drag the filter category title bar to a new position.

Move a filter to another category


You can click and drag filters between categories.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Monitor.
 3. In the Filters pane, click to expand the filter category that contains the filter you want to move.
 4. Click and drag the filter to another category.

The filter appears in its new category.

Move a filter category to another workstation


See "Export a filter or filter category" on the facing page for steps.

Create a backup copy of a filter category for archival purposes
See "Export a filter or filter category" below for steps.

Export a filter or filter category


Export filters when you need to:

 l Move one or more filters to another workstation so that another LEM console user can use the
same filters
 l Export one or more filters to a folder for backup or archival purposes
 l Send SolarWinds Technical Support a copy of the filter for troubleshooting purposes

Use the Export Filter command to export a single filter. Use the Export Filter Group command to export all
of the filters in a filter category.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Monitor.
 3. In the Filters pane, select the filter or the filter category that you want to export.
 4. Click and select Export Filter or Export Filter Group.
The Save As dialog box opens.
 5. Choose the location that you want to save the file to, and click Save.
The exported filter file is saved with a .swfil file extension.
The exported filter group file is saved with a .swfgp file extension.

Import a filter or filter category


Use the Import Filters/Group command to import either a .swfil filter file, or a .swfgp filter group file
into LEM. See "Export a filter or filter category" above to create the .swfil or .swfgp file.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Monitor.
 3. If importing a single filter, select the filter category that you want to add the imported filter to.
 4. Click and select Import Filters/Group.
The Open dialog box opens.
 5. Navigate to the filter or filter group file that you want to import.
Filter files have a .swfil file extension; filter group files have a .swfgp file extension.
 6. Click Open.
The filter or filter category is added to the Filters pane.


Delete a filter category


Before you delete a filter category, move any filters that you want to save to another filter category.

Deleting a filter category deletes all of the filters stored within that category, as well as all of the
widgets associated with the filters.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Monitor.
 3. In the Filters pane, select the filter category you want to delete.
 4. Click in the filter header.
 5. Click Yes to confirm the delete.
The filter category and all of its filters are deleted. The filter category no longer appears in the Filters pane.

Manage LEM filters: Add, edit, view, and more
This topic describes how to work with filters in the LEM console. See "About LEM filters and filter
categories" on page 233 for general information about filter categories.

See "Building custom filter and rule expressions in LEM" on page 330 to learn how to write filter
and rule expressions.

In this topic:

  • Open filters in the LEM console 248

• Manage filter-based widgets in Monitor view 249

• Create a new filter 249

• Edit an existing filter 250

• Share a filter with another user 251

• Clone a filter 251

• Copy a filter 251

• Create a backup copy of a filter for archival purposes 251

• Export a filter 252

• Import a filter 252

• Delete a filter 252

• Send a filter to nDepth 252

Open filters in the LEM console


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Monitor.
The LEM console switches to Monitor view. The Filters pane in the top left corner lists filters and filter
categories.
 3. Click a filter category to expand it and view its filters.
 4. Click a filter to view its events in the event grid.


Manage filter-based widgets in Monitor view


See "The Monitor view" on page 503.

Create a new filter


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Monitor.
 3. In the Filters pane, click to select a filter category for the new filter. This tells LEM which category to
add the filter to.
 4. Click in the Filters toolbar and select New Filter.
The Filter Creation window opens.

 5. Complete the form.

See "Building custom filter and rule expressions in LEM" on page 330 to learn how to write
filter and rule expressions.

 l See the following table for help completing the Filter Creation page.
 l Use the Filter Status section to verify, troubleshoot, and resolve any problems with the filter
logic.
 6. Click Save.
The new filter displays in the selected filter group.

The Filter Creation form fields

COLUMN | DESCRIPTION
Name | Enter a filter name. This name will identify the filter in the Filters pane.
Lines Displayed | Select the total number of events to display for this filter. You can select up to 2,000 lines. The default value is 1,000 lines.
Description | Enter a short description of the filter.
Conditions (box) | Drag one or more event(s) and/or LEM group(s) into the Conditions box. See "Create conditions to filter event reporting" on page 337 for more information.
Notifications (box) | To have LEM display a notification when a filter captures an event, drag the notification from the Notifications group into the Notifications box and configure the notification method. Notifications include displaying a pop-up message, displaying new events as unread, playing a sound, or using blinking text to display the filter name.

Edit an existing filter


You can edit an existing filter using the Filter Creation window. After you open the filter, you can change
the name, description, configuration, and notification settings.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Monitor.
 3. In the Filters pane, expand the filter group that contains the filter that you want to edit.
 4. Select the filter to edit, then click on the Filters toolbar and select Edit.
The selected filter opens in the Filter Creation window.
 5. Edit the Filter Creation form as needed.
Use the Filter Status section to verify, troubleshoot, and resolve any problems with the filter logic.
 l See "The Filter Creation form" on page 512 for help completing the form.
 l See "Get started building custom filter expressions in LEM" on page 335 for information about
constructing filters.
 6. Click Save to save your changes.


Share a filter with another user


See "Export a filter or filter category" on page 246 for steps.

You need the Administrator or Auditor role to share a filter with another user. To share a filter with
Monitor-role users, see "Specify the filters that users assigned the Monitor role can use in the LEM
console" on page 129.

Clone a filter
When you clone a filter, you copy an existing filter and label it with a new name. Cloning allows you to
quickly create filter variations.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Monitor.
 3. In the Filters pane, select the filter that you want to clone.
 4. Click on the Filters toolbar and select Clone.
LEM creates a cloned copy of the filter below the original filter and appends Clone to the name.
 5. To edit the filter and rename it, select the filter, click , and select Edit.
 6. Edit the Filter Creation form and click Save.
The cloned filter is saved to your Filters list.

Copy a filter
Copy a filter if you want the filter to appear in more than one filter category.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Monitor.
 3. In the Filters pane, open the filter group that contains the filter that you want to copy.
 4. In the Filters pane, select the filter category that you want to copy the filter to.
 5. Select the filter that you are copying, then press Ctrl and drag the filter to the targeted group.
A copy of the filter appears in the new filter group.

Create a backup copy of a filter for archival purposes


See "Export a filter or filter category" on page 246 for steps.

Export a filter
See "Export a filter or filter category" on page 246 for steps.

Export a filter when you need to:

 l Move a filter to another workstation so that another LEM console user can use the same filter
 l Export a filter to a folder for backup or archival purposes
 l Send SolarWinds Technical Support a copy of a filter for troubleshooting purposes

Import a filter
See "Import a filter or filter category" on page 246 for steps.

Use the Import a filter command to import a .swfil file into LEM.

Delete a filter
Deleting a filter will also delete any widgets associated with the filter. Deleted filters and widgets
cannot be restored.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Monitor.
 3. In the Filters pane, select the filter that you want to delete.
 4. Click next to the filter.
 5. Click Yes to confirm the delete.
The filter disappears from the Filters pane.

Send a filter to nDepth


To view historical filter data about a filter while in Monitor mode, select the filter, click in the Filters
pane, and select Send to nDepth. The console will open the filter in the nDepth search engine under
Explore mode. See "Choose a filter in Monitor view to send to nDepth for historical search" on page 352
for steps.


Start, stop, and pause filters in LEM


This topic describes how to start, stop, and pause filters in the LEM console.

In this topic:

  • About starting, stopping, and pausing filters 253

• Turn a LEM filter on 253

• Turn a LEM filter off 253

• Pause one LEM filter 254

• Pause all LEM filters 254

About starting, stopping, and pausing filters


Filters start collecting events from the moment they are turned on. Turn off LEM filters that you do not
need to conserve system resources. Pause a filter if you need to inspect a set of event messages and you
do not want to see new incoming messages scrolling across the grid. You can pause one filter or all filters
in the console.

See "About LEM filters and filter categories" on page 233 for general information about filters.

Turn a LEM filter on


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Monitor.
 3. In the Filters pane, select the filter that you want to turn on.
 4. Click in the Filters pane and choose Turn On.
The filter is now active and the title no longer appears grayed out.

Turn a LEM filter off


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Monitor.
 3. In the Filters pane, select the filter you want to turn off.
 4. Click in the Filters pane and choose Turn Off.
The filter title changes to gray italics to indicate that it is off.

Pause one LEM filter
 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Monitor.
 3. In the Filters pane, select the filter you want to pause.
The event grid updates to display the filter you selected.
 4. Click and choose Pause.
A label with the word Paused appears next to the filter.
To resume, click and select Resume.

Pause all LEM filters


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Monitor.
 3. In the Filters pane, click and choose Pause All.
A label with the word Paused appears next to all filters that are not turned off.
To resume, click and select Resume All.


LEM widgets and the Ops Center: Visually monitor network events in LEM
In this chapter:

  • About LEM widgets 256

• Manage LEM widgets with Widget Manager: Add, edit, and more 261

• Create and edit widgets with Widget Builder 265

• Using nDepth widgets in LEM 270

About LEM widgets
This topic provides general information about widgets.

In this topic:

  • Widget icons 257

• View specific widget data 257

• Refresh widget data 258

• View a widget legend 258

• Widgets that ship with the LEM console 258

Widgets present important high-level information in an easy-to-read graphical format, such as a chart or a
graph. They provide special dashboard functionality, such as displaying real-time information about
network activity, or providing tools for investigating events and related details.

LEM provides a library of widgets, or you can create your own by using filters that you have customized to
monitor specific activity. If your widget includes charts, you can click a specific line, bar, or pie wedge to
open the source filter. The corresponding filter opens the Monitor view, and displays the targeted filter
information. The filter lists only the events that correspond with the selected chart item.

See "Open a filter from a widget" on page 263 for information about using widget filters.

In the LEM console, widgets are primarily displayed in OpsCenter View. You can add and arrange widgets
on this page as needed to help troubleshoot network issues and recognize potential problems before they
occur. Widgets also appear in Monitor view and Explore > nDepth view.

 l In Monitor view, widgets allow you to view graphical views of your filters along with their grid-based
views. See for more information.
 l In nDepth view, each widget represents a high-level graphical view of the specific network activity
associated with your nDepth search results. See "Using nDepth widgets in LEM" on page 270 for
details.

You can edit or remove existing widgets, or rearrange widgets to meet your personal preferences. Widgets
can be resized, but sizes and aspect ratios are enforced to keep the Ops Center tidy and organized.

To get started with widgets, click a widget and review its ToolTips for more information, or use the control
options on the toolbar to change the widget setting display format.


Widget icons
Each button on the widget toolbar performs one of the following functions:

 l Opens the widget in the Widget Builder to edit its settings.
 l Rotates (flips) the widget interface to display the presentation format settings.
 l Refreshes the widget data.
 l Maximizes the widget to full-screen mode.
 l Deletes the widget from the dashboard (in normal dashboard mode).
 l On a rotated (flipped) widget, closes widget edit mode and returns the widget to its normal view.
 l Opens the widget legend.

View specific widget data


Widget graphs and charts display basic high-level information. Each widget includes tooltips that provide
specific data about each bar, line, or wedge in the chart. This information is typically the reported event,
event group, or event field and its corresponding occurrences.

To view specific chart data, mouse over a bar, line, or pie slice and the tooltip appears, providing specific
data about your targeted item.

Refresh widget data
On the widget toolbar, click refresh to display the latest data from your network. Widgets automatically
refresh according to the refresh rate configured in the widget. If a widget has a slow refresh rate (as
indicated at the bottom of the widget), you can click refresh or edit the Refresh setting in the widget.
Refreshing a widget displays the most current real-time data from your network traffic.

View a widget legend


Each widget bar chart, graph, and pie chart includes a legend that defines the items in the illustration.
Click to view the legend.

Widgets that ship with the LEM console


The following table describes the widgets that ship with the LEM console.

WIDGET NAME/FILTER                      DESCRIPTION
All Events                              Displays all events from all filters.
Events by Event Type                    Displays a count of the top 10 events by event type (event name).
Events by Connector Name                Displays the number of events captured by each configured connector, over time.
Events per Minute                       Displays the total count of events per minute for the last 15 minutes.
Change Management                       Displays events related to changes occurring on the network.
Change Management Events by Agent       Displays the top 10 Agents generating change management events.
Change Management Events by Type        Displays the top 10 change management events by event type.
Failed Logons                           Displays all user account failed logon attempts.
Failed Logons by User Account           Displays the top five failed logons by user account name.
File Audit Failures                     Displays FileAuditFailure events that show failed attempts to access audited files.
File Audit Failures by File Name        Displays the top 10 file names generating file audit failures.
File Audit Failures by Source Account   Displays the top 10 source accounts generating file audit failures.
Firewall                                Displays all events from firewall devices.
Firewall Events by Firewall             Displays the top five firewalls generating firewall events.
Firewall Events by Type                 Displays the top five firewall events by event type.
Incidents                               Displays all Incident events.
Incidents by Rule Name                  Displays the top five incidents by the name of the rule that generated the Incident.
Interactive Logons by User Account      Displays the top 10 interactive user logons by user account name.
My Rules Fired by Rule Name             Displays the top five subscribed events by the name of the rule that generated them.
Network Events                          Displays all Network events.
Network Events by Source Machine        Displays the top 10 machines generating network events.
Network Event Trends                    Displays the top 10 network-related events by event type.
Rule Activity                           Shows all of the rules that have fired.
Rules Fired by Rule Name                Displays the top five rules fired by rule name.
Security Processes                      Displays process launches and exits from processes in the "Security Processes"
                                        User-Defined Group, which is used to monitor critical security-related processes.
Security Processes by Agent             Displays the top 10 Agents generating security process events.
Subscriptions                           Displays events created by rules you are "Subscribed" to in the Rules area.
SolarWinds Events                       Displays all Internal events (events generated during operation of the LEM).
Unusual Network Traffic                 Displays events that indicate unusual or suspicious network traffic.
Unusual Network Traffic by Destination  Displays the top five destinations for unusual network traffic.
Unusual Network Traffic by Source       Displays the top 10 sources of unusual network traffic.
USB-Defender                            Displays all USB-Defender events.
USB-Defender Activity by Detection IP   Displays the top five Agents with the most USB-Defender events.
USB File Auditing                       Displays USB-Defender's File Auditing events.
USB File Auditing by Detection IP       Displays the top five Agents with the most USB file auditing events.
User Logons                             Displays all user account logons.
User Logons by Agent                    Displays the top five Agents reporting user logons.
User Logons by Source Machine           Displays the top five user logons by source machine.
User Logons by User Account             Displays the top 10 user logons by user account name.
User Logons (Interactive)               Displays interactive user account logons.
Virus Attacks                           Displays all virus attack events.
Virus Attacks by Source Machine         Displays the top five sources of virus attacks or infections.


Manage LEM widgets with Widget Manager: Add, edit, and more
Use the Widget Manager to manage your dashboard widgets.

In this topic:

  • About the Widget Manager 261

• Locate widgets 262

• Add a master widget to the dashboard 262

• Edit a dashboard widget 263

• Delete a dashboard widget 263

• Open a filter from a widget 263

• Move (relocate) a widget 264

• Resize a widget 264

About the Widget Manager


Widget Manager includes Widget Builder, which provides the tools you need to create new master widgets.
Master widgets are widget templates located in LEM's Widget Manager categories list. Copy a master widget
to the OpsCenter dashboard or to Monitor view to create a dashboard widget. Because all dashboard
widgets operate independently of the master widget, editing a master widget will not impact the
corresponding dashboard widget.

Using Widget Manager, you can:

 l Create, edit, and delete master widgets


 l Add or delete widgets from the dashboard

To access Widget Manager, click the Ops Center view and then click Widget Manager.

This screen capture shows the "Widget manager" portion of the Ops Center view in the LEM console:

Locate widgets
Widgets are stored in the Ops Center and Monitor views.

The Ops Center view stores all master widgets in the Widget Manager Categories list. Dashboard widgets
are not stored in the Widget Manager.

The Monitor view displays master widgets in the Widgets pane based on the filter you select as a data
source. Dashboard widgets do not appear in the Widgets pane.

Add a master widget to the dashboard


You can add a copy of a master widget to the dashboard from the Widgets pane or Widget Builder. After
you copy the widget to the dashboard, you can edit the widget as required. The original widget remains
with its filter in the Categories pane.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Ops Center to open the Ops Center view.
 3. Click Widget Manager in the Ops Center toolbar.
 4. Select a filter in the Categories pane.
 5. In the Widgets pane, select an available widget.
 6. Click Add to Dashboard or drag the widget to the dashboard.
The widget is saved to the Ops Center dashboard.
To re-position the widgets on the dashboard, drag them to a new position.


Edit a dashboard widget


You can edit a dashboard widget without affecting the corresponding master widget. During the edit, the
Save to Dashboard option is disabled.

 1. Locate a widget in the Ops Center dashboard.


 2. Click on the widget toolbar.
 3. Edit the widget in Widget Builder as required.
 4. Click Save.
The widget is updated based on your new settings.

Delete a dashboard widget


Widgets can only be deleted from the Ops Center. You can delete dashboard widgets directly from the
dashboard.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Open the Ops Center view.
 3. In the dashboard, locate the widget you want to delete.
 4. Click on the widget toolbar.
 5. When prompted, click Yes.
The widget is deleted from the dashboard.

You can recreate the dashboard widget from the master widget.

Open a filter from a widget


 1. Click the Ops Center tab.
 2. In the dashboard, locate the appropriate widget.
 3. On the widget, click a chart element (line, bar, or pie wedge).
The Monitor view appears, displaying the filter used for the widget data source.

If your selected item does not appear in the Monitor event grid, modify the Scope setting in
the widget.

 4. Click Ops Center in the top left corner to return to the dashboard.

Move (relocate) a widget
 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click the Ops Center tab.
 3. Click Widget Manager to close the Categories and Widgets panes (if required).
 4. Click and hold the targeted widget header.
 5. Drag the widget to a new location.
The remaining widgets rearrange on the dashboard to accommodate the new location.
 6. Release the mouse button and drop the widget in the new location.

Resize a widget
To view a widget in full-screen mode, click maximize in the widget toolbar. To return the widget to its
original size, click maximize again.

To resize a widget in the dashboard, click and drag the bottom right corner of the widget until your desired
size is highlighted in the dashboard grid. When you release the mouse button, the widget adjusts to your
new size.


Create and edit widgets with Widget Builder


This topic describes how to configure the Widget Builder form when creating and editing widgets.

In this topic:

  • Create a new widget 265

• Edit a master widget 266

• Edit a dashboard widget 266

• Configure the Widget Builder form 267

Widget Manager includes Widget Builder, which you will use to edit an existing widget or to create a new
master widget. After you create a widget, you can save a copy to the Ops Center dashboard.

Use the Widget Manager to edit any master widget associated with a filter. Edit a widget to change the
widget's name, behavior, or appearance, or if you want to create a new dashboard widget based on a
master widget configuration. When you save the widget, the widget displays in the Widget Manager and
the Widgets pane in the Monitor view.

Because all dashboard widgets operate independently of the master widget, editing a master
widget will not impact the corresponding dashboard widget. As a result, you can use a master
widget as a template for creating variations of the same widget for the dashboard.

Create a new widget


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Ops Center to open the Ops Center view.
 3. Click Widget Manager in the Ops Center toolbar.
 4. Click in the Categories toolbar to open Widget Builder.
 5. Complete the Widget Builder form:
 a. See "Enter the general widget settings" on page 267 for help.
 b. See "Enter the visual configuration settings" on page 268 for help.
 c. See "Enter the data configuration settings" on page 268 for help.
 6. (Optional) Select the Save to Dashboard check box to save a copy to the Ops Center dashboard.

 7. Click Save.
The new widget displays in the Widgets pane and is stored in the Categories pane under your selected filter
category.
If you selected the Save to Dashboard check box, the widget also appears in the Ops Center
dashboard.

Edit a master widget


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Ops Center to open the Ops Center view.
 3. Click Widget Manager in the Ops Center toolbar.
 4. Select a filter in the Categories pane.
The associated widgets display in the Widgets pane.
 5. Drag the scroll bar to locate your targeted widget.
 6. Click in the Categories toolbar.
 7. Edit the widget configuration in Widget Builder as required:
 a. See "Enter the general widget settings" on the next page for help.
 b. See "Enter the visual configuration settings" on page 268 for help.
 c. See "Enter the data configuration settings" on page 268 for help.
 8. (Optional) Select the Save to Dashboard check box to save a copy to the Ops Center dashboard.
 9. Click Save.
The new widget configuration appears in the Widgets pane.
If you selected the Save to Dashboard check box, the widget also appears in the Ops Center
dashboard.

Edit a dashboard widget


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Ops Center to open the Ops Center view.
 3. Select a widget window and click Edit at the top of the widget window.
 4. Update the form as needed:
 a. See "Enter the general widget settings" on the next page for help.
 b. See "Enter the visual configuration settings" on page 268 for help.
 c. See "Enter the data configuration settings" on page 268 for help.
 5. Click Save.
The updated widget configuration displays in the Ops Center Widget Manager and in the Widgets pane of the
Monitor tab.


Configure the Widget Builder form


The following sections document the Widget Builder form.

In this section:

  • Enter the general widget settings 267

• Enter the visual configuration settings 268

• Enter the data configuration settings 268

Enter the general widget settings


 1. In the Name field, enter a name for the widget.

 2. In the Description field, enter a description for the widget (up to 80 characters).
 3. Click the Filter drop-down menu and select the filter data source.
When you select your filter data source, use the following conventions:
 l If the filter appears in italics, the filter is turned off.
 l If you create a widget from a disabled filter, the widget will not display any chart information
until the filter is re-enabled.
 l When you create a widget in the Monitor tab, this field defaults to the currently-active filter. If
you select a different filter, the widget will be associated with your targeted filter and not the
active filter.
 l When you create a widget in the Ops Center tab, this field defaults to the first option in the
list.
 4. Enter the visual configuration settings.

Enter the visual configuration settings
 1. Click the Visualization Type drop-down menu and select the appropriate graph.

 2. Click Color and select a color palette for the chart or graph.
 3. (Optional) In the X Axis Label field, enter a name for the chart or graph horizontal axis.
 4. (Optional) In the Y Axis Label field, enter a name for the chart or graph vertical axis.
 5. Enter the data configuration settings.

Enter the data configuration settings


 1. Click the Field drop-down menu and select a data field to report in the widget.

 2. Click the Show drop-down menu and select the data frequency reported in the widget.
Select Count to count the number of occurrences for the selected Field value. For example, if you
select EventID in the Field drop-down menu, the widget will count the number of events.
Select Distinct Count to count the number of occurrences when a unique event occurs. For example,
if you select a Field value such as Event Name or Detection IP, the widget counts each specific value
once. This option reports all values as 1 in a single-dimension chart. As a result, this option is best
suited for multidimensional charts.
 3. Click the Sort drop-down menu and select the data sort method.
 a. Select Descending to list the data from highest to lowest (Z to A or 10 to 1).
 b. Select Ascending to list the data from lowest to highest (A to Z or 1 to 10).
 4. (Optional) Click the Versus drop-down menu and select another data field (displayed in ascending
order) for second data dimension in the chart.
 5. (Optional) Click the Split By drop-down menu and select another data field (displayed in ascending
order) for a third data dimension in the chart.


 6. Click the Limit drop-down menu and select a value that limits the number of items to chart.
The default value is 5.
 7. Click the Scope drop-down menus and select the appropriate time frame reported by the chart or
graph.
For example, selecting a scope of 30 minutes will display the last 30 minutes of data in the chart or
graph.
Choose a narrow scope for frequent events. Choose a wide scope for events that rarely occur.
 8. Click the Resolution drop-down menus and select the time values (displayed as tick marks) for the
horizontal X-axis in the chart. This value is required when Versus is a time field.
For example, if your Scope is 30 minutes, you can set the Resolution to five minutes to indicate five-
minute tick marks on the X-axis.
 9. Click the Refresh drop-down menus and select the data refresh rate for the widget display.
 10. Click Save.
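The following Python sketch is an added illustration, not code from LEM, of what the data configuration settings above do to a filter's events: Scope drops events older than the window, Count and Distinct Count aggregate the Field value, a Versus field (time buckets sized by Resolution when Versus is a time field) adds the second dimension, and Sort and Limit trim the series. The events, the Failed Logons stand-in filter, and the widget_series and time_bucket helpers are constructed for the example; the field names mimic LEM's normalized event fields. The Distinct Count versus DetectionIP case shows why that option matters: two hosts with three failed logons each look identical under Count, but Distinct Count separates one account hammered three times from three accounts tried once each.

```python
"""Added example (not LEM code): how a widget's data configuration settings,
Scope, Field, Show, Versus, Resolution, Sort and Limit, turn a filter's
normalized events into the series a chart plots. The events are constructed
sample data; field names follow LEM's normalized event fields."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

BASE = datetime(2016, 7, 21, 8, 0)
NOW = BASE + timedelta(minutes=30)


def ev(minute, name, ip, account):
    """Build one constructed normalized event, `minute` minutes after BASE."""
    return {"EventName": name, "DetectionIP": ip, "SourceAccount": account,
            "Time": BASE + timedelta(minutes=minute)}


# Constructed sample: one account failing three times from one host (brute
# force), three accounts failing once each from another host (spraying), one
# successful logon, and one failure old enough to fall outside a 30-minute scope.
EVENTS = [
    ev(2, "UserLogonFailure", "10.0.0.5", "alice"),
    ev(3, "UserLogonFailure", "10.0.0.5", "alice"),
    ev(4, "UserLogonFailure", "10.0.0.5", "alice"),
    ev(6, "UserLogonFailure", "10.0.0.7", "bob"),
    ev(7, "UserLogonFailure", "10.0.0.7", "carol"),
    ev(8, "UserLogonFailure", "10.0.0.7", "dave"),
    ev(12, "UserLogon", "10.0.0.9", "alice"),
    ev(-20, "UserLogonFailure", "10.0.0.5", "eve"),
]

# A widget's data source is a filter; this stands in for the "Failed Logons" filter.
FAILED_LOGONS = [e for e in EVENTS if e["EventName"] == "UserLogonFailure"]


def time_bucket(t, resolution_minutes):
    """Floor a timestamp to the start of its Resolution bucket (one X-axis tick)."""
    floored_minute = (t.minute // resolution_minutes) * resolution_minutes
    return t.replace(minute=floored_minute, second=0, microsecond=0)


def widget_series(events, field, show="Count", versus=None, resolution_minutes=None,
                  scope_minutes=30, now=NOW, sort="Descending", limit=5):
    """Return the (key, value) pairs a widget would chart.

    Scope keeps only events from the last `scope_minutes`. With no Versus field
    the chart has one dimension: Count gives occurrences per `field` value and
    Distinct Count gives 1 per value. With a Versus field the chart is keyed by
    that field (time buckets when Versus is Time, which needs a Resolution):
    Count is events per key, Distinct Count is the number of different `field`
    values seen under each key.
    """
    cutoff = now - timedelta(minutes=scope_minutes)
    scoped = [e for e in events if cutoff < e["Time"] <= now]
    if versus is None:
        if show == "Count":
            series = dict(Counter(e[field] for e in scoped))
        else:  # Distinct Count in one dimension: every value is counted once
            series = {v: 1 for v in {e[field] for e in scoped}}
        ordered = sorted(series.items(), key=lambda kv: (kv[1], str(kv[0])),
                         reverse=(sort == "Descending"))
    else:
        if versus == "Time" and resolution_minutes is None:
            raise ValueError("Resolution is required when Versus is a time field")
        groups = defaultdict(list)
        for e in scoped:
            key = time_bucket(e["Time"], resolution_minutes) if versus == "Time" else e[versus]
            groups[key].append(e[field])
        series = {k: (len(v) if show == "Count" else len(set(v))) for k, v in groups.items()}
        ordered = sorted(series.items())  # a Versus dimension is displayed in ascending order
    return ordered[:limit]


if __name__ == "__main__":
    print(widget_series(FAILED_LOGONS, "SourceAccount"))                         # brute-forced account on top
    print(widget_series(FAILED_LOGONS, "SourceAccount", show="Distinct Count"))  # every bar is 1
    print(widget_series(FAILED_LOGONS, "SourceAccount", versus="DetectionIP"))   # both hosts: 3
    print(widget_series(FAILED_LOGONS, "SourceAccount", show="Distinct Count",
                        versus="DetectionIP"))                                   # 1 account vs 3 accounts
    print(widget_series(FAILED_LOGONS, "EventName", versus="Time", resolution_minutes=5))
```

Running the block prints the five series; the last call fails with ValueError if Resolution is omitted, mirroring the requirement in step 8.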

Using nDepth widgets in LEM
This topic documents how to use widgets in the Explore > nDepth view of the LEM console. For general
information about widgets, see "About LEM widgets" on page 256

In this topic:

  • About nDepth widgets 270

• View nDepth widget details 271

• Create a search string from a widget item 271

• Add a new nDepth widget 271

• Edit an nDepth widget 272

• Add a chart widget to the nDepth dashboard 272

About nDepth widgets


nDepth includes a variety of commonly-used widgets similar to the widgets in the Ops Center. Each widget
represents a high-level graphical view of the specific network activity associated with your nDepth search
results. The widget displays the primary items generating an activity, as well as the count (or number of
incidents) for each item.

Use nDepth explorer views to create new widgets, change the look of existing widgets, add widgets to the
nDepth Dashboard, and remove widgets you no longer use. Click refresh on the widget toolbar to
display the latest data from your network.


View nDepth widget details


Click or point to an item in the widget to view details and statistics about the item.

Create a search string from a widget item


You can use items in widgets or any of the nDepth graphical tools to create new search strings, or to
append existing search strings.

 1. On the search bar, click to delete the existing search string.
 2. Click an item on a widget.
A new search string associated with the widget item appears in search box.

To append an existing search string with an item from a widget, click an item on the widget. In the search
box, a new search string associated with the widget item is appended to the existing search string.

Add a new nDepth widget


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Open the Explore > nDepth view.
 3. Click a view on the nDepth toolbar, such as bar charts, line charts, pie charts, or bubble charts.
The corresponding view appears.
 4. On the view title bar, click to open the nDepth widget builder.
 5. Complete the Widget Builder selections to configure the new widget. See "Configure the Widget
Builder form" on page 267 for help.
The new widget appears at the bottom of the chart view. When you configure the widget and choose
the Save to Dashboard option, the new widget also appears at the bottom of the nDepth dashboard.

Edit an nDepth widget
 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Open the Explore > nDepth view.
 3. Click a view on the nDepth toolbar, such as bar charts, line charts, pie charts, or bubble charts.
 4. Click on the widget you want to edit.
 5. Use the nDepth Widget Builder to reconfigure the widget. See "Configure the Widget Builder form"
on page 267 for help.
The updated widget appears at the bottom of the view.
When you configure the widget and choose the Save to Dashboard option, the new widget also
appears at the bottom of the nDepth dashboard.
 6. Click to refresh the widget data.

Add a chart widget to the nDepth dashboard


You can add an nDepth view (such as word cloud, tree view, or result details) to the nDepth Dashboard.
The word cloud, tree view, and result details view display by default. If you remove a view from the
dashboard, use this procedure to restore the view.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Open the Explore > nDepth view.
 3. Use the nDepth explorer toolbar to open the chart view you want to work with.
 4. In the view, locate the chart widget you want to add to the dashboard.
 5. In the widget toolbar, click to move the widget to the dashboard.
The widget is copied to the bottom of the nDepth Dashboard.
Click to minimize the widget in the dashboard. To restore the widget, scroll down and click the
widget title bar.

LEM rules: Automate how LEM responds to
events
In this chapter:

  • About LEM rules 274

• Create email templates for use with LEM rules 277

• Find and add LEM rules 281

• Create a new LEM rule to monitor and respond to events 284

• Manage LEM rules: Edit, view, export, and more 290

• Test, enable, and disable rules in LEM 294

• Use the Send Email Message action in LEM rule creation 299

• Notify a LEM user when a rule triggers an alert (Subscribe a user to a rule) 301


About LEM rules


In this section:

  • LEM rule scenarios 274

• View rules, rule categories, and rule templates in the LEM console 275

• Rule configuration requirements and best practices 275

Rules monitor event traffic and automatically respond to security events in real time, whether or not you
are watching the console. When an event (or a series of events) meets a rule's conditions, the rule prompts
the LEM Manager to take action. A response action can be passive (for example, sending an email
notification to selected users) or active (for example, blocking an IP address or stopping a process).

See "About LEM response actions" on page 304 for information about response actions.

Rules can respond to one or more events. In many cases, you can base rules on several events that LEM
correlates to trigger an action. You can also configure a rule to look for a single event.

Rules fire only on normalized event data, not on the raw log data that LEM receives.

Rules play a key role in detecting operational and compliance issues on your network, such as external
breaches, insider abuse, and policy violations. The LEM console ships with a set of preconfigured rules to
help you get started.

To view a short introductory video about rules and learn how to add preconfigured rules to LEM,
see:
http://video.solarwinds.com/watch/2imHNpmWYYZJRtV2r8ZMqB

To get started customizing preconfigured rules, see "Find and add LEM rules" on page 281

LEM rule scenarios


Countless scenarios may warrant a rule. Consider these combinations of rules and actions:

 l Respond to change management events with the Send Email Message action.
 l Respond to port scanning events with the Block IP action.
 l Respond to isolated spikes in network traffic with the Send Email Message or Disable Networking
action.

 l Respond to users playing games on monitored computers with the Send Popup Message or Kill
Process action.
 l Respond to users attaching unauthorized USB devices to monitored computers using the Detach
USB Device action.

In essence, any activity or event that can pose a threat to your network might warrant a LEM rule.

View rules, rule categories, and rule templates in the LEM console
 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Build.
The LEM console switches to Build view. Saved rules are listed in the Rules grid. The sidebar includes a
search bar, and a menu of rule categories and tags.
 3. Select a rule category in the sidebar to view a list of matching templates in the Rule Templates grid
(located below the Rules grid).

Rule configuration requirements and best practices


Review the following requirements and best practices about creating LEM rules.

Use descriptive rule names


To keep rules simple to manage, SolarWinds recommends creating the rule with a name that describes the
event.

Set the Correlation, Correlation time, and Action


Each rule requires you to define three settings:

 l Correlation: The events, and the event field values, that must match for the rule to apply. A rule can
correlate a single event or several events that LEM evaluates together.
 l Correlation time: How many matching events must occur within a rolling time window for the rule to
fire (for example, five failed logons within one minute), and the response window, the amount of time
allocated to responding to those events.
 l Action: The response that the LEM Manager takes when the rule fires.
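To make the three settings concrete, here is a small correlation engine in Python. It is an added example, not LEM's rule engine: the Rule class, the constructed failed_logon events, the send_email stand-in action, and the response-window behaviour (further matches for the same account inside the response window are folded into the open response instead of firing again) are assumptions made for the illustration. It also models Test mode, where the rule records that it fired but runs no action, and it records firings in the shape of the InternalRuleFired events you would look for in a filter or nDepth search.

```python
"""Added example, not LEM's rule engine: the three settings every rule needs
(Correlation, Correlation time, Action) as a small engine fed with constructed
normalized events. Response-window handling and Test mode are modeled as the
assumptions described in the comments."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BASE = datetime(2016, 7, 21, 8, 0)


def failed_logon(seconds, account, ip):
    """One constructed normalized UserLogonFailure event, `seconds` after BASE."""
    return {"EventName": "UserLogonFailure", "DestinationAccount": account,
            "DetectionIP": ip, "Time": BASE + timedelta(seconds=seconds)}


def send_email(event):
    """Stand-in for the Send Email Message action; returns what it would send."""
    return (f"Send Email Message: repeated logon failures for "
            f"{event['DestinationAccount']} from {event['DetectionIP']}")


class Rule:
    """Correlation (which events match), Correlation time (how many, in what
    window, plus the response window) and Action, with an optional Test mode."""

    def __init__(self, name, correlation, correlation_key, count, window_minutes,
                 response_window_minutes, action, test_mode=False):
        self.name = name
        self.correlation = correlation            # predicate over one normalized event
        self.correlation_key = correlation_key    # field whose value groups the events
        self.count = count                        # matching events needed ...
        self.window = timedelta(minutes=window_minutes)   # ... within this rolling window
        self.response_window = timedelta(minutes=response_window_minutes)
        self.action = action                      # callable(event) -> str; skipped in Test mode
        self.test_mode = test_mode
        self._recent = defaultdict(deque)         # key -> times of matching events in the window
        self._last_fired = {}                     # key -> time the rule last fired for that key
        self.fired = []                           # InternalRuleFired-style records

    def feed(self, event):
        """Evaluate one event (events arrive in time order). Return the fired record or None."""
        if not self.correlation(event):
            return None
        key, now = event[self.correlation_key], event["Time"]
        recent = self._recent[key]
        recent.append(now)
        while now - recent[0] > self.window:      # rolling window: forget events that aged out
            recent.popleft()
        if len(recent) < self.count:
            return None
        last = self._last_fired.get(key)
        if last is not None and now - last < self.response_window:
            return None   # assumption: matches inside the response window join the open response
        self._last_fired[key] = now
        recent.clear()                            # the next firing needs a fresh burst
        record = {"EventName": "InternalRuleFired", "RuleName": self.name, "Key": key, "Time": now,
                  "ActionTaken": None if self.test_mode else self.action(event)}
        self.fired.append(record)
        return record


def brute_force_rule(test_mode=False):
    """Five failed logons for one account within one minute; respond at most once per five minutes."""
    return Rule("Brute-force logon failures",
                correlation=lambda e: e["EventName"] == "UserLogonFailure",
                correlation_key="DestinationAccount", count=5, window_minutes=1,
                response_window_minutes=5, action=send_email, test_mode=test_mode)


# Constructed stream: alice fails 5 times in 40 s (fires), then 5 more times
# inside the response window (folded in, no second firing); bob fails 3 times
# spread over 7 minutes, never 5 within a minute.
STREAM = ([failed_logon(s, "alice", "10.0.0.5") for s in (0, 10, 20, 30, 40)]
          + [failed_logon(s, "alice", "10.0.0.5") for s in (100, 110, 120, 130, 140)]
          + [failed_logon(s, "bob", "10.0.0.7") for s in (0, 200, 400)])


def run(rule, events):
    """Feed the events to the rule in time order and return the InternalRuleFired records."""
    for event in sorted(events, key=lambda e: e["Time"]):
        rule.feed(event)
    return rule.fired


if __name__ == "__main__":
    for record in run(brute_force_rule(), STREAM):
        print(record)
    for record in run(brute_force_rule(test_mode=True), STREAM):
        print("TEST MODE:", record)   # fires, but ActionTaken is None
```

The per-key deque is the rolling window: a burst must arrive inside `window_minutes` to reach `count`, so bob's slow trickle never fires, and the response window keeps a sustained attack from generating one email per burst.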

Activate a rule to upload local changes


When you create a new rule or change an existing rule, you are working on a local copy of the rule. The
LEM Manager cannot use the rule change until you activate it. Activating a rule tells the LEM Manager to
reload its enabled rules and upload updates from your local copies.

Click the Activate button to activate rules whenever you create a new rule, edit an existing rule, or change
the Enabled/Disabled or Test On/Test Off status. Otherwise, the LEM Manager will not recognize your
changes. After activating rules, LEM begins processing all enabled rules.


See "Enable and activate rules prior to testing" on page 294 for details.

Check the rule status for errors


Check the Rule Status below the Description field to view the rule status and errors. If the rule status is
good, the status displays in green.

If the rule status is not good, maximize Rule Status to view the errors.

Verify that a rule fired


Check your console for InternalRuleFired events using either a filter or nDepth search. These events
will show the triggered rule and when it occurred.

Test new rules before putting them into production


Before you put a rule into production, try it out in test mode. In test mode, the LEM Manager processes the
rule alert messages, but does not execute any rule actions. This lets you see how the activated rule will
behave without disrupting your network.

See "Testing rules in LEM" on page 295 for details.

Create email templates for use with LEM rules
Email templates are pre-formatted messages that LEM sends to users when alert events trigger a rule.

In this topic:

  • About LEM email templates 277

• Managing email templates and template folders 277

• Create or edit an email template 278

If you have not yet configured LEM to connect to your mail server, see "Set up LEM to send Email
Alerts" on page 43 to configure it now.

About LEM email templates


You can use email templates to customize your email notifications when triggered as responses in your
rules. An email template includes static and dynamic text (or parameters). The static text lets you
customize the appearance of the email. The dynamic text is filled in from the original event that triggered
the rule to fire.

Create email templates to report specific information about an alert event and variables that capture
specific parameters about that event. For example, you can report which server is affected, what time the
event occurred, or which Agent was shut down. Or you can create an Account Lockout template to notify
key personnel when an account is locked out, or automatically file a trouble ticket. Create static text to
describe the event, and incorporate dynamic text that provides the account information from the original
event.

Create templates that are specific to an event type to avoid having to create one email template per rule.
For example, you can have one template for Account Modification that can provide a notification when a
user is added or removed from a group, when a password is reset, or when other account details are
changed. There is no limit to the number of templates you can create.
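As an added illustration, not LEM's own code, the following Python rendering of an Account Lockout template shows how static text and dynamic parameters come together. The $Name placeholder syntax follows the Message field description later in this topic; the EmailTemplate class, the template text, the parameter-to-field bindings, and the lockout event are constructed assumptions. Placeholders that cannot be resolved are kept as literal text and reported, so a mistyped parameter shows up when you test the template rather than as a blank in the email.

```python
"""Added example, not LEM code: an Account Lockout email template whose
$Parameter placeholders are filled from the normalized event that fired the
rule. The template text, parameter names, their bindings to event fields and
the event itself are constructed for the illustration."""
import re
from string import Template

PLACEHOLDER = re.compile(r"\$(\w+)")


class EmailTemplate:
    """Static text plus $Parameter placeholders, as entered on the Email Template form."""

    def __init__(self, name, sender, subject, message, parameters):
        self.name, self.sender, self.subject, self.message = name, sender, subject, message
        self.parameters = list(parameters)   # the Parameters list; the rule binds each to an event field

    def placeholders(self):
        """Every $Name referenced in the subject or message text."""
        return sorted(set(PLACEHOLDER.findall(self.subject + " " + self.message)))

    def undeclared(self):
        """Placeholders used in the text but missing from the Parameters list (typos land here)."""
        return [p for p in self.placeholders() if p not in self.parameters]

    def render(self, event, bindings):
        """Fill the placeholders from `event` using `bindings` (parameter -> event field).

        Returns (subject, body, missing). A parameter with no binding, or whose
        field is absent from the event, stays as literal $Name and is listed in
        `missing`, so the gap is visible instead of silently blank.
        """
        values = {param: str(event[field]) for param, field in bindings.items()
                  if param in self.parameters and field in event}
        subject = Template(self.subject).safe_substitute(values)
        body = Template(self.message).safe_substitute(values)
        missing = [p for p in self.placeholders() if p not in values]
        return subject, body, missing


# Constructed template, matching the example given for the Message field.
LOCKOUT = EmailTemplate(
    name="Account Lockout", sender="SolarWinds",
    subject="Account lockout: $Account",
    message="Account $Account locked out at $Time on DC $DC from computer $Machine.",
    parameters=["Time", "Account", "DC", "Machine"])

# The same template with a mistyped placeholder, to show how the mistake surfaces.
TYPO = EmailTemplate(
    name="Account Lockout (typo)", sender="SolarWinds",
    subject="Account lockout: $Account",
    message="Account $Account locked out from computer $Machne.",
    parameters=["Time", "Account", "DC", "Machine"])

# Constructed lockout event: field names mimic LEM's normalized fields, values are made up.
EVENT = {"EventName": "AccountLockout", "DestinationAccount": "testuser",
         "DetectionIP": "DC1", "SourceMachine": "PC1", "Time": "7/21/2016 8:05am"}

# What the rule's Send Email Message action binds each template parameter to.
BINDINGS = {"Time": "Time", "Account": "DestinationAccount",
            "DC": "DetectionIP", "Machine": "SourceMachine"}

if __name__ == "__main__":
    print(LOCKOUT.render(EVENT, BINDINGS))
    print(TYPO.undeclared(), TYPO.render(EVENT, BINDINGS))
```

Checking undeclared() when you save a template, and missing when you test the rule, catches the two ways a parameter goes wrong: a name typed into the text that was never added to the Parameters list, and a listed parameter that the rule never bound to an event field.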

Managing email templates and template folders


You can organize your email templates into folders and sub-folders. Manage templates and folders using
the following operations:

 l Email templates – You can add, edit, clone, and delete templates, and organize them into folders.
 l Template folders – You can add, rename, move, and delete template folders as needed.


Best practices to keep rules, events, and emails simple to manage


To keep rules, events, and emails simple to manage, SolarWinds recommends the following:

 l Create the rule with a name that describes the event.


 l Create the email template with a name that describes the event.
 l In the email template subject or message, enter the event or rule name to describe the event or
alert.

When you receive the email, you can identify the email template, the rule that fired, and the event that
caused the rule to fire.

Create or edit an email template


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Open the Build > Groups view.
 3. In the Groups grid, click and select Email Template, or select one of the existing email templates.
The Email Template form displays.
If you are editing an existing template, the form shows the parameters that are configured for the
template. Clone the template, and then modify the name and parameters of the template.

 4. Complete the Email Template form.
 a. In the Details pane, enter a template name.
This will be used in rules to reference the template.
 b. To create dynamic text (parameters) for the rule:
 i. Type a name in the Name field under the Parameters list and click .
For example, DetectionIP, DestinationAccount, EventInfo, and so on. This
name is a reference to the actual event data.
 ii. Repeat this for all the parameters you want to add.

Each parameter is a variable that holds your data and places it in the right
location in the email. For example, for an Account Lockout template, consider
using the Time, Account, DC, and Machine parameters.

FIELD DESCRIPTION
LEM Manager menu (unlabeled): Select the LEM Manager that will host the template. If you are editing an
existing template, this field displays the Manager associated with the template.

Name: Enter a name for the template. The name will be used in rules to reference the template. The name
should describe the event that occurred or the destination of the email message.

From: Enter who sent the message. For example, you can enter SolarWinds or Manager.

Subject: Enter a subject for the message. The subject should indicate the nature of the alert event.
To use a Parameter, enter the name as it appears in the parameters list, including the dollar sign, or drag it
from the Parameters list into where you want it to appear in the subject.
Using a dynamic Parameter in the Subject provides a subject that includes the user account name, source,
or any other text from the originating event.

Message: Enter the email message that LEM sends when an event occurs. Select and drag a parameter from
the Parameters list to the appropriate place in the message text. Parameters serve as placeholders for
information that LEM Manager fills in when the email is sent.
You can use a combination of static and dynamic text, such as Account $Account locked out at $Time on
DC $DC from computer $Machine. This would display the following: Account testuser locked out at
7/21/2016 8:05am on DC DC1 from computer PC1

page 279

Parameters: Lists the variables that provide placeholders for specific items within the message text. When
LEM sends the message, LEM Manager prompts you to fill in the message variables from the Events or
Event Groups lists. LEM then completes the message by filling in the variable parameters with the
appropriate text. You can create a variable for Agents, servers, or time, and you can add as many
parameters as you need. For example, you may want to add a parameter to be filled in with the affected
Agent or server name, and another parameter to be filled in with the time the event occurred. To add and
delete parameters, use the controls in the Name row at the bottom of the screen.

(parameter) Name: To add a message parameter to the email template, enter the parameter name and
click . Add additional parameters as needed for use with the message. To delete a message parameter
from the template, select the parameter that you want to delete and then click .

 5. Click Save to save the template.


The Email template is added to the Groups grid and will be available in the Actions component list
when you drag Send Email Message or Send Pager Message to the Actions box. LEM will prompt you
to fill in the message variables from the Events or Event Groups lists.

page 280
Find and add LEM rules
This topic describes how to find and customize preconfigured LEM rules.

In this topic:

 • Find and add rules based on categories of interest 281
 • Clone, customize, and enable a specific preconfigured rule 282

Find and add rules based on categories of interest


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click the OpsCenter tab.
 3. In the Getting Started widget, click Define Rules and Configure Alerts.
By default, the Getting Started widget is located in the top left part of the page.

 4. Select the check box next to the types of rules that you want to enable, and then click Next.

 5. Complete the fields and selections to define the condition, correlation time, and action for each new
rule, and then click Apply.
 6. In the console, click Build > Rules.
 7. In the Rules grid, locate a new rule, click and select Enable.
A displays next to the enabled rule.
 8. Complete step 5 for each additional rule.
 9. Enable your rule. See "Enable and activate rules prior to testing" on page 294 for details.
 10. Test the rules to verify they work as expected. See "Testing rules in LEM" on page 295 for details.

page 281

Clone, customize, and enable a specific preconfigured rule


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Build > Rules.
 3. Use Refine Results in the sidebar to browse, search, or filter for specific rules or scenarios, or browse
for a rule in the Rule Categories & Tags section.
 4. Select a rule to clone, and then click the corresponding and choose Clone.
 5. In the Clone Rule dialog box, select a Custom Rules folder, rename the rule, and click OK.
 6. On the Rule Creation screen, customize the rule (if desired) and select Enable.
 7. Click Save.
 8. In the main Rules view, click Activate Rules to sync your local changes with the LEM appliance. See
"Enable and activate rules prior to testing" on page 294 for details.
 9. Test the rules to verify they work as expected. See "Testing rules in LEM" on page 295 for details.

Change Management rule example


Change management rules notify you when a user makes network configuration changes. For example:

 • Adding, changing, or deleting users in Active Directory
 • Installing software on monitored computers
 • Making changes to the firewall policy

You can create a general change management rule to instruct LEM to notify you when a user changes your
network configuration, or you can create a more specific rule that applies to specific users, groups, or types
of changes. Generally, if you can see an event in your console, you can create a rule for the event. Use your
filters as a starting point for creating custom rules.

The following change management rule example notifies you by email when a user adds another user to
an administrative group.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Build > Rules.
 3. Click to create a new rule using the Rule Creation screen.
 4. Enter an appropriate name for the rule. For example:
New Admin User

page 282
 5. In the rule Correlations box, enter the event or event group.
For example, you can use the NewGroupMember.EventInfo Equals *admin* condition to
execute anytime LEM receives a NewGroupMember event with admin included anywhere in the
Event Info field.
 a. Click Events in the left pane.
 b. At the top of the Events list, enter NewGroupMember to search for this event, and then select it
in the list.
 c. In the Fields: NewGroupMember list, locate EventInfo and drag it into the Correlations box.
 d. In the text field (denoted by a pencil icon in the Correlations box), enter *admin* to account
for all variations on the word administrator.
 6. Leave the Correlation Time box as is so your rule fires anytime LEM captures this type of event.
 7. Add the Send Email Message action to the Actions box.
 a. In the left pane, click Actions.
 b. Locate Send Email Message and drag the action into the Actions box.
 c. In the Email Template, click the menu and select a template.
 d. In the Recipients menu, select a LEM user.
 e. Drag and drop event fields or constants from the left pane into the Send Email Message form
to complete the action.

Always use event fields for events in the Correlations box. For example, you can use
NewGroupMember.DetectionTime to populate the Detection Time field in this
example.

 8. In the Rule Creation form, select Enable and click Save.
 9. In the main Rules view, click Activate Rules to sync your local changes with the LEM appliance.
The LEM appliance will send an email anytime a user adds a user to any group in Active Directory
that contains admin in its name.

page 283

Create a new LEM rule to monitor and respond to events


This topic describes how to create a custom rule to monitor and respond to events from your monitored
computers and devices.

See also:

 • "Rule configuration requirements and best practices" on page 275
 • "Building custom filter and rule expressions in LEM" on page 330 to learn how to write filter
and rule expressions

In this topic:

 • Create a new rule 284
 • Example: Create a Change Management rule 287

For a video presentation about creating rules in the LEM console, open the following URL in a web
browser:

http://embed.vidyard.com/share/k6zhzKy9VK9d5EibvfGTaN

Create a new rule


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Build > Rules.
 3. Click on the Rules toolbar.
 4. Enter a name and description for the rule.
 5. Click the drop-down menu and select the LEM Manager that will host this rule.
If you are editing a rule, this field displays the LEM Manager instance associated with the rule.

page 284
 6. Click Add Tags.
Select the categories and tags for this rule, and then click OK.

 7. Configure the correlations (or relationships) that define the rule. These correlations define the
events that must occur for the rule to take effect. You can coordinate multiple alert events into a set
of conditions that prompt the LEM Manager to issue a particular active response.

 a. Drag Event or Event Group items from the list pane into the Correlations box. Click to add
a group.
 b. Click the correlations connector bar. Select AND to determine if the alert conditions must
all apply or OR if any alert conditions apply to prompt a response.
If your correlations require a value, populate the value using one of the following procedures:
 • Enter a static text value in the Text Constant field, denoted by a pencil icon. Use asterisks (*) as
wildcard characters to account for any number of characters before, within, or after your text
value.
 • Drag a group from the list pane to replace the Text Constant field. The most commonly used
groups include User Defined Groups, Connector Profiles, Directory Service Groups, and Time Of
Day Sets.
 • Drag an Event field from an existing event in your Correlations to replace the Text Constant
field. This will result in a parameter that states whether values from different Events in your
Correlations should match.

page 285

 8. If you want to change the operators in your conditions, click the operator until you find the one you
want.
There are two types of operators: Condition and Group.
 • Condition operators are found between your events and their values. Examples include
Equals, Does Not Equal, Contains, and Does Not Contain. Rule Creation only displays the
operators that are available for the values in your Correlations.
 • Group operators are found outside of your correlation groups. The two options are And (blue)
and Or (orange).

For more information see "Comparing values with operators in LEM filters and rules" on
page 331.

 9. Configure the correlation time to establish the allowable frequency and time span that the
correlation events must occur before the rule applies.

 a. Set the Events within and Response Window settings for your rule.
 b. If the Events within value is 2 or more, click Advanced to select advanced threshold fields
and define an advanced response window for the alert fields within the grouping.
 10. Configure the actions that occur when the events in the Correlations and the Correlations Time
boxes occur (for example, sending an email message to the system administrator or blocking an IP
address).
Use the following guidelines:
 • All rules must have at least one action.
 • Populate your action with constants or event fields as appropriate.

 a. Click the Actions list.

 b. Select and drag an action from the list into the Actions box.

For more information, see "About LEM response actions" on page 304.


For more information, see "LEM response actions: Respond to network and system events in
LEM" on page 303.

page 286
 11. Apply the Enabled, Test, and Subscribe settings as appropriate.

 a. Select the Enabled check box to enable the rule after you click Save. See "Enable and activate
rules prior to testing" on page 294 for details.
 b. Select the Test check box to operate the rule in test mode before it is enabled. SolarWinds
recommends running each new rule in test mode to confirm that the rule behaves as
expected. See "Testing rules in LEM" on page 295 for details.

You must enable a rule before you can test it.

 c. Click the Subscribe drop-down menu and select all users who subscribe to the rule. The
system will notify the subscribing users each time one of the subscribed-to rules triggers an
alert. The alerts will appear in their alert grid.

This option also tracks rule activity in the Subscriptions report in LEM Reports.

 12. Click Save.


The new rule appears in the Rules grid.

You can click Apply to save your changes without closing the form.

 13. Once your rule is in your Custom Rules folder, click Activate Rules to sync your local changes with the
rules folders on your LEM Manager and allow the new or updated rules to function properly.

When enabling or disabling rules, no changes will take effect until you click Activate Rules.

Example: Create a Change Management rule


This section shows you how to create a rule in LEM by stepping you through an example.

To view a video tutorial about creating a rule to watch for unauthorized vendor access, see:
https://play.vidyard.com/MWe7pTouvKvpes8Z91fjSA

About the Change Management rule example


Rules in the Change Management category notify you when a user makes a network configuration change,
for example:

 • Adding, changing, or deleting users in Active Directory
 • Installing software on monitored computers
 • Making changes to the firewall policy

page 287

You can create a general change management rule to instruct LEM to notify you when a user changes your
network configuration, or you can create a more specific rule that applies to specific users, groups, or types
of changes. Generally, if you can see an event in your console, you can create a rule for the event. Use your
filters as a starting point for creating custom rules.

The following change management rule example notifies you by email when a user adds another user to
an administrative group.

Create the example Change Management rule


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Build > Rules.
 3. Click to create a new rule using the Rule Creation screen.
 4. Enter an appropriate name for the rule. For example:
New Admin User
 5. In the rule Correlations box, enter the event or event group.
For example, you can use the NewGroupMember.EventInfo Equals *admin* condition to
execute anytime LEM receives a NewGroupMember event with admin included anywhere in the
Event Info field.
 a. Click Events in the left pane.
 b. At the top of the Events list, enter NewGroupMember to search for this event, and then select it
in the list.
 c. In the Fields: NewGroupMember list, locate EventInfo and drag it into the Correlations box.
 d. In the text field (denoted by a pencil icon in the Correlations box), enter *admin* to account
for all variations on the word administrator.
 6. Leave the Correlation Time box as is so your rule fires anytime LEM captures this type of event.
 7. Add the Send Email Message action to the Actions box.
 a. In the left pane, click Actions.
 b. Locate Send Email Message and drag the action into the Actions box.
 c. In the Email Template, click the menu and select a template.
 d. In the Recipients menu, select a LEM user.
 e. Drag and drop event fields or constants from the left pane into the Send Email Message form
to complete the action.

Always use event fields for events in the Correlations box. For example, you can use
NewGroupMember.DetectionTime to populate the Detection Time field in this
example.

 8. In the Rule Creation form, select Enable and click Save.
 9. Test the rules to verify they work as expected. See "Testing rules in LEM" on page 295 for details.

page 288
 10. In the main Rules view, click Activate Rules to sync your local changes with LEM.
The LEM Manager will send an email anytime a user adds a user to any group in Active Directory that
contains admin in its name.
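The behaviour this example describes (a NewGroupMember.EventInfo Equals *admin* correlation, a Send Email Message action whose $Parameter placeholders are filled from event fields, and test mode recording an InternalTestRule event instead of sending mail) can be modelled in a few lines to check your correlation and template wiring before activating the rule. The following Python is an added illustration and not LEM code or a LEM API: the Event dictionaries, the Condition, EmailTemplate and Rule classes, the sample accounts, hosts and times, and the "Group" parameter are constructed for this example, and case-insensitive wildcard matching is an assumption. It also renders the Account Lockout template from the Email Template table earlier in this section.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A normalized event is modelled as a dict of field name -> value.
# This stand-in is constructed for the example, not LEM's internal format.
Event = Dict[str, str]

# Matches $Parameter placeholders in template subject and message text.
PARAM_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Turn a text constant such as '*admin*' into an anchored regex.

    '*' matches any run of characters; everything else is literal.
    Case-insensitive matching is an assumption made for this example.
    """
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


@dataclass
class Condition:
    """One Correlations entry: <EventType>.<Field> <Operator> <text constant>."""
    event_type: str   # e.g. "NewGroupMember"
    field_name: str   # e.g. "EventInfo"
    operator: str     # Equals, Does Not Equal, Contains, Does Not Contain
    value: str        # text constant, may contain '*' wildcards

    def matches(self, event: Event) -> bool:
        if event.get("EventType") != self.event_type:
            return False
        actual = event.get(self.field_name, "")
        if self.operator in ("Equals", "Does Not Equal"):
            hit = wildcard_to_regex(self.value).match(actual) is not None
            return hit if self.operator == "Equals" else not hit
        if self.operator in ("Contains", "Does Not Contain"):
            hit = self.value.lower() in actual.lower()
            return hit if self.operator == "Contains" else not hit
        raise ValueError(f"unsupported operator: {self.operator}")


@dataclass
class EmailTemplate:
    """Subject and message text with $Parameter placeholders."""
    name: str
    subject: str
    message: str

    def render(self, params: Dict[str, str]) -> Tuple[str, str]:
        # Unknown parameters are left in place so a mis-wired rule is visible
        # in the delivered email instead of silently producing blank text.
        def fill(m: "re.Match[str]") -> str:
            return params.get(m.group(1), m.group(0))
        return PARAM_RE.sub(fill, self.subject), PARAM_RE.sub(fill, self.message)


@dataclass
class Rule:
    name: str
    conditions: List[Condition]    # joined with And, the default group operator
    template: EmailTemplate
    param_fields: Dict[str, str]   # template parameter -> event field
    enabled: bool = True
    test: bool = False

    def evaluate(self, event: Event) -> Optional[dict]:
        """Return what the Manager would do for this event, or None.

        A rule in test mode records an InternalTestRule event and sends nothing.
        """
        if not self.enabled or not all(c.matches(event) for c in self.conditions):
            return None
        if self.test:
            return {"action": "InternalTestRule", "rule": self.name}
        params = {p: event.get(f, "") for p, f in self.param_fields.items()}
        subject, body = self.template.render(params)
        return {"action": "SendEmailMessage", "subject": subject, "message": body}


def run_rule(rule: Rule, events: List[Event]) -> List[dict]:
    """Evaluate a rule over a batch of events and collect the resulting actions."""
    return [r for r in (rule.evaluate(e) for e in events) if r is not None]


# Account Lockout template from the Email Template table; subject line is constructed.
LOCKOUT_TEMPLATE = EmailTemplate(
    name="Account Lockout",
    subject="Account lockout: $Account",
    message="Account $Account locked out at $Time on DC $DC from computer $Machine",
)

# The "New Admin User" change management rule from this section.
NEW_ADMIN_USER = Rule(
    name="New Admin User",
    conditions=[Condition("NewGroupMember", "EventInfo", "Equals", "*admin*")],
    template=EmailTemplate(
        name="New Admin User",
        subject="New Admin User: $Account added to $Group",
        message="Account $Account was added to group $Group on DC $DC at $Time "
                "from computer $Machine.",
    ),
    param_fields={"Account": "DestinationAccount", "Group": "EventInfo",
                  "DC": "DestinationMachine", "Time": "DetectionTime",
                  "Machine": "SourceMachine"},
)

# Constructed sample events; accounts, hosts and times are made up.
SAMPLE_EVENTS: List[Event] = [
    {"EventType": "NewGroupMember", "DetectionTime": "7/21/2016 8:05am",
     "DestinationAccount": "tsmith", "DestinationMachine": "DC1",
     "SourceMachine": "PC1", "EventInfo": "Domain Admins"},
    {"EventType": "NewGroupMember", "DetectionTime": "7/21/2016 8:06am",
     "DestinationAccount": "tsmith", "DestinationMachine": "DC1",
     "SourceMachine": "PC1", "EventInfo": "Sales"},
    {"EventType": "UserLogon", "DetectionTime": "7/21/2016 8:07am",
     "DestinationAccount": "tsmith", "DestinationMachine": "DC1",
     "SourceMachine": "PC1", "EventInfo": "Administrator logon"},
]

if __name__ == "__main__":
    for result in run_rule(NEW_ADMIN_USER, SAMPLE_EVENTS):
        print(result)
```

Only the Domain Admins event produces a SendEmailMessage action; the UserLogon event mentions Administrator but is the wrong event type, which is why the example checks the event type before the field.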

page 289

Manage LEM rules: Edit, view, export, and more


This topic describes how to manage rules in the LEM console. Use the Build > Rules view to manage your
rules.

See the following topics to find, add, or create LEM rules:

 • "Find and add LEM rules" on page 281
 • "Create a new LEM rule to monitor and respond to events" on page 284

In this topic:

 • Activate a rule 290
 • Add tags to a rule 290
 • Edit a rule 291
 • Edit a locked rule 291
 • Clone a rule 291
 • Share a rule with another user 292
 • Create a backup copy of a rule for archival purposes 292
 • Export a rule 292
 • Import a rule 293
 • Delete a rule 293

Activate a rule
See "Enable and activate rules prior to testing" on page 294 for details.

Add tags to a rule


Tags make it easier to categorize and find rules. For example, if you want a rule to appear in several
different categories, select the corresponding tags.

 1. Open the rule for editing. (See the next section for steps.)
 2. At the top of the Rule Builder form, click "Add Tags."
The Tags dialog box opens.
 3. Select one or more tags to add to the rule, and then click OK.

page 290
Edit a rule
Use the Rule Creation screen to modify or update a rule. When required, you can edit multiple rules at
the same time.

Disabling a rule is not required to edit a rule. When you edit a rule, you are editing a local copy until you
save and activate the rule. If the rule was enabled when you added your modifications, it will continue to
be enabled while you work on the new version. When you save the new version and click Activate Rules,
the LEM Manager replaces the original rule with the new version.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Build > Rules.
 3. In the Rules Categories & Tags pane, maximize the category that contains the rules that you want to
edit.
 4. In the Rules grid, select the rule (or rules) that you want to edit.
 5. To edit a single rule, click next to the rule and select Edit. To edit multiple rules, click in the
Rules toolbar and select Edit.
The Rule Builder form displays with your selected rule. If you selected multiple rules, they display as
cascaded windows on the screen.
 6. Edit your rules as required.
 7. Click Save to save your rule changes.

Edit a locked rule


If a rule is locked, another user is currently editing the rule. You can open the rule in read-only mode to
see the rule details or break the lock and take control over the rule. The other user will not be able to save
any changes to the rule.

Clone a rule
The Clone command lets you copy any existing rule, make changes to the copy, and then save the copy with
a new name in one of your Custom Rules sub-folders. Use the Clone command to create variations of
existing rules. For example, you can clone a preconfigured rule and then adjust the cloned copy to suit
your specific needs.

A cloned rule must apply to the same LEM Manager as the original rule. You cannot clone a rule
from one Manager and save it for another Manager.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Open the Build > Rules view.

page 291

 3. In the Rule Categories & Tags pane, maximize the category that contains the rules you want to
enable.
 4. In the Rules grid, select the rule you want to clone.
 5. Click and select Clone.
 6. In the Clone Rule form, enter a name for the rule in the Clone Name box.
 7. In the Rule Categories & Tags pane, select which Custom Rules folder will store the cloned rule.
 8. Click OK.
The cloned copy opens in Rule Creation so you can make changes.

Share a rule with another user


See "Export a rule" below for steps.

Create a backup copy of a rule for archival purposes


See "Export a rule" below for steps.

Export a rule
You can export a rule from one LEM Manager instance and import it into another LEM Manager instance.
You can also export rules to:

 • Save archived copies in a safe place.
 • Provide SolarWinds with a copy of your rule for technical support or troubleshooting purposes.

You can export multiple rules at the same time. The rules are saved to a new folder that contains each
rule.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Build > Rules.
 3. In the Rule Categories & Tags pane, select the category that contains the rule you want to export.
 4. In the Rules grid, select the rules you want to export.
 5. On the Rules grid toolbar, click and select Export.
 6. In the Save in box, locate the general area in which you want to save the exported rule folder.
 7. In the File name box, enter a folder name to contain the exported rules.

Rules are saved as XML files.

page 292
 8. Click Save.
The rules are exported and saved in your selected folder. Each exported rule retains its name and
the export date and time.
If an Export Error message displays, one or more rules failed to export. If you are exporting multiple
rules, the message lists the failed and succeeded exported rules. Click OK to close the form.

Import a rule
You can import a rule from a remote source into a particular rule category. For example, you can import a
rule from one LEM Manager to another, or import a rule provided by SolarWinds. You can only import one
rule at a time.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Build > Rules.
 3. On the Rules grid toolbar, click and select Import.
 4. Locate and open the folder that contains the rule you want to import.
 5. Select the rule file you want to import. These files are in XML format.
 6. Click Open to import the file.
 7. In the Import Rules form, click the Manager drop-down menu and select the Manager to associate
with this rule.
 8. In the Rule Categories & Tags pane, select the category that will store the imported rule.
 9. Click Import.
The system imports the rules into the designated rule folder.

Delete a rule
You can delete one rule at a time, or you can delete multiple rules. Once a rule is deleted, it can only be
restored by re-creating it or by importing a previously exported rule.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Build > Rules.
 3. In the Rule Categories & Tags pane, select the folder that contains the rule you want to delete.
 4. In the Rules grid, select the rule (or rules) you want to delete.
 5. To delete a single rule, click button and select Delete. To delete multiple rules, click in the
Rules toolbar and select Delete.
 6. At the Confirm Delete prompt, click Yes.
The rules disappear from the Rules grid.
 7. Click Activate Rules to notify the LEM Manager component that the rules were deleted.

page 293

Test, enable, and disable rules in LEM


In this topic:

 • About selecting multiple rules to test, enable, or disable 294
 • Enable and activate rules prior to testing 294
 • Testing rules in LEM 295
 • Disable rules in LEM to stop them from processing 297

About selecting multiple rules to test, enable, or disable


You can select two or more rules at the same time to test, enable, or disable by selecting the rules in the
grid and clicking in the Rules toolbar. This command, however, acts as a toggle on each selected rule.
For example, if one rule is Test On and another is Test Off, performing this command on both rules at the
same time inverts the settings of both rules. As a result, the first rule is Test Off and the second rule is
Test On. When you perform this command on multiple rules, select rules that are in the same state—Test
On or Test Off, or Enabled or Disabled.

Enable and activate rules prior to testing


You must enable a rule before you can test it.

When selecting two or more rules at the same time to enable, select rules that are in the same
state—Enabled or Disabled. See "About selecting multiple rules to test, enable, or disable" above
for more information.

Enable rules from the Rules grid or directly from the Rules Creation screen. Instructions for both tasks are
provided.

Do not forget to activate your rule by clicking Activate Rules in the Rules toolbar. This step is
frequently overlooked.

Enable rules from the Rules grid


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Open the Build > Rules view.
 3. In the Rule Categories & Tags pane, maximize the category that contains the rules you want to
enable.

page 294
 4. In the Rules grid, select the rule (or rules) you want to enable.
 5. To enable a single rule, click next to the rule and select Enable. To enable multiple rules, click
in the Rules toolbar and select Enable.
The Enabled icons for each selected rule become active, indicating the rules are enabled.
 6. Click Activate Rules in the Rules toolbar to activate the rule.
The rule is enabled.

Enable rules from the Rule Creation screen


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Open the Build > Rules view.
 3. In the Rule Categories & Tags pane, maximize the category that contains the rules you want to
enable.
 4. In the Rules grid, select the rule (or rules) you want to enable.
 5. Click in the Rules toolbar and select Edit.
 6. In the Rule window, select the Enable check box. Repeat this step for each additional opened rule.
 7. Click Save.
The Rules grid displays with in the Enabled column for each enabled rule.
 8. Click Activate Rules in the Rules toolbar to activate the rule.
The rule is enabled.

Testing rules in LEM


Before you put a rule into production, try it out in test mode. In test mode, the LEM Manager processes the
rule alert messages, but does not execute any rule actions. This lets you see how the activated rule will
behave without disrupting your network.

When selecting two or more rules at the same time to test, select rules that are in the same state—
Test On or Test Off. See "About selecting multiple rules to test, enable, or disable" on the previous
page for more information.

Enable test mode in the Rules grid


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Build > Rules.
 3. In the Rule Categories & Tags pane, maximize the category that contains the rule you want to test.
 4. Ensure that your selected rule has an Enabled icon in the Enabled column.
If the rule displays a disabled icon, enable the rule by clicking button and selecting Enable.

page 295

 5. To place a single rule in test mode, click and select Test On / Test Off. To place multiple selected
rules in test mode, click and select Test On / Test Off.
In the Rules grid, the icon displays in the Test column for each rule in test mode.
 6. Click Activate Rules.
The rules are now functional, but in test mode.

Disable test mode in the Rules grid


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Build > Rules.
 3. In the Rule Categories & Tags pane, maximize the category that contains the rule you want to test.
 4. In the Rules grid, select the rule (or rules) you want to work with.
 5. To disable test mode in a single rule, click and select Test On / Test Off. To disable test mode on
multiple selected rules, click and select Test On / Test Off.
In the Rules grid, the disabled icon appears in the Test column to indicate the rule is no longer in test
mode.
 6. Click Activate Rules.
The rules are now fully functional.

Enable test mode from the Rule Creation screen


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Build > Rules.
 3. In the Rule Categories & Tags pane, maximize the category that contains the rule you want to test.
 4. In the Rules grid, click to select the rule you want to test.
 5. In the Rules grid toolbar, click Edit.
Rule Creation displays, showing the current rule configuration.
 6. Select the Enable check box.
 7. Select the Test check box.
To test a rule, the Enable and Test check boxes must be selected. If only Enable is checked, the rule
is enabled and ready for use. If only Test is checked, the rule will not be enabled, and the LEM
Manager will not be able to use it for testing.
 8. Click Save.
 9. In the Rules toolbar, click Activate Rules.
The rule is now in test mode.

page 296
Disable test mode from the Rule Creation screen
 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Build > Rules.
 3. In the Rule Categories & Tags pane, maximize the category that contains the rule you want to test.
 4. In the Rules grid, click to select the rule you want to test.
 5. In the Rules grid toolbar, click Edit.
Rule Creation displays, showing the current rule configuration.
 6. Clear the Test check box.
 7. Click Save.
 8. In the Rules toolbar, click Activate Rules.
The rule is now fully functional and no longer in test mode.

Disable rules in LEM to stop them from processing


The LEM Manager continues to use active rules as long as they are enabled. Turn off rules by disabling
them and clicking the Activate Rules command. Note that the Manager will continue to use disabled rules
until you confirm their “disabled” state with the Activate Rules command.

When selecting two or more rules at the same time to disable, select rules that are in the same
state—Enabled or Disabled. See "About selecting multiple rules to test, enable, or disable" on
page 294 for more information.

Disable rules from the Rules grid


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Open the Build > Rules view.
 3. In the Rule Categories & Tags pane, maximize the category that contains the rules you want to
disable.
 4. In the Rules grid, select the rule (or rules) you want to disable.
 5. To disable a single rule, click next to the rule and select Disable.
To disable multiple rules, click in the Rules toolbar and select Disable.
 6. The Disabled icons for each selected rule become active, indicating the rules are now inactive.
 7. Click Activate Rules.
The Manager stops processing the disabled rules.

page 297

Disable rules from the Rule Creation screen


 1. Open the rule you want to disable in Rule Creation.
 2. Clear the Enable check box.
 3. Click Save.
 4. Click Activate Rules in the Rules toolbar.
The Manager stops processing the disabled rule.

page 298
Use the Send Email Message action in LEM rule creation
In this section:

  • Add or edit a Send Email Message action 299

Use the Send Email Message action to create a rule. Before you add an action, perform the following steps:

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Build > Rules.
 3. Enter user account lockout in the Refine Results search field.
 4. Locate the User Account Lockout template in the Rule Templates grid.
 5. Click next to the template and select Clone.
 6. Edit the rule Correlations as required, and then click Save.

Add or edit a Send Email Message action


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Build > Rules.
 3. Click in the Rules toolbar to create a new rule.
 4. Expand the Actions list.
 5. Drag Send Email Message into the Actions box.

If you make a mistake, or decide you want to clear out the actions and start over, hover over
any action and click X or click Undo.

 6. Click the Email Template drop-down menu and select your template.

If you forgot the name, you can always go back to Build > Groups to view your template details.
Your rule will still be open when you come back to Build > Rules.

 7. Click the Recipients drop-down menu and select the users who need to be notified about this
event.


 8. Populate the Send Email Message action with dynamic values from the event firing the rule.
 a. Locate the Event or Event Group that contains your desired action. In this example, the User
Account Lockout (Updated) Rule uses the UserDisable event. Expand Events on the
components pane and type UserDisable in the search box.
 b. Click the Event to populate its available fields in the Fields listing under the Events listing.
 c. Drag the appropriate fields from the Fields listing into the Correlations box.
For example, the Email Template created in the related articles requires the following fields:
DetectionTime for the Time variable, SourceMachine for the Machine variable, DestinationMachine for
the DC variable, and DestinationAccount for the Account variable.
 9. Select the Enable check box.

After you enable the rule, you can also use the Test check box to place your rule in Test Mode.
When a test rule fires, InternalTestRule events display in the console to verify the trigger
and actions, but no action is taken.

 10. Click Save to save your changes and exit Rule Creation.
Activate Rules is now enabled in the Rule Creation toolbar. This lets you batch all of your rule changes
and apply them together before changing the running state of the Manager.
 11. Click Activate Rules to send your changes to the LEM Manager and apply them.
Your rule is active and your template is set up. The next time your rule fires, the recipients specified in
your rule receive an email in your specified format.
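The field-to-variable binding from step 8 and the Enable/Test behaviour from step 9, as an added Python model that is not SolarWinds code: the UserDisable event values, the template text, the recipient name and the brace syntax for template variables are constructed assumptions; the event field names and the InternalTestRule marker are the ones the procedure above uses.

```python
"""Model of a LEM rule carrying a Send Email Message action (added illustration).

Shows how bound event fields fill the email template variables, how an
unbound variable is caught before the rule is activated, and what the
Enable and Test check boxes change when the rule fires.
"""
import string
from dataclasses import dataclass

# Constructed UserDisable event, using the field names listed on the page.
SAMPLE_EVENT = {
    "EventType": "UserDisable",
    "DetectionTime": "2017-10-19 14:02:11",
    "SourceMachine": "ws-042",
    "DestinationMachine": "dc01",
    "DestinationAccount": "jdoe",
}

# Constructed email template; brace-delimited variable names are an assumption.
LOCKOUT_TEMPLATE = (
    "Account {Account} was disabled at {Time} from {Machine} "
    "(domain controller {DC})."
)

# Step 8c: template variable -> event field dragged from the Fields listing.
FIELD_BINDINGS = {
    "Time": "DetectionTime",
    "Machine": "SourceMachine",
    "DC": "DestinationMachine",
    "Account": "DestinationAccount",
}


@dataclass
class SendEmailRule:
    name: str
    template: str
    bindings: dict
    recipients: list
    enabled: bool = True      # step 9: Enable check box
    test_mode: bool = False   # step 9: Test check box (Test Mode)


def template_variables(template):
    """Return the variable names a template expects, in order of appearance."""
    return [name for _, name, _, _ in string.Formatter().parse(template) if name]


def unbound_variables(rule):
    """Template variables that have no event field bound to them (step 8c)."""
    return [v for v in template_variables(rule.template) if v not in rule.bindings]


def fire(rule, event):
    """Evaluate the rule against one event and report what the Manager would do.

    Returns a dict with 'status' and the list of (recipient, body) emails sent.
    """
    if not rule.enabled:
        # A disabled rule is ignored once Activate Rules has been clicked.
        return {"status": "disabled", "emails": []}
    missing = unbound_variables(rule)
    if missing:
        raise ValueError(f"template variables without a bound field: {missing}")
    values = {var: event[fld] for var, fld in rule.bindings.items()}
    body = rule.template.format(**values)
    if rule.test_mode:
        # Test Mode: an InternalTestRule event is raised, no email is sent.
        return {"status": "InternalTestRule", "emails": [], "rendered": body}
    return {
        "status": "sent",
        "emails": [(r, body) for r in rule.recipients],
        "rendered": body,
    }


if __name__ == "__main__":
    rule = SendEmailRule("User Account Lockout (Updated)", LOCKOUT_TEMPLATE,
                         FIELD_BINDINGS, ["admin"])
    print(fire(rule, SAMPLE_EVENT)["rendered"])
```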

Notify a LEM user when a rule triggers an alert (Subscribe a
user to a rule)
In this section:

  • Subscribe users from the Rules grid 301
  • Subscribe users from the Rule Creation screen 301

You can assign rules to specific console users by adding them as a subscriber. The system will notify each
subscriber when the subscribed rule triggers an alert. These alerts display in the Monitor view for each
subscriber.

You can use rule subscriptions in conjunction with filters and reports to monitor activity for specific rules.
Each user can subscribe to as many different rules as required. You can also assign subscriptions when
you are creating the rule or at a later time from the Rules grid.

Subscribe users from the Rules grid


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Open the Build > Rules view.
 3. In the Rule Categories & Tags pane, maximize the category that contains your targeted rule.
 4. In the Rules grid, select the targeted rule.
 5. In the Rules grid toolbar, click the Subscribe drop-down menu.
This menu contains console users who are associated with the same LEM Manager as the selected
rule. A check box with a gray background indicates the user is subscribed to one or more of the
selected rules, but not all rules.
 6. Select one or more users to subscribe to the rule.
  • Select a clear check box to subscribe the user to all selected rules.
  • Clear a gray check box to remove the user subscription to all selected rules.
 7. Click Subscribe again to close the list.
The selected console users are subscribed to the selected rules.

Subscribe users from the Rule Creation screen


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Open the Build > Rules view.


 3. In the Rule Categories & Tags pane, maximize the category that contains your targeted rule.
 4. In the Rules grid, select the targeted rule.
 5. Click next to the rule and select Edit.
 6. On the Rule Creation screen, click the Subscribe drop-down menu.
This menu contains console users who are associated with the same LEM Manager as the selected
rule. A check box with a gray background indicates the user is subscribed to one or more of the
selected rules, but not all rules.
 7. Select the check box for each Console user who is to subscribe to this rule. Clear the check box for
each subscriber who is no longer to subscribe to this rule.
 8. Click Subscribe to close the list.
 9. Click Save.
The selected Console users are subscribed to the rule.

LEM response actions: Respond to network and
system events in LEM
In this chapter:

  • About LEM response actions 304
  • Use the Computer-based active responses in LEM 317
  • Use the Append Text to File active response in LEM 319
  • Auto-populate user-defined groups using a LEM rule 321
  • Use the Block IP active response in LEM 323
  • Configure the Detach USB Device active response in LEM 325
  • Configure the Disable Networking active response in LEM 327
  • Configure the Kill Process active response in LEM 328


About LEM response actions


In this topic:

  • About LEM active response 304
  • Select an event response 304
  • Select an event response using drag-and-drop text 305
  • Use LEM active responses to perform Windows actions related to users, groups, and domains 306
  • Actions LEM can take to respond to events 307

See "Create a new LEM rule to monitor and respond to events" on page 284 to learn how to create
an active response rule.

About LEM active response


An active response (also called an event response) in LEM is an action that LEM takes in response to
suspicious activity or an attack. Active response actions include the Block IP active response, the Disable
Networking active response, the Log off User active response, the Kill Process active response, the Detach USB
Device active response, and so on.

The Respond drop-down menu in Monitor view provides a list of actions you can execute for a specific
event message. Each Respond command opens the Respond form. This form includes data from the field
you selected and options for customizing the action—similar to configuring the active response for a rule
in the Rule Creation.

The Respond menu is context-sensitive. The event type or cell currently selected in the event grid
determines which responses you can choose.

Select an event response


In the Respond form, you can use the default field information to complete the form.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Monitor view, locate an event in the event grid, and click Pause.
 3. Select the event in the grid.

 4. Click Respond and select an action.

The drop-down menu contains a list of commonly-used actions. If your action does not appear
in the list, select All Actions.

 5. In the Respond form, click the Action drop-down menu and verify that the action applies to your selected event.

 6. Complete any remaining fields in the form.


 7. Click OK to execute the action.
 8. Click Resume to receive new events in the event grid.

Select an event response using drag-and-drop text


In the Respond form, drag and drop information from the Event and Information fields into the
configuration fields to complete the form. Use this method to add content to a blank configuration field or
replace the content of an existing configuration field.

 1. In the Monitor view, locate an event in the event grid and click Pause.
 2. Select the event in the grid.
 3. Click Respond and select an action.

The drop-down menu contains a list of commonly-used actions. If your action does not appear
in the list, select All Actions.

 4. In the Respond form, click the Action drop-down menu and verify that the action applies to your selected event.

 5. In the Respond form’s event information grid, scroll to locate the field that contains the data element
needed to configure the action.


 6. Click and drag an event field into the appropriate action configuration field.

 7. Complete any remaining fields as required.


 8. Click OK to execute the action.
 9. Click Resume to receive new events in the event grid.

Use LEM active responses to perform Windows actions related to users, groups, and domains

Use the following user-based active responses to perform Windows-based actions related to users, groups,
and domains on your LEM Agents.

  • Add Domain User To Group
  • Add Local User To Group
  • Create User Account
  • Create User Group
  • Delete User Account
  • Delete User Group
  • Disable Domain User Account
  • Disable Local User Account
  • Enable Domain User Account
  • Enable Local User Account
  • Log Off User
  • Remove Domain User From Group
  • Remove Local User From Group
  • Reset User Account Password

These actions are useful to respond to unauthorized change management activity and to automate user-
related maintenance. They can be automated in a LEM rule, or executed manually from the Respond menu
in the LEM console.

Configure an active response connector on a LEM Agent


Configure the Windows active response connector on each LEM Agent that requires active responses.

You can deploy your LEM Agents and configure the Windows active response connector based on where
you want to perform these actions. To perform actions at the domain level, deploy a LEM Agent to at least
one domain controller. To perform actions at the local level, deploy a LEM Agent to each computer that
requires a response.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
Log in as an administrator.
 2. Click Manage > Nodes.
 3. Locate the Agent in the Nodes grid that requires a connector.
 4. Click the gear icon next to the Agent and select Connectors.
 5. Enter Windows Active Response in the Search box at the top of the Refine Results pane.
 6. Click the gear icon next to the connector and select New.
 7. Enter a custom Alias for the new connector, or accept the default.
 8. Click Save.
 9. Click the gear icon next to the new connector and select Start.
 10. Click Close to exit the Connector Configuration window.

Actions LEM can take to respond to events


The following table lists the various actions a LEM Manager can take to respond to events. These actions
are configured in the Respond form when you are initiating an active response, and in the rules window’s
Actions box when you are configuring a rule's automatic response.

The table’s Action column lists the actions that are available. They are alphabetized for easy reference. The
Description column briefly states how the action behaves. The Fields column lists the primary data fields
that apply with each action. Some data fields will vary, depending on the options you select.

Add Domain User To Group
  Description: This action adds a domain user to a specified user group that resides on a particular Agent.
  Fields:
    Domain Controller Agent: Select the event field or constant that defines the Agent on which the group to be modified resides. To modify a group at the domain level, specify a domain controller as the Agent.
    Group Name: Select the event field or constant that defines the group that is to be modified.
    Username: Select the event field or constant that defines the user who is to be added to the group.

Add Local User To Group
  Description: This action adds a local user to a specified user group that resides on a particular Agent.
  Fields:
    Agent: Select the event field or constant that defines the Agent on which the group to be modified resides. To modify a group at the domain level, specify a domain controller as the Agent.
    Group Name: Select the event field or constant that defines the group that is to be modified.
    Username: Select the event field or constant that defines the user who is to be added to the group.

Add User-Defined Group Element
  Description: This action adds a new data element to a particular user-defined group.
  Fields:
    User-Defined Group Element: From the User-Defined Groups list, select the User-Defined Group that is to receive the new data Element.
    Value: Select the event field or constant that defines the data element that is to be added to the specified User-Defined Group. The fields will vary according to which User-Defined Group you select.

Append Text To File
  Description: This action appends text to a file. This allows you to take data from an event and put it in a text file.
  Fields:
    Agent: Select the event field or constant that defines the Agent on which the file to be appended is located.
    File Path: Select the event field or constant that defines the path to the Agent file that is to be appended with text.
    Text: Select the event field or constant that defines the text to be appended to the file.

Block IP
  Description: This action blocks an IP address.
  Fields:
    IP Address: Select the event field or constant that identifies the device's IP address.

Create User Account
  Description: This action creates a new user account on an Agent.
  Fields:
    Agent: Select the event field or constant that defines the Agent on which the new user account is to be added. To create a user account at the domain level, specify a domain controller as the Agent.
    Account Name: Select the event field or constant that names the account that is to be created.
    Account Password: Select the event field or constant that defines the password that is to be assigned to the new account.

Create User Group
  Description: This action creates a specified user group on an Agent. A user group is a new group of Windows users on a Windows PC, server, or network who are external to the LEM system.
  Fields:
    Agent: Select the event field or constant that defines the Agent on which the new user group is to reside. To create a user group at the domain level, specify a domain controller as the Agent.
    Group Name: Select the event field or constant that defines which user group is to be created.

Delete User Account
  Description: This action deletes a user account from an Agent.
  Fields:
    Agent: Select the event field or constant that defines the Agent on which the user account is to be deleted. To delete a user account at the domain level, specify a domain controller as the Agent.
    Account Name: Select the event field or constant that names the account that is to be deleted.

Delete User Group
  Description: This action deletes a user group from a particular Agent.
  Fields:
    Agent: Select the event field or constant that defines the Agent on which the user group to be deleted resides. To delete a user group at the domain level, specify a domain controller as the Agent.
    Group Name: Select the event field or constant that defines the user group that is to be deleted.

Detach USB Device
  Description: This action detaches a USB mass storage device that is connected to an Agent.
  Fields:
    Agent: Select the event field or constant that defines the Agent from which the USB device is to be detached.
    Device: Select the event field or constant that defines the device ID of the USB device that is to be detached.

Disable Domain User Account
  Description: This action disables a Domain User Account on a Domain Controller Agent.
  Fields:
    Domain Controller Agent: Select the event field or constant that defines the Domain Controller Agent on which the domain user is to be disabled.
    Destination Account: Select the event field or constant that defines the account that is to be disabled.

Disable Local User Account
  Description: This action disables a local user account on an Agent.
  Fields:
    Agent: Select the event field or constant that defines the Agent on which the local user is to be disabled.
    Destination Account: Select the event field or constant that defines the account that is to be disabled.

Disable Networking
  Description: This action disables an Agent's network access. The result is that the specified Agent will be unable to connect to the network.
  Fields:
    Agent: Select the event field or constant that defines the Agent that is to be disabled from the network.
    Message: Type the message that is to appear on the Agent.

Disable Windows Machine Account
  Description: This action disables a Windows machine account that resides on a Domain Controller Agent.
  Fields:
    Domain Controller Agent: Select the event field or constant that defines the Domain Controller Agent on which the account is to be disabled.
    Destination Account: Select the event field or constant that specifies which Windows account is to be disabled.

Enable Domain User Account
  Description: This action enables a Domain User Account on a Domain Controller Agent.
  Fields:
    Domain Controller Agent: Select the event field or constant that defines the Domain Controller Agent on which the domain user is to be enabled.
    Destination Account: Select the event field or constant that defines the account that is to be enabled.

Enable Local User Account
  Description: This action enables a local user account on an Agent.
  Fields:
    Agent: Select the event field or constant that defines the Agent on which the local user is to be enabled.
    Destination Account: Select the event field or constant that defines the account that is to be enabled.

Enable Windows Machine Account
  Description: This action enables a Windows machine account that resides on a Domain Controller Agent.
  Fields:
    Domain Controller Agent: Select the event field or constant that defines the Domain Controller Agent on which the account is to be enabled.
    Destination Account: Select the event field or constant that specifies which Windows account is to be enabled.

Incident Event
  Description: This action escalates potential issues by creating an Incident Event.
  Fields:
    Event: Select which Incident Event the rule is to create.
    Event Fields: From the list pane, select the events and constants that define the appropriate data elements for each event field. The fields vary, depending on which Incident Event is selected.

Infer Event
  Description: This action escalates potentially irregular audit traffic into security events by creating (or "inferring") a new event with a higher severity.
  Fields:
    Event: Select which Event the rule is to infer.
    Event Fields: From the list pane, select the events and constants that define the appropriate data elements for each event field. The fields vary, depending on which event is selected.

Kill Process by ID
  Description: This action terminates the specified process on an Agent by using its process ID value.
  Fields:
    Agent: Select the event field or constant that defines the Agent on which the process is to be terminated.
    Process ID: Select the event field or constant that identifies the ID number of the process that is to be terminated.

Kill Process by Name
  Description: This action terminates the specified process on an Agent by referring to the process name.
  Fields:
    Agent: Select the event field or constant that defines the Agent on which the process is to be terminated.
    Process Name: Select the event field or constant that identifies the name of the process that is to be terminated.
    Account Name: Select the event field or constant that identifies the name of the account that is running the process to be terminated.

Log Off User
  Description: This action logs the user off of an Agent.
  Fields:
    Agent: Select the event field or constant that defines the Agent from which the user is to be logged off.
    Account Name: Select the event field or constant that identifies the specific account name that is to be logged off.

Modify State Variable
  Description: This action modifies a state variable.
  Fields:
    State Variable: From the State Variables list, drag the state variable that the rule is to modify.
    State Variable Fields: From the appropriate component list, type or drag the data element that is to be modified in the state variable. The fields vary, depending on which state variable is selected.

Remove Domain User From Group
  Description: This action removes a domain user from a specified user group that resides on a particular Agent.
  Fields:
    Domain Controller Agent: Select the event field or constant that defines the domain controller Agent on which the group to be modified resides.
    Group Name: Select the event field or constant that defines the group that is to be modified.
    User Name: Select the event field or constant that defines the user who is to be removed from the group.

Remove Local User From Group
  Description: This action removes a local user from a specified user group that resides on a particular Agent.
  Fields:
    Agent: Select the event field or constant that defines the Agent on which the group to be modified resides.
    Group Name: Select the event field or constant that defines the group that is to be modified.
    User Name: Select the event field or constant that defines the user who is to be removed from the group.

Remove User-Defined Group Element
  Description: This action removes a data element from a particular user-defined group.
  Fields:
    User-Defined Group: From the User-Defined Groups list, select the user-defined group from which the specified data element is to be removed.
    Value: Select the event field or constant that defines the data element that is to be removed from the specified user-defined group. The fields will vary according to which user-defined group you select.

Reset User Account Password
  Description: This action resets a user account password on a particular Agent.
  Fields:
    Agent: Select the event field or constant that identifies the Agent on which the user password is to be reset. To reset an account at the domain level, specify a domain controller as the Agent.
    Account Name: Select the event field or constant that identifies the user account that is to be reset.
    New Password: Select the event field or constant that defines the user's new password.

Restart Machine
  Description: This action reboots an Agent.
  Fields:
    Agent: Select the event field or constant that identifies the Agent that is to be rebooted.
    Delay (sec): Type the time (in seconds) after the event occurs that the Manager is to wait before rebooting the Agent.

Restart Windows Service
  Description: This action restarts the specified Windows service on an Agent.
  Fields:
    Agent: Select the event field or constant that identifies the Agent on which the Windows service will be restarted.
    Service Name: Select the event field or constant that identifies the name of the service that is to be restarted.

Send Email Message
  Description: This action sends a preconfigured email message to a predetermined email distribution list.
  Fields:
    Email Template: Select the template that the email message is to use.
    Recipients: Click the check boxes to select which users are to receive the email message.
    Email Fields: Either drag a field from the components list, or select a constant from the components list, to select the appropriate data elements that are to appear in each email template field. The fields vary, depending on which email template is selected.

Send Popup Message
  Description: This action displays a pop-up message to an Agent.
  Fields:
    Agent: Select the event field or constant that identifies the Agent that is to receive the pop-up message.
    Account Name: Select the event field or constant that identifies the user account to receive the message.
    Message: Select the event field or constant that defines the message that is to appear on the Agent's monitor.

Shutdown Machine
  Description: This action shuts down an Agent.
  Fields:
    Agent: Select the event field or constant that identifies the Agent that is to be shut down.
    Delay (sec): Type the time (in seconds) after the event occurs that the Manager is to wait before shutting down the Agent.

Start Windows Service
  Description: This action starts the specified Windows service on an Agent.
  Fields:
    Agent: Select the event field or constant that identifies the Agent on which the Windows service is to be started.
    Service Name: Select the event field or constant that defines the Windows service that is to be started.

Stop Windows Service
  Description: This action stops the specified Windows service on an Agent.
  Fields:
    Agent: Select the event field or constant that identifies the Agent on which the Windows service is to be stopped.
    Service Name: Select the event field or constant that defines the Windows service that is to be stopped.

Use the Computer-based active responses in LEM
In this section:

  • Requirements 317
  • To configure the Windows active response connector on a LEM Agent 318
  • Create or clone rules to perform the action 318

To perform Windows-based actions related to computers and computer services on your LEM Agents, use
the following Computer-based active responses. These actions are useful to respond to insider abuse,
computer infections, and other suspicious activity. They can be automated in a LEM rule, or executed
manually from the Respond menu in the LEM console.

  • Disable Windows Machine Account
  • Enable Windows Machine Account
  • Disable Networking
  • Detach USB Device
  • Restart Machine
  • Restart Windows Service
  • Send Popup Message
  • Shutdown Machine
  • Start Windows Service
  • Stop Windows Service

Requirements
Configure the Windows Active Response connector on each LEM Agent on which you want to be able to use
these active responses.

Deploy your LEM Agents and configure the Windows Active Response connector based on where you want
to perform these actions. To perform actions at the domain level, deploy a LEM Agent to at least one
domain controller. To perform actions at the local level, deploy a LEM Agent to each computer you want to
be able to respond to.


To configure the Windows active response connector on a LEM Agent


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click the Manage tab, and then select Nodes.
 3. Locate the LEM Agent on which you want to enable the connector.
 4. Click the gear icon to the left of the LEM Agent, and then select Connectors.
 5. Enter Windows Active Response in the Search box at the top of the Refine Results pane.
 6. Click the gear icon next to the connector, and then select New.
 7. Enter a custom Alias for the new connector, or accept the default.
 8. Click Save.
 9. Click the gear icon next to the new connector, denoted by an icon in the Status column, and then
select Start.
 10. Click Close to exit the Connector Configuration window.

Create or clone rules to perform the action:


 1. When creating or cloning a rule, locate the action in the lower left part of the Rule Creation screen.
 2. Drag the action under the rule Actions.
 3. Fill in the appropriate fields.

Use the Append Text to File active response in LEM
In this section:

  • Requirements 319
  • To configure the Windows active response connector on a LEM Agent 320

Use the Append Text To File active response to append static or dynamic text to a flat text file on your
network. This action is useful for keeping a running list of deployed LEM Agents or tracking certain types of
activity across several users and computers. You can automate this response with a LEM rule, or execute it
manually from the Respond menu in the LEM console.

Requirements
To use this active response, ensure that the file you want to append already exists. Follow these guidelines
when creating the file:

  • Use a .txt file, or a similar flat-text file format.
  • Avoid using spaces in the file path or name.
  • Note the complete file path and name, because you will need it to configure the active response.

Configure the Append Text to File active response and Windows active response connectors on each LEM
Agent on which you want to be able to use this active response.

To configure the Append Text to File action in a rule:

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Create a new rule or edit an existing rule that triggers on a specific event.
 3. Open the rule to edit, and select the actions in the left column.
 4. Drag the Append Text to File action from the left to the Actions box under the rule.
 5. Open the Constants on the left, and then drag the Text field to the empty box next to File Path under
the Append Text to File action.
 6. Using the same event stated in the Correlations, select the event from the Events list on the left and
drag the DetectionIP field from the Fields list to the Agent under this action.
 7. Fill in the directory structure in the File Path under this action, indicating the name of the file.
 8. The Text field under the Append Text to File label contains the text that you are inserting into the
file. If you are using plain text, drag the Text constant from the left to the empty box in the Text field.
 9. Save the rule.


To configure the Append Text to File Active Response connector on a LEM Agent:

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click the Manage tab, and then select Nodes.
 3. Locate the LEM Agent on which you want to enable the connector.
 4. Click the gear icon to the left of the LEM Agent, and then select Connectors.
 5. Enter Append Text to File in the Search box at the top of the Refine Results pane.
 6. Click the gear icon next to the connector, and then select New.
 7. Enter a custom Alias for the new connector, or accept the default.
 8. Specify whether you want the connector to append data to a new line in the How to append menu.
 9. Specify a Maximum file size (MB) or accept the default.
 10. Click Save.
 11. Click the gear icon next to the new connector, denoted by an icon in the Status column, and then
select Start.
 12. Click Close to exit the Connector Configuration window.

To configure the Windows active response connector on a LEM Agent:


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click the Manage tab, and then select Nodes.
 3. Locate the LEM Agent on which you want to enable the connector.
 4. Click the gear icon to the left of the LEM Agent, and then select Connectors.
 5. Enter Windows Active Response in the Search box at the top of the Refine Results pane.
 6. Click the gear icon next to the connector and then select New.
 7. Enter a custom Alias for the new connector, or accept the default.
 8. Click Save.
 9. Click the gear icon next to the new connector, denoted by an icon in the Status column, and then
select Start.
 10. Click Close to exit the Connector Configuration window.

Auto-populate user-defined groups using a LEM rule
You can automate how you populate User-Defined Groups using the Add User-Defined Group Element
active response in a LEM rule. This active response populates a pre-defined user-defined group with static
or dynamic values, as defined by that rule.

Complete the following task to populate a user-defined group based on a specific type of event, such as
when you attach a USB device you want to tag as authorized, or when a user attempts to visit a prohibited
website.

For additional information about working with LEM rules, see "About LEM rules" on page 274.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Build > Rules.
 3. Click in the Rules toolbar to create a new rule.
 4. Enter a name and description for your rule.
 5. Populate the Correlations box with conditions that represent the event you want to trigger your
rule. For the USB example:
 a. Click Events on the components pane on the left, and then enter SystemStatus without any
spaces in the search box.
 b. Click SystemStatus, and then locate EventInfo from the Fields: SystemStatus list.
 c. Drag EventInfo into the Correlations box. The left side of your new condition should read,
SystemStatus.EventInfo.
 d. Enter *Attached* into the Text Constant field, denoted by the pencil icon, on the left side of
your new condition.
 e. To specify a computer for this procedure, create a second condition with
SystemStatus.DetectionIP = *computerName*, where computerName is the
hostname of the computer you want to specify.

In this example, the computer you attach your authorized devices to must have a LEM
Agent with USB Defender installed, whether you specify it in your rule or not.

 6. Click Actions on the components pane, and then locate Add User-Defined Group Element.
 7. Drag Add User-Defined Group Element into the Actions box.
 8. Within the Add User-Defined Group Element, select the appropriate User-Defined Group, such as
Authorized USB Devices. If you do not find the User-Defined Group, perform the following:
 a. Close the action and select Build > Groups.
 b. Click the button at the top right to create your own User-Defined Group, or clone an
existing group.

 9. Populate the action using the alerts present in your Correlations. For the USB example:
 a. Select Authorized USB Devices from the User Defined Group menu.
 b. Click Alerts on the components pane, and then verify that SystemStatus is still selected.
 c. Drag ExtraneousInfo from the Fields: SystemStatus list into the blank Value field in the action.
 10. Select Enable at the top of the Rule Creation window, and then modify the Test and Subscribe
settings if you want.
Putting a rule into Test allows the rule to function as needed, but the rule will not perform any of the
actions listed. In this example, it will not add any information to the User-Defined Group.
 11. Click Save at the bottom of the Rule Creation window.
 12. Click Activate Rules at the top of the main Rules view.

Any time the event you defined in your rule occurs, the value you defined in the Value field of the action
gets added to the user-defined group you specified. In the USB example, the attached device is added to
the Authorized USB Devices group.

Use the Block IP active response in LEM
Use the Block IP active response to block an IP address at your firewall using your LEM Manager. This
action is useful for blocking port scanners, and can be automated in a LEM rule, or executed manually
from the Respond menu in the LEM console.

In this section:

  • Requirements 323

Requirements
You can use the Block IP active response with the following firewalls/modules.

 l Cisco PIX
 l Cisco ASA
 l Cisco Firewall Services Module
 l FortiGate firewalls
 l Juniper NetScreen
 l Check Point OPSEC
 l SonicWALL
 l WatchGuard Firebox (including Vclass)

Configure the Active Response tool for one of the firewalls listed above on your LEM Manager.

To configure the Active Response connector for your firewall:

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click the Manage tab, and then select Appliances.
 3. Click the gear icon to the left of your LEM Manager, and then select Connectors.
 4. Select Firewalls from the Category list, and enter Active Response in the Search box at the top of
the Refine Results pane.
 5. Click the gear icon next to the connector for your firewall, and then select New.
 6. Complete the Connector Configuration form according to your firewall's specifications.
 7. Click Save.
 8. Click the gear icon next to the new connector, denoted by an icon in the Status column, and then
select Start.
 9. Click Close to exit the Connector Configuration window.

To configure the Rule:

 1. Identify the type of data that would trigger the rule. If needed, perform an nDepth search or view
the real-time data being received under Monitor in the Console (filters).
 2. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 3. In the console, choose Build > Rules, click the + button at the top right to create a new rule, and enter
a descriptive name.
 4. Locate the event type in the Events tab, the desired fields from the Field tab, and drag to the
Correlations box.
 5. Click the Actions tab on the left and drag Block IP to the Actions box under the rule being created.
 6. Enter the IP address to be blocked and save the rule.
 7. Click Activate Rules.

ADDITIONAL INFORMATION

The Block IP active response creates a rule on your firewall to block the IP addresses you specify. To allow
an IP address through your firewall, delete or modify the rule on your firewall as appropriate.

Configure the Detach USB Device active response in LEM
In this section:

  • Verify that USB Defender is installed on a LEM Agent 325

  • Configure the Windows Active Response connector on a LEM Agent 325

  • Detach USB devices 326

Use the Windows active response to detach a USB device from a LEM Agent running USB Defender. This
action is useful for allowing only specific devices to be attached to your Windows computers or detaching
any device exhibiting suspicious behavior, and can be automated in a LEM rule, or executed manually from
the Respond menu in LEM console > Node List.

USB Defender is an option when the Agent is originally installed. If not installed at the time of Agent install,
re-install the Agent with USB Defender. Additionally, configure the Windows Active Response tool on each
LEM Agent where you require an active response.

Verify that USB Defender is installed on a LEM Agent


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Manage > Nodes.
 3. If you have a long list of nodes, filter your list using the Node, OS, or USB drop-down menus.

You can install USB Defender only on Windows Agents.

 4. Locate the icon in the USB column that indicates USB Defender is installed on the node.
 5. If USB Defender is not installed on one or more LEM Agents, reinstall the Agent and ensure that you
select Install USB-Defender after you confirm the Manager Communication Settings.

Configure the Windows Active Response connector on a LEM Agent


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Manage > Nodes.
 3. Locate the LEM Agent that requires a new connector.
 4. Click next to the Agent and select Connectors.
 5. Enter Windows Active Response in the Refine Results search box.

 6. Click next to the connector and select New.


 7. Enter a custom alias name for the new connector, or accept the default.
 8. Click Save.
 9. Click next to the new connector and select Start.
 10. Click Close to exit the Connector Configuration window.

Detach USB devices


By default, USB devices are audited, and the USB File Audit Activity filter displays those events. The filter
condition is FileAuditAlerts.ProviderSID=*USB*. To monitor all USB device activity, create a filter for
AnyAlert.ProviderSID=*USB*.

USB devices are not detached by default. You must configure a rule to detach the device. The Templates
grid includes several templates you can clone and modify as needed.

You can enforce USB Defender policy locally. See "Configure the USB Defender local policy
connector in LEM" on page 194 for details.

Configure the Disable Networking active response in LEM
In this section:

  • Re-enable networking on a computer affected by the active response 327

Use the Disable Networking Active Response to disable networking on a LEM Agent at the Windows Device
Manager level. Use this active response for isolating network infections and attacks. You can automate the
active response in a LEM rule or manually execute the response from the Respond menu in the LEM
console.

Use caution with this active response, because it responds to the LEM Agent at the Device Manager level.
To avoid disabling networking unintentionally, consider placing new rules with this action in Test mode
until you are sure your correlations are configured appropriately.

Configure the Windows Active Response connector on each LEM Agent where you need a Disable
Networking active response.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Manage > Nodes.
 3. Locate the LEM Agent that requires a new connector.
 4. Click next to the Agent and select Connectors.
 5. Enter Windows Active Response in the Refine Results search box.
 6. Click next to the connector and select New.
 7. Enter a custom alias name for the new connector, or accept the default.
 8. Click Save.
 9. Click next to the new connector and select Start.
 10. Click Close to exit the Connector Configuration window.

Re-enable networking on a computer affected by the active response


 1. Log in to the computer locally with administrative privileges.
 2. Open Device Manager in Control Panel > Administrative Tools > Computer Management.
 3. Expand the Network adapters group.
 4. Select the network adapter and click Action > Enable.

Configure the Kill Process active response in LEM


In this section:

  • Configure a Kill Process active response rule 328

Use the Kill Process active response to end Windows-based processes in your LEM Agents. This response
helps to stop suspicious or unauthorized processes. You can automate the response using a LEM rule or
manually execute the response from the Respond menu in the LEM console.

Configure the Windows Active Response connector on a LEM Agent where you need an active response.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Manage > Nodes.
 3. Locate the LEM Agent that requires the active response connector.
 4. Click next to the targeted LEM Agent and select Connectors.
 5. Enter Windows Active Response in the Refine Results search box.
 6. Click next to the connector and select New.
 7. Enter a custom alias for the new connector or accept the default.
 8. Click Save.
 9. Click next to the new connector and select Start.
 10. Click Close to exit the Connector Configuration window.

Configure a Kill Process active response rule


You can configure the rule to kill a process by the detection IP address or by the process name. Determine
the type of event that triggers the rule, which is typically an event such as ProcessAudit.

The Kill Process active response functions according to the ProcessID field value of the corresponding LEM
alert. Use Kill Process By ID when the ProcessID value is a number, and use Kill Process By Name when
the ProcessID value is a name.

When you create LEM rules that utilize these actions, consider using both to account for variations
in Windows logging.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Build > Rules.
 3. Select a rule template or an existing rule, or click in the toolbar to create a new rule.

 4. Click the Events tab and select Process Audit.
 5. To kill a process by the detection IP address:
 a. Click the Events tab and select ProcessAudit.
 b. In the Fields: ProcessAudit menu, click and drag the DetectionIP field into the Correlations
box.
To kill a process by name:
 a. Click the Events tab and select ProcessAudit.
 b. In the Fields: ProcessAudit menu, click and drag the DetectionIP field into the Correlations
box.
 c. In the Fields: ProcessAudit menu, click and drag the SourceAccount field into the
Correlations box.
 6. Click Save.
 7. Click Activate Rules.

Building custom filter and rule expressions in LEM


In this chapter:

  • Comparing values with operators in LEM filters and rules 331

• Get started building custom filter expressions in LEM 335

• Configure event filter notifications in LEM 339

• Get started building custom rule expressions in LEM 342

• Use the ToolAlias field in LEM rules and filters to capture traffic
from a specific device 343

Comparing values with operators in LEM filters and rules
This topic documents how to use operators to create custom filter and rule expressions in LEM.

In this topic:

  • About operators in LEM 331

• Select a new operator 331

• Operator tips 332

• Table of operators 332

• Examples of AND and OR conditions 333

About operators in LEM


When configuring a LEM rule or a filter, if you drag an item from the list pane and position it next to an
event variable, an operator icon appears between them. The operator states how the event variable must
compare with the other item to be subject to the rule's or filter’s conditions. For example, an operator
might state that an event must be contained within a Time of Day Set, or it may state that an event only
applies to a particular Connector Profile.

There are two types of operators: Condition and Group.

 l Condition operators are found between your events and their values. Examples include Equals,
Does Not Equal, Contains, and Does Not Contain. Rule Creation only displays the operators that are
available for the values in your Correlations.
 l Group operators are found outside of your correlation groups. The two options are And (blue) and
Or (orange).

The operators that appear between two elements vary depending on your selections. The creation form
only allows comparisons that are logical for the specified elements.

Select a new operator


There are two ways to select an operator for a condition:

 l Ctrl+click the operator to open a menu of valid operators, and then click the operator that you want
to use.
 l Click the operator to cycle through the options that are valid for the current condition.

Operator tips
The following tips apply to operators:

 l When comparing two numeric values, the full range of mathematical operator options is available.
 l An IP address is treated as a string (or text) value. Therefore, operators are limited to “equal” and
“not equal.”
 l DateTime fields have a default value of “> Time Now”, which means greater than the current date and
time.

Table of operators
The following table describes each operator and how it should be interpreted when used as a filter
condition.

A list item (indicated with an * in the following table) can be another event variable, such as an
event field. For example, you may want to evaluate if an event's source is equal to a certain
destination. In this case, you would compare two event fields, such as SourceMachine =
DestinationMachine.

OPERATOR MEANING DESCRIPTION

Exists / Not exist
    Use these operators to specify if a particular event or Event Group exists. Read conditions with these
    operators as follows: “This [event/Event Group] must [exist/not exist].”
    "Not exist" is only used in rules.

is in / is not in
    Use these operators when comparing event fields with groups (such as Event Groups, User-Defined
    Groups, etc.). They determine the filter’s behavior based on whether or not the field is contained in a
    specific Group. Read conditions with these operators as follows:
     l This [event field] must be in this [Group].
     l This [event field] must not be in this [Group].

Equals / Does not equal
    Read conditions with these operators as follows:
     l This [event variable] must equal this [list item*].
     l This [event variable] must not equal this [list item*].
    Text comparisons (for IP addresses, host names, etc.) are limited to “equal” or “not equal” operators.

Greater than / Greater than OR equal to / Less than / Less than OR equal to
    Read conditions with these operators as follows:
     l This [event variable] must be greater than this [list item*].
     l This [event variable] must be greater than or equal to this [list item*].
     l This [event variable] must be less than this [list item*].
     l This [event variable] must be less than or equal to this [list item*].

AND / OR
    Conditions and groups of conditions are subject to AND and OR comparisons.
     l The AND symbol means two or more conditions (or groups) must occur together for the filter to
       apply. This is the default comparison for new groups.
     l The OR symbol means any one of several conditions (or groups) may occur for the filter to apply.
       When comparing groups of distinct events, you must use the OR symbol.
    If you click an AND operator, it changes to an OR, and vice versa.

Examples of AND and OR conditions


Filter groups and conditions, and rule groups and correlations, are all subject to AND and OR conditions.
By default, new groups, conditions, and correlations appear with an AND condition. Both AND and OR
conditions can surround nested groups, and they can be used between groups on the same level to create
complex filter conditions or rule correlations.

EXAMPLE DESCRIPTION

If x AND y AND z occur, report the event.
    If all of the conditions apply, report the event.

If x OR y OR z occurs, report the event.
    If any of the conditions apply, report the event.

If (x AND y) OR z occurs, report the event.
    If conditions x and y occur, or if condition z occurs, report the event.

If (a AND b) OR (x AND y) OR (z) occurs, report the event.
    In this case, you would create three groups, two nested within the third:
     l The nested groups are configured as (a AND b) and (x AND y), joined with an OR.
     l The outer group is configured as (z), surrounding the nested groups with an OR.

“Condition1” AND “Condition2 AND Condition3” OR “Condition4 AND Condition5.”
    In this example, the filter reports the event when it meets the following conditions:
    Condition1 and Condition2 and Condition3, or Condition1 and Condition4 and Condition5.
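To show how the condition operators and the AND/OR groupings described above combine, here is an added example (not code from the LEM guide): a small Python evaluator that applies LEM-style expressions, including the default User Logons filter (UserLogon Exists), the default Firewall filter (Any Alert.ToolAlias = *firewall*), the USB rule correlations from earlier in this chapter, and the (a AND b) OR (x AND y) OR (z) case from the table, to sample events. The event records, field values and user-defined group members are constructed, and case-insensitive wildcard matching is an assumption rather than documented LEM behaviour.

```python
"""Evaluate LEM-style filter and rule expressions against constructed sample events.
Added example, not code from the LEM guide."""
import operator as _op
from fnmatch import fnmatchcase
from numbers import Number

ANY = "AnyAlert"  # stands in for selecting "Any Alert" in the Events list

class Field(str):
    """List item that names another event field, e.g. SourceMachine = DestinationMachine."""

def _eq(left, right):
    """Equals: numbers compare numerically; text constants accept '*' wildcards
    (*firewall*, *Attached*).  Case-insensitive matching is an assumption here."""
    if isinstance(left, Number) and isinstance(right, Number):
        return left == right
    return fnmatchcase(str(left).lower(), str(right).lower())

def _numeric(fn):
    """Range operators are offered only for numbers: an IP address or host name is
    text, so only equal / not equal is valid for it (see Operator tips)."""
    def wrapped(left, right):
        if not (isinstance(left, Number) and isinstance(right, Number)):
            raise TypeError(f"{fn.__name__} needs numbers, got {left!r} and {right!r}")
        return fn(left, right)
    return wrapped

OPERATORS = {
    "=": _eq,
    "!=": lambda left, right: not _eq(left, right),
    "is in": lambda left, right: left in right,  # right: the members of a Group
    "is not in": lambda left, right: left not in right,
    ">": _numeric(_op.gt), ">=": _numeric(_op.ge),
    "<": _numeric(_op.lt), "<=": _numeric(_op.le),
}

class Cond:
    """One condition: <event>.<field> <operator> <list item>."""
    def __init__(self, event, field, op, operand=None):
        self.event, self.field, self.op, self.operand = event, field, op, operand

    def evaluate(self, ev):
        type_ok = self.event == ANY or ev["type"] == self.event
        if self.op == "exists":
            return type_ok
        if self.op == "not exist":  # rules only, per the operator table
            return not type_ok
        if not type_ok or self.field not in ev:
            return False
        right = ev.get(self.operand) if isinstance(self.operand, Field) else self.operand
        return right is not None and OPERATORS[self.op](ev[self.field], right)

class Group:
    """Conditions and nested groups joined by AND (the default) or OR."""
    def __init__(self, *items, op="AND"):
        self.items, self.op = items, op

    def evaluate(self, ev):
        results = (item.evaluate(ev) for item in self.items)
        return all(results) if self.op == "AND" else any(results)

# Constructed sample events; field names follow the guide (ToolAlias, DetectionIP, ...).
EVENTS = [
    {"id": 1, "type": "UserLogon", "ToolAlias": "dc01-windows", "DetectionIP": "10.1.1.1",
     "SourceMachine": "wks01", "DestinationMachine": "wks01"},
    {"id": 2, "type": "TCPTrafficAudit", "ToolAlias": "edge-firewall", "DetectionIP": "10.1.1.254",
     "SourceMachine": "10.1.1.50", "DestinationMachine": "10.1.1.1", "DestinationPort": 443},
    {"id": 3, "type": "SystemStatus", "ToolAlias": "wks02-usb-defender", "DetectionIP": "wks02",
     "EventInfo": "USB device Attached", "ExtraneousInfo": "Example Flash Drive SN-0001"},
    {"id": 4, "type": "SystemStatus", "ToolAlias": "wks03-usb-defender", "DetectionIP": "wks03",
     "EventInfo": "USB device Detached"},
]

# Expressions mirroring the guide's examples.
USER_LOGONS = Group(Cond("UserLogon", None, "exists"))                       # default User Logons filter
FIREWALL = Group(Cond(ANY, "ToolAlias", "=", "*firewall*"))                   # default Firewall filter
AUTHORIZED_USB = Group(Cond("SystemStatus", "EventInfo", "=", "*Attached*"),  # USB rule correlations
                       Cond("SystemStatus", "DetectionIP", "=", "wks02"))
# "(a AND b) OR (x AND y) OR (z)": two nested AND groups and a third, joined by OR.
COMPLEX = Group(
    Group(Cond("UserLogon", "SourceMachine", "=", Field("DestinationMachine")),
          Cond(ANY, "DetectionIP", "is in", {"10.1.1.1", "10.1.1.2"})),
    Group(Cond("TCPTrafficAudit", "DestinationPort", ">=", 1024),
          Cond(ANY, "ToolAlias", "=", "*firewall*")),
    Group(Cond("SystemStatus", "EventInfo", "=", "*Detached*")),
    op="OR",
)

def matching_ids(expr, events=EVENTS):
    """Return the ids of the events the expression would report."""
    return [ev["id"] for ev in events if expr.evaluate(ev)]

def ip_range_is_rejected():
    """'>' on an IP address (a text value) is not a valid operator choice."""
    try:
        Cond(ANY, "DetectionIP", ">", "10.0.0.0").evaluate(EVENTS[0])
    except TypeError:
        return True
    return False
```

Event 2 fails the COMPLEX expression because its port is below 1024, which shows the inner AND group rejecting a record even though the outer group is joined by OR.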

Get started building custom filter expressions in LEM
This topic provides information to help you write custom filter expressions in LEM.

In this topic:

  • About custom filter expressions 335

• Examine the default filters included with LEM 336

• Create conditions to filter event reporting 337

See also:

 l "Create a new LEM filter for real-time monitoring" on page 241 for step-by-step instructions.
 l For help creating filters in Monitor view, see "The Filter Creation form" on page 512

About custom filter expressions


The Filter Creation screen is similar to the Rule Creation screen, but creating filters is more forgiving.
Filters report when events occur, so there is no harm if you create an unusual filter with logic issues.
Create filters using the Filters Creation screen to familiarize yourself with the logic and tools required to
create well-crafted rules.

When creating filter expressions, your conditions can be broad or specific. For example, the All Events filter
does not include specific conditions. As a result, it captures all events, regardless of the source or event
type. Conversely, the User Logons filter includes one condition: UserLogon Exists. This filter only
captures events with the UserLogon event type.

To create a custom filter, click Monitor, click in the Filters toolbar, and select Create. When completed,
the Filter Creation screen appears, providing the tools you need to create a custom filter.

Event filters are based on specific events or event groups listed in the left window pane. You can configure
your new event by dragging and dropping the event attributes into the Conditions and Notifications
configuration boxes. When a LEM Agent or Manager reports an event that matches the event filter
conditions, the event message appears in the events grid when the filter is active.

Each new filter is added to the Filters pane. Selecting a filter activates the filter in the events grid. The
events grid only displays event messages that meet your filter requirements.

For a video presentation about creating filters and monitoring events in LEM, open the following
URL in a web browser:

http://embed.vidyard.com/share/LVjS7MZPtX6MDG9n3E9LLr

Examine the default filters included with LEM


The LEM console includes a variety of filters that support security industry best practices. The following
steps describe how to open a filter and view the filter expression.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Monitor.
 3. In the Filters pane, select the filter you want to examine.
 4. Click and select Edit.
The filter expression opens in the Filter Creation pane.

Create conditions to filter event reporting
The Conditions box appears in the Monitor view when you click in the Filters toolbar and select New
Filter. Use the Conditions box in conjunction with the Filters pane to configure the conditions that
determine events reported by a filter. Conditions are the various rules that state when the filter is to
display an event message.

To define conditions, drag event variables from the events, event groups, and fields lists into the
conditions box. Use the Conditions connectors to configure how these variables compare to other items,
such as time of day sets, connector profiles, user-defined groups, constants, and other event fields.

You can also compare groups with AND/OR conditions. The AND conditions state which events must occur
together before the filter shows an event. The OR conditions state that if any one of several conditions
occur, the filter shows the event. The combined conditions dictate when the event filter displays an event.
The filter ignores (and does not display) any events that do not meet these conditions.

The Conditions connectors enable you to configure relationships between events in the Conditions box
and to establish conditions when the event filter displays the event message.

Below is an example of the Conditions box.

The following table describes each feature of the Conditions box.

ITEM NAME DESCRIPTION

1 Group
    Configures groups based on the fields you drag from the Filters pane. Click ▼ to collapse an
    expanded group.

2 Nested group
    Creates a nested group within the current group. Click to create the nested group.

3 Delete
    Deletes a condition or group, as well as any nested groups. Click to delete the group.

4 Event variable
    Stores event variables (such as events, event groups, and fields) dragged from the Filters pane. As
    event messages stream into the console, the filter analyzes the values associated with each event
    variable to determine if the event message meets the filter conditions.

5 Operator
    Describes how the filter compares the event variable to another item to determine if the event
    meets the filter conditions. Click the operator icon to cycle through and select an operator. Press
    Ctrl and click the operator icon to select an operator from a drop-down list.

6 List item
    Displays the non-event items from the Filters pane. Drag and drop a list item into this field to
    define conditions based on your selected filter.

    Some event variables automatically add a blank constant as the list item. You can overwrite the
    constant with another list item or click the constant to add a specific value for the constant. For
    example, clicking a text Constant turns the field into an editable text box so you can type specific
    text. The text field also allows wildcard characters.

    Each list item has an icon that corresponds to the list it came from. These icons let you quickly
    identify what kinds of items are defining your filter’s conditions.

7 Nested group
    Refines your conditions by comparing one group of conditions to another. You can drag event
    variables and other items from the list pane into the nested group boxes to create the logic for
    highly complex and exact conditions. The example above shows one nested group.

8 Boolean AND operator
    Combines or excludes keywords or fields in a search using the Boolean AND operator.

9 Boolean OR operator
    Combines or excludes keywords or fields in a search using the Boolean OR operator.

Configure event filter notifications in LEM
In this section:

  • Selecting the notification method 339

• Notifications table 339

In Filter Creation, the Notifications box defines how the Console is to notify a user when the filter receives
an event. Each notification option instructs the Console to announce the event in a particular way. You can
have the filter display a pop-up message, display the event in bold text, play a warning sound, have the
filter name blink, or configure a combination of these methods.

Selecting the notification method


 1. In the list pane, click the Notifications list.
 2. Drag one or more notification options from the Notifications list to the Notifications box.
 3. Configure each option, as described in the Notifications table, below.

Notifications table
The following table lists the various notification methods that can be employed to notify a user that a
filter’s event threshold has been met.

 l The Notification column lists each option that is available in the list pane’s Notifications list. They
are alphabetized for easy reference.
 l The Description column briefly states how each option behaves.
 l The Fields column explains the data fields that can be configured for each option.

NOTIFICATION DESCRIPTION FIELDS

Display Popup Message
    Description: This option causes the filter to display the Popup Notification form when receiving an
    event. This form states the name of the filter that is receiving the events, and that the filter’s event
    threshold has been met. From the form, the message recipient can choose to view the filter, to turn
    off the pop-up form for that filter, or to turn off the pop-up form for all filters.

    Fields:
     l Notify on x events received: Type the number of events the filter must receive before displaying
       the Popup Notification form.
     l Repeat on x events received: If you want the pop-up form to appear again after receiving
       repeated events, select the Repeat on check box. Then in the events received box, type how
       many more events the filter should receive before issuing the pop-up form another time.

Display New Events As Unread
    Description: This option displays new events in the filter with bold text. They remain bold until you
    acknowledge them by clicking them or by opening them in the Event Explorer.

    Fields: Not applicable

Enable Blinking Filter Name
    Description: This option causes the filter name to blink in the Filters pane.

    Fields:
     l Color: Click the Color button to open the Blink Color form. Choose a color from one of the three
       color palettes. Then click OK. The filter name will blink in this color.
     l Time (ms): Move the slider to select the amount of time between blinks, in milliseconds.
     l Notify on x events received: Type the number of events the filter must receive before the filter
       tab begins blinking.
     l Repeat on x events received: The filter tab stops blinking once you acknowledge it by selecting
       it. If you want the tab to begin blinking again after receiving repeated events, select the Repeat
       on check box. Then in the events received box, type how many more events the filter should
       receive before it starts blinking again.

Play Sound
    Description: This option causes the filter to play a sound upon receiving an event.

    Fields:
     l Sound/Browse: To select a sound, click the Browse button. Then use the Open form to locate and
       select the sound file that you want to use. Sound files must be of the .wav file type. When you
       are done, the name of the file should appear in the Sound box. To test the sound, click the
       “play” button.
     l Notify on x events received: Type the number of events the filter must receive before playing
       the sound.
     l Repeat on x events received: If you want the sound to play again after receiving repeated
       events, select the Repeat on check box. Then in the events received box, type how many more
       events the filter should receive before the filter plays the sound another time.

Get started building custom rule expressions in LEM


This topic provides information to help you write custom rule expressions in LEM.

In this topic:

  • About custom rule expressions 342

See also:

 l "Rule Creation screen and the Rule Builder form" on page 557
 l "Create a new LEM rule to monitor and respond to events" on page 284 for step-by-step
instructions.
 l "The Rules view" on page 553

About custom rule expressions


Use caution when creating rules. SolarWinds recommends that you practice creating filters before you
start creating rules. Creating rules is similar to creating filters, but filters report event occurrences
whereas rules act on them.

Begin configuring rules when you are comfortable with configuring filters. Always test your rules
before implementing them.

You can create rules by configuring conditions between alert variables and other components (such as
time of day sets, user-defined groups, constants, and so on). Using rules, you can correlate alert variables
with other alerts and their alert variables.

You can configure rules to fire after multiple alerts occur. LEM remembers alerts that meet the basic rule
conditions and waits for additional conditions to be met. The rule does not execute until the alerts meet all
of the conditions and correlations defined for the rule.

When you correlate alert variables, you specify how often and in what time frame the correlations must be
met before the rule is triggered. The combined correlations dictate when the rule initiates an active
response.

Use the ToolAlias field in LEM rules and filters to capture
traffic from a specific device
In this section:

  • Create a filter to capture events from a specific device 343

• Verify that the correct Alias value is associated with the connector 344

The ToolAlias field is useful when you create filters, rules, and searches that target traffic from a specific
device. Every device that sends events to LEM has an Alias property that you can customize with a
device-specific name. Use the ToolAlias field to examine the Alias property and find events that match
your filter criteria.

You can also use the DetectionIP field to monitor events from a device that has a specific IP address,
for example AnyAlert.DetectionIP=10.1.1.1.

Create a filter to capture events from a specific device


Use the ToolAlias field to create a filter that captures traffic from a specific device.

This procedure can also be applied to rules and searches.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Monitor.
 3. Click in the Filters pane and select New Filter.
 4. Select one of the following conditions from the Events or Event Groups list (but don't drag it into
the Conditions box yet):
 l To view all traffic from your device, select Any Alert from the Events group.
 l To view all network events from your device, select Network Audit Alerts in the Event Groups.
 l To view web traffic from your device, select WebTrafficAudit from the Events group.
 5. Below your selection, in the Fields list, select ToolAlias and drag it into the Conditions box.
 6. In the Constant field in the Group box, enter filter criteria that match the Alias property of the device
that you want to track. Use asterisks (*) as wildcard characters so that you do not have to enter the
entire value. For example, consider the default Firewall filter. Its condition is Any Alert.ToolAlias =
*firewall*. This assumes that the firewall connector was configured with a Tool Alias that
includes firewall in the name.
 7. Click Save.
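The condition syntax used above, evaluated in code as an added example (not LEM's filter engine): an event or event group scope, a field, and a constant in which only the asterisk is a wildcard. The event group contents, the sample events, and case-insensitive comparison are assumptions of this example.

```python
"""Added example (not LEM code): evaluate filter conditions of the form
<Event or Event Group>.<Field> = <constant with * wildcards> against
normalized events, as the ToolAlias and DetectionIP conditions do."""
import re

# Constructed stand-in for LEM event groups.  None means "Any Alert" (every
# event type).  The real "Network Audit Alerts" group is larger than this.
EVENT_GROUPS = {
    "Any Alert": None,
    "Network Audit Alerts": {"TCPTrafficAudit", "UDPTrafficAudit", "WebTrafficAudit"},
}


def wildcard_regex(constant):
    """Turn a constant such as '*firewall*' into a compiled regex.  Only '*'
    is a wildcard; every other character is matched literally.  Ignoring
    case is an assumption of this example."""
    parts = constant.split("*")
    return re.compile("^" + ".*".join(re.escape(p) for p in parts) + "$", re.IGNORECASE)


class Condition:
    """One condition: `scope` is an event name or event group, `field` a field
    of that event, `constant` the value to compare (wildcards allowed)."""

    def __init__(self, scope, field, constant):
        self.scope = scope
        self.field = field
        self.pattern = wildcard_regex(constant)

    def matches(self, event):
        # A bare event name behaves like a one-element event group.
        allowed = EVENT_GROUPS.get(self.scope, {self.scope})
        if allowed is not None and event["EventType"] not in allowed:
            return False
        return self.pattern.match(str(event.get(self.field, ""))) is not None


def apply_filter(conditions, events):
    """Return the events that satisfy every condition (conditions AND together)."""
    return [e for e in events if all(c.matches(e) for c in conditions)]


# Constructed events, not output from a LEM Manager.
SAMPLE_EVENTS = [
    {"EventType": "TCPTrafficAudit", "ToolAlias": "Edge Firewall",      "DetectionIP": "10.1.1.1"},
    {"EventType": "WebTrafficAudit", "ToolAlias": "Proxy-Squid",        "DetectionIP": "10.1.1.5"},
    {"EventType": "UserLogon",       "ToolAlias": "Core Firewall Mgmt", "DetectionIP": "10.1.1.1"},
    {"EventType": "UDPTrafficAudit", "ToolAlias": "branch-firewall-2",  "DetectionIP": "10.2.0.1"},
]

# The guide's default Firewall filter: Any Alert.ToolAlias = *firewall*
FIREWALL_FILTER = [Condition("Any Alert", "ToolAlias", "*firewall*")]

# Network events only, from a firewall alias, detected by one IP address.
EDGE_NETWORK_FILTER = [
    Condition("Network Audit Alerts", "ToolAlias", "*firewall*"),
    Condition("Any Alert", "DetectionIP", "10.1.1.1"),
]


def matching_aliases(conditions, events=SAMPLE_EVENTS):
    """Aliases of the sample events that pass the filter, in input order."""
    return [e["ToolAlias"] for e in apply_filter(conditions, events)]


if __name__ == "__main__":
    print("Firewall filter:", matching_aliases(FIREWALL_FILTER))
    print("Edge network filter:", matching_aliases(EDGE_NETWORK_FILTER))
    # Without wildcards the constant must equal the whole alias, so it matches nothing here.
    print("Exact 'firewall':", matching_aliases([Condition("Any Alert", "ToolAlias", "firewall")]))
```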

ADMINISTRATOR GUIDE: LOG & EVENT MANAGER

If your filter does not generate events in the LEM console, verify that the Tool Alias value matches the Alias
property for your device. See the next section for steps.

Verify that the correct Alias value is associated with the connector
The following procedure applies to devices configured to send logs to LEM. To verify Agent connectors, use
this same procedure, but apply it to the Agent associated with the connector instead.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Manage > Appliances.
 3. Click next to the appropriate LEM Manager, and then select Connectors.
 4. At the bottom of the Refine Results pane, select Configured.
 5. Select the connector instance that you want to verify.

Configured tool instances are marked with an icon in the Status column.

 6. Verify that the Alias field value is correct.


To change the Alias property (optional):
 a. Click next to the connector and select Stop.
 b. Click next to the connector and select Edit.
 c. Edit the Alias field value, and then click Save.
 d. Click next to the connector and select Start.
 7. Click Close.

nDepth search: Explore event history using
nDepth and other LEM utilities
The following sections describe how to perform a basic search with nDepth search, use nDepth's graphical
tools, use nDepth with other explorers, and respond to your results.

In this chapter:

• About LEM nDepth search 346
• Open nDepth search in LEM 348
• Search normalized data using nDepth search in LEM 351
• Search raw log messages using nDepth search in LEM 354
• Manage nDepth search queries in LEM: Save, schedule, run on-demand, and more 355
• Visualize search results and take action with nDepth widgets and the Respond menu in LEM 359
• Use the explorer utilities in LEM to search or analyze nDepth query results 363
• Collect and view NetFlow and sFlow data in LEM 365


About LEM nDepth search


In this topic:

• nDepth visual tools 346
• nDepth primary uses 346
• Events and Log Messages 347
• Common data fields in nDepth search 347

The nDepth search engine can locate any event data that passes through a particular LEM Manager
instance. You can use nDepth to conduct custom searches, investigate your search results with graphical
tools, investigate event data in other explorers, and take action on your findings.

For a video presentation about how to use nDepth in LEM, open the following URL in a web browser:

https://play.vidyard.com/legacy/PwhDBJiPvc1k7QeEHpfe9x

nDepth visual tools


nDepth summarizes and displays search results with several different visual tools that can also be
combined into a customizable dashboard. The tools are intuitive and interactive: you can point and click
to refine your searches. Each graphical tool provides an alternative view of the same data, so you can
examine your data from several perspectives. You can also view and explore a text-based view of the
actual data.

nDepth employs drag-and-drop tools that let you configure simple or even complex search criteria. You
can use these tools to dig deeper into your findings by adding search conditions, or by appending text to
existing search strings. nDepth also includes a tool called Search Builder that lets you configure complex
search criteria using the same sort of drag-and-drop interface found in Filter Creation.

nDepth primary uses


Use nDepth to do the following:

 l Search normalized event data.

If the nDepth log retention option is enabled, nDepth search can also search raw (non-
normalized) log messages that are stored separately. See "Configure LEM to store original log
messages (nDepth log retention)" on page 66 to learn more about nDepth log retention.

 l View, explore, and search significant event activity. nDepth summarizes event activity with simple
visual tools that you can use to easily select and investigate areas of interest.
 l Use existing filter criteria from the Monitor view to create similar searches.
 l Conduct custom searches. You can also create complex searches with the Search Builder, which is a
tool that behaves just like the Filter Builder.
 l Save and reuse custom searches. Click a saved search to run it again at any time.
 l Schedule saved searches.
 l Create your own custom widgets for the nDepth Dashboard.
 l Export your findings to a printable report in PDF format, or your search results to a spreadsheet file
in CSV format.
 l Use the Explore menu to investigate nDepth search results with other explorers.
 l Use the Respond menu to take action on any of your findings.

Events and Log Messages


If the nDepth log retention option is enabled, LEM uses two data stores: the first data store is for
normalized event data, and the second data store is for original (raw) event data. Use the following nDepth
modes if nDepth log retention is enabled:

 l Events mode. nDepth summarizes and explores your normalized event data. Normalized data
appears in Monitor view and is stored in the LEM database.
 l Log Messages mode. nDepth summarizes and explores raw log messages received from the original
event logs. Use this mode if you have specific data analysis needs and understand how to interpret
raw log messages generated by network devices and tools.

Data storage is limited. If you have not configured a CMC option for archiving data, LEM will delete
the oldest data to make room for new data.

Common data fields in nDepth search


See "Common data field categories in LEM nDepth search" on page 547.


Open nDepth search in LEM


This topic briefly describes the nDepth view and documents how to open it in the LEM console.

In this topic:

• Open nDepth search 348
• Open nDepth from another data source 349

Open nDepth search


To conduct custom searches in the LEM console, choose Explore > nDepth. Log in as an administrator or
auditor to use nDepth.

By default, the nDepth search period covers the last 10 minutes. Specifically, the search period ends at
the time you open nDepth and begins 10 minutes earlier.

The following illustration provides an overview of the nDepth view.

1. History: Displays links to your recent nDepth search results.
2. Saved Searches: Displays links to your saved nDepth search results.
3. List pane: Displays categorized lists of events, event groups, event variables, and additional options
you can use to create conditions for your filters.
4. Search bar: Searches all event data or the original log messages that pass through a LEM Manager.
Drag the toggle switch to select Drag & Drop or Text Search mode.
5. Respond: Displays a list of corrective actions you can execute when an event occurs, such as shutting
down a workstation or blocking an IP address.
6. Explore: Displays several utilities you can use to research an event, including Whois, Traceroute, and
NSlookup.
7. Time: Provides a drop-down menu to select the time range for your search.
8. Play: Executes the selected search.
9. Histogram: Displays the number of events or log messages reported within the selected search time
range.
10. Dashboard: Displays the search results in all available widgets. You can change this view by clicking a
widget in the nDepth toolbar. The icon indicates you are exploring event data. The icon indicates you
are exploring log messages.
11. nDepth Toolbar: Organizes log data into categories to identify activity in your network. Click a
selection to display the category below the histogram.

Open nDepth from another data source


You can open nDepth from an existing data source, such as an event field or another explorer (such as
NSLookup, Whois, Traceroute, and Flow) to search for similar events and data.

 1. Select the data you want to explore using one of the following methods:
 l In the Monitor view event grid, select the event row or field you want to explore.
 l In the Event explorer’s Event Details pane, event map, or event grid, click the item or field you
want to explore.
 l In an explorer, select the data source you want to explore.


 2. In the Explore menu on the Event grid, click nDepth.


The nDepth screen appears, and the nDepth search box contains the event or event field you are
exploring.
When you initiate an nDepth search from Monitor view, nDepth automatically searches all hosts and
sources for every instance of the selected event field that has occurred within a ten-minute period
around the event that you are exploring. This way, you can identify similar events that occurred
before and after the event you are exploring.

Search normalized data using nDepth search in LEM
This topic describes how to use nDepth to search for normalized event data that passes through a
particular LEM Manager.

In this topic:

• Create an nDepth query 351
• Choose an event in Monitor view to send to nDepth for historical search 351
• Choose a filter in Monitor view to send to nDepth for historical search 352
• Create an nDepth query for all activities by a single user 352
• Delete items from search strings 353
• Adjust the time frame for your nDepth query 353

Create an nDepth query


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
Log in as an administrator or an auditor.
 2. Click Explore > nDepth.
 3. Click x in the search bar to clear all existing parameters.
 4. Drag search items to the search bar and enter a search expression.
 5. Modify the default time frame as required.
 6. Click to begin your search.

Choose an event in Monitor view to send to nDepth for historical search


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
Log in as an administrator or an auditor.
 2. Click Explore > nDepth.
 3. In the nDepth filter sidebar, select a filter.
 4. Locate an event in the event grid that you want to research.
 5. Click Pause to stop the event feed.


 6. Select the event in the grid.


 7. Click the Explore drop-down menu and select nDepth.
The nDepth screen appears, displaying your results.

In the nDepth screen, you can narrow or widen your search timeline using the nDepth histogram. After you
establish your search timeline, click a tool in the nDepth toolbar to review your results.

Choose a filter in Monitor view to send to nDepth for historical search


You can select a real-time filter in Monitor mode to open in nDepth search. This task requires either the
Administrator or Auditor role.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
Log in as an administrator or an auditor.
 2. Click Monitor.
 3. In the filter sidebar, select the filter that you want to send to nDepth.
 4. Click in the Filters pane and select Send to nDepth.
The filter opens in the nDepth search engine.
 5. (Optional) Modify the nDepth search Conditions or time frame to fine tune your search.

Always click Search, denoted by a play button, after altering an nDepth search to get your new
results.

Create an nDepth query for all activities by a single user


Use nDepth to create queries for all activity related to a single user or group of users on your network. This
is currently the only method to perform this level of reporting and monitoring in LEM.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
Log in as an administrator or an auditor.
 2. Click Explore > nDepth.
 3. Click x in the search bar to clear all existing parameters.
 4. Locate the User Name drop-down menu in the Refine Fields list.
 5. Drag User Name into the Search Bar at the top. If you choose a different user, change the user next
to the pencil icon in the search.

 6. Use this selection or change the user name in the Constant text box.
When you change the user name:
 l Use trailing wild card characters (such as *) to search for part of a user name.
 l Avoid using leading wild card characters whenever possible.
 l Use user-defined groups or directory service groups to search for groups of users.
 7. Modify the default time frame as required.
 8. Click to begin your search.

Delete items from search strings


Click next to a condition in the search bar to delete a search string. You can delete individual conditions,
groups of conditions, or the entire string.

Adjust the time frame for your nDepth query


 1. In the search bar, click the time selector drop-down menu and select Custom range.

 2. Select the From and To dates and times in the calendars.
By default, the custom time frame shows the time frame of your last search.

 3. Click outside the calendars to close.

Searches that take several minutes to complete, or that cover a very large number of events, can time
out or return no results.


Search raw log messages using nDepth search in LEM


If the nDepth log retention option is enabled, you can use nDepth to view and search your original, non-
normalized log messages in the LEM console. For details, see "About nDepth log retention" on page 67.

In this topic:

• To view and search original log messages using nDepth 354

To view and search original log messages using nDepth


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
Log in as an administrator or an auditor.
 2. Choose Explore > nDepth.
 3. On the far right of the search bar, move the switch from Events to Log Messages.

This switch only appears if LEM is configured to store original log messages.

 4. Construct an nDepth search as you would for normalized alerts:


 l Use the drag-and-drop components on the left of the nDepth view
 l Switch the search method from Drag & Drop Mode to Text Input Mode on the far left of the
search bar, and enter your search conditions in plain text.
See "Search normalized data using nDepth search in LEM" on page 351 for help.
 5. Click Search.

Manage nDepth search queries in LEM: Save, schedule, run
on-demand, and more
This topic documents how to save an nDepth search query, run it on-demand or at a later date, and export
the search results. It also documents how to edit or delete saved queries.

In this topic:

• Save an nDepth search query 355
• Edit a saved nDepth search query 356
• Run a saved nDepth search query on-demand 356
• Schedule a saved nDepth search query 356
• Delete a saved nDepth search query 357
• Export nDepth search results in CSV format 357
• Export nDepth search results in PDF format 358

Search queries can be saved and scheduled. Save and export your search query for disaster recovery
purposes or to share it with another user when they are logged in to the console. A scheduled search can
email the results to a defined user.

Save an nDepth search query


 1. Create and run an nDepth search query. See "Search normalized data using nDepth search in LEM"
on page 351 for help.
 2. Click in the nDepth toolbar and select Save As.
If you are modifying an existing saved search, click Save.
 3. In the Search Name field enter a report name up to 200 characters in length, and then click OK.

SolarWinds recommends that you include the time frame in your search name, as saved
searches always run with the saved time frame by default. For example, enter All Firewall
Alerts - Last 24 Hours.

 4. Click OK.


Your search appears in the Saved Searches pane appended with an icon.
indicates an event data search.
indicates an original log message search.


Edit a saved nDepth search query


To edit a saved search query, modify it and save it as a new search.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
Log in as an administrator or an auditor.
 2. Click Explore > nDepth.
 3. Click History to display the Saved Searches pane (if required).
 4. In the Saved Searches pane, click the search you want to modify.
 5. Reconfigure the search in the search bar.
 6. Click and select Save.
The search is saved with the new configuration.
 7. (Optional) Delete the old search query if you no longer need it. See "Delete a saved nDepth search
query" on the facing page for help.

Run a saved nDepth search query on-demand


Saved searches are stored and listed alphabetically in the Saved Searches pane.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
Log in as an administrator or an auditor.
 2. Click Explore > nDepth.
 3. Click History to display the Saved Searches pane (if required).
 4. In the Saved Searches pane, click the search you want run. Hover over the search for tooltip
information.
nDepth displays your search data.

Schedule a saved nDepth search query


Schedule a saved search to run automatically at a prescheduled time. You can also share scheduled
searches between users.

If the virtual appliance is offline for an extended amount of time (such as more than a day or two),
the active schedules may not run at the expected time until the appliance is back online for several
hours.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
Log in as an administrator or an auditor.
 2. Click Explore > nDepth.

 3. Click History to display the Saved Searches pane (if required).
 4. Select a Saved Search from the Saved Searches pane.
 5. Click and select Schedule.
 6. Complete the fields as required.

 7. Click OK.

Delete a saved nDepth search query


You can permanently delete a search from your Saved Searches pane.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
Log in as an administrator or an auditor.
 2. Click Explore > nDepth.
 3. In the Saved Searches pane, hover over a search you want to delete.
 4. Click to delete the search.
 5. When prompted, click Yes to confirm.
The saved search is deleted.

Export nDepth search results in CSV format


You can only export text results in CSV format. To export charts and graphs, see the PDF export procedure
below.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
Log in as an administrator or an auditor.
 2. Click Explore > nDepth.
 3. Review all alerts within the last ten minutes.
 4. Modify the search to extend the time frame or use the Refine Fields pane to refine your search
parameters.
 5. Click to retrieve your new results.


 6. Click Result Details.


 7. Click in the Result Details toolbar and select Export.
 8. Click Yes to continue.
 9. Save the file to the appropriate location.

Export nDepth search results in PDF format


You can export the results of your nDepth search to a printable report and save the report as a PDF file.
PDF reports are limited to 25,000 events or log messages. If you need a larger report, use the Result Details
view to export your search results to a spreadsheet in CSV format.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
Log in as an administrator or an auditor.
 2. Click Explore > nDepth.
 3. Review all alerts within the last ten minutes.
 4. Modify the search to extend the time frame or use the Refine Fields pane to refine your search
parameters.
 5. Click to retrieve your new results.
 6. Click Result Details.
 7. Click in the nDepth toolbar and select Export.
 8. Customize your report layout:
 a. Replace nDepth Export Report Title with a custom title as required.
 b. Click the page thumbnails and remove page elements (such as charts, graphics, and text) as
required.
 c. Adjust the page layout to Portrait or Landscape as required.
 d. (Optional) Add a new page, click the Items tab, and drag item elements to add additional charts
to your report.

Some components, such as Result Details, are limited to where they can be dropped.

 e. (Optional) Click the Saved Layouts tab and click to create a new layout or save your layout.
 9. Click Export to PDF.
 10. Save the file to the appropriate location.

Visualize search results and take action with nDepth widgets
and the Respond menu in LEM
This topic documents how to use the Respond menu, and how to work with nDepth widgets.

For details about each nDepth widget type, also see "The nDepth view" on page 521.

In this topic:

• About the Explore and Respond menus 359
• Respond to an event with the nDepth Respond menu 359
• About nDepth widgets 360
• View widget details 361
• Create a search string from a widget item 361
• Create a new nDepth widget with nDepth Widget Builder 361
• Edit an nDepth widget 362
• Add a chart widget to the nDepth dashboard 362

About the Explore and Respond menus


The Respond and Explore drop-down menus are located at the top of the nDepth view.

 l The Respond menu provides a list of corrective actions you can take in response to an event
presented in an explorer, such as shutting down a workstation.
 l The Explore menu lists utilities you can use to investigate an event, event detail, or nDepth search
result. For more information see "Use the explorer utilities in LEM to search or analyze nDepth
query results " on page 363.

Respond to an event with the nDepth Respond menu


Use the actions in the Respond drop-down menu to respond to an issue reported in your nDepth search
results. For example, you can block a hostile IP address or send a user account a pop-up message if you
see an unusual event.

See "About LEM response actions" on page 304 for more information.


 1. Run a search in nDepth. See "Search normalized data using nDepth search in LEM" on page 351 or
"Search raw log messages using nDepth search in LEM" on page 354 for help.
 2. Select a results entry and then choose a response from the Respond menu at the top of the nDepth
page.

About nDepth widgets


nDepth provides a set of default widgets similar to the widgets in the Ops Center.

Each widget represents a high-level graphical view of the specific network activity associated with your
nDepth search results. The widget displays the primary items generating an activity, as well as the count
(or number of incidents) for each item.

Use nDepth explorer views to create new widgets, change the look of existing widgets, add widgets to the
nDepth Dashboard, and remove widgets you no longer use. Click refresh on the widget toolbar to
display the latest data from your network.

View widget details
Click or point to an item in the widget to view details and statistics about the item.

Create a search string from a widget item


You can use items in widgets or any of the nDepth graphical tools to create new search strings, or to
append existing search strings.

 1. On the search bar, click to delete the existing search string.
 2. Click an item on a widget.
A new search string associated with the widget item appears in search box.

To append an existing search string with an item from a widget, click an item on the widget. In the search
box, a new search string associated with the widget item is appended to the existing search string.

Create a new nDepth widget with nDepth Widget Builder


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Choose Explore > nDepth.
 3. Click a view on the nDepth toolbar, such as bar charts, line charts, pie charts, or bubble charts.
The corresponding view appears.
 4. On the view title bar, click to open the nDepth widget builder.
 5. Complete the widget builder selections to configure the new widget.
The new widget appears at the bottom of the chart view.
When you configure the widget and choose the Save to Dashboard option, the new widget also
appears at the bottom of the nDepth dashboard.


Edit an nDepth widget


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Choose Explore > nDepth.
 3. Click a view on the nDepth toolbar, such as bar charts, line charts, pie charts, or bubble charts.
 4. Click on the widget you want to edit.
 5. Use the nDepth Widget Builder to reconfigure the widget.
The updated widget appears at the bottom of the view.
When you configure the widget and choose the Save to Dashboard option, the new widget also
appears at the bottom of the nDepth dashboard.
 6. Click to refresh the widget data.

Add a chart widget to the nDepth dashboard


You can add an nDepth view (such as word cloud, tree view, or result details) to the nDepth Dashboard.
The word cloud, tree view, and result details view display by default. If you remove a view from the
dashboard, use this procedure to restore the view.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Choose Explore > nDepth.
 3. Use the nDepth explorer toolbar to open the chart view you want to work with.
 4. In the view, locate the chart widget you want to add to the dashboard.
 5. In the widget toolbar, click to move the widget to the dashboard.
The widget is copied to the bottom of the nDepth Dashboard.
Click to minimize the widget in the dashboard. To restore the widget, scroll down and click the
widget title bar.

See also:

 l "The nDepth view" on page 521 for information about each nDepth widget type

Use the explorer utilities in LEM to search or analyze nDepth
query results
This topic describes how to open the explorer utilities in LEM. The explorer utilities are available from
Monitor view, the Explore > nDepth view, and the Explore > Utilities view.

In this topic:

• About the Explorer utilities 363
• Open the explorer utilities from the nDepth view to investigate event details 363
• Open the explorer utilities from Monitor view or the Utilities view 364

About the Explorer utilities


LEM includes the following Explorer utilities:

 l Event
 l nDepth
 l NSLookup
 l Whois
 l Traceroute
 l Flow

See "The Utilities view" on page 540 for documentation about each explorer. For the Flow utility, also
see "Collect and view NetFlow and sFlow data in LEM" on page 365.

Use these explorers to investigate event details in your nDepth search results. For example, you can
investigate a suspicious IP address with the NSLookup, Traceroute, or Whois explorers to better
understand who the IP address is assigned to.

Open the explorer utilities from the nDepth view to investigate event
details
 1. Run a search in nDepth. See "Search normalized data using nDepth search in LEM" on page 351 or
"Search raw log messages using nDepth search in LEM" on page 354 for help.
 2. Select a results entry and then click the Explore menu to choose an explorer utility.
 3. Type the event details into the appropriate explorer field, and then click Search or Analyze
(depending on the type of explorer you chose).


Open the explorer utilities from Monitor view or the Utilities view
You can manually explore an IP address, host name, or domain name by opening an explorer in Monitor
view or the Utilities view.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Choose Explore > Utilities, or choose Monitor.
 3. Click the Explore menu in the top-right corner to choose an explorer utility.
 4. Type the event details into the appropriate explorer field, and then click Search or Analyze
(depending on the type of explorer you chose).

Collect and view NetFlow and sFlow data in LEM
This topic describes how to enable and view NetFlow and sFlow data. The Flow utilities are available from
Monitor view, the Explore > nDepth view, and the Explore > Utilities view.

In this topic:

• About the Flow explorer 365
• Enable Flow collection and analysis in LEM 365
• View Flow data in the LEM console 366

About the Flow explorer


Flow explorer performs flow analysis to determine which IP addresses or ports are generating or receiving
the most network traffic. Use this explorer to analyze the volume of data (in bytes or packets) transferring
to or from an IP address or port number on your network.

For example, if an unknown IP address displays at the top of the Flow explorer’s activity list, you can select
a bar on the graph or a row in the table and choose the Whois explorer from the Explore menu to identify
the IP address and why it is transmitting so much data.

LEM supports Flow exports from both NetFlow and sFlow devices. Use the Flow explorer in the LEM console
to view graphs, charts, and grids, as well as:

 l Top Talkers by Internet Assigned Numbers Authority (IANA)-based Protocol
 l Top Talkers by Port
 l Top Talkers by Source/Destination Address
 l Top Talkers by Total Bytes
 l Top Talkers by Total Packets

See the manufacturer's documentation to configure your devices to send Flow data to LEM. LEM receives
NetFlow data on UDP port 2100 and sFlow data on UDP port 6343.
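To show what arrives on that NetFlow port and how the Top Talkers views summarize it, here is an added example (not LEM code) that decodes a NetFlow v5 export datagram and totals bytes and packets per source address, destination port, and IANA protocol. The datagram is constructed locally with struct so the example runs offline; the flows use documentation IP ranges and are not captured traffic.

```python
"""Added example (not LEM code): parse a NetFlow v5 datagram and build
Top Talkers summaries.  sFlow (6343/UDP) uses a different encoding, not shown."""
import socket
import struct
from collections import Counter

NETFLOW_V5_PORT = 2100                                   # LEM's NetFlow listener (UDP)
NETFLOW_V5_HEADER = struct.Struct("!HHIIIIBBH")           # 24 bytes
NETFLOW_V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes per flow
IANA_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}         # subset of IANA protocol numbers


def build_datagram(flows):
    """Pack (src, dst, proto, srcport, dstport, packets, octets) tuples into a
    NetFlow v5 datagram.  Uptime, timestamps and AS fields are left at zero."""
    header = NETFLOW_V5_HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    records = b"".join(
        NETFLOW_V5_RECORD.pack(
            socket.inet_aton(src), socket.inet_aton(dst), b"\x00" * 4,  # src, dst, nexthop
            0, 0,                    # input / output interface index
            packets, octets,         # dPkts, dOctets
            0, 0,                    # first / last sysuptime
            sport, dport,
            0, 0, proto, 0,          # pad, tcp_flags, protocol, tos
            0, 0, 0, 0, 0)           # src_as, dst_as, src_mask, dst_mask, pad
        for src, dst, proto, sport, dport, packets, octets in flows)
    return header + records


def parse_datagram(data):
    """Decode a NetFlow v5 datagram into flow dicts.  Other versions and
    truncated datagrams are rejected rather than read as garbage."""
    if len(data) < NETFLOW_V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count = NETFLOW_V5_HEADER.unpack_from(data)[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(data) < NETFLOW_V5_HEADER.size + count * NETFLOW_V5_RECORD.size:
        raise ValueError("datagram truncated: fewer records than the header promises")
    flows = []
    for i in range(count):
        f = NETFLOW_V5_RECORD.unpack_from(data, NETFLOW_V5_HEADER.size + i * NETFLOW_V5_RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "packets": f[5], "bytes": f[6],
            "srcport": f[9], "dstport": f[10],
            "protocol": IANA_PROTOCOLS.get(f[13], str(f[13])),
        })
    return flows


def top_talkers(flows, key, measure="bytes", n=5):
    """Sum `measure` ('bytes' or 'packets') per distinct value of `key`, largest first."""
    totals = Counter()
    for flow in flows:
        totals[flow[key]] += flow[measure]
    return totals.most_common(n)


# Constructed flows: (src, dst, proto, srcport, dstport, packets, octets).
SAMPLE_FLOWS = [
    ("10.0.0.5",  "203.0.113.10", 6,  51234, 443, 120, 180000),
    ("10.0.0.5",  "203.0.113.10", 6,  51235, 443, 40,  60000),
    ("10.0.0.9",  "198.51.100.7", 17, 53211, 53,  10,  1200),
    ("10.0.0.9",  "203.0.113.10", 6,  40000, 80,  500, 750000),
    ("10.0.0.12", "198.51.100.7", 1,  0,     0,   5,   420),
]

if __name__ == "__main__":
    flows = parse_datagram(build_datagram(SAMPLE_FLOWS))
    for view, key, measure in (("Source Address", "src", "bytes"),
                               ("Port", "dstport", "packets"),
                               ("Protocol", "protocol", "bytes")):
        print(f"Top Talkers by {view} ({measure}):", top_talkers(flows, key, measure))
```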

Enable Flow collection and analysis in LEM


 1. Open the CMC command line. See "Log in to the LEM CMC command line interface" on page 34 for
steps.
 2. At the cmc> prompt, enter service.
 3. At the cmc::service> prompt, enter enableflow.
 4. To confirm your entry, enter y.
The Manager service on LEM automatically restarts.


 5. At the prompt, enter y to collect and analyze Flow data on this LEM appliance. If Flow Analysis should
instead run against Flow data collected on another system, enter n and follow the prompts to select
the Flow collector.
 6. Enter exit and press Enter to return to the cmc> prompt.
 7. Enter exit and press Enter to log out of LEM.

View Flow data in the LEM console


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Monitor.
 3. Click the Explore drop-down menu and select Flow.
The Flow Explorer presents data in graph, chart, or grid formats.

LEM reports: Create reports for regulatory and
compliance purposes
In this chapter:

• About LEM reports 368
• Setting up the LEM reports application 370
• The LEM reports application interface 374
• The Preferences group 379
• Find, filter, and group LEM reports 381
• Run a LEM report on-demand or schedule a LEM report to run later 397
• Create a custom LEM report 413
• Use the Select Expert tool to create a more focused LEM report 417
• Manage LEM reports: Open, print, and more 420
• Default reports included with LEM 428

page 367
ADMINISTRATOR GUIDE: LOG & EVENT MANAGER

About LEM reports

This topic introduces LEM reports and describes how to open the LEM reports application.

See "Install the LEM reports application" in the LEM Installation Guide if you have not yet installed the
reports application.

In this topic:

  • LEM reports overview 368
  • Open the LEM reports application 369
LEM reports overview

The LEM reports application converts data in the LEM database into information you can use to troubleshoot
and identify network problems. Run reports against your Log & Event Manager database to view events and
trends and make informed decisions about your network activity and security. Over 200 standard and
industry-specific reports are included.

About report categories

LEM reports are organized into categories:

  • Standard Reports ship with LEM. Most standard reports capture specific event data that occurs
    during a particular period.
  • Industry Reports support the compliance and auditing needs of certain industries (such as
    financial services and healthcare), and the accountability requirements of publicly-traded
    companies.
  • Custom Reports displays reports you created to meet a specific need.
  • Favorite Reports displays the standard, industry, and custom reports you use most often. You can
    add reports to and remove reports from this category as needed.

Standard and custom reports are the same kind of report. The only difference is that custom reports are
created specifically by (or for) you and are not documented in this guide.

About report levels

There are three LEM report levels:

  • A master report is a standard report that includes a series of subtopics, where each subtopic
    contains a specific set of details about the higher-level master topic. Together, these topics create
    the report, similar to chapters in a book. Master reports include a graphical summary page.
  • A detail report includes all events and event details.
  • A top report includes the top events for a selected category.

About scheduled and on-demand reports

The reports application can run scheduled or on-demand reports:

  • Scheduled reports run automatically on a schedule you configure, without intervention.
  • On-demand reports are reports you run only when you need them.

SolarWinds recommends identifying who needs to receive performance or status reports, and how
often they should receive them.

After you run a report, you can print it or export it to several supported formats, including PDF and
Microsoft Word.

Open the LEM reports application

Launch Reports as an administrator the first time you run the application. Depending on your Windows
security setup, you may always need to run Reports using the Run as administrator option. See "To
automatically Run as administrator every time you run Reports" below for help.

 1. Log on to the Windows computer on which the LEM reports application is installed.
 2. Click Start and select All Programs.
 3. Choose the SolarWinds folder, and then click the Reports shortcut.
    The LEM reports application opens.

To automatically Run as administrator every time you run Reports

 1. Right-click the Reports application shortcut and select Properties.
 2. On the Shortcut tab, click Advanced.
 3. Select the Run as administrator check box and click OK.
Setting up the LEM reports application

Complete the steps in this topic after you install the reports application.

See "Install the LEM reports application" in the LEM Installation Guide if you have not yet installed the
reports application.

In this topic:

  • Configure the LEM reports application to communicate with the LEM database 370
  • Secure the LEM reports application 371
  • Select a default primary data source 372
  • Configure a syslog server (Optional) 372
Configure the LEM reports application to communicate with the LEM database

SolarWinds recommends that you create a dedicated service account for use with the LEM reports
application. See "Create a local LEM user account" on page 103 for instructions, and specify Reports
in the LEM Role field. Accounts with the Administrator and Auditor roles can also use the LEM reports
application.

 1. Open the LEM reports application. See "Open the LEM reports application" on the previous page for
    steps.
    • Launch Reports as an administrator the first time you run the application. Depending on your
      Windows security setup, you may always need to run Reports using the Run as administrator
      option. See "Open the LEM reports application" on the previous page for help.
    • The first time you open Reports, a pop-up window displays the message A manager list was not
      found. Please create a list containing at least one manager. This is not an error. Click OK to
      close the pop-up window.
 2. On the Settings tab, click the Configure button (the button with a gear icon).
 3. Choose Managers - Credentials and Certificates.
 4. Complete the fields as required.
    a. Manager name – Enter the IP address of the LEM Manager.
    b. User name – Enter the name of the service account you created for the LEM reports application.
    c. Password – Enter the password for the service account.
    d. Click the green + button to save the credentials.
    e. Close the window.
 5. Click Test Connection to verify the connection.
    See "Troubleshoot the LEM reports application database connection" on page 622 if the connection
    fails.
 6. Click OK.
    The reports application is connected to the LEM database server.

Secure the LEM reports application

To secure the LEM reports application, see the following topics in the "Securing LEM" section of the
LEM Administrator Guide:

  • "Restrict access to the LEM reports application" on page 77
  • "Enable transport layer security (TLS) in the LEM reports application" on page 78
Select a default primary data source

Select the primary data source connection to use for running reports when you open the LEM reports
application. The connection you select becomes the default setting in the Data Source drop-down menu.

You can select a different data source after you open the LEM reports application. The next time you open
the application, the setting reverts to the primary data source.

 1. Open the LEM reports application. See "Open the LEM reports application" on page 369 for steps.
 2. On the Settings tab, click Configure and select Primary Data Source.
 3. In the Primary Data Source list, select the default data source.
 4. Click Test Connection to verify your connection to the data source.
    If the test succeeds, Ping Test success displays in the dialog box. If the test fails, an error message
    displays. See "Troubleshoot the LEM reports application database connection" on page 622.
 5. Click OK.
    The default primary data source is configured.
Configure a syslog server (Optional)

You can enable a LEM Manager to send report log information to a syslog server to record all report-
related events and application messages. The server logs basic report activity, such as the user name,
report type, targeted database, report time, and any error messages that occur while generating the
report.

The syslog server is set to the Primary Manager by default, but can be set to any server running a standard
syslog service. The server must have a LEM Agent installed to communicate with the LEM Manager.

 1. Open the LEM reports application. See "Open the LEM reports application" on page 369 for steps.
 2. On the Settings tab, click Configure and select Syslog Server.
    The Set Syslog Server form displays.
 3. In the Syslog Server (Host Name) box, enter the server host name.
 4. Click Test.
    The system tests the connection.

    You must test the connection before the server can be accepted. The test is a ping, so a successful
    test confirms only that the host name resolves and the host answers ICMP; it does not confirm that
    the host is running a syslog server or that the syslog port is reachable.

    • If the ping test succeeds, "The Ping Test succeeded" displays in the dialog box with the host IP
      address.
    • If the ping test fails, an error message displays. Verify that you entered a host name that
      matches a valid DNS entry, and click Test again.
 5. Click OK.
    The syslog server is configured.
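Because the ping test above proves only name resolution and ICMP reachability, a practitioner normally
follows it with a message that the target must actually log. As an added example (not part of the guide
and not SolarWinds code), the following Python script formats an RFC 3164 syslog line, sends it as a UDP
datagram to a target, and parses the PRI field back out so the receiving side can be checked; a loopback
self-test proves the formatter and parser agree without touching the network. The UDP port 514, the
example hostname in the commented-out call, the LEMReports tag, and the fixed timestamp are
assumptions; the guide does not state the port or message format that LEM uses for report logging.

```python
"""Send and check an RFC 3164 syslog datagram (added example, not LEM code)."""
import datetime
import socket

FACILITY_USER = 1       # RFC 3164 facility code for user-level messages
SEVERITY_INFO = 6       # RFC 3164 severity code for informational messages
SYSLOG_UDP_PORT = 514   # assumed: the guide does not state the port the syslog target listens on

# Constructed timestamp so the formatted line is reproducible; not taken from a real log.
SAMPLE_TIME = datetime.datetime(2017, 10, 19, 14, 3, 5)


def pri(facility: int, severity: int) -> int:
    """RFC 3164 PRI is facility * 8 + severity; reject values outside the defined ranges."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity


def format_message(hostname, tag, text, facility=FACILITY_USER, severity=SEVERITY_INFO, when=None):
    """Build an RFC 3164 line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: text (the day is space-padded)."""
    if "\n" in text:
        raise ValueError("syslog messages are single-line; an embedded newline would split the record")
    when = when or datetime.datetime.now()
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri(facility, severity)}>{stamp} {hostname} {tag}: {text}"


def parse_message(line: str):
    """Split the PRI back into (facility, severity, remainder) to verify what a receiver would see."""
    end = line.find(">")
    if not line.startswith("<") or end < 2 or end > 4 or not line[1:end].isdigit():
        raise ValueError("missing or malformed PRI")
    value = int(line[1:end])
    return value // 8, value % 8, line[end + 1:]


def send_message(host: str, port: int, message: str) -> int:
    """Send one datagram; UDP is unacknowledged, so confirm arrival in the target's syslog."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(message.encode("ascii", "replace"), (host, port))


def sample_message() -> str:
    """A fixed example line so the format can be inspected without sending anything."""
    return format_message("reports-host", "LEMReports", "connectivity test", when=SAMPLE_TIME)


def loopback_check():
    """Self-test: receive our own datagram on 127.0.0.1 to prove the formatter and parser agree."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2)
        msg = format_message("reports-host", "LEMReports", "connectivity test")
        send_message("127.0.0.1", rx.getsockname()[1], msg)
        data, _ = rx.recvfrom(2048)
    return parse_message(data.decode("ascii"))


if __name__ == "__main__":
    print(sample_message())
    print(loopback_check())
    # To probe the configured target (assumed hostname), uncomment and look for the line in its syslog:
    # send_message("syslog.example.internal", SYSLOG_UDP_PORT, sample_message())
```

A line that arrives in the target's syslog proves the port is open and a syslog daemon is listening, which is
exactly what the ping test cannot tell you; a line that never arrives with ping still succeeding points at a
host firewall or a daemon bound to the wrong interface.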

page 373
ADMINISTRATOR GUIDE: LOG & EVENT MANAGER

The LEM reports application interface

This topic describes the LEM reports application interface. See "About LEM reports" on page 368 for a LEM
reports overview and steps to open the reports application.

In this topic:

  • The Reports application features 374
  • Menu button 376
  • Quick Access toolbar 377
  • Minimize the ribbon 379

The Reports application features

This section describes the Reports application interface and its key features.
The following table describes the reports application.

ITEM  NAME                       DESCRIPTION

1     Menu button                Opens, saves, or prints a report. Also provides additional options for
                                 your report.

2     Quick Access Toolbar       Contains a set of commands independent of the currently-selected tab.
                                 You can customize the toolbar by adding buttons for the commands you use
                                 most often, and move the toolbar to one of two locations. See "Quick
                                 Access toolbar" on page 377 for more information.

3     Ribbon                     Holds the commands you need to complete a task. Commands are organized
                                 in logical groups under tabs. Each tab relates to a type of activity,
                                 such as running and scheduling reports, or viewing and printing reports.
                                 To save space, you can minimize the ribbon so that only the tabs display.
                                 See "Minimize the ribbon" on page 379 for more information.

4     Settings tab               Helps you select the reports you want to run, open, and schedule. You can
                                 also configure reports and the report data source settings.

5     View tab                   Provides options to print, export, resize, and view a report. Click this
                                 tab after you run a report to view the report contents.

6     Grouping bar               Provides options to group, sort, and organize the reports list.

7     Report list/Preview pane   Displays a list of standard reports by default. When you select a new
                                 report category, the grid displays the reports for that category. Use
                                 this grid to select the report that you want to run or schedule. You can
                                 also filter and sort the grid to quickly find the reports you want to
                                 work with.

                                 When you open or run a report, this section changes into a report
                                 preview pane that displays the report. The ribbon automatically switches
                                 to the View tab with a toolbar to print, export, resize, or view the
                                 report.
Menu button

Click the menu button to open a drop-down menu of the most common report commands, described below.

MENU OPTION           DESCRIPTION

Open Report           Opens a report saved in RPT format. The report opens in the Reports Preview pane
                      on the View tab, where you can view, search, print, and export the report. You can
                      also view and open recently-opened report files.

Export Report         Exports the selected report.

Schedule Report       Configures a schedule to automatically run the report selected in the report list.

Print Report          Prints your selected report to your default printer.

Printer Setup         Opens a Print Setup dialog box to select a printer and customize the print settings.

Refresh Report List   Refreshes the report list for each report category. Select this option when you add
                      new report files (such as new custom reports) that do not appear in the report list.

Exit                  Closes the Reports application.
Quick Access toolbar

The Quick Access toolbar contains a set of commands that are independent of the active tab. You can
customize the toolbar by adding buttons for the commands you use most often, and you can move the
toolbar to one of two locations.

The Quick Access toolbar

Default commands

By default, the Quick Access Toolbar shows the commands listed in the following table.

COMMAND               DESCRIPTION

Open                  Opens a report saved in RPT format. The report opens in the Reports Preview pane on
                      the View tab, where you can view, search, print, and export it.

Run                   Runs the report currently selected in the report list. If the report requires any
                      parameters, the Enter Parameter Values form displays. See "Run a LEM report
                      on-demand or schedule a LEM report to run later" on page 397.

Refresh Report List   Refreshes the report list for each report category. Use this command if you added
                      new report files (such as new custom reports) and they do not appear in the report
                      list. This command reads the Reports directory on your computer, retrieves
                      information about all of the reports, and rebuilds the lists for each report
                      category.

Exit                  Exits the Reports application.

Customize the Quick Access Toolbar

You can customize the toolbar by adding or removing any command displayed on the ribbon, so that the
toolbar holds the commands you use most often.
 1. Click the drop-down list next to the Quick Access Toolbar.
 2. In the Customize Quick Access Toolbar form, add or remove commands from the toolbar.
    To add a button to the toolbar, select the corresponding command check box.
    To remove a button from the toolbar, clear the corresponding command check box.
    To choose from a list of additional commands, click More Commands and use the Customize view to
    add commands to or remove commands from the toolbar.

TO ADD COMMANDS FROM THE RIBBON:

 1. On the ribbon, click the appropriate tab or group to display the command you want to add to the
    toolbar.
 2. Right-click the command and click Add to Quick Access Toolbar on the shortcut menu.
    The command displays in the toolbar.

Move the Quick Access Toolbar

The Quick Access Toolbar is located in the upper-left corner of the window next to the menu button
(default) or below the ribbon. You can move the toolbar to the other location.

 1. Click the drop-down list next to the Quick Access Toolbar.
    The Customize Quick Access Toolbar form displays.
 2. In the Customize Quick Access Toolbar form, move the toolbar below or above the ribbon.
    To move the toolbar below the ribbon, click Show Quick Access Toolbar Below the Ribbon.
    To move the toolbar above the ribbon, click Show Quick Access Toolbar Above the Ribbon.
Minimize the ribbon

You can minimize the ribbon to make more space available on your screen. When the ribbon is minimized,
only the tabs display.

To keep the ribbon minimized, click the drop-down list next to the Quick Access toolbar and select
Minimize the Ribbon. To use the ribbon while it is minimized, click the tab you want to use and select the
option or command you want. After you click the command, the ribbon returns to the minimized view.

To restore the ribbon, click the drop-down list next to the Quick Access Toolbar and clear the Minimize the
Ribbon check box.

To toggle between full and minimized view, double-click the name of the active tab or press Ctrl+F1.

The Preferences group

Use the Configure drop-down menu in the Preferences group to link the LEM reports application to a data
source (such as a LEM Manager). You can select a primary data source, a syslog server, or a data
warehouse.

The following table describes each option in the Preferences group.

PREFERENCE / OPTION      DESCRIPTION

Configure

  Primary Data Source    Provides the default data source for running reports when you open the LEM
                         reports application. This option becomes the default setting in the Data Source
                         drop-down menu.

  Syslog Server          Enables the selected LEM Manager to send report log information to a syslog
                         server. This server logs basic report activity, such as the user name, report
                         type, targeted database, report time, and any error messages that occur while
                         generating the report.

  Managers - Credentials Enables the LEM reports application to communicate with the LEM database
  and Certificates       server. You can use the Reports credentials to provide secure reporting, audit
                         users who access the server running on the LEM VM, enable third-party
                         authentication servers (such as Active Directory) for LEM reporting, and set up
                         roles for user access to prevent unauthorized users from accessing the LEM
                         reports application.

                         The selected LEM Manager name or IP address displays in and above the Reports
                         Data Sources drop-down menu.

Data Source

  Data Source            Selects the targeted data source for running reports. When you select a data
                         source in the drop-down menu, it temporarily overrides the Primary Data Source
                         (default) you selected in the Configure drop-down menu.
Find, filter, and group LEM reports

This topic describes how to find and work with LEM reports.

In this topic:

  • Find a LEM report by title 381
  • Find reports for specific industries 381
  • View LEM report properties 384
  • Filter and sort LEM report lists in the reports application 384
  • Manage report categories 386
  • Create a list of favorite LEM reports 387
  • Remove a report from the Favorites tab 389
  • Search LEM reports for specific text 389
  • Customize and share report filters in the LEM reports application 390
  • Categorize and display LEM reports by group 393

Find a LEM report by title

 1. Open the LEM reports application. See "Open the LEM reports application" on page 369 for steps.
 2. Click the Settings tab.
 3. Click the Category drop-down menu and select the category that contains your targeted report.
 4. Click a report title and begin typing the report name.
    The console highlights the first report that matches your text. For example, if you click Standard
    Reports and enter Event, the system highlights Event Summary, which is the first matching report title.

Find reports for specific industries

Use the Industry Setup tab to select the industries and areas of regulatory compliance related to your
company. This reduces the number of reports that display in the Industry Reports list.

 1. Open the LEM reports application. See "Open the LEM reports application" on page 369 for steps.
 2. On the Settings tab, click Manage and select Manage Categories.
 3. In the Manage Categories form, click the Industry Setup tab.
    The Classifications section lists the industries and regulatory areas supported by the standard
    reports. The Reports for section displays the standard reports that support your classification
    selections.
 4. Select the check box for each industry related to your company.
    The Reports for section displays all standard reports that support your selected industry.
 5. Select the check box for each regulatory area related to your company.
    See "Industry options" below for more information.
 6. Click OK.

Industry options

Industry reports are standard reports designed to support the compliance and auditing needs of certain
industries. SolarWinds provides reports that support the financial services and health care industries, as
well as the accountability reporting needs of publicly traded companies. The following table describes the
compliance and auditing areas supported in the reports.

SUPPORTED INDUSTRY        DESCRIPTION

Education

  FERPA                   Family Educational Rights and Privacy Act (FERPA), which gives parents and
                          eligible students certain rights with respect to the student's education
                          records.

Federal

  CoCo                    UK Code of Connection regulations.

  DISA STIG               Defense Information Systems Agency (DISA) Security Technical Implementation
                          Guides (STIGs).

  FISMA                   Federal Information Security Management Act (FISMA).

  NERC-CIP                North American Electric Reliability Corporation (NERC) Critical Infrastructure
                          Protection (CIP) reliability standards.

Finance

  CISP                    Cardholder Information Security Program, which helps safeguard credit card and
                          bank card transactions at the point of sale, over the Internet, on the phone, or
                          through the mail. CISP helps protect cardholder data for cardholders, merchants,
                          and service providers.

  COBIT                   Control Objectives for Information and related Technology (COBIT). COBIT is an
                          open standard for IT security and control practices. It includes more than 320
                          control objectives and audit guides for more than 30 IT processes.

  GLBA                    Gramm-Leach-Bliley Act (GLBA). GLBA requires financial institutions to protect
                          the security, integrity, and confidentiality of consumer information. It affects
                          banking institutions, insurance companies, securities firms, tax preparation
                          services, all credit card companies, and all federally insured financial
                          institutions. Security information and event management (SIEM) plays a vital
                          role in GLBA compliance.

  NCUA                    National Credit Union Administration (NCUA). NCUA is the federal agency that
                          charters and supervises federal credit unions and insures savings in federal and
                          most state-chartered credit unions across the country through the National
                          Credit Union Share Insurance Fund (NCUSIF), a federal fund backed by the United
                          States government.

  PCI                     Payment Card Industry (PCI) Data Security Standard requirements of Visa CISP
                          and AIS, MasterCard SDP, American Express, and Discover Card.

  SOX                     Sarbanes-Oxley (SOX) Act of 2002. Sarbanes-Oxley protects company investors by
                          improving the accuracy and reliability of corporate disclosures made pursuant
                          to securities laws. Provisions within Sarbanes-Oxley hold executive management
                          and the board of directors liable for criminal and civil penalties.
                          Specifically, under Section 404 of the Sarbanes-Oxley Act, executives must
                          certify and demonstrate that they have established and are maintaining an
                          adequate internal control structure and procedures for financial reporting.

General

  GPG13                   Good Practice Guide 13 (GPG13), a mandatory aspect of CoCo compliance.

  ISO 17799/27001/27002   ISO 17799, ISO 27001, and ISO 27002 international security standards.

Healthcare

  HIPAA                   Health Insurance Portability and Accountability Act (HIPAA), which requires
                          national standards for electronic health care transactions.
View LEM report properties

In the reports grid, select a report and click Report Properties. A dialog box displays information about
the report.

Filter and sort LEM report lists in the reports application

In this section:

  • Filter the report list to reduce the number of listed reports 385
  • Change a filter setting 385
  • Sort the report list 386
  • Turn off report filters 386

Use the Reports window to filter your report list and display only those reports associated with a particular
report title, category, level, or type. You can also apply more than one filter at a time to display a very small
subset of the report list. If required, you can create your own custom filters and save them for later use.

Each report list column header includes a drop-down menu that displays the filter options for that column.
For example, selecting Audit in the Category column's menu reduces the list to show only the reports in
the Audit category.

When you apply a filter, a yellow status bar appears below the reports list. The status bar lists which filters
are currently applied. You can use this list to remove each filter individually, or to remove them all at once.

Filter the report list to reduce the number of listed reports

 1. Decide which column you want to use for the filter.
 2. Click the column header's drop-down menu and select a filter option.
    The report list refreshes to display the filtered list.
 3. Repeat Step 2 for each additional filter you want to apply.

Change a filter setting

In the status bar below the report list, click the filter and select a different filter option from your list of
most commonly-used filters.
Sort the report list

You can sort the report list by clicking the column headers. This sorts the entire report list by the contents
of your selected column in either ascending or descending order.

  • The column header displays a sort indicator showing that the report list is sorted by this column in
    ascending order.
  • Click the column header again to reverse-sort the report list in descending order. The sort indicator
    changes to show that the report list is sorted by this column in descending order.

Turn off report filters

In the Reports window, when you are finished with a report filter, you can turn it off. Turning off a filter
refreshes the report list so that it displays the list without that column filter. You can turn off a single filter
or all of the filters at once.

To turn off a filter, clear the check box next to the filter in the status bar.

To turn off all of the filters, click the close (x) button in the status bar. The report list refreshes to display
the list without any filters.

Manage report categories

Use the Manage Categories form to select reports from several industries, including Federal, Education,
and Healthcare. You can search for specific reports and add reports to your Favorite Reports list.
On the Industry Setup tab, you can select the industries and areas of regulatory compliance related to
your company. Reports related to the options you select display in the Industry Reports list.

The Favorites Setup tab includes a search option to list, sort, and group the report list by industry and
regulatory area. It highlights reports currently listed in your Favorite Reports list and allows you to add
new reports to the list.

The form also includes a Favorites tab that displays your current list of favorite reports. You can use this
view to sort and group your favorite reports to locate a specific report. You also use this view to remove a
report from your list of favorites.

Create a list of favorite LEM reports

In this section:

  • Step 1: Search the reports 388
  • Step 2: Add a report to your Favorites tab 388

You can access frequently-used reports by adding them to the Favorite Reports list. This list can include
both standard and custom reports. To create a favorite reports list, search the reports and then add your
selections to your Favorites list.

Each authorized reports application user can set up a list of favorite reports. Each list is unique to the user
logged in to the console. A reports application user is identified by the user's Windows account, so if two
people on the same computer log in with the same Windows account, they share a list of favorites.
Step 1: Search the reports

 1. Open the LEM reports application. See "Open the LEM reports application" on page 369 for steps.
 2. On the Settings tab, click Manage and select Manage Categories.
 3. Click the Favorites Setup tab.
 4. Click the Search tab.
    The Classifications section lists the industries and regulatory areas supported by the standard
    reports. The Reports Matching Search Criteria box lists all standard SolarWinds reports. If a report is
    highlighted in green, the report is already on your Favorite Reports tab.
 5. In the Classifications section, select each industry or regulatory area related to your company.
 6. Click Search.
    The Reports Matching Search Criteria section displays all standard reports that support your selections.
    For example, if you select Finance, Search lists the reports associated with Finance. If you select
    Finance and PCI, Search lists every report that is associated with either Finance or PCI.
    You can organize the results by sorting, filtering, and grouping the report list.

Step 2: Add a report to your Favorites tab

 1. In the report list, locate the report you want to save to the Favorite Reports list.
 2. Right-click the report and select Add to Favorites.
 3. Click Apply.
    The report is saved to your Favorites list.
Remove a report from the Favorites tab

When you remove a report from the Favorite Reports list, the report remains in its original category. It is
not deleted from the reports application.

 1. Open the LEM reports application. See "Open the LEM reports application" on page 369 for steps.
 2. On the Settings tab, click Manage and select Manage Categories.
 3. Click the Favorites tab.
 4. Select a report and click Remove From Favorites.
 5. Click Apply.
    The report is removed from the Favorites tab.

Search LEM reports for specific text

The Reports window includes a search tool on the View tab to search for key words or phrases in text-based
reports.

This tool only works when you are viewing a text-based view of a report in the Preview pane. You cannot
use this tool with graphical-only reports, or with the default graphical view that is displayed when you first
run the report.
View the text-based details of a report

On the View tab, click the tree button to open the subtopics in the reports list. Click a content-based
subtopic to jump to that section of the report.

Use the Search tool

 1. In the Reports window, open or run the report you want to view.
    The report displays in the Preview pane.
 2. Display the text-based details you want to search in the Preview pane.
 3. On the View tab, click Search.
    The Find form displays.
 4. In the Find what box, type the text you want to search for.
 5. Select Match whole word only to match entire words only, ignoring matches inside longer words.
 6. Select Match case to make the search sensitive to uppercase and lowercase letters.
 7. In the Direction area, select Up to search from the current position to the start of the document, or
    Down to search from the current position to the end of the document.
 8. Click Find Next.
    The tool locates the next instance of the text in the report and highlights it.
 9. Continue clicking Find Next for each remaining instance of the text you want to find.
 10. Click Cancel to close the Find form.

Customize and share report filters in the LEM reports application

This topic describes how to create custom report-list filters using multi-column conditions, and how to
save them as files so that other users can open them.

In this topic:

  • Create a custom report filter in the LEM reports application 391
  • Save a custom report filter in the LEM reports application 392
  • Open a saved custom report filter in the LEM reports application 393
Create a custom report filter in the LEM reports application

 1. In the Reports window, apply the report filter you want to use as a starting point.
 2. At the bottom of the filter status bar, click Customize.
    The Filter Builder form displays. For example, a filter might display reports where the Category
    column equals Audit and the Type column equals Authentication.
 3. Click the options in the form to select the column, the condition (such as equals), and the value
    that define the filter.
 4. Click OK or Apply to apply the filter.

Save a custom report filter in the LEM reports application

 1. Create a custom report filter. See "Create a custom report filter in the LEM reports application"
    above for details.
 2. Click Save As and select the folder where you want to store the file.
 3. Enter a filter name in the File name box.
 4. Click Save.
    The filter is now saved and available for later use.
Open a saved custom report filter in the LEM reports application
 1. Click Customize.
 2. Click Open in the Filter builder form.
 3. Click the Look in drop-down menu, and then locate and open the filter.

 4. In the Filter Builder form, click OK or Apply.


The custom filter is applied to the report list.

Categorize and display LEM reports by group


In this topic:

• Create a report group in the LEM reports application 394
• View the reports within a group in the LEM reports application 395
• Create a sub-group in the LEM reports application 396

You can sort the report list into groups of reports by dragging one or more column headers into the
grouping box. This allows you to quickly organize and display groups of reports that fall into very specific
categories. For example, to group reports by category, drag the Category column header from the report
list into the grouping box.

You can rearrange the report list into groups defined by items from the Category column, as shown below.


Groups change the report list into a series of nodes. There is a separate node for each unique item or
category from the column that defines the grouping. The nodes are alphabetized, and each node is named
by the column and category that defines the grouping.

For example, the Category column that defines the grouping in the example above includes three unique
categories: Audit, Security, and Support. Grouping by the Category column creates three nodes: Category:
Audit, Category: Security, and Category: Support. Opening a particular node displays only the reports
associated with the particular grouping configuration.

You can group reports by any column header in the report list (such as Title, Category, Level, and Type).
You can also create sub-groups to create parent-child hierarchies. For example, you could create a
Category group and a Type sub-group.

Create a report group in the LEM reports application


To create a report group, decide which column defines the report groupings.

Next, drag the column header into the area above the Reports Title column. In this example, the Category
header was dragged to the area above the Reports Title column. The report list now displays a separate
node for each unique item that is in the column that is defining the grouping. The nodes are alphabetized
and labeled for easy reference.

View the reports within a group in the LEM reports application
Click a node to display a list of reports that fall within that grouping. To close the node, click it again.


Create a sub-group in the LEM reports application


 1. Drag another column header into the Drag a column header here to group by that column area.
 2. Perform one of the following steps:
 • Place the new column header above the existing header to have the new header act as the primary grouping. In the example shown above, the report list would be grouped by Level and then Type.
 • Place the new column header below the existing header to have the new header act as the secondary grouping. In the example shown above, the report list would be grouped by Type and then Level.
The report list refreshes to display two levels of nodes—one level of nodes for the primary group, and one set of nodes for the secondary group.
 3. To view the reports within a particular grouping, click a higher-level group node, and then a sub-group node.
The report list displays only those reports that apply to both groupings.
 4. Repeat Steps 1 and 2 for each additional grouping you require.

Run a LEM report on-demand or schedule a LEM report to run later
This topic describes how to run a LEM report on-demand, as well as schedule reports to run automatically.
This topic also documents how to run the default LEM Batch Reports using Windows Task Scheduler.

In this topic:

• Run an on-demand report in the LEM reports application 397
• Create a scheduled report in the LEM reports application 398
• Configure Windows Task Scheduler to run the default LEM Batch Reports 409
• Edit a scheduled report in the Task Scheduler 411

Run an on-demand report in the LEM reports application


 1. Open the LEM reports application. See "Open the LEM reports application" on page 369 for steps.
 2. On the Settings tab, click the Data Source drop-down menu and select a LEM Manager instance (the
IP address or hostname of your LEM VM).

 3. (Optional) Click the Category drop-down menu and select a report category filter—for example, Audit.

 4. Select a report title and click Run in the toolbar.


 5. Select your start and end date and time parameters, and then click OK.

The report displays in the View tab.

This process may take several minutes to complete.

 6. Click Print in the toolbar to send the report to a local or network printer.
Click Export to export the report to the appropriate format (such as a PDF or a Microsoft Word
document).

Create a scheduled report in the LEM reports application


The following list provides an overview of the report scheduling process. Each step is described in greater
detail in the subsections that follow.

 1. Open the LEM reports application. See "Open the LEM reports application" on page 369 for steps.
 2. Select the report that you want to schedule, and then click Schedule.
 3. Name the scheduled task to distinguish it from other similar tasks.
 4. Set the schedule parameters.
This states when the scheduled report runs.

 5. Apply any advanced scheduling options.
 6. Define when the system can and cannot run the task.
 7. Apply the scheduled report to the data source (Manager) for which you want a report. Then define
the scope, which is the period you want the report to cover.
When the system runs the report, it retrieves any pertinent events that occurred within the period
defined by the scope.
 8. Select any export options for the report.
This allows you to export to the folder of your choice, and in a format that is easy to read and print. If
you do not export the report, it will automatically print to your default printer.

Repeat this process for each report you want to schedule.

You can create more than one schedule for the same report. This allows you to run the same report
on different LEM Managers or run the same report in different intervals (such as daily, weekly, or
monthly), each with a different scope.

Step 1: Selecting the report you want to schedule


In this step, you will select the report you want to schedule, and then open the Report Scheduler Tasks
window.

 1. Open the LEM reports application. See "Open the LEM reports application" on page 369 for steps.
 2. In the Settings tab, click the Category drop-down menu and select a report category.
The report list displays all saved reports in the category.
 3. In the Report Title column, locate the report you want to schedule.


 4. Right-click the report and select Schedule Report.


The Report Scheduler Tasks window appears.

The Event Summary box only displays the tasks that apply to your selected report.

 5. Add, edit, and delete your scheduled report tasks.

Step 2: Add a new scheduled report task
Name and configure the new scheduled task associated with this report.

 1. Click Add in the Reports Scheduler Tasks window.


 2. Enter a name for the report, and then click OK.

The task scheduler form displays.

 3. Verify that the path in the Run field is correct. Click Browse and select the correct path, if required.
 4. Verify that the user name in the Run as field is correct.
To change the user path, use the following format:
[Domain]\[UserName].
 5. Click Set password to set up a password for the current user to run the report.
 6. Select the Enabled check box to run the scheduled task using the schedule you select in the
Schedule tab.
Clear the check box to disable the schedule.
 7. Click Apply to save your changes.
 8. Complete the Task tab as described in the table.
 9. Click Apply to save your changes.

Step 3: Schedule the report


Create the report schedule. The settings on the Schedule tab tell the system when to run the report.


You can create multiple schedules for each report that is within the same scope. For example, you can run
an event summary report for the current week and display the running total for the week at each hour.
When completed, you can set the report to Week: Current and have multiple schedules that run on an
hourly schedule and on a twice-daily schedule.

 1. Click the Schedule tab.

For new tasks, the tab states that the task is not scheduled.

 2. Click New to create a new report schedule.

 3. Complete the Schedule tab selections.


 4. Click Apply to save your changes.
The new report schedule displays in the list box near the top of the tab.

Step 4: Select the advanced scheduling options
If you clicked Advanced in the Schedule tab, the Advanced Schedule Options dialog box displays. You can
schedule start and end dates for the report, or set a task to repeat for a set period of time.

 1. Click Advanced in the Schedule tab.


 2. Select the start and end dates.
 3. Select the Repeat task check box if you want the system to stop running the repeated tasks.
 4. In the Until section, select the time or how long you want the task to run.

By limiting the task run time, you can prevent the task from running continuously if a problem
should occur.


 5. Select If the task is still running, stop it at this time to stop the system from running a report when
the Time or Duration setting occurs. Clear this check box to have the system finish running a report
that overlaps the Time or Duration setting.
The following illustration displays the valid and invalid date formats for reports.

In this example, the configured report runs every four hours, starting on Monday, August 18, and
running through Sunday, August 30. Each time the task runs, the system will stop it if it continues to
run for more than one hour.
 6. Click OK to save your changes and exit the form.
You return to the task scheduler form.

Step 5: Stating when the system can or cannot run the task
Use the Settings tab to select when the system can and cannot run the task.

 1. Click the Settings tab.


 2. Complete the selections as required.

 3. Click Apply to save your changes.


 4. Click OK to close the task scheduler form and return to the Report Scheduler Tasks window.


Step 6: Assign the data source and scope


Assign the task to a particular data source (or Manager) and define the task scope (the period you want the
report to cover). When the system runs the report, it retrieves any relevant events that occurred within the
period defined by the scope.

 1. Select the report schedule you want to assign.

 2. Click Load to View or Edit.


The Report Execution Settings For Selected Task section is enabled.
 3. Use this section to configure the report execution settings for the task (report schedule) you selected
above.
 4. Use the Select the report data source list to select the Manager to which you want to assign this
task.

You can only assign a task to a single Manager. If you need to assign a similar or identical task
to a second Manager, create a new task.

Assign the task scope
In the Report Scope box, set up the task scope for this data source. The scope is the event period (or time
frame) for the events you want the report to cover.

 1. Click the Date Range drop-down menu and select the date range you want the report to cover for
this task and data source.
In this example, the date range is Day: Today. The report will cover the period from 12:00:00 AM to
11:59:59 PM of the current date.
If you select Week: Previous, the scheduled report will contain information from the last full week—
from 12:00:00 AM the last Monday to 11:59:59 PM the last Sunday. For example, if today is
Wednesday the 11th, the task runs from 12:00:00 AM on the 2nd to 11:59:59 PM on the 8th.
Select one of the following date ranges:
 • Day: Today: Run for the specified time frame on the current (today’s) date.
 • Day: Yesterday: Run for the specified time frame on the previous (yesterday’s) date.
 • Week: Current: Run from one week ago to the current time.
 • Week: Previous: Run from 12:00:00 AM last Monday to at most 11:59:59 PM last Sunday. This report will capture the last full week of data.
 • Month: Current: Run from one month ago to the current time.
 • Month: Previous: Run from 12:00:00 AM on the first of the month until 11:59:59 PM on the last day of the month. This report will capture the last full month of data.
 • User Defined: Run another report scope. Use this option to schedule reports for arbitrary periods or periods that are outside of the conventional scope of a day, week, or month.
 2. Enter or select a start time and end time for reporting events that occurred on this Manager. The
report will only show those events that occurred on the Manager within this period.

If you select a week or month scope, you cannot edit the Start and End date and time fields.

 3. To configure the report so it automatically exports to a file, go to the next step. Otherwise, click Save.
The Count Settings area only applies to count-based reports, such as “Top 20” reports.
 4. In the Number of Items box, type or select the number of items you want the report to track.

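The date ranges above are defined only in prose. The following Python function is an added example, not SolarWinds code, that computes the start and end of the event window each range produces for a given run time, following the definitions above: whole days run from 12:00:00 AM to 11:59:59 PM, Week: Previous is the last full Monday-to-Sunday week (the guide's "Wednesday the 11th" case), and "one month ago" is clamped to the previous month's length so a run on 31 March does not fail. The function and helper names are the example's own.

```python
import calendar
from datetime import datetime, time, timedelta

# Added example (not part of the LEM reports utility): report-scope windows.
DAY_START = time(0, 0, 0)      # 12:00:00 AM
DAY_END = time(23, 59, 59)     # 11:59:59 PM


def _full_days(first, last):
    """Window covering the whole calendar days first..last, inclusive."""
    return datetime.combine(first, DAY_START), datetime.combine(last, DAY_END)


def _one_month_before(moment):
    """Same day and time in the previous month, clamped to that month's length
    (31 March -> 28/29 February). Clamping is this example's interpretation of
    the guide's 'one month ago'."""
    if moment.month == 1:
        year, month = moment.year - 1, 12
    else:
        year, month = moment.year, moment.month - 1
    last_day = calendar.monthrange(year, month)[1]
    return moment.replace(year=year, month=month, day=min(moment.day, last_day))


def report_scope(date_range, now, user_start=None, user_end=None):
    """Return (start, end) datetimes for a LEM scheduled-report date range.

    date_range uses the guide's labels ("Day: Today", "Week: Previous", ...);
    now is the moment the scheduled task runs."""
    today = now.date()
    if date_range == "Day: Today":
        return _full_days(today, today)
    if date_range == "Day: Yesterday":
        yesterday = today - timedelta(days=1)
        return _full_days(yesterday, yesterday)
    if date_range == "Week: Current":
        return now - timedelta(weeks=1), now
    if date_range == "Week: Previous":
        this_monday = today - timedelta(days=today.weekday())   # Monday == 0
        last_monday = this_monday - timedelta(days=7)
        return _full_days(last_monday, last_monday + timedelta(days=6))
    if date_range == "Month: Current":
        return _one_month_before(now), now
    if date_range == "Month: Previous":
        last_of_previous = today.replace(day=1) - timedelta(days=1)
        return _full_days(last_of_previous.replace(day=1), last_of_previous)
    if date_range == "User Defined":
        if user_start is None or user_end is None or user_end < user_start:
            raise ValueError("User Defined scope needs user_start <= user_end")
        return user_start, user_end
    raise ValueError(f"unknown date range: {date_range!r}")


def report_scope_iso(date_range, run_at, user_start=None, user_end=None):
    """String front end: ISO 8601 inputs ('2017-10-11T09:30:00'), ISO outputs."""
    parse = datetime.fromisoformat
    start, end = report_scope(date_range, parse(run_at),
                              parse(user_start) if user_start else None,
                              parse(user_end) if user_end else None)
    return start.isoformat(sep=" "), end.isoformat(sep=" ")


if __name__ == "__main__":
    # The guide's example: a task running on Wednesday the 11th with
    # Week: Previous covers Monday the 2nd through Sunday the 8th.
    for label in ("Day: Today", "Day: Yesterday", "Week: Previous", "Month: Previous"):
        print(label, "->", report_scope_iso(label, "2017-10-11T09:30:00"))
```

Week: Current and Month: Current end at the run time rather than at 11:59:59 PM, which is why the guide notes that the Start and End fields cannot be edited for week and month scopes: the window is derived entirely from the run time.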

Step 7: Export a scheduled report


You can enable the report utility to automatically export a scheduled report in PDF format to a specific
folder. Otherwise, the system will send the report to your default printer.

 1. Open the Report Scheduler Tasks window.


 2. Select the scheduled report task you want to export in the Task Description box.
 3. Select the Export check box in the Report Settings tab to name and export this report when the task
scheduler runs this report.

 4. Click the Format drop-down menu and select a file format to export the report.
 5. Click the folder icon, locate the folder where you want to save the report, and enter a unique file name for the report.
If the report has multiple schedules, give each scheduled report a different name. Otherwise, the exported files will overwrite each other or increment according to the If File Exists setting.
 6. In the If File Exists list, choose one of the following options:
 • Select Increment to store the new report along with any previous versions of the report in the folder. The reports application increments each report by appending the report file name with an underscore and a digit. For example, [FileName]_1.pdf.
 • Select Overwrite to have each new version of the report overwrite the previous version of the report in the folder.
 7. Click Save.
 8. Click Close to close the Report Scheduler Tasks window and return to the Reports window.
 9. Repeat Step 2: Add a new scheduled report task through Step 7: Export a scheduled report for
each report you want to schedule and assign to a particular data source.

Remove a report from the report scheduler


 1. Open the LEM reports application. See "Open the LEM reports application" on page 369 for steps.
 2. Click the Settings tab.
 3. Click the Category drop-down menu and select Standard Reports or Custom Reports.
The grid displays all reports in your selected category.
 4. In the Report Title column, click the name of the scheduled report for which you want to delete the
task schedule.
 5. Click Schedule.
 6. In the Report Scheduler Tasks window, select the scheduled report in the Task Description list that
includes the schedule you want to delete.

 7. Click Modify.
The task schedule form displays.
 8. In the Task Schedule window, click the Schedule tab and select the Show Multiple Schedules check
box.
 9. In the schedule list box, select the schedule you want to delete, and then click Delete.
 10. Click Close to close the Report Scheduler Tasks form.

Configure Windows Task Scheduler to run the default LEM Batch Reports
The LEM reports application includes a default batch set of .ini files used to schedule reports. These
files contain the configurations necessary to schedule several best-practice reports on either a daily or
weekly basis, depending on the scope.

Prepare the INI file


Modify the default .ini files in the LEM reports installation directory to specify the hostname of the LEM
Manager or LEM database in your environment, and the export destination for your scheduled reports.

To modify the default INI files:

 1. Navigate to the LEM Reports installation directory and open the SchedINI folder:
 • On 32-bit computers: C:\Program Files\SolarWinds Log and Event Manager Reports
 • On 64-bit computers: C:\Program Files (x86)\SolarWinds Log and Event Manager Reports
 2. Open each of the BRPT*.ini files and make the following changes in a text editor:
 • Replace the default value next to Manager1 with the hostname of the LEM Manager or database appliance in your environment. Use the hostname of your LEM database appliance if you have a dedicated appliance to store your normalized LEM alert data.
 • Modify the ExportDest file path if you want to customize the location to which LEM Reports saves the exported reports. The default file path is %ProgramFiles%\SolarWinds Log and Event Manager Reports\Export.
 3. Save your changes and close the files.

Schedule the Reports to Run using Windows Task Scheduler


Schedule your batch reports to run using Windows Task Scheduler. Complete the following procedure
twice: once for the daily reports and once for the weekly reports.


To schedule reports using Windows Task Scheduler:

 1. Create a new scheduled task by opening Control Panel > Administrative Tools > Task Scheduler.
 2. Select Task Scheduler Library.
 3. Click Create Basic Task in the Actions pane.
 4. Enter a name for your task that reflects the frequency of the scheduled task. For example, enter LEM
Reports - Weekly for the weekly task, and then click Next.
 5. Select Daily or Weekly, depending on what batch of reports you are scheduling, and then click Next.
 6. Set the start time and frequency for your scheduled reports, and then click Next.
 • For the daily task: 1 AM, Recur every 1 Day
 • For the weekly task: 3 AM, Recur every 1 week, Monday
 7. Select Start a program, and then click Next.
 8. For the Program/script field, click Browse to browse for SWLEMReports.exe. See Step 1 in "Prepare
the INI file" on the previous page for the default installation paths.
 9. In the Add arguments (optional) field, enter the following, according to the task being created:
 • Use the %ProgramFiles(x86)% environment variable on 64-bit computers.
 • The /l at the beginning of the additional argument is optional. This generates a log file called SWLEMReports.log when Task Scheduler runs your task. The file is saved in %ProgramFiles%\SolarWinds Log and Event Manager Reports.
 10. For the daily task: /l "%ProgramFiles%\SchedINI\BATCHDay.ini"
 11. For the weekly task: /l "%ProgramFiles%\SchedINI\BATCHWeek.ini"
 12. Click Next.
 13. Verify the task details on the Summary dialog, select Open the Properties dialog for this task when I
click Finish, and then click Finish.
 14. Click Change User or Group to change the user account task scheduler should use to complete the
task.

 • Provide a user with administrator level permissions.
 • If you specified a network location in Step 2 in "Prepare the INI file" on the previous page, provide a user with write permissions to that folder.
 • Use a service account to avoid having to maintain the task according to your password change policy.

 15. On the Properties window, select Run whether user is logged on or not.
 16. Select Run with highest privileges.
 17. Select the appropriate operating systems in the Configure menu, and then click OK to save your
changes and exit the Properties window.
 18. Enter the Windows password for the user specified for this task, and then click OK.

Default Report Schedules
Once configured, the scheduled tasks run and export the following reports:

DAILY REPORTS

 • EventSummary.pdf
 • SubscriptionsByUser.pdf
 • Incidents.pdf
 • NetworkTrafficAudit.rpt

WEEKLY REPORTS

 • MaliciousCode.rpt
 • NetSuspicious.rpt
 • NetAttackAccess.rpt
 • NetAttackDenial.rpt
 • Authentication.rpt
 • FileAudit.rpt
 • MachineAudit.rpt
 • ResourceConfiguration.rpt

 • You can open reports with the .rpt extension in the LEM reports application for filtering and exporting. If you have a program like Crystal Reports associated with this file format, you can access these reports with the LEM reports application by opening LEM Reports first and then clicking Open on the Settings tab.
 • If you create a scheduled report, you can remove the task from Windows task scheduler, and the .ini file will still be under the SchedINI directory. You can change the name of the RPTxxxxx-x.ini to BRPTxxxxx-x.ini, and add the file to the BatchDay.INI or the BatchWeek.INI.

Edit a scheduled report in the Task Scheduler


When you create custom and scheduled reports, SolarWinds recommends that you document your
procedures for disaster recovery.

The scheduled Report INI files are located in: Program Files\SolarWinds Log and Event Manager Reports\SchedINI. These report INI files are generated automatically when you schedule a report in the LEM console. If you need to edit an INI file or change a report format, add the corresponding report format number after the equal sign on the line containing "ExportFormat=".

The following table identifies the number assigned to each possible format for a LEM report.


NUMBER   REPORT FORMAT
1        Excel: MS Excel 97-2000, with headings format
2        Exceldata: MS Excel 97-2000, data only format
3        HTML32: HTML version 3.2 format
4        HTML40: HTML version 4.0 format
5        PDF: Adobe Portable Document format
6        RTF: Rich Text Format
7        CSV: Comma Separated Values Text format
8        TAB: Tab Separated text format
9        Text: Text based report format
10       Word: MS Word Document format
11       XML: XML Document format
12       RPT: Crystal RPT w/ Data format

Below is an example of a LEM scheduled report INI file:

[TaskSetup]
Keyword=2009331
Filename=C:\Program Files\SolarWinds Log and Event Manager Reports\Reports\RPT2009-33-1.rpt
[DSNManager]
Manager1=sherman
[RptParams]
RptDateRangeDesc=DAY_P
RptDateRange=2
RptStartTime=12:00:00 AM
RptStopTime=11:59:59 PM
TopN=20
[Export]
DoExport=T
ExportDesc=EXCEL
ExportFormat=1
ExportDest=C:\Program Files\SolarWinds Log and Event Manager Reports\Export
ExportFileName=format1.xls
ExportOverWrite=INCREMENT

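Because the batch files in "Prepare the INI file" are edited by hand and then run unattended by Task Scheduler, it pays to check them before the first scheduled run. The following Python script is an added example, not part of the LEM reports utility: it parses an INI of the shape just shown with the standard library configparser, checks ExportFormat against the table above (and that ExportDesc agrees with it), validates the time fields, and applies the If File Exists rule when choosing an export file name. The sample INI is constructed; its hostname, its paths, and the assumption that Increment counts upward from _1 past names already present are this example's own.

```python
import configparser
import os
from datetime import datetime

# ExportFormat numbers from the guide's table (number -> format name).
EXPORT_FORMATS = {
    1: "Excel", 2: "Exceldata", 3: "HTML32", 4: "HTML40", 5: "PDF", 6: "RTF",
    7: "CSV", 8: "TAB", 9: "Text", 10: "Word", 11: "XML", 12: "RPT",
}
# Extensions the guide shows for three formats; other formats are not checked.
KNOWN_EXTENSIONS = {1: ".xls", 5: ".pdf", 12: ".rpt"}

# Constructed sample modelled on the guide's example INI. The hostname and
# the export path are placeholders, not values from a real deployment.
SAMPLE_INI = r"""[TaskSetup]
Keyword=2009331
Filename=C:\Program Files\SolarWinds Log and Event Manager Reports\Reports\RPT2009-33-1.rpt
[DSNManager]
Manager1=lem-manager.example.local
[RptParams]
RptDateRangeDesc=DAY_P
RptDateRange=2
RptStartTime=12:00:00 AM
RptStopTime=11:59:59 PM
TopN=20
[Export]
DoExport=T
ExportDesc=EXCEL
ExportFormat=1
ExportDest=%ProgramFiles%\SolarWinds Log and Event Manager Reports\Export
ExportFileName=format1.xls
ExportOverWrite=INCREMENT
"""


def parse_report_ini(text):
    """Parse a scheduled-report INI. interpolation=None keeps %ProgramFiles%
    literal (ConfigParser would otherwise treat '%' as a substitution marker),
    and optionxform=str keeps the key case the report utility writes."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def validate_report_ini(cp):
    """Return a list of problems; an empty list means the file looks usable."""
    required = [("TaskSetup", "Filename"), ("DSNManager", "Manager1"),
                ("RptParams", "RptStartTime"), ("RptParams", "RptStopTime"),
                ("Export", "ExportFormat"), ("Export", "ExportDest"),
                ("Export", "ExportFileName")]
    problems = [f"missing {s}.{k}" for s, k in required
                if not cp.get(s, k, fallback="").strip()]
    if problems:
        return problems

    fmt_raw = cp.get("Export", "ExportFormat").strip()
    fmt = int(fmt_raw) if fmt_raw.isdigit() else None
    if fmt not in EXPORT_FORMATS:
        problems.append(f"ExportFormat={fmt_raw!r} is not a number from 1 to 12")
    else:
        desc = cp.get("Export", "ExportDesc", fallback="")
        if desc.lower() != EXPORT_FORMATS[fmt].lower():
            problems.append(f"ExportDesc={desc!r} does not match "
                            f"ExportFormat={fmt} ({EXPORT_FORMATS[fmt]})")
        ext = os.path.splitext(cp.get("Export", "ExportFileName"))[1].lower()
        if fmt in KNOWN_EXTENSIONS and ext != KNOWN_EXTENSIONS[fmt]:
            problems.append(f"ExportFileName extension {ext!r} does not match "
                            f"{EXPORT_FORMATS[fmt]} ({KNOWN_EXTENSIONS[fmt]})")

    if cp.get("Export", "DoExport", fallback="") not in ("T", "F"):
        problems.append("DoExport must be T or F")
    if cp.get("Export", "ExportOverWrite", fallback="").upper() not in ("INCREMENT", "OVERWRITE"):
        problems.append("ExportOverWrite must be INCREMENT or OVERWRITE")
    for key in ("RptStartTime", "RptStopTime"):
        try:
            datetime.strptime(cp.get("RptParams", key), "%I:%M:%S %p")
        except ValueError:
            problems.append(f"{key} is not in hh:mm:ss AM/PM form")
    return problems


def next_export_name(filename, existing, mode):
    """Pick the name an export would use under the If File Exists setting.
    OVERWRITE reuses the name; INCREMENT appends _1, _2, ... until a name is
    free (the guide shows [FileName]_1.pdf; counting upward past names already
    present is an assumption of this example)."""
    if mode.upper() == "OVERWRITE" or filename not in existing:
        return filename
    stem, ext = os.path.splitext(filename)
    n = 1
    while f"{stem}_{n}{ext}" in existing:
        n += 1
    return f"{stem}_{n}{ext}"


if __name__ == "__main__":
    cfg = parse_report_ini(SAMPLE_INI)
    print("Manager1:", cfg.get("DSNManager", "Manager1"))
    print("problems:", validate_report_ini(cfg) or "none")
```

Run the validator over every BRPT*.ini in SchedINI before enabling the Task Scheduler job; a wrong ExportFormat number or a Manager1 value that was never changed from the default is otherwise only noticed when the scheduled export is missing.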
Create a custom LEM report
This topic describes how to customize a LEM report.

In this topic:

• Create a custom report in the LEM reports application 413
• Export and save a copy of the filtered LEM report with a new name 415
• Open a custom report in the LEM reports application 416

To view a tutorial about filtering and exporting LEM Reports, see:


http://video.solarwinds.com/watch/pMuk9eqsTPtja99u4EUvrx

Create a custom report in the LEM reports application


If you want to report on a specific event (such as a user logon failure), you can create a custom report
that reports on a specific field. Use the left menu in the reports application to select the field for your
report.

 1. Run a report. See "Run an on-demand report in the LEM reports application" on page 397 for help.
The report opens on the View tab.
 2. In the left column of the report, select the field you want to query.

 3. On the View tab, examine the report to identify the value you want to use in your filter.

Hover over any value in the report to view a tooltip that contains its complete field name as it
is used in Select Expert.


 4. Click Select Expert.


The Select Expert dialog box opens.

The Select Expert tool filters the report to show only the type of data that you want to see in
your custom report. See "Use the Select Expert tool to create a more focused LEM report" on
page 417 for more information.

 5. Click New.


The Fields dialog box opens.
 6. Select a field to report on, and then click OK.

 7. Click the Boolean drop-down menu and select your comparison value.

 8. Select or enter a second value. Click New to select or enter additional fields and expand your query.

 9. Click OK.
Select Expert filters the report so that only the information matching your query remains.
All fields are listed as column labels across the top. You can also mouse over data to display the
reported field.

 10. Click Print to print your report.


Click Export to export your report to a PDF, Word Document, or other format.

Export and save a copy of the filtered LEM report with a new name
 1. Create and run the custom report. See "Create a custom report in the LEM reports application" on
page 413 for help.
 2. On the View tab, click Export.
The Export dialog box opens.
 3. Select Crystal Reports (RPT) from the Format menu.
Leave Destination set to Disk file, and then click OK.
 4. In the Save File window, navigate to the following folder:
C:\Program Files (x86)\SolarWinds Log and Event Manager
Reports\CustomReports

This is the default location for 64-bit operating systems. If you are using a 32-bit operating
system, the default folder would be C:\Program Files\SolarWinds Log and Event
Manager Reports\CustomReports.

 5. In the File name field, type a name for your filtered report to identify the report by the file name
under Custom Reports.
 6. Click Save.


Open a custom report in the LEM reports application


 1. Open the LEM reports application. See "Open the LEM reports application" on page 369 for steps.
 2. In the Reports window, click the Settings tab.
 3. In the Category list, select Custom Reports.
 4. On the Quick Access toolbar, click the Refresh Report List icon or press F5.
When the refresh completes, the new custom report appears in the list, and displays any changes made to
its Properties.
 5. Launch your custom report for any time frame.

Use the Select Expert tool to create a more focused LEM report
In this topic:

• View the text-based details of a report 417
• Run a report query using the Select Expert tool 417
• Restore the original report after using the Select Expert tool 419

The Select Expert tool lets you execute queries to create a smaller, more focused report from a larger text-
based report.

You can use this tool when you are viewing the text-based view of a report in the Preview frame. You
cannot use this tool with the default graphical view displayed when you first run the report.

To view the text-based details of a report, check that the View tab is open and click the tree button
to open the subtopics in the reports list. Click the content-based subtopic to jump to that section of
the report.

If using the Select Expert to filter report data by date or time fields (such as InsertionTime or
DetectionTime) results in an error, clear the error prompt, return to the Select Expert, and delete
the time-based filter. To filter by time and date, you must run the report with the specified range.

View the text-based details of a report


In the View tab, click the tree button to open the subtopics in the reports list. Click the content-based
subtopic to jump to that section of the report.

Run a report query using the Select Expert tool


 1. Run a report. See "Run an on-demand report in the LEM reports application" on page 397 for help.
The report opens on the View tab.
 2. In the View tab, locate the View group and click Select Expert.


 3. Click either the New button or the <New> tab.

The Fields form displays with the various report fields you can query on this report.

Click Browse to display a list of the available fields you can select with the tool.
 4. Select the field you want to query, and then click OK.
The Select Expert form displays.

The first tab displays your selected field name. It lists the query options for that field and includes
an adjacent list where you can select a specific value.
 5. In the left drop-down menu, select a query option for the field.

 6. In the adjacent right-hand list box, select a specific value for the field.
You can click Browse Data to view a complete list of values in the report for that field. From the
Browse Data box, you can select a value, and then click Close to apply that value to the query.

 7. Repeat Steps 3 – 6 for each field you want to add to the query.
 8. Click OK to close the form and apply the query.
The new report displays in the Preview frame.
You can use the Preview frame’s toolbar to save or export the report.

Restore the original report after using the Select Expert tool
When you are through querying a report with the Select Expert tool, you can restore the report to its
original state.

To turn off the Select Expert settings:

 1. In the View tab in the View group, click Select Expert.
The Select Expert form displays.

 2. Click Delete to remove the query options.


 3. Click OK.
The original report appears in the Preview frame.


Manage LEM reports: Open, print, and more


This topic describes how to manage LEM reports in the reports application.

In this topic:

• Open your saved reports 420
• View the master report sections 421
• Hide and show a master report sub-topic pane 422
• View the report pages 423
• Magnify and reduce report pages 424
• Stop a report in progress 424
• Edit a scheduled report task 424
• Export a report 425
• Print reports 426
• Set up your printer preferences 427

Open your saved reports


Whenever a report is saved or exported to RPT format, you can use the Open command to reopen and view
the report contents. This applies to scheduled reports that the system ran and saved, as well as on-
demand reports that you ran and exported for later viewing.

 1. Open the LEM reports application. See "Open the LEM reports application" on page 369 for steps.
 2. Click the Menu button and select Open Report.
The Open Report File form appears.

 3. Use the Open Report File form to locate the report file you want to view.
If you cannot locate the report, be sure you selected Crystal Reports (*.rpt) in the File type list.
 4. Select the file and click Open.
The report opens in the Reports Preview pane.

View the master report sections


Some standard reports are “master” reports. A master report is a report that includes a series of subtopics,
where each subtopic contains a specific set of details about the higher-level master topic. Together, these
topics create the report, similar to chapters in a book.

When a report includes more than one subtopic, a subtopic pane displays in the Preview pane. The
subtopic pane lists the subtopics found in the report. If you click a subtopic, the Preview pane displays the
first page of that section of the report.


To view a section of a master report, select the subtopic you want to review. The Preview pane displays the
first page of that section in the report.

Hide and show a master report sub-topic pane


When you preview a master report, Tree is enabled in the View tab. Click Tree to toggle between hiding
and revealing the report’s sub-topic pane.

You can hide the subtopic pane in the View tab by clicking Tree. The subtopic pane is hidden, as shown
below.

To restore the sub-topic pane, click Tree again. The subtopic pane displays again.

View the report pages


In the reports application, the Navigate group provides tools to browse through the pages of a multi-page
report. If the report includes only one page, the toolbar is disabled.

Click the first-page or last-page button to move to the first or last page of the report. Click the
previous-page or next-page button to move to the previous or next page of the report.

The Page field displays the page number currently active in the Preview frame, as well as the total number
of pages in the report. A + next to a page number indicates additional pages in the report.

To determine how many pages are in the report, click the last-page button in the toolbar. This takes you to the last page of the report, forcing the console to count the pages, and replaces the + with the actual number of pages.

You can also use this feature to display a particular page of the report. In the Page box, enter a page
number you want to view and press Enter. The Preview frame displays your selected page.


Magnify and reduce report pages


Use the Zoom feature to resize a report. You can select a percentage or have the report expand or reduce
to fit the Preview pane. Click the Zoom drop-down menu and select an option to resize your report in the
Preview pane.

Stop a report in progress


To stop running or loading a report that is in progress, click Stop on the status bar.

Edit a scheduled report task


When required, you can edit a scheduled report task or task schedule by editing the task settings. This
process allows you to modify your report scheduling when conditions change within your organization.

 1. Open the Reports application. See "Open the LEM reports application" on page 369 for steps.
 2. Click the Settings tab.
 3. Click the Category drop-down menu and select Standard Reports or Custom Reports.
 4. In the Report Title column, select the report that requires a schedule change and click Schedule.
 5. In the Report Scheduler Tasks window, select the report schedule you want to edit and click Modify.

 6. In the Scheduler window, edit the Task, Schedule, and Settings tabs as required.
To change the settings for a particular schedule, click the Schedule tab and select the schedule you
want to change. Use the boxes to change the settings, then click Apply.
 7. Click OK to close the window.
 8. Make any additional changes to the Report Settings as required in the Report Schedule Tasks
window.
 9. Click Save.
 10. Click Close to close the Report Scheduler Tasks window.

Export a report
You can export a report from the Preview pane into several formats, including:

 • Adobe Portable Document File (PDF)
 • Crystal Reports RPT file
 • HTML
 • Microsoft Excel file

LEM officially supports PDF and RPT formats.


To export a report:

 1. In the Reports window, open or run the report you want to export.
The report displays in the Preview pane.
 2. On the View tab in the Output group, click Export.
The Export form displays.

 3. In the Format list, select the file type to save the report.

The Description box at the bottom of the form describes your selected file format.

 4. Use the Destination list to browse to the folder and save the file.
 5. Click OK.
The system saves the file in your selected format to your destination folder.

Print reports
You can print any report displayed in the Preview pane.

 1. In the Reports window, open or run the report you want to print.
The report displays in the Preview pane.
 2. In the View tab, click Print in the Output group.
 3. In the Print form, select the printer and any print options.
 4. Click Print.
The report is sent to your printer based on your print options.

Set up your printer preferences
Use the Printer Setup command to define the default print settings (such as Portrait or Landscape) for
printing your reports.

 1. In the Reports window, open or run the report you want to print.
The report appears in the Preview pane.
 2. On the View tab, click Printer Setup in the Preferences group.
 3. In the Page Setup dialog box, select the appropriate options.

 4. Click OK.


The report is printed according to your selected print options.


Default reports included with LEM


This section describes the reports included with LEM and suggests how often to run each report.

In this section:

 • Scheduling terminology used in this topic 428
 • Audit reports included with LEM 428
 • Security reports included with LEM 454
 • Support reports included with LEM 475

Scheduling terminology used in this topic


This section describes the scheduling terminology used in the reports table.

SCHEDULE | DESCRIPTION
Daily | Run and review this report once each day.
Weekly | Run and review this report once each week.
As needed | SolarWinds suggests that you run these reports only when needed for specific auditing purposes, or when you need the details surrounding a Priority event or a suspicious event.
As requested | These reports are diagnostic tools and should only be run at the request of SolarWinds' technical support personnel.

Audit reports included with LEM


The following table describes each audit report, listed alphabetically by title.

TITLE DESCRIPTION FILE NAME SCHEDULE


Authentication This report lists all authentications tracked by RPT2003-02.rpt Weekly
Report the SolarWinds system, including user logon,
logoff, failed logon attempts, guest logons, and
so on.

page 428
TITLE DESCRIPTION FILE NAME SCHEDULE
Authentication This report lists event events that are related RPT2003-02-10.rpt As needed
Report - to authentication and authorization of
Authentication accounts and account “'containers'” such as
Audit groups or domains. These events can be
produced from any network node including
firewalls, routers, servers, and clients.

Authentication This report lists event events that are related RPT2003-02-9.rpt As Needed
Report - to suspicious authentication and authorization
Suspicious events. These events include excessive failed
Authentication authentication or authorization attempts,
suspicious access to unauthenticated users,
and suspicious access to unauthorized services
or information.

Authentication This report lists the Top User Log On events RPT2003-02-6-2.rpt As needed
Report - Top User grouped by user name.
Log On by User

Authentication This report lists the Top User Log On Failure RPT2003-02-7-2.rpt As needed
Report - Top User events grouped by user name.
Log On Failure by
User

Authentication This report shows logon, logoff, and logon RPT2003-02-8.rpt As needed
Report - failure activity to the SolarWinds Console.
SolarWinds
Authentication

Authentication User Logoff events reflect account logoff events RPT2003-02-5.rpt As needed
Report - User Log from network devices (including network
Off infrastructure devices). Each event will reflect
the type of device from which the user was
logging off. These events are usually normal
events but are tracked for consistency and
auditing purposes.

page 429
ADMINISTRATOR GUIDE: LOG & EVENT MANAGER

TITLE DESCRIPTION FILE NAME SCHEDULE


Authentication User Logon events reflect user account logon RPT2003-02-6.rpt As needed
Report - User Log events from network devices monitored by
On SolarWinds (including network infrastructure
devices). Each event will reflect the type of
device that the logon was intended for along
with all other relevant fields.

Authentication This report lists all account logon events, RPT2003-02-6-1.rpt As needed
Report - User Log grouped by user name.
On by User

Authentication User Logon Failure events reflect failed account RPT2003-02-7.rpt As needed
Report - User Log logon events from network devices (including
On Failure network infrastructure devices). Each event will
reflect the point on the network where the user
was attempting logon. In larger quantities,
these events may reflect a potential issue with
a user or set of users, but as individual events
they are generally not a problem.

Authentication This report lists all account logon failure RPT2003-02-7-1.rpt As needed
Report - User Log events, grouped by user name.
On Failure by
User

Change This report includes changes to domains, RPT2006-20.rp As needed


Management - groups, machine accounts, and user accounts.
General
Authentication
Related Events

Change This report includes changes to domains, RPT2006-20-01.rpt As needed


Management - including new domains, new members, and
General modifications to domain settings.
Authentication:
Domain Events

page 430
TITLE DESCRIPTION FILE NAME SCHEDULE
Change This report lists changes to domain type. These RPT2006-20-01-7.rpt As needed
Management - events are uncommon and usually provided by
General the operating system. Usually, these changes
Authentication: are made by a user account with
Domain Events - administrative privileges, but occasionally a
Change Domain change will happen when local system
Attribute maintenance activity takes place.

Change This report lists event events that occur when RPT2006-20-01-4.rpt As needed
Management - an account or account container within a
General domain is modified. Usually, these changes are
Authentication: made by a user account with administrative
Domain Events - privileges, but occasionally an event occurs
Change Domain when local system maintenance activity takes
Member place. Events of this nature mean a user,
machine, or service account within the domain
has been modified.

Change This report lists event events that occur upon RPT2006-20-01-8.rpt As needed
Management - removal of a trust relationship between
General domains, deletion of a subdomain, or deletion
Authentication: of account containers within a domain. Usually,
Domain Events - these changes are made by a user account
Delete Domain with administrative privileges.

Change This report lists event events that occur when RPT2006-20-01-3.rpt As needed
Management - an account or account container has been
General removed from a domain. Usually, these
Authentication: changes are made by a user account with
Domain Events - administrative privileges, but occasionally they
Delete Domain occur when local system maintenance activity
Member takes place.

page 431
ADMINISTRATOR GUIDE: LOG & EVENT MANAGER

TITLE DESCRIPTION FILE NAME SCHEDULE


Change This report lists event events that happen RPT2006-20-01-5.rpt As needed
Management - when the alias for a domain member has been
General changed. This means an account or account
Authentication: container within a domain has an alias created,
Domain Events - deleted, or otherwise modified. This event is
Domain Member uncommon and is used to track links between
Alias domain members and other locations in the
domain where the member may appear.

Change This report lists authentication, authorization, RPT2006-20-01-1.rpt As needed


Management - and modification events that are related only
General to domains, subdomains, and account
Authentication: containers. These events are normally related
Domain Events - to operating systems. However, they can be
DomainAuthAudit produced by any network device.

Change This report lists event events that occur upon RPT2006-20-01-6.rpt As needed
Management - creation of a new trust relationship between
General domains, creation of a new subdomain, or
Authentication: creation of new account containers within a
Domain Events - domain. Usually, these creations are done by a
New Domain user account with administrative privileges.

Change This report lists event events that occur when RPT2006-20-01-2.rpt As needed
Management - an account or an account container (a new
General user, machine, or service account) has been
Authentication: added to the domain. Usually, these additions
Domain Events - are made by a user account with
New Domain administrative privileges, but occasionally they
Member occur when local system maintenance activity
takes place.

Change This report lists changes to groups, including RPT2006-20-02.rpt As needed


Management - new groups, members added/removed to/from
General groups, and modifications to group settings.
Authentication:
Group Events

page 432
TITLE DESCRIPTION FILE NAME SCHEDULE
Change This report lists event events that occur when a RPT2006-20-02-6.rpt As needed
Management - group type is modified. Usually, these changes
General are made by a user account with
Authentication: administrative privileges, but occasionally a
Group Events - they occur when local system maintenance
Change Group activity takes place.
Attribute

Change This report lists event events that occur upon RPT2006-20-02-5.rpt As needed
Management - deletion of a new group of any type. Usually,
General these additions are made by a user account
Authentication: with administrative privileges.
Group Events -
Delete Group

Change This report lists event events that occur when RPT2006-20-02-3.rpt As needed
Management - an account or group has been removed from a
General group. Usually, these changes are made by a
Authentication: user account with administrative privileges,
Group Events - but occasionally they occur when local system
Delete Group maintenance activity takes place.
Member

Change This report lists authentication, authorization, RPT2006-20-02-1.rpt As needed


Management - and modification events related only to
General account groups. These events are normally
Authentication: operating system related, however could be
Group Events - produced by any network device.
Group Audit

Change This report lists NewGroup events. These RPT2006-20-02-4.rpt As needed


Management - events occur upon creation of a new group of
General any type. Usually, these additions are made by
Authentication: a user account with administrative privileges.
Group Events -
New Group

page 433
ADMINISTRATOR GUIDE: LOG & EVENT MANAGER

TITLE DESCRIPTION FILE NAME SCHEDULE


Change This report lists NewGroupMember events. RPT2006-20-02-2.rpt As needed
Management - These events occur when an account (or other
General group) has been added to a group. Usually,
Authentication: these additions are made by a user account
Group Events - with administrative privileges, but occasionally
New Group an event will occur when local system
Member maintenance activity takes place. A new user,
machine, or service account has been added to
the group.

Change This report includes changes to machine RPT2006-20-03.rpt As needed


Management - accounts, including enabling/disabling
General machine accounts and modifications to
Authentication: machine account settings.
Machine Account
Events

Change This report lists MachineDisable events. These RPT2006-20-03-3.rpt As needed


Management - events occur when a machine account is
General actively disabled and/or when an account is
Authentication: forcibly locked out by the operating system or
Machine Account other authentication tool. These events are
Events - Machine usually operating system related and could
Disabled reflect a potential issue with a computer or set
of computers.

Change This report lists MachineEnable events, which RPT2006-20-03-1.rpt As needed


Management - reflect the action of enabling a computer or
General machine account. These events are normally
Authentication: related to the operating system, and will
Machine Account trigger when a machine is “enabled,” normally
Events - Machine by a user with administrative privileges.
Enabled

page 434
TITLE DESCRIPTION FILE NAME SCHEDULE
Change This report lists MachineModifyAttribute RPT2006-20-03-2.rpt As needed
Management - events, which occur when a computer or
General machine type is changed. These events are
Authentication: uncommon and usually provided by the
Machine Account operating system.
Events - Machine
Modify Attribute

Change This report includes changes to user accounts, RPT2006-20-04.rpt As needed


Management - including enabling/disabling user accounts
General and modifications to user account settings.
Authentication:
User Account
Events

Change This report lists UserDisable events. These RPT2006-20-04-3.rpt As needed


Management - events occur when a user account is actively
General disabled and/or when a user is forcibly locked
Authentication: out by the operating system or other
User Account authentication tool. These events are usually
Events - User related to the operating system and can reflect
Disabled a potential issue with a user or set of users.

Change This report lists UserEnable events, which RPT2006-20-04-1.rpt As needed


Management - reflect the action of enabling a user account.
General These events are normally related to the
Authentication: operating system . They occur both when an
User Account account is unlocked after lockout due to
Events - User unsuccessful logons, and when an account is
Enabled “enabled” in the traditional sense.

Change This report lists UserModifyAttribute events RPT2006-20-04-2.rpt As needed


Management - that occur when a user type is changed. These
General events are uncommon and usually provided by
Authentication: the operating system.
User Account
Events - User
Modify Attributes

page 435
ADMINISTRATOR GUIDE: LOG & EVENT MANAGER

TITLE DESCRIPTION FILE NAME SCHEDULE


Change This report includes accesses to network RPT2006-21.rpt As needed
Management - infrastructure device policy, including viewing
Network or changing device policy.
Infrastructure:
Policy/View
Change

Change This report includes creations of RPT2006-22-01.rpt As needed


Management - Windows/Active Directory groups.
Windows/Active
Directory
Domains: Group
Created

Change This report includes deletions of RPT2006-22-02.rpt As needed


Management - Windows/Active Directory groups.
Windows/Active
Directory
Domains: Group
Deleted

Change This report includes Windows/Active Directory RPT2006-22.rpt As needed


Management - group-related events.
Windows/Active
Directory
Domains: Group
Events

Change This report includes changes to RPT2006-22-03.rpt As needed


Management - Windows/Active Directory group properties,
Windows/Active such as the display name.
Directory
Domains: Group
Property Updated

Change This report includes Windows/Active Directory RPT2006-23.rpt As needed


Management - machine-related events.
Windows/Active
Directory
Domains:
Machine Events

page 436
TITLE DESCRIPTION FILE NAME SCHEDULE
Change This report includes creations of RPT2006-23-01.rpt As needed
Management - Windows/Active Directory machine accounts.
Windows/Active
Directory
Domains:
Machine Events -
Account Created

Change This report includes deletions of RPT2006-23-02.rpt As needed


Management - Windows/Active Directory machine accounts.
Windows/Active
Directory
Domains:
Machine Events -
Account Deleted

Change This report includes disables of RPT2006-23-03.rpt As needed


Management - Windows/Active Directory machine accounts.
Windows/Active
Directory
Domains:
Machine Events -
Account Disabled

Change This report includes enables of Windows/Active RPT2006-23-04.rpt As needed


Management - Directory machine accounts.
Windows/Active
Directory
Domains:
Machine Events -
Account Enabled

page 437
ADMINISTRATOR GUIDE: LOG & EVENT MANAGER

TITLE DESCRIPTION FILE NAME SCHEDULE


Change This report includes changes to RPT2006-23-05.rpt As needed
Management - Windows/Active Directory machine account
Windows/Active properties, such as the display name.
Directory
Domains:
Machine Events -
Account
Properties
Update

Change This report includes additions of RPT2006-23-06.rpt As needed


Management - Windows/Active Directory machine accounts to
Windows/Active groups.
Directory
Domains:
Machine Events -
Added To Group

Change This report includes additions of RPT2006-23-07.rpt As needed


Management - Windows/Active Directory machine accounts to
Windows/Active Organizational Units.
Directory
Domains:
Machine Events -
Added To OU

Change This report includes removals of RPT2006-23-08.rpt As needed


Management - Windows/Active Directory machine accounts
Windows/Active from groups.
Directory
Domains:
Machine Events -
Removed From
Group

page 438
TITLE DESCRIPTION FILE NAME SCHEDULE
Change This report includes removals of RPT2006-23-09.rpt As needed
Management - Windows/Active Directory machine accounts
Windows/Active from Organizational Units.
Directory
Domains:
Machine Events -
Removed From
OU

Change This report includes additions of RPT2006-22-04.rpt As needed


Management - Windows/Active Directory user accounts to
Windows/Active critical groups, such as Domain or Enterprise
Directory Admins.
Domains: New
Critical Group
Members

Change This report includes Windows/Active Directory RPT2006-24.rpt As needed


Management - Organizational Unit-related events.
Windows/Active
Directory
Domains: OU
Events

Change This report includes creation of RPT2006-24-01.rpt As needed


Management - Windows/Active Directory Organizational Units.
Windows/Active
Directory
Domains: OU
Events - OU
Created

Change This report includes deletion of RPT2006-24-02.rpt As needed


Management - Windows/Active Directory Organizational Units.
Windows/Active
Directory
Domains: OU
Events - OU
Deleted

page 439
ADMINISTRATOR GUIDE: LOG & EVENT MANAGER

TITLE DESCRIPTION FILE NAME SCHEDULE


Change This report includes updates to RPT2006-24-03.rpt As needed
Management - Windows/Active Directory Organizational Unit
Windows/Active properties, such as the display name.
Directory
Domains: OU
Events - OU
Properties
Update

Change This report includes Windows/Active Directory RPT2006-25.rpt As needed


Management - user-related events.
Windows/Active
Directory
Domains: User
Events

Change This report includes creations of RPT2006-25-01.rpt As needed


Management - Windows/Active Directory user accounts.
Windows/Active
Directory
Domains: User
Events - Account
Created

Change This report includes deletions of RPT2006-25-02.rpt As needed


Management - Windows/Active Directory user accounts.
Windows/Active
Directory
Domains: User
Events - Account
Deleted

Change This report includes disables of RPT2006-25-03.rpt As needed


Management - Windows/Active Directory user accounts.
Windows/Active
Directory
Domains: User
Events - Account
Disabled

page 440
TITLE DESCRIPTION FILE NAME SCHEDULE
Change This report includes enables of Windows/Active RPT2006-25-04.rpt As needed
Management - Directory user accounts.
Windows/Active
Directory
Domains: User
Events - Account
Enabled

Change This report includes user-driven disables of RPT2006-25-05.rpt As needed


Management - Windows/Active Directory user accounts, such
Windows/Active as a user triggering an excessive failed
Directory password limit.
Domains: User
Events - Account
Lockout

Change This report includes changes to RPT2006-25-06.rpt As needed


Management - Windows/Active Directory user account
Windows/Active properties, such as the display name.
Directory
Domains: User
Events - Account
Properties
Updated

Change This report includes additions of RPT2006-25-07.rpt As needed


Management - Windows/Active Directory user accounts to
Windows/Active groups.
Directory
Domains: User
Events - Added
To Group

Change This report includes additions of RPT2006-25-08.rpt As needed


Management - Windows/Active Directory user accounts to
Windows/Active Organizational Units.
Directory
Domains: User
Events - Added
To OU

page 441
ADMINISTRATOR GUIDE: LOG & EVENT MANAGER

TITLE DESCRIPTION FILE NAME SCHEDULE


Change This report includes removals of RPT2006-25-09.rpt As needed
Management - Windows/Active Directory user accounts from
Windows/Active groups.
Directory
Domains: User
Events - Removed
From Group

Change This report includes removals of RPT2006-25-10.rpt As needed


Management - Windows/Active Directory user accounts from
Windows/Active Organizational Units.
Directory
Domains: User
Events - Removed
From OU

File Audit Events This report tracks file system activity RPT2003-05.rpt Weekly
associated with audited files and system
objects, such as file access successes and
failures.

File Audit Events - File Attribute Change is a specific File Write RPT2003-05-41.rpt As needed
File Attribute event generated for the modification of file
Change attributes (including properties such as read-
only status). These events may be produced by
any tool that is used to monitor the activity of
file usage, including a Host-Based IDS and
some Operating Systems.

File Audit Events - File Audit events are used to track file activity RPT2003-05-11.rpt As needed
File Audit on monitored network devices, usually through
the Operating System or a Host-Based IDS.
These events will note success or failure of the
requested operation.

File Audit Events - File Audit Failure events are used to track RPT2003-05-12.rpt As needed
File Audit Failure failed file activity on monitored network
devices, usually through the Operating System
or a Host-Based IDS. These events will note
what requested operation failed.

page 442
TITLE DESCRIPTION FILE NAME SCHEDULE
File Audit Events - File Create is a specific File Write event RPT2003-05-42.rpt As needed
File Create generated for the initial creation of a file.
These events may be produced by any tool that
is used to monitor the activity of file usage,
including a Host-Based IDS and some
Operating Systems.

File Audit Events - File Data Read is a specific File Read event RPT2003-05-31.rpt As needed
File Data Read generated for the operation of reading data
from a file (not just properties or status of a
file). These events may be produced by any
tool that is used to monitor the activity of file
usage, including a Host-Based IDS and some
Operating Systems.

File Audit Events - File Data Write is a specific File Write event RPT2003-05-43.rpt As needed
File Data Write generated for the operation of writing data to a
file (not just properties or status of a file).
These events may be produced by any tool that
is used to monitor the activity of file usage,
including a Host-Based IDS and some
Operating Systems.

File Audit Events - File Delete is a specific File Write event RPT2003-05-44.rpt As needed
File Delete generated for the deletion of an existing file.
These events may be produced by any tool that
is used to monitor the activity of file usage,
including a Host-Based IDS and some
Operating Systems.

File Audit Events - File Execute is a specific File Read event RPT2003-05-32.rpt As needed
File Execute generated for the operation of executing files.
These events may be produced by any tool that
is used to monitor the activity of file usage,
including a Host-Based IDS and some
Operating Systems.

page 443
ADMINISTRATOR GUIDE: LOG & EVENT MANAGER

TITLE DESCRIPTION FILE NAME SCHEDULE


File Audit Events - File Handle Audit events are used to track file RPT2003-05-21.rpt As needed
File Handle Audit handle activity on monitored network devices,
usually through low level access to the
Operating System, either natively or with or a
Host-Based IDS. These events will note success
or failure of the requested operation.

File Audit Events - File Handle Close is a specific File Handle Audit RPT2003-05-22.rpt As needed
File Handle Close event generated for the closing of file handles.
These events may be generated by a tool that
has low-level file access, such as an Operating
System or some Host-Based IDS'.

File Audit Events - File Handle Copy is a specific File Handle Audit RPT2003-05-23.rpt As needed
File Handle Copy event generated for the copying of file handles.
These events may be generated by a tool that
has low-level file access, such as an Operating
System or some Host-Based IDS'.

File Audit Events - File Handle Open is a specific File Handle Audit RPT2003-05-24.rpt As needed
File Handle Open event generated for the opening of file
handles. These events may be generated by a
tool that has low-level file access, such as an
Operating System or some Host-Based IDS'.

File Audit Events - File Link is a specific File Write event generated RPT2003-05-45.rpt As needed
File Link for the creation, deletion, or modification of
links to other files. These events may be
produced by any tool that is used to monitor
the activity of file usage, including a Host-
Based IDS and some Operating Systems.

File Audit Events - File Move is a specific File Write event RPT2003-05-46.rpt As needed
File Move generated for the operation of moving a file
that already exists. These events may be
produced by any tool that is used to monitor
the activity of file usage, including a Host-
Based IDS and some Operating Systems.

page 444
TITLE DESCRIPTION FILE NAME SCHEDULE
File Audit Events - File Read is a specific File Audit event RPT2003-05-33.rpt As needed
File Read generated for the operation of reading files
(including reading properties of a file or the
status of a file). These events may be produced
by any tool that is used to monitor the activity
of file usage, including a Host-Based IDS and
some Operating Systems.

File Audit Events - File Write is a specific File Audit event RPT2003-05-47.rpt As needed
File Write generated for the operation of writing to a file
(including writing properties of a file or
changing the status of a file). These events may
be produced by any tool that is used to
monitor the activity of file usage, including a
Host-Based IDS and some operating systems.

File Audit Events - Object Audit events are used to track special RPT2003-05-51.rpt As needed
Object Audit object activity on monitored network devices,
usually through the Operating System or a
Host-Based IDS. Generally, Objects are special
types of system resources, such as registry
items or user account databases. These objects
may be actual 'files' on the system, but are not
necessarily human readable. These events will
note success or failure of the requested
operation.

File Audit Events - Object Audit Failure events are used to track RPT2003-05-52.rpt As needed
Object Audit special object activity on monitored network
Failure devices, usually through the Operating System
or a Host-Based IDS. Generally, Objects are
special types of system resources, such as
registry items or user account databases.
These objects may be actual 'files' on the
system, but are not necessarily human
readable. These events will note a failure of
the requested operation.

page 445
ADMINISTRATOR GUIDE: LOG & EVENT MANAGER

TITLE DESCRIPTION FILE NAME SCHEDULE


File Audit Events - Object Delete is a specific Object Audit event RPT2003-05-53.rpt As needed
Object Delete generated for the deletion of an existing
object. These events may be produced by any
tool that is used to monitor the activity of file
and object usage, including a Host-Based IDS
and some Operating Systems.

File Audit Events - Object Link is a specific Object Audit event RPT2003-05-54.rpt As needed
Object Link generated for the creation, deletion, or
modification of links to other objects. These
events may be produced by any tool that is
used to monitor the activity of file and object
usage, including a Host-Based IDS and some
Operating Systems.

Incident Events This report tracks the Incident, HostIncident, RPT2006-19.rpt Daily
HybridIncident and NetworkIncident events
that have been generated to reflect enterprise-
wide issues.

Inferred Events This report tracks events that are triggered by RPT2006-27.rpt As needed
correlations built in the SolarWinds Rule
Builder.

Inferred Events This report tracks events that are triggered by RPT2006-27-01.rpt As needed
by Inference Rule correlations, and orders them by the
correlation rule name.

Log Track activity associated with account events RPT2003-03.rpt Weekly


On/Off/Failure such as log on, log off and log on failures. This
is a refined version of the Authentication
Report that does not include SolarWinds
authentication events. It is more appropriate
for management reports or audit reviews than
regular use.

page 446
Each entry below gives the report title, followed by its file name and schedule in parentheses, then its description.

Network Traffic Audit (RPT2003-06.rpt; schedule: Daily, if needed)
Track activity associated with network traffic audit events such as TCP, IP and UDP events. Specifically, this report tracks regular network traffic activity, such as encrypted traffic, web traffic, and other forms of UDP, TCP and ICMP traffic. It gives you both an overview and some details of exactly what is flowing through your network. This report can be quite large.

Network Traffic Audit - Application Traffic (RPT2003-06-11.rpt; schedule: As needed)
ApplicationTrafficAudit events reflect network traffic that is mostly or all application-layer data. Events that are children of ApplicationTrafficAudit are also related to application-layer resources. Events placed in the parent ApplicationTrafficAudit event itself are known to be application-related, but are not able to be further categorized based on the message provided by the tool or because they are uncommon and rarely, if ever, imply network attack potential.

Network Traffic Audit - Application Traffic by Destination Machine (RPT2003-06-11-2.rpt; schedule: As needed)
This report lists all Application Traffic events (such as WebTrafficAudit), grouped by destination machine/IP.

Network Traffic Audit - Application Traffic by Provider SID (RPT2033-06-11-3.rpt; schedule: As needed)
This report lists all Application Traffic events (such as WebTrafficAudit), grouped by provider SID.

Network Traffic Audit - Application Traffic by Source Machine (RPT2003-06-11-1.rpt; schedule: As needed)
This report lists all Application Traffic events (such as WebTrafficAudit), grouped by source machine/IP.

ADMINISTRATOR GUIDE: LOG & EVENT MANAGER



Network Traffic Audit - Application Traffic by Tool Alias (RPT2003-06-11-0.rpt; schedule: As needed)
This report lists all Application Traffic events (such as WebTrafficAudit), grouped by the SolarWinds sensor tool alias that reported each event.

Network Traffic Audit - Configuration Traffic (RPT2003-06-02.rpt; schedule: As needed)
Configuration Traffic Audit events reflect application-layer data related to configuration of network resources. Included in ConfigurationTrafficAudit are protocols such as DHCP, BootP, and SNMP. ConfigurationTrafficAudit events generally indicate normal traffic; however, events of this type could also be symptoms of misconfiguration, inappropriate usage, attempts to enumerate or access network devices or services, attempts to access devices that are configured via these services, or other abnormal traffic.

Network Traffic Audit - Core Traffic (RPT2003-06-03.rpt; schedule: As needed)
CoreTrafficAudit events reflect network traffic sent over core protocols. Events that are children of CoreTrafficAudit are all related to the TCP, IP, UDP, and ICMP protocols. Events of this type and its children do not have any application-layer data. Events placed in the parent CoreTrafficAudit event itself are known to be a core protocol, but are not able to be further categorized based on the message provided by the tool.

Network Traffic Audit - Core Traffic by Destination Machine (RPT2003-06-03-2.rpt; schedule: As needed)
This report lists all Core Traffic events (such as TCPTrafficAudit), grouped by destination machine/IP.

Network Traffic Audit - Core Traffic by Provider SID (RPT2003-06-03-3.rpt; schedule: As needed)
This report lists all Core Traffic events (such as TCPTrafficAudit), grouped by provider SID.

Network Traffic Audit - Core Traffic by Source (RPT2003-06-03-1.rpt; schedule: As needed)
This report lists all Core Traffic events (such as TCPTrafficAudit), grouped by source machine/IP.

Network Traffic Audit - Core Traffic by Tool Alias (RPT2003-06-03-0.rpt; schedule: As needed)
This report lists all Core Traffic events (such as TCPTrafficAudit), grouped by the SolarWinds tool sensor alias that reported the event.

Network Traffic Audit - Encrypted Traffic (RPT2003-06-04.rpt; schedule: As needed)
Encrypted Traffic Audit events reflect application-layer traffic that has been encrypted and is intended for a secure host. Included in Encrypted Traffic Audit are client and server side application events, such as key exchanges, that normally occur after the low-level session creation and handshaking have completed.

Network Traffic Audit - Link Control Traffic (RPT2003-06-05.rpt; schedule: As needed)
Link Control Traffic Audit events are generated for network events related to link level configuration. Link Control Traffic Audit events generally indicate normal traffic; however, events of this type could also be symptoms of misconfiguration at the link level, inappropriate usage, or other abnormal traffic.

Network Traffic Audit - Network Traffic (RPT2003-06-06.rpt; schedule: As needed)
Members of the Network Audit tree are used to define events centered on usage of network resources/bandwidth.

Network Traffic Audit - Point to Point Traffic (RPT2003-06-07.rpt; schedule: As needed)
Point To Point Traffic Audit events reflect application-layer data related to point-to-point connections between hosts. Included in Point To Point Traffic Audit are encrypted and unencrypted point-to-point traffic.



Network Traffic Audit - Remote Procedure Traffic (RPT2003-06-08.rpt; schedule: As needed)
Remote Procedure Traffic Audit events reflect application-layer data related to remote procedure services. Included in Remote Procedure Traffic Audit are the traditional RPC services used to service remote logons and file shares, and other services which require remote procedure access to complete authentication, pass data, or otherwise communicate. RemoteProcedureTrafficAudit events generally indicate normal traffic for networks that have remote procedure services on their network; however, events of this type could also be symptoms of inappropriate access, misconfiguration of the remote procedure services, errors in the remote procedure calls, or other abnormal traffic.

Network Traffic Audit - Routing Traffic (RPT2003-06-09.rpt; schedule: As needed)
Routing Traffic Audit events are generated for network events related to configuration of network routes, using protocols such as IGMP, IGRP, and RIP. RoutingTrafficAudit events generally indicate normal traffic; however, events of this type could also be symptoms of misconfigured routing, unintended route configuration, or other abnormal traffic.

Network Traffic Audit - Time Traffic (RPT2003-06-10.rpt; schedule: As needed)
Time Traffic Audit events reflect application-layer data related to network time configuration. Included in TimeTrafficAudit are protocols such as NTP and activities such as detection of client-side network time updates.

Network Traffic Audit - Top Application Traffic by Source (RPT2003-06-01-2.rpt; schedule: As needed)
This report lists the Top Application Traffic events (such as WebTrafficAudit), grouped by source machine/IP.

Network Traffic Audit - Top Core Traffic by Source (RPT2003-06-03-2.rpt; schedule: As needed)
This report lists the Top Core Traffic events (such as TCPTrafficAudit), grouped by source machine/IP.

Network Traffic Audit - Web Traffic (RPT2003-06-01.rpt; schedule: As needed)
WebTrafficAudit events reflect application-layer data related to web services. Included in WebTrafficAudit are client and server web events from web servers, web applications, content filter related events, and other web services. WebTrafficAudit events generally indicate normal traffic; however, events of this type could also be symptoms of inappropriate web usage, potential abuse of web services, or other abnormal traffic.

Network Traffic Audit - Web Traffic by Destination Machine (RPT2003-06-01-2.rpt; schedule: As needed)
This report lists all WebTrafficAudit events grouped by destination machine/IP.

Network Traffic Audit - Web Traffic by Provider SID (RPT2003-06-01-3.rpt; schedule: As needed)
This report lists Web Traffic Audit events grouped by provider SID.

Network Traffic Audit - Web Traffic by Source Machine (RPT2003-06-01-1.rpt; schedule: As needed)
This report lists all WebTrafficAudit events grouped by source machine/IP.

Network Traffic Audit - Web Traffic by Tool Alias (RPT2003-06-01-0.rpt; schedule: As needed)
This report lists Web Traffic Audit events grouped by tool alias.



Network Traffic Audit - Web URL Requests by Source Machine (RPT2003-06-01-5.rpt; schedule: As needed)
This report lists the most frequently visited URLs grouped by the requesting client source machine.

Network Traffic Audit - Web URL Requests by Source Machine - Graphs (RPT2003-06-01-4.rpt; schedule: As needed)
This report shows graphs of the most frequently visited URLs for each client source machine.

Resource Configuration (RPT2003-08.rpt; schedule: Weekly)
The Resource Configuration report details events that relate to configuration of user accounts, machine accounts, groups, policies and their relationships. These include items such as domain or group modification, policy changes, and creation of new network resources.

Resource Configuration - Authorization Audit (RPT2003-08-01.rpt; schedule: As needed)
Events that are part of the Auth Audit tree are related to authentication and authorization of accounts and account containers such as groups or domains. These events can be produced from any network node including firewalls, routers, servers, and clients.

Resource Configuration - Domain Authorization Audit (RPT2003-08-02.rpt; schedule: As needed)
Domain Auth Audit events are authentication, authorization, and modification events related only to domains, subdomains, and account containers. These events are normally operating system related, but could be produced by any network device.

Resource Configuration - Group Audit (RPT2003-08-03.rpt; schedule: As needed)
Group Audit events are authentication, authorization, and modification events related only to account groups. These events are normally operating system related, but could be produced by any network device.

Resource Configuration - Machine Authorization Audit (RPT2003-08-04.rpt; schedule: As needed)
Machine Auth Audit events are authentication, authorization, and modification events related only to computer or machine accounts. These events can be produced from any network node including firewalls, routers, servers, and clients, but are normally operating system related.

Resource Configuration - Policy Audit (RPT2003-08-06.rpt; schedule: As needed)
Policy Audit events are used to track access, modification, scope change, and creation of authentication, domain, account, and account container policies. Many of these events reflect normal system traffic. Most PolicyAudit events are provided by the Operating System.

Resource Configuration - User Authorization Audit (RPT2003-08-05.rpt; schedule: As needed)
User Auth Audit events are authentication, authorization, and modification events related only to user accounts. These events can be produced from any network node including firewalls, routers, servers, and clients.


Security reports included with LEM


The following table lists and describes each of the security reports, listed alphabetically by title.

Each entry below gives the report title, followed by its file name and schedule in parentheses, then its description.

Authentication Report - Failed Authentication (RPT2003-02-1.rpt; schedule: As needed)
Failed Authentication events occur when a user has made several attempts to authenticate that have continuously failed, or when a logon failure is serious enough to merit a security event on a single failure.

Authentication Report - Guest Login (RPT2003-02-2.rpt; schedule: As needed)
This report shows logins to various Guest accounts.

Authentication Report - Restricted Information Attempt (RPT2003-02-3.rpt; schedule: As needed)
Restricted Information Attempt events describe a user attempt to access local or remote information that their level of authorization does not allow. These events may indicate user attempts to exploit services to which they are denied access, or inappropriate access attempts to information.

Authentication Report - Restricted Service Attempt (RPT2003-02-4.rpt; schedule: As needed)
Restricted Service Attempt events describe a user attempt to access a local or remote service that their level of authorization does not allow. These events may indicate user attempts to exploit services to which they are denied access, or inappropriate access attempts to services.

Console (RPT2003-10.rpt; schedule: As needed)
The Console report shows every event that passes through the system in the given time interval. It mimics the basic management console view. It does not contain the same level of field detail, but it is useful to get a quick snapshot of activity for a period, a lunch hour, for example. This report can be very large, so you will only want to run it for small time intervals, such as hours.

Console - Overview (RPT2003-10-00.rpt; schedule: As needed)
An overview of all events during the specified time range. Shows graphs of the most common generic event field data from the console report.

Event Summary - Attack Behavior Statistics (RPT2003-01-02.rpt; schedule: As needed)
Event Summary Sub Report - Attack Behavior Statistics.


Event Summary - Authorization Audit Statistics (RPT2003-01-03.rpt; schedule: As needed)
Event Summary Sub Report - Authorization Audit Statistics.

Event Summary - Graphs (RPT2003-01.rpt; schedule: Daily)
The event summary report gathers statistical data from all major event categories, summarizes it with a one-hour resolution, and presents a quick, graphical overview of activity on your network.

Event Summary - Machine Audit Statistics (RPT2003-01-05.rpt; schedule: As needed)
Event Summary Sub Report - Machine Audit Statistics.

Event Summary - Policy Audit Statistics (RPT2003-01-06.rpt; schedule: As needed)
Event Summary Sub Report - Policy Audit Statistics.

Event Summary - Resource Audit Statistics (RPT2003-01-07.rpt; schedule: As needed)
Event Summary Sub Report - Resource Audit Statistics.

Event Summary - Suspicious Behavior Statistics (RPT2003-01-08.rpt; schedule: As needed)
Event Summary Sub Report - Suspicious Behavior Statistics.

Event Summary - Top Level Statistics (RPT2003-01-01.rpt; schedule: As needed)
Event Summary Sub Report - Top Level Statistics.


Machine Audit (RPT2003-09.rpt; schedule: Weekly)
Track activity associated with machine process and service audit events. This report shows machine-level events such as software installs, patches, system shutdowns, and reboots. It can be used to assist in software license compliance auditing by providing records of installs.

Machine Audit - File System Audit (RPT2003-09-010.rpt; schedule: As needed)
This report tracks activity associated with file system audit events, including mount file system and unmount file system events. These events are generally normal system activity, especially during system boot.

Machine Audit - File System Audit - Mount File System (RPT2003-09-012.rpt; schedule: As needed)
Mount File System events are a specific type of File System Audit that reflect the action of creating an active translation between hardware and a usable file system. These events are generally normal during system boot.

Machine Audit - File System Audit - Unmount File System (RPT2003-09-013.rpt; schedule: As needed)
Unmount File System events are a specific type of File System Audit that reflect the action of removing a translation between hardware and a usable file system. These events are generally normal during system shutdown.

Machine Audit - Process Audit (RPT2003-09-030.rpt; schedule: As needed)
This report tracks activity related to processes, including processes that have started, stopped, or reported useful process-related information.

Machine Audit - Process Audit - Process Audit (RPT2003-09-031.rpt; schedule: As needed)
This report lists Process Audit events that are generated to track launch, exit, status, and other events related to system processes. Usually, these events reflect normal system activity. Process-related activity that may indicate a failure will be noted separately from normal activity in the event detail.

Machine Audit - Process Audit - Process Info (RPT2003-09-032.rpt; schedule: As needed)
Process Info is a specific type of Process Audit event that reflects information related to a process. Most of these events can safely be ignored, as they are generally normal activity that does not reflect a failure or abnormal state.

Machine Audit - Process Audit - Process Start (RPT2003-09-033.rpt; schedule: As needed)
Process Start is a specific type of Process Audit event that indicates a new process has been launched. Usually, Process Start reflects normal system activity.


Machine Audit - Process Audit - Process Stop (RPT2003-09-034.rpt; schedule: As needed)
Process Stop is a specific type of Process Audit event that indicates a process has exited. Usually, Process Stop reflects normal application exit; however, in the event of an unexpected error the abnormal state will be noted.

Machine Audit - Process Audit - Process Warning (RPT2003-09-035.rpt; schedule: As needed)
Process Warning is a specific type of Process Audit event that indicates a process has returned a 'Warning' message that is not a fatal error and may not have triggered an exit of the process.

Machine Audit - Service Audit (RPT2003-09-040.rpt; schedule: As needed)
This report tracks activity related to services, including services that have started, stopped, or reported useful service-related information or warnings.

Machine Audit - Service Audit - Service Info (RPT2003-09-041.rpt; schedule: As needed)
This report tracks ServiceInfo events, which reflect information related to a particular service. Most of these events can safely be ignored, as they are generally normal activity that does not reflect a failure or abnormal state.

Machine Audit - Service Audit - Service Start (RPT2003-09-042.rpt; schedule: As needed)
This report tracks ServiceStart events, which indicate that a new system service is starting.

Machine Audit - Service Audit - Service Stop (RPT2003-09-043.rpt; schedule: As needed)
This report tracks ServiceStop events, which indicate that a system service is stopping. This activity is generally normal; however, in the event of an unexpected stop the abnormal state will be noted.

Machine Audit - Service Audit - Service Warning (RPT2003-09-044.rpt; schedule: As needed)
This report lists ServiceWarning events. These events indicate a service has returned a Warning message that is not a fatal error and may not have triggered an exit of the service.

Machine Audit - System Audit (RPT2003-09-020.rpt; schedule: As needed)
This report tracks activity associated with system status and modifications, including software changes, system reboots, and system shutdowns.

Machine Audit - System Audit - Machine Audit (RPT2003-09-021.rpt; schedule: As needed)
Machine Audit events are used to track hardware or software status and modifications. These events are generally acceptable, but do indicate modifications to the client system that may be noteworthy.


Machine Audit - System Audit - Software Install (RPT2003-09-025.rpt; schedule: As needed)
SoftwareInstall events reflect modifications to the system at a software level, generally at the operating system level (or equivalent, in the case of a network infrastructure device). These events are generated when a user updates a system or launches system-native methods to install third party applications.

Machine Audit - System Audit - Software Update (RPT2003-09-026.rpt; schedule: As needed)
SoftwareUpdate is a specific type of SoftwareInstall that reflects a more current version of software being installed to replace an older version.

Machine Audit - System Audit - System Reboot (RPT2003-09-022.rpt; schedule: As needed)
System Reboot events occur on monitored network devices (servers, routers, etc.) and indicate that a system has restarted.

Machine Audit - System Audit - System Shutdown (RPT2003-09-023.rpt; schedule: As needed)
System shutdown events occur on monitored network devices (servers, routers, etc.) and indicate that a system has been shut down.

Machine Audit - System Audit - System Status (RPT2003-09-024.rpt; schedule: As needed)
SystemStatus events reflect general system state events. These events are generally normal and informational; however, they could potentially reflect a failure or issue which should be addressed.

Machine Audit - USB-Defender (RPT2003-09-050.rpt; schedule: As needed)
This report tracks activity associated with USB-Defender, including insertion and removal events related to USB Mass Storage devices.

Malicious Code (RPT2003-04.rpt; schedule: Weekly)
This report tracks event activity associated with malicious code such as viruses, Trojans, and worms, both on the network and on local machines, as detected by anti-virus software.

Malicious Code - Service Process Attack (RPT2003-04-01.rpt; schedule: As needed)
Members of the Service Process Attack tree are used to define events centered on malicious or abusive usage of services or user processes. These events include abuse or misuse of resources from malicious code placed on the client system.


Malicious Code - Trojan Command Access (RPT2003-04-05.rpt; schedule: As needed)
Trojan Command Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as Trojan Horses. This event detects the communication related to Trojans sending commands over the network (infecting other clients, participating in a denial of service activity, being controlled remotely by the originator, etc.). Trojans are generally executables that require no user intervention to spread and contain malicious code that is placed on the client system and used to exploit the client (and return access to the originator of the attack) or exploit other clients (used in attacks such as distributed denial of service attacks).

Malicious Code - Trojan Infection Access (RPT2003-04-04.rpt; schedule: As needed)
Trojan Infection Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as a Trojan Horse. This event detects the infection traffic related to a Trojan entering the network (generally with intent to infect a client). Trojans are generally executables that require no user intervention to spread and contain malicious code that is placed on the client system and used to exploit the client (and return access to the originator of the attack) or exploit other clients (used in attacks such as distributed denial of service attacks).

Malicious Code - Trojan Traffic Access (RPT2003-04-02.rpt; schedule: As needed)
Trojan Traffic Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as a Trojan Horse. This event detects the communication related to Trojans over the network (generally, 'trojaned' clients calling home to the originator). Trojans are generally executables that require no user intervention to spread and contain malicious code that is placed on the client system and used to exploit the client (and return access to the originator of the attack) or exploit other clients (used in attacks such as distributed denial of service attacks).


Malicious Code Report - Trojan Traffic Denial (RPT2003-04-03.rpt; schedule: As needed)
Trojan Traffic Denial events are a specific type of Denial event where the transport of the malicious or abusive usage originates with malicious code on a client system known as a Trojan. The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. Trojan Traffic Denial events may be attempts to exploit weaknesses in software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, attempts to spread the Trojan to other hosts, or other denial of service activities.

Malicious Code Report - Virus Attack (RPT2003-04-06.rpt; schedule: As needed)
Virus Attack events reflect malicious code placed on a client or server system, which may lead to system or other resource compromise and may lead to further attack. The severity of this event will depend on the ActionTaken field, which reflects whether the virus or other malicious code was successfully removed.

Malicious Code Report - Virus Summary Attack (RPT2003-04-07.rpt; schedule: As needed)
Virus Summary Attack events reflect malicious code placed on a client or server system, which may lead to system or other resource compromise and may lead to further attack. The severity of this event will depend on the Action Taken field, which reflects whether the virus or other malicious code was successfully removed. These events differ from Virus Attack in that they may be a composite of virus events, normally due to a scheduled scan on the client system as opposed to a real-time scan.

Malicious Code Report - Virus Traffic Access (RPT2003-04-08.rpt; schedule: As needed)
Virus Traffic Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as viruses. This event detects the communication related to viruses over the network (generally, the spread of a virus infection or an incoming virus infection). Viruses are generally executables that require user intervention to spread, contain malicious code that is placed on the client system, and are used to exploit the client and possibly spread themselves to other clients.


Network Events: Attack Behavior (RPT2003-11-00.rpt; schedule: As needed)
This report tracks activity associated with top-level NetworkAttack events.

Network Events: Attack Behavior - Access (RPT2003-11.rpt; schedule: Weekly)
This report shows malicious asset access via the network. For example, attacks on FTP or Windows Network servers, malicious network database access, abuses of services, or attempted unauthorized entry.

Network Events: Attack Behavior - Access - Access (RPT2003-11-01.rpt; schedule: As needed)
Children of the Access tree define events centered on malicious or abusive usage of network bandwidth/traffic where the intention, or the result, is inappropriate or abusive access to network resources.

Network Events: Attack Behavior - Access - Application Access (RPT2003-11-02.rpt; schedule: As needed)
Application Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is mostly or all application-layer. Generally, ApplicationAccess events will reflect attempted exploitation of weaknesses in server or client software, or information that is restricted/prohibited by device access control or policy.

Network Events: Attack Behavior - Access - Configuration Access (RPT2003-11-03.rpt; schedule: As needed)
Configuration Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via resource configuration traffic (using protocols such as DHCP, BootP, and SNMP). Generally, these events will reflect attempted exploitation of weaknesses in the configuration server or client software or attempts to gain system-level access to configuration servers themselves. In the case of SNMP and similar configuration protocols, it could reflect an attempt to enumerate a device or devices on the same network for further attack.


Network Events: Attack Behavior - Access - Core Access (RPT2003-11-04.rpt; schedule: As needed)
Core Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is mostly or all core protocols (TCP, UDP, IP, ICMP). Generally, CoreAccess events will reflect attempted exploitation of weaknesses in network protocols or devices with intent to gain access to servers, clients, or network infrastructure devices.

Network Events: Attack Behavior - Access - Database Access (RPT2003-11-05.rpt; schedule: As needed)
Database Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer database traffic. Generally, these events will reflect attempted exploitation of weaknesses in database server or client software.

Network Events: Attack Behavior - Access - File System Access (RPT2003-11-06.rpt; schedule: As needed)
File System Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via remote file system traffic (using protocols such as SMB and NFS). Generally, these events will reflect attempted exploitation of weaknesses in the remote file system server or client software or attempts to gain system-level access to remote file system servers themselves.

Network Events: Attack Behavior - Access - File Transfer (RPT2003-11-07.rpt; schedule: As needed)
File Transfer Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer file transfer traffic. Generally, these events will reflect attempted exploitation of weaknesses in file transfer server or client software.


Network Events: Attack Behavior - Access - Link Control Access (RPT2003-11-08.rpt; schedule: As needed)
Link Control Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is low-level link control (using protocols such as ARP). Generally, Link Control Access events will reflect attempted exploitation of weaknesses in switching devices by usage of malformed incoming or outgoing data, with intent to enumerate or gain access to or through switching devices, clients that are also on the switching device, and entire networks attached to the switching device. In some cases, a managed switch with restrictions on port analyzing activity may be forced into an unmanaged switch with no restrictions, allowing a malicious client to sniff traffic and enumerate or attack.

Network Events: Attack Behavior - Access - Mail Access (RPT2003-11-09.rpt; schedule: As needed)
Mail Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer mail transfer, retrieval, or service traffic. Generally, these events will reflect attempted exploitation of weaknesses in mail-related server or client software.

Network Events: Attack Behavior - Access - Naming Access (RPT2003-11-10.rpt; schedule: As needed)
Naming Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer naming service traffic (using protocols such as DNS and WINS). Generally, these events will reflect attempted exploitation of weaknesses in the naming server or client software.

Network Events: Attack Behavior - Access - News Access (RPT2003-11-11.rpt; schedule: As needed)
News Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer news traffic (over protocols such as NNTP). Generally, these events will reflect attempted exploitation of weaknesses in the news server or client software.


Network Point To Point Access events reflect malicious or abusive usage of RPT2003- As
Events: Attack network resources where the intention, or the result, is gaining 11-12.rpt needed
Behavior - access to resources via point to point traffic (using protocols such
Access - Point as PPTP). Generally, these events will reflect attempted
to Point exploitation of weaknesses in point to point server or client
Access software, attempts to enumerate networks, or attempts to further
attack devices on trusted networks.

Network Events: Attack Behavior - Access - Printer Access (RPT2003-11-13.rpt; As needed)
Printer Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer remote printer traffic. Generally, these events will reflect attempted exploitation of weaknesses in the remote printer server or client software.

Network Events: Attack Behavior - Access - Remote Console Access (RPT2003-11-14.rpt; As needed)
Remote Console Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer remote console service traffic (services such as telnet, SSH, and terminal services). Generally, these events will reflect attempted exploitation of weaknesses in the remote console server or client software.

Network Events: Attack Behavior - Access - Remote Procedure Access (RPT2003-11-15.rpt; As needed)
Remote Procedure Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via remote procedure call traffic (using protocols such as the traditional RPC services, RMI, and CORBA). Generally, these events will reflect attempted exploitation of weaknesses in the remote procedure server or client software or attempts to gain system-level access to remote procedure servers themselves.


Network Events: Attack Behavior - Access - Routing Access (RPT2003-11-16.rpt; As needed)
Routing Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is routing-related protocols (RIP, IGMP, etc.). Generally, Routing Access events will reflect attempted exploitation of weaknesses in routing protocols or devices with intent to enumerate or gain access to or through routers, servers, clients, or other network infrastructure devices. These routing protocols are used to automate the routing process between multiple devices that share or span networks.

Network Events: Attack Behavior - Access - Time Access (RPT2003-11-17.rpt; As needed)
Time Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer remote time service traffic (using protocols such as NTP). Generally, these events will reflect attempted exploitation of weaknesses in the remote time server or client software.

Network Events: Attack Behavior - Access - Virus Traffic Access (RPT2003-11-19.rpt; As needed)
Virus Traffic Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as viruses. Generally, these events will reflect attempted exploitation of weaknesses in the web server or client software.

Network Events: Attack Behavior - Access - Web Access (RPT2003-11-18.rpt; As needed)
Web Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer WWW traffic. Generally, these events will reflect attempted exploitation of weaknesses in the web server or client software.

Network Events: Attack Behavior - Denial / Relay (RPT2003-12.rpt; Weekly)
Track activity associated with network denial or relay attack behaviors. This report shows malicious asset relay attempts and denials of service via the network. For example, FTP bouncing, Distributed Denial of Service events, and many protocol abuses.


Network Events: Attack Behavior - Denial / Relay - Application Denial (RPT2003-12-01.rpt; As needed)
Application Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is application-layer protocols. The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. Application Denial events may be attempts to exploit weaknesses in software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities.

Network Events: Attack Behavior - Denial / Relay - Configuration Denial (RPT2003-12-02.rpt; As needed)
Configuration Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is protocols related to configuration of resources (DHCP, BootP, SNMP, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. ConfigurationDenial events may be attempts to exploit weaknesses in configuration-related software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities.

Network Events: Attack Behavior - Denial / Relay - Core Denial (RPT2003-12-03.rpt; As needed)
Core Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is core protocols (TCP, IP, ICMP, UDP). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. Core Denial events may be attempts to exploit weaknesses in software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities.

Network Events: Attack Behavior - Denial / Relay - Denial (RPT2003-12-04.rpt; As needed)
Children of the Denial tree define events centered on malicious or abusive usage of network bandwidth/traffic where the intention, or the result, is inappropriate or abusive access to network resources through a denial of service attack.


Network Events: Attack Behavior - Denial / Relay - File System Denial (RPT2003-12-05.rpt; As needed)
File System Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is remote file system-related protocols (NFS, SMB, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. File System Denial events may be attempts to exploit weaknesses in remote file system services or software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities.

Network Events: Attack Behavior - Denial / Relay - File Transfer Denial (RPT2003-12-06.rpt; As needed)
File Transfer Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is application-layer file transfer-related protocols (FTP, TFTP, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. FileTransferDenial events may be attempts to exploit weaknesses in file transfer-related software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities.

Network Events: Attack Behavior - Denial / Relay - Link Control Denial (RPT2003-12-07.rpt; As needed)
Link Control Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is link level protocols (such as ARP). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. LinkControlDenial events may be attempts to exploit weaknesses in link-level control software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities.


Network Events: Attack Behavior - Denial / Relay - Mail Denial (RPT2003-12-08.rpt; As needed)
MailDenial events are a specific type of Denial event where the transport of the malicious or abusive usage is application-layer mail-related protocols (SMTP, IMAP, POP3, etc.) or services (majordomo, spam filters, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. MailDenial events may be attempts to exploit weaknesses in mail-related software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities.

Network Events: Attack Behavior - Denial / Relay - Relay (RPT2003-12-09.rpt; As needed)
Children of the Relay tree define events centered on malicious or abusive usage of network bandwidth/traffic where the intention, or the result, is relaying inappropriate or abusive access to other network resources (either internal or external). Generally, these attacks will have the perimeter or an internal host as their point of origin. When sourced from remote hosts, they may indicate a successful exploit of an internal or perimeter host.

Network Events: Attack Behavior - Denial / Relay - Remote Procedure Denial (RPT2003-12-10.rpt; As needed)
Remote Procedure Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is remote procedure-related protocols (traditional RPC, RMI, CORBA, etc.) or service (portmapper, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. RemoteProcedureDenial events may be attempts to exploit weaknesses in remote procedure services or software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities.

Network Events: Attack Behavior - Denial / Relay - Routing Denial (RPT2003-12-11.rpt; As needed)
Routing Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is routing-related protocols (RIP, IGMP, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. Routing Denial events may be attempts to exploit weaknesses in routers or routing software to gain access to a host system, attempts to exploit weaknesses in the routing software or service to enumerate or reconfigure, or other denial of service activities.


Network Events: Attack Behavior - Denial / Relay - Web Denial (RPT2003-12-12.rpt; As needed)
Web Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is application-layer web-related protocols (HTTP, HTTPS, etc.) or services (CGI, ASP, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. Web Denial events may be attempts to exploit weaknesses in web-related software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities.

Network Events: Suspicious Behavior (RPT2003-07.rpt; Weekly)
Track activity associated with suspicious network behaviors such as reconnaissance or unusual traffic. Specifically, this report shows potentially dangerous activity, such as excessive authentication failures, port scans, stack fingerprinting, and network enumerations.

Network Events: Suspicious Behavior - Application Enumerate (RPT2003-07-01.rpt; As needed)
Application Enumerate events reflect attempts to gather information about target hosts, or services on target hosts, by sending active application-layer data which will elicit responses that reveal information about the application or host. This enumeration may be a command sent to the application to attempt to fingerprint what is allowed or denied by the service, requests to the application which may enable an attacker to surmise the version and specific application running, and other information gathering tactics. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the host or application that may work correctly the first time - enabling them to modify their methodology to go on relatively undetected.


Network Events: Suspicious Behavior - Banner Grabbing Enumerate (RPT2003-07-02.rpt; As needed)
Banner Grabbing Enumerate events reflect attempts to gather information about target hosts, or services on target hosts, by sending a request which will elicit a response containing the host or service's 'banner'. This 'banner' contains information that may provide a potential attacker with such details as the exact application and version running behind a port. These details could be used to craft specific attacks against hosts or services that an attacker may know will work correctly the first time - enabling them to modify their methodology to go on relatively undetected.
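What a banner grab actually yields, shown end to end. This is an added example and not LEM code or anything from the SolarWinds documentation: it starts a throwaway loopback listener that answers with a constructed SSH identification string (the FAKE_BANNER value and its version are invented for the demo), grabs that banner the way a scanner would, and parses out the fields the report description warns about (software name, exact version, OS hint). Note that for SSH, SMTP and FTP the server speaks first, so the "request" that elicits the banner is nothing more than the TCP connect; HTTP needs an actual request line.

```python
"""Banner grabbing against a local stand-in service, and parsing what it reveals.

Added illustration only; the listener, banner string and parser are demo
assumptions, not LEM code. Everything stays on 127.0.0.1 so it runs offline.
"""
import re
import socket
import threading

# Constructed banner for the stand-in service (hypothetical version string).
FAKE_BANNER = b"SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u1\r\n"

# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments] CR LF
SSH_BANNER_RE = re.compile(
    rb"^SSH-(?P<proto>[\d.]+)-(?P<software>[^ \r\n]+)(?: (?P<comment>[^\r\n]*))?\r?\n?$"
)


def serve_banner_once(banner):
    """Listen once on an ephemeral loopback port, send `banner` to the first
    client and close. Returns the port so the client side can connect."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return port


def grab_banner(host, port, timeout=2.0, max_bytes=256):
    """Connect and read whatever the service volunteers before any request is
    sent. SSH servers speak first, so the 'probe' is just the TCP connect."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            return s.recv(max_bytes)
        except socket.timeout:
            return b""


def parse_ssh_banner(banner):
    """Split an SSH identification string into the fields an attacker cares
    about: exact software name and version, plus the OS hint in the comment.
    Returns None for anything that is not an SSH banner."""
    m = SSH_BANNER_RE.match(banner)
    if not m:
        return None
    software = m["software"].decode("ascii", "replace")
    name, _, version = software.partition("_")
    return {
        "protocol": m["proto"].decode("ascii"),
        "software": name,
        "version": version,
        "comment": (m["comment"] or b"").decode("ascii", "replace"),
    }


def local_demo():
    """Run the grab against the stand-in listener and return the parsed result."""
    port = serve_banner_once(FAKE_BANNER)
    return parse_ssh_banner(grab_banner("127.0.0.1", port))


if __name__ == "__main__":
    print(local_demo())
```

The defensive takeaway is the parsed dictionary: a single connect with no credentials and no exploit returns the product and patch level, which is exactly the input an attacker needs to pick a working exploit on the first try. Reducing what the banner says (where the protocol allows it) and alerting on connects that read a banner and immediately disconnect are the two usual responses.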

Network Events: Suspicious Behavior - Core Scan (RPT2003-07-03.rpt; As needed)
Core Scan events reflect attempts to gather information about target networks, or specific target hosts, by sending scans over core network protocols (TCP, IP, ICMP, UDP) which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, information such as a list of applications listening on ports, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts.

Network Events: Suspicious Behavior - Enumerate (RPT2003-07-04.rpt; As needed)
Enumerate events reflect attempts to gather information about target networks, or specific target hosts, by sending active data which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the enumeration is generally attempting to acquire information that may reveal more than normal traffic to the target would.

Network Events: Suspicious Behavior - Footprint (RPT2003-07-05.rpt; As needed)
Footprint events reflect attempts to gather information about target networks by tracing the network through routers, clients, servers, or other network infrastructure devices. The originating source of the footprint is generally attempting to acquire information that may reveal more about network behavior than normal traffic to the target would.


Network Events: Suspicious Behavior - General Security (RPT2003-07-17.rpt; As needed)
General Security events are generated when a supported product outputs data that has not yet been normalized into a specific event, but is known to be security issue-related.

Network Events: Suspicious Behavior - Host Scan (RPT2003-07-06.rpt; As needed)
Host Scan events reflect attempts to gather information about specific target hosts by sending scans which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as a list of applications on the host, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts. These scans generally do not occur across entire networks and generally have the intent of discovering operating system and application information which may be used for further attack preparation.

Network Events: Suspicious Behavior - ICMP Query (RPT2003-07-07.rpt; As needed)
ICMP Query events reflect attempts to gather information about specific target hosts, or networks, by sending ICMP-based queries that will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as operating system information and other information that a probe may discover without enumeration of the specific services or performing attack attempts. These scans generally do not occur across entire networks, contain many sequential ICMP packets, and generally have the intent of discovering operating system and application information which may be used for further attack preparation.


Network Events: Suspicious Behavior - MS Network Enumerate (RPT2003-07-08.rpt; As needed)
MS Networking Enumerate events reflect attempts to gather information about target hosts, or services on target hosts, by sending active data to Microsoft networking services (using protocols such as NetBIOS and SMB/CIFS) that will elicit responses that reveal information about the application, host, or target network. This enumeration may be a simple command sent to the networking service to attempt to fingerprint what is allowed or denied by a service, requests to a service that may enable an attacker to surmise the version and specific service running, requests to a service that may enable an attacker to fingerprint the target network, and other information gathering tactics. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the networking service, host, or application that may work correctly the first time - enabling them to modify their methodology to go on relatively undetected.

Network Events: Suspicious Behavior - Network Suspicious (RPT2003-07-09.rpt; As needed)
Members of the NetworkSuspicious tree are used to define events regarding suspicious usage of network bandwidth/traffic. These events include unusual traffic and reconnaissance behavior detected on network resources.

Network Events: Suspicious Behavior - Port Scan (RPT2003-07-10.rpt; As needed)
Port Scan events reflect attempts to gather information about target networks, or specific target hosts, by sending scans over core network protocols (TCP, IP, ICMP, UDP) that will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as a list of applications listening on ports, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts. Port Scans specifically operate by sending probes to every port within a range, attempting to identify open ports that may use applications or services that are easy to enumerate and attack.
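The two headline behaviors of the Suspicious Behavior report, port scans and excessive authentication failures, reduce to the same shape of detection: one source doing many things in a short window. The following is an added example of that logic and is not LEM's normalization or report code. The firewall and sshd line formats, the thresholds (8 distinct ports in 60 seconds; 5 failed logins in 5 minutes) and the sample log lines are all constructed for the demo; the addresses are documentation ranges, not real hosts. The scan detector counts distinct destination ports per source regardless of whether the firewall allowed or denied the packet, because a scan is defined by breadth of probing rather than by the verdict.

```python
"""Flag port scans and excessive authentication failures in raw log lines.

Added illustration only; the parsing rules, thresholds and log formats below are
assumptions for the demo and are not LEM's own normalization or report logic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line formats (hypothetical firewall and sshd syslog styles used for this demo).
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+ ssh2$"
)

# Constructed sample input: one scanner, one ordinary web client, one brute-forcer, one typo.
SAMPLE_LOGS = """\
2017-10-19T10:00:00 fw1 DENY TCP 203.0.113.5:44121 -> 192.0.2.10:21
2017-10-19T10:00:00 fw1 DENY TCP 203.0.113.5:44122 -> 192.0.2.10:22
2017-10-19T10:00:01 fw1 DENY TCP 203.0.113.5:44123 -> 192.0.2.10:23
2017-10-19T10:00:01 fw1 DENY TCP 203.0.113.5:44124 -> 192.0.2.10:25
2017-10-19T10:00:02 fw1 ALLOW TCP 203.0.113.5:44125 -> 192.0.2.10:80
2017-10-19T10:00:02 fw1 DENY TCP 203.0.113.5:44126 -> 192.0.2.10:110
2017-10-19T10:00:03 fw1 DENY TCP 203.0.113.5:44127 -> 192.0.2.10:143
2017-10-19T10:00:03 fw1 ALLOW TCP 203.0.113.5:44128 -> 192.0.2.10:443
2017-10-19T10:00:04 fw1 DENY TCP 203.0.113.5:44129 -> 192.0.2.10:445
2017-10-19T10:00:04 fw1 DENY TCP 203.0.113.5:44130 -> 192.0.2.10:3389
2017-10-19T10:00:05 fw1 ALLOW TCP 198.51.100.7:51000 -> 192.0.2.10:80
2017-10-19T10:00:06 fw1 ALLOW TCP 198.51.100.7:51001 -> 192.0.2.10:443
2017-10-19T10:00:07 fw1 ALLOW TCP 198.51.100.7:51002 -> 192.0.2.10:80
2017-10-19T10:00:10 srv1 sshd[2201]: Failed password for root from 203.0.113.9 port 40001 ssh2
2017-10-19T10:00:12 srv1 sshd[2201]: Failed password for root from 203.0.113.9 port 40002 ssh2
2017-10-19T10:00:14 srv1 sshd[2203]: Failed password for invalid user admin from 203.0.113.9 port 40003 ssh2
2017-10-19T10:00:16 srv1 sshd[2205]: Failed password for invalid user oracle from 203.0.113.9 port 40004 ssh2
2017-10-19T10:00:18 srv1 sshd[2207]: Failed password for root from 203.0.113.9 port 40005 ssh2
2017-10-19T10:00:20 srv1 sshd[2209]: Failed password for root from 203.0.113.9 port 40006 ssh2
2017-10-19T10:00:30 srv1 sshd[2211]: Failed password for alice from 198.51.100.8 port 50100 ssh2
2017-10-19T10:00:45 srv1 sshd[2213]: Failed password for alice from 198.51.100.8 port 50101 ssh2
"""


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def detect_port_scans(lines, window=timedelta(seconds=60), min_ports=8):
    """Return {src_ip: {ports}} for sources that touched >= min_ports distinct
    destination ports within any window-long span. ALLOW and DENY both count."""
    hits = defaultdict(list)
    for line in lines:
        m = FW_RE.match(line)
        if m:
            hits[m["src"]].append((_ts(m["ts"]), int(m["dport"])))
    scans = {}
    for src, events in hits.items():
        events.sort()
        recent = deque()
        for ts, port in events:
            recent.append((ts, port))
            while ts - recent[0][0] > window:  # drop hits that fell out of the window
                recent.popleft()
            ports = {p for _, p in recent}
            if len(ports) >= min_ports and len(ports) > len(scans.get(src, ())):
                scans[src] = ports  # remember the widest port set seen for this source
    return scans


def detect_auth_failures(lines, window=timedelta(seconds=300), min_failures=5):
    """Return {src_ip: peak_failures} for sources with >= min_failures failed
    logins inside any window-long span; successes are not needed to flag."""
    fails = defaultdict(list)
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            fails[m["src"]].append(_ts(m["ts"]))
    flagged = {}
    for src, times in fails.items():
        times.sort()
        recent = deque()
        for ts in times:
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= min_failures and len(recent) > flagged.get(src, 0):
                flagged[src] = len(recent)
    return flagged


def analyze(lines):
    """Run both detectors over an iterable of raw log lines."""
    return {"port_scans": detect_port_scans(lines),
            "auth_failures": detect_auth_failures(lines)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOGS.splitlines()))
```

The sliding window is the part worth copying: a plain per-source counter over a whole day would flag a vulnerability scanner that legitimately touches a few ports an hour, while the windowed version keys on the burst that characterizes a scan. The thresholds are tuning knobs; authorized scanners and monitoring hosts should be whitelisted by source before the counts are applied, which is what the report description means by reconnaissance being acceptable "only as a controlled behavior in small quantities".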


Network Events: Suspicious Behavior - Recon (RPT2003-07-11.rpt; As needed)
Children of the Recon tree reflect suspicious network behavior with intent of gathering information about target clients, networks, or hosts. Reconnaissance behavior may be valid behavior on a network, however, only as a controlled behavior in small quantities. Invalid reconnaissance behavior may reflect attempts to determine security flaws on remote hosts, missing access control policies that allow external hosts to penetrate networks, or other suspicious behavior that results in general information gathering without actively attacking.

Network Events: Suspicious Behavior - Remote Procedure Enumerate (RPT2003-07-12.rpt; As needed)
Remote Procedure Enumerate events reflect attempts to gather information about target hosts, or services on target hosts, by sending active data to Remote Procedure services (using protocols such as RMI, CORBA, and traditional RPC) that will elicit responses that reveal information about the application or host. This enumeration may be a simple command sent to the remote procedure service to attempt to fingerprint what is allowed or denied by the service, requests to the remote procedure service that may enable an attacker to surmise the version and specific service running, and other information gathering tactics. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the remote procedure service or application that may work correctly the first time - enabling them to modify their methodology to go on relatively undetected.

Network Events: Suspicious Behavior - Scan (RPT2003-07-13.rpt; As needed)
Scan events reflect attempts to gather information about target networks, or specific target hosts, by sending scans which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, information such as a list of applications listening on ports, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts.


Network Events: Suspicious Behavior - Stack Fingerprint (RPT2003-07-14.rpt; As needed)
Stack Fingerprint events reflect attempts to gather information about specific target hosts by sending a certain set of packets to probe a device's network stack, which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as operating system information (including type and version) and other information that a probe may discover without enumeration of the specific services or performing attack attempts. These scans generally do not occur across entire networks and generally have the intent of discovering operating system information which may be used for further attack preparation.

Network Events: Suspicious Behavior - Trojan Scanner (RPT2003-07-15.rpt; As needed)
Trojan Scanner events reflect attempts of Trojans on the network to gather information about target networks, or specific target hosts, by sending scans which will elicit responses that reveal information about the host. The originating Trojan source of the scan is generally attempting to acquire information that will reveal whether a target host or network has open and available services for further exploitation, whether the target host or network is alive, and how much of the target network is visible. A Trojan may run a scan before attempting an attack operation to test potential effectiveness or targeting information.

Network Events: Suspicious Behavior - Unusual Traffic (RPT2003-07-16.rpt; As needed)
Unusual Traffic events reflect suspicious behavior on network devices where the traffic may have no known exploit, but is unusual and could be potential enumerations, probes, fingerprints, attempts to confuse devices, or other abnormal traffic. Unusual Traffic may have no impending response, however, it could reflect a suspicious host that should be monitored closely.

Priority Event (reference) (RPT2003-16.rpt; As needed)
This report is no longer in use. The Priority Event report tracks those events that the user has identified as a priority event. These events appear in the Priority filter of the Console.


Priority Event By User (reference) (RPT2003-17.rpt; As needed)
This report is no longer in use. This report mirrors the standard Priority Event report but groups the events received by Console User account. The same event may be seen by many users, so this report tends to be much larger than the standard Priority Event report.

Rule Subscriptions by User (RPT2006-28-01.rpt; Daily)
The Rule Subscriptions report tracks those events that the user has subscribed to monitor.

SolarWinds Actions (RPT2003-18.rpt; As needed)
The SolarWinds Action Report lists all commands or actions initiated by SolarWinds Network Security.

Support reports included with LEM


Support Reports are diagnostic tools used by SolarWinds Customer Support. Only run these reports at the
request of SolarWinds. The reports are listed alphabetically by title.

Each entry gives the report title, then the file name and schedule in parentheses, followed by the description.

Agent Connection Status (RPT2009-33-1.rpt; As requested)
This report is a diagnostic tool used by Customer Support, and generally run only at their request. This report tracks internal Agent online and offline events.

Agent Connection Status by Agent (RPT2009-33-2.rpt; As requested)
This report is a diagnostic tool used by Customer Support, and generally run only at their request. This report tracks internal Agent online and offline events grouped by Agent.

Agent Connection Summary (RPT2009-33.rpt; As requested)
This report is a diagnostic tool used by Customer Support, and generally run only at their request. This report shows high level summary information for when Agents go online and offline.

Audit - Internal Audit Report (RPT2006-31-01.rpt; As requested)
Audit - Internal Audit Report


Audit - Internal Audit Report by User (RPT2006-31-02.rpt; As requested)
Internal Audit Report grouped by User

Agent Maintenance Report (RPT2007-32.rpt; As requested)
This report is a diagnostic tool used by Customer Support, and generally run only at their request. This report displays internal event data for possible misconfigured Agents.

Database Maintenance Report (RPT2006-26.rpt; As requested)
This report is a diagnostic tool used by Customer Support, and generally run only at their request.

List of Rules for Rule Subscriptions (RPT2006-29-02.rpt; As needed)
This report lists available rules for the Rule Subscriptions.

List of Subscription Rules by User (RPT2006-29-03.rpt; As needed)
This report lists the rules that users have subscribed to.

List of Users (RPT2006-29-01.rpt; As needed)
This report lists each user entered. Currently, the users are only used for Rule Subscriptions.

Tool Maintenance by Alias (RPT2003-14.rpt; As needed)
This report is a diagnostic tool used by Customer Support, and generally run only at their request. List of New Tool Data events based on Tool Alias.

Tool Maintenance by Insertion Point (RPT2003-15.rpt; As needed)
This report is a diagnostic tool used by Customer Support, and generally run only at their request. List of New Tool Data events based on Agent InsertionIP.

Tool Maintenance by Provider (RPT2003-13.rpt; As needed)
This report is a diagnostic tool used by Customer Support, and generally run only at their request. List of New Tool Data events based on ProviderSID.

Tool Maintenance Detail Report (RPT2003-14.rpt; As requested)
This report is a diagnostic tool used by Customer Support, and generally run only at their request. The report displays a summary of all SolarWinds error messages received from various tools.


Tool Maintenance Report (RPT2003-13.rpt; As requested)
This report is a diagnostic tool used by Customer Support, and generally run only at their request. The report displays a summary of unique SolarWinds error messages received from various tools.


The LEM command-line interface: Using the CMC


In this chapter:

• About the CMC command line 479
• LEM CMC main menu 480
• LEM CMC appliance menu 481
• LEM CMC manager menu 484
• LEM CMC nDepth menu 487
• LEM CMC service menu 488

About the CMC command line
The CMC provides a command-line interface (CLI) for performing routine administrative tasks on a LEM VM.

See "Log in to the LEM CMC command line interface" on page 34 for login steps and information
about credentials and SSH access restrictions.

Use CMC commands for tasks such as:

• Upgrading the Manager software
• Manually applying connector updates
• Deploying new connector infrastructure to the Managers and Agents
• Rebooting or shutting down the network appliance
• Configuring trusted reporting hosts
• Configuring supplemental services on the Manager appliance
• Controlling your nDepth appliance

Special characters allowed in CMC commands and passwords


The following table lists the special characters you can use in your CMC commands and passwords.

CHARACTER           EXAMPLE
Capital letters     ABCDEFGHIJKLMNOPQRSTUVWXYZ
Lower-case letters  abcdefghijklmnopqrstuvwxyz
Numerals            0123456789
Symbols             _ ` ~ ! @ # $ % ^ & * ( ) - = + ' [ { ] } \ | ; : a " A , 1 < . > / ?
White spaces        command1 command2 command3


LEM CMC main menu


The CMC main menu opens when you log in to the CMC command-line interface.

See "About the CMC command line " on the previous page for information about using the CMC
command line.

Top-Level CMC commands


Commands are listed in order of appearance.

COMMAND DESCRIPTION
appliance Displays the appliance menu to run network and system commands on the LEM
VM. You can activate the VM, configure network parameters, and change the CMC
password. See "LEM CMC appliance menu" on the facing page for more
information.

manager Displays the manager menu where you can run upgrade and debug commands
on the LEM Manager. You can install a LEM hotfix, start and stop the LEM Manager
service, and import a certificate used for desktop console communication. See
"LEM CMC manager menu" on page 484 for more information.

service Displays the service menu to run restrictions, SSH, and Snort commands. You
can start and stop the SSH Service, copy Snort rules to a network share, and
restrict access to the reports application by IP address or host name. See "LEM
CMC service menu" on page 488 for more information.

ndepth Displays the ndepth menu to run nDepth configuration and maintenance
commands. You can set your log message archive and backup share settings,
restart the Log Message search or storage service, and start and stop the Log
Message search and storage services. See "LEM CMC nDepth menu" on page 487
for more information.

upgrade Installs the LEM upgrade package that you will use to upgrade your LEM VM.

admin Opens the admin command-line interface in the Lynx text browser.

import Imports a keytab file from Active Directory into LEM. This file is required to
configure LEM for Active Directory single sign-on. See "Set up single sign-on (SSO)
in LEM" on page 119 for details.

help Displays the Help menu.

exit Exits the CMC management console.

LEM CMC appliance menu
The cmc::appliance> menu includes commands for managing network and system settings.

See "About the CMC command line " on page 479 for information about using the CMC command
line.

Type the appliance command at the main menu to open the cmc::appliance> prompt. Commands
available from the appliance menu are listed in the following table in alphabetical order.

A ✓ in the "Restart Required" column indicates that a command requires an automatic restart of the LEM
Manager service. See "Starting and Stopping LEM components" on page 48 for help.

COMMAND DESCRIPTION RESTART REQUIRED
activate Configures essential LEM features. This command should be run after you install the LEM license. See "Run the activate command to secure LEM and configure network settings" on page 39 for documentation.

checklogs Shows the contents of the LEM log files from sources such as
syslog and SNMP.

clearsyslog Removes all rotated and compressed local files.

cleantemp Removes temporary files LEM created during normal operation.


Run this command to recover used disk space, or at the
suggestion of SolarWinds Support.

dateconfig Sets/shows the LEM VM's date and time.

dbdiskconfig Configures the database retention setting (that is, the ü


percentage of free space for the database). This command
requires an automatic restart of the LEM Manager service.

diskusage Checks disk usage consumed by the LEM Manager and several
other internal components (such as the database or log files),
and provides a summary. This information is included when
you send SolarWinds Support information using the support
command.

diskusageconfig Sets the LEM Manager disk usage limit by the percentage of
unavailable disk space or the amount of free disk space.

page 481
ADMINISTRATOR GUIDE: LOG & EVENT MANAGER

RESTART
COMMAND DESCRIPTION
REQUIRED
editbanner Edits the SSH login banner.

exit Exits the appliance menu and returns to the main menu.

exportsyslog Exports the system logs.

hostname Changes the hostname of the LEM VM.

import Imports the SIM or LEM backup to the LEM.

limitsyslog Interrogates and/or changes the number of rotated log files to


be kept.

multimanagerconfig Enables or disables the multimanager.

If you enable multimanager, some security scanners


may generate cross-domain security warnings about
LEM. If this feature is not required, keep it disabled.

setlogrotate Sets the syslog rotation frequency to either hourly or daily.

netconfig Configures network settings for the LEM VM, such as the IP
address, subnet mask, and DNS server(s).

ntpconfig Configures the Network Time Protocol (NTP) service on the LEM
VM for synchronization with a time server.

password Changes the CMC user password.

ping Pings other IP addresses or host names from the LEM VM to


verify network connectivity.

reboot Reboots the LEM VM.

resetsystemmac Resets the MAC address of the LEM VM.

shutdown Shuts down the LEM VM.

top Displays and monitors CPU and memory usage, as well as per
process information for the Manager Network Appliance.

tzconfig Configure the LEM VM's time zone information.

viewnetconfig Displays the LEM VM's network settings, such as the IP address,
subnet mask, and DNS server(s).

page 482
RESTART
COMMAND DESCRIPTION
REQUIRED
exit Exits the appliance menu and returns to the main menu.


LEM CMC manager menu

The cmc::manager> menu includes commands for upgrading and debugging LEM.

See "About the CMC command line " on page 479 for information about using the CMC command
line.

Type the manager command at the main menu to open the cmc::manager> prompt. Commands
available from the manager menu are listed in the following table in alphabetical order. A ✓ in the
"Restart Required" column indicates that a command requires an automatic restart of the LEM Manager
service. See "Starting and Stopping LEM components" on page 48 for help.

COMMAND   DESCRIPTION   RESTART REQUIRED

actortoolupgrade   Upgrades the LEM Manager's Actor Tools from CD or floppy disk.   ✓

archiveconfig   Configures the LEM Manager appliance database archives to a remote file share on a daily, weekly, or monthly schedule.

backupconfig   Configures the LEM Manager appliance software and configuration backups to a remote file share on a daily, weekly, or monthly schedule.

cleanagentconfig   Reconfigures the Agent on the current LEM Manager instance to connect to a new LEM Manager.

configurendepth   Configures the LEM Manager to use an nDepth server.

confselfsignedcert   Configures the LEM VM to use a self-signed certificate.

dbrestart   Restarts the database.

debug   Sends debugging information from the LEM Manager to any given email address. The email message contains a collection of data that can be useful in diagnosing problems.

disabletls   Disables TLS for the database connections.

enabletls   Enables TLS for the database connections.

exit   Exits the manager menu and returns to the main menu.

exportcert   Exports the CA certificate so that you can import it into a computer running the LEM console or the LEM reports application.

exportcertrequest   Exports the LEM Manager certificate (along with its public and private key) so that your certificate authority (CA) can sign it using PKI tools.

hotfix   Installs a LEM hotfix.

importcert   Imports a certificate signed by any certificate authority (CA). A certificate is required to encrypt communication with the LEM console or the LEM reports application.   ✓

importl4ca   Imports the CA of the other node in an L4 configuration.   ✓

licenseupgrade   Upgrades your LEM Manager license.   ✓

logbackupconfig   Configures the Manager appliance remote log backups to a remote file share on a daily, weekly, or monthly schedule.

resetadmin   Resets the admin password to password. This command does not affect other users on the system, and all settings are preserved.   ✓

restart   Restarts the LEM Manager service. This takes the Manager offline for 1–3 minutes.   ✓

sensortoolupgrade   Upgrades the LEM Manager's Sensor Tools from the command line. See for details.

showlog   Allows you to page through the LEM Manager's log file.

showmanagermem   Displays the LEM Manager's configured memory utilization settings.

start   Starts the LEM Manager service. If the Manager is already started, nothing happens.

stop   Stops the LEM Manager service. This makes the Manager inactive until it is started again.   ✓

support   Sends debugging information via email to support@SolarWinds.com. This command prompts you for your name and email address. It then sends SolarWinds a collection of data that can be useful in diagnosing problems.

togglehttp   Enables or disables HTTP on port 80.   ✓

viewsysinfo   Displays appliance settings and other information that is useful for support and troubleshooting.

watchlog   Displays the last 20 lines of the current LEM Manager log file and monitors the log for further updates. Any new log entries appear as they are written to the log.

LEM CMC nDepth menu
The cmc::ndepth> menu includes commands for managing one or more nDepth VMs or appliances.

See "About the CMC command line " on page 479 for information about using the CMC command
line.

Type the ndepth command at the main menu to open the cmc::ndepth> prompt. Commands available
from the ndepth menu are listed in the following table in alphabetical order. A ✓ in the "Restart Required"
column indicates that a command requires an automatic restart of the LEM Manager service. See "Starting
and Stopping LEM components" on page 48 for help.

COMMAND   DESCRIPTION   RESTART REQUIRED

exit   Exits the nDepth menu and returns to the main menu.

logmarchiveconfig   Sets the Log Message archive share settings.

logmbackupconfig   Sets the Log Message backup share settings.

restart   Restarts the Log Message search/storage service.   ✓

start   Starts the Log Message search/storage service.

stop   Stops the Log Message search/storage service.


LEM CMC service menu


The cmc::service> menu includes commands for managing restrictions, SSH access, and Snort.

See "About the CMC command line " on page 479 for information about using the CMC command
line.

Type the service command at the main menu to open the cmc::service> prompt. Commands
available from the service menu are listed in the following table in alphabetical order. A ✓ in the "Restart
Required" column indicates that a command requires an automatic restart of the LEM Manager service.
See "Starting and Stopping LEM components" on page 48 for help.

COMMAND   DESCRIPTION   RESTART REQUIRED

copysnortrules   Copies the existing Snort rules from the current LEM Manager instance onto a disk or network file share. This allows you to retrieve the Snort rules from the LEM Manager's hard drive and make any rule updates or modifications. This requires a formatted disk or a network file share.

disableflow   Disables the Flow Collection Service on the appliance (and in the SolarWinds Explorer).

enableflow   Enables the Flow Collection Service on the appliance (and in the SolarWinds Explorer).   ✓

exit   Exits the service menu and returns to the main menu.

help   Displays a brief description of each command within the service menu.

loadsnortbackup   Loads the "factory default" Snort rules on the LEM Manager. This allows you to revert to the Snort rules' original default settings in case of an error. This command overwrites any changes that were made to the main set of rules with the original rules that were installed with the SolarWinds system.

loadsnortrules   Loads Snort rules from a disk or a network file share onto the LEM Manager. This allows you to update the Snort rules on the Manager. The disk must be in the same format (that is, use the same names and directories) that the copysnortrules command uses to issue the original rules; otherwise the rules will not be updated.

restartsnort   Restarts the Snort service.

restartssh   Restarts the SSH service. If the SSH service is running, this command stops and then restarts the service.

restrictconsole   Restricts access to the LEM console to only certain IP addresses or hostnames. This command prompts you to provide the IP addresses or hostnames that should be allowed access. Once the restriction is in place, only the listed IP addresses or hostnames can connect to the LEM console. Also see unrestrictconsole.

restrictreports   Restricts access to reports to only certain IP addresses or hostnames. This command prompts you to provide the IP addresses or hostnames that should be allowed access. Once the restriction is in place, only the listed IP addresses or hostnames can create and view reports. Also see unrestrictreports.

restrictssh   Restricts the SSH service to only certain IP addresses. This command prompts you to provide the IP addresses that should be allowed access. Once the restriction is in place, only the listed IP address and user combinations can connect to the LEM Manager using the SSH service. Also see unrestrictssh.

snmp   Configures the SNMP services.
  • See "Enable LEM to receive SNMP traps by turning on the SNMP Trap Logging Service" on page 61 to configure LEM to receive SNMP traps.
  • See "Monitor LEM from NPM and the Orion Web Console using SNMP" on page 96 to configure LEM and NPM to monitor LEM's CPU, memory, and other critical components.

startssh   Starts the SSH service.

stopopsec   Terminates any connections from the LEM Manager VM to Check Point® Open Platform for Security (OPSEC) hosts.

stopssh   Stops the SSH service. If you issue this command, you can only access the LEM Manager with a keyboard and monitor until you issue a reboot command. To restrict access to the SSH service (beyond the user name and password requirements), see the restrictssh command.

unrestrictconsole   Removes access restrictions placed on the LEM console. The only remaining protection is the user name and password combination. This command removes all other restrictions and allows system users with a user name and password to connect to the console.

unrestrictreports   Removes access restrictions placed on the LEM reports application. The only remaining protection is the user name and password combination. This command removes all other restrictions and allows anyone who has either the reports application or any alternative database connection software installed to create and view reports and browse the database, provided that they have a valid user name and password.

unrestrictssh   Removes access restrictions placed on the SSH service. The only remaining protection is the user name and password combination.

LEM console help
This section documents the screens that make up the LEM web console and desktop console.

In this section:

 • About the LEM console 492
 • Ops Center view in the LEM console 497
 • Monitor view in the LEM console 503
 • Explore view in the LEM console 521
 • Build view in the LEM console 549
 • Manage view in the LEM console 573

About the LEM console


Use the console to manage and monitor LEM. This documentation topic applies to both the desktop
console and the web console.

In this section:

 • Console Views 492
 • Grids 493
 • LEM console grid column and data field descriptions 494

To open the LEM console, see "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.

The LEM console displays normalized information about the events on your monitored devices in real time.
The items in this section address how to use the LEM console to view, respond to, and search for these
events on a day-to-day basis. Unless otherwise stated, the functionality described in this section is
identical between the web and desktop consoles.

For a video tour of the LEM console, see
http://video.solarwinds.com/watch/HqqCayj4P5HMMRf5fn2jFW.

Console Views
The console is organized into functional areas called views. These views organize and present different
information about the components that comprise the LEM system.

The views are located in the toolbar. You can access six top-level views in the console.

 • Ops Center provides a graphical representation of your log data. It includes several widgets that
   help you identify problem areas and show trends in your network. You can select additional
   widgets from the widget library or add custom widgets that reflect your log activity.
 • Monitor displays events in real time as they occur in your network. You can view the details of a
   specific event or focus on specific types of events. This view also includes several widgets to help
   you identify trends or anomalies that occur in your network.
 • Explore provides tools for investigating events and related details.
     • Select nDepth to search or view event data or log messages.
     • Select Utilities to view additional utilities, such as Whois and NSlookup.
 • Build creates user components that process data on the LEM Manager.
     • Select Groups to build and manage groups.
     • Select Rules to build and manage policy rules.
     • Select Users to add and manage console users.
 • Manage manages properties for appliances and nodes.
     • Select Appliances to add and manage appliances.
     • Select Nodes to add and manage Agents.
 • Analyze is a placeholder for future improvements.

Grids
Grids are used throughout the console. Using Grids, you can perform common tasks such as selecting rows
and grid cells, resizing grid columns, rearranging grid columns, and sorting a grid by columns.

Rearrange grid columns

Rearrange the grid column order to meet your needs. The columns remain in your set order until you exit
the console. When you reopen the console, the columns return to their default order.

To rearrange a grid column, click and drag the column header to a new position.

Sort a grid by columns

Sort grid data in each view by clicking the column headers. Each column can be sorted in ascending or
descending order.

To sort a grid by one column, click the selected column header. The ▲ indicates sorting in ascending order
(from A to Z). The ▼ indicates sorting in descending order (from Z to A).

In the Monitor view, you can sort a grid by multiple columns by pressing the Ctrl key and clicking each
column header. The sorting order number is displayed next to ▲ or ▼ in each selected column.

Before you sort the Monitor view event grid, click Pause to stop the incoming event traffic. Click Resume to
start the incoming event traffic.


LEM console grid column and data field descriptions


The following table explains the meaning of each grid column or data field that can appear in various alert
grids, event grids, and information panes throughout the Console. The actual columns and fields that are
shown vary according to the alert, view, or grid you are working with. But the meaning of these fields
remains the same, regardless of where you see them.

For convenience, the fields are listed in alphabetical order.

GRID COLUMN OR FIELD   DESCRIPTION

ConnectionName   The name of the dial-up or VPN connection.

ConnectionStatus   The current status of the dial-up or VPN connection.

ConnectorAlias   The alias name entered when configuring the connector on the Manager or Agent.

ConnectorId   The actual connector that generated the log message.

ConnectorType   The connector category for the connector that generated the log message.

DestinationMachine   The destination IP address of the network traffic.

DestinationPort   The destination port number of the network traffic.

DetectionIP   The source network node for the alert data. This is usually a Manager or an Agent and is the same as the InsertionIP field. It can also be a network device, such as a firewall or an intrusion detection system, that sends log files over a remote logging protocol.

DetectionTime   The time the network node generated the data. This is usually the same as the InsertionTime field, but they can differ when the Agent or Manager is reading historical data, or if a network device has an incorrect time setting.

EventInfo   A short summary of the alert details. Additional details appear in the following fields, but EventInfo provides enough information to view a "snapshot" of the alert information.

EventName   The name of the event.

ExtraneousInfo   Additional information relevant to the alert, but not reflected in other fields. This can include information useful for correlating or summarizing alert information in addition to the EventInfo field.

Host   The node the log message came from (the LEM or Agent that collected the message for forwarding to nDepth).

HostFromData   The originating network device (if different from the node) that the message came from. Normally, Host and HostFromData are the same, but in the case of a remote logging device (such as a firewall) this field reports the original remote device's address.

InferenceRule   The name of the correlation rule that caused this alert. The InferenceRule field is generally blank, but in cases where the alert was related to a rule, it displays the rule name.

InsertionIP   The Manager or Agent that first created the alert. This is the source that first read the log data from a file or other source.

InsertionTime   The time the Manager or Agent first created the alert. This time indicates when the data was read from a log file or other source.

IPAddress   The IP address associated with the alert. This is a composite field, drawn from several different alert fields. It shows all the IP addresses that appear in alert data.

Manager   The name of the Manager that received the alert. For data generated from an Agent, this is the Manager the Agent is connected to.

Order   In the Event explorer's event grid, the Order field shows an icon indicating when each event occurred relative to the central event shown in the event map: before it, during it (as part of it), or after it.

Protocol   The protocol associated with this alert (TCP or UDP).

ProviderSID   A unique identifier for the original data. Generally, the ProviderSID field includes information that can be used to research the alert in the originating network device vendor's documentation.

SourceMachine   The IP address the network traffic is coming from.

SourcePort   The port number the network traffic is coming from.

Username   The user name associated with the alert. This is a composite field, drawn from several different alert fields. It shows all the places that user names appear in alert data.
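The DetectionTime/InsertionTime and Host/HostFromData relationships described above, worked through on constructed sample events as an added example (not part of the LEM guide or product). The five-minute tolerance, the hostnames and the timestamps are assumptions.

```python
"""Checks on LEM normalized-event time and host fields.

Added example, not LEM code. It applies the field semantics from the table
above (DetectionTime vs InsertionTime, Host vs HostFromData) to constructed
sample events, flagging the two situations the field descriptions say make
the timestamps differ: a remote logging device with a wrong clock, and an
Agent or Manager reading historical data. Tolerance, hostnames and
timestamps are assumptions.
"""
from datetime import datetime, timedelta

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample events shaped like the grid columns (not real log data).
SAMPLE_EVENTS = [
    # Agent-collected event; both clocks agree within a second.
    {"EventName": "UserLogon", "DetectionIP": "10.0.0.5", "InsertionIP": "10.0.0.5",
     "DetectionTime": "2017-10-19 10:00:01", "InsertionTime": "2017-10-19 10:00:02",
     "Host": "agent01", "HostFromData": "agent01"},
    # Firewall syslog relayed through the Manager: Host differs from HostFromData,
    # and the firewall's own clock is half an hour behind.
    {"EventName": "TCPTrafficAudit", "DetectionIP": "192.168.1.1", "InsertionIP": "10.0.0.1",
     "DetectionTime": "2017-10-19 09:30:00", "InsertionTime": "2017-10-19 10:00:03",
     "Host": "lem-manager", "HostFromData": "192.168.1.1"},
    # Agent replaying yesterday's log file: a large but expected gap.
    {"EventName": "FileAudit", "DetectionIP": "10.0.0.7", "InsertionIP": "10.0.0.7",
     "DetectionTime": "2017-10-18 08:00:00", "InsertionTime": "2017-10-19 10:00:04",
     "Host": "agent02", "HostFromData": "agent02"},
    # Source timestamp later than the time it was read: only a wrong clock does that.
    {"EventName": "ServiceStart", "DetectionIP": "10.0.0.8", "InsertionIP": "10.0.0.8",
     "DetectionTime": "2017-10-19 10:20:00", "InsertionTime": "2017-10-19 10:00:05",
     "Host": "agent03", "HostFromData": "agent03"},
]


def time_skew(event):
    """InsertionTime minus DetectionTime.

    Positive: the source stamped the record before the collector read it
    (normal, or historical data). Negative: the source clock runs ahead.
    """
    detected = datetime.strptime(event["DetectionTime"], TIME_FORMAT)
    inserted = datetime.strptime(event["InsertionTime"], TIME_FORMAT)
    return inserted - detected


def is_remote_logging_device(event):
    """True when the message originated on a device other than the node that collected it."""
    return event["Host"] != event["HostFromData"]


def classify(event, tolerance=timedelta(minutes=5)):
    """Label one event's timestamp relationship."""
    skew = time_skew(event)
    if abs(skew) <= tolerance:
        return "ok"
    if skew < timedelta(0):
        return "source-clock-ahead"
    if is_remote_logging_device(event):
        # DetectionTime came from the remote device's clock; a large lag points
        # at its time setting rather than at the collector.
        return "remote-device-time-mismatch"
    # Same node detected and inserted: it read older (historical) data.
    return "historical-replay"


def audit(events, tolerance=timedelta(minutes=5)):
    """Map EventName to its classification for a batch of events."""
    return {event["EventName"]: classify(event, tolerance) for event in events}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_EVENTS).items():
        print(f"{name:<16} {verdict}")
```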

Ops Center view in the LEM console
In this section:

 • The Ops Center view 497
 • The Widget Manager and Widget Builder 499

The Ops Center view

In this topic:

 • The User Details widgets 498
 • The Node Details widgets 499

Choose Ops Center in the LEM console to open the Ops Center view. Use this view to monitor network and
system events using widgets. Widgets provide special dashboard functionality, such as displaying real-
time information, or providing tools for investigating events and related details.

This topic provides page-level help for the Ops Center view in the LEM console.

See also: "LEM widgets and the Ops Center: Visually monitor network events in LEM" on page 255

This screen capture shows the Ops Center view in the LEM console:

The following table describes the default UI elements on the Ops Center view page:

NAME   DESCRIPTION

Widget Manager   Opens and closes the Widget Manager. The Widget Manager includes the Categories and Widgets panes.

Getting Started   Tips and shortcuts to get you started configuring and exploring LEM.

Node Health   A status view of each device monitored by LEM.

thwack Community & Support   Access to useful information from the thwack community.

Top 10 Events   Displays the top 10 events in the selected time range.

Help   Links to different resources to help you learn more about LEM.

What's New in LEM   A list of items added or improved in this version.

Events per Minute   Displays the total count of events per minute for the past 15 minutes.

Custom Widget   Displays an example of what you can create on a custom widget.

Top 10 Nodes by # of Events   Displays the top 10 most active nodes (by number of events).

Top 10 Users by # of Events   Displays the top 10 users with the most events in the selected time range.

Network Events by Source Machine   Displays the top 10 machines generating network events.

User Logons by Source Machine   Displays the top 5 user logons by source machine.

Data Simulator   Plays back different kinds of simulated network data.

Top 10 Rules by Number of Rules Fired   Displays the top 10 most commonly triggered rules and how many times each rule was triggered over a selected time period.

The User Details widgets


In the "Top 10 Users by # of Events" widget, click a user to open the User Details page. Every user has a
User Details page that displays all related information, including all events for the selected user.

This screen capture shows the User Details page, which contains the "User:Details" and "User:All Events"
widgets.

THE USER: DETAILS WIDGET

This widget displays detailed user information, such as user name, Manager, user type, and so on.

THE USER: ALL EVENTS WIDGET

This widget displays all event statistics generated by the selected user with a corresponding graph. Click
an event to see the Event Details page for the selected event.

The User:All Events menus allow you to:

 • Filter events by event group
 • Switch between Grid and Details views
 • Filter events by date and time

Color-coding allows you to easily locate events that may need attention. A green line on a graph represents
informational events. A yellow line represents warning events. And a red line represents critical events.

The Node Details widgets


In the "Top 10 Nodes by # of Events" widget, click a node to open the Nodes Details page. This page
displays an overview about every device monitored by LEM.

This screen capture shows the Nodes Details page, which contains the "Node: Details," "Node: Connectors
Applied," and "Nodes: All Events" widgets.

THE NODE: DETAILS WIDGET

This widget displays detailed information about the specified node, such as node IP, node name, last event,
and so on.

THE NODE: CONNECTORS APPLIED WIDGET

This widget provides a list of connectors configured for the selected node and whether the connectors are
enabled or disabled. You can also turn the connectors on or off and configure new connectors.

THE NODE: ALL EVENTS WIDGET

This widget lists all events generated by the selected node and displays statistics of the events in a graph.
Click an event to view the Event Details page for the selected event.

Using this widget, you can filter events by event group, switch between Grid and Details views, and adjust
the view from the last ten minutes to last week.

Color-coding allows you to highlight events that may need attention. A green line on a graph represents
informational events; a yellow line represents warning events; and a red line represents critical events.

The Widget Manager and Widget Builder


In this topic:

  • The Widget Manager UI 500

• The Widget Builder UI 501

Use the Widget Manager to select widgets to add to a dashboard. Use the Widget Builder to create a new
widget or edit an existing widget.

This topic provides page-level help for the Widget Manager and Widget Builder pages in the LEM
console. For more information, see:

 • "Manage LEM widgets with Widget Manager: Add, edit, and more" on page 261
 • "Create and edit widgets with Widget Builder" on page 265

This screen capture shows the "Widget Manager" portion of the Ops Center view in the LEM console:

The Widget Manager UI


The following table describes the Widget Manager UI elements:

NAME   DESCRIPTION

Categories pane   Lists widgets you can add to the dashboard by category. The Name column lists each available widget filter with one or more master widgets. The Count column lists the number of widgets associated with each filter. Click the Name or Count column headers to rearrange the categories by name or count. The pane's two toolbar icons open the Widget Builder: one to add a new master widget to the selected category, the other to edit the widget selected in the Widgets pane.

Widgets pane   Displays the master widgets associated with each filter. Use this pane to create dashboard widgets and delete master widgets from the selected filter.

Add to Dashboard   Adds a copy of the selected master widget to the dashboard.

Delete Widget   Deletes the master widget currently displayed in the Widgets pane. Deleting a master widget does not delete the dashboard widgets included with a widget filter.

The Widget Builder UI
ENTER THE GENERAL WIDGET SETTINGS

 1. In the Name field, enter a name for the widget.
 2. In the Description field, enter a description for the widget (up to 80 characters).
 3. Click the Filter drop-down menu and select the filter data source.
    When you select your filter data source, use the following conventions:
     • If the filter appears in italics, the filter is turned off.
     • If you create a widget from a disabled filter, the widget will not display any chart information
       until the filter is re-enabled.
     • When you create a widget in the Monitor tab, this field defaults to the currently active filter. If
       you select a different filter, the widget will be associated with your targeted filter and not the
       active filter.
     • When you create a widget in the Ops Center tab, this field defaults to the first option in the
       list.
 4. Enter the visual configuration settings.

ENTER THE VISUAL CONFIGURATION SETTINGS

 1. Click the Visualization Type drop-down menu and select the appropriate graph.

 2. Click Color and select a color palette for the chart or graph.
 3. (Optional) In the X Axis Label field, enter a name for the chart or graph horizontal axis.
 4. (Optional) In the Y Axis Label field, enter a name for the chart or graph vertical axis.
 5. Enter the data configuration settings.

ENTER THE DATA CONFIGURATION SETTINGS

 1. Click the Field drop-down menu and select a data field to report in the widget.

 2. Click the Show drop-down menu and select the data frequency reported in the widget.
    Select Count to count the number of occurrences of the selected Field value. For example, if you
    select EventID in the Field drop-down menu, the widget counts the number of events.
    Select Distinct Count to count each unique value once. For example, if you select a Field value such
    as Event Name or Detection IP, the widget counts each specific value once. In a single-dimension
    chart this option reports every value as 1, so it is best suited to multidimensional charts.
 3. Click the Sort drop-down menu and select the data sort method.
     a. Select Descending to list the data from highest to lowest (Z to A or 10 to 1).
     b. Select Ascending to list the data from lowest to highest (A to Z or 1 to 10).
 4. (Optional) Click the Versus drop-down menu and select another data field (displayed in ascending
    order) for a second data dimension in the chart.
 5. (Optional) Click the Split By drop-down menu and select another data field (displayed in ascending
order) for a third data dimension in the chart.
 6. Click the Limit drop-down menu and select a value that limits the number of items to chart.
The default value is 5.
 7. Click the Scope drop-down menus and select the appropriate time frame reported by the chart or
graph.
For example, selecting a scope of 30 minutes will display the last 30 minutes of data in the chart or
graph.
Choose a narrow scope for frequent events. Choose a wide scope for events that rarely occur.
 8. Click the Resolution drop-down menus and select the time values (displayed as tick marks) for the
horizontal X-axis in the chart. This value is required when Versus is a time field.
For example, if your Scope is 30 minutes, you can set the Resolution to five minutes to indicate five-
minute tick marks on the X-axis.
 9. Click the Refresh drop-down menus and select the data refresh rate for the widget display.
 10. Click Save.

Monitor view in the LEM console
In this section:

 • The Monitor view 503

• The Filter Creation form 512

• Managing events in Monitor view 516

The Monitor view


In this topic:

 • The Filters pane 505

• The Filter Notifications pane 505

• The Events grid 506

• The Widget pane 507

• The Event Details window 508

• The Respond menu 510

• The Explore menu 512

• Notifications 512

• Nodes 512

• Appliances 512

Monitor view displays all monitored events on your network in real time. It includes features to help you
review and analyze current events on your network.

This topic provides page-level help for the Monitor view in the LEM console.

See also:

 • "About LEM filters and filter categories" on page 233
 • "LEM filters: Capture real-time events and historical data with filter criteria" on page 232

This screen capture shows the Monitor view in the LEM console:

Monitor view includes:

 • An All Events pane that displays a real-time event stream where you can apply event filters
 • An Event Details pane that displays details for any event you highlight in the event stream
 • A Widgets pane that displays a graphical representation of the current filter (if available)
 • Several default filters to refine the data you see in the event stream
 • A GUI filter editor called Filter Creation to create and edit event filters

Raw (un-normalized) log messages do not appear in Monitor view, even if the nDepth log retention
feature is enabled. Further, rules can only fire on normalized data and not on raw log data that is
received.

The Filters pane
The Filters pane stores all filters you can apply to the console event messages.

All filters are stored in groups. To add a filter to the events grid, click a filter group and then click a filter.
The events grid title changes to the name of the event and the grid refreshes and displays the incoming
events allowed by the filter conditions.

Use the toolbar icons above the pane to create your own custom filters and filter groups, and to edit, pause,
resume, turn on, turn off, import, export, or delete filters.

The Filter Notifications pane


The Filter Notifications pane summarizes the event activity from your active notification filters that use
blink, popup, or sound notifications. Click a filter name to view the events associated with the targeted
filter.


The Events grid


The Events grid displays each event that matches your selected filter, drawn from every event logged to each Manager connected to the console. The title bar displays the filter name you selected in the Filters pane.

As the Agents monitor each configured data source on your network, they send the events to each
Manager. In turn, the event grid displays the events logged to each Manager that is connected to the
console. By default, incoming events always appear at the top of the grid, allowing the Monitor view to
always display the most recent activity.

The toolbar includes additional options:

• Respond. Click this option to respond to a particular event message. For example, you can choose to block an IP address, or restart or shut down the machine that is the source of the event activity.
• Explore. Click this option to select a particular event message or one of its specific data elements with an explorer. The selected cell (or string) determines the explorers you can choose.
• Pause. Click this option to stop the event traffic reported by the filter. When finished, click Resume to continue.
• Highlight Selected Row(s). Click to highlight rows in the Events grid with a selected color.
• Settings. Click and select an option to mark messages as read or unread, remove messages, or copy event information.

The Widget pane
The Widget pane displays the widgets associated with the filter currently applied to the events grid.
Widgets automatically refresh themselves to reflect changes in events grid filtering.

You can view the widgets associated with this filter by clicking the drop-down menu and selecting an
option.

You can also:

• Click to change the presentation format (such as pie chart, bar chart, and so on).
• Click to create a new widget.
• Click to open Widget Builder and create a new widget.
• Click to display the widget legend.
• Hover your mouse over a format item to view specific information.

CHANGE THE WIDGET DISPLAY FOR A SELECTED FILTER

 1. In the LEM console, click Monitor.
 2. In the Filters pane, maximize a category and click the filter you want to modify.
 3. In the Widgets pane, click the drop-down menu and select the widget you want your filter to display.


The Event Details window


The Event Details pane displays specific information about the last event you selected in the Events grid. To view the details for a specific event, select the event in the event stream; the event and its supporting information then appear in the Event Details pane.

You can also:

• Click to create a filter for this event.
• Click to view the previous or next event.
• Click to view the event description.
• Click to return to the event details.

The window fields vary according to your selected event type. For example, network-oriented events
display IP addresses and ports in the window. Account-oriented events display account names and
domains. The window may also include a severity level.

Click or the up and down arrow keys to select the previous or next event in the events grid.

EVENT DESCRIPTION WINDOW

The Event Description window displays a description of your selected event in the events grid.

Click to review the event description.

Click to return to the Event Details window.

Click to select the previous or next event and event description in the events grid.

EVENT SEVERITY LEVELS

Each event is assigned a number indicating its severity. The following table explains each severity level.

| Level | Name | Description |
|---|---|---|
| 0 | Debug | Detailed event information used for debugging by SolarWinds engineers. |
| 1 | System Error | Part of the system is unusable. |
| 2 | Informational | SolarWinds informational messages only. |
| 3 | Normal Audit | Normal behavior, but could be part of a signature attack. |
| 4 | Normal Notice | Normal behavior that you should monitor. |
| 5 | Suspicious | Normal behavior under most circumstances, but should be investigated. |
| 6 | Threatening | Investigation and action is required. |
| 7 | Critical | Immediate action is required. |


THE "CREATE A FILTER FROM THIS EVENT" BUTTON

Click in the Event Details or Event Description windows to create a new filter that captures the currently
selected event type. When completed, the Monitor view opens with the new filter open in the events grid.
The new filter appears in the Filters pane under the last selected filter. If required, you can edit the filter
so it captures specific events. See "Manage LEM filters: Add, edit, view, and more" on page 248 for help.

The Respond menu


The Respond drop-down menu in Monitor view provides a list of actions you can execute for a specific
event message.

Each Respond command opens the Respond form. This form includes data from the field you selected and options for customizing the action, similar to configuring the active response for a rule in Rule Creation.

The Respond menu is context-sensitive. The event type or cell currently selected in the event grid
determines which responses you can choose.

SELECT AN EVENT RESPONSE

In the Respond form, you can use the default field information to complete the form.

 1. In Monitor view, locate an event in the event grid and click Pause.
 2. Select the event in the grid.
 3. Click Respond and select an action.

 The drop-down menu contains a list of commonly-used actions. If your action does not appear in the list, select All Actions.

 4. In the Respond form, click the Action drop-down menu and verify the action for your selected event.
 5. Complete any remaining fields in the form.
 6. Click OK to execute the action.
 7. Click Resume to receive new events in the event grid.

SELECT AN EVENT RESPONSE USING DRAG-AND-DROP TEXT

In the Respond form, you can drag and drop information from the Event and Information fields into the configuration fields to complete the form. Use this method to add content to a blank configuration field or to replace the content of an existing configuration field.

 1. In Monitor view, locate an event in the event grid and click Pause.
 2. Select the event in the grid.
 3. Click Respond and select an action.

 The drop-down menu contains a list of commonly-used actions. If your action does not appear in the list, select All Actions.

 4. In the Respond form, click the Action drop-down menu and verify the action for your selected event.
 5. In the Respond form's event information grid, scroll to locate the field that contains the data element needed to configure the action.
 6. Click and drag an event field into the appropriate action configuration field.
 7. Complete any remaining fields as required.
 8. Click OK to execute the action.
 9. Click Resume to receive new events in the event grid.

The Explore menu


See "The Utilities view" on page 540.

Notifications
The Notifications tab at the bottom of the Monitor view page summarizes the event activity from each of
your active notification filters that use blink, popup, or sound notifications. Click a filter name in this tab to
view the events associated with the targeted filter.

Nodes
The Nodes tab at the bottom of the Monitor view page opens the Nodes screen in Manage view, allowing you to connect or disconnect from a Manager, add a Manager Agent, and configure rules, policies, and network security connectors that apply to each Manager.

Appliances
The Appliance tab at the bottom of the Monitor view page opens the Appliance screen in Manage view to
add, configure, and maintain each virtual appliance associated with and monitored by the LEM system.

Appliances is used here as a generic term that includes Managers, as well as database, logging, network,
and nDepth servers.

The Filter Creation form


In this topic:

  • The Filter Creation form 513

• The filters and groups list pane 514

Use the Filter Creation form to create or edit filters in Monitor view in the LEM console.

This topic provides page-level help for the Filter Creation form in the LEM console.

See also:

• "LEM filters: Capture real-time events and historical data with filter criteria" on page 232
• "Create a new LEM filter for real-time monitoring" on page 241
• "Get started building custom filter expressions in LEM" on page 335

The Filter Creation form


Use the Filter Creation form to create or edit a filter in Monitor view.

| Component | Description |
|---|---|
| The Filter Creation sidebar (also called the List pane) | Contains categorized lists of events, event groups, event variables, groups, profiles, and constants you can use to create conditions for your filters. If more than one Manager is linked to the console, each item in the list pane lists the associated Manager. The Events list contains a search box and associated buttons that switch the view between tree and list views. |
| Name | Displays the filter name. |
| Lines Displayed | Selects the number of lines displayed in the screen. |
| Description | Displays the filter description. |
| Filter Status | Lists warnings and error messages about the current configuration logic in your filter. |
| Conditions | Defines the data conditions reported by the filter. To configure a condition, drag items listed in the List pane into the Conditions box. |
| Notifications | Defines how the console responds to your event (such as a sound or pop-up message). |
| Undo | Reverts the screen to your last desktop action (up to 20 actions). |
| Redo | Forwards the screen to your next saved desktop action (up to 20 actions). |
| Save | Saves your filter changes. |
| Cancel | Cancels your filter changes. |

The filters and groups list pane


The following screen capture shows the filters and groups list pane on the Filter Creation screen in
Monitor view.

To open the list pane, click Monitor, then click Filters to open the Filters sidebar, and then choose New
Filter or Edit from the or menus.

This table describes each option on the Filter Creation screen sidebar in Monitor view.

| Filter | Description |
|---|---|
| Events | All console event types. Click to display the list as a hierarchical node tree. Click to list event types alphabetically, regardless of their position in the hierarchy. |
| Event Groups | Preconfigured groups of events used to initiate a specific event filter condition or rule creation. |
| User-Defined Groups | Groups of preferences used in rules and event filters to match, include, or exclude events, information, or data fields based on their membership in a particular Group. In most cases, these groups are used in rules for choosing which events to include or to ignore. These groups apply to Managers and are created in the Group Builder. |
| Connector Profiles | Groups of Agents with common connector configurations. Use connector profiles with rules and filters to include or exclude Agents associated with a particular profile. You can create connector profiles in the Build > Groups grid. |
| Directory Service Groups | Preconfigured groups of network computers and system users you can use in rules and filters. They allow you to match, include, or exclude events to specific users or computers based on their group membership. These groups are synchronized through the Build > Groups grid. |
| Time Of Day Sets | Specific groups of hours you can associate with rules and event filters. You can use time of day sets to enable your filters to include or exclude messages that occur during the hours associated with a particular time of day set, or to have your rules take different actions at different times of day. You can create time of day sets in the Build > Groups grid. |
| Subscription Groups | All console user names, and the Manager associated with each user. Each name represents the list of rules subscribed to by each individual user. When you add a subscription group to a filter, you can build the filter so it only displays event messages related to specific rules that a particular user is interested in (or "subscribed to"). You can create subscription rules in the Build > Groups grid. |
| Constants | The constants rules and filters can use for comparing event data. These include text, number, and time. |
| Notifications | Various notification methods the console can use to announce an event message for the filter. You can have the console display a pop-up message, display the new event as "unread," play a sound, or have the filter name blink. You can also configure multiple notification methods for the same filter. This list only applies to filters. |


Managing events in Monitor view


In this topic:

  • Review an event 517

• To apply a filter to the Monitor event stream 517

• To view the event details for a specific event in the event stream 517

• Change the widget display for a selected filter 517

• To edit a widget chart presentation in Monitor view 518

• Sort the events grid 518

• Highlight events 518

• Copy event data to the clipboard 519

• Tag events as Read or Unread 520

• Remove events 520

This topic describes how to work with events in Monitor view.

This topic provides help for Monitor view in the LEM console. For Monitor view page-level help, see
"The Monitor view" on page 503.

Events are messages created from Agent, Manager, and network device log entries. These log entries are
processed (or normalized) to extract information and display the data in a common table format instead of
the often convoluted format you see in the source data. The normalized events are sent from the Agent to
the Manager for processing. At the Manager, the events are processed against your rules, sent to the
database for archiving, and sent to the LEM console for monitoring.

When you click a filter in the Filters pane, inbound traffic is channeled through the filter and displayed in
the events pane. You can pause the incoming event stream, sort and highlight the data, and respond to
events with a corrective action. When completed, you can resume the incoming traffic that appears in the
events grid.

To learn how to use LEM to view all real-time and historical activity from a single IP address, open
the following URL in a web browser:

https://play.vidyard.com/wDGZ1B5oQdQ2BN1PXYQvbR

Review an event
 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM desktop console" on page 33 for steps. Click Monitor.
 2. In the Filters pane, select a filter.
 3. Locate an event in the event grid you want to explore.
 4. Click Pause to stop the event feed.
 5. Select the event in the grid.
 6. Click the Explore drop-down menu and select Event.

 The Event explorer displays all events associated with your selected event. Your selected event name displays in the History pane. Click Event Details to view additional event information.

To apply a filter to the Monitor event stream


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM desktop console" on page 33 for steps. Click Monitor.
 2. Click Filters in the top left corner to open the Filters sidebar.
 3. Expand a filter category and select a default or custom filter from the Filters list.

 The events grid title bar displays the name of your selected filter, and the grid refreshes to display incoming events that match the conditions of your filter.

LEM saves event filters on the workstation running the LEM console. If you move to another workstation,
you can export the filters to your new workstation and import them into the console.

To view the event details for a specific event in the event stream
 1. Apply a filter to the Monitor event stream (as described above).
 2. Select the event in the event stream and review the results in the Event Details pane.

Change the widget display for a selected filter


 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM desktop console" on page 33 for steps. Click Monitor.
 2. In the Filters pane, maximize a category and click the filter you want to modify.
 3. In the Widgets pane, click the drop-down menu and select the widget you want your filter to display.


To edit a widget chart presentation in Monitor view


Widgets displayed in Monitor view allow you to reconfigure the chart settings to suit your needs. These
settings include the visualization type (line, bar, pie, or table), the color palette, and the X and Y axis labels.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Monitor.
 3. In the Monitor dashboard, locate the widget you want to reconfigure.
 4. Click in the widget toolbar.
The widget rotates the interface to display the presentation format settings.
 5. Reconfigure the widget settings as required.

Your options are limited to the selected widget and the data it reports. For example, widgets
that report in one dimension may be limited to a pie chart, while information in two
dimensions can be reported in a bar or line chart.

 6. Click to close.

 The widget rotates, displaying the information in your chosen format.

Sort the events grid


You can sort the events in the events grid by clicking the appropriate column header. For example, if you
click the Event Name column header, the grid sorts the filtered events by event name in ascending order.
If you click the column header again, the events are sorted in descending order.

 1. On the events grid toolbar, click Pause.
 2. Click the appropriate column header to sort your filtered events.
 3. When completed, click Resume to continue receiving filtered traffic.

Highlight events
In the Monitor view events grid, you can highlight events to call attention to them or mark them for future
reference. This allows the events to stand out as you scroll through the contents of the grid. You can
highlight multiple events at the same time. You can also choose the color you want for each set of events
you are highlighting.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM desktop console" on page 33 for steps. Click Monitor.
 2. In the Filters pane, select a filter from a filter group.
 3. On the events toolbar, click Pause to temporarily stop all incoming events.

Pausing incoming events is not required, but it places all events in static mode for review.

 4. In the events grid, click the events you want to highlight.

 Press <Ctrl> to select two or more events.

 5. On the events grid toolbar, click to highlight a row with a selected color or enter a hexadecimal color value. The events appear in your selected color.
 6. Click Resume to resume the incoming event traffic.

DISABLE HIGHLIGHTED EVENTS

 1. On the events grid toolbar, click Pause to temporarily stop all incoming events.
 2. In the events grid, select the appropriate events to disable the highlight.
Press <Ctrl> to select multiple events.
 3. On the events grid toolbar, click the drop-down menu and select No Color.
 4. Click Resume to resume all incoming events.

Copy event data to the clipboard


Copy event data for single or multiple events from the Monitor view events grid or Event Details pane to
your clipboard. This allows you to paste the data into another application (such as Microsoft Excel for
comparison or analysis), share the data with someone who does not have a console, or send to SolarWinds
for technical support.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM desktop console" on page 33 for steps. Click Monitor.
 2. In the Filters pane, select a filter from a filter group.
 3. In the events grid, select the event you want to copy.

Press <Ctrl> to select two or more events.

 4. In the events grid, click and select Copy.

 The event data is now copied to your clipboard (as text).


Tag events as Read or Unread


You can mark events in an event filter as unread or read. This allows you to track examined and unexamined events.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM desktop console" on page 33 for steps. Click Monitor.
 2. In the Filters pane, select a filter from a filter group.
The events grid displays your selected filter.
 3. In the events grid, select the events you want to mark as read or unread.
 4. Press <Ctrl> to select two or more events.
 5. In the events grid, click and select one of the following options:
 • Mark Unread identifies one or more selected events as unread in bold text. Any events captured by other filters appear as unread in those filters as well.
 • Mark Read identifies one or more selected events as read in non-bold text.
 • Mark All Unread identifies all events as unread in bold text.
 • Mark All Read identifies all events as read in non-bold text.

The grid refreshes based on your selection.

Remove events
You can remove one or all events from a filter. This allows you to clean a filter of historical information that
is no longer important.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM desktop console" on page 33 for steps. Click Monitor.
 2. In the Filters pane, select a filter from a filter group.
 3. In the events grid, select the events you want to remove.
Press <Ctrl> to select two or more events.
 4. In the events grid, click and select Remove to remove your events.
Select Remove All to remove all events.
The selected events are removed from the grid.

Explore view in the LEM console
In this section:

  • The nDepth view 521

• The Utilities view 540

• Common data field categories in LEM nDepth search 547

The nDepth view


In this topic:

  • The nDepth search view 522

• The nDepth history pane 523

• The nDepth filters and groups list pane 524

• The nDepth search bar 525

• The nDepth histogram 528

• The nDepth explorer toolbar 531

• The nDepth word cloud 532

• The nDepth tree map 533

• The Result Details view 534

• Search Builder 538

The nDepth search engine (Explore > nDepth) locates and analyzes events on your network.

This topic provides help for the nDepth view in the LEM console. For more information, see "nDepth search: Explore event history using nDepth and other LEM utilities" on page 345.


The nDepth search view


The following illustration shows the nDepth view.

| Number | Item | Description |
|---|---|---|
| 1 | History | Displays links to your recent nDepth search results. |
| 2 | Saved Searches | Displays links to your saved nDepth search results. |
| 3 | Filters and groups sidebar | Displays categorized lists of events, event groups, event variables, and additional options you can use to create conditions for your filters. |
| 4 | Search bar | Searches all event data or the original log messages that pass through a LEM Manager. Drag the toggle switch to select Drag & Drop or Text Search mode. |
| 5 | Respond | Displays a list of corrective actions you can execute when an event occurs, such as shutting down a workstation or blocking an IP address. |
| 6 | Explore | Displays several utilities you can use to research an event, including Whois, Traceroute, and NSlookup. |
| 7 | Time | Provides a drop-down menu to select the time range for your search. |
| 8 | Play | Executes the selected search. |
| 9 | Histogram | Displays the number of events or log messages reported within the selected search time range. |
| 10 | Dashboard | Displays the search results in all available widgets. You can change this view by clicking a widget in the nDepth toolbar. The icon indicates you are exploring event data. The icon indicates you are exploring log messages. |
| 11 | nDepth Toolbar | Organizes log data into categories to identify activity in your network. Click a selection to display the category below the histogram. |

The nDepth history pane


Each nDepth explorer search adds an item to the Explore view history pane.

The represents an event data search. The represents an original log message search.

The following illustration displays an nDepth search of event data. When you hover over a history item, you
can view the number of search results and your search string text.

A new search adds a history item. If you click an earlier history item, the system takes you back to that
search and does not make a new item. After you modify your nDepth search parameters and perform a
new search, that search becomes a new history item.


The nDepth filters and groups list pane


Below is an example of the filters and groups list that displays in the Explore > nDepth view.

The following table describes each option in the filters and groups list pane.

| Filter | Description |
|---|---|
| Refine Fields | The top 100 data details for each field found in your nDepth search results. The details change, depending on whether you are searching event data or log messages. You can use these details to create, refine, or append nDepth search conditions. Click ABC to sort the details alphabetically within each category. Click 321 to sort the details by frequency within each category. The items that occur most often appear first within each category. |
| Managers | The various appliances monitored by the console. Use this list to select the Manager for your nDepth search. If you stored the original event log on a separate nDepth appliance, select this appliance to search that data. In Drag & Drop Mode, you can drag an item from this list into the search box to include that item in the search string. When using Search Builder, you can drag an item from this list into the Conditions box. |
| Events | All console event types. Click to display the list as a hierarchical node tree. Click to list event types alphabetically, regardless of their position in the hierarchy. |
| User-Defined Groups | Groups of preferences used in rules and event filters to match, include, or exclude events, information, or data fields based on their membership in a particular Group. In most cases, these groups are used in rules for choosing which events to include or to ignore. These groups apply to Managers and are created in the Group Builder. |
| Connector Profiles | Groups of Agents with common connector configurations. Use connector profiles with rules and filters to include or exclude Agents associated with a particular profile. You can create connector profiles in the Build > Groups grid. |
| Directory Service Groups | Preconfigured groups of network computers and system users you can use in rules and filters. They allow you to match, include, or exclude events to specific users or computers based on their group membership. These groups are synchronized through the Groups grid. |
| Subscription Groups | All console user names, and the Manager associated with each user. Each name represents the list of rules subscribed to by each individual user. When you add a subscription group to a filter, you can build the filter so it only displays event messages related to specific rules that a particular user is interested in (or "subscribed to"). You can create subscription rules in the Groups grid. |

The nDepth search bar


The search bar provides a method to search all event data or the original log messages that pass through
a LEM Manager. You can search logs from various devices using predefined search parameters (such as
Change Management Events) or search for specific data using a text search. The toggle switch in the
search bar allows you to switch between the drag-and-drop and text search modes.

The following table describes the key features of the nDepth search bar.

Mode selector: Use this toggle switch to select how you intend to enter the search string for your queries:

 • Select Drag & Drop Mode (upper position) to drag items from the list pane or the Result Details view directly into the search box. This is the recommended position, as it is the easiest to use.
 • Select Text Input Mode (lower position) to type a search string directly in the search box. In this mode, the search box also shows the text version (or search string) of any search that is being run or configured in Search Builder or the Saved Searches pane.

Search box: This box contains your search conditions. You can enter search conditions a number of different ways. Click a delete button next to a condition or a group to remove that condition or group from the current search configuration.

AND / OR operators: The search bar includes AND and OR operators. These operators let you include AND and OR relationships between conditions and groups of conditions when you have multiple conditions in your search string. Click the operator icon to toggle between AND and OR relationships.

Group summary: When you have a group of conditions, the search bar displays the conditions as a summary. To see the actual conditions, point to them. A ToolTip appears that shows each condition in the group.

Delete All button: Click this button to delete the entire contents of the search box, so you can begin a new search.

Search button: Click this button to begin a search, or to stop a search that is in progress.

 • Click to begin searching.
 • If the search button turns red, it means the current search configuration is invalid.
 • Click to stop a search that is in progress.

Time selector: In the time selector, select a time frame for the search. If needed, you can create your own custom time frame.

Data selector: Use this toggle switch to choose the data you want nDepth to explore:

 • Select Events (left position) to search LEM's normalized event data. This is the event data that appears in the Monitor view.
 • Select Log Messages (right position) to search the actual log entries that are recorded in your network products' log files. If Log Messages is disabled, it means your equipment is either disabled, or it does not have the capacity to store and search the original log messages. However, you can still search the data in the Events position.

DRAG-AND-DROP SEARCH MODE

When the toggle switch is in the upper position, nDepth search is in Drag and Drop Mode. In this mode, you can drag items from the List pane or Result Details directly into the search box to initiate a search for a specific event.

In this mode, the search bar includes AND and OR operators. These operators let you include AND and OR
relationships between conditions and groups of conditions, when you have multiple conditions in your
search string.

For example, when you click a saved search, the search parameter populates the search bar. The icon at
the end of the search bar indicates an OR operator.

When you click the operator icon, it changes to the AND operator.

Click next to a condition or a group to remove your condition or group from the current search
configuration.

The search bar synchronizes with Search Builder.

CREATING SEARCH CONDITIONS

The following table describes how to add search conditions in Drag & Drop Mode and in Text Input Mode.

| To do this | Do this | Drag & Drop Mode | Text Mode |
|---|---|---|---|
| Clear a search from the search box | Click Delete All next to Play on the search bar. | ● | ● |
| Add a new search | Clear a search from the search box, and then add new search conditions using any method listed in this table. | ● | ● |
| Add conditions to an existing search | Use any method listed in this table. nDepth automatically adds new search conditions to the search string. | ● | ● |
| Add a search condition from a widget or other graphical tool | Click an item in a graphical tool to add that item to the search box. | ● | ● |
| Add a search condition from the list pane | In the Refine Fields list, double-click an item. | ● | ● |
| | In any list, click and drag an item into the search box. | ● | |
| Add a search from Search Builder | Configure a search with Search Builder. Search Builder automatically populates the search bar with the search configuration. The search bar and Search Builder are different views of the same search. | ● | ● |
| Add a search condition from the Result Details view | Select a character string from the data, and then double-click the string to add it to the search box. | ● | ● |
| | Select a character string from the data, and then drag it into the search box. | ● | |
| | Select a character string from the data, and then copy and paste it into the text box. | | ● |
| Type a search string | Type a search string directly in the search box. | | ● |
| Perform the search | Click Play on the search bar. | ● | ● |

The nDepth histogram


The nDepth histogram displays the number of events or log messages reported within your search time
frame. nDepth returns search results chronologically so you can investigate a specific interval. You can
minimize the search window to take a closer look or maximize the window to view additional activity.

nDepth's histogram summarizes event activity within a particular period. By default, the histogram
displays the last 10 minutes of event activity. The bright zone shows the period that is currently being
reported. The gray zones show activity outside of the reported period.

The bottom time bar is divided into one-minute intervals. The top bar is divided into 30-second intervals.
The histogram displays a separate bar for each 30-second interval. Time is displayed in 24-hour (military)
time.

Pointing to a bar shows the total number of events that occurred in that interval. Clicking a bar opens a
pop-up window that shows a histogram for that bar's interval. Depending on the range of the search's time
frame, these intervals can be as short as 5 seconds.

When you switch to the Result Details view, the histogram displays two dashed vertical lines. These lines
are markers, indicating where you are in the histogram for each page of the search results. The lines show
the times of the first and last event on the current Result Details page.

By default, the ▲ shows the time of the first result on the page. If you select an event in the Result Details
box, the pointer shows the time of that event.

When you view the search results of events number 1-200, the left line shows the time of event number 1,
and the right line shows the time of event number 200. If you click event number 150, the ▲ shows the
time that event occurred.

SEARCH ACTIVITY ASSOCIATED WITH A PARTICULAR HISTOGRAM BAR

Use the histogram to search the event activity associated with a particular vertical bar in the histogram.

To search activity for a bar, double-click a vertical bar. nDepth automatically refines the search and
refreshes the data to show only the events from the time frame associated with that bar.

ADJUST THE SEARCH PERIOD

You can use the nDepth histogram to move the search period to an earlier or later start time. For example,
after you search a 30-minute time frame, you can keep the same 30-minute length but shift the period so it
starts earlier or later.

 1. Move your mouse pointer over the histogram.
 2. Locate the gray slider that appears in the window.
 3. Drag the slider to the left to move the period to an earlier starting point. Drag the slider to the right
to move the period to a later starting point.
As you move the slider, a ToolTip displays the period's midpoint time.
 4. Click to run the search for the new time frame.
nDepth automatically refines the search and refreshes the data to display only the events from the
new time frame. Modifying the period automatically changes the search bar time selector to Custom.
 5. Click to restore the previous time frame (if desired).

CHANGE THE PERIOD START AND END TIME

You can use the nDepth histogram to change the search period by changing its start time and end time.
For example, if you run a search for a 30-minute period, you can expand the time frame (for example, to 45
minutes) or reduce the time frame (for example, to 20 minutes).

 1. Move your mouse pointer over the vertical bar.
 2. Drag the vertical bar to a new destination.
Drag the left or right slider to change the time frame start or end time, respectively. When you
release the slider, a tooltip shows the new start time.
 3. Click to run the search for the new time frame.
nDepth automatically refines the search and refreshes the data to show only the events from the
new time frame. Changing the time frame automatically changes the search bar time selector to
Custom.
 4. Click to restore the previous time frame (if desired).

The nDepth explorer toolbar
This toolbar provides links to dashboards that display your data in different formats. You can also access
Search Builder and details about your search results from the toolbar.

The following table describes the function of each option on the nDepth explorer toolbar. Each option
provides a different view of the data from the most recent search.

In any explorer view, if a particular chart configuration does not logically apply to the data you are
exploring, that chart is disabled.

TOOL VIEW DESCRIPTION


Dashboard Displays each nDepth view as a small widget. You can minimize and maximize
each widget or edit the chart widgets to change their appearance. This is the
default view.

Word Cloud Displays keyword phrases that appear in your event data. Phrases appear in a size and color
that relate to their frequency. You can filter this view to zero in on a range of activity or click a
phrase to create or append a search based on that phrase.

Tree Map Displays the items that appear most often in the data as a series of categorized
boxes that correspond with the data categories in the Refine Fields list.

The box size in each category is associated with its relative frequency. The more
often an item occurs, the larger its box appears. You can hover over small boxes
to open a tooltip and display its contents or click a box to create or append a
search based on that item.

Bar Charts A group of widgets that display your most frequent data items as a series of bar
charts, which correspond to the relative frequency. The more often an item
occurs, the larger its bar appears. You can hover over a bar to open a tooltip or
click a bar to create or append a search based on that item.

Line Charts A group of widgets that display your most frequent data items as a series of line
graphs. The height of a point on the graph corresponds with the item's relative
frequency. The more often an item occurs, the higher the point appears on the
graph. You can point to an item on the graph to show information about it. You
can also click a point on the graph to create or append a search based on that
item.

Pie Charts A group of widgets that display your most frequent data items as a series of pie
charts. The size of each pie wedge corresponds with the relative frequency. The
more often an item occurs, the larger its wedge appears. You can hover over a
wedge to view additional information or click a wedge to create or append a
search based on that item.

Bubble Charts A group of widgets that display your most frequent data items as a series of
circles or bubbles. The size of each bubble corresponds with the relative
frequency. The more often an item occurs, the larger its bubble appears. You can
hover over a bubble to display additional information or click a bubble to create
or append a search based on that item.

Result Details A text-based view of the data you are investigating. This view also supports
nDepth search capabilities. You can create or refine searches by dragging and
dropping search strings from the data into the search box.

Search Builder A graphical interface used to create and refine complex searches. You can drag
items from the nDepth list pane directly into the Search Builder Conditions box to
configure complex searches. Search Builder is similar to the Filter Creation tool.

The nDepth word cloud


The nDepth word cloud summarizes your event activity by displaying the top 100 keyword phrases that
appear in your event messages.

Click in the toolbar to open the widget.

Phrases appear in a size and color that relate to their frequency. Phrases that appear in warm colors (red,
orange, and yellow) and in larger print represent the phrases that occur most frequently. These are your
hot items.

Phrases that appear in cool colors (green and blue) and in smaller print occur with the least frequency.
These are your cool items. Cool items may still be important. They just occur less frequently than hot
items.

VIEW STATISTICS IN THE WORD CLOUD

A word cloud includes statistics about each item listed in the cloud. To view your cloud statistics, point to a
phrase in the word cloud. A tooltip displays, showing the keyword phrase, its count (the number of times it
occurs in the reported period), and its percentage. The percentage is based on the relative frequency of
the phrase compared to other reported phrases.

FILTER THE WORD CLOUD CONTENTS

Two horizontal bars display at the bottom of the word cloud. The top bar is a color gradient that goes from
red (hot) to blue (cool). These colors correspond with the colors of the phrases displayed in the Word
Cloud.

The lower bar controls which part of the gradient the word cloud displays. You can use this bar to filter
the word cloud so it only displays the section of the gradient you want to see. By default, the word cloud
displays everything associated with the entire gradient: all items that are hot, cool, and in between.

By default, the word cloud displays the top 100 phrases, and the sliders are automatically adjusted to this
width. If you manually adjust the sliders, nDepth remembers the left position and automatically adjusts
the right position so the word cloud displays up to 100 phrases between the left and right positions. If all
100 phrases can be shown within the positions you've selected, the sliders will stay in place.

Slider settings are stored with each word cloud. As a result, you can create word clouds in the dashboard
that are adjusted differently from the primary word cloud view.

To hide hot items, drag the lower bar's left-hand slider to the right. To hide cool items, drag the lower bar's
right-hand slider to the left. To restore the Word Cloud, drag the sliders back to their far-left and far-right
positions.

EXPLORING ITEMS IN THE WORD CLOUD

You can use the word cloud to explore a particular phrase, either by using it as the basis for a new search
or by appending it to an existing search. To explore an item in the word cloud, click the phrase you want to
explore. When the phrase appears in the search bar, click to show the results associated with your search.
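
The word cloud's per-phrase statistics and the lower-bar slider filter, as an added Python example (not SolarWinds code) run over constructed sample messages. It assumes a simple tokenizer (single words and adjacent word pairs) and percentages relative to the other reported phrases, neither of which the guide specifies.

```python
"""Word-cloud statistics and hot/cool gradient filter modelled on the nDepth
word cloud described above. Added example; not SolarWinds code."""
import re
from collections import Counter

# Constructed sample log messages (not real data).
SAMPLE_MESSAGES = [
    "sshd: Failed password for root from 203.0.113.7 port 50122",
    "sshd: Failed password for root from 203.0.113.7 port 50123",
    "sshd: Failed password for admin from 203.0.113.7 port 50124",
    "sshd: Accepted password for alice from 192.0.2.10 port 40001",
    "sudo: alice : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx",
    "useradd: new user: name=svc_backup, UID=1007, GID=1007",
]

# Assumption: the guide does not document nDepth's tokenizer, so a "keyword
# phrase" here is a single word or a pair of adjacent words.
WORD = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]*")

# Gradient colours from hot (left) to cool (right), as on the word cloud's top bar.
COLORS = ("red", "orange", "yellow", "green", "blue")


def phrases(message):
    """Return the keyword phrases of one message, lower-cased."""
    words = [w.lower() for w in WORD.findall(message)]
    pairs = [f"{a} {b}" for a, b in zip(words, words[1:])]
    return words + pairs


def cloud_statistics(messages, top=100):
    """Return [(phrase, count, percent), ...] for the top phrases, hottest first.

    count is the number of occurrences in the reported period; percent is the
    phrase's share of all reported (top) phrases, as the tooltip shows it.
    """
    counts = Counter()
    for message in messages:
        counts.update(phrases(message))
    reported = counts.most_common(top)
    total = sum(count for _, count in reported)
    return [(phrase, count, round(100.0 * count / total, 2))
            for phrase, count in reported]


def gradient_position(rank, reported):
    """Position of the rank-th hottest phrase on the bar: 0.0 = red, 1.0 = blue."""
    if reported < 2:
        return 0.0
    return rank / (reported - 1)


def color_of(position):
    """Map a gradient position to one of the five colour bands."""
    band = min(int(position * len(COLORS)), len(COLORS) - 1)
    return COLORS[band]


def filter_cloud(stats, left=0.0, right=1.0, limit=100):
    """Apply the lower bar's sliders to the statistics.

    Phrases whose gradient position lies within [left, right] are shown. If
    more than `limit` phrases qualify, the left position is kept and the right
    position is pulled in so at most `limit` phrases show, as the guide
    describes. Returns (visible phrases, left, effective right); each visible
    phrase is (phrase, count, percent, colour).
    """
    total = len(stats)
    positioned = [(phrase, count, percent, gradient_position(rank, total))
                  for rank, (phrase, count, percent) in enumerate(stats)]
    visible = [item for item in positioned if left <= item[3] <= right]
    if len(visible) > limit:
        visible = visible[:limit]
        right = visible[-1][3]
    shown = [(phrase, count, percent, color_of(position))
             for phrase, count, percent, position in visible]
    return shown, left, right


if __name__ == "__main__":
    stats = cloud_statistics(SAMPLE_MESSAGES)
    # Hide the hot items to surface the rare "cool" phrases, which are often
    # the ones worth a second look (a new account, an unusual command).
    cool, _, _ = filter_cloud(stats, left=0.6)
    for phrase, count, percent, color in cool:
        print(f"{color:6} {count:3} {percent:6.2f}%  {phrase}")
```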

The nDepth tree map


The tree map summarizes your event activity in categories based on common event data fields. The size of
each box corresponds with the relative frequency of its occurrence. The more often a detail occurs, the
larger its box appears.

Click the tree map icon in the toolbar to open the widget.

Most categories correspond with actual event fields, as they appear in the Monitor view. When you are
working with log messages, the tree map organizes into categories based on common log message data
fields. Some data categories may not always be present. If there is no event activity associated with a
particular data category or field, it will not appear in the tree map.

The items that appear in the tree map view are the same data field categories and values listed in the
Refine Fields list at the top of the list pane. You can click an item in the tree map to select it as a
search condition. If a box is too small to show its contents, point to it to open a tooltip that displays its
contents.

RESIZE TREE MAP CATEGORIES

To maximize a category, click the maximize icon in the targeted box's toolbar. When maximized, a tree map
category can show very small items within it. If a box is too small to show its contents, you can point to it
to open a tooltip that shows its contents.

To restore a category to its proportional size, click the restore icon in the targeted box's toolbar.

EXPLORE ITEMS IN THE TREE MAP

You can use the Tree Map to explore a particular item by using the item as the basis for a new search, or
to append an existing search. Click the item you want to explore. A search string for that item appears in
the search bar. Click on the search bar. After a moment, nDepth refreshes to show the results
associated with your search.

The Result Details view


The Result Details view displays, as text, the raw data behind the graphical views. You can create or refine
searches by dragging and dropping search strings from the search data into the nDepth search box.

You can use Result Details in Events mode to view and search normalized event data found in the Monitor
view or Log Messages mode to view and search the original log message data collected and stored on the
LEM (or another dedicated nDepth appliance).

You can use your nDepth search results to refine your nDepth searches, explore event details with other
explorers, or initiate an active response to event details.

INTERPRET SEARCH RESULTS IN EVENTS MODE

Use Events mode to search all normalized event data reported in the Monitor view. This data is pulled
from the LEM appliance.

The following table describes how to interpret your data search results in Events mode.

NAME DESCRIPTION
Event number The incremented event number. Each row represents a new event.

Date and time stamp The time and date the event occurred.

Event name The name of the event that occurred.

EventInfo Additional information about the event. You can select these details to refine your
nDepth search, explore them with other explorers, or respond to them with an active
response.

INTERPRETING SEARCH RESULTS IN LOG MESSAGES MODE

In Log Messages mode, you can use nDepth to search all of the original log messages that pass through a
particular network appliance (or host). Below is an example of the nDepth Result Details view with the
original log message data.

The following table explains how to interpret search results of data in Log Messages mode.

ITEM NAME DESCRIPTION


1 Event number The incremented event number. Each row represents a new event.

2 Date and time stamp The time and date the event occurred.

3 Log message The log message that matched your search criteria.

4 Host The Manager or appliance that logged the message.

5 ToolId The actual product or tool that generated the message.

6 ToolType The SolarWinds tool category that generated the message.

Tool IDs and Tool Types match SolarWinds tool configuration categories.

ADDING SEARCH STRINGS FROM RESULT DETAILS

Use the following procedures in the Result Details view to highlight and select character strings and
create new search conditions from the data.

TO DO THIS

Selecting data

Highlight a continuous character string
  Point to the character string.

Select a continuous character string
  Point to the character string to highlight it. Click the string to select it.
  After you select a character string, an orange box surrounds the string. Every matching character
  string in the search results is selected as well.

Select a phrase (two or more character strings separated by spaces)
  Click the first character in the string, and then drag across the string to select the remaining
  content.
  After you select a character string, an orange box surrounds the string. Every matching character
  string in the search results is selected as well.

Select a data row
  Click the event number in the row. When the row is selected, an orange highlight bar appears to the
  left of the row.

Creating search conditions from Result Details data

Clear the search box to add a new search condition
  1. On the search bar, click to clear the search box.
  2. Add a new search condition by using any of the techniques in this table.

Add a search condition from Result Details data
  1. Select a character string in the data.
  2. Double-click the selected string to add it to the search box.
  Alternatively, select a character string in the data, and then drag it into the search box.

Copy and paste a character string from Result Details data into the search box
  1. Change the search bar to Text Input mode.
  2. Select a character string in the data.
  3. Copy the search string.
  4. Click the search box, and then paste the character string into the text box.

Type a search string in the search box
  1. Change the search bar to Text Input mode.
  2. Type the search string directly in the search box.

Add conditions to an existing search
  1. In the data, select the character string you want to append to the existing search conditions.
  2. Double-click the selected string or drag the string into the search box.
  Your selection is appended to the existing conditions.

USING EXPLORERS WITH RESULT DETAILS

Use the nDepth Result Details view to access additional explorers to investigate specific details that you
find in your nDepth search results.

You can select specific values and pass them to the value-based explorers (such as Whois, NSLookup,
and Traceroute). For example, you can investigate a suspicious IP address with these explorers to learn
more about that IP address.

When you view data in Events mode, each row in the search results represents the data for an individual
event. You can select the row for an event you want to explore, and then pass the row into the Event
Explorer to explore that event.

To explore details in search results:

 1. Open the Result Details view.
 2. Select the character string or row you want to explore.
Select the character string you want to investigate. When selected properly, the character string is
surrounded by an orange box.
If you are viewing data in Events mode, select the row you want to explore in the Event Explorer.
When you select a row, an orange highlight bar appears to the left of the row.
 3. Click Explore and select the explorer you want to use.
The Explore > Utilities view displays, and the system passes the selected data to your selected
explorer.
 4. Click Search or Analyze to explore the string.

Search Builder
The following table describes the main features of Search Builder.

Item Name Description

1 Undo Click to undo your last action. You can undo up to 50 steps.

  Redo Click to redo the last action. You can redo up to 50 steps.

2 Search bar Displays the current search parameters.

If the search bar is in Drag and Drop mode, it displays your configuration
search parameters, which match the parameters in the Conditions box. If the
search bar is in Text Input mode, the search bar displays the current search
parameter as a search string.

3 List pane Contains categorized lists of events, event groups, event variables, groups,
profiles, and constants you can use to create conditions for your filters. For
nDepth searches, you can only use the Refine Fields and Managers lists.

The Refine Fields list summarizes all of the primary event details from your
search results. The Managers list includes each Manager and appliance that
can be used with nDepth for searching data.

4 Histogram pane Investigates a specific time interval. Drag the left and right borders to
increase or decrease the search time line.

5 Executes the search.

6 Conditions box Defines the conditions for the data reported by the filter. Configure
conditions by dragging items from the list pane into the Conditions box.

7 Adds a new group within the group box. A group within a group is a nested
group.

Each group is subject to AND and OR relationships with the groups around it
and within it. By default, new groups appear with AND comparisons.

8 Deletes a condition, group, and any groups nested within the group.

9 Group Individual groups (and the entire Conditions box) can be expanded or
collapsed to show or hide their settings:

 • Click to expand a collapsed group.
 • Click ▼ to collapse an expanded group. The number that appears in
parentheses indicates how many conditions are contained in the
group.

After you configure a group, you can collapse it to avoid any unwanted
changes.

10 AND / OR Boolean operators that define the relationships between your search
conditions. Click the operator icon to toggle between AND and OR conditions.

The Utilities view


In this topic:

  • The Event explorer utility 542
  • The Whois explorer utility 544
  • nDepth explorer 545
  • The NSLookup explorer utility 545
  • The Traceroute explorer utility 546
  • The Flow explorer utility 546
  • Execute a Whois, NSLookup, or Traceroute task from an event or search result 546
  • Execute a blank Whois, NSLookup, or Traceroute task 547
  • Display flow data 547

The Utilities view (Explore > Utilities) provides several IT analysis utilities, including Whois, NSLookup,
Traceroute, and Flow (sFlow and NetFlow). These utilities are also available from the Explore > nDepth view
and the Monitor view.

This topic provides help for the Utilities view in the LEM console. For more information, see "Use the
explorer utilities in LEM to search or analyze nDepth query results " on page 363.

This screen capture shows the Utilities view in the LEM console:

The following table describes the key features of the Explore > Utilities view.

NAME DESCRIPTION
History pane Displays a record of your explorer viewing history. Selecting an item in the history
list displays the corresponding explorer event in the Explorer pane.

Utilities pane Displays the explorers that are currently open. You can have multiple explorers
open at the same time.

Cascade button Arranges the open explorer windows so they appear in an organized cascade.

Respond Responds to the event or event field that is the subject of the active explorer. You
can also use the Respond menu to take action even when no explorer windows are
open or active.

Explore Contains options to open the other explorers. You can explore the event message
or event field that is the subject of the active explorer or open a blank explorer to
manually enter the item you want to explore.

Explorer windows The active explorers within the Utilities pane. You can minimize, resize, and close
each explorer window, as needed.

Minimized explorers Any explorers that you have minimized appear at the bottom of the Utilities pane
as a title bar. Click a title bar to reopen that explorer.

The Event explorer utility


The Event explorer displays all events related to an event that you select in the Monitor view events grid.

You can view events that occurred before, during, and after a selected event to identify the root cause of
the event. This approach can help you visualize how an event occurred, as well as the system’s response to
that event.

When you explore an event, the console sends a request to the LEM Manager to determine which events
are related to the event. In response, the Event explorer displays the events that triggered the event, as
well as the events that resulted because of the event (such as a response or notification).

The Event explorer includes three sections: Event Details, Event Map, and Event Grid. This example shows
an event explorer that provides information about the TCPPortScan event selected in the Monitor events
grid.

EVENT DETAILS

The Event Details pane provides detailed information about the event you select in the Monitor grid.
Information about the event data fields may vary depending on the selected event type. For example,
network-oriented events display fields for IP addresses and ports, while account-oriented events display
account names and domains.

Click Event Details to open the Event Details window. Click to read the event description and to
return to the event details. If you need to research this event further, click to create a filter that displays
this event type in the Monitor view event grid. The filter will display in the Filters pane under the last
selected grid. When you complete your event review, click to move to the previous or next event in the
grid.

EVENT MAP

The Event Map displays a graphical view of the event you are exploring, as well as the triggering and
following events. This allows you to move through the entire chain of events to analyze the relationships
between each event.

Event explorer always places your selected event in the center of the map. Related prior events that
triggered your selected event display to the left. If no prior events exist, a box labeled None displays in the
map. Related events that follow the central event appear to the right. These events were caused by the
central event (such as system responses). If no events follow, a box labeled None displays. If the same
event occurs multiple times, they appear together in a box.

Events that appear in the event map can be events, rules, or commands (system responses to an event).
Each event type includes an icon that categorizes the event, as shown below.

ICON DESCRIPTION
Audit Event tree event.

Security Event tree event.

Asset Event tree event.

Incident Event tree event.

Internal Event tree event that is not related to rules or active response activity.

An internal command indicating the system is responding to an event.

Rule activity from a rule in test mode or a rule that initiated an active response.

EVENT GRID

The event grid lists all events that appear in the event map in chronological order—from the earliest event
(top) to the latest event (bottom). The grid is useful for comparing events and exploring event data.

The event grid’s Order column icons indicate when each event occurred, as shown below.

ICON DESCRIPTION
The event occurred before the central event.

The event occurred during (as part of) the central event.

The event occurred after the central event.

The Whois explorer utility


Whois explorer is a network utility that identifies the source of an IP address or domain name based on
how it is registered with domain and network authorities. This explorer contacts the central databases for
IP addresses and domain names and returns the results of any of your searches. It can tell you where
something is located physically in the world, and who actually owns the device you are trying to locate. For
example, you can use this explorer to identify who owns a domain that corresponds to the IP address that
caused a rule to fire.

The example on the left shows the results for an IP address. The example on the right shows the results
for the SolarWinds domain name, SolarWinds.com. From these results, you can find out who owns the IP
address and where the server is hosted.

Opening the Whois Explorer adds a Whois explorer icon in the History pane of the Explore view.

nDepth explorer
nDepth is a search engine that locates all event data or the original log messages that pass through a
particular LEM Manager. The log data is stored in real time as it occurs from each host (network device)
and source (application or tool) that is monitored by the LEM Manager. You can use nDepth to conduct
custom searches, investigate your search results with graphical tools, investigate event data in other
explorers, and take action on your findings.

For more information about nDepth search, see:

 • "Search normalized data using nDepth search in LEM" on page 351
 • "The nDepth view" on page 521

The NSLookup explorer utility


The NSLookup explorer is a network utility that resolves IP addresses to host names and host names to IP
addresses. Use this explorer to locate a name that corresponds to the IP address that caused the rule to
fire. For example, you can resolve yourcompany.com to an IP address.

In this example, NSLookup explorer is searching for the IP address 192.168.168.10. The explorer retrieved
the corresponding host name, which is grendel.corp.trigeo.com.

Opening the NSLookup explorer adds an NSLookup explorer icon to the History pane in the Explore
view.

The Traceroute explorer utility


Traceroute explorer is a network utility that traces network links (or hops) from your host computer to a
specific destination. Use this explorer to determine the network connections between yourself and the IP
address that caused a rule to fire.

In this example, Traceroute explorer is tracing IP address 192.168.167.1. The interface displays the hops
between your computer and the destination IP address. In this example, connecting to the IP address
required two hops.

Opening the Traceroute Explorer adds a Traceroute explorer icon in the History pane of the Explore
view.

The Flow explorer utility


Flow explorer performs flow analysis to determine which IP addresses or ports are generating or receiving
the most network traffic. Use this explorer to analyze the volume of data (in bytes or packets) transferring
to or from an IP address or port number on your network.

For example, if an unknown IP address displays at the top of the Flow explorer’s activity list, you can select
a bar on the graph or a row in the table and choose the Whois explorer from the Explore menu to identify
who owns the IP address and start investigating why it is transmitting so much data.

For more information, see "Collect and view NetFlow and sFlow data in LEM" on page 365.

Execute a Whois, NSLookup, or Traceroute task from an event or search result


 1. Locate and select the event or search result you want to explore.
 2. Click Explore and select an option in the drop-down menu.

Execute a blank Whois, NSLookup, or Traceroute task
 1. Click the Explore tab and select Utilities.
 2. Click Explore on the Utilities title bar and select a utility.
 3. Complete the form for the utility, and click Search.

Display flow data


LEM supports flow exports from both NetFlow and sFlow devices. Use the Flow Explorer in the LEM console
to view graphs, charts, and grids.

See "Collect and view NetFlow and sFlow data in LEM" on page 365 to enable flow collection and
analysis on the LEM appliance.

Common data field categories in LEM nDepth search


In this topic:

  • Common data field categories in Events Mode 547
  • Common data field categories in Log Messages mode 548

The categories in this topic frequently appear in the Refine Fields list, the Tree Map view, and the Result
Details view.

This topic provides help for the Explore > nDepth view in the LEM console. For page-level help of the
nDepth view, see "The nDepth view" on page 521.

Common data field categories in Events Mode


This table describes the data fields that are most commonly seen when working with event data.

FIELD DESCRIPTION
Event Name The name of the event.

Detection IP The network node that created the event data. The node is usually a Manager or an
Agent.

The DetectionIP is identical to the InsertionIP field, but can also be a network
device (such as a firewall or an intrusion detection system) that sends log files over a
remote logging protocol.

Inference Rule The name of the correlation that caused the event. The Inference Rule field will
generally be blank, but displays the rule name when the event is related to a rule.

Insertion IP The Manager or Agent that created the event. This is the source that first read the
log data from a file or other source.

IP Address The IP address associated with the event. This is a composite field drawn from
several different event fields. It shows all the IP addresses that appear in event data.

Manager The Manager that received the event. For data generated from an Agent, this is the
Manager connected to the Agent.

Provider SID A unique identifier for the original data. Generally, this field includes information
used in researching information on the event in the originating network device
vendor documentation.

Severity The severity (0–7) of the event.

Tool Alias The alias name that was entered when the tool was configured on the Manager or Agent.

User Name The user name associated with the event. This is a composite field, drawn from
several different event fields. It shows all the places that user names appear in event
data.

Common data field categories in Log Messages mode


This table describes the data fields that are most commonly seen when working with log messages. The
fields are listed here alphabetically.

FIELD DESCRIPTION
Host The node the log message came from (that is, the LEM or Agent that collected the
message for forwarding to nDepth).

HostFromData The originating network device (if different than the node) that the message came from.
Normally, Host and HostFromData are the same. In the case of a remote logging device
(such as a firewall) this field reports the original remote device's address.

ToolId The tool that generated the log message.

ToolType The category for the tool that generated the log message.

Build view in the LEM console
In this section:

• The Groups view 550
• The Rules view 553
• Rule Creation screen and the Rule Builder form 557
• Users view in the LEM console 568


The Groups view


In this topic:

• The Refine Results form in the Groups sidebar 551

Choose Build > Groups to open the Groups view in the LEM console. Use this screen to create and manage
groups in LEM.

This topic provides page-level help for the Groups view in the LEM console.

See also: "LEM groups: Organize data elements for use with rules and filters" on page 204

Below is an example of the Groups view.

The following table describes the meaning of each column in the Groups grid.

COLUMN DESCRIPTION
Opens a menu of commands you can perform on a selected grid item.

Type The group type.

Name The group name.

Description The group description. Pointing to this field displays the complete description as a
tooltip.

Created By The console user who created the group.

Created Date The group creation date.

Modified By The console user who last modified the group.

Modified Date The date the group was last modified.

Manager The Manager name associated to the group.

The Refine Results form in the Groups sidebar


Use the Refine Results form to search for groups. The form returns matching results in the Groups grid.
The remaining grid items are available, but hidden. To restore the hidden items, click Reset or select All in
the refinement lists you are using.

The Groups grid displays all groups associated with each Manager connected to the console. If the
same group is configured for more than one Manager, it appears in the grid multiple times—once
for each associated Manager. Use the Refine Results form to apply filters to the Groups grid to
reduce the number of displayed groups.

When you select an option in the Refine Results pane, the grid refreshes to only display items that match
your selected refinement options. The remaining items are hidden in the grid. To restore these items, click
Reset or select All in your refinement lists.

Below is an example of the Refine Results form in the sidebar.


The following table describes the Refine Results form fields.

FIELD DESCRIPTION
Reset Returns the form and the Groups grid to their default settings.

Search Performs keyword searches for specific groups. To search, enter your search text
in the text box. The grid displays only those groups that match or include your
entered text.

Type Select the group type that displays in the grid.

Manager Select a Manager to display groups associated with the Manager.

Created By Select the console user who created the group and display groups from this
user.

Created Date Range Enter or select a date range to display groups created within your date range.

Modified By Select the console user who last modified the group and display groups
modified by that user.

Modified Date Range Type or select a date range to display groups modified on or within your
selected date range.

The Rules view
In this topic:

• The Rules grid 554
• The Refine Results form in the Rules sidebar 555
• The Rule Categories & Tags pane in the Rules sidebar 556

Choose Build > Rules to open the Rules view in the LEM console. Use this screen to create and manage
rules, rule categories, and rule templates. This topic describes the Rules grid and the sidebar.

This topic provides page-level help for the Rules view in the LEM console. See also:

• "LEM rules: Automate how LEM responds to events" on page 273
• "Building custom filter and rule expressions in LEM" on page 330
• "Rule Creation screen and the Rule Builder form" on page 557

The following screen capture shows the Rules view in the LEM console.


The Rules grid


The Rules grid contains all policy rules configured for all Managers connected to the console. The Manager
column indicates which Manager each rule applies to.

By default, this view displays the rules from the Custom Rules folder in the Folders pane. If you do not
have any custom rules, click the Rules folder to list the rules included with the console.

The following table describes each column in the Rules grid.

COLUMN DESCRIPTION
Opens a drop-down with a list of commands you can perform on selected grid item.

Enabled Indicates the rule availability for use with your policies.

indicates an enabled and active rule.

indicates a disabled and inactive rule.

Test Indicates the rule test mode status.

When a rule is in test mode, the event appears in the console, but the rule cannot perform
any active responses. This lets you see how the rule would behave when it is fully
enabled, without risking any unintended consequences.

indicates the rule is in test mode.

indicates the rule is not in test mode.

You can only test an enabled rule.

Name The rule name.

Description The rule description. Pointing to this field displays the complete description as a
tooltip.

Folder The folder name (in the Folders pane) where the rule is stored.

Created By The console user who created the rule.

Created Date The date the rule was created.

Modified By The console user who last modified the rule.

Modified Date The date and time the rule was last modified.

Manager The Manager associated to the rule.

The Refine Results form in the Rules sidebar
Use the Refine Results form to search for rules and rule templates. The form returns matching results in
the Rules grid. The remaining grid items are available, but hidden. To restore the hidden items, click Reset
or select All in the refinement lists you are using.

The following table describes the fields that make up the Refine Results form in the Rules sidebar.

FIELD DESCRIPTION
Reset Click Reset to clear the form. This returns the form and the Rules grid to their
default settings.

Search Use this Search field to perform keyword searches for specific rules. To search,
type the text you want to search for in the text box. The grid displays only those
rules whose Name fields match or include the text you entered.

Enabled Select this check box to display Enabled rules only. Clear this check box to
display both Enabled and Disabled rules.

Test Select this check box to display rules that are in test mode. Clear this check box
to display rules that are in and out of test mode.

Manager Select a Manager to display all rules associated with the Manager.

Created By Select the console user who created the rule and display only rules created by
that user.

Created Date Range Type or select a date range to display rules created within that date range.

Modified By Select the console user who last modified the rule and display only rules
modified by that user.

Modified Date Range Type or select the date range to display rules that were modified on or within
that date range.

The Rule Categories & Tags pane in the Rules sidebar


Click a category to expand it and view the rules and rule templates filtered by the highlighted tag.

Rule Creation screen and the Rule Builder form
In this topic:

• Rule Creation screen 557
• The Rule Builder form 559
• The Correlations box 562
• About advanced thresholds 564
• The Actions box 566

Use the Rule Creation screen and the Rule Builder form to create or edit a rule. To open this form, choose
Build > Rules in the console, and click on the Rules toolbar.

This topic provides page-level help for the Rule Builder form in the LEM console.

For more information, see:

• "Create a new LEM rule to monitor and respond to events" on page 284
• "Get started building custom rule expressions in LEM" on page 342

Rule Creation screen


The following table describes the key features of the Rule Creation screen.

NAME DESCRIPTION
The "Back to Rules Listing" button Hides Rule Creation and returns to the Rules grid. Rule Creation remains open
in the background so you can return to it to continue working on your rules.

In the Rules grid, clicking Back to Rule Creation returns you to Rule Creation.

The Rule Creation sidebar (also called the List pane) Contains categorized lists of the components you can use
when configuring policy rules.

• To view the contents of a component list, click its title bar.
• To add a component to a rule, select it from its list and then drag it into the appropriate correlation box.

The Rule Builder form (also called the Rule window) The working area where you name, describe, configure, edit,
test, verify, and enable each rule.

You can have multiple rule windows open at the same time. You can also minimize, maximize, resize, and close
each window, as needed.

Minimized rule window bar Stores minimized Rule Builder forms at the bottom of the Rule Creation screen. Each
minimized form shows the name of its rule. Click a minimized rule to open the rule in the Rule Creation screen.

The Rule Builder form

The following table describes each key feature and field of a rule window.

ITEM NAME DESCRIPTION


Title bar Each rule you create or edit appears in its own configuration
window. Upon naming a rule, the window’s title bar displays
the name of the rule. You can also use the title bar to
minimize, maximize, and resize rule window. Minimized rule
windows appear at the bottom of the Rule Creation pane.

Name Type a name for the rule.

on When creating a new rule, use this list to select which Manager the rule is to be
associated with. When editing a rule, this field displays which Manager the rule is
associated with.



Tags Click Add Tags to select categories and tags to add to the
rule. Tags make it easier to categorize and find rules. For
example, if you want a rule to appear in several different
categories, select the corresponding tags.

Description Type a description of what the rule does, or the situation for
which the rule is intended.

If the description extends beyond the visible area of the text box, a larger
text box appears, so you can type a detailed description of the rule, its
logic, its expected behavior, and its active response. When you are done
typing, either press Tab or click anywhere outside the text box to close it.

Enable Select this check box to enable the rule. Clear this check box
to disable the rule.

Test Select this check box to place the rule in test mode. Clear
this check box to take the rule out of test mode.

You must enable a rule before you can test it.

Subscribe Use this list to select which Console users are to subscribe to
the rule. The system notifies the subscribing users' Consoles each time one
of the subscribed-to rules triggers an alert. The alerts appear in their
alert grid.

Rule Status The Rule Status bar lists warnings and error messages about
your rule's current configuration logic.

• Click > to view a list of warning and error messages.
• Click a message flag to display detailed information about the nature of that problem.
• Click a message to highlight the specific area or field that is the source of that problem.

Correlations Use the Correlations box to configure correlations between groups of alert
events. You can coordinate multiple alert events into a set of conditions that will prompt
the Manager to issue a particular active response.

You set up correlations by dragging items from the Events and Event Groups lists into this
box, and then setting the specific conditions for the alert that are to prompt action.

The Correlations connector bar lets you group alert conditions, and determine if they must
all apply (an AND correlation) or if any of them may apply (an OR correlation) to prompt a
response.

Correlation Time Use the Correlation Time box to establish the allowable frequency and
time span in which the correlation events must occur before the rule applies.

The Advanced section lets you define an alert event threshold and the re-inference period
for the threshold. The threshold tells the Manager which specific fields to monitor to
determine if a valid alert event has occurred (i.e., when to "count" the alert).

The Advanced section also lets you define a Response Window, which lets the rule ignore any
events that occur outside (past or future) of the established period.

Actions Use the Actions box to dictate which actions the rule is to
execute when the events described in the Correlations and
Correlation Time boxes occur. Examples of actions include
sending an email message to your system administrator, or
blocking an IP address.

Undo/Redo Click the Undo button to undo your last desktop action. You
can click the Undo button repeatedly to undo up to 20 steps.

Click the Redo button to redo a step that you have undone. You can click
the Redo button repeatedly to redo up to 20 steps.

You can only use Undo or Redo for steps you made since the last time you
clicked Apply.

Save/Cancel/Apply Use these commands to save or cancel your work:

• Click Save to save your changes to a rule and close the rule window.
• Click the Cancel button to cancel any changes you have made to a rule since the last
time you clicked Save, and close the rule window. If you have any unsaved changes, the
system will prompt you to save or discard them.
• Click Apply to save your changes to a rule, but keep the rule window open so you can
continue working. You can click Apply at any time.

The Correlations box


To create a rule, you drag items from the list pane into the rule window’s Correlations box to configure the
relationships (or correlations) that define the rule. These correlations define the events that must occur for
the rule to take effect.

Creating rule correlations is a lot like configuring conditions for custom filters, so the Correlations box in
Rule Creation behaves a lot like the Conditions box in Filter Creation. The following table describes each
item shown in the Correlations box, above.

NAME DESCRIPTION
► / ▼ Groups can be expanded or collapsed to show or hide their settings:

• Click ► to expand a collapsed group.
• Click ▼ to collapse an expanded group.

Once a group is configured properly, you may want to collapse it to avoid accidentally
changing it.

This is the Group button. It appears at the top of every group box. Click it to create a new
group within the group box. A group within a group is called a nested group. You may then
drag alert variables and other items from the list pane into the nested group box.

By using nested groups, you can refine correlations by combining or comparing one group of
correlations to another to create the logic for complex correlations.

Each group is subject to AND and OR relationships with the groups around it and within it.
By default, new groups appear with AND comparisons.

This is the Threshold button, which opens the Threshold form for a group. The Threshold
form is described below.

This is the Delete button. It appears at the top of every Group box and every correlation.
Click this button to delete a correlation or a particular group. Deleting a group also deletes
any groups that are nested within that group.

Event variable From the Events, Event Groups, or Fields list, drag an alert, Event Group, or alert field into
the Correlations box. This is called the alert variable. A rule can have multiple alerts and Event Groups
in its correlation configuration.

You can think of an alert variable as the subject of each group of correlations. As alerts
stream through the Manager, the rule analyzes the values associated with each alert
variable to determine if the alert meets the rule’s conditions. If so, the Manager either
initiates an active response, or stores the alert for comparison with other alerts that may
occur within the rule's allotted time frame.

Operators Whenever you drag a list item or a field next to alert variable, an operator icon appears
between them. The operator states how the filter is to compare the alert variable to the
other item to determine if the alert meets the rule’s conditions.

• Click an operator to cycle through the various operators that are available for that
comparison. Just keep clicking until you see the operator you want to use.
• Ctrl+click an operator to view all of the operators that are available for that
comparison. Then click to select the specific operator you want to use.

List item List items are the various non-alert items from the list pane. You drag and drop them into
groups to define rule correlations based on your Time Of Day Sets, Connector Profiles, User-
Defined Groups, Constants, etc.

Some alert variables automatically add a blank Constant as their list item. You can overwrite
the Constant with another list item, or you can click the Constant to type or select a specific
value for the constant.

Note that each list item has an icon that corresponds to the list it came from. These icons let
you quickly identify what kinds of items are defining your rule's correlations.

Threshold The Threshold section lets you define a threshold for the correlations in a Group box. You
can think of a threshold as a correlation frequency for the grouping; that is, the number of
times the events defined by the group must occur within a specified period before the rule
takes effect.

A group threshold behaves exactly like the threshold in the Correlation Time box.

This is the Set Advanced Threshold button. Whenever a group threshold’s number of Events
within [time] is greater than 1, this button becomes enabled so you can open the Set
Advanced Thresholds form. This form lets you specify advanced threshold fields and define
an advanced response window for the alert fields within the grouping.

AND / OR Rule correlations and groups of correlations are subject to AND and OR comparisons. If you
click an AND operator, it changes to an OR, and vice versa.

About advanced thresholds


Whenever a group threshold or the "Events within" box in the "Correlation Time" form has a value greater
than 1, the Set Advanced Thresholds icon is enabled. This icon opens the Set Advanced Thresholds form
so you can define an alert event threshold and the re-inference period for that threshold. The threshold
tells the Manager which specific alert fields to monitor to determine if a valid alert event has occurred
(such as when to count the alert).

For example, threshold event x must occur multiple times on the same destination computer with the
frequency defined in the Correlation Time box. Another example is threshold event y must occur on
different destination computers with the frequency defined in the Correlation Time box. When the
threshold event counter increases to the number displayed in the Events box, the threshold becomes true
and triggers the next set of conditions in the rule.

To open the form, click in the Correlations box on the nested group you want to work with.

SET AN ADVANCED THRESHOLD

 1. Click the Set Advanced Thresholds icon to open the Set Advanced Thresholds form. See "About
advanced thresholds" above for help.
 2. Select the Re-Infer (TOT) check box if you want to define a second threshold. Use the adjacent fields
to type or select the threshold time interval and unit of measure.
The Re-Infer (TOT) option defines the period that an alert must remain above the threshold before
the system issues a new notification and/or active response.
For example, an alert exceeded the threshold and the Re-Infer (TOT) period for the alert is 1 hour. If
the alert stays above the threshold for more than 1 hour, the system will issue an additional
notification or active response at the end of 1 hour.

ADD A THRESHOLD FIELD

 1. Click the Set Advanced Thresholds icon to open the Set Advanced Thresholds form. See "About
advanced thresholds" on the previous page for help.
 2. At the bottom of the form, click Add.
The Available Fields pane has two boxes. The top box lists all of the alerts applied to the correlations
box. The bottom box lists the alert fields associated with the alert that is currently selected in the top
box.
 3. In the top Available Fields box, select an alert. The fields associated with that alert appear in the
lower Available Fields box.
 4. In the lower Available Fields box, select the alert field used to define the alert threshold.
 5. Click the Select Modifier drop-down menu and select an option.
Select Same if the threshold will be defined by the selected field being the same multiple times.
Select Distinct if the threshold will be defined by the selected field being different each time.
 6. Click to display the field and its modifier in the Selected Fields grid.
 7. Repeat steps 2 through 6 for any additional threshold fields.
 8. Click OK to save the fields to the threshold and close the form.
These fields raise the threshold for the correlation event and its active response to occur.

EDIT A THRESHOLD FIELD

You cannot actually edit a threshold field. Instead, you must delete it, and then replace it with a corrected
field configuration.

To replace a threshold field:

 1. Click the Set Advanced Thresholds icon to open the advanced threshold you want to work with.
See "About advanced thresholds" on the previous page for help.
 2. In the Selected Fields list, click to remove the field you want to change.
 3. In the Available Fields list, select the appropriate alert, and then the alert field.
 4. In the Select Modifier list, select the new modifier for the field (Same or Distinct).
 5. Click to display the corrected field and its modifier in the Selected Fields box.
The corrected field and its modifier appear in the Selected Fields box.
 6. Click OK to close the form.

DELETE A THRESHOLD FIELD

 1. Click to open the advanced threshold you want to work with.
 2. In the Selected Fields list, select the field you want to delete.
 3. Click to remove the threshold field from the Selected Fields list.
 4. Click OK to close the form.
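The following Python model is an added example (not SolarWinds code) of the advanced-threshold semantics described above: the group's "Events within [time]" count, threshold fields with Same or Distinct modifiers, and the Re-Infer (TOT) period. The field names, sample alerts, and the assumption that a threshold fires once per crossing when no Re-Infer period is set are constructed for the example.

```python
"""Model of a LEM-style advanced threshold (added example, not SolarWinds code).

Semantics modelled from the guide: a group threshold is true when "Events within
[time]" alerts are counted inside a sliding window; Same fields must match across
the counted alerts and Distinct fields must differ each time; the Re-Infer (TOT)
period is how long the alert must stay above the threshold before a further
notification or active response is issued. Assumption: without a Re-Infer period
the threshold fires once per crossing.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ThresholdField:
    """One row of the Selected Fields grid: an alert field and its modifier."""
    name: str
    modifier: str  # "Same" or "Distinct"

    def __post_init__(self) -> None:
        if self.modifier not in ("Same", "Distinct"):
            raise ValueError(f"unknown modifier: {self.modifier!r}")


@dataclass(frozen=True)
class AdvancedThreshold:
    """Contents of the Set Advanced Thresholds form."""
    events: int                              # "Events within" count
    window_seconds: float                    # the [time] part of the threshold
    fields: Tuple[ThresholdField, ...]       # Selected Fields grid
    reinfer_seconds: Optional[float] = None  # Re-Infer (TOT); None = not set


class ThresholdEvaluator:
    """Feeds alerts through one group threshold and reports when it fires."""

    def __init__(self, threshold: AdvancedThreshold) -> None:
        self.t = threshold
        # Alerts are bucketed by the values of their Same fields; each bucket
        # holds (time, values of the Distinct fields) for alerts in the window.
        self._buckets: Dict[tuple, Deque[Tuple[float, tuple]]] = defaultdict(deque)
        self._last_fired: Dict[tuple, float] = {}

    def _keys(self, alert: dict) -> Tuple[tuple, tuple]:
        same = tuple(alert.get(f.name) for f in self.t.fields if f.modifier == "Same")
        distinct = tuple(alert.get(f.name) for f in self.t.fields if f.modifier == "Distinct")
        return same, distinct

    def observe(self, alert: dict) -> bool:
        """Count one alert; return True when the threshold fires or re-infers."""
        now = float(alert["time"])
        same, distinct = self._keys(alert)
        bucket = self._buckets[same]
        bucket.append((now, distinct))
        while bucket and now - bucket[0][0] > self.t.window_seconds:
            bucket.popleft()  # aged out of the window
        if any(f.modifier == "Distinct" for f in self.t.fields):
            count = len({d for _, d in bucket})  # only differing values count
        else:
            count = len(bucket)
        if count < self.t.events:
            self._last_fired.pop(same, None)  # below again: next crossing is fresh
            return False
        last = self._last_fired.get(same)
        if last is None:
            self._last_fired[same] = now
            return True
        if self.t.reinfer_seconds is not None and now - last >= self.t.reinfer_seconds:
            self._last_fired[same] = now  # still above threshold: re-infer
            return True
        return False


def run_demo() -> List[bool]:
    """3 alerts within 60 s from the Same source against Distinct destinations."""
    rule = AdvancedThreshold(
        events=3, window_seconds=60,
        fields=(ThresholdField("SourceMachine", "Same"),
                ThresholdField("DestinationMachine", "Distinct")),
        reinfer_seconds=3600)
    evaluator = ThresholdEvaluator(rule)
    # Constructed sample alerts; field names are illustrative, not LEM's schema.
    alerts = [
        {"time": 0, "SourceMachine": "10.0.0.5", "DestinationMachine": "srv-a"},
        {"time": 10, "SourceMachine": "10.0.0.5", "DestinationMachine": "srv-a"},  # repeat dest
        {"time": 20, "SourceMachine": "10.0.0.5", "DestinationMachine": "srv-b"},
        {"time": 25, "SourceMachine": "10.0.0.9", "DestinationMachine": "srv-c"},  # other source
        {"time": 30, "SourceMachine": "10.0.0.5", "DestinationMachine": "srv-c"},  # third distinct: fires
        {"time": 40, "SourceMachine": "10.0.0.5", "DestinationMachine": "srv-d"},  # within Re-Infer
    ]
    return [evaluator.observe(a) for a in alerts]


if __name__ == "__main__":
    print(run_demo())  # [False, False, False, False, True, False]
```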


The Actions box


Use the Actions box to define the action response that LEM should execute when the correlation events
specified by the rule occur. You can assign more than one action to a rule. For example, you can shut
down an Agent and then notify your system administrator of the event through email.

The Actions box fields indicate where the action is performed, what the action does, and who receives the
action. For example, if you want a rule to disable a user, you can select Disable Domain User Account. To
apply the action, specify which account you want to disable and where you want to disable it (that is, which
Agent).

USING CONSTANTS AND FIELDS TO MAKE ACTIONS FLEXIBLE

When configuring an action, you can assign constants that define fixed parameters for a rule or alert fields
from the alerts in the Correlations box. Fields determine the rule parameters when some degree of
flexibility is required. Constants and fields are useful, but fields provide actions with a great deal of
flexibility.

For example, if you have two network users named Bob and Jane, you can disable Bob’s user account and
assign a constant to the rule that explicitly represents Bob’s account. However, this limits the rule to Bob's
account.

If you assign a field to the rule, the rule can be interpreted as follows: When user activity meets the
conditions in the Correlations box to prompt the Disable Domain User Account action, use the
UserDisable.SourceAccount field in the alert to determine which user account to disable.

If Bob triggered the rule, the Manager disables Bob’s account. But if Jane also triggers the rule, the
Manager can disable her account as well.

CONFIGURING ACTIONS FOR A RULE

 1. In the list pane, click the Actions list.


 2. Select and drag an action to the Actions box.

The top left of the Actions box shows the name of the action that will execute. In most cases, the
Actions form prompts you for specific parameters about the computer, IP address, port, alert, user,
and so on that receives the action.

 3. Use the list pane to assign the appropriate alert field or constant to each parameter.
 a. In the Events or Event Groups lists, select and drag an alert field to the appropriate parameter
box in the Actions form.
 b. (Optional) Select and drag a constant from the Constants lists to the parameter box in the
Actions form. Typically, you will select a text constant.
 c. Double-click the parameter box to edit the constant.
 4. Click Save to save your changes.


Users view in the LEM console


In this topic:

• Users view main page elements 569
• The Users grid 570
• The Refine Results form 570
• The "User Information for" form 571
• The Privileges screen 572

Choose Build > Users in the LEM console to open the Users view. Use this view to manage LEM user system
accounts.

This topic provides page-level help for the Users view in the LEM console.

See also: "Managing users in LEM" on page 99

The following screen capture shows the Users view in the LEM console.

Users view main page elements
This section describes the main elements on the Users view page.

NAME DESCRIPTION
Refine Results Filters the Users grid based on your selections.

Users grid Displays all users associated with each Manager throughout your network.

Click to add a user or import a user from Active Directory.

User Information for: Displays information about the user selected in the Users grid. The form is
read-only unless you are adding or editing a user.


The Users grid


By default, the Users grid displays all users configured for all Managers monitored by the console. Use the
Refine Results form to filter the contents of the grid.

COLUMN DESCRIPTION
Click to edit or delete the user account.

Status The user login status. Indicates if the user is currently logged in to the console.

indicates the user is logged in to the console.

indicates the user is not logged in to the console.

User/Group Name The account name used to log in to LEM Manager.

Type Indicates if the user account is a local LEM user account, or a Directory Service (DS)
account that is synchronized with Active Directory.

First Name The user's first name.

Last Name The user's last name.

LEM Role The LEM role type assigned to the user. There are six role types: Administrator,
Auditor, Monitor, Contact, Guest, and Reports.

Description A brief description of the user’s job function or responsibility.

Manager The LEM Manager where the user account is located.

Last Login Timestamp showing the time and date that the user last logged in to the system.

The Refine Results form


By default, the Users grid shows all users across all LEM Managers. Use the Refine Results sidebar to limit
the number of users displayed in the grid.

FIELD DESCRIPTION
Reset Click to return the grid and the form to their default settings.

Manager Select a LEM Manager instance to view only the user accounts located on the
selected instance.

LEM Role Select a role type to view only users that match that role type. By default, the grid
displays results for all LEM role types.

Last Login Date Range Enter a start date and end date to view users who last logged in during the
specified date range.

The "User Information for" form

FIELD DESCRIPTION
User Name Enter a user account name. You cannot use admin_role, audit_role, or reports_role
for the user name.

First Name Enter the user's first name.

Last Name Enter the user's last name.

Password Enter a user password to access the Manager. This can be an initial system password or a
temporary password that is assigned to replace a forgotten password.

If you are creating a Contact user, a password is not required.

If the Must Meet Complexity Requirements check box is selected in the Manage >
Appliance > Properties > Settings tab, the console enforces the following policy:

• Passwords must have a minimum of six characters. Spaces are not allowed.
• Passwords must have two of the following three attributes: at least one special
character, at least one number, and a mix of lowercase and uppercase letters.

Confirm Password Enter the password again.

LEM Role Select a LEM role for this user.

• Administrator has full access to the system, and can view and modify everything.
• Auditor has extensive view rights to the system, but cannot modify anything other
than their own filters.
• Monitor can access the console, cannot view or modify anything, and must be
provided a set of filters. See "Specify the filters that users assigned the Monitor role
can use in the LEM console" on page 129 for steps.
• Contact cannot access the console, but can receive external notification.
• Guest has extensive view rights to the system, but cannot modify anything other
than their own filters.
• Reports cannot log in to the LEM console, but can log in to the LEM reports
application. This role can access the LEM database over a secure channel if TLS
encryption is enabled. See "Enable transport layer security (TLS) in the LEM reports
application" on page 78 for details.

View Role Click to open the role privileges assigned to the new user. Role privileges cannot be
changed.

Description Type a brief description (up to 50 characters). For example, provide the user title, position,
or area of responsibility.

Contact Information Enter an email address. LEM Manager notifies users by email about network security
events. You can add as many email addresses as required.

 1. Type an email address and click to add the address to the Contact Information
box. Use the following format:
username@example.com
 2. Click Save, and then click to send a test email to the email address.
 3. Verify that the user received the email test message.
If the message was not received, edit the email address or adjust the email
connector settings in the manager.
 4. Repeat these steps to add additional email addresses.

The Privileges screen

The Privileges screen provides details about the access, modify, and audit rights that are granted to each
LEM role type. This information is read-only and cannot be changed. See also "View the system privileges
associated with a role" on page 106.

Manage view in the LEM console
Manage view provides details about your LEM installation and lets you manage LEM VMs and nodes.

In this section:

 • The Appliances view 573
 • Nodes view 595

The Appliances view

In this topic:

 • The Appliances main view 575
 • The "Connect to SolarWinds Log & Event Manager Appliance" form 580
 • The "Configure your SolarWinds Log & Event Manager Appliance" form 581
 • The Connector Configuration form 581
 • The Event Distribution Policy form 594

Use the Manage > Appliances view to add and manage LEM VMs, legacy appliances, and global settings.

This topic provides page-level help for the Appliances view in the LEM console. See also "LEM set-up,
configuration, and maintenance" on page 30.


The following screen capture shows the Appliances view in the LEM console.

Tasks that you can perform using this view include:

 l Connecting to (or disconnecting from) a particular LEM Manager.
 l Adding a LEM Manager’s Agents.
 l Configuring rules, policies, and network security connectors that apply to each Manager.

Commands in the Appliances view can take a while to execute, because they must remotely access
the Manager or network appliance.

The Appliances view is primarily concerned with managing LEM Managers. Customers with large
LEM installations that include older LEM appliances may also see other components in the
appliance list, including:

 l Database servers
 l Logging servers
 l Network sensors
 l nDepth servers

The Appliances main view
The following tables describe the Manage > Appliances view UI elements.

THE APPLIANCES MENU BAR

NAME DESCRIPTION
Adds a new Manager or network appliance to the console.

Displays a drop-down menu to copy, import, or export user settings. You can copy
grid information about your Manager and paste it to a Microsoft Excel spreadsheet
for analysis or to the Remote Agent installer for updates.

THE APPLIANCES GRID

The following table describes the columns and selections in the Appliances grid.

COLUMN DESCRIPTION
Displays a list of commands you can perform on the appliance.

When you select a Manager in the grid, use Logout, Configure, and Connectors for
connecting products to the appliance. Select Policy for assigning an event
distribution policy.

Status Displays the connection status of the appliance.

indicates connected and logged in.

indicates disconnected and logged off.

Name Displays the name of the Manager or appliance.

Type Describes the type of appliance as a Manager, database, logging server, or network
sensor.

Version Displays the LEM Manager software version.

Platform Displays the Manager platform name. The platform can be Trigeo SIM, VMware
vSphere, or Microsoft HyperV.

IP Address Displays the IP address of the Manager or appliance.

Port Displays the port number used by the console to communicate with the Manager,
network appliance, or database.

Connectors Update Enabled Indicates whether the appliance connectors are configured for automatic
updates. If the icon is green, LEM automatically updates its connectors whenever SolarWinds releases a
connector update. If the icon is gray, automatic connector updates are inactive and must be turned on.

User Displays the user currently logged on to the Manager.

To automatically apply connector updates and manually apply individual connector updates, use
the Connector Updates menu at the top right of the Appliance grid.

THE DETAILS PANE

The Details pane displays essential information about a LEM VM or appliance, including the VM's name,
connection status, and IP address.

FIELD DESCRIPTION
Platform Displays the name of the Manager platform (VMware vSphere, Microsoft
HyperV, or Trigeo SIM).

CPU Reservation Displays the CPU space reservation. Reserving CPU space ensures you have
adequate resources available for the allocated CPUs.

Number of CPUs Displays the number of CPUs allocated to this LEM Manager.

Memory Allocation Displays the amount of memory allocated to this LEM Manager.

Memory Reservation Displays the amount of memory reserved for this system. Reserving memory
ensures enough system memory is available when needed.

Status Displays the LEM Manager or LEM appliance connection status.

Name Displays the LEM Manager or LEM appliance name.

Type Displays the appliance type: Manager, Database Server, nDepth, Logging
Server, or Network Sensor.

Version Displays the LEM Manager's software version.

IP Address Displays the LEM Manager or LEM appliance IP address.

Port Displays the port number used by the console to communicate with the LEM
Manager or LEM appliance.

THE PROPERTIES PANE

The properties pane consists of the Login, License, and Settings tabs.

The Properties pane is only used to configure LEM Manager settings. It is not active if you select
another type of LEM VM in the Appliances grid.

THE LOGIN TAB

FIELD DESCRIPTION
Username Enter the user name to log in with if configuring the console to log in automatically.

Password Enter the password if configuring the console to log in automatically.

Leave this field empty if you want the console to prompt for a password when
logging in.

Login Automatically Next Time Automatically log in to the Manager when you open the console. Clear
this check box if you prefer to log in manually.

Save Credentials Enable the console to save the LEM Manager user name and password locally. If the
Login Automatically Next Time check box is selected, the console automatically logs on to the Manager
when the console is started. Otherwise, the console automatically provides the user name and password
when you manually log in to the Manager.

Reconnect on disconnection / Try to reconnect every n seconds Enable the console to reconnect with
the LEM Manager when the Manager is disconnected for any reason.

Timeout reconnection attempts after n tries Select to have the console stop its reconnection attempts
with the LEM Manager after the given number of unsuccessful tries.


THE LICENSE TAB

The License tab summarizes your available and allocated licenses, and activates your SolarWinds LEM
license.

FIELD DESCRIPTION
Total Nodes Displays the total number of nodes allowed by your SolarWinds LEM license.

Total Unused Nodes Displays the number of unallocated nodes.

Total Agent Nodes Displays the number of nodes allocated to LEM agent devices (such as workstations
or servers).

Total Non-Agent Nodes Displays the number of nodes allocated to non-agent devices (such as firewalls
and switches).

Maintenance Expiration Date Displays the date your current maintenance contract with SolarWinds
Support expires.

THE SETTINGS TAB

The Settings tab defines the LEM Manager password policy settings and the global automatic update
settings. Global automatic updates allow the LEM Manager to automatically send software updates to
Agents as new software becomes available.

FIELD DESCRIPTION
Password Policy

Minimum Password Length Enter or select the minimum number of required password characters.
Passwords must have at least six characters, but no more than 40
characters.

Must meet complexity requirements Select this check box if passwords must meet the following
complexity requirements:

 l Passwords must not match or contain part of the user’s user name.
 l Passwords must be at least six characters long.
 l Passwords must contain characters from three of the following four categories:
  n English uppercase characters (A through Z).
  n English lowercase characters (a through z).
  n Base 10 digits (0 through 9).
  n Non-alphanumeric characters (!, $, #, %, ^, etc.).

Remote Updates

Enable Global Automatic Updates Select this check box to enable a LEM Manager to update its qualifying
Agents with the latest software updates. Clear this check box to disable this feature.

Each Agent is also controlled by its Automatic Update settings on the Agents grid. The Agent Automatic
Updates setting is disabled if you select the Enable Global Automatic Updates check box.

Maximum Concurrent Updates Select how many Agents the LEM Manager can update at one time. The
default value is 10.

If the number of Agents that require updates is greater than the value
you entered in this field, the remaining Agents are queued for updates
when an update slot is available.

Explorer Command Agent

Current Default Agent Select the default Agent for performing SolarWinds explorer functions,
such as NSLookup and Whois. For best results, choose an Agent that is
normally online and will return the expected results.

Connection Requests

Minutes Set the value for the amount of time before a timeout request is initiated.

Seconds Set the value for the amount of time before a timeout request is initiated.

SolarWinds Improvement Program

Email Address Enter your email address.

Send usage statistics to SolarWinds to help us improve our products Select this check box to send
statistics to SolarWinds.

Threat Intelligence

Allow LEM to detect threats based on list of bad IP addresses This check box is active by default. Threat
intelligence identifies events as threats by matching event IP information against a list of known bad IP
addresses.

Only administrators have permissions to enable or disable the threat intelligence feed. Disabling
and reenabling the threat intelligence feed forces a threat intelligence update and creates an
InternalAudit event. Restarting LEM also forces the threat intelligence feed to update.
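The password rules from the Settings tab above (minimum length between 6 and 40, no match with or part of the user name, three of four character categories) are written out below as a checker. This is an added example, not LEM's own code; how LEM interprets "part of the user name" is not stated on the page, so the example assumes any run of three or more consecutive characters of the user name.

```python
"""Password-policy check modelled on the LEM Settings tab rules (added example, not LEM code).

Rules taken from the Settings tab description:
  * length between the configured Minimum Password Length (6 to 40) and 40 characters
  * when complexity is required: must not match or contain part of the user name,
    and must use three of the four character categories.
"""
import string


def category_count(password: str) -> int:
    """Count how many of the four character categories the password uses."""
    cats = (
        any(c in string.ascii_uppercase for c in password),                   # A through Z
        any(c in string.ascii_lowercase for c in password),                   # a through z
        any(c in string.digits for c in password),                            # 0 through 9
        any(c not in string.ascii_letters + string.digits for c in password),  # non-alphanumeric
    )
    return sum(cats)


def shares_username_part(password: str, username: str, min_run: int = 3) -> bool:
    """True if the password matches the user name or contains a piece of it.

    Assumption (not defined on the page): "part of the user name" means any run of
    min_run or more consecutive characters of the user name, compared case-insensitively.
    """
    pw, user = password.lower(), username.lower()
    if not user:
        return False
    if pw == user or user in pw:
        return True
    return any(user[i:i + min_run] in pw for i in range(len(user) - min_run + 1))


def check_password(password: str, username: str, min_length: int = 6,
                   require_complexity: bool = True) -> list:
    """Return a list of policy violations; an empty list means the password is accepted."""
    if not 6 <= min_length <= 40:
        raise ValueError("Minimum Password Length must be between 6 and 40")
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than the minimum of {min_length} characters")
    if len(password) > 40:
        problems.append("longer than the maximum of 40 characters")
    if require_complexity:
        if shares_username_part(password, username):
            problems.append("matches or contains part of the user name")
        if category_count(password) < 3:
            problems.append("uses fewer than three of the four character categories")
    return problems


if __name__ == "__main__":
    # Constructed sample credentials, not values from the page.
    for pw, user in [("Tr0ub4dor!", "jsmith"), ("jsmith2024!", "jsmith"), ("password1", "alice")]:
        print(f"{pw!r} for {user!r}: {check_password(pw, user) or 'accepted'}")
```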

The "Connect to SolarWinds Log & Event Manager Appliance" form

FIELD DESCRIPTION
Name or IP Enter the LEM VM name or IP address.

Username Enter the user name to log in with.

Password Enter the password for the account.

Login on console startup Select to automatically log in to LEM when the console is started.

Save Credentials Select to save the login user name and password.

Appliance Type Select the appropriate LEM Manager or server.

Connection Port Enter the port number used by the console to communicate with the Manager, network
appliance, or database.

The secure port number is 8443. This value defaults to 8080 for virtual appliances in the
evaluation phase. This field only applies when the Appliance Type is Manager.

Model Select "Virtual" if LEM is deployed as a VM, or select the appropriate appliance model
(applies to older versions of LEM).

If you don't know the model type, select Unknown. If your model type does not appear in
the drop-down list, select Other. Your selection will not impact Manager operations. If you
selected a listed model type, an image of the appliance displays in the Details pane.

Level This option does not apply if LEM is deployed as a VM. If you are adding a physical
appliance, select the appliance level. This value is related to the appliance capacity and
performance. If you are not sure which level to choose, select Unknown.

Service Tag Enter the LEM appliance serial or registration number. This number uniquely identifies this
piece of equipment and its specific configuration properties.

Icon Color Select the desired color for your icon.

See also:

 l "Add another LEM VM or appliance to the console" on page 53

The "Configure your SolarWinds Log & Event Manager Appliance" form
See "The "Connect to SolarWinds Log & Event Manager Appliance" form" on the previous page for help.

The Connector Configuration form

The following table describes the key features of the Connector Configuration form.

NAME DESCRIPTION
Sidebar button Shows or hides the Refine Results pane.

Refine Results pane Displays all supported products. You can apply filters to the grid to reduce the
number of displayed products and show only those products configured for use with this Agent. You can
also filter by a particular product category or status (Running or Stopped).

Connectors grid The Connectors grid lists all of the sensor and actor connectors that are available to
each Agent. These connectors are what allow LEM to monitor and interact with your network security
products and devices.

Connectors are organized by category and product name. Each connector is named after
the third-party product it is designed to configure for use with LEM.

Click this button to create a new connector instance for the sensor or actor that is currently selected in
the Connectors grid.

Properties pane This pane displays detailed information about the connector that is currently selected
in the Connectors grid.

 l If the connector is not configured, this pane displays a description of the connector.
 l If the connector is configured, this pane displays the configuration settings as read-
only information.

Whenever you add or edit a connector, this pane turns into an editable form for recording the
configuration settings.

CONNECTORS GRID COLUMNS

The following table briefly describes the meaning of each column in the Connector Configuration form’s
Connectors grid.

COLUMN DESCRIPTION
The gear button opens a menu of commands that apply to the connector that is currently
selected in the grid.

Status Shows the connector’s current connection status:

indicates the connector is connected and running.

indicates the connector is disconnected and not running.

Category The high-level connector category, such as anti-virus connectors, firewall connectors,
operating system connectors, etc.

Name The actor, sensor, or connector instance name. Typically, connectors are named after the
third-party products they are designed to configure for use with LEM.

THE CONNECTORS GRID ICONS

The following table describes the icons used in the Connector Configuration utility’s node tree.

ICON DESCRIPTION
A blue connector icon represents a sensor for a particular product. The sensor displays the name
of the product it is designed to monitor.

Each connector instance (or alias) that is currently configured to monitor that product is listed
below the connector. If no connector instances are listed, it means the product, on this Agent
computer, has not been configured for use with LEM.

Whenever you select a sensor in the grid, the lower pane displays the connector’s name and a
description of the sensor, when available.

The orange connector icon represents an actor for a product that can perform an active response.
The actor displays the name of the product it is designed to interact with.

Each connector instance (or alias) that is currently configured to initiate an active response on that
product is listed below the connector. If no connector instances are listed, it means the product, on
this Agent computer, has not been configured for use with LEM.

Whenever you select an actor in the grid, the lower pane displays the connector’s name and a
description of the actor, when available.

This icon represents a configured instance of a sensor connector. Each sensor can have more than
one instance, where each configuration is identified by a different name, called an alias. In the
grid, each configured connector instance appears below its connector.

Whenever you select a sensor connector instance in the grid, the lower pane displays the sensor
connector’s name, and the connector instance’s name (or alias) and configuration settings. The
Status column displays each instance’s current status—Stopped ( ) or Running ( ).

This icon represents a configured instance of an actor connector. Each actor can have more than
one instance, where each configuration is identified by a different name, called an alias. In the
grid, each configured connector instance appears below its connector.

Whenever you select an actor connector instance in the grid, the lower pane displays the actor
connector’s name, and the connector instance’s name (or alias) and configuration settings. The
Status column displays each instance’s current status—Stopped ( ) or Running ( ).


REFINING THE CONNECTORS GRID

By default, the Connectors grid shows every connector (sensor and actor) that can be configured for use
with a particular Agent or Manager. To help you work more efficiently with a long list of connectors, the
Refine Results pane lets you apply filters to the Connectors grid to reduce the number of connectors it
shows.

When you select options in the Refine Results pane, the Connectors grid refreshes to show only those
sensors and actors that match the options you have selected. The other connectors are still there; however,
they are hidden. To restore them to the grid, click the Reset button or select All in the refinement lists you
are using.

The following table explains how to use the Refine Results pane.

FIELD DESCRIPTION
Reset Clears the form and returns the Connectors grid to its default state, showing all connectors.

Search Performs keyword searches for specific products.

Configured Connectors Displays instances in the Connectors grid that are configured for your targeted
Manager or Agent.

Clear this check box to have the grid list both configured and unconfigured connectors.

Category Select a high-level category to list the connectors that are available to support third-party
products in that category. Each connector is named after the product it is designed to
configure for use with LEM.

If you cannot find a particular product, it is either not supported, or it is in a different category.

Status Select Running to list all connectors currently running on your targeted Manager or Agent.

Select Stopped to list all connectors that are currently stopped on your targeted Manager or Agent.

THE CONNECTOR CONFIGURATION FORM FIELDS FOR DATA-GATHERING (SENSOR) CONNECTORS

This section describes each field on the Connector Configuration form when you configure sensors for
data-gathering connectors.

Not every field appears with every connector. The fields that appear depend on the connector that
you are configuring.

FIELD DESCRIPTION
Alias Type a name that easily identifies the application or appliance event log file that is
being monitored.

For active response connectors, we recommend you end the alias with “AR”. For
example, an alias for the Cisco PIX Active Response connector might be “Cisco PIX AR”.
This allows you to differentiate the active response connector from the data
gathering connector.

Log File / Log Directory When you create a new alias for a connector, LEM automatically places a default
log file path in the Log File box. This path tells the connector where the operating system stores the
product’s event log file.

For most connectors, you can change the log file path, as needed. However, some
products write events to the Windows Application Log or the Windows System Log. In
these cases, you are actually configuring the sensor that monitors events that are
written to that log file. For these connectors, the Log File setting is disabled, and the
system automatically populates the Log File field with the name of the Windows event
log the sensor is monitoring.

In most cases, you should be able to use the default log file path that is shown for the connector. These
paths are based on the default vendor settings and the product documentation for each product. If a
different log path is needed, type or paste the correct path in the Log File box, or use the Browse button
to browse to the correct folder or file.

If you are uncertain about which file path to use, either refer to your original product
documentation, or contact SolarWinds Technical Support.

If the product creates separate log files based on the current date or some other fixed interval, you can
either select the log directory or any log file in that directory. If you select a log file, LEM reads through
the directory’s log files in order, from the file you selected to the most current file. LEM then reads new
files as they are added.

nDepth Host
Only change this value if LEM is configured for nDepth log retention. If LEM is
not configured to receive and store raw (un-normalized) log data in its own
database, changing this value can cause all alert data to queue indefinitely.

If you are using a separate nDepth appliance or nDepth VM, type the IP address or
host name for the nDepth instance. Generally, the default setting is correct. Only
change it if you are advised to do so.

nDepth Port
Only change this value if LEM is configured for nDepth log retention. If LEM is
not configured to receive and store raw (un-normalized) log data in its own
database, changing this value can cause all alert data to queue indefinitely.

If you are using a separate nDepth appliance or nDepth VM, type the port number to
which the connector is to send nDepth data. Generally, the default setting is correct.
Only change it if you are advised to do so.

New File Name Interval Select the interval in which the connector posts and names each new log file.
The interval tells the SolarWinds LEM when to begin reading the next log file. The default setting is
Daily: yymmdd.

Output
Only change this value if LEM is configured for nDepth log retention. If LEM is
not configured to receive and store raw (un-normalized) log data in its own
database, changing this value can cause all alert data to queue indefinitely.

Select the appropriate data output option:

Event: This is the default option. It sends the connector’s log file data as events to the
SolarWinds LEM for processing by your correlation rules, associated active responses,
SolarWinds Consoles, and databases.

nDepth: This option sends the connector’s log file data to a separate nDepth
appliance for archiving. The data does not go to the SolarWinds LEM, so any potential
event activity does not appear in the Event Panel. However, you can still use the
Console's nDepth explorer to search the data on this appliance.

Event, nDepth: SolarWinds recommends that you choose this option if you want to
use nDepth to search log messages in addition to events. This option sends the
connector’s log file data to the SolarWinds LEM for event processing and to
SolarWinds nDepth for data archiving. This means the LEM reports potential event
activity in the Event Panel, and nDepth archives the connector’s output data for later
reference. Furthermore, you can use the Console's nDepth explorer to search either
type of data.

Server IP Address / [Product] IP Address / [Product] Server Type the IP address of the router or firewall.
Use the following IP address format: 192.123.123.123.

Sleep Time Type or select the time (in seconds) the connector sensor is to wait between event
monitoring sessions. The default (and minimum) value for all connectors is one (1)
second. If you experience adverse effects due to too many rapid readings of log
entries, increase the Sleep Time for the appropriate connectors.

Windows NT-based connectors automatically notify Windows Event Log sensors of new events that enter
the log file. Should automatic notification stop for any reason, the Sleep Time dictates the interval the
sensor is to use for monitoring new events.

Connector Version This is the SolarWinds release version for this connector. This is read-only
information for reference purposes.

Wrapper Name This is an identification key that the SolarWinds LEM uses to uniquely identify the
properties that apply to this particular connector. This is read-only information for SolarWinds reference
purposes.

If the connector settings you need are not shown here, you are probably configuring an active response
connector. (See the next section.) When you finish configuring the connector settings, start the connector.
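The Log File / Log Directory and New File Name Interval fields above describe a sensor that starts at the selected file, reads the directory's dated files in order up to the newest, and then picks up new files as they appear at each Sleep Time poll. The following is an added example of that reading order, not LEM's code; it assumes the default "Daily: yymmdd" naming, that the stamp is a lone six-digit run in the file name, and that the directory listing is passed in as a list of names.

```python
"""Reading order for date-named log files, as described for the Log File / Log Directory
and New File Name Interval fields (added example, not LEM code).

Assumptions: the product writes one file per day with a yymmdd stamp in the name
(the page's default "Daily: yymmdd"); names that carry no such stamp are ignored.
"""
import re
from datetime import date, datetime
from typing import List, Optional

DATE_STAMP = re.compile(r"(?<!\d)(\d{6})(?!\d)")  # a lone six-digit yymmdd run


def parse_log_date(name: str) -> Optional[date]:
    """Return the yymmdd date embedded in a file name, or None if there is none."""
    m = DATE_STAMP.search(name)
    if m is None:
        return None
    try:
        return datetime.strptime(m.group(1), "%y%m%d").date()
    except ValueError:  # six digits that are not a valid date, e.g. 991399
        return None


def files_to_read(names: List[str], selected: Optional[str] = None) -> List[str]:
    """Order the directory's dated files and keep those from `selected` through the newest.

    selected=None models choosing the log directory itself: every dated file is read.
    """
    dated = [(d, n) for n in names if (d := parse_log_date(n)) is not None]
    if selected is not None:
        start = parse_log_date(selected)
        if start is None:
            raise ValueError(f"{selected!r} carries no yymmdd stamp")
        dated = [(d, n) for d, n in dated if d >= start]
    return [n for _, n in sorted(dated)]


class LogDirectoryReader:
    """Tracks which files have been handed out, so each poll yields only unread files."""

    def __init__(self, selected: Optional[str] = None):
        self.selected = selected
        self.seen = set()

    def poll(self, names: List[str]) -> List[str]:
        """Called once per Sleep Time interval with the directory's current listing."""
        pending = [n for n in files_to_read(names, self.selected) if n not in self.seen]
        self.seen.update(pending)
        return pending


# Constructed directory listing for the demonstration (not from the page).
SAMPLE_LISTING = ["fw_170228.log", "fw_170301.log", "fw_170302.log", "readme.txt"]

if __name__ == "__main__":
    reader = LogDirectoryReader(selected="fw_170301.log")
    print("first poll:", reader.poll(SAMPLE_LISTING))
    print("after a new day:", reader.poll(SAMPLE_LISTING + ["fw_170303.log"]))
```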

THE CONNECTOR CONFIGURATION FORM FIELDS FOR ACTIVE-RESPONSE (ACTOR) CONNECTORS

The following table describes fields on the Connector Configuration form when configuring actors for
active response connectors.

Not every field appears with every connector. The fields that appear depend on the connector that
you are configuring.

FIELD DESCRIPTION
Advanced These settings are no longer applicable.

Auth Port For CheckPoint OPSEC firewalls, select the port used to connect to the CheckPoint
server via the LEA/OPSEC interface.

Base URL Type the URL to connect to the SonicWALL firewall and perform the login. Include
“http://” at the beginning of the URL.

SolarWinds does not support HTTPS. Only use this connector for older SonicWALL firmware versions.

Block Timeout For CheckPoint OPSEC firewalls, type the timeout in seconds for the blocks to expire
from the firewall. A value of zero (0) indicates "never expire."

Client DN For CheckPoint OPSEC firewalls, type the client DN string. The “CN” and “O” must
be uppercase.

Configuration Mode Select either telnet or SerialPort.

Enable Password Type the connector’s password for entering Enable mode.

Enable Windows Active Response For the Windows Active Response connector, select this check box to
enable active response settings.

From Zone Type the external zone used for configuring restrictions on firewall connections.

Incoming Interface Type the Interface for which the block is to be made effective; that is, the Interface
for which incoming traffic will be filtered to prevent traffic from the blocked IP
address.

Password / Login Password Type the connector’s login password. For some products, the password must
be the same one that was used when the firewall was installed.

Port Name / Serial Port Name Select a serial port for performing active response via console cable, if
applicable. The port name represents the physical communication port on the computer. The port name
is only relevant if the Configuration Mode is set to SerialPort.

/dev/ttyS0 = serial port 1, and

/dev/ttyS1 = serial port 2.

If the Configuration Mode is set to telnet, then this field is disabled and the Port Name box reads: There
are no ports available.

Remote Connection Port Type the firewall port used for connecting to and configuring the firewall.

Server DN For CheckPoint OPSEC firewalls, type the server DN string. The “cn” and “o” must
be lowercase.

Server Port For CheckPoint OPSEC firewalls, select the port used to connect to the CheckPoint
server via the SAM/OPSEC interface.

Server / Server Address / IP Address / [Product] IP Address Type the IP address of the router or
firewall. This address allows LEM to perform active responses to events on that particular router or
firewall. Use the following IP address format: 192.123.123.123.

SSLCA For CheckPoint OPSEC firewalls, click Browse to locate the SSL certificate file to
upload to the server. If the connector is already configured, then use the existing
certificate on the server. You can use the same path for both the LEA (log reading)
and SAM (active response) certificates.

Take Admin Control Only one person can configure the firewall at one time. Selecting this check box
allows LEM’s active response to take administrative control over the firewall when a user is logged into
the WatchGuard Management Console. That is, LEM disconnects the user and takes control over the
firewall.

To Zone Type the internal zone used for configuring restrictions on firewall connections.

Connector Configuration Instance (Alias) Type a name that easily identifies the product that LEM is to
act on. For active response connectors, we recommend you end the alias with “AR”. For example, an alias
for the Cisco PIX Active Response connector might be “Cisco PIX AR”. This allows you to differentiate the
active response connector from the data gathering connector.

User Name / Login User Name Type the user name needed to log onto and configure the firewall. For
some products, the user name must be the same one that was used when the firewall was installed.

If the connector settings you need are not shown here, you are probably configuring a data-gathering
(sensor) connector. When you finish configuring the connector settings, start the connector.


THE "SYSTEM TOOLS" CONNECTOR FORM FIELDS

LEM uses the System Tools connectors to interface with external notification systems.

FIELD DESCRIPTION
Append Text to File Active Response

Description Use this connector to have the Agent “write” the specified event data or text to the
specified file.

How to append Select Newline to write the event data to the file so that each event is on a distinct
line (that is, one event per line), by inserting a “return” or “newline” character.

Select No Newline to stream the event data to the file by appending the new data
immediately following any existing data in the file.

Maximum file size (MB) Type the allowable maximum file size for the text file, in megabytes.

Directory Service Query

Description Use this connector to have the Manager communicate with existing directory
services on the network to retrieve and update group information. This allows you
to synchronize your existing Directory Service Groups for use with rules and filters.

User Name Type a user name that is valid on the configured domain and server for
authenticating to the domain and retrieving group information.

Directory Service Server Type the IP address or host name of your directory services server (commonly,
this is a domain controller).

Domain Name Type the fully-qualified domain name of your directory services domain.

Password Type the password for the above user name that is valid on the configured domain
and server for authenticating to the domain and retrieving group information.

Directory Service Server’s Port Type the port used to communicate with the directory service server.

Email Active Response

Description Use this connector to have a Manager automatically notify users of events by event
policy. The event policy requires configuration.

Return Display Name Type the name that you want to appear in the From field of active response e-mail
messages.

Port Type the port used to communicate with the internal email server.

Return Address Type the email address that you want to appear in the From field of active response
email messages.

Mail Host Type the IP address or host name of an internal SMTP server that the Manager can
use to send email messages through without authentication.

Authentication Server Username Type the user name needed to access the internal email server, if
required.

Authentication Server Password Type the password needed to access the internal email server, if
required.

Test E-mail Address Type the e-mail address you want to use to test the Mail Host assignment. When
you click Test Email, a test message should appear at this email address.

Test Email button This button tests your email notification settings to ensure that you entered the
correct e-mail host.

Click Test Email. Then check the email address’s in-box. If you entered the correct
address, the in-box should receive the test message.

page 593
ADMINISTRATOR GUIDE: LOG & EVENT MANAGER

The Event Distribution Policy form


Configure the event distribution policy to control how events are routed through the LEM system.

FIELD DESCRIPTION
Event/Field Lists event categories and event types. Click ▼ to expand an event category.

Console, Database, Warehouse, Rules Select a check box to indicate whether a particular event type or event category is sent to
that destination (such as the console or the local database). When selected, the event type is
routed to that destination. Clear a check box to prevent the event type from being routed to
that destination.

Export Exports a Manager event policy to a spreadsheet file.

Click to select the Apply State to Branch command. This command pushes (or propagates)
the selected event node check box settings down to the related, lower-level event types in
the node tree hierarchy.

Description Provides a description of the event type or event category currently selected in the grid.

See also:

 • "Configure the LEM event distribution policy" on page 69 for more information.

page 594
Nodes view
In this topic:

  • The Nodes main view 596

• Nodes grid columns 596

• The Connector Configuration form 599

Use the Manage > Nodes view to add and manage remote logging devices and LEM Agents.

This topic provides page-level help for the Nodes view in the LEM console. See also "Sending event
data to LEM via Agents, syslog, and SNMP" on page 130.

The following screen capture shows the Nodes view in the LEM console.

page 595

The Nodes main view


The following tables describe the Manage > Nodes view UI elements.

NAME DESCRIPTION
Sidebar Hides and opens the Refine Results pane.

Refine Results pane Applies filters to reduce the nodes that appear in the Nodes grid based on your
selection parameters (such as Manager or connector profile).

Nodes grid Displays all Agent and non-Agent nodes associated with each Manager and
appliance monitored by the LEM console. You can also add or scan for a new node.

Respond menu Performs a selected action on a specific Agent. For example, you can send an Agent a
pop-up message or shut down the host computer.

This menu is similar to the Respond menu in the Monitor view event grid.

Remote Updates menu This menu lets you control the Agent's automatic update status. Remote updates are
a way for the Agent to automatically accept updated Agent software from the
Manager when new software becomes available.

The gear button at the top of the grid opens commands that you can perform on
multiple selections in the grid, and commands that do not require a grid selection. It
includes commands for copying Agent information and for deleting Agents.

Nodes grid columns


The following table describes the columns in the Nodes grid.

COLUMN DESCRIPTION
Add Node Displays a wizard to assist you with adding nodes.

Scan for New Nodes Scans syslog data sent to the LEM.

Displays a menu of commands you can perform on the selected item.

 • Select Connectors to configure an Agent connector.
 • Select Delete to delete Agent licenses from a Manager.
 • Select Copy to copy Agent information to configure the Remote Agent
Installer or for analysis in another application (such as Microsoft Excel).

Status The Agent's current connection status:

page 596

ICON STATUS DESCRIPTION
Enabled The Agent is connected to a Manager.
Disabled The Agent is not connected to a Manager.

Node IP The node IP address.

Node Name The computer name that hosts the node. Typically, this is the computer name or
host name assigned to the node.

Agent Node The LEM Manager or Agent where the node logs are stored. This column is blank
for LEM Agents.

USB The current USB-Defender status of the node. A green icon indicates USB-Defender
is installed on the node. If no icon is present, USB-Defender is not installed on the
node. This column is blank for non-Agent nodes.

Version The node software version number. This column is blank for non-Agent nodes.

OS The operating system of the computer hosting the node. This column is blank for
non-Agent nodes.

Profile The connector profile associated with the node (if applicable). This column is blank
for non-Agent nodes.

FIM The current FIM status of the node.

ICON STATUS DESCRIPTION
Operational At least one FIM connector is created and running for this node.
Non-operational At least one FIM connector or FIM connector profile is configured for this node,
and the driver is disabled.
No icon Not configured The node is not assigned to a FIM connector or FIM connector profile. The
connector is not configured or running.

Updates Enabled This field indicates whether the node is enabled for receiving remote updates.

page 597

ICON STATUS DESCRIPTION
Enabled The node is enabled for receiving remote updates.
Disabled The node is disabled from receiving remote updates.

Update Status This field indicates the current software update status for the Agent.

ICON STATUS DESCRIPTION
Current The Agent software is current.
Outdated The Manager is running an update that is newer than the version used by this Agent.
Updating The Manager is sending an update to this Agent.
Queued The Agent is waiting to be updated while other Agents are updated. The Maximum
Concurrent Updates setting, located in the Manage > Appliances view in the
Properties pane > Settings tab, determines the number of Agents that can be
updated at the same time.
Unknown The Manager cannot determine the Agent software status.
Canceled The user canceled the update during the update process.
Error An error occurred during the update.

ID The Agent unique identification number.

Manager The Manager connected to the Agent. An Agent can only be connected to one
Manager.

Install Date The time and date the Agent was installed and connected to the Manager.

Last Connected The time and date the Agent was last connected to the Manager.

page 598
THE NODES "REFINE RESULTS" SIDEBAR

By default, the Agents grid shows every Agent associated with every LEM Manager that is monitored by the
LEM console. Use the Refine Results sidebar to limit the number of Agents displayed in the grid.

When you select options in the Refine Results pane, the grid refreshes to show only those items that match
the refinement options you have selected. The other items in the grid are still there, but they are hidden.
To restore them, click the Reset button or select All in the refinement lists you are using.

The following table explains how to use the Refine Results form.

FIELD DESCRIPTION
Reset Clears the form and the Agents grid to their default settings, displaying all Agents for all
Managers.

Search Performs a keyword search for a specific Agent in the Name field.

Manager Select the Manager you want to work with. Select All to include Agents from every Manager.

Profile Select the connector profile you want to work with. Select All to include Agents from all
connector profiles.

Node Select whether you want to view Agent or non-Agent nodes.

Status Select the connection status of the Agents you want to work with (Connected or Not
Connected). Select All to include both.

Version Select the Agent software version. Select All to include Agents of every version.

OS Select the operating system of the computer hosting the Agent. Select All to include all
operating systems.

USB Select the USB-Defender status of the Agent (Installed or Not Installed). Select All to include
both.

The Connector Configuration form


See "The Connector Configuration form" on page 581

page 599
LEM troubleshooting
In this chapter:

  • Troubleshoot alerts in the LEM console 601

• Troubleshoot the LEM desktop console 606

• Troubleshoot LEM Agents and network devices 608

• Troubleshoot syslog error messages in LEM 612

• Troubleshoot LEM rules and email responses 616

• Troubleshoot the LEM reports application 622

page 600

Troubleshoot alerts in the LEM console


This topic describes how to troubleshoot unmatched data or internal new connector data alerts that may
appear in your LEM console.

In this topic:

  • Step 1: Troubleshoot syslog devices 601

• Step 2: Troubleshoot device logging 602

• Step 3: Troubleshoot Agent devices and connectors 603

• Step 4: Apply the latest connector update package 604

• Step 5: Contact SolarWinds Technical Support 604

Typically unmatched data and internal new connector data alerts indicate that one or more of the
connectors on the LEM VM or appliance cannot properly normalize the associated log data.

To troubleshoot these alerts:

 1. Ensure that your syslog devices are sending logs to a syslog facility on your LEM appliance.
 2. Determine which devices are logging to each facility, and whether those devices conflict with one
another.
 3. Ensure that your LEM Agent connectors, such as Windows-based and database connectors, are
running correctly.
 4. Apply the latest connector update package.
 5. Generate a syslog sample from the LEM appliance, and then open a ticket with SolarWinds
Technical Support for further assistance.

Step 1: Troubleshoot syslog devices


Complete the following troubleshooting procedures for devices that send logs to a syslog facility on your
LEM appliance.

 1. Verify the connector and device are pointed at the same local facility.
 2. Check the configuration on your device to determine what local facility it is logging to on your LEM
appliance. In some cases, you cannot modify this setting.

For additional information, search for your device in the Connectors section of the SolarWinds
Success Center. Except for CheckPoint firewall, the LEM receives UDP syslog data on port 514.

page 601
 3. Verify that the connector is pointed to the same logging facility as the device.
 a. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 b. Click Manage > Appliances.
 c. Locate your LEM appliance in the grid.
 d. Click and select Connectors.
 e. Locate the connector in the list.
Use the search box at the top of the Refine Results pane or select Configured.
 f. Select the configured connector and view its details. Verify the Log File value matches the
output value in the device configuration.
 4. If the device and connector configurations do not match, point the connector to the appropriate
location.
 a. Click and select Stop.
 b. Click and select Edit.
 c. Change the Log File value so it matches your device.
 d. Click Save.
 e. Click and select Start.

For a video presentation about how to troubleshoot syslog nodes in LEM, open the following URL in
a web browser:

https://thwack.solarwinds.com/docs/DOC-176148

Step 2: Troubleshoot device logging


Certain devices (including Cisco devices) have similar logging formats that cause connector conflicts when
logging to the same facility on your LEM appliance. Use the following procedure and table to determine
what devices are logging to each facility, and whether those devices conflict with one another.

 1. Open the CMC command line. See "Log in to the LEM CMC command line interface" on page 34 for
steps.
 2. At the cmc> prompt, type appliance.
 3. At the cmc::appliance> prompt, type checklogs.
 4. Enter an item number to select and view a local facility.
 5. To view the device sending the event, open the log facility.
Each event starts with an EPOCH timestamp (such as 1427722392000), which is the date and time in
Unix numeric format. The device sending the event (such as 192.168.2.251) follows. You will typically
also see a ProviderSID (such as ASA-1-106021), which is similar to an Event ID.
 6. If two or more devices are logging to the same facility, see "Troubleshoot conflicting devices" on
the next page to determine whether those devices conflict with each other.

page 602

Troubleshoot conflicting devices


Different firewall types should log to different facilities. For example, Cisco firewalls and Palo Alto
firewalls should each log to their own facility. Ensure that the devices in each of the groups below are
logging to distinct local facilities on your LEM VM. For example, if a device in Group 1 is logging to
local1, make sure a device in Group 2 is not also logging to that facility.

SolarWinds recommends splitting the devices and vendors to different facilities. Having all devices
pointed at one facility with multiple connectors reading that facility will impact your LEM
performance.

GROUP DEVICES
Group 1 Cisco ASA, Cisco IOS, Cisco PIX
Group 2 Cisco Catalyst (CatOS)
Group 3 Cisco Wireless LAN Controller (WLC)
Group 4 Cisco Nexus
Group 5 Cisco VPN
Group 6 Dell PowerConnect
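The facility check described above can be scripted against the per-facility exports that checklogs or exportsyslog produce. The following Python script is an added example, not part of the LEM guide; it assumes each exported event line begins with the epoch-millisecond timestamp and sending IP address the guide describes, and it relies on an administrator-supplied IP-to-device-type inventory (the sample inventory and log lines are constructed).

```python
"""Added example (not part of the LEM guide): flag syslog facilities that are
receiving logs from devices in different conflict groups.

Assumptions, none of which come from the guide itself:
  * Each exported event line starts with an epoch-millisecond timestamp and the
    sending device's IP address (the layout the guide describes); the rest of
    the line is ignored.
  * The administrator supplies an inventory mapping device IP -> device type;
    SAMPLE_INVENTORY and SAMPLE_EXPORTS below are constructed test data.
"""
import re

# Conflict groups from the guide's table: devices within one group share a
# logging format, so two different groups must not share a local facility.
CONFLICT_GROUPS = {
    "Group 1": {"Cisco ASA", "Cisco IOS", "Cisco PIX"},
    "Group 2": {"Cisco Catalyst (CatOS)"},
    "Group 3": {"Cisco Wireless LAN Controller (WLC)"},
    "Group 4": {"Cisco Nexus"},
    "Group 5": {"Cisco VPN"},
    "Group 6": {"Dell PowerConnect"},
}
DEVICE_TO_GROUP = {dev: grp for grp, devs in CONFLICT_GROUPS.items() for dev in devs}

# "<13-digit epoch ms> <IPv4>" at the start of each event line (assumed layout).
EVENT_RE = re.compile(r"^(\d{13})\s+(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_senders(lines):
    """Return the set of device IPs that sent the events in one facility export."""
    senders = set()
    for line in lines:
        match = EVENT_RE.match(line.strip())
        if match:
            senders.add(match.group(2))
    return senders


def find_conflicts(facility_exports, inventory):
    """facility_exports: {"local1": [event lines], ...}
    inventory: {device IP: device type named in CONFLICT_GROUPS}

    Returns {facility: [(group, device type, ip), ...]} for every facility that
    mixes two or more conflict groups. Senders missing from the inventory are
    reported under group "Unknown" rather than silently ignored, so a facility
    with one known and one unknown sender is still flagged for review.
    """
    conflicts = {}
    for facility, lines in facility_exports.items():
        members = []
        for ip in sorted(parse_senders(lines)):
            device = inventory.get(ip, "Unknown device")
            members.append((DEVICE_TO_GROUP.get(device, "Unknown"), device, ip))
        if len({grp for grp, _, _ in members}) > 1:
            conflicts[facility] = sorted(members)
    return conflicts


# Constructed sample exports (not real LEM output). The ASA lines mimic the
# ProviderSID the guide shows (ASA-1-106021); the other payloads are made up.
SAMPLE_EXPORTS = {
    "local1": [
        "1427722392000 192.168.2.251 %ASA-1-106021: Deny TCP reverse path check",
        "1427722392500 192.168.2.252 %ASA-4-106023: Deny tcp src outside",
    ],
    "local2": [
        "1427722393000 192.168.2.251 %ASA-1-106021: Deny TCP reverse path check",
        "1427722393200 10.0.0.7 %PIX-6-302013: Built inbound TCP connection",
        "1427722394000 10.0.0.9 CatOS sample event",
    ],
    "local3": ["not an event line"],
}
SAMPLE_INVENTORY = {
    "192.168.2.251": "Cisco ASA",
    "192.168.2.252": "Cisco ASA",
    "10.0.0.7": "Cisco PIX",
    "10.0.0.9": "Cisco Catalyst (CatOS)",
}

if __name__ == "__main__":
    for facility, members in find_conflicts(SAMPLE_EXPORTS, SAMPLE_INVENTORY).items():
        groups = sorted({grp for grp, _, _ in members})
        print(f"{facility}: mixes {', '.join(groups)}; move one group to its own facility")
        for grp, device, ip in members:
            print(f"  {ip:15} {device} ({grp})")
```

Running it on the constructed sample reports only local2, where Group 1 (ASA and PIX) shares the facility with a Group 2 Catalyst switch.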

Step 3: Troubleshoot Agent devices and connectors


Complete the following procedure to troubleshoot LEM Agent connectors, such as Windows-based and
database connectors.

 1. Verify the connector is pointing to the appropriate folder or event log.
 2. Check the configuration on the host computer to determine which folder or event log it is logging
to.
In some cases, you cannot modify this setting. For additional information, search the SolarWinds
Success Center for your device.

page 603
 3. Verify that the connector is pointed to the same folder or event log as the device:
 a. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 b. Click Manage > Nodes.
 c. Locate the LEM Agent for the host computer.
 d. Click and select Connectors.
 e. Locate the connector in the list.
Use the search box in the Refine Results pane or select Configured.
 f. Select the configured connector and view its details. Ensure the Log File value matches the
output value in the host computer configuration.
 4. If the host computer and connector configurations do not match, point the connector to the
appropriate location:
 a. Click and select Stop.
 b. Click and select Edit.
 c. Change the Log File value so it matches the host computer.
 d. Click Save.
 e. Click and select Start.

Step 4: Apply the latest connector update package


If you completed the procedures in this section and you still see the unmatched data or internal new
connector data alerts, apply the latest connector package before you contact Technical Support. See "Apply
a LEM connector update package" on page 164 to learn how.

Step 5: Contact SolarWinds Technical Support


If you are unable to resolve your issue using this article, open a ticket with SolarWinds Technical Support
for further assistance. Be prepared to provide the following information to a support technician:

 • A copy of the LEM report (in Crystal Reports format) entitled Tool Maintenance by Alias for the last
24 hours or the period during which the unmatched data was detected.
 • (Syslog devices only) A sample of the logs currently sent to LEM for the affected connector. For
more information, see Export log files using the CMC exportsyslog command.
 • (Windows connectors only) A copy of the entire event log in English and EVTX formats.
 • (Database connectors only) A sample of the event table containing the unread events and the
details about these events.
 • (Database connectors only) The database schema (if available).

page 604

Generate a syslog sample from the LEM appliance


 1. Open the CMC command line. See "Log in to the LEM CMC command line interface" on page 34 for
steps.
 2. At the cmc> prompt, type appliance.
 3. At the cmc::appliance> prompt, type exportsyslog.
 4. Enter an item number to select a local facility to export.
 5. Repeat the previous step to specify more than one facility.
 6. Enter q to proceed.
 7. Follow the on-screen instructions to complete the export.

page 605
Troubleshoot the LEM desktop console
Refer to the topics in this section if the LEM desktop console is not working properly.

In this topic:

  • The LEM desktop console cannot resolve the LEM VM hostname 606

• The LEM desktop console cannot connect after you activate the license or change the LEM VM hostname 606

The LEM desktop console cannot resolve the LEM VM hostname


Ensure that the system hosting the LEM desktop console can resolve the LEM VM hostname using either
DNS, or a manual entry in the Windows hosts file. If the desktop console cannot get an IP address for the
LEM VM hostname, the console will be unable to connect to the VM, or the connection may be unreliable.

On your DNS server, configure forward and reverse DNS entries (a HOST and PTR record) for the LEM VM
on your DNS server. When you create the DNS entries, use either the default hostname, or the hostname
you specified during activation.

If you cannot configure DNS directly on your DNS server, configure the local Windows hosts file on the
computer running the LEM desktop console.

Create a backup copy of your Windows hosts file before you edit it.

 1. Open the hosts file in a text editor. The file is located here:
Windows\System32\drivers\etc\hosts
 2. Add a line break, followed by a line with the LEM VM's IP address and hostname. The IP address
and hostname should be separated by a tab or space.

The LEM desktop console cannot connect after you activate the license or
change the LEM VM hostname
The desktop console automatically attempts to reconnect to the LEM Manager after you activate the
license. If the desktop console cannot connect, or if you changed the LEM Manager hostname, try the
following:

 1. Log in to the LEM desktop console. See "Log in to the LEM desktop console" on page 33 for steps.

page 606

 2. Select Manage > Appliance.
 3. Delete the LEM VM configuration.
 4. Add back the LEM VM settings.

page 607
Troubleshoot LEM Agents and network devices
If you do not see the events you expected to see in the LEM console, use the following procedures to
troubleshoot your LEM Agents and network devices.

In this topic:

• Determine if LEM is receiving data from the device that you are troubleshooting 608

• Troubleshoot devices not logging to a log file 609

• Troubleshoot devices logging to a log file 609

• Troubleshoot a LEM Agent 609

• Troubleshoot a missing LEM Agent 610

• Troubleshoot a disconnected LEM Agent 610

• Troubleshoot a connected LEM Agent 611

• Contact SolarWinds Customer Support 611

Determine if LEM is receiving data from the device that you are
troubleshooting
SolarWinds recommends starting with this task before moving on to the other troubleshooting tasks.

 1. Open the CMC command line. See "Log in to the LEM CMC command line interface" on page 34 for
steps.
 2. At the cmc> prompt, enter:
appliance
 3. At the cmc::appliance> prompt, type:
checklogs
 4. Enter an item number to select a local facility to view.
 5. Search for the specific device logging to this facility (such as the product name, device name, or IP
address).

See also:

 • "Troubleshoot devices not logging to a log file" on the next page
 • "Troubleshoot devices logging to a log file" on the next page

page 608

Troubleshoot devices not logging to a log file


Perform the following procedure for network devices that do not show data on the LEM appliance.

 1. Ensure that the device is configured to log to the LEM appliance.
 2. Ensure that the device is logging to the correct IP address for the LEM appliance.
 3. If the device sends SNMP traps to the LEM appliance, ensure that the LEM Manager is configured to
accept SNMP traps.
See "Enable LEM to receive SNMP traps by turning on the SNMP Trap Logging Service" on page 61
for details.
 4. Ensure that a firewall is not blocking data communications between the device and the LEM
appliance.

Troubleshoot devices logging to a log file


Perform the following procedure for network devices that display data in LEM.

 1. Ensure that the appropriate connector is configured on the LEM appliance.
 2. Ensure that your configured connector is running.
 3. If the connector is running, delete and recreate the connector instance.

Troubleshoot a LEM Agent


To begin, ensure that the LEM Agent is connected to the LEM appliance:

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Manage and select Nodes.
 3. In the Refine Results sidebar, click the Node drop-down menu and select Agent.
 4. In the Status column, note the status icon for the LEM Agent:
 • If the LEM Agent does not appear in the Nodes screen, see "Troubleshoot a missing LEM
Agent" on the facing page.
 • If the LEM Agent appears in the Nodes screen with a Connected status, see "Troubleshoot a
connected LEM Agent" on page 611.
 • If the LEM Agent appears in the Nodes screen with a Disconnected status, see
"Troubleshoot a disconnected LEM Agent" on the facing page.

See also:

 • Troubleshoot LEM Agent connections, 64-bit in the SolarWinds Customer Success Center
 • Troubleshoot LEM Agent connections, 32-bit in the SolarWinds Customer Success Center

page 609
Troubleshoot a missing LEM Agent
 1. Verify that the LEM Agent is installed on the host computer.
 2. Verify that the LEM Agent service is running on the host computer.

Troubleshoot a disconnected LEM Agent


 1. On the host computer, verify that the LEM Agent Service is running.
If the service is not running, start the service.
If the service is running, go to the next step.
 2. On the host computer, ping the LEM VM or appliance by hostname.
If the ping is successful, clear the LEM Agent certificate.
If the ping is not successful, go to the next step.
 3. On the host computer, ping the LEM VM or appliance by IP address.
If the ping is successful, the LEM Agent is connected. See "Troubleshoot a connected LEM Agent" on
the next page.
If the ping is not successful:
 a. Resolve any network or firewall issues between the LEM Agent and the LEM VM/appliance.
 b. Change your DNS settings so the LEM Agent computer can resolve the LEM appliance
hostname (recommended).
 c. Edit or delete the spop.conf file (based on your system bit type) so that the LEM Agent calls
the LEM VM or appliance by its IP address instead of its hostname. See "Edit or delete the
spop.conf file" below.

Edit or delete the spop.conf file


Perform the following procedure so the LEM Agent calls the LEM appliance by its IP address (Windows
systems only).

 1. Stop the SolarWinds Log and Event Manager Agent service.
 2. If you are running a 32-bit Windows system, delete the spop folder. Do not delete the ContegoSPOP
folder.
The folder is located at:
C:\Windows\System32\ContegoSPOP\spop
If you are running a 64-bit Windows system:
 a. Open the following directory:
C:\Windows\SysWOW64\ContegoSPOP\spop
 b. Open the spop.conf file in a text editor.
 c. Replace the ManagerAddress value with the LEM appliance IP address.
 d. Save and close the file.
 3. Start the SolarWinds Log and Event Manager Agent service.

page 610

Troubleshoot a connected LEM Agent


 1. Verify that you configured the appropriate connectors on the LEM Agent.
For example, the LEM Agent for Windows runs the connectors for the Windows Application and
Security Logs by default. However, you must configure the connector for the DNS server role.
 2. Verify that all configured connectors are running properly.
 3. If all configured connectors are running properly, delete and recreate the non-working connectors.

Contact SolarWinds Customer Support


If events from your network device do not appear in the LEM console after completing these procedures,
send a screen shot of the device logging configuration screens and the appropriate system files to
SolarWinds Customer Support:

https://support.solarwinds.com/Success_Center

If you are running a 32-bit Windows system, send the following files to SolarWinds Customer Support:

 • C:\Windows\System32\ContegoSPOP\spoplog.txt (the most recent version)
 • C:\Windows\System32\ContegoSPOP\tools\readerState.xml

If you are running a 64-bit Windows system, send the following files to SolarWinds Customer Support:

 • C:\Windows\SysWOW64\ContegoSPOP\spoplog.txt (the most recent version)
 • C:\Windows\SysWOW64\ContegoSPOP\tools\readerState.xml

page 611
Troubleshoot syslog error messages in LEM
In this topic:

  • LEM console does not display syslog data 612

• Identify your syslog data facilities containing log data 612

• Configure a connector from the facility to the device 614

• View the data from the device 615

If a No Device Found error message displays in the widget, make sure that you configured the
device to send logs to the correct IP address. See "Troubleshoot alerts in the LEM console" on
page 601 for troubleshooting steps.

LEM console does not display syslog data


Verify that your devices are configured to forward syslog data to the LEM virtual appliance IP address. If
your appliance cannot receive logs, your device may not be supported.

If your devices are configured correctly and your LEM appliance is still not receiving syslog data, identify
the facilities that are collecting log data. When you complete this process, configure the appropriate
connector from the facility to the log device so Log & Event Manager can normalize and monitor this
information in the LEM Manager.

Identify your syslog data facilities containing log data


Verify that Log & Event Manager is receiving the raw data from your syslog devices.

See your hypervisor documentation for information about using the virtual console.

page 612

 1. Open the CMC command line. See "Log in to the LEM CMC command line interface" on page 34 for
steps.
 2. At the cmc> prompt, type appliance.
 3. At the cmc::appliance> prompt, type checklogs and press Enter.


The appliance displays all facilities receiving logs from syslog devices, such as firewalls, routers, and
switches.

In this example, 1, 12, and 18 are active syslog facilities because they contain stored log data.
Facilities 13, 15, 16, and 17 are inactive because their syslog log files are empty.

page 613
 4. Match a facility with a monitored device.
 a. Choose a facility number and record the local number (such as local2) for a future step.
 b. Enter your chosen facility number (for example, 14 for local2) and press Enter.
 c. Enter b or E to view the beginning or end of the log file, respectively, and press Enter.
 d. Enter the number of lines to display on your screen, and then press Enter.

Pressing Enter defaults the output to 500 lines.

 e. Press Enter again.


The raw data displays on your screen.
 f. Review and match the data to a monitored syslog device in your network.
 5. Repeat steps 3 and 4 in this section to match additional facilities with log data to a monitored
syslog device in your network.

Configure a connector from the facility to the device


The following table maps each syslog facility to its log file name on the LEM Manager. The connectors
defined in the LEM Manager read these logs to normalize the Log & Event Manager events.

The hardened operating system prevents you from accessing the file system directly.

SYSLOG FACILITY LOG FILE PATH
local0 /var/log/local0.log
local1 /var/log/local1.log
local2 /var/log/local2.log
local3 /var/log/local3.log
local4 /var/log/local4.log
local5 /var/log/local5.log
local6 /var/log/local6.log
local7 /var/log/local7.log

After you verify that data is received from a device, manually enable the log connector that supports the
device. The connector maps events from the monitored Windows system event log to a LEM normalized
event.

page 614

 1. Match the facility of your monitored device with the corresponding log file path.
 2. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 3. Click Manage > Appliances.
 4. Click next to the appliance name and select Connectors.
 5. In the Refine Results pane search field, enter the brand name of the monitored device and press
Enter.

If your device does not display in the list, contact Customer Sales (for an evaluation license) or
Technical Support (for a production license) for assistance with unsupported devices.

 6. Click next to your device and select New.


 7. In the Log File field, make sure the localx portion of the path matches the facility number you
configured on your device or the facility you recorded in the previous procedure.
For example, if your recorded facility is local2, enter /var/log/local2.log in the field.
 8. Verify that the remaining fields and selections are correct, and then click Save.
The connector displays in the Connectors grid with a gray status icon.
 9. Click next to the connector and select Start.
When the status icon turns green, the LEM connector is configured correctly.
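To confirm which /var/log/localN.log a device's messages land in, you can decode the syslog PRI value the device stamps on each message and, where a device is quiet, send a labelled test message to the facility the connector watches. The following Python script is an added example, not from the LEM guide: the facility and severity codes and the PRI formula are standard syslog (RFC 3164), the log paths are the table above, UDP port 514 is the syslog port the guide names, and the host name, message text and timestamp in the sample are constructed.

```python
"""Added example (not from the LEM guide): decode syslog PRI values to the
facility log files listed in the guide, and build a test message for a chosen
facility. Facility/severity codes and the PRI formula are standard syslog
(RFC 3164); the /var/log/localN.log paths are the guide's table; UDP port 514
is the syslog port the guide names for LEM."""
import socket
import time

# Standard codes for the local-use facilities: local0 = 16 ... local7 = 23.
LOCAL_FACILITY_CODES = {f"local{n}": 16 + n for n in range(8)}
SEVERITY_CODES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
                  "warning": 4, "notice": 5, "info": 6, "debug": 7}
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


def syslog_pri(facility, severity):
    """PRI = facility code * 8 + severity code (e.g. local2/info -> 150)."""
    return LOCAL_FACILITY_CODES[facility] * 8 + SEVERITY_CODES[severity]


def facility_from_pri(pri):
    """Facility name for a PRI value, or None if it is not local0..local7
    (for example PRI 13 is facility 'user', which the guide's table does not cover)."""
    code = pri >> 3          # integer-divide by 8 to strip the severity bits
    for name, fac_code in LOCAL_FACILITY_CODES.items():
        if fac_code == code:
            return name
    return None


def lem_log_path(facility):
    """Log File value the LEM connector must use for this facility (guide's table)."""
    if facility not in LOCAL_FACILITY_CODES:
        raise ValueError(f"not a local-use facility: {facility}")
    return f"/var/log/{facility}.log"


def log_path_for_pri(pri):
    """Given the <PRI> a device stamps on its messages, return the LEM log path
    its connector should read, or None if the facility is not local0..local7."""
    facility = facility_from_pri(pri)
    return lem_log_path(facility) if facility else None


def build_test_message(facility, hostname, text, severity="info", timestamp=None):
    """RFC 3164-style line: <PRI>Mmm dd hh:mm:ss hostname tag: text.
    A fixed timestamp can be passed to make the output reproducible."""
    if timestamp is None:
        t = time.localtime()
        timestamp = (f"{MONTHS[t.tm_mon - 1]} {t.tm_mday:2d} "
                     f"{t.tm_hour:02d}:{t.tm_min:02d}:{t.tm_sec:02d}")
    return f"<{syslog_pri(facility, severity)}>{timestamp} {hostname} lemtest: {text}"


def send_test_message(lem_ip, message, port=514):
    """Send one UDP datagram to the LEM appliance; returns the byte count sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(message.encode("utf-8"), (lem_ip, port))


if __name__ == "__main__":
    import sys
    # Constructed sample: a message that should land in /var/log/local2.log.
    msg = build_test_message("local2", "lab-switch-01", "connector facility check")
    print(msg, "->", lem_log_path("local2"))
    if len(sys.argv) > 1:            # python this_script.py <LEM appliance IP>
        send_test_message(sys.argv[1], msg)
```

Run it with the LEM appliance IP as the argument to send the message, then confirm it appears under the expected facility with checklogs before starting the connector.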

View the data from the device


After you configure a connector to the facility, verify that the LEM appliance is receiving log data from the
device.

You may need to authenticate to the device to generate data, as some devices do not generate a
continuous stream of data.

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Monitor.
 3. In the Filters pane, expand Overview and click All events.
 4. Watch for new events that appear in the grid with the device IP address in the DetectionIP column.
When new events display with your device IP address, the device is sending log data to the LEM
appliance.

page 615
Troubleshoot LEM rules and email responses
This page provides troubleshooting steps to try if your LEM rules are not firing as expected or if your
rules are not sending the expected notifications.

In this topic:

  • General rule troubleshooting 616

• The rule fires but you do not receive an email 617

• The rule does not fire and expected alerts do not display 617

• Alerts display but the rule does not fire 619

• The rule fires but the email is blank 620

• The rule is not triggered when it should be 621

General rule troubleshooting


If you created a rule that generates unexpected results, verify the following to track down the root cause:

 1. Click the Monitor tab and check for the requisite events.
For example, if your rule is based on the NewGroupMember event, locate a requisite event in the All
Events or default Change Management filter.
 2. If you cannot view the requisite events, troubleshoot your devices and connectors to move the events
into LEM.
 3. Check for an InternalRuleFired event in the SolarWinds Events filter.
If you see an InternalRuleFired event for your rule, go to the next step.

If you do not see an InternalRuleFired event for your rule, verify that:
 • The rule is enabled.
 • The Correlation Time or Response Window in your rule was not modified.
 • You did not click Activate Rules after saving your rule.
 • The time on your device is not more than five minutes off from the time on your LEM
appliance.

 4. If you see an InternalRuleFired event for your rule but LEM does not respond to the rule as
expected, check the following:
 • Send Email Message
Verify you configured and started the Email Active Response connector on the LEM Manager.
Additionally, verify you associated an email address for your selected LEM user as your email
account.

page 616

 • Agent-based Actions
Verify you installed the LEM Agent on a computer that will respond to LEM.
 • Block IP
If using the Block IP active response, verify that you configured the active response connector
for the targeted firewall that will respond to this action. The active response connector is
separate from the data-gathering connector.

The rule fires but you do not receive an email


Problem statement: You see the expected InternalRuleFired alerts in the default SolarWinds Alerts
and Rule Activity filters in the LEM console, but you are not getting the expected email notification.

To resolve this issue:

 1. Verify that the ExtraneousInfo field of the InternalRuleFired alert shows the associated
email action in Email [recipient] format.
 2. If this action is not present, add the Send Email Message action to the rule.
 3. Verify that the intended recipient has an email address associated with his LEM user account:
 a. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
Click Build > Users.
 b. Click the LEM user account associated with the intended recipient.
 4. If the Contact Information box is blank in the User Information pane, edit the user to add an email
address.

If you cannot add an email address to an Active Directory user, create a separate user, add the
email to that user account, and then select that user in the email template.

 5. Verify that the Email Active Response connector is configured on your LEM Manager.
 a. Click Manage > Appliances.
 b. Click next to your LEM Manager and select Connectors.
 c. In the Connector Configuration window, select the Configured check box.
 6. If Email Active Response is not in the list, clear the Configured check box and configure the missing
connector.

The rule does not fire and expected alerts do not display
Problem statement: You cannot see the expected InternalRuleFired alerts in the default SolarWinds
Alerts or Rule Activity filters in the LEM console or the alerts needed to fire your rule anywhere in your LEM
console.

To determine if the requisite alerts are in your LEM console, create a filter or nDepth search that matches
the correlations in your rule.

If the alerts are not present, complete the following procedure:

 1. Review the network devices sending syslog data to the LEM and validate the configuration on each
network device that sends data. Verify that one of your devices is logging the events you want to
capture.
For example:
 • Remote logging devices, such as firewalls and web filters, should be logging your web traffic
events.
 • Domain controllers and end-user computers should be logging domain-level and local
authentication and change management events.

If you have multiple domain controllers, they will not all replicate every domain event.
Each server logs only the events it executes.

 • Other servers, such as database servers and web servers, should be logging events associated
with their particular functions.
 2. Verify that the LEM is receiving data.
Verify that the LEM icons display a syslog or Agent connection. Syslog device IPs display with the
syslog icon in the Manage > Nodes grid. Agent host names and IP addresses appear in the Manage > Nodes
list with the Agent icon.
Next, verify that the syslog facility or Agent is receiving data. If a network syslog device is sending
syslog data to the LEM, you can view the LEM syslog files for that data.
 a. Open the CMC command line. See "Log in to the LEM CMC command line interface" on
page 34 for steps.
 b. Type appliance, and then enter the checklogs command.

You can also open a PuTTY session on port 32022 as a cmc user.

 c. View the syslog file that was chosen by the network device. All of the data received in this area is
UDP traffic received on port 514.
 3. If your device is not in the Nodes list, configure your computers by installing a LEM Agent or
configure other devices (such as firewalls) to log to your LEM VM or appliance. After your device is in
the list, continue to the next step.
 4. If your device is in the Nodes list, configure the appropriate connectors:
 a. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
Click Manage > Appliances.
 b. Click next to the Agent or LEM Manager and select Connectors.

Use the Search box at the top of the Refine Results pane to locate the appropriate
connectors.

 c. Configure the syslog connector according to your needs.
 d. Click Manage > Nodes.
 e. Click next to the Agent.
 f. Configure the Agent connector as required.

Alerts display but the rule does not fire

Problem statement: You see the alerts required to fire your rule in the LEM console, but your rule still
doesn't fire.

To resolve this issue:

 1. Verify that all of your rules are activated in all open LEM consoles:
 a. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
Click Build > Rules.
 b. Click Activate Rules.
All rule changes you implemented in your LEM Manager are synchronized.
 c. Repeat these steps for all open LEM consoles in your environment.
 2. Compare the InsertionTime and DetectionTime values in the alerts you expected to fire your
rule.
If the time is off by more than five minutes, verify and correct the time settings on your LEM VM or
appliance, and any remote logging devices as necessary.
 3. If your rules still will not fire, restart the Manager service on your LEM VM/appliance.
In general, consider doing this once every six months:
 a. Open the CMC command line. See "Log in to the LEM CMC command line interface" on
page 34 for steps.
 b. At the cmc> prompt, enter manager and press Enter.
 c. At the cmc::manager> prompt, type restart and press Enter.
 d. Press Enter to confirm your entry.

Restarting the LEM Manager service disconnects the Manager for a few seconds. No
data is lost during this process.

 e. Enter exit and press Enter twice to leave the CMC interface.

The rule fires but the email is blank

Problem statement: You receive an email notification for the alert, but the fields in the custom email
template are blank.

To resolve this issue:

 1. Open the LEM console. See "Log in to the LEM web console" on page 31 or "Log in to the LEM
desktop console" on page 33 for steps.
 2. Click Build > Rules.
 3. Locate your rule in the Rules grid.
 4. Click next to your targeted rule and select Edit. Notice that the fields in the Action box are blank.
 5. Copy the event assigned to this rule.

This is the string before the dot in the Correlation box.

 6. Click Events and enter the event in the search field.
 7. Drag the event fields required for your rule into the Actions box.
 8. Click Save to close the Rule Creation window.
 9. Click Activate Rules.

View and modify the time on your LEM appliance

 1. Open the CMC command line. See "Log in to the LEM CMC command line interface" on page 34 for
steps.
 2. At the cmc> prompt, enter appliance.
 3. At the cmc::appliance> prompt, enter dateconfig.
 4. Press Enter through all of the prompts to view the current date and time settings on your LEM
appliance.

By default, LEM receives a time synchronization from the VM host computer. Without the
synchronization, the LEM time is not correct and the rules may not trigger when required.

 5. Disable the time sync on the VM host computer and enable LEM to receive time information from
an NTP server.
 a. At the cmc::appliance> prompt, enter ntpconfig and press Enter.
 b. Press Enter to start the configuration script.
 c. Enter the IP addresses of your NTP servers separated by spaces.
 d. Enter y and press Enter to verify your entry.
 6. Enter exit and press Enter twice to leave the CMC interface.

The rule is not triggered when it should be

Check your rule logic and timestamps. The LEM VM host layer may need to be configured for NTP. By
default, rules will not fire when incoming data drifts more than five minutes from the LEM VM's clock.

 1. Open the CMC command line. See "Log in to the LEM CMC command line interface" on page 34 for
steps.
 2. Type appliance to enter the appliance menu.
 3. Enter the dateconfig command, and confirm the date and time. You can change the time with
this command, but when the vSphere/Hyper-V time sync pushes the time to LEM, this will change.
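
The five-minute comparison from step 2 of "Alerts display but the rule does not fire" and from this section can be scripted over an event export, so you can see at a glance which sources are out of the window and in which direction (device clock ahead of or behind the LEM clock), which tells you whether to correct NTP on the device or on the LEM VM host. The Python script below is an added example, not LEM's own code: it assumes events exported with ISO 8601 InsertionTime and DetectionTime fields (the field names the guide refers to) plus a DetectionIP field identifying the source; the export layout and the sample values are constructed here.

```python
"""Flag event sources whose DetectionTime drifts more than five minutes from
InsertionTime, the condition under which LEM rules will not fire on them."""
from datetime import datetime, timedelta

# Added example, not LEM's own code. Field names InsertionTime and
# DetectionTime are the ones the guide tells you to compare; the export
# format, the DetectionIP field and all sample values are constructed.

MAX_DRIFT = timedelta(minutes=5)

# Constructed sample export. InsertionTime is when the LEM Manager stored the
# event; DetectionTime is the timestamp the sending device reported.
SAMPLE_EVENTS = [
    {"EventName": "UserLogon", "DetectionIP": "10.0.0.10",
     "InsertionTime": "2017-10-19T10:00:05Z",
     "DetectionTime": "2017-10-19T10:00:02Z"},
    {"EventName": "NewGroupMember", "DetectionIP": "10.0.0.20",
     "InsertionTime": "2017-10-19T10:00:07Z",
     "DetectionTime": "2017-10-19T09:47:30Z"},   # device 12.5 min behind
    {"EventName": "UserLogon", "DetectionIP": "10.0.0.30",
     "InsertionTime": "2017-10-19T10:00:09Z",
     "DetectionTime": "2017-10-19T10:12:40Z"},   # device 12.5 min ahead
]


def parse_ts(value):
    """Parse an ISO 8601 timestamp, accepting the trailing 'Z' for UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def drift_seconds(event):
    """Signed drift in seconds: positive when the device clock is ahead of LEM."""
    delta = parse_ts(event["DetectionTime"]) - parse_ts(event["InsertionTime"])
    return delta.total_seconds()


def find_drifting_sources(events, max_drift=MAX_DRIFT):
    """Return {DetectionIP: worst signed drift} for every source whose events
    fall outside the window in which LEM rules will still fire."""
    worst = {}
    for ev in events:
        d = drift_seconds(ev)
        if abs(d) > max_drift.total_seconds():
            ip = ev["DetectionIP"]
            if abs(d) > abs(worst.get(ip, 0.0)):
                worst[ip] = d
    return worst


def report(events):
    """Human-readable lines, one per drifting source, sorted by IP."""
    lines = []
    for ip, d in sorted(find_drifting_sources(events).items()):
        direction = "ahead of" if d > 0 else "behind"
        lines.append(f"{ip}: device clock is {abs(d) / 60:.1f} min {direction} "
                     "the LEM clock; rules will not fire on its events until "
                     "the time is corrected (check NTP on the device and VM host)")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_EVENTS):
        print(line)
```

Run it against a CSV or JSON export of the filter you built for the rule; a source that appears in the output is the clock to fix before touching the rule logic.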

Troubleshoot the LEM reports application
This topic provides information to help you troubleshoot LEM reports.

In this topic:

 • Troubleshoot the LEM reports application database connection 622

 • Repair the LEM reports application 623

Troubleshoot the LEM reports application database connection

Use the following table to troubleshoot error messages that may occur with the ping test used to test the
connection between the LEM reports application and the data warehouse or the primary data source.

Problem or error message: Manager ping timed out.
Description: The reports application was unable to connect to the LEM Manager host name or IP address.
Confirm the host name (or IP address) you entered is correct.
Correction: Confirm that you entered the warehouse host name properly and that it matches a valid DNS
entry. Try entering the warehouse IP address in the Host Name field.

Problem or error message: Sending the authentication packet failed. Could not flush socket buffer.
Description: Reports could resolve and connect to the IP address, but could not authenticate to the
database server at that location.
Correction: Confirm that the host name (or IP address) is correct and allows connections from the location
where you are running the reports application. This error may also require you to modify the report
restrictions.

Problem or error message: Server ping test successful, but database connection test failed. Login
incorrect. Login failed for user [user name].
Description: Reports could resolve, connect to the IP address, and connect to SQL Server, but could not log
in using the reports user credentials.
Correction: Confirm that the host name (or IP address) you specified contains the SolarWinds database.
The warehouse may require a password for reporting purposes. In this case, click Security and enter the
warehouse reporting password.

Problem or error message: Logon failed. Database Vendor Code 210
Description: The system running the LEM reports application is not on the list of authorized reporting
computers.
Correction: Add the system running the reports application to the list of authorized reporting computers.
To allow specific systems to run the LEM reports application, or to remove all reporting restrictions, see
"Restrict access to the LEM reports application" on page 77.

Repair the LEM reports application

If you cannot open the LEM reports application or run reports, complete the following steps.

 1. Uninstall the LEM Reports and Crystal Reports v11 Runtime.
 2. Log in as an administrator and reinstall both components.
 3. On older systems running Windows 7 and Windows Server 2008, adjust the LEM Reports properties
to run the program in Windows XP compatibility mode:
 a. Right-click the LEM Reports shortcut on your desktop or in the SolarWinds Log and Event
Manager program group in your Windows Start menu and select Properties.
 b. Click the Compatibility tab.
 c. Select Run this program in compatibility mode for, and then select Windows XP (Service Pack
3).
 d. Select Run this program as an administrator.
 e. Click OK.
 4. Launch LEM Reports.

Glossary of LEM terms
active response – An action that you or a LEM rule can take in response to suspicious activity or an attack.
Active response actions include the Block IP active response, the Disable Networking active response, the Log
off User active response, the Kill Process active response, the Detach USB Device active response, and so on.

actor – A connector sub-type that can perform an active response. The actor connector allows the Agent to
receive instructions from the LEM Manager and perform active responses locally on the Agent computer,
for example, sending pop-up messages or detaching USB devices. In the LEM console, an orange connector
icon represents an actor connector. Also see sensor.

Agent – In LEM, a software application that collects and normalizes log data before it is sent to the LEM
Manager. The Agent runs as a standalone service and provides additional event alerting on workstations
and servers. An Agent is required for some active responses, including logging off a user, shutting down a
computer, and detaching a USB device. LEM Agents use Secure Socket Layer/Transport Layer Security
(SSL/TLS) to securely transmit log data. Also see connector.

Agent node – In LEM, a single Agent, syslog, or SMTP instance that sends events to LEM. For example, an
environment with 10 routers, 50 switches, 5 firewalls, 300 servers, and 500 workstations has 865 nodes
sending data to LEM Manager.

alert – See event.

appliance – Originally, LEM was sold as a physical appliance that you deployed on your network. Today,
LEM is the virtual image of a Linux-based appliance.

CMC – A command-line interface you can use to interact with the LEM Manager VM to perform routine
administrative tasks without root access.

connector – In LEM, a connector is a stand-alone file that allows LEM to monitor and interact with third-
party vendor products, for example a firewall, an anti-virus application, a router, and so on. Each connector
is named after the specific product that it is designed to support.
Connectors can reside either on a LEM Agent, or on the LEM VM. Connectors installed on an Agent monitor
local log files, but they can also monitor events sent from remote devices that cannot run an Agent.
Connectors can intercept syslog events sent by third-party network devices and translate them into
normalized events. Whereas LEM Agents actively send normalized log events to the LEM Manager,
connectors rely on the host system to send syslog events to the LEM Manager.
Connectors have two subtypes: sensors and actors. A sensor retrieves data from the product that the
connector supports, whereas an actor carries out active responses.

console – See desktop console or web console.

correlation – See event correlation.

desktop console – The optional LEM desktop console lets you manage and monitor LEM without a web
browser. The desktop console provides the same functionality as the LEM web console, but as a Windows-
only native app.

directory service group – In LEM, directory service groups are Windows users and computer accounts
that LEM pulls from Active Directory. You can associate directory service groups with rules and filters. Use
directory service groups if Active Directory is available so that you do not have to manually update lists of
user and computer accounts in user-defined groups.

event – Any alert or notification written to a log that is monitored by LEM. In LEM, the terms event and alert
are interchangeable.

event correlation – The process of extracting useful and/or significant information from the large
number of events flowing in to LEM. Event correlation works by looking for and analyzing relationships
between different event sources.

event distribution policy – LEM's event distribution policy controls how events are routed through the
system. By configuring the event distribution policy, you can disable (or exclude) specific event types at the
event level from being sent to the LEM console and/or the LEM database. Use the event distribution policy
to prevent events of little or no value from being processed by the console or stored in the database.

event group – A group type used to organize events for use with rules and filters. If you use an event
group in a rule, LEM fires the rule when any event in the group triggers an alert.

event response – See active response.

facility code – A numeric code specified by the syslog protocol to identify the type of program that is
logging the message. Sixteen facility codes, ranging from 0 (kernel messages) to 15 (clock daemon), are
reserved for known program types, whereas facility codes 16 through 23 are reserved for local use (local
use 0 up to local use 7). In LEM, facility codes are used to route vendor-specific events to designated log
files.

filters – Filters capture events and alerts that take place on your network. Filter conditions can be broad or
specific. For example, you can create a filter without conditions that captures all events, regardless of the
source or event type, or you can create a filter that has one specific condition, such as "UserLogon Exists,"
which only captures user logon events. LEM ships with filters that support best practices in the security
industry. You can modify these filters to meet your needs.

filter groups – Also called filter categories. Filter categories are used to organize filters in LEM. LEM installs
with seven default categories in the Filters pane: Overview, Security, IT Operations, Change Management,
Authentication, Endpoint Monitoring, and Compliance. Administrators can remove or rename these
categories, or add new categories as needed.

File Integrity Monitoring – Also called FIM. A LEM feature that monitors system and user file activity to
protect sensitive information from theft, loss, and malware. FIM detects changes to critical files and
registry keys to ensure that they are not accessed or modified by unauthorized users. FIM ensures systems
comply with regulatory requirements, including Payment Card Industry Data Security Standard (PCI DSS),
Health Insurance Portability and Accountability Act of 1996 (HIPAA), and Sarbanes-Oxley. FIM is enabled
either by adding a FIM connector to a node, or by adding FIM to an existing connector profile.

flat file log – Any log output to one or more ASCII-based text files. Systems that write to flat file logs
include Linux system logs, web server logs, DNS server logs, custom application logs, and others.

groups – In LEM, groups organize related elements into logical units so that they can be used in rules and
filters. Various group types are used to group events, data elements (such as IP addresses, user names,
web site URLs, and so on), Active Directory users and computers, email templates, Agents and connectors,
and time-of-day sets.

hypervisor – Computer software that runs virtual machines. The LEM VM can be installed on two
hypervisors: Microsoft Hyper-V Server, and VMware vSphere ESX 4.0 or ESXi 4.0 and later.

LEM console – See desktop console or web console.

LEM Manager – The LEM component that collects and processes log messages sent by one or more
network systems. The LEM Manager consists of a syslog server, an optimized database, a web server, a
correlation engine, and a hardened Linux operating system. LEM Manager is deployed as a single VM to a
hypervisor (either Hyper-V or vSphere) running on Windows Server.

Local Agent Installer – A standalone installer that you or another administrator runs on a local host
system to install the LEM Agent. The Local Agent Installer can be used for attended or unattended LEM
Agent installations. Also see Remote Agent Installer.

Manager – See LEM Manager.

NCR – An initialism for New Connector Request. An NCR is a request for SolarWinds to create a connector
for a system or application that does not have one.

NCD – An initialism for New Connector Data. An NCD is a request for SolarWinds to update an existing
connector to receive data that is either being missed or is coming in as unmatched.

nDepth log retention – The nDepth log retention component in LEM is a separate data store to which you
can send raw (un-normalized) log messages. The nDepth database is an optional component that is
disabled by default. To save raw log messages, you need to enable it. Note that, other than the name, the
nDepth log retention component is unrelated to the nDepth search engine.

nDepth search engine – The nDepth search engine can locate any event data, or any original log
message that passes through a particular LEM Manager instance. The log data is stored in real time as it
occurs from each host (network device) and source (application or tool) that is monitored by the LEM
Manager. You can use nDepth to conduct custom searches, investigate your search results with graphical
tools, investigate event data in other LEM explorer utilities, and take action on your findings.

node – An Agent instance monitored by LEM. In the LEM console, choose Manage > Nodes to display the
Agents monitored by each of your LEM Managers.

normalization – The process by which LEM translates raw log data into a standard format prior to storing
the message in the database. The LEM Manager component and the LEM Agent component are both
capable of normalizing raw event messages received from devices on a network. If the nDepth log retention
feature is enabled, LEM also saves raw (un-normalized) log messages in a separate nDepth data store.

Ops Center – See Ops Center view.

Ops Center view – In the web console, the user interface view that provides a dashboard made up of
multiple widgets to help identify trends and problem areas in the network. Administrators can customize
the dashboard by adding, editing, and removing widgets.

Remote Agent Installer – A standalone installer that pushes LEM Agents to Microsoft Windows hosts
across your network without the need to step through an installation wizard. The installer unzips the
installation files to a temporary folder of your choice, searches for Windows systems across the network,
and installs the LEM Agent one at a time to the targeted systems. Also see Local Agent Installer.

reports application – An optional LEM component that can schedule and execute over 300 audit-proven
reports. Install the reports application on either a workstation or a separate networked server. The LEM
reports application requires the free Crystal Reports runtime application.

roles – LEM uses roles to restrict user access to sensitive data. Each LEM user account must be assigned to
one of six LEM role types: Administrator, Auditor, Monitor, Contact, Guest, and Reports.

rules – Rules monitor event traffic and automatically respond to events in real time. When an event (or a
series of events) meets a rule condition, the rule prompts the LEM Manager to carry out a response action.
A response action can be discreet, such as sending notifications to the appropriate users by email; or it
can be active, for example blocking an IP address or stopping a process.

sensor – A connector sub-type that cannot perform an active response. In the LEM console, a blue
connector icon represents a sensor connector. See also actor.

severity – In the syslog protocol, severity is a numeric code used to specify the urgency of the notification.
Severity ranges from 0 (emergency: system is unusable) to 7 (debug: debug-level messages).

SIEM – A category of software products and services that monitor and analyze security events generated
by applications and hardware devices on a network and send notifications when a set threshold is
reached. SolarWinds Log & Event Manager (LEM) is a fully-featured SIEM solution. SIEM is an initialism for
security information and event management.

single sign-on – LEM supports Active Directory single sign-on (SSO). When enabled, LEM does not request
a user name and password if the user is already logged in to Active Directory (AD). Instead, AD
authenticates the user in the background, and automatically logs the user in to LEM with the appropriate
user access rights.

SNMP, SNMP monitoring – Simple Network Management Protocol is used to collect information from
network devices. LEM can receive SNMP traps from SolarWinds solutions to correlate performance alerts
with LEM events. LEM can also send SNMP traps to SolarWinds solutions to enable NPM to monitor CPU,
memory, and other critical LEM components. Versions of LEM older than 6.3.0 do not support sending
health or status updates to other devices over SNMP. LEM versions older than 6.3.0 can only send SNMP
traps to devices when rules fire.

SSO – See single sign-on.

syslog – A message logging protocol used by a wide range of devices, including most network devices, such
as routers, switches, and firewalls. Devices send event notification messages to a central logging server (a
syslog server) that consolidates logs from multiple sources. Syslog messages carry a numeric facility code
that specifies the type of program that is logging the message (LEM uses the facility code to route
messages to a log), and a numeric severity level that specifies the urgency of the notification.
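
The facility code, severity, and syslog entries above describe the header that every syslog message carries, and the "Verify that the LEM is receiving data" procedure in the rules troubleshooting topic relies on that traffic arriving on UDP port 514. The Python script below is an added example, not LEM's own code or connector logic: it decodes the <PRI> header of sample lines into facility and severity (PRI is facility * 8 + severity), summarizes which facilities a captured batch of lines would be routed by, and builds a constructed test line that a function can send to the LEM syslog listener so the checklogs step has a known message to look for. The facility and severity names follow the syslog protocol; the sample lines, host names, and tags are constructed.

```python
"""Decode syslog <PRI> headers into facility and severity codes, and build a
constructed test message for checking delivery to the LEM syslog listener."""
import re
import socket
from collections import Counter

# Added example (not LEM's own code). Facility and severity names follow the
# syslog protocol (RFC 3164/5424); sample lines, host names and tags are
# constructed for illustration.

FACILITIES = {
    0: "kernel messages", 1: "user-level messages", 2: "mail system",
    3: "system daemons", 4: "security/authorization", 5: "syslogd internal",
    6: "line printer", 7: "network news", 8: "UUCP", 9: "clock daemon",
    10: "security/authorization", 11: "FTP daemon", 12: "NTP",
    13: "log audit", 14: "log alert", 15: "clock daemon",
}
# Codes 16 through 23 are reserved for local use (local0 .. local7).
FACILITIES.update({16 + n: f"local use {n} (local{n})" for n in range(8)})

SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed sample traffic as it might arrive on UDP 514.
SAMPLE_LINES = [
    "<134>Oct 19 10:00:00 fw01 firewall: constructed local0 info message",
    "<36>Oct 19 10:00:01 dc01 sshd: constructed auth warning message",
    "<3>Oct 19 10:00:02 web01 kernel: constructed kernel error message",
    "Oct 19 10:00:03 app01 legacy: line without a PRI header",
]


def decode_pri(pri):
    """PRI is facility * 8 + severity, so divmod recovers both fields."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} outside the valid range 0-191")
    return divmod(pri, 8)


def parse_syslog_line(line):
    """Return the decoded header fields, or None when the line has no <PRI>."""
    m = PRI_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m.group(1)))
    return {
        "facility": facility,
        "facility_name": FACILITIES[facility],
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "message": line[m.end():].strip(),
    }


def facility_summary(lines):
    """Count lines per facility name. Lines without a PRI are counted under
    'no PRI header', since they cannot be routed to a log by facility."""
    counts = Counter()
    for line in lines:
        parsed = parse_syslog_line(line)
        counts[parsed["facility_name"] if parsed else "no PRI header"] += 1
    return dict(counts)


def build_syslog_message(facility, severity, hostname, tag, text,
                         timestamp="Oct 19 10:00:00"):
    """Build an RFC 3164-style line such as '<134>Oct 19 10:00:00 fw01 tag: text'."""
    if facility not in FACILITIES or not 0 <= severity <= 7:
        raise ValueError("invalid facility or severity")
    return f"<{facility * 8 + severity}>{timestamp} {hostname} {tag}: {text}"


def send_test_message(lem_host, line, port=514):
    """Send one datagram to the LEM syslog listener so the checklogs step in
    the CMC has a known message to look for. Not exercised by the self-test."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode("utf-8"), (lem_host, port))


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_syslog_line(sample))
    print(facility_summary(SAMPLE_LINES))
```

To check delivery, call send_test_message with your LEM VM's address and a line built with the facility your device is configured to use (for example local0, code 16), then run checklogs from the CMC appliance menu and look for the constructed text in the file for that facility.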

syslog server – A software application (such as Kiwi Syslog Server) that collects syslog messages and
SNMP traps from network devices (such as routers, switches, and firewalls).

USB defender – A free add-on for all LEM Agents installed on Windows computers. USB defender tracks
events related to USB mass storage devices like flash drives and smart phones, and allows the LEM
Manager to send commands to detach offending devices both manually and automatically.

user-defined group – User-defined groups are groups of data elements that can be used in rules and
filters to match, include, or exclude events, information, and data fields. Data elements can be IP
addresses, user names, email addresses, web site URLs, and so on.

virtual appliance – A type of virtual machine that hosts a single application on a hypervisor. To keep
things simple, the LEM documentation refers to the LEM virtual appliance as the LEM virtual machine (or
the LEM VM). The LEM virtual appliance runs on a hardened, Linux-based software stack that includes a
database, a web server, a correlation engine, a syslog server and a SNMP trap receiver.

vSphere – A hypervisor distributed by VMware. The LEM virtual machine can be deployed on vSphere.

web console – The primary LEM user interface that runs in a web browser. Use the web console to
manage and monitor the LEM application. The web console has five views: Ops Center (provides a
dashboard made up of widgets that display a graphical representation of your log data), Monitor (displays
events in real time as they occur on your network), Explore (provides tools for investigating events and
related details), Build (creates user components that process data in LEM Manager), and Manage (manages
properties for appliances and nodes). See also: desktop console.

widget – A user interface component that provides special dashboard functionality, such as displaying
real-time information about network activity, or providing tools for investigating events and related details.
In the LEM console, widgets are displayed in Ops Center view, Monitor view, and nDepth view. Use Widget
Manager to select and add a widget to the dashboard. Use Widget Builder to create a new widget or edit an
existing widget. Master widgets are widget templates located in the Widget Manager categories list (in Ops
Center view), in the Widgets pane based on the filter you select as a data source (in Monitor view), or in
the nDepth toolbar (in nDepth view). Copy a master widget to the Ops Center dashboard or to Monitor view
to create a dashboard widget.
