Defend Your Network with SolarWinds Log & Event Manager Custom Rules

Uploaded by solarwindsinc on 09.09.2011


This video addresses how to create a rule from scratch with multiple actions
using a common scenario.
In this case, we will create a rule to look for unauthorized change management
And when the rule fires,
it will be configured to notify us of the event via email
and log the offending user off.
To create the rule, we're going to click “+” in the Rules area of the console
and that takes us into Rule Creation.
We will call this rule
“Unauthorized Changes.”
Next, we will configure the correlations.
In this case,
we’re going to use an alert group
because there are several different types of change management events out
The group we will use is Auditable Events (All) because that tracks all auditable
user and domain events.
To specify that we only want events triggered by unauthorized users to fire
this rule,
we're going to use the Source Account field.
And we're also going to drag two instances of this field into the
Correlations because there are two things that we need to account for.
For the first line of logic
we will use a group on the variable side of our equation.
The group in this case
will be
the default Admin Accounts group.
However, in your live environment,
you will want to replace this group with either a custom admin accounts group
or directory service group.
In either case, you want to be sure that the group truly represents the
administrative users on your network.
For the next line of logic,
we will use a couple of wildcard characters to account for all share
level or machine level events.
So, basically any event where the username is preceded by a “$”.
So, for the value, we will just type:
“*$*” (star, dollar sign, star),
where the stars are wildcard characters.
Finally, to finish our correlations here,
we need to change the operators for each equation
to negative operators.
And we do that by simply clicking.
So, by doing it for our first line of logic, we change the operator to “Does
Not Contain.”
And when we do so for the second line of logic,
we see the operator is “Does Not Equal.”
So now our correlations are set to look for all change management events
where the source account is neither an administrator nor a share or a machine
The correlation time can be set at its default so now we can address the
As mentioned before, we're going to use the “Send Email Message” action
and the “Logoff User” action. So, I’ll drag those both into my actions area.
For the email message,
we’ll use the Default template, although any custom or default template can be
And then we'll select the default administrative “Admin” user.
Now to populate the fields of our actions,
we first need to look at the correlations.
Because remember the actions should always be driven by the alert or alert
found in your correlations.
In this case, it is “Auditable Events All.”
When we go back to the alert groups, we will find that that's already selected.
So now all we have to do is drag the appropriate fields over into our actions.
For the email message
all we have to do is find the field associated with the label
on the email template.
EventInfo will tell us a brief summary of what happened in the alert
and DetectionTime will give us the date and time at which that alert occurred.
Next, for the Log Off User action, we need to determine what field will represent
the agent involved in the alert.
Well, in this case the DetectionIP field will do the trick
because these types of events will be logged locally on your domain
So, if the user is logged onto the domain controller then that's the machine that
you would want to log them off of
in order for this action to be successful.
So we're going to take DetectionIP and drag that over to the Agent field
and then for the Account Name field we will use SourceAccount because that's the
user making the changes
so of course that's the user we want to log off.
Once everything is configured, we’ll double-check to make sure our rule's
status is okay
and then we'll check the Enable box.
You can also check the Test box and subscribe users if you wish.
Now that I’m done, I’ll click save
and then
“Activate Rules.”
Now, anytime a change management event occurs in which the source account is
not an administrator,
this rule will fire. You will get an email about it and the offending user will be
logged off. To customize this rule for your own environment, remember to create a
custom admin accounts group
or configure the directory service tool on your manager
to ensure that you have a group of administrative users to use for the rule.
Also, you might want to consider some of the other actions that are available to
really fine tune the rule for your environment. Finally,
you may wish to clone the Auditable Events change policy violation rule that's in
the Change Management subfolder of the NATO5 Rules folder.
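
The correlation logic and field-to-action mapping from this walkthrough, modeled in Python as an added example (it is not part of the video and not SolarWinds code). The event dictionaries, account names, IP addresses and the case-insensitive group lookup are constructed assumptions; LEM evaluates rules in its own engine.

```python
from fnmatch import fnmatchcase

# Assumed stand-in for the Admin Accounts group (constructed names).
ADMIN_ACCOUNTS = {"administrator", "jdoe-admin"}
# Wildcard value typed in the walkthrough for share/machine level accounts.
MACHINE_OR_SHARE = "*$*"

def rule_fires(event, admins=ADMIN_ACCOUNTS):
    """True when both negative correlations hold for an auditable event."""
    if event.get("group") != "Auditable Events (All)":
        return False
    account = event.get("SourceAccount", "")
    # Line 1: Source Account "Does Not Contain" the admin group.
    not_admin = account.lower() not in admins
    # Line 2: Source Account "Does Not Equal" *$*.
    not_machine = not fnmatchcase(account, MACHINE_OR_SHARE)
    return not_admin and not_machine

def planned_actions(event):
    """Map alert fields onto the two actions as the walkthrough does."""
    return [
        {"action": "Send Email Message", "recipient": "Admin",
         "EventInfo": event["EventInfo"],
         "DetectionTime": event["DetectionTime"]},
        {"action": "Logoff User", "Agent": event["DetectionIP"],
         "Account Name": event["SourceAccount"]},
    ]

def evaluate(events):
    """Return the action list for every event that fires the rule."""
    return [planned_actions(e) for e in events if rule_fires(e)]

def _ev(group, account, info, ip):
    return {"group": group, "SourceAccount": account, "EventInfo": info,
            "DetectionTime": "2011-09-09 10:15:00", "DetectionIP": ip}

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    _ev("Auditable Events (All)", "Administrator", "Group member added", "10.0.0.5"),
    _ev("Auditable Events (All)", "WS042$", "Machine account changed", "10.0.0.5"),
    _ev("Auditable Events (All)", "bsmith", "User account enabled", "10.0.0.5"),
    _ev("Network Events", "bsmith", "Connection opened", "10.0.0.9"),
]

if __name__ == "__main__":
    for actions in evaluate(SAMPLE_EVENTS):
        for action in actions:
            print(action)
```

Only the `bsmith` change event fires; the administrator, the `$` account and the event outside the alert group are each filtered out by one of the conditions.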