
Copyright 2015 SolarWinds Worldwide, LLC. All rights reserved worldwide.

No part of this document may be reproduced by any means nor modified,
decompiled, disassembled, published or distributed, in whole or in part, or
translated to any electronic medium or other means without the written consent of
SolarWinds. All right, title, and interest in and to the software and documentation
are and shall remain the exclusive property of SolarWinds and its respective
licensors.
SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER
TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON
SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER
INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, AND
NONINFRINGEMENT. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS,
NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING
IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF
SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
The SOLARWINDS and SOLARWINDS & Design marks are the exclusive
property of SolarWinds Worldwide, LLC and its affiliates, are registered with the
U.S. Patent and Trademark Office, and may be registered or pending registration
in other countries. All other SolarWinds trademarks, service marks, and logos
may be common law marks, registered or pending registration in the United
States or in other countries. All other trademarks mentioned herein are used for
identification purposes only and may be or are trademarks or registered
trademarks of their respective companies.
LEM 6.2
9/1/2015

Table of Contents

Chapter 1: Introduction

How LEM Works

LEM Architecture

LEM Manager

Protocols and Communication Direction

What is New in LEM 6.2.0

Chapter 2: Requirements

Virtual appliance minimum resource requirements

Desktop and reports consoles software requirements

Web console software requirements

Chapter 3: Introduction to the Console

Opening Views in the Console

Working with Grids

Rearranging Grid Columns

Sorting a Grid by its Columns

10

Logging In and Out of Managers

11

Logging Into a Manager

11

Logging Out of a Manager

12

Logging Out of the LEM Console

12

Chapter 4: Basic LEM Procedures

13

Ops Center

13

Monitor

14

Explore

14

Collecting and displaying flow data

15

Build

17

Rules Additional Details

17

Manage

17

Adding Devices

18

Agent Installation

19

Configuring Non-Agent Devices

20
LEM User Guide

Configuring Connectors for Agent and Non-Agent Devices

20

Troubleshooting

22

Additional Information

22

Creating Connector Profiles to manage LEM Agents:

23

Verifying Data

24

Which Do I Pick?

24

nDepth: A Fully Integrated IT Search Solution

25

Additional Information

25

LEM Reports: For Compliance and Historical Reporting Needs

26

Troubleshooting

27

Additional Information

28

Adding Filters

29

Which Do I Pick?

29

Use the Default Filters as Examples

29

Other Filter Scenarios

30

Example: Change Management

30

Troubleshooting

31

Additional Information

32

Adding Rules

32

Use Pre-configured Rules to Get Started

32

Example: Change Management

33

Other Rule Scenarios

34

Troubleshooting

35

Additional Information

36

Analyzing Data

36

Which Do I Pick?

37

nDepth: A Fully Integrated IT Search Solution

37

Additional Information nDepth

38

LEM Reports: For Compliance and Historical Reporting Needs

38

Troubleshooting

40

Additional Information LEM Reports

41

Chapter 5: Leveraging LEM

42

Monitoring Windows Domain Controllers for Brute Force Hacking Attempts

42

Configuring the SolarWinds LEM Agent

42

Creating a LEM Rule to Track Failed Login Attempts to Administrative Accounts

46

Monitoring Firewalls for Port Scans and Malformed Packets

48

Setting a Firewall to Log to a LEM Appliance

48

Configuring a Firewall Connector on a LEM Manager

49

Viewing Network Traffic from Specific Computers

50

Creating a LEM Rule to Notify of Potential Port Scanning Traffic

50

Monitoring Antivirus Software for Viruses that are Not Cleaned

52

Setting Antivirus Software to Log to a LEM Appliance

52

Configuring the Antivirus Connector on a LEM Manager

52

Creating a LEM Rule to Track When Viruses Are Not Cleaned

53

Monitoring Proxy Servers for Suspicious URL Access

54

Setting Proxy Server to Log to a SolarWinds LEM Virtual Appliance

54

Configuring a Proxy Server Connector on a SolarWinds LEM Manager

54

Monitoring Microsoft SQL Databases for Changes to Tables and Schema

56

Leveraging the Incidents Report in Security Audits

59

Chapter 6: Ops Center

60

Widgets

60

User Details

62

User: Details Widget

62

User: All Events Widget

62

Node Details

62

Node: Details Widget

62

Node: Connectors Applied Widget

63

Node: All Events Widget

63

Widget Manager

63

Widget Builder

64

Viewing specific widget data

68

Refreshing widget data

69

Opening a filter from a widget

69

Editing a widget's chart presentation

70

Resizing a widget

72

Viewing a widget's legend

72

Where to find widgets

73

Chapter 7: Monitor

74

Monitor View Features

74

Filters and Filter Groups

76

Standard LEM Filters

78

Filter Creation

80

Features of Filter Creation

81

Events

82

Applying a Filter to the Events Grid

83

Sorting the Events Grid

83

Highlighting Events

84

Copying Event Data to the Clipboard

85

Marking Events as Read and Unread

86

Removing Events

87

Using the Event Details/Event Description Pane

88

Event Severity Levels

90

Chapter 8: Explore

91

nDepth

91

nDepth's Visual Tools

92

nDepth's Primary Uses

92

Exploring Events vs. Log Messages

93

Opening nDepth

93

Opening nDepth From Another Data Source

94

Scheduled Saved Searches

96

nDepth's Search Bar

97

nDepth Explorer Toolbar

99

nDepth's History Pane

101

Using the nDepth Histogram

101

Histogram Features

102

Searching the Activity Associated with a Particular Histogram Bar

103

Moving the Search Period

104

Changing the Period's Start and End Time

105

Using Result Details

106

Interpreting Search Results in Events Mode

106

Interpreting Search Results in Log Messages Mode

107

Adding Search Strings from Result Details

108

Using Explorers with Result Details

110

Responding to Result Details

110

Exporting Result Details Data to a Spreadsheet

111

Common nDepth Data Fields

111

Common Data Fields Categories in Events Mode

112

Common Data Field Categories in Log Messages Mode

113

Using the Word Cloud

113

Opening the Word Cloud

114

Viewing Statistics in the Word Cloud

114

Filtering the Contents of the Word Cloud

114

Exploring Items in the Word Cloud

115

Using the Tree Map

116

Opening the Tree Map

116

Resizing Tree Map Categories

117

Exploring items in the Tree Map

117

Using nDepth widgets

117

Default nDepth Chart Widgets

118

nDepth Explorer and Widget Icons

118

Viewing a widget's details

119

Creating a search string from a widget item

120

Adding new nDepth Widgets

120

Editing nDepth Widgets

120

Adding a Chart Widget to the nDepth Dashboard

121

Adding a main nDepth view to the nDepth Dashboard

121

Using Search Builder

122

Opening Search Builder

123

Switching from the Search Bar to Search Builder

123

Search Builder features

124

Configuring a Search with Search Builder

127

Utilities

129

Explorer Types

130

NSLookup Explorer

132

Traceroute Explorer

132

Whois Explorer

133

Manually Exploring an Item

134

Chapter 9: Build

135

Groups

135

Group types

135

Groups View Features

137

Refining the Groups Grid

137

Rules

139

Rules View Features

139

Rules Grid Columns

139

Refine Results Form

140

Rule Categories and Tags

142

Rule Tagging

142

Users

143

Users View Features

143

Users Grid Columns

143

Refining the Users Grid

144

Viewing a User's System Privileges

145

Chapter 10: Manage

146

Appliances View Features

147

Appliances Grid Columns

147

Details Pane

149

Configuring a Manager's Properties

150

The Login Tab

150

The License Tab

152

License Recycling

153

The Settings Tab

153

Configuring Event Distribution Policy

156

Practical Uses for Event Distribution Policy

156

Opening the Event Distribution Policy Window

156

About the Event Distribution Policy Window

157

Configuring Event Distribution Policy

158

Pushing event policy to lower-level event types

159

Exporting a Manager's Event Policy

160

Improving performance with event filtering (Windows only)

161

Table of Alerts with Windows Security Auditing Provider SIDs

162

Adding and Editing Nodes

163

Nodes View Features

163

Nodes Grid Columns

164

Adding a Syslog Node

167

Scan for New Nodes

168

Adding Nodes Manually

169

Refining the Agents Grid

169

Chapter 11: Adding and controlling users and groups

171

Adding New Users

171

Editing User Settings

176

Deleting Users

176

Restricting LEM Reports

177

Chapter 12: Utilizing the Console

179

Creating filters for real-time monitoring

179

Creating conditions to filter event reporting

184

Creating a New Filter

187

Editing an Existing Filter

188

Cloning an Existing Filter

189

Pausing Filters

190

Resuming Paused Filters

190

Turning Filters On and Off

191

Copying a Filter

192

Importing a Filter

193

Exporting a Filter

193

Deleting a Filter

194

Managing Filter Groups

195

Adding a New Filter Group

195

Renaming a Filter Group

195

Rearranging Filter Groups

195

Moving a Filter From One Group to Another

196

Deleting a Filter Group

197

Responding to Events

197

Using the Respond Form's Drag and Drop Functionality

198

Review events with the Event explorer

200

Opening the Event explorer

200

Event Explorer features

200

Exploring events

202

Using the Event Map

202

Reading an Event Map

203

Event Map Legend

204

Using the Event Grid

204

Viewing information in the event grid

205

Exploring From the Event Grid

205

Using the Event Details Pane

205

Opening and Closing the Event Details Pane

206

Viewing an Event's Event Details

206

Exploring From the Event Details Pane

206

Performing nDepth Searches

208

Creating Search Conditions

210

Deleting Items From Search Strings

211

Creating Custom time frames

212

Saving a Search

213

Using a Saved Search

214

Making Changes to a Saved Search

214

Exporting nDepth Search Results to PDF

215

Exploring Search Results from Graphical Views

216

Taking Action on Event Details

216

Deleting a Saved Search

217

Creating Search Conditions

217

Deleting Items From Search Strings

219

Creating Custom time frames

220

Managing Connectors

221

Adding New Connector Instances

222

Starting a Connector Instance

224

Stopping a Connector Instance

225

Editing a Connector Instance

225

Deleting a Connector Instance

226

Creating Connector Profiles to Manage and Monitor LEM Agents

227

File Integrity Monitoring Connectors

228

Features of FIM

229

What can FIM detect?

229

Adding a FIM Connector

230

Monitors

231

Adding Custom Monitors

231

Editing Monitors

231

Promoting a Monitor to a Template

231

Deleting a Monitor

231

Adding Conditions

232

Editing Conditions

232

Deleting Conditions

233

FIM Connector Advanced Settings

233

Managing Widgets

235

Opening and Closing the Widget Manager

235

Creating New Master Widgets

235

Editing Master Widgets

236

Adding Widgets to the Dashboard

237

Deleting Master Widgets

238

Editing a Dashboard Widget

239

Deleting Dashboard Widgets

239

Chapter 13: Advanced Configurations

240

Setting up an Appliance

240

Adding Appliances to the Console

240

Copying Appliance Data

242

Removing an Appliance

242

Managing Connectors

243

Configuring Manager Connectors (general procedure)

243

Configuring Agent Connectors (general procedure)

243

Using Connector Profiles to Configure Multiple Agents

244

Configuring email active response connectors

245

Requirements

245

Configuring the email active response connector

245

Testing the Email Active Response Connector

246

Managing Groups

246

Adding a New Group

246

Editing a Group

247

Cloning a Group

247

Importing a Group

248

Exporting a Group

249

Deleting a Group

249

Configuring Event Groups

250

Event List Features

251

Configuring Directory Services Groups

253

How to Use Directory Services Groups

253

Synchronizing Directory Service Groups with LEM

253

Viewing a Directory Services Group's Members

255

Directory Services Group Grid Columns

255

Deleting DS Groups

256

Configuring Email Templates

256

Step 1: Creating the Email Template

257

Step 2: Adding Message Parameters

258

Step 3: Creating the message

259

Managing email template folders

259

Configuring State Variables

259

Adding new State Variable fields

260

Editing State Variable fields

262

Deleting State Variable fields

262

Managing State Variable Folders

263

Configuring Time of Day Sets

263

Configuring a Time of Day Set

263

Selecting periods in the time grid

265

Configuring User-Defined Groups

265

Examples of User-Defined Groups

265

Configuring a User-Defined Group

266

Adding data elements to a User-Defined Group

267

Editing a data element in a User-Defined Group

268

Deleting a data element from a User-Defined Group

269

Configuring Connector Profiles

270

Connector Profile Rules

270

Creating a Connector Profile (general procedure)

271

Step 1: Selecting a template for the profile

271

Step 2: Selecting the Agents that are members of the profile

272

Editing a Connector Profile's Connector Settings

274

Opening a Connector Profile's Settings

274

Adding a New Connector Instance

275

Editing a Connector Profile's Connector Settings

275

Managing Rules

276

Creating Rules

276

Rule Creation Features

277

Advanced Thresholds

278

Editing threshold fields

280

Deleting a threshold field

280

Using the Actions box

281

Using constants and fields to make actions flexible

281

Configuring a Rule's Actions

281

Adding a New Rule

282

Rule Window Features

284

Correlations Box Features

287

Editing Rules

290

Subscribing to a rule

291

Enabling a rule

293

Placing rules in test mode

294

Activating rules

297

Disabling a rule

297

Cloning rules

299

Importing a rule

299

Exporting rules

300

Deleting Rules

301

Connector Configuration Features

302

Connectors Grid Columns

303

Connectors Grid Icons

304

Refining the Connectors Grid

305

Chapter 14: Reports

307

About Reports

308

Opening Reports

309

Using the Quick Access Toolbar

309

Default commands

310

Customizing the Quick Access Toolbar

310

Moving the Quick Access Toolbar

311

Minimizing the Ribbon

312

Configuring Report Preferences

313

Table of preferences

313

Selecting a (default) Primary Data Source

314

Configuring a syslog server

315

Configuring a Data Warehouse

317

Troubleshooting Database Connections

319

Managing report categories

321

Manage Categories form

321

Selecting reports for specific industries

322

Industry options

323

Creating a list of favorite reports

326

Removing a report from the Favorite Reports tab

327

Viewing Historical Reports

329

Working with report lists

329

Viewing lists of reports by category

329

Locating a report by title

330

Viewing a report's properties

331

Creating a list of favorite reports

332

Custom report filters

333

Creating a custom report filter

333

Saving a custom report filter

334

Opening a saved custom report filter

335

Exporting a report

336

Reports features

337

Key features of the Reports window

338

Using the Menu Button

340

Grouping reports

341

Creating a report group

342

Viewing the reports within a group

343

Creating a sub-group

343

Managing reports

345

Editing a scheduled report task

345

Deleting a schedule from a task

346

Deleting a scheduled report task

346

Printing reports

347

Printing a report

347

Setting up printer preferences

348

Filtering report lists

349

Filtering a report list

350

Changing a filter setting

350

Turning off report filters

350

Running and Scheduling Reports

351

Running Reports on Demand

351

Report Errors

354

Scheduling Reports (process overview)

354

Step 1: Selecting the report you want to schedule

355

Step 2: Adding a new scheduled report task

356

Step 3: Scheduling the Report

358

Step 4: Selecting Advanced Scheduling Options

360

Step 5: Stating when the system can or cannot run the task

362

Step 6: Assigning the data source and scope

365

Step 7: Exporting a scheduled report

368

Searching reports for specific text

370

Viewing the text-based details of a report

370

Using the Search tool

370

Using the Select Expert tool

371

Running a query with the Select Expert tool

372

Restoring the original report

374

Sorting, filtering, and grouping report lists

374

Sorting the report list

374

Viewing reports

375

Opening your saved reports

375

Viewing the sections of a master report

376

Hiding and showing a master report's sub-topic pane

377

Viewing the pages of a report

379

Magnifying and reducing report pages

380

Stopping a report in progress

381

Chapter 15: Setting up an nDepth Appliance

383

Using a separate nDepth appliance

383

Installing a Separate nDepth Appliance

383

Configuring Network Connectors for Use with nDepth

384

Alternate Storage Methods

384

Where to Find the Numbers

385

Disk Usage Summary

385

Log Storage Maintenance Report

386

Alternate Storage Methods

386

Chapter 16: Enabling Transport Layer Security

388

Enabling Standalone LEM Appliance

388

Setting up a Dedicated LEM User for Reports Accessing

389

Configuring Reports Application

390

Enabling TLS on a LEM Manager with a Dedicated Database Appliance

390

Enabling TLS on LEM Database

391

Importing Certificates into the Manager and Database

392

Chapter 17: Troubleshooting

394

Troubleshooting Disconnected or Missing LEM Agents

394

Troubleshooting Connected LEM Agents

395

Troubleshooting Network Devices Logging to LEM

396

Troubleshooting Devices Logging to a Log File on the Appliance

398

Contacting Support

398

Appendix A: Standard Widget Tables

399

Appendix B: Events

402

Event types

403

Asset Events

403

Audit Events

407

Incident Events

425

Internal Events

426

Security Events

431

Appendix C: Appendix Event Data Fields

482

Appendix D: Connector Categories

485

Appendix E: CMC Commands

513

Logging on to CMC

513

Using the CMC 'appliance' menu

515

Using the CMC 'manager' Menu

516

Using the CMC 'ndepth' menu

518

Using the CMC 'service' Menu

519

Upgrading LEM Connectors

522

Updating connectors using the LEM Console

522

Updating connectors using the CMC interface

522

Appendix F: Report Tables

524

Table of Audit reports

524

Table of Security reports

551

Table of Support Reports

581

Report schedule definitions

583

Appendix G: Connector Configuration Tables

584

Connector Categories

584

Configuring Sensors

590

Configuring Actors

593

Setting up a Notification System

596

Appendix H: Filter Configuration Tables

599

Comparing Values with Operators

601

Selecting a new operator

601

Operator tips

602

Table of operators

602

Examples of AND and OR conditions

603

Configuring event filter notifications

604

Selecting the notification method

604

Notifications table

605

Appendix I: Rule Configuration Tables

608

Appendix J: Additional Configuration and Troubleshooting Information

626

Auto-populating User-Defined Groups Using a LEM Rule

628

Additional Information

629

Configuring Default Batch Reports on Windows 7, 8 and Windows Server 2008, 2012 Computers

630

Choosing a Reports Computer

630

INI File Preparation

630

Scheduling the Reports to Run

631

Default Report Schedules

632

Daily Reports

633

Weekly Reports

633

Configuring LEM Reports on Computers without the LEM Console

634

Configuring Report Restrictions

635

Configuring the USB Defender Local Policy Connector

636

Configuring your LEM Appliance Log Message Storage and nDepth Search

638

Creating a Custom Filtered Report

640

Creating a Filter for a Specific Event Type

641

Creating Connector Profiles to Manage and Monitor LEM Agents

642

Creating Email Templates in the LEM Console

644

Creating Rules from your LEM Console to Take Automated Action

647

Creating Users in the LEM Console

650

Disabling Windows Filtering Platform Alerts Using Alert Distribution Policy

652

Table of Descriptions by Event ID

654

Do not modify the Output, nDepth Host, or nDepth Port fields when configuring LEM connectors unless your appliance is set up to store original log data

655

Enabling Windows File Auditing in Windows

656

Enabling LEM to Track Events

659

Filtering and Exporting LEM Reports

661

Getting Started with User-Defined Groups

663

Using Directory Service Groups to account for Windows users, groups, and computer accounts.

665

Extended Description

665

Uses

666

Filters

666

Rules

666

Modifying Filters for Users with the Monitor Role

667

Output, nDepth Host, nDepth Port Fields

668

Report Formats and their Corresponding Numbers Listed in a LEM Scheduled Report INI File

669

Troubleshooting LEM Agent Connections

671

Troubleshooting LEM Rules and Email Responses

676

Additional Information

681

Troubleshooting Unmatched Data or Internal New Connector Data Alerts in the LEM Console

683

Troubleshooting Syslog Devices

683

Table of Conflicting Devices

685

Troubleshooting Agent Devices/Connectors

685

Contacting Support

686

Using the Append Text to File Active Response

688

Using the Block IP Active Response

691

Additional Information

692

Using the Computer-based Active Response

693

Using the Detach USB Device Active Response

695

Using the Disable Networking Active Response

697

Using the Kill Process Active Response

699

Using the SolarWinds LEM Local Agent Installer Non-interactively

701

Using the SolarWinds LEM Remote Agent Installer

704

Using Time of Day Sets to Pinpoint Specific Time Frames in Filters and Rules

708

Using the User-based Active Response

711

Viewing All Traffic from a Specific Device in the LEM Console

713

Windows Audit Policy and best practice

715

For Windows 7/8/2008/2012 (Sub-Category-Level Auditing):

717

Chapter 1: Introduction
SolarWinds Log & Event Manager (LEM) is a state-of-the-art virtual appliance that
adds value to existing security products and increases efficiencies in
administering, managing and monitoring security policies and safeguards on your
network.
SolarWinds LEM is based on brand new concepts in security. You can think of it
as an immunity system for computers. It is a system that is distributed throughout
your network to several points of presence that work together to protect and
defend your network. SolarWinds LEM responds effectively with focus and speed
to a wide variety of threats, attacks, and other vulnerabilities.
SolarWinds LEM collects, stores and normalizes log data from a variety of
sources and displays that data in an easy to use desktop or web console for
monitoring, searching, and active response. Data is also available for scheduled
and ad hoc reporting from both the LEM Console and standalone LEM Reports
console.
Some common use cases for SolarWinds LEM include the following:

- Correlating network traffic from a variety of sources using filters and rules.
- Visualizing log data in dynamic graphs, charts and other widgets.
- Monitoring USB mass storage device activity on network Agents.
- Responding to countless threats, attacks and other vulnerabilities with easy
  to use point-and-click and automated active responses.
- Searching normalized log data for events of interest.
- Change Management and other security-related reporting for management
  and auditors.

How LEM Works

The SolarWinds LEM system is based on software modules called Agents, which
collect and normalize log data in real time before it is processed by the virtual
appliance, and on other non-Agent devices, which send their log data directly to the
Manager for both normalization and processing.

Agents are installed on workstations, servers, and other network devices where
possible. Agents communicate the log data from each device's security products
to the LEM virtual appliance. These security products include anti-virus software,
network-based intrusion detection systems, and logs from operating systems.
When an Agent cannot be installed on a device, that device can be set to send its
log data to the LEM Manager for normalization and processing. Examples of
devices that cannot host Agent software include firewalls, routers, and other
networking devices.
LEM accepts normalized data and raw data from a variety of devices. LEM Agent
connectors normalize the data before sending it to the LEM Manager. Non-Agent
devices send their log data in raw form to the LEM Manager. The following
diagram shows this flow of data and the ports involved. Once normalized, log data
is processed by the LEM Manager, which provides a secure management
clearinghouse for normalized data. The Manager's policy engine correlates data
based on user-defined rules and local alert filters, and initiates the associated
actions when applicable.
These actions can include notifying users both locally in the Console and by
email, blocking an IP address, shutting down or rebooting a workstation, and
passing the alerts on to the LEM database for future analysis and reporting within
the Reports application.

LEM Architecture

The LEM architecture is uniquely designed for gathering and correlating logs and
events in real time at network speed, and for further defending the network using
LEM's Active Response Technology. The figure below illustrates the typical log
sources and LEM software components. It also illustrates the direction in which
communication is initiated and the network protocols used.

LEM Manager

The LEM Manager is the result of deploying the Virtual Appliance; it consists of
the following key components:

- Hardened Linux OS
- Syslog Server and SNMP Trap Receiver
- High compression, search optimized database
- Web server
- Correlation engine

For Network Device log sources such as routers, firewalls, and switches, LEM
relies on these devices sending Syslog messages to the Syslog server running
on the LEM appliance.

For Servers and Applications, LEM largely relies on a LEM Agent installed on
these servers. The LEM Agent has a negligible footprint on the server itself, and
provides a number of benefits to ensure logs are not tampered with during
collection or transmission, while being extremely bandwidth friendly.
For Workstations, the LEM Agent used on Windows workstations is the same as
the one used for Windows servers.
Other SolarWinds solutions like Network Performance Monitor (NPM), Server &
Application Monitor (SAM) and Virtualization Manager (VMan) can send
performance alerts as SNMP Traps to LEM. LEM can correlate these performance
alerts with LEM events.
You can install the LEM Reports Console on any number of servers to schedule
the execution of over 300 audit-proven reports. From a security standpoint, the
command service > restrictreports can be used to limit the IPs that can run these
reports.

Protocols and Communication Direction

Below is a summary of the protocols and communication direction.

- Network devices can send Syslogs to the LEM Manager over TCP or UDP. The
  direction of this communication is from the network device to the LEM
  Manager.
- LEM Agents installed on servers and workstations initiate TCP connections
  to the LEM Manager, so the Agents push data to the LEM Manager.
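The two passages above, "How LEM Works" (non-Agent devices send raw log data that the Manager normalizes) and the syslog-over-TCP/UDP path just described, can be made concrete with a small normalizer. The following is an added example written for this guide; it is not SolarWinds code and does not show how the LEM Manager is implemented. It parses constructed BSD-style (RFC 3164) syslog lines of the kind a firewall or switch emits, decodes the PRI value into facility and severity, and produces one normalized record per line. The field names, the year supplied for the year-less BSD timestamp, and the "UnmatchedData" record type (chosen to echo the guide's "Unmatched Data" alerts) are this example's own assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines in the BSD syslog (RFC 3164) layout that network
# devices commonly emit. These are made up for the example, not real output.
SAMPLE_SYSLOG = [
    "<4>Sep  1 10:15:02 fw-edge-01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP DPT=22",
    "<38>Sep  1 10:15:07 core-sw-01 sshd[2417]: Accepted password for admin from 10.0.0.9 port 51002",
    "not a syslog line at all",
]

# Standard syslog facility and severity codes (PRI = facility * 8 + severity).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                              # PRI in angle brackets
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "    # BSD timestamp, no year
    r"(?P<host>\S+) "                                   # originating host
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: "        # program[pid]:
    r"(?P<msg>.*)$"
)


def normalize(line, year=2015):
    """Turn one raw syslog line into a normalized event dict.

    Lines that cannot be parsed are returned as an 'UnmatchedData' record
    (assumed name) so they stay visible instead of being silently dropped.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return {"event_type": "UnmatchedData", "raw": line}
    pri = int(m.group("pri"))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        return {"event_type": "UnmatchedData", "raw": line}
    facility, severity = divmod(pri, 8)
    # RFC 3164 timestamps carry no year, so the collector has to supply one.
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {
        "event_type": "SyslogMessage",
        "timestamp": ts.isoformat(),
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "host": m.group("host"),
        "program": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "message": m.group("msg"),
        "raw": line,
    }


def normalize_all(lines, year=2015):
    """Normalize a batch of raw lines, preserving order."""
    return [normalize(line, year) for line in lines]


if __name__ == "__main__":
    for event in normalize_all(SAMPLE_SYSLOG):
        print(event)
```

Normalizing on receipt is what lets filters and rules compare a firewall's kernel-level drop and an SSH login on a switch on the same fields (host, severity, program) regardless of which device produced them. Because the BSD timestamp has no year, a collector that guesses the year wrong around a year boundary will misdate events, which matters when the stored data feeds reports for auditors.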

What is New in LEM 6.2.0

- Threat intelligence feed
  - Automatically evaluate your traffic against a comprehensive, open-source
    database of malicious IP addresses
  - Get real-time historical visibility of traffic from known bad actors using
    rules, filters, and search
- Automatic connector updates
  - Enable automatic connector updates through the LEM Console.
  - Ensure you always have the newest, most up-to-date connectors for all
    devices.
- Customer-requested improvements
  - LEM Virtual Appliance details from the LEM Console for effective
    resource allocation
  - NTLMv2 authentication support for backup and archive functionality
  - FileAudit Event report bug fixes and enhancements
  - New connectors for Kareio, Blue Coat, Proofpoint, GENE6, and more

Chapter 2: Requirements

Different sized installations may require greater or fewer resources. For detailed
information on sizing and resource requirements, refer to the "Requirements"
section of the Log & Event Manager Deployment Guide.
Before installing, always make sure your hardware and software meet
the minimum requirements.

Virtual appliance minimum resource requirements

Software/Hardware        Requirements
Virtualization platform  - VMware vSphere Hypervisor ESX/ESXi 4.0 or later
                         - Microsoft Hyper-V Server 2008 R2, 2012, and 2012 R2
CPU speed                2 GHz
Memory                   8 GB
Hard drive space         250 GB is advised for smaller deployments.
                         2.0 TB is advised for larger deployments.

Desktop and reports consoles software requirements

Software/Hardware                  Requirements
Operating system, and desktop and  - Windows Vista
reports consoles                   - Windows 7
                                   - Windows 8
                                   - Windows Server 2008 and 2008 R2
                                   - Windows Server 2012 and 2012 R2
                                   - Windows 10
CPU speed                          1 GHz Pentium III or equivalent
Memory                             1 GB
Hard drive space                   5 GB
Environment variables              Ability to install all software with administrator rights
Desktop console                    Adobe Air 18

Web console software requirements

Software/Hardware    Requirements
Adobe Flash          Flash Player 15
Supported browsers   - Internet Explorer 8 and later
                       The web console does not run on Internet Explorer 10 on
                       Windows Server 2012.
                     - Mozilla Firefox 10 and later
                     - Google Chrome 17 and later

Chapter 3: Introduction to the Console

The LEM Console is organized into different functional areas, called views.
These views organize and present different information about the components
that make up the LEM system.

- In Ops Center, you'll find a dashboard view that presents visual
  representations of your data.
- In Monitor, you'll filter and view event details.
- In Explore, you'll find utilities for investigating events and their details.
- In Build, you'll create critical components of LEM that function on a
  Manager for processing data.
- In Manage, you'll manage properties associated with Agents and
  Managers, and configure data sources to integrate your network security
  data with LEM.
- Reports is a separate application. Its reporting tools let you run or schedule
  reports about the data that is stored in your LEM database.

The following topics briefly explain the role of each view of the Console, each
view's primary uses, and where to get information on performing key tasks within
that view. Topics are arranged here in an order that will help you understand the
most fundamental items first, such as events, event filters, and widgets. They then
progress to more advanced features, such as exploring events, and creating
Groups and rules.

Opening Views in the Console

The Console is made up of multiple views, where each view has a special
function.

To open a view:

- To open the Ops Center view (to work with widgets), click Ops Center.
- To open the Monitor view (to view, manage, and create filters), click
  Monitor.
- To open the Explore view (to work with explorers), click Explore.
- To open the Explore view (to search or view event data or log messages),
  click Explore and then select nDepth.
- To open the Explore view (to view additional utilities), click Explore and
  then select Utilities.
- To open the Groups view (to build and manage Groups), click Build and
  then select Groups.
- To open the Rules view (to build and manage policy rules), click Build and
  then select Rules.
- To open the Users view (to add and manage Console users), click Build
  and then select Users.
- To open the Appliances view (to add and manage appliances), click
  Manage and then select Appliances.
- To open the Nodes view (to add and manage Agents), click Manage and
  then select Nodes.

Working with Grids

Grids are used throughout the Console. The following topics explain how to
perform common tasks with grids, such as selecting rows and grid cells, resizing
grid columns, rearranging grid columns, and sorting a grid by its columns.

Rearranging Grid Columns

When needed, you can rearrange the order in which grid columns appear. The
columns will stay in their rearranged order until you exit the Console. Upon
reopening the Console, the columns revert to their default order.
To rearrange grid columns:
Click the header of the column you want to move; then drag it to the right or left
and drop it into the desired position.

Sorting a Grid by its Columns

You can sort the data in a grid by clicking its column headers. You can sort each
column in ascending (alphabetical) order, or in descending (reverse alphabetical)
order. In many cases, you can sort a grid by more than one column by using the
Ctrl+click method.
Note: Before sorting the Monitor view's event grid, you must first click the grid's
Pause button to stop the incoming event traffic. When you are done, click
Resume to continue receiving event traffic.
To sort a grid:

• Click one of the grid's column headers to sort the grid by that column. If the
  column header shows an upward arrow, it means the column data is
  sorted in ascending order (alphabetically, or from lowest to highest: A to Z, 1
  to 0).
  If the column header shows a downward arrow, it means the column data
  is sorted in descending order (reverse alphabetical, or from highest to
  lowest: Z to A, 0 to 1).
• Click the column header again to sort the grid by the same column, but in
  reverse order.

To sort a grid by multiple columns:

• Press and hold the Ctrl key; then click another column header. You can tell
  how the table is sorted by the small up and down arrows in the column
  headers, and by the little numbers (1 and 2) that appear next to them. An up
  arrow means the column is sorted in ascending order. A down arrow
  means it is sorted in descending order. The numbers state the column sort
  order: 1 is the first sort, 2 is the second sort, and so on.
• If a secondary column's sort order is in the wrong direction, press the Ctrl
  key and click the column header again. This will reverse the column's sort
  order.
• By pressing Ctrl and then clicking the Name column, you can also sort the
  tool names in ascending or descending order. In the example shown here,
  the Name column was sorted in ascending order, so the specific tools
  would appear in alphabetical order within each tool category.

Logging In and Out of Managers


When first connecting to the web console, you are prompted to authenticate to the
host manager. If you have additional managers associated with that console, log
in to configure them or view their events. Logging out will disconnect you from
additional managers in the web console. To disconnect from the host manager,
close the browser window.
Note: Only existing Administrator, Auditor, and Monitor Users can log on to
the system. Contacts cannot log on to LEM.

Logging Into a Manager

1. At the top of the LEM Console, click Manage and then click Appliances.
2. In the Appliances grid, click to select the appliance you want to work with.
3. Click the gear button and then select Login. Depending on the
   Manager's Login tab settings (in the Properties pane), the LEM Console
   may automatically log you on to the appliance. Otherwise, the Login form
   appears.
4. In the Username box, type the user name for this Manager.
5. In the Password box, type the password for this Manager.
6. Click OK or press Enter to log on. An icon appears in the Manager's
   Status column, indicating that you are logged on to that Manager.

Logging Out of a Manager

1. At the top of the Console, click Manage and then click Appliances.
2. In the Appliances grid, click the gear button for the Manager you want
   to log out of, and then select Logout. After a moment, an icon appears
   in the Manager's Status column, indicating that you are no longer logged
   on to that Manager.

Logging Out of the LEM Console


Clicking the Logout button closes the Console window and disconnects the
Console from any connected Managers. Logging out of the Console causes it to
disappear to the Managers, but the Managers continue to gather information from
their Agents. However, when you reopen the Console, it will not display the
Manager and Agent event traffic that occurred when it was closed. Instead, the
event grid will be blank.
It is recommended that you keep the Console running either on your workstation
or a secondary workstation to best monitor events on a daily basis.

Chapter 4: Basic LEM Procedures

Click the video icon to view the corresponding tutorial, which introduces LEM
and its basic tasks.
Access your log and event data using the LEM web console or local desktop
console. Both interfaces allow you to monitor your data in real time with filters,
respond automatically to specific events with rules, and analyze events on your
network with the nDepth search utility. Access all of these features and more on
the navigation bar at the top of the LEM Console window.

Ops Center
Use the Ops Center tab as a real-time graphical overview of the events on your
network. The Ops Center includes the following useful components:

• A customizable dashboard with several default charts and graphs,
  called widgets
• The Widget Manager to browse, edit, add, and pin widgets
• Informational widgets with links to videos, documents, and other
  resources

To add a widget to the Ops Center dashboard:
1. In the LEM Console, click the Ops Center tab.
2. Click Widget Manager in the upper-right corner.
3. Find and select a filter from the Categories list.
4. In the Widgets pane, scroll through the available widgets to put the widget you
   want in the main preview position.
5. Click Add to Dashboard in the upper-right corner.
6. To re-position the widgets on the dashboard, drag and drop them into a new
   position.
To create a new widget using Widget Manager:
1. In the LEM Console, select the Ops Center tab.
2. Click Widget Manager in the upper-left corner.
3. Click the plus button ( + ) at the top of the Categories list.
4. Complete the Widget Builder form.
5. To pin the new widget to the dashboard, select Save to Dashboard.
6. Click Save.

Monitor
Use the Monitor tab to view all of the monitored events on your network in real
time. Monitor includes the following useful components:

• A real-time event stream to which you can apply event filters
• The Event Details pane, which displays the details for any event
  you highlight in the event stream
• A Widgets pane, which displays a graphical representation of the
  current filter, if available
• Several default filters to refine the data you see in the event stream
• A GUI filter editor, called Filter Creation, to create and edit event
  filters

To apply a filter to the Monitor event stream, select a default or custom filter
from the Filters list.
To view the Event Details for a specific event in the event stream, select the
event in the event stream.
To change the widget the Widgets pane displays for a filter:
1. In the LEM Console, select the Monitor tab.
2. Select the filter you want to modify in the Filters pane.
3. Click the menu at the top of the Widgets pane, and then select the widget you
   want that filter to display.

Explore
Use the Explore tab menu to access several analysis utilities to get additional
information about the events you see in the LEM Console. Use the nDepth option
in the Explore menu to search and analyze the events on your network. nDepth
includes the following useful components:

• A variety of clickable charts and utilities to view and refine search
  results
• A comprehensive toolbar to switch between multiple utilities and
  views
• A Result Details utility to view all of your search results in text
  format
• A PDF export utility to configure and export custom reports

Use the Utilities option in the Explore menu to access several IT analysis
utilities, including:

• Whois
• NSLookup
• Traceroute
• Flow (sFlow and NetFlow)

To execute a Whois, NSLookup, or Traceroute task from an event or search
result in the LEM Console:
1. Find the event or search result you want to explore further, and then select it.
2. Click the Explore menu on the Event Grid or nDepth title bar (next to
   Respond), and then select the utility you want to use.
To execute a blank Whois, NSLookup, or Traceroute task in the LEM
Console:
1. Click the Explore tab on the navigation bar, and then select Utilities.
2. Click the Explore button on the Utilities title bar, and select the utility you
   want to use.
3. Complete the form for the utility, and then click Search.
Collecting and displaying flow data
LEM supports flow exports from both NetFlow and sFlow devices. Use the Flow
Explorer in the LEM Console to view graphs, charts, and grids, including the
following:

• Top Talkers by IANA-based Protocol
• Top Talkers by Port
• Top Talkers by Source/Destination Address
• Top Talkers by Total Bytes
• Top Talkers by Total Packets

Refer to the manufacturer specifications to configure your devices to send Flow
data to your LEM appliance. The LEM appliance accepts flow data on port
2100/UDP for NetFlow devices and port 6343/UDP for sFlow devices.
To enable flow collection and analysis on the LEM appliance:
1. Connect to your LEM virtual appliance using either the vSphere console
   view, or an SSH client like PuTTY.
2. If you are using an SSH client, log in to your LEM virtual appliance using
   your CMC credentials.
3. At the cmc> prompt, enter service.
4. At the cmc::scm# prompt, enter enableflow.
5. Enter y to confirm your entry. This command automatically restarts the
   Manager service on the LEM appliance.
6. To enable Flow analysis for Flow data collected on another computer, enter
   n and follow the prompts to specify the Flow collector. Otherwise, enter y.
7. Enter exit to return to the cmc> prompt.
8. Enter exit to log out of your LEM virtual appliance.
To view Flow data in the LEM Console:
1. Open your LEM Console and log in to the LEM Manager as an
   administrator.
2. Open the Monitor, Utilities, or nDepth view.
3. Click the Explore menu, and then select Flow. The Flow Explorer presents
   data in graph, chart, or grid formats.

Build
Use the Build tab menu options to customize LEM behavior. The Build menu
consists of the following options:

• Groups: Create and manage lists of users, computers, and
  information.
• Rules: Create and manage rules that correlate events from different
  systems and instruct the LEM appliance to respond accordingly.
• Users: Create and manage LEM Console users.

For additional information about the Users and Groups options in the Build
menu, see:

• Getting Started with User-Defined Groups
• Creating Users in the LEM Console

Rules Additional Details

View custom and pre-configured rules in the Rules view under the Build menu.
The Rules view consists of the following useful components:

• A GUI editor, just like Filter Creation
• A community rule set, organized by event-centric categories
• 35 active responses to assign to custom or pre-configured rules

Manage
Use the Manage tab menu to access details about your LEM architecture. The
Manage menu consists of the following options:

• Appliances: Add LEM appliances to monitor in the LEM Console,
  view your LEM license details, and configure global settings.
• Nodes: View and manage LEM nodes, including remote logging
  devices and LEM Agents.
To set your LEM Console authentication preferences:
1. In the LEM Console, click the Manage tab, and then select Appliances.
2. Click the Login tab on the Properties pane.
3. To enable the LEM Console to authenticate to your LEM appliance upon
   launch, enter your LEM Username and Password.
4. To enable the LEM Console to ask you for your LEM password upon launch,
   enter your LEM Username only.
5. Select Login Automatically Next Time.
6. Select Save Credentials.
7. Click Save.
To set the global password policy for LEM users:
1. In the LEM Console, click the Manage tab, and then select Appliances.
2. Click the Settings tab on the Properties pane.
3. Adjust the Minimum Password Length according to your preference.
4. To require complex passwords for LEM users, select Must Meet Complexity
   Requirements.
Note: Complex passwords must include any three of the following four character
types:

• Capital letters
• Lower-case letters
• Numerals (0-9)
• Symbols (!, @, #, etc.)

5. Click Save.
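The policy described above (a minimum length plus, when complexity is required, any three of the four character classes) as a small checker that reports which classes a candidate password is missing. This is an added example, not SolarWinds code; the default minimum length of 8 and the definition of a symbol as any non-alphanumeric, non-whitespace character are assumptions.

```python
import string

# Character classes named in the LEM password policy note above.
# "Symbols (!, @, #, etc.)" is handled separately: any character that is not a
# letter, digit or whitespace counts as a symbol (an assumption; the guide does
# not list the exact symbol set).
LETTER_AND_DIGIT_CLASSES = {
    "capital letters": set(string.ascii_uppercase),
    "lower-case letters": set(string.ascii_lowercase),
    "numerals": set(string.digits),
}
ALL_CLASSES = set(LETTER_AND_DIGIT_CLASSES) | {"symbols"}
REQUIRED_CLASSES = 3  # "any three of the following four character types"


def classes_present(password: str) -> set:
    """Return the names of the character classes that appear in password."""
    found = {name for name, chars in LETTER_AND_DIGIT_CLASSES.items()
             if any(c in chars for c in password)}
    if any(not c.isalnum() and not c.isspace() for c in password):
        found.add("symbols")
    return found


def check_password(password: str, min_length: int = 8,
                   require_complexity: bool = True) -> list:
    """Return a list of policy violations; an empty list means the password
    satisfies the policy. min_length mirrors the Minimum Password Length
    setting and require_complexity mirrors Must Meet Complexity Requirements.
    The default of 8 is an assumption for this example, not a LEM default."""
    violations = []
    if len(password) < min_length:
        violations.append(
            f"length {len(password)} is below the minimum of {min_length}")
    if require_complexity:
        present = classes_present(password)
        if len(present) < REQUIRED_CLASSES:
            missing = ", ".join(sorted(ALL_CLASSES - present))
            violations.append(
                f"only {len(present)} of 4 character classes present "
                f"({REQUIRED_CLASSES} required); missing: {missing}")
    return violations


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    for candidate in ("Password1", "password", "Pa1!", "correct horse battery staple"):
        result = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```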

Adding Devices
Click the video icon to view the corresponding tutorial.

Configure your IT devices to work with LEM using one of two options:

• Install the LEM Agent and connectors directly on the device
• Set the device to log to LEM and then configure the appropriate connectors
  directly on the LEM appliance.

Install the LEM Agent on computers that allow third party software. SolarWinds
provides LEM Agents for these operating systems:

• Microsoft Windows (local and remote installers)
• Linux
• Mac OS X
• Solaris on Intel
• Solaris on Sparc
• HPUX on PA
• HPUX on Itanium
• AIX

Configure other devices, such as firewalls, routers, or switches to send logs
directly to the LEM appliance using syslog or SNMP traps.

Agent Installation
The LEM Agent is a necessary component to monitor local events on the
computers on your network. Install the LEM Agent on servers, domain controllers,
and workstations. The LEM Agent then captures log information from sources
such as Windows Event Logs, a variety of database logs, and local antivirus logs.
The LEM Agent also allows LEM to take specific actions that you use rules to
define. You can also trigger actions manually from the LEM Console using the
Respond menu.
Installing a LEM Agent:
1. Click the Add Nodes to Monitor link in the LEM Console Getting Started
   wizard, or visit the SolarWinds Customer Portal for a complete list of available
   downloads.
2. Download the appropriate installer, and then run it on the computer(s) you
   want to monitor.
Note: If you are deploying LEM Agents to Windows computers, you can use the
Remote Agent Installer for a faster deployment.
View and manage installed LEM Agents in the Nodes view of the LEM Console.
The LEM Agent for Windows includes several pre-configured connectors so you
immediately start to see data from these computers after you have installed the
LEM Agent. By default, the LEM Agent for Windows includes the following
pre-configured connectors:

• Windows Security Log (for the host OS version)
• Windows Active Response
• Windows Application Log
• Windows System Log

For other operating systems, or for broader coverage on your Windows
computers, configure specific connectors to get exactly what you are looking for.

Configuring Non-Agent Devices


Non-Agent devices include any supported network or security device on which
you cannot install a LEM Agent. Some common examples are firewalls, routers,
and switches. To monitor these devices with LEM, configure each device to log to
the LEM appliance using syslog or SNMP traps. Then, configure the appropriate
connector on the LEM appliance using the LEM Console.

Configuring Connectors for Agent and Non-Agent Devices

The procedure for configuring connectors for Agent and non-Agent devices is
generally the same. The major difference is where you find the configuration
forms in the LEM Console. Complete the following procedure to configure
connectors for all the devices you want to monitor with LEM.
To configure connectors in the LEM Console:
1. In the LEM Console, click the Manage tab, and then select Appliances (for
   non-Agent connectors).
2. Click the gear button next to the LEM Node or Manager you want to
   configure, and then select Connectors.
3. To view or modify the configured connectors, select Configured in the Refine
   Results pane.
4. To find the connectors you need, use the search box and filter menus on the
   Refine Results pane.
5. After you've identified the connector to be configured, click the gear
   button next to it, and then select New.
6. Complete the Connector Configuration form according to the device you're
   configuring. The following fields/descriptions are common for most
   connectors:

   • Alias: a "user friendly" label for your connectors
   • Log File: the location of the log file the connector will normalize; this is a
     location on either the local computer (Agents) or the LEM appliance
     (non-Agent devices)
   • Output, nDepth Port: values used specifically for LEM environments that
     are configured to store original log messages; for additional information,
     consult the resources at the end of this section

7. After completing the form, click Save.
8. In the Connectors list, click the gear icon next to the new connector (in the
   Status column), and then select Start.
9. After starting the connector, verify it is working by checking for events on the
   Monitor tab.
To configure FIM connectors in the LEM Console:
1. In the LEM Console, click the Manage tab, and then select Nodes.
2. Click the gear icon next to the LEM Node you want to configure, and then
   select Connectors.
3. To find the connectors you need, enter FIM in the Refine Results search box.
4. Click the gear icon next to the connector to be configured, and then select
   New.
5. In the Monitor Templates area, click the gear icon next to the desired Monitor
   Template and select Add to selected monitors. The Monitor template moves
   to the Selected Monitors area.
6. After completing the form, click Save.
7. In the Connectors list, click the gear icon next to the new connector (denoted
   by an icon in the Status column), and then select Start.
8. After starting the connector, verify that it is working by checking for events on
   the Monitor tab.

Troubleshooting
If you have configured a device to log to the LEM appliance, but you cannot
determine the exact logging location, check the logging facilities on the LEM
appliance to determine where your data is going.
To check the logging facilities on the LEM appliance:
1. Connect to your LEM appliance using the VMware console view, or an SSH
   client such as PuTTY.
2. To connect to your appliance through SSH, log in as the CMC user, and provide
   the appropriate password.
3. To connect to your appliance using VMware, select Advanced
   Configuration on the main console screen, and then press Enter to get to the
   command prompt.
4. At the cmc> prompt, enter appliance.
5. At the cmc::acm# prompt, enter checklogs.
6. Enter an item number to select a local facility to view.
7. Look for indications of specific devices logging to this facility, such as the
   product name, device name, or IP address.
8. After you have determined the facility your device is logging to, configure the
   connector with the corresponding Log File value.
For additional troubleshooting tips related to LEM Agents or remote logging
devices, see:

• Troubleshooting LEM Agent Connections
• Troubleshooting Unmatched Data or Internal New Tool Data events
  in your LEM Console

Additional Information
For additional information about configuring devices to monitor with LEM, see
"Leveraging LEM" on page 42.
For additional information about installing LEM Agents on a variety of operating
systems, see the local and remote installations in Additional configuration and
integration information.

For additional information about how to tune Windows logging for your LEM
deployment, see the following:

• Windows Audit Policy and best practice
• How to enable file auditing in Windows

Creating Connector Profiles to manage LEM Agents:

Create Connector Profiles to manage and monitor similar LEM Agents across
your network. Two common use cases for creating Connector Profiles are:

• Configure and manage tools at the profile level to reduce the amount of
  work you have to do for large LEM Agent deployments.
• Create filters, rules, and searches using your Connector Profiles as Groups
  of LEM Agents. For example, create a filter to show you all Web traffic from
  computers in your Domain Controller Connector Profile.

Complete the two procedures below to create a Connector Profile using a single
LEM Agent as its template.
To create a Connector Profile using a LEM Agent as a template:
1. Configure the tools on the LEM Agent to be used as the template for your
   new Connector Profile. These tools will be applied to any LEM Agents that
   are later added to the Connector Profile.
2. Click the Build menu, and then select Groups.
3. Click the + menu, and then select Connector Profile.
4. Name the new Connector Profile and enter a profile description.
5. Select the LEM Agent you want to use as your template from the Template
   list next to the Description field.
6. Click Save.
To add LEM Agents to your new Connector Profile:
1. Locate the new Connector Profile in the Build > Groups view.
2. Click the gear icon next to your Connector Profile, and then select Edit.
3. Move LEM Agents from the Available Agents list to the Connector Profile by
   clicking the arrow next to them.
4. Click Save to finish adding LEM Agents to your Tool Profile.
The connector configurations set for the template agent can now be applied to
any agent added to the Connector Profile.
For a list of supported Agent and non-Agent devices, see this comprehensive list
of data sources for all your Logs & Events.
For additional information about configuring LEM and your connectors to store
original log messages, see the following:

• Configuring Your LEM Appliance for Log Message Storage and
  nDepth Search
• Do not modify the Output, nDepth Host, or nDepth Port fields when
  configuring LEM connectors unless your appliance is set up to store
  original log data

Verifying Data
Click the video icon to view the corresponding tutorial.

Now that LEM is collecting your log data, use nDepth and LEM Reports to search,
analyze, and report on that data. In most cases, use the nDepth Explorer in the
LEM Console to search and analyze your data. Use the stand-alone LEM Reports
application to report on your data.

Which Do I Pick?
Use nDepth if you want to perform immediate search or analysis tasks, or create
specific custom PDF reports. Use nDepth to:

• Search your log data interactively
• Search for specific variables, such as user names, IP addresses, or specific
  events
• Perform root-cause analysis
• Troubleshoot specific issues
• Explore data and produce custom PDF reports

Use LEM Reports if you want to view or schedule fixed reports for regulatory and
compliance purposes or to:

• Automate reporting
• Produce compliance reports
• View reports based on specific regulatory compliance initiatives
• Provide proof that you are auditing log and event data to auditors
• Schedule formatted reports for LEM Reports to run and export automatically

nDepth: A Fully Integrated IT Search Solution

Open nDepth in the LEM Console in any of these three ways:
1. Select an event on the Monitor tab, click the Explore menu, and then select
   nDepth.
2. Select a filter in the Filters pane on the Monitor tab, click the gear icon
   at the top of the Filters pane, and then select Send to nDepth.
3. Click the Explore tab from anywhere in the LEM Console, and then select
   nDepth.
Consult nDepth for several analytical connectors that it summarizes on both its
dashboard and toolbar. Use this view to:

• Search original log messages (AKA "raw logs") or normalized events
• View search results in several charts and graphs, and add values from
  these visuals directly to your search just by clicking them
• Refine the time frame of your searches using pre-defined or custom ranges
• View the text output of your search results using the Result Details
  connector on the nDepth toolbar
• Export your search results in CSV or fully-customizable PDF format
• Save searches for future use

Additional Information
For additional information about how to use nDepth to search and analyze your
data in the LEM Console, consult the following resources.
For examples of how to execute nDepth searches, see the following:

• How to create an nDepth query for all activity by a single user
• Sending Filters to nDepth for Historical Search

For additional information about how to save nDepth searches for future use, see
Save nDepth searches to quickly execute frequent queries.
For additional information about how to export nDepth search results in CSV or
PDF format, see Export nDepth results in custom or text formats for retention and
ad hoc reporting.
For additional information about configuring your LEM appliance to store and
search original log data, see:

• Configuring Your LEM Appliance for Log Message Storage and nDepth
  Search
• Using your LEM Console to view and search original log messages

LEM Reports: For Compliance and Historical Reporting Needs

LEM Reports is a stand-alone application that you install separately from the LEM
Console. Access LEM Reports using a shortcut, if available, or by navigating to
the SolarWinds Log and Event Manager application group in your Windows
Start menu.
Use LEM Reports to:

• Run hundreds of pre-configured compliance and security reports
• Schedule reports for LEM Reports to run automatically
• Filter the reports list by industry or requirement
• Run Master, Detail, or Top level reports according to how much information
  you need
• Use Select Expert to filter your report data by specific values, such as
  computer name, IP address, or user name
• Export reports into several formats, including PDF, CSV, and RPT

To get started with LEM Reports, filter the reports listing by the industries or
requirements relevant to your network. Then, the next time you open LEM
Reports, access your custom list of reports by clicking Industry Reports on the
main view.
To filter the reports list by industry or requirement:
1. Open LEM Reports.
2. On the Settings tab, click Manage, and then select Manage Categories.
3. Select your industries and requirements in the left pane. Mix and match as
   necessary. For example, if you are a school that accepts credit card
   payments, select Education, FERPA, and PCI.
4. Click OK.
5. To view the filtered list of reports, click the Category menu back on the
   Settings tab, and then select Industry Reports.
Select which reports to run based on their values in the Level column on the
Settings tab:

• Master: Reports at this level contain all of the data for their category. For
  example, the master-level Authentication report contains all
  authentication-related data.
• Detail: Reports at this level contain information related to a specific type of
  event. For example, the Authentication Failed Authentications detail-level
  report only contains data related to "Failed Authentication" events.
• Top: Reports at this level display the top number of occurrences for a
  specific type of event. Use the default top number, or Top N, of 10, or
  customize this when you run the report.

Troubleshooting
If you have installed LEM Reports, but are unable to open the application or run
reports, complete the following procedures to troubleshoot the issue.
To troubleshoot application launch errors on computers running Windows Vista,
Windows 7, and Windows Server 2008:
1. Uninstall LEM Reports and Crystal Reports v11 Runtime.
2. Reinstall both components as Administrator.
3. Adjust the LEM Reports properties to run the program in Windows XP
   compatibility mode and as an administrator:
   a. Right-click the LEM Reports shortcut on your desktop or in the SolarWinds
      Log and Event Manager program group in your Windows Start menu, and
      then select Properties.
   b. Click the Compatibility tab.
   c. Select Run this program in compatibility mode for, and then select
      Windows XP (Service Pack 3).
   d. Select Run this program as an administrator.
   e. Click OK.
4. Launch LEM Reports.
To address "Logon failed. Database Vendor Code 210" errors:
Add the computer running LEM Reports to the list of authorized reporting
computers. By default, the LEM appliance restricts all access to LEM Reports. To
allow specific computers to run LEM Reports or remove all reporting restrictions,
complete the procedures in Configuring Report Restrictions.

Additional Information
For additional information about how to run, schedule, and configure formatted
compliance and security reports using LEM Reports, consult the following
resources.

• See "Reports" on page 307
• See "Report Tables" on page 524

For information about installing LEM Reports on computers without the LEM
Console, see Configuring LEM Reports on Computers without the LEM Console.
For information about how to schedule several best practice compliance and
security reports, see:

• Configuring Default Batch Reports
• Report Formats and their Corresponding Numbers listed in a LEM
  scheduled report .ini file

For additional information about working with individual reports in LEM Reports,
see:

• Filtering and Exporting LEM Reports
• Creating a Custom Filtered Report

Adding Filters
Click the video icon to view the corresponding tutorial.

Filters group and display events that your LEM Agents and remote logging
devices send to LEM. They are based on events, which are the normalized
version of these network events. For LEM, the terms "events" and "alerts" are
interchangeable. View these events in real time on the Monitor tab in the LEM
Console.

Which Do I Pick?
Create filters when you want to group a particular type of event. The following are
just a few examples of what you might create a filter to catch:

• All events from your firewalls
• All events from your domain controllers
• All events for a specific type of user
• All events except for recurring, expected events

Create rules when you want LEM to take some kind of action in response to one
or more events. In many cases, you base rules on several events that LEM
correlates to trigger an action, but you can also configure a rule to look for a single
event. Rule actions include, but are not limited to:

• Sending an email
• Logging a user off
• Shutting down a computer
• Deleting an Active Directory group
• Blocking an IP address

Use the Default Filters as Examples

The LEM Console includes several pre-configured filters on the Monitor tab.
Examine the conditions of these filters to get a sense of how broad or specific
filters can be. The following are two examples of these extremes:

• All Events: This filter does not have any specific conditions, so it captures
  all events, regardless of the source or event type.
• User Logons: This filter has a single condition that means, "UserLogon
  Exists." It captures all events with the event type "UserLogon" and nothing
  else: not user log offs, not user logon failures.

To view the conditions of a default filter:

1. In the LEM Console, click the Monitor tab.
2. Select the filter you want to examine in the Filters pane.
3. Click the gear button at the top of the Filters pane, and then select Edit.
4. If you make any changes to the filter, click Save. Otherwise, click Cancel.

Other Filter Scenarios

Some scenarios may warrant a filter so you can monitor them more closely:
• Change management events: Monitor configuration changes made to
your network.
• High volume events: Watch for spikes of traffic, or unexpected off-peak
traffic.
• Events of general interest: Keep track of logon failures and failed
authentications.
Note: A failed authentication is an event triggered by three logon failures by the
same account within an extremely short period of time.
• Rule scenarios: Determine whether you have the right events to create a
rule for a specific scenario.
• Daily problems: Get a head start on operational problems like account
lockouts by seeing the events in real time.

Example: Change Management

Create a change management filter to monitor configuration changes users make
to your network. Keep this filter general, as illustrated here, or refine it to show you
only certain changes or changes made by certain users.
To create a filter for all change management events:

1. In the LEM Console, click the Monitor tab.
2. Click the plus button at the top of the Filters pane, and then select New
Filter.
3. Enter an appropriate name for the filter, such as Change Management
Events.
4. Fill the filter's Conditions box with an appropriate event or event group. For
this example, use an Event Group Exists condition to capture all events
from a certain group:
a. Click Event Groups on the left pane.
b. Find the Change Management Events event group, and drag it into the
Conditions box.
5. Click Save. The LEM Console takes you to the new filter on the Monitor tab.
Examine the events here, and click an event to see more information in the Event
Details pane.

Troubleshooting
If you have created a filter, but it is not capturing the expected events, check the
All Events filter to ensure the events are making it to the LEM Console.
To use the All Events filter to troubleshoot custom filters:
1. In the LEM Console, click the Monitor tab.
2. Click All Events in the Filters pane.
3. Locate an event you expected to see in your custom filter. If necessary,
pause the filter and sort it by any of the column headers.
4. If you locate a related event, verify the field-value combinations in the event
match the ones you used in your filter. For example, if your filter is looking
for *firewall* in the ConnectorAlias field, ensure the Connector Alias field in
your event contains the word firewall.
5. If you cannot locate a related event, verify one of your monitored devices is
logging the event, and that the device is sending its events to LEM. For
example, create another filter to show all events from the specific device
using the ConnectorAlias or DetectionIP event field.


Additional Information
For a general procedure and video addressing how to create filters in the LEM
Console, see Creating Filters for Real-time Monitoring in Your LEM Console.
For additional information about how to create filters for specific events, devices,
or time frames, see:
• Quickly Creating a Filter for a Specific Event Type
• Use Time of Day Sets to pinpoint specific time frames in filters and rules
• Modifying Filters for 'Monitor' Users

Adding Rules
Click the video icon to view the corresponding tutorial.

Rules correlate events that your LEM Agents and remote logging devices send to
LEM, and assign automatic actions or responses to those events. These actions
differentiate filters from rules: filters only display events, while rules instruct LEM
to take action. Rule actions include, but are not limited to:
• Sending an email
• Logging a user off
• Shutting down a computer
• Deleting an Active Directory group
• Blocking an IP address

Use Pre-configured Rules to Get Started

The LEM appliance includes hundreds of pre-configured rules. Use these rules to
instruct LEM to respond to specific events on your network.
To clone and enable a rule for use on your network:
1. In the LEM Console, click the Build tab, and then select Rules.
2. Use the Folders list or the Refine Results pane to browse, search, or filter for
specific rules or scenarios.
3. After you find a rule you want to clone, click the gear button next to it,
and then select Clone.
4. On the Clone Rule dialog, select a Custom Rules folder and rename the rule
if you wish, and then click OK.
5. In the Rule Creation view, customize the rule further if necessary, select
Enable at the top of the form, and then click Save.
6. Back in the main Rules view, click Activate Rules to sync your local changes
with the LEM appliance.
Example: Change Management
Create a change management rule to notify you anytime a user makes any kind of
change to your network configurations. Examples of such network changes
include:
• Adding, changing, or deleting users in Active Directory
• Installing software on monitored computers
• Changing firewall policy

Create a general change management rule, similar to the filter illustrated in the
previous section, to instruct LEM to notify you anytime any user makes a
configuration change, or create a more specific rule to only fire for specific users,
groups, or types of changes.
Note: An important rule of thumb is, "If you can see it in your LEM Console, you
can build a rule for it." Remember to use your filters as a starting place as you
consider creating custom rules.
To create a rule that sends you an email anytime someone adds a user to an
administrative group:
1. In the LEM Console, click the Build tab, and then select Rules.
2. Click the plus button in the upper-right corner.
3. Enter an appropriate name for the rule, such as New Admin User.
4. Populate the rule's Correlations box with an appropriate event or event group.
For this example, use a NewGroupMember.EventInfo Equals *admin*
condition to fire anytime LEM gets a NewGroupMember event with the text
"admin" anywhere in the EventInfo field:
a. Click Events on the left pane.
b. At the top of the Events list, enter NewGroupMember to search for that
event, and then select it in the list.
c. In the Fields: NewGroupMember list, find EventInfo, and then drag it
into the Correlations box.
d. In the text field (denoted by a pencil icon in the Correlations box), enter
*admin* to account for all variations on the word "administrator."
5. Leave the Correlation Time box as-is so your rule fires anytime LEM captures
this type of event.
6. Add the Send Email Message action to the Actions box:
a. Click Actions on the left pane.
b. Find Send Email Message, and then drag it into the Actions box.
c. Select a template from the Email Template menu.
d. Select a LEM user from the Recipients menu.
e. Drag and drop event fields or constants from the left pane into the Send
Email Message form to complete the action.
Note: Always use event fields for the event(s) present in the Correlations box. For
example, use NewGroupMember.DetectionTime to populate the
DetectionTime field in this example.
7. Select Enable at the top of the Rule Creation form, and then click Save.
8. To sync your local changes with the LEM appliance, click Activate Rules
back in the main Rules view.
After you enable and activate this rule, the LEM appliance sends an email
anytime someone adds a user to any group in Active Directory that contains the
text, "admin" in its name.
For more detailed information about how to create LEM rules to take action on
your network, see Creating Rules from Your LEM Console to Take Automated
Action.
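The filter-versus-rule distinction and the New Admin User rule described above, as an added Python example. This is not code from the SolarWinds guide or from the LEM product: it models events as dictionaries keyed by the normalized field names the guide uses (EventType, EventInfo, ConnectorAlias, DetectionTime), treats LEM-style *text* conditions as case-insensitive wildcards, and adds a second rule that fires after three logon failures by the same account inside a short window, the failed-authentication behaviour the filter section notes. The UserLogonFailure event type, the DestinationAccount field, the sample events and the email stand-in are my assumptions.

```python
"""Added example, not SolarWinds/LEM code: a toy model of LEM filters (select
events for display) versus rules (correlate events and fire an action).

Assumptions: events are dicts keyed by LEM-style normalized field names;
conditions use LEM-style '*' wildcards (mapped to fnmatch globs, case-
insensitive); the UserLogonFailure type, the DestinationAccount field and the
sample events below are constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from fnmatch import fnmatchcase
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, str]


def matches(event: Event, event_type: str, field_name: str, pattern: str) -> bool:
    """True if the event's EventType equals event_type ('*' = any type) and the
    named field matches the wildcard pattern, like a LEM 'Equals *text*' or
    'Exists' (pattern '*') condition."""
    if event_type != "*" and event.get("EventType") != event_type:
        return False
    return fnmatchcase(event.get(field_name, "").lower(), pattern.lower())


@dataclass
class Filter:
    """A filter only groups and displays events; it never takes action."""
    name: str
    event_type: str
    field_name: str
    pattern: str

    def apply(self, events: List[Event]) -> List[Event]:
        return [e for e in events
                if matches(e, self.event_type, self.field_name, self.pattern)]


@dataclass
class Rule:
    """A rule correlates events and runs an action. With threshold 1 it fires
    on every match (the guide's default Correlation Time); otherwise it fires
    once `threshold` matching events sharing the same `group_by` value arrive
    within `window`."""
    name: str
    event_type: str
    field_name: str
    pattern: str
    action: Callable[[Event], str]
    threshold: int = 1
    window: timedelta = timedelta(0)
    group_by: str = ""
    _seen: Dict[str, List[datetime]] = field(default_factory=dict)

    def feed(self, event: Event) -> Optional[str]:
        if not matches(event, self.event_type, self.field_name, self.pattern):
            return None
        if self.threshold <= 1:
            return self.action(event)
        key = event.get(self.group_by, "")
        now = datetime.fromisoformat(event["DetectionTime"])
        seen = self._seen.setdefault(key, [])
        seen.append(now)
        seen[:] = [t for t in seen if now - t <= self.window]  # drop stale hits
        if len(seen) >= self.threshold:
            seen.clear()  # reset so one burst produces one action
            return self.action(event)
        return None


def send_email(event: Event) -> str:
    # Stand-in for the Send Email Message action: returns the message text
    # instead of sending mail so the example runs offline.
    return (f"email: {event['EventType']} on {event['ConnectorAlias']}: "
            f"{event['EventInfo']}")


def _ev(etype: str, alias: str, info: str, when: str, account: str) -> Event:
    return {"EventType": etype, "ConnectorAlias": alias, "EventInfo": info,
            "DetectionTime": when, "DestinationAccount": account}


# Constructed sample events (not real LEM output).
SAMPLE_EVENTS: List[Event] = [
    _ev("UserLogon", "DC01 Security Log", "jdoe logged on", "2015-09-01T09:00:00", "jdoe"),
    _ev("NewGroupMember", "DC01 Security Log", "jdoe added to Domain Admins", "2015-09-01T09:01:00", "jdoe"),
    _ev("NewGroupMember", "DC01 Security Log", "asmith added to Sales", "2015-09-01T09:01:30", "asmith"),
    _ev("UserLogonFailure", "DC01 Security Log", "bad password", "2015-09-01T09:02:00", "administrator"),
    _ev("UserLogonFailure", "DC01 Security Log", "bad password", "2015-09-01T09:02:05", "administrator"),
    _ev("UserLogonFailure", "DC01 Security Log", "bad password", "2015-09-01T09:02:09", "administrator"),
    _ev("TCPTrafficAudit", "PIX Firewall", "10.0.0.5:443 allowed", "2015-09-01T09:03:00", ""),
]


def run_demo(events: List[Event] = SAMPLE_EVENTS) -> Dict[str, object]:
    """Apply two default-style filters and two rules; return what each saw."""
    user_logons = Filter("User Logons", "UserLogon", "EventType", "*")   # 'UserLogon Exists'
    firewall = Filter("Firewall", "*", "ConnectorAlias", "*firewall*")     # alias contains 'firewall'
    new_admin = Rule("New Admin User", "NewGroupMember", "EventInfo", "*admin*", send_email)
    failed_auth = Rule("Failed Authentication", "UserLogonFailure", "EventType", "*",
                       lambda e: f"FailedAuthentication: {e['DestinationAccount']}",
                       threshold=3, window=timedelta(seconds=30), group_by="DestinationAccount")
    fired: List[Tuple[str, str]] = []
    for event in events:
        for rule in (new_admin, failed_auth):
            result = rule.feed(event)
            if result:
                fired.append((rule.name, result))
    return {"user_logons": len(user_logons.apply(events)),
            "firewall": len(firewall.apply(events)),
            "fired": fired}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Running it shows the User Logons filter selecting one event, the Firewall filter selecting the event whose connector alias contains "firewall", the New Admin User rule firing on "Domain Admins" but not on "Sales", and the failed-authentication rule firing only on the third failure for the same account. The same matching is what the troubleshooting step above asks you to verify by hand: if the field-value combination in the event does not match the condition, nothing fires.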
Other Rule Scenarios
Countless scenarios may warrant a rule. Consider these combinations of rules
and actions:
• Respond to other change management events with the Send Email
Message action.
• Respond to port scanning events with the Block IP action.
• Respond to isolated spikes in network traffic with the Send Email
Message or Disable Networking action.
• Respond to users playing games on monitored computers with the
Send Popup Message or Kill Process action.
• Respond to users attaching unauthorized USB devices to monitored
computers using the Detach USB Device action.

Basically, any activity or event that can pose a threat to your network might
warrant a LEM rule.

Troubleshooting
If you have created a rule, but you are not getting the expected results, verify the
following to track down the root cause:
1. Check for the requisite events on the Monitor tab. For example, if your rule is
based on the NewGroupMember event, see if you can find one in the All
Events or default Change Management filter.
2. If you do not see the requisite events, troubleshoot your devices and
connectors to get the events into LEM. Otherwise, continue troubleshooting
here.
3. Check for an InternalRuleFired event in the SolarWinds Events filter.
4. If you do not see an InternalRuleFired event for your rule, check the following
to continue troubleshooting. Otherwise, skip to Step 5 to continue.
• Is your rule enabled?
• Did you modify the Correlation Time or Response Window in your rule?
• Did you click Activate Rules after saving your rule?
• Is the time on your device more than 5 minutes off from the time on your
LEM appliance?
5. If you see an InternalRuleFired event for your rule, but LEM does not
respond as expected, check the following, according to the action you
configured:
• Send Email Message: Verify you have configured and started the Email
Active Response connector on the LEM appliance.
• Send Email Message: Verify you have associated an email address for the
LEM user you selected as your email recipient.
• Agent-based Actions: Verify you have installed the LEM Agent on the
computer you want LEM to respond to.
• Block IP: Verify you have configured the active response connector for the
firewall you want to use to take this action. The active response connector is
separate from the data gathering connector.

For more detailed information about how to troubleshoot LEM rules and active
responses, see Troubleshooting LEM Rules and Email Responses.

Additional Information
For a general procedure and video addressing how to create and clone rules in
the LEM Console, see Creating Rules from Your LEM Console to Take
Automated Action.
For additional information about the active responses available for LEM rules,
see:
• How does the Block IP active response work?
• How does the Detach USB Device active response work?
• How does the Append Text To File active response work?
• How do the computer-based active responses work?
• How do the user-based active responses work?
• How do the Kill Process active responses work?
• How does the Disable Networking active response work?

Analyzing Data
Click the video icon to view the corresponding tutorial.

Now that LEM is collecting your log data, use nDepth and LEM Reports to search,
analyze, and report on that data. In most cases, use the nDepth Explorer in the
LEM Console to search and analyze your data. Use the stand-alone LEM Reports
application to report on your data.


Which Do I Pick?
Use nDepth if you want to perform immediate search or analysis tasks, or create
specific custom PDF reports. Use nDepth to:
• Search your log data interactively
• Search for specific variables, such as user names, IP addresses, or
specific events
• Perform root-cause analysis
• Troubleshoot specific issues
• Explore data and produce custom PDF reports

Use LEM Reports if you want to view or schedule fixed reports for regulatory and
compliance purposes. Use LEM Reports to:
• Automate reporting
• Produce compliance reports
• View reports based on specific regulatory compliance initiatives
• Provide proof to auditors that you are auditing log and event data
• Schedule formatted reports for LEM Reports to run and export
automatically

nDepth: A Fully Integrated IT Search Solution

Open nDepth in the LEM Console in any of these three ways:
1. Select an event on the Monitor tab, click the Explore menu, and then select
nDepth.
2. Select a filter in the Filters pane on the Monitor tab, click the gear button
at the top of the Filters pane, and then select Send to nDepth.
3. Click the Explore tab from anywhere in the LEM Console. Then select nDepth.
Consult the nDepth dashboard and toolbar for information on several analytical
connectors. Use this view to:
• Search original log messages (AKA "raw logs") or normalized events
• View search results in several charts and graphs, and add values from
these visuals directly to your search just by clicking them
• Refine the time frame of your searches using pre-defined or custom ranges
• View the text output of your search results using the Result Details
connector on the nDepth toolbar
• Export your search results in CSV or fully-customizable PDF format
• Save searches for future use

Additional Information nDepth

For examples of how to execute nDepth searches, see:
• How to create an nDepth query for all activity by a single user
• Sending Filters to nDepth for Historical Search

For additional information about how to save nDepth searches for future use, see
Save nDepth searches to quickly execute frequent queries.
For additional information about how to export nDepth search results in CSV or
PDF format, see "Export nDepth results in custom or text formats for retention and
ad hoc reporting."
For additional information about configuring your LEM appliance to store and
search original log data, see:
• "Configuring Your LEM Appliance for Log Message Storage and
nDepth Search"
• "Using your LEM Console to view and search original log
messages"
• "Do not modify the Output, nDepth Host, or nDepth Port fields when
configuring LEM connectors unless your appliance is set up to store
original log data"

LEM Reports: For Compliance and Historical Reporting Needs

LEM Reports is a stand-alone application that you install separately from the LEM
Console. Access LEM Reports using a shortcut, if available, or by navigating to
the SolarWinds Log and Event Manager program group in your Windows Start
menu.
Use LEM Reports to:
• Run hundreds of pre-configured compliance and security reports
• Schedule reports for LEM Reports to run automatically
• Filter the reports list by industry or requirement
• Run Master, Detail, or Top level reports according to how much
information you need
• Use Select Expert to filter your report data by specific values, such
as computer name, IP address, or user name
• Export reports into several formats, including PDF, CSV, and RPT

To get started with LEM Reports, filter the reports listing by the industries or
requirements relevant to your network. Then, the next time you open LEM
Reports, access your custom list of reports by clicking Industry Reports on the
main view.
To filter the reports list by industry or requirement:
1. Open LEM Reports.
2. On the Settings tab, click Manage, and then select Manage Categories.
3. Select your industries and requirements in the left pane. Mix and match as
necessary. For example, if you are a school that accepts credit card payments,
select Education, FERPA, and PCI.
4. Click OK.
5. To view the filtered list of reports, click the Category menu back on the
Settings tab, and then select Industry Reports.
Select which reports to run based on their values in the Level column on the
Settings tab:
• Master: Reports at this level contain all of the data for their
category. For example, the master-level Authentication report
contains all authentication-related data.
• Detail: Reports at this level contain information related to a specific
type of event. For example, the Authentication Failed
Authentications detail-level report only contains data related to
"Failed Authentication" events.
• Top: Reports at this level display the top number of occurrences for
a specific type of event. Use the default top number, or Top N, of 10,
or customize this when you run the report.

Troubleshooting
If you have installed LEM Reports, but are unable to open the application or run
reports, complete the following procedures to troubleshoot.
To troubleshoot application launch errors on computers running Windows Vista,
Windows 7, and Windows Server 2008:
1. Uninstall LEM Reports and Crystal Reports v11 Runtime.
2. Reinstall both components as Administrator.
3. Adjust the LEM Reports properties to run the program in Windows XP
compatibility mode and as an administrator:
a. Right-click the LEM Reports shortcut on your desktop or in the
SolarWinds Log and Event Manager program group in your Windows
Start menu, and then select Properties.
b. Click the Compatibility tab.
c. Select Run this program in compatibility mode for, and then select
Windows XP (Service Pack 3).
d. Select Run this program as an administrator.
e. Click OK.
4. Launch LEM Reports.
To address "Logon failed. Database Vendor Code 210" errors:
Add the computer running LEM Reports to the list of authorized reporting
computers. By default, the LEM appliance restricts all access to LEM Reports. To
allow specific computers to run LEM Reports or remove all reporting restrictions,
complete the procedures described in Configuring Report Restrictions.

Additional Information LEM Reports

For additional information about how to run, schedule, and configure formatted
compliance and security reports using LEM Reports, consult the following
resources.
• See "Reports" on page 307
• See "Report Tables" on page 524

For information about installing LEM Reports on computers without the LEM
Console, see Configuring LEM Reports on Computers Without the LEM Console.
For information about scheduling several best practice compliance and security
reports, see:
• Configuring Default Batch Reports on Vista/7/2008 Computers
• Report Formats and their corresponding numbers listed in a LEM
scheduled report ini file

For additional information about working with individual reports in LEM Reports,
see:
• Filtering and Exporting LEM Reports
• Creating a Custom Filtered Report


Chapter 5: Leveraging LEM


This chapter provides a series of use cases to get you started with SolarWinds
LEM. Use these scenarios to ensure you have the most basic coverage in your
environment, though the third party products you use or other variables in your
network might be different than the ones provided in these examples.

Monitoring Windows Domain Controllers for Brute Force Hacking Attempts
Monitor the Windows domain controllers to track failed logon attempts to
administrative accounts, which can be indicative of "brute force" or other hacking
attempts. Also, gain visibility into account lockout, user and group modification,
and other change management events across your network. Install a LEM Agent
on all domain controllers to ensure the LEM Manager captures all of your domain
events, even if they are not replicated across all of your domain controllers. View
the events in the default Change Management filter in your LEM Console, and
create custom filters to show all activity on these critical servers.

Configuring the SolarWinds LEM Agent


Install a LEM Agent and configure the appropriate connectors to monitor domain
events on your network along with local events on the servers themselves. Use
the procedures below to configure a SolarWinds LEM Agent on a single Windows
domain controller.
The following table provides the installation requirements for the LEM Agent:

Software/Hardware       Requirements
Operating System        AIX, Linux, Solaris, Windows Vista, Windows 7, Windows 8,
                        Windows Server 2000, Windows Server 2003, Windows Server 2008
CPU Speed               450 MHz Pentium III or equivalent
Memory                  512 MB RAM
Hard Drive Space        1 GB
Environment Variables   The ability to install all software with administrator rights

Installing a LEM Agent on a single Windows domain controller:


1. Download the SolarWinds LEM Agent installer for Windows.
a. If you are a licensed LEM customer, download the installer from
the SolarWinds customer portal.
b. If you are an evaluation LEM customer, see .
2. Extract the contents of the installer ZIP file to a local or network location.
3. Run Setup.exe.
4. Click Next to start the installation wizard.
5. Accept the End User License Agreement and click Next.
6. Enter the hostname of your LEM Manager in the Manager Name field and
click Next. Do not change the default port values.
7. Confirm the Manager Communication settings and click Next.
8. Specify whether to install USB-Defender with the LEM Agent and click
Next. The installer includes USB-Defender by default. To omit this from the
installation, clear the Install USB-Defender checkbox.
Note: Install USB-Defender on every system. USB-Defender never
detaches a USB device unless you have explicitly enabled a rule to do so.
By default, USB-Defender simply generates events related to USB mass
storage devices attached to your LEM Agents.
9. Confirm the settings on the Pre-Installation Summary and click Install.
10. Once the installer finishes, click Next to start the LEM Agent service.
11. Inspect the Agent Log for any errors and click Next.
12. Click Done to exit the installer.



The SolarWinds LEM Agent continues running on your computer until you
uninstall or manually stop it. It begins sending events to your SolarWinds LEM
Manager immediately.
Configuring additional connectors on your SolarWinds LEM Agent:
1. Open your SolarWinds LEM Console and log into your SolarWinds LEM
Manager as an administrator.
2. Click the Manage tab, and then click Nodes.
3. Locate the LEM Agent in the list. Use the Refine Results pane on the left if
necessary.
4. Click the gear button next to the LEM Agent (left), and then click
Connectors.
5. Locate the connector you want to configure in the list. Use the Refine
Results pane on the left if necessary.
6. Click the gear button next to the connector (left), and then click New.
7. Modify the connector if necessary and then click Save.
8. Click the gear button next to the new instance of the connector,
indicated by an icon in the Status column, and then click Start.
9. Click Close to close the Connector Configuration window.
10. Configure the following additional connectors on your Windows domain
controllers, as applicable.
• Windows Directory Service Log
• Windows DNS Server Log
• Windows DHCP Server version


Using Connector Profiles to Maintain and Monitor Multiple Domain Controller
Agents

Use Connector Profiles to maintain and monitor multiple domain controllers in the
LEM Console. Connector Profiles allow you to configure and modify connector
settings at the profile level, and they also provide a group by which you can filter
your event traffic coming into your SolarWinds LEM Console from your
SolarWinds LEM Agents. Use the procedures below to create a Connector Profile
based on a single SolarWinds LEM Agent and a corresponding filter to monitor
activity on the computers in that profile.


Note: Microsoft changed the way Windows computers log security events with
their latest operating system releases. For that reason, SolarWinds LEM Agents
on computers running Windows Server 2008, Windows Vista, or Windows 7
require different connectors than those Agents on computers running older
operating systems. If you are running both old and new versions of these
Windows operating systems in your environment, create a Connector Profile for
each operating system.
Creating a Connector Profile based on a single SolarWinds LEM Agent:
1. Install the SolarWinds LEM Agent software on all of the computers you want
to end up in your new Connector Profile.
2. Configure a single SolarWinds LEM Agent to serve as the template for your
Connector Profile.
3. In the LEM Console, select the Build tab, and then click Groups.
4. Click the button in the upper right, and then click Connector Profile.
5. Enter a Name and Description for the Connector Profile.
6. Select the recently configured SolarWinds LEM Agent from the Template
list.
7. Click Save.
8. Locate your new Connector Profile in the Groups list. Use the Refine
Results pane on the left if necessary.
9. Click the gear button next to your Connector Profile (left), and then click
Edit.
10. Locate the SolarWinds LEM Agents you want to add to your Connector
Profile in the Available Agents pane, and click the arrow next to them to add
them to the Contained Agents pane.
11. If you are finished adding SolarWinds LEM Agents to your Connector
Profile, click Save.
Creating a filter for all activity from the computers in a Connector Profile:
1. Open the SolarWinds LEM Console and log into the SolarWinds LEM
Manager as an administrator or auditor.


2. Click Monitor.
3. Click the button on the Filters pane (left), and then click New Filter.
4. Enter a Name and Description for the filter.
5. Click Event Groups on the components list (left).
6. Click Any Event.
7. In the Fields: Any Event list below, click and drag DetectionIP into the
Conditions box (right).
8. Click Connector Profiles on the components list (left).
9. Click and drag your Connector Profile into the Conditions box (right),
replacing the Text Constant field, which is denoted by a pencil icon.
10. Click Save.

Creating a LEM Rule to Track Failed Login Attempts to Administrative Accounts
Clone and enable the Critical Account Logon Failures rule to track failed login
attempts to the default Administrator account in Windows. The default action for
this rule is to generate a HostIncident event, which you can use in conjunction
with the Incidents report to prove to auditors that you are auditing the critical
events on your network.
Cloning and enabling the Critical Account Logon Failures rule:
1. Open the SolarWinds LEM Console and log into the SolarWinds LEM
Manager as an administrator.
2. Click the Build tab, and then click Rules.
3. Enter Critical Account Logon Failures in the search box at the top of the
Refine Results pane.
4. Click the gear button next to the rule (left), and then click Clone.
5. Select the folder where you want to save the cloned rule, and then click OK.
6. Select Enable at the top of the Rule Creation window, next to the
Description field.
7. Click Save.
8. Back on the main Rules screen, click Activate Rules.
Tuning Windows Logging for LEM Implementation
After you have installed and configured your SolarWinds LEM Agents, optimize
your SolarWinds LEM deployment by tuning Windows to log the specific events
you want to see in your SolarWinds LEM Console and store in your SolarWinds
LEM database. Use the recommendations below to get started with this tuning
process.
Note: Set group and local policies according to the needs of your environment.
We provide recommendations to illustrate common, but not universal, use cases.
For additional information about tuning Windows logging, see the Microsoft
TechNet knowledge base.
Default Domain Policy
Configure logging for default domain policy in Windows as recommended in the
following table.

Policy                          Success   Failure   Not Defined
Audit account logon events      Yes       Yes
Audit account management        Yes       Yes
Audit directory service access                      Not defined
Audit logon events              Yes       Yes
Audit object access                                 Not defined
Audit policy change             Yes       Yes
Audit privilege use                                 Not defined
Audit process tracking          Yes       No
Audit system events             Yes       Yes

Default Domain Controller Policy

Configure logging for your default domain controller policy in Windows as
recommended in the following table.

Policy                          Success   Failure
Audit account logon events      Yes       Yes
Audit account management        Yes       Yes
Audit directory service access  Yes       Yes
Audit logon events              Yes       Yes
Audit object access (1)
Audit policy change             Yes       Yes
Audit privilege use             Yes       Yes
Audit process tracking          Yes       Yes
Audit system events             Yes       Yes

(1) Audit object access is required for file auditing. For more information, see
Enabling Windows File Auditing.
For more information about the policies discussed above and how to configure
their auditing, see Audit Policy and Best Practice.
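A way to check a domain controller's actual audit settings against the Default Domain Controller Policy table above, as an added Python example. This is not SolarWinds or Microsoft code. It assumes the policy was exported with `secedit /export /cfg audit.inf /areas SECURITYPOLICY`, whose [Event Audit] section lists the nine legacy audit categories (AuditAccountLogon, AuditLogonEvents, and so on) with a bitmask value (1 = Success, 2 = Failure, 3 = both, 0 = none); the export text in the block is constructed sample data, and the category-to-name mapping and the recommended values are taken from the table.

```python
"""Added example, not SolarWinds/LEM code: check an exported Windows audit
policy against the Default Domain Controller Policy table.

Assumption: the policy was exported with
    secedit /export /cfg audit.inf /areas SECURITYPOLICY
whose [Event Audit] section lists the nine legacy categories as
AuditXxx = n, with n a bitmask (1 = Success, 2 = Failure, 3 = both, 0 = none).
The export text below is constructed sample data, not a real export.
"""
from typing import Dict, List, Tuple

# Legacy category key in the export -> policy name as the table lists it.
CATEGORY_NAMES: Dict[str, str] = {
    "AuditAccountLogon": "Audit account logon events",
    "AuditAccountManage": "Audit account management",
    "AuditDSAccess": "Audit directory service access",
    "AuditLogonEvents": "Audit logon events",
    "AuditObjectAccess": "Audit object access",
    "AuditPolicyChange": "Audit policy change",
    "AuditPrivilegeUse": "Audit privilege use",
    "AuditProcessTracking": "Audit process tracking",
    "AuditSystemEvents": "Audit system events",
}

# Recommended (Success, Failure) from the domain controller table. Object
# access is omitted because the table sets no value for it (it is needed only
# for file auditing).
RECOMMENDED_DC: Dict[str, Tuple[bool, bool]] = {
    "AuditAccountLogon": (True, True),
    "AuditAccountManage": (True, True),
    "AuditDSAccess": (True, True),
    "AuditLogonEvents": (True, True),
    "AuditPolicyChange": (True, True),
    "AuditPrivilegeUse": (True, True),
    "AuditProcessTracking": (True, True),
    "AuditSystemEvents": (True, True),
}

# Constructed sample export: a DC with several categories under-audited.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditPrivilegeUse = 2
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 3
AuditAccountLogon = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_event_audit(inf_text: str) -> Dict[str, int]:
    """Return {category: bitmask} from the [Event Audit] section only."""
    settings: Dict[str, int] = {}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Event Audit" and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = int(value.strip())
    return settings


def audit_flags(mask: int) -> Tuple[bool, bool]:
    """Decode the bitmask into (success audited, failure audited)."""
    return bool(mask & 1), bool(mask & 2)


def find_gaps(settings: Dict[str, int],
              recommended: Dict[str, Tuple[bool, bool]] = RECOMMENDED_DC) -> List[str]:
    """List every recommended setting the export does not meet. A category
    missing from the export counts as not audited at all."""
    gaps: List[str] = []
    for key, (want_success, want_failure) in recommended.items():
        have_success, have_failure = audit_flags(settings.get(key, 0))
        missing = [name for name, want, have in (("Success", want_success, have_success),
                                                  ("Failure", want_failure, have_failure))
                   if want and not have]
        if missing:
            gaps.append(f"{CATEGORY_NAMES[key]}: not auditing {' and '.join(missing)}")
    return gaps


if __name__ == "__main__":
    # On a real DC, read the export file with encoding="utf-16" (secedit writes Unicode).
    for gap in find_gaps(parse_event_audit(SAMPLE_INF)):
        print(gap)
```

One caveat when using this on Windows Server 2008 and later: if the security option "Audit: Force audit policy subcategory settings to override audit policy category settings" is enabled, the effective policy is the per-subcategory one shown by `auditpol /get /category:*`, and the legacy category values in this export do not describe what the server actually logs.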

Monitoring Firewalls for Port Scans and Malformed Packets
Monitor firewalls to detect port scans and other network attacks based on unusual
traffic patterns and malformed packets. Also, gain visibility into web traffic and
other network traffic events across your network. Configure your firewalls to log to
your SolarWinds LEM appliance and set up the appropriate connector on your
SolarWinds LEM Manager. View the events in the default Firewall filter in your
SolarWinds LEM Console, and create custom filters to show traffic to or from
specific computers.

Setting a Firewall to Log to a LEM Appliance


Set your firewall to log to your SolarWinds LEM appliance to centralize its log
data with the rest of your SolarWinds LEM events. The process for doing this is
different for each vendor, and it even differs across firewall versions. For that
reason, we document each firewall separately, which is beyond the scope of this
guide.

Firewalls from popular vendors such as Cisco, Check Point, and Juniper can be
integrated with SolarWinds LEM appliances. For more information, see the
SolarWinds knowledge base.
If your firewall vendor is not listed here, search for your vendor in the SolarWinds
knowledge base. If documentation is not available, please contact SolarWinds
Support.

Configuring a Firewall Connector on a LEM Manager


After you have set your firewall to log to your SolarWinds LEM appliance,
configure the corresponding connector on your SolarWinds LEM Manager. Many
of the firewall connectors are similar, though some will have a few unique
settings. The procedure below explains how to set up a connector for a Cisco PIX
firewall.
To configure the Cisco PIX and IOS connector on your SolarWinds LEM
Manager:
1. Open the SolarWinds LEM Console and log into the SolarWinds LEM
Manager as an administrator.
2. Click the Manage tab, and then click Appliances.
3. Click the gear button next to the SolarWinds LEM Manager (left), and
then click Connectors.
4. In the Connector Configuration window, enter Cisco PIX in the search box
at the top of the Refine Results pane.
5. Click the gear button next to the Cisco PIX and IOS connector, and
then click New.
6. Replace the Alias value with a more descriptive connector alias. For
example, PIX Firewall.
7. Use firewall somewhere in the Alias field to ensure the default Firewall filter
captures your firewall data.
8. Verify the Log File value matches the local facility defined in your firewall
settings.
9. Click Save.
10. Click the gear button next to the new instance of the connector,
indicated by an icon in the Status column, and then click Start.
11. Click Close to close the Connector Configuration window.

Viewing Network Traffic from Specific Computers


Create custom filters to make specific firewall events more visible than others. For
example, if you want to monitor all traffic coming from a specific computer more
closely than other firewall traffic, create a filter for all network traffic coming from
that source machine. Use Connector Profiles and other groups to broaden or
refine the scope of custom filters like this.
Creating a filter for all traffic from a specific computer:
1. Open the SolarWinds LEM Console and log into the SolarWinds LEM
Manager as an administrator or auditor.
2. Click Monitor.
3. Click the button on the Filters pane (left), and then click New Filter.

4. Enter a Name and Description for the filter.


5. Click Event Groups on the components list (left).
6. Click Network Audit Events.
7. In the Fields: Network Audit Events list below, click and drag
SourceMachine into the Conditions box (right).
8. Enter the computer's name into the Text Constant field, which is denoted by
a pencil icon. Use a wildcard character (*) after the computer name to avoid
having to enter the computer's fully qualified domain name.
Note: Use a Connector instead of a Text Constant to filter for all network
traffic coming from a group of similar computers.
9. Click Save.

Creating a LEM Rule to Notify of Potential Port Scanning Traffic


Clone and enable the PortScans rule to recognize suspicious firewall traffic that
can be indicative of port scanning. The default action for this rule is to generate a
TCPPortScan event, which the SolarWinds LEM Console displays in the default
Security Events filter. Use these events to monitor suspicious network traffic and
potentially take action against an external source.
Cloning and enabling the PortScans rule:
1. Open the SolarWinds LEM Console and log into the SolarWinds LEM
Manager as an administrator.
2. Click the Build tab, and then click Rules.
3. Enter PortScans (one word) in the search box at the top of the Refine
Results pane.
4. Click the gear button next to the rule (left), and then click Clone.
5. Select the folder where you want to save the cloned rule, and then click OK.
6. Select Enable at the top of the Rule Creation window, next to the
Description field.
7. Optionally, to tune the rule to be more appropriate for your environment,
consider the following:
• Subscribe to the rule to track its activity in the Subscriptions report.
• Increase the number of events in the Correlation Time box to modify how
  frequently the rule fires.
• Omit vulnerability scanners from the Correlations by changing the
  TCPTrafficAudit "exists" condition to TCPTrafficAudit.SourceMachine =
  Your Scanners, where Your Scanners is a User-Defined Group, Connector
  Profile, or Directory Service Group that represents that group of computers.
• Modify the default action or add additional actions to do things such as
  send an email message, or block an IP address.
9. If you are finished configuring your rule, click Save.


10. Back on the main Rules screen, click Activate Rules.
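The tuning options above describe what the PortScans rule correlates: TCPTrafficAudit events from one SourceMachine within a Correlation Time window, with a Your Scanners group excluded. The Python below is an added example, not SolarWinds code, that runs that kind of sliding-window correlation over constructed TCPTrafficAudit-shaped records. The DestinationPort and DetectionTime field names, the threshold of five distinct ports and the 60-second window are assumptions; the guide does not state the rule's default values.

```python
"""Sliding-window port-scan correlation modelled on the PortScans rule.
Added example, not SolarWinds code. Assumed: the event field names other
than SourceMachine, the 5-port threshold and the 60-second correlation time."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BASE = datetime(2015, 9, 1, 12, 0, 0)


def ev(src, port, seconds):
    """Build a constructed TCPTrafficAudit-shaped event `seconds` after BASE."""
    return {"EventName": "TCPTrafficAudit", "SourceMachine": src,
            "DestinationPort": port,
            "DetectionTime": BASE + timedelta(seconds=seconds)}


# Constructed sample traffic: one host sweeping six ports in ten seconds, an
# authorised scanner sweeping eight ports, and a host touching three ports
# over ten minutes (ordinary behaviour that must not alert).
SAMPLE_EVENTS = (
    [ev("10.0.0.50", p, 2 * i) for i, p in enumerate([21, 22, 23, 25, 80, 110])]
    + [ev("vulnscan01", p, 1 + i)
       for i, p in enumerate([21, 22, 25, 53, 80, 443, 3389, 8080])]
    + [ev("10.0.0.7", 80, 0), ev("10.0.0.7", 80, 5),
       ev("10.0.0.7", 443, 300), ev("10.0.0.7", 22, 600)]
)

# Assumed stand-in for the "Your Scanners" User-Defined Group in the guide.
YOUR_SCANNERS = frozenset({"vulnscan01"})


def correlate_port_scans(events, threshold=5, window=timedelta(seconds=60),
                         exclude=frozenset()):
    """Return one TCPPortScan-style alert each time a source reaches
    `threshold` distinct destination ports inside `window`. Sources listed in
    `exclude` are skipped, mirroring the SourceMachine = Your Scanners tuning."""
    alerts = []
    recent = defaultdict(deque)  # SourceMachine -> (time, port) pairs in window
    for e in sorted(events, key=lambda x: x["DetectionTime"]):
        if e["EventName"] != "TCPTrafficAudit" or e["SourceMachine"] in exclude:
            continue
        q = recent[e["SourceMachine"]]
        now = e["DetectionTime"]
        while q and now - q[0][0] > window:  # expire events older than the window
            q.popleft()
        q.append((now, e["DestinationPort"]))
        ports = {p for _, p in q}
        if len(ports) >= threshold:
            alerts.append({"EventName": "TCPPortScan",
                           "SourceMachine": e["SourceMachine"],
                           "DistinctPorts": len(ports),
                           "FirstSeen": q[0][0], "LastSeen": now})
            q.clear()  # fresh window, so one sweep yields one alert
    return alerts


if __name__ == "__main__":
    for a in correlate_port_scans(SAMPLE_EVENTS, exclude=YOUR_SCANNERS):
        print(a["EventName"], a["SourceMachine"], a["DistinctPorts"],
              a["FirstSeen"], a["LastSeen"])
```

Run as-is the script reports a single TCPPortScan for 10.0.0.50; dropping the `exclude` argument makes the scanner alert as well, which is exactly the noise the Your Scanners condition removes.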


Monitoring Antivirus Software for Viruses that are Not Cleaned
Monitor your antivirus software to track whether or not your antivirus solution is
able to fully clean the viruses it detects. Configure your antivirus software to log to
your SolarWinds LEM appliance and set up the appropriate connector on your
SolarWinds LEM Manager. View the events in the default Virus Attack filter in
your SolarWinds LEM Console.

Setting Antivirus Software to Log to a LEM Appliance


Set your antivirus software to log to your SolarWinds LEM appliance to centralize
its log data with the rest of your SolarWinds LEM events. The process for doing
this is different for each vendor, and it even differs across antivirus versions. For
that reason, we document each antivirus solution separately, which is beyond the
scope of this guide.
You can integrate antivirus software from popular vendors such as Symantec and
McAfee with your SolarWinds LEM appliance. To find instructions on integrating
your vendor's antivirus software, search the SolarWinds knowledge base. If
documentation is not available, please contact SolarWinds Support.

Configuring the Antivirus Connector on a LEM Manager


To configure the Symantec Endpoint Protection 11 connector on your
SolarWinds LEM Manager:
1. Replace the Alias value with a custom alias or accept the default.
2. Verify the Log File value matches the Log Facility defined in your antivirus
settings.
3. Open the SolarWinds LEM Console and log into the SolarWinds LEM
Manager as an administrator.
4. Select the Manage tab, and then click Appliances.
5. Click the gear button next to your SolarWinds LEM Manager (left), and
then click Connectors.
6. In the Connector Configuration window, enter Symantec Endpoint
Protection in the search box at the top of the Refine Results pane.
7. Click the gear button next to the Symantec Endpoint Protection 11
connector, and then click New.
8. Click Save.
9. Click the gear button next to the new instance of the connector,
indicated by an icon in the Status column, and then click Start.
10. Click Close to close the Connector Configuration window.

Creating a LEM Rule to Track When Viruses Are Not Cleaned


Clone and enable the Virus Attack Bad State rule to track the state of virus
attacks reported by your antivirus software. The Bad Virus State User-Defined
Group defines a bad state as any virus that has not been fully cleaned by your
antivirus software. That is, any virus that has been left alone, quarantined, or
renamed.
The default action for this rule is to generate a HostIncident event, which you can
use in conjunction with the Incidents report to prove to auditors that you are
auditing the critical events on your network.
Cloning and enabling the Virus Attack Bad State rule:
1. Open the SolarWinds LEM Console and log into the SolarWinds LEM
Manager as an administrator.
2. Select the Build tab, and then click Rules.
3. Enter Virus Attack Bad State in the search box at the top of the Refine
Results pane.
4. Click the gear button next to the rule (left), and then click Clone.
5. Select the folder where you want to save the cloned rule, and then click OK.
6. Select Enable at the top of the Rule Creation window, next to the
Description field.
7. Click Save.
8. Back on the main Rules screen, click Activate Rules.


Monitoring Proxy Servers for Suspicious URL Access
Monitor proxy servers to track when users attempt to access suspicious websites
by partial or complete URL addresses. Configure your proxy server to log to your
SolarWinds LEM appliance and set up the appropriate connector on your
SolarWinds LEM Manager.

Setting Proxy Server to Log to a SolarWinds LEM Virtual Appliance


Set your proxy server to log to your SolarWinds LEM virtual appliance to centralize
its log data with the rest of your SolarWinds LEM events.
You can integrate proxy servers from popular vendors such as Websense and
Barracuda with your SolarWinds LEM virtual appliance.
The integration process is different for each vendor, so we document each proxy
server separately in the SolarWinds knowledge base. Search for your firewall
vendor in the SolarWinds knowledge base. If a knowledge base article is not
available, please contact SolarWinds Support.

Configuring a Proxy Server Connector on a SolarWinds LEM Manager

After you have set your proxy server to log to your SolarWinds LEM appliance,
configure the corresponding connector on your SolarWinds LEM Manager. Many
of the proxy server connectors are similar, though some have a few unique
settings. The procedure below illustrates how to set up a connector for a
Websense proxy server, and you can find instructions for additional firewall
connectors in the SolarWinds knowledge base.
Configuring the Websense Web Filter and Websense Web Security connector:
1. Open the SolarWinds LEM Console and log into the SolarWinds LEM
Manager as an administrator.
2. Select the Manage tab, and then click Appliances.
3. Click the gear button next to your SolarWinds LEM Manager (left), and
then click Connectors.
4. In the Connector Configuration window, enter Websense Web Filter in the
search box at the top of the Refine Results pane.
5. Click the gear button next to the Websense Web Filter and Websense
Web Security connector, and then click New.
6. Replace the Alias value with a custom alias or accept the default.
7. Click Save.
8. Click the gear button next to the new instance of the connector,
indicated by an icon in the Status column, and then click Start.
9. Click Close to close the Connector Configuration window.
Creating a SolarWinds LEM Rule to Notify of Suspicious URL Attempts
Clone and enable the Known Spyware Site Traffic rule to track when users
attempt to access suspicious websites by partial or complete URL addresses.
The default action for this rule is to generate a HostIncident event, which you can
use in conjunction with the Incidents report to prove to auditors that you are
auditing the critical events on your network.
Note: Before enabling this rule, ensure your proxy server transmits complete URL
addresses to your SolarWinds LEM Manager by checking the URL field of any
WebTrafficAudit event generated by your proxy server. If your proxy server does
not log web traffic events with this level of detail, check the events coming from
your firewalls, as they can sometimes be used for this rule as well.
Cloning and enabling the Known Spyware Site Traffic rule:
1. Open the SolarWinds LEM Console and log into the SolarWinds LEM
Manager as an administrator.
2. Select the Build tab, and then click Rules.
3. Click Default Rules on the Refine Results pane (left).
4. Enter Known Spyware Site Traffic in the search box at the top of the
Refine Results pane.
5. Click the gear button next to the rule (left), and then click Clone.
6. Select the folder where you want to save the cloned rule, and then click OK.
7. Select Enable at the top of the Rule Creation window, next to the
Description field.
8. Click Save.
9. Back on the main Rules screen, click Activate Rules.

Monitoring Microsoft SQL Databases for Changes to Tables and Schema

Monitor databases to track successful or failed attempts to make changes to their
tables or schema. Install MSSQL Auditor on a LEM Agent running Microsoft SQL
Profiler to monitor local or remote Microsoft SQL databases. MSSQL Auditor runs
as a service in addition to the LEM Agent service.
Configuring Database Servers
Install and configure MSSQL Auditor on your database server to allow
SolarWinds LEM Agent access to details about database configuration changes
on that computer.
Install the following components on your database server prior to installing
MSSQL Auditor.
• Microsoft SQL 2005 or 2008 Profiler
• Microsoft .NET 2.0 Framework
• SolarWinds LEM Agent for Windows


Installing MSSQL Auditor on a SolarWinds LEM Agent

1. Download SolarWinds-LEM-v6.2-MSSQLAuditor.zip from the SolarWinds
customer portal under Additional Components.
2. Run mssqlaudsetup.exe.
3. Click Next to start the wizard.
4. Accept the End User License Agreement, and then click Next.
5. Click Change to specify an installation folder, or accept the default, and
then click Next.
6. Click Install.
7. When the installation is finished, select Launch SolarWinds MSSQL
Auditor, and then click Finish.
To configure MSSQL Auditor for use with your servers:
Note: If you did not select Launch SolarWinds MSSQL Auditor after installing the
application, you can launch it from the SolarWinds Log and Event Manager
program group in your Start menu.
1. Enter the name of the SQL server to be monitored in the SQL
Server\Instance field, and click Add Server.
Note: To specify an instance other than the default, enter your server name in the
following format: Server\Instance.
2. Repeat this step for all of the servers to be monitored.
3. To use an account other than the Local System Account to run MSSQL
Auditor on your database server, select This Account in the Run Service
As section, and provide the appropriate credentials.
Note: We recommend you use an account in the "sysadmin" role on your
database, though the account only needs to have Execute permissions for any
stored procedures with the xp_trace prefix.
4. Click Start Auditor Service, which is denoted by a green "Play" icon, in
the Manage Auditor Service section.
5. Click OK.
Configuring the MSSQL Auditor Connector on a SolarWinds LEM Agent
To configure the MSSQL Auditor connector on your SolarWinds LEM Agent:
1. Open the SolarWinds LEM Console and log into the SolarWinds LEM
Manager as an administrator.
2. Select the Manage tab, and then click Nodes.
3. Locate the SolarWinds LEM Agent for your database server and verify it is
connected to your LEM Manager.
4. Click the gear button next to the SolarWinds LEM Agent, and then
click Connectors.
5. Enter MSSQL in the search box at the top of the Refine Results pane.
6. Click the gear button next to the SolarWinds Log and Event Manager
MSSQL Auditor connector, and then click New.
7. Give the new connector a custom Alias, or accept the default.
8. Verify that the value in the Log File field matches the folder in which the logs
are stored on your database server, and then click Save.
9. Click the gear button next to the new instance of the connector,
indicated by an icon in the Status column, and then click Start.
10. Repeat these steps for the MSSQL 2000 Application Log connector.
11. Click Close to close the Connector Configuration window.

Creating a SolarWinds LEM Rule to Send Notifications of Microsoft SQL Database Change Attempts

Clone and enable the MSSQL Database Change Attempt rule to track when
users attempt to change properties on a monitored Microsoft SQL database. The
default action for this rule is to generate a HostIncident event, which you can use
in conjunction with the Incidents report to prove to auditors that you are auditing
the critical events on your network. See "Leveraging the Incidents Report in
Security Audits" on page 59.
Cloning and enabling the MSSQL Database Change Attempt rule:
1. Open the SolarWinds LEM Console and log into the SolarWinds LEM
Manager as an administrator.
2. Select the Build tab, and then click Rules.
3. Enter MSSQL Database Change Attempt in the search box at the top of
the Refine Results pane.
4. Click the gear button next to the rule (left), and then click Clone.
5. Select the folder where you want to save the cloned rule, and then click OK.
6. Select Enable at the top of the Rule Creation window, next to the
Description field.
7. Click Save.
8. Back on the main Rules screen, click Activate Rules.


Leveraging the Incidents Report in Security Audits
Auditors typically require that IT administrators review the critical events on their
networks on a daily basis. Create a method for reviewing these events by utilizing
Incident events as discussed in the previous sections in this chapter. After you
have defined your critical network events as Incidents, schedule the Incidents
report to run daily and follow the procedure suggested below to maintain a paper
trail to use during your security audits.
We recommend scheduling reports to run on a daily basis, one of which is the
Incidents report. Maintaining a paper trail for your security audits using the daily
Incidents report:
1. Open the Incidents report every day for the previous day.
2. Print the report and review its contents.
3. Document any action you took as a result of the report on the printed report
and sign it.
4. File the printed and signed report in a safe location for your next security
audit.

59

Chapter 6: Ops Center


The Ops Center is a dashboard used for viewing and managing informational
widgets. Each widget represents a high-level graphical view of specific network
activity. Widgets are designed to present important high-level information in
easy-to-read graphical formats, such as charts and graphs. Widgets are filter-driven;
that is, a filter is the data source for the graphical representation found in the
widget. In fact, widgets appear in Monitor, as well, so you can see graphical
views of your filters along with their grid-based views.
You can select from a library of commonly used widgets, or you can create your
own widgets. You can add or remove widgets, edit existing widgets, or resize,
refresh, and rearrange widgets to meet your personal preferences.
Click to select the widget you want to work with. You can point to the widget to
display ToolTips and details about its graph. You can also use the control options
on its toolbar to change the widget's settings and display format.
You can resize widgets, but they are limited to certain sizes and aspect ratios to
keep the Ops Center tidy and organized.
The following table describes the key features of the Ops Center view.

Widgets
Each widget represents a high-level graphical view of specific network activity.
Widgets are designed to present important high-level information at a glance.
Most widgets filter the data source for what you are graphing in the widget.

Name: Description

Widget Manager: Click this button to alternately open and close the Widget
Manager. The Widget Manager includes two panes: the Categories pane and the
Widgets pane.
Getting Started: Tips and shortcuts to get you started configuring and exploring
LEM.
Node Health: A view of the status of each device being monitored by LEM.
thwack Community & Support: Access to useful information from the thwack
community.
Top 10 Events: Displays the top 10 events in the selected time range.
Help: Links to different resources to help you learn more about LEM.
What's New in LEM: A list of items that have been added or improved in this
version.
Events per Minute: Displays the total count of events per minute for the past 15
minutes.
Custom Widget: Example of what can be created on a custom widget.
Top 10 Nodes by # of Events: Displays the top 10 most active nodes (by # of
events).
Top 10 Users by # of Events: Displays the top 10 users with the most events in
the selected time range.
Network Events by Source Machine: Displays the top 10 machines generating
network events.
User Logons by Source Machine: Displays the top 5 user logons by source
machine.
Data Simulator: Plays back different kinds of simulated network data.
Top 10 Rules by Number of Rules Fired: Displays the top 10 most commonly
triggered rules and how many times each has been triggered over a selected
time period.

61

User Details

User Details
From the Top 10 Users widget, click on a user to open the User Details page.
Every user has a User Details page that displays all related information, including
all events, for that user.
The User Details page contains the User:Details and User:All Events widgets.

User: Details Widget


Displays detailed user information such as User Name, Manager, User Type, etc.
User: All Events Widget
Lists all events generated by the selected user and displays statistics of the
events in a graph. Click an event to see the Event Details page for the selected
event.
The User:All Events menus provide several presentation options:
• Filter events by event group
• Switch between Grid and Details views
• Select by time

Color-coding allows you to easily pick out events that might need attention. A
green line on a graph represents informational events, a yellow line represents
warning events, and a red line represents critical events.

Node Details
From the Top 10 Nodes, click a node to open the Nodes Details page. The Nodes
Details page displays overview information on every device that is monitored by
LEM.
The Nodes Details page contains the Node:Details, Node:Connectors Applied,
and Nodes:All Events widgets.
Node: Details Widget
Represents the detailed information about the specified node such as Node IP,
Node Name, Last Event etc.

Node:Connectors Applied Widget
• Provides a list of connectors which are configured for the specified node
• Shows whether the connector is enabled or not
• Allows you to turn on or turn off connectors
• Allows you to configure new connectors
Node: All Events Widget


Lists all events generated by the selected node and displays statistics of the
events in a graph. Click an event to see the Event Details page for the selected
event.
The Node:All Events menus provide several presentation options:
• Filter events by event group
• Switch between Grid and Details views
• Select by time

Color-coding allows you to easily pick out events that might need attention. A
green line on a graph represents informational events, a yellow line represents
warning events, and a red line represents critical events.

Widget Manager
In the Ops Center, master widgets reside in the Widget Manager's Categories
list. Dashboard widgets reside on the dashboard. Dashboard widgets cannot be
saved in the Widget Manager.
Name: Description

Filters pane: Widgets are organized by filter. You can use the Filters pane to
view, add, and edit the master widgets that are associated with each filter, and
to create dashboard widgets from each master widget.
The Name column lists each filter that has one or more master widgets. The
Count column states how many master widgets are associated with each filter.
You can also sort the columns of the Filters pane.
(Icon button): Opens the Widget Builder, so you can add a new master widget to
the selected category.
(Icon button): Opens the Widget Builder for the widget that is currently selected
in the Widgets pane. The Widget Builder lets you edit the widget's settings.
Widgets pane: The Widgets pane is used to view the master widgets that are
associated with each filter. You can also use this pane to create dashboard
widgets and to delete master widgets from the selected filter.
Add to Dashboard: This button adds a copy of the master widget that is
currently shown in the Widgets pane to the dashboard.
Delete Widget: This button deletes the master widget that is currently shown in
the Widgets pane. Deleting a master widget does not delete any of the
dashboard widgets that came from that widget.

Widget Builder
This topic explains how to use the Widget Builder, which is used to add a new
widget or edit the configuration of an existing widget.
The following table explains each field on the Widget Builder.
Field: Description

Name: Type a name for the widget. This name will appear in the widget's title
bar.
Filter: Select the filter that is to be the widget's data source. If a filter
name appears in italics, it means the filter is currently turned off.
When creating a widget from the Monitor view, this field defaults to the filter
that is currently active. If you select a different filter, the widget will be
associated with that filter, not the active filter.
When creating a widget from the Ops Center, this field defaults to the first
option in the list.
Note: If you create a widget from a filter that is turned off, the widget will
not display any chart information until the filter is turned back on.
Description: Type a brief description of the information this widget is
reporting. You may use up to 80 characters.

Visual Configuration
Visualization Type: Select the type of chart or graph you want: Pie, Bar, Line,
Table, etc. Select Table for those times when a table of values is a useful way
to view the data. You can display a widget with any of these display types at
any time. However, some display types may not make sense for some widgets,
depending on the widget's content.
Color/Color Palette: Select a color palette for the chart or graph.
X-Axis Label: If desired, type a label for the chart or graph's horizontal axis.
Y-Axis Label: If desired, type a label for the chart or graph's vertical axis.
Preview: The Preview section shows what the widget will look like, based on the
options you have selected in the Visual Configuration section.

Data Configuration
Field: Select a data field you want reported from those that are available in
the selected data source.
Show: Select how you want the frequency reported:
• Count: (default) This option counts each occurrence of the selected Field
  value. For example, if the Field you select is EventID, you are counting the
  number of events. As a practical matter, no matter which field you select,
  you are counting events. But it is best to think of the widget as counting
  occurrences of the field.
• Distinct Count: This option does not count repeating Field values. Instead,
  it counts each time a distinctly different event occurs. For example, if you
  select a Field value like Event Name or Detection IP, the widget will count
  each specific value only once.
  When used in a single-dimension chart, the Distinct Count option reports all
  values as 1, so this option is best used with multi-dimensional charts.
Sort: Select how you want the Show data sorted:
• Descending (default) order is from highest to lowest (Z to A, or 0 to 1,
  etc.).
• Ascending order is from lowest to highest (A to Z, or 1 to 0, etc.).
Sorting only applies when your Versus value is something other than Time.
Versus: If you want a second dimension in the chart, select another data field
from those that are available in the selected data source. This field's sort
order is ascending.
Split By: If you want a third dimension in the chart, select another data field
from those that are available in the selected data source. This field's sort
order is ascending.
Limit: Most filters contain a data span that exceeds what is practical to
chart. The Limit value limits the number of items that will be seen. Select a
limit for the number of items that are to be charted. The default value is 5.
For example, this can represent your Top 5 or Bottom 5, depending on how you
sort the data.
Scope: Select a value for the scope. This is the time frame reported by the
chart or graph. The scope is always measured backward from the moment the chart
is refreshed. For example, a scope of 30 minutes means the last 30 minutes.
The scope can be measured in Seconds, Minutes (default), Hours, or Days. For
events that happen frequently, choose a narrow scope. For events that happen
rarely, choose a large scope.
Resolution: Select the time value that defines the tick marks that are to be
used on the chart's horizontal X-axis. This field is required when Versus is a
Time Field.
For example, if you are looking at 30 minutes of data, a Resolution of 5
Minutes means the bars or line chart data points are drawn in 5 minute
increments. In charts with wider scope, the resolution could be hours or even
days.
This option is disabled for widgets that are not reporting time-based data.
Refresh: Select the rate at which you want the widget to refresh its visual
display. This is necessary because the Console is monitoring real-time data.
Therefore, you need to periodically refresh the chart.

Save and cancel
Save to Dashboard: Select this option to save the new or updated widget to the
bottom of the Ops Center dashboard.
Save: Click Save to save the new or revised master widget.
Upon saving, the new widget configuration immediately appears in the Ops Center
Widget Manager and in the Monitor view's Widget pane.
Cancel: Click Cancel to cancel your changes and close the Widget Builder.
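To make the Data Configuration fields concrete, the Python below, an added example rather than SolarWinds code, computes what a widget would chart from a constructed set of events: a single-dimension series driven by Field, Show, Sort, Limit and Scope, and a Versus = Time series bucketed by Resolution. The event field names (EventName, DetectionIP, DetectionTime) and the sample values are assumptions made for the example.

```python
"""Widget Data Configuration semantics (Field, Show, Sort, Limit, Scope,
Versus = Time, Resolution) applied to constructed events.
Added example, not SolarWinds code; field names and sample data are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

NOW = datetime(2015, 9, 1, 12, 0, 0)  # the moment the chart is refreshed


def ev(name, ip, minutes_ago):
    """Constructed event `minutes_ago` minutes before the refresh moment."""
    return {"EventName": name, "DetectionIP": ip,
            "DetectionTime": NOW - timedelta(minutes=minutes_ago)}


# Constructed sample events; the VirusAttack event falls outside a 30-minute scope.
SAMPLE_EVENTS = [
    ev("UserLogon", "10.0.0.1", 1), ev("UserLogon", "10.0.0.2", 3),
    ev("UserLogon", "10.0.0.1", 7),
    ev("UserLogonFailure", "10.0.0.9", 2), ev("UserLogonFailure", "10.0.0.9", 12),
    ev("TCPTrafficAudit", "10.0.0.5", 4), ev("TCPTrafficAudit", "10.0.0.5", 9),
    ev("TCPTrafficAudit", "10.0.0.6", 14), ev("TCPTrafficAudit", "10.0.0.7", 18),
    ev("FileAuditAlert", "10.0.0.3", 22),
    ev("VirusAttack", "10.0.0.4", 45),
]


def in_scope(events, scope, now=NOW):
    """Scope is measured backward from the refresh moment."""
    return [e for e in events if now - scope <= e["DetectionTime"] <= now]


def single_dimension(events, field, show="Count", sort="Descending", limit=5,
                     scope=timedelta(minutes=30), now=NOW):
    """No Versus field: one slice or bar per distinct Field value, sorted, limited."""
    counts = Counter(e[field] for e in in_scope(events, scope, now))
    if show == "Distinct Count":
        # In a single-dimension chart Distinct Count reports every value as 1.
        counts = Counter({value: 1 for value in counts})
    rows = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]),
                  reverse=(sort == "Descending"))
    return rows[:limit]


def versus_time(events, field, show="Count", scope=timedelta(minutes=30),
                resolution=timedelta(minutes=5), now=NOW):
    """Versus = Time: one point per Resolution bucket, oldest first (Sort is ignored)."""
    start = now - scope
    n_buckets = int(scope // resolution)
    buckets = defaultdict(list)
    for e in in_scope(events, scope, now):
        idx = min(int((e["DetectionTime"] - start) // resolution), n_buckets - 1)
        buckets[idx].append(e[field])
    series = []
    for i in range(n_buckets):
        values = buckets.get(i, [])
        count = len(set(values)) if show == "Distinct Count" else len(values)
        series.append((start + i * resolution, count))
    return series


if __name__ == "__main__":
    print("Top 5 event names, last 30 min:", single_dimension(SAMPLE_EVENTS, "EventName"))
    print("Distinct DetectionIP per 5 min:",
          versus_time(SAMPLE_EVENTS, "DetectionIP", show="Distinct Count"))
```

Switching `show` to "Distinct Count" in `single_dimension` flattens every bar to 1, which is the behaviour the table warns about; the same option in `versus_time` gives the number of different values seen in each 5-minute bucket, which is where it is useful.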

Widgets act as shortcuts to the event filters that are their data sources. This
means you can open the source filter directly from a widget. You do this by
clicking the specific line, bar, or pie wedge of chart that interests you. The
corresponding filter then opens in the Monitor view. The filter lists only the events
that correspond with the chart item selected. See Opening a filter from a widget for
information on using widget filters.
The following table describes the function of each button on a widget toolbar. All
of these buttons are on the widget toolbar, except for the legend button, which
appears in the lower-left corner of the widget.
Button functions (each button is an icon on the toolbar):
• Opens the widget in the Widget Builder, so you can edit its settings.
• Flips the widget, so you can configure its presentation format.
• Refreshes the widget's data.
• Expands (maximizes) the widget to fill the desktop.
• Restores the widget from its maximized size to its default size.
• This button has two functions:
  - In normal dashboard mode, this button deletes the widget from the
    dashboard.
  - When you are editing a flipped widget, this button closes the widget's
    edit mode, and returns it to its normal desktop view.
• Opens the widget's legend.

Viewing specific widget data


Widget graphs and charts display basic high-level information. However, each
widget includes ToolTips that show specific data about each bar, line, or wedge
in the chart. Typically, this information is the reported event, Event Group, or event
field, and its number of occurrences.
To view specific chart data:
Point to the specific bar, line, or wedge you want to know about and a ToolTip
appears, showing specific data about the item you are pointing to.

Refreshing widget data


On the widget toolbar, click the refresh button to show the latest data from your
network. Widgets automatically refresh themselves according to the Refresh rate
that was set when the widget was created. If a widget has a slow refresh rate, you
can refresh it whenever you want. Refreshing a widget immediately updates it to
show the most current real-time data from your network traffic.

Opening a filter from a widget


Widgets act as shortcuts to the event filters that are their data sources. This
means you can open the source filter directly from a widget. You do this by
clicking the specific line, bar, or pie wedge of chart that interests you. The
corresponding filter then opens in the Monitor view. The filter lists only the events
that correspond with the chart item you selected.
To open a filter from a dashboard widget:
1. Open the Ops Center view.
2. In the dashboard, locate the widget you want to work with.
3. On the widget, click the specific line, bar, or pie wedge that interests you.
4. The Monitor view appears, with the event grid showing the filter that is the
widgets data source. Note that the event grid lists only those events that
correspond to the line, bar, or pie wedge that you clicked. Also note that the
filter is paused. Click Resume on the event grid toolbar to begin running the
filter again.

Note: It is possible for you to select an item in the widget that is no longer shown
in the Monitor's event grid. That is, the filter may actually show fewer events than
appear in the widget. This can happen if the widget's scope is broader than the
filter's scope. In this case, the filter may no longer have some of the data shown
by the widget, because the filter has had to make room for new data.
Remember, the widget's scope can be different than the filter's scope. The widget
tracks statistics about events that occurred over time (and perhaps a very large
time frame). The filter tracks only a certain quantity of events for a time frame that
may be much smaller than the widget's scope.
To think about it another way: the Console filters are aware of 10,000 events at a
time. With every refresh interval, a widget looks at those 10,000 events to draw a
line, bar, or wedge that matches the right count for that time. Those 10,000 events
are also displayed in the corresponding filter. But once the Console reaches
10,000 events, the widget doesn't "erase" any data points it has already drawn,
whereas the filter has to remove the oldest events from the grid to make room for
new data.
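To make the note above concrete, here is an added Python model (not LEM code) of a bounded filter grid beside a widget that only ever appends bars. The grid capacity of 100 instead of 10,000, the per-interval event rate and the event records are all constructed for the example.

```python
from collections import Counter, deque


class FilterGrid:
    """The Monitor view's event grid for one filter, modelled as a bounded
    buffer (LEM's holds 10,000 events) that drops its oldest events to make
    room for new ones."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.events = deque()

    def add(self, event):
        self.events.append(event)
        if len(self.events) > self.capacity:
            self.events.popleft()  # the oldest event disappears from the grid

    def count(self):
        return len(self.events)

    def events_in(self, interval):
        """What the grid can still show when you click the bar for `interval`."""
        return [e for e in self.events if e["interval"] == interval]


class Widget:
    """A dashboard widget: one bar per refresh interval; bars are never erased."""

    def __init__(self):
        self.bars = Counter()

    def refresh(self, grid, interval):
        # Each refresh draws the bar for the current interval from the events the
        # grid holds right now; bars drawn in earlier intervals are left untouched.
        self.bars[interval] = len(grid.events_in(interval))

    def total(self):
        return sum(self.bars.values())


def simulate(capacity=100, per_interval=5, intervals=40):
    """Feed a constructed event stream through a grid and its widget and
    return both, so the divergence between them can be inspected."""
    grid, widget = FilterGrid(capacity), Widget()
    for interval in range(intervals):
        for n in range(per_interval):
            # Constructed event record; only the interval matters here.
            grid.add({"interval": interval, "event": f"UserLogon-{interval}-{n}"})
        widget.refresh(grid, interval)  # widget redraws after the interval's events
    return grid, widget


if __name__ == "__main__":
    grid, widget = simulate()
    print("widget total across all bars:", widget.total())   # 200
    print("events still held by the filter grid:", grid.count())  # 100
    print("bar 0 height:", widget.bars[0], "grid events for bar 0:",
          len(grid.events_in(0)))  # 5 vs 0: the filter has made room for new data
```

Clicking the first bar in this model would open a filter with nothing in it, which is exactly the mismatch the note describes.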

Editing a widget's chart presentation

On the back of each widget there is a form that lets you change how the data is
presented on the widget. However, your options are limited to the type of widget
you are working with and the type of data it is reporting. For example, widgets that
only report data in one dimension may be limited to a pie chart, while information
in two dimensions can be reported in a bar chart or a line chart.
To edit a widget's presentation from the dashboard:
1. In the Ops Center dashboard, locate the widget you want to work with.
2. Click the configure button on the widget toolbar.
3. The widget flips over to display its configuration options, as shown here.
4. Configure the widget, according to its configuration options. These options
are a sub-set of the fields on the Widget Builder.
To arrange widgets on the dashboard:
1. Open the Ops Center view.
2. If needed, click Widget Manager to close the Categories and Widgets
panes. This provides the most space for arranging your widgets.
3. In the dashboard, drag a widget's title bar to move that widget into a new
position on the dashboard. As you move the widget around the dashboard,
the other widgets rearrange themselves and make room for your widget.
Upon releasing the mouse button, the widget snaps into place.

Resizing a widget
You can view widgets in full-screen mode or in their normal size. You can also
change the size of a widget to make it taller or wider. However, the widget's
different sizes must conform to the dashboard's standard geometry.
To resize a widget:
In the Ops Center dashboard, drag the lower-right corner of the widget in any
direction. As you resize the widget, the surrounding widgets rearrange
themselves to make room for the larger one. Upon releasing the mouse button,
the widget snaps to the closest size allowed by the desktop's geometry.
To show a widget in full-screen mode:
In the Ops Center dashboard, click the Maximize button on the widget's
toolbar. The widget takes up the entire dashboard.
To restore a widget to its normal size:
In the Ops Center dashboard, click the Minimize button on the widget's
toolbar. The widget returns to its normal size.

Viewing a widget's legend

Each widget bar chart, graph, and pie chart has a legend that explains what each
bar, line, or wedge in the chart represents.
To view a widget's legend:
Click the widget's legend button. The chart legend appears, as shown here.

Where to find widgets

Widgets appear in two areas, the Ops Center and the Monitor view's Widgets
pane:
• In the Ops Center, master widgets always reside in the Widget Manager's
Categories list. Dashboard widgets always reside on the dashboard.
Dashboard widgets cannot be saved in the Widget Manager.
• In the Monitor view, each master widget appears in the Widgets pane for
the filter that acts as its data source. Dashboard widgets do not appear in
the Monitor view's Widgets pane.

Chapter 7: Monitor
The Monitor view is the heart of the LEM Console. As the name implies, it is used
for monitoring your network activity. In Monitor, you create filters and widgets that
group and display different events that come from your Agents, Managers, and
network devices.
Events are messages created from Agent, Manager, and network device log
entries. These log entries are processed (or normalized) to extract information
and display the data in a common column/field-based format, rather than the often
convoluted format you see in the source data. These normalized events are sent
from the Agent to the Manager for processing. At the Manager, the events are
processed against your Rules, sent to your Database for archiving, and sent to
the LEM Console for monitoring.

Monitor View Features

The following table describes the key features of the Monitor view.
Filters button
    Click the Filters button to alternately show and hide the Filters pane.
Filters pane
    Stores all of the filters that you can apply to the Console's event messages.
    • Click a filter name to apply that filter to the events grid. The events grid
      refreshes to show only the incoming events allowed by the filter's conditions.
    • Use the plus button to create your own custom filters and filter groups.
    • Use the pane's gear button to edit, pause, resume, turn on, turn off, import,
      export, or delete filters.
Events grid
    Agents monitor each configured data source on your network. The Agents then
    send events to your Managers. The Console's events grid displays every event
    that is logged to each Manager the Console is connected to.
    The grid's title bar displays the name of the filter that is currently applied.
    By default, incoming events always appear at the top of the grid. This allows
    the Console to always show the most recent event activity first.
Respond menu
    Use this menu to actively respond to a particular event message. For example,
    you can choose to block an IP address, or restart or shut down the machine that
    is the source of the event activity.
Explore menu
    Use this menu to explore a particular event message or one of its specific data
    elements with an explorer. The menu is context-sensitive. The contents of the
    selected cell (called a string) determine which explorers you may choose from.
Pause/Resume
    This button toggles to pause or resume the event traffic that is currently being
    reported by the filter.
Highlight button
    This button lets you highlight rows in the events grid with a particular color.
    Highlighting can serve as a helpful visual reference point for marking and
    locating specific events in the grid.
Gear button
    The gear button in each row opens a menu of commands that you can perform on
    the item that is currently selected in the grid. You can use these commands to
    mark messages as read or unread, to remove messages, or to copy event
    information.
Sort
    When a filter is paused, you can click the column headers to sort the grid in
    ascending or descending order by each of its columns.
Filter Notifications pane
    The Filter Notifications pane summarizes the event activity from each of your
    active notification filters (these are filters that use blink, popup, or sound
    notifications). Click a filter name in this tab to view the events associated
    with that filter. This pane behaves exactly like the status bar's Notifications
    tab.
Widgets pane
    This pane displays the widgets associated with the filter that is currently
    applied to the events grid. Widgets automatically refresh themselves to reflect
    changes in events grid filtering. You can use this pane to view the different
    widgets associated with the filter, change a widget's visualization type (bar
    chart, pie chart, line graph, etc.), create a new widget, edit an existing
    widget, or save a widget to the Ops Center dashboard.
Event Details and Description
    Event Details and Event Description are two views of the same pane. This pane
    displays detailed information about the last event to be selected in the grid.
    • The Event Details view displays specific technical details about the event.
      You can also use this view to create a filter based on the selected event, or
      to scroll through the contents of the events grid.
    • The Event Description view displays a written description of the event that
      is currently selected.
Notifications
    The Notifications tab summarizes the event activity from each of your active
    notification filters (these are filters that use blink, popup, or sound
    notifications). Click a filter name in this tab to view the events associated
    with that filter.

Filters and Filter Groups


On a busy network, there can be millions of events each day. Therefore, the LEM
Console uses event filters to manage events. A filter is a subset of your events
that focuses on a particular type or group of events and hides all others. When
configuring a filter, you can examine and use individual event properties to
determine precisely which events are to appear in that filter.
Filters apply at the LEM Console level. This means they apply to all data sent
from every Manager monitored by the LEM Console. Filters also display events in
real time.

You can turn filters on and off, pause filters to sort or investigate their events,
perform actions to respond to events, and configure filters to notify you when they
capture a particular event. Filters can also display widgets, which are charts and
graphs that visually represent the event data. Widgets are described in more
detail below.
LEM ships with many commonly used filters that support best practices in the
security industry. However, you can create your own custom filters, or modify
existing filters to meet your needs. There is no limit to the number of filters a
LEM Console can contain.
Filters are managed in the Filters pane. The Filters pane stores all of the filters
that can be applied to the Console's events grid.
Filter Attributes
The number next to each filter shows the total number of events that are currently
associated with that filter. Positioning your pointer over a filter displays a Tooltip
that briefly describes the purpose of each filter, when such a description is
available. Any filters that appear in italics are currently turned off.
You can use the Filters pane to do any of the following tasks:
• Create your own custom filters and reconfigure existing filters to meet your
needs.
• Create filter groups for storing and organizing your filters.
• Turn filters on and off, and pause them to stop the flow of event traffic.
• Move filters from one filter group to another.
• Copy filters.
• Rename filters and filter groups.
• Import and export filters.
• Delete obsolete filters and filter groups.

Standard LEM Filters


LEM ships with some commonly used filters that support best practices in the
security industry. Each of these filters is described in the following table. They are
listed alphabetically for easy reference. The Default status column indicates if
the filter is On (visible) or Off (hidden) by default.
To add your own custom filters, see Utilizing the Console.
Note: If you are installing an upgrade, LEM automatically converts your existing
filters into the new graphical format described in Utilizing the Console.
Filter, description, and default status:

Admin Account Authentication
    Displays events for authentication to administrative-level accounts.
    Default status: Off
All Events
    Displays all events from all sources.
    Default status: On
Change Management
    Displays events for changes made to users, groups, and devices.
    Default status: On
Denied ACL Traffic
    Displays events for network traffic that has been administratively denied.
    Default status: Off
Domain Controllers (all)
    Displays all events from domain controller devices.
    Default status: Off
Failed Logons
    Displays failed logon attempts.
    Default status: On
File Audit Failures
    Displays FileAuditFailure events, which show failed attempts to access
    audited files.
    Default status: Off
Firewall
    Displays all events from firewall devices.
    Default status: On
FTP Traffic
    Displays TCP traffic to and from ports 20 and 21, indicating file transfer
    activity on the network.
    Default status: On
IDS
    Displays all events from network intrusion detection devices.
    Default status: On
Incidents
    Displays all Incident Events.
    Default status: On
Network Events
    Displays all events in the NetworkAudit category of the event tree.
    Default status: On
Proxy Bypassers
    Displays WebTrafficAudit events that are not from a proxy server. This can
    indicate an internal machine attempting to access the Web directly, rather
    than by using the proxy server.
    Default status: Off
Rule Activity
    Displays InternalRuleFired and InternalTestRule events, which indicate that
    Rules have been triggered.
    Default status: On
Security Events
    Displays all events in the SecurityEvent category of the event tree.
    Default status: On
Security Processes
    Displays ProcessStart and ProcessStop events related to critical security
    processes running on machines. These processes include anti-virus,
    anti-spyware, and firewall processes.
    Default status: On
SMTP Traffic
    Displays TCP traffic to and from port 25. It can also identify potentially
    infected hosts.
    Default status: On
SNMP Traffic
    Displays network traffic to and from port 161. This filter can be used to
    discover network scan attempts and normal network monitoring tools.
    Default status: On
Subscriptions
    Displays events from user rule subscriptions.
    Default status: On
Events
    Displays all events in the InternalEvent category of the event tree.
    Default status: On
Unusual Network Traffic
    Displays events in the NetworkSuspicious branch of the event tree, which
    indicate that potentially suspicious or unusual network activity may be
    occurring.
    Default status: On
USB File Auditing
    Displays file-related events from Agents with USB-Defender installed.
    Default status: On
USB-Defender
    Displays events from USB-Defender technology that are related to insertion
    and removal of USB devices.
    Default status: On
User Logon (interactive)
    Displays UserLogon events where the logon type indicates a user physically
    logging on at a machine, or interactively logging on to a remote desktop.
    Default status: On
User Logons
    Displays all UserLogon events from all sources, indicating varying types of
    user authentication and access.
    Default status: On
Virus Attacks
    Displays all VirusAttack events. VirusAttack events are created when virus
    scanners detect potentially malicious virus activity.
    Default status: Off
Web Traffic for Source Machine
    Displays WebTrafficAudit events that match a specific source machine. This
    filter can be used to track a single machine's web activity to discover
    potentially abusive activity.
    Default status: Off
Web Traffic Spyware
    Displays WebTrafficAudit activity to and from URLs that are indicated by the
    Spyware Sites User-Defined Group to be potentially malicious websites.
    Default status: Off
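The standard filters above are fixed predicates over fields of normalized events. As an added illustration (not LEM's own code or event schema), the following Python models several of them, including the Default status column, over constructed sample events; the field names, the proxy address set and the security process list are assumptions made for the example.

```python
# Added example: a small model of how LEM's standard filters select normalized
# events. Field names (event_type, category, protocol, ports, detection_ip,
# process) are constructed for this example and are not LEM's schema.

# Constructed stand-ins for what LEM would take from user-defined groups and
# event fields: the site's proxy servers and the names of security processes.
PROXY_SERVERS = {"10.0.0.5"}
SECURITY_PROCESSES = {"avengine.exe", "antispy.exe", "fwservice.exe"}


def tcp_port(event, ports):
    """True for TCP traffic to or from any of the given ports."""
    return event.get("protocol") == "TCP" and (
        event.get("source_port") in ports or event.get("destination_port") in ports
    )


def any_port(event, ports):
    """True for traffic on any protocol to or from any of the given ports."""
    return event.get("source_port") in ports or event.get("destination_port") in ports


# Filter name -> (predicate, default status), following the table above.
STANDARD_FILTERS = {
    "All Events": (lambda e: True, "On"),
    "FTP Traffic": (lambda e: tcp_port(e, {20, 21}), "On"),
    "SMTP Traffic": (lambda e: tcp_port(e, {25}), "On"),
    "SNMP Traffic": (lambda e: any_port(e, {161}), "On"),
    "Proxy Bypassers": (
        lambda e: e["event_type"] == "WebTrafficAudit"
        and e.get("detection_ip") not in PROXY_SERVERS,
        "Off",
    ),
    "Rule Activity": (
        lambda e: e["event_type"] in {"InternalRuleFired", "InternalTestRule"},
        "On",
    ),
    "Security Processes": (
        lambda e: e["event_type"] in {"ProcessStart", "ProcessStop"}
        and e.get("process", "").lower() in SECURITY_PROCESSES,
        "On",
    ),
    "Unusual Network Traffic": (
        lambda e: e.get("category", "").startswith("NetworkSuspicious"),
        "On",
    ),
}


def apply_filters(events, include_off=False):
    """Return {filter name: events it would show}. Filters whose default status
    is Off stay hidden unless include_off is set, mirroring the Default status
    column (an Off filter has to be turned on before it shows anything)."""
    return {
        name: [e for e in events if predicate(e)]
        for name, (predicate, status) in STANDARD_FILTERS.items()
        if status == "On" or include_off
    }


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"event_type": "TCPTrafficAudit", "category": "NetworkAudit", "protocol": "TCP",
     "source_ip": "10.0.0.22", "source_port": 51000, "destination_port": 21},
    {"event_type": "TCPTrafficAudit", "category": "NetworkAudit", "protocol": "TCP",
     "source_ip": "10.0.0.22", "source_port": 51001, "destination_port": 25},
    {"event_type": "UDPTrafficAudit", "category": "NetworkAudit", "protocol": "UDP",
     "source_ip": "10.0.0.40", "source_port": 162, "destination_port": 161},
    {"event_type": "WebTrafficAudit", "category": "NetworkAudit",
     "source_ip": "10.0.0.30", "detection_ip": "10.0.0.5"},   # reported by the proxy
    {"event_type": "WebTrafficAudit", "category": "NetworkAudit",
     "source_ip": "10.0.0.31", "detection_ip": "10.0.0.31"},  # went to the Web directly
    {"event_type": "InternalRuleFired", "category": "InternalEvent"},
    {"event_type": "ProcessStop", "category": "SecurityEvent", "process": "AVEngine.exe"},
    {"event_type": "ProcessStart", "category": "SecurityEvent", "process": "notepad.exe"},
    {"event_type": "PortScan", "category": "NetworkSuspicious", "source_ip": "10.0.0.40"},
]

if __name__ == "__main__":
    for name, hits in apply_filters(SAMPLE_EVENTS, include_off=True).items():
        print(f"{name}: {len(hits)} event(s)")
```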

Filter Creation
The Monitor view has a Filter Creation tool where you create and edit your own
custom event filters, as well as edit any existing filters. Use this form to name,
describe, configure, and verify your filters.
Event filters are based on specific Events or Event Groups. You configure them
by dragging and dropping the filter's Event attributes into configuration boxes.
When an Agent or Manager reports an event that conforms to the event filter's
conditions, the event message appears in the events grid, whenever that filter is
active.
Each filter created is added to the Filters pane. Selecting the filter causes it to
become the active filter in the events grid. As with other filters, the events grid
shows only those event messages that meet your filter's requirements.
The possibilities for event filters are endless, so this section describes how to
create filters in general terms. This section is not intended to be a tutorial, but
rather a reference for you to fall back on if you are unclear about how any of the
custom filter form's elements, commands, or functions perform.
The tools in Filter Creation are very similar to those found in Rule Creation.
Filters report event occurrences, so there is no harm if you create a filter that is
unusual or has logic problems. But this is not the case when building rules:
creating an incorrect rule can have unpleasant consequences. Therefore,
creating filters with Filter Creation is an excellent way to familiarize yourself with
the logic and tools needed to create well-crafted rules.

Features of Filter Creation

Each element of the form is described in the following table.
List pane
    This accordion pane is called the list pane. It contains categorized lists of
    the events, event groups, event variables, groups, profiles, and constants that
    you can use when creating conditions for your filters.
    If more than one Manager is linked to the Console, each item in the list pane
    lists the Manager it is associated with. Therefore, some list items may appear
    to be listed multiple times. But in reality, they are listed once for each
    Manager. Events are universal to all Managers, so they do not show a Manager
    association.
Filter identification section
    Use the top part of the form to name and describe the filter, so you can
    quickly identify it.
Filter Status bar
    The Filter Status bar lists warnings and error messages about your filter's
    current configuration logic.
    • Click > to view a list of warning and error messages.
    • Click a message flag to provide detailed information about the nature of
      that problem.
    • Click a message to highlight the specific area or field that is the source
      of that problem.
Conditions box
    Use this box to define the conditions for the data that is to be reported by
    the filter. You configure conditions by dragging items from the list pane into
    the Conditions box.
Notifications box
    Use this box to define how the Console is to notify users of filter events,
    such as by sound, pop-up message, etc.
Undo/Redo
    Click the Undo button to undo your last desktop action. You can click the Undo
    button repeatedly to undo up to 20 steps.
    Click the Redo button to redo a step that you have undone. You can click the
    Redo button repeatedly to redo up to 20 steps.
    You can only use Undo or Redo for any steps you made since the last time you
    clicked Save.
Save/Cancel
    Click Save to save your changes to a filter, close Filter Creation, and return
    to the events grid.
    Click the Cancel button to cancel any changes you have made to a filter since
    the last time you clicked Save, exit Filter Creation, and return to the events
    grid. If you have any unsaved changes, the system prompts you to confirm that
    you want to cancel.

Events
The topics in this section explain how to use the events grid to apply filters to
incoming event traffic. It also explains how to use the events grid to pause, sort,
highlight, copy, read, remove, explore, and respond to events to take preventive
or corrective action.

Applying a Filter to the Events Grid


In the Monitor view, each item listed in the Filters pane represents a different
event filter. You can filter the events coming into the Console by selecting any of
these items.
To apply a filter:
1. Open the Monitor view.
2. In the Filters pane, click the title bar of the filter group you want to work with.
The filter group opens to list the filters that are available for that group.
3. Select the filter you want to apply to the events grid.
The events grid title bar displays the name of the filter you have selected,
and the grid refreshes to display only those events that meet the special
conditions of that filter.
LEM saves event filters on the workstation running the Console. If you
move to another workstation, the filters do not follow. However, you can
export the filters from one workstation and import them into another
workstation. For more information, see Importing a filter and Exporting a
filter.

Sorting the Events Grid


You can sort the events grid by any of its columns by clicking its column headers.
Doing so also changes how the graph is sorted. However, you must pause the
events grid before you can sort it. Pausing the grid temporarily stops the incoming
flow of event traffic.
For example, if you click the Event Name column header, the grid becomes
sorted by event names in ascending order. If you click the column header again, it
sorts the grid by that column in descending order.
To sort the events grid:
1. On the events grid toolbar, click Pause.
2. Sort the grid as you normally would. You can also sort the grid by more than
one column. For more information, see Sorting a grid by its columns.
3. When you are finished working with the sorted grid, click Resume to
continue receiving the filter's unsorted event traffic.

Highlighting Events
In the Monitor view's events grid, you can highlight events to call attention to
them or mark them for future reference. This allows the events to really stand out
as you scroll through the contents of the grid. You can highlight multiple events at
the same time. You can also choose the color you want for each set of events you
are highlighting.
To highlight events:
1. Open the Monitor view.
2. In the Filters pane, click to select the filter you want to work with. The events
grid displays the filter you have selected.
3. On the events grid toolbar, click Pause to temporarily stop any incoming
events.
Note: It is not required to pause a filter to highlight its events; however, it is
convenient. Pausing temporarily stops the flow of event traffic (freezing any
event movement in the grid) so you can easily select each item.
4. In the events grid, click to select the events you want highlighted.
5. On the events grid toolbar, click the arrow next to the highlight button.
6. Use the color picker to select the highlight color you want. You can also
type the hexadecimal value of any color in the Web-safe color palette. In the
grid, the selected events become highlighted in the color you chose.
7. Click Resume to continue the flow of incoming event traffic.


To highlight more events with the same color:
1. In the events grid, click to select the events you want highlighted.
2. Click the marker part of the events grid's highlight button. The selected
events become highlighted with the marker color.
To turn an event's highlighting off:
1. (Optional) On the events grid toolbar, click Pause to temporarily stop any
incoming events.
2. In the events grid, select the events for which you want to remove
highlighting.
3. On the events grid toolbar, click the arrow next to the highlight button.
Then click the No Color button. The highlighting is removed from the events.
4. Click Resume to continue the flow of incoming event traffic.

Copying Event Data to the Clipboard


When needed, you can copy event data from the Monitor view's events grid or
Event Details pane to your clipboard. This allows you to paste the data into
another application, such as Microsoft Excel, for comparison or analysis, to share
the data with someone who does not have a Console, or to send to SolarWinds
for technical support. You can copy the data for a single event or for multiple
events.
To copy event data from the events grid:
1. Open the Monitor view.
2. In the Filters pane, click to select the filter you want to work with. The events
grid displays the filter you have selected.
3. In the events grid, click to select the events you want to copy. You can
select multiple events.
4. Click the events grid's gear button and then click Copy. The event data
is now copied to your clipboard (as text), where it can be pasted into another
application.
To copy event data from the Event Details grid:
1. Open the Monitor view.
2. In the Filters pane, click to select the filter you want to work with. The events
grid displays the filter you have selected.
3. In the events grid, click to select the event you want to work with.
4. In the Event Details pane, click to select the rows you want to copy. You
can select multiple events.
5. Click the events grid's gear button and then click Copy. The selected
event details are now copied to your clipboard (as text), where it can be
pasted into another application.

Marking Events as Read and Unread


You may want to mark the events in an event filter as being unread or read. A read
event is one that you have already looked at. An unread event is one you have
not looked at yet. By marking events this way, you can easily track which events
you have already examined.
To mark events as read and unread:
1. Open the Monitor view.
2. In the Filters pane, click to select the filter you want to work with. The events
grid displays the filter you have selected.
3. In the events grid, select the events you want to mark as read or unread.
You can select multiple events. Skip this step if you are going to mark all of
the events as read or unread.
4. Click the events grid's gear button, and then select one of the options
listed in the following table.
Mark Unread
    Select this command to mark the selected events as unread. This means you have
    not looked at them yet. Unread events appear in bold text. When a filter has
    the read/unread feature turned on, any of its events that are captured by other
    filters will appear as unread in those filters, too.
Mark Read
    Select this command to mark the selected events as having been read. Events
    marked as read appear in normal text, rather than bold text.
Mark All Unread
    Select this command to mark all of the events in the active filter as unread.
    This means you have not looked at them yet. Unread events appear in bold text.
Mark All Read
    Select this command to mark all of the events in the active filter as having
    been read. Events marked as read appear in normal text, rather than bold text.
The grid refreshes to show each row's read/unread status.

Removing Events
When needed, you can remove individual events from a filter, or all of the events
from a filter. You may want to do this to clean a filter of historical information that is
no longer important to you.
To remove individual events:
1. Open the Monitor view.
2. In the Filters pane, click to select the filter you want to work with. The events
grid displays the filter you have selected.
3. In the events grid, select the events you want to remove.
4. Click the events grid's gear button, and then click Remove. The selected
events are removed from the grid.
To remove all events:
1. Open the Monitor view.
2. In the Filters pane, click to select the filter you want to work with. The events
grid displays the filter you have selected.
3. Click the events grid's gear button, and then click Remove All. All of the
filter's existing events are removed from the grid. The filter will now show
only new incoming events.

Using the Event Details/Event Description Pane


In the Monitor view, the right half of the lower pane has two different views to
show the properties of the event that is currently selected in the events grid:
• The Event Details view displays detailed information about the event that is
currently selected in the grid. If more than one event is selected, it shows the
properties of the last event to be selected.
• The Event Description view displays a written description of the last event
to be selected in the grid.
You can also use this pane to create a filter based on the selected event, or to
scroll through the contents of the events grid.

88

Chapter 7: Monitor

The Event Details view

The Event Description view

Button

Description
Click this button to create a new filter that captures the currently
selected event type. Upon doing so, the Monitor view opens,
with the new filter open in the events grid. The new filter appears
in the Filters pane, under the last selected filter. If needed, you
can edit the filter so it captures events of an even more specific
nature.
Click these buttons to move up and down among the events in
the event event grid. The pane shows detailed technical
information about each event that is selected. This lets you view
the technical details and written descriptions of each event in the
grid.
Remember, you can also use your keyboard's up () and down
() arrow keys:
l

To cycle through the events in the events grid, click


anywhere in the event event grid. Then use your up and
down arrow keys.
To cycle through the fields in the Event Details pane, click
anywhere in the Event Details grid. Then use your up and
down arrow keys.

89

Event Severity Levels

Button

Description
Click this button to open the panes Event Details view. This
view shows detailed information about each of the selected
event's data fields. The actual fields that appear here vary,
according to the event type that is currently selected. For
example, network-oriented events show fields for IP addresses
and ports. Account-oriented events show account names and
domains.
Click this button to open the panes Event Description view,
which provides a detailed written description of the event type
that is currently selected.
Click the Print button to print this information from either view.

Event Severity Levels


Each event is assigned a number that indicates its severity. The following table
explains each severity level.
Debug
    Designates detailed event information used for debugging by SolarWinds
    engineers.
System Error
    Indicates that part of the system is unusable.
Informational
    Indicates SolarWinds informational messages only.
Normal Audit
    Indicates normal behavior, but could be part of a signature attack.
Normal Notice
    Indicates normal behavior that should be monitored.
Suspicious
    Indicates normal behavior under some circumstances, but should be
    investigated.
Threatening
    Indicates that investigation is needed and possibly an action.
Critical
    Indicates that immediate action is needed.

Chapter 8: Explore
The Console's Explore area has two views:
• The nDepth view contains a powerful search engine that lets you search all
of the event data or the original log messages that pass through a particular
Manager. The log data is stored in real time, as it originally occurs from
each host (network device) and source (application or tool) that is monitored
by the Manager.
nDepth summarizes and displays search results with several different visual
tools that can also be combined into a customizable dashboard. The tools
are intuitive and interactive: you can point and click to view information or
refine your searches. Each graphical tool provides an alternative view of the
same data, so you can examine your data from several perspectives. You
can also view and explore a text-based view of the actual data.
nDepth employs drag-and-drop tools that let you configure simple or even
complex search criteria. You can use these tools to dig deeper into your
findings by adding search conditions, or by appending text to existing
search strings. nDepth also includes a tool called Search Builder that lets
you configure complex search criteria using the same sort of drag-and-drop
interface found in Filter Creation.
• The Utilities view contains several utilities, called explorers. You can think
of this view as a center for investigating events and their details.
Many of the explorers are utilities used for finding out more about event-specific
details, such as looking up IP addresses, domain names, and host
names. The Event explorer lets you view all of the events related to an
event message. It is designed to help you visualize how the event occurred
and the system's response to that event. You can follow the chain of events
that caused the event, and help determine its root cause.

nDepth
nDepth is a powerful search engine that lets you search all of the event data or
the original log messages that pass through a particular Manager. The log data is
stored in real time, as it originally occurs from each host (network device) and
source (application or tool) that is monitored by the Manager. You can use nDepth
to conduct custom searches, investigate your search results with graphical
tools, investigate event data in other explorers, and take action on your findings.

nDepth's Visual Tools


nDepth summarizes and displays search results with several different visual tools
that can also be combined into a customizable dashboard. The tools are intuitive
and interactive: you can point and click to refine your searches. Each graphical
tool provides an alternative view of the same data, so you can examine your data
from several perspectives. You can also view and explore a text-based view of
the actual data.
nDepth employs drag-and-drop tools that let you configure simple or even
complex search criteria. You can use these tools to dig deeper into your findings
by adding search conditions, or by appending text to existing search strings.
nDepth also includes a tool called Search Builder that lets you configure complex
search criteria using the same sort of drag-and-drop interface found in Filter
Creation.

nDepth's Primary Uses

You can use nDepth to do any of the following:
- Search either normalized event data or the original log messages. You can
  also use nDepth to explore log messages that are stored on a separate
  nDepth appliance.
- Intuitively view, explore, and search significant event activity. nDepth
  summarizes event activity with simple visual tools that you can use to easily
  select and investigate areas of interest.
- Use existing filter criteria from the Monitor view to quickly create similar
  searches.
- Create your own custom widgets for the nDepth Dashboard.
- Conduct custom searches. You can also create complex searches with the
  Search Builder, which is a tool that behaves just like the Filter Builder.
- Save and reuse custom searches. Click a saved search at any time to run it
  again.
- Schedule saved searches.
- Export your findings to a printable report in PDF format, or your search
  results to a spreadsheet file in CSV format.
- Use the Explore menu to investigate nDepth search results with other
  explorers.
- Use the Respond menu to take action on any of your findings.

Exploring Events vs. Log Messages


LEM has two data storage areas: one stores the messages from the original
event logs, and one stores the normalized event data that the Console reports in
the Monitor view. You can use nDepth to explore either one of these sources:
- In Events mode, nDepth summarizes and explores your event data. This is
  the normalized data that appears in the Monitor view and is stored in the
  LEM database.
- In Log Messages mode, nDepth summarizes and explores the raw log
  messages that are going into nDepth Log Storage from the original event
  logs. This mode is intended for customers who have specific data analysis
  needs, and who fully understand how to interpret the raw log messages that
  are generated by their network devices and tools.

Note: The virtual appliance must be configured to store log message data. For
more information, see Configuring Your LEM Appliance for Log Message
Storage.
Be aware that data storage is limited. If you have not configured a CMC option for
archiving data, LEM deletes the oldest data to make room for new data.
The topics in this chapter explain how to perform basic searches with nDepth,
how to use nDepth's graphical tools, how to use nDepth with other explorers, and
how to respond to your findings.

Opening nDepth
You can open nDepth several ways. You can open the Explore > nDepth view
directly to conduct custom searches. Or you can open nDepth from an existing
data source, such as an event field or another explorer (NSLookup, Whois,
Traceroute, or Flow), to search for similar events or data.

By default, the nDepth search time frame is the last 10 minutes (the end time is
now, and the start time is 10 minutes ago).

Opening nDepth From Another Data Source


1. Do one of the following:
   - In the Monitor view's event grid, select the event row or field you want
     to explore.
   - In the Event explorer's Event Details pane, event map, or event grid,
     click the item or field you want to explore.
   - In an explorer, select the data source you want to explore.
2. In the Explore menu on the Event grid, click nDepth.

The Explore > nDepth view appears, and the nDepth search box contains
the event or event field you are exploring.
When you initiate an nDepth search from the Monitor view, nDepth
automatically searches all hosts and sources for every instance of the
selected event field that occurred within a ten-minute period around the
event you are exploring. This way, you can identify similar events that
occurred before and after the event you are exploring.
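The pivot described above, modelled in Python as an added example; this is not LEM code and not nDepth's search-string syntax. Normalized events are dicts keyed by the Events mode field names, a tree of nested AND/OR groups stands in for the groups the search bar summarizes, and pivot_from_event searches every host and source for the selected field's value in a ten-minute window around the event. The sample events, the tuple-based condition format, the window being centred on the event, and append_condition ANDing a dragged-in condition onto the existing ones are assumptions of this example.

```python
"""Added example, not LEM code: a model of the nDepth pivot search and of
the search bar's AND/OR condition groups.

Normalized events are dicts keyed by LEM's Events mode field names. The
sample events, the condition format and the window placement are
assumptions of this example."""
from datetime import datetime, timedelta

# Constructed sample of normalized events, as the Monitor view lists them.
EVENTS = [
    {"time": datetime(2015, 9, 1, 10, 0, 5), "Event Name": "UserLogonFailure",
     "User Name": "jsmith", "Detection IP": "10.0.0.5", "Manager": "lem01"},
    {"time": datetime(2015, 9, 1, 10, 2, 40), "Event Name": "UserLogonFailure",
     "User Name": "jsmith", "Detection IP": "10.0.0.7", "Manager": "lem01"},
    {"time": datetime(2015, 9, 1, 10, 4, 10), "Event Name": "UserLogon",
     "User Name": "jsmith", "Detection IP": "10.0.0.9", "Manager": "lem01"},
    {"time": datetime(2015, 9, 1, 10, 4, 50), "Event Name": "UserLogonFailure",
     "User Name": "admin", "Detection IP": "10.0.0.5", "Manager": "lem01"},
    {"time": datetime(2015, 9, 1, 10, 30, 0), "Event Name": "UserLogonFailure",
     "User Name": "jsmith", "Detection IP": "10.0.0.5", "Manager": "lem02"},
]


def matches(event, condition):
    """Evaluate a condition tree against one event.

    A leaf is (field, value) and matches when the event's field equals value.
    A group is ("AND", [...]) or ("OR", [...]) and may nest, like the groups
    the search bar shows as a summary with a ToolTip."""
    head, rest = condition
    if head == "AND":
        return all(matches(event, c) for c in rest)
    if head == "OR":
        return any(matches(event, c) for c in rest)
    return event.get(head) == rest


def search(events, condition, start, end):
    """Run a search over a time frame. Results come back chronologically,
    which is what lets the histogram map bars to pages of results."""
    hits = [e for e in events if start <= e["time"] <= end and matches(e, condition)]
    return sorted(hits, key=lambda e: e["time"])


def append_condition(condition, new_leaf):
    """Model of dragging a string into a non-empty search box: the new
    condition is ANDed onto the existing ones (assumed default operator)."""
    if condition is None:
        return new_leaf
    if condition[0] == "AND":
        return ("AND", list(condition[1]) + [new_leaf])
    return ("AND", [condition, new_leaf])


def pivot_from_event(events, event, field, window=timedelta(minutes=10)):
    """Explore > nDepth from a Monitor-view field: search every host and
    source for that field's value in a ten-minute period around the event.
    The window is centred on the event here (five minutes either side); the
    page says only 'around the event', so the placement is an assumption."""
    half = window / 2
    return search(events, (field, event[field]),
                  event["time"] - half, event["time"] + half)


if __name__ == "__main__":
    # Pivot on the User Name of the second sample event.
    for e in pivot_from_event(EVENTS, EVENTS[1], "User Name"):
        print(e["time"], e["Event Name"], e["Detection IP"], e["Manager"])
```

The pivot deliberately ignores Manager and Detection IP, which is what "all hosts and sources" means in practice: a credential being tried against several hosts shows up as one result set rather than one per host.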
The following table describes the key features of the Explore > nDepth view.

- History button: Alternately hides and opens the History and Saved Searches
  panes.
- History pane: Shows recent Explore activity. This pane is shared between the
  Utilities view and the nDepth view.
- Saved Searches pane: Lists any searches that you have saved. To begin using
  one of these searches, click it to run that search. You can edit, schedule, and
  save changes to your saved searches. You can also save variations on these
  searches as new searches.
- nDepth explorer: Use this window to create and run your searches, and to view,
  explore, and respond to your search results.
- Undo/Redo: Click the Undo button to undo your last action. You can undo up
  to 20 actions. Click the Redo button to redo a step that you have undone. You
  can redo up to 20 actions.
- Respond: Use this menu to initiate a response to a particular event or data
  field.
- Explore: Use this menu to explore a particular data field with another
  explorer.
- Gear button: Click the gear button to do any of the following:
  - Click Save to save any changes to the current search.
  - Click Save As to save the search for later use.
  - Click Schedule to create a scheduled search.
  - Click Delete Schedule to delete a scheduled search.
  - Click Export to export nDepth's current search results to a PDF document.
- Search bar: Use the search bar to:
  - Select the type of data you want to explore: event data (default) or the
    original log messages.
  - Select the mode for configuring searches: drag and drop, or text entry.
  - Configure and select the search's time frame.
  - Run the search.
  - Stop a search that is in progress.
- List pane: The list pane is the accordion list on nDepth's left side. It contains
  categorized lists of items that you can use when configuring search
  conditions. To use a list item as a search condition, double-click it, or drag it
  from the list into the search bar. You can also drag these items into the Search
  Builder to quickly configure complex searches. Two of these lists appear only
  in nDepth:
  - The Refine Fields list categorizes and lists the primary data details that are
    found in your nDepth search results. You can use these details to create,
    refine, or append nDepth searches.
  - The Managers list includes each Manager and appliance that can be used
    with nDepth for searching data.
- Histogram: Shows the number of events or log messages that were reported
  within a particular period. You can expand or reduce this period, as needed.
  You can also zoom in to a period to take a closer look, or zoom out to see
  high-level activity.
- Explorer: Shows different graphical and text-based views of your search
  results, as well as a Dashboard view and the Search Builder. You can click
  items in each graphical view to search for those specific items. The title bar
  states which view is open, and the icon on the title bar indicates which type of
  data you are exploring: one icon means you are exploring event data, and
  another means you are exploring log messages.
- Toolbar: Use to select the nDepth explorer view you want to work in.

Scheduled Saved Searches


Saved searches can be scheduled to run automatically whenever you want.
Scheduled searches can also be shared between users.
To schedule a saved search:
1. Select a saved search from the Saved Searches pane.
2. Click the gear button and select Schedule.
3. Select the Run Search option you want.
4. Select the Start Date of the search.
5. Select the Create an event checkbox.
6. If you want to send email, select the Send email checkbox, and then select
   the recipients from the drop-down list.
7. Click OK.
Note: If the virtual appliance is offline for some time (such as more than a
day or two), the schedules that run when the virtual appliance first
comes back online may not run at the expected time. The schedules run at
the next expected time after the appliance has been back online for a while.

nDepth's Search Bar


You can use the nDepth search bar to search all of the event data or the original
log messages that pass through a particular Manager. You can use the search
bar to perform simple searches and to append basic search strings to existing
searches. You can also use the search bar to configure highly specific or complex
searches; however, this is more easily done with Search Builder. To open Search
Builder, click the search bar. The searches you configure in Search Builder
automatically appear in the search bar.
The following table describes the key features of nDepth's search bar.

- Mode selector: Use this toggle switch to select how you intend to enter the
  search string for your queries:
  - Select Drag & Drop Mode (upper position) to drag items from the list pane
    or the Result Details view directly into the search box. This is the
    recommended position, as it is the easiest to use.
  - Select Text Input Mode (lower position) to type a search string directly in
    the search box. In this mode, the search box also shows the text version
    (or search string) of any search that is being run or configured in Search
    Builder or the Saved Searches pane.
- Search box: This box contains your search conditions. You can enter search
  conditions a number of different ways. Click the delete button next to a
  condition or a group to remove that condition or group from the current search
  configuration.
- AND/OR: The search bar includes AND and OR operators. These operators let
  you define AND and OR relationships between conditions and groups of
  conditions when you have multiple conditions in your search string. Click the
  operator icon to toggle between AND and OR relationships.
- Group summary: When you have a group of conditions, the search bar displays
  the conditions as a summary. To see the actual conditions, point to them. A
  ToolTip appears that shows each condition in the group.
- Delete All: Click this button to delete the entire contents of the search box, so
  you can begin a new search.
- Search/Stop: Click this button to begin a search, or to stop a search that is in
  progress. If the search button turns red, the current search configuration is
  invalid. Click the stop button to stop a search that is in progress.
- Time selector: In the time selector, select a time frame for the search. If
  needed, you can create your own custom time frame.
- Data selector: Use this toggle switch to choose the data you want nDepth to
  explore:
  - Select Events (left position) to search LEM's normalized event data. This is
    the event data that appears in the Monitor view.
  - Select Log Messages (right position) to search the actual log entries that
    are recorded in your network products' log files. If [...] Events position.

nDepth Explorer Toolbar

nDepth explorer toolbar

The following table describes the function of each option on the nDepth explorer
toolbar. Each option provides a different view of the data from nDepth's most
recent search.

- Dashboard: Opens the nDepth Dashboard. This is nDepth's default view. It
  shows each nDepth view of the current search data as a small widget. You can
  minimize and maximize each widget, as needed. You can also edit the chart
  widgets to change their appearance.*
- Word Cloud: Opens the Word Cloud, which shows keyword phrases that appear
  in your event data. Phrases appear in a size and color that relates to their
  frequency. You can filter this view to zero in on a range of activity. You can
  also click a phrase to create or append a search based on that phrase.
- Tree Map: Opens the Tree Map, which shows the items that appear most often
  in the data as a series of categorized boxes. The box categories correspond
  with the data categories found in the Refine Fields list. The size of a box
  within each category is associated with its relative frequency. The more often
  an item occurs, the larger its box appears. If a box is small, you can point to it
  to open a ToolTip that shows its contents. You can also click a box to create or
  append a search based on that item.
- Bar Charts: Opens the Bar Charts* view, which is a group of widgets that shows
  your most frequent data items as a series of bar charts. The size of each bar
  corresponds with the item's relative frequency. The more often an item occurs,
  the larger its bar appears. You can point to a bar to show information about it.
  You can also click a bar to create or append a search based on that item.
- Line Charts: Opens the Line Charts* view, which is a group of widgets that
  shows your most frequent data items as a series of line graphs. The height of
  a point on the graph corresponds with the item's relative frequency. The more
  often an item occurs, the higher the point appears on the graph. You can point
  to an item on the graph to show information about it. You can also click a point
  on the graph to create or append a search based on that item.
- Pie Charts: Opens the Pie Charts* view, which is a group of widgets that shows
  your most frequent data items as a series of pie charts. The size of each pie
  wedge corresponds with the item's relative frequency. The more often an item
  occurs, the larger its wedge appears. You can point to a wedge to show
  information about it. You can also click a wedge to create or append a search
  based on that item.
- Bubble Charts: Opens the Bubble Charts* view, which is a group of widgets
  that shows your most frequent data items as a series of circles or "bubbles."
  The size of each bubble corresponds with the item's relative frequency. The
  more often an item occurs, the larger its bubble appears. You can point to a
  bubble to show information about it. You can also click a bubble to create or
  append a search based on that item.
- Result Details: Opens the Result Details view, which is a text-based view of
  all of the data you are investigating. This view also supports nDepth's search
  capabilities by letting you create or refine searches by dragging and dropping
  search strings from the data into the search box.
- Search Builder: Opens nDepth's Search Builder, which is a graphical interface
  used to create and refine complex searches. You can drag items from nDepth's
  list pane directly into Search Builder's Conditions box to quickly configure
  complex searches. With a few minor differences, Search Builder behaves just
  like the Filter Creation tool.

*In any explorer view, if a particular chart configuration does not logically apply to
the data you are exploring, that chart is disabled.

nDepth's History Pane


Each nDepth explorer search adds an item to the Explore view's History pane.
The item's icon shows what was searched: one icon represents a search of event
data, and another represents a search of original log messages. Pointing to
the item's history icon also displays the number of search results and the text of
your search string.

A new search always adds a history item. If you click an earlier history item, the
system takes you back to that search; it does not make a new item. As soon as
you change something in nDepth and perform a new search, that search
becomes a new history item.

Using the nDepth Histogram


nDepth's histogram shows the number of events or log messages that were
reported within the search's time frame. nDepth returns search results
chronologically, so you can use the histogram to investigate a particular interval,
to move the search period, to zoom in to a period to take a closer look, or to zoom
out to see high-level activity.

nDepth's histogram summarizes event activity within a particular period. This
histogram is for a search of the last 10 minutes of event activity. The bright zone
shows the period that is currently being reported. The gray zones show activity
outside of the reported period.

This example shows the histogram for a search that covers a recent 10-minute
period of activity. For this search, the bottom time bar is divided into one-minute
intervals. The bar above that is divided into half-minute (30-second) intervals. The
histogram displays a separate bar for each 30-second interval.

Histogram Features
The histogram has the following features:
- The title bar shows the total number of events that were reported by the
  search, as well as the search's time frame.
- The gray zones preview results that are outside the search's time frame.
- Each vertical bar in the histogram shows the total number of events that
  happened within the corresponding period.
- Time is provided in 24-hour (military) time.
- Pointing to a bar shows the total number of events in that interval.
- Clicking a bar opens a pop-up window that shows a histogram for that bar's
  interval. Depending on the range of the search's time frame, these intervals
  can be as short as 5 seconds. Pointing to a bar in the pop-up shows the total
  number of events that occurred in that interval.
- When you are in the Result Details view, the histogram shows two dashed
  vertical lines. These lines are markers that indicate where you are in the
  histogram for each page of the search results. The lines show the times of
  the first and last event on the current Result Details page.
  By default, the pointer shows the time of the first result on the page. If you
  select an event in the Result Details box, the pointer shows the time of that
  event.
  For example, if you are looking at the search results for events number 1-200,
  the left line shows the time of event number 1, and the right line shows the
  time of event number 200. If you click event number 150, the pointer shows
  the time that event occurred.

Searching the Activity Associated with a Particular Histogram Bar


You can use the histogram to search the event activity associated with a
particular vertical bar in the histogram.
To search activity for a bar:
- In the histogram, double-click a vertical bar. nDepth automatically refines the
  search and refreshes the data to show only the events from the time frame
  associated with that bar.

Moving the Search Period


You can use the nDepth histogram to move the search period to an earlier or later
start time. For example, say you run a search for a 30 minute time frame. This
procedure lets you search the data for the same period (still 30 minutes), but from
a different starting point (maybe with a starting point of 2 hours ago).
To move the search period:
1. Point to the histogram's time bar. A slider appears. You can use this slider to
   move the same search period to an earlier or later starting point. For
   example, if the search period is 10 minutes, this slider moves that 10-minute
   period to an earlier or later starting point.
2. Drag the slider to move the search's period:
   - Drag the slider to the left to move the period to an earlier starting point.
   - Drag the slider to the right to move the period to a later starting point.
   As you move the slider, a ToolTip displays the period's midpoint time.
3. Click the search button to run the search for the new time frame. nDepth
   automatically refines the search and refreshes the data to show only the
   events from the new time frame. Moving the period automatically changes the
   search bar's time selector to Custom.
4. If desired, click Undo to restore the previous time frame.


Changing the Period's Start and End Time


You can use the nDepth histogram to change the search period by changing its
start time and end time. For example, say you run a search for a 30 minute period.
This procedure lets you expand the time frame (say to 40 minutes) or reduce the
time frame (say to 23 minutes).
To change a period's start or end time:
1. Point to anywhere on the histogram's vertical bars. Two sliders appear
   between the active time and the gray zones. You can use these sliders to
   expand or reduce the search time frame by changing its start time or end
   time.
2. Drag the sliders to change the search's time frame:
   - Drag the left slider to change the time frame's start time. When you
     release the slider, a ToolTip shows the new start time.
   - Drag the right slider to change the time frame's end time. When you
     release the slider, a ToolTip shows the new end time.
3. Click the search button to run the search for the new time frame. nDepth
   automatically refines the search and refreshes the data to show only the
   events from the new time frame. Changing the time frame automatically
   changes the search bar's time selector to Custom.
4. If desired, click Undo to restore the previous time frame.
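The histogram behaviour described in the sections above (30-second bars over a 10-minute window, drilling into one bar at a finer interval, the dashed page markers, moving the period, and changing its start and end), modelled in Python as an added example; it is not LEM code. The timestamps are constructed, the 5-second drill-down interval follows the page, and the bucket boundaries (start inclusive, end exclusive) and the 200-result page size in page_markers are assumptions.

```python
"""Added example, not LEM code: a model of the nDepth histogram.

Buckets event timestamps into fixed intervals over the search window,
drills into one bar at a finer interval, moves the window, changes its
start or end, and locates a Result Details page on the histogram. All
timestamps are constructed for this example."""
from datetime import datetime, timedelta

START = datetime(2015, 9, 1, 10, 0, 0)      # a search of the last 10 minutes
END = START + timedelta(minutes=10)

# Constructed event times: one early event, a burst between 10:03:00 and
# 10:03:30, one event in the last bar, and two just outside the window
# (those fall in the gray zones and are not counted).
TIMES = [
    START - timedelta(seconds=1),
    START + timedelta(seconds=10),
    START + timedelta(minutes=3, seconds=5),
    START + timedelta(minutes=3, seconds=10),
    START + timedelta(minutes=3, seconds=20),
    START + timedelta(minutes=3, seconds=27),
    START + timedelta(minutes=9, seconds=59),
    END,
]


def bucket_counts(times, start, end, interval):
    """Count events per interval; start is inclusive, end exclusive (assumed)."""
    bars = int((end - start) / interval)
    counts = [0] * bars
    for t in times:
        if start <= t < end:
            counts[int((t - start) / interval)] += 1
    return counts


def histogram(times, start, end, interval=timedelta(seconds=30)):
    """Return (total in the window, one count per bar): the title-bar total
    and the vertical bars."""
    counts = bucket_counts(times, start, end, interval)
    return sum(counts), counts


def drill_into_bar(times, start, bar, interval=timedelta(seconds=30),
                   sub_interval=timedelta(seconds=5)):
    """Double-clicking a bar narrows the search to that bar's interval; the
    pop-up histogram uses finer bars, down to 5 seconds."""
    bar_start = start + bar * interval
    bar_end = bar_start + interval
    return bar_start, bar_end, bucket_counts(times, bar_start, bar_end, sub_interval)


def move_period(start, end, offset):
    """The time-bar slider: same length, earlier (negative) or later start."""
    return start + offset, end + offset


def resize_period(start, end, new_start=None, new_end=None):
    """The sliders at the edges of the bright zone: change start and/or end."""
    start = new_start if new_start is not None else start
    end = new_end if new_end is not None else end
    if end <= start:
        raise ValueError("end time must be after start time")
    return start, end


def page_markers(times, start, end, page, page_size=200):
    """Times of the first and last result on a Result Details page, which is
    where the two dashed lines sit. Results are chronological."""
    hits = sorted(t for t in times if start <= t < end)
    page_hits = hits[(page - 1) * page_size:page * page_size]
    return (page_hits[0], page_hits[-1]) if page_hits else None


def render(counts, width=40):
    """Text rendering of the bars, for running this example from a shell."""
    peak = max(counts) or 1
    return ["%3d %s" % (c, "#" * (c * width // peak)) for c in counts]


if __name__ == "__main__":
    total, counts = histogram(TIMES, START, END)
    print("%d events between %s and %s" % (total, START.time(), END.time()))
    print("\n".join(render(counts)))
    bar_start, bar_end, sub = drill_into_bar(TIMES, START, 6)
    print("bar 6 (%s to %s) by 5 s: %s" % (bar_start.time(), bar_end.time(), sub))
```

The burst sits in bar 6 (10:03:00 to 10:03:30); drilling into it with 5-second sub-bars separates the four events that the 30-second bar lumps together, which is the kind of timing detail that distinguishes a scripted credential spray from a user retyping a password.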

Using Result Details


Whenever you use nDepth, you can view the actual data the graphical views are
based on by opening the Result Details view. Result Details is a text-based
view of all of the data you are investigating. However, Result Details also
supports nDepth's search capabilities, by letting you create or refine searches by
dragging and dropping search strings from the search data into nDepth's search
box.
You can use Result Details in Events mode to view and search the normalized
event data found in the Monitor view, or in Log Messages mode to view and
search the original log message data that is collected and stored on the LEM (or
some other dedicated nDepth appliance, as applicable).
You can use nDepth's search results to refine your nDepth searches, to explore
event details with other explorers, or to initiate an active response to event details.
The following topics describe the key features of the Result Details view, as well
as how to perform the primary tasks associated with this view.

Interpreting Search Results in Events Mode


In Events mode, you can use nDepth to search all of the normalized event data
that is reported in the Monitor view. This data always comes from LEM.
The following table explains how to interpret search results in Events mode.

- Event number: The number to the far left is a counter for each event that is
  reported in the nDepth search results. Each event gets its own number. Each
  row represents a different event. To make viewing easier, each event appears
  with an alternating gray or white background. The number of events that
  appear depends entirely on your search conditions.
- Date and time stamp: The time and date the event occurred.
- Event name: The name of the event that occurred.
- Event details: The rest of the information in the box is made up of event
  details. You can select these details to refine your nDepth search, to explore
  them with other explorers, or to respond to them with an active response.

Interpreting Search Results in Log Messages Mode


In Log Messages mode, you can use nDepth to search all of the original log
messages that pass through a particular network appliance (or host).

nDepth Result Details view, showing original log message data

The following table explains how to interpret search results in Log Messages
mode.

- Event number: The number to the far left is a counter for each log message
  (or event) that is reported in the nDepth search results. Each event gets its
  own number. Each row represents a different event. To make viewing easier,
  each event appears with an alternating gray or white background. The number
  of events that appear depends entirely on your search conditions.
- Date and time stamp: The time and date the event occurred.
- Log message: The first line of the event displays the actual log message that
  matched your search criteria.
- Host: The network device the message came from (that is, the Manager or
  appliance that is storing the message).
- ToolId: The actual product or tool that generated the message.
- ToolType: SolarWinds' tool category for the tool that generated the message.
Note: Tool IDs and Tool Types match SolarWinds' tool configuration categories.

Adding Search Strings from Result Details


When using the Result Details view, use the following procedures to highlight
and select character strings, and to create new search conditions from the data.

Selecting data
- Highlight a continuous character string: Point to the character string.
- Select a continuous character string: Point to the character string to highlight
  it, then click to select it. Upon selecting a character string, an orange box
  surrounds the string. In addition, every matching character string in the
  search results becomes selected, too.
- Select a phrase (two or more character strings separated by spaces): Click the
  first character in the string, then drag across the string to select the rest of
  it. Upon selecting the phrase, an orange box surrounds it, and every matching
  character string in the search results becomes selected, too.
- Select a data row: Click the row's event number (the far left column of the
  row). When the row is selected, an orange highlight bar appears to the left of
  the row.

Creating search conditions from Result Details data
- Clear the search box to add a new search condition:
  1. On the search bar, click the Delete All button to clear the search box.
  2. Add a new search condition by using any of the techniques in this table.
- Add a search condition from Result Details data: Select a character string in
  the data, then double-click the selected string to add it to the search box. Or
  select a character string in the data, then drag it into the search box.
- Copy and paste a character string from Result Details data into the search
  box:
  1. Change the search bar to Text Input Mode.
  2. Select a character string in the data.
  3. Press Ctrl+C to copy the search string.
  4. Click the search box, and then press Ctrl+V to paste the character string
     in the text box.
- Type a search string in the search box:
  1. Change the search bar to Text Input Mode.
  2. Type the search string directly in the search box.
- Add conditions to an existing search:
  1. In the data, select the character string you want to append to the existing
     search conditions.
  2. Double-click the selected string, or drag the string into the search box. In
     either case, your selection is appended to the existing conditions.

Using Explorers with Result Details


You can use nDepth's Result Details view to access other explorers. This lets
you use other explorers to investigate specific details that you find in your
nDepth search results.
- You can select specific values and pass them into the value-based
  explorers, such as Whois, NSLookup, and Traceroute. For example, you
  could investigate a suspicious IP address with these explorers to learn more
  about that IP address.
- When you are viewing data in Events mode, each row in the search results
  represents the data for an individual event. You can select the row for an
  event you want to explore, and then pass the row into the Event Explorer to
  explore that event.

To explore details in search results:
1. In the Result Details view, select the item you want to explore:
   - Select the character string you want to investigate. When selected
     properly, the character string is surrounded by an orange box.
   - If you are viewing data in Events mode, you can select the row that
     you want to explore in the Event Explorer. When you select a row, an
     orange highlight bar appears to the left of the row.
2. In the Explore menu, select the explorer you want to use.
   The Explore > Utilities view appears, and the system passes the selected
   data to the explorer you selected.
3. Click Search or Analyze, as applicable, to explore the string.

Responding to Result Details


As with other explorers, you can respond to any item that is reported in nDepth's
search results. If you see something unusual, you may want to take some kind of
corrective action. For example, you could send a user account a popup message,
or block a hostile IP address. Use the following procedure to initiate a response or
corrective action to a particular event or event detail.
To respond to a search result:
1. In the Result Details view, select the character string you want to respond
   to. When selected properly, the character string is surrounded by an orange
   box.
2. In the Respond menu, select which response you want to take.
   If nDepth is in Events mode, the event or the selected text appears in the
   Respond form.
3. Complete the Respond form, as applicable for the response.

Exporting Result Details Data to a Spreadsheet


Use the following procedure to export your nDepth search results to a
spreadsheet. This lets you open, view, manipulate, and analyze your data in a
spreadsheet application, such as Microsoft Excel. Spreadsheets are saved in
comma-separated values (.csv) format.
To export nDepth search results to a spreadsheet:
1. In nDepth, run the search you want to export.
2. Open the Result Details view.
3. Click the gear icon and then click Export to CSV. The Save Data As form
   appears.
4. Select the folder in which you want to save the file.
5. In the File name box, type a name for the file, if you want one different from
   the default name given.
6. Click Save. The Console exports the data to a .csv file in the folder you
   selected. To stop this operation, you can click Cancel at any time before the
   data export is complete. Once exported, you can open the file in a
   spreadsheet application.

Common nDepth Data Fields


These categories frequently appear in the Refine Fields list, the Tree Map view,
and the Result Details view.

Common Data Fields Categories in Events Mode


This table describes the data fields that are most commonly seen when working
with event data. The fields are listed here alphabetically.

- Detection IP: The network node that is the originating source of the event
  data. This is usually a Manager or an Agent and is the same as the Insertion
  IP field, but it can also be a network device such as a firewall or an intrusion
  detection system that sends log data over a remote logging protocol.
- Event Name: The name of the event.
- Inference Rule: The name of the correlation rule that caused the event. The
  Inference Rule field is generally blank, but in cases where the event was
  related to a rule, it displays the rule name.
- Insertion IP: The Manager or Agent that first created the event. This is the
  source that first read the log data from a file or other source.
- IP Address: The IP address associated with the event. This is a composite
  field, drawn from several different event fields. It shows all the IP addresses
  that appear in the event data.
- Manager: The name of the Manager that received the event. For data
  generated from an Agent, this is the Manager the Agent is connected to.
- Provider SID: A unique identifier for the original data. Generally, the Provider
  SID field includes information that can be used to research the event in the
  originating network device vendor's documentation.
- Severity: The severity (0-7) of the event.
- Tool Alias: The Alias Name entered when configuring the tool on the Manager
  or Agent.
- User Name: The user name associated with the event. This is a composite
  field, drawn from several different event fields. It shows all the places that
  user names appear in the event data.

Common Data Field Categories in Log Messages Mode


This table describes the data fields that are most commonly seen when working
with log messages. The fields are listed here alphabetically.

Host: The node the log message came from (that is, the LEM or Agent that
collected the message for forwarding to nDepth).

HostFromData: The originating network device (if different than the node) that
the message came from. Normally, Host and HostFromData are the same, but in
the case of a remote logging device (such as a firewall) this field reports the
original remote device's address.

ToolId: The actual tool that generated the log message.

ToolType: Tool category for the tool that generated the log message.

Using the Word Cloud

nDepth's Word Cloud. You can use the sliders on the lower bar to filter the items
shown in the Word Cloud.


nDepth's Word Cloud summarizes your event activity by showing the top 100
keyword phrases that appear in your event messages. Phrases appear in a size
and color that relates to their frequency:

- Phrases that appear in warmer colors (red, orange, and yellow) and in
larger print represent the phrases that occur most frequently. You can think
of these as your "hot" items.
- Phrases that appear in cooler colors (green and blue) and in smaller print
are those that occur with the least frequency. You can think of them as
"cool" items. Cool items may still be important; they just occur far less
frequently than "hot" items.

Opening the Word Cloud

On the nDepth toolbar, click the Word Cloud icon.

Viewing Statistics in the Word Cloud


The Word Cloud includes statistics about each item that is listed in the cloud.
To see statistics:

- Point to a phrase in the Word Cloud. A ToolTip appears showing the keyword
phrase, its count (the number of times it occurs in the reported period), and
its percentage. The percentage is based on the phrase's relative frequency,
compared to the other reported phrases.

Filtering the Contents of the Word Cloud


There are two horizontal bars at the bottom of the Word Cloud:

- The top bar is a color gradient that goes from red (hot) to blue (cool).
These colors correspond with the colors of the phrases shown in the Word Cloud.
- The lower bar controls which parts of the gradient the Word Cloud is allowed
to show. You can use this bar to filter the Word Cloud so that it only shows
the section of the gradient you want to see. By default, the Word Cloud shows
everything associated with the entire gradient: all items that are hot, cool,
and in between.



By default, the Word Cloud displays the top 100 phrases, and the sliders are
automatically adjusted to this width. If you manually adjust the sliders, nDepth
remembers the left position and automatically adjusts the right position so the
Word Cloud displays up to 100 phrases between the left and right positions. If all
100 phrases can be shown within the positions you've selected, the sliders will
stay in place.
Slider settings are remembered with each Word Cloud. This means you can
create Word Clouds for the Dashboard that are adjusted differently from the
primary Word Cloud view.
To filter the contents of the Word Cloud:

- To hide hot items, drag the lower bar's left-hand slider to the right.
- To hide cool items, drag the lower bar's right-hand slider to the left.
- To restore the Word Cloud, drag the sliders back to their far-left and
far-right positions.
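As an added example (not code from the LEM guide), the following Python models the Word Cloud behaviour described above: phrase counts, the count and percentage shown in the ToolTip, the top-100 cap, and hiding hot or cool items by moving the sliders. Phrases are approximated as two-word runs and the red-to-blue gradient position is derived from frequency rank; both are assumptions, as are the constructed sample messages.

```python
from collections import Counter
from typing import Dict, Iterable, List

TOP_N = 100  # the Word Cloud shows at most the top 100 keyword phrases

# Constructed sample event messages (not real LEM data).
SAMPLE_MESSAGES = [
    "Logon failure for user alice from 10.0.0.5",
    "Logon failure for user bob from 10.0.0.7",
    "Logon failure for user alice from 10.0.0.5",
    "Logon success for user carol from 10.0.0.9",
    "Firewall drop from 203.0.113.4 to 10.0.0.1",
]


def phrase_counts(messages: Iterable[str], phrase_len: int = 2) -> Counter:
    """Count keyword phrases across messages.

    Assumption: a "keyword phrase" is any run of phrase_len consecutive words;
    nDepth's own phrase extraction is not described in the guide.
    """
    counts: Counter = Counter()
    for msg in messages:
        words = msg.lower().split()
        for i in range(len(words) - phrase_len + 1):
            counts[" ".join(words[i:i + phrase_len])] += 1
    return counts


def word_cloud(counts: Counter, top_n: int = TOP_N) -> List[Dict]:
    """Rank phrases from hot to cool and attach the ToolTip statistics.

    The percentage is the phrase's frequency relative to the other *reported*
    phrases, not to every phrase seen. "position" places the phrase on the
    red (0.0) to blue (1.0) gradient by rank (assumption: rank-based mapping).
    """
    top = counts.most_common(top_n)
    if not top:
        return []
    total = sum(count for _, count in top)
    span = max(len(top) - 1, 1)
    return [
        {
            "phrase": phrase,
            "count": count,
            "percent": round(100.0 * count / total, 1),
            "position": rank / span,
        }
        for rank, (phrase, count) in enumerate(top)
    ]


def filter_cloud(cloud: List[Dict], left: float = 0.0, right: float = 1.0,
                 top_n: int = TOP_N) -> List[Dict]:
    """Apply the lower bar's sliders.

    Dragging the left slider right (raising `left`) hides hot items; dragging
    the right slider left (lowering `right`) hides cool items. At most top_n
    phrases are shown between the two positions.
    """
    if not 0.0 <= left <= right <= 1.0:
        raise ValueError("slider positions must satisfy 0 <= left <= right <= 1")
    kept = [item for item in cloud if left <= item["position"] <= right]
    return kept[:top_n]


def tooltip(item: Dict) -> str:
    """Text shown when pointing to a phrase: phrase, count, and percentage."""
    return f'{item["phrase"]}: {item["count"]} ({item["percent"]}%)'


if __name__ == "__main__":
    cloud = word_cloud(phrase_counts(SAMPLE_MESSAGES))
    # Show only the hotter half of the gradient, as if the right slider were
    # dragged to the middle of the bar.
    for item in filter_cloud(cloud, left=0.0, right=0.5):
        print(tooltip(item))
```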

Exploring Items in the Word Cloud


You can use the Word Cloud to explore a particular phrase, by using it as the
basis for a new search, or to append it to an existing search.
To explore an item in the Word Cloud:
1. In the Word Cloud, click the phrase you want to explore. The phrase
appears in the search bar.
2. On the search bar, click the search button. After a moment, nDepth
refreshes to show the results associated with your search.


Using the Tree Map

nDepth's Tree Map


The items that appear in nDepth's Tree Map view are the same Source Files data
field categories and values listed in the Refine Fields list (at the top of the
list pane).

- When you are working with events, the Tree Map organizes itself into
categories based on common event data fields. Most categories correspond
with actual event fields, as they appear in the Monitor view.
- When you are working with log messages, the Tree Map organizes itself into
categories based on common log message data fields.

Note: Some data categories may not always be present. If there is no event
activity associated with a particular data category or field, it will not appear in the
Tree Map.
The size of each box corresponds with the relative frequency of its occurrence. So
the more often a detail occurs, the larger its box appears.
Click to select an item from the Tree Map as a search condition. If a box is too
small to show its contents, point to it to open a ToolTip that shows its contents.

Opening the Tree Map


On the nDepth toolbar, click the Tree Map icon.

Resizing Tree Map Categories


Use the following procedures to resize a category box in the Tree Map. By
default, the size of each box is associated with the relative frequency of its
occurrence.
To maximize a category:

- Click the maximize icon on the box's toolbar.

Note: Even when maximized, a Tree Map category can show very small items
within it. Don't forget, if a box is too small to show its contents, you can
point to it to open a ToolTip that shows its contents.
To restore a category to its proportional size:

- Click the restore icon on the box's toolbar.

Exploring items in the Tree Map


You can use the Tree Map to explore a particular item, by using that item as the
basis for a new search, or to append an existing search.
To explore an item in the Tree Map:
1. In the Tree Map, click the item you want to explore. A search string for that
item appears in the search bar.
2. On the search bar, click the search button. After a moment, nDepth
refreshes to show the results associated with your search.

Using nDepth widgets


nDepth comes with a series of commonly used widgets. These widgets behave
very much like the widgets in the Ops Center. Each widget represents a
high-level graphical view of the specific network activity associated with your
nDepth search results. It shows the primary items that are generating that
activity, as well as the count (or number of incidents) for each item.


A typical nDepth widget


You can use nDepth's explorer views to create new widgets, change the look of
existing widgets, add widgets to the nDepth Dashboard, and remove widgets you
no longer use.

Default nDepth Chart Widgets


On the widget toolbar, click the refresh button. The widget refreshes to show
the latest data from your network.

nDepth Explorer and Widget Icons


The following table briefly describes the function of each icon you will find on
nDepth explorer views and widgets.

Add to Dashboard (view): From a main nDepth view (such as Word Cloud, Tree
View, or Result Details), this button adds the view to the nDepth Dashboard as
a widget. From the nDepth explorer toolbar, you can point to a chart view and
then click this button to add a specific chart widget to the nDepth Dashboard.

New Widget: Adds a new widget to the current chart view.

Add to Dashboard (widget): This button adds the widget to the nDepth
Dashboard. This button only appears on widgets in their various chart views.

Refresh: Refreshes the widget so it displays the latest data. This button is
only enabled when the chart properties have changed. If you edit a chart's
configuration, the Console does not have the data to draw the chart until you
refresh its data.

Edit: Opens the nDepth Widget Builder so you can edit or reconfigure the
widget.

Minimize: Minimizes the widget so it appears as a title bar at the bottom of
the view. To restore the widget, scroll down to the bottom of the view, and
then click the widget's title bar.

Maximize: Toggles the widget between being its normal size and being
maximized to fill the current view.

Delete: Deletes the widget from the view. Once deleted, the widget cannot be
restored; you must re-create it.

Viewing a widget's details

To view a widget's details, just click or point to an item on the widget


nDepth widgets behave a lot like widgets in the Ops Center. To view a widget's
details, point to that widget, or click an item on that widget to view details
and statistics about that item, as in the pie chart widget shown here.


Creating a search string from a widget item


You can use items in widgets, or any of nDepth's graphical tools, to create new
search strings, or to append existing search strings.
To create a new search string from a widget:
1. On the search bar, click the delete button to delete the existing search
string.
2. Click an item on a widget. A new search string associated with the widget
item appears in the search box.
To append an existing search string with an item from a widget:

- Click an item on a widget. In the search box, a new search string
associated with the widget item is appended to the existing search string.

Adding new nDepth Widgets


Use this procedure to add new widgets to the nDepth explorer's Bar Charts,
Line Charts, Pie Charts, or Bubble Charts views.
To add new nDepth widgets:
1. Open the Explore > nDepth view.
2. Use the nDepth explorer toolbar to open the chart view you want to work
with: Bar Charts, Line Charts, Pie Charts, or Bubble Charts.
The corresponding view appears. On the view's title bar, click the New Widget
icon. The nDepth Widget Builder appears.
3. Complete the nDepth Widget Builder to configure the new widget.
4. The new widget appears at the bottom of the chart view. When configuring
the widget, if you chose the Save to Dashboard option, the new widget
also appears at the bottom of the nDepth Dashboard.

Editing nDepth Widgets


When needed, you can edit the configuration of any of the chart widgets. You can
edit widgets from the Dashboard or from any of the chart views.
To edit a chart widget:
1. Open the Explore > nDepth view.
2. Use the nDepth explorer toolbar to open the Dashboard or the chart view
you want to work with.
The corresponding view appears. On the widget you want to edit, click the
Edit icon. The nDepth Widget Builder appears.
3. Use the nDepth Widget Builder to reconfigure the widget.
4. The updated widget appears at the bottom of the view. When configuring
the widget, if you chose the Save to Dashboard option, the new widget
also appears at the bottom of the nDepth Dashboard.
5. Click the refresh button to get the data for the widget's new
configuration, so the Console can draw the chart.

Adding a Chart Widget to the nDepth Dashboard


At any time, you can add a chart widget to the nDepth Dashboard.
To add a widget to the nDepth Dashboard from a chart view:
1. Open the Explore > nDepth view.
2. Use the nDepth explorer toolbar to open the chart view you want to work
with.
3. In the view, locate the chart widget you want to add to the Dashboard.
4. On the widget, click the Add to Dashboard button.
The widget is copied to the bottom of the nDepth Dashboard.

Adding a main nDepth view to the nDepth Dashboard


Use this procedure to add a main nDepth view (such as Word Cloud, Tree View,
or Result Details) to the nDepth Dashboard. These views are there by default; but
if you ever remove them from the Dashboard, you can use this procedure to
restore them.
To add a main nDepth view to the Dashboard:
1. Open the Explore > nDepth view.
2. On the nDepth explorer toolbar, click the view you want to add to the
Dashboard.
3. On the view's title bar, click the gear icon, and then click Add to
Dashboard.
4. The view now appears as a widget at the bottom of the nDepth Dashboard.

Using Search Builder


Use Search Builder whenever you need to create complex search queries.
Search Builder is a visual tool that is used in conjunction with the options in
nDepth's list pane. The list pane lets you choose which elements you want to
incorporate in your search, such as events, event fields, specific event values,
Tool Profiles, User-Defined Groups, constants, etc. You then create the search by
selecting the conditions you want to search for, and then dragging and dropping
those items into Search Builder's Conditions box.
For example, if you want to search for activity among your Admin Accounts, you
don't have to type a search with a long list of account names. Instead, you can just
drag the appropriate User-Defined Group or Directory Service Group into the
Conditions box.
Search Builder lets you group search items, show AND/OR relationships
between search items, select specific values for search items, and select the
appropriate operators for specific values.


Opening Search Builder


1. Open the Explore > nDepth view.
2. On the nDepth explorer toolbar, click the Search Builder icon.

Switching from the Search Bar to Search Builder


You can open Search Builder directly from the nDepth search bar by
double-clicking it. This is handy if you have a complex search and the search
box shows only a summary of the search, because it lets you open Search Builder
to see the search's complete configuration. Search Builder always shows the
configuration of the search that is currently in the search bar.


The search bar and the Search Builder show different views of the same search
configuration
To switch from the search bar to Search Builder:

- Double-click the search bar. Search Builder appears, showing the
configuration of the search that is in the search bar.

Search Builder features


This topic shows the main features of Search Builder.


Search Builder
The following table describes each of the main features of Search Builder.

Undo/Redo: Click the Undo button to undo your last action. You can undo up to
50 steps. Click the Redo button to redo a step that you have undone. You can
redo up to 50 steps.

Search bar: The search box shows the current state of the search you are
building. If you have a complex search, the search box shows its configuration
as a "summary." If you want to view the complete text of the search, switch the
search bar to Text Input Mode, which shows the current search configuration as
a search string.

List pane: This accordion pane is called the list pane. It contains categorized
lists of the events, event groups, event variables, groups, profiles, and
constants that you can use when creating conditions for your filters. Two of
the lists apply only to nDepth:

- The Refine Fields list summarizes all of the primary event details from
your search results. Rather than typing this information as a search string,
it is much easier (and less prone to error) to drag this information from the
Refine Fields list into the search box.
- The Managers list includes each Manager and appliance that can be used with
nDepth for searching data.

Histogram pane: Use the histogram to investigate a particular interval, to move
the period, to zoom in to a period to take a closer look, or zoom out to see
high-level activity. After configuring the search, click the search button to
begin the search.

Conditions box: Use this box to define the conditions for the data that is to
be reported by the filter. You configure conditions by dragging items from the
list pane into the Conditions box. For more information,

Add Group button: This is the Add Group button. It appears at the top of every
group box. Click it to create a new group within the group box. A group within
a group is called a nested group. Each group is subject to AND and OR
relationships with the groups around it and within it. By default, new groups
appear with AND comparisons.

Delete button: This is the Delete button. It appears at the top of every group
box. When you point to a condition, it also appears next to that condition.
Click this button to delete a condition or a group. Deleting a group also
deletes any groups that are nested within that group.

Group: Individual groups (and the entire Conditions box) can be expanded or
collapsed to show or hide their settings:

- Click > to expand a collapsed group.
- Click the collapse icon to collapse an expanded group. The number that
appears in parentheses indicates how many conditions are contained in the
group.

Once a group is properly configured, you may want to collapse it to avoid
accidentally changing it.

AND / OR: The Conditions box includes AND and OR operators, so you can include
AND and OR relationships between your search conditions. Click the operator
icon to toggle between AND and OR conditions.

Configuring a Search with Search Builder


Use this basic procedure whenever you need to configure a search with Search
Builder. The number of possibilities is endless, but they all follow this basic
procedure.
Feel free to experiment with these tools. Searches report information, so there is
no harm done if you create searches that are unusual or have logic problems.
With a little practice, you will be able to configure complex searches that report
exactly the data you want.
To configure a search with Search Builder:
1. Open Search Builder.
2. In the list pane, locate the item you want to search for.


3. Do one of the following:

- Drag the item from the list pane into the Conditions box.
- Double-click the item to add it to the Conditions box.

Note: By default, the Conditions box includes a "this item exists" condition.
To use it, type or paste the search string you want to search for into the text
box. Or you can replace this condition by dragging an item from the list pane
on top of it.
4. If the list item contains a variable field (such as a field for an IP address, a
constant value, or an empty text box), type the specific value you want to
search for.
Note: Search Builder will show you if a particular configuration is invalid. If
a condition field is yellow (left), it means the search's current configuration is
invalid. If a condition field is red (right), it means the condition does not
apply to the type of data you are currently searching. For example, perhaps
you are trying to search log messages with conditions that are meant for
event data.

A yellow condition field means the search configuration is invalid. A red
condition means the search configuration does not apply to the type of data
you are searching.

5. Click the Add Group button to create new groups, as needed.
6. Repeat Steps 2 and 3, dragging new items into the appropriate group
boxes, as needed.
7. Select the appropriate AND and OR operators for each group to configure
the search to your needs.
8. When you are satisfied with the search conditions, click the search button
to run the search.
You can click the stop button at any time to stop a search that is in progress.

After a few moments, nDepth returns the search results. To see the search
results, do one of the following:

- Select an option from the nDepth explorer toolbar to view a graphical
version of the search results.
- Open the Refine Fields list to see a categorized summary of the search data.
- Open the Result Details view to examine and explore the actual data.
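To make the group semantics concrete, here is an added Python example (not code from the LEM guide): it models the Conditions box as nested AND/OR groups, runs a search against constructed sample events using the common data fields listed earlier in this chapter, and reproduces the yellow (invalid configuration) and red (condition does not apply to the data type) checks. The operator set, the composite-field mapping, and the sample events are assumptions.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, List, Tuple, Union

# Field names from the Common Data Fields tables earlier in this chapter.
# Assumption: these sets stand in for nDepth's full event and log-message
# field lists.
EVENT_FIELDS = {"Event Name", "Detection IP", "Inference Rule", "Insertion IP",
                "IP Address", "Manager", "Provider SID", "Severity", "Tool Alias",
                "User Name"}
LOG_FIELDS = {"Host", "HostFromData", "ToolId", "ToolType"}

# IP Address and User Name are composite fields drawn from several event fields.
# Assumption: the guide does not list which fields feed them; these are illustrative.
COMPOSITE = {
    "IP Address": ("Detection IP", "Insertion IP", "Source IP", "Destination IP"),
    "User Name": ("Source User", "Destination User"),
}


@dataclass
class Condition:
    """One condition in the Conditions box; "exists" is the default condition."""
    name: str
    op: str = "exists"   # one of: exists, =, contains, >=
    value: Any = None

    def matches(self, record: Dict[str, Any]) -> bool:
        # A composite field matches if any of its underlying fields matches.
        values = [record[f] for f in COMPOSITE.get(self.name, (self.name,)) if f in record]
        if self.op == "exists":
            return bool(values)
        if self.op == "=":
            return any(v == self.value for v in values)
        if self.op == "contains":
            return any(str(self.value).lower() in str(v).lower() for v in values)
        if self.op == ">=":
            return any(int(v) >= int(self.value) for v in values)
        raise ValueError(f"unknown operator {self.op!r}")


@dataclass
class Group:
    """A group box. New groups default to AND; a group inside a group is nested."""
    op: str = "AND"
    items: List[Union[Condition, "Group"]] = field(default_factory=list)

    def toggle(self) -> "Group":
        """Clicking the operator icon toggles the group between AND and OR."""
        self.op = "OR" if self.op == "AND" else "AND"
        return self

    def matches(self, record: Dict[str, Any]) -> bool:
        results = (item.matches(record) for item in self.items)
        return all(results) if self.op == "AND" else any(results)


def validate(group: Group, mode: str) -> List[Tuple[str, str]]:
    """Mirror Search Builder's colouring of condition fields.

    yellow: the condition is incomplete, so the search configuration is invalid.
    red:    the condition's field does not apply to the data being searched
            (for example, an event field used while searching log messages).
    """
    allowed = EVENT_FIELDS if mode == "events" else LOG_FIELDS
    problems: List[Tuple[str, str]] = []
    for item in group.items:
        if isinstance(item, Group):
            problems.extend(validate(item, mode))
        elif item.op != "exists" and item.value is None:
            problems.append((item.name, "yellow"))
        elif item.name not in allowed:
            problems.append((item.name, "red"))
    return problems


def run_search(group: Group, records: List[Dict[str, Any]],
               mode: str = "events") -> List[Dict[str, Any]]:
    """Refuse to run a search with yellow or red conditions; otherwise filter."""
    problems = validate(group, mode)
    if problems:
        raise ValueError(f"search is not runnable: {problems}")
    return [r for r in records if group.matches(r)]


# Constructed sample events (not real LEM data).
SAMPLE_EVENTS = [
    {"Event Name": "UserLogonFailure", "Source User": "alice", "Severity": 3,
     "Detection IP": "10.0.0.5", "Insertion IP": "10.0.0.5"},
    {"Event Name": "UserLogon", "Destination User": "bob", "Severity": 5,
     "Detection IP": "10.0.0.7", "Insertion IP": "10.0.0.7"},
    {"Event Name": "FirewallDrop", "Source IP": "203.0.113.4", "Severity": 7,
     "Detection IP": "10.0.0.1", "Insertion IP": "10.0.0.5"},
    {"Event Name": "UserLogonFailure", "Source User": "carol", "Severity": 2,
     "Detection IP": "10.0.0.9", "Insertion IP": "10.0.0.9"},
]

# Logon events where EITHER the user is alice OR the severity is at least 5:
# an AND group containing one condition and a nested OR group.
SAMPLE_SEARCH = Group("AND", [
    Condition("Event Name", "contains", "Logon"),
    Group("OR", [Condition("User Name", "=", "alice"),
                 Condition("Severity", ">=", 5)]),
])

if __name__ == "__main__":
    for event in run_search(SAMPLE_SEARCH, SAMPLE_EVENTS):
        print(event["Event Name"], event.get("Source User") or event.get("Destination User"))
    print(validate(SAMPLE_SEARCH, "log messages"))  # every field is red in log mode
```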

Utilities
The following table describes the key features of the Explore > Utilities view.

History pane: The History pane displays a record of your explorer viewing
history. Selecting an item in the history list displays the corresponding
explorer event in the Explorer pane. Click the History button to alternately
show and hide the History pane. When needed, you can delete individual history
items from the history list. The Reset button lets you remove all items from
the history list.

Utilities pane: The Utilities pane shows the explorers that are currently open.
You can have multiple explorers open at the same time.

Cascade button: This button arranges the open explorer windows so they appear
in an organized cascade. Their title bars are all visible, but the windows are
all stacked, one on top of another. The active explorer is at the front of the
stack.

Respond menu: This menu lets you take action to respond to the event or event
field that is the subject of the active explorer. You can also use the Respond
menu to take action even when no explorer windows are open or active. This
menu behaves exactly as it does in the Monitor view's event grid.

Explore menu: This menu contains options to open the other explorers. You can
use it to further explore the event message or event field that is the subject
of the active explorer. Or you can open a blank explorer to manually enter the
item you want to explore.

Explorer windows: The explorers you are working with appear as individual
windows within the Utilities pane. You can minimize, resize, and close each
explorer window, as needed.

Minimized explorers: Any explorers that you have minimized appear at the bottom
of the Utilities pane as a title bar. Click a title bar to reopen that explorer.

< and > buttons: Beginning from the active explorer window, you can use these
buttons to cycle through the other open explorer windows. Click < to go to the
previous window. Click > to go to the next window.

Explorer Types
The Console contains the following explorers.

Event: The Event explorer, which can only be opened from the Monitor view,
allows you to view all of the events that are related to the event that is
currently selected in the Console. The Event explorer displays both sequential
and concurrent events. That is, you can view the events that occurred before,
during, and after the event occurred. You can also monitor events in real time,
to see where they came from and where they are going. Use this explorer when
you need to know what caused the rule to fire.

Whois: The Whois explorer identifies the source of an IP address or domain name
based on how it is registered with domain and network authorities. It can tell
you where something is located physically in the world, and who actually owns
the device you're searching for. For example, use this explorer if you need to
know who owns a domain that corresponds to the IP that caused that rule to fire.

NSLookup: The NSLookup explorer resolves IP addresses to host names, and host
names to IP addresses. Use this explorer to determine more information about a
source or destination IP address. For example, use this explorer when you need
to know a name that corresponds to the IP address that caused the rule to fire
(it resolves a name like SolarWinds.com to an IP address).

Traceroute: The Traceroute explorer traces the network links from your host
computer to the destination you specify. That is, it shows you the hops between
your computer and the IP address of the destination. For example, use this
explorer to determine the network connections between yourself and an IP that
caused the rule to fire.

Flow explorer: The Flow explorer lets you perform flow analysis to determine
which IP addresses or ports are generating or receiving the most network
traffic. You can also analyze the volume of data (in bytes or packets) that is
transferring to or from a given IP address or port number on your network. The
explorer reports this information in easy-to-read graphs and tables.
For example, if you see a strange IP address at the top of the Flow explorer's
activity list, you can select the desired bar on the graph or a row in the
table, and then choose the Whois explorer from the Explore menu to find out
what that IP address is and why it is transmitting so much data.

nDepth: nDepth is a powerful search engine that lets you search all of the
event data or the original log messages that pass through a particular Manager.
The log data is stored in real time, as it originally occurs from each host
(network device) and source (application or tool) that is monitored by the
Manager.

Both Explore views have a Respond menu and an Explore menu that you can
use with any of the explorers:

- The Respond menu lets you take corrective action on an event or other
information presented in an explorer, such as shutting down a workstation
when you see a problem reported in the Console.
- The Explore menu lets you use any of the other explorers to investigate a
particular event, event detail, nDepth search result, or other explorer
finding.

NSLookup Explorer
The NSLookup explorer is a network utility that is designed to resolve IP
addresses to host names, and host names to IP addresses. Use this explorer
whenever you need to know a name that corresponds to the IP address that
caused the rule to fire. For example, it resolves a name like SolarWinds.com to
an IP address.

In the example shown here, we opened the NSLookup explorer for an event field
that has an IP address of 192.168.168.10 (which appears in the Search field).
The explorer retrieved the corresponding host name, which is
grendel.corp.SolarWinds.com.
Opening the NSLookup explorer adds an item to the Explore view's History
pane. The new item has an NSLookup explorer icon.

Traceroute Explorer
The Traceroute explorer is a network utility that is designed to trace the network
links from your host computer to the destination you specify. Use this explorer
whenever you need to determine the network connections between yourself and
the IP address that caused the rule to fire.

In the example shown here, we used the Traceroute explorer on the IP address of
192.168.167.1. It shows you the hops between your computer and that IP
address. In this example, connecting to that IP address required two hops.
Opening the Traceroute explorer adds an item to the Explore view's History
pane. The new item has a Traceroute explorer icon.

Whois Explorer
The Whois explorer is a network utility that is designed to identify the source of an
IP address or domain name based on how it is registered with domain and
network authorities. This explorer contacts the central databases for IP addresses
and domain names and returns the results of any of your searches. It can tell you
where something is located physically in the world, and who actually owns the
device you're searching for. For example, use this explorer if you need to know
who owns a domain that corresponds to the IP address that caused a rule to fire.

The example on the left shows the results for an IP address. The example on the
right shows the results for the SolarWinds domain name, SolarWinds.com. From
these, you can find out who owns the IP address and where the server is hosted.
Opening the Whois explorer adds an item to the Explore view's History pane.
The new item has a Whois explorer icon.

Manually Exploring an Item


At any time, you can manually explore an IP address, host name, or domain
name. To do this, open a new, empty explorer, or type directly into the
Search box of an explorer that is already open.


Chapter 9: Build
The Build menu contains three views: Groups, Rules, and Users. Use these
views to configure the related components on the LEM appliance. Since these
components reside on the appliance, they are universal and available to all
console users from any computer. The sections in this chapter address the
features of each Build view in detail.

Groups
The Build > Groups view is used to create, name, configure, and organize groups
of parameters. You may then choose from these Groups when configuring filters
(in Filter Creation) and rules (in Rule Creation) to include or exclude the specific
elements defined within each Group.
Each Group you create only applies to the Manager that is selected when you
create the Group. If you need a similar Group for another Manager, you must
create it separately with that other Manager; or you must export the Group, and
then import it from the other Manager's Groups grid.

Group types
You can use the Build > Groups view to create any of the Groups listed in the
following table.

Event Groups: Event Groups are custom families of events that you can save as
a Group. You can then associate the Event Group with your rules and filters.
For example, you might create an Event Group made up of similar events that
all need to trigger the same response from the Console. When you apply the
Event Group to a rule, the Console implements the same rule when any one of
the events in the Group occurs.

Directory Service: If you use a directory service, such as Active Directory,
you can connect LEM to the server that stores your existing directory service
(DS) Groups. Once connected, you can synchronize your DS Groups with LEM and
apply them to your rules and filters. DS Groups allow you to match, include, or
exclude events to specific users or computers, based on their DS Group
membership.
In most cases, DS Groups are used in rules and filters as a type of white list
or blacklist for choosing which users or computers to include or to ignore.
When used by a filter, a DS Group lets you limit the scope of the events
included in the filter to those users or computers that have membership in a
particular Group.

Email Template: Email Templates allow you to create pre-formatted email
messages that your rules can use to notify you of an event.

State Variables: State Variables are used in rules. They represent temporary or
transitional states. For example, you can create a State Variable to track the
state of a particular system, setting it to a different value depending on
whether the system comes online or goes offline.

Time of Day Sets: Time of Day Sets are specific groups of hours that you can
associate with rules and filters. Time of Day Sets allow them to take different
actions at different times of day.
For example, if you define two different Time of Day Sets for Working Hours and
Outside Working Hours, you can assign different rules to each of these Time of
Day Sets. For instance, you may want a rule that automatically shuts down the
offending computer and alerts your system administrator via email.

Connector Profiles: Connector Profiles are groups of Agents that have common
connector configurations. Most Agents in a network have only a few different
network security connector configurations. Connector Profiles allow you to
group Agents by their common connector configurations. You can then have your
rules and filters include or exclude the Agents associated with a particular
profile.

User-Defined Groups: User-Defined Groups are groups of preferences that are
used in rules and filters. They allow you to match, include, or exclude events,
information, or data fields based on their membership in a particular Group.
In most cases, User-Defined Groups are used in rules and filters as a type of
white list or blacklist for choosing which events to include or to ignore.

Groups View Features


The topics in this section describe the key features of the Groups view, including
its major sections, the meaning of its grid columns, and how to refine its grid.
The following table describes the meaning of each column in the Groups grid.

Gear button: The gear button in each row opens a menu of commands that you
can perform on the item that is currently selected in the grid. It has commands
for editing, cloning, exporting, and deleting the selected Group.

Type: Displays the type of the Group: Connector Profile, User-Defined Group,
Time of Day Set, etc.

Name: Displays the name of the Group.

Description: Displays a description of the Group. Pointing to this field
displays the complete description as a ToolTip.

Created By: Displays the name of the Console user who created the Group.

Created Date: Displays the date the Group was created.

Modified By: Displays the name of the Console user who last modified the
Group.

Modified Date: Displays the date on which the Group was last modified.

Manager: Displays the name of the Manager the Group is associated with.

Refining the Groups Grid

By default, the Groups grid shows every Group associated with each Manager the Console is connected to. If the same Group is configured for more than one Manager, it appears in the grid multiple times, once for each Manager it is associated with. To help you work more efficiently with a long list of Groups, the Refine Results pane lets you apply filters to the Groups grid to reduce the number of Groups it shows.

When you select options in the Refine Results pane, the grid refreshes to show only those items that match the refinement options you have selected. The other items in the grid are still there; however, they are hidden. To restore them, click the Reset button or select All in the refinement lists you are using.

The following table explains how to use the Refine Results form.

Reset: Click Reset to return the form and the Groups grid to their default settings.

Search: Use this field to perform keyword searches for specific Groups. To search, type the text you want to search for in the text box. The grid displays only those Groups that match or include the text you entered.

Type: Select the type of the Group you want to work with (Connector Profile, User-Defined Group, Time of Day Set, etc.) to have the grid display only Groups of that type.

Manager: Select a Manager to have the grid display only the Groups that are associated with that Manager.

Created By: Select the name of the Console user who created the Group to have the grid display only Groups from that user.

Created Date Range: Type or select a date range to have the grid display only Groups that were created on or within that date range.

Modified By: Select the name of the Console user who last modified the Group to have the grid display only Groups modified by that user.

Modified Date Range: Type or select a date range to have the grid display only Groups that were modified on or within that date range.

Rules

The Console's Build > Rules view is used to create, configure, and manage your rules. Rules are used to monitor and respond to event traffic. They allow you to automatically notify or respond to security events in real time, whether you are monitoring the Console or not. When an event (or a series of events) meets a rule's conditions, the rule automatically prompts the Manager to take action, such as notifying the appropriate users, or performing a particular active response (such as blocking the IP address or stopping a particular process).

The Console ships with a set of pre-configured rules that you can begin using immediately. However, you can use the view's Rule Creation connector to create your own custom rules and your own variations on any existing rules.

Rules View Features

This topic describes the key features of the Rules view and the Rules grid, and explains how to refine the Rules grid.

Rules Grid Columns

The Rules grid contains all policy rules that are configured for all Managers that are connected to the Console. The Manager column indicates which Manager each rule applies to.

By default, the view shows the rules from the Custom Rules folder in the Folders pane. If you do not have any custom rules, click the Rules folder to list the rules that the Console ships with.

The following table describes the meaning of each column in the Rules grid. Columns are listed in their default order, from left to right.

Gear button: The gear button in each row opens a menu of commands that you can perform on the item that is currently selected in the grid. These commands let you edit, enable, disable, test, clone, and delete the selected rule.

Enabled: Indicates whether or not the rule is enabled and ready for use with your policies. The status icon shows either that the rule is enabled and in active use, or that it is disabled and not in use.

Test: Indicates whether or not the rule is in test mode. When a rule is in test mode, it causes events to appear in the Console, but it cannot perform any active responses. This lets you see how the rule would behave when it is fully enabled, but without risking any negative unintended consequences. The status icon shows whether the rule is in test mode or not. Note: A rule must be Enabled before you can test it.

Name: The name of the rule.

Description: A description of the rule. Pointing to this field displays the complete description as a ToolTip.

Folder: The name of the folder (in the Folders pane) in which the rule is stored.

Created By: The name of the Console user who created the rule.

Created Date: The date the rule was created.

Modified By: The name of the Console user who last modified the rule.

Modified Date: The date and time on which the rule was last modified.

Manager: The Manager the rule is associated with.

Refine Results Form

You can use the Refine Results form to refine the Rules grid. The form behaves like a search engine, letting you apply filters to the Rules grid to reduce the number of rules it shows.

When you select options in the Refine Results pane, the grid refreshes to show only those items that match the refinement options you have selected. The other items in the grid are still there; however, they are hidden. To restore them, click the Reset button or select All in the refinement lists you are using.

The following table explains how to use the Refine Results form.

Reset: Click Reset to clear the form. This returns the form and the Rules grid to their default settings.

Search: Use this Search field to perform keyword searches for specific rules. To search, type the text you want to search for in the text box. The grid displays only those rules whose Name fields match or include the text you entered.

Enabled: Select this check box to show only those rules that are Enabled. Clear this check box to show both Enabled and Disabled rules.

Test: Select this check box to show only those rules that are in test mode. Clear this check box to show rules that are both in and out of test mode.

Manager: Select a Manager to have the grid display only the rules that are associated with that Manager.

Created By: Select the name of the Console user who created the rule to have the grid display only rules created by that user.

Created Date Range: Type or select a date range to have the grid display only rules that were created within that date range.

Modified By: Select the name of the Console user who last modified the rule to have the grid display only rules modified by that user.

Modified Date Range: Type or select the begin and end dates of a range to have the grid display only rules that were modified on or within that date range.

The connectors in Rule Creation are very similar to those found in Filter Creation. However, filters report event occurrences; rules act on them. There is no harm if you create a filter that is unusual or has logic problems, but this is not always the case with rules. Rules can have unexpected and sometimes unpleasant consequences if they are not configured exactly as you intend them to be.

Inexperienced users should use caution when creating rules. Creating filters is an excellent way to familiarize yourself with the logic and connectors needed to create well-crafted rules. You should only begin configuring rules after you are at ease with configuring filters. Even then, always test your rules before implementing them.

Rule Categories and Tags

Rule Categories & Tags is the list of default rule categories and tags. To make rules easier to find and categorize, rules that apply to multiple purposes appear in more than one category and/or tag.

- There is a default set of Rule Categories & Tags, and you can also create your own custom ones. New rule categories and tags that you create can be added to or removed from your list of categories/tags at any time.
- Activity Types, Authentication, Change Management, Compliance, Devices, Endpoint Monitoring, IT Operations, and Security are the available pre-defined categories.
- Rule templates have been separated into their own view and categorized into all of the appropriate categories and tags, making them much easier to find and use.

Rule Tagging

The Rule Tagging feature allows you to add, change, or remove tags from existing or newly created rules. Rules may have several different categories and tags. If you have a rule that you want to appear in several different category locations, you can use the tag feature to have it display in those locations.

To tag a rule:
1. Select an existing Rule Template or create a new Rule.
2. Click the Add Tags... link.
3. Select the categories and tags. There are many default tags, or you can create a custom tag to suit your needs.
4. Click OK.

Users

The Users view is used to manage the system users who are associated with each Manager. By adding email addresses for each user, the Console can notify users of event conditions by email.

The topics in this section describe the key features of the Users view, the meaning of each column in the Users grid, and how to refine the Users grid.

Users View Features

The following table describes the key features of the Users view.

Refine Results: This form behaves like a search engine. It lets you apply filters to the Users grid to reduce the number of users it shows.

Users grid: The Users grid displays all of the system users who are associated with each Manager throughout your network.

Add button: Click this button to add a new user.

User Information: This pane displays detailed information about the user who is currently selected in the grid, including the user's role, password information, and contact information. When editing a user, the User Information pane turns into an editable form.

Users Grid Columns

By default, the Users grid shows all users who are configured for all Managers that are monitored by the Console. However, you can use the Refine Results form to refine the grid's contents.

Gear button: Opens a menu of commands for the selected user.
- Use the Edit command to edit the user's settings and contact information.
- Use the Delete command to delete the user.

Status: Indicates if the user is currently logged on to the Console. The status icon shows whether the user is logged on or not.

User Name: Displays the name the user uses to log on to the Manager.

First Name: Displays the user's first name.

Last Name: Displays the user's last name.

Role: Displays the user role that has been assigned to the user.

Description: Displays a brief description of the user's job function or responsibility.

Manager: States which Manager the user is associated with.

Last Login: States the date and time the user last logged on to the system.

Refining the Users Grid

By default, the Users grid shows all users for all Managers. The Refine Results form behaves like a search engine, letting you apply filters to the grid to reduce the number of users it shows.

Reset: Click Reset to return the form and the Users grid to their default settings.

Manager: Select the Manager you want to work with. By default, the grid displays All Managers.

Role: Select the user role you want to work with. By default, the grid displays All roles.

Last Login Date Range: Type or select the begin and end dates of a range to display the users who have logged in within that date range.

Viewing a User's System Privileges

After selecting a user role, you can use the View Role button to view the system privileges that are associated with the user's assigned role.

To view a user's system privileges:
1. Open the Build > Users view.
2. In the Users grid, double-click the user you want to work with. Below the grid, the User Information pane displays the user's current settings.
3. Click the View Role button. The Privileges form appears, showing the user's system privileges for his or her assigned role. This information is provided here for reference purposes and cannot be changed.
4. When you are finished viewing the role's privileges, click Close to return to the Console.

Chapter 10: Manage

The Manage > Appliances view (also called the Appliances view) is used to add, configure, and maintain each virtual appliance that is associated with and monitored by the LEM system. The term appliances is used here as a generic term that includes:
- Managers
- Database servers
- Logging servers
- Network sensors
- nDepth servers

The Appliances view is primarily concerned with Managers, even though other appliances may appear in your appliance list. Once a Manager is in place, you can use this view to do the following:
- Use the Console to connect to and disconnect from a particular Manager.
- Add a Manager's Agents.
- Configure rules, policies, and network security connectors that apply to each Manager.

Note: Commands in the Appliances view can take a while to execute, because they must remotely access the Manager or network appliance.

When using multiple Managers, always use a unique hostname for each Manager. Doing this helps ensure proper event flow and Console function. SolarWinds recommends giving each Manager its own unique name before adding it to LEM.

Appliances View Features

This topic describes the key features of the Appliances view, the Details pane, the Appliances grid, and its Status icons.

The following table describes the key features of the Manage > Appliances view.

Appliances grid: This grid lists all of the Managers and other network appliances LEM is monitoring. Use this grid to add, configure, or remove appliances; to configure Manager connectors and Manager policy; and to connect to and disconnect from Managers.

Add button: Click this button to add a new Manager or network appliance to the Console.

Gear button: Click the gear button at the top of the grid to access commands applicable to multiple selections in the grid and other commands not requiring a grid selection.

Copy button: Click this button to copy the grid's information about your Managers to the clipboard, so you can paste it elsewhere, such as Microsoft Excel for analysis or the Remote Agent Installer for updates.

Appliances Grid Columns

The following table briefly describes the meaning of each column in the Manage > Appliances view's Appliances grid.

Gear button: Opens a menu of commands you can perform on the selected appliance, such as: Login, Logout, Configure, Connectors (for connecting products to the appliance), Policy (for assigning event distribution policy), and Delete. The Login, Logout, Connectors, and Policy options apply only when you have a Manager selected. If you have a Manager selected but are not connected, only the Login, Configure, and Delete commands are available.

Status: Exhibits the appliance's current connection status: Connected/Logged In or Disconnected/Logged Off.

Icon: Differentiates between multiple Managers in the nDepth view.

Name: Shows the name of the Manager or the appliance.

Type: Describes the type of appliance as one of the following:
- Manager
- Database
- Logging Server
- Network Sensor

Version: Provides the version of the LEM Manager software.

Platform: Displays the Manager platform name. The platform is one of the following: Trigeo SIM, VMware vSphere, or Microsoft Hyper-V.

IP Address: States the Manager's or the appliance's IP address.

Port: Shows the port number the Console is using to communicate with the Manager, the network appliance, or the database.

Connectors Update Enabled: Indicates whether the appliance connectors have been configured for automatic updates. If the icon is green, LEM is already set up to automatically update whenever SolarWinds updates a connector. If the icon is gray, automatic connector updates are inactive and must be turned on before connectors update automatically.

User: For Managers, this column displays the user name that is currently logged on to that Manager.

To automatically apply connector updates and manually apply individual connector updates, use the Connector Updates menu at the top right of the Appliances grid.

Details Pane

The Details pane displays essential information about an appliance, such as its name, connection status, and IP address.

To view an appliance's details:
1. Open the Manage > Appliances view.
2. If needed, log into the Manager you want to work with.
3. In the Appliances grid, click to select the Manager or appliance you want to work with.
4. If the Details/Properties pane is not already open, click the open pane button at the bottom of the window.

The Details pane displays information about the Manager or appliance you have selected.

Platform: Displays the name of the Manager platform, which can be Trigeo SIM, VMware vSphere, or Microsoft Hyper-V.

CPU Reservation: Shows how much CPU capacity has been reserved. Reserving CPU capacity ensures enough resources are available for the allocated CPUs.

Number of CPUs: Exhibits the number of CPUs actually allocated to this Manager.

Memory Allocation: Provides the amount of memory allocated to the Manager.

Memory Reservation: Indicates how much memory has been reserved for this system. Reserving memory ensures enough system memory is available when it is needed.

Status: Shows the Manager's or the appliance's current connection status.

Name: Displays the Manager's or the appliance's name.

Type: Indicates the appliance type, which is either Manager, Database Server, nDepth, Logging Server, or Network Sensor.

Version: Shows the version of the Manager software.

IP Address: Displays the Manager's or the appliance's IP address.

Port: Exhibits the port number the Console uses to communicate with the Manager or the appliance.

Configuring a Manager's Properties

In the Properties pane, use the Properties form to configure Managers. It records the Manager's configuration settings, such as its login options, Agent licenses, password settings, and its ability to automatically send software updates to Agents.

Note: LEM uses the Properties form only for Managers. The Properties pane is disabled for other types of appliances.

To configure a Manager's properties:
1. At the top of the Console, click Manage > Appliances.
2. In the Appliances grid, click to select the Manager you want to work with.
3. If the Details/Properties pane is not already open, click the open pane button at the bottom of the window.
4. Complete the Properties form. The following sections describe how to complete each tab.

The Properties form automatically refreshes to show changes occurring to the Manager since you opened the form. This ensures that you are looking at the most current information.

The Login Tab

The Login tab has two main uses:
- If the Login on console startup option is checked, the system uses this data to automatically connect to the Manager whenever the Console is opened.
- If you manually log in to a Manager from the Appliances grid, the system uses this data to connect to the Manager so you don't have to complete the login dialog box.

Use the following table to complete the Properties pane's Login tab.

Username: Type your user name for logging into LEM.

Password: Type your password for logging into the Manager.

Login on console startup: Select this check box to have LEM automatically log you into the Manager upon opening the LEM Console. If you prefer to log on manually, clear this check box.

Save Credentials: Select this check box to have the Console save the Manager's user name and password locally. The Console can then automatically provide them whenever you log on to a Manager.
- If you also select the Login on console startup check box, the Console will automatically log on to the Manager whenever the Console is started.
- If the Login on console startup check box is not selected, then the Console automatically supplies the user name and password whenever you manually log on to the Manager.

Reconnect on disconnection: Select this check box to have the Console automatically attempt to reconnect with the Manager if the Manager becomes disconnected.

Try to reconnect every xx seconds: Type the number of seconds the Console is to wait before attempting a new connection with the Manager.

Timeout reconnection attempts after xx tries: Select this check box to have the Console quit its reconnection attempts with the Manager after a given number of tries, if the previous connection attempts have been unsuccessful. Then type the number of tries the Console is to attempt to reconnect with the Manager before giving up.

Save: Click Save to save the configuration settings.

Cancel: Click Cancel to discard any configuration settings you may have entered since the last time you saved.

The License Tab

The License tab summarizes your available and allocated licenses. It is also used to activate your SolarWinds LEM license.

The following table explains the License tab's remaining reference information.

Total Nodes: Displays the total number of nodes allowed by your SolarWinds LEM license.

Total Unused Nodes: Displays the number of nodes that have not yet been allocated.

Total Agent Nodes: Displays the number of nodes that have been allocated to LEM Agent devices such as workstations or servers.

Total Non-Agent Nodes: Displays the number of nodes that have been allocated to non-Agent devices such as firewalls or switches.

Maintenance Expiration Date: Displays the date your current maintenance contract with SolarWinds Support expires.

For more information on activating your SolarWinds LEM license, see "Going from evaluation to production" in the SolarWinds Log & Event Manager Quick Start Guide.

License Recycling

Each time a VM desktop is created, an Agent connects to LEM and a license is used. This continues to happen as desktops are created and destroyed, eventually causing all licenses to be used up. License recycling allows you to collect and reuse licenses from nodes that have not sent an event to the LEM Manager within a specified amount of time.

To enable license recycling:
1. Select the Enable license recycling check box.
2. Select a defined time frame from the options shown for when to recycle a license if a node has not sent an event.
3. Select when you would like the system to check for recyclable licenses.
4. Select the nodes to be checked.

The Settings Tab

The Settings tab defines the Manager's password policy settings and global automatic update settings. Global automatic updates allow the Manager to automatically send software updates to Agents as new software becomes available.

Use the following table to complete the Properties pane's Settings tab.

Password Policy

Minimum Password Length: Type or select the minimum number of characters that must be used in passwords for user accounts that connect to the Console and its Managers. Passwords must have at least six characters, but no more than 40 characters.

Must meet complexity requirements: Select this check box if passwords must meet the following complexity requirements:
- Passwords must not match or contain part of the user's user name.
- Passwords must be at least six characters long.
- Passwords must contain characters from three of the following four categories:
  - English uppercase characters (A through Z).
  - English lowercase characters (a through z).
  - Base 10 digits (0 through 9).
  - Non-alphanumeric characters (!, $, #, %, ^, etc.).

Remote Updates

Enable Global Automatic Updates: This check box indicates whether or not the Manager can automatically update its Agents with new software.
- Select this check box to have the Manager automatically issue the latest software updates to qualifying Agents as they become available.
- If this check box is not selected, then global automatic updates for this Manager are Disabled. This means its Agents will not automatically receive new software updates from the Manager.
Note that each Agent is also controlled by its Automatic Update setting on the Agents grid. The Agent's Automatic Updates setting will not work if you do not also select this Enable Global Automatic Updates check box. Here is how it works: if you do not select this check box, but you have an Agent set to automatically receive updates, nothing will happen; the Agent will not receive its updates. But if you do select this check box and you have an Agent set to automatically update, the Agent will automatically receive updates when they become available.

Maximum Concurrent Updates: Select how many Agents the Manager can update at one time. The default value is 10. If the number of Agents that require updates is greater than the value you have entered here, the remaining Agents will be queued for updating as soon as an update slot becomes available.

Explorer Command Agent

Current Default Agent: Select the default Agent for performing SolarWinds explorer functions, such as NSLookup and Whois. For best results, choose an Agent that is normally online and will return the expected results.

Connection Requests

Minutes: Set the value for the amount of time before a timeout request is initiated.

Seconds: Set the value for the amount of time before a timeout request is initiated.

SolarWinds Improvement Program

Email Address: Enter your email address.

Send usage statistics to SolarWinds to help us improve our products: Select this check box to send statistics to SolarWinds.

Threat Intelligence

Allow LEM to detect threats based on list of bad IP addresses: This check box is active by default. Threat intelligence identifies events as threats by matching events' IP information against a list of known bad IP addresses. Click the video icon to view the corresponding tutorial, which offers more information on threat intelligence feed functionality.

Only administrators have the permissions required to turn the threat intelligence feed off and on. Disabling and re-enabling the threat intelligence feed forces a threat intelligence update and creates an InternalAudit event. Restarting LEM also forces the threat intelligence feed to update.
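The Password Policy rules from the Settings tab above, written out as a checker in Python. This is an added example, not SolarWinds code: it assumes the Minimum Password Length value is passed in as min_len (the page allows 6 to 40), reads "contain part of the user's user name" as any three consecutive characters of the user name appearing in the password (the page does not define it), and treats printable ASCII punctuation as the non-alphanumeric category.

```python
"""Check a password against the LEM Settings tab password policy.

Added example, not SolarWinds code. Assumptions: min_len is the Minimum
Password Length setting (6 to 40 per the page); "part of the user name"
means a run of three or more consecutive user-name characters; and
non-alphanumeric means printable ASCII punctuation.
"""
import string

MIN_SETTING = 6          # Minimum Password Length may not be set below 6
MAX_SETTING = 40         # nor above 40
COMPLEXITY_MIN_LEN = 6   # complexity rule: at least six characters
REQUIRED_CATEGORIES = 3  # characters from three of the four categories


def validate_min_length_setting(min_len):
    """Reject a Minimum Password Length value the Settings tab would not accept."""
    if not MIN_SETTING <= min_len <= MAX_SETTING:
        raise ValueError(
            f"Minimum Password Length must be {MIN_SETTING}-{MAX_SETTING}, got {min_len}")
    return min_len


def character_categories(password):
    """Return the set of categories (upper, lower, digit, symbol) present."""
    categories = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            categories.add("upper")
        elif ch in string.ascii_lowercase:
            categories.add("lower")
        elif ch in string.digits:
            categories.add("digit")
        elif ch in string.punctuation:
            categories.add("symbol")
    return categories


def contains_part_of_username(password, username, min_run=3):
    """True if the password equals the user name or contains a run of
    min_run consecutive user-name characters (case-insensitive).
    The run length is an assumption; the page does not define "part"."""
    pw, user = password.lower(), username.lower()
    if pw == user:
        return True
    for start in range(len(user) - min_run + 1):
        if user[start:start + min_run] in pw:
            return True
    return False


def check_password(password, username, min_len=MIN_SETTING, complexity=True):
    """Return the list of policy rules the password violates.

    An empty list means the password satisfies the Manager's policy:
    Minimum Password Length, plus the complexity rules when
    "Must meet complexity requirements" is selected.
    """
    validate_min_length_setting(min_len)
    required_len = max(min_len, COMPLEXITY_MIN_LEN) if complexity else min_len
    problems = []
    if len(password) < required_len:
        problems.append(f"shorter than {required_len} characters")
    if complexity:
        if contains_part_of_username(password, username):
            problems.append("matches or contains part of the user name")
        if len(character_categories(password)) < REQUIRED_CATEGORIES:
            problems.append("fewer than three of the four character categories")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not from the page.
    for candidate in ("Tr0ub4dor!", "password", "Jsmith2024!", "Ab1!"):
        print(candidate, "->", check_password(candidate, "jsmith") or "ok")
```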

Configuring Event Distribution Policy

The topics in this section explain how to configure event distribution policy for Managers. Event distribution policy lets you control how events are routed through the LEM system. With the Event Distribution Policy window, you can choose, at the event level, which events are to go to the LEM Console and to the local LEM database.

Practical Uses for Event Distribution Policy

Event distribution policy has several practical uses that are explained in the following examples.
- Many data sources generate events that are difficult to control at a granular level, or they generate events of little or no value. You are better off removing these events from the system to reduce the volume and noise being sent to your Console and database. By configuring event distribution policy, you can disable (exclude) specific event types, at the event level, from being sent to any or all of these destinations. The data sources will continue to generate these events, so you can enable them again at any time. Until then, the selected system destinations will ignore them.
- There may be events that you want to monitor in the LEM Console, but do not need for long-term storage and reporting. In this case, you can use event distribution policy to disable database storage for certain events, while enabling processing by the Console.

Opening the Event Distribution Policy Window

1. At the top of the LEM Console, click Manage > Appliances.
2. In the Appliances grid, click the gear button for the Manager you want to work with, and then click Policy. The Event Distribution Policy for [Manager] window appears.

If you open the Event Distribution Policy window while another user is currently using it, a Policy Locked message appears. You can choose to take over the window, or to view it in read-only mode. Any Full User can unlock any other user.

About the Event Distribution Policy Window

The following table describes the key features of the Event Distribution Policy window.

Event/Field: The window's grid is a hierarchical node tree. The Event/Field column lists event categories and event types. Opening an event category node displays the lower-level event types that are

Check Boxes: The check boxes in the grid's Console, Database, Warehouse, and Rules columns indicate whether or not a particular event type (or entire event category) is to be sent to the LEM Console, or to the local database. A check mark means the event type will be routed to that particular destination. An empty check box means the event type will not be routed to that destination.

Export Button: The Export button exports a Manager's event policy to a spreadsheet file.

Gear button: Click the gear button to use the Apply State to Branch command. This command pushes, or propagates, the selected event node's check box settings down to the related, lower-level event types in the node tree hierarchy.

Description: The Description box provides a description of the event type or event category that is currently selected in the grid.

Configuring Event Distribution Policy

The Event Distribution Policy window makes configuring your event distribution policy a straightforward matter. First, you find the event types you want to work with, and then you select check boxes to determine whether or not those event types are to be routed to a particular destination.

To configure event distribution policy:
1. Open the Event Distribution Policy window for the Manager you want to work with.
2. In the Event/Field grid, locate the event type you want to work with. You can do this several different ways:
   - In the Event/Field list, click any node to show its lower-level event type nodes.
   - In the Event/Field list, double-click any event type row to show its lower-level event type nodes.
3. Once you have found the event type you want, configure it as follows:
   - Select the row's Console check box to have that event type appear in the LEM Console.
   - Select the row's Database check box to have that event type stored in the local database.
   - Clear a check box to exclude the event type from that particular destination.
4. To save or cancel your changes, do one of the following:
   - Click OK to save your event distribution policy changes, close the window, and return to the Console.
   - Click Apply to save your changes, but keep the window open so you can continue working.
   - Click Cancel to close the window without saving your changes and return to the Console.

Upon saving, the Applying Changes status bar appears. Updating the Manager with the new event policy configuration changes can take anywhere from 30 seconds to several minutes.

Pushing event policy to lower-level event types

With the Apply State to Branch command, you can propagate, or push, event
distribution policy settings from a high-level event type to each of its
lower-level child event types in the event hierarchy.
For example, let's say you select the topmost Security Event row and then select
its Console and Warehouse check boxes. Clicking Apply State to Branch
assigns the same Console and Warehouse check box settings to every child
item of Security Event. Upon saving, this policy causes all event types that
are children of Security Event to begin sending events to all users' Consoles
and to your data warehouse. Because the parent row's state replaces whatever
the child rows held before, any child event type you had tuned individually
loses that tuning.
To push event distribution policy downward:
1. Open the Event Distribution Policy window for the Manager you want to work
with.
2. In the Event/Field grid, locate the event type that is a parent to the event
types you want to configure.
3. In the parent row, define the policy by selecting or clearing the Console,
Database, Warehouse, and Rules check boxes.
4. Click the row's gear button and then click Apply State to Branch.
The Console pushes, or propagates, the parent row's check box settings
down to each of its lower-level event types in the node tree hierarchy:
- If you select one or more of the parent row's check boxes, the Console
selects the same check boxes for each related lower-level event type in
the node tree. Upon saving, the policy begins sending the child event
types to the selected destinations.
- If you clear any of the parent row's check boxes, the Console clears the
same check boxes for each related lower-level event type in the node
tree. Upon saving, the policy stops sending those event types to those
destinations.
5. Click OK to save your changes. The Console implements the new policy.
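The propagation rules above, as an added example that is not SolarWinds code: a small model of the event-type hierarchy with the four destination check boxes, where apply_state_to_branch copies the parent row's state onto every descendant, selected and cleared boxes alike, replacing any per-child setting. The child event types NetworkTrafficAudit, UserLogon and UserLogonFailure are assumed names used only for illustration; TCPTrafficAudit and UDPTrafficAudit are alert names listed later in this chapter.

```python
"""Model of a LEM-style event distribution policy with Apply State to Branch.

Added example, not SolarWinds code. The tree below follows the manual's
"Security Event" illustration; the child event-type names are assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterator, List

DESTINATIONS = ("Console", "Database", "Warehouse", "Rules")


@dataclass
class EventType:
    """One row of the Event/Field grid: a name, four check boxes, children."""
    name: str
    policy: Dict[str, bool] = field(
        default_factory=lambda: {d: False for d in DESTINATIONS})
    children: List["EventType"] = field(default_factory=list)

    def add(self, *names: str) -> List["EventType"]:
        new = [EventType(n) for n in names]
        self.children.extend(new)
        return new

    def walk(self) -> Iterator["EventType"]:
        """Pre-order traversal: this row, then every descendant."""
        yield self
        for child in self.children:
            yield from child.walk()

    def find(self, name: str) -> "EventType":
        for node in self.walk():
            if node.name == name:
                return node
        raise KeyError(name)


def set_state(node: EventType, **boxes: bool) -> None:
    """Select or clear check boxes on one row only (no propagation)."""
    for dest, checked in boxes.items():
        if dest not in DESTINATIONS:
            raise ValueError(f"unknown destination {dest!r}")
        node.policy[dest] = checked


def apply_state_to_branch(node: EventType) -> int:
    """Copy the parent row's four check boxes onto every descendant row.

    Returns the number of descendant rows whose state changed. As the manual
    describes, selected boxes are selected below and cleared boxes are cleared
    below, so a child's own earlier setting does not survive.
    """
    changed = 0
    for child in node.walk():
        if child is node:
            continue
        if child.policy != node.policy:
            child.policy = dict(node.policy)
            changed += 1
    return changed


def destinations_for(root: EventType, name: str) -> List[str]:
    """Where an incoming event of this type is routed under the policy."""
    return [d for d in DESTINATIONS if root.find(name).policy[d]]


def build_sample_tree() -> EventType:
    """Assumed hierarchy: Security Event with two branches (for illustration)."""
    root = EventType("Security Event")
    net, auth = root.add("NetworkTrafficAudit", "UserLogon")
    net.add("TCPTrafficAudit", "UDPTrafficAudit")
    auth.add("UserLogonFailure")
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    # All rows start cleared; the topmost row gets Console + Warehouse.
    set_state(tree, Console=True, Warehouse=True)
    print("rows changed:", apply_state_to_branch(tree))
    for node in tree.walk():
        print(f"{node.name:22} -> {destinations_for(tree, node.name)}")
```

Running the block prints every row routed to Console and Warehouse only. The check that matters in practice is the second half of the test: a child tuned on its own (Database selected on UserLogonFailure) is silently reset the next time someone clicks Apply State to Branch on the parent, so re-apply per-child exceptions after any branch-level change.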

Exporting a Manager's Event Policy

When needed, you can export a Manager's event policy to a spreadsheet file.
You may want to do this for any of the following reasons:
- You can view and manipulate the policy information in a spreadsheet
application, such as Microsoft Excel.
- You can provide SolarWinds with a copy of your policy information for
technical support or troubleshooting purposes.
To export a Manager's policy:
1. Open the Event Distribution Policy window for the Manager you want to
work with.
2. At the top of the window, click Export. The Save As form appears.
3. In the Save In box, select the folder you want to export to.
4. In the File Name box, type a name and file type for the exported file. In the
file name, include a file type of .xls to save the file as a Microsoft Excel
spreadsheet.
5. Click Save. The Console saves the file to the folder and with the file name
you specified. You can now view the Manager's policy information in a
spreadsheet application, such as Excel.

Improving performance with event filtering (Windows only)

The Windows Filtering Platform (WFP) in Windows 7/8 and Windows Server
2008/2012 logs firewall- and IPsec-related events to the Windows Security log.
The alerts generated from these events represent background activity that
consumes additional LEM resources and is not needed for an optimized LEM
deployment. Modifying your LEM Manager's Event Distribution Policy to tune out
this Windows noise reduces the space these events occupy in your LEM database
and warehouse, reduces network activity, and frees LEM resources such as CPU,
memory, and disk space.
These events come from the Filtering Platform Packet Drop (5152, 5153) and
Filtering Platform Connection (5154 through 5159) audit subcategories. If no
other consumer needs them, disabling those subcategories in the Windows audit
policy (for example with auditpol.exe) stops them at the source, whereas the
distribution policy only drops them after the LEM Agent has collected and
normalized them.
To modify your LEM Manager's Event Distribution Policy:
1. Open the LEM Console and log into the LEM Manager from the Manage >
Appliances view.
2. Click the gear icon next to your LEM Manager, and then select Policy.
3. Locate the alerts you want to disable by using the search box under Refine
Results. To find all of the alerts listed below, type Windows Security in
the search box.
4. Check or uncheck the boxes in the Console, Database, Warehouse, and
Rules columns as follows:
- Uncheck the Console box to prevent your LEM Manager from showing the
alert in your LEM Console.
- Uncheck the Database box to prevent your LEM Manager from storing the
alert in your LEM database.
- Uncheck the Warehouse box to prevent your LEM Manager from sending the
alert to an independent database warehouse.
- Uncheck the Rules box to prevent your LEM Manager from processing the
alert against your LEM rules.
- Check any box to enable processing for the alert at that level.
5. Click Apply to save your changes and keep working.
6. Click OK to save your changes and exit the Event Distribution Policy
window.
Table of Alerts with Windows Security Auditing Provider SIDs

The alerts listed in the tables below can be filtered out (dropped) with your
LEM Manager's Event Distribution Policy by unchecking their boxes in the
Console, Database, Warehouse, and Rules columns. LEM still must collect and
normalize these events before the policy drops them, so they continue to use
some memory and CPU.

Alert name          Windows event IDs
TCPTrafficAudit     5152, 5154, 5156, 5157, 5158, 5159
IPTrafficAudit      5152, 5154, 5156, 5157, 5158, 5159
UDPTrafficAudit     5152, 5154, 5156, 5157, 5158, 5159
IMCPTrafficAudit    5152, 5156, 5157, 5158, 5159
ICMPTrafficAudit    5152, 5156
PPTPTrafficAudit    5152

The Provider SID value in these alerts matches the format "Windows Security
Auditing <Event ID>", where <Event ID> is one of the Windows event IDs listed
below.

Event ID   Event description
5152       Windows Filtering Platform blocked a packet
5154       Windows Filtering Platform permitted an application or service to
           listen on a port for incoming connections
5156       Windows Filtering Platform allowed a connection
5157       Windows Filtering Platform blocked a connection
5158       Windows Filtering Platform permitted a bind to a local port
5159       Windows Filtering Platform blocked a bind to a local port
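Before clearing the boxes it helps to know how much of the feed is actually WFP noise and which hosts produce it. The following is an added example, not SolarWinds code: it encodes the alert-to-event-ID table above, classifies normalized records by their Provider SID, and reports what the policy change would drop overall, per event ID, per alert and per reporting host. The record shape (alert name, ProviderSID, DetectionIP), the sample feed and the IP addresses are constructed for the example.

```python
"""Measure how much of a Windows Security feed is WFP noise (event IDs 5152-5159).

Added example, not SolarWinds code. It takes normalized records of the shape LEM
shows for these alerts (a ProviderSID of "Windows Security Auditing <ID>") and
reports what the Event Distribution Policy change described above would drop.
The sample feed is constructed for the example.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Table from the manual: LEM alert name -> Windows event IDs it is built from.
WFP_ALERT_IDS: Dict[str, frozenset] = {
    "TCPTrafficAudit": frozenset({5152, 5154, 5156, 5157, 5158, 5159}),
    "IPTrafficAudit": frozenset({5152, 5154, 5156, 5157, 5158, 5159}),
    "UDPTrafficAudit": frozenset({5152, 5154, 5156, 5157, 5158, 5159}),
    "IMCPTrafficAudit": frozenset({5152, 5156, 5157, 5158, 5159}),
    "ICMPTrafficAudit": frozenset({5152, 5156}),
    "PPTPTrafficAudit": frozenset({5152}),
}
WFP_DESCRIPTIONS = {
    5152: "blocked a packet",
    5154: "permitted an application or service to listen on a port",
    5156: "allowed a connection",
    5157: "blocked a connection",
    5158: "permitted a bind to a local port",
    5159: "blocked a bind to a local port",
}
PROVIDER_SID = re.compile(r"^Windows Security Auditing (\d{4})$")

# Constructed sample feed: (alert name, ProviderSID, DetectionIP).
SAMPLE_FEED: List[Tuple[str, str, str]] = [
    ("TCPTrafficAudit", "Windows Security Auditing 5156", "10.0.0.5"),
    ("TCPTrafficAudit", "Windows Security Auditing 5156", "10.0.0.5"),
    ("UDPTrafficAudit", "Windows Security Auditing 5152", "10.0.0.5"),
    ("TCPTrafficAudit", "Windows Security Auditing 5158", "10.0.0.7"),
    ("ICMPTrafficAudit", "Windows Security Auditing 5152", "10.0.0.7"),
    ("UserLogonFailure", "Windows Security Auditing 4625", "10.0.0.7"),
    ("UserLogon", "Windows Security Auditing 4624", "10.0.0.5"),
    ("TCPTrafficAudit", "Windows Security Auditing 5157", "10.0.0.9"),
]


def wfp_event_id(alert: str, provider_sid: str) -> Optional[int]:
    """Return the WFP event ID behind a record, or None if it is not WFP noise.

    Only the alert names in the manual's table count, and only when the
    ProviderSID carries one of the IDs listed for that alert, so a
    TCPTrafficAudit that came from some other log source is left alone.
    """
    m = PROVIDER_SID.match(provider_sid)
    if not m:
        return None
    event_id = int(m.group(1))
    return event_id if event_id in WFP_ALERT_IDS.get(alert, frozenset()) else None


def summarise(feed: Iterable[Tuple[str, str, str]]) -> Dict[str, object]:
    """Count WFP noise overall, per event ID, per alert and per reporting host."""
    total = 0
    by_event: Counter = Counter()
    by_alert: Counter = Counter()
    by_host: Counter = Counter()
    for alert, sid, host in feed:
        total += 1
        event_id = wfp_event_id(alert, sid)
        if event_id is None:
            continue
        by_event[event_id] += 1
        by_alert[alert] += 1
        by_host[host] += 1
    noise = sum(by_event.values())
    return {
        "total": total,
        "noise": noise,
        "noise_pct": round(100.0 * noise / total, 1) if total else 0.0,
        "by_event": dict(by_event),
        "by_alert": dict(by_alert),
        "by_host": dict(by_host),
    }


if __name__ == "__main__":
    s = summarise(SAMPLE_FEED)
    print(f"{s['noise']} of {s['total']} records ({s['noise_pct']}%) are WFP noise")
    for event_id, n in sorted(s["by_event"].items()):
        print(f"  {event_id}  WFP {WFP_DESCRIPTIONS[event_id]:<55} {n}")
    print("noisiest hosts:", sorted(s["by_host"].items(), key=lambda kv: -kv[1]))
```

The per-host breakdown is the useful part: a handful of busy servers usually account for most of the 5156/5152 volume, and those are the hosts where disabling the audit subcategory at the source pays off most, because the distribution policy on the Manager still leaves the Agent collecting and forwarding every record.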

Adding and Editing Nodes

The Manage > Nodes view displays the Agents that are monitored by each of
your Managers.
Once you have installed the Agents on your client PCs, you can use the Nodes
view to do the following:
- Add a new Node or scan for a new Node.
- Integrate the Agents' network security connectors with the LEM system. You
are actually integrating the Agents themselves, but the Agents forward
messages from the network security connectors to the Manager for event
processing.
- Connect an Agent to a Manager.
- View the name, connection status, event status, and IP address of each
Agent.
- Determine whether or not the Agent is using USB-Defender.
- View an Agent's properties.
- Control an Agent's automatic update settings for installing new software
from the Manager.
- Actively respond to events that affect Agents.
- Copy Agent information to the clipboard for use with the Remote Agent
Installer, or for analysis with programs such as Microsoft Excel.
- Remove an Agent from a Manager.

Nodes View Features

This topic describes the key features of the Nodes view and the Nodes grid, and
how to refine the Nodes grid.
The following table describes the key features of the Manage > Nodes view.

Name                 Description
Sidebar              Click the Sidebar button to alternately hide and open the Refine
                     Results pane.
Refine Results pane  By default, the Nodes grid shows all Nodes that are associated with
                     all of your Managers. The Refine Results pane lets you apply filters
                     to the Nodes grid to reduce the number of Nodes it shows. This way,
                     you can show only those Nodes that are associated with a particular
                     Manager, Connector Profile, status, and so on.
Nodes grid           The Nodes grid lists all of the Agent and Non-Agent nodes that are
                     associated with each Manager and appliance that is monitored by the
                     LEM Console. You can also Add a New Node and Scan for a New
                     Node with the buttons in the toolbar.
Respond menu         Use the Respond menu to perform an action on a particular Agent.
                     For example, you can send an Agent a pop-up message, or shut the
                     computer down. This menu behaves exactly as it does in the Monitor
                     view's event grid.
Remote Updates menu  This menu lets you control the Agent's automatic update status.
                     Remote updates are a way for the Agent to automatically accept
                     updated Agent software from the Manager when new software
                     becomes available.
Gear button          The gear button at the top of the grid opens commands that you can
                     perform on multiple selections in the grid, and commands that do not
                     require a grid selection. It includes commands for copying Agent
                     information and for deleting Agents.

Nodes Grid Columns

The following table briefly describes the meaning of each column of the Nodes
grid, and of the buttons above it.

Column              Description
Add Node            Displays a wizard to assist you in adding Nodes.
Scan for New Nodes  Scans syslog data that has been sent to LEM.
Gear button         The gear button in each row opens a menu of commands that you can
                    perform on the item that is currently selected in the grid:
                    - The Connectors command lets you configure the Agent's connectors.
                    - The Delete command lets you delete Agent licenses from a Manager.
                    - The Copy command lets you copy Agent information to the clipboard
                      for use with the Remote Agent Installer, or for analysis in another
                      program, such as Microsoft Excel.
Status              The Agent's current connection status:
                    - Enabled: the Agent is connected to a Manager.
                    - Disabled: the Agent is not connected to a Manager (that is, it is
                      an open license).
Node IP             The Node's IP address.
Node Name           The name of the system where the Node is installed. Typically, this
                    is the computer name or host name assigned to the Node.
Agent Node          The LEM Manager or Agent on which the node's logs are stored.
                    Note: This column is blank for LEM Agents.
USB                 The Node's current USB-Defender status. An icon means USB-Defender
                    is installed on the Node. If no icon is present, USB-Defender is not
                    installed on the Node.
                    Note: This column is blank for non-Agent nodes.
Version             The version number of the Node software.
                    Note: This column is blank for non-Agent nodes.
OS                  The operating system of the computer where the Node is installed.
                    Note: This column is blank for non-Agent nodes.
Profile             The Connector Profile associated with the Node, if applicable.
                    Note: This column is blank for non-Agent nodes.
FIM                 The Node's current FIM status:
                    - Operational: at least one FIM Connector for this Node has been
                      created and is running.
                    - Non-operational: at least one FIM Connector or FIM Connector
                      Profile is configured for this Node, but the driver is disabled.
                    - Not configured (no icon): the Node is not assigned to a FIM
                      Connector or FIM Connector Profile.
Updates Enabled     Indicates whether or not the Node is enabled for receiving remote
                    updates:
                    - Enabled: the Node is enabled for receiving remote updates.
                    - Disabled: the Node is disabled from receiving remote updates.
Update Status       Indicates the Agent's current software update status:
                    - Current: the Agent's software is current.
                    - Outdated: the Manager has an update newer than the version being
                      used by this Agent.
                    - Updating: the Manager is currently sending an update to this Agent.
                    - Queued: the Agent is waiting to be updated while other Agents get
                      updated. The number of Agents that can be updated at one time is
                      determined by the Maximum Concurrent Updates setting in the
                      Appliances view's Settings tab.
                    - Unknown: the Manager does not yet know the Agent's software status.
                    - Canceled: the user canceled the update while it was in progress.
                    - Error: an error occurred while updating.
ID                  The Agent's unique identification number.
Manager             The Manager that this Agent is connected to. An Agent can only be
                    connected to one Manager.
Install Date        The time and date the Agent was first installed and connected to the
                    Manager.
Last Connected      The time and date the Agent was last connected to the Manager.

Adding a Syslog Node

The Add Node button displays a wizard that walks you through adding a Node to
monitor a network device. The wizard locates the new node and then
recommends an appropriate connector.
1. Click the Add Node button.
2. Select Syslog node.
3. Enter the IP address of the node.
4. Select the Node Vendor from the list.
5. Configure the node so LEM can receive syslog messages. If you need help,
click the links provided for enabling specific vendor devices.
6. Select the I have configured this node so that LEM can receive its
Syslog messages check box.
7. Click Next. LEM then scans for new devices.

Scan for New Nodes

The Scan for New Nodes button scans the syslog data that has been sent to LEM
and detects new nodes. Use this if you have enabled many devices to send
syslog to LEM and want to add and configure them all at once. Because syslog
carries no authentication, the scan trusts the source address of whatever
reaches the appliance, so limit which hosts can send syslog to LEM (for
example with a firewall rule) before relying on auto-detected nodes.
To scan for new nodes:
1. Click the Scan for New Nodes button.
Note: Scanning for new nodes may take a few minutes. If it does, you get a
message that the scan is continuing in the background.
2. A New Connector(s) Found message displays as data is found from new
devices.
3. Click View Now to add the recommended connectors for these devices.
4. Click Next.
Note: Click the Summary tab to display a summary of the nodes and
connectors that will be added to or updated in LEM as a result of the scan.
5. Click Finish. Events from the new nodes appear in the LEM console as they
are received from the devices.

Adding Nodes Manually

1. To configure additional nodes, navigate to Manage > Nodes to see a listing
of all the nodes being monitored by LEM.
2. Select the desired node, then click the gear button next to it and select
Connectors. Here you can search agent nodes by category or use the
search box to find a node by keyword, such as DNS.
3. Click the gear icon next to the search result and select New to create a
new node.
4. Configure the new node and select Start to start the node.

Refining the Agents Grid

By default, the Agents grid shows every Agent that is associated with every
Manager that is monitored by the LEM Console. To help you work more efficiently
with a long list of Agents, the Refine Results pane lets you apply filters to the
Agents grid to reduce the number of Agents it shows.
When you select options in the Refine Results pane, the grid refreshes to show
only those items that match the refinement options you have selected. The other
items in the grid are still there; however, they are hidden. To restore them, click
the Reset button or select All in the refinement lists you are using.
The following table explains how to use the Refine Results form.

Field     Description
Reset     Click Reset to clear the form. This returns the form and the Agents
          grid to their default settings (showing all Agents for all Managers).
Search    Use this field to perform a keyword search for a specific Agent in the
          Name field. To search, type the text you want to search for in the text
          box. The grid displays only those Agents that match or include the text
          you entered.
Manager   Select the Manager you want to work with. Select All to include
          Agents from every Manager.
Profile   Select the Connector Profile you want to work with. Select All to
          include Agents from every Connector Profile.
Node      Select whether you want to view Agent or Non-Agent nodes.
Status    Select the connection status of the Agents you want to work with
          (Connected or Not Connected). Select All to include both.
Version   Select the version of the software on the Agent. Select All to include
          Agents of every version.
OS        Select the operating system (OS) of the computer the Agent is
          installed on. Select All to include all operating systems.
USB       Select the Agent's USB-Defender status (Installed or Not Installed).
          Select All to include both.

Chapter 11: Adding and controlling users and groups

This chapter discusses procedures for working with users and managing
restrictions for LEM Reports and the LEM desktop console.

Adding New Users

The following procedure explains how to add and configure new users. You add
each new user by opening and completing the User Information form. This form
records each user's individual settings. It also allows you to record a user's email
addresses, which the Manager can use to notify the user when an appropriate
alert event occurs.
Starting with LEM version 5.4, the Build > Users component of the LEM console
integrates with Microsoft Active Directory. Import domain users or groups to create
LEM console users with domain credentials.
Note: Before you import any user into LEM, be sure the account in Active
Directory includes a valid email address if you plan to send that user email
messages for LEM rules. After you import a user, you cannot change or add the
email address for the LEM user account.
To add a new user:
1. Open the Build > Users view.
2. At the top of the Users grid, click Add User. Below the grid, a blank User
Information form appears. A completed form is shown here for reference
purposes.
3. Complete the User Information form, as described in the following table.

Field                Description
Manager list         In the upper-right corner of the form, select the Manager this
                     user will be associated with.
User Name            Type the user's system user name. This is the name the user
                     will use when logging into the Manager.
                     Note: The user names admin_role, audit_role, and reports_role
                     cannot be used.
First Name           Type the user's first name.
Last Name            Type the user's last name.
Password             Type the user's system password. This is the password the
                     user will use when logging into the Manager. This can be an
                     initial system password or a temporary password that is
                     assigned to replace a forgotten password.
                     If you have the Must Meet Complexity Requirements
                     option checked in the Appliances view's Settings tab, the
                     Console enforces the following password policy:
                     - Passwords must have a minimum of six characters.
                     - Spaces are not allowed.
                     - Passwords must have two of the following three
                       attributes:
                       - At least one special character
                       - At least one number
                       - A mix of lowercase and uppercase letters
Confirm Password     Type the password a second time to verify that you entered it
                     correctly.
Role                 Select the appropriate role for this user:
                     - Administrators are users who have full access to the
                       system, and can view and modify everything.
                     - Auditors are users who have extensive view rights to
                       the system, but cannot modify anything other than their
                       own filters.
                     - Monitors are users who can access the Console, but
                       cannot view or modify anything, and must be provided
                       a set of filters.
                     - Contacts are users who cannot access the Console,
                       but do receive external notification.
                     - Guests are users who have extensive view rights to
                       the system, but cannot modify anything other than their
                       own filters.
                     After selecting a user role, you can click the View Role
                     button to open the Privileges form, which shows the system
                     privileges for that role. This information is provided here for
                     reference purposes and cannot be changed.
Description          Type a brief description (up to 50 characters) of the user's
                     title, position, or area of responsibility.
Contact Information  Use this section to record the user's email addresses, so the
                     Manager can notify users of network security events by
                     email. You can add as many email addresses as you need
                     for each user.
                     It is always a good idea to test each email address to confirm
                     that it has been entered correctly and that it works properly.
                     To add the user's email address:
                     1. Click the add button.
                     2. In the box that appears (shown here), type the user's
                        email address and then click Save.
                     3. The email address appears in the Contact
                        Information section.
                     4. Repeat this procedure as needed, to record each email
                        address that applies to the user.
                     To test an email address:
                     In the User Information form's Contact Information area,
                     click the test button for the email address you want to test.
                     Verify that the user has received the email test message. If
                     the message was not received, you may need to edit the
                     email address.
                     Note: In order for the Manager's notification system to work,
                     you must have the Manager's Email Connector Settings set
                     up properly.
4. When you are finished, click Save to save the new user; otherwise, click
Cancel.
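The "two of the following three attributes" rule above is easy to misread as "all three". The following is an added example, not SolarWinds code, that encodes the policy exactly as the table states it (minimum six characters, no spaces, at least two of: special character, digit, mixed case) and returns every violation rather than only the first. The set of characters counted as "special" is an assumption (ASCII punctuation); the page does not define it. A six-character floor is low by current guidance, so treat MIN_LENGTH as the value the Console enforces, not as a recommendation.

```python
"""Validator for the LEM console's "Must Meet Complexity Requirements" policy.

Added example, not SolarWinds code. It encodes the policy as the manual states
it: at least six characters, no spaces, and at least two of the three
attributes (a special character, a digit, mixed upper- and lower-case).
Which characters count as "special" is assumed here to be ASCII punctuation.
"""
import string
from typing import List

MIN_LENGTH = 6                     # the manual's floor; raise it in practice
SPECIALS = set(string.punctuation)  # assumed definition of "special character"


def attributes_met(password: str) -> List[str]:
    """Return which of the three attributes the password satisfies."""
    met = []
    if any(c in SPECIALS for c in password):
        met.append("special")
    if any(c.isdigit() for c in password):
        met.append("digit")
    if any(c.islower() for c in password) and any(c.isupper() for c in password):
        met.append("mixed-case")
    return met


def check_password(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if " " in password:
        problems.append("contains a space")
    if len(attributes_met(password)) < 2:
        problems.append("fewer than two of: special character, digit, mixed case")
    return problems


if __name__ == "__main__":
    # Constructed candidates covering each branch of the policy.
    for candidate in ["Abc12!", "Passw0rd", "abc123", "ABCDEF1", "Ab cd1!", "Ab1"]:
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r:12} {', '.join(verdict)}")
```

Note that "abc123" and "ABCDEF1" fail even though each has six or more characters and a digit: they satisfy only one attribute, and the policy requires two.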
To create a user from an Active Directory user:
1. Open your LEM console and log in to your LEM appliance.
2. Configure the Directory Service Query connector on your LEM appliance if
you haven't already. For additional information, see Configuring the
Directory Service Query Connector.
3. Click Build and then select Users.
4. Click the plus button, and then select Directory Service User.
5. Select the Organizational Unit and Group where you want to add the user.
6. Select the user you want to add from the Available Users column, and then
click Select User.
7. Select a LEM Role in the User Information form. Click View Role to see
details about each role.
8. Enter a user description. If you change the Description field, your changes
only apply to the LEM user account, not the Active Directory account.
9. Click Save.
To create users from an Active Directory group:
1. Open your LEM console and authenticate to your LEM appliance.
2. Configure the Directory Service Query connector on your LEM appliance if
you haven't already. For additional information, see Configuring the
Directory Service Query Connector.
3. Click Build, and then select Users.
4. Click the plus button, and then select Directory Service Group.
5. Select the Organizational Unit to which the group you want to add belongs.
6. Select the group you want to add from the Available Groups column, and
then click Select Group.
7. Select a LEM Role in the User Information form. Click View Role to see
details about each role.
Note: Every member of the group receives the role you select here. If you want
members of this group to have different LEM user roles, choose the least
privileged role that fits the group and raise individual users' roles after you
complete this procedure.
8. Enter a description for these users if you want. If you change the Description
field, your changes only apply to the LEM user accounts, not the Active
Directory accounts.
9. Click Save.

Editing User Settings

Follow this procedure to edit an existing user's configuration settings. You can
also edit the user's email addresses to make corrections or keep them current. If
an email address becomes obsolete, you can also easily remove it.
Only the description and the role can be edited for Active Directory users.
To edit a user's settings:
1. Open the Build > Users view.
2. In the Users grid, do one of the following:
- Double-click the user you want to work with.
- Click to select the user you want to work with. Then click the row's
gear button and click Edit.
Below the grid, the User Information pane displays the user's current
settings and becomes an editable form.
3. Make the necessary changes to the User Information form.
4. Click Save.
To delete a user's email address:
1. Open the Build > Users view.
2. In the Users grid, click to select the user you want to work with.
3. Click the row's gear button and then click Edit.
4. In the User Information form's Contact Information section, click the
delete button next to each email address you want to delete. The system
removes that particular contact information.
5. Click Save.

Deleting Users

Follow this procedure to delete a user from a Manager.
To delete a user:
1. Open the Build > Users view.
2. In the Users grid, click to select the user you want to delete.
3. Click the gear button and then click Delete.
Note: You cannot delete the admin user from the system.
4. At the Confirmation prompt, click Yes to delete the user; otherwise, click
No. The user is removed from the Users list. This user is no longer
authorized to use the Manager.

Restricting LEM Reports

Access to LEM Reports is completely restricted by default. In order to run reports
in LEM Reports for the first time, complete one of the procedures below to specify
which computers have access to your LEM database: add the computer on which
you want to run reports to the list of allowed computers on your LEM Manager, or
remove all LEM Reports restrictions. Prefer the allow list; removing the
restrictions exposes the LEM database to every computer on your network that
runs LEM Reports.
To configure your LEM Manager to allow specific computers to run LEM Reports:
1. Log in to your LEM virtual appliance using either the vSphere console
view, or an SSH client such as PuTTY.
2. At the cmc> prompt, enter service.
3. At the cmc::scm# prompt, enter restrictreports.
4. Press Enter.
5. Enter the IP addresses of the computers you want to run LEM Reports,
separated by spaces.
Note: Your entry overrides any previous entries, so ensure the list you provide is
complete.
6. Enter y to confirm your entry.
7. Enter exit to return to the cmc> prompt.
8. Enter exit to log out of your LEM virtual appliance.
To remove all LEM Reports restrictions:
1. Log in to your LEM virtual appliance using either the vSphere console
view, or an SSH client such as PuTTY.
2. At the cmc> prompt, enter service.
3. At the cmc::scm# prompt, enter unrestrictreports.
4. Press Enter.
Note: Unrestricting LEM Reports makes the LEM database accessible from any
computer on your network running LEM Reports.
5. Enter exit to return to the cmc> prompt.
6. Enter exit to log out of your LEM virtual appliance.

Chapter 12: Utilizing the Console


The LEM console displays normalized information about the events on your
monitored devices in real time. The sections in this chapter address how to use
the LEM console to view, respond to, and search for these events on a day-to-day
basis. Unless otherwise stated, the functionality described in this chapter is
identical between the web and desktop consoles.

Creating filters for real-time monitoring

You can create custom filters from the Monitor view in your LEM Console to
display real-time traffic from your monitored computers and devices.
To create a filter in your LEM Console:
1. Open the LEM Console and log in to your LEM Manager as an administrator
or auditor.
2. Click the Monitor tab.
3. Click the button at the top of the Filters pane, and then select New Filter
to open Filter Creation.
4. Enter a Name and Description (optional) at the top of the Filter Creation
view.
5. To modify the number of events your filter can store in memory, edit the
Lines Displayed value next to the Name field. The default value is 1000.
6. Drag one of the following elements into the Conditions box:
- Events: Drag a single Event into your Conditions to filter for any
instance of the Event you specify. This type of Condition does not
require a value. The field at the top of the Events list is a search box.
- Event fields: Drag an Event field into your Conditions to filter for any
Event that contains the value you specify.
Features of the List Pane
l

The list pane is the accordion list on the left side of Filter Creation, Rule
Creation, and the nDepthexplorer.It contains categorized lists of events, Event
Groups, event fields, Groups (from the Groups grid), profiles, and constants that
you can use when creating conditions for your filters, rules, and search queries.
If more than one Manager is linked to the Console, each item in the list pane lists
the Manager it is associated with. Therefore, some list items may appear to be
listed multiple times. But in reality, they are listed once for each Manager. Events
are universal to all Managers, so they do not show a Manager association.
The following table describes the contents of each list in the list pane. They are
listed in the order in which they appear. If a list does not apply to a particular view,
then it will not appear in that view.
List
Refine
Fields

Description
This list only appears with nDepth. It categorizes and lists the top
100 data details for each listed field found within your nDepth
search results. The details change, depending on whether you

180

Creating filters for real-time monitoring

List

Description
are searching event data or log messages. You can use these
details to create, refine, or append nDepth search conditions.
l

l
l

Managers

The data categories are expanded by default.


o

Click All to collapse all of the category nodes.

Click >All to open all of the category nodes.

Click >next to a category to open that category.

Click next to a category to close that category.

The number in parentheses next to each category


indicates how many unique details are in that
category.

The number next to each detail indicates how many


times that detail is reported in the search result's data.

Click the ABC button to sort the details within each


category alphabetically.
Click the 321 button to sort the details within each category
by frequencythe items that occur most often appear first
within each category.
Double-click a detail to add that detail to the search string.
Drag a detail into the search bar to include that item in the
search string.
When using Search Builder, drag a detail into the
Conditions box to add that item to the search string.

This list only appears in nDepth. It includes the various


appliances that are being monitored by the Console.
Use this list to select the Manager on which you want to perform
an nDepth search. If you are storing the original event log data on
a separate nDepth appliance, then you would select that
appliance here when you want to search that data.
l

In Drag & Drop Mode, you can drag an item from this list
into the search box to include that item in the search string.

181

Chapter 12: Utilizing the Console

List

Description
l

Events

When using Search Builder, you can drag an item from this
list into the Conditions box.

The Events list includes all of the Consoles event types. You
can show the events either of two waysas a hierarchical node
tree, or as an alphabetized list. Both views contains the same
eventsthey are just presented differently.
You can search either view. To do so, begin typing a word or
phrase in the box at the top of the list. The Events list will refresh
to show any event types that include your word or phrase. Then
use the list to select each event type that you want to include as a
filter condition or a rule correlation.
In the Events list, click this button to display the list as a
hierarchical node tree. This is the Events list's default view. This
view also has the following attributes:
l

Lower-level event types are hidden by nodes in the event


tree. To open a node, click the >icon. This displays the
nodes next level of events.
Using the search box displays the event and its parent
event types, so you can see how the event appears in the
event hierarchy.

In the Events list, click this button to list event types alphabetically, regardless of their position in the hierarchy.
Event
Groups

The Event Groups list displays pre-configured groups of events


that can be used to initiate a particular event filter condition or
rule correlation. The top box lists the names of Event Groups.
The Fields list displays those fields that apply to the Event Group
that is currently selected.

Fields

The Fields list displays those data fields that apply to whichever
event is selected in the Events or Event Groups list.

User-Defined Groups
This list displays the different preconfigured User-Defined Groups that apply to the Managers. User-Defined Groups are groups of preferences used in rules and event filters that allow you to match, include, or exclude events, information, or data fields based on their membership in a particular Group. In most cases, User-Defined Groups are used in rules as a type of whitelist or blacklist for choosing which events to include or to ignore.
User-Defined Groups are created in the Group Builder.

Connector Profiles
This list displays all the different Connector Profiles that apply to the Managers. Connector Profiles are groups of Agents that have common Connector configurations. You can use them to have your rules and filters include or exclude the Agents associated with a particular profile.
Connector Profiles are created in the Groups grid.

Directory Service Groups
This list displays the Directory Service Groups that are synchronized with the Managers. Directory Service Groups are preconfigured groups of network computers and system users that you can use in rules and filters. They allow you to match, include, or exclude events for specific users or computers based on their Group membership.
Directory service groups are synchronized to LEM through the Groups grid.

Time Of Day Sets
This list displays all of the different Time Of Day Sets that apply to the Managers. Time Of Day Sets are specific groups of hours that you can associate with rules and event filters. You can use them to have your filters include or exclude messages that occur during the hours associated with a particular Time of Day Set, or to have your rules take different actions at different times of day.
Time of Day Sets are created in the Groups grid.
Note: This list does not appear in nDepth.
State Variables
This list displays all of the different State Variables that apply to this Manager. The upper box lists the names of State Variables. The lower box lists the various fields that apply to whichever State Variable is selected in the upper box.
State Variables are created within the Groups grid.
Note: This list only applies to rules.

Subscription Groups
This list displays all of the Console user names, and the Manager each user is currently associated with. Each name in the list represents the list of rules that each individual user is subscribed to. By adding a Subscription Group to a filter, you can build the filter so that it only displays event messages that are related to specific rules that a particular user is interested in (or subscribed to).
Subscription groups are created in the Rules grid.
Note: This list only applies to filters and nDepth searches.

Constants
This list displays the three types of constants that rules and filters can use for comparing event data: text, number, or time.

Actions
This list displays all of the active responses that a rule can initiate, such as sending an email message, sending a pop-up message, blocking an IP address, etc.
Note: This list only applies to rules.

Notifications
This list includes the various notification methods the Console can use to announce an event message for the filter. You can have the Console display a pop-up message, display the new event as unread, play a sound, or have the filter name blink. If needed, you can configure multiple notification methods for the same filter.
Note: This list only applies to filters.

Creating conditions to filter event reporting


Use the Conditions box to configure the conditions that determine which events
a filter is to report. Conditions are the various rules that state when the filter is to
display an event message.
To define conditions, you drag event variables from the Events, Event Groups, and Fields lists into the Conditions box. Then use the Conditions connectors (described below) to configure how these variables are to compare to other items, such as Time Of Day Sets, Connector Profiles, User-Defined Groups, Constants, and other event fields.
You can also compare groups with AND/OR conditions. AND conditions state which events must all occur together before the filter shows an event. OR conditions state that if any one of several conditions occurs, the filter shows the event.
The combined conditions dictate when the event filter is to display an event. The filter ignores (and does not display) any events that do not meet these conditions.
The Conditions connectors allow you to configure relationships between events in the Conditions box, and to establish conditions for when the event filter is to display the event message. The following table describes each condition connector.

The Conditions box


The following table describes each feature of the Conditions box.

Expand/Collapse
Individual groups (and the entire Conditions box) can be expanded or collapsed to show or hide their settings:
• Click the > icon to expand a collapsed group.
• Click the collapse icon to collapse an expanded group. The number that appears in parentheses indicates how many conditions are contained in the group.
Once a group is properly configured, you may want to collapse it to avoid accidentally changing it.

Add Group
This is the Add Group button. It appears at the top of every group box. Click it to create a new group within the group box. A group within a group is called a nested group.
Each group is subject to AND and OR relationships with the groups around it and within it. By default, new groups appear with AND comparisons.

Delete
This is the Delete button. It appears at the top of every group box. When you point to a condition, it also appears next to that condition. Click this button to delete a condition or a group. Deleting a group also deletes any groups that are nested within that group.

Event variable
From the Events, Event Groups, or Fields list, drag an event, Event Group, or event field into the Conditions box. This is called the event variable.
You can think of an event variable as the subject of each group of conditions. As event messages stream into the Console, the filter analyzes the values associated with each event variable to determine if the event message meets the filter's conditions.

Operators
Whenever you drag a list item or a field next to an event variable, an operator icon appears between them. The operator states how the filter is to compare the event variable to the other item to determine if the event meets the filter's conditions.
• Click an operator to cycle through the various operators that are available for that comparison. Just keep clicking until you see the operator you want to use.
• Ctrl+click an operator to view all of the operators that are available for that comparison. Then click to select the specific operator you want to use.

List item
List items are the various non-event items from the list pane. You drag and drop them into groups to define conditions based on your Time Of Day Sets, Connector Profiles, User-Defined Groups, Constants, etc.
Some event variables automatically add a blank Constant as their list item. You can overwrite the Constant with another list item, or you can click the Constant to add a specific value for the constant. For example, clicking a text Constant turns the field into an editable text box so you can type specific text. The text field also allows wildcard characters.
Note that each list item has an icon that corresponds to the list it came from. These icons let you quickly identify what kinds of items are defining your filter's conditions.

Nested group
A group within a group is called a nested group. You may drag event variables and other items from the list pane into the nested group boxes. By using nested groups, you can refine conditions by combining or comparing one group of conditions to another. This allows you to create the logic for highly complex and exact conditions.
The example above shows one nested group. It represents a set of conditions within a higher-level group.

AND / OR
Conditions (and groups of conditions) are subject to AND and OR comparisons. If you click an AND operator, it changes to an OR, and vice versa.
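To make the behaviour of the Conditions box concrete (event variables compared to Constants, User-Defined Groups and Time Of Day Sets, combined through nested AND/OR groups), here is an added Python model of that evaluation. It is not LEM code; the operator names, the event field names and the sample events are constructed for illustration.

```python
"""Model of how a filter's Conditions box decides whether to display an event:
nested AND/OR groups whose conditions compare an event variable against a
list item (a Constant, a User-Defined Group, or a Time Of Day Set).
Constructed illustration; not the LEM implementation."""
from dataclasses import dataclass, field
from datetime import datetime
from fnmatch import fnmatchcase
from typing import Any, Dict, List, Union


@dataclass
class TimeOfDaySet:
    """A Time Of Day Set: the hours of the day (0-23) that belong to it."""
    hours: frozenset


@dataclass
class Condition:
    """One condition: event variable, operator, list item."""
    event_field: str   # the event variable (a field dragged from the Fields list)
    operator: str      # a key of OPERATORS (assumed operator names)
    list_item: Any     # Constant (str/int), User-Defined Group (frozenset) or TimeOfDaySet


@dataclass
class Group:
    """A group in the Conditions box; members are Conditions or nested Groups."""
    logic: str = "AND"                   # new groups default to AND comparisons
    members: List[Union["Condition", "Group"]] = field(default_factory=list)


def _equals(value: Any, constant: Any) -> bool:
    # Text Constants allow wildcard characters, so text is matched with fnmatch.
    if isinstance(constant, str):
        return fnmatchcase(str(value), constant)
    return value == constant


OPERATORS = {
    "=": _equals,
    "!=": lambda v, c: not _equals(v, c),
    ">": lambda v, c: v > c,
    "<": lambda v, c: v < c,
    # Membership in a User-Defined Group used as a whitelist or blacklist.
    "in group": lambda v, g: v in g,
    "not in group": lambda v, g: v not in g,
    # Membership in a Time Of Day Set, judged by the hour of the event's timestamp.
    "in time set": lambda v, t: v.hour in t.hours,
    "not in time set": lambda v, t: v.hour not in t.hours,
}


def evaluate(node: Union[Condition, Group], event: Dict[str, Any]) -> bool:
    """Return True when the event satisfies the condition or group."""
    if isinstance(node, Condition):
        if node.event_field not in event:
            return False        # an absent field never satisfies a condition
        return OPERATORS[node.operator](event[node.event_field], node.list_item)
    if not node.members:
        return False            # modelling choice: an empty group matches nothing
    results = [evaluate(m, event) for m in node.members]
    return all(results) if node.logic == "AND" else any(results)


def apply_filter(conditions: Group, events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """The events the filter displays; every other event is ignored."""
    return [e for e in events if evaluate(conditions, e)]


# Constructed filter: failed logons to non-service accounts that occur outside
# business hours OR come from a VPN gateway (wildcard text Constant).
BUSINESS_HOURS = TimeOfDaySet(frozenset(range(8, 18)))
SERVICE_ACCOUNTS = frozenset({"svc_backup", "svc_monitor"})   # User-Defined Group

SUSPICIOUS_LOGON_FAILURES = Group("AND", [
    Condition("EventType", "=", "UserLogonFailure"),
    Condition("DestinationAccount", "not in group", SERVICE_ACCOUNTS),
    Group("OR", [                                   # nested group
        Condition("DetectionTime", "not in time set", BUSINESS_HOURS),
        Condition("SourceMachine", "=", "vpn-*"),   # wildcard text Constant
    ]),
])

# Constructed sample events (field names are assumed, not LEM's schema).
SAMPLE_EVENTS = [
    {"EventType": "UserLogonFailure", "DestinationAccount": "jsmith",
     "SourceMachine": "ws-101", "DetectionTime": datetime(2015, 9, 1, 2, 15)},
    {"EventType": "UserLogonFailure", "DestinationAccount": "svc_backup",
     "SourceMachine": "ws-101", "DetectionTime": datetime(2015, 9, 1, 2, 20)},
    {"EventType": "UserLogonFailure", "DestinationAccount": "jsmith",
     "SourceMachine": "vpn-gw2", "DetectionTime": datetime(2015, 9, 1, 10, 0)},
    {"EventType": "UserLogonFailure", "DestinationAccount": "jsmith",
     "SourceMachine": "ws-102", "DetectionTime": datetime(2015, 9, 1, 10, 5)},
    {"EventType": "UserLogon", "DestinationAccount": "jsmith",
     "SourceMachine": "vpn-gw2", "DetectionTime": datetime(2015, 9, 1, 10, 7)},
]

if __name__ == "__main__":
    for e in apply_filter(SUSPICIOUS_LOGON_FAILURES, SAMPLE_EVENTS):
        print(e["DestinationAccount"], e["SourceMachine"], e["DetectionTime"])
```

Only the first and third sample events pass: the second is excluded by the User-Defined Group blacklist, the fourth falls inside the Time Of Day Set and does not match the wildcard, and the fifth is a different event type.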

Creating a New Filter


Use the following procedure whenever you need to create a new filter. Configure
the filter with the Filter Creation connector.
To create a new filter:
1. Open the Monitor view.
2. In the Filters pane, click the title bar of the filter group you want the new filter to reside in. If you change your mind later, you can always move the filter to a different group.
The filter group opens to list the filters that are available for that group.
3. On the Filters pane, click the plus button and then click New Filter. The Monitor view changes from showing the event grid to showing the Filter Creation connector. The connector shows a new filter with the name of [New Filter].
4. In the Name box, type a name for the filter. This is the name that will be used to identify the filter in the Filters pane.
5. In the Lines Displayed box, type or select the total number of events that are to be displayed in this filter. You can use the up and down arrow buttons to the right of the box to select a value. The default value is 1000 lines. You can select up to a maximum of 2000 lines.
6. In the Description box, type a brief description of what the filter does, or the situation for which the filter is intended.
7. Use the list pane and the Conditions box to configure the conditions that define the filter. These are conditions between events, Event Groups, event fields, and other components.
8. If you want special notification whenever the filter captures an event, drag an option from the Notifications list to the Notification box. Then configure the notification method.
9. Click Save to save the filter's settings.
10. If applicable, use the Filter Status section to verify, troubleshoot, and resolve any problems with the filter's logic. When finished, the new filter appears in the filter group you selected in Step 2.

Editing an Existing Filter


Use the following procedure whenever you need to edit or rename an existing
filter. Once the filter is open for editing, you can change its name, description,
configuration, or notification settings, as needed. Create filters in the Filter
Creation connector.
To edit an existing filter:
1. Open the Monitor view.
2. In the Filters pane, open the filter group that contains the filter you want to edit.
3. Select the filter you want to edit.
4. On the Filters pane, click the gear button and then click Edit. The Monitor view changes from showing the event grid to showing the Filter Creation connector.
5. Edit the filter's configuration, as required.
6. Click Save to save the filter's settings.
7. If applicable, use the Filter Status section to verify, troubleshoot, and resolve any problems with the filter's logic.

Cloning an Existing Filter


Cloning a filter lets you copy an existing filter, but save it with a new name.
Cloning allows you to quickly create variations on existing filters.
To clone a filter:
1. Open the Monitor view.
2. In the Filters pane, select the filter you want to clone.
3. On the Filters pane, click the gear button and then click Edit.
4. Click the row's gear button and then click Clone. The newly cloned filter appears in the filter group, just below the original filter. A clone always uses the same name as the filter it was cloned from, followed by the word Clone. For example, a clone of the Virus Attacks filter is called Virus Attacks Clone. A second clone of the Virus Attacks filter is called Virus Attacks Clone 2, and so on.
5. Edit the cloned filter, as needed, to give it its own name and to assign its own specific settings.

Pausing Filters
At any time, you can pause a filter to stop the stream of event messages that are
appearing on that filter. This allows you to inspect a set of event messages
without being interrupted by new incoming messages. You can pause each filter
independently, or you can pause every filter on the Console.
To pause a filter:
1. Open the Monitor view.
2. In the Filters pane, click to select the filter you want to pause.
The event grid changes to display the filter you selected.
3. Do either of the following:
• On the event grid's title bar, click Pause.
• On the Filters pane, click the gear button and then click Pause/Resume.
In the Filters pane, the word Paused appears next to the filter.
To pause all filters:
1. Open the Monitor view.
2. On the Filters pane, click the gear button and then click Pause All.
In the Filters pane, the word Paused appears next to every filter, except those that have been turned off.

Resuming Paused Filters


When a filter is paused, it ceases to receive any event traffic. To begin receiving
event traffic again, you must resume the filter. You can resume each filter
independently, or you can resume every paused filter on the Console.

To resume running a filter:
1. Open the Monitor view.
2. In the Filters pane, click to select the filter you want to resume. The event
grid changes to display the filter you selected.
3. Do either of the following:
• On the event grid's title bar, click Resume.
• On the Filters pane, click the gear button and then click Pause/Resume.
In the Filters pane, the word Paused is replaced by the number of events that are currently associated with the filter.
To resume running all filters:
1. Open the Monitor view.
2. On the Filters pane, click the gear button and then click Resume All.
In the Filters pane, the word Paused is replaced by the number of events that are currently associated with each filter.

Turning Filters On and Off


Perhaps you only use a few filters on a regular basis. If so, you can turn off any
unused filters. If you later decide you need the filter, you can easily turn it back on
again. This on/off feature lets you conserve resources and not monitor a filter
without taking the drastic measure of deleting the filter.
When you turn a filter back on, it starts from that moment in time; it does not pull prior events from memory.
Filters are turned on and off from the Filters pane. Filters that are off appear in
italic type and show a status of Off. Filters that are on appear normal.

To turn a filter off:


1. Open the Monitor view.
2. In the Filters pane, select the filter you want to turn off.
3. On the Filters pane, click the gear button and then click Turn Off. In the Filters pane, the filter title is now italicized and reads Off in its status column. While the filter is no longer in use now, it remains available for later use.
To turn a filter back on:
1. Open the Monitor view.
2. In the Filters pane, select the filter you want to turn on.
3. On the Filters pane, click the gear button and then click Turn On. The filter appears in the event grid and begins processing data. In the Filters pane, the filter's status column changes from Off to showing the total number of events associated with the filter.

Copying a Filter
You can copy a filter. This allows you to quickly create variations on existing filters, or to keep the same filter in multiple filter groups.
To copy a filter:
1. Open the Monitor view.
2. In the Filters pane, open the filter group that contains the filter you want to
copy.
3. Now open the filter group that is to receive the copied filter.
4. In the first folder, click the filter you want to copy. Then press Ctrl while
dragging the filter to the group that is to receive the copy. A copy of the filter
appears in the new filter group.

To create a variation of the original filter:
1. In the Filters pane, click to select the newly copied filter.
2. Click the Filters pane gear button and then click Edit.
3. In Filter Creation, rename and reconfigure the filter, as desired.
4. Click Save.

Importing a Filter
Event filters are saved on the workstation that is running the Console. If you move to another workstation, the filters will not follow. However, you can export the filters from one workstation and import them into another workstation. This allows you to move filters from one Console to another, so that another user can use the same filters on their Console, too. It also allows you to import filters that are provided by SolarWinds. You may import more than one filter at a time.
To import a filter:
1. Open the Monitor view.
2. In the Filters pane, select the filter group that is to receive the new filters.
3. On the Filters pane, click the gear button and then click Import Filters. The Select Filter File(s) to Import form appears.
4. In the Look In box, browse to the folder that contains the filters you want to import.
5. Select the filter files you want to import, and then click Open. To select multiple files, press the Ctrl key while clicking each file you want to import.
The imported filters appear in the filter group you selected in Step 2.

Exporting a Filter
When needed, you can export a filter. Exporting does not remove the filter; it copies the filter to another location. Exporting filters is useful for the following reasons:
• You can move filters from one Console workstation to another, so that other Console users can use the same filters.
• You can save an export of your filters to a computer folder or network folder for archival purposes.
• You can provide SolarWinds with a copy of a filter for technical support or troubleshooting purposes.

Filters are exported from the Filters pane. You may export only one filter at a time.
To export a filter:
1. Open the Monitor view.
2. In the Filters pane, select the filter you want to export.
3. On the Filters pane, click the gear button and then click Export Filter.
4. In the Browse For Folder form, browse to the folder in which you want to save the exported file. If needed, you can click Make New Folder to create a new folder for the file.
5. Click OK. The system exports the filter file to the folder.

Deleting a Filter
When needed, you can delete a filter, which removes the filter from both the event grid and the Filters pane. Deleting a filter also deletes all of the widgets associated with that filter.
Use caution when deleting a filter. The only way to restore it and its widgets is to recreate them.
To delete a filter:
1. Open the Monitor view.
2. In the Filters pane, click to select the filter you want to delete.
3. Do either of the following:
• Click the selected filter's delete button.
• Click the pane's gear button, and then click Delete.
4. At the confirmation prompt, click Yes. The filter is deleted and no longer appears in the Filters pane.

Managing Filter Groups


The topics in this section explain how to create and manage filter groups in the
Filters pane.

Adding a New Filter Group


1. Open the Monitor view.
2. Click the Filters pane plus button and then click New Group.
3. A new filter group appears, and its title bar is an editable text box.
4. Type a name for the new group and then press Enter.
5. The new filter group appears in the Filters list. Filter groups are listed in the order in which you create them. However, you can rearrange them, as desired.

Renaming a Filter Group


1. Open the Monitor view.
2. In the Filters pane, do one of the following:
• Double-click the title bar of the filter group you want to rename.
• Click to select the title bar of the filter group you want to rename. Click the Filters pane gear button and then click Edit.
The filter group's title bar changes to an editable text box.
3. Type a new name for the filter group and then press Enter.

Rearranging Filter Groups


By default, new filter groups appear at the bottom of the Filters pane. However, you can rearrange your filter groups so they appear in a different order. For example, you may want to put your most frequently used filter groups toward the top of the pane, and your less frequently used groups toward the bottom.

To move a filter group:


1. Open the Monitor view.
2. In the Filters pane, click the title bar of the filter group you want to move, and then drag it to its new position.

Moving a Filter From One Group to Another


Once you have created your filter groups, you can organize your filters into them by dragging them from one group to another.
To move a filter from one group to another:
1. Open the Monitor view.
2. In the Filters pane, open the filter group that contains the filter you want to move.
3. Do either of the following:
• Click the filter you want to move; then drag and drop it just below the title bar of the group that is to receive the filter.
• Open the filter group that is to receive the filter. Then drag the filter from its original group into position in the new group.
The filter appears in its new filter group.

Deleting a Filter Group


When needed, you can delete an entire filter group. Deleting a filter group deletes
all of the filters that are stored within that group and all of the widgets that are
associated with those filters. Before deleting a filter group, be sure to move any
filters you want to save into another filter group.
To delete a filter group:
1. Open the Monitor view.
2. In the Filters pane, click to select the filter group you want to delete.
3. Do either of the following:
• Click the filter group's delete button.
• Click the pane's gear button, and then click Delete.
4. At the confirmation prompt, click Yes. The filter group and all of its filters are deleted and no longer appear in the Filters pane.

Responding to Events
The event grid's Respond menu lets you take direct action on a particular event message. Each Respond command opens the Respond form. The Respond form includes data from the field you selected and options for customizing the action, just as you would configure a rule's active response in Rule Creation.
The Respond menu is context-sensitive. The event type or cell that is currently selected in the event grid determines which responses you may choose from.
1. In the Monitor view's event grid, click the specific cell of the event message you want to respond to.
2. Click the event grid's Respond menu, and then select the type of response you want to make. You can choose between All Actions and a list of commonly used actions. The Respond form appears, which has three main sections:
3. In the middle of the form, complete the action's configuration fields. You can do this by typing text into each field, by dragging and dropping information from the form's event information section, or some combination of the two.
4. Click OK to execute the action. Otherwise, click Cancel.

Using the Respond Forms Drag and Drop Functionality


In the Respond form, you can drag and drop information from the form's event information section (at the bottom of the form) into its action configuration fields (in the middle of the form). You can use this method to do any of the following:
• add content to a blank field
• replace the content of a field
• add to the content that is already in a field.

You can also use a combination of typing and drag and drop to configure an action.
To place event information into a field:
Follow this procedure to add content to a blank configuration field or to replace the content of an existing configuration field.
1. In the Respond form's event information grid, scroll to locate the field that contains the data element needed to configure the action.
2. Click the data and then drag it into the appropriate action configuration field (in the middle of the Respond form). The new data element appears in the configuration field.

To add to the contents of a field from the event information:


Follow this procedure to add new field information to a configuration box, rather than replace it. Typically, you will use this procedure to add multiple data elements to the Message box.
1. In the Respond form's event information section, scroll to locate the field that contains the data element you want to add to the configuration field.
2. Select the information field's contents by clicking its data in the Information column.
3. Press Ctrl, then drag the data into the appropriate action configuration field (in the middle of the form) to add the new data element to the configuration field.

Review events with the Event explorer


The Event explorer, which can only be opened from the Monitor view, lets you view all of the events that are related to the event message currently selected in the Console. The Event explorer displays both sequential and concurrent events. That is, you can view the events that occurred before, during, and after the event message occurred. You can also monitor events in real time, to see where they came from and where they are going.
You can explore any event in the Console. When you explore an event, the Console makes a request to the Manager to determine which events are related to that event. The Event explorer then displays a summary of events that occurred before, during, and after the system issued the event. The Event explorer shows only those events that relate to the event that you selected. That is, it shows the event that triggered the selected event, and any events that occurred because of that event (such as a response, notification, other event, etc.).
With its straightforward graphical display, the Event explorer can help you visualize how an event occurred and the system's response to that event. You can follow the chain of events that caused the event, and help determine its root cause.

Opening the Event explorer


You can only open the Event explorer from the Monitor view's event grid. You may explore any event that appears in the grid.
To open the Event explorer:
1. In the Monitor view's event grid, click to select the event you want to explore.
2. In the event grid's Explore menu, click Event. The Explore view opens, showing the Event explorer. The Event explorer shows all of the events that are associated with the event you are exploring. The event that you are currently focusing on appears in the History pane. In this case, it is the event itself.

Event Explorer features


The Event explorer has three main sections: the information pane, the event map, and the event grid. The following table describes the key features of each section. The following topics explain how to use each feature in detail.

Event Details
Click this button to alternately open and close the Event Details pane.

Event Details pane
The Event explorer's Event Details pane displays information about the event that is currently selected in the event map or the event grid.
• It provides detailed information about the event.
• It displays a written definition of the event.
• It allows you to create a new filter based on the event.
• You can also copy text from this pane and paste it into explorers to explore specific data.
This pane works exactly like the Event Details pane in the Monitor view.

Event map
The event map displays a graphical view of the event you are exploring, as well as the related events that came before and after the central event. The event you are exploring appears in the middle. Prior events appear to the left. Events that follow appear to the right. You can double-click any event to move that event to the middle, which allows you to view its relationship with other events.

Stop
Click Stop to cancel an explorer lookup at any time.

Next/Previous
You can step through the events in the map by clicking the Next and Previous buttons.

Pane divider
Drag this bar up or down to resize the event map and event grid panes.

Event grid
The event grid provides a tabular version of the event map. The events are listed chronologically, from earliest to latest. Clicking an event in the grid highlights the corresponding item in the event map. The information pane also changes to show information about the event you have selected.
You can sort the event grid by each of its columns, so long as you click Pause first.

Scroll bars
The vertical and horizontal scroll bars let you quickly scroll through the information pane, larger event maps, and the event grid. For example, you can use the event grid's scroll bars to view the full range of events and all of the data associated with each event.

Exploring events
The event grid's Explore menu lets you use an explorer to investigate a particular event or one of its data fields. For example, if you select an InsertionIP cell, your explorer options include the Whois, Traceroute, and NSLookup explorers. If you click the EventInfo cell, your only explorer option is nDepth, because only that explorer can search the raw data for an arbitrary string.
To explore an event:
1. Open the Monitor view.
2. In the Filters pane, select the filter you want to work with. The event grid
displays the filter you have selected.
3. In the event grid, click the row (or cell) you want to explore.
4. In the filter's Explore menu, select the explorer you want to work with. The
Explore view appears, showing the explorer you selected. The explorer
contains the data for the cell you selected.

Using the Event Map


The top section of the Event explorer is called the event map. The event map displays a graphical view of the event you are exploring, as well as related events that came before and after the central event. Each event in the map can be thought of as a node that links to other events.
When you first open an event in the Event explorer, that event is always the central event in the event map. However, you can double-click any related event to move that event to the center of the map. This lets you see the events that came before and after that event. In this way, you can move through the entire chain of events to analyze the relationships between them.
Reading an Event Map
• Read the map from left to right.
• The Event explorer always places the event you are currently exploring in the middle of the map.
• Related events prior to the central event appear to the left. These events caused the event you are exploring. If there are no prior events, this appears as a box labeled None.
• Related events that follow the central event appear to the right. These events followed or were caused by the central event. These are the various system responses (if any) that were triggered by the central event. If there are no events that follow, this appears as a box labeled None.
• If the same event occurs multiple times, the occurrences appear together in a box, like the one shown above for the prior events. In this example, WebTrafficAudit occurred 10 times before triggering the rule, so the occurrences are grouped together. You can use the scroll bar to view each event. You can also select each event in the box to view information about it in the information pane.
• Double-click an event in the event map to move that event to the center position. The map then displays the related events that came before and after the new central event. As before, events prior to the central event appear to the left; events that follow the central event appear to the right. When you select a new central event, the information pane changes to show information about that event. The event grid also refreshes to reflect the new central event.
• Click Prev (previous) to move the previous event in the map to the center position.
• Click Next to move the next event in the map to the center position.
• Click Stop to cancel an explorer lookup at any time.
• Click an event in the event map to highlight the corresponding item in the event grid.

203

Chapter 12: Utilizing the Console

Event Map Legend

Events that appear in the event map can be events, rules, or commands (system
responses to an event). Each type of event in the map has its own icon. The
following table explains each icon.

Icon      Meaning
(icon)    An event from the Audit Event tree.
(icon)    An event from the Security Event tree.
(icon)    An event from the Asset Event tree.
(icon)    An event from the Incident Event tree.
(icon)    An event from the Internal Event tree that is not related to rules or
          active response activity.
(icon)    An internal command that indicates the system has taken action to
          respond to an event.
(icon)    Rule activity, either from a rule in test mode, or from a rule that has
          initiated an actual active response.

Using the Event Grid

The event grid lists all of the events that appear in the event map in a tabular form.
Events are listed chronologically, from the earliest event (top) to the latest event
(bottom). The grid is useful for comparing events and for exploring event data.
The event grid's Order column icons indicate when each event occurred, as
described in the following table.

Icon      Meaning
(icon)    The event occurred before the central event shown in the event map.
(icon)    The event occurred during (as part of) the central event.
(icon)    The event occurred after the central event shown in the event map.

Viewing information in the event grid

The columns in the event grid show detailed information about the event. The
columns vary, depending on the event you are viewing.

- Click an event in the grid to highlight the corresponding item in the event
  map. The information pane also changes to show information about the
  event you have selected.
- When needed, you can use the vertical scroll bar to view all of the events.
- Use the horizontal scroll bar to view all of the data fields associated with a
  particular event. This same data also appears in the information pane, but
  as text.
- Click an individual cell in the grid to explore that field.
- Point to an individual cell in the grid to see a ToolTip that displays the
  complete contents of the cell.

Exploring From the Event Grid

To explore from the event grid:
1. In the event map or the event grid, select the event you want to explore.
2. In the event grid, select the specific field you want to explore.
3. In the Explore menu, select the explorer you want to work with. Only those
   explorers that are valid for the selected fields are available. The explorer
   appears, with the field data you selected appearing in the Search box.
4. If you are using the nDepth Explorer, click Search. The other explorers
   begin searching automatically.
To respond from the event grid:
1. In the event map or the event grid, select the event you want to respond to.
2. In the event grid, select the specific field you want to respond to.
3. In the Respond menu, select the response you want.
4. Complete the Respond form.

Using the Event Details Pane

In the Event explorer, the upper-left pane is called the Event Details pane. It has
two different views to show the properties of the event that is currently selected in
the event map or the event grid:
- The Event Details view displays detailed information about the event that is
  currently selected in the grid. If more than one event is selected, it shows the
  properties of the last event to be selected.
- The Event Description view displays a written description of the last event
  to be selected in the grid.

You can also use this pane to create a filter based on the selected event, to scroll
through the contents of the event grid, or to explore specific event data with other
explorers.

Opening and Closing the Event Details Pane

You can open and close the Event explorer's Event Details pane in one of two ways:
- Click the event map's Event Details button.
- Position your pointer over the two thin lines next to the Event Details pane (or,
  if the pane is closed, next to the left side of the event map). When the pointer
  turns into a double-headed arrow, double-click to open or close the pane.

When the Event Details pane opens, it shows information about the event
that is currently selected in the event map or event grid.

Viewing an Event's Event Details

To view detailed information about a particular event, do one of the following:
- Click the event in the event map.
- Click the event in the event grid.

The Event Details pane displays information about the event you selected.

Exploring From the Event Details Pane

1. The following table explains how to use the toolbar at the top of the Event
   Details pane.

   Button      Description
   (button)    Click this button to create a new filter that captures the currently
               selected event type. Upon doing so, the Monitor view opens, with
               the new filter open in the event grid. The new filter appears in the
               Filters pane, under the last selected filter. If needed, you can edit
               the filter so it captures events of an even more specific nature.
   (buttons)   Click these buttons to move up and down among the events in the
               event grid. The pane shows detailed technical information about
               each event that is selected. This lets you view the technical
               details and written descriptions of each event in the grid.
               Remember, you can also use your keyboard's up and down arrow keys:
               - To cycle through the events in the event grid, click anywhere
                 in the event grid. Then use your up and down arrow keys.
               - To cycle through the fields in the Event Details pane, click
                 anywhere in the Event Details grid. Then use your up and
                 down arrow keys.
   (button)    Click this button to open the pane's Event Details view. This view
               shows detailed information about each of the selected event's
               data fields. The actual fields that appear here vary, according to
               the event type that is currently selected. For example,
               network-oriented events show fields for IP addresses and ports.
               Account-oriented events show account names and domains.
   (button)    Click this button to open the pane's Event Description view,
               which provides a detailed written description of the event type that
               is currently selected.

2. In the event map or the event grid, select the event you want to explore.
3. In the Event Details pane's Information column, click the event field you
   want to explore.
4. In the Explore list, select the explorer you want to work with. The explorer
   appears, with the field data you selected appearing in the Search box.
5. If you are using the nDepth Explorer, click Search. The other explorers
   begin searching automatically.

Performing nDepth Searches

Data searches are at the heart of nDepth. For that reason, SolarWinds has
invested a lot of effort to provide you with useful search results with the least
amount of effort. Mastering a few basic techniques can provide you with most of
the information you will ever need.
The topics in this section explain the most common procedures you need to get
the most out of your nDepth searches.
Use the following procedure to perform an nDepth search. This method is the
same, regardless of which nDepth view you are using.
To perform a search:
1. Open the Explore > nDepth view.
2. Use the search bar's far-right toggle switch to choose the type of data you
   want to explore:
   - Select Events (left position) to search the normalized event data that
     appears in the Monitor view.
   - Select Log Messages (right position) to search the actual log entries
     that are recorded in your network products' log files. If this position is
     disabled, it means your equipment does not have the capacity to store
     and search the original log messages.
3. Use the search bar's far-left toggle switch to select how you want to enter
   the search string:
   - Select Drag & Drop Mode (upper position) to drag items from the list
     pane or the Result Details view directly into the search box. This is
     the recommended position, as it is the easiest to use and the best
     way to avoid mistakes.
   - Select Text Input Mode (lower position) to type search strings directly
     in the search box.
4. In the search box, enter your search string. By default, the search box
   includes a "this item exists" condition, so you can begin searching right
   away, without having to drag and drop anything. To use this condition, click
   an item on one of nDepth's graphical tools, or type or paste a search string
   directly in the text box.
   In Drag & Drop Mode, the search box indicates when a particular
   configuration is invalid:
   - If a condition field is yellow, it means the search's configuration is
     invalid.
   - If a condition field is red, it means the search conditions do not apply
     to the type of data you are currently searching. For example, you are
     searching log messages with conditions that are meant for event data.
5. If you select more than one condition, determine the AND/OR relationship
   between each condition. Click the operator icon to toggle between AND and
   OR relationships.
   By default, searches use AND operators for each condition in the search
   string. But there is one exception: if you are selecting multiple items from a
   widget, it defaults to an OR relationship for the group of items from that
   widget.
6. In the time selector, select the time frame for which you want to search the
   data. By default, nDepth reports your network event activity over the last 10
   minutes (the end time is now, and the start time is 10 minutes ago).
   See "Creating Custom time frames" to create your own custom time frame.
   Be aware that the longer the time frame, the more numerous your search
   results will be.
7. Click the Search button to run the search. If needed, you can stop a
   search at any time by clicking the Stop button. After a moment, nDepth's
   graphical tools summarize your search results. The Result Details view
   shows the actual data.

Creating Search Conditions

nDepth lets you create search conditions many different ways. The following table
explains how to add search conditions, both in Drag & Drop Mode and in Text
Input Mode.

To: Clear a search from the search box
    On the search bar, click the round Delete All button (next to the Search
    button).

To: Add a new search
    1. On the search bar, click the Delete All button to clear the search box.
    2. Add new search conditions by using any of the techniques in this table.

To: Add conditions to an existing search
    Use any of the techniques listed in this table. nDepth automatically adds
    new search conditions to the search string.

To: Add a search condition from a widget or other graphical tool
    Click an item in a graphical tool to add that item to the search box.

To: Add a search condition from the list pane
    In the Refine Fields list, double-click an item.
    Or, in any list, select the item you want to work with, then drag that item
    directly into the search box.

To: Add a search from Search Builder
    Configure a search with Search Builder. Search Builder automatically
    populates the search bar with its search configuration. This is because the
    search bar and the Search Builder are different views of the same search.

To: Add a search condition from the Result Details view
    Select a character string from the data. Then double-click the string to
    add it to the search box.
    Or select a character string from the data, and then drag it into the
    search box.
    Or select a character string from the data. Then copy (Ctrl+C) the search
    string and paste (Ctrl+V) it in the text box.

To: Type a search string
    Type a search string directly in the search box.

To: Perform the search
    On the search bar, click the Search button.

Deleting Items From Search Strings

As with the Search Builder, you can use the search bar to delete search
conditions from a search string. There are buttons to delete individual conditions,
groups of conditions, or the entire string.
The following table explains how to delete search conditions directly from the
search bar. For the examples in this table, suppose you have a set of search
conditions that looks like this:

    Severity = 4
    AND
    (InsertionIP = SolarWinds-demo50 OR
    InsertionIP = intrepid )

To: Delete an individual search condition
    Click the delete button next to the condition in the search string.
    Example: Use this method to delete Severity = 4.

To: Delete a group of conditions
    Click the delete button at the far right of the search box.
    Example: Use this method to delete the OR group containing the two
    Insertion IPs.

To: Delete the entire search string
    Click the round Delete All button (next to the Search button).
    Example: Use this method when you want to delete the entire search string
    to begin a new search.
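The AND/OR defaults from step 5 of "Performing nDepth Searches" and the three delete buttons described in this table, modelled in Python as an added example; this is not SolarWinds code. Because the manual does not show nDepth's actual query language, the condition tree, the `run` helper and the sample events are all constructed here to illustrate the behaviour the text describes.

```python
"""Model of the nDepth search-condition behaviour described in this manual.

Added illustration, not SolarWinds code: nDepth's real query language is not
shown in the manual, so these classes are a constructed representation of the
string the search bar displays, e.g.
    Severity = 4 AND (InsertionIP = SolarWinds-demo50 OR InsertionIP = intrepid)
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Condition:
    """One "field = value" condition as shown in the search box."""
    field_name: str
    value: str

    def matches(self, event: dict) -> bool:
        return str(event.get(self.field_name)) == self.value

    def __str__(self) -> str:
        return f"{self.field_name} = {self.value}"


@dataclass
class Group:
    """Conditions joined by one operator; nested groups are parenthesized."""
    operator: str                                # "AND" or "OR"
    items: list = field(default_factory=list)    # Condition or Group objects

    def matches(self, event: dict) -> bool:
        if not self.items:   # empty search: match everything (constructed choice)
            return True
        results = [item.matches(event) for item in self.items]
        return all(results) if self.operator == "AND" else any(results)

    def toggle(self) -> None:
        """Step 5: clicking the operator icon flips AND <-> OR."""
        self.operator = "OR" if self.operator == "AND" else "AND"

    def __str__(self) -> str:
        parts = [f"({i})" if isinstance(i, Group) else str(i) for i in self.items]
        return f" {self.operator} ".join(parts)


class SearchString:
    """The search bar: a top-level group whose default operator is AND."""

    def __init__(self) -> None:
        self.root = Group("AND")

    def add_condition(self, field_name: str, value: str) -> None:
        """Drag, drop or type one condition; it joins the others with AND."""
        self.root.items.append(Condition(field_name, value))

    def add_widget_selection(self, field_name: str, values: list[str]) -> None:
        """Several items picked from one widget form an OR group by default."""
        self.root.items.append(Group("OR", [Condition(field_name, v) for v in values]))

    def delete_item(self, index: int) -> None:
        """The delete button beside a condition, or at the far right of a group."""
        del self.root.items[index]

    def delete_all(self) -> None:
        """The round Delete All button clears the search box."""
        self.root = Group("AND")

    def matches(self, event: dict) -> bool:
        return self.root.matches(event)

    def __str__(self) -> str:
        return str(self.root)


def build_example_search() -> SearchString:
    """Build the manual's example string from two search-bar actions."""
    search = SearchString()
    search.add_condition("Severity", "4")
    search.add_widget_selection("InsertionIP", ["SolarWinds-demo50", "intrepid"])
    return search


# Constructed sample events; not taken from a real LEM installation.
SAMPLE_EVENTS = [
    {"EventName": "UserLogon", "Severity": 4, "InsertionIP": "intrepid"},
    {"EventName": "UserLogon", "Severity": 2, "InsertionIP": "intrepid"},
    {"EventName": "WebTrafficAudit", "Severity": 4, "InsertionIP": "SolarWinds-demo50"},
    {"EventName": "WebTrafficAudit", "Severity": 4, "InsertionIP": "other-host"},
]


def run(search: SearchString, events: list[dict]) -> list[int]:
    """Return the indexes of the events the search string would return."""
    return [i for i, ev in enumerate(events) if search.matches(ev)]
```

Deleting item 0 of the example search corresponds to the "Severity = 4" delete button, and deleting item 1 to the group button at the far right of the OR group.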

Creating Custom time frames

Use the following procedure to create a custom time frame for your nDepth
queries.
To create a custom time frame:
1. In the search bar's time selector list, click Custom range. You can use the
   calendars that appear to set your From and To date and time range. By
   default, the custom time frame shows the time frame of your last search.
2. Use the two calendars to select the start (From) date and time, and the end
   (To) date and time, as described in the following table.

   To                            Do this
   Pick a date in the month      Click the date.
   shown
   Go to an earlier month        Click the earlier-month arrow.
   Go to a later month           Click the later-month arrow.
   Go to an earlier year         Click the earlier-year arrow.
   Go to a later year            Click the later-year arrow.
   Select a different time       Type a new time directly in the time box.
                                 Or, in the hour, minute, and second fields,
                                 click the arrow buttons to move to an earlier
                                 or a later value.

   Note: You can use your keyboard's up, down, right, and left arrows to move
   within the calendar and to select a time.
3. To close the calendar, click anywhere outside of its boundary.

Saving a Search
You can save any search that you create so you can reuse it at any time. Saved
searches include your entire search string as well as the time frame you have
selected.
To save a search:
1. In nDepth, perform a search as described above, until your results are
   satisfactory.
2. Click the gear button and then click Save As. The Save This Search
   form appears.
3. In the Search Name box, type a name that will easily help you remember
   the focus of this search. You can type up to 200 characters.
4. Click OK. Your search appears in the Saved Searches pane. Saved
   searches use the following icons:
   - (icon) represents a search for event data.
   - (icon) represents a search for original log messages.

Using a Saved Search


One of the great benefits of saving a search is that you can reuse it at any time.
Saved searches are stored in the Saved Searches pane. Saved searches are
listed alphabetically.
To use a saved search:
1. Open the Explore > nDepth view.
2. If the Saved Searches pane is not visible, click the History button to open
   it.
3. On the search bar, select the type of data you want to search: Events or
   Log Messages.
4. In the Saved Searches pane, click the search you want to run. After a
   moment, nDepth shows the search results.
Pointing to a search in the Saved Searches pane displays a ToolTip with
the full name of the search.

Making Changes to a Saved Search


When needed, you can make changes to any of your saved searches, and then
save your changes as the search's new configuration.
To save your changes to a search:
1. Open the Explore > nDepth view.
2. If the Saved Searches pane is not visible, click the History button to open
   it.
3. In the Saved Searches pane, click the name of the search you want to
   perform.
4. Use the search bar to reconfigure the search, as needed.
5. Click the gear button and then click Save. The search is now saved
   with the new configuration. The next time you run it from the Saved
   Searches pane, it will run with this configuration.

Exporting nDepth Search Results to PDF


The results of any nDepth search can be exported to a full-color, printable report.
The report is exported as a PDF file for easy storage, printing, and e-mail
attachment.
Note: PDF reports are limited to 25,000 events or log messages. If you need a
larger report, you can use the Result Details view to export your search results to
a spreadsheet in CSV format.
To export nDepth search results to PDF:
1. In nDepth, perform a search so nDepth shows the information you want
   reported.
2. Click the gear button and then click Export.
3. Customize your report in the nDepth Export window using the following
   options.
   a. Use the navigation bar at the bottom to preview your search results in
      the default format.
   b. Use Insert Page Before Current Page on the navigation bar to add a
      blank report page.
   c. Use Toggle orientation on the navigation bar or on an individual
      report page thumbnail to switch between portrait and landscape page
      orientation.
   d. Click Items on the left to open a list of report items that you can drag
      into your report body.
   e. Click Saved Layouts on the right to open a list of options related to
      saving and applying report layouts.
   f. Hover over report pages and other elements, such as titles, graphs,
      and text, to access additional configuration options. Options to clear
      all page contents, enter static text, and delete pages or other elements
      appear as you hover over each element.
   g. Drag charts and graphs to rearrange them in the report body.
4. Click Export to PDF to export the report in the Preview pane.
5. In the Save PDF As window, choose a destination and file name for your
   report.
6. Click Save.

Exploring Search Results from Graphical Views


When using nDepth's graphical views, you can explore event details with other
explorers. This allows you to use other explorers to investigate specific event
details in your nDepth search results. For example, you could investigate a
suspicious IP address with the NSLookup, Traceroute, or Whois explorers to
figure out where that IP is.
Note: When using explorers with nDepth's graphical views, you must manually
type the event detail you want to explore. This information is not automatically
"fed" into the explorer, like it is with nDepth's Result Details view.
To explore details with other explorers:
1. From any of nDepth's graphical views, click the Explore menu. Then select
   the explorer you want to use to explore the event detail.
   The Explore > Utilities view appears.
2. Type the event detail into the appropriate explorer field.
3. Click Search or Analyze, as applicable to the explorer.

Taking Action on Event Details


When using nDepth's graphical views, you can respond to any item that is
reported in nDepth's search results. If you see something unusual, you may want
to take some kind of corrective action. For example, you could send a user
account a popup message, or block a hostile IP address. Use the following
procedure to initiate a response or corrective action to a particular event or event
detail.
To initiate a response:
1. From any of nDepth's graphical views, click the Respond menu. Then
   select the response you want.
2. Complete the Respond form, as applicable for the response.

Deleting a Saved Search


When needed, you can easily delete any unwanted searches from your Saved
Searches pane. Deleting a saved search is permanent. If you want to restore the
search, you will have to recreate it and save it.
To delete a saved search:
1. Open the Explore > nDepth view.
2. If the Saved Searches pane is not visible, click the History button to open
it.
3. In the Saved Searches pane, point to the search you want to delete; then
click the icon next to the search.
4. At the confirmation prompt, click Yes.

Managing Connectors

Use the following procedure whenever you need to open the Connector
Configuration form. This form is used for the following reasons:
- To configure and manage a Manager's sensor, actor, and notification
  connectors.
- To configure and manage an Agent's sensor and actor connectors.
- To change the connectors configured in an Agent's Connector Profile.

Note: To change a Connector Profile's membership and properties, edit the
Connector Profile in the Build > Groups view.
You must be logged on to a Manager before you can configure its
connectors or its Agents' connectors.

To open a Manager's Connector Configuration form:
1. On the LEM Console, click Manage > Appliances.
2. In the Appliances grid, click to select the Manager you want to work with.
3. If needed, log in to the Manager. To do so, click the gear button and
   then click Login.
4. Click the gear button and then click Connectors. The Connector
   Configuration for [Manager] form appears. You may now add the
   connector instances for each network security product or device this
   Manager is to monitor or interact with on the Manager computer.
To open an Agent's Connector Configuration form:
1. If needed, log in to the Manager you want to work with.
2. On the LEM Console, click Manage > Agents.
3. In the Agents grid, click to select the Agent you want to work with.
4. Click the gear button and then click Connectors.
   - If the Agent is not in a Connector Profile, the Connector
     Configuration for [Agent] form appears. You may now add the
     connector instances for each network security product or device this
     Agent is to monitor or interact with on the Agent's computer.
   - If the Agent is in a Connector Profile, the Agent Connector
     Configuration prompt appears. A prompt warns you that the Agent
     belongs to a Connector Profile.
     You can choose to edit the Connector Profile, which affects every
     Agent in that profile; or you can remove the Agent from the profile to
     configure the Agent separately.
5. Do one of the following:
   - To edit the Connector Profile, click Connector Profile.
     The Connector Configuration for [Connector Profile] form appears.
     You may now begin adding, editing, or deleting the connector
     instances associated with that Connector Profile.
   - To remove the Agent from the Connector Profile and configure its
     connectors separately, click Agent Connector Configuration.
     The Connector Configuration for [Agent] form appears. You may
     now add the connector instances for each network security product or
     device this Agent is to monitor or interact with on the Agent's
     computer.

Adding New Connector Instances

In this procedure, use the Connector Configuration form to do the following:
- Configure the connector settings for each sensor that is to gather data from
  a network security product's event logs.
- Configure the connector settings for each actor that is to initiate an active
  response from a network security product or device.

Each configuration of a sensor or actor connector is called a connector instance.
Most products typically write to only one log source. For these products, a single
connector instance will suffice. However, some products write to more than one
log. For these products, create separate connector instances: one instance for
each log source. When a product requires more than one instance, you can
differentiate between them by assigning each instance a unique name, called an
alias.
To add a new connector instance:
1. Open the Connector Configuration form for the Manager or Agent you
   want to work with.
2. If desired, use the Refine Results pane to select the connector Category
   you want to work with.
3. In the Connectors grid, click to select the connector to be configured.
   - The sensor icon means the connector is for a sensor.
   - The actor icon means the connector is for an actor.
4. Do either of the following:
   - At the top of the Connectors grid, click New.
   - Click the connector row's gear button and then click New.
   The Properties pane opens as an editable form. The fields on the form vary
   from one connector to another, in order to support the product or device you
   are configuring. For new instances, the form displays the default connector
   settings needed to configure the associated product or device. In most
   cases, you can save the connector with its default settings; however, you
   can change the settings, as needed.
5. Complete the Properties form, as needed. To assist you, we have prepared
   some reference tables that explain the meaning of each field you may
   encounter in the Properties form.
6. Click Save to save the connector configuration as a new connector
   instance; otherwise, click Cancel. Upon saving, the following things happen
   in the Connectors grid:
   - If you configured a sensor, a sensor connector instance icon appears
     below the connector you are working with.
   - If you configured an actor, an actor connector instance icon appears
     below the connector you are working with.
   - The icon in the Status column indicates that the connector instance is
     stopped. All new connector instances automatically have a status of
     Stopped. To begin using the connector, you must start it.
7. To start the connector instance, click its gear button and then click
   Start. After a moment, the system starts the connector instance. Upon
   starting, the connector's Status icon changes to the running icon. The
   selected connector instance is now running.
8. If needed, repeat Steps 3 through 7 for each additional connector instance
   that is required to fully integrate this product or device with the LEM.

Starting a Connector Instance

Whenever you finish adding or reconfiguring a connector instance, you must start
it so it can begin running. Starting a connector instance enables that particular
connector configuration. If the connector instance is for a sensor, starting it
enables the sensor to begin monitoring the product's event log. If the connector
instance is for an actor, starting it enables the actor to begin initiating active
responses on that product when requested to do so by policy.
To start a connector instance:
1. Open the Connector Configuration form for the Manager or Agent you
   want to work with.
2. In the Connectors grid, click to select the connector instance you want to
   start.
3. Click the connector instance's gear button and then click Start.
   After a moment, the system starts the connector instance. Upon starting, the
   connector's Status icon changes to the running icon. The selected connector
   instance is now running.

Common problems with starting connector instances

If the connector fails to start, the Console will display a Warning or a Failure event
that states the problem. Normally, connectors fail to start for either of the following
reasons:
- The network security device's log file does not exist.
- The Agent does not have permission to access the file.

Stopping a Connector Instance

Use this procedure to stop a connector instance. You must always stop a
connector instance before you can edit or delete that connector instance.
However, you can also stop a connector instance to prevent the connector from
gathering data for the Console, or to prevent it from initiating active responses on
a network security product or notification system.
To stop a connector instance:
1. Open the Connector Configuration form for the Manager or Agent you
   want to work with.
2. In the Connectors grid, click to select the connector instance you want to
   stop.
3. Click the connector instance's gear button and then click Stop.
   After a moment, the system stops the connector instance. When the
   connector's Status icon changes to the stopped icon, it means the connector
   has stopped.
   Once a connector instance has been stopped, it can be edited, deleted, or
   restarted, as needed. The connector instance will remain stopped until you
   restart it.

Editing a Connector Instance


When needed, you can edit an existing connector instance's configuration
settings. However, you cannot edit its name (alias). If you need to rename a
connector instance alias, you must delete the current connector instance and
create a new one with the new name. Also, you cannot edit the Log File value for
some Windows event log sensors.

225

Chapter 12: Utilizing the Console

Use this procedure whenever you need to correct or change a connectors


configuration.
To edit a connector instance:
1. Open the Connector Configuration form for the Manager or Agent you
want to work with.
2. In the Connectors grid, click to select the connector instance you want to
edit.
3. Click the connector instance's gear button and then click Stop. After a
moment, the system stops the connector instance. When the connector's
Status icon changes to the stopped state, the connector has stopped.
4. To edit the connector, click the gear button and then click Edit.
5. In the Properties form, update the connector settings, as needed.
To assist you, we have prepared some reference tables that explain the
meaning of each field you may encounter in the Properties form.
6. Click Save to save your changes.
7. When you are finished, restart the connector instance by clicking the gear
button and then clicking Start.

Deleting a Connector Instance


When needed, you can delete an obsolete or incorrect connector instance.
To delete a connector instance:
1. Open the Connector Configuration form for the Manager or Agent you
want to work with.
2. In the Connectors grid, click to select the connector instance you want to
delete.
3. Click the connector instance's gear button and then click Stop. After a
moment, the system stops the connector instance. When the connector's
Status icon changes to the stopped state, the connector has stopped.
4. Click the connector instance's gear button and then click Delete.
5. At the confirmation prompt, click Yes to delete the connector instance. After
a moment, the connector instance disappears from the Connectors grid.
Note: Do not recreate this connector until it has been completely removed. It
may take up to two minutes for the connector to be deleted from your
system.

Creating Connector Profiles to Manage and Monitor LEM Agents


Use Connector Profiles to manage and monitor similar LEM Agents across your
network. The following two use cases are the most common for this type of
component.
• Configure and manage connectors at the profile level to reduce the amount
of work you have to do for large LEM Agent deployments.
• Create filters, rules, and searches using your Connector Profiles as Groups
of LEM Agents. For example, create a filter to show you all Web traffic from
computers in your Domain Controller Connector Profile.

Complete the two procedures below to create a Connector Profile using a single
LEM Agent as its template.
To create a Connector Profile using a LEM Agent as a template:
1. Configure the Connectors on the LEM Agent to be used as the template for
the new Connector Profile. These connectors are applied to any LEM
Agents that are later added to the Connector Profile.
2. Click Build, and then select Groups.
3. Click the button to create a new Group, and then select Connector Profile.
4. Enter a name and description for the Connector Profile.


5. Select the desired LEM Agent template from the Template list next to the
Description field.
6. Click Save.
To add LEM Agents to your new Connector Profile:
1. Locate the new Connector Profile in the Build > Groups view.
2. Click the gear button next to your Connector Profile, and then select Edit.
3. Move LEM Agents from the Available Agents list to the Connector Profile by
clicking the arrow next to them.
4. If you are finished adding LEM Agents to your Connector Profile, click Save.
The connector configurations set for the template agent are applied to
any agent added to the Connector Profile.
Using an Agent to edit a Connector Profile
You can use an Agent that is a member of a Connector Profile as a vehicle for
editing that profile's connector settings. You can add new connector instances to
the profile, or edit or delete its existing instances. Use caution when editing a
Connector Profile. The changes you make will apply to every Agent that is a
member of that profile.
You can also edit a Connector Profile's connector settings from the Manage >
Agents view.
To use an Agent to edit a Connector Profile's connector settings:
1. Open the Manage > Agents view.
2. In the Agents grid, click to select the Agent that is in the Connector Profile
you want to edit.
3. Click the gear button and then click Connectors. The Agent
Connector Configuration prompt appears to warn you that the Agent
belongs to a Connector Profile.
4. Click Connector Profile. The Connector Configuration for [Connector
Profile] form appears. You may now begin adding, editing, or deleting the
Connector instances that are associated with that Connector Profile.

File Integrity Monitoring Connectors


File Integrity Monitoring (FIM) provides the ability to monitor files of all types for
any unauthorized changes that may lead to a data breach by a malicious attack.
Using FIM, you can detect changes to critical files, both to ensure systems are
free of compromise and to ensure critical data is not being changed by
unauthorized modifications of systems, configurations, executables, log and audit
files, content files, database files, and web files. If FIM detects a change in a file
you are monitoring, it is logged. LEM then takes those logs and performs the
configured action. Correlation rules can be built to act as a second-level filter that
only sends an alert for certain patterns of activity (not just single instances),
and when an alert is triggered, the data is in context with your network and other
system log data. With a SIEM like LEM, you can also respond with administrative
action.
Features of FIM
• On Windows (XP, Vista, 7, 8, Server 2003, 2008, 2012), monitors for real-time
access and changes to files and registry keys and WHO changed them.
• Allows you to configure the logic of files/directories and registry keys/values
to monitor for different types of access (create, write, delete, change
permissions/metadata).
• Provides the ability to standardize configurations across many systems.
• Provides monitoring templates which can be used to monitor the basics.
Also allows the option of creating and customizing your own monitors.
• Provides templates for rules, filters, and reports to assist in including FIM
events quickly.

What can FIM detect?
• Insider abuse, by auditing files directly through intelligent correlation rules.
• Active integration with Active Directory settings can disable accounts and
change user groups and rights.
• If a critical registry key is changed (if registry is supported). For example, a
new service is installed, software is installed, or a key gets added to "hide"
data in an unexpected area.
• If a new driver or a similar device is installed. Adds a layer of defense to
anti-virus software for detecting viruses that masquerade as "similarly" named
files (like ntkernl.sys vs. ntkernI.sys).
• If critical business files are accessed, and who is accessing them. Detects
potential abuse, unexpected access, or changes to sensitive data.
• If files are moved. Usually when users move directories into other
directories.
• Zero-day exploits, that is, attacks that take advantage of security
vulnerabilities the same day the vulnerability becomes known. FIM can
trigger an alert letting you know there has been a file change by potential
malware or a Trojan and can automatically stop the running malware process.
• Advanced Persistent Threats, by inserting granular, file-based auditing into
the existing event stream to pinpoint attacks and help block them in
progress.
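The ntkernl.sys vs. ntkernI.sys case above is a file name that differs from a protected one only by visually confusable characters. The following Python check is an added example, not part of the SolarWinds product or this guide: it folds confusable characters to a common skeleton and compares an observed directory listing against a baseline of protected names. The confusable mapping, the baseline and the listing are constructed assumptions.

```python
# Added example (not SolarWinds code): detect file names that collide with a
# protected name once visually confusable characters are folded together.
import unicodedata
from typing import Dict, Iterable, List, Set, Tuple

# Confusable characters folded to one representative. This mapping is an
# assumption for this example (ASCII look-alikes common in file names).
_SINGLE = str.maketrans({
    "i": "l", "1": "l", "|": "l", "!": "l",   # i, one, pipe, bang read as lower-L
    "0": "o",                                  # zero reads as oh
    "5": "s", "$": "s",
    "2": "z",
    "8": "b",
})
_MULTI = (("rn", "m"), ("vv", "w"))            # two-letter runs that read as one letter


def skeleton(name: str) -> str:
    """Reduce a file name to a skeleton in which confusable spellings collide.
    NFKC folds fullwidth/compatibility forms; casefold removes the case
    distinction, which Windows ignores for file names anyway."""
    s = unicodedata.normalize("NFKC", name).casefold()
    for seq, rep in _MULTI:
        s = s.replace(seq, rep)
    return s.translate(_SINGLE)


def find_lookalikes(observed: Iterable[str],
                    baseline: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (observed_name, protected_name) for each observed file whose name
    is not itself a protected name but has the same skeleton as one."""
    protected: Dict[str, Set[str]] = {}
    for name in baseline:
        protected.setdefault(skeleton(name), set()).add(name.casefold())
    hits: List[Tuple[str, str]] = []
    for name in observed:
        sk = skeleton(name)
        if sk in protected and name.casefold() not in protected[sk]:
            hits.append((name, sorted(protected[sk])[0]))
    return hits


# Constructed baseline of protected names and a constructed directory listing.
PROTECTED = ["ntkernl.sys", "svchost.exe", "lsass.exe", "explorer.exe", "csrss.exe"]
OBSERVED = ["ntkernl.sys", "ntkernI.sys", "svchost.exe", "svch0st.exe",
            "Isass.exe", "explorer.exe", "notepad.exe", "csrss.exe"]

if __name__ == "__main__":
    for suspect, genuine in find_lookalikes(OBSERVED, PROTECTED):
        print(f"{suspect} looks like protected file {genuine}")
```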

Adding a FIM Connector


To add a FIM connector:
1. Navigate to Manage > Nodes to see a listing of all the nodes being
monitored by LEM.
2. Select the desired node, then click the gear icon next to it and select
Connectors.
3. Enter FIM in the Refine Results pane. The search results in FIM Registry
and FIM File and Directory.
4. Select either FIM File and Directory or FIM Registry.
5. Click the gear
icon next to the FIM Connector profile you want to work
with, then select New to create a new connector. The Connector
Configuration window displays.
6. Select a Monitor from the Monitor Templates pane, and then click the gear
icon and select Add to selected monitors. The Monitor Template then
moves to the Selected Monitor pane.
7. Click Save, or click Add Custom Monitor to modify the monitor to your
requirements.

Monitors
Monitors allow you to configure rules for which files to watch, and which actions to
watch for those files. Different monitoring templates have been provided to use
right away, and to assist in creating custom templates or configurations.
Adding Custom Monitors
1. Click Add Custom Monitor in the Connector Configuration window.
2. Enter a Monitor Name.
3. Enter a Description for the monitor.
4. Click Add New. The Add Condition window displays. See "Adding
Conditions" on page 232 for more information on how to add conditions to
monitors.
Editing Monitors
1. Select a Monitor from the Selected Monitors pane.
2. Click the gear icon and select Edit monitor.

Promoting a Monitor to a Template
1. Select the Monitor to be promoted.
2. Click the gear icon and select Promote monitor to template.
3. Click Yes to promote this monitor to a template. The monitor is now
available in the Monitor Templates pane.

Deleting a Monitor
1. Select the monitor to be deleted.
2. Click the gear icon and select Delete.
3. Click Remove. The monitor is then removed from the Selected Monitors
pane.

Adding Conditions
1. Click Add New in the Conditions window.
2. Click Browse to select a File and Directory or a Registry key to watch.
3. Click OK.
4. Select whether the files are recursive or non-recursive. Refer to the table
below for more information.
Recursive: The folder selected and all its sub-folders which match the given
mask will be monitored for the corresponding selected operations.
Non-recursive: Only the files in the selected folder will be monitored.
5. Enter a Mask. For example, *exe or directory*.
6. For a FIM File and Directory, select Create, Read, Write, and Delete for
Directory, File, Permissions, and Other operations. For a FIM Registry,
select Create, Read, Write, and Delete for Key and Value operations. For
more information on Other, refer to the Microsoft MSDN information.
7. Click Save.
Editing Conditions
1. Select the condition to be edited in the Conditions window.
2. Click Edit.
3. Click Browse to select a File and Directory or a Registry key to watch.
4. Click OK.
5. Select whether the files are recursive or non-recursive. Refer to the table
below for more information.
Recursive: The folder selected and all its sub-folders which match the given
mask will be monitored for the corresponding selected operations.
Non-recursive: Only the files in the selected folder will be monitored.
6. Enter a Mask. For example, *exe or directory*.
7. For a FIM File/Directory, select Create, Read, Write, and Delete for
Directory, File, Permissions, and Other operations. For a FIM Registry,
select Create, Read, Write, and Delete for Key and Value operations. For
more information on Other, refer to the Microsoft MSDN information.
8. Click Save.
Deleting Conditions
1. Select the condition to be deleted in the Conditions window.
2. Click Delete.
3. Click Remove.
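The recursive/non-recursive scope, the Mask, and the per-operation check boxes described in the Adding Conditions and Editing Conditions steps above combine to decide which change events a monitor logs. The following Python model is an added example and not SolarWinds code (LEM's own implementation is not shown in this guide); it assumes the Mask is matched against the name of the changed item, and the condition and event field names, sample paths and user accounts are constructed.

```python
# Added example (not SolarWinds code): a minimal model of how a FIM monitor's
# conditions (selected folder or key, recursive flag, Mask, ticked operations)
# decide which change events are logged. Field names, sample paths and user
# accounts are assumptions constructed for this example.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from pathlib import PureWindowsPath
from typing import FrozenSet, Iterable, List, Tuple

# The Add Condition form offers Create/Read/Write/Delete for each target type.
OPERATIONS = ("create", "read", "write", "delete")
FILE_TARGETS = ("directory", "file", "permissions", "other")   # FIM File and Directory
REGISTRY_TARGETS = ("key", "value")                            # FIM Registry


@dataclass(frozen=True)
class Condition:
    name: str
    root: str                            # folder or registry key chosen with Browse
    recursive: bool                      # recursive vs non-recursive (see table)
    mask: str                            # e.g. "*exe" or "directory*"
    watched: FrozenSet[Tuple[str, str]]  # (target, operation) boxes ticked


@dataclass(frozen=True)
class ChangeEvent:
    path: str        # full path of the file, folder, key or value touched
    target: str      # one of FILE_TARGETS or REGISTRY_TARGETS
    operation: str   # one of OPERATIONS
    user: str        # account that made the change (FIM records WHO)


def in_scope(cond: Condition, path: str) -> bool:
    """Recursive: anything below the root. Non-recursive: direct children only.
    An event on the root itself is not a change to a monitored item."""
    try:
        rel = PureWindowsPath(path).relative_to(PureWindowsPath(cond.root))
    except ValueError:
        return False                 # not under the selected folder or key
    if not rel.parts:
        return False                 # the root itself
    return cond.recursive or len(rel.parts) == 1


def mask_matches(cond: Condition, path: str) -> bool:
    """The Mask is a glob over the final path component (assumption). Windows
    file and registry names are case-insensitive, so compare in lower case."""
    return fnmatchcase(PureWindowsPath(path).name.lower(), cond.mask.lower())


def condition_matches(cond: Condition, ev: ChangeEvent) -> bool:
    return ((ev.target.lower(), ev.operation.lower()) in cond.watched
            and in_scope(cond, ev.path)
            and mask_matches(cond, ev.path))


def evaluate(conditions: Iterable[Condition],
             events: Iterable[ChangeEvent]) -> List[Tuple[str, str, str, str]]:
    """Return (condition name, user, operation, path) for every logged event."""
    hits = []
    for ev in events:
        for cond in conditions:
            if condition_matches(cond, ev):
                hits.append((cond.name, ev.user, ev.operation, ev.path))
    return hits


# Constructed sample monitor: one recursive file condition and one
# non-recursive registry condition.
SAMPLE_CONDITIONS = [
    Condition("system32-executables", r"C:\Windows\System32", True, "*exe",
              frozenset({("file", "create"), ("file", "write"),
                         ("file", "delete"), ("permissions", "write")})),
    Condition("services-keys", r"HKLM\SYSTEM\CurrentControlSet\Services", False, "*",
              frozenset({("key", "create"), ("value", "write")})),
]

# Constructed sample events, not real telemetry. Comments say why each one is
# or is not logged.
SAMPLE_EVENTS = [
    ChangeEvent(r"C:\Windows\System32\svchost.exe", "file", "write", r"CORP\alice"),          # logged
    ChangeEvent(r"C:\Windows\System32\drivers\helper.exe", "file", "create", r"CORP\build"),  # logged (recursive)
    ChangeEvent(r"C:\Windows\System32\drivers\ntkernl.sys", "file", "create", r"CORP\build"), # mask excludes .sys
    ChangeEvent(r"C:\Windows\System32\svchost.exe", "file", "read", r"CORP\bob"),             # Read not ticked
    ChangeEvent(r"C:\Windows\System32\evil.exe", "permissions", "write", r"CORP\bob"),        # logged
    ChangeEvent(r"HKLM\SYSTEM\CurrentControlSet\Services\NewSvc", "key", "create", "SYSTEM"), # logged
    ChangeEvent(r"HKLM\SYSTEM\CurrentControlSet\Services\NewSvc\ImagePath", "value", "write",
                "SYSTEM"),                                                                    # non-recursive: too deep
    ChangeEvent(r"C:\Users\alice\Downloads\setup.exe", "file", "create", r"CORP\alice"),      # outside the root
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_CONDITIONS, SAMPLE_EVENTS):
        print(hit)
```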

FIM Connector Advanced Settings

1. Complete the Advanced Connector Settings form according to the device
you're configuring. The following fields/descriptions are common for most
connectors:
Log Directory: When you create a new alias for a connector, LEM automatically
places a default log file path in the Log Directory field. This
path tells the connector where the operating system stores the
product's event log file.
In most cases, you should be able to use the default log file path
that is shown for the connector. These paths are based on the
default vendor settings and the product documentation for each
product. If a different log path is needed, use the following steps to
change the log file location manually:
1. Enter or paste the correct path in the Log Directory field.
2. Stop the Agent.
3. Manually update the Agent's spop.conf property:
• com.solarwinds.lem.fim.minifilter.fsLogLocation for a
file and directory connector. This appears as
%SystemDrive%\\Mylocation\\FileSystem in the
config file.
• com.solarwinds.lem.fim.minifilter.registryLogLocation
for a registry connector. This appears as C:\\My
other log location\\Registry in the config file.
4. Restart the Agent.


Log Data Type to Save: Select either nDepth, Alert, or Alert, nDepth. To store a copy of
the original log data in addition to normalized data, change the
Log Data Type to Save to Alert, nDepth. Storage for original log
data must also be enabled on the appliance.
nDepth Host: If you are using a separate nDepth appliance (other than LEM),
type the IP address or host name for the nDepth appliance.
Generally, the default setting is correct. Only change it if you are
advised to do so.
nDepth Port: If you are using a separate nDepth appliance (other than the
SolarWinds LEM), type the port number to which the connector
is to send nDepth data. Generally, the default setting is correct.
Only change it if you are advised to do so.
Sleep Time: Type or select the time (in seconds) the connector sensor is to
wait between event monitoring sessions. The default (and
minimum) value for all connectors is one (1) second. If you
experience adverse effects due to too many rapid readings of
log entries, increase the Sleep Time for the appropriate
connectors.
Windows NT-based connectors automatically notify Windows
Event Log sensors of new events that enter the log file. Should
automatic notification stop for any reason, the Sleep Time
dictates the interval the sensor is to use for monitoring new
events.
Wrapper Name: This is an identification key that the SolarWinds LEM uses to
uniquely identify the properties that apply to this particular
connector. This is read-only information for SolarWinds reference
purposes.
Tool Version: This is the release version for this connector. This is read-only
information for reference purposes.
Enable Connector Upon Save: When this option is selected, the connector starts
when you click Save.

2. After completing the form, click Save.
3. If you did not select the Enable Connector Upon Save option, navigate to the
Connectors list and click the gear button next to the new connector
(denoted by an icon in the Status column), and then select Start.
4. After starting the connector, verify that it is working by checking for events on
the Monitor tab.

Managing Widgets
The topics in this section explain how to use the Widget Manager to create and
manage your widgets.

Opening and Closing the Widget Manager


• At the top of the Ops Manager view, click Widget Manager to alternately
open and close the Widget Manager.
The Widget Manager includes the Filters pane and the Widgets pane.

Creating New Master Widgets


In the Ops Center, you can use the Widget Manager to create a new master
widget for any of your filters. Widgets are created with a tool called the Widget
Builder, which allows you to define the new widget's foundational and aesthetic
settings. It also allows you to save a copy of the new widget to the Ops Center
dashboard.
To create a new master widget from the Ops Center:
1. Open the Ops Center view.
2. If needed, click Widget Manager to open the Filters and Widgets panes.
3. Click the button to create a new widget. The Widget Builder appears.
4. Complete the Widget Builder.
5. Select the Save to Dashboard check box if you want to save a copy of the
new widget to the Ops Center dashboard.
6. When you are finished, click Save. Upon saving the new widget, several
things happen:
• In the Filters pane, the Count value of the associated filter increases
by one to account for the new widget.
• The new widget appears in the Widgets pane for the associated filter.
• The next time you open the widget's source filter in the Monitor view,
the new widget will appear in the Widgets pane's widget list.
• If you selected the Save to Dashboard option, a copy of the widget
also appears in the Ops Center dashboard.

Editing Master Widgets


In the Ops Center, you can use the Widget Manager to edit any of the master
widgets that are associated with a filter. Typically, you will edit a master widget
when you want to change a master widget's name, behavior, or appearance, or
whenever you want to use the master widget as a template to create a new
dashboard widget based on the master widget's current configuration.
Once saved, an updated master widget appears with its new configuration in the
Ops Center's Widget Manager and in the Monitor view's Widgets pane.
Once created, each dashboard widget operates independently of the master
widget it was created from. Therefore, editing a master widget does not affect any
previous copies (dashboard widgets) that were created from that master. This
independence lets you use a master widget as a template for creating variations
of the same widget for the Ops Center dashboard.
To edit a master widget in the Ops Center:
1. Open the Ops Center view.
2. If needed, click Widget Manager to open the Filters and Widgets panes.
3. In the Filters pane, select the filter you want to work with. The widgets
associated with this filter appear in the Widgets pane.
4. Drag the pane's scroll bar left or right to browse the filter's widgets.
5. When you find the widget you want to edit, click the Filters pane gear
button. The Widget Builder appears.
6. Use the Widget Builder to reconfigure the widget, as needed.
7. Select Save to Dashboard if you want to save a copy of the reconfigured
master widget to the Ops Center dashboard.
8. Click Save to save your changes to the widget. The master widget's new
configuration appears in the Widgets pane. If you selected the Save to
Dashboard option, a copy of the newly configured widget also appears in
the Ops Center dashboard.

Adding Widgets to the Dashboard


Use either of the following procedures to add a copy of a master widget to the
Ops Center dashboard. The original remains with its filter. Once a copy is on the
dashboard, you may edit its graphical presentation, as needed.
To add a widget from the Widgets pane to the dashboard:
1. Open the Ops Center view.
2. Click Widget Manager to open the Filters and Widgets panes.
3. In the Filters pane, select the filter you want to work with. The widgets
associated with this filter appear in the Widgets pane.
4. To preview the widgets in the Widgets pane, do one of the following:
• Drag the pane's scroll bar left or right to browse the filter's widgets.
• Click any widget to move it to the front of the pane.
5. When you find the widget you want to add to the dashboard, do either of the
following:
• Click Add to Dashboard.
• Click anywhere on the widget. Drag it to the dashboard, and then drop
it in the position you want.

To add a widget to the dashboard from the Widget Builder:


1. When creating or editing a master widget with the Widget Builder,
configure the form so the widget appears the way you want it to on the
dashboard.
2. Select the Save to Dashboard check box.
3. Click Save. A copy of the widget appears at the bottom of the Ops Center
dashboard.

Deleting Master Widgets


Widgets can only be deleted from the Ops Center, and master widgets can only
be deleted from the Widget Manager. Deleting a master widget does not delete
any of the dashboard widgets that came from that master.
To delete a master widget:
1. Open the Ops Center view.
2. If needed, click Widget Manager to open the Filters list and the Widgets
pane.
3. In the Filters list, select the filter that contains the widget you want to delete.
4. In the Widgets pane, use the scroll bar to select the widget you want to
delete.
5. Click Delete Widget.
6. At the confirmation prompt, click Yes.

Editing a Dashboard Widget


In the Ops Center dashboard, you can edit any dashboard widget. Editing a
dashboard widget does not affect the master widget it came from, or any other
widget. You are editing only that particular widget.
When editing a dashboard widget, the Save to Dashboard option is disabled,
because dashboard widgets can only be created from a master widget.
To edit a dashboard widget:
1. In the Ops Center dashboard, locate the widget you want to work with.
2. Click the gear button on the widget toolbar. The Widget Builder appears.
3. Make the necessary changes to the Widget Builder.


4. When you are finished, click Save. The widget appears in the dashboard
with its new configuration.

Deleting Dashboard Widgets


Widgets can only be deleted from the Ops Center. You can delete dashboard
widgets directly from the dashboard.
To delete a widget from the dashboard:
1. Open the Ops Center view.
2. In the dashboard, locate the widget you want to delete.
3. Click the delete button on the widget toolbar.

4. At the confirmation prompt, click Yes. The widget is deleted from the
dashboard.
Note: If needed, you can readily recreate the dashboard widget, so long as
you do not delete the master widget it came from.


Chapter 13: Advanced Configurations
Setting up an Appliance
If you are setting up a Manager for the first time, you should follow this order of
events:
• On the Console, open the Manage > Appliances view.
• Add a Manager to the Console.
• Log on to the Manager through the Console.
• Configure the Manager's properties with the Properties form.
• Configure the Manager's connectors with the Connector Configuration
window.
• (Optional) Assign the Manager's alert distribution policy with the Event
Distribution Policy window.

Adding Appliances to the Console


Use this procedure whenever you want to add a new Manager or other network
appliance to the LEM Console.
To add a new appliance:
1. At the top of the LEM Console, click Manage and then click Appliances.
2. At the top of the Appliances grid, click the symbol to add an appliance.
3. Enter the IP Address of the virtual appliance.
4. Click to display the Advanced Properties form. The following table
describes the form fields:

Username: Enter the username used to connect to the virtual appliance.
Password: Enter the password for the virtual appliance.
Appliance Type: Select the appliance type you are adding: Manager,
Database Server, nDepth, Logging Server, or Network
Sensor.
Connection Port: Type the port number the Console must use to communicate
with the Manager network appliance or the database. The
secure port number is 8443. This value will default to 8080
for virtual appliances in the evaluation phase.
Note: This field only applies when the Appliance Type field
is set to Manager.
Model: Select the appliance's appropriate model. If you are
uncertain which model you have, select Unknown. If you
know your model but it is not listed, select Other. Your
selection here has no effect on the Manager's operation.
If you selected any of the specific models, a picture of the
appliance appears at the top of the Details pane.
Level: The appliance's level. Its level is directly related to the
appliance's capacity and performance, ranging from Level 1
to Level 4. If you are uncertain which level the Manager
belongs to, select Unknown. If you are adding a Database
Server, Level 4 is automatically selected. This option is
disabled if you are using a virtual appliance.
Service Tag: Type the Dell serial number or registration number found on
the appliance. It uniquely identifies this piece of equipment
and its specific configuration properties.
Icon Color: Select the desired color for your icon.
Reset: At any time, you can click Reset to reset the form to its
default settings.
5. Click Connect to add the appliance and close the form. Otherwise, click
Cancel to return to the Console without adding the appliance.
6. Enter the IP Address of the virtual appliance and then click Connect.
Note: The LEM desktop software requires that you change your LEM
password after installation. This password must be between 6 and 40
characters, and must contain at least one capital letter and one number. The
default username/password is Admin/Password.
7. Click OK.

Copying Appliance Data


If needed, you can copy the data from the Appliances grid to your clipboard.
This allows you to paste the data into another application, such as Microsoft Excel
for analysis or the Remote Agent Installer for updates. You can copy the data for a
single appliance, multiple appliances, or for every appliance in the grid.
To copy data for a single appliance:
1. Open the Manage > Appliances view.
2. In the Appliances grid, select the appliances you want to copy.
3. Click the copy button, and then do one of the following:
• Click Copy Selected to copy the data for the selected appliances.
• Click Copy All to copy the data for every appliance in the grid.
The appliance data is now copied to your clipboard, where it can be pasted
into another application.

Removing an Appliance
When needed, you can remove a Manager or other network appliance from the
Console.
To remove an appliance:

1. At the top of the Console, click Manage, and then click Appliances.
2. In the Appliances grid, click to select the appliance you want to remove.
3. Click the gear button and then click Delete.
4. At the confirmation prompt, click Yes to remove the appliance. Otherwise,
click No to return to the Console without removing the appliance. The
appliance disappears from the Appliances grid.

Managing Connectors
Configuring Manager Connectors (general procedure)
Follow this procedure to configure a Manager's connectors (sensors and actors).
It lets the Manager monitor and interact with the supported security products or
devices that are installed on or remotely logging to the Manager computer.
To configure a Manager's connectors:
1. Start the LEM Console.
2. Open the Manage > Appliances view.
3. If you have not already done so, add and configure each Manager you will
be using with your network.
4. Log on to the Manager you want to work with.
5. Open the Connector Configuration for [Manager] form.
6. Add a connector instance for each of the product's event log sources.
7. When you are finished, start the Connector instance.
8. Repeat Steps 6 and 7 for each product or device that is logging to the
Manager computer.
9. Repeat Steps 4-8 for each Manager, until you have configured Connectors
for each point on your network.

Configuring Agent Connectors (general procedure)


Follow this procedure to configure the connectors (sensors and actors) the Agent
uses to monitor and interact with each network security product and device that
is running on the Agent computer.

To configure an Agent's connectors:
1. Open the Manage > Agents view.
2. Open the Connector Configuration for [Agent] form.
3. Add a connector instance for each of the product's event log sources.
4. When you are finished, start the connector instance.
5. Repeat Steps 3 and 4 for each product or device the Agent is monitoring on
the Agent's computer.
6. If you are not using Connector Profiles, repeat Steps 2-5 for each Agent,
until you have configured the connectors for each point on your network. If
you are using Connector Profiles, you can use a configured Agent as a
template for a Connector Profile.

Using Connector Profiles to Configure Multiple Agents


Most Agents in a network have only a few different connector configurations.
Therefore, you can greatly speed up the connector configuration process by
creating Connector Profiles. A Connector Profile is a group of Agents that share
the same connector configuration. It allows you to configure a set of standardized
connector settings, and then apply those settings to all of the Agents that are
assigned to that profile. Once applied, every Agent in the profile will then have the
exact same connector settings.
One of the great benefits of using Connector Profiles is that you can maintain all
of the Agents in a profile at once by updating only the Connector Profile's
connector configuration. The system then propagates your changes to all of the
Agents in the profile.
By using Connector Profiles, you can greatly speed up the process of connecting
your network security products to LEM. If you do not use Connector Profiles, you
will have to create at least one connector instance for every product that you
intend to integrate with LEM, and then repeat this process for every one of your
Agents.
A well-planned set of Connector Profiles provides you with a versatile and
efficient method for configuring and maintaining your Agents' connector
configurations.

Configuring email active response connectors


Configure the Email Active Response connector on your LEM Manager to enable
the LEM Manager to send automated emails to Console users in response to
rules firing. This connector specifies the mail host that your Manager uses to send
emails and, when necessary, provides the requisite server credentials.
Requirements
• An email server that allows the LEM Manager to relay email messages
through it
• IP address or hostname of your email server
• A return email address for bounced messages and replies
• User credentials for your email server, only if your email server requires
internal users to authenticate to send email

Configuring the email active response connector


1. Log into the LEM Manager on which you want to configure the connector
from the Manage > Appliance view of your LEM Console.
2. Click the gear icon next to your LEM Manager and select Connectors.
3. Enter Email Active Response in the search box on the Refine Results pane.
4. Click the gear icon next to the master connector on the right and select New.
5. Complete the Email Active Response connector form.
Note: If you use a hostname for the Mail Host value, your Manager must be
able to resolve it.
6. Enter a valid email address in the Test E-mail Address field. After the
connector is saved and started, your Manager sends a test email to the
email address.
7. Click Save.
8. Locate the new instance of the connector. It is a grey icon in the Status
column.
9. Select Start from the gear menu next to the new connector.

A green icon in the Status column indicates that the connector is running and you
can use the Test Email button to test your settings.
Testing the Email Active Response Connector
If the test email is successful, you receive it in the mailbox specified.
If the test email is unsuccessful, the LEM Internal Events filter presents the
following information:
• Event Name: InternalInfo
• Event Info: Email notification failed
• Extraneous Info: Information about the failure. For example, server not
reachable, authentication issue, etc.
You can modify the configuration of the connector to make sure you are using the
correct information.

Managing Groups
Adding a New Group
1. Open the Build > Groups view.
2. In the Groups grid, click the button to create a new Group, and then click
the Group type you want to create. The Group Details pane opens to show
an editable form for the Group type you have selected.
3. In the Name box, type a name for the Group.
4. In the Description box, type a brief description of the Group and its
intended use.
5. In the Manager list, select the Manager on which the Group is to reside.
6. Complete the rest of the form to configure the Group.
7. When you are finished, click Save. The new Group appears in the Groups
grid.

Chapter 13: Advanced Configurations

Editing a Group
Editing a Group is very much like creating a new one. The only difference is that
you are reconfiguring an existing item.
To edit a Group:
1. Open the Build > Groups view.
2. In the Groups grid, do one of the following:
- Double-click the Group you want to edit.
- Click the gear button for the Group you want to edit and click Edit.
The Edit pane opens as an editable form, showing the selected Group's
current configuration.
3. Make any necessary changes to the Edit form to reconfigure the Group.
4. When you are finished, click Save.
The revised Group is applied to the Manager and appears in the Groups
grid.

Cloning a Group
Cloning a Group lets you copy an existing Group, but save it with a new name.
Cloning allows you to quickly create variations on existing Groups for use with
your rules, filters, and Agents.
Cloned Groups must be for the same Manager as the original Group. That is, you
cannot clone a Group from one Manager for use with another Manager.
To clone a Group:
1. Open the Build > Groups view.
2. In the Groups grid, click to select the Group you want to clone.
3. Click the row's gear button and then click Clone. The newly cloned
Group appears in the Groups grid in the row just below the original Group.
A clone always uses the same name as the Group it was cloned from,
followed by the word Clone. For example, a clone of the Disk Warning
Group would be called Disk Warning Clone. A second clone of the Disk
Warning Group would be called Disk Warning Clone 2, and so on.
4. Edit the cloned Group, as needed, to give it its own name and to assign its
own specific settings.

Importing a Group
You can import Groups from a remote source into the Groups grid. You can
import a Group that you have exported from another Manager, or you can import
Groups that are provided by SolarWinds. You may import only one Group at a
time.
To import a Group:
1. Open the Build > Groups view.
2. On the Groups grid connector bar, click the gear button and then click
Import. The Open form appears.
3. In the Look In box, browse to the folder that contains the Group file you
want to import.
4. Do either of the following:
- Double-click the file to open it.
- Click to select the file you want to import, and then click Open.
The Group appears in the Groups grid and in the Group Details form for
editing.
5. In the Group Details form, select the Manager this Group is to be assigned
to.
6. Make any other desired changes in the Group Details form.
7. Click Save to send the Group to the Manager.
8. If you are working with Email Templates or State Variables, drag the new
Group from the Groups grid into the folder (in the Folders pane) that is to
store the Group.

Exporting a Group
When needed, you can export Groups. Exporting Groups is useful for three
reasons:
- Once exported, you can import the Group into another Manager.
- You can save a copy off of the Manager for any reason.
- You can provide SolarWinds with a copy of your Group for technical support
  or troubleshooting purposes.
You may export only one Group at a time.

To export a Group:
1. Open the Build > Groups view.
2. In the Groups grid, click to select the Group you want to export.
3. Click the row's gear button and then click Export.
4. After a moment, the Save As form appears.
5. Use the Save As form to select the folder in which you want to save the
exported Group.
6. In the File name box, type a name for the exported Group.
7. Click Save to export and save the Group; otherwise, click Cancel. You can
now import the Group for use with another Manager.

Deleting a Group
When needed, you can delete any of your Groups.
To delete a Group:
1. Open the Build > Groups view.
2. In the Groups grid, select the Group you want to delete.
3. Click the row's gear button and then click Delete.

4. At the confirmation prompt, click Yes to delete the Group. The item
disappears from the Groups grid.

Configuring Event Groups


Whenever you create or edit an Event Group, the Build > Groups view's Edit
pane opens and becomes the Event Group form. The Event Group form lets you
create custom families of alerts that you can save as a Group. You can then
associate the Event Group with your rules and filters.
For example, you might create an Event Group made up of similar alerts that all
need to trigger the same response from the Console. When you apply the Event
Group to a rule, the Console implements the rule when any one of the alerts in the
Group occurs.
Each Event Group you create only applies to the Manager that is selected when
you create the Group. If you need a similar Event Group for a different Manager,
you must create it separately for the other Manager.
To configure an event group:
1. Open the Build > Groups view.
2. On the Groups grid, click the add button and then click Event Group. The
Edit pane opens, showing the Event Group form.
3. In the Name box, type a name for the new Event Group.
4. In the Description box, type a brief description of the Event Group's
contents.
5. In the Manager list, select the Manager on which this Group is to reside. If
you are editing an existing Group, this field shows the Manager on which it
resides.
Now you will configure the Event Group by selecting the alerts you want in
the Group.

The Events box lists alerts in a hierarchical tree. You may need to open the
nodes in the alert tree to see the alert you are looking for.
6. In the Events list, select each alert that you want to include in this Group.
- To choose an alert, click its check box.
- To remove an alert, clear its check box.
Note: In the node-tree view, you can Ctrl+Click to select (or clear) an alert
and all of the alerts below that item (that is, its child alerts). For example,
press Ctrl and click Security Event to select Security Event and all of its
child alerts.
7. Click Save. The new Event Group appears in the Groups grid.
Event List Features
The following table explains how to use each feature of the Events list.

Icon: Node tree view button
Description: Click this button to display the Events list as a hierarchical node tree.
Then use the list to select each alert type that you want to include in this
Group. This is the default view.
This view also has the following attributes:
- Lower-level alert types are hidden by nodes in the alert tree. To open
  a node, click the > icon. This displays the node's next level of alerts.
- Using the search box displays the alert and its parent alert types, so
  you can see how the alert appears in the alert hierarchy.
- You can Ctrl+Click to select (or clear) an alert and all of the alerts
  below that item (that is, its child alerts). For example, if you press Ctrl
  and click Security Event, you will select Security Event and all of
  its child alerts.

Icon: Alphabetical list button
Description: Click this button to list alert types alphabetically, regardless of their
position in the hierarchy. Then use the list to select each alert type that you
want to include in this Group.

Icon: Search box
Description: You can use this box to search either view of the Events list. To do so, type
a word or phrase in the text box. The Events list will refresh to show any
alerts that include your word or phrase.

Icon: Closed node
Description: This icon represents a closed (or collapsed) alert node in the alert tree
hierarchy. Each time you see this icon, it means the alert node contains
lower-level alerts.
To open a node, click it. Opening the node expands the alert tree,
displaying the next level of related alerts.

Icon: Open node
Description: This icon represents an open (or expanded) alert node in the alert tree
hierarchy. Each time you see this icon, the node is displaying its related
lower-level alerts.
To close (or collapse) the node, click it. This collapses the alert tree at that
level, hiding its lower-level alerts.

Icon: Cleared check box
Description: This item has not been selected; nor have any of its lower-level items.

Icon: Selected check box
Description: This item has been selected, but not any of its lower-level items.

Icon: Partially selected check box
Description: This item has not been selected, but one or more of its lower-level items
has been selected.

Icon: Selected check box with selected lower-level items
Description: This item has been selected, and so have one or more of its lower-level
items.

Configuring Directory Services Groups


Many companies use a directory service, such as Active Directory, to organize
and administer their network's computers and system users. This computer and
user information is organized into Directory Service Groups (DS Groups) that are
managed with the directory service.
If you use such a directory service, you can connect LEM to the server that stores
your existing DS Groups, synchronize your Groups with LEM, and apply your
Groups to your rules and filters.
Once your directory service is connected, your DS Groups become seamlessly
integrated with LEM. Whenever you make a change to a Group in the
directory service, LEM automatically updates your rules and filters to reflect the
change.
The topics in this section explain how to retrieve and synchronize information
from your directory service for use with LEM.

How to Use Directory Services Groups


DS Groups allow you to match, include, or exclude events for specific users or
computers based on their Group membership, so that a rule or filter can determine
whether a particular alert event is relevant.
In most cases, DS Groups are used in rules and filters as a type of whitelist or
blacklist for choosing which users or computers to include or to ignore. When
used by a filter, a DS Group lets you limit the scope of the alerts included in the
filter to those users or computers that have membership in a particular Group.
For example, you may want to use a DS Group that you created in your directory
service that contains the names of high-risk network users. You can then refer to
this Group in a rule or filter. For instance, your rule may dictate to always disable
these users if you detect malicious activity.

Synchronizing Directory Service Groups with LEM


This procedure explains how to retrieve Group data from your directory service
and select which DS Groups are to be synchronized with LEM. This procedure
ensures that you capture the most current information from any Groups that are
not currently synchronized with LEM.

You can also use this procedure to remove DS Groups that no longer require
synchronization.
Note: To use DS Groups, first make sure the Directory Service Query Connector
is configured and running on the LEM Manager for which you want to use DS
Groups.
DS Groups only apply to Managers that are connected to them. If you need a
similar DS Group for another Manager, you must connect to the directory service
with the other Manager.
To retrieve DS Group data from your directory service:
1. Open the Build > Groups view.
2. On the Groups grid, click the add button and then click Directory Services
Group.
The Select Directory Services Group form appears. You will use this form
to select which directory service Groups you want to synchronize for use
with LEM.
3. In the Manager list (the upper-right drop-down list), select the Manager that
is going to use the DS Groups.
4. In the other drop-down list, select the directory services domain you want to
work with.
The form displays the actual contents (folders and Group categories) of your
directory service system:
- Each folder to the left contains the Group categories that are
  associated with that area of your directory service. You can click a
  folder node to display the Group categories contained within that
  folder.
- The Available Groups box lists a different set of Group categories
  with each folder you select. For example, clicking the Users folder
  shows a different set of Group categories than if you click the Laptops
  folder.
5. In the folder list, click the Group category you want to work with.
6. In the Available Groups list, do the following:
- Click the check box for each Group you want to synchronize with LEM.
- Clear the check box for each Group you want to remove from
  synchronization.

7. Repeat Steps 5 and 6 until you have selected all of the DS Groups you want
synchronized with LEM.
8. Click Save.
The system synchronizes the DS Groups to LEM and adds them to the
Groups grid. The DS Groups are now ready for use with your rules and
filters.

Viewing a Directory Services Group's Members


The Groups grid shows each DS Group that is synchronized with LEM. When
you select a DS Group in the Groups grid, the Directory Service Groups pane
appears to show the members of that DS Group.
To view a DS Group:
1. Open the Build > Groups view.
2. In the Groups grid, select the DS Group you want to view. The Edit pane
opens, showing the Directory Services Group form. The form displays the
contents of the Group.

Directory Services Group Grid Columns


The grid in the Directory Services Group form provides information on each
specific computer account and user account that is currently associated with the
DS Group. The following table describes the meaning of each grid column.

Column              Description
Type                Displays an icon that shows if the group member is a User or a
                    Computer. The computer icon represents a computer account. The
                    person icon represents a user account.
Name                Displays the display name of the group member.
Description         Displays the description associated with the group member in
                    directory services.
SAM Name            Displays the account name of the member.
Principal Name      Displays the principal name of the member.
Distinguished Name  Displays the complete distinguished name of the member.
Date
Email               Displays the email address of the member.

Deleting DS Groups
You can delete DS Groups from the Console, just as you would any other Group.
Deleting a DS Group does not remove the Group from your original directory
service. You can restore a DS Group at any time if you ever need to use it again.

Configuring Email Templates


Email templates allow you to create pre-formatted email messages that rules can
use to notify you of an alert event. These templates become available in the
Actions component list, whenever you drag Send Email Message or Send
Pager Message to the Actions box. You will then be prompted to fill in the
message variables from the Events or Event Groups lists.
You create and manage templates in the Build > Groups view's Email Template
form. As with rules, you can add, edit, clone, and delete templates, and you can
organize them in folders.

Step 1: Creating the Email Template


This section describes how to create the actual email template. Email templates
allow you to report specific information about an alert event, because you can
include variables that capture specific parameters about that event. For example,
you can report which server is affected, what time the event occurred, or which
Agent was shut down. The possibilities for message templates are endless.
To create an email template:
1. Open the Build > Groups view.
2. In the Groups grid, do one of the following:
- Click the add button and then click Email Template to add a new email
  template.
- Double-click the email template you want to edit.
The Email Template form appears. If you are editing an existing template,
the form shows any parameters that have already been configured for the
template.

3. In the Manager list, select the Manager on which this template resides. If
you are editing an existing template, this field shows the Manager this
template is associated with.
4. In the Name box, type a name for the template. This should be a name that
makes it easy to identify the type of event that has occurred, or where or to
whom the email message is going.

5. In the From box, type whom the message is from. Typically, this is
SolarWinds or Manager.
6. In the Subject line, type a subject for the message. Typically, you will want
a subject that indicates the nature of the alert event.
7. Click Save to save the template.

Step 2: Adding Message Parameters


In the Parameters list, you will add variables that are placeholders for specific
items within the message text. When the Manager sends the message, it will
complete the message by filling in the variable parameters with the appropriate
text. You can add as many parameters as you like.
For example, you may want a message to tell you which Agent or server was
affected. Or you may want to know the time the event occurred. So you can create
variables for Agents, servers, or time. In the previous example, there are
parameters for the server and for the destination computer.
If you add too many or unnecessary parameters, you can easily delete the ones
you don't need.
To add message parameters:
1. In the Name box, type the name of the parameter you want to capture in the
email message.
2. Click the Add button. The new parameter appears in the Parameters
list.
3. Repeat Steps 1 and 2 for each parameter you want to capture in this
message.
4. Click Save to save your changes to the template.
To delete a parameter:
1. In the Parameters list, select the parameter you want to delete.
2. Click the Delete button.
3. The parameter disappears from the Parameters list.
4. Click Save to permanently delete the parameter.

Step 3: Creating the message


Now, in the Message box, you will create the actual text of the email message.
To create an email template message:
1. In the Message box, type the email message that the Manager is to send
when an event occurs, like in the example shown here.
2. In the Parameters list, select a parameter. Then drag it to the appropriate
spot in the message text. The parameters serve as placeholders for
information that the Manager will fill in.
3. Repeat Step 2 for each parameter.
4. When you have finished with the template, click Save. The new template
appears in the Groups grid.

Managing email template folders


As with rules and State Variables, you can use the Folders pane to organize your
email templates into folders and sub-folders. You can add, rename, move, and
delete template folders.

Configuring State Variables


You can use the Groups grid to add, edit, and delete State Variables and the
number, text, and time fields associated with each State Variable.

State Variables are used in rules. They represent temporary or transitional states.
For example, you can create a State Variable to track the state of a particular
system, setting it to a different value depending on whether the system comes
online or goes offline.
You can also configure rules to monitor the contents of a State Variable to
validate or invalidate a rule. For example, you can set a DEFCON value and
ensure that the DEFCON value is over 3 before notifying on-call staff.
Note: If you require permanent lists of data that can be preserved over long
periods of time, you can use User-Defined Groups in a similar manner.

Adding new State Variable fields


1. Open the Build > Groups view.
2. In the Groups grid, do one of the following:
- To add a new State Variable, click the add button and then click State
  Variable.
- Double-click the State Variable you want to edit.
- Click the gear icon for the State Variable you want to edit, and then
  click Edit.
The State Variables pane opens as an editable form. If you are editing an
existing State Variable, the form shows any fields that have already been
configured.

3. In the Name box, type a name for the State Variable.


4. In the Manager list, select the Manager on which this State Variable is to
reside. If you are editing an existing Group, this field shows the Manager on
which it resides.
Now add the State Variable fields that make up the Group. Adding State
Variable fields is a straightforward process. You name the field, and then
select what the variable represents: text, a number, or time.
5. Click the Add button. The Add Variable Field form becomes active.
6. In the Name box, type a name for the State Variable field.
7. In the Type list, select the type of State Variable the field represents: Text,
Number, or Time.
8. Click the left Save button to save the field; otherwise, click Cancel. The new
State Variable field appears in the State Variables grid, showing the field's
name and comparison type.
9. Repeat Steps 5 to 8 for each field you want to add to the State Variable.
10. Click the rightmost Save button to save the State Variable settings. The new
State Variable appears in the Groups grid and the Rule Builder's State
Variables list. You can now incorporate this State Variable whenever you
add or edit a rule.

Editing State Variable fields


1. Open the Build > Groups view.
2. In the Groups grid, do either of the following:
- Double-click the State Variable you want to edit.
- Click the gear icon for the State Variable you want to edit, and then
  click Edit.
The State Variables pane opens as an editable form.
3. In the fields grid, select the State Variable field you want to edit. The Add
Variable Field form becomes active, showing the field's current
configuration.
4. Make the necessary changes to the field's Name or Type.
5. Click the form's Save button to apply your changes to the field. The updated
field appears in the fields grid.
6. Click the rightmost Save button to save your changes to the State Variable.

Deleting State Variable fields


1. Open the Build > Groups view.
2. In the Groups grid, do either of the following:
- Double-click the State Variable you want to edit.
- Click the gear icon for the State Variable you want to edit, and then
  click Edit.
The State Variables pane opens as an editable form.
3. In the fields grid, select the field you want to delete.
4. Click the Delete button. The field disappears from the fields grid.
5. Click Save to save the changes to the State Variable.

Managing State Variable Folders


As with rules and email templates, you can use the Folders pane to organize
your State Variables into folders and sub-folders. You can add, rename, move,
and delete State Variable folders.

Configuring Time of Day Sets


Time of Day Sets are Groups of hours that you can associate with rules and
filters. Time of Day Sets allow your rules and filters to take different actions at
different times of day.
For example, if you define two different Time of Day Sets for Business Hours
and Outside Business Hours, you can assign different rules to each of these
Time of Day Sets. For instance, you may want your rules to alert your system
administrator via email and pager during working hours. Outside of business
hours, you may want your rules to alert your administrator by pager only, and
automatically shut down the offending PC.
You can easily create as many Time of Day Sets as you need, to reflect all of
your business needs. A well-planned group of Time of Day Sets provides you
with versatile and responsive rules that perform the way you want, when you
want.
Each Time of Day Set you create only applies to the Manager that is selected
when you create it. If you need a similar Time of Day Set for another Manager,
then you must create it separately with that other Manager.

Configuring a Time of Day Set


1. Open the Build > Groups view.
2. In the Groups grid, do either of the following:
- To add a new Time of Day Set, click the add button and then click Time
  of Day Set.
- Double-click the Time of Day Set you want to edit.
The Edit pane opens, showing the Time of Day Set form.
3. In the Name box, type a name for the new Time of Day Set.
4. In the Description box, type a brief description of the Time of Day Set and
its intended use.
5. In the Manager list, select the Manager on which this Time of Day Set is to
reside. If you are editing an existing Group, this field shows the Manager on
which it resides.
The form has a time grid that lets you define a Time of Day Set for the
Manager. The time grid is based on a one-week period, and is organized as
follows:
- It has seven rows, where each row represents one day of the week.
- It has 24 numbered columns, where each column represents one hour
  of the day. The white column headers represent morning hours
  (midnight to noon). The shaded column headers represent evening
  hours (noon to midnight).
- Each column has two check boxes that divide each hour into two
  half-hour (30-minute) periods.
Together, the rows, columns, and check boxes divide an entire week into
30-minute periods.
6. In the time grid, click to select the half-hour periods that are to define this
Time of Day Set. For assistance, see the table in the topic Selecting periods
in the time grid, below.
7. Click Save. The new Time of Day Set appears in the Groups grid.
Selecting periods in the time grid


1. In the Connectors grid, click to select the connector instance you want to
delete.
2. Click the gear button and then click Delete.
3. At the confirmation prompt, click Yes.
4. Do one of the following:
- Click Activate to apply your changes to every Agent associated with
  the Connector Profile.
- Click Discard to discard your changes and reload the previous
  configuration.
5. Click Close to return to the Groups grid.

Configuring User-Defined Groups


User-Defined Groups are groups of preferences that are used in rules and filters.
User-Defined Groups allow you to match, include, or exclude events, information,
or data fields based on their membership in a particular Group.

Examples of User-Defined Groups


In most cases, User-Defined Groups are used as a type of whitelist or blacklist for
choosing which events to include or to ignore. When used by a filter, a
User-Defined Group lets you limit the scope of the alerts included in the filter to
those items that have membership in a particular Group.
Each User-Defined Group is made up of one or more elements that define the
Group. The elements can be almost anything: IP addresses, user names, email
addresses, web site URLs, etc. Because of their versatility, the possibilities of
User-Defined Groups are almost endless.
For example, you may want to create a Group of trusted IP addresses that you
can use in rules and filters. You can then refer to this Group in a rule. For
instance, your rule may dictate to never block these IP addresses.
Or you may want to create a Group of trusted accounts for the local administrator.
You could then format your rules so that they never block these accounts. Or,
because these accounts are trusted, you may want to watch them more carefully
so that you are notified whenever they log on or make changes.
You can create as many User-Defined Groups as you need to reflect all of your
different rule and filtering needs. Well-planned User-Defined Groups can provide
you with the precise feedback and active responses you need to manage and
maintain your network security.
Each User-Defined Group you create only applies to the Manager that is selected
when you create it. If you need a similar User-Defined Group for another
Manager, then you must create it separately with that other Manager.

Configuring a User-Defined Group


1. Open the Build > Groups view.
2. In the Groups grid, do one of the following:
- To add a new User-Defined Group, click the add button and then click
  User-Defined Group.
- Double-click the User-Defined Group you want to edit.
The Edit pane opens, showing the User-Defined Group form. If you are
editing an existing User-Defined Group, the form shows any parameters that
have already been configured for the Group.
3. In the Name box, type a name for the Group.
4. In the Description box, type a brief description of the Group and its
intended use.
5. In the Manager list, select the Manager on which this Group resides. If you
are editing an existing Group, this field shows the Manager on which it
resides.
6. Make any necessary additions, changes, or deletions to the Group's
Element Details grid.
7. Click Save to save your changes to the User-Defined Group.

Adding data elements to a User-Defined Group


Once you have created a User-Defined Group, you can add the data elements
that make up the Group.
To add a User-Defined Group's data elements:
1. Open the Build > Groups view.
2. In the Groups grid, double-click the User-Defined Group you want to work
with.
The Edit pane opens, showing the Group's current configuration.
3. At the bottom of the Edit pane, click the Add button.
The Element Details form becomes active.
4. Complete the Element Details form as described in the following table.

Field        Description
Name         Type a name for the data element.
Data         Type the specific data element that you want to include or
             ignore in your rules and filters. You can use an asterisk (*)
             as a wild card to include all similar data elements.
Description  Type a detailed description of the data element and its
             intended use, if appropriate.

In this example, the data elements are a list of anti-virus firewall processes.
5. Click Save.
The new element appears in the data element grid. Note that the table
displays each element's name, data element, and description.
6. Repeat Steps 3 to 5 for each data element you want to add to the Group.
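As an added illustration (not SolarWinds code, and not LEM's own matching implementation), the following Python models a User-Defined Group whose Data values use the asterisk wild card described in the table above, and applies it the way the Examples of User-Defined Groups section describes: a trusted IP address group that a rule never blocks, and a trusted administrator group whose logons are flagged for closer attention. The group contents, event fields and response labels are constructed for the example, and the assumptions about how the wild card matches are spelled out in the code.

```python
import re


class UserDefinedGroup:
    """A User-Defined Group: a named list of data elements (Name, Data, Description).

    A Data value is compared against a whole field value. The asterisk stands for
    any run of characters (including none); every other character is literal, so
    '?' and '[' have no special meaning here, unlike shell globbing. Matching is
    case-insensitive. Apart from the asterisk wild card named in the table above,
    these are assumptions of this example, not LEM's documented semantics.
    """

    def __init__(self, name, elements):
        self.name = name
        # each entry: (element name, data, description, compiled pattern)
        self.elements = [(n, d, desc, self._compile(d)) for n, d, desc in elements]

    @staticmethod
    def _compile(data):
        # Escape every literal fragment, then glue the fragments with '.*'
        # where the asterisks were; anchor so the whole value must match.
        pattern = ".*".join(re.escape(part) for part in data.split("*"))
        return re.compile("^" + pattern + "$", re.IGNORECASE)

    def matching_element(self, value):
        """Name of the first data element that matches `value`, or None."""
        for elem_name, _data, _desc, regex in self.elements:
            if regex.match(value):
                return elem_name
        return None

    def __contains__(self, value):
        return self.matching_element(value) is not None


# Constructed sample groups; the addresses and account names are made up.
TRUSTED_IPS = UserDefinedGroup("Trusted IP Addresses", [
    ("Management subnet", "10.20.30.*", "Out-of-band management network"),
    ("Jump host", "10.20.31.5", "Bastion used by the on-call team"),
])

TRUSTED_ADMINS = UserDefinedGroup("Trusted Local Administrators", [
    ("Named admins", "CORP\\adm_*", "Personal administrator accounts"),
    ("Backup service", "CORP\\svc_backup", "Backup service account"),
])


def decide(event):
    """Evaluate two rules that reference the groups above against one event.

    Rule 1 (whitelist): malicious activity from a source in TRUSTED_IPS is never
    answered with a block; it is only logged.
    Rule 2 (watch list): a logon by a TRUSTED_ADMINS member raises a notification,
    because trusted accounts deserve closer scrutiny.
    `event` is a constructed dict; the returned labels are not LEM action names.
    """
    responses = []
    kind = event.get("type")
    if kind == "malicious_activity":
        source = event.get("source_ip", "")
        if source in TRUSTED_IPS:
            responses.append("log only: " + TRUSTED_IPS.matching_element(source))
        else:
            responses.append("block source")
    elif kind == "logon" and event.get("account", "") in TRUSTED_ADMINS:
        responses.append("notify: trusted administrator logon")
    return responses
```

Because the pattern is anchored, `10.20.30.*` matches `10.20.30.77` but not `10.20.300.1`, and the literal element `10.20.31.5` does not match `10.20.31.50`.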

Editing a data element in a User-Defined Group


1. Open the Build > Groups view.
2. In the Groups grid, double-click the User-Defined Group you want to work
with. The Edit pane opens, showing the Group's current configuration.
3. In the form's data element grid, select the data element you want to edit. The
Element Details form displays the data element's current configuration.
4. Make the necessary changes to the Element Details form.
5. Click Save to save your changes to the Group. The revised data element
appears in the data element grid.

Deleting a data element from a User-Defined Group


1. Open the Build > Groups view.
2. In the Groups grid, double-click the User-Defined Group you want to work
with. The Edit pane opens, showing the Group's current configuration.
3. In the form's data element grid, select the data element you want to delete.
4. Click the Delete button. The element is removed from the Group's data
element grid.

5. Click Save to save the changes to the Group.


The following table explains how to select periods in the Time of Day Set's time
grid.

To                        Do this
Select a period           Click an individual check box to select that period.
Select a group of         Click and drag to select a range of periods. You can drag up, down,
periods                   or diagonally.
Move a block of           Click the block of hours you want to move, holding down the mouse
selected hours            button so the pointer turns into a grabbing hand. Then drag the
                          hour block into its new position.
Duplicate a block of      Press the Ctrl key. Then click the block of hours you want to copy,
selected hours            holding down the mouse button so the pointer turns into a
                          grabbing hand. Then drag a copy of the hour block into position.
Invert your selection     Click the Invert button to select the opposite hours of the ones you
                          have manually selected.
                          This feature is useful when you want to select all but a few hours of
                          the day. You can select the hours that do not apply to the Time of
                          Day Set, and then click Invert to automatically select all of the
                          hours that do apply to the Time of Day Set. For example, if you have
                          your business hours selected, clicking Invert would select
                          everything outside of your business hours.
Delete a selected         Click the check box to clear that selection. You can also click and
period                    drag over a range of selected periods to clear those selections.

Configuring Connector Profiles


Most Agents in a network have only a few different connector configurations.
Because of this, the Group Builder lets you group Agents that share the same
configurations into Connector Profiles. Once you define a Connector Profile, your
rules and filters can use it to include or exclude the Agents associated with that
profile.
You can create as many Connector Profiles as you need to reflect each of your
common network security connector configurations. For example, you might set
up a standard user workstation profile, a web server profile, etc. SolarWinds
provides several default Connector Profiles that address common configurations.
One of the great benefits of using Connector Profiles is that you can maintain all
of the Agents in a profile at once by updating only the Connector Profile's
connector configuration. The Group Builder then propagates your changes to all
of the Agents in the profile.
A well-planned set of Connector Profiles provides you with a versatile and
efficient method to update and maintain your Agents' connector configurations.

Connector Profile Rules


- An Agent can only be a member of one Connector Profile. It cannot be in
multiple profiles.
- Each Connector Profile you create only applies to the Manager that is
selected when you create it. If you need a similar Connector Profile for
another Manager, you must create it separately for the other Manager.


Creating a Connector Profile (general procedure)


Connector Profiles are created in the Build >Groups view. Creating a Connector
Profile is a two-step process:
1. Select the Agent that is to act as a template for the profile.
2. Add the Agents that are to be members of the profile. Upon saving, the
system applies the template Agent's connector configuration to every other
Agent that you added to the profile.
When you select an Agent for use as a template, select one whose configuration is
very similar to how you want the profile's final connector configuration to look.
One trick is to prepare a template Agent in advance, by manually configuring an
Agent that you know will be a member of the new profile. Edit its connectors
exactly how you want them. Then use the Agent as the template for the new
profile. This minimizes your need to edit the profile's connector configuration
later on.
The complete procedure for creating a Connector Profile is given below.
Step 1: Selecting a template for the profile

In this procedure, you will create, name, describe, and select a template for the
new Connector Profile.
To create a Connector Profile:
1. Open the Build > Groups view.
2. On the Groups grid connector bar, click the add button, and then click
Connector Profile. The Connector Profile form appears.


3. In the Name box, type a name for the Connector Profile.


4. In the Description box, type a brief description of the Connector Profile and
its intended use.
5. In the Manager list, select the Manager on which this Connector Profile is to
reside. If you are editing an existing Group, this field shows the Manager on
which it resides.
Note: If the Manager you want is not listed, go to Manage > Appliances and
log on to that Manager. You must be logged on to a Manager before you can
create Groups for it.
6. In the Template list, select the Agent with the connector configuration this
profile is to be based on. If you do not want to use a template, select None.
Note: For best results, always select a template when creating a new
Connector Profile. Otherwise, the profile will delete the connectors on every
Agent in the profile.
If you do not want to use a template, then be sure to click Edit Connectors
and add connectors to the profile before you add Agents and save the
profile. If you do not, there will be no connectors in the profile; and upon
saving, any Agents in that profile will have theirs deleted. Treat that as a
monitoring outage: until their connectors are restored, those Agents collect
nothing for the Manager.
7. Click Save. The new Connector Profile appears in the Groups grid.
Step 2: Selecting the Agents that are members of the profile

Now you will select the Agents that are to be members of the Connector Profile.
These Agents are governed by the Connector Profiles connector configuration.


The Connector Profile form contains two list boxes. The Available Agents box
lists each Agent that is associated with the Manager but is not in the Connector
Profile. The Selected Agents box lists those Agents that are in the Connector
Profile.
To add Agents to a Connector Profile:
1. In the Groups grid, locate the new Connector Profile you just created.
2. Double-click the Connector Profile to re-open it. The profile appears in the
Connector Profile form. As you can see, the Agent you selected as a
template appears in the Selected Agents list, by default.
3. In the Available Agents list, select an Agent that you want to add to the
Connector Profile. Or, in the Selected Agents list, select an Agent that you
want to remove from the Connector Profile.
4. Use the appropriate arrow button to add or remove Agents to or from the
profile. The four arrow buttons do the following:
- Move the selected Agent from the Available Agents list to the Selected
Agents list (and into the profile).
- Move all Agents from the Available Agents list to the Selected Agents list
(and into the profile).
- Move the selected Agent from the Selected Agents list back to the Available
Agents list (and out of the profile).
- Move all Agents from the Selected Agents list back to the Available Agents
list (and out of the profile).

5. Click Save to save the Connector Profile. Upon saving, the system applies
the template Agents connector configuration to every other Agent that you
added to the profile.
Note: If you remove an Agent from a Connector Profile (that was previously
saved with that profile), the Agent retains the profile's connector
configuration, but will no longer have membership in the profile.
Troubleshooting tip

At times, not all of the Agents in a Connector Profile will use the same logging
path for a particular connector. You can verify this by checking the Agents'
configured connector status. If a connector has a status of Not Running, it is
likely that connector has a different logging path.
To correct this problem, you may want to add another connector instance to the
profile's connector catalog that points to the alternative logging path. Or, you can
create a new profile that has the alternative logging path.

Editing a Connector Profile's Connector Settings

When editing a Connector Profile, you can use the Connector Profile form's Edit
Connectors command to add, edit, or delete the connector instances associated
with the profile. When doing this, be aware that when you change a Connector
Profile, you change the connector configuration of every Agent that is associated
with that Connector Profile.
When editing an individual Agent, you have to stop and start each connector
instance, because you are making direct changes to the running configuration of
the Agent. But when editing a Connector Profile's configuration, you do not need
to stop or start each connector instance. However, you must still activate the
changes.
This difference is because any time you edit a Connector Profile's connector
configuration, you are working on the profile's configuration data, not an actual
Agent. When editing a Connector Profile, you do not actually change the Agents
that are members of the profile until you click Activate. Upon activating, the
system automatically sends the changes out to every Agent that is a member of
that profile, stops each connector instance, makes the changes, and then restarts
each connector instance.

Opening a Connector Profile's Settings

1. Open the Build > Groups view.
2. In the Groups grid, locate the Connector Profile you want to edit.
3. Do one of the following:
- Double-click the Connector Profile you want to edit.
- Click the gear button and then click Edit.
The Connector Profile pane opens, showing the Agents that are in the
profile.
4. At the bottom of the Connector Profile form, click Edit Connectors. The
Connector Configuration for [Connector Profile] form appears. The form's
Connectors grid contains all of the connector instances that define the
Connector Profile.

Adding a New Connector Instance


1. On the Connectors grid, select the connector you want to configure.
2. Click New.
3. Update the connector settings using the Properties form.
4. Click Save.
5. Do one of the following:
- Click Activate to apply your changes to every Agent associated with
the Connector Profile.
- Click Discard to discard your changes and reload the connector's
previous configuration.
6. Click Close to return to the Groups grid.

Editing a Connector Profile's Connector Settings

1. In the Connectors grid, select the connector instance you want to edit.
2. Click the row's gear button and then click Edit.
3. In the Properties form, update the connector settings, as needed.
4. Click Save.
5. Do one of the following:
- Click Activate to apply your changes to every Agent associated with
the Connector Profile.
- Click Discard to discard your changes and reload the connector's previous
configuration.
Troubleshooting tip: At times, not all of the Agents in a profile will use the
same logging path for a particular connector. You can verify this by checking
the Agents' configured connector status. If a connector has a status of Not
Running, it is likely that connector has a different logging path. To correct
this problem, you may want to add another instance to the connector profile's
connector catalog that points to the alternative logging path. Or, you can
create a new profile that has the alternative logging path.
6. Repeat this procedure for each connector instance you want to reconfigure.
7. Click Close to return to the Groups grid.

Managing Rules
The topics in this section explain how to manage your rules. Many management
tasks can be done from the Rules grid, or in Rule Builder as you are configuring
a rule.

Creating Rules
In the Build > Rules view, the Rule Creation tool is used to configure new rules
and to edit existing rules.
Like filters, you create rules by configuring conditions between alert variables
and other components, such as Time of Day Sets, User-Defined Groups, Constants,
etc. However, rules go a step further. They let you correlate alert variables with
other alerts and their alert variables.
By correlate, we mean you can specify how often and in what time frame the
correlations must be met before the rule is triggered. The combined correlations
dictate when the rule is to initiate an active response.
You can configure rules to fire after multiple alerts occur. The Manager will
remember alerts if they meet the rule's basic conditions. It waits for the other
conditions to be met, too. If they are, the Manager fires the rule. The rule does not
take action until the alerts meet all of the conditions and correlations defined for
that rule.
The possibilities for rules are endless. Therefore, this section describes how to
create rules only in very general terms. This section is not intended to be a
tutorial, but rather a reference for you to fall back on if you are unclear about how
any part of Rule Creation works.
Caution: Practice with filters before creating rules
The connectors in Rule Creation are very similar to those found in Filter
Creation. However, filters report event occurrences; rules act on them. There is
no harm if you create a filter that is unusual or has logic problems. But this is not
always the case with rules. Rules can have unexpected and sometimes
unpleasant consequences if they are not configured exactly as you intend them to
be.
Inexperienced users should use caution when creating rules. Creating filters is an
excellent way to familiarize yourself with the logic and connectors needed to
create well-crafted rules. You should only begin configuring rules after you are at
ease with configuring filters. Even then, always test your rules before
implementing them.

Rule Creation Features

The topics in this section describe the key features of the Rule Creation view, the
rule window, and the Correlations box, which are all used to configure and edit
policy rules.
- The Rule Creation view is a different view of the Rules view that allows
you to configure and edit policy rules.
- The rule window is the window that you will use to view, configure, and edit
your policy rules.
- The Correlations box is a component of the rule window that is used to
configure the specific correlations that define the rule.

The following table describes the key features of the Rule Creation connector. The
topics that follow discuss some of these features in greater detail.

Back to Rules Listing: Click this button to hide Rule Creation and return to the
Rules grid. Rule Creation remains open in the background, so you can return to
it to continue working on your rules. In the Rules grid, clicking Back to Rule
Creation will return you to Rule Creation.

List pane: The list pane is the accordion list to the left. It contains categorized
lists of the components you can use when configuring policy rules. It behaves
exactly like the list pane in Filter Creation. To view the contents of a
component list, click its title bar. To add a component to a rule, select it from
its list and then drag it into the appropriate correlation box.

Rule window: Each rule you create or edit appears in its own rule window. This is
where you name, describe, configure, edit, test, verify, and enable each rule.
You can have multiple rule windows open at the same time. You can also minimize,
maximize, resize, and close each window, as needed.

Minimized rule window bar: Any minimized rule windows appear in the bar at the
bottom of the Rule Creation pane, behind the active rule window. Each minimized
window shows the name of its rule. Clicking a minimized rule opens that rule in
the Rule Creation pane.

Advanced Thresholds
Whenever a Group threshold or the Correlation Time form's Events within box
has a value greater than 1, the Set Advanced Thresholds button becomes
enabled. This button opens the Set Advanced Thresholds form, so you can
define an alert event threshold and the re-inference period for that threshold. The
threshold tells the Manager which specific alert fields to monitor to determine if a
valid alert event has occurred (i.e., when to count the alert).
For example:
- Threshold event x must occur multiple times on the same destination
computer with the frequency defined in the Correlation Time box.
- Or, threshold event y must occur on different destination computers with the
frequency defined in the Correlation Time box.
When the threshold event counter increases to the number shown in the Events
box, the threshold itself becomes true and triggers the next set of conditions in the
rule.


Opening the Set Advanced Threshold form

- In the Correlations box, click the Set Advanced Threshold button on the nested
group you want to work with.
- In the Correlation Time box, click the Set Advanced Threshold button.

Setting an advanced threshold

1. Open the Set Advanced Thresholds form.
2. Select the Re-Infer (TOT) check box if you want to define a second
threshold. Then use the adjacent fields to type or select the threshold's time
interval and unit of measure.
The Re-Infer (TOT) option defines the period in which an alert must remain
above the threshold before the system issues a new notification and/or
active response.
For example, suppose an alert has exceeded the threshold, and the alert's
Re-Infer (TOT) period is 1 Hour. If the alert stays above the threshold for
more than 1 hour, the system will issue an additional notification or active
response at the end of 1 hour.
To add a Threshold field:
1. Click the Set Advanced Threshold button to open the Set Advanced
Thresholds form.
2. At the bottom of the form, click Add.
The Available Fields pane has two boxes. The top box lists all of the alerts
that have been applied to the rule's Correlations box. The bottom box lists
the alert fields associated with whichever alert is currently selected in the
top box.
3. In the top Available Fields box, select an alert. The fields associated with
that alert appear in the lower Available Fields box.
4. In the lower Available Fields box, select the alert field that is to help define
the alert threshold.
5. Below the Available Fields boxes, there is a drop-down list. It is called the
Select Modifier list. In the Select Modifier list, select the appropriate option:

- Select Same if the threshold is to be defined by the selected field
being the same multiple times.
- Select Distinct if the threshold is to be defined by the selected field
being different each time.
6. Click the add button. The field and its modifier appear in the Selected Fields
grid.
7. Repeat Steps 2 through 6 for any additional threshold fields.
8. Click OK to save the fields to the threshold and close the form; otherwise,
click Cancel. These fields now raise the threshold for the correlation event
and its active response to occur.

Editing threshold fields

You cannot actually edit a threshold field. Instead, you must delete it, and then
replace it with a corrected field configuration.
To replace a threshold field:
1. Click the Set Advanced Threshold button to open the advanced threshold you
want to work with.
2. In the Selected Fields list, click the Delete button to remove the field you
want to change.
3. In the Available Fields list, select the appropriate alert, and then the alert
field.
4. In the Select Modifier list, select the new modifier for the field (Same or
Distinct).
5. Click the add button. The corrected field and its modifier appear in the
Selected Fields box.
6. Click OK to close the form.
Deleting a threshold field

1. Click the Set Advanced Threshold button to open the advanced threshold you
want to work with.
2. In the Selected Fields list, select the field you want to delete.
3. Click the Delete button. The threshold field disappears from the Selected
Fields list.
4. Click OK to close the form.

Using the Actions box


In Rule Creation, the Actions box defines which action response the Manager is
to take whenever the correlation events specified by the rule occur. You can
assign more than one action to a rule. For example, you may want to shut down
an Agent, and then notify your system administrator of the event via email.
The fields in the Actions box indicate where the action is to be performed, what
the action is supposed to do, and to whom it is supposed to happen. For example,
if you want a rule to disable a user, you could select the action called Disable
Domain User Account. For the action to apply, you must specify which account
you want to disable, and where you want to disable it (that is, which Agent).

Using constants and fields to make actions flexible


When configuring an action, you can assign constants that define fixed
parameters for a rule. Or you can assign alert fields (from the alerts in the
Correlations box). Fields determine a rule's parameters when some degree of
flexibility is required. Constants and fields both have their uses. But fields can
provide actions with a great deal of flexibility.
Say you have two network users: Bob and Jane. To disable Bob's user account,
you could assign a constant to the rule that explicitly represents Bob's account.
But doing so limits the rule to Bob's account.
Now if you assign a field to the rule, the rule can be interpreted as follows: When
user activity meets the conditions in the Correlations box to prompt the Disable
Domain User Account action, use the alert's UserDisable.SourceAccount field
to determine which user account to disable.
If Bob triggered the rule, the Manager disables Bob's account. But if Jane also
triggers the rule, the Manager can disable her account, too.
Keep in mind that a field-bound response acts on whatever account the triggering
alert names: anyone who can generate the correlated events against an account of
their choosing can use such a rule to lock that account out. Run rules with
disabling or blocking responses in test mode first.
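The Same and Distinct threshold fields, the Re-Infer (TOT) period and the difference between a constant and a field-bound action parameter are easiest to see running. The toy correlation engine below is an added example and is not SolarWinds code or the LEM rule engine: the event name UserLogonFailure, its SourceAccount and DestinationMachine fields, the DisableDomainUserAccount response strings and the stream of logon failures are all constructed. Two behaviours are assumptions of the toy rather than documented LEM behaviour: with no TOT the counter restarts after each response, and with a TOT the rule responds again only after the TOT has elapsed while the condition persists (the manual's 1-hour example is shortened to 10 minutes so the effect fits in a short stream).

```python
"""Toy correlation engine for LEM-style rule thresholds (added example, not
SolarWinds code). Event name, field names, response strings and the alert
stream are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2015, 9, 1, 9, 0, 0)
FIVE_MIN = timedelta(minutes=5)

def alert(minutes, account, machine):
    """Constructed alert: one logon failure 'minutes' after T0."""
    return {"event": "UserLogonFailure", "time": T0 + timedelta(minutes=minutes),
            "fields": {"SourceAccount": account, "DestinationMachine": machine}}

class CorrelationRule:
    """Fire when 'count' alerts of 'event' arrive within 'window'.
    same:     fields that must hold the same value (Same modifier); alerts are
              counted separately per combination of these values
    distinct: fields whose value must differ each time (Distinct modifier)
    re_infer: Re-Infer (TOT) period; None means the counter restarts after each
              response (an assumption of this toy)
    action:   callable(alert) -> response string"""

    def __init__(self, event, count, window, same=(), distinct=(),
                 re_infer=None, action=None):
        self.event, self.count, self.window = event, count, window
        self.same, self.distinct = tuple(same), tuple(distinct)
        self.re_infer, self.action = re_infer, action
        self._buckets = defaultdict(list)   # Same-key -> [(time, Distinct values)]
        self._last_fired = {}               # Same-key -> time of last response

    def feed(self, a):
        """Return the response if this alert makes the rule fire, else None."""
        if a["event"] != self.event:
            return None
        now = a["time"]
        key = tuple(a["fields"][f] for f in self.same)
        dist = tuple(a["fields"][f] for f in self.distinct)
        bucket = self._buckets[key]
        bucket[:] = [(t, d) for t, d in bucket if now - t <= self.window]  # slide window
        if self.distinct and any(d == dist for _, d in bucket):
            return None                     # repeat of a Distinct value: not counted
        bucket.append((now, dist))
        if len(bucket) < self.count:
            return None
        if self.re_infer is None:
            bucket.clear()                  # counter restarts after the response
        else:
            last = self._last_fired.get(key)
            if last is not None and now - last < self.re_infer:
                return None                 # still above threshold, inside the TOT
            self._last_fired[key] = now
        return self.action(a) if self.action else "fired"

def disable_from_field(field):
    """Field-bound parameter: the account comes from the triggering alert."""
    return lambda a: f"DisableDomainUserAccount({a['fields'][field]})"

def disable_constant(account):
    """Constant parameter: always the same account, whoever triggered the rule."""
    return lambda a: f"DisableDomainUserAccount({account})"

def run(rule, alerts):
    """Feed alerts in order; return (minutes after T0, response) per firing."""
    out = []
    for a in alerts:
        r = rule.feed(a)
        if r is not None:
            out.append((int((a["time"] - T0).total_seconds() // 60), r))
    return out

# Constructed stream: Bob hammers SRV1 for a while; Jane tries three machines.
STREAM = [alert(0, "bob", "SRV1"), alert(1, "bob", "SRV1"), alert(2, "jane", "SRV1"),
          alert(3, "bob", "SRV1"), alert(4, "jane", "SRV2"), alert(5, "jane", "SRV3"),
          alert(6, "bob", "SRV1"), alert(7, "bob", "SRV1"), alert(8, "bob", "SRV1"),
          alert(12, "bob", "SRV1"), alert(13, "bob", "SRV1"), alert(70, "bob", "SRV1")]

def brute_force_same_account(action):
    """3 failures within 5 minutes, Same SourceAccount."""
    return run(CorrelationRule("UserLogonFailure", 3, FIVE_MIN,
                               same=("SourceAccount",), action=action), STREAM)

def spray_distinct_machines():
    """3 failures within 5 minutes by one account, Distinct DestinationMachine."""
    return run(CorrelationRule("UserLogonFailure", 3, FIVE_MIN, same=("SourceAccount",),
                               distinct=("DestinationMachine",)), STREAM)

def brute_force_with_tot():
    """As brute_force_same_account, with a 10-minute Re-Infer (TOT) period."""
    return run(CorrelationRule("UserLogonFailure", 3, FIVE_MIN, same=("SourceAccount",),
                               re_infer=timedelta(minutes=10)), STREAM)

if __name__ == "__main__":
    print(brute_force_same_account(disable_from_field("SourceAccount")))
    print(brute_force_same_account(disable_constant("bob")))
    print(spray_distinct_machines())
    print(brute_force_with_tot())
```

Run as a script it prints four lists. The field-bound action disables bob (minute 3), then jane (minute 5), then bob again (minute 8); the constant-bound action disables bob all three times, including when Jane's failures fired the rule. The Distinct variant fires once, at minute 5, when Jane's failures span three different machines, and never for Bob, whose repeated SRV1 failures count only once. With the TOT set, Bob's sustained burst produces a response at minute 3 and a repeat at minute 13 rather than at minute 8, because the condition stays above threshold inside the TOT.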

Configuring a Rule's Actions

Use the following high-level procedure to configure a rule's actions.
To configure a rule's actions:
1. In the list pane, click the Actions list to open it.
2. Select the action you want, then drag it to the rule window's Actions box.
The top left of the Actions box shows the name of the action that is to be
taken. In most cases, the Actions form will prompt you for specific
parameters about the computer, IP address, port, alert, user, etc., that is to
receive the action.
3. Use the list pane to assign the appropriate alert field or constant to each
parameter:
- In the Events or Event Groups lists, select an appropriate alert field
for each parameter, and drag it to the appropriate parameter box in the
Actions form.
- When needed, in the Constants list, select a constant for a parameter,
and then drag it to the appropriate parameter box in the Actions form.
Typically, you will select a text constant. Once the constant is in place,
double-click the parameter box to edit the constant.
4. Click Save to save your changes.

Adding a New Rule


Follow this general procedure whenever you want to create a new rule. Be sure to
test your rules before fully implementing them. Testing helps ensure that your
rules do not cause any unpleasant consequences.
To add a new rule:
1. Open the Build > Rules view.
2. On the Rule grid connector bar, click the add button. The Rule Creation
connector appears.
Note: At any time while you are configuring a rule, you can click the Back
to Rules Listing button to return to the Rules grid. Rule Creation remains
open in the background.
3. In the Name box, type a name for the rule. Note that the name also appears
on the form's title bar.
4. In the on list, select the Manager on which this rule is to reside.
5. In the in list, select the folder and sub-folder in which this rule is to be stored
in the Folders pane.
6. In the Description box, type a complete description of the rule, such as its use,
purpose, or behavior.
7. Configure the rule's correlations.
8. If needed, configure the rule's correlation time and advanced threshold.
9. Configure the rule's active response.
10. Apply the appropriate Enabled, Test, and Subscription settings.
- To assign rule subscribers, click the Subscribe list, and then click the
check box for each user who is to subscribe to the rule.
- If you want to use the rule immediately upon saving it, select the
Enabled check box.
- If you want to operate the rule in test mode before fully activating it,
select the Test check box. It is highly recommended that you operate
each new rule in test mode to confirm that the rule behaves as
expected.
11. When you are satisfied with the rule's configuration, click Save.
Note: You can also click Apply to save your changes without closing the
form.
The Rules grid appears. The new rule appears in the Rules grid and in the
Folders pane, in the folder you designated for the rule.
12. To begin using (or testing) the new rule, click Activate Rules.


Rule Window Features

Each rule you create or edit appears in its own rule configuration window. You
will use these windows to design and edit custom policy rules. You can use the
rule window to name, describe, configure, edit, enable, and test your custom
rules.

The following table describes each key feature and field of a rule window.

Title bar: Each rule you create or edit appears in its own configuration window.
Upon naming a rule, the window's title bar displays the name of the rule. You can
also use the title bar to minimize, maximize, and resize the rule window.
Minimized rule windows appear at the bottom of the Rule Creation pane.

Name: Type a name for the rule.

on: When creating a new rule, use this list to select which Manager the rule is to
be associated with. Otherwise, when editing a rule, this field displays which
Manager the rule is associated with.

in: Select the folder (in the Folders pane) in which the rule is to be stored.

Description: Type a description of what the rule does, or the situation for which
the rule is intended. If the description extends beyond the visible area of the
text box, a larger text box appears, so you can type a detailed description of the
rule, its logic, its expected behavior, and its active response. When you are
done typing, either press Tab or click anywhere outside the text box to close it.

Enable: Select this check box to enable the rule. Clear this check box to disable
the rule.

Test: Select this check box to place the rule in test mode. Clear this check box
to take the rule out of test mode.
Note: You must enable a rule before you can test it.

Subscribe: Use this list to select which Console users are to subscribe to the
rule. This means the system will notify the subscribing users' Consoles each
time one of the subscribed-to rules triggers an alert. The alerts will appear in
their alert grid.

Rule Status: The Rule Status bar lists warnings and error messages about your
rule's current configuration logic.
- Click > to view a list of warning and error messages.
- Click a message flag to see detailed information about the nature of that
problem.
- Click a message to highlight the specific area or field that is the source of
that problem.

Correlations: Use the Correlations box to configure correlations between groups
of alert events. You can coordinate multiple alert events into a set of
conditions that will prompt the Manager to issue a particular active response.
You set up correlations by dragging items from the Events and Event Groups
lists into this box, and then setting the specific conditions for the alert that
are to prompt action.
The Correlations connector bar lets you group alert conditions, and determine if
they must all apply (an AND correlation) or if any of them may apply (an OR
correlation) to prompt a response.

Correlation Time: Use the Correlation Time box to establish the allowable
frequency and time span in which the correlation events must occur before the
rule applies.
The Advanced section lets you define an alert event threshold, and the
re-inference period for the threshold. The threshold tells the Manager which
specific fields to monitor to determine if a valid alert event has occurred
(i.e., when to count the alert).
The box's Advanced section also lets you define a Response Window that lets
the rule ignore any events that occur outside (past or future) of the
established period.

Actions: Use the Actions box to dictate which actions the rule is to execute
when the events described in the Correlations and Correlation Time boxes occur.
Examples of actions include sending an email message to your system
administrator, or blocking an IP address.

Undo/Redo: Click the Undo button to undo your last desktop action. You can
click the Undo button repeatedly to undo up to 20 steps. Click the Redo button
to redo a step that you have undone. You can click the Redo button repeatedly
to redo up to 20 steps. You can only use Undo or Redo for steps you made since
the last time you clicked Apply.

Save/Cancel/Apply: Use these commands to save or cancel your work:
- Click Save to save your changes to a rule and close the rule window.
- Click Cancel to cancel any changes you have made to a rule since the last
time you clicked Save, and close the rule window. If you have any unsaved
changes, the system will prompt you to save or discard them.
- Click Apply to save your changes to a rule, but keep the rule window open so
you can continue working. You can click Apply at any time.

Correlations Box Features


To create a rule, you drag items from the list pane into the rule window's
Correlations box to configure the relationships (or correlations) that define the
rule. These correlations define the events that must occur for the rule to take
effect.
Creating rule correlations is a lot like configuring conditions for custom filters, so
the Correlations box in Rule Creation behaves a lot like the Conditions box in
Filter Creation. The following table describes each item shown in the
Correlations box.

Expand/Collapse buttons: Groups can be expanded or collapsed to show or hide
their settings. Click > to expand a collapsed group; click the collapse button to
collapse an expanded group. Once a group is configured properly, you may want
to collapse it to avoid accidentally changing it.

Group button: This button appears at the top of every group box. Click it to
create a new group within the group box. A group within a group is called a
nested group. You may then drag alert variables and other items from the list
pane into the nested group box.
By using nested groups, you can refine correlations by combining or comparing
one group of correlations to another to create the logic for complex
correlations. Each group is subject to AND and OR relationships with the groups
around it and within it. By default, new groups appear with AND comparisons.

Threshold button: Opens the Threshold form for a group. The Threshold form is
described below.

Delete button: Appears at the top of every Group box and every correlation.
Click this button to delete a correlation or a particular group. Deleting a
group also deletes any groups that are nested within that group.

Event variable: From the Events, Event Groups, or Fields list, drag an alert,
Event Group, or alert field into the Correlations box. This is called the alert
variable. A rule can have multiple alerts and Event Groups in its correlation
configuration.
You can think of an alert variable as the subject of each group of
correlations. As alerts stream through the Manager, the rule analyzes the
values associated with each alert variable to determine if the alert meets the
rule's conditions. If so, the Manager either initiates an active response, or
stores the alert for comparison with other alerts that may occur within the
rule's allotted time frame.

Operators: Whenever you drag a list item or a field next to an alert variable,
an operator icon appears between them. The operator states how the rule is to
compare the alert variable to the other item to determine if the alert meets
the rule's conditions.
- Click an operator to cycle through the various operators that are available
for that comparison. Just keep clicking until you see the operator you want
to use.
- Ctrl+click an operator to view all of the operators that are available for
that comparison. Then click to select the specific operator you want to use.

List item: List items are the various non-alert items from the list pane. You
drag and drop them into groups to define rule correlations based on your Time
Of Day Sets, Connector Profiles, User-Defined Groups, Constants, etc.
Some alert variables automatically add a blank Constant as their list item. You
can overwrite the Constant with another list item, or you can click the
Constant to type or select a specific value for the constant.
Note that each list item has an icon that corresponds to the list it came from.
These icons let you quickly identify what kinds of items are defining your
rule's correlations.

Threshold: The Threshold section lets you define a threshold for the
correlations in a Group box. You can think of a threshold as a correlation
frequency for the grouping; that is, the number of times the events defined by
the group must occur within a specified period before the rule takes effect.
A group threshold behaves exactly like the threshold in the Correlation Time
box.

Set Advanced Threshold button: Whenever a group threshold's number of Events
within [time] is greater than 1, this button becomes enabled so you can open
the Set Advanced Thresholds form. This form lets you specify advanced threshold
fields and define an advanced response window for the alert fields within the
grouping.

AND/OR: Rule correlations and groups of correlations are subject to AND and OR
comparisons. If you click an AND operator, it changes to an OR, and vice versa.

Editing Rules
Whenever you need to edit a rule's name or configuration, you use the Rule Creation tool to make the necessary changes to the rule. When needed, you can edit multiple rules at the same time.
It is not necessary to disable a rule before editing it. When you edit a rule, you are editing a local copy until you save and activate it. If the rule was enabled when you began editing it, it will continue to be enabled while you work on the new version. When you save the new version and then click Activate Rules, the Manager replaces the original rule with the new version.
To open rules for editing:
1. Open the Build > Rules view.
2. In the Folders pane, click the folder that contains the rules you want to edit. The Rules grid displays the rules associated with the selected folder and its sub-folders.
3. In the Rules grid, click to select the rule (or rules) you want to edit.
4. Open the rules for editing as follows:
• To edit a single rule, either double-click the rule, or click the row's gear button and then click Edit.
• To edit multiple rules, click the grid's gear button and then click Edit.
Rule Creation appears, showing the rule's current configuration. If you opened multiple rules, they all appear as "cascaded" windows. You may now edit the rules.
Locked rules
If a prompt like the one shown here appears, it means another user is already editing one of the selected rules and has those rules "locked."
In this case, you can do either of two things:
• You can proceed in a read-only fashion, which allows you to see the details of a rule.
• You can break the lock and take control over the rule, which means the other person will not be able to save any changes he or she makes to the rule.
To edit the rule:
1. Use Rule Creation to make any necessary changes to the rule's name, Manager, folder, description, enabled status, test-mode state, correlations, correlation time, or actions.
• If you want to use the rule immediately upon saving it, select the Enable check box.
• If you want to try the rule in test mode, select the Test check box.
2. Click Save. The Rules grid appears.
3. To begin using (or testing) the rule's new configuration, click Activate Rules.

Subscribing to a rule
You can assign rules to specific Console users, which means those users will subscribe to those rules. The system will then notify the subscribing users' Consoles each time one of the subscribed-to rules triggers an alert. The alerts will appear in their Monitor view's alert grid.
Rule subscriptions can be used in conjunction with filters and reports to monitor activity for specific rules. Each user can subscribe to as many different rules as needed.
You can assign subscriptions in Rule Creation while you are creating the rule, or anytime later directly from the Rules grid.
To manage rule subscribers from the Rules grid:
1. Open the Build > Rules view.
2. In the Folders pane, click the folder that contains the rule you want to work with.
3. In the Rules grid, select the rules you want to work with.
4. On the Rules grid toolbar, click Subscribe. The Subscribe list opens. It only includes those Console users who are associated with the same Manager as the selected rule.
A check box with a gray background means the user already subscribes to one or more of the selected rules, but not all of them.
5. Select the check box for each Console user who is to subscribe to the selected rules:
• Select an empty user's check box to have that user subscribe to all of the selected rules.
• Clear a gray user's check box to remove the user's subscription to all of the selected rules.
• Clear a gray user's check box and then select it again, to have that user subscribe to all of the selected rules. Remember, these users are already subscribed to some rules, but not all of them. This procedure assigns all of the selected rules to that user.
As you can see, if you have multiple rules selected, each subscription change affects every selected rule.
6. Click Subscribe again to close the list. The selected Console users now subscribe to the selected rules.
To add rule subscribers from Rule Creation:
1. With a rule open in Rule Creation, click Subscribe. The Subscribe list opens. It only includes those Console users who are associated with the same Manager as the selected rule.
2. Manage the rule's subscribers as follows:
• Select the check box for each Console user who is to subscribe to this rule.
• Clear the check box for each subscriber who is no longer to subscribe to this rule.
3. Click Subscribe again to close the list.
4. Click Save. The selected Console users now subscribe to the rule.

Enabling a rule
The Manager only uses rules that are enabled. It ignores all other rules. Therefore, the Manager cannot use rules until you enable them. You can enable rules from the Rules grid, or directly from Rule Creation. In either case, the Enable check box lets you turn a rule on and off.
Note: In the Rules grid, you can enable multiple rules at the same time. However, this command acts as a toggle on each individual rule that is selected. For example, if one rule is disabled and another is enabled, performing this command on both rules at the same time will invert the settings of both rules. So the first rule would become enabled, and the second would become disabled. Therefore, when performing this command on multiple rules, you will typically want to select only those rules that already have the same Enabled/Disabled state.
To enable rules from the Rules grid:
1. Open the Build > Rules view.
2. In the Folders pane, select the folder that contains the rules you want to enable.
3. In the Rules grid, select the rule (or rules) you want to enable.
4. Enable the rules as follows:
• To enable a single rule, click the row's gear button and then click Enable.
• To enable multiple rules, click the grid's gear button and then click Enable.
In the Rules grid, the rules' Enabled icons become active, which means the rules are now enabled. However, the Manager cannot begin using these rules until you activate them.
5. Click Activate Rules to begin using the rules.
To enable a rule from Rule Creation:
1. With a rule open in Rule Creation, select the Enable check box.
2. When you are finished configuring the rule, click Save. The Rules grid appears, with the enabled icon appearing in the rule's Enabled column. This icon means the rule is now enabled. However, the Manager cannot begin using the rule until you activate it.
3. Click Activate Rules to begin using the rule.

Placing rules in test mode


Before fully enabling a rule, you can try it out in test mode. In test mode, the Manager processes the rule's alert messages as it normally would, but without performing any of the rule's actions. This lets you see how the rule will behave when it is activated, without any possible disruption to your network.
Note: In the Rules grid, you can change the test mode of multiple rules at the same time. However, this command acts as a toggle on each individual rule that is selected. For example, if one rule is in test mode and another isn't, performing this command on both rules at the same time will invert the settings of both rules. So the first rule would move out of test mode, and the second would move into test mode. Therefore, when performing this command on multiple rules, you will typically want to select only those rules that already have the same Test On/Test Off state.
To place rules in test mode in the Rules grid:
1. Open the Build > Rules view.
2. In the Folders pane, select the folder that contains the rules you want to test.
3. Check the rules' Enabled status. If any of the rules you want to test show a "disabled" icon, then they need to be enabled. You can do this by clicking the row's gear button and then clicking Enable. In the Rules grid, the enabled icon appears in the rule's Enabled column to indicate that the rule has been enabled.
4. In the Rules grid, select the rule (or rules) you want to test.
5. Place the rules in test mode as follows:
• To put a single rule in test mode, click the row's gear button and then click Test On.
• To put multiple rules in test mode, click the grid's gear button and then click Test On.
In the Rules grid, the test icon appears in the rules' Test column to indicate that the rules are in test mode.
6. Click Activate Rules. The rules are now functional, but in test mode.
To remove a rule from test mode in the Rules grid:
1. Open the Build > Rules view.
2. In the Folders pane, select the folder that contains the rules you want to work with.
3. In the Rules grid, select the rule (or rules) you want to work with.
4. Remove the rules from test mode as follows:
• To remove a single rule from test mode, click the row's gear button and then click Test Off.
• To remove multiple rules from test mode, click the grid's gear button and then click Test Off.
In the Rules grid, the "disabled" icon appears in the rules' Test column to indicate that the rules are no longer in test mode.
5. Click Activate Rules. The rules are now fully functional.
To place a rule in test mode from Rule Creation:
1. Open the Build > Rules view.
2. In the Folders pane, click the folder that contains the rule you want to test.
3. In the Rules grid, click to select the rule you want to test.
4. On the Rules grid toolbar, click Edit. Rule Creation appears, showing the rule's current configuration.
5. Select the Enable check box.
6. Select the Test check box.
Note: To test a rule, you must have both Enable and Test checked. If only Enable is checked, the rule is completely enabled (that is, it is fully in use). If only Test is checked, the rule will not be enabled, which means the Manager will not be able to use it for testing.
7. Click Save. The Rules grid appears.
8. Click Activate Rules. The rule is now in test mode.
To fully activate a rule from Rule Creation:
1. Open the rule in Rule Creation, as described above.
2. Clear the Test check box.
3. Click Save.
4. On the Rule Builder toolbar, click Activate Rules. The rule is now fully functional.
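The following Python program is an added example, written for this guide and not part of LEM or its implementation. It models how the correlation concepts described in the Correlations table (an alert variable compared to a constant through an operator, correlations joined by AND or OR in a group, and a group threshold of N events within a time period) and the Enable/Test behaviour described under "Placing rules in test mode" fit together: a disabled rule is never evaluated, a rule in test mode is evaluated normally but performs no action, and an enabled rule performs its action only once the threshold is met. The operator set, the alert field names, the sample alerts and the hypothetical "Repeated logon failures" rule are all constructed for the example.

```python
"""Toy correlation-rule evaluator (illustrative code, not LEM's implementation)."""
from collections import deque
from dataclasses import dataclass, field
import operator

# Operators the toy engine understands. These are stand-ins for the operators
# you cycle through in Rule Creation, not LEM's actual list.
OPERATORS = {
    "=": operator.eq,
    "!=": operator.ne,
    ">": operator.gt,
    "<": operator.lt,
    "contains": lambda left, right: right in left,
}


@dataclass
class Correlation:
    """One alert variable compared with a list item or constant via an operator."""
    alert_field: str   # the alert variable, e.g. "EventType" (constructed name)
    op: str
    value: object      # the list item or constant; here always a plain constant

    def matches(self, alert):
        return self.alert_field in alert and OPERATORS[self.op](alert[self.alert_field], self.value)


@dataclass
class Group:
    """A Group box: items joined by AND or OR, with a threshold of
    `threshold_count` matching events within `threshold_seconds`."""
    items: list
    join: str = "AND"
    threshold_count: int = 1
    threshold_seconds: float = 0.0
    _hits: deque = field(default_factory=deque, repr=False)

    def matches(self, alert):
        combine = all if self.join == "AND" else any
        if not combine(item.matches(alert) for item in self.items):
            return False
        if self.threshold_count <= 1:
            return True  # threshold of 1: the group is satisfied on the first match
        # Sliding window: remember this match, forget matches older than the period.
        self._hits.append(alert["time"])
        while alert["time"] - self._hits[0] > self.threshold_seconds:
            self._hits.popleft()
        return len(self._hits) >= self.threshold_count


@dataclass
class Rule:
    name: str
    correlations: Group
    actions: list = field(default_factory=list)  # responses the rule has performed
    enabled: bool = False
    test_mode: bool = False

    def process(self, alert):
        """Return what the Manager did with this alert for this rule."""
        if not self.enabled:
            return "ignored"        # a disabled rule (Test without Enable included) is never used
        if not self.correlations.matches(alert):
            return "no_match"
        if self.test_mode:
            return "matched_test"   # processed as normal, but the action is not performed
        self.actions.append(f"{self.name}: respond to {alert['SourceMachine']}")
        return "fired"


# Constructed sample alerts (not real LEM data). "time" is seconds since start.
SAMPLE_ALERTS = [
    {"time": 0,   "EventType": "UserLogonFailure", "SourceMachine": "ws-17"},
    {"time": 10,  "EventType": "UserLogonFailure", "SourceMachine": "jumpbox"},
    {"time": 20,  "EventType": "UserLogonFailure", "SourceMachine": "ws-17"},
    {"time": 25,  "EventType": "UserLogon",        "SourceMachine": "ws-17"},
    {"time": 30,  "EventType": "UserLogonFailure", "SourceMachine": "ws-17"},
    {"time": 100, "EventType": "UserLogonFailure", "SourceMachine": "ws-17"},
]


def build_rule(enabled, test_mode):
    """Hypothetical rule: three logon failures within 60 s from any machine other
    than 'jumpbox'. A fresh copy is built each call so the threshold state is clean."""
    group = Group(
        items=[
            Correlation("EventType", "=", "UserLogonFailure"),
            Correlation("SourceMachine", "!=", "jumpbox"),
        ],
        join="AND",
        threshold_count=3,
        threshold_seconds=60,
    )
    return Rule("Repeated logon failures", group, enabled=enabled, test_mode=test_mode)


def run(rule, alerts=SAMPLE_ALERTS):
    """Stream the alerts through one rule and collect the outcome for each alert."""
    return [rule.process(alert) for alert in alerts]


if __name__ == "__main__":
    for enabled, test in [(True, False), (True, True), (False, True)]:
        rule = build_rule(enabled, test)
        print(f"Enable={enabled} Test={test}: {run(rule)} actions={rule.actions}")
```

With Enable on and Test off, the rule fires on the alert at 30 s (the third qualifying failure inside the 60 s window; the "jumpbox" failure never counts because the AND group rejects it) and stays quiet at 100 s because the earlier hits have aged out of the window. With Enable and Test both on, the same alert is reported as matched but the action list stays empty, which is what test mode is for. With Enable off, every alert is ignored, matching the note that Test alone does not let the Manager use the rule.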

Activating rules
Whenever you create a new rule or change an existing rule, you are working on a local copy of the rule. The Manager has no way of using the rule change until you activate it. Activating a rule tells the Manager to reload the enabled rules it is working on, which allows it to pick up the changes you just made. You must activate rules whenever you create a new rule, edit an existing rule, or make changes to a rule's Enabled/Disabled or Test On/Test Off status. Otherwise, the Manager will not recognize the change.
To activate rule changes, both the Rules grid and Rule Creation have an Activate Rules command. This command sends any new rule changes to the Manager for immediate use. In Rule Creation, the Activate Rules command leaves Rule Creation open so you can continue working.
To activate rules from the Rules grid:
1. Open the Build > Rules view.
2. Make any necessary changes to your rules.
3. On the Rules grid toolbar, click Activate Rules. The Manager activates any new rule changes and begins processing all enabled rules.
To activate rules from Rule Creation:
• At any time, in Rule Creation, click Activate Rules. The Manager activates any new rule changes and begins processing all enabled rules. However, Rule Creation stays open so you can continue working. The rule you are currently working on is not activated. It cannot be activated until it is first saved.

Disabling a rule
The Manager will continue to use any active rules, so long as they are enabled. If needed, you can easily turn off rules by disabling them. However, the Manager will continue to use those rules until you activate their new disabled status with the Activate Rules command.
Note: In the Rules grid, you can disable multiple rules at the same time. However, this command acts as a toggle on each individual rule that is selected. For example, if one rule is disabled and another is enabled, performing this command on both rules at the same time will invert the settings of both rules. So the first rule would become enabled, and the second would become disabled. Therefore, when performing this command on multiple rules, you will typically want to select only those rules that already have the same Enabled/Disabled state.
To disable rules from the Rules grid:
1. Open the Build > Rules view.
2. In the Folders pane, select the folder that contains the rules you want to disable.
3. In the Rules grid, select the rule (or rules) you want to disable.
4. Disable the rules as follows:
• To disable a single rule, click the row's gear button and then click Disable.
• To disable multiple rules, click the grid's gear button and then click Disable.
In the Rules grid, the Enabled column for each rule shows a disabled icon to indicate the rules are now inactive.
5. Click Activate Rules. The Manager stops processing the disabled rules.
To disable a rule from Rule Creation:
1. Open the rule you want to disable in Rule Creation.
2. Clear the Enable check box.
3. Click Save. The Rules grid appears.
4. Click Activate Rules. The Manager stops processing the disabled rule.

298

Chapter 13: Advanced Configurations

Cloning rules
The Clone command lets you copy any existing rule, make changes to the copy, and then save the copy with a new name in one of your Custom Rules subfolders. The benefit of cloning is that you can quickly create variations on existing rules. You clone a preconfigured rule, such as a rule from the Rules or NATO5 Rules folder, and then adjust the cloned copy to suit your specific needs.
Note: A cloned rule must be for the same Manager as the original rule. That is, you cannot clone a rule from one Manager and save it for another Manager.
To clone rules:
1. Open the Build > Rules view.
2. In the Folders pane, click the folder that contains the rule you want to clone.
3. In the Rules grid, click to select the rule you want to clone.
4. Click the row's gear button and then click Clone. The Clone Rule form appears.
5. In the Clone Name box, type a name for the cloned rule.
6. In the Folders list, select which Custom Rules folder is to store the cloned rule.
7. Click OK to save the cloned rule; otherwise, click Cancel. The newly cloned copy of the rule automatically opens in Rule Creation so you can begin making changes.

Importing a rule
You can import a rule from a remote source into a particular rule folder. For example, you may want to import a rule from one Manager to another. Or you can import a rule that is provided by SolarWinds. You may only import one rule at a time.
To import a rule to a rule folder:
1. Open the Build > Rules view.
2. On the Rules grid toolbar, click the gear button and then click Import. The Open form appears.
3. In the Look In box, browse to and open the folder that contains the rule you want to import.
4. Select the rule file you want to import. Rule files are always .xml files. The file you selected appears in the File Name box.
5. Click Open to import the file; otherwise, click Cancel. The Import Rules form appears.
6. In the Manager list, select which Manager the imported rule is to be associated with.
7. In the Folders list, click to select the rule folder that is to store the imported rule. You will need to click a folder's > icon to view its sub-folders.
8. Click Import. The system imports the rule into the designated rule folder.

Exporting rules
Exporting rules is useful for three reasons:
• You can export a rule from one Manager and import it into another Manager.
• You can export rules to save archived copies in a safe place.
• You can export rules to provide SolarWinds with a copy of your rule for technical support or troubleshooting purposes.
You can export multiple rules at the same time. The rules will be saved to a new folder that contains each rule.
To export rules:
1. Open the Build > Rules view.
2. In the Folders pane, select the folder that contains the rules you want to export. The Rules grid displays the rules in that folder.
3. In the Rules grid, select the rules you want to export.
4. On the Rules grid toolbar, click the gear button and then click Export. The Select Directory to Export Rule to form appears.
5. In the Save in box, locate the general area in which you want to save the exported rule folder.
6. In the File name box, type a name for the folder that is to contain the exported rules.
Note: Rules are saved as .xml files.
7. Click Save. The rules are exported and saved in the folder you specified. Each exported rule retains its name and the date and time on which it was exported.
If an Export Error message appears, it means one or more of the rules failed to export. If you are exporting multiple rules, the system exports as many as it can, and the message lists which rules failed to export and which ones succeeded. Click OK to close the form.

Deleting Rules
When needed, you can easily delete rules. You can delete one rule at a time, or you can delete multiple rules. Deleting a rule is permanent. Once a rule is deleted, it can only be restored by re-creating it or by importing a previously exported rule.
To delete rules:
1. Open the Build > Rules view.
2. In the Folders pane, select the folder that contains the rules you want to delete. The Rules grid displays the rules in that folder.
3. In the Rules grid, select the rule (or rules) you want to delete.
4. Delete the rules as follows:
• To delete a single rule, click the row's gear button and then click Delete.
• To delete multiple rules, click the grid's gear button and then click Delete.
5. At the Confirm Delete prompt, click Yes to delete the rules; otherwise, click No. The rules disappear from the Rules grid.
6. Click Activate Rules to notify the Manager that the rules were deleted.

Connector Configuration Features


The topics in this section describe key features of the Connector Configuration form, its grid columns, its icons, and how to use its Refine Results form.
After configuring a Manager's connectors, you must configure the sensor and actor connectors for each Agent that is associated with that Manager. The Connector Configuration form lets you connect the Agent's connectors to any supported products that are installed on or remotely logging to the Agent's computer. After the Agent connectors are configured, the Manager can monitor and interact with the products and devices on that computer.
Agent connectors run locally to monitor data on the Agent's computer. An Agent's sensors generally monitor log files, as well as data that is logged to the Agent's computer from remote devices that cannot have their own Agents. An Agent's active response connectors (actors) allow the Agent to receive instructions from the Manager and perform active responses locally, on the Agent's computer, such as sending pop-up messages or detaching USB devices.
Once you understand how the connectors work, the following procedures guide you through the configuration process needed to integrate LEM with your network security products and devices.
The Connector Configuration form has similar features, whether you are configuring or editing a Manager, an Agent, or a Connector Profile.
The following table describes the key features of the Connector Configuration form.

Sidebar button
Click the Sidebar button to alternately hide and open the form's Refine Results pane.

Refine Results pane
By default, the Connectors grid shows all of the products that are supported. The Refine Results pane lets you apply filters to the grid to reduce the number of products it shows. This way, you can show only those products that are configured for use with this Agent, or that are associated with a particular product category or status (Running or Stopped).

Connectors grid
The Connectors grid lists all of the sensor and actor connectors that are available to each Agent. These connectors are what allow LEM to monitor and interact with your network security products and devices.
Connectors are organized by category and product name. Each connector is named after the third-party product it is designed to configure for use with LEM.

Button
Click this button to create a new connector instance for the sensor or actor that is currently selected in the Connectors grid.

Properties pane
This pane displays detailed information about the connector that is currently selected in the Connectors grid.
• If the connector is not configured, this pane displays a description of the connector.
• If the connector is configured, this pane displays the configuration settings as read-only information.
Whenever you add or edit a connector, this pane turns into an editable form for recording the configuration settings.

Connectors Grid Columns
The following table briefly describes the meaning of each column in the Connector Configuration form's Connectors grid.

Gear button
The gear button opens a menu of commands that apply to the connector that is currently selected in the grid.

Status
Shows the connector's current connection status. A running icon means the connector is connected and running; a stopped icon means the connector is disconnected and not running.

Category
The high-level connector category, such as anti-virus connectors, firewall connectors, operating system connectors, etc.

Name
The name of the actor, sensor, or connector instance. Typically, connectors are named after the third-party products they are designed to configure for use with LEM.

Connectors Grid Icons
The following table describes the icons used in the Connector Configuration utility's node tree.

Blue connector icon (sensor)
A blue connector icon represents a sensor for a particular product. The sensor displays the name of the product it is designed to monitor. Each connector instance (or alias) that is currently configured to monitor that product is listed below the connector. If no connector instances are listed, it means the product, on this Agent computer, has not been configured for use with LEM.
Whenever you select a sensor in the grid, the lower pane displays the connector's name and a description of the sensor, when available.

Orange connector icon (actor)
The orange connector icon represents an actor for a product that can perform an active response. The actor displays the name of the product it is designed to interact with. Each connector instance (or alias) that is currently configured to initiate an active response on that product is listed below the connector. If no connector instances are listed, it means the product, on this Agent computer, has not been configured for use with LEM.
Whenever you select an actor in the grid, the lower pane displays the connector's name and a description of the actor, when available.

Sensor instance icon
This icon represents a configured instance of a sensor connector. Each sensor can have more than one instance, where each configuration is identified by a different name, called an alias. In the grid, each configured connector instance appears below its connector.
Whenever you select a sensor connector instance in the grid, the lower pane displays the sensor connector's name, and the connector instance's name (or alias) and configuration settings. The Status column displays each instance's current status: Stopped or Running.

Actor instance icon
This icon represents a configured instance of an actor connector. Each actor can have more than one instance, where each configuration is identified by a different name, called an alias. In the grid, each configured connector instance appears below its connector.
Whenever you select an actor connector instance in the grid, the lower pane displays the actor connector's name, and the connector instance's name (or alias) and configuration settings. The Status column displays each instance's current status: Stopped or Running.

Refining the Connectors Grid
By default, the Connectors grid shows every connector (sensor and actor) that can be configured for use with a particular Agent or Manager. To help you work more efficiently with a long list of connectors, the Refine Results pane lets you apply filters to the Connectors grid to reduce the number of connectors it shows.
When you select options in the Refine Results pane, the Connectors grid refreshes to show only those sensors and actors that match the options you have selected. The other connectors are still there; however, they are hidden. To restore them to the grid, click the Reset button or select All in the refinement lists you are using.
The following table explains how to use the Refine Results pane.

Reset
Click Reset to clear the form and return the Connectors grid to its default state (showing all connectors).

Search
Use this field to perform keyword searches for specific products, such as Cisco or McAfee. To search, type the text you want to search for in the text box. Then press Enter or click the magnifying glass symbol. The grid displays only those products that match or include the text you entered.

Configured Connectors
Select this check box to have the Connectors grid show only those connector instances that are currently configured for the Manager or Agent you are working with. Clear this check box to have the grid list both configured and unconfigured connectors.

Category
Select a high-level category to list the connectors that are available to support third-party products in that category. Each connector is named after the product it is designed to configure for use with LEM.
Note: If you cannot find a particular product, it is either not supported, or it is in a different category.

Status
Select Running to list all of the connectors that are currently running on the Manager or Agent you are working with. Select Stopped to list all of the connectors that are currently stopped on the Manager or Agent you are working with.

Chapter 14: Reports


Over time, databases accumulate a great deal of information. SolarWinds has
developed LEM Reports to provide a quick and easy way to extract data from
databases and present it in a useful form. Several standard reports that can be
modified are included in the Reports distribution, and you can create new reports
as necessary. Reports includes powerful tools to help format information and
easily preview reports before you display them. When you have finished editing
your reports, you can print them with the click of a button, and most reports are
enabled to be viewed through the Reports Console.
The following table describes the key features of Reports.
Menu Button
Click the Menu Button to open, save, or print a report, and to see everything else you can do with a report. This button has a similar function to the File menu used by earlier Windows programs.

Quick Access Toolbar
The Quick Access Toolbar is a customizable toolbar. It contains a set of commands that are independent of the tab that is currently displayed. You can customize the toolbar by adding buttons for the commands you use most often, and you can move the toolbar to two different locations.

Ribbon
The Ribbon is designed to help you quickly find the commands that you need to complete a task. Commands are organized in logical groups that are collected together under tabs. Each tab relates to a type of activity, such as running and scheduling reports, or viewing and printing reports. To save space, you can minimize the Ribbon, showing only the tabs.

Settings tab
Use the commands on this tab to choose the reports you want to run, open, and schedule, and to configure reports and the reports' data source settings.

View tab
Upon opening or running a report, the Ribbon automatically switches to the View tab, which has a toolbar for printing, exporting, resizing, and viewing the report.
If you click the View tab without having opened a report, the Preview pane shows a blank page. If you click the View tab and you have run a report, the Preview pane displays the contents of the report.

Grouping bar
You can use the yellow bar above the grid to group, sort, and organize the reports list.

Report list/Preview pane
By default, this section is a grid that displays a list of SolarWinds' Standard Reports. Upon selecting a different report category, the grid changes to list the reports that are in that category. You use this grid to select the report that you want to run or schedule. You can also filter and sort the grid to quickly find the reports you want to work with.
Upon opening or running a report, this section changes into a report Preview pane that displays the report. The Ribbon also automatically switches to the View tab, which has a toolbar for printing, exporting, resizing, or viewing the report.

About Reports
Reports allows you to select which Manager or data warehouse you want to
report on, select the reports you want to run, and schedule when you want to run
the reports. The system then automatically generates the reports according to
your schedule and settings.
You can run reports two different ways:
• Scheduled reports are reports that you configure to automatically run on their own, on a particular schedule, and without intervention.
• On-demand reports are those reports that you run only when you need them.
Reports can take quite a bit of time to run. The larger the report, the longer it takes. SolarWinds recommends that you schedule any reports that you intend to run frequently.

Reports features

Configuring report preferences

Managing report categories

Working with report lists

Running and scheduling reports

Managing reports

Viewing reports

Searching reports for specific text

Using the Select Expert tool

Printing reports

Opening Reports
1. Click the Start button and then click All Programs.
2. Point to the SolarWinds folder, and then click the Reports shortcut. After a moment, Reports appears.

Using the Quick Access Toolbar


The Quick Access Toolbar is a customizable toolbar. It contains a set of
commands that are independent of the tab that is currently displayed. You can
customize the toolbar by adding buttons for the commands you use most often,
and you can move the toolbar to two different locations.

The Quick Access toolbar

Default commands
By default, the Quick Access Toolbar shows the commands listed in the following table.
Open
Opens a report that has been saved in RPT format. The report opens in the Reports Preview pane in the View tab, where you can view, search, print, and export it. See "Opening your saved reports" on page 375.

Run
Runs the report that is currently selected in the report list. If the report requires any parameters, the Enter Parameter Values form appears. For the procedure on running reports, see "Running Reports on Demand" on page 351.

Refresh Report List
This command refreshes the report list for each report category. Use this command if you have added new report files, such as some new custom reports, and they are not showing up in the report list. This command accesses your computer's Reports directory, retrieves information about all of the reports, and rebuilds the lists for each report category.

Exit
Exits the Reports application.

Customizing the Quick Access Toolbar

You are not limited to the Quick Access Toolbars default commands. You can
customize the toolbar by adding or removing any command shown on the Ribbon.
In this manner, you can customize the toolbar with the commands you use most
often.

To customize the toolbar:

1. Click the drop-down list next to the Quick Access Toolbar. The Customize
   Quick Access Toolbar form appears.
2. Add and remove commands to the toolbar as follows:
   • To add a button to the toolbar, select the corresponding command's
     check box.
   • To remove a button from the toolbar, clear the corresponding command's
     check box.
   • To choose from a list of additional commands, click More Commands. Then
     use the form's Customize view to add or remove commands to the toolbar.

To add commands from the Ribbon:

1. On the Ribbon, click the appropriate tab or group to display the command
   that you want to add to the Quick Access Toolbar.
2. Right-click the command, and then click Add to Quick Access Toolbar on
   the shortcut menu.
   The command appears on the Quick Access Toolbar.

Moving the Quick Access Toolbar

The Quick Access Toolbar can be located in either of two places: in the
upper-left corner of the window, next to the Reports Button (its default
location), or below the Ribbon. If you don't want the toolbar to be displayed
in its current location, you can move it to the other location.

To move the Quick Access Toolbar:

1. Click the drop-down list next to the Quick Access Toolbar.
   The Customize Quick Access Toolbar form appears.
2. Do one of the following:
   • To move the toolbar below the Ribbon, click Show Quick Access Toolbar
     Below the Ribbon.
   • To move the toolbar above the Ribbon, click Show Quick Access Toolbar
     Above the Ribbon.
Minimizing the Ribbon

You cannot delete or replace the Ribbon with the toolbars and menus from the
earlier versions of Reports. However, you can minimize the Ribbon to make more
space available on your screen. When the Ribbon is minimized, you see only the
tabs.

Full Ribbon

Minimized Ribbon

To always keep the Ribbon minimized:

1. Click the drop-down list next to the Quick Access Toolbar.
2. In the list, click Minimize the Ribbon.
3. To use the Ribbon while it is minimized, click the tab you want to use,
   and then click the option or command you want to use.
4. After you click the command, the Ribbon goes back to being minimized.

To restore the Ribbon:

1. Click the drop-down list next to the Quick Access Toolbar.
2. In the list, clear the Minimize the Ribbon check box.

To quickly toggle between minimizing and restoring the Ribbon, do one of the
following:

• Double-click the name of the active tab.
• Press Ctrl+F1.
Configuring Report Preferences

Reports has a Preferences group that is used to set up database connections
so the Console knows which database to draw from when running reports.

Table of preferences

The following table briefly describes each option in the Preferences group.

Configure > Primary Data Source: Select this option to choose the default
data source that is to be used for running reports whenever the Reports window
is opened. The option you select here becomes the default setting in the Data
Source list. At any time, you can select a different data source and then run
reports from that source. But whenever you reopen the Reports window, it
defaults to the data source you have selected here.

Configure > Syslog Server: Select this option to have a Manager send report
log information to a syslog server. A syslog server logs basic report
activity, such as who is running reports, which reports are being run, which
database a report is drawing from, when each report is run, when each report
is complete, and any error messages that occur if a report generates errors.

Configure > Data Warehouse: Select this option to configure a new data
warehouse source so it appears in the Report Data Sources list.

Data Source: Use this list to select the data source that you want to run
reports against. When you select a data source here, it temporarily overrides
the Primary Data Source (default) you have selected in the Configure list.
For more information, see "Running Reports on Demand" on page 351.

The following topics explain how to configure each preference.

Selecting a (default) Primary Data Source

Use this procedure to select your Primary Data Source. This is the default
data source that is to be used for running reports whenever the Reports window
is opened. It will appear as the default setting in the Preferences group's
Data Source list.

At any time, you can select a different data source and run reports from that
source. But whenever you close and then reopen the Reports window, it defaults
to your Primary Data Source.

To run reports from a different data source, see "Running Reports on Demand"
on page 351.

To select a primary data source:

1. Open Reports.
2. On the Settings tab, in the Preferences group, click Configure and then
   select Primary Data Source.
   The Select Primary Data Source form appears.
3. In the Primary Data Source list, select the default data source.
4. Click Test Connection to have the system perform a ping test to confirm
   that a connection to the data source has been established. A test is not
   required, but it is highly recommended.
   During the test, the OK button is disabled.
   • If the test succeeds, the OK button becomes enabled, and the status
     area below the Test Connection button reads: "Ping Test...success."
   • If the test fails, an error message appears. See "Troubleshooting
     Database Connections" on page 319.
5. Click OK.
Configuring a syslog server

Use this procedure to have a Manager send report log information to a syslog
server. A syslog server records all report-related events and application
messages. It logs basic report activity, such as who is running reports, which
reports are being run, which database a report is drawing from, when each
report is run, when each report is complete, and any error messages that occur
if a report generates errors.

By default, the syslog server is set to the Primary Manager, but it can be set
to any server running a standard syslog service. However, the server must have
an Agent installed so it can communicate with the Manager.

To configure a syslog server:

1. Open Reports.
2. On the Settings tab, in the Preferences group, click Configure and then
   select Syslog Server. The Set Syslog Server form appears.
3. In the Syslog Server (Host Name) box, type the server's host name.
4. Click Test.
   The system performs a ping test to confirm that a connection has been
   established. You must test the connection before the server can be
   accepted. A successful test does not confirm that the host is actually a
   syslog server.
   • If the ping test succeeds, it retrieves and displays the host IP
     address, and a message appears, stating: "The Ping Test succeeded."
   • If the ping test fails, a message appears to tell you so. In this case,
     confirm that you have entered the correct host name and that it matches
     a valid DNS entry.
5. Upon completing a successful test, click OK.
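The syslog server configured above receives who ran which report against which
data source, when each run started and completed, and any errors. Those fields
are what an auditor reviews, so the following Python, added here as an example
and not SolarWinds code, parses constructed sample lines in that shape and
produces a review summary: completed runs with their duration, failed runs,
runs that started but never completed, and runs by users who are not on an
expected list. The key=value message layout, the host name, the user names and
the report names are assumptions made for the example; the wording of the
messages LEM Reports actually sends is not documented on this page.

```python
import re
from datetime import datetime

# Constructed sample syslog lines in RFC 3164 layout. The key=value body is an
# assumed layout for this example, not the format LEM Reports actually emits.
# <110> is facility 13 (log audit) severity 6 (info); <107> is severity 3 (error).
SAMPLE_SYSLOG = """\
<110>Sep  1 08:02:11 lem-reports Reports: event=ReportStart user=CORP\\jsmith report="Event Summary" source=PrimaryManager
<110>Sep  1 08:02:40 lem-reports Reports: event=ReportComplete user=CORP\\jsmith report="Event Summary" source=PrimaryManager
<110>Sep  1 08:05:02 lem-reports Reports: event=ReportStart user=CORP\\svc_backup report="Authentication Failures" source=warehouse01
<107>Sep  1 08:05:03 lem-reports Reports: event=ReportError user=CORP\\svc_backup report="Authentication Failures" source=warehouse01 msg="Login failed for user reports"
<110>Sep  1 08:10:15 lem-reports Reports: event=ReportStart user=CORP\\ajones report="Change Management" source=warehouse01
"""

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<body>.*)$"
)
# key=value pairs; a value is either a quoted string or a run of non-blanks
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line, year=2015):
    """Parse one syslog line into a dict; returns None for lines that do not
    match. RFC 3164 timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    facility, severity = divmod(int(m.group("pri")), 8)
    fields = {k: (inner if raw.startswith('"') else raw)
              for k, raw, inner in KV_RE.findall(m.group("body"))}
    fields.update(
        ts=datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S"),
        host=m.group("host"), facility=facility, severity=severity,
    )
    return fields


def review_report_activity(text, allowed_users):
    """Summarise report activity for review: completed runs with duration,
    failed runs, runs that never completed, and runs by unexpected users."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    open_runs = {}                      # (user, report, source) -> start time
    completed, errors, unexpected = [], [], []
    for e in events:
        key = (e.get("user"), e.get("report"), e.get("source"))
        if e.get("event") == "ReportStart":
            open_runs[key] = e["ts"]
            if e.get("user") not in allowed_users:
                unexpected.append(e)
        elif e.get("event") == "ReportComplete":
            started = open_runs.pop(key, None)
            duration = (e["ts"] - started).total_seconds() if started else None
            completed.append({**e, "duration_s": duration})
        elif e.get("event") == "ReportError":
            open_runs.pop(key, None)
            errors.append(e)
    incomplete = [{"user": u, "report": r, "source": s, "started": t}
                  for (u, r, s), t in open_runs.items()]
    return {"completed": completed, "errors": errors,
            "unexpected_users": unexpected, "incomplete": incomplete}


if __name__ == "__main__":
    # Constructed allow-list of accounts expected to run reports.
    summary = review_report_activity(SAMPLE_SYSLOG, {"CORP\\jsmith", "CORP\\ajones"})
    for name, items in summary.items():
        print(name)
        for item in items:
            print("   ", item.get("user"), item.get("report"), item.get("source"),
                  item.get("msg") or item.get("duration_s") or item.get("started"))
```

The allow-list check is the part worth keeping: a service account running
reports against the warehouse, or a report that starts but never completes, is
exactly the kind of activity the syslog feed exists to make visible.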

Configuring a Data Warehouse

Use this procedure to configure a new data warehouse as a data source, so you
can report against it. Once configured, it appears in the Preferences group's
Data Source list under Warehouses.

This procedure also creates a matching ODBC DSN that is used by Reports to
communicate with the data warehouse server.

To configure a data warehouse:

1. Open Reports.
2. On the Settings tab, in the Preferences group, click Configure and then
   select Data Warehouse. The Configure Data Warehouse form appears.
3. Complete the form as described in the following table.

   Warehouse Name (Host Name): Type the data warehouse server's host name.

   Port Number: Type the port number for connecting to the data warehouse.

   Database Type: Select the type of database that is used by the data
   warehouse.

   Security: Click this button to create a password for reporting against
   the data warehouse, if it is different than the default password. In the
   Specify Password box, type the new password, and then click OK. Click
   Reset to reset the password to its default setting.

   Timeout for database connection test x sec.: Type how long (in seconds)
   the system is to wait for a response when performing a ping test to test
   for a connection to the database. If a connection cannot be made within
   this period, the test automatically stops.

   Set as Primary Data Source: Select this option to make the data warehouse
   the Primary Data Source. This means it will become the default data
   source for reporting.

   Host IP Address: If you perform a connection test and the test is
   successful, this read-only field displays the data warehouse server's IP
   address.

   Do not ping: Select this option if you do not intend to perform a ping
   test to verify your connection to the data warehouse server.

   Connect with Warehouse Name: Select this option to have the Reports
   window connect to the data warehouse server with the Host Name setting.

   Connect with IP Address: Select this option to have the Reports window
   connect to the data warehouse server with the IP Address setting.

   No Warehouse: Click this button to clear the form's data warehouse
   settings, delete any warehouse configuration details, and close the
   Configure Data Warehouse form.

   Test Connection: Click this button to have the system perform a ping test
   and a database connection test to confirm that a connection to the data
   warehouse has been established.
   • If the test succeeds, a dialog box displays the Host IP Address.
   • If the test fails, see "Troubleshooting Database Connections" on
     page 319.
   If you do not perform a connection test, the system performs one
   automatically when you click OK.

4. Click OK.
Troubleshooting Database Connections

Use the following table to troubleshoot error messages that may occur with the
ping test used to test the connection between Reports and the data warehouse
or the Primary Data Source.

Error message: Manager ping timed out.
Description: Reports was unable to connect to the Manager's host name or IP
address. Confirm that the host name (or IP address) you specified is correct.
Correction:
• Confirm that you have entered the warehouse's Host Name properly. Make sure
  it matches a valid DNS entry.
• Try entering the warehouse's actual IP address in the Host Name field.

Error message: Sending the authentication packet failed. Could not flush
socket buffer.
Description: Reports could resolve and connect to the IP address, but could
not authenticate to the database server at that location.
Correction: Confirm that the Host Name (or IP address) you specified is
correct and is allowing connections from the location on which you are
running Reports. This error may also indicate a need to modify report
restrictions.

Error message: Server ping test successful, but database connection test
failed. Login incorrect. Login failed for user [user name]
Description: Reports could resolve, connect to the IP address, and connect to
SQL Server, but could not log in using the reports user.
Correction:
• Confirm that the Host Name (or IP address) you specified contains the
  SolarWinds database.
• The warehouse may require a password for reporting purposes. In this case,
  click the Security button and then enter the warehouse's reporting
  password.
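The troubleshooting table above separates three failure classes: the name did
not resolve or answer, the server was reached but would not accept the
authentication exchange, and the database accepted the connection but rejected
the reporting login. The following Python, added here as an example and not
SolarWinds code, performs the same staged check in that order (DNS resolution,
a TCP connection to the warehouse port within the configured timeout, then a
database login supplied by the caller) and maps each failure to the row of the
table whose correction applies. The stage names, result messages, hint text,
host name, address and port are this example's own; the real login step depends
on the ODBC driver in use, so it is passed in as a callable, and
run_offline_scenarios substitutes simulated stages so the block runs without a
network.

```python
import socket
from dataclasses import dataclass
from typing import Optional


@dataclass
class ConnectionTestResult:
    stage: str          # "resolve", "connect", "login" or "ok"
    ok: bool
    ip: Optional[str]
    message: str
    hint: str


# Hints paraphrase the Correction column of the troubleshooting table.
HINTS = {
    "resolve": "Confirm the warehouse Host Name matches a valid DNS entry, or "
               "enter the warehouse's actual IP address in the Host Name field.",
    "connect": "Confirm the Host Name (or IP address) and port are correct and "
               "that the server allows connections from this machine.",
    "login":   "Confirm the host contains the SolarWinds database; if the "
               "warehouse requires a reporting password, set it with the "
               "Security button.",
    "ok":      "",
}


def tcp_connect(ip, port, timeout):
    """Default connect stage: open and immediately close a TCP socket."""
    with socket.create_connection((ip, port), timeout=timeout):
        pass


def check_warehouse_connection(host, port, timeout, authenticate,
                               resolve=socket.gethostbyname, connect=tcp_connect):
    """Staged connection test. `authenticate(ip, port, timeout)` is supplied by
    the caller and must raise PermissionError when the reporting login is
    rejected; any other OSError from the connect or login stage is treated as
    "reached the address but could not authenticate to it"."""
    try:
        ip = resolve(host)
    except OSError as exc:
        return ConnectionTestResult("resolve", False, None,
                                    f"Manager ping timed out: {exc}",
                                    HINTS["resolve"])
    try:
        connect(ip, port, timeout)
        authenticate(ip, port, timeout)
    except PermissionError as exc:      # subclass of OSError, so test it first
        return ConnectionTestResult(
            "login", False, ip,
            f"Server ping test successful, but database connection test failed: {exc}",
            HINTS["login"])
    except OSError as exc:
        return ConnectionTestResult(
            "connect", False, ip,
            f"Could not authenticate to the database server at {ip}:{port}: {exc}",
            HINTS["connect"])
    return ConnectionTestResult("ok", True, ip, "Ping Test...success.", HINTS["ok"])


def _raise(exc):
    """Build a simulated stage that fails with `exc`."""
    def stage(*_args):
        raise exc
    return stage


def run_offline_scenarios():
    """Exercise each outcome with simulated stages (constructed host, address
    and port; no network). Returns the stage reached in each scenario."""
    ok_resolve = lambda host: "10.0.0.5"
    ok_stage = lambda ip, port, timeout: None
    scenarios = [
        dict(resolve=ok_resolve, connect=ok_stage, authenticate=ok_stage),
        dict(resolve=_raise(OSError("name or service not known")),
             connect=ok_stage, authenticate=ok_stage),
        dict(resolve=ok_resolve, connect=_raise(ConnectionRefusedError("refused")),
             authenticate=ok_stage),
        dict(resolve=ok_resolve, connect=ok_stage,
             authenticate=_raise(PermissionError("Login failed for user reports"))),
    ]
    return [check_warehouse_connection("warehouse01", 1433, 5, **s).stage
            for s in scenarios]


if __name__ == "__main__":
    for stage in run_offline_scenarios():
        print(f"{stage:8s} {HINTS[stage]}")
```

Keeping the three stages separate is what makes the result actionable: a
failure in the resolve stage is a naming problem, one in the connect stage is a
network or server-side restriction problem, and only a login failure calls for
the reporting password.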

Managing report categories

SolarWinds provides a large variety of standard reports that cover the needs
of several different industries. The Manage Categories form allows you to
choose reports for those industries, regulatory concerns, and auditing areas
that concern your company; to search for specific reports; and to add reports
to your Favorite Reports list.

Manage Categories form

The Manage Categories form

The Manage Categories form has three tabs that have the following functions:

• The Industry Setup tab lets you select the industries and areas of
  regulatory compliance that are of interest to your company. Reports that
  are related to the options you select then appear in the Industry Reports
  list.
• The Favorites Setup tab's Search view lets you list, sort, and group the
  report list by industry and regulatory area. It highlights reports that are
  already listed in your Favorite Reports list, and allows you to add new
  reports to the Favorite Reports list.
• The Favorites Setup tab's Favorites view displays your current list of
  favorite reports. You can use this view to sort and group your favorite
  reports to locate a specific report. When needed, this view is also used
  to remove a report from your list of favorites.

Selecting reports for specific industries

In the Manage Categories form, use the Industry Setup tab to select the
industries and areas of regulatory compliance that are of interest to your
company. By selecting only those reports that apply to your industry, you can
greatly reduce the number of reports that appear when you view the Industry
Reports list.

To select industry reports:

1. Open Reports.
2. On the Settings tab, in the Report Categories group, click the Manage
   button and then click Manage Categories.
   The Manage Categories form appears.
3. Click the Industry Setup tab, if it is not already shown.
   The Classifications section lists those industries and regulatory areas
   that are supported by standard Reports. The Reports for section displays
   all of the standard Reports that support the classifications you select.
4. In the Classifications section, select the check box for each industry
   (Education, Federal, Financial, Healthcare, etc.) that your company is
   concerned with.
   The Reports for section displays all of the standard reports that support
   the industry or industries you have selected.
5. If you are only concerned with a few regulatory areas within these
   industries, select the check box for each regulatory area your company is
   concerned with (such as HIPAA or SOX). For a description of each
   regulatory option, see "Industry options" on page 323.
   The Reports for section now lists only those standard reports that
   support the regulatory areas you have selected.
6. To remove reports for any industry or regulatory area, clear the
   corresponding check box.
7. Click OK to save your changes and close the window.
   In the Category list, the Industry Reports option now lists the standard
   Reports that support the industries and regulatory areas you have
   selected.
Industry options

Industry reports are standard reports that are designed to support the
compliance and auditing needs of certain industries. Currently, SolarWinds
provides reports that support the financial services industry, the health
care industry, and the accountability reporting needs of publicly traded
companies. The following table describes which compliance and auditing areas
are specifically supported.

Education

FERPA: Reports in this category support compliance with the Federal
Educational Rights and Privacy Act (FERPA), which gives parents and eligible
students certain rights with respect to their children's education records.

Federal

CoCo: Reports in this category support compliance with the UK Code of
Connection regulations.

DISA STIG: Reports in this category support compliance with the Defense
Information Systems Agency's (DISA) Security Technical Implementation Guide
(STIG).

FISMA: Reports in this category support compliance with the Federal
Information Security Management Act (FISMA).

NERC-CIP: Reports in this category support compliance with the North American
Electric Reliability Council (NERC) Critical Infrastructure Protection (CIP)
reliability standards.

Finance

CISP: Reports in this category support compliance with the Cardholder
Information Security Program, which helps safeguard credit card and bank card
transactions at the point of sale, over the Internet, on the phone, or through
the mail. CISP helps protect cardholder data for cardholders, merchants, and
service providers.

COBIT: Reports in this category support compliance with Control Objectives for
Information and related Technology (COBIT). COBIT is an open standard for IT
security and control practices. It includes more than 320 control objectives
and includes audit guides for more than 30 IT processes.

GLBA: Reports in this category support compliance with the Gramm Leach Bliley
Act (GLBA). GLBA requires financial institutions to protect the security,
integrity, and confidentiality of consumer information. It affects banking
institutions, insurance companies, securities firms, tax preparation services,
all credit card companies, and all federally insured financial institutions.
Security information and event management (SIEM) plays a vital role in GLBA.

NCUA: Reports in this category support compliance with the National Credit
Union Administration (NCUA). NCUA is the federal agency that charters and
supervises federal credit unions and insures savings in federal and most
state-chartered credit unions across the country through the National Credit
Union Share Insurance Fund (NCUSIF), a federal fund backed by the United
States government.

PCI: Reports in this category support compliance with the Payment Card
Industry (PCI) Data Security Standard requirements of VISA CISP and AIS,
MasterCard SDP, American Express and DiscoverCard.

SOX: Reports in this category support compliance with the Sarbanes-Oxley (SOX)
Act of 2002. Sarbanes-Oxley protects a company's investors by improving the
accuracy and reliability of corporate disclosures made pursuant to securities
laws. Provisions within Sarbanes-Oxley hold executive management and the board
of directors liable for criminal and civil penalties. Specifically, under
Section 404 of the Sarbanes-Oxley Act, executives must certify and demonstrate
that they have established and are maintaining an adequate internal control
structure and procedures for financial reporting.

General

GPG13: Reports in this category support compliance with the Good Practice
Guide 13 (GPG13), a mandatory aspect of CoCo compliance.

ISO 17799/27001/27002: Reports in this category support compliance with the
ISO 17799, ISO 27001, and ISO 27002 international security standards.

Healthcare

HIPAA: Reports in this category support compliance with the Health Insurance
Portability and Accountability Act (HIPAA), which requires national standards
for electronic health care transactions.
Creating a list of favorite reports

In the Manage Categories form, the Favorites Setup tab has a Search view. It
is similar to the Industry Setup tab in that it lets you view a list of
reports by industry and regulatory area. It highlights reports that are
already in your Favorite Reports list and allows you to add new reports to
the Favorite Reports list.

Step 1: Searching the reports

1. Open Reports.
2. On the Settings tab, in the Report Categories group, click the Manage
   button and then click Manage Categories.
   The Manage Categories form appears.
3. Click the Favorites Setup tab.
4. Click the Search button near the top of the form.
   The Search view looks just like the Industry Setup tab. The
   Classifications area lists those industries and regulatory areas that are
   supported by standard Reports. The Reports Matching Search Criteria box
   lists every standard SolarWinds report. If a report appears highlighted in
   green, it means the report is in your Favorite Reports tab.
5. In the Classifications area, select the check box for each industry or
   regulatory area your company is concerned with.
6. Click the Search button below the left frame.
   The Reports Matching Search Criteria box displays all of the standard
   reports that support the options you have selected. For example, if you
   selected Finance, it lists only those reports that are associated with
   Finance. If you selected Finance and PCI, it lists every report that is
   associated with either Finance or PCI.
   If needed, you can also organize the report list by sorting, filtering,
   and grouping it.

Step 2: Adding a report to your list of favorites

1. In the report list, locate the report you want to add to the Favorite
   Reports list.
2. Do either of the following:
   • Click to select the report. Then click Add To Favorites.
   • Right-click the report, and then click Add To Favorites.
   The Favorite Reports list now includes the report as one of your
   favorites.
Removing a report from the Favorite Reports tab

When needed, you can use the Manage Categories form to remove a report from
the Favorite Reports list. This does not delete the report; the report remains
in its original category. For example, if you remove a favorite report that
originally came from the Standard Reports list, it remains listed in the
Standard Reports list. This means you can restore the report as a favorite at
any time.

To remove a report from the Favorite Reports list:

1. Open Reports.
2. On the Settings tab, in the Report Categories group, click the Manage
   button and then click Manage Categories.
   The Manage Categories form appears.
3. Click the Favorites Setup tab.
4. Click the Favorites button.
   The window displays your current list of favorite reports. If there are a
   lot of reports, you can sort, filter, and group the report list to locate
   the specific report you want to remove.
5. In the report list, select the report you want to remove from the
   Favorite Reports list. Then do either of the following:
   • Click Remove From Favorites.
   • Right-click the report and then select Remove From Favorites.
6. Click Apply to save the change.
7. Repeat Steps 5 and 6 for each report you want to remove.
8. Click OK to save your changes and close the window.
   The reports no longer appear in your Favorite Reports list.
Viewing Historical Reports

On rare occasions, typically after taking an upgrade, you may encounter a
report that can only be run against the earlier version. These legacy reports
are called Historical Reports. In these cases, the View Historical Reports
option lets you view, schedule, and run these reports. By default, this option
is disabled, as it is only used for viewing legacy reports.

To view historical reports:

1. Open Reports.
2. On the Settings tab, in the Report Categories group, click the Manage
   button and then click View Historical Reports.
   A Historical Reports option appears in the Category list.
3. In the Category list, select Historical Reports to display the list of
   Historical Reports.
4. You can now view, schedule, or run a Historical Report.

Working with report lists

Reports ships with a wide range of reports. To keep them organized, they are
arranged and listed in different categories. This topic explains how to locate
reports, view report properties, and create a list of your favorite reports.

Viewing lists of reports by category

Reports ships with a wide range of reports. To keep them organized, they are
arranged into categories. You can use report categories to select the type of
reports you want to work with: standard reports or your own custom reports.
Each option in the Category list displays the reports that are assigned to
that category.

To view a list of reports by category:

On the Settings tab, in the Report Categories group, click the Category list
and then select a report category.
The window displays the list of reports in that category. If you select a
different category, the reports list changes to display the reports that are
in the new category.

The following table describes each option in the Category list.

Standard Reports: This list displays the standard set of reports that ship
with the SolarWinds system and are supported by SolarWinds technical support.
Most standard reports capture specific event data that occurs during a
particular period.

Industry Reports: This list displays the standard reports that are designed
to support the compliance and auditing needs of certain industries, such as
the financial services industry, the health care industry, and the
accountability requirements of publicly traded companies. For more
information, see "Selecting reports for specific industries" on page 322.

Custom Reports: This list displays any custom reports that you created, or
that SolarWinds created for your company, to meet a specific need.
Standard and custom reports are essentially the same thing. They are run and
scheduled in the same manner. The only difference is that custom reports are
undocumented, as they are created specifically by you or for you.
While SolarWinds supports any custom reports it makes for your company,
SolarWinds does not support any custom reports that you make yourself.

Favorite Reports: This list displays the standard, industry, and custom
reports that you use most often. You can add and remove reports in this
category as needed.
Locating a report by title

If you know a report's title, you can quickly locate it in the Reports window
by typing its name in the appropriate report category list.

To locate a report by title:

1. Open Reports.
2. On the Settings tab, in the Report Categories group's Category list,
   select the category that contains the report.
3. Click any row in the report list.
4. In the Report Title column, begin typing the report name.
   The system takes you to the first report title that matches the letters
   you have typed. For example, if you clicked Standard Reports and began
   typing "even", the system takes you to Event Summary, which is the first
   matching report title.
5. From here, you can scroll down to the exact report you are looking for.

Viewing a report's properties

In Reports, many reports have similar titles. Therefore, you can use the
Properties feature to view a written description of each report.

To view a report's properties:

1. In the reports list, click to select the report you want to work with.
2. Do either of the following:
   • In the report grid, position the mouse pointer over the report you have
     selected.
   • On the Settings tab, in the Report Selection group, click Report
     Properties.
   In either case, an Information box appears, showing a description of the
   report.
3. Click OK to close the Information box.

Creating a list of favorite reports

The reports you use most often are obviously your favorite reports. To easily
access these reports, you can add them to the Favorite Reports list. This list
contains only your favorite reports. It can include any of SolarWinds'
standard reports, as well as any custom reports you may have.

To designate a report as a favorite, you must copy it to the Favorite Reports
list. Each Console user can set up his or her own list of favorite reports.
The Console displays the favorites of the user who is currently logged on.

Note: A Console user is determined by the user's Windows account. If two
users on the same computer log into the same account, they will share a list
of favorites.

To create a list of favorite reports:

1. Open Reports.
2. On the Settings tab, in the Report Categories group, click the Category
   list. Then select the category that contains the report you want to add
   to your list of favorites.
3. Locate the report in the report list.
4. Right-click the favorite report and then select Add Report to Favorites.
   The system copies the report to your Favorite Reports list. The next time
   you open the Favorite Reports list, the report will be there.

Note: Usually, reports are added to the Favorite Reports list through the
Report View Preferences window. See "Creating a list of favorite reports" on
page 326 for more information.
Custom report filters

In most cases, the standard column filters should meet your day-to-day needs.
But if the filters are insufficient, you can create your own customized
multi-column filters. You can also choose to save your custom filters. This
allows you to keep them for later use, or to pass them on to other users.

Creating a custom report filter

1. On the Reports window, click the report filter you want to use as a
   starting point.
2. At the bottom of the filter, click the Customize button.
   The Filter Builder form appears.
3. Use the form's buttons to select the column, column option, and specific
   conditions that define the filter.
   In the example shown above, the filter displays only those reports where
   the Category column equals Audit, and the Type column equals
   Authentication.
4. Click OK or Apply to apply the filter. Otherwise, click Cancel.

Saving a custom report filter

1. Create the custom filter, as explained above.
2. Click Save As.
   The Save the active filter to file form appears.
3. Use the Save in list to locate and select the folder you want to store
   the filter in.
4. In the File name box, type a name for the filter.
5. Click Save.
   The filter is now saved and available for later use.

Opening a saved custom report filter

1. Click the Customize button.
   The Filter Builder form appears.
2. Click Open.
   The Open an existing filter form appears.
3. Use the Look in list to locate and open the folder that contains the
   custom filter. Then click to select the filter.
4. Click Open.
5. The custom filter's configuration appears in the Filter Builder form.
6. On the Filter Builder form, click OK or Apply.
   The custom filter is applied to the report list.

Exporting a report

Use this procedure to export the report shown in the Reports window's Preview
pane. You can choose to export the report as an Adobe Portable Document File
(.PDF), a Crystal Reports RPT file, as HTML, as a Microsoft Excel file, or as
several other common file formats. SolarWinds officially supports the PDF and
RPT formats.

To export a report:

1. In the Reports window, open or run the report you want to export.
   The report appears in the Preview pane.
2. On the View tab, in the Output group, click Export.
   The Export form appears.
3. In the Format list, select the file type in which you want to save the
   report. The Description box at the bottom of the form describes each file
   format that you choose.
4. Use the Destination list to browse to the folder in which you want to
   save the file.
5. Click OK.
   The system saves the file to the folder and in the format that you
   selected.

Reports features
The topics in this section describe the key features of the Reports window, its
Menu Button, its Quick Access Toolbar, and its Ribbon.


Key features of the Reports window

The following table describes the key features of Reports.

Menu Button
    Click the Menu Button to open, save, or print a report, and to see
    everything else you can do with a report. This button has a similar
    function to the File menu used by earlier Windows programs.

Quick Access Toolbar
    The Quick Access Toolbar is a customizable toolbar. It contains a set of
    commands that are independent of the tab that is currently displayed. You
    can customize the toolbar by adding buttons for the commands you use most
    often, and you can move the toolbar to two different locations. For more
    information, see "Using the Quick Access Toolbar" on page 309.

Ribbon
    The Ribbon is designed to help you quickly find the commands that you
    need to complete a task. Commands are organized in logical groups that
    are collected together under tabs. Each tab relates to a type of
    activity, such as running and scheduling reports, or viewing and printing
    reports. To save space, you can minimize the Ribbon, showing only the
    tabs. For more information, see "Minimizing the Ribbon" on page 312.

Settings tab
    Use the commands on this tab to choose the reports you want to run, open,
    and schedule, and to configure reports and the reports data source
    settings.

View tab
    Upon opening or running a report, the Ribbon automatically switches to
    the View tab, which has a toolbar for printing, exporting, resizing, and
    viewing the report.
    If you click the View tab without having opened a report, the Preview
    pane shows a blank page. If you click the View tab and you have run a
    report, the Preview pane displays the contents of the report.

Grouping bar
    You can use the yellow bar above the grid to group, sort, and organize
    the reports list. For more information, see "Grouping reports" on
    page 341.

Report list/Preview pane
    By default, this section is a grid that displays a list of SolarWinds'
    Standard Reports. Upon selecting a different report category, the grid
    changes to list the reports that are in that category. You use this grid
    to select the report that you want to run or schedule.
    You can also filter and sort the grid to quickly find the reports you
    want to work with. See "Sorting, filtering, and grouping report lists"
    on page 374.
    Upon opening or running a report, this section changes into a report
    Preview pane that displays the report. The Ribbon also automatically
    switches to the View tab, which has a toolbar for printing, exporting,
    resizing, or viewing the report.

Using the Menu Button

In Reports, the Menu Button opens a menu that lets you execute the most
common report commands. The following table describes each command in the
Menu Button menu.

Open Report
    Opens a report that has been saved in RPT format. The report opens in
    the Reports Preview pane in the View tab, where you can view, search,
    print, and export it.
    The Recent Reports list to the right shows a list of recently opened
    reports.

Export Report
    Use this command to export the report you are currently viewing.

Schedule
    Use this command to configure a schedule for automatically running the
    selected report in the Report list.

Print Report
    This command prints the report you are viewing to your default printer,
    with its default settings.

Printer Setup
    This command opens a Print Setup dialog box, which you can use to select
    a printer and customize its print settings.

Refresh Report List
    This command refreshes the report list for each report category. Use
    this command if you have added new report files, such as some new custom
    reports, and they are not showing up in the report list. This command
    accesses your computer's Reports directory, retrieves information about
    all of the reports, and rebuilds the lists for each report category.

Exit
    Exits the Reports application.

Grouping reports
You can sort the Reports window's report list into groups of reports by dragging
one or more column headers into the grouping box above the report list. This
feature allows you to quickly organize and display groups of reports that fall into
very specific categories.
For example, suppose you want to group the reports by Category. By simply
dragging the Category column header from the report list into the grouping box,
you can rearrange the report list into groups that are defined by items from the
Category column, as shown here.

The tools for grouping reports

Groups change the report list into a series of nodes. There is a separate node for
each unique item or category from the column that defines the grouping. The
nodes are alphabetized, and each node is named by the column and category
that defines the grouping.
For example, the Category column that defines the grouping in the example
above has three unique categories: Audit, Security, and Support. So grouping
by the Category column creates three nodes: Category: Audit, Category:
Security, and Category: Support.
Opening a particular node displays only the reports that are associated with that
particular grouping configuration.
You can group reports by any column header in the report list (Title, Category,
Level, Type, etc.). You can also create sub-groups to create parent-child
hierarchies. For example, you could create a Category group and a Type
sub-group, or vice versa.
Creating a report group

• Decide which column is to define the report groupings. Then drag that
column header into the Drag a column header here to group by that
column area above the report list.

Before

After

In the example shown above, we have dragged the Category header to
group the report list by Category.
The report list now displays a separate node for each unique item that is in
the column that is defining the grouping. The nodes are alphabetized and
labeled for easy reference.
Viewing the reports within a group

• Click a node to display a list of reports that fall within that grouping. To close
the node, simply click it again.

Creating a sub-group

1. Drag another column header into the Drag a column header here to
group by that column area.
2. Do either of the following:
• Place the new column header above the existing header to have the
new header act as the primary grouping. In the example shown above,
the report list would be grouped by Level and then Type.
• Place the new column header below the existing header to have the
new header act as the secondary grouping. In the example shown
above, the report list would be grouped by Type and then Level.
The report list refreshes to display two levels of nodes: one level of nodes
for the primary group, and one set of nodes for the secondary group.
3. To view the reports within a particular grouping, click a higher-level group
node, and then a sub-group node.
The report list displays only those reports that apply to both groupings.
4. Repeat Steps 1 and 2 for each additional grouping you require.

Managing reports
The following topics explain how to edit a scheduled report task, how to delete a
schedule from a task, and how to delete a scheduled report task.

Editing a scheduled report task

When needed, you can easily make changes to a scheduled report task, or to a
specific task schedule, by editing its settings.
To edit a scheduled report task:
1. Open Reports.
2. On the Settings tab, in the Report Categories group, click the Category
list and then select either Standard Reports or Custom Reports.
The grid displays all of the reports in the category you have selected.
3. In the grid's Report Title column, click the name of the report that needs the
schedule change.
4. On the Settings tab, in the Report Selection group, click Schedule.
The Report Scheduler Tasks window appears.
5. In the Task Description list, select the report schedule you want to edit.
6. Click Modify.
The scheduler form appears.
7. Make your report schedule changes to the Task, Schedule, and Settings
tabs, as needed.
8. To change the settings for a particular schedule, click the Schedule tab. In
the tab's schedule list, select the schedule you want to change. Use the
boxes to change the settings, then click Apply.
9. When you are finished making all of your changes, click OK to close the
form.
You return to the Report Scheduler Tasks form.
10. If needed, make any changes to the Report Settings.
11. Click Save.
12. Click Close to close the Report Scheduler Tasks form.

Deleting a schedule from a task

If a particular task schedule is incorrect or no longer needed, you can easily
delete it from a task's list of schedules.
To delete a task schedule:
1. Open Reports.
2. On the Settings tab, in the Report Categories group, click the Category
list and then select either Standard Reports or Custom Reports.
The grid displays all of the reports in the category you have selected.
3. In the grid's Report Title column, click the name of the report for which you
want to delete a task schedule.
4. On the Settings tab, in the Report Selection group, click Schedule.
The Report Scheduler Tasks window appears.
5. In the Task Description list, select the scheduled report that has a
schedule you want to delete.
6. Click Modify.
The task schedule form appears.
7. Click the Schedule tab and select the Show Multiple Schedules check
box if it has not been selected.
8. In the schedule list box, select the schedule you want to delete.
9. Click Delete.
10. Click Close to close the Report Scheduler Tasks form.

Deleting a scheduled report task

If a scheduled report task is incorrect or no longer needed, you can easily delete it
from your task list.
To delete a scheduled report task:
1. Open Reports.
2. On the Settings tab, in the Report Categories group, click the Category
list and then select either Standard Reports or Custom Reports.
The grid displays all of the reports in the category you have selected.
3. In the grid's Report Title column, click the name of the scheduled report that
has a task you want to delete.
4. On the Settings tab, in the Report Selection group, click Schedule.
The Report Scheduler Tasks window appears.
5. In the Task Description list, select the scheduled report task you want to
delete.
6. Click Delete.
7. At the confirmation prompt, click Yes. Otherwise, click No to keep the
scheduled report task.
8. Click Close to close the Report Scheduler Tasks form.

Printing reports
You can print any report shown in the Reports window's Preview pane.
Printing a report
1. In the Reports window, open or run the report you want to print.
The report appears in the Preview pane.
2. On the View tab, in the Output group, click Print.
The Print form appears.
3. Select the printer and any print options you want.
4. Click Print.
The report is printed according to the print options you selected.


Setting up printer preferences

Use the Printer Setup command to define the default print settings the Print
command is to use when printing Reports. For example, if you usually print in
landscape, you can select that preference here. The Print command will then
print in landscape, by default. Whenever you need to override a default setting,
you can always do so with the normal Print dialog box.
To set up printer preferences:
1. In the Reports window, open or run the report you want to print.
The report appears in the Preview pane.
2. On the View tab, in the Preferences group, click Printer Setup.
The Page Setup form appears.
3. Select the Paper, Orientation, Margin, and Printer options you want.
A preview section at the top of the form displays a thumbnail version of the
report with the options you have selected.
4. Click OK.
The report is printed according to the print options you selected.

Filtering report lists

The Reports window lets you filter the report list. This means you can have the list
display only those reports that are associated with a particular report title,
category, level, or type. You can also apply more than one filter at a time to
display a very small subset of the report list. If needed, you can also create your
own custom filters, and then save them for later use.
Each column header in the report list has a drop-down button. Clicking the button
displays a list of filter options that are available for that column, as shown here.

Filtering a report list

For example, the Category column has several options. Selecting Audit reduces
the list to show only the reports associated with the Audit category.
When you apply a filter, a yellow status bar appears below the reports list. The
status bar lists which filters are currently applied. You can use this list to remove
each filter individually, or to remove them all at once.

Filtering a report list

1. Decide which column you want to use for the filter.
2. Click a column header's drop-down list and select a filter option.
3. The report list refreshes to display the filtered list.
4. Repeat Step 2 for each additional filter you want to apply.
Changing a filter setting

Do either of the following:
• Click a filtered column header's drop-down list and select a different filter
option.
• In the status bar below the report list, click the filter's drop-down arrow.
Then select a different filter option from your list of most commonly used
filters.
The report list refreshes to display the list with the new filter.
Turning off report filters

In the Reports window, when you are finished with a report filter, you can turn it
off. Turning off a filter refreshes the report list so that it displays the list without that
column filter. You can turn off a single filter or all of the filters at once.
To turn off a filter:
Do either of the following:
• In the appropriate column header drop-down list, select (All).
• Clear the check box next to the filter in the status bar.
The report list refreshes to display the list without that column filter.
To turn off all of the filters:
• Click the icon in the status bar.
The report list refreshes to display the list without any filters.

Running and Scheduling Reports

This section explains how to run reports. You can run reports two different ways:
• On-demand reports are those reports that you run only when you need
them.
• Scheduled Reports are reports that you configure to automatically run on
their own, on a particular schedule, and without intervention.
All Reports are scheduled and run in the same manner. The following procedures
explain the methods for running on-demand reports and scheduled reports.
Reports can take quite a bit of time to run. The larger the report, the longer it takes
to run. For that reason, it is recommended you schedule any reports you intend to
run frequently.
Running Reports on Demand
1. Open Reports.
2. On the Settings tab, in the Preferences group, click the Data Source list
and then select the Manager that is to be the data source for the report. This
step is only needed if you are selecting a data source that is different from
the Primary (default) Data Source.
3. In the Report Categories group, click the Category list and select the
report category you want to work with.
The report list displays all of the reports in the category you have selected.
4. In the report list, locate the report you want to run. Then do any of the
following:
• Double-click the report.
• Right-click the report and then click Run Report.
• Click to select the report. Then on the Settings tab, in the Report
Selection group, click Run.
• Click to select the report. Then on the Quick Access Toolbar, click the
Run button.
Depending on the report you selected, you may be prompted to enter certain
report parameters, such as a start date/time, an end date/time, and a range.
In this case, the Enter Parameter Values form appears.

5. To complete the Enter Parameter Values form, select an item in the
Parameter Fields box. Then, in the lower half of the form, type or select the
appropriate value for that parameter. The following table explains how to
complete each parameter field.

Start Date/Time
    Type or select the report's start date and time. The time is optional.
    Click the Now button to populate these fields with the current date and
    time.

End Date/Time
    Type or select the report's ending date and time. The time is optional.
    Click the Now button to populate these fields with the current date and
    time.

Top N
    Type the number of items you want reported, such as the top 5 or the
    top 10.

6. Click OK. The report appears in the Preview pane and the Ribbon changes
to the View tab. You can use the View tab to print, export, view, resize, and
search the various pages of the report.


Report Errors
If you receive the following error, it is possible that your database server for your
data warehouse or your SolarWinds appliance is offline, or that you need to run
the restrictreports CMC command.

1. First, check to make sure that your servers are online.
2. Then check your restrictreports settings.
If you receive any other errors, or if you are uncertain about how to properly
perform these procedures, please refer to the SolarWinds Knowledgebase or
contact SolarWinds Technical Support.
Scheduling Reports (process overview)
Scheduling a report requires several steps. But once you configure a report
schedule, SolarWinds does the rest. You can create more than one schedule for
the same report. This allows you to run the same report on different Managers,
and to run the same report at different intervals (daily, weekly, monthly, etc.), each
with a different scope.
Scheduling a report is basically a seven-step process:
1. First, select the report you want to schedule and then click Schedule.
2. Name the scheduled task. You need to name the scheduled task to
distinguish it from other similar tasks. For example, the same scheduled
report needs to be configured separately for each data source (Manager).
Therefore, you will name each task to readily distinguish between the
scheduled tasks for each data source.
3. Set the schedule parameters. This states when the scheduled report is to
run.
4. Apply any advanced scheduling options, if desired.
5. Select settings that define when the SolarWinds system can and cannot run
the task.
6. Apply the scheduled report to the data source (Manager) for which you want
a report. Then define the scope, which is the period you want the report to
cover. When the system runs the report, it retrieves any pertinent events that
occurred within the period defined by the scope.
7. Finally, select any export options for the report. This allows you to export to
the folder of your choice, and in a format that is easy to read and print. If you
do not export the report, it will automatically print to your default printer.
Each step of this process is fully explained in the following numbered topics. You
must repeat this process for each report you want to schedule.
Step 1: Selecting the report you want to schedule

In this step, you will select the report you want to schedule, then open the Report
Scheduler Tasks window.
To begin scheduling:
1. Open Reports.
2. On the Settings tab, in the Report Categories group, click the Category
list and select the report category you want to work with.
The report list displays all of the reports in the category you have selected.
3. In the Report Title column, locate the report you want to schedule. Then do
any one of the following:
• Click the report and then click the Schedule button.
• Right-click the report and then select Schedule Report.
• Click the report you want to schedule. Then on the Menu Button
menu, select Schedule Report.
The Report Scheduler Tasks window appears. Use this window to add,
edit, and delete your scheduled report tasks.
Note that the Event Summary box shows only the tasks that apply to the
report you selected in Step 3.
Step 2: Adding a new scheduled report task

Here, you will name and configure the new scheduled task that is associated with
this report.
To create a scheduled task:
1. To add a new report schedule, click the Add button.
The Enter Scheduler Task Description form appears.
2. In the Task Description box, type a name for the report, then click OK.
At this point, the task scheduler form appears. The form takes the name of
the report to indicate which report you are scheduling.

3. Complete the Task tab as described in the following table.

Run
    Normally, you will not change the default setting. But if you do, use
    this box to type the path to the argument that initiates the task
    settings for this report. If needed, click the Browse button to locate
    the correct folder and file.

Start in
    Normally, you will not change the default setting. But if you do, use
    this box to type the path to the Reports executable file (.exe).

Comments
    Type a description of the report schedule you are configuring, such as
    Monthly SolarWinds Event Summary Graphs.

Run as
    By default, this box displays the current user. To change the user, type
    the domain and user name as follows: [Domain]\[UserName].
    Then click the Set password button to set up a password for the current
    user to run the report. This step is required for the scheduler to work
    properly.

Enabled (scheduled task runs at specified time)
    Select this check box to run the scheduled task according to the
    schedule you will specify in the Schedule tab. If you clear this check
    box, the report will not run on that schedule.

4. Click Apply to save your changes to the tab.


Step 3: Scheduling the Report

Now you will create the actual report schedule. The settings on the Schedule tab
tell the system when to run the report.
If needed, you can create multiple schedules for each report that are within the
same scope. For example, perhaps you would like to run an event summary
report for the current week and have it display the running total for the week at
each hour. You could set the report to Week: Current and have multiple
schedules that run on an hourly schedule and on a twice-daily schedule.
To schedule a report:
1. Click the Schedule tab. For new tasks, the tab states that the task is not
scheduled.
2. Click the New button to create a new schedule for the report.
The schedule shown above appears by default. You will create a new
schedule by modifying this default schedule with the various boxes in the
Schedule tab.
3. Complete the Schedule tab as described in the following table.

Schedule Task
    Select how often the system is to run the report: daily, weekly, etc.

Start time
    Type or select the time the system is to run the report.
    For more detailed scheduling, click the Advanced button. See "Step 4:
    Selecting Advanced Scheduling Options" on page 360 for more information.

Every
    Type or select how often you want to run the task based on your
    selection in the Schedule Task box above. For example, for a daily
    report, you can run the report every day, every 2 days, every 3 days,
    etc. For a weekly report, you can run the report every week, every 2
    weeks, etc.

Show multiple schedules
    Select this check box if you will have more than one schedule for this
    task, where each schedule has the same scope.
    If you are going to create more than one schedule with different scopes,
    then you will need to create a different task for each schedule.
    If the report is to have only one schedule, then clear this check box.

4. Click Apply to save your changes.
The new report schedule appears in the list box near the top of the tab.
5. If desired, repeat Steps 2 to 4 to set up each new schedule for this task.

Step 4: Selecting Advanced Scheduling Options

If you clicked the Schedule tab's Advanced button, then the Advanced
Schedule Options form appears (shown here). This form provides you with
complete control over your report schedules. For example, you can schedule start
and end dates for the report, or set a task to repeat for a set period of time.

To select advanced scheduling options:
1. Click the Advanced button on the Schedule tab.
The Advanced Schedule Options form appears.
2. Complete the Advanced Schedule Options form as described in the
following table.

Start Date
    Type or select the date you want the system to begin running the report.

End Date
    Select this check box if there is a date on which you want the system to
    stop running the report. Then type or select the end date.
    If there is no end date, then leave this check box blank.

Repeat task
    Select this check box if you want the system to repeat running the
    scheduled report at regular intervals.

Every
    Type or select the interval. In the example shown above, this task will
    run every 4 hours.

Time
    Type or select the time you want the system to stop running the repeated
    task.

Duration
    Type or select how long you want the task to run. By limiting the time
    the task can run, you can prevent the task from running forever, should
    a problem occur. Reports can be very time consuming; therefore, use this
    configuration option with caution.

If the task is still running, stop it at this time.
    Select this check box to have the system stop running a report that is
    running when the Time or Duration setting occurs.
    Keep the check box clear to have the system finish running a report
    that overlaps the Time or Duration setting.

Note: The following image displays the valid and invalid date formats for
reports.
In the example shown above, the configured report will run every four hours,
starting on Monday, August 18, and running through Sunday, August 30.
Each time the task runs, the system will stop it if it continues to run for more
than one hour.
3. Click OK to save your changes and exit the form; otherwise, click Cancel.
You return to the task scheduler form.
Step 5: Stating when the system can or cannot run the task

In this topic, you will use the Settings tab to select options that state when the
system can and cannot run the task.
To define when the system can or cannot run the task:
1. Click the Settings tab to fine-tune the options for this task.
2. Complete the Settings tab as described in the following table.

Scheduled Task Completed
    Select Delete the task if it is not scheduled to run again to have the
    system delete a task that has run its course. For example, you may want
    the system to delete a task that has a definite end date. Leave this
    check box clear to keep the task.
    Select Stop the task if it runs for [xxx] hour(s) [xxx] minute(s) to
    specify a maximum allowable time limit for the system to accomplish a
    task. Use the hour(s) and minute(s) boxes to specify a maximum allowable
    time. In the example shown, the system will stop the task if it exceeds
    72 hours. If you leave this check box clear, then the system continues
    running the task until it is complete.

Idle Time
    These options allow you to run tasks when the computer is idle.
    Select Only start the task if the computer has been idle for at least
    [xxx] minute(s) to begin running a task only if the computer is idle for
    the specified time. Use the minute(s) box to specify a minimum idle time.
    If you leave this check box clear, then the system will run the task when
    the computer is in use.
    In the If the computer has not been idle for that long, retry for up to
    [xxx] minute(s) box, use the minute(s) box to specify how often you want
    the system to check to see if the computer has reached its minimum idle
    time requirement for beginning the task.
    Select Stop the task if the computer ceases to be idle to have the
    system stop running a task when the computer is once again in use. If you
    leave this check box clear, then the system will continue running the
    task until it is complete.

Power Management
    Select Don't start the task if the computer is running on batteries to
    prevent the system from running the task when the computer is running
    with a battery as its power source. If you leave this check box clear,
    then the system will run the task even when the computer is on batteries.
    Select Stop the task if battery mode begins to have the system stop the
    task when the computer switches to a battery as its power source. If you
    leave this check box clear, then the system will continue running the
    report even when the computer switches to battery power.
    Select Wake the computer to run this task to have the system run the
    computer at normal power to run the scheduled report task. If you leave
    this check box clear (not checked), then the report will not run until
    the next scheduled time after the computer is removed from sleep.

3. Click Apply to save your changes.
4. Click OK to close the task scheduler form and return to the Report
Scheduler Tasks window.
Step 6: Assigning the data source and scope

Once you have added your scheduled report tasks, you can assign the task to a
particular data source (a Manager) and define the tasks scope. The scope is the
event period you want the report to cover. When the system runs the report, it
retrieves any pertinent events (that the report covers) that occurred within the
period defined by the scope.
To assign the tasks data source:
1. In to the Report Scheduler Tasks windows Task Description list, select
the report schedule you want to assign.

365

Chapter 14: Reports

2. Click the Load to View or Edit button.


The windows Report Execution Settings For Selected Task section
becomes enabled. You will use this section to configure the report
execution settings for the task (report schedule) you selected above.
3. Use the Select the report data source list to select the Manager or to
which you want to assign this task.
Note: You can only assign a task to a single Manager. If you need to assign
a similar or identical task to another Manager, then you must create a new
task for that other Manager.
To assign the tasks scope:
In the Report Scope area, you will set up the tasks scope for this data source.
The scope is the event period, or time frame, for the events you want the report to
cover.

366

Step 6: Assigning the data source and scope

1. In the Date Range list, select the date range you want the report to cover for
this task and this data source.
In the example shown above, the date range is Day: Today. This means
the report will cover the period from 12:00:00 AM to 11:59:59 PM of the
current date.
For a more complex example, suppose you chose Week: Previous as the
date range. The scheduled report would contain information from the last full
week, from 12:00:00 AM the last Monday to 11:59:59 PM the last Sunday.
For example, if today is Wednesday the 11th, the task runs from 12:00:00
AM on the 2nd to 11:59:59 PM on the 8th.
The following table describes each option in the Date Range list.

Date range        Description
Day: Today        Run for the specified timeframe on the current (today's) date.
Day: Yesterday    Run for the specified timeframe on the previous (yesterday's)
                  date.
Week: Current     Run from one week ago to the current time.
Week: Previous    Run from 12:00:00 AM last Monday to at most 11:59:59 PM last
                  Sunday. This report will capture the last full week of data.
Month: Current    Run from one month ago to the current time.
Month: Previous   Run from 12:00:00 AM on the first of the month until 11:59:59
                  PM on the last day of the month. This report will capture the
                  last full month of data.
User Defined      Use this option to run any other report scope. You can use this
                  option to schedule reports for arbitrary periods, or for periods
                  that are outside the conventional scope of a day, week, or
                  month.

2. In the Start Time and End Time boxes, type or select a start time and end
time for reporting events that occurred on this Manager. The report will only
show those events that occurred on the Manager within this period.
Note: If you select a Week or a Month scope, you cannot edit the Start
Date/Time and End Date/Time.
3. The Count Settings area only applies to count-based reports, such as Top
20 reports. In the Number of Items box, type or select the number of items
you want the report to track.
4. To configure the report so that it automatically exports to a file, continue to
"Step 7: Exporting a scheduled report" on page 368. Otherwise, click Save.
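As an added example (not part of the SolarWinds manual), the following Python models the Date Range options from the table above, so you can check which event timestamps a scheduled task's scope will cover. The run time is passed in explicitly, and clamping "one month ago" to the shorter month's last day is this example's assumption.

```python
from datetime import datetime, date, time, timedelta

# Constructed run time matching the manual's example: Wednesday the 11th.
EXAMPLE_NOW = datetime(2015, 3, 11, 14, 30, 0)


def start_of_day(d):
    # 12:00:00 AM of the given calendar day
    return datetime.combine(d, time.min)


def end_of_day(d):
    # 11:59:59 PM of the given calendar day
    return datetime.combine(d, time(23, 59, 59))


def one_month_before(now):
    # Same day of the month one month earlier, clamped to that month's length
    # (the table only says "one month ago"; the clamp is this example's assumption).
    year, month = (now.year, now.month - 1) if now.month > 1 else (now.year - 1, 12)
    next_month_first = date(year + (month == 12), month % 12 + 1, 1)
    days_in_month = (next_month_first - timedelta(days=1)).day
    return now.replace(year=year, month=month, day=min(now.day, days_in_month))


def report_scope(date_range, now):
    """Return (start, end) datetimes covered by a task for the given Date Range
    option, evaluated at 'now'. Whole-period options (Day, Week: Previous,
    Month: Previous) run from 12:00:00 AM to 11:59:59 PM as the table states;
    the Current options run from one week/month ago up to the current time."""
    today = now.date()
    if date_range == "Day: Today":
        return start_of_day(today), end_of_day(today)
    if date_range == "Day: Yesterday":
        yesterday = today - timedelta(days=1)
        return start_of_day(yesterday), end_of_day(yesterday)
    if date_range == "Week: Current":
        return now - timedelta(weeks=1), now
    if date_range == "Week: Previous":
        # Last full week: 12:00:00 AM last Monday through 11:59:59 PM last Sunday.
        this_monday = today - timedelta(days=today.weekday())
        last_monday = this_monday - timedelta(days=7)
        last_sunday = this_monday - timedelta(days=1)
        return start_of_day(last_monday), end_of_day(last_sunday)
    if date_range == "Month: Current":
        return one_month_before(now), now
    if date_range == "Month: Previous":
        # Last full month: the 1st through the last day of the previous month.
        last_of_prev = today.replace(day=1) - timedelta(days=1)
        return start_of_day(last_of_prev.replace(day=1)), end_of_day(last_of_prev)
    raise ValueError(f"unknown Date Range option: {date_range!r}")


def in_scope(event_time, date_range, now):
    """True if an event's timestamp falls inside the task's scope."""
    start, end = report_scope(date_range, now)
    return start <= event_time <= end


if __name__ == "__main__":
    for option in ("Day: Today", "Day: Yesterday", "Week: Current",
                   "Week: Previous", "Month: Current", "Month: Previous"):
        start, end = report_scope(option, EXAMPLE_NOW)
        print(f"{option:16} {start} -> {end}")
```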
Step 7: Exporting a scheduled report

Finally, you can have the report utility automatically export a scheduled report in
Adobe's Portable Document Format (.PDF) to the folder of your choice. If you do
not choose to export a scheduled report, then the system prints the report to
your default printer each time it runs.
To export a scheduled report to a file:
1. Open the Report Scheduler Tasks window, if you have not already done
so.
2. In the Task Description box, select the scheduled report task you want to
export.
3. On the Report Settings tab, select the Export check box. This enables the
other fields in this section. Use this section to name and export the report
in the format and folder of your choice when the task scheduler runs it.

4. In the Format list, select the file format in which you want to export the
report.
5. Click the folder icon next to the File Name box. Browse to the folder where
you want to save the report, then type a unique file name for the report.
If the report has multiple schedules, give each schedule's exported report a
different name. Otherwise, the exported files will overwrite each other, or
they will increment according to the If File Exists setting, making it difficult
to readily identify the different schedules' reports.
6. In the If File Exists list, choose one of the following options:
• Select Increment to store the new report along with any previous
versions of the report in the folder. The Report Console increments
each report by appending the report filename with an underscore and
a digit. For example, the first increment is [FileName]_1.pdf, the
second is [FileName]_2.pdf, and so on.
• Select Overwrite to have each new version of the report overwrite the
previous version of the report in the folder.

7. Click Save.
8. Click Close to close the Report Scheduler Tasks window and return to the
Reports window.
9. Repeat "Step 2: Adding a new scheduled report task" on page 356 through
"Step 7: Exporting a scheduled report" on page 368 for each report you want
to schedule and assign to a particular data source.


Searching reports for specific text

The Reports window has a Search tool that you can use to search for key words
or phrases in text-based reports.
This tool only works when you are viewing a text-based view of a report in the
Preview pane. You cannot use this tool with graphical-only reports, or the default
graphical view that is displayed when you first run the report.
Viewing the text-based details of a report
Do either of the following:
• Open a page that is past the graphical section of the report, into the report
content pages.
• On the View tab, click the Tree button to open the report's list of sub-topics.
Then click the content-based sub-topic to jump to that section of the report.
For more information, see "Viewing reports" on page 375.

Using the Search tool


1. In the Reports window, open or run the report you want to view.
The report appears in the Preview pane.
2. Display the text-based details you want to search in the Preview pane.
3. On the View tab, in the Navigate group, click Search.
The Find form appears.


4. In the Find what box, type the text you want to search for.
5. Select Match whole word only to match entire words only, ignoring
occurrences of the text that are part of a longer word.
6. Select Match case to make the search sensitive to uppercase or lowercase
letters.
7. In the Direction area, click Up to search from where you are now to the start
of the document, or click Down to search from where you are now to the end
of the document.
8. Click Find Next.
The tool locates the next instance of the text in the report and highlights it for
easy viewing.
9. Continue clicking Find Next for each remaining instance of the text you
want to find.
10. When you are finished, click Cancel to close the Search form.

Using the Select Expert tool


The Select Expert tool lets you use queries to create a smaller, more focused
report from a larger text-based report. In this manner, you can create reports with
very focused information.
This tool only works when you are viewing a text-based view of a report in the
Preview frame. You cannot use this tool with the default graphical view that is
displayed when you first run the report.
Note: Using the Select Expert to filter report data by date or time fields (such as
InsertionTime or DetectionTime) will result in an error. If you receive this error,


clear the error prompt, return to the Select Expert, and delete the time-based
filter. To filter by time and date, you must run the report with the specified range.
Running a query with the Select Expert tool
1. In Reports, open or run the report you want to work with.
The report appears in the Preview pane.
2. On the View tab, in the View group, click Select Expert.
The Select Expert form appears.

3. Click either the New button or the <New> tab.


The Fields form appears. This form displays all of the various report fields
that you can query on this report.


You can click the Browse button to bring up a list of available fields that you
can select with the tool.
4. Select the field you want to query, then click OK.
The Select Expert form appears. The first tab displays the field name you
have selected. It lists the query options for that field and has an adjacent list
where you can select a specific value.

5. In the tab's left-hand list box (or boxes), select a query option for the field.
Then, in the adjacent right-hand list box, select a specific value for the field.
If needed, you can click the Browse Data button to see a complete list of
values that are present in the report for that field. From the Browse Data
box, you can select a value; then click Close to apply that value to the
query.

6. Repeat Steps 3 through 5 for each field you want to add to the query.
7. Click OK to close the form and apply the query; otherwise, click Cancel.


The new report appears in the Preview frame. If needed, you can use the
Preview frame's toolbar to save or export the report.
Restoring the original report
When you are through querying a report with the Select Expert tool, you can
restore the report to its original state.
To turn off the Select Expert settings:
1. On the View tab, in the View group, click Select Expert.
The Select Expert form appears.

2. Click Delete to remove the query options.


3. Click OK.
The original report appears in the Preview frame.

Sorting, filtering, and grouping report lists


Sorting the report list
You can sort the report list by clicking its column headers. This sorts the entire
report list by the contents of the column you have selected. You can sort each
column in either ascending order (alphabetical) or descending order (reverse
alphabetical).


To sort the report list:
• Click a column header once to sort the report list by that column in
ascending (alphabetical) order.
The column header shows an upward arrow. This arrow means the report
list is sorted by this column in ascending order.
• Click the column header again to sort the report list by that column in
descending (reverse alphabetical) order.
The column header shows a downward arrow. This arrow means the
report list is sorted by this column in descending order.

Viewing reports
The topics in this section explain how to open, view, and manipulate a report
image shown in the Reports Preview pane.
Opening your saved reports
Whenever a report is saved or exported to .rpt format, you can use the Open
command to reopen and view the report's contents. This applies to scheduled
reports that the system has run and saved, as well as on-demand reports that you
have run and exported for later viewing.
To open a saved report:
1. Open Reports.
2. Do one of the following:
• Click the Menu Button and then click Open Report.
• On the Quick Access Toolbar, click Open Report.
• On the Settings tab, in the Report Selection group, click Open.


The Open Report File form appears.

3. Use the Open Report File form to browse to the report file you want to view.
Note: If the report cannot be found where it is expected, be sure you have
selected Crystal Reports (*.rpt) in the File type list.
4. Select the file and then click Open.
The report opens in the Reports Preview pane. You may now view, search,
resize, print, or export the report, as needed.
Viewing the sections of a master report
Some of SolarWinds' standard reports are master reports. A master report is a
report made up of a series of sub-topics, where each sub-topic contains a
specific set of details about the higher-level master topic. Together, these topics
make up the whole report, just as individual chapters make up a book.
When a report has more than one sub-topic, a sub-topic pane appears to the
left of the Reports window's Preview pane. The sub-topic pane lists the sub-topics
that are found in the report. If you click a sub-topic, the Preview pane
displays the first page of that section of the report.
To view a section of a master report:
• In the sub-topic pane, select the sub-topic you want to see.
The Preview pane displays the first page of that section of the report.


In this example, the Preview pane is showing the Authentication report. The
sub-topic pane shows this report has sub-topics on suspicious
authentications, authentication failures, user logons, user logoffs, user logon
failures, etc. Clicking a sub-topic displays that section of the report.
Hiding and showing a master report's sub-topic pane
Whenever you are previewing a master report (that is, a report that has
lower-level topics), the View tab's Tree button becomes enabled. You can use this
button to toggle between hiding and revealing the report's sub-topic pane.
To hide the sub-topic pane:
• On the View tab, in the View group, click the Tree button.
The sub-topic pane becomes hidden, as shown here.
To restore the sub-topic pane:
• On the View tab, in the View group, click the Tree button again.
The sub-topic pane appears again.

Viewing the pages of a report


In the Reports window, the View tab's Navigate group has a toolbar that you can
use to browse through the pages of a multi-page report. If the report has only one
page, then this toolbar is disabled.

To view the pages of a report:


1. In the Reports window, open or run the report you want to view.
2. Click the View tab.


3. In the Navigate group, use the toolbar to view the report, as described in the
following table.
Button          Function
First page      Displays the first page of the report.
Previous page   Displays the previous page of the report.
Next page       Displays the next page of the report.
Last page       Displays the last page of the report.
Page box        Displays the page number that is currently shown in the Preview
                frame, as well as the total number of pages in the report. If the
                Console has not yet tallied the total number of pages, you will
                see however many pages it is certain of and a + to indicate that
                there are more pages.
                To determine how many pages are in the report, click the last
                page button. This takes you to the last page of the report,
                forcing the Console to determine how many pages there are. It
                also causes the 1+ to display the actual number of pages.
                You can also use this feature to display a particular page of
                the report. In the Page box, type the page number you want to
                see and then press Enter. The Preview frame then displays that
                page.

Magnifying and reducing report pages


You can use the Zoom feature in Reports to resize a report by typing or selecting a
percentage of the report's actual size. You can magnify (zoom in) or reduce (zoom
out) a report, or have the report expand or shrink to fit the Preview pane.


To zoom in or out on a report:


1. In Reports, open or run the report you want to view.
The report appears in the Preview pane.
2. On the View tab, in the View group, click the Zoom list and then select the
option you want.
• Select Page Width to have the width of the report page match that of
the Preview pane.
• Select Whole Page to display the entire report page within the
Preview pane.
• Select anything less than 100% to reduce the report accordingly. For
example, 50% displays the report at half its normal size.
• Select 100% to display the report in its actual size.
• Select anything greater than 100% to magnify the page accordingly.
For example, 200% displays the report at twice its normal size.
• In the Zoom box, type a [number]% for the magnification you want,
and then press Enter. For example, type 33% to reduce the image to
one-third of its actual size. Or type 175% to magnify the report so it is
three-quarters larger than its normal size.

Stopping a report in progress


• To stop running or loading a report that is in progress, click the Stop button on
the status bar, in the lower-right corner of the Reports window.


Chapter 15: Setting up an nDepth Appliance
The topics in this section are about configuring nDepth to store and access your
original log messages:
• Setting up the nDepth Appliance (if you are using a separate nDepth
Appliance to store original log messages).
• Configuring your network connectors (sensors) for use with nDepth to store
original log messages.

Using a separate nDepth appliance


If needed, you can use a separate nDepth appliance for long-term storage and
retrieval of your network's original event log messages. In this configuration, each
Manager has its own dedicated nDepth appliance. The appliance stores all of the
original log file source data that passes through a particular Manager. The log
data is stored in its entirety, in real time, as it originally occurs from each host
(network device) and source (application or connector) that is monitored by the
Manager.
Even when you use a separate appliance, you can still access and explore this
information from the Console's nDepth view.
The primary advantage of using a separate nDepth appliance is that it provides
you with the capacity for long-term storage and retrieval of the original log
messages. If long-term storage of this information is a high priority, then you will
want to consider a separate appliance; otherwise, a separate appliance is
probably unnecessary. If you have questions, contact your SolarWinds sales
representative or SolarWinds Technical Support.

Installing a Separate nDepth Appliance


If you would like to use a separate nDepth appliance for long-term storage and
retrieval of the original log messages, then you must install that appliance before


you begin using nDepth. Contact SolarWinds Technical Support for instructions
on installing a separate appliance.
If you are not using a separate appliance, this procedure is not required, because
short-term log messages are stored directly on LEM.

Configuring Network Connectors for Use with nDepth


To use nDepth to explore your network's original log messages, you must
configure each connector (sensor) for use with nDepth with the Console's
Connector Configuration form.
First, decide which network devices, applications, and connectors that are
monitored by the Manager are to also send their log messages to nDepth. Then
configure each of these connectors for use with nDepth. You can choose to route
a connector's log messages to LEM, directly to nDepth, or to both.
SolarWinds recommends that you configure each connector so it routes its log
messages to both nDepth and LEM. This allows you to receive events on these
connectors, and to search log messages stored on the separate nDepth
appliance.

How many days of live data will the LEM database store?
The number of days' worth of live data that the LEM database will store
varies for every implementation. The information below should help you
determine this number for your environment, while also promoting a more
detailed understanding of how the database works in general.

This article contains the following sections:
• What the LEM Database Stores
• Where to Find the Numbers
• Alternate Storage Methods

By default, the LEM database is allowed 230 GB of the 250 GB allocated to the
LEM virtual appliance. This partition consists of three data stores:
1. Syslog/SNMP data from devices logging to the LEM appliance;
2. Normalized Event data; and
3. Original, or "raw," log data, if enabled.



For the sake of this article, we'll call #1 the Syslog store. The Syslog store
consists of all Syslog/SNMP log data that is sent to the LEM appliance. The LEM
appliance reads and processes the data in real time, and then sends it to the
Event store for long-term storage. The LEM appliance stores the original data for
50 days in its original format, just in case you need to review it, and compresses
and rotates the data in the Syslog store daily, maintaining a consistent 50 days'
worth of data. The amount of data being stored here should level off at around the
50-day mark.
The Event store, #2 above, consists of all of the normalized Events generated by
the LEM Manager and LEM Agents. Data in this store is compressed at a ratio of
40:1 to 60:1, which equates to an average compression rate of about 95-98%.
LEM Reports and nDepth query this store for Event data whenever they're run.
Finally, the original log store, #3 above, is an optional store for original, or "raw,"
log messages, which is searchable using Log Message queries in nDepth. The
data in this store can come from LEM Agents or other devices that are logging to
the LEM appliance. You can define whether data is sent to this store at the
connector level, so not all devices have to log in this manner. For more
information, see Configuring Your LEM Appliance for Log Message Storage and
nDepth Search in the SolarWinds Knowledge Base.

Where to Find the Numbers


There are three primary sources for statistics related to how your LEM database is
being used: the Disk Usage summary in the CMC, the Database Maintenance
Report, and the Log Storage Maintenance Report.

Disk Usage Summary


When you initially log into your LEM virtual appliance using the vSphere
"console" view or an SSH client such as PuTTY, the LEM appliance
automatically generates a Disk Usage summary. You can also generate an ad
hoc Disk Usage summary by running the diskusage command from the
cmc::acm# (cmc > appliance) prompt. The two lines to note here are:
Logs/Data: This figure represents the total space being utilized by your LEM
database. This value is presented in the percent% (usedG/allocatedG) format,
where percent is the percent of the allocated space that is currently being used,
used is the actual amount of space that is currently being used, and allocated is
the total amount of space that is currently allocated to the LEM database.


Logs: This figure represents the amount of space being utilized by the Syslog
store. This figure is included in the used figure noted above.
To figure out how much space is currently being utilized by your Event store,
subtract the Logs value from the used value.
Note: If you are storing original log messages in your LEM database, the
calculation above will show you the combined space being utilized by both your
Event and original log stores.
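As an added example (not part of the SolarWinds manual), this Python parses the two Disk Usage summary lines described above and performs the subtraction that gives the Event store figure, labelling the result as a combined Event and original log figure when raw log storage is enabled. The sample summary text is constructed to match the percent% (usedG/allocatedG) format; the real diskusage output contains other lines that are ignored here.

```python
import re

# Constructed sample of the two Disk Usage summary lines the text describes.
SAMPLE_SUMMARY = """\
Logs/Data: 45% (103G/230G)
Logs: 20G
"""

# "Logs/Data: percent% (usedG/allocatedG)" and "Logs: <size>G".
# The anchored "^Logs:" pattern cannot match the "Logs/Data:" line.
LOGS_DATA_RE = re.compile(
    r"^Logs/Data:\s*(\d+)%\s*\((\d+(?:\.\d+)?)G/(\d+(?:\.\d+)?)G\)", re.M)
LOGS_RE = re.compile(r"^Logs:\s*(\d+(?:\.\d+)?)G", re.M)


def parse_disk_usage(summary, raw_logs_enabled=False):
    """Return the allocated, used, Syslog-store and remaining-store sizes in GB.

    The remainder (used minus Logs) is the Event store, unless original log
    messages are also stored in the database, in which case it is the combined
    Event and original log store and is reported under a different key."""
    logs_data = LOGS_DATA_RE.search(summary)
    logs = LOGS_RE.search(summary)
    if not logs_data or not logs:
        raise ValueError("Logs/Data or Logs line not found in Disk Usage summary")
    percent = int(logs_data.group(1))
    used = float(logs_data.group(2))
    allocated = float(logs_data.group(3))
    syslog_store = float(logs.group(1))
    if syslog_store > used:
        raise ValueError("Logs figure exceeds the Logs/Data used figure")
    result = {
        "percent_used": percent,
        "allocated_gb": allocated,
        "used_gb": used,
        "free_gb": round(allocated - used, 2),
        "syslog_store_gb": syslog_store,
        # Cross-check: the reported percentage should agree with used/allocated.
        "percent_consistent": abs(round(100 * used / allocated) - percent) <= 1,
    }
    remainder = round(used - syslog_store, 2)
    if raw_logs_enabled:
        result["event_and_raw_log_store_gb"] = remainder
    else:
        result["event_store_gb"] = remainder
    return result


if __name__ == "__main__":
    for key, value in parse_disk_usage(SAMPLE_SUMMARY).items():
        print(f"{key:28} {value}")
```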
Database Maintenance Report
Run the Database Maintenance Report in LEM Reports to see a snapshot of your
current database utilization. For the sake of this discussion, note the following
sections:
Disk Usage Summary: This section provides disk usage figures as percentages
of the space allocated to the LEM database.
Disk Usage Details: This section provides the actual amounts related to the
percentages in the Disk Usage Summary section.
Database Time Span (days): Note the Event DB value in this section. This value
tells you how many days' worth of live Event data is currently stored on your LEM
database. For detailed information about this value, see the second page of the
Database Maintenance Report.
Note: The Other Files figure in the Database Maintenance Report consists
primarily of the data in the Syslog store noted above.

Log Storage Maintenance Report


Run the Log Storage Maintenance Report in LEM Reports to get detailed
information about the original log store noted above. If you have not enabled your
LEM appliance and connectors to store original log messages, this report will be
blank.

Alternate Storage Methods


Depending on the needs of your environment, you might want to utilize one or
more of the alternate storage methods listed below. For more details or
assistance with any of these methods, please open a ticket with Support.
• Back up your LEM virtual appliance on a regular basis. This will give you
"offline" storage for all of your LEM data stores and configuration settings.
For instructions and recommendations, see the Log & Event Manager >
Backup section of the SolarWinds Knowledge Base.
• Decrease the number of days for which Syslog/SNMP data is stored on your
LEM virtual appliance.
• Deploy another LEM virtual appliance to be used as a Syslog server.
• Deploy another LEM virtual appliance to be used as a database server.
• Increase the space allocated to your LEM virtual appliance.

Chapter 16: Enabling Transport Layer Security
The Transport Layer Security (TLS) option introduces an extra level of security for
data transfers between a LEM database and the Reports application. By default,
TLS is disabled both on newly deployed 6.0.1 appliances and on LEM appliances
updated from previous versions. The enabling procedure differs depending on your
LEM configuration (standalone or with a dedicated database appliance).
Note: During the process, the LEM certificate for accessing the Web or AIR
Console needs to be rebuilt. This means that machines used to access LEM Web
or AIR Console need to have the certificate re-imported.

Enabling Standalone LEM Appliance


1. Access the cmc prompt, either from the vSphere/Hyper-V Client console or
via the SSH client.
Note: The following steps are mandatory for upgraded LEM Appliances. If
you have a freshly deployed 6.0.1 appliance, proceed to step 7; the default
hostname is swi-lem.
2. At the cmc> prompt, enter appliance.
3. At the cmc::acm# prompt, enter hostname.
4. At the Please enter the new hostname prompt, enter the name of your
manager.
Note: Enter the currently used hostname if you do not want the LEM
manager name to change.
5. At the cmc::acm# prompt, enter exit.
6. At the cmc> prompt, enter manager.
7. At the cmc::cmm# prompt, enter exportcert.
8. Follow the prompts to export LEM Manager CA certificate.

Note: An accessible network share is required. Once the export is
successful, you will see the following message: Exporting CA Cert to
\\server\share\SWICAer-hostname.crt ... Success.
9. At the cmc::cmm# prompt, enter enabletls.
11. At the cmc::cmm# prompt, enter restart.
This concludes the TLS configuration of a standalone LEM Manager. Follow
"Setting up a Dedicated LEM User for Reports Accessing" on page 389 to set up
a user for accessing Reports and "Configuring Reports Application" on page
390 to configure the Reports application itself.

Setting up a Dedicated LEM User for Reports Accessing
Note: LEM 6.0.1 requires authorization to access LEM from the Reports
application. This means that a user with the Reports role has to be created in the
LEM Console. If you already have a suitable user, proceed to "Configuring
Reports Application" on page 390.
1. Login to the LEM Web or AIR Console as a user with Administrator rights.
2. Navigate to Build > Users page.
3. Click + to create new LEM User.
4. Fill in the text fields. Username and Password are mandatory.
5. Select the Reports option from the LEM Role dropdown.
Note: Other roles that can query LEM via Reports are Administrator and
Auditor.
6. Save the new user.
Note: If you have an Active Directory Connector configured, you can use a
directory service user as a Reports user instead of a built-in LEM one.

Configuring Reports Application


1. Start the LEM Reports 6.0.1 application.
2. Select Managers Credentials and Certificates option under the Configure
button.
3. Click the green button.
4. Specify the manager IP or hostname.
5. Fill in the credentials of the user created previously in Web Console.
6. Check the Use TLS connection? box.
Note: You can also ping the address you specified by pressing the Test Connection
button. This option does not validate the credentials or check TLS availability.
7. Click the green button again to add a new Manager.
8. Select the Certificates tab.
9. Click the Import Certificate button.
10. Browse and Open LEM certificate (e.g. the network share folder specified
during certificate export).
11. Use the certificate from the Database Appliance in case you have LEM
configured with a dedicated Database.
12. Close the Manager Configuration window.
Note: There is no need to import the LEM CA certificate again if the LEM
changed its hostname.

Enabling TLS on a LEM Manager with a Dedicated Database Appliance
1. Access the cmc prompt (either from vSphere/Hyper-V Client console or via
SSH client).
2. At the cmc> prompt, enter appliance.
3. At the cmc::acm# prompt, enter hostname.


4. At the Please enter the new hostname prompt, specify the desired name of
your manager.
Note: If you don't want your LEM manager name to change, enter the
currently used hostname.
5. At the cmc::acm# prompt, enter exit.
6. At the cmc> prompt, enter manager.
7. At the cmc::cmm# prompt, enter exportcert.
8. Follow the prompts to export LEM CA certificate.
Note: An accessible network share is required. Once the export is
successful, you will see the following message: Exporting CA Cert to
\\server\share\SWICAert-hostname.crt ... Success.
9. At the cmc::cmm# prompt, enter enabletls.

Enabling TLS on LEM Database


1. Access the cmc prompt (either from vSphere/Hyper-V Client console or via
SSH client).
2. At the cmc> prompt, enter appliance.
3. At the cmc::acm# prompt, enter hostname.
4. At the Please enter the new hostname prompt, specify the desired name of
your manager.
Note: If you don't want your LEM manager name to change, enter the
currently used hostname.
5. At the cmc::acm# prompt, enter exit.
6. At the cmc> prompt, enter manager.
7. At the cmc::cmm# prompt, enter exportcert.
8. Follow the prompts to export LEM CA certificate.

Note: An accessible network share is required. Once the export is
successful, you will see the following message: Exporting CA Cert to
\\server\share\SWICAert-hostname.crt ... Success.
9. At the cmc::cmm# prompt, enter enabletls.
Note: To use a custom CA to sign the Database or Manager certificate, you must
generate and sign the certificate after changing the hostname.
This is used

Importing Certificates into the Manager and Database
Manager and Database nodes need to trust each others certificates. This can be
done by importing certificates from both sides.
Note: You do not need to perform the steps in this chapter on any appliance in
these two cases:
• You have upgraded from 6.0.0 or earlier.
• A clean 6.0.1 or newer was deployed and a CA was used to sign both LEM
certificates.

1. Access the cmc prompt of LEM Manager.


2. At the cmc> prompt, enter manager.
3. At the cmc::cmm# prompt, enter importl4ca.
4. Choose the network share location specified during certificate export of
Database.
5. When prompted for a file name, specify the name of Database certificate.
6. Enter the full filename required including the file extension.
7. Access the cmc prompt of LEM Database.
8. At the cmc> prompt, enter manager.
9. At the cmc::cmm# prompt, enter importl4ca.
10. Choose the network share location specified during certificate export of
Manager.
11. When prompted for a file name, specify the name of Manager certificate.

Note: The full filename is required, including the file extension.


This concludes the TLS configuration of a LEM Manager with a dedicated
database appliance. Follow the instructions in "Setting up a Dedicated LEM
User for Reports Accessing" on page 389 to set up a user for accessing reports,
and "Configuring Reports Application" on page 390 to configure the Reports
application.

Chapter 17: Troubleshooting


If you do not see the events you expected to see in the LEM Console, use the
following procedures to troubleshoot your LEM Agents and network devices.
Troubleshooting the LEM Agent
Start by determining whether the LEM Agent is connected to the LEM appliance:
1. Open the LEM Console and log in to your LEM appliance.
2. Click the Manage tab, and then select Nodes.
3. To filter this list to show just LEM Agents, select Agent from the Nodes menu
on the Refine Results pane.
Note: Refer to the icon in the Status column to determine which procedures to
use.

Troubleshooting Disconnected or Missing LEM Agents
Complete these procedures for LEM Agents that show in the LEM Console as
"Disconnected," or do not show in the LEM Console at all.
To troubleshoot LEM Agents that you cannot see in the LEM Console:
1. Verify you have installed the LEM Agent on the host computer.
2. If you have installed the LEM Agent, complete the procedure for how to
troubleshoot LEM Agents that show as "Disconnected" in the LEM Console.
To troubleshoot LEM Agents that show as "Disconnected" in the LEM Console:
1. Verify the LEM Agent service is running on the host computer.
2. Verify you can ping the LEM appliance by hostname from the LEM Agent
computer.
3. If you can ping the appliance by hostname, clear the LEM Agent certificate.
4. If you cannot ping the appliance by hostname, try pinging the appliance by IP
address.


5. If you can ping the appliance by IP address, do one of the following:
• Edit spop.conf so the LEM Agent calls the LEM appliance by its IP address
instead of its hostname. For instructions, see the spop.conf procedure later
in this section.
• Change your DNS settings so the LEM Agent computer can resolve the
LEM appliance's hostname (recommended).

6. If you cannot ping the appliance by IP address, resolve any network or firewall
issues between the LEM Agent and appliance.
To edit spop.conf so the LEM Agent calls the LEM appliance by its IP address
(Windows):
1. Stop the SolarWinds Log and Event Manager Agentservice.
2. Delete thespopfolder(do not delete theContegoSPOPfolder):
l

32-bit computers:C:\Windows\System32\ContegoSPOP\spop

64-bit computers:C:\Windows\SysWOW64\ContegoSPOP\spop

3. In the ContegoSPOPfolder, open and modify thespop.conffile by replacing


theManagerAddressvalue with the LEM appliance's IP address.
4. Save and close the file.
5. Start the>SolarWinds Log and Event Manager Agentservice.
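The ping checks in steps 2 through 5 and the ManagerAddress edit, as an added Python example that is not SolarWinds code: it assumes spop.conf is a plain key=value file (the documentation does not state its format) and takes the ping check as a callable so the logic runs offline.

```python
"""Decide whether a LEM Agent keeps calling the appliance by hostname or
falls back to the appliance IP address in spop.conf, following the ping
checks in the procedure above (hostname, then IP, then edit ManagerAddress
or fix DNS).

Assumptions not stated in the LEM documentation: spop.conf is a plain
key=value file, and 'ping' is supplied as a callable so this runs offline.
"""
import ipaddress
import re
from typing import Callable, Optional, Tuple

# Default spop.conf locations named in the procedure (32-bit / 64-bit Windows).
SPOP_CONF_PATHS = {
    "32-bit": r"C:\Windows\System32\ContegoSPOP\spop.conf",
    "64-bit": r"C:\Windows\SysWOW64\ContegoSPOP\spop.conf",
}

# Matches the ManagerAddress line; the value may be a hostname or an IP address.
_MANAGER_RE = re.compile(r"^(\s*ManagerAddress\s*=\s*)(.*?)(\s*)$", re.MULTILINE)

# Constructed sample file content (not a real spop.conf).
SAMPLE_CONF = "ManagerAddress=lem.example.internal\nOtherSetting=1\n"


def manager_address(conf_text: str) -> Optional[str]:
    """Return the current ManagerAddress value, or None if the key is absent."""
    m = _MANAGER_RE.search(conf_text)
    return m.group(2) if m else None


def set_manager_address(conf_text: str, new_value: str) -> str:
    """Return conf_text with the ManagerAddress value replaced (key must exist)."""
    if _MANAGER_RE.search(conf_text) is None:
        raise ValueError("spop.conf has no ManagerAddress key")
    return _MANAGER_RE.sub(lambda m: m.group(1) + new_value + m.group(3),
                           conf_text, count=1)


def diagnose(hostname: str, appliance_ip: str,
             reachable: Callable[[str], bool]) -> str:
    """Map the ping checks to one outcome.

    reachable(target) stands in for 'ping <target>' (steps 2 and 4).
      'hostname-ok'  the name answers: the address is not the problem (step 3)
      'ip-only'      only the IP answers: edit spop.conf or fix DNS (step 5)
      'unreachable'  neither answers: network or firewall issue (step 6)
    """
    ipaddress.ip_address(appliance_ip)  # raises ValueError for a non-IP literal
    if reachable(hostname):
        return "hostname-ok"
    if reachable(appliance_ip):
        return "ip-only"
    return "unreachable"


def repair_conf(conf_text: str, appliance_ip: str,
                reachable: Callable[[str], bool]) -> Tuple[str, str]:
    """Apply the decision to an in-memory spop.conf; return (outcome, new_text).

    Only the 'ip-only' case rewrites the file, which is the workaround the
    procedure gives; fixing DNS is the recommended fix and stays manual.
    """
    current = manager_address(conf_text)
    if current is None:
        raise ValueError("spop.conf has no ManagerAddress key")
    outcome = diagnose(current, appliance_ip, reachable)
    if outcome == "ip-only":
        return outcome, set_manager_address(conf_text, appliance_ip)
    return outcome, conf_text


def demo() -> Tuple[str, str]:
    """Run the check with a stand-in ping where only the IP address answers."""
    return repair_conf(SAMPLE_CONF, "10.0.0.5", lambda target: target == "10.0.0.5")
```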

Troubleshooting Connected LEM Agents

Complete the following procedures for LEM Agents that show in the LEM Console
as Connected.
To troubleshoot LEM Agents that show as "Connected" in the LEM Console:
1. Verify you have configured the appropriate connectors on the LEM Agent. For
example, the LEM Agent for Windows runs the connectors for the Windows
Application and Security Logs by default, but you must configure the
connector for the DNS server role.
2. Verify the connectors you have configured are running.
3. If the necessary connectors are configured and running, delete and recreate
the connectors that are not working.
Contacting Support

If you still do not see events from your LEM Agents after completing these
procedures, send the following files to SolarWinds Support (default paths):
32-bit Windows OS:
   - C:\Windows\System32\ContegoSPOP\spoplog.txt (the most recent version)
   - C:\Windows\System32\ContegoSPOP\tools\readerState.xml
64-bit Windows OS:
   - C:\Windows\SysWOW64\ContegoSPOP\spoplog.txt (the most recent version)
   - C:\Windows\SysWOW64\ContegoSPOP\tools\readerState.xml

Troubleshooting Network Devices

Start by determining whether the device is sending data to the LEM appliance:
1. Connect to your LEM appliance using the VMware "console" view, or an
SSH client such as PuTTY.
2. If you're connecting to your appliance through SSH, log in as the CMC user,
and provide the appropriate password.
3. If you're connecting to your appliance using VMware, select Advanced
Configuration on the main console screen, and then press <Enter> to get
to the command prompt.
4. At the cmc> prompt, enter appliance.
5. At the cmc::acm# prompt, enter checklogs.
6. Enter an item number to select a log file to view.
7. Check each log file that is not empty for evidence that the device is logging
to the appliance, such as the device's product name, device name, or IP
address.

Troubleshooting Network Devices Logging to LEM

To monitor a network device with LEM, you must first configure the device to send
its log messages to the LEM appliance. Determine whether or not the device you
are troubleshooting is logging to LEM prior to completing the following
troubleshooting procedures.
To determine whether the LEM appliance is receiving data from the device:
1. Connect to your LEM appliance using a virtual console or SSH client.
2. Access the CMC prompt:
   - Virtual Console: Arrow down to Advanced Configuration, and then press
   Enter.
   - SSH Client: Log in using your CMC credentials.
3. At the cmc> prompt, enter appliance.
4. At the cmc::acm# prompt, enter checklogs.
5. Enter an item number to select a log file to view.
6. Check each log file that is not empty for evidence that the device is logging
to the appliance, such as the device's product name, device name, or IP
address.
Devices Not Logging to a Log File on the Appliance

Complete the following procedures for network devices that do not show
data on the LEM appliance.
To troubleshoot network devices that have not sent logs to the LEM
appliance:
1. Verify you have configured the device to log to the LEM appliance.
2. Verify the device is logging to the correct IP address for the LEM appliance.
3. If the device is sending SNMP traps to the LEM appliance, verify you have
configured the LEM appliance to accept SNMP traps.
4. Verify a firewall is not blocking communication between the device and the
LEM appliance.
To configure your LEM Manager to accept SNMP traps:
1. Connect to your LEM appliance using a virtual console or SSH client.
2. Access the CMC prompt:
   - Virtual Console: Arrow down to Advanced Configuration, and then
   press Enter.
   - SSH Client: Log in using your CMC credentials.
3. At the cmc> prompt, enter service.
4. At the cmc::scm# prompt, enter enablesnmp.
5. Press Enter to confirm your entry.
6. After you see the message, Done starting the SNMP service, enter exit to
return to the cmc> prompt.

Troubleshooting Devices Logging to a Log File on the Appliance

Complete the following procedure for network devices that show data on the LEM
appliance.
To troubleshoot network devices that have sent logs to the LEM appliance:
1. Verify you have configured the appropriate connector on the LEM
appliance. For information about how to troubleshoot connectors that are
out of date, see Troubleshooting "Unmatched Data" or "Internal New Tool
Data" events in your LEM Console.
2. Verify the connector you have configured is running.
3. If the necessary connector is configured and running, delete and recreate
the connector instance.

Contacting Support
If you still do not see events from your network device after completing these
procedures, send a screenshot of your device's logging configuration screens to
SolarWinds Support.


Appendix A: Standard Widget Tables

The following table briefly describes the widgets that ship with the LEM Console.

Widget name/Filter                        Description
All Events                                Displays all events from all filters.
Events by Event Type                      Displays a count of the top 10 events by event type (event name).
Events by Connector Name                  Displays the number of events being captured by each configured connector, over time.
Events per Minute                         Displays the total count of events per minute for the last 15 minutes.
Change Management                         Displays events related to changes occurring on the network.
Change Management Events by Agent         Displays the top 10 Agents generating change management events.
Change Management Events by Type          Displays the top 10 change management events by event type.
Failed Logons                             Displays all user account failed logon attempts.
Failed Logons by User Account             Displays the top 5 Failed Logons by User Account name.
File Audit Failures                       Displays FileAuditFailure events, which show failed attempts to access audited files.
File Audit Failures by File Name          Displays the top 10 file names generating file audit failures.
File Audit Failures by Source Account     Displays the top 10 source accounts generating file audit failures.
Firewall                                  Displays all events from firewall devices.
Firewall Events by Firewall               Displays the top 5 firewalls generating firewall events.
Firewall Events by Type                   Displays the top 5 firewall events by event type.
Incidents                                 Displays all Incident events.
Incidents by Rule Name                    Displays the top 5 incidents by the name of the rule that generated the Incident.
Interactive Logons by User Account        Displays the top 10 user logons by user account name.
My Rules Fired by Rule Name               Displays the top 5 subscribed events by the name of the rule that generated them.
Network Events                            Displays all Network events.
Network Events by Source Machine          Displays the top 10 machines generating network events.
Network Event Trends                      Displays the top 10 network-related events by event type.
Rule Activity                             Shows all of the rules that have fired.
Rules Fired by Rule Name                  Displays the top 5 rules fired by rule name.
Security Processes                        Displays process launches and exits from processes in the "Security Processes" User-Defined Group, which is used to monitor critical security-related processes.
Security Processes by Agent               Displays the top 10 Agents generating security process events.
Subscriptions                             Displays events created by rules you are "Subscribed" to in the Rules area.
SolarWinds Events                         Displays all Internal events (events generated during operation of the LEM).
Unusual Network Traffic                   Displays events that indicate unusual or suspicious network traffic.
Unusual Network Traffic by Destination    Displays the top 5 destinations for unusual network traffic.
Unusual Network Traffic by Source         Displays the top 10 sources of unusual network traffic.
USB-Defender                              Displays all USB-Defender events.
USB-Defender Activity by Detection IP     Displays the top 5 Agents with the most USB-Defender events.
USB File Auditing                         Displays USB-Defender's File Auditing events.
USB File Auditing by Detection IP         Displays the top 5 Agents with the most USB file auditing events.
User Logons                               Displays all user account logons.
User Logons by Agent                      Displays the top 5 Agents reporting user logons.
User Logons by Source Machine             Displays the top 5 user logons by source machine.
User Logons by User Account               Displays the top 10 user logons by user account name.
User Logons (Interactive)                 Displays interactive user account logons.
Virus Attacks                             Displays all virus attack events.
Virus Attacks by Source Machine           Displays the top 5 sources of virus attacks or infections.


Appendix B: Events
This appendix describes every event type that is displayed in the Events Panel
and that can be configured with the Policy commands.
Note: LEM reports events in a hierarchical node tree, shown here. When you
click a node to open it, you will see that most nodes also have lower-level nodes.
Each node that has lower-level nodes is called a parent node. Similarly, all lower-level nodes below a particular parent node can be thought of as child nodes or
children to that parent node. Naturally, the term parent and child applies to the
node, relative to its position and role on the node tree. That is, a node can be a
child to one node, and a parent to others.

LEM automatically assigns alerts to the nodes of the alert tree based on the
specific nature of the alert and its severity.

Event types

There are five types of events:
   - Asset Events relate to the changing state of different types of enterprise
   assets, including software, hardware, and users. These alerts can indicate
   changes made to system configurations, software updates, patch
   applications, vulnerability information, and other system events.
   - Audit Events are generally related to normal network activity that would not
   be considered an attack, compromise, or misuse of resources. Many of the
   audit alerts have rules that can be used to threshold and escalate normal
   behavior into something which may be considered a security event.
   - Incident Events are used to raise global enterprise-wide visibility
   in response to any issue detected by Rules. Incidents generally reflect
   serious issues that should be addressed. Since Incidents are created by
   Rules, any combination of malicious or suspicious traffic from any other
   single alert or combination of alerts can create an Incident.
   - Internal Events are related to the operation of the LEM system. Any events
   generated by LEM relating to Active Response, LEM users, or LEM errors
   will appear under one of the many children. These alerts are for
   informational purposes. They do not necessarily reflect conditions that
   should cause alarm. Events that may reflect potential issues within LEM are
   specifically marked for forwarding to SolarWinds.
   - Security Events are generally related to network activity that is consistent
   with an internal or external attack, a misuse or abuse of resources, a
   resource compromise, resource probing, or other abnormal traffic that is
   noteworthy. Security Events indicate aggressive behavior that may lead to
   an attack or resource compromise, or suspicious behavior that may indicate
   unauthorized information gathering. LEM infers some Security Events from
   what is normally considered audit traffic, but it escalates the events to alert
   status based on thresholds that are defined by Rules.

Asset Events
Asset Events deal with assets and asset scan results. They relate to the changing
state of different types of enterprise assets, including software, hardware, and
users. Asset information can come from centralized directory service connectors,
or it can be scan information from security scan connectors, including
Vulnerability Assessment and Patch Management connectors. Therefore, these
alerts indicate changes made to system configurations, software updates, patch
applications, vulnerability information, and other system events.
Each Asset Event is described below. For your convenience, they are listed
alphabetically.
AssetManagement
AssetManagement alerts are for gathering non-realtime data about system assets
(computer, software, users). The data will come from various sources, including
Directory Service connectors.
AssetManagement > MachineAsset
MachineAsset is a specific type of AssetManagement alert that indicates
additions, removals, and updates (including software installation) of specific
nodes that exist in the enterprise.
AssetManagement > MachineAsset > MachineAssetAdded
MachineAssetAdded alerts indicate a new presence of a node (host or network
device) in the enterprise.
AssetManagement > MachineAsset > MachineAssetRemoved
MachineAssetRemoved alerts indicate the removal of a node (host or network
device) from the enterprise.
AssetManagement > MachineAsset > MachineAssetUpdated
MachineAssetUpdated alerts indicate a change to an existing node (host or
network device) in the enterprise, including new software and software patch
installations on the node.
AssetManagement > MachineAsset > MachineAssetUpdated > SoftwareAssetUpdated
SoftwareAssetUpdated alerts indicate an attempted software change (including
application of a software patch) to an existing node (host or network device) in the
enterprise, successful or failed.
AssetManagement > MachineAsset > MachineAssetUpdated > SoftwareAssetUpdated > SoftwareAssetPatched
SoftwareAssetPatched alerts indicate a successful application of a software patch
to an existing node (host or network device) in the enterprise.
AssetManagement > MachineAsset > MachineAssetUpdated > SoftwareAssetUpdated > SoftwareAssetPatchFailed
SoftwareAssetPatchFailed alerts indicate a failed application of a software patch
to an existing node (host or network device) in the enterprise.
AssetManagement > SoftwareAsset
SoftwareAsset is a specific type of AssetManagement alert that indicates
additions, removals, and updates of specific software and software versions that
exist in the enterprise.
AssetManagement > SoftwareAsset > SoftwareAssetAdded
SoftwareAssetAdded alerts indicate a new presence of an installation of specific
software applications or operating systems in the enterprise.
AssetManagement > SoftwareAsset > SoftwareAssetAdded > SoftwareAssetVersionAdded
SoftwareAssetVersionAdded alerts indicate a new version installation of specific
known software applications or operating systems in the enterprise.
AssetManagement > SoftwareAsset > SoftwareAssetRemoved
SoftwareAssetRemoved alerts indicate removals of specific software applications
or operating systems from the enterprise.
AssetManagement > UserAsset
UserAsset is a specific type of AssetManagement alert that indicates additions,
removals, and updates to users and user groups that exist in the enterprise.
AssetManagement > UserAsset > GroupAssetAdded
GroupAssetAdded alerts indicate a new presence of a user group in the
enterprise.
AssetManagement > UserAsset > GroupAssetRemoved
GroupAssetRemoved alerts indicate the removal of a user group from the
enterprise.
AssetManagement > UserAsset > GroupAssetUpdated
GroupAssetUpdated alerts indicate a change to a user group that exists in the
enterprise, including group member additions and deletions.
AssetManagement > UserAsset > GroupAssetUpdated > GroupAssetMemberAdded
GroupAssetMemberAdded alerts indicate an addition of a user member to a user
group that exists in the enterprise.
AssetManagement > UserAsset > GroupAssetUpdated > GroupAssetMemberRemoved
GroupAssetMemberRemoved alerts indicate a removal of a user member from a
user group that exists in the enterprise.
AssetManagement > UserAsset > UserAssetAdded
UserAssetAdded alerts indicate a new presence of a user in the enterprise.
AssetManagement > UserAsset > UserAssetRemoved
UserAssetRemoved alerts indicate the removal of a user from the enterprise.
AssetManagement > UserAsset > UserAssetUpdated
UserAssetUpdated alerts indicate a change to a user that exists in the enterprise.
AssetScanResult
AssetScanResult contains alerts useful for data gathered from security scan
results (reports). These alerts are commonly gathered from Vulnerability
Assessment and Patch Management connectors.
AssetScanResult > ExposureFound
ExposureFound alerts indicate scan results that are not high risk but demonstrate
configuration issues or potential risks. These alerts may indicate exposures that
can potentially cause future exploits or have been common sources of exploits in
the past, such as common open ports or host configuration issues.
AssetScanResult > VulnerabilityFound
VulnerabilityFound alerts indicate scan results that demonstrate high risk
vulnerabilities. These alerts can indicate the presence of serious exposures that
should be addressed and can represent significant risk of exploit or infection of
enterprise assets.
GeneralAsset
GeneralAsset alerts are generated when a supported product outputs data that
has not yet been normalized into a specific alert, but is known to be asset issue-related.


Audit Events
Events that are children of AuditEvent node are generally related to normal
network activity that would not be considered an attack, compromise, or misuse of
resources. Many of the audit alerts have rules that can be used to threshold and
escalate normal behavior into something which may be considered a security
event.
Each Audit Event is described below. For your convenience, they are listed
alphabetically.
AuthAudit
Events that are part of the AuthAudit tree are related to authentication and
authorization of accounts and account ''containers'' such as groups or domains.
These alerts can be produced from any network node including firewalls, routers,
servers, and clients.
AuthAudit > DomainAuthAudit
DomainAuthAudit events are authentication, authorization, and modification
events related only to domains, subdomains, and account containers. These
alerts are normally operating system related, however could be produced by any
network device.
AuthAudit > DomainAuthAudit > NewDomainMember
NewDomainMember events occur when an account or account container has
been added to a domain. Usually, these additions are made by a user account
with administrative privileges, but occasionally a NewDomainMember alert will
also happen when local system maintenance activity takes place.
AuthAudit > DomainAuthAudit > DeleteDomainMember
DeleteDomainMember events occur when an account or account container has
been removed from a domain. Usually, these changes are made by a user
account with administrative privileges, but occasionally a DeleteDomainMember
alert will also happen when local system maintenance activity takes place.
AuthAudit > DomainAuthAudit > ChangeDomainMember
A ChangeDomainMember alert occurs when an account or account container
within a domain is modified. Usually, these changes are made by a user account
with administrative privileges, but occasionally a ChangeDomainMember alert
will also happen when local system maintenance activity takes place.
AuthAudit > DomainAuthAudit > ChangeDomainMember > DomainMemberAlias
DomainMemberAlias events happen when an account or account container
within a domain has an alias created, deleted, or otherwise modified. This event
is uncommon and is used to track links between domain members and other
locations in the domain where the member may appear.
The alias for a domain member has been changed.
AuthAudit > DomainAuthAudit > NewDomain
NewDomain events occur upon creation of a new trust relationship between
domains, creation of a new subdomain, or creation of new account containers
within a domain. Usually, these creations are done by a user account with
administrative privileges.
AuthAudit > DomainAuthAudit > ChangeDomainAttribute
ChangeDomainAttribute events occur when a domain type is changed. These
events are uncommon and usually provided by the operating system. Usually,
these changes are made by a user account with administrative privileges, but
occasionally a ChangeDomainAttribute alert will also happen when local system
maintenance activity takes place.
AuthAudit > DomainAuthAudit > DeleteDomain
DeleteDomain events occur upon removal of a trust relationship between
domains, deletion of a subdomain, or deletion of account containers within a
domain. Usually, these changes are made by a user account with administrative
privileges.
AuthAudit > GroupAudit
GroupAudit events are authentication, authorization, and modification events
related only to account groups. These alerts are normally operating system
related, however could be produced by any network device.
AuthAudit > GroupAudit > ChangeGroupAttribute
ChangeGroupAttribute events occur when a group type is modified. Usually,
these changes are made by a user account with administrative privileges, but
occasionally a ChangeGroupAttribute alert will also happen when local system
maintenance activity takes place.
AuthAudit > GroupAudit > DeleteGroup
DeleteGroup events occur upon deletion of a group of any type. Usually,
these deletions are made by a user account with administrative privileges.
AuthAudit > GroupAudit > DeleteGroupMember
DeleteGroupMember events occur when an account or group has been removed
from a group. Usually, these changes are made by a user account with
administrative privileges, but occasionally a DeleteGroupMember alert will also
happen when local system maintenance activity takes place.
AuthAudit > GroupAudit > NewGroup
NewGroup events occur upon creation of a new group of any type. Usually, these
additions are made by a user account with administrative privileges.
AuthAudit > GroupAudit > NewGroupMember
NewGroupMember events occur when an account (or other group) has been
added to a group. Usually, these additions are made by a user account with
administrative privileges, but occasionally a NewGroupMember alert will also
happen when local system maintenance activity takes place.
A new user, machine, or service account has been added to the group.
AuthAudit > MachineAuthAudit
MachineAuthAudit events are authentication, authorization, and modification
events related only to computer or machine accounts. These alerts can be
produced from any network node including firewalls, routers, servers, and clients,
but are normally operating system related.
AuthAudit > MachineAuthAudit > MachineAuthTicketFailure
MachineAuthTicketFailure alerts reflect failed computer or machine account ticket
events from network devices that use a ticket-based single-sign-on system (such
as Kerberos or Windows domains). Each alert will reflect the point on the network
where the computer or machine was attempting logon. In larger quantities, these
alerts may reflect a potential issue with a computer or set of computers, but as
individual events they are generally not a problem.
AuthAudit > MachineAuthAudit > MachineAuthTicket
MachineAuthTicket alerts reflect computer or machine account ticket events from
network devices monitored by Contego that use a ticket-based single-sign-on
system (such as Kerberos or Windows domains). Each alert will reflect the type of
device the logon was intended for along with all other relevant fields.
AuthAudit > MachineAuthAudit > MachineDisable
MachineDisable events occur when a machine account is actively disabled
and/or when an account is forcibly locked out by the operating system or other
authentication connector. These events are usually operating system related and
could reflect a potential issue with a computer or set of computers.
AuthAudit > MachineAuthAudit > MachineEnable
MachineEnable alerts reflect the action of enabling a computer or machine
account. These events are normally OS-related and will trigger when a machine
is 'enabled', normally by a user with administrative privileges.
AuthAudit > MachineAuthAudit > MachineLogoff
MachineLogoff alerts reflect computer or machine account logoff events from
network devices (including network infrastructure devices, where appropriate).
Each alert will reflect the type of device from which the user was logging off.
These alerts are usually normal events but are tracked for consistency and
auditing purposes.
AuthAudit > MachineAuthAudit > MachineLogonFailure
MachineLogonFailure alerts reflect failed computer or machine account logon
events from network devices (including network infrastructure devices, when
appropriate). Each alert will reflect the point on the network where the computer or
machine was attempting logon. In larger quantities, these alerts may reflect a
potential issue with a computer or set of computers, but as individual events they
are generally not a problem.
AuthAudit > MachineAuthAudit > MachineLogon
MachineLogon events reflect computer or machine account logon events from
network devices monitored by Contego (including network infrastructure devices,
when appropriate). Each alert will reflect the type of device that the logon was
intended for along with all other relevant fields. These events are normally
operating system related.
AuthAudit > MachineAuthAudit > MachineModifyAttribute
MachineModifyAttribute events occur when a computer or machine type is
changed. These events are uncommon and usually provided by the operating
system.
AuthAudit > MachineAuthAudit > MachineModifyPrivileges
MachineModifyPrivileges events are created when a computer or machine's
privileges are elevated or demoted based on their logon or activities they are
performing. These events are uncommon.
AuthAudit > UserAuthAudit
UserAuthAudit events are authentication, authorization, and modification events
related only to user accounts. These alerts can be produced from any network
node including firewalls, routers, servers, and clients.
AuthAudit > UserAuthAudit > UserAuthTicketFailure
UserAuthTicketFailure alerts reflect failed user account ticket events from network
devices that use a ticket-based single-sign-on system (such as Kerberos or
Windows domains). Each alert will reflect the point on the network where the user
was attempting logon. In larger quantities, these alerts may reflect a potential
issue with a user or set of users, but as individual events they are generally not a
problem.
AuthAudit > UserAuthAudit > UserAuthTicket
UserAuthTicket alerts reflect user account ticket events from network devices
monitored by Contego that use a ticket-based single-sign-on system (such as
Kerberos or Windows domains). Each alert will reflect the type of device that the
logon was intended for along with all other relevant fields.
AuthAudit > UserAuthAudit > UserDisable
UserDisable events occur when a user account is actively disabled and/or when
a user is forcibly locked out by the operating system or other authentication
connector. These events are usually operating system related and could reflect a
potential issue with a user or set of users.
AuthAudit > UserAuthAudit > UserEnable
UserEnable alerts reflect the action of enabling a user account. These events are
normally OS-related and will trigger both when an account is ''unlocked'' after
lockout due to unsuccessful logons and 'enabled' in the traditional sense.
AuthAudit > UserAuthAudit > UserLogoff
UserLogoff alerts reflect account logoff events from network devices (including
network infrastructure devices). Each alert will reflect the type of device from
which the user was logging off. These alerts are usually normal events but are
tracked for consistency and auditing purposes.
AuthAudit > UserAuthAudit > UserLogon
UserLogon alerts reflect user account logon events from network devices
monitored by Contego (including network infrastructure devices). Each alert will
reflect the type of device that the logon was intended for along with all other
relevant fields.
AuthAudit > UserAuthAudit > UserLogonFailure
UserLogonFailure alerts reflect failed account logon events from network devices
(including network infrastructure devices). Each alert will reflect the point on the
network where the user was attempting logon. In larger quantities, these alerts
may reflect a potential issue with a user or set of users, but as individual events
they are generally not a problem.
With SolarWinds policy, you can configure combinations of this event to escalate
to FailedAuthentication in the Security tree, reflecting the increase in severity of
the event over several occurrences.
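The threshold-and-escalate pattern described for UserLogonFailure, together with the parent/child node tree introduced under Event types, as an added Python example that is not LEM's own rule engine: the node paths are taken from this appendix, while the threshold, window, field names and sample events are constructed for illustration.

```python
"""Event-tree membership and threshold escalation in the style of the
Audit-to-Security escalation this appendix describes.

Added example, not LEM code. Node paths are copied from Appendix B; the
threshold, window, field names and sample events are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional

# A subset of the Appendix B node tree, keyed by leaf event name.
EVENT_TREE: Dict[str, str] = {
    "UserLogonFailure": "AuthAudit > UserAuthAudit > UserLogonFailure",
    "UserLogon": "AuthAudit > UserAuthAudit > UserLogon",
    "MachineLogonFailure": "AuthAudit > MachineAuthAudit > MachineLogonFailure",
    "SoftwareAssetPatchFailed": ("AssetManagement > MachineAsset > MachineAssetUpdated"
                                 " > SoftwareAssetUpdated > SoftwareAssetPatchFailed"),
}


def ancestors(event_name: str) -> List[str]:
    """Nodes from the root down to the event itself."""
    return [node.strip() for node in EVENT_TREE[event_name].split(">")]


def is_under(event_name: str, node: str) -> bool:
    """True if `node` is the event itself or one of its parent nodes."""
    return node in ancestors(event_name)


class ThresholdRule:
    """Escalate `threshold` events under `node` sharing `key_field` within
    `window` into one event named `escalate_to` (per-key sliding window)."""

    def __init__(self, node: str, key_field: str, threshold: int,
                 window: timedelta, escalate_to: str) -> None:
        self.node, self.key_field = node, key_field
        self.threshold, self.window = threshold, window
        self.escalate_to = escalate_to
        self._seen: Dict[str, Deque[datetime]] = defaultdict(deque)

    def feed(self, event: dict) -> Optional[dict]:
        """Consume one event (in time order); return the escalated event
        when the threshold trips, else None."""
        if not is_under(event["name"], self.node):
            return None  # another subtree, e.g. MachineAuthAudit
        key = event[self.key_field]
        times = self._seen[key]
        times.append(event["time"])
        while times and event["time"] - times[0] > self.window:
            times.popleft()  # fell out of the sliding window
        if len(times) < self.threshold:
            return None
        incident = {
            "name": self.escalate_to,
            "tree": "Security",  # FailedAuthentication sits in the Security tree
            self.key_field: key,
            "count": len(times),
            "first": times[0],
            "last": times[-1],
        }
        times.clear()  # one burst produces one escalation
        return incident


def escalate_all(rule: ThresholdRule, events: List[dict]) -> List[dict]:
    """Feed events to the rule in timestamp order; return escalations."""
    hits = []
    for event in sorted(events, key=lambda e: e["time"]):
        hit = rule.feed(event)
        if hit is not None:
            hits.append(hit)
    return hits


def sample_events() -> List[dict]:
    """Constructed sample stream, not real LEM output."""
    t0 = datetime(2015, 9, 1, 8, 0, 0)
    events = [  # alice: five failures in four minutes, then a success
        {"name": "UserLogonFailure", "time": t0 + timedelta(minutes=i), "user": "alice"}
        for i in range(5)
    ]
    events.append({"name": "UserLogon", "time": t0 + timedelta(minutes=5), "user": "alice"})
    # bob: two failures 39 minutes apart never share a window
    events.append({"name": "UserLogonFailure", "time": t0 + timedelta(minutes=1), "user": "bob"})
    events.append({"name": "UserLogonFailure", "time": t0 + timedelta(minutes=40), "user": "bob"})
    # a machine-account failure belongs to MachineAuthAudit, not to this rule
    events.append({"name": "MachineLogonFailure", "time": t0, "user": "WS01$"})
    return events


def demo() -> List[dict]:
    """Five UserLogonFailure events for one user within ten minutes become
    one FailedAuthentication (threshold and window are example values)."""
    rule = ThresholdRule(node="UserLogonFailure", key_field="user", threshold=5,
                         window=timedelta(minutes=10), escalate_to="FailedAuthentication")
    return escalate_all(rule, sample_events())
```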
AuthAudit > UserAuthAudit > UserModifyAttribute
UserModifyAttribute events occur when a user type is changed. These events are
uncommon and usually provided by the operating system.
AuthAudit > UserAuthAudit > UserModifyPrivileges
UserModifyPrivileges events are created when a user's privileges are elevated or
demoted based on their logon or activities they are performing. These events are
uncommon.
GeneralAudit
GeneralAudit alerts are generated when a supported product outputs data that
has not yet been normalized into a specific alert, but is known to be audit-related.
MachineAudit
MachineAudit alerts are used to track hardware or software status and
modifications. These events are generally acceptable, but do indicate
modifications to the client system that may be noteworthy.
MachineAudit > SoftwareInstall
SoftwareInstall alerts reflect modifications to the system at a software level,
generally an OS level (or equivalent, in the case of a network infrastructure
device). These alerts are generated when a user updates a system or launches
system-native methods to install third party applications.
MachineAudit > SoftwareInstall > SoftwareUpdate
SoftwareUpdate is a specific type of SoftwareInstall that reflects a more current
version of software being installed to replace an older version.
MachineAudit > SystemScan
SystemScan alerts reflect information related to scheduled or on-demand scans
of systems. These alerts are generally produced by Anti-Virus, Patch
Management, and Vulnerability Assessment connectors, and indicate the start,
finish, and information related to a scan.
MachineAudit > SystemScanInfo
SystemScanInfo is a specific type of SystemScan alert that reflects information
related to a system scan. Most of these events can safely be ignored, as they are
generally normal activity that does not reflect a failure or abnormal state.
MachineAudit > SystemScanStart
SystemScanStart is a specific type of SystemScan alert that indicates initiation of
a system scan.
MachineAudit > SystemScanStop
SystemScanStop is a specific type of SystemScan alert that indicates completion
of a system scan. This activity is generally normal, however, in the error or failure
state a specific alert will be generated.
MachineAudit > SystemScanWarning
SystemScanWarning is a specific type of SystemScan alert that indicates a scan
has returned a 'Warning' message indicating an issue. These alerts may indicate
scan issues that should be corrected for future scans.
MachineAudit > SystemStatus
SystemStatus alerts reflect general system state events. These events are
generally normal and informational, however, they could potentially reflect a
failure or issue which should be addressed.
MachineAudit > SystemStatus > SystemReboot
SystemReboot is a specific type of SystemStatus alert that is used to audit system
restarts. This alert will only be generated if the system restart was normal and not
a result of a crash or other failure condition.
MachineAudit > SystemStatus > SystemReboot > SystemShutdown
SystemShutdown is a specific type of SystemStatus alert that is used to audit
system shutdowns, including both expected and unexpected shutdowns. In the

event the shutdown was unexpected, the event detail will note the information
provided by the connector related to the abnormality.
PolicyAudit
PolicyAudit events are used to track access, modification, scope change, and
creation of authentication, domain, account, and account container policies. Many
of these alerts reflect normal system traffic. Most PolicyAudit alerts are provided
by the Operating System.
PolicyAudit > NewAuthPolicy
NewAuthPolicy alerts occur when a new authorization or authentication package,
process, or logon handler is applied to an item (usually an account or domain). In
the operating system context, these events will often occur on boot as the system
initializes the appropriate authentication policies for itself.
PolicyAudit > PolicyAccess
PolicyAccess alerts reflect all levels of access to policy, mostly targeting domain,
account, access, and logon policy modifications.
PolicyAudit > PolicyAccess > PolicyModify
PolicyModify alerts reflect all types of modifications to contained policies, both at
a local and domain/account container level. In the context of a network
infrastructure device, this would be a modification to access control lists or other
similar policies on the device.
PolicyAudit > PolicyAccess > PolicyModify > DomainPolicyModify
DomainPolicyModify alerts are a specific type of PolicyModify alerts that reflect
changes to domain and account container level policies. These types of policies
are generally related to the operating system. Usually these modifications are
made by a user with administrative privileges, but occasionally these changes
can also be triggered by the local system.
PolicyAudit > PolicyAccess > PolicyScopeChange
PolicyScopeChange alerts are a specific type of PolicyAccess alert that reflect a
new scope or assignment of policy to users, groups, domains, interfaces, or other
items.
In the context of the operating system, these events are usually describing
elevation of user privileges according to predefined policies. The process of this
elevation is considered a scope change as the user is being brought under a new
scope of privileges appropriate to the type of access they are requesting (and

being granted). These events may accompany or precede object or file opens,
including other policies.
PolicyAudit > PolicyAccess > GroupPolicyModify
GroupPolicyModify alerts are specific PolicyAccess alerts used to describe
modifications to account group policies. Usually these modifications are made by
a user with administrative privileges, but occasionally these changes can also be
triggered by the local system.
ResourceAudit
Members of the ResourceAudit tree are used to define different types of access to
network resources. These resources may be network bandwidth/traffic, files, client
processes or services, or other types of shared security-related 'commodities'.
ResourceAudit > FileAudit
FileAudit alerts are used to track file activity on monitored network devices,
usually through the Operating System or a Host-Based IDS. These events will
note success or failure of the requested operation.
ResourceAudit > FileAudit > FileAuditFailure
FileAuditFailure alerts are used to track failed file activity on monitored network
devices, usually through the Operating System or a Host-Based IDS. These
events will note what requested operation failed.
ResourceAudit > FileAudit > FileRead
FileRead is a specific FileAudit alert generated for the operation of reading files
(including reading properties of a file or the status of a file). These alerts may be
produced by any connector that is used to monitor the activity of file usage,
including a Host-Based IDS and some Operating Systems.
ResourceAudit > FileAudit > FileRead > FileExecute
FileExecute is a specific FileRead alert generated for the operation of executing
files. These alerts may be produced by any connector that is used to monitor the
activity of file usage, including a Host-Based IDS and some Operating Systems.
ResourceAudit > FileAudit > FileRead > FileDataRead
FileDataRead is a specific FileRead alert generated for the operation of reading
data from a file (not just properties or status of a file). These alerts may be
produced by any connector that is used to monitor the activity of file usage,
including a Host-Based IDS and some Operating Systems.
ResourceAudit > FileAudit > FileWrite

415

Audit Events
FileWrite is a specific FileAudit alert generated for the operation of writing to a file
(including writing properties of a file or changing the status of a file). These alerts
may be produced by any connector that is used to monitor the activity of file
usage, including a Host-Based IDS and some operating systems.
ResourceAudit > FileAudit > FileWrite > FileDataWrite
FileDataWrite is a specific FileWrite alert generated for the operation of writing
data to a file (not just properties or status of a file). These alerts may be produced
by any connector that is used to monitor the activity of file usage, including a
Host-Based IDS and some Operating Systems.
ResourceAudit > FileAudit > FileWrite > FileCreate
FileCreate is a specific FileWrite alert generated for the initial creation of a file.
These alerts may be produced by any connector that is used to monitor the
activity of file usage, including a Host-Based IDS and some Operating Systems.
ResourceAudit > FileAudit > FileWrite > FileMove
FileMove is a specific FileWrite alert generated for the operation of moving a file
that already exists. These alerts may be produced by any connector that is used
to monitor the activity of file usage, including a Host-Based IDS and some
Operating Systems.
ResourceAudit > FileAudit > FileWrite > FileDelete
FileDelete is a specific FileWrite alert generated for the deletion of an existing file.
These alerts may be produced by any connector that is used to monitor the
activity of file usage, including a Host-Based IDS and some Operating Systems.
ResourceAudit > FileAudit > FileWrite > FileAttributeChange
FileAttributeChange is a specific FileWrite alert generated for the modification of
file attributes (including properties such as read-only status). These alerts may be
produced by any connector that is used to monitor the activity of file usage,
including a Host-Based IDS and some Operating Systems.
ResourceAudit > FileAudit > FileWrite > FileLink
FileLink is a specific FileWrite alert generated for the creation, deletion, or
modification of links to other files. These alerts may be produced by any
connector that is used to monitor the activity of file usage, including a Host-Based
IDS and some Operating Systems.
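The following is an added example, not code from the LEM documentation or product. It writes the FileAudit subtree above down as parent pointers, shows why a filter on a parent node (FileWrite) also matches its children (FileDelete, FileCreate, and so on), and maps the AccessMask of a Windows object-access audit event (event IDs 4656/4663) to the most specific node. The AccessMask bit values are the Windows SDK constants; the assignment of bits to LEM nodes, the sample events and their paths are this example's assumptions, not the connector's actual normalization.

```python
# Added example (not SolarWinds/LEM code). The bit constants are Windows SDK
# values; which LEM node each bit maps to is this example's assumption.

# Parent pointers copied from the ResourceAudit > FileAudit section.
PARENT = {
    "ResourceAudit": None,
    "FileAudit": "ResourceAudit",
    "FileAuditFailure": "FileAudit",
    "FileRead": "FileAudit",
    "FileExecute": "FileRead",
    "FileDataRead": "FileRead",
    "FileWrite": "FileAudit",
    "FileDataWrite": "FileWrite",
    "FileCreate": "FileWrite",
    "FileMove": "FileWrite",
    "FileDelete": "FileWrite",
    "FileAttributeChange": "FileWrite",
    "FileLink": "FileWrite",
}


def ancestors(node):
    """Parents of `node` up to the root, nearest first."""
    chain = []
    while PARENT[node] is not None:
        node = PARENT[node]
        chain.append(node)
    return chain


def is_a(node, category):
    """True if `node` is `category` or sits anywhere beneath it."""
    return node == category or category in ancestors(node)


# AccessMask bits (Windows SDK names in comments).
READ_DATA        = 0x00001  # FILE_READ_DATA
WRITE_DATA       = 0x00002  # FILE_WRITE_DATA
APPEND_DATA      = 0x00004  # FILE_APPEND_DATA
EXECUTE          = 0x00020  # FILE_EXECUTE
READ_ATTRIBUTES  = 0x00080  # FILE_READ_ATTRIBUTES
WRITE_ATTRIBUTES = 0x00100  # FILE_WRITE_ATTRIBUTES
DELETE           = 0x10000  # DELETE


def classify_object_access(access_mask, success):
    """Most specific FileAudit node for one object-access event.
    Order matters: a mask carrying both read and write bits is a write, and
    a failed attempt goes to FileAuditFailure regardless of the operation."""
    if not success:
        return "FileAuditFailure"
    if access_mask & DELETE:
        return "FileDelete"
    if access_mask & (WRITE_DATA | APPEND_DATA):
        return "FileDataWrite"
    if access_mask & WRITE_ATTRIBUTES:
        return "FileAttributeChange"
    if access_mask & EXECUTE:
        return "FileExecute"
    if access_mask & READ_DATA:
        return "FileDataRead"
    if access_mask & READ_ATTRIBUTES:
        return "FileRead"  # properties/status only, no data read
    return "FileAudit"  # bits this example does not model stay at the parent


# Constructed sample events; paths and masks are made up for the example.
SAMPLE_EVENTS = [
    {"path": "C:\\payroll\\q3.xlsx", "mask": 0x00001, "success": True},
    {"path": "C:\\payroll\\q3.xlsx", "mask": 0x00002, "success": True},
    {"path": "C:\\tools\\nc.exe", "mask": 0x00020, "success": True},
    {"path": "C:\\payroll\\q3.xlsx", "mask": 0x10000, "success": False},
    {"path": "C:\\payroll\\old.xlsx", "mask": 0x10000, "success": True},
    {"path": "C:\\payroll\\q3.xlsx", "mask": 0x00080, "success": True},
]


def events_in(category, events=SAMPLE_EVENTS):
    """Paths of the events a console filter on `category` would show,
    including everything classified to a descendant node."""
    return [e["path"] for e in events
            if is_a(classify_object_access(e["mask"], e["success"]), category)]


if __name__ == "__main__":
    for cat in ("FileAudit", "FileRead", "FileWrite", "FileAuditFailure"):
        print(cat, events_in(cat))
```

Note the ordering inside classify_object_access: a handle opened with both read and write access is filed as a write, and a failed request is FileAuditFailure whatever was attempted, which is also why FileAuditFailure is a sibling of FileRead and FileWrite rather than a child of either.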
ResourceAudit > FileHandleAudit

FileHandleAudit alerts are used to track file handle activity on monitored network
devices, usually through low-level access to the Operating System, either natively
or through a Host-Based IDS. These events will note success or failure of the
requested operation.
ResourceAudit > FileHandleAudit > FileHandleClose
FileHandleClose is a specific FileHandleAudit alert generated for the closing of
file handles. These alerts may be generated by a connector that has low-level file
access, such as an Operating System or some Host-Based IDSs.
ResourceAudit > FileHandleAudit > FileHandleCopy
FileHandleCopy is a specific FileHandleAudit alert generated for the copying of
file handles. These alerts may be generated by a connector that has low-level file
access, such as an Operating System or some Host-Based IDSs.
ResourceAudit > FileHandleAudit > FileHandleOpen
FileHandleOpen is a specific FileHandleAudit alert generated for the opening of
file handles. These alerts may be generated by a connector that has low-level file
access, such as an Operating System or some Host-Based IDSs.
ResourceAudit > FileSystemAudit
FileSystemAudit alerts reflect hardware to filesystem mapping events and usage
of filesystem resources. These events are generally normal system activity,
especially during system boot.
ResourceAudit > FileSystemAudit > MountFileSystem
MountFileSystem alerts are a specific type of FileSystemAudit that reflect the
action of creating an active translation between hardware and a usable filesystem.
These events are generally normal during system boot.
ResourceAudit > FileSystemAudit > UnmountFileSystem
UnmountFileSystem alerts are a specific type of FileSystemAudit that reflect the
action of removing a translation between hardware and a usable filesystem.
These events are generally normal during system shutdown.
ResourceAudit > NetworkAudit
Members of the NetworkAudit tree are used to define events centered on usage of
network resources/bandwidth.
ResourceAudit > NetworkAudit > ConfigurationTrafficAudit

ConfigurationTrafficAudit alerts reflect application-layer data related to
configuration of network resources. Included in ConfigurationTrafficAudit are
protocols such as DHCP, BOOTP, and SNMP.
ConfigurationTrafficAudit alerts generally indicate normal traffic; however, alerts
of this type could also be symptoms of misconfiguration, inappropriate usage,
attempts to enumerate or access network devices or services, attempts to access
devices that are configured via these services, or other abnormal traffic.
ResourceAudit > NetworkAudit > CoreTrafficAudit
CoreTrafficAudit alerts reflect network traffic sent over core protocols. Events that
are children of CoreTrafficAudit are all related to the TCP, IP, UDP, and ICMP
protocols. Events of this type and its children do not have any application-layer
data.
Events placed in the parent CoreTrafficAudit alert itself are known to be a core
protocol, but are not able to be further categorized based on the message
provided by the connector.
ResourceAudit > NetworkAudit > CoreTrafficAudit > TCPTrafficAudit
TCPTrafficAudit alerts are a specific subset of CoreTrafficAudit alerts where the
protocol is known to be TCP.
TCPTrafficAudit alerts may indicate normal traffic inside the network, normal
traffic pass-through, denied traffic, or other non-application TCP traffic that is not
known to have any immediate attack basis.
ResourceAudit > NetworkAudit > CoreTrafficAudit > IPTrafficAudit
IPTrafficAudit alerts are a specific subset of CoreTrafficAudit alerts where the
protocol is known to be IP.
IPTrafficAudit alerts generally indicate normal traffic; however, alerts of this type
could also be symptoms of spoofs, routing issues, or other abnormal traffic.
Generally, for the abnormal traffic that is appropriate to escalate, a Contego Policy
has been defined to escalate this to an alert in the Security tree based on a
threshold.
ResourceAudit > NetworkAudit > CoreTrafficAudit > UDPTrafficAudit
UDPTrafficAudit alerts are a specific subset of CoreTrafficAudit alerts where the
protocol is known to be UDP.

UDPTrafficAudit alerts may indicate normal traffic inside the network, normal
traffic pass-through, denied traffic, or other non-application UDP traffic that is not
known to have any immediate attack basis.
ResourceAudit > NetworkAudit > CoreTrafficAudit > ICMPTrafficAudit
ICMPTrafficAudit alerts are a specific subset of CoreTrafficAudit alerts where the
protocol is known to be ICMP.
ICMPTrafficAudit alerts generally indicate normal traffic; however, alerts of this
type could also be symptoms of scans, floods, or other abnormal traffic. Generally,
for the abnormal traffic that is appropriate to escalate, a Contego Policy has been
defined to escalate this to an alert in the Security tree based on a threshold.
ResourceAudit > NetworkAudit > CoreTrafficAudit > IPSecTrafficAudit
IPSecTrafficAudit alerts are a specific subset of CoreTrafficAudit alerts where the
traffic is known to be related to non-application layer IPSec events (such as key
exchanges).
IPSecTrafficAudit alerts generally indicate normal traffic; however, alerts of this
type could also be symptoms of misconfigured IPSec peers, problems with IPSec
communication, or other abnormal traffic.
ResourceAudit > NetworkAudit > LinkControlTrafficAudit
LinkControlTrafficAudit alerts are generated for network events related to link
level configuration.
LinkControlTrafficAudit alerts generally indicate normal traffic; however, alerts of
this type could also be symptoms of misconfiguration at the link level,
inappropriate usage, or other abnormal traffic.
ResourceAudit > NetworkAudit > RoutingTrafficAudit
RoutingTrafficAudit alerts are generated for network events related to
configuration of network routes, using protocols such as IGMP, IGRP, and RIP
(IGMP manages multicast group membership rather than routes, but is grouped here).
RoutingTrafficAudit alerts generally indicate normal traffic; however, alerts of this
type could also be symptoms of misconfigured routing, unintended route
configuration, or other abnormal traffic.
ResourceAudit > NetworkAudit > RoutingTrafficAudit > RIPTrafficAudit
RIPTrafficAudit alerts are a specific subset of RoutingTrafficAudit alerts where the
protocol is known to be RIP.

RIPTrafficAudit alerts generally indicate normal traffic; however, alerts of this
type could also be symptoms of misconfigured routing, unintended route
configuration, or other abnormal traffic.
ResourceAudit > NetworkAudit > NamingTrafficAudit
NamingTrafficAudit alerts are generated for network events related to the naming
of network resources and nodes, using protocols such as WINS and DNS.
NamingTrafficAudit alerts generally indicate normal traffic; however, alerts of this
type could also be symptoms of inappropriate DNS authority attempts,
misconfiguration of naming services, and other abnormal traffic. In several cases,
for traffic that is appropriate to escalate, a Contego Policy has been defined to
escalate this to an alert in the Security tree based on a threshold.
ResourceAudit > NetworkAudit > FileSystemTrafficAudit
FileSystemTrafficAudit alerts are generated for network events related to requests
for remote filesystems, using protocols such as SMB and NFS.
FileSystemTrafficAudit alerts generally indicate normal traffic for networks that
have remote filesystem resources such as SMB and NFS shares; however, alerts
of this type could also be symptoms of attempts to enumerate shares or services,
misconfiguration of such resources, or other abnormal traffic. For networks that do
not have remote filesystem resources, these alerts will generally indicate
abnormal traffic.
ResourceAudit > NetworkAudit > ApplicationTrafficAudit
ApplicationTrafficAudit alerts reflect network traffic that is mostly or all
application-layer data. Events that are children of ApplicationTrafficAudit are also
related to application-layer resources.
Events placed in the parent ApplicationTrafficAudit alert itself are known to be
application-related, but are not able to be further categorized based on the
message provided by the connector or because they are uncommon and rarely, if
ever, imply network attack potential.
ResourceAudit > NetworkAudit > ApplicationTrafficAudit > EncryptedTraffic
EncryptedTraffic alerts reflect application-layer traffic that has been encrypted and
is intended for a secure host. Included in EncryptedTraffic alerts are client and
server side application events, such as key exchanges, that normally occur after
the low-level session creation and handshaking have completed.

ResourceAudit > NetworkAudit > ApplicationTrafficAudit > EncryptedTraffic >
EncryptedTrafficError
EncryptedTrafficError alerts are a specific subset of EncryptedTraffic alerts that
reflect problems while exchanging keys or data.
ResourceAudit > NetworkAudit > ApplicationTrafficAudit > MailTrafficAudit
MailTrafficAudit alerts reflect application-layer data related to mail services.
Included in MailTrafficAudit are client and server mail events from protocols such
as IMAP, POP3, and SMTP.
MailTrafficAudit alerts generally indicate normal traffic; however, alerts of this type
could also be symptoms of excessive mail usage, unintended mail traffic,
abnormal command exchanges to a server, or generally abnormal traffic.
ResourceAudit > NetworkAudit > ApplicationTrafficAudit > WebTrafficAudit
WebTrafficAudit alerts reflect application-layer data related to web services.
Included in WebTrafficAudit are client and server web events from web servers,
web applications, content filter related events, and other web services.
WebTrafficAudit alerts generally indicate normal traffic; however, alerts of this
type could also be symptoms of inappropriate web usage, potential abuse of web
services, or other abnormal traffic.
ResourceAudit > NetworkAudit > ApplicationTrafficAudit > TimeTrafficAudit
TimeTrafficAudit alerts reflect application-layer data related to network time
configuration. Included in TimeTrafficAudit are protocols such as NTP and
activities, such as detection of client-side network time updates.
TimeTrafficAudit alerts generally indicate normal traffic; however, alerts of this
type could also be symptoms of misconfiguration, inappropriate usage, or other
abnormal traffic.
ResourceAudit > NetworkAudit > ApplicationTrafficAudit > TimeTrafficAudit >
NTPTrafficAudit
NTPTrafficAudit alerts are a specific type of TimeTrafficAudit related to the
Network Time Protocol.
ResourceAudit > NetworkAudit > ApplicationTrafficAudit >
FileTransferTrafficAudit

FileTransferTrafficAudit alerts reflect application-layer data related to retrieving
files from and sending files to remote hosts. Included in FileTransferTrafficAudit
are protocols such as TFTP and FTP.
FileTransferTrafficAudit alerts generally indicate normal traffic; however, alerts of
this type could also be symptoms of misconfiguration, inappropriate usage,
attempts to enumerate or access file transfer services, attempts to access devices
that require file transfer services for configuration, or other abnormal traffic.
ResourceAudit > NetworkAudit > PointToPointTrafficAudit
PointToPointTrafficAudit alerts reflect application-layer data related to point-to-point
connections between hosts. Included in PointToPointTrafficAudit are
encrypted and unencrypted point-to-point traffic.
ResourceAudit > NetworkAudit > PointToPointTrafficAudit > PPTPTrafficAudit
PPTPTrafficAudit alerts are a specific type of PointToPointTrafficAudit alerts that
reflect application-layer Point-to-Point Tunneling Protocol (PPTP) activities.
Included in PPTPTrafficAudit alerts are tunnel creation, tunnel deletion, session
creation, and session deletion, among other PPTP-related events.
PPTPTrafficAudit alerts generally indicate normal traffic for networks that have
PPTP-accessible devices on the network; however, alerts of this type could also
be symptoms of inappropriate access, misconfiguration of the PPTP server or
clients, other communications errors, or other abnormal traffic. For networks that
do not use PPTP at all, these alerts will generally indicate abnormal traffic.
ResourceAudit > NetworkAudit > RemoteProcedureTrafficAudit
RemoteProcedureTrafficAudit alerts reflect application-layer data related to
remote procedure services. Included in RemoteProcedureTrafficAudit are the
traditional RPC services used to service remote logons and file shares, and other
services which require remote procedure access to complete authentication, pass
data, or otherwise communicate.
RemoteProcedureTrafficAudit alerts generally indicate normal traffic for networks
that have remote procedure services on their network; however, alerts of this type
could also be symptoms of inappropriate access, misconfiguration of the remote
procedure services, errors in the remote procedure calls, or other abnormal traffic.
ResourceAudit > NetworkAudit > RemoteProcedureTrafficAudit >
RPCTrafficAudit

RPCTrafficAudit is a specific subset of RemoteProcedureTrafficAudit related to
traditional RPC services, including portmapper.
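The following added example (not code from LEM or SolarWinds) shows what the categorization described across the NetworkAudit nodes above looks like in practice, and how the threshold escalation mentioned under IPTrafficAudit and ICMPTrafficAudit can work: constructed firewall log lines are normalized into NetworkAudit nodes by protocol and destination port, then ICMP alerts are counted per source over a sliding window and a burst is escalated once. The key=value log format, the port-to-node table, the threshold and window values, and the escalation name Security:ICMPSweep are all assumptions of the example; LEM's connectors and Contego policies define their own.

```python
# Added example, not LEM code: normalize constructed firewall lines into the
# NetworkAudit nodes above and escalate an ICMP burst by per-source threshold.
# Log format, port coverage and the "Security:ICMPSweep" name are assumptions.
import re
from collections import defaultdict, deque

# Destination port -> node, following the protocol lists in this appendix.
PORT_NODES = {
    67: "ConfigurationTrafficAudit", 161: "ConfigurationTrafficAudit",  # DHCP, SNMP
    53: "NamingTrafficAudit", 137: "NamingTrafficAudit",                # DNS, WINS
    445: "FileSystemTrafficAudit", 2049: "FileSystemTrafficAudit",      # SMB, NFS
    25: "MailTrafficAudit", 110: "MailTrafficAudit", 143: "MailTrafficAudit",
    80: "WebTrafficAudit", 443: "EncryptedTraffic", 123: "NTPTrafficAudit",
    21: "FileTransferTrafficAudit", 69: "FileTransferTrafficAudit",
    500: "IPSecTrafficAudit", 1723: "PPTPTrafficAudit",                 # IKE, PPTP
    111: "RPCTrafficAudit", 135: "RPCTrafficAudit", 520: "RIPTrafficAudit",
}

# Constructed key=value line format, not a real vendor's syntax.
LINE_RE = re.compile(
    r"ts=(?P<ts>\d+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)"
    r"(?: dport=(?P<dport>\d+))? action=(?P<action>\w+)$")


def classify(line):
    """One line -> alert dict, or None if it does not parse. TCP/UDP to an
    unlisted port stays in its core-protocol node, as the text describes
    for traffic that cannot be categorized further."""
    m = LINE_RE.match(line)
    if not m:
        return None
    proto = m["proto"].lower()
    if proto == "icmp":
        node = "ICMPTrafficAudit"
    elif proto in ("tcp", "udp"):
        node = PORT_NODES.get(int(m["dport"] or -1), proto.upper() + "TrafficAudit")
    elif proto in ("esp", "ah"):
        node = "IPSecTrafficAudit"
    elif proto == "igmp":
        node = "RoutingTrafficAudit"
    else:
        node = "IPTrafficAudit"
    return {"node": node, "ts": int(m["ts"]), "src": m["src"],
            "dst": m["dst"], "action": m["action"]}


class ThresholdEscalator:
    """Per-source sliding-window count of one node. Reaching `threshold`
    within `window` seconds emits one escalation and resets that source, so
    a flood produces one alert rather than one per packet."""

    def __init__(self, node, threshold, window, escalate_to):
        self.node, self.threshold, self.window = node, threshold, window
        self.escalate_to = escalate_to  # hypothetical Security-tree node
        self.recent = defaultdict(deque)

    def feed(self, alert):
        if alert["node"] != self.node:
            return None
        q = self.recent[alert["src"]]
        q.append(alert["ts"])
        while alert["ts"] - q[0] > self.window:  # expire old timestamps
            q.popleft()
        if len(q) < self.threshold:
            return None
        q.clear()
        return {"node": self.escalate_to, "src": alert["src"],
                "count": self.threshold, "ts": alert["ts"]}


# Constructed sample: routine traffic, one malformed line, then 10.0.0.9
# pinging 25 different hosts one second apart (a sweep).
SAMPLE_LINES = [
    "ts=1000 proto=udp src=10.0.0.5 dst=10.0.0.1 dport=53 action=allow",
    "ts=1001 proto=tcp src=10.0.0.5 dst=10.0.1.20 dport=445 action=allow",
    "ts=1002 proto=tcp src=10.0.0.5 dst=93.184.216.34 dport=443 action=allow",
    "ts=1003 proto=udp src=10.0.0.7 dst=10.0.0.2 dport=161 action=deny",
    "ts=1004 proto=tcp src=10.0.0.7 dst=10.0.1.20 dport=8443 action=allow",
    "ts=1005 proto=udp src=10.0.0.7 dst=203.0.113.9 dport=500 action=allow",
    "ts=1006 proto=icmp src=10.0.0.5 dst=10.0.0.1 action=allow",
    "this line is not in the expected format",
] + [f"ts={1009 + i} proto=icmp src=10.0.0.9 dst=10.0.1.{i} action=allow"
     for i in range(1, 26)]


def run(lines, threshold=20, window=30):
    """Classify every line, feed ICMP alerts to the escalator, and return
    (alerts per node, escalations)."""
    esc = ThresholdEscalator("ICMPTrafficAudit", threshold, window, "Security:ICMPSweep")
    counts, escalations = defaultdict(int), []
    for line in lines:
        alert = classify(line)
        if alert is None:
            continue  # unparseable input is skipped, not misfiled
        counts[alert["node"]] += 1
        hit = esc.feed(alert)
        if hit:
            escalations.append(hit)
    return dict(counts), escalations
```

run(SAMPLE_LINES) files the routine lines under Naming, FileSystem, Encrypted, Configuration, IPSec and plain TCP nodes (port 8443 is not in the table, so it stays in TCPTrafficAudit), and raises one escalation for 10.0.0.9 at its 20th ping; that source's window is then cleared so the remaining five pings do not produce a second alert. The malformed line is dropped rather than being filed under a core node, which is the safer failure mode for a normalizer feeding a threshold rule.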
ResourceAudit > NetworkConnectionAudit
NetworkConnectionAudit alerts are generated when a connection is initiated on a
network client.
ResourceAudit > NetworkConnectionAudit > LANConnection
LANConnection is a specific type of NetworkConnectionAudit that reflects a
successful connection on a physical network interface such as an Ethernet card.
ResourceAudit > NetworkConnectionAudit > VPNConnection
VPNConnection is a specific type of NetworkConnectionAudit that reflects a
successful connection to a remote VPN.
ResourceAudit > NetworkConnectionAudit > DialupConnection
DialupConnection is a specific type of NetworkConnectionAudit that reflects a
successful connection through a traditional modem.
ResourceAudit > ObjectAudit
ObjectAudit alerts are used to track special object activity on monitored network
devices, usually through the Operating System or a Host-Based IDS. Generally,
Objects are special types of system resources, such as registry items or user
account databases. These objects may be actual 'files' on the system, but are not
necessarily human readable. These events will note success or failure of the
requested operation.
ResourceAudit > ObjectAudit > ObjectAuditFailure
ObjectAuditFailure alerts are used to track special object activity on monitored
network devices, usually through the Operating System or a Host-Based IDS.
Generally, Objects are special types of system resources, such as registry items
or user account databases. These objects may be actual 'files' on the system, but
are not necessarily human readable. These events will note a failure of the
requested operation.
ResourceAudit > ObjectAudit > ObjectDelete
ObjectDelete is a specific ObjectAudit alert generated for the deletion of an
existing object. These alerts may be produced by any connector that is used to
monitor the activity of file and object usage, including a Host-Based IDS and
some Operating Systems.
ResourceAudit > ObjectAudit > ObjectLink

ObjectLink is a specific ObjectAudit alert generated for the creation, deletion, or
modification of links to other objects. These alerts may be produced by any
connector that is used to monitor the activity of file and object usage, including a
Host-Based IDS and some Operating Systems.
ResourceAudit > ProcessAudit
ProcessAudit alerts are generated to track launch, exit, status, and other events
related to system processes. Usually, these events reflect normal system activity.
Process-related activity that may indicate a failure will be noted separately from
normal activity in the alert detail.
ResourceAudit > ProcessAudit > ProcessStop
ProcessStop is a specific type of ProcessAudit alert that indicates a process has
exited. Usually, ProcessStop reflects normal application exit; however, in the
event of an unexpected error the abnormal state will be noted.
ResourceAudit > ProcessAudit > ProcessStart
ProcessStart is a specific type of ProcessAudit alert that indicates a new process
has been launched. Usually, ProcessStart reflects normal system activity.
ResourceAudit > ProcessAudit > ProcessWarning
ProcessWarning is a specific type of ProcessAudit alert that indicates a process
has returned a 'Warning' message that is not a fatal error and may not have
triggered an exit of the process.
ResourceAudit > ProcessAudit > ProcessInfo
ProcessInfo is a specific type of ProcessAudit alert that reflects information
related to a process. Most of these events can safely be ignored, as they are
generally normal activity that does not reflect a failure or abnormal state.
ResourceAudit > ServiceAudit
ServiceAudit alerts are generated to track information and other events related to
system components. Usually, these events reflect normal system activity. System
service-related activity that may indicate a failure will be noted separately from
normal activity in the alert detail.
ResourceAudit > ServiceAudit > ServiceInfo
ServiceInfo is a specific type of ServiceAudit alert that reflects information related
to a service. Most of these events can safely be ignored, as they are generally
normal activity that does not reflect a failure or abnormal state.
ResourceAudit > ServiceAudit > ServiceStart

ServiceStart events are a specific type of ServiceAudit alert that indicates a new
system service is starting.
ResourceAudit > ServiceAudit > ServiceStop
ServiceStop events are a specific type of ServiceAudit alert that indicates a
system service is stopping. This activity is generally normal; however, in the event
of an unexpected stop the abnormal state will be noted.
ResourceAudit > ServiceAudit > ServiceWarning
ServiceWarning is a specific type of ServiceAudit alert that indicates a service
has returned a 'Warning' message that is not a fatal error and may not have
triggered an exit of the service.

Incident Events
Incident Events reflect global enterprise-wide issues that should be raised for
system-wide visibility. These alerts generally reflect serious issues that should be
monitored and addressed. They are sub-categorized into different types of
Incident Events that can provide more detailed information.
Because Incident Events are created by Rules, any combination of malicious or
suspicious traffic from any other single alert or combination of alerts can create an
Incident Event.
Each Incident alert is described below. For your convenience, they are listed
alphabetically.
HostIncident
HostIncident alerts reflect global enterprise-wide host system issues that should
be raised for system-wide visibility. These alerts are used to indicate issues on
hosts that should be tracked and addressed, including security and administrative
issues that apply specifically to host-based information.
HybridIncident
HybridIncident alerts reflect global enterprise-wide combined network and host
system issues that should be raised for system-wide visibility. These alerts are
used to indicate the combination of network and host-based issues that should be
tracked and addressed, including security and administrative issues that span
both network and host-based information.
NetworkIncident

NetworkIncident alerts reflect global enterprise-wide network system issues that
should be raised for system-wide visibility. These alerts are used to indicate
network-based issues that should be tracked and addressed, including security
and administrative issues that apply specifically to network-based information.
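Because Incident Events are created by Rules rather than by any connector, the following added example (not LEM code) shows the shape of such a rule: alerts for a single host are grouped within a time window and, once enough accumulate, one Incident is raised whose type is HostIncident, NetworkIncident or HybridIncident depending on which Audit trees contributed. The assignment of trees to "host-based" and "network-based", the window and count, and the sample alerts are the example's own assumptions; the appendix does not label trees this way.

```python
# Added example, not LEM code. Which trees count as host- or network-based,
# the window, the count and the sample alerts are this example's assumptions.
from collections import defaultdict

HOST_BASED = {"MachineAudit", "PolicyAudit", "FileAudit", "ObjectAudit",
              "ProcessAudit", "ServiceAudit"}
NETWORK_BASED = {"NetworkAudit", "NetworkConnectionAudit"}


def incident_type(trees):
    """Incident node for the set of trees whose alerts matched; None if empty."""
    host, net = bool(trees & HOST_BASED), bool(trees & NETWORK_BASED)
    if host and net:
        return "HybridIncident"
    if host:
        return "HostIncident"
    return "NetworkIncident" if net else None


def correlate(alerts, window, min_alerts):
    """Rule: a host that accumulates `min_alerts` alerts within `window`
    seconds gets one Incident, typed by the trees that contributed. Each alert
    is a dict with ts, host, tree and node. At most one incident per host is
    returned, raised at the moment the count is first reached."""
    by_host = defaultdict(list)
    for a in alerts:
        if a["tree"] in HOST_BASED or a["tree"] in NETWORK_BASED:
            by_host[a["host"]].append(a)
    incidents = []
    for host, items in by_host.items():
        items.sort(key=lambda a: a["ts"])
        start = 0
        for end, a in enumerate(items):
            while a["ts"] - items[start]["ts"] > window:
                start += 1  # slide past alerts that are now too old
            if end - start + 1 >= min_alerts:
                span = items[start:end + 1]
                incidents.append({
                    "type": incident_type({x["tree"] for x in span}),
                    "host": host,
                    "first_ts": span[0]["ts"], "last_ts": a["ts"],
                    "nodes": sorted({x["node"] for x in span}),
                })
                break  # later alerts are follow-up to this incident, not a new one
    return incidents


# Constructed sample alerts (not real LEM output).
SAMPLE_ALERTS = [
    {"ts": 100, "host": "ws17", "tree": "FileAudit", "node": "FileAuditFailure"},
    {"ts": 102, "host": "ws17", "tree": "NetworkAudit", "node": "TCPTrafficAudit"},
    {"ts": 105, "host": "ws17", "tree": "FileAudit", "node": "FileAuditFailure"},
    {"ts": 110, "host": "ws17", "tree": "FileAudit", "node": "FileAuditFailure"},
    {"ts": 200, "host": "srv02", "tree": "NetworkAudit", "node": "ICMPTrafficAudit"},
    {"ts": 201, "host": "srv02", "tree": "NetworkAudit", "node": "ICMPTrafficAudit"},
    {"ts": 203, "host": "srv02", "tree": "NetworkAudit", "node": "ICMPTrafficAudit"},
    {"ts": 300, "host": "ws20", "tree": "ProcessAudit", "node": "ProcessStart"},
    {"ts": 500, "host": "ws20", "tree": "ServiceAudit", "node": "ServiceStop"},
    {"ts": 400, "host": "dc01", "tree": "PolicyAudit", "node": "DomainPolicyModify"},
    {"ts": 401, "host": "dc01", "tree": "PolicyAudit", "node": "GroupPolicyModify"},
    {"ts": 402, "host": "dc01", "tree": "ObjectAudit", "node": "ObjectDelete"},
]


def sample_incidents():
    """Run the rule over the sample with a 60 s window and a count of 3,
    keyed by host for easy lookup."""
    return {i["host"]: i for i in correlate(SAMPLE_ALERTS, 60, 3)}
```

With the sample, ws17 becomes a HybridIncident because a network-side denied TCP alert falls inside the same window as its failed file accesses, srv02 is a NetworkIncident, dc01 a HostIncident, and ws20 raises nothing because its two alerts are 200 seconds apart. The rule stops after the first match per host on purpose: once an Incident exists, further alerts for that host belong to it and would only generate noise as new Incidents.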

Internal Events
Events that are a part of the InternalEvent node are related to the operation of the
LEM system. Any events generated by the system relating to Active Response,
Internal users, or Internal errors will appear under one of the many children.
These alerts are for informational purposes and do not necessarily reflect
conditions that should cause alarm. Events that may reflect potential issues within
the system are specifically marked for forwarding to SolarWinds.
Each Internal Event is described below. For your convenience, they are listed
alphabetically.
InternalAudit
InternalAudit alerts reflect attempted accesses and changes to components of the
LEM system by existing SolarWinds users. Both successful and failed attempts
will generate alerts in this part of the tree.
InternalAudit > InternalAuditFailure
InternalAuditFailure is a specific type of InternalAudit alert that indicates failed
audit information. These alerts are generated when a user fails to view or modify
(including creation, update, and deletion) anything within the SolarWinds system.
The alert will include the user, type of access, and item being accessed.
InternalAuditFailure events are uncommon and can indicate an attempted
privilege escalation within the LEM system by unprivileged users.
InternalAudit > InternalAuditSuccess
InternalAuditSuccess is a specific type of InternalAudit alert that indicates
successful audit information. These alerts are generated when a user
successfully views or modifies (including creation, update, and deletion) anything
within the LEM system. The alert will include the user, type of access, and item
being accessed.
InternalCommands
InternalCommands alerts are only used internally with few exceptions. These
alerts are used for sending Commands through the system to complete active
responses.

InternalCommands > InternalAgentToolCommand
InternalAgentToolCommand alerts are internal only. They are fired between
Managers and Agents to manage connector settings.
InternalCommands > InternalAgentFastPack
InternalAgentFastPack alerts are internal only. They are fired between Managers
and Agents to configure updated connector signatures.
InternalFailure
Events that are a part of the InternalFailure tree reflect potential issues within the
system. These alerts could reflect configuration issues, issues that cannot be
resolved without contacting SolarWinds, and potential serious issues which also
merit contacting SolarWinds.
InternalFailure > InternalError
InternalError alerts reflect configuration or install issues that should be reported to
SolarWinds. These are generally internal errors related to connectors that may be
producing unexpected log entries or conditions that were not expected. These
issues generally cannot be solved without contacting SolarWinds; however, they
should not be fatal errors.
InternalFailure > InternalException
InternalException alerts reflect more serious problems within the system. These
problems generally lie within the product implementation and may require a
software update to eliminate. These alerts and their surrounding conditions
should be reported to SolarWinds.
InternalFailure > InternalWarning
InternalWarning alerts are generally problems which can be solved by the user.
Usually, these alerts are configuration related and may assist in debugging the
underlying issue.
InternalWarning alerts do not reflect internal problems within the system and thus
need not be reported to SolarWinds immediately; however, they may assist with
solving a technical support issue should the need arise.
InternalGeneralEvent
InternalGeneralEvent events are uncommon events used to track Internal
information that has not yet been placed into a more specific InternalEvent.

Events of the InternalFailure family providing more information will be generated
in addition to this event if the event is serious.
InternalInfo
Events within the InternalInfo family are related to events that are happening
within the system. Generally, these informational alerts are confirming or reporting
normal activity such as user updates, user logons, policy updates, and Agent
connection-related events.
InternalInfo > InternalAgentOffline
InternalAgentOffline alerts reflect detection of the disconnection of an Agent from
its Manager. These alerts occur when the Manager has detected that the Agent
closed the connection, whether because of network downtime on the Agent side
or because the Agent service was shut down.
InternalInfo > InternalAgentOnline
InternalAgentOnline alerts reflect successful connection of Agents to their
respective Managers. These alerts occur when an Agent initiates successful
communication with the Manager, for example after network downtime on the
Manager or Agent side, or after an update of the Agent in question.
InternalInfo > InternalDuplicateConnection
InternalDuplicateConnection alerts occur when an Agent attempts to connect to its
Manager while the Manager still holds an open connection for that Agent. Usually
these alerts are triggered by network issues on the Agent side that lead to
asynchronous disconnection detection (for example, the Agent service was
restarted, but the Manager had not yet detected that the Agent went offline).
Usually this issue can be resolved by stopping the Agent service, waiting for the
InternalAgentOffline alert, and then restarting the Agent service.
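The connection lifecycle behind the three alerts above (InternalAgentOffline, InternalAgentOnline and InternalDuplicateConnection), as an added Python example written for this page; it is not LEM's own Manager code. Only the event names come from the appendix. The in-memory session table, the heartbeat timeout, the choice to reject a second session while the first is still believed open, and the sample timeline are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Manager:
    """Minimal model of the Manager side of the Agent connection. Assumed for
    this example: one session per Agent, a heartbeat timeout after which a
    silent Agent is declared offline, and rejection of a second session while
    the first is still believed open (the real Manager's behaviour here is
    not documented on this page)."""
    heartbeat_timeout: float = 90.0                  # seconds; assumed value
    connected: dict = field(default_factory=dict)    # agent -> last-seen time
    events: list = field(default_factory=list)       # (ts, event name, agent)

    def _emit(self, kind, agent, ts):
        self.events.append((ts, kind, agent))

    def agent_connect(self, agent, ts):
        """Agent opens a session. If the Manager still holds a session for it,
        the Agent restarted without the Manager noticing the old session
        close (asynchronous disconnect detection): raise
        InternalDuplicateConnection and keep the stale session."""
        if agent in self.connected:
            self._emit("InternalInfo > InternalDuplicateConnection", agent, ts)
            return False
        self.connected[agent] = ts
        self._emit("InternalInfo > InternalAgentOnline", agent, ts)
        return True

    def heartbeat(self, agent, ts):
        """Any traffic from a connected Agent refreshes its last-seen time."""
        if agent in self.connected:
            self.connected[agent] = ts

    def agent_close(self, agent, ts):
        """Manager saw the Agent close the connection (service stopped or
        network went down)."""
        if self.connected.pop(agent, None) is not None:
            self._emit("InternalInfo > InternalAgentOffline", agent, ts)

    def sweep(self, now):
        """Periodic check: Agents silent longer than the timeout are declared
        offline. This is the InternalAgentOffline the remedy above waits for."""
        for agent, last in list(self.connected.items()):
            if now - last > self.heartbeat_timeout:
                del self.connected[agent]
                self._emit("InternalInfo > InternalAgentOffline", agent, now)


def replay(timeline, manager=None):
    """Drive a Manager with a (ts, action, agent) timeline and return the
    emitted (event name, agent) pairs in order."""
    m = manager or Manager()
    for ts, action, agent in timeline:
        if action == "sweep":
            m.sweep(ts)
        else:
            getattr(m, action)(agent, ts)
    return [(kind, agent) for _, kind, agent in m.events]


# Constructed timeline, not captured from a real deployment. web01's service is
# restarted at t=45 while, from the Manager's point of view, its old socket
# never closed; db01 shuts down cleanly.
SAMPLE_TIMELINE = [
    (0,   "agent_connect", "web01"),
    (10,  "agent_connect", "db01"),
    (30,  "heartbeat",     "web01"),
    (45,  "agent_connect", "web01"),   # restart -> duplicate, rejected
    (70,  "agent_close",   "db01"),    # clean shutdown -> offline
    (150, "sweep",         None),      # web01 silent since t=30 -> offline
    (160, "agent_connect", "web01"),   # retry after offline -> online
]

if __name__ == "__main__":
    for kind, agent in replay(SAMPLE_TIMELINE):
        print(f"{kind:45} {agent}")
```

Replaying the timeline shows why the documented remedy works: while the stale session exists every reconnect attempt is answered with InternalDuplicateConnection, the sweep eventually emits InternalAgentOffline for the silent session, and only the connect after that produces InternalAgentOnline.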
InternalInfo > InternalInvalidConnection
InternalInvalidConnection alerts occur when an Agent that the Manager
recognizes, but cannot communicate with, attempts to connect. These alerts
usually reflect Agents that are missing an update that has already been applied to
the Manager.
Ensure that the indicated Agent has been upgraded to the same release version
as the Manager. If this alert persists, uninstall and reinstall the Agent that
triggered it; this forces the Agent to re-initialize its connection to the Manager.

InternalInfo > InternalInvalidInstallation
InternalInvalidInstallation alerts occur in the unlikely case that the Manager can
communicate with the Agent but errors are detected in the Manager-to-Agent
relationship. These alerts are very uncommon, but may be triggered during an
upgrade process.
Ensure that the indicated Agent has been upgraded to the same release version
as the Manager. If this alert persists, uninstall and reinstall the Agent that
triggered it; this forces the Agent to re-initialize its connection to the Manager.
InternalInfo > InternalLicenseMaximum
InternalLicenseMaximum alerts reflect an attempt to add more Agents to a
Manager than that Manager is licensed for. The number of Agents that can be
added is a hard limit that the Manager stores and this limit is also enforced by the
Console.
If more licenses are needed, this issue can be resolved by contacting SolarWinds
Sales for an update.
InternalInfo > InternalNewToolData
InternalNewToolData alerts generally reflect issues related to connectors with
unexpected log entries or other conditions that were not expected. These issues
generally cannot be solved without contacting SolarWinds, however they are not
fatal.
InternalInfo > InternalPolicyConfiguration
InternalPolicyConfiguration alerts reflect successful or unsuccessful attempts to
update Policy on a given Manager. These alerts are generated after Policy has
been successfully installed to the Manager or after an error has been detected.
Generally, an error in updating Policy will also produce an alert from the
InternalFailure family, providing more information.
InternalInfo > InternalToolOffline
InternalToolOffline alerts report that an internal tool (connector) has stopped
successfully. They are generated after a connector has stopped the log file
reader that was created when the connector was brought online. Generally, an
error in an attempt to stop a connector will produce an alert from the
InternalFailure family providing more information.
InternalInfo > InternalToolOnline

InternalToolOnline alerts reflect successful startup of an Internal Tool. These
alerts are generated after a connector has successfully created a log file reader
and has begun the reading process. Generally, an error in an attempt to start a
connector will produce an alert from the InternalFailure family providing more
information.
InternalInfo > InternalUnknownAgent
InternalUnknownAgent alerts occur when an Agent that the Manager does not
recognize has attempted to connect. Commonly, this alert is caused by removing
the Agent from the Console before removing the Agent service on the client.
These alerts may also be triggered during an upgrade process; in that case, they
may reflect Agents that have not yet been brought up to date.
Usually this issue can be resolved by uninstalling and reinstalling the Agent that
triggered the alert. This forces the Agent to re-initialize its connection to the
Manager.
InternalInfo > InternalUnsupportedAgent
InternalUnsupportedAgent alerts are generated when a valid Agent connects but
has not been upgraded to the same release version as the Manager. The Agent in
question failed to properly negotiate its connection or to respond to a query, and
is therefore assumed to be missing a feature required of it. Ensure that the
indicated Agent has been upgraded to the same release version as the Manager.
If this alert persists, uninstall and reinstall the Agent that triggered it; this
forces the Agent to re-initialize its connection to the Manager.
InternalInfo > InternalUserLogoff
InternalUserLogoff alerts are generated when a user logs off or is disconnected
from the Console.
InternalInfo > InternalUserLogon
InternalUserLogon alerts are generated when a user successfully completes the
logon process to a Manager via the Console. Failed log-on attempts are produced
in a separate alert, InternalUserLogonFailure.
InternalInfo > InternalUserLogonFailure
InternalUserLogonFailure alerts are generated when a user has completed
initialization of a connection to the Console, but enters an incorrect user name
and/or password.
InternalInfo > InternalUserUpdate

InternalUserUpdate alerts are generated when a user is modified and the update
has successfully been sent to the Manager, or when the update has failed to
apply. These updates include change or addition of an email address, change or
addition of a pager, and change or addition of blocked alerts from selected
Agents. Generally, an error in updating a user will also produce an alert from the
InternalFailure family.
InternalPolicy
InternalPolicy alerts reflect information related to correlation rules. These alerts
are used to indicate that a rule has been triggered, either in test mode or in normal
operating conditions.
InternalPolicy > InternalTestRule
InternalTestRule alerts reflect rule activity where a correlation rule has triggered
and is set in Test mode. It indicates the trigger of the rule and includes an
enumeration of what actions would take place, if any, if the rule were fully
enabled. To remove a rule from Test mode, clear the Test checkbox for the Rule
in the Rule Builder.
InternalPolicy > InternalRuleFired
InternalRuleFired alerts reflect rule activity, specifically where a correlation rule
has triggered. It indicates the trigger of the rule and includes an enumeration of
what actions were triggered in response to the correlation.

Security Events
Events that are part of the SecurityEvent node are generally related to network
activity that is consistent with an internal or external attack, a misuse or abuse of
resources, a resource compromise, resource probing, or other noteworthy
abnormal traffic.
Security Events indicate aggressive behavior that may lead to an attack or
resource compromise, or suspicious behavior that may indicate unauthorized
information gathering. LEM infers some Security Events from what is normally
considered audit traffic, but it escalates them to alert status based on thresholds
defined by Rules.
Each Security Event is described below. For your convenience, they are listed
alphabetically.
AttackBehavior

Events that are children of AttackBehavior are generally related to network activity
that may be consistent with an attack, misuse or abuse of resources, a resource
compromise, or other abnormal behavior that should be considered indicative of a
serious security event.
AttackBehavior > InferredAttack
InferredAttack alerts are reserved AttackBehavior alerts used for describing
attacks that are a composite of different types of alerts. These events will be
defined and inferred by Contego Policy.
AttackBehavior > ResourceAttack
Members of the ResourceAttack tree are used to define different types of
malicious or abusive access to network resources, where these resources may be
network bandwidth/traffic, files, client processes or services, or other types of
shared security-related 'commodities'.
AttackBehavior > ResourceAttack > NetworkAttack
Members of the NetworkAttack tree are used to define events centered on
malicious or abusive usage of network bandwidth/traffic. These events include
access to network resources, relaying attacks via network resources, or denial of
service behavior on network resources.
AttackBehavior > ResourceAttack > NetworkAttack > Access
Children of the Access tree define events centered on malicious or abusive usage
of network bandwidth/traffic where the intention, or the result, is inappropriate or
abusive access to network resources.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
ApplicationAccess alerts reflect malicious or abusive usage of network resources
where the intention, or the result, is gaining access to resources where the related
data is mostly or all application-layer. Generally, ApplicationAccess alerts will
reflect attempted exploitation of weaknesses in server or client software, or
information that is restricted/prohibited by device access control or policy.
These alerts are generally provided by network-based intrusion detection
systems; in some cases, network infrastructure devices such as firewalls or proxy
servers may also provide them.
Events placed in the parent ApplicationAccess alert itself are known to be
application-related, but not able to be further categorized based on the message
provided by the connector or because they are uncommon.
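Three mechanisms described in this appendix, as one added Python example: a rule written against a parent node such as ApplicationAccess or FileTransferAccess matching that node and every event type beneath it (the tree described above), audit traffic such as InternalInfo > InternalUserLogonFailure being escalated to alert status only once a Rule-defined threshold is reached (Security Events introduction), and a rule in Test mode enumerating its actions instead of executing them (InternalPolicy > InternalTestRule versus InternalRuleFired). This is illustrative code written for this page, not LEM's correlation engine; the event dictionary format, the Rule fields, the per-key sliding window and the sample events are assumptions, and only the event-type names are taken from the appendix.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


def path(event_type):
    """Split 'A > B > C' into ('A', 'B', 'C')."""
    return tuple(part.strip() for part in event_type.split(">"))


def is_under(event_type, node):
    """True when event_type is node itself or any descendant of node.
    Comparison is segment-wise, so InternalUserLogon is NOT under
    InternalUserLogonFailure even though it is a string prefix of it."""
    e, n = path(event_type), path(node)
    return e[:len(n)] == n


@dataclass
class Rule:
    name: str
    node: str           # taxonomy node to watch; descendants match too
    key: str            # event field the count is grouped by (assumed field)
    threshold: int      # hits per key needed inside the window
    window: float       # seconds
    actions: tuple      # actions to run when the rule fires
    test_mode: bool = False
    hits: dict = field(default_factory=lambda: defaultdict(deque))

    def feed(self, ev):
        """Consume one event; return an InternalPolicy event if the rule fires."""
        if not is_under(ev["type"], self.node):
            return None
        k = ev.get(self.key)
        q = self.hits[k]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > self.window:   # drop hits outside the window
            q.popleft()
        if len(q) < self.threshold:
            return None
        q.clear()                                    # fire once per burst
        kind = ("InternalPolicy > InternalTestRule" if self.test_mode
                else "InternalPolicy > InternalRuleFired")
        # In Test mode the actions are only enumerated, never executed.
        return {"type": kind, "rule": self.name, self.key: k,
                "actions": list(self.actions)}


def correlate(events, rules):
    """Run every rule over the time-ordered event stream."""
    fired = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        for rule in rules:
            hit = rule.feed(ev)
            if hit:
                fired.append(hit)
    return fired


FTA = ("AttackBehavior > ResourceAttack > NetworkAttack > Access > "
       "ApplicationAccess > FileTransferAccess")

# Constructed events (not real LEM records): three console logon failures for
# 'admin' inside ten seconds, two FTP probes from one address, one stray
# failure for 'bob'.
SAMPLE_EVENTS = [
    {"ts": 0,   "type": "InternalInfo > InternalUserLogonFailure", "user": "admin", "src_ip": "10.1.1.5"},
    {"ts": 5,   "type": "InternalInfo > InternalUserLogonFailure", "user": "admin", "src_ip": "10.1.1.5"},
    {"ts": 9,   "type": "InternalInfo > InternalUserLogonFailure", "user": "admin", "src_ip": "10.1.1.5"},
    {"ts": 12,  "type": "InternalInfo > InternalUserLogon",        "user": "admin", "src_ip": "10.1.1.5"},
    {"ts": 20,  "type": FTA + " > FTPCommandAccess",       "src_ip": "203.0.113.7"},
    {"ts": 40,  "type": FTA + " > FTPInvalidFormatAccess", "src_ip": "203.0.113.7"},
    {"ts": 400, "type": "InternalInfo > InternalUserLogonFailure", "user": "bob",   "src_ip": "10.1.1.9"},
]

RULES = [
    Rule("Console brute force", "InternalInfo > InternalUserLogonFailure",
         key="user", threshold=3, window=60,
         actions=("email admins", "block source")),
    Rule("FTP probing", FTA, key="src_ip", threshold=2, window=120,
         actions=("block source",), test_mode=True),
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS, RULES):
        print(hit)
```

The node comparison is done segment by segment on the split path rather than with a string prefix test; otherwise a rule on InternalUserLogon would also swallow InternalUserLogonFailure events. The per-key queue is cleared when a rule fires so that one burst yields one InternalRuleFired rather than one per further event, and the single failure for bob never crosses the threshold, which is the point of escalating audit traffic by threshold rather than per event.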

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> DataBaseAccess
DataBaseAccess alerts reflect malicious or abusive usage of network resources
where the intention, or the result, is gaining access to resources via
application-layer database traffic. Generally, these alerts will reflect attempted
exploitation of weaknesses in database server or client software.
These alerts are generally provided by network-based intrusion detection
systems, the database server, or the client software itself. Appropriate response to
these alerts may entail better access control of database servers (e.g. restriction
by IP address and/or user name to ensure only trusted clients are connecting),
applying updates or patches to database servers and/or clients, or the possible
removal of the database service or client application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> FileTransferAccess
FileTransferAccess alerts reflect malicious or abusive usage of network
resources where the intention, or the result, is gaining access to resources via
application-layer file transfer traffic. Generally, these alerts will reflect attempted
exploitation of weaknesses in file transfer server or client software.
These alerts are generally provided by network-based intrusion detection
systems, the file transfer server, or the client software itself. Appropriate response
to these alerts may entail better access control of file transfer servers (e.g.
restriction by IP address and/or user name to ensure only trusted clients are
connecting), applying updates or patches to file transfer servers and/or clients, or
the possible removal of the file transfer service or client application related to this
event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> FileTransferAccess > FTPFileAccess
FTPFileAccess alerts reflect malicious or abusive usage of network resources
where the intention, or the result, is gaining access to filesystems of resources via
application-layer file transfer traffic. Generally, these alerts will reflect attempted
exploitation of weaknesses in file transfer server or client software with the intent
of information gathering or low-level filesystem access of the server or client.
These alerts are generally provided by network-based intrusion detection
systems, the file transfer server, or the client software itself. Appropriate response
to these alerts may entail better access control of file transfer servers (e.g.
restriction by IP address and/or user name to ensure only trusted clients are

connecting), applying updates or patches to file transfer servers and/or clients, or
the possible removal of the file transfer service or client application related to this
event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> FileTransferAccess > FTPInvalidFormatAccess
FTPInvalidFormatAccess alerts reflect malicious or abusive usage of network
resources where the intention, or the result, is gaining access to resources via
application-layer file transfer traffic. Generally, these alerts will reflect attempted
exploitation of weaknesses in file transfer server or client software with the intent
of information gathering or low-level access to the server or client. These attacks
are always abnormal traffic that the file transfer server or client is not prepared to
respond to; attacks, such as buffer overflows, may also result in the server or
client software or system being halted.
These alerts are generally provided by network-based intrusion detection
systems, the file transfer server, or the client software itself. Appropriate response
to these alerts may entail better access control of file transfer servers (e.g.
restriction by IP address and/or user name to ensure only trusted clients are
connecting), applying updates or patches to file transfer servers and/or clients, or
the possible removal of the file transfer service or client application related to this
event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> FileTransferAccess > FTPCommandAccess
FTPCommandAccess alerts reflect malicious or abusive usage of network
resources where the intention, or the result, is gaining access to resources via
application-layer file transfer traffic. Generally, these alerts will reflect attempted
exploitation of weaknesses in file transfer server software with the intent of
information gathering or low-level access to the server or client. These attacks are
always abnormal command traffic that the file transfer server is not prepared to
respond to, but may provide access to (e.g. debug or legacy commands).
These alerts are generally provided by network-based intrusion detection
systems, the file transfer server, or the client software itself. Appropriate response
to these alerts may entail better access control of file transfer servers (e.g.
restriction by IP address and/or user name to ensure only trusted clients are
connecting), applying updates or patches to file transfer servers and/or clients,
restriction of allowed commands, or the possible removal of the file transfer
service or client application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> MailAccess
MailAccess alerts reflect malicious or abusive usage of network resources where
the intention, or the result, is gaining access to resources via application-layer
mail transfer, retrieval, or service traffic. Generally, these alerts will reflect
attempted exploitation of weaknesses in mail-related server or client software.
These alerts are generally provided by network-based intrusion detection
systems or the mail server, service, or client software itself. Appropriate response
to these alerts may entail better access control of mail servers (e.g. restriction by
IP address and/or user name to ensure only trusted clients are connecting),
applying updates or patches to mail servers and/or clients, or possible removal of
the mail server, service, or client application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> MailAccess > MailTransferAccess
MailTransferAccess alerts reflect malicious or abusive usage of network
resources where the intention, or the result, is gaining access to resources via
application-layer mail transfer traffic. Generally, these alerts will reflect attempted
exploitation of weaknesses in SMTP server software.
These alerts are generally provided by network-based intrusion detection
systems, or the SMTP server software itself. Appropriate response to these alerts
may entail better access control of the SMTP server (e.g. restriction by IP address
and/or user name to ensure only trusted clients are connecting, especially for
SMTP servers that relay mail for external/remote entities), applying updates or
patches to SMTP servers, or the possible removal of the SMTP server related to
this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> MailAccess > MailTransferAccess > SMTPInvalidFormatAccess
SMTPInvalidFormatAccess alerts reflect malicious or abusive usage of network
resources where the intention, or the result, is gaining access to resources via
application-layer mail transfer traffic. Generally, these alerts will reflect attempted
exploitation of weaknesses in SMTP server software with the intent of information
gathering or low-level access to the server. These attacks are always abnormal
traffic that the SMTP server is not prepared to respond to; attacks, such as buffer
overflows, may also result in the server software or system being halted.
These alerts are generally provided by network-based intrusion detection
systems, or the SMTP server software itself. Appropriate response to these alerts

may entail better access control of the SMTP server (e.g. restriction by IP address
and/or user name to ensure only trusted clients are connecting, especially for
SMTP servers that relay mail for external/remote entities), applying updates or
patches to SMTP servers, or the possible removal of the SMTP server related to
this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> MailAccess > MailTransferAccess > SMTPInvalidFormatAccess > SmailAccess
SmailAccess alerts reflect malicious or abusive usage of network resources
where the intention, or the result, is gaining access to resources via
application-layer mail transfer traffic. Generally, these alerts will reflect attempted
exploitation of weaknesses in SMTP server software with the intent of information
gathering or low-level access to the server. These attacks are always abnormal
traffic that the SMTP server is not prepared to respond to; they may also result in
the server software or system being halted. The smail attack specifically attempts
to execute applications, resulting in compromise of the SMTP server system.
These alerts are generally provided by network-based intrusion detection
systems, or the SMTP server software itself. Appropriate response to these alerts
may entail better access control of the SMTP server (e.g. restriction by IP address
and/or user name to ensure only trusted clients are connecting, especially for
SMTP servers that relay mail for external/remote entities), applying updates or
patches to SMTP servers, or the possible removal of the SMTP server related to
this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> MailAccess > MailTransferAccess > SMTPCommandAccess
SMTPCommandAccess alerts reflect malicious or abusive usage of network
resources where the intention, or the result, is gaining access to resources via
application-layer mail transfer traffic. Generally, these alerts will reflect attempted
exploitation of weaknesses in SMTP server software with the intent of information
gathering or low-level access to the server. These attacks are always abnormal
command traffic that the SMTP server is not prepared to respond to, but may
provide access to (e.g. debug or legacy commands).
These alerts are generally provided by network-based intrusion detection
systems, or the SMTP server software itself. Appropriate response to these alerts
may entail better access control of the SMTP server (e.g. restriction by IP address
and/or user name to ensure only trusted clients are connecting, especially for
SMTP servers that relay mail for external/remote entities), applying updates or

patches to SMTP servers, restriction of allowed commands, or the possible
removal of the SMTP server related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> MailAccess > MailDeliveryAccess
MailDeliveryAccess alerts reflect malicious or abusive usage of network
resources where the intention, or the result, is gaining access to resources via
application-layer mail retrieval traffic. Generally, these alerts will reflect attempted
exploitation of weaknesses in mail retrieval related server or client software, that
is, the MDA (mail delivery agent) or MUA (mail user agent).
These alerts are generally provided by network-based intrusion detection
systems, or the mail server, service, or client software itself. Appropriate response
to these alerts may entail better access control of mail servers (e.g. restriction by
IP address and/or user name to ensure only trusted clients are connecting),
applying updates or patches to mail servers and/or clients, or the possible
removal of the mail server, service, or client application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> MailAccess > MailServiceAccess
MailServiceAccess alerts reflect malicious or abusive usage of network resources
where the intention, or the result, is gaining access to resources via
application-layer mail service traffic. Generally, these alerts will reflect attempted
exploitation of weaknesses in mail service-related server or client software,
including services such as mailing list software, spam filters, email redirection
software, and other mail filtering software.
These alerts are generally provided by network-based intrusion detection
systems, the mail service, or the client software itself. Appropriate response to
these alerts may entail better access control of mail services or servers (e.g.
restriction by IP address and/or user name to ensure only trusted clients are
connecting), applying updates or patches to mail services and/or clients, or the
possible removal of the mail service or client application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> MailAccess > MailServiceAccess > MajordomoAccess
MajordomoAccess alerts reflect malicious or abusive usage of network resources
where the intention, or the result, is gaining access to resources via
application-layer mail service traffic. Generally, these alerts will reflect attempted
exploitation of weaknesses in Majordomo, a specific type of mailing list software.

These alerts are generally provided by network-based intrusion detection
systems, or the mail service itself. Appropriate response to these alerts may entail
better access control of mail services or servers (e.g. restriction by IP address
and/or user name to ensure only trusted clients are connecting), applying updates
or patches to the mail service, or the possible removal of the mail service related
to this event. Generally, the most appropriate response will be updates or patches
that can be retrieved from the Majordomo web site
(http://www.greatcircle.com/majordomo) or your operating system vendor.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> NewsAccess
NewsAccess alerts reflect malicious or abusive usage of network resources
where the intention, or the result, is gaining access to resources via
application-layer news traffic (over protocols such as NNTP). Generally, these
alerts will reflect attempted exploitation of weaknesses in the news server or client
software.
These alerts are generally provided by network-based intrusion detection
systems, the news server, or the client software itself. Appropriate response to
these alerts may entail better access control of news servers (e.g. restriction by IP
address and/or user name to ensure only trusted clients are connecting), applying
updates or patches to news servers and/or clients, or the possible removal of the
news service or client application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> PrinterAccess
PrinterAccess alerts reflect malicious or abusive usage of network resources
where the intention, or the result, is gaining access to resources via
application-layer remote printer traffic. Generally, these alerts will reflect
attempted exploitation of weaknesses in the remote printer server or client
software.
These alerts are generally provided by network-based intrusion detection
systems, the remote printer server, or the client software itself. Appropriate
response to these alerts may entail better access control of remote printer servers
(e.g. restriction by IP address and/or user name to ensure only trusted clients are
connecting), applying updates or patches to remote printer servers and/or clients,
or the possible removal of the remote printer service or client application related
to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> WebAccess

WebAccess alerts reflect malicious or abusive usage of network resources where
the intention, or the result, is gaining access to resources via application-layer
WWW traffic. Generally, these alerts will reflect attempted exploitation of
weaknesses in the web server or client software.
These alerts are generally provided by network-based intrusion detection
systems, the web server, or client software itself. Appropriate response to these
alerts may entail better access control of web servers (e.g. restriction by IP
address and/or user name to ensure only trusted clients are connecting), applying
updates or patches to web servers and/or clients, or the possible removal of the
web service or client application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> WebAccess > HTTPClientAccess
HTTPClientAccess alerts reflect malicious or abusive usage of network resources
where the intention, or the result, is gaining access to resources via
application-layer WWW traffic where the information flow is from server to client.
Generally, these alerts will reflect attempted exploitation of weaknesses in the
client software or abuse and/or misuse of resources from clients.
These alerts are generally provided by network-based intrusion detection
systems, the web client software itself, proxy servers, content filters, and/or
firewalls with capability to monitor incoming web traffic. Appropriate response to
these alerts may entail applying updates or patches to web client software, or
restriction of incoming/outgoing web requests/responses to reflect inappropriate
or abusive access.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> WebAccess > HTTPClientAccess > FraudulentCertificateAccess
FraudulentCertificateAccess alerts reflect malicious or abusive usage of network
resources where the intention, or the result, is gaining access to resources via
application-layer WWW traffic in which the information flow is from server to client.
Generally, these alerts will reflect attempted exploitation of weaknesses in the
client software through fraudulent certificates. The intent of these attacks may be
to forge certificates that convince the client that the site is trusted, when in fact it is
not, passing data along with those certificates that may be inappropriate and/or
contain exploits.
These alerts are generally provided by network-based intrusion detection
systems, the web client software itself, proxy servers, content filters, and/or
firewalls with capability to monitor incoming web traffic. Appropriate response to

these alerts may entail applying updates or patches to web client software, or
restriction of incoming/outgoing web requests/responses to reflect the abusive
access.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> WebAccess > HTTPClientAccess > ProhibitedHTTPControlAccess
ProhibitedHTTPControlAccess alerts reflect malicious or abusive usage of
network resources where the intention, or the result, is gaining access to
resources via application-layer WWW traffic in which the information flow is from
server to client. Generally, these alerts will reflect attempted exploitation of
weaknesses in the client software or abuse and/or misuse of resources from
clients through client controls such as ActiveX and Java.
These alerts are generally provided by network-based intrusion detection
systems, the web client software itself, proxy servers, content filters, and/or
firewalls with capability to monitor incoming web traffic. Appropriate response to
these alerts may entail applying updates or patches to web client software, or
restriction of incoming/outgoing web requests/responses to reflect inappropriate
or abusive access.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> WebAccess > HTTPServerAccess
HTTPServerAccess alerts reflect malicious or abusive usage of network
resources where the intention, or the result, is gaining access to resources via
application-layer WWW traffic where the information flow is from client to server.
Generally, these alerts will reflect attempted exploitation of weaknesses in the
server software or abuse and/or misuse of server resources.
These alerts are generally provided by network-based intrusion detection
systems, the web server or service software itself, and/or firewalls with the
capability to monitor incoming/outgoing web traffic. Appropriate response to these
alerts may entail better access control of web servers (e.g. restriction by IP
address and/or user name to ensure only trusted clients are connecting), applying
updates or patches to web servers, services, and/or clients, or the possible
removal of the web service or client application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> WebAccess > HTTPServerAccess > HTTPApplicationAccess
HTTPApplicationAccess alerts reflect malicious or abusive usage of network
resources where the intention, or the result, is gaining access to resources via
application-layer WWW traffic in which the information flow is from client to server.

Generally, these alerts will reflect attempted exploitation of weaknesses in
applications running on top of the server software, such as PHP, CGI,
administrative sites, and other application services.
These alerts are generally provided by network-based intrusion detection
systems, the web server, the service software itself, and/or firewalls with
capability to monitor incoming/outgoing web traffic. Appropriate response to these
alerts may entail better access control of web servers or the service itself (e.g.
restriction by IP address and/or user name to ensure only trusted clients are
connecting), applying updates or patches to web servers, services, and/or clients,
or the possible removal of the web service application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> WebAccess > HTTPServerAccess > HTTPApplicationAccess >
HTTPAdministrationAccess
HTTPAdministrationAccess alerts reflect malicious or abusive usage of network
resources where the intention, or the result, is gaining access to resources via
application-layer WWW traffic in which the information flow is from client to server.
Generally, these alerts will reflect attempted exploitation of weaknesses in
applications run on top of server software that are related to remote administration
of sites, services, and/or systems.
These alerts are generally provided by network-based intrusion detection
systems, the web server, the service software itself, and/or firewalls with
capability to monitor incoming/outgoing web traffic. Appropriate response to these
alerts may entail better access control of web servers or the service itself (e.g.
restriction by IP address and/or user name to ensure only trusted clients are
connecting), applying updates or patches to web servers, services, administrative
sites, and/or clients, or the possible removal of the web service application or
administrative site related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> WebAccess > HTTPServerAccess > HTTPApplicationAccess >
HTTPDynamicContentAccess
HTTPDynamicContentAccess alerts reflect malicious or abusive usage of
network resources where the intention, or the result, is gaining access to
resources via application-layer WWW traffic in which the information flow is from
client to server. Generally, these alerts will reflect attempted exploitation of
weaknesses in applications, running on top of the server software, that generate
dynamic content such as PHP, CGI, and ASP.

These alerts are generally provided by network-based intrusion detection
systems, the web server, the service software itself, and/or firewalls with
capability to monitor incoming/outgoing web traffic. Appropriate response to these
alerts may entail better access control of web servers or the service itself (e.g.
restriction by IP address and/or user name to ensure only trusted clients are
connecting), applying updates or patches to web servers, services, dynamic
content, and/or clients, or the possible removal of the web service application or
dynamic content related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> WebAccess > HTTPServerAccess > HTTPApplicationAccess >
HTTPFileRequestAccess
HTTPFileRequestAccess alerts reflect malicious or abusive usage of network
resources where the intention, or the result, is gaining access to resources via
application-layer WWW traffic in which the information flow is from client to server.
Generally, these alerts will reflect attempted exploitation of weaknesses in
applications running on top of server software that are related to remote
administration of sites, services, and/or systems with the intent of information
gathering or low-level filesystem access of the server or client.
These alerts are generally provided by network-based intrusion detection
systems, the web server, the service software itself, and/or firewalls with
capability to monitor incoming/outgoing web traffic. Appropriate response to these
alerts may entail better access control of web servers or the service itself (e.g.
restriction by IP address and/or user name to ensure only trusted clients are
connecting), applying updates or patches to web servers, services, and/or clients,
or the possible removal of the web service application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> WebAccess > HTTPServerAccess > HTTPApplicationAccess >
HTTPServiceAccess
HTTPServiceAccess alerts reflect malicious or abusive usage of network
resources where the intention, or the result, is gaining access to resources via
application-layer WWW traffic in which the information flow is from client to server.
Generally, these alerts will reflect attempted exploitation of weaknesses in
applications running on top of server software that are related to remote services
such as printing or console access.
These alerts are generally provided by network-based intrusion detection
systems, the web server, the service software itself, and/or firewalls with

capability to monitor incoming/outgoing web traffic. Appropriate response to these
alerts may entail better access control of web servers or the service itself (e.g.
restriction by IP address and/or user name to ensure only trusted clients are
connecting), applying updates or patches to web servers, services, and/or clients,
or the possible removal of the web service application or site related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> WebAccess > HTTPServerAccess > HTTPInvalidFormatAccess
HTTPInvalidFormatAccess alerts reflect malicious or abusive usage of network
resources where the intention, or the result, is gaining access to resources via
application-layer web traffic in which the information flow is from client to server.
Generally, these alerts will reflect attempted exploitation of weaknesses in web
server software with the intent of information gathering or low-level access to the
server. These attacks are always abnormal traffic that the web server is not
prepared to respond to; attacks, such as buffer overflows, may also result in the
server software or system being halted.
These alerts are generally provided by network-based intrusion detection
systems, the web server, the service software itself, and/or firewalls with
capability to monitor incoming/outgoing web traffic. Appropriate response to these
alerts may entail better access control of the web server (e.g. restriction by IP
address and/or user name to ensure only trusted clients are connecting), applying
updates or patches to web servers or services, or the possible removal of the web
server related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> NamingAccess
NamingAccess alerts reflect malicious or abusive usage of network resources
where the intention, or the result, is gaining access to resources via application-layer naming service traffic (using protocols such as DNS and WINS). Generally,
these alerts will reflect attempted exploitation of weaknesses in the naming server
or client software.
These alerts are generally provided by network-based intrusion detection
systems, the naming server, or the client software itself. Appropriate response to
these alerts may entail better access control of name servers (e.g. restriction by IP
address and/or user name to ensure only trusted clients are connecting), applying
updates or patches to naming servers and/or clients, or the possible removal of
the naming service or client application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> RemoteConsoleAccess
RemoteConsoleAccess alerts reflect malicious or abusive usage of network
resources where the intention, or the result, is gaining access to resources via
application-layer remote console service traffic (services such as telnet, SSH, and
terminal services). Generally, these alerts will reflect attempted exploitation of
weaknesses in the remote console server or client software.
These alerts are generally provided by network-based intrusion detection
systems, the remote console server, or the client software itself. Appropriate
response to these alerts may entail better access control of remote console
servers (e.g. restriction by IP address and/or user name to ensure only trusted
clients are connecting), applying updates or patches to remote console servers
and/or clients, or the possible removal of the remote console service or client
application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
> TimeAccess
TimeAccess alerts reflect malicious or abusive usage of network resources where
the intention, or the result, is gaining access to resources via application-layer
remote time service traffic (using protocols such as NTP). Generally, these alerts
will reflect attempted exploitation of weaknesses in the remote time server or
client software.
These alerts are generally provided by network-based intrusion detection
systems, the time server, or client software itself. Appropriate response to these
alerts may entail better access control of remote time servers (e.g. restriction by IP
address and/or user name to ensure only trusted clients are connecting), applying
updates or patches to remote time servers and/or clients, or the possible removal
of the remote time service or client application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access >
ConfigurationAccess
ConfigurationAccess alerts reflect malicious or abusive usage of network
resources where the intention, or the result, is gaining access to resources via
resource configuration traffic (using protocols such as DHCP, BootP, and SNMP).
Generally, these alerts will reflect attempted exploitation of weaknesses in the
configuration server or client software or attempts to gain system-level access to
configuration servers themselves. In the case of SNMP and similar configuration

protocols, it could reflect an attempt to enumerate a device or devices on the
same network for further attack.
These alerts are generally provided by network-based intrusion detection
systems, the configuration server, or the client software itself. Appropriate
response to these alerts may entail better access control of configuration servers
and services (e.g. restriction by IP address and/or user name to ensure only
trusted clients are connecting), applying updates or patches to configuration
servers and/or clients, or the possible removal of the configuration service or
client application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > CoreAccess
CoreAccess alerts reflect malicious or abusive usage of network resources where
the intention, or the result, is gaining access to resources where the related data
is mostly or all core protocols (TCP, UDP, IP, ICMP). Generally, CoreAccess
alerts will reflect attempted exploitation of weaknesses in network protocols or
devices with intent to gain access to servers, clients, or network infrastructure
devices.
These alerts are generally provided by network-based intrusion detection
systems; in some cases, network infrastructure devices such as firewalls or
routers may also provide them. In some cases, these events are escalated from
the Audit tree via Contego Policy.
Events placed in the parent CoreAccess alert itself are known to be core
protocol-related but cannot be categorized further, either because the message
provided by the connector does not allow it or because they are uncommon.
AttackBehavior > ResourceAttack > NetworkAttack > Access > CoreAccess >
ICMPRedirectAccess
ICMPRedirectAccess alerts reflect a specific type of CoreAccess alert where the
attack traffic is all ICMP Redirects (ICMP type 5) and the intent is to redirect traffic
to either enumerate devices or client machines, or to gather information on
devices or client traffic to further attack those or other resources. ICMP Redirects
are generally benign ICMP messages sent to hosts to redirect traffic intended for
a network that another gateway can control. In the cases where ICMP Redirects
are used for attacking, a host will generally pose as a router, pass a redirect to a
client machine to modify its routing table so that it sends traffic to the false
router instead of its normal network gateway, and proceed to enumerate, gather
information, or attack the redirected host. The false router will then send the traffic
on to the correct gateway, and the host has no idea of what has occurred (unless

another device or connector detects it). This is one type of what is commonly
referred to as a man-in-the-middle attack.
These alerts are generally provided by network-based intrusion detection
systems and network infrastructure devices such as firewalls or routers.
Appropriate response to these alerts may entail blocking or resetting the local or
remote user's connection/IP address, updates to network infrastructure devices, or
restriction of incoming/outgoing ICMP redirect requests/responses to reflect
inappropriate or abusive access. Appropriate methods of preventing ICMP
redirect attacks are to limit the hosts that may send ICMP Redirects across
network devices to the legitimate routers and gateways, to limit ingress and egress
ICMP traffic, and to make sure that clients, servers, and network infrastructure
devices are current with regard to operating system and other networking software,
so that other attacks related to ICMP Redirect attacks of this type (such as denial of
service attacks) do not occur.
AttackBehavior > ResourceAttack > NetworkAttack > Access > CoreAccess >
IPFragmentationAccess
IPFragmentationAccess alerts reflect a specific type of CoreAccess alert where
the attack traffic is all IP and the intent is to slip possibly malicious or abusive
data past an IDS or other detection device by using many IP fragments (usually
either much larger or smaller than normal fragments). The network infrastructure
devices handling the traffic will reassemble and pass on the traffic correctly;
however, an IDS on the network may not be able to detect the malicious traffic,
only the presence of fragments (if even that). The attack may be allowed to pass
through the network either incoming or outgoing, thereby eliminating one line of
defense. Normal IP fragmentation (data that has been taken apart because it is
too large based on network parameters) should not trigger an
IPFragmentationAccess alert.
Fragmentation alerts themselves are generally provided by network-based
intrusion detection systems and network infrastructure devices such as firewalls
or routers. Appropriate response to these alerts may entail blocking or resetting
the local or remote user's connection/IP address, applying updates or patches to
server and/or client software (especially the IDS), updates to network
infrastructure devices, or restriction of incoming/outgoing network
requests/responses to reflect inappropriate or abusive access.
AttackBehavior > ResourceAttack > NetworkAttack > Access > CoreAccess >
IPSourceRouteAccess

IPSourceRouteAccess alerts reflect a specific type of CoreAccess alert where the
attack traffic is all IP and the intent is generally to misrepresent the originating
address to bypass detection. IPSourceRouteAccess is a type of IP Spoofing
where an attacker falsifies network information to convince the destination that the
given source is something other than the actual source, directing the destination
to return the traffic through an IP Source Route option that traces the traffic to the
trusted host and then on to the untrusted attacker. The trusted host receives the
traffic from the destination and because of the IP Source Route, it passes the
traffic on to the untrusted attacker. The data is not modified and the attacker has
'tricked' the network into passing the traffic on. Generally, while spoofed, clients
will attempt to gather information, perform actual attacks on internal or external
devices, or perform denial of service attacks.
These alerts are generally provided by network-based intrusion detection
systems and network infrastructure devices such as firewalls or routers.
Response to IP Spoofing itself is difficult as the originating host may be
alternating spoofed hostnames or IP addresses in order to continually circumvent
detection; however, response to IP spoofing that utilizes the IP source route
could entail configuring routers or gateways not to pass traffic that contains an IP
Source Route option. Initial appropriate response to these alerts may entail
blocking or resetting the local or remote user's connection/IP address; however,
this may prove ineffective or unrealistic. Other responses may include
applying updates or patches to server and/or client software, updates to network
infrastructure devices, or restriction of incoming/outgoing network
requests/responses to reflect inappropriate or abusive access. Unfortunately, it
may prove difficult to derail an attempted attack through IP Spoofing; however,
routing and firewalling policies (including disallowing traffic with the IP Source
Route option) should prevent further access through spoofed addresses.
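The three CoreAccess subtypes just described (ICMPRedirectAccess, IPFragmentationAccess and IPSourceRouteAccess) can each be recognised from the IPv4 header alone, which is what a network IDS does before it raises these alerts. The classifier below is an added example, not LEM code or a LEM connector: the packets it inspects are constructed inline, the "abnormal fragment" thresholds are assumptions, and the names it returns are the leaf categories from this appendix.

```python
import struct
from typing import Dict, List, Optional

# Protocol constants (RFC 791 IPv4 options and flags, RFC 792 ICMP types).
IP_PROTO_ICMP = 1
ICMP_TYPE_REDIRECT = 5
IP_OPT_EOOL = 0      # end of option list
IP_OPT_NOP = 1       # no operation
IP_OPT_LSRR = 131    # loose source and record route
IP_OPT_SSRR = 137    # strict source and record route
IP_FLAG_MF = 0x2000  # "more fragments" bit of the flags/offset field
# Assumed thresholds for "abnormal" fragments (not from the LEM manual): a first
# fragment too small for a TCP header hides the ports; data past 65535 cannot fit.
MIN_FIRST_FRAGMENT_PAYLOAD = 20
MAX_IP_DATAGRAM = 65535


def parse_ipv4_options(opts: bytes) -> List[int]:
    """Return the option type codes in an IPv4 options field, walking the TLV
    list defensively so a truncated or zero-length option ends parsing."""
    types: List[int] = []
    i = 0
    while i < len(opts):
        opt_type = opts[i]
        if opt_type == IP_OPT_EOOL:
            break
        types.append(opt_type)
        if opt_type == IP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                       # header cut off or malformed length
        i += opts[i + 1]
    return types


def classify_core_access(packet: bytes) -> Optional[str]:
    """Map one raw IPv4 packet to a CoreAccess subtype name from the LEM
    taxonomy, or None when the header shows nothing abusive."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    (total_len,) = struct.unpack("!H", packet[2:4])
    (flags_frag,) = struct.unpack("!H", packet[6:8])
    proto = packet[9]
    if ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise ValueError("inconsistent IPv4 header lengths")
    # 1. Source routing options let the sender dictate the return path.
    options = parse_ipv4_options(packet[20:ihl])
    if IP_OPT_LSRR in options or IP_OPT_SSRR in options:
        return "IPSourceRouteAccess"
    # 2. Fragmentation: only abnormal fragments are flagged, since ordinary
    #    size-driven fragmentation must not raise this alert.
    more_fragments = bool(flags_frag & IP_FLAG_MF)
    offset_bytes = (flags_frag & 0x1FFF) * 8
    payload_len = total_len - ihl
    if more_fragments or offset_bytes:
        if offset_bytes == 0 and payload_len < MIN_FIRST_FRAGMENT_PAYLOAD:
            return "IPFragmentationAccess"    # tiny first fragment
        if offset_bytes + payload_len > MAX_IP_DATAGRAM:
            return "IPFragmentationAccess"    # oversized or overlapping
        if offset_bytes:
            return None                       # later fragment: no L4 header here
    # 3. ICMP Redirect (type 5), visible only in an unfragmented or first piece.
    if proto == IP_PROTO_ICMP and payload_len and packet[ihl] == ICMP_TYPE_REDIRECT:
        return "ICMPRedirectAccess"
    return None


def build_ipv4(payload: bytes, proto: int, options: bytes = b"",
               more_fragments: bool = False, frag_offset: int = 0) -> bytes:
    """Build a sample IPv4 packet (checksum left at zero; it is not verified)."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)   # pad to 32-bit words
    ihl_words = 5 + len(options) // 4
    flags_frag = (IP_FLAG_MF if more_fragments else 0) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0,
                         ihl_words * 4 + len(payload), 0x1234, flags_frag, 64,
                         proto, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))
    return header + options + payload


def sample_packets() -> Dict[str, bytes]:
    """Constructed samples, one per case the classifier distinguishes."""
    # ICMP Redirect for host (type 5, code 1) to 192.0.2.99 plus the quoted header.
    redirect = bytes([ICMP_TYPE_REDIRECT, 1, 0, 0, 192, 0, 2, 99]) + b"\x00" * 28
    lsrr = bytes([IP_OPT_LSRR, 7, 4, 198, 51, 100, 7])   # one-hop loose source route
    tcp_header = b"\x00" * 20
    return {
        "icmp_redirect": build_ipv4(redirect, IP_PROTO_ICMP),
        "source_routed": build_ipv4(tcp_header, 6, options=lsrr),
        "tiny_first_fragment": build_ipv4(b"\x00" * 8, 6, more_fragments=True),
        "oversized_fragment": build_ipv4(b"\x00" * 32, 17, frag_offset=8189),
        "normal_first_fragment": build_ipv4(b"\x00" * 1480, 17, more_fragments=True),
        "normal_later_fragment": build_ipv4(b"\x00" * 100, 17, frag_offset=185),
        "plain_tcp": build_ipv4(tcp_header, 6),
    }
```

Running classify_core_access over sample_packets() yields the subtype for the four abusive packets and None for the two ordinary fragments and the plain TCP segment, which is the distinction the IPFragmentationAccess description asks for.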
AttackBehavior > ResourceAttack > NetworkAttack > Access > CoreAccess >
IPSpoofAccess
IPSpoofAccess alerts reflect a specific type of CoreAccess alert where the attack
traffic is all IP and the intent is to misrepresent the originating address to either
bypass detection or misdirect response to attack activity. IP Spoofing is done by
falsifying network information to convince the destination (and any network hops
in between) that the given source is something other than the actual source.
Generally, while spoofed, clients will attempt to gather information, perform actual
attacks on internal or external devices, or perform denial of service attacks.

These alerts are generally provided by network-based intrusion detection
systems and network infrastructure devices such as firewalls or routers.
Response to IP Spoofing is difficult as the originating host may be alternating
spoofed hostnames or IP addresses in order to continually circumvent detection.
Initial appropriate response to these alerts may entail blocking or resetting the
local or remote user's connection/IP address; however, this may prove ineffective
or unrealistic. Other responses may include applying updates or patches to server
and/or client software, updates to network infrastructure devices, or restriction of
incoming/outgoing network requests/responses to reflect inappropriate or abusive
access. Unfortunately, it may prove difficult to derail an attempted attack through
IP Spoofing; however, routing and firewalling policies should prevent further
access through spoofed addresses.
AttackBehavior > ResourceAttack > NetworkAttack > Access > CoreAccess >
TCPHijackAccess
TCPHijackAccess alerts reflect a specific type of CoreAccess alert where the
attack traffic is all TCP and the intent is to hijack a user's connection. TCP
Hijacking is done with the intent to take over another network user's connection
by sending malformed packets to 'confuse' the server into thinking that the new
user is the original user. In doing so, the original user is dropped from the
connection to the server and the new user injects himself into it, taking over all
attributes the server assumed about the original, including levels of security and/or
trust. TCP Hijacking can be used to place future attack connectors on client
systems, gather information about networks and/or client systems, immediately
attack internal networks, or carry out other malicious and/or abusive behavior.
These alerts are generally provided by network-based intrusion detection
systems; in some cases, network infrastructure devices such as firewalls or
routers may also provide them. Appropriate response to these alerts may entail
blocking or resetting the remote hijacker's connection/IP address, applying
updates or patches to server and/or client software, updates to network
infrastructure devices, or restriction of incoming/outgoing network
requests/responses to reflect inappropriate or abusive access.
AttackBehavior > ResourceAttack > NetworkAttack > Access > CoreAccess >
TCPTunnelingAccess
TCPTunnelingAccess alerts reflect a specific type of CoreAccess alert where the
attack traffic is all TCP and the intent is to tunnel a possible malicious or abusive
connection through other TCP traffic. TCP tunneling uses permitted TCP traffic to
bypass access policies on network devices, content filtering, monitoring, and

other traffic shaping or behavior policies. TCP tunneling is done by initiating a
known 'acceptable' TCP connection through allowed policies and piggybacking
an unacceptable connection atop the granted one. Over the new 'tunnel' the user
has built, they can pass any traffic that does not match other policies; once the
connection has been initiated, it is often difficult to detect and prevent further
malicious or abusive activity.
These alerts are generally provided by network-based intrusion detection
systems; in some cases, network infrastructure devices such as firewalls or
routers may also provide them. Appropriate response to these alerts may entail
blocking or resetting the local or remote user's connection/IP address, applying
updates or patches to server and/or client software, updates to network
infrastructure devices, or restriction of incoming/outgoing network
requests/responses to reflect inappropriate or abusive access.
AttackBehavior > ResourceAttack > NetworkAttack > Access > FileSystemAccess
FileSystemAccess alerts reflect malicious or abusive usage of network resources
where the intention, or the result, is gaining access to resources via remote
filesystem traffic (using protocols such as SMB and NFS). Generally, these alerts
will reflect attempted exploitation of weaknesses in the remote filesystem server
or client software or attempts to gain system-level access to remote filesystem
servers themselves.
These alerts are generally provided by network-based intrusion detection
systems, the remote filesystem server, or the client software itself. Appropriate
response to these alerts may entail better access control of remote filesystems
(e.g. restriction by IP address and/or user name to ensure only trusted clients are
connecting), applying updates or patches to remote filesystem servers and/or
clients, or the possible removal of the remote filesystem service or client
application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > FileSystemAccess
> NFSAccess
NFSAccess alerts are a specific type of FileSystemAccess alert that reflects
malicious or abusive usage of network resources where the intention, or the
result, is gaining access to resources via NFS (network file share) remote
filesystem traffic. Generally, these alerts will reflect attempted exploitation of
weaknesses in the NFS server or client software or attempts to gain system-level
access to NFS servers themselves.

These alerts are generally provided by network-based intrusion detection
systems, the remote filesystem server, or the client software itself. Appropriate
response to these alerts may entail better access control of remote filesystems
(e.g. restriction by IP address and/or user name to ensure only trusted clients are
connecting), applying updates or patches to remote filesystem servers and/or
clients, or the possible removal of the remote filesystem service or client
application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > FileSystemAccess
> SMBAccess
SMBAccess alerts are a specific type of FileSystemAccess alert that reflects
malicious or abusive usage of network resources where the intention, or the
result, is gaining access to resources via SMB (server message block) remote
filesystem traffic. Generally, these alerts will reflect attempted exploitation of
weaknesses in the SMB server or client software or attempts to gain system-level
access to SMB servers themselves.
These alerts are generally provided by network-based intrusion detection
systems, the remote filesystem server, or the client software itself. Appropriate
response to these alerts may entail better access control of remote filesystems
(e.g. restriction by IP address and/or user name to ensure only trusted clients are
connecting), applying updates or patches to remote filesystem servers and/or
clients, or the possible removal of the remote filesystem service or client
application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access >
LinkControlAccess
LinkControlAccess alerts reflect malicious or abusive usage of network resources
where the intention, or the result, is gaining access to resources where the related
data is low-level link control (using protocols such as ARP). Generally,
LinkControlAccess alerts will reflect attempted exploitation of weaknesses in
switching devices by usage of malformed incoming or outgoing data, with intent to
enumerate or gain access to or through switching devices, clients that are also on
the switching device, and entire networks attached to the switching device. In
some cases, a managed switch with restrictions on port analyzing activity may be
forced to behave like an unmanaged switch with no restrictions, allowing a
malicious client to sniff traffic and enumerate or attack.
These alerts are generally provided by network-based intrusion detection
systems and network infrastructure devices with link level control (such as

switches). Appropriate response to LinkControlAccess events may be to clear the
link-level control mechanisms of the switching device (things such as flushing the
ARP cache), applying updates or patches to switching devices, or better
segmentation of networks to prevent information disclosure if an attack occurs.
AttackBehavior > ResourceAttack > NetworkAttack > Access >
PointToPointAccess
PointToPointAccess alerts reflect malicious or abusive usage of network
resources where the intention, or the result, is gaining access to resources via
point to point traffic (using protocols such as PPTP). Generally, these alerts will
reflect attempted exploitation of weaknesses in point to point server or client
software, attempts to enumerate networks, or attempts to further attack devices on
trusted networks.
These alerts are generally provided by network-based intrusion detection
systems; in some cases, network infrastructure devices such as firewalls, routers,
or VPN servers may also provide them. Appropriate response to these alerts may
entail better access control of remote access services (e.g. restriction by IP
address and/or user name to ensure only trusted clients are connecting), applying
updates or patches to remote access servers and/or clients, or the possible
removal of the remote point to point service or client application related to this
event.
AttackBehavior > ResourceAttack > NetworkAttack > Access >
PointToPointAccess > PPTPSpoof
PPTPSpoof alerts reflect a specific type of PointToPointAccess alert where the
attack traffic is all PPTP and the intent is to misrepresent the originating address
to either bypass detection or misdirect response to attack activity; often the
target of these attacks is an internal trusted network that allows remote access
through PPTP tunneling. PPTP Spoofing is done by falsifying network
information to convince the destination (and any network hops in between) that
the given source is something other than the actual source. Generally, while
spoofed, clients will attempt to gather information, perform actual attacks on
internal devices, or perform denial of service attacks.
These alerts are generally provided by network-based intrusion detection
systems and network infrastructure devices such as firewalls or routers.
Response to PPTP Spoofing is difficult, as the originating host appears to be
coming from a 'trusted' address that has already completed initial handshaking
and key sharing. Initial appropriate response to these alerts may entail blocking or

resetting the local or remote user's connection/IP address, applying updates or
patches to server and/or client software, updates to network infrastructure
devices, or restriction of incoming/outgoing PPTP traffic requests/responses to
reflect inappropriate or abusive access.
AttackBehavior > ResourceAttack > NetworkAttack > Access >
RemoteProcedureAccess
RemoteProcedureAccess alerts reflect malicious or abusive usage of network
resources where the intention, or the result, is gaining access to resources via
remote procedure call traffic (using protocols such as the traditional RPC
services, RMI, and CORBA). Generally, these alerts will reflect attempted
exploitation of weaknesses in the remote procedure server or client software or
attempts to gain system-level access to remote procedure servers themselves.
These alerts are generally provided by network-based intrusion detection
systems, the remote procedure server, or the client software itself. Appropriate
response to these alerts may entail better access control of remote procedure
services (e.g. restriction by IP address and/or user name to ensure only trusted
clients are
connecting), applying updates or patches to remote procedure servers and/or
clients, or the possible removal of the remote procedure service or client
application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access >
RemoteProcedureAccess > RPCPortmapperAccess
RPCPortmapperAccess alerts reflect malicious or abusive usage of network
resources where the intention, or the result, is gaining access to resources via
remote procedure call traffic using the traditional RPC portmapper service.
Generally, these alerts will reflect attempted exploitation of weaknesses in the
remote procedure server or client software or attempts to gain system-level
access to remote procedure servers themselves.
These alerts are generally provided by network-based intrusion detection
systems, the remote procedure server, or the client software itself. Appropriate
response to these alerts may entail better access control of remote procedure
services (e.g. restriction by IP address and/or user name to ensure only trusted
clients are
connecting), applying updates or patches to remote procedure servers and/or
clients, or the possible removal of the remote procedure service or client
application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > RoutingAccess

RoutingAccess alerts reflect malicious or abusive usage of network resources
where the intention, or the result, is gaining access to resources where the related
data is routing-related protocols (RIP, IGMP, etc.). Generally, RoutingAccess
alerts will reflect attempted exploitation of weaknesses in routing protocols or
devices with intent to enumerate or gain access to or through routers, servers,
clients, or other network infrastructure devices. These routing protocols are used
to automate the routing process between multiple devices that share or span
networks.
These alerts are generally provided by network-based intrusion detection
systems and network infrastructure devices that utilize routing protocols such as
firewalls and routers. Appropriate response to RoutingAccess events may be
better access control of routing devices (e.g. restriction of what devices are
allowed to update routing by IP address to ensure only trusted devices are
passing data), applying updates or patches to routing servers and/or devices, or
the possible removal of the automated routing protocols from servers and/or
devices.
AttackBehavior > ResourceAttack > NetworkAttack > Access > RoutingAccess >
MalformedRIPAccess
MalformedRIPAccess alerts reflect malicious or abusive usage of network
resources where the intention, or the result, is gaining access to resources where
the related data is all RIP (Routing Information Protocol). Generally,
MalformedRIPAccess alerts will reflect attempted exploitation of weaknesses in
RIP by usage of malformed incoming or outgoing data, with the intent to
enumerate or gain access to or through routers, servers, clients, or other network
infrastructure devices. RIP is used to automate the routing process between
multiple devices that share or span networks.
These alerts are generally provided by network-based intrusion detection
systems and network infrastructure devices that utilize routing protocols such as
firewalls and routers. Appropriate response to RIP Access events may be better
access control of routing devices (e.g. restriction of what devices are allowed to
update routing by IP address to ensure only trusted devices are passing data),
applying updates or patches to routing servers and/or devices, or the possible
removal of the automated routing protocols from servers and/or devices.
AttackBehavior > ResourceAttack > NetworkAttack > Access >
TrojanTrafficAccess

TrojanTrafficAccess alerts reflect malicious or abusive usage of network
resources where the intention, or the result, is gaining access to resources
through malicious code commonly known as a Trojan Horse. This alert detects
the communication related to Trojans over the network (generally, 'trojaned'
clients calling home to the originator). Trojans are generally executables that
require no user intervention to spread and that contain malicious code placed on
the client system and used to exploit the client (and return access to the
originator of the attack) or exploit other clients (used in attacks such as
distributed denial of service attacks).
These alerts are generally provided by a virus scanner, a network-based intrusion
detection system, or in some cases, the operating system or network infrastructure
devices such as firewalls and routers. Appropriate response to these alerts may
entail a quarantine of the node from the network to prevent internal attacks and
further compromise of the client system, updates of virus scanner pattern files on
this and other network nodes to prevent future or further infection, virus scans on
this and other network nodes to detect further infection if any has taken place, and
research into the offending Trojan to find out methods of removal (if necessary).
AttackBehavior > ResourceAttack > NetworkAttack > Access >
TrojanTrafficAccess > TrojanCommandAccess
TrojanCommandAccess alerts reflect malicious or abusive usage of network
resources where the intention, or the result, is gaining access to resources
through malicious code commonly known as Trojan Horses. This alert detects the
communication related to Trojans sending commands over the network (infecting
other clients, participating in a denial of service activity, being controlled remotely
by the originator, etc.). Trojans are generally executables that require no user
intervention to spread and that contain malicious code placed on the client
system and used to exploit the client (and return access to the originator of the
attack) or exploit other clients (used in attacks such as distributed denial of
service attacks).
These alerts are generally provided by a virus scanner, a network-based intrusion
detection system, or in some cases, the operating system or network infrastructure
devices such as firewalls and routers. Appropriate response to these alerts may
entail a quarantine of the node from the network to prevent internal attacks and
further compromise of the client system, updates of virus scanner pattern files on
this and other network nodes to prevent future or further infection, virus scans on
this and other network nodes to detect further infection if any has taken place, and
research into the offending Trojan to find out methods of removal (if necessary).
Appendix B: Events
AttackBehavior > ResourceAttack > NetworkAttack > Access >
TrojanTrafficAccess > TrojanInfectionAccess
TrojanInfectionAccess alerts reflect malicious or abusive usage of network
resources where the intention, or the result, is gaining access to resources
through malicious code commonly known as a Trojan Horse. This alert detects
the infection traffic related to a Trojan entering the network (generally with intent
to infect a client). Trojans are generally executables that require no user
intervention to spread and that contain malicious code placed on the client
system and used to exploit the client (and return access to the originator of the
attack) or exploit other clients (used in attacks such as distributed denial of
service attacks).
These alerts are generally provided by a virus scanner, a network-based intrusion
detection system, or in some cases, the operating system or network infrastructure
devices such as firewalls and routers. Appropriate response to these alerts may
entail a quarantine of the node from the network to prevent internal attacks and
further compromise of the client system, updates of virus scanner pattern files on
this and other network nodes to prevent future or further infection, virus scans on
this and other network nodes to detect further infection if any has taken place, and
research into the offending Trojan to find out methods of removal (if necessary).
AttackBehavior > ResourceAttack > NetworkAttack > Access >
VirusTrafficAccess
VirusTrafficAccess alerts reflect malicious or abusive usage of network resources
where the intention, or the result, is gaining access to resources through
malicious code commonly known as viruses. This alert detects the
communication related to viruses over the network (generally, the spread of a
virus infection or an incoming virus infection). Viruses are generally executables
that require user intervention to spread, contain malicious code that is placed on
the client system, and are used to exploit the client and possibly spread
themselves to other clients.
These alerts are generally provided by a virus scanner, a network-based intrusion
detection system, or in some cases, the operating system or network infrastructure
devices such as firewalls and routers. Appropriate response to these alerts may
entail a quarantine of the node from the network to prevent internal attacks and
further compromise of the client system, updates of virus scanner pattern files on
this and other network nodes to prevent future or further infection, virus scans on
this and other network nodes to detect further infection if any has taken place, and
research into the offending virus to find out methods of removal (if necessary).
AttackBehavior > ResourceAttack > NetworkAttack > Denial
Children of the Denial tree define events centered on malicious or abusive usage
of network bandwidth/traffic where the intention, or the result, is inappropriate or
abusive access to network resources through a denial of service attack.
These alerts are generally provided by network-based intrusion detection
systems, but may also be provided by firewalls or other network infrastructure
devices.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > ApplicationDenial
ApplicationDenial events are a specific type of Denial event where the transport
of the malicious or abusive usage is application-layer protocols. The intent, or the
result, of this activity is inappropriate or abusive access to network resources
through a denial of service attack. ApplicationDenial events may be attempts to
exploit weaknesses in software to gain access to a host system, attempts to
exploit weaknesses in network infrastructure equipment to enumerate or
reconfigure devices, or other denial of service activities.
These alerts are generally provided by network-based intrusion detection
systems, but may also be provided by firewalls or other network infrastructure
devices.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > ApplicationDenial
> FileTransferDenial
FileTransferDenial events are a specific type of Denial event where the transport
of the malicious or abusive usage is application-layer file transfer-related
protocols (FTP, TFTP, etc.). The intent, or the result, of this activity is
inappropriate or abusive access to network resources through a denial of service
attack. FileTransferDenial events may be attempts to exploit weaknesses in file
transfer-related software to gain access to a host system, attempts to exploit
weaknesses in the software to enumerate or reconfigure, or other denial of
service activities.
These alerts are generally provided by network-based intrusion detection
systems, but may also be provided by firewalls or other network infrastructure
devices.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > ApplicationDenial
> MailDenial
MailDenial events are a specific type of Denial event where the transport of the
malicious or abusive usage is application-layer mail-related protocols (SMTP,
IMAP, POP3, etc.) or services (majordomo, spam filters, etc.). The intent, or the
result, of this activity is inappropriate or abusive access to network resources
through a denial of service attack. MailDenial events may be attempts to exploit
weaknesses in mail-related software to gain access to a host system, attempts to
exploit weaknesses in the software to enumerate or reconfigure, or other denial of
service activities.
These alerts are generally provided by network-based intrusion detection
systems, but may also be provided by firewalls or other network infrastructure
devices.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > ApplicationDenial
> MailDenial > MailServiceDenial
MailServiceDenial events are a specific type of Denial event where the transport
of the malicious or abusive usage is application-layer mail-related services
(majordomo, spam filters, etc.). The intent, or the result, of this activity is
inappropriate or abusive access to network resources through a denial of service
attack. MailServiceDenial events may be attempts to exploit weaknesses in
mail-related software to gain access to a host system, attempts to exploit
weaknesses in the software to enumerate or reconfigure, or other denial of
service activities.
These alerts are generally provided by network-based intrusion detection
systems, but may also be provided by firewalls or other network infrastructure
devices.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > ApplicationDenial
> MailDenial > MailServiceDenial > MailSpamDenial
MailSpamDenial events are a specific type of Denial event where the transport of
the malicious or abusive usage is application-layer mail-related services (usually
SMTP). The intent, or the result, of this activity is inappropriate or abusive access
to network resources through a denial of service attack through excessive mail
relaying. MailSpamDenial events reflect excessive attempts to relay mail through
an SMTP server from remote sites that should not typically be relaying mail
through the server, let alone excessive quantities of mail. The goal of these
attacks may not be to enumerate or exploit weaknesses in the mail server, but to
relay as much mail through an open relay mail server as quickly as possible,
resulting in a denial of service attack.
These alerts are generally provided by network-based intrusion detection
systems, but may also be provided by the mail server itself, firewalls, or other
network infrastructure devices. These alerts may indicate an open relay on the
network or an attempt to find an open relay; appropriate response may be to close
access to SMTP servers to only internal and necessary external IP addresses.
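As an added illustration of the MailSpamDenial pattern described above (this is example code, not LEM's own logic or log format), the following script scans constructed SMTP relay log lines and raises a MailSpamDenial finding for two situations the text names: an external client whose relay attempts are all rejected (someone looking for an open relay) and an external client whose relay was accepted (the server is an open relay). The log line layout, the internal network range, the local domain list and the attempt threshold are all assumptions.

```python
"""Flag open-relay use and relay probing in constructed SMTP log lines.

Added example: the log format, INTERNAL_NETS, LOCAL_DOMAINS and the
threshold are assumptions, not LEM settings or a real MTA's format.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed site policy: only these clients may relay, and mail addressed to
# these domains is local delivery rather than a relay.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
LOCAL_DOMAINS = {"example.com"}
RELAY_ATTEMPT_THRESHOLD = 3   # rejected relay attempts before we call it probing

# Assumed log layout: one line per message attempt.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>[\d.]+) from=<[^>]*> "
    r"to=<[^@>]+@(?P<domain>[^>]+)> status=(?P<status>\w+)$"
)

# Constructed sample log (addresses from documentation ranges).
SAMPLE_LOG = """\
2015-09-01T10:00:01 client=10.1.2.3 from=<alice@example.com> to=<bob@example.org> status=relayed
2015-09-01T10:00:05 client=198.51.100.9 from=<carol@example.net> to=<dave@example.com> status=delivered
2015-09-01T10:00:09 client=203.0.113.7 from=<x@mail.test> to=<v1@example.net> status=rejected
2015-09-01T10:00:10 client=203.0.113.7 from=<x@mail.test> to=<v2@example.org> status=rejected
2015-09-01T10:00:11 client=203.0.113.7 from=<x@mail.test> to=<v3@example.net> status=rejected
2015-09-01T10:00:30 client=203.0.113.8 from=<y@mail.test> to=<v4@example.org> status=relayed
"""


def is_internal(ip: str) -> bool:
    """True when the client address lies in a network allowed to relay."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyse(log_text: str):
    """Return sorted (event, client_ip, detail) tuples for relay abuse."""
    attempts = Counter()   # external client -> relay attempts (any outcome)
    accepted = Counter()   # external client -> relay attempts the MTA accepted
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # ignore lines in another format
        ip, domain, status = m["ip"], m["domain"], m["status"]
        # Internal senders and mail for our own domains are not relaying.
        if is_internal(ip) or domain in LOCAL_DOMAINS:
            continue
        attempts[ip] += 1
        if status == "relayed":
            accepted[ip] += 1

    events = []
    for ip, n in attempts.items():
        if accepted[ip]:
            # The server relayed for an untrusted client: it is an open relay.
            events.append(("MailSpamDenial", ip,
                           "open relay: %d external messages accepted" % accepted[ip]))
        elif n >= RELAY_ATTEMPT_THRESHOLD:
            # Repeated rejected relays from one client: someone probing for a relay.
            events.append(("MailSpamDenial", ip,
                           "relay probing: %d attempts rejected" % n))
    return sorted(events)


def run_sample():
    return analyse(SAMPLE_LOG)


if __name__ == "__main__":
    for ev in run_sample():
        print(ev)
```

The internal sender (10.1.2.3) and the inbound message for a local domain are skipped as legitimate traffic; 203.0.113.7 is reported for probing and 203.0.113.8 for an accepted relay, which is the open-relay condition the text says should be closed off by restricting SMTP access to internal and necessary external addresses.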
AttackBehavior > ResourceAttack > NetworkAttack > Denial > ApplicationDenial
> WebDenial
WebDenial events are a specific type of Denial event where the transport of the
malicious or abusive usage is application-layer web-related protocols (HTTP,
HTTPS, etc.) or services (CGI, ASP, etc.). The intent, or the result, of this activity
is inappropriate or abusive access to network resources through a denial of
service attack. WebDenial events may be attempts to exploit weaknesses in
web-related software to gain access to a host system, attempts to exploit
weaknesses in the software to enumerate or reconfigure, or other denial of
service activities.
These alerts are generally provided by network-based intrusion detection
systems, but may also be provided by firewalls or other network infrastructure
devices.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial
CoreDenial events are a specific type of Denial event where the transport of the
malicious or abusive usage is core protocols (TCP, IP, ICMP, UDP). The intent, or
the result, of this activity is inappropriate or abusive access to network resources
through a denial of service attack. CoreDenial events may be attempts to exploit
weaknesses in software to gain access to a host system, attempts to exploit
weaknesses in network infrastructure equipment to enumerate or reconfigure
devices, or other denial of service activities.
These alerts are generally provided by network-based intrusion detection
systems, but may also be provided by firewalls or other network infrastructure
devices.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial >
ChargenDenial
ChargenDenial alerts reflect a specific type of CoreDenial alert where the intent,
or the result, of this activity is inappropriate or abusive access to network
resources through a denial of service via UDP chargen or echo services. This
attack attempts to exploit network infrastructure devices and hosts by pointing two
chargen or echo hosts at each other and forcing so many responses that the
network and hosts are flooded. In response to a request to the echo or chargen
port, the second device will send a response, which will trigger another request,
which will trigger a response, etc. The source of the initial request is a spoofed IP
address, which appears as one of the hosts which will be a party in the attack
(sent to the second host). This will render both devices and possibly the network
they are on useless either temporarily or for a significant amount of time by the
sheer amount of traffic that is created.
ChargenDenial alerts are generally provided by network-based intrusion
detection systems and network infrastructure devices such as firewalls or routers.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial >
ICMPFloodDenial
ICMPFloodDenial alerts reflect a specific type of CoreDenial alert where the
intent, or the result, of this activity is inappropriate or abusive access to network
resources through a denial of service by an ICMP-based 'flood' attack (which
uses many very large ICMP packets). The network infrastructure devices handling
the traffic may pass on the traffic correctly, however, any vulnerable client or
device on the network may not be able to process the incoming traffic (it may use
up system resources to the point where the device is rendered useless and
cannot accept network connections). Normal ICMP Traffic should not trigger an
ICMPFloodDenial alert.
ICMPFloodDenial alerts are generally provided by network-based intrusion
detection systems and network infrastructure devices such as firewalls or routers.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial >
ICMPFragmentationDenial
ICMPFragmentationDenial alerts reflect a specific type of CoreDenial alert where
the intent, or the result, of this activity is inappropriate or abusive access to
network resources through a denial of service attack by using many ICMP
fragments (usually either much larger or smaller than normal fragments). The
network infrastructure devices handling the traffic will reassemble and pass on
the traffic correctly, however, any vulnerable client on the network may not be
able to reassemble the fragmented traffic (it may overflow the stack, triggering a
host or service crash). Normal ICMP fragmentation (data that has been taken
apart because it is too large based on network parameters) should not trigger an
ICMPFragmentationDenial alert.
Fragmentation alerts themselves are generally provided by network-based
intrusion detection systems and network infrastructure devices such as firewalls
or routers.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial >
ICMPSourceQuenchDenial
ICMPSourceQuenchDenial alerts reflect a specific type of CoreDenial alert where
the intent, or the result, of this activity is inappropriate or abusive access to
network resources through a denial of service by an ICMP-based attack (which
uses many ICMP packets set to type 4 - Source Quench). The network
infrastructure devices handling the traffic may pass on the traffic correctly,
however, any client that listens for and honours source quench traffic may be
slowed down, simply by responding correctly to the quench requests, to the point
where it is rendered useless. Normal ICMP traffic (including single, normal, source quench
packets) should not trigger an ICMPSourceQuenchDenial alert.
ICMPSourceQuenchDenial alerts are generally provided by network-based
intrusion detection systems and network infrastructure devices such as firewalls
or routers.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial >
IPFloodDenial
IPFloodDenial alerts reflect a specific type of CoreDenial alert where the intent, or
the result, of this activity is inappropriate or abusive access to network resources
through a denial of service by an IP-based 'flood' attack (which uses many very
large IP packets). The network infrastructure devices handling the traffic may pass
on the traffic correctly, however, any vulnerable client or device on the network
may not be able to process the incoming traffic (it may use up system resources to
the point where the device is rendered useless and cannot accept network
connections). Normal IP Traffic should not trigger an IPFloodDenial alert.
IPFloodDenial alerts are generally provided by network-based intrusion detection
systems and network infrastructure devices such as firewalls or routers.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial >
IPFragmentationDenial
IPFragmentationDenial alerts reflect a specific type of CoreDenial alert where the
intent, or the result, of this activity is inappropriate or abusive access to network
resources through a denial of service attack by using many IP fragments (usually
either much larger or smaller than normal fragments). The network infrastructure
devices handling the traffic will reassemble and pass on the traffic correctly,
however, any vulnerable client on the network may not be able to reassemble the
fragmented traffic (it may overflow the stack, triggering a host or service crash).
Normal IP fragmentation (data that has been taken apart because it is too large
based on network parameters) should not trigger an IPFragmentationDenial alert.
Fragmentation alerts themselves are generally provided by network-based
intrusion detection systems and network infrastructure devices such as firewalls
or routers.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial >
IPFragmentationDenial > PingOfDeathDenial
PingOfDeathDenial alerts reflect a specific type of CoreDenial alert where the
intent, or the result, of this activity is inappropriate or abusive access to network
resources through a denial of service by a 'ping of death' attack (which uses many
large ICMP Echo Request packets). The network infrastructure devices handling
the traffic will pass on the traffic correctly, however, any vulnerable client on the
network may not be able to process the incoming traffic (it may be processed in
such a way that triggers a host or service crash). Unpatched Windows NT and
95/98 clients are especially vulnerable to this type of attack. Normal ICMP Echo
Traffic should not trigger a PingOfDeathDenial alert.
PingOfDeathDenial alerts are generally provided by network-based intrusion
detection systems and network infrastructure devices such as firewalls or routers.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial >
LandAttackDenial
LandAttackDenial alerts reflect a specific type of CoreDenial alert where the
intent, or the result, of this activity is inappropriate or abusive access to network
resources through a denial of service by a 'land' attack (which uses TCP traffic
with the SYN bit set and the same source IP and port as the destination). The
network infrastructure devices handling the traffic will pass on the traffic correctly,
however, any vulnerable client on the network may not be able to process the
incoming traffic (it may be processed in such a way that triggers a host or service
crash). Unpatched Windows 3.11, NT, and 95 clients are especially vulnerable to
this type of attack. Normal TCP traffic (with or without the SYN bit) should not
trigger a LandAttackDenial alert.
LandAttackDenial alerts are generally provided by network-based intrusion
detection systems and network infrastructure devices such as firewalls or routers.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial >
SmurfDenial
SmurfDenial alerts reflect a specific type of CoreDenial alert where the intent, or
the result, of this activity is inappropriate or abusive access to network resources
through a denial of service by a 'Smurf' attack. A Smurf attack attempts to exploit a
vulnerability in some network infrastructure devices by sending ICMP Echo
Requests to devices that will re-broadcast the traffic to internal devices. In
response to the broadcast Echo Request, all of the devices will send an ICMP
Echo Reply, which will effectively overflow the device. The destination of the
ICMP Echo Reply is a spoofed 'victim' IP address which will also be overflowed
by the actual replies sent to their host. This will render both devices useless either
temporarily or for a significant amount of time.
SmurfDenial alerts are generally provided by network-based intrusion detection
systems and network infrastructure devices such as firewalls or routers.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial >
SnorkDenial
SnorkDenial alerts reflect a specific type of CoreDenial alert where the intent, or
the result, of this activity is inappropriate or abusive access to network resources
through a denial of service by a 'Snork' attack. A Snork attack attempts to exploit a
vulnerability in Windows NT devices by using the Windows RPC service and
sending packets to devices that will broadcast the traffic to other internal Windows
NT devices using RPC. In response to the broadcast, all of the Windows NT
devices will send another packet, and this process will continue until it effectively
overflows the device and possibly the network. The destination or source of the
initial packet is a spoofed 'victim' IP address which will create the illusion of
internal activity. This will render both devices useless either temporarily or for a
significant amount of time.
SnorkDenial alerts are generally provided by network-based intrusion detection
systems and network infrastructure devices such as firewalls or routers.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial >
SynFloodDenial
SYNFloodDenial alerts reflect a specific type of CoreDenial alert where the intent,
or the result, of this activity is inappropriate or abusive access to network
resources through a denial of service by a TCP-based 'flood' attack (which uses
many very large TCP packets with the SYN bit set). The network infrastructure
devices handling the traffic may pass on the traffic correctly, however, any
vulnerable client or device on the network may not be able to process the
incoming traffic (it may use up system resources to the point where the device is
rendered useless and cannot accept network connections). Normal TCP Traffic
(with or without the SYN flag) should not trigger a SYNFloodDenial alert.
SYNFloodDenial alerts are generally provided by network-based intrusion
detection systems and network infrastructure devices such as firewalls or routers.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial >
TeardropDenial
TeardropDenial alerts reflect a specific type of CoreDenial alert where the intent,
or the result, of this activity is inappropriate or abusive access to network
resources through a denial of service by a teardrop attack (which uses many
overlapping IP fragments, usually either much larger or smaller than normal
fragments). The network infrastructure devices handling the traffic will reassemble
and pass on the traffic correctly, however, any vulnerable client on the network
may not be able to reassemble the fragmented traffic (it may be reassembled in
such a way that triggers a host or service crash). Unpatched Windows NT and
95/98 clients are especially vulnerable to this type of attack. Normal IP
fragmentation (data that has been taken apart because it is too large based on
network parameters) should not trigger a TeardropDenial alert.
TeardropDenial alerts are generally provided by network-based intrusion
detection systems and network infrastructure devices such as firewalls or routers.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial >
UDPBombDenial
UDPBombDenial alerts reflect a specific type of CoreDenial alert where the
intent, or the result, of this activity is inappropriate or abusive access to network
resources through a denial of service by a UDP-based 'bomb' attack (which uses
many large UDP packets). The network infrastructure devices handling the traffic
may pass on the traffic correctly, however, any vulnerable client or device on the
network may not be able to process the incoming traffic (it may be processed in
such a way that triggers a host or service crash). Normal UDP Traffic should not
trigger a UDPBombDenial alert.
UDPBombDenial alerts are generally provided by network-based intrusion
detection systems and network infrastructure devices such as firewalls or routers.
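The CoreDenial children above each describe a traffic signature that a sensor can recognise. As an added example (not LEM's own code or data model), the script below turns several of those descriptions into detection logic over constructed packet records: a single packet is enough for LandAttackDenial (TCP SYN with source equal to destination), ChargenDenial (UDP between the echo and chargen ports) and SmurfDenial (Echo Request sent to a directed broadcast address), while SynFloodDenial and ICMPFloodDenial need a count of packets over a sliding window. The Packet record, the local network list, the window length and the two thresholds are assumptions chosen for the sample traffic.

```python
"""Classify constructed packet records into LEM CoreDenial event names.

Added example: the Packet record, LOCAL_NETS, the window and the
thresholds are assumptions, not LEM's own sensor model or settings.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    ts: float            # seconds
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""      # TCP flags as letters: "S" = SYN, "A" = ACK
    icmp_type: int = -1  # 8 = Echo Request
    length: int = 0      # total IP length in bytes


# Assumed tuning; a real sensor would expose these as settings.
LOCAL_NETS = [ip_network("10.0.0.0/24")]
CHARGEN_ECHO_PORTS = {7, 19}
WINDOW = 1.0                 # sliding window in seconds
SYN_FLOOD_THRESHOLD = 100    # SYNs from one source within the window
ICMP_FLOOD_THRESHOLD = 50    # large ICMP packets to one destination within the window
ICMP_LARGE = 1000            # bytes; smaller ICMP packets count as normal traffic


def is_directed_broadcast(addr: str, local_nets) -> bool:
    a = ip_address(addr)
    return any(a == n.broadcast_address for n in local_nets)


def classify_packet(pkt: Packet, local_nets):
    """Signatures a single packet is enough to match; None if none match."""
    if (pkt.proto == "tcp" and "S" in pkt.flags
            and pkt.src == pkt.dst and pkt.sport == pkt.dport):
        return "LandAttackDenial"   # SYN whose source equals its destination
    if (pkt.proto == "udp" and pkt.sport in CHARGEN_ECHO_PORTS
            and pkt.dport in CHARGEN_ECHO_PORTS):
        return "ChargenDenial"      # echo/chargen pointed at each other
    if (pkt.proto == "icmp" and pkt.icmp_type == 8
            and is_directed_broadcast(pkt.dst, local_nets)):
        return "SmurfDenial"        # Echo Request to a directed broadcast address
    return None


def _bump(times, ts, window, threshold):
    """Sliding-window counter; True exactly when the threshold is crossed."""
    times[:] = [t for t in times if t > ts - window]
    times.append(ts)
    if len(times) >= threshold:
        times.clear()   # reset so one flood raises one event
        return True
    return False


def classify_stream(packets, local_nets, window=WINDOW):
    """Return (event, src, dst) tuples; floods need a count over a window."""
    events = []
    syn_times = defaultdict(list)    # src -> recent SYN timestamps
    icmp_times = defaultdict(list)   # dst -> recent large-ICMP timestamps
    for pkt in packets:
        name = classify_packet(pkt, local_nets)
        if name:
            events.append((name, pkt.src, pkt.dst))
            continue
        if pkt.proto == "tcp" and "S" in pkt.flags and "A" not in pkt.flags:
            if _bump(syn_times[pkt.src], pkt.ts, window, SYN_FLOOD_THRESHOLD):
                events.append(("SynFloodDenial", pkt.src, pkt.dst))
        elif pkt.proto == "icmp" and pkt.length >= ICMP_LARGE:
            if _bump(icmp_times[pkt.dst], pkt.ts, window, ICMP_FLOOD_THRESHOLD):
                events.append(("ICMPFloodDenial", pkt.src, pkt.dst))
    return events


def sample_packets():
    """Constructed traffic: three attack packets, one benign SYN, two floods."""
    pkts = [
        Packet(1.0, "tcp", "10.0.0.5", "10.0.0.5", 139, 139, "S"),
        Packet(1.1, "udp", "10.0.0.7", "10.0.0.8", 19, 7),
        Packet(1.2, "icmp", "203.0.113.2", "10.0.0.255", icmp_type=8, length=84),
        Packet(1.3, "tcp", "10.0.0.9", "10.0.0.10", 50000, 80, "S"),   # benign SYN
    ]
    pkts += [Packet(10.0 + i * 0.005, "tcp", "203.0.113.4", "10.0.0.10",
                    40000 + i, 443, "S") for i in range(100)]
    pkts += [Packet(20.0 + i * 0.01, "icmp", "203.0.113.9", "10.0.0.10",
                    icmp_type=8, length=1400) for i in range(50)]
    return pkts


def run_sample():
    return classify_stream(sample_packets(), LOCAL_NETS)


if __name__ == "__main__":
    for ev in run_sample():
        print(ev)
```

The single benign SYN produces nothing, matching the text's note that normal TCP traffic, with or without the SYN flag, should not trigger a flood or land alert; the flood counters reset after raising so that one sustained flood yields one event rather than one per packet. In a real sensor the thresholds would be tuned to the link, and the Smurf check would use the actual directed-broadcast addresses of the monitored networks.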
AttackBehavior > ResourceAttack > NetworkAttack > Denial >
ConfigurationDenial
ConfigurationDenial events are a specific type of Denial event where the
transport of the malicious or abusive usage is protocols related to configuration of
resources (DHCP, BootP, SNMP, etc.). The intent, or the result, of this activity is
inappropriate or abusive access to network resources through a denial of service
attack. ConfigurationDenial events may be attempts to exploit weaknesses in
configuration-related software to gain access to a host system, attempts to exploit
weaknesses in network infrastructure equipment to enumerate or reconfigure
devices, or other denial of service activities.
These alerts are generally provided by network-based intrusion detection
systems, but may also be provided by firewalls or other network infrastructure
devices.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > FileSystemDenial
FileSystemDenial events are a specific type of Denial event where the transport
of the malicious or abusive usage is remote filesystem-related protocols (NFS,
SMB, etc.). The intent, or the result, of this activity is inappropriate or abusive
access to network resources through a denial of service attack. FileSystemDenial
events may be attempts to exploit weaknesses in remote filesystem services or
software to gain access to a host system, attempts to exploit weaknesses in
network infrastructure equipment to enumerate or reconfigure devices, or other
denial of service activities.
These alerts are generally provided by network-based intrusion detection
systems, but may also be provided by firewalls or other network infrastructure
devices.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > LinkControlDenial
LinkControlDenial events are a specific type of Denial event where the transport
of the malicious or abusive usage is link level protocols (such as ARP). The
intent, or the result, of this activity is inappropriate or abusive access to network
resources through a denial of service attack. LinkControlDenial events may be
attempts to exploit weaknesses in link-level control software to gain access to a
host system, attempts to exploit weaknesses in network infrastructure equipment
to enumerate or reconfigure devices, or other denial of service activities.
These alerts are generally provided by network-based intrusion detection
systems, but may also be provided by firewalls or other network infrastructure
devices.
AttackBehavior > ResourceAttack > NetworkAttack > Denial >
RemoteProcedureDenial
RemoteProcedureDenial events are a specific type of Denial event where the
transport of the malicious or abusive usage is remote procedure-related protocols
(traditional RPC, RMI, CORBA, etc.) or services (portmapper, etc.). The intent, or
the result, of this activity is inappropriate or abusive access to network resources
through a denial of service attack. RemoteProcedureDenial events may be
attempts to exploit weaknesses in remote procedure services or software to gain
access to a host system, attempts to exploit weaknesses in the software to
enumerate or reconfigure, or other denial of service activities.
These alerts are generally provided by network-based intrusion detection
systems, but may also be provided by firewalls or other network infrastructure
devices.
AttackBehavior > ResourceAttack > NetworkAttack > Denial >
RemoteProcedureDenial > RPCPortmapperDenial
RPCPortmapperDenial events are a specific type of Denial event where the
transport of the malicious or abusive usage is remote procedure-related protocols,
specifically related to the RPC portmapper service. The intent, or the result, of this
activity is inappropriate or abusive access to network resources through a denial
of service attack. RPCPortmapperDenial events may be attempts to exploit
weaknesses in the remote procedure service or software to gain access to a host
system, attempts to exploit weaknesses in the software to enumerate or
reconfigure, or other denial of service activities.
These alerts are generally provided by network-based intrusion detection
systems, but may also be provided by firewalls or other network infrastructure
devices.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > RoutingDenial
RoutingDenial events are a specific type of Denial event where the transport of
the malicious or abusive usage is routing-related protocols (RIP, IGMP, etc.). The
intent, or the result, of this activity is inappropriate or abusive access to network
resources through a denial of service attack. RoutingDenial events may be
attempts to exploit weaknesses in routers or routing software to gain access to a
host system, attempts to exploit weaknesses in the routing software or service to
enumerate or reconfigure, or other denial of service activities.
These alerts are generally provided by network-based intrusion detection
systems, but may also be provided by firewalls or other network infrastructure
devices.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > TrojanTrafficDenial
TrojanTrafficDenial events are a specific type of Denial event where the transport
of the malicious or abusive usage originates with malicious code on a client
system known as a Trojan. The intent, or the result, of this activity is inappropriate
or abusive access to network resources through a denial of service attack.
TrojanTrafficDenial events may be attempts to exploit weaknesses in software to
gain access to a host system, attempts to exploit weaknesses in network
infrastructure equipment to enumerate or reconfigure devices, attempts to spread
the Trojan to other hosts, or other denial of service activities.
These alerts are generally provided by network-based intrusion detection
systems, but may also be provided by firewalls or other network infrastructure
devices.
AttackBehavior > ResourceAttack > NetworkAttack > Relay
Children of the Relay tree define events centered on malicious or abusive usage
of network bandwidth/traffic where the intention, or the result, is relaying
inappropriate or abusive access to other network resources (either internal or
external). Generally, these attacks will have the perimeter or an internal host as
their point of origin. When sourced from remote hosts, they may indicate a
successful exploit of an internal or perimeter host.
These alerts are generally provided by network-based intrusion detection
systems, but may also be provided by firewalls or other network infrastructure
devices.
AttackBehavior > ResourceAttack > NetworkAttack > Relay > DDOSToolRelay
DDOSToolRelay events reflect potential network traffic related to known
Distributed Denial of Service connectors. These connectors are used to relay
attacks to new remote (and possibly local) hosts to exploit or inundate the remote
host with data in an attempt to cripple it. Generally, these attacks will have a
perimeter or an internal host as their point of origin. When sourced from remote
hosts, they may indicate a successful exploit of an internal or perimeter host.
These alerts are generally provided by network-based intrusion detection
systems, but may also be provided by firewalls or other network infrastructure
devices.
Appropriate response to these events may be to restrict the source from
accessing any external network, running a virus scanner or other detection utility
to detect and remove the presence of any relay connector (in some cases known
as a 'zombie'), and if necessary, to quarantine the source node from the network
to further isolate the issue. If these events are sourced from a completely external
network, blocking the remote host, better access control of clients, servers, and
services (e.g. restriction by IP address and/or user name to ensure only trusted
clients are connecting), application of updates or patches to servers and/or
clients, or the possible removal of the service related to this event may also be
appropriate actions.
AttackBehavior > ResourceAttack > NetworkAttack > Relay > FileTransferRelay
FileTransferRelay events reflect potential network traffic related to known attack
connectors that operate over file transfer protocols. These connectors are used to
relay attacks to new remote (and possibly local) hosts to exploit or abuse
services. Generally, these attacks will have a perimeter or an internal host as their
point of origin. When sourced from remote hosts, they may indicate a successful
exploit of an internal or perimeter host.
These alerts are generally provided by network-based intrusion detection
systems, but may also be provided by the file transfer software itself, and firewalls
or other network infrastructure devices.
Appropriate response to these events may be to restrict the source from
accessing any external network, running a virus scanner or other detection utility
to detect and remove the presence of any relay connector, and if necessary, to
quarantine the source node from the network to further isolate the issue. If these
events are sourced from a completely external network, blocking the remote host,
better access control of file transfer servers (e.g. restriction by IP address and/or
user name to ensure only trusted clients are connecting), application of updates
or patches to file transfer servers and/or clients, or the possible removal of the file
transfer service or client application related to this event may also be appropriate
actions.
AttackBehavior > ResourceAttack > NetworkAttack > Relay > FileTransferRelay >
FTPBounce
FTPBounce events are a specific type of FileTransferRelay related to known
attack connectors using file transfer protocols that are used to launder
connections to other services, redirect attacks to other hosts or services, or to
redirect connections to other hosts or services. Generally, these attacks will have
a perimeter or an internal host as their point of origin. When sourced from remote
hosts, they may indicate a successful exploit of an internal or perimeter host.
These alerts are generally provided by network-based intrusion detection
systems, but may also be provided by the file transfer software or service itself,
and firewalls or other network infrastructure devices.
Appropriate response to these events may be to restrict the source from
accessing any external network, running a virus scanner or other detection utility
to detect and remove the presence of any relay connector, and if necessary, to
quarantine the source node from the network to further isolate the issue. If these
events are sourced from a completely external network, blocking the remote host,
better access control of file transfer servers (e.g. restriction by IP address and/or
user name to ensure only trusted clients are connecting), application of updates
or patches to file transfer servers and/or clients, or the possible removal of the file
transfer service or client application related to this event may also be appropriate
actions.
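The bounce pattern described above, as an added example that is not part of the LEM documentation or product: a Python check that reads active-mode PORT/EPRT commands from an FTP control-channel log and flags any whose data endpoint is a host other than the connecting client. The log format, the sample addresses and the function names are assumptions constructed for this illustration.

```python
"""Flag FTP bounce attempts from an FTP control-channel log.

Added illustration for the FTPBounce event class; not LEM code. The log
format is constructed and hypothetical: one line per control command,
"<client_ip> <command> <argument>".
"""
import ipaddress
import re

# Constructed sample: a normal active-mode transfer followed by a client that
# points the server's data connection at two third-party hosts.
SAMPLE_LOG = """\
198.51.100.7 USER anonymous
198.51.100.7 PASS guest@example.com
198.51.100.7 PORT 198,51,100,7,4,1
198.51.100.7 RETR readme.txt
203.0.113.9 USER anonymous
203.0.113.9 PORT 10,0,0,5,0,25
203.0.113.9 LIST
203.0.113.9 EPRT |1|10.0.0.6|22|
203.0.113.9 LIST
"""

# PORT h1,h2,h3,h4,p1,p2  (RFC 959) and EPRT |proto|addr|port| (RFC 2428)
PORT_RE = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")
EPRT_RE = re.compile(r"^\|([12])\|([^|]+)\|(\d{1,5})\|$")


def parse_data_endpoint(command, argument):
    """Return (ip, port) requested by a PORT/EPRT command, or None if not one."""
    if command == "PORT":
        m = PORT_RE.match(argument)
        if not m:
            return None
        octets = [int(x) for x in m.groups()]
        if any(o > 255 for o in octets):
            return None
        return ".".join(str(o) for o in octets[:4]), octets[4] * 256 + octets[5]
    if command == "EPRT":
        m = EPRT_RE.match(argument)
        if not m:
            return None
        return m.group(2), int(m.group(3))
    return None


def find_bounces(log_text):
    """Return one finding per PORT/EPRT whose target is not the client itself."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue
        client, command, argument = parts
        endpoint = parse_data_endpoint(command.upper(), argument)
        if endpoint is None:
            continue
        target_ip, target_port = endpoint
        try:
            target = ipaddress.ip_address(target_ip)
            source = ipaddress.ip_address(client)
        except ValueError:
            continue  # unparsable address; leave it to a malformed-input rule
        if target != source:
            findings.append({
                "client": client,
                "target": str(target),
                "port": target_port,
                "command": command.upper(),
                # A data port below 1024 means the server is being aimed at a
                # privileged service on the third host, the classic bounce.
                "privileged_target_port": target_port < 1024,
            })
    return findings
```

Most modern FTP daemons refuse PORT/EPRT addresses that differ from the control connection's peer; a hit from this check on a server that still accepts them is the configuration to fix first, before blocking the source.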
AttackBehavior > ResourceAttack > ServiceProcessAttack
Members of the ServiceProcessAttack tree are used to define events centered on
malicious or abusive usage of services or user processes. These events include
abuse or misuse of resources from malicious code placed on the client system.
AttackBehavior > ResourceAttack > ServiceProcessAttack > VirusAttack
VirusAttack alerts reflect malicious code placed on a client or server system,
which may lead to system or other resource compromise and may lead to further
attack. The severity of this alert will depend on the ActionTaken field, which
reflects whether the virus or other malicious code was successfully removed.
These alerts are usually provided by a virus scanner running on the client system.
Appropriate response to these alerts may entail a quarantine of the node from the
network to prevent further outbreak, updates of virus scanner pattern files on other
network nodes to prevent further outbreak, virus scans on other network nodes to
detect further outbreak if any has taken place, and research into the offending
virus to find out methods of removal.
AttackBehavior > ResourceAttack > ServiceProcessAttack >
VirusSummaryAttack
VirusSummaryAttack alerts reflect malicious code placed on a client or server
system, which may lead to system or other resource compromise and may lead to
further attack. The severity of this alert will depend on the ActionTaken field which
reflects whether the virus or other malicious code was successfully removed.
These alerts differ from VirusAttack in that they may be a composite of virus
events normally due to a scheduled scan on the client system as opposed to a
real-time scan.
These alerts are usually provided by a virus scanner running on the client system.
Appropriate response to these alerts may entail a quarantine of the node from the
network to prevent further outbreak, updates of virus scanner pattern files on other
network nodes to prevent further outbreak, virus scans on other network nodes to
detect further outbreak if any has taken place, and research into the offending
virus to find out methods of removal.
GeneralSecurity
GeneralSecurity alerts are generated when a supported product outputs data that
has not yet been normalized into a specific alert, but is known to be security
issue-related.
SuspiciousBehavior
Events that are children of SuspiciousBehavior are generally related to network
activity that may be consistent with enumeration of resources, unexpected traffic,
abnormal authentication events, or other abnormal behavior that should be
considered indicative of a serious security event.
SuspiciousBehavior > AuthSuspicious
Members of the AuthSuspicious tree are used to define events regarding
suspicious authentication and authorization events. These events include
excessive failed authentication or authorization attempts, suspicious access to
unauthenticated users, and suspicious access to unauthorized services or
information.
SuspiciousBehavior > AuthSuspicious > FailedAuthentication
FailedAuthentication events occur when a user has made several authentication
attempts that have all failed, or when a single logon failure is serious enough to
merit a security event on its own.
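Both conditions above (a run of failures and a single failure that matters by itself), as an added example that is not LEM code or a LEM rule: a Python detector with a sliding per-source window and a list of accounts for which one failure is enough. The log line shape, the account list, the sample addresses and the thresholds are assumptions constructed for this illustration.

```python
"""Threshold and sensitive-account detection for failed logons.

Added illustration for the FailedAuthentication event class; not LEM code.
Lines use a constructed, hypothetical syslog-like shape:
"<epoch_seconds> auth_fail user=<name> src=<ip>".
"""
from collections import defaultdict, deque
import re

LINE_RE = re.compile(r"^(\d+) auth_fail user=(\S+) src=(\S+)$")

# Constructed sample: one source spraying several accounts within a minute,
# one stray failure, and one failure against a privileged account.
SAMPLE_LOG = """\
1000 auth_fail user=alice src=203.0.113.5
1010 auth_fail user=bob src=203.0.113.5
1020 auth_fail user=carol src=203.0.113.5
1025 auth_fail user=dave src=203.0.113.5
1030 auth_fail user=erin src=203.0.113.5
1500 auth_fail user=alice src=198.51.100.9
1600 auth_fail user=root src=198.51.100.9
"""

# Hypothetical set of accounts for which a single failure is itself an event.
SENSITIVE_ACCOUNTS = {"root", "administrator"}


def detect_failed_auth(log_text, threshold=5, window_seconds=60,
                       sensitive=SENSITIVE_ACCOUNTS):
    """Return alerts as (kind, src, detail) tuples.

    kind == "burst": at least `threshold` failures from one source within
    `window_seconds`, whatever accounts were tried (so password spraying
    across many users is caught as well as brute force on one).
    kind == "sensitive": a single failure against an account in `sensitive`.
    """
    recent = defaultdict(deque)   # src -> timestamps of failures still in window
    in_burst = set()              # sources already alerted for the current burst
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, src = int(m.group(1)), m.group(2), m.group(3)
        if user.lower() in sensitive:
            alerts.append(("sensitive", src, user))
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window_seconds:
            q.popleft()               # drop failures that fell out of the window
        if len(q) >= threshold and src not in in_burst:
            in_burst.add(src)         # one alert per burst, not one per line
            alerts.append(("burst", src, f"{len(q)} failures in {window_seconds}s"))
        elif len(q) < threshold:
            in_burst.discard(src)     # window drained; a new burst may alert again
    return alerts
```

Keying the window on the source rather than on (source, user) is deliberate: a spray of one password across many accounts never trips a per-user threshold, but it does trip this one.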
SuspiciousBehavior > AuthSuspicious > GuestLogin
GuestLogin events describe authentication attempts, successful or not, to an
account that generally has no password assigned (such as anonymous, guest, or
default) and no special privileges. Even at this level of privilege, a user may be
granted enough access to the client system to begin exploitation.
These events are usually produced by a client or server operating system, but
may also be produced by a network-based IDS or network infrastructure device
when it is possible or appropriate.
SuspiciousBehavior > AuthSuspicious > RestrictedInformationAttempt
RestrictedInformationAttempt events describe a user attempt to access local or
remote information that their level of authorization does not allow. These events
may indicate user attempts to exploit services which they are denied access to or
inappropriate access attempts to information.
SuspiciousBehavior > AuthSuspicious > RestrictedServiceAttempt
RestrictedServiceAttempt events describe a user attempt to access a local or
remote service that their level of authorization does not allow. These events may
indicate user attempts to exploit services which they are denied access to or
inappropriate access attempts to services.
SuspiciousBehavior > InferredSuspicious
InferredSuspicious alerts are reserved SuspiciousBehavior alerts used for
describing suspicious behavior that is a composite of different types of alerts.
These events will be defined and inferred by Contego Policy.
SuspiciousBehavior > ResourceSuspicious
Members of the ResourceSuspicious tree are used to define different types of
suspicious access to network resources, where these resources may be network
bandwidth/traffic, files, client processes or services, or other types of shared
security-related 'commodities'.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious
Members of the NetworkSuspicious tree are used to define events regarding
suspicious usage of network bandwidth/traffic. These events include unusual
traffic and reconnaissance behavior detected on network resources.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon
Children of the Recon tree reflect suspicious network behavior with intent of
gathering information about target clients, networks, or hosts. Reconnaissance
may be legitimate behavior on a network, but only as a controlled activity in
small quantities. Illegitimate reconnaissance may reflect attempts to find
security flaws on remote hosts, missing access control policies that allow
external hosts to penetrate networks, or other suspicious behavior that results
in general information gathering without an active attack.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Enumerate
Enumerate alerts reflect attempts to gather information about target networks, or
specific target hosts, by sending active data which will elicit responses that reveal
information about clients, servers, or other network infrastructure devices. The
originating source of the enumeration is generally attempting to acquire
information that may reveal more than normal traffic to the target would.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Enumerate > ApplicationEnumerate
ApplicationEnumerate alerts reflect attempts to gather information about target
hosts, or services on target hosts, by sending active application-layer data which
will elicit responses that reveal information about the application or host. This
enumeration may be a simple command sent to the application to attempt to
fingerprint what is allowed or denied by the service, requests to the application
which may enable an attacker to surmise the version and specific application
running, and other information gathering tactics. These enumerations may result
in information being provided that can allow an attacker to craft a specific attack
against the host or application that may work correctly the first time - enabling
them to modify their methodology to go on relatively undetected.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Enumerate > ApplicationEnumerate > FileTransferEnumerate
FileTransferEnumerate alerts reflect attempts to gather information about target
hosts, or services on target hosts, by sending active application-layer data to file
transfer services which will elicit responses that reveal information about the
application or host. This enumeration may be a simple command sent to the file
transfer service to attempt to fingerprint what is allowed or denied by the service,
requests to the file transfer service that may enable an attacker to surmise the
version and specific service running, and other information gathering tactics.
These enumerations may result in information being provided that can allow an
attacker to craft a specific attack against the file transfer service or application that
may work correctly the first time - enabling them to modify their methodology to go
on relatively undetected.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Enumerate > ApplicationEnumerate > FileTransferEnumerate >
FTPCommandEnumerate
FTPCommandEnumerate alerts reflect attempts to gather information about target
hosts, or services on target hosts, by sending active application-layer data to file
transfer services which will elicit responses that reveal information about the
application. This enumeration specifically entails commands sent to the FTP
service to attempt to fingerprint what is allowed or denied by the service, requests
to the FTP service that may enable an attacker to surmise the version and specific
service running, and other information gathering tactics that use FTP commands
to query. These enumerations may result in information being provided that can
allow an attacker to craft a specific attack against the FTP service that may work
correctly the first time - enabling them to modify their methodology to go on
relatively undetected.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Enumerate > ApplicationEnumerate > MailEnumerate
MailEnumerate alerts reflect attempts to gather information about target hosts, or
services on target hosts, by sending active application-layer data to mail-related
services which will elicit responses that reveal information about the application
or host. This enumeration may be a simple command sent to the mail service to
attempt to fingerprint what is allowed or denied by the service, requests to the
mail service that may enable an attacker to surmise the version and specific
service running, and other information gathering tactics. These enumerations may
result in information being provided that can allow an attacker to craft a specific
attack against the mail service or application that may work correctly the first time
- enabling them to modify their methodology to go on relatively undetected.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Enumerate > ApplicationEnumerate > MailEnumerate >
SMTPCommandEnumerate
SMTPCommandEnumerate alerts reflect attempts to gather information about
target hosts, or services on target hosts, by sending active application-layer data
to mail-related services which will elicit responses that reveal information about
the application. This enumeration specifically entails commands sent to the
SMTP service to attempt to fingerprint what is allowed or denied by the service,
requests to the mail service that may enable an attacker to surmise the version
and specific service running, and other information gathering tactics that use
SMTP commands to query. These enumerations may result in information being
provided that can allow an attacker to craft a specific attack against the mail
service that may work correctly the first time - enabling them to modify their
methodology to go on relatively undetected.
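The command probing described under FTPCommandEnumerate and SMTPCommandEnumerate, as one added example that is not LEM code or a LEM rule: a Python scorer that rebuilds FTP and SMTP sessions from a transcript, counts fingerprinting commands (SMTP VRFY/EXPN/HELP, FTP SYST/FEAT/HELP/SITE) and the server's 5xx rejections, and marks a session suspicious when either count is high. The transcript format, the probe-command lists, the sample hosts and the thresholds are assumptions constructed for this illustration.

```python
"""Score FTP and SMTP sessions for command enumeration.

Added illustration for the FTPCommandEnumerate and SMTPCommandEnumerate
event classes; not LEM code. Sessions are reconstructed from a constructed,
hypothetical transcript format: "<session> <proto> <C|S> <text>".
"""
from collections import defaultdict
import re

# Commands whose main value to an outsider is fingerprinting the service
# (assumed lists; tune them to the services you actually run).
PROBE_COMMANDS = {
    "FTP": {"SYST", "STAT", "FEAT", "HELP", "SITE"},
    "SMTP": {"VRFY", "EXPN", "HELP", "ETRN"},
}

REPLY_RE = re.compile(r"^(\d{3})[ -]")   # "250 OK" or "250-continued"

# Constructed sample: a normal SMTP delivery (s1), SMTP user enumeration (s2)
# and an FTP session feeling out what the server supports (s3).
SAMPLE_TRANSCRIPT = """\
s1 SMTP C EHLO mail.example.net
s1 SMTP S 250-mx.example.com
s1 SMTP C MAIL FROM:<a@example.net>
s1 SMTP S 250 OK
s1 SMTP C RCPT TO:<b@example.com>
s1 SMTP S 250 OK
s2 SMTP C HELO x
s2 SMTP S 250 mx.example.com
s2 SMTP C VRFY root
s2 SMTP S 252 Cannot VRFY user
s2 SMTP C VRFY admin
s2 SMTP S 550 No such user
s2 SMTP C EXPN staff
s2 SMTP S 502 Command not implemented
s2 SMTP C HELP
s2 SMTP S 214 Commands supported: HELO EHLO MAIL RCPT DATA
s3 FTP C USER anonymous
s3 FTP S 331 Password required
s3 FTP C PASS x
s3 FTP S 230 Logged in
s3 FTP C SYST
s3 FTP S 215 UNIX Type: L8
s3 FTP C FEAT
s3 FTP S 211-Features
s3 FTP C SITE HELP
s3 FTP S 500 Unknown SITE command
s3 FTP C XPWD
s3 FTP S 500 Unknown command
s3 FTP C HELP
s3 FTP S 214-The following commands are recognized
"""


def score_sessions(transcript, probe_threshold=2, reject_ratio=0.4):
    """Return {session: summary}; summary["suspicious"] is the verdict."""
    sessions = defaultdict(lambda: {"proto": None, "commands": [], "replies": []})
    for line in transcript.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 4:
            continue
        sid, proto, direction, text = parts
        s = sessions[sid]
        s["proto"] = proto.upper()
        if direction == "C":
            s["commands"].append(text.split()[0].upper())   # verb only
        elif direction == "S":
            m = REPLY_RE.match(text)
            if m:
                s["replies"].append(int(m.group(1)))
    findings = {}
    for sid, s in sessions.items():
        probes = [c for c in s["commands"] if c in PROBE_COMMANDS.get(s["proto"], set())]
        rejected = [r for r in s["replies"] if 500 <= r < 600]
        ratio = len(rejected) / len(s["replies"]) if s["replies"] else 0.0
        findings[sid] = {
            "proto": s["proto"],
            "distinct_commands": len(set(s["commands"])),
            "probe_commands": probes,
            "reject_ratio": round(ratio, 2),
            # Either signal alone is enough: repeated probe verbs, or a server
            # that keeps answering "unknown command" to what the client sends.
            "suspicious": len(probes) >= probe_threshold or ratio >= reject_ratio,
        }
    return findings
```

The rejection ratio is what separates a confused client from an enumerator: a legitimate mail client never sends VRFY twice, and a legitimate FTP client does not keep issuing verbs the server answers with 500.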
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Enumerate > ApplicationEnumerate > WebEnumerate
WebEnumerate alerts reflect attempts to gather information about target hosts, or
services on target hosts, by sending active application-layer data to web-related
services which will elicit responses that reveal information about the application
or host. This enumeration may be a simple command sent to the web service to
attempt to fingerprint what is allowed or denied by the service, requests to the
web service that may enable an attacker to surmise the version and specific
service running, and other information gathering tactics. These enumerations may
result in information being provided that can allow an attacker to craft a specific
attack against the web service or application that may work correctly the first time
- enabling them to modify their methodology to go on relatively undetected.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Enumerate > BannerGrabbingEnumerate
BannerGrabbingEnumerate alerts reflect attempts to gather information about
target hosts, or services on target hosts, by sending a request which will elicit a
response containing the host or service's 'banner'. This 'banner' contains
information that may provide a potential attacker with such details as the exact
application and version running behind a port. These details could be used to
craft specific attacks against hosts or services that an attacker may know will work
correctly the first time - enabling them to modify their methodology to go on
undetected.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Enumerate > MSNetworkingEnumerate
MSNetworkingEnumerate alerts reflect attempts to gather information about target
hosts, or services on target hosts, by sending active data to Microsoft networking
services (using protocols such as NetBIOS and SMB/CIFS) that will elicit
responses that reveal information about the application, host, or target network.
This enumeration may be a simple command sent to the networking service to
attempt to fingerprint what is allowed or denied by a service, requests to a service
that may enable an attacker to surmise the version and specific service running,
requests to a service that may enable an attacker to fingerprint the target network,
and other information gathering tactics. These enumerations may result in
information being provided that can allow an attacker to craft a specific attack
against the networking service, host, or application that may work correctly the
first time - enabling them to modify their methodology to go on relatively
undetected.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Enumerate > RemoteProcedureEnumerate
RemoteProcedureEnumerate alerts reflect attempts to gather information about
target hosts, or services on target hosts, by sending active data to Remote
Procedure services (using protocols such as RMI, CORBA, and traditional RPC)
that will elicit responses that reveal information about the application or host. This
enumeration may be a simple command sent to the remote procedure service to
attempt to fingerprint what is allowed or denied by the service, requests to the
remote procedure service that may enable an attacker to surmise the version and
specific service running, and other information gathering tactics. These
enumerations may result in information being provided that can allow an attacker
to craft a specific attack against the remote procedure service or application that
may work correctly the first time - enabling them to modify their methodology to go
on relatively undetected.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Enumerate > RemoteProcedureEnumerate > RPCPortmapperEnumerate
RPCPortmapperEnumerate alerts reflect attempts to gather information about
target hosts, or services on target hosts, by sending active data to the Portmapper
Remote Procedure service that will elicit responses that reveal information about
the application or host. This enumeration may be a simple command sent to the
portmapper service to attempt to fingerprint what is allowed or denied by the
service, requests to the portmapper service that may enable an attacker to
surmise the version and specific service running, and other information gathering
tactics. These enumerations may result in information being provided that can
allow an attacker to craft a specific attack against the portmapper service or client
application that may work correctly the first time - enabling them to modify their
methodology to go on relatively undetected.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Enumerate > RemoteProcedureEnumerate > RPCPortScanEnumerate
RPCPortScanEnumerate alerts reflect attempts to gather information about target
hosts, or services on target hosts, by sending active data to Remote Procedure
services (using protocols such as RMI, CORBA, and traditional RPC) that will
elicit responses that reveal information about the application or host. This specific
type of enumeration is done by sending queries to RPC related ports to attempt to
fingerprint the types and specific services running, and may involve other
information gathering tactics. These enumerations may result in information being
provided that can allow an attacker to craft a specific attack against the remote
procedure service or application that may work correctly the first time - enabling
them to modify their methodology to go on relatively undetected.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Footprint
Footprint alerts reflect attempts to gather information about target networks by
tracing the network through routers, clients, servers, or other network
infrastructure devices. The originating source of the footprint is generally
attempting to acquire information that may reveal more about network behavior
than normal traffic to the target would.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Footprint > DNSRequestFootprint
DNSRequestFootprint alerts are a specific type of Footprint alert that reflects a
DNS record request that may serve to reveal DNS configuration. Contained within
this DNS configuration may be information that reveals internal networks,
protected devices, or IP addresses of potential targets.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Footprint > FirewalkingFootprint
FirewalkingFootprint alerts are a specific type of Footprint alert that reflects the
usage of a connector that attempts to gather information about network
infrastructure device access control and filtering lists. Firewalking works by
sending TCP and UDP packets whose IP TTL is set to expire one hop beyond the
gateway: an ICMP time-exceeded reply from the next hop shows that the gateway
forwarded the packet, while silence shows that it was filtered. This activity may
reflect attempts to enumerate devices beyond the perimeter of a network,
gathering information about activity that is allowed or denied past given
gateways.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Footprint > TraceRouteFootprint
TraceRouteFootprint alerts are a specific type of Footprint alert that reflects an IP
packet route trace from source to destination. Generally, this route will not reveal
specific information about device types or hosts on a network, but will trace the
path of IP traffic across routing devices. This traffic may be an attempt to discover
routing devices that are misconfigured (which may be vulnerable to attacks such
as IP spoofing or IP fragmentation).
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Scan
Scan alerts reflect attempts to gather information about target networks, or specific
target hosts, by sending scans which will elicit responses that reveal information
about clients, servers, or other network infrastructure devices. The originating
source of the scan is generally attempting to acquire information that may reveal
more than normal traffic to the target would, information such as a list of
applications listening on ports, operating system information, and other
information that a probe may discover without enumeration of the specific
services or performing attack attempts.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Scan > CoreScan
CoreScan alerts reflect attempts to gather information about target networks, or
specific target hosts, by sending scans over core network protocols (TCP, IP,
ICMP, UDP) which will elicit responses that reveal information about clients,
servers, or other network infrastructure devices. The originating source of the
scan is generally attempting to acquire information that may reveal more than
normal traffic to the target would, information such as a list of applications
listening on ports, operating system information, and other information that a
probe may discover without enumeration of the specific services or performing
attack attempts.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Scan > CoreScan > HostScan
HostScan alerts reflect attempts to gather information about specific target hosts
by sending scans which will elicit responses that reveal information about clients,
servers, or other network infrastructure devices. The originating source of the
scan is generally attempting to acquire information that may reveal more than
normal traffic to the target would, such as a list of applications on the host,
operating system information, and other information that a probe may discover
without enumeration of the specific services or performing attack attempts. These
scans generally do not occur across entire networks and generally have the intent
of discovering operating system and application information which may be used
for further attack preparation.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Scan > CoreScan > ICMPQuery
ICMPQuery alerts reflect attempts to gather information about specific target
hosts, or networks, by sending ICMP-based queries that will elicit responses that
reveal information about clients, servers, or other network infrastructure devices.
The originating source of the scan is generally attempting to acquire information
that may reveal more than normal traffic to the target would, such as operating
system information and other information that a probe may discover without
enumeration of the specific services or performing attack attempts. These scans
generally do not occur across entire networks, contain many sequential ICMP
packets, and generally have the intent of discovering operating system and
application information which may be used for further attack preparation.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Scan > CoreScan > PingSweep
PingSweep alerts reflect a specific type of CoreScan alert that describe an
attempt to gather information about target networks, and hosts on those networks,
by sending ICMP or TCP ping packets to test whether hosts are alive. The
originating source of the scan is generally attempting to acquire information about
network topology or groups of specific hosts on the network and may have the
intent of gathering information for future attack attempts.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Scan > CoreScan > PingSweep > ICMPPingSweep
ICMPPingSweep alerts reflect a specific type of CoreScan alert that describe an
attempt to gather information about target networks, and hosts on those networks,
by sending ICMP ping packets to test whether hosts are alive. The originating
source of the scan is generally attempting to acquire information about network
topology or groups of specific hosts on the network and may have the intent of
gathering information for future attack attempts.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Scan > CoreScan > PingSweep > TCPPingSweep
TCPPingSweep alerts reflect a specific type of CoreScan alert that describe an
attempt to gather information about target networks, and hosts on those networks,
by sending TCP ping packets to test whether hosts are alive. The originating
source of the scan is generally attempting to acquire information about network
topology or groups of specific hosts on the network and may have the intent of
gathering information for future attack attempts.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Scan > CoreScan > PortScan
PortScan alerts reflect attempts to gather information about target networks, or
specific target hosts, by sending scans over core network protocols (TCP, IP,
ICMP, UDP) that will elicit responses that reveal information about clients,
servers, or other network infrastructure devices. The originating source of the
scan is generally attempting to acquire information that may reveal more than
normal traffic to the target would, such as a list of applications listening on ports,
operating system information, and other information that a probe may discover
without enumeration of the specific services or performing attack attempts.
Portscans specifically operate by sending probes to every port within a range,
attempting to identify open ports that may use applications or services that are
easy to enumerate and attack.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Scan > CoreScan > PortScan > TCPPortScan
TCPPortScan alerts reflect attempts to gather information about target networks,
or specific target hosts, by sending scans over TCP that will elicit responses that
reveal information about clients, servers, or other network infrastructure devices.
The originating source of the scan is generally attempting to acquire information
that may reveal more than normal traffic to the target would, such as a list of
applications listening on ports, operating system information, and other
information that a probe may discover without enumeration of the specific
services or performing attack attempts. TCP portscans specifically operate by
sending TCP probes to every port within a range, attempting to identify open ports
that may use applications or services that are easy to enumerate and attack.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Scan > CoreScan > PortScan > UDPPortScan
UDPPortScan alerts reflect attempts to gather information about target networks,
or specific target hosts, by sending scans over UDP that will elicit responses that
reveal information about clients, servers, or other network infrastructure devices.
The originating source of the scan is generally attempting to acquire information
that may reveal more than normal traffic to the target would, such as a list of
applications listening on ports, operating system information, and other
information that a probe may discover without enumeration of the specific
services or performing attack attempts. UDP portscans specifically operate by
sending UDP probes to every port within a range, attempting to identify open
ports that may use applications or services that are easy to enumerate and attack.
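The two scan shapes described under PingSweep and PortScan (many ports on one host, or one probe to many hosts), as one added example that is not LEM code or a LEM rule: a Python detector over flow records that bucketizes by time window and emits TCPPortScan/UDPPortScan or ICMPPingSweep/TCPPingSweep names matching the taxonomy above. The flow record format, the sample addresses and the thresholds are assumptions constructed for this illustration.

```python
"""Detect port scans and ping sweeps in flow records.

Added illustration for the PortScan (TCPPortScan/UDPPortScan) and PingSweep
(ICMPPingSweep/TCPPingSweep) event classes; not LEM code. Records use a
constructed, hypothetical format "<epoch> <proto> <src> <dst> <last>", where
<last> is the destination port for tcp/udp and the ICMP type for icmp
(8 = echo request).
"""
from collections import defaultdict

# Constructed sample: a TCP port scan of one host, an ICMP sweep of a /29,
# a TCP "ping" (SYN to port 80) across five hosts, and a normal HTTPS client.
SAMPLE_FLOWS = """\
100 tcp 203.0.113.7 10.0.0.5 22
101 tcp 203.0.113.7 10.0.0.5 23
102 tcp 203.0.113.7 10.0.0.5 25
103 tcp 203.0.113.7 10.0.0.5 80
104 tcp 203.0.113.7 10.0.0.5 110
105 tcp 203.0.113.7 10.0.0.5 143
106 tcp 203.0.113.7 10.0.0.5 443
107 tcp 203.0.113.7 10.0.0.5 445
108 tcp 203.0.113.7 10.0.0.5 3389
109 tcp 203.0.113.7 10.0.0.5 8080
200 icmp 198.51.100.4 10.0.0.1 8
200 icmp 198.51.100.4 10.0.0.2 8
201 icmp 198.51.100.4 10.0.0.3 8
201 icmp 198.51.100.4 10.0.0.4 8
202 icmp 198.51.100.4 10.0.0.5 8
202 icmp 198.51.100.4 10.0.0.6 8
300 tcp 192.0.2.9 10.0.0.5 443
301 tcp 192.0.2.9 10.0.0.5 443
400 tcp 192.0.2.20 10.0.0.10 80
401 tcp 192.0.2.20 10.0.0.11 80
402 tcp 192.0.2.20 10.0.0.12 80
403 tcp 192.0.2.20 10.0.0.13 80
404 tcp 192.0.2.20 10.0.0.14 80
"""


def detect_scans(flow_text, window=60, port_threshold=10, host_threshold=5):
    """Return sorted alerts as (event, src, dst_or_None) tuples.

    Flows are bucketed into fixed windows of `window` seconds. Within one
    bucket, a source touching >= port_threshold distinct ports on a single
    destination is a <PROTO>PortScan; a source reaching >= host_threshold
    distinct destinations with ICMP echo requests, or with TCP probes to one
    and the same port, is a <PROTO>PingSweep.
    """
    ports_by_pair = defaultdict(set)    # (src, dst, proto, bucket) -> ports
    hosts_by_probe = defaultdict(set)   # (src, proto, probe, bucket) -> dsts
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue   # malformed record: skip rather than stop the pipeline
        ts, proto, src, dst, last = int(parts[0]), parts[1].lower(), parts[2], parts[3], int(parts[4])
        bucket = ts // window
        if proto in ("tcp", "udp"):
            ports_by_pair[(src, dst, proto, bucket)].add(last)
            if proto == "tcp":
                hosts_by_probe[(src, "tcp", last, bucket)].add(dst)
        elif proto == "icmp" and last == 8:
            hosts_by_probe[(src, "icmp", 8, bucket)].add(dst)
    alerts = set()
    for (src, dst, proto, _), ports in ports_by_pair.items():
        if len(ports) >= port_threshold:
            alerts.add((proto.upper() + "PortScan", src, dst))
    for (src, proto, _, _), dsts in hosts_by_probe.items():
        if len(dsts) >= host_threshold:
            alerts.add((proto.upper() + "PingSweep", src, None))
    return sorted(alerts, key=lambda a: (a[0], a[1], a[2] or ""))
```

Fixed buckets are cheap but a scan straddling a bucket edge can be split below threshold; a production rule would use a sliding window, and would also whitelist the vulnerability scanner and monitoring hosts that legitimately produce these patterns, which is the "controlled, small-quantity" reconnaissance the Recon description allows for.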
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Scan > CoreScan > StackFingerprint
StackFingerprint alerts reflect attempts to gather information about specific target
hosts by sending a certain set of packets to probe a device's network stack, which
will elicit responses that reveal information about clients, servers, or other network
infrastructure devices. The originating source of the scan is generally attempting
to acquire information that may reveal more than normal traffic to the target would,
such as operating system information (including type and version) and other
information that a probe may discover without enumeration of the specific
services or performing attack attempts. These scans generally do not occur
across entire networks and generally have the intent of discovering operating
system information which may be used for further attack preparation.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Scan > CoreScan > StackFingerprint > ICMPStackFingerprint
ICMPStackFingerprint alerts reflect attempts to gather information about specific
target hosts by sending a certain set of ICMP packets to probe a device's ICMP
stack, which will elicit responses that reveal information about clients, servers, or
other network infrastructure devices. The originating source of the scan is
generally attempting to acquire information that may reveal more than normal
traffic to the target would, such as operating system information (including type
and version) and other information that a probe may discover without enumeration
of the specific services or performing attack attempts. These scans generally do
not occur across entire networks and generally have the intent of discovering
operating system information which may be used for further attack preparation.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Scan > CoreScan > StackFingerprint > TCPStackFingerprint
TCPStackFingerprint alerts reflect attempts to gather information about specific
target hosts by sending a certain set of TCP packets to probe a device's TCP/IP
stack, which will elicit responses that reveal information about clients, servers, or
other network infrastructure devices. The originating source of the scan is
generally attempting to acquire information that may reveal more than normal
traffic to the target would, such as operating system information (including type
and version) and other information that a probe may discover without enumeration
of the specific services or performing attack attempts. These scans generally do
not occur across entire networks and generally have the intent of discovering
operating system information which may be used for further attack preparation.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon >
Scan > TrojanScanner
TrojanScanner alerts reflect attempts of Trojans on the network to gather
information about target networks, or specific target hosts, by sending scans
which will elicit responses that reveal information about the host. The originating
Trojan source of the scan is generally attempting to acquire information that will
reveal whether a target host or network has open and available services for
further exploitation, whether the target host or network is alive, and how much of
the target network is visible. A Trojan may run a scan before attempting an attack
operation to test potential effectiveness or targeting information.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious >
UnusualTraffic
UnusualTraffic alerts reflect suspicious behavior on network devices where the
traffic may have no known exploit, but is unusual and could be potential
enumerations, probes, fingerprints, attempts to confuse devices, or other
abnormal traffic. UnusualTraffic may have no impending response, however, it
could reflect a suspicious host that should be monitored closely.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious >
UnusualTraffic > UnusualICMPTraffic
UnusualICMPTraffic alerts reflect ICMP-based suspicious behavior on network
devices where the traffic may have no known exploit, but is unusual and could be
potential enumerations, probes, fingerprints, attempts to confuse devices, or other
abnormal traffic. UnusualICMPTraffic may have no impending response,
however, it could reflect a suspicious host that should be monitored closely.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious >
UnusualTraffic > UnusualIPTraffic
UnusualIPTraffic alerts reflect IP-based suspicious behavior on network devices
where the traffic may have no known exploit, but is unusual and could be
potential enumerations, probes, fingerprints, attempts to confuse devices, or other
abnormal traffic. UnusualIPTraffic may have no impending response, however, it
could reflect a suspicious host that should be monitored closely.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious >
UnusualTraffic > UnusualProtocol
UnusualProtocol alerts reflect suspicious behavior on network devices where the
traffic is targeted at unknown, unassigned, or uncommonly used protocols. This
traffic may have no known exploit, but is unusual and should be considered
potential enumerations, probes, fingerprints, attempts to confuse devices, or other
abnormal traffic. UnusualProtocol may have no impending response, however, it
could reflect a suspicious host that should be monitored closely.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious >
UnusualTraffic > UnusualTCPTraffic
UnusualTCPTraffic alerts reflect TCP-based suspicious behavior on network
devices where the traffic may have no known exploit, but is unusual and could be
potential enumerations, probes, fingerprints, attempts to confuse devices, or other
abnormal traffic. UnusualTCPTraffic may have no impending response, however,
it could reflect a suspicious host that should be monitored closely.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious >
UnusualTraffic > UnusualUDPTraffic
UnusualUDPTraffic alerts reflect UDP-based suspicious behavior on network
devices where the traffic may have no known exploit, but is unusual and could be
potential enumerations, probes, fingerprints, attempts to confuse devices, or other
abnormal traffic. UnusualUDPTraffic may have no impending response, however,
it could reflect a suspicious host that should be monitored closely.
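The UDPPortscan and UnusualProtocol descriptions in this appendix define those two categories in terms of observable traffic: many UDP probes from one source against a range of ports on a host, and traffic that uses unknown, unassigned, or uncommonly used protocols. The following Python script is an added example, not part of this guide and not LEM's own rule logic; it applies both definitions to a few constructed iptables/netfilter-style firewall log lines and labels the results with the Appendix B category paths. The log format, the hosts, the 30-second window, the threshold of 8 distinct ports, the set of "common" protocols, the year used to complete the syslog timestamps, and the exact category path of the UDP portscan alert are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log lines in an iptables/netfilter LOG-target style.
# The format, hosts and thresholds are assumptions for this example, not LEM rules.
SAMPLE_LOG = """\
Sep  1 10:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=40001 DPT=53
Sep  1 10:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=40002 DPT=67
Sep  1 10:00:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=40003 DPT=69
Sep  1 10:00:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=40004 DPT=111
Sep  1 10:00:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=40005 DPT=123
Sep  1 10:00:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=40006 DPT=161
Sep  1 10:00:04 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=40007 DPT=500
Sep  1 10:00:04 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=40008 DPT=514
Sep  1 10:00:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=40009 DPT=1434
Sep  1 10:00:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=40010 DPT=5060
Sep  1 10:00:06 fw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=UDP SPT=50000 DPT=53
Sep  1 10:00:07 fw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=UDP SPT=50000 DPT=53
Sep  1 10:00:08 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.20 PROTO=253
Sep  1 10:00:09 fw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443
"""

# Category paths follow Appendix B; the exact path of the UDP portscan alert is assumed.
UDP_PORTSCAN = ("SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > "
                "Recon > Scan > CoreScan > UDPPortscan")
UNUSUAL_PROTOCOL = ("SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > "
                    "UnusualTraffic > UnusualProtocol")

COMMON_PROTOCOLS = {"TCP", "UDP", "ICMP"}  # assumption: everything else is "uncommon"
UDP_PORT_THRESHOLD = 8                      # assumption: distinct ports per source/target pair
WINDOW_SECONDS = 30                         # assumption: sliding window length
LOG_YEAR = 2015                             # assumption: syslog timestamps carry no year

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<kv>.*)$")


def parse_line(line):
    """Return a dict with ts/src/dst/proto/dpt for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    stamp = " ".join(m.group("ts").split())  # collapse the padded day ("Sep  1")
    ts = datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
    kv = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    return {"ts": ts, "src": kv.get("SRC"), "dst": kv.get("DST"),
            "proto": kv.get("PROTO"), "dpt": kv.get("DPT")}


def max_distinct_ports_in_window(probes, window=WINDOW_SECONDS):
    """Largest number of distinct destination ports seen within any `window`-second span."""
    probes = sorted(probes)
    best, start = 0, 0
    for end in range(len(probes)):
        while (probes[end][0] - probes[start][0]).total_seconds() > window:
            start += 1
        best = max(best, len({port for _, port in probes[start:end + 1]}))
    return best


def classify(log_text):
    """Apply the two Appendix B definitions and return (category, src, dst, detail) tuples."""
    alerts = []
    udp_probes = defaultdict(list)  # (src, dst) -> [(ts, dpt), ...]
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        # UnusualProtocol: traffic on a protocol outside the common set.
        if ev["proto"] and ev["proto"] not in COMMON_PROTOCOLS:
            alerts.append((UNUSUAL_PROTOCOL, ev["src"], ev["dst"], f"PROTO={ev['proto']}"))
        if ev["proto"] == "UDP" and ev["dpt"]:
            udp_probes[(ev["src"], ev["dst"])].append((ev["ts"], int(ev["dpt"])))
    # UDPPortscan: one source probing many distinct UDP ports on one host in a short window.
    for (src, dst), probes in udp_probes.items():
        distinct = max_distinct_ports_in_window(probes)
        if distinct >= UDP_PORT_THRESHOLD:
            alerts.append((UDP_PORTSCAN, src, dst,
                           f"{distinct} distinct UDP ports within {WINDOW_SECONDS}s"))
    return alerts


if __name__ == "__main__":
    for category, src, dst, detail in classify(SAMPLE_LOG):
        print(f"{category}\n  {src} -> {dst}: {detail}")
```

Run as a script it reports one UnusualProtocol alert for the PROTO=253 datagram and one UDPPortscan alert for 203.0.113.7, while the repeated DNS queries from 198.51.100.4 stay below the threshold because they touch a single port. Per-pair distinct-port counting over a sliding window is what keeps ordinary chatty clients from tripping the scan rule.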


Appendix C: Appendix Event Data Fields


The following table explains the meaning of each grid column or data field that
can appear in various alert grids, event grids, and information panes throughout
the Console. The actual columns and fields that are shown vary according to the
alert, view, or grid you are working with. But the meaning of these fields remains
the same, regardless of where you see them.
For convenience, the fields are listed in alphabetical order.
| Grid column or field | Description |
| --- | --- |
| EventName | The name of the alert. |
| ConnectionName | The name of the dial-up or VPN connection. |
| ConnectionStatus | The current status of the dial-up or VPN connection. |
| DestinationMachine | The IP address the network traffic is going to. |
| DestinationPort | The port number the network traffic is going to. |
| DetectionIP | The network node that is the originating source of the alert data. This is usually a Manager or an Agent and is the same as the InsertionIP field, but can also be a network device such as a firewall or an intrusion detection system that may be sending log files over a remote logging protocol. |
| DetectionTime | The time the network node generated the data. This is usually the same as the InsertionTime field, but they can differ when the Agent or Manager is reading historical data, or if a network device has an incorrect time setting. |
| EventInfo | A short summary of the alert details. Additional details appear in the following fields, but EventInfo provides enough information to view a snapshot of the alert information. |
| ExtraneousInfo | Extra information that is relevant to the alert, but may not be reflected in other fields. This can include information useful for correlating or summarizing alert information in addition to the EventInfo field. |
| Host | The node the log message came from (that is, the LEM or Agent that collected the message for forwarding to nDepth). |
| HostFromData | The originating network device (if different than the node) that the message came from. Normally, Host and HostFromData are the same, but in the case of a remote logging device (such as a firewall) this field reports the original remote device's address. |
| InferenceRule | The name of the correlation that caused this alert. The InferenceRule field will generally be blank, but in cases where the alert was related to a rule, it displays the rule name. |
| InsertionIP | The Manager or Agent that first created the alert. This is the source that first read the log data from a file or other source. |
| InsertionTime | The time the Manager or Agent first created the alert. This time indicates when the data was read from a log file or other source. |
| IPAddress | The IP address associated with the alert. This is a composite field, drawn from several different alert fields. It shows all the IP addresses that appear in alert data. |
| Manager | The name of the Manager that received the alert. For data generated from an Agent, this is the Manager the Agent is connected to. |
| Order | In the Event explorer's event grid, the Order field indicates when each event occurred. It shows one of three icons: one means the event occurred before the central event shown in the event map, one means it occurred during (as part of) the central event, and one means it occurred after it. |
| Protocol | Displays the protocol associated with this alert (TCP or UDP). |
| ProviderSID | A unique identifier for the original data. Generally, the ProviderSID field includes information that can be used in researching information on the alert in the originating network device vendor's documentation. |
| SourceMachine | The IP address the network traffic is coming from. |
| SourcePort | The port number the network traffic is coming from. |
| ConnectorAlias | The Alias Name entered when configuring the connector on the Manager or Agent. |
| ConnectorId | The actual connector that generated the log message. |
| ConnectorType | Connector category for the connector that generated the log message. |
| Username | The user name associated with the alert. This is a composite field, drawn from several different alert fields. It shows all the places that user names appear in alert data. |
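As an added example (not part of this guide, and not LEM's own code), the following Python script models a few of the fields defined in this appendix and shows two checks that follow directly from their definitions: rebuilding the composite IPAddress value from the individual IP-valued fields, and comparing DetectionTime with InsertionTime, which the table says differ when historical data is being read or a device's clock is wrong. It also uses the DetectionIP/InsertionIP relationship to tell whether an alert arrived through a remote logging device. The sample alert values, the set of fields assumed to feed IPAddress, the timestamp format and the 300-second tolerance are constructed assumptions.

```python
from datetime import datetime

# Field names follow Appendix C; all values below are constructed for this example.
SAMPLE_ALERTS = {
    "normal": {  # a firewall logged the event and the Manager read it a second later
        "EventName": "UDPPortscan",
        "DetectionIP": "192.0.2.1",
        "InsertionIP": "10.1.1.200",
        "DetectionTime": "2015-09-01 10:00:05",
        "InsertionTime": "2015-09-01 10:00:06",
        "SourceMachine": "203.0.113.7",
        "DestinationMachine": "192.0.2.10",
        "Host": "10.1.1.200",
        "HostFromData": "192.0.2.1",
    },
    "replayed": {  # Manager reading historical data hours after it was generated
        "EventName": "UnusualProtocol",
        "DetectionIP": "10.1.1.200",
        "InsertionIP": "10.1.1.200",
        "DetectionTime": "2015-09-01 02:00:00",
        "InsertionTime": "2015-09-01 10:00:00",
        "SourceMachine": "198.51.100.9",
        "DestinationMachine": "192.0.2.20",
        "Host": "10.1.1.200",
        "HostFromData": "10.1.1.200",
    },
    "clock_ahead": {  # reporting device's clock runs ahead of the Manager's
        "EventName": "TCPStackFingerprint",
        "DetectionIP": "192.0.2.2",
        "InsertionIP": "10.1.1.200",
        "DetectionTime": "2015-09-01 10:30:00",
        "InsertionTime": "2015-09-01 10:00:00",
        "SourceMachine": "203.0.113.8",
        "DestinationMachine": "192.0.2.10",
        "Host": "10.1.1.200",
        "HostFromData": "192.0.2.2",
    },
}

# Assumption: these are the per-alert fields that carry an IP address and
# therefore feed the composite IPAddress field.
IP_FIELDS = ("SourceMachine", "DestinationMachine", "DetectionIP",
             "InsertionIP", "Host", "HostFromData")
SKEW_TOLERANCE_SECONDS = 300  # assumption: larger gaps are worth a second look
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumption: format of the constructed timestamps


def composite_ip_addresses(alert):
    """Rebuild the composite IPAddress value: every distinct address in the alert."""
    return sorted({alert[f] for f in IP_FIELDS if alert.get(f)})


def via_remote_logging_device(alert):
    """DetectionIP differs from InsertionIP when a firewall or IDS sent the data remotely."""
    return alert["DetectionIP"] != alert["InsertionIP"]


def detection_skew_seconds(alert):
    """InsertionTime minus DetectionTime; positive when the Manager read the data after it was generated."""
    inserted = datetime.strptime(alert["InsertionTime"], TIME_FORMAT)
    detected = datetime.strptime(alert["DetectionTime"], TIME_FORMAT)
    return (inserted - detected).total_seconds()


def clock_problem(alert, tolerance=SKEW_TOLERANCE_SECONDS):
    """Return a short reason when the two timestamps disagree by more than the tolerance, else None."""
    skew = detection_skew_seconds(alert)
    if skew < -tolerance:
        return "DetectionTime is later than InsertionTime: the reporting device's clock is ahead"
    if skew > tolerance:
        return "DetectionTime is well before InsertionTime: historical data or the device's clock is behind"
    return None


def triage(alerts):
    """Summarize each alert using the three checks above."""
    return {
        name: {
            "ip_addresses": composite_ip_addresses(a),
            "remote_device": via_remote_logging_device(a),
            "clock_problem": clock_problem(a),
        }
        for name, a in alerts.items()
    }


if __name__ == "__main__":
    for name, result in triage(SAMPLE_ALERTS).items():
        print(name, result)
```

The clock check matters in practice because correlation rules order events by time: an alert whose DetectionTime is hours off from its InsertionTime will sort into the wrong place in the event map, and a consistently skewed DetectionIP is usually a device that needs its NTP configuration fixed rather than an attacker.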


Appendix D: Connector Categories


| FileName | Description | Version |
| --- | --- | --- |
| 3comswitch.xml | 3Com Switch | 7374 |
| actianceusg.xml | Actiance Unified Security Gateway | 7374 |
| activescout.xml | ActiveScout | 7374 |
| AIXauditlog.xml | AIX Audit | 7405 |
| AIXsyslog.xml | AIX Syslog | 7426 |
| AlliedTelesis.xml | Allied Telesis Routers and Switches | 7374 |
| amavis.xml | AMaViS | 7374 |
| ApacheAccessLog.xml | Apache Access | 7374 |
| ApacheErrorLog.xml | Apache Error | 7374 |
| apcinfrastruxure.xml | APC InfraStruXure | 7374 |
| arraynetworksspx.xml | Array Networks SPX | 7374 |
| aruba.xml | Aruba Wireless Access Point | 7374 |
| aruba3x.xml | Aruba Wireless Access Point 3x | 7374 |
| as400.xml | Legacy TriGeo Agent AS400 Tool | 7453 |
| astarosg.xml | Astaro Security Gateway | 7374 |
| atlas.xml | Adtran Atlas Switch | 7374 |
| aventail.xml | SonicWALL Aventail SSL VPN E-Class | 7374 |
| avgnetworkserver.xml | AVG DataCenter 7.5 | 7374 |
| avgnetworkserver.xml | AVG DataCenter 8.0 | 7374 |
| avgworkstation.xml | AVG 7.5 Network | 7374 |
| AxcientUMC.xml | Axcient Unified Management Console (UMC) | 7380 |
| BackupExecSR.xml | Symantec Backup Exec System Recovery | 7374 |
| barracudaadmin.xml | Barracuda Admin | 7374 |
| barracudaNG.xml | Barracuda NG Firewall (Phion Netfence) | 7374 |
| barracudaweb.xml | Barracuda Web Filter | 7374 |
| BarracudaWebAppFW.xml | Barracuda Web Application Firewall | 7374 |
| bind.xml | Bind | 7374 |
| biopassword.xml | BioPassword | 7374 |
| Bit9Parity.xml | Bit9 Parity v5+ Syslog | 7492 |
| bladerackswitch.xml | Blade RackSwitch | 7374 |
| bluecoatproxySG.xml | Blue Coat ProxySG | 7399 |
| bluecoatproxysgwa.xml | Blue Coat Proxy SG web access | 7379 |
| bordermanager.xml | Novell BorderManager | 7374 |
| bordermanagerwebproxy.xml | Novell BorderManager Web Proxy | 7374 |
| Borderware.xml | Borderware Firewall | 7374 |
| brightstor.xml | CA's BrightStor v11.5 | 7374 |
| checkpointedgex.xml | Checkpoint Edge X Firewall | 7374 |
| ciscoacsadminaudit.xml | Cisco ACS Admin Audit 4.1+ | 7387 |
| ciscoacsadminaudit.xml | Cisco ACS Admin Audit | 7387 |
| ciscoacsbackup.xml | Cisco ACS Backup and Restore | 7374 |
| ciscoacsdbr.xml | Cisco ACS Database Replication | 7374 |
| ciscoacsdbs.xml | Cisco ACS Database Sync | 7374 |
| ciscoacsexpress.xml | Cisco ACS Express | 7374 |
| ciscoacsfailed.xml | Cisco ACS Failed Attempts | 7374 |
| ciscoacspassauth.xml | Cisco ACS Passed Authentications | 7374 |
| ciscoacspassword.xml | Cisco ACS User Password Changes | 7374 |
| ciscoacsradius.xml | Cisco ACS RADIUS Accounting | 7374 |
| ciscoacsservmon.xml | Cisco ACS Service Monitoring | 7374 |
| ciscoacssyslog.xml | Cisco Secure ACS 4.1 Syslog | 7374 |
| ciscoacssyslog5.xml | Cisco Secure ACS 5+ Syslog | 7374 |
| ciscoacstacacc.xml | Cisco ACS TACACS+ Accounting | 7374 |
| ciscoacstacadmin.xml | Cisco ACS TACACS+ Administration | 7374 |
| ciscoacsvoip.xml | Cisco ACS VoIP | 7374 |
| ciscocatos.xml | Cisco CatOS | 7374 |
| CiscoCSCSSM.xml | Cisco Content Security and Control Security Services Module 6.16.2 | 7374 |
| CiscoCSCSSM63.xml | Cisco Content Security and Control Security Services Module 6.3+ | 7374 |
| ciscocss.xml | Cisco Content Services Switch | 7374 |
| CiscoFirewalls.xml | Cisco PIX and IOS | 7443 |
| CiscoIDS.xml | Cisco IDS/IPS v4/5.x | 7374 |
| CiscoIPSsdee.xml | Cisco IPS 5+ (SDEE) | 7374 |
| CiscoNAC_CA.xml | Cisco (NAC) Network Access Control Appliance with Clean Access Manager (CAM) or Server (CAS) Software | 7422 |
| cisconetworkregistrar.xml | Cisco Network Registrar for Windows | 7374 |
| CiscoNXOS.xml | Cisco Nexus NX-OS | 7395 |
| CiscoVPN.xml | Cisco VPN | 7374 |
| ciscowlc.xml | Cisco Wireless LAN Controller and IOS-XE Software | 7388 |
| citrixnetscaler.xml | Citrix Secure Access Gateway Enterprise Appliance / Netscaler | 7374 |
| CitrixSAG.xml | Citrix Secure Access Gateway | 7374 |
| CitrixXD.xml | Citrix XenDesktop | 7374 |
| CitrixXS_auth.xml | Citrix XenServer auth log | 7374 |
| CitrixXS_daemon.xml | Citrix XenServer daemon log | 7374 |
| ClamAV.xml | ClamAV | 7374 |
| codegreenci.xml | CodeGreen Content Inspection | 7374 |
| codegreenciuser.xml | CodeGreen Content Inspection user | 7374 |
| commandavwindows.xml | Command Antivirus for Windows | 7374 |
| CommandES.xml | Command for Exchange Server | 7374 |
| consentrycontroller.xml | ConSentry Controller | 7374 |
| ContegoManagerMonitor.xml | Manager Monitor | 7374 |
| ContegoReports.xml | SWLEM Reports | 7374 |
| corenteawb.xml | Corente AWB | 7374 |
| cyberarkvault.xml | Cyber-Ark Vault | 7374 |
| cyberguard.xml | Cyberguard | 7374 |
| CyberoamUTM.xml | Cyberoam UTM | 7374 |
| dellPowerConnect.xml | Dell PowerConnect Switches | 7374 |
| devicelockevents.xml | DeviceLock Audit | 7374 |
| devicelockevents.xml | DeviceLock Events | 7374 |
| digitalpersona.xml | DigitalPersona Pro | 7374 |
| dlinkdfl.xml | D-Link DFL firewall | 7374 |
| dragonids.xml | Dragon IDS | 7374 |
| edmzpar.xml | eDMZ Password Auto Repository | 7374 |
| eeyeblinkep.xml | eEye Blink Professional Endpoint Protection | 7380 |
| EFTServer.xml | EFT Server Enterprise Windows Application Log | 7374 |
| emcrecoverpoint.xml | EMC RecoverPoint | 7374 |
| enterasysswitch.xml | Enterasys C-Series and N-Series Switches | 7374 |
| epo.xml | ePolicy Orchestrator (ePO) | 7380 |
| epo45.xml | ePolicy Orchestrator (ePO) 4.5+ | 7467 |
| esafe.xml | eSafe | 7374 |
| esoft.xml | eSoft | 7374 |
| esxcfgfirewall.xml | VMWare ESX esxcfgfirewall log | 7374 |
| esxhostd.xml | VMWare ESX hostd log | 7483 |
| esxihostd.xml | VMWare ESXi Hostd log | 7397 |
| esxmessages.xml | VMWare ESXi messages log | 7406 |
| esxmessages.xml | VMWare ESX messages log | 7406 |
| esxsecure.xml | VMWare ESX secure log | 7429 |
| esxvmkernel.xml | VMWare ESXi vmkernel log | 7392 |
| esxvmkernel.xml | VMWare ESX vmkernel log | 7392 |
| esxvmkwarning.xml | VMWare ESX vmkwarning log | 7374 |
| extremeswitch.xml | Extreme Switch | 7452 |
| F5BigIPdaemon.xml | F5 BigIP BSD daemon messages | 7374 |
| F5BigIPhttpd.xml | F5 BigIP HTTPD specific | 7374 |
| F5BigIPLTMgeneral.xml | F5 General BIG-IP specific messages | 7454 |
| F5BigIPmessages.xml | F5 BigIP messages | 7374 |
| FileSure.xml | FileSure | 7374 |
| FirePass.xml | FirePass SSL VPN | 7374 |
| fireproof.xml | FireProof | 7374 |
| flexteller.xml | Flex Teller | 7374 |
| forefrontapp.xml | Forefront Security Application Log (Client Security, Exchange and Sharepoint) | 7374 |
| forefrontEPAV.xml | Forefront Endpoint Protection - AV | 7374 |
| forefrontSQLDB.xml | Forefront Security SQL Database | 7374 |
| forefrontsys.xml | Forefront Security System Log (Client Security) | 7374 |
| forescoutcounteractnac.xml | ForeScout CounterACT NAC | 7374 |
| fortigate25.xml | FortiGate 2.5 | 7374 |
| fortigate28.xml | FortiGate 2.8+ | 7448 |
| foundry.xml | Foundry | 7374 |
| freebsdauth.xml | FreeBSD Authentication | 7374 |
| freeradius.xml | FreeRADIUS | 7374 |
| freshclam.xml | FreshClam | 7374 |
| fsecureav.xml | F-Secure Anti-Virus 7 | 7374 |
| GFIsim.xml | GFI LANguard System Integrity Monitor 3 | 7374 |
| globalscapeeftclient.xml | Globalscape EFT client | 7374 |
| globalscapeftp.xml | Globalscape Secure FTP (W3C Extended file format) | 7407 |
| GnatBox.xml | GNAT Box System Software v.3.3 | 7415 |
| GroupShield.xml | Group Shield/Outbreak for Exchange Server | 7374 |
| hp_procurve.xml | HP ProCurve Switches Firmware F.05.65+ Zl Series | 7374 |
| hp_procurve_msm700_series.xml | HP MSM700 Series Controller | 7436 |
| hpbladesystemenclosure.xml | HP BladeSystem Enclosure local log | 7374 |
| hpbladesystemenclosure.xml | HP BladeSystem Enclosure auth log | 7374 |
| hpstorwksmsa.xml | HP StorageWorks Modular Smart Array | 7374 |
| hpuxsyslog.xml | HP-ux Syslog | 7374 |
| HuaweiSwitches.xml | Huawei Switches | 7374 |
| iasradius.xml | IAS RADIUS Rotating File | 7374 |
| iasradius.xml | IAS RADIUS NonRotating File | 7374 |
| IASsystem.xml | Windows IAS System Log | 7374 |
| IIS.xml | Microsoft IIS Web Server 7.0 (W3C Extended file format) | 7374 |
| IIS.xml | Microsoft IIS Web Server 6.0 (W3C Extended file format) | 7374 |
| IIS.xml | Microsoft IIS Web Server 5.0 (W3C Extended file format) | 7374 |
| iisftp.xml | Microsoft IIS FTP Server 7.0 (W3C Extended file format) | 7374 |
| iisftp.xml | Microsoft IIS FTP Server 5+ (W3C Extended file format) | 7374 |
| ingatesipfw.xml | Ingate Firewall | 7374 |
| InoculateIT60.xml | InoculateIT 6.0 | 7374 |
| InoculateIT70plus.xml | InoculateIT 7.0+ | 7374 |
| intrushield.xml | IntruShield | 7490 |
| ipfilter.xml | IP Filter | 7374 |
| iprism.xml | St. Bernard iPrism | 7374 |
| ironportemailsecurity.xml | IronPort Email Security Appliance | 7374 |
| ironportwebsecurity.xml | IronPort Web Security | 7374 |
| ISA2004FirewallLog.xml | Microsoft ISA 2004/2006 Firewall (ISA Server file format) | 7374 |
| ISA2004ProxyLog.xml | Microsoft ISA 2004 Web Proxy (ISA Server file format) | 7374 |
| ISA2004W3CFirewall.xml | Microsoft ISA 2004/2006 Firewall (W3C Server file format) | 7374 |
| ISA2004W3CWebProxy.xml | Microsoft ISA 2004 Web Proxy (W3C Server file format) | 7374 |
| ISA2006ProxyLog.xml | Microsoft ISA 2006 Web Proxy (ISA Server file format) | 7374 |
| ISA2006W3CWebProxy.xml | Microsoft ISA 2006 Web Proxy (W3C Server file format) | 7374 |
| ISAApplication.xml | Microsoft ISA Server Application Log | 7374 |
| ISAFirewallLog.xml | Microsoft ISA 2000 Firewall (ISA Server file format) | 7374 |
| ISAPackertFilterLog.xml | Microsoft ISA Packet Filter (ISA Server file format) | 7374 |
| isapi_redirect.xml | Apache Tomcat isapi_redirect | 7374 |
| ISAProxyLog.xml | Microsoft ISA Web Proxy (ISA Server file format) | 7374 |
| ISAW3CFirewallLog.xml | Microsoft ISA Firewall (W3C Extended file format) | 7374 |
| ISAW3CPackertFilterLog.xml | Microsoft ISA Packet Filter (W3C Extended file format) | 7374 |
| ISAW3CProxyLog.xml | Microsoft ISA Web Proxy (W3C Extended file format) | 7374 |
| issproventia.xml | ISS Proventia IPS | 7380 |
| issrealsecure.xml | ISS RealSecure IDS | 7380 |
| jacocartcare.xml | JACO CartCare | 7374 |
| juniperidp30.xml | Juniper IDP 3.x | 7374 |
| juniperidp40.xml | Juniper IDP 4.0+ | 7374 |
| junipernsm.xml | Juniper NSM | 7374 |
| junipersbr_authaccepts.xml | Juniper SBR authentication accepts report log | 7374 |
| junipersbr_authaccepts.xml | Juniper SBR authentication accepts report log | 7374 |
| junipersbr_authrejects.xml | Juniper SBR authentication rejects report log | 7374 |
| junipersbr_authrejects.xml | Juniper SBR authentication rejects report log | 7374 |
| junipervgw.xml | Juniper Virtual Gateway | 7374 |
| junos.xml | Juniper JUNOS | 7455 |
| KasperskyAdminKitDB.xml | Kaspersky Security Center | 7417 |
| KasperskyAdminKitDB.xml | Kaspersky Administration Kit 8 | 7417 |
| kasperskyav.xml | Kaspersky Anti-Virus 6 | 7374 |
| lancopestealthwatch.xml | Lancope StealthWatch | 7374 |
| linkproof.xml | LinkProof | 7374 |
| linuxauditd.xml | Linux Auditd | 7374 |
| linuxdhcpd.xml | DHCPd | 7374 |
| LogAgent.xml | LogAgent for OS400 (Patrick Townsend Security Solutions) | 7410 |
| LOGbinderSP.xml | LOGbinder for Sharepoint: Security Log | 7374 |
| LOGbinderSP.xml | LOGbinder for Sharepoint: LOGbinder SP log | 7374 |
| lotus8.xml | Lotus Notes and Domino Server 8 | 7374 |
| MacOSXcrash.xml | Mac OS X (crashreporter) | 7374 |
| MacOSXinstall.xml | Mac OS X (install) | 7374 |
| MacOSXmail.xml | Mac OS X (mail) | 7374 |
| MacOSXppp.xml | Mac OS X (ppp) | 7374 |
| MacOSXsecure.xml | Mac OS X (secure) | 7374 |
| MacOSXsystem.xml | Mac OS X (system) | 7374 |
| Made2Manage.xml | Made2Manage | 7374 |
| McAfeeAccessProtection.xml | McAfee Access Protection | 7374 |
| McafeeAccessScanLogReader.xml | McAfee On Access Scan v7.0 | 7374 |
| McafeeActivityLog.xml | McAfee Activity Log (4.5 DAT file update) | 7374 |
| mcafeeemailgateway.xml | McAfee Email Gateway | 7374 |
| McAfeeMailScan.xml | McAfee Mail Scan | 7374 |
| McAfeeNetShield.xml | McAfee NetShield | 7374 |
| McAfeeTotalProtection.xml | McAfee Total Protection | 7374 |
| McAfeeUpdateLogReader.xml | McAfee Update v7.0 | 7374 |
| McAfeeVSCLogReader.xml | McAfee VSC | 7374 |
| McafeeVSHHomeReader.xml | McAfee VSH Home | 7374 |
| McAfeeVSHLogReader.xml | McAfee VSH 5.0/7.0 | 7374 |
| McAfeeVSHOnDemandReader.xml | McAfee VSH 85i | 7374 |
| McAfeeVSHOnDemandReader.xml | McAfee VSH 80i | 7374 |
| McAfeeWebEmail.xml | McAfee Web Email Scan | 7374 |
| mcafeewebgateway6x.xml | McAfee Web Gateway v6.x | 7374 |
| meditech.xml | Meditech | 7374 |
| meditechemraccess.xml | Meditech EMR Access Log | 7374 |
| motorola_wlancontroller.xml | Motorola WLAN Controller | 7374 |
| moveit.xml | MOVEit Log | 7444 |
| moveit.xml | MOVEit Windows Application Log | 7444 |
| msexchange.xml | Microsoft Exchange Event Log | 7411 |
| msexchange.xml | Microsoft Exchange Application Log | 7411 |
| msrras.xml | Microsoft RRAS | 7374 |
| mssecessentials.xml | Microsoft Security Essentials | 7374 |
| mssqlapplicationlog.xml | MSSQL 2000 Application Log | 7442 |
| mssqlauditor.xml | SolarWinds Log and Event Manager MSSQL Auditor | 7475 |
| nagios.xml | Nagios | 7374 |
| nDepthLogMessage.xml | nDepth Log Storage Message | 7374 |
| neoaccelvpn.xml | Neo Accel SSL VPN | 7374 |
| NeoterisVPN.xml | Neoteris VPN/Juniper SA series | 7374 |
| NessusdMsgLog.xml | Nessus Message | 7374 |
| NessusdReport.xml | Nessus XML Report | 7374 |
| NessusdReport.xml | Nessus Report | 7374 |
| nessusnbe.xml | Nessus Security Scanner NBE Report | 7374 |
| netaccess.xml | Net Access | 7374 |
| netfilter.xml | iptables / netfilter | 7374 |
| netgearFV.xml | Netgear FV Series | 7374 |
| netgearsslvpn.xml | Netgear SSL VPN Concentrator SSL312 | 7374 |
| netgearswitch.xml | Netgear Switch | 7374 |
| netilla.xml | Netilla VPN | 7419 |
| netiqdra.xml | NetIQ Directory and Resource Administrator | 7374 |
| Netscreen.xml | Netscreen | 7374 |
| netscreen5.xml | Juniper/NetScreen 5 | 7491 |
| netvanta.xml | Adtran NetVanta Router | 7374 |
| netware65.xml | Novell Netware 6.5 | 7374 |
| netware65.xml | Novell Netware 6.5 File | 7374 |
| netware4153.xml | Novell Netware 4.1 5.3 | 7374 |
| NetwareDB.xml | Novell Netware 6.5 (Database) | 7374 |
| networkbox.xml | Network Box RM300 and ITPE1000 | 7374 |
| nitroips.xml | NitroSecurity IPS | 7374 |
| NitroIPSsnort.xml | NitroGuard IPS - Snort Format | 7374 |
| NOD32DB.xml | NOD32 Antivirus 4 Access Threat | 7374 |
| NOD32DB.xml | NOD32 Antivirus 4 Access Scan | 7374 |
| NOD32DB.xml | NOD32 Antivirus 4 Access Event | 7374 |
| NOD32DB.xml | NOD32 Antivirus 4 SQL Threat | 7374 |
| NOD32DB.xml | NOD32 Antivirus 4 SQL Scan | 7374 |
| NOD32DB.xml | NOD32 Antivirus 4 SQL Event | 7374 |
| nortel200series.xml | Nortel Contivity 200 Series | 7374 |
| nortelalteon.xml | Nortel Alteon | 7374 |
| nortelbaystack.xml | Nortel Baystack | 7374 |
| nortelcontivity.xml | Nortel Contivity | 7374 |
| nortelroutingswitch.xml | Nortel Ethernet Routing Switch | 7374 |
| nortelswitch4500.xml | Nortel Ethernet Routing Switch 4500 Series | 7374 |
| nortelwss.xml | Nortel WLAN Security Switch | 7374 |
| norton.xml | Symantec Corp Antivirus | 7374 |
| novellidentityauditDB.xml | Novell Identity Audit DB | 7374 |
| ntapplication.xml | Windows Application Log | 7423 |
| ntdns.xml | Windows DNS Server Log | 7374 |
| ntds.xml | Windows Directory Service Log | 7428 |
| ntfrs.xml | Windows File Replication Service | 7374 |
| ntsecurity.xml | Windows NT/2000/XP Security Log | 7374 |
| ntsystem.xml | Windows System Log | 7446 |
| nubridgesprotect.xml | NuBridges Protect Token Manager Engine | 7374 |
| nubridgesprotect.xml | NuBridges Protect Resource Service | 7374 |
| nubridgesprotect.xml | NuBridges Protect Key Manager | 7374 |
| openbsdftpd.xml | OpenBSD FTPd | 7374 |
| OpenEdgeAudit.xml | OpenEdge Audit | 7374 |
| openldap.xml | OpenLDAP | 7374 |
| OpenSSH.xml | Open SSH | 7374 |
| OpenVMS.xml | HP OpenVMS 8+ | 7374 |
| Opsec.xml | OPSEC(TM) / Check Point(TM) NG LEA Client | 7374 |
| oracledatabase.xml | Oracle Auditor - Database | 7374 |
| oraclesyslog.xml | Oracle Auditor - Syslog | 7374 |
| oraclewindows.xml | Oracle Auditor - Windows | 7441 |
| OsirisHIMS.xml | Osiris Host Integrity Monitoring System | 7374 |
| paloaltofirewall.xml | Palo Alto Networks PA-2000 Series and PA-4000 Series Firewall | 7463 |
| PAM.xml | Linux PAM | 7418 |
| PandaSecurityForDesktopsDB.xml | Panda Security for Desktops 4.02 | 7374 |
| PassManPro.xml | ManageEngine Password Manager Pro SNMP | 7413 |
| PatchLinkVulnDB.xml | PatchLink Vulnerability | 7374 |
| pcanywhere.xml | pcAnywhere | 7374 |
| permeo.xml | Permeo VPN | 7374 |
| pointsecpc.xml | PointSec PC | 7374 |
| postfix.xml | Postfix | 7374 |
| proftpdaccess.xml | ProFTPD Access | 7374 |
| proftpdauth.xml | ProFTPD Auth | 7374 |
| proximorinoco.xml | Proxim Orinoco WAP | 7374 |
| ptechinteract.xml | PowerTech Interact | 7374 |
| pureftpd.xml | Pure-FTPd | 7374 |
| qualysguard.xml | QualysGuard Scan Report | 7374 |
| radwareappdirector.xml | Radware AppDirector | 7374 |
| RaritanDominion.xml | Raritan Dominion Switch | 7374 |
| refleximc.xml | Reflex IMC | 7374 |
| RemotelyAnywhere.xml | RemotelyAnywhere / LogMeIn | 7374 |
| RetinaStatusLog.xml | Retina | 7374 |
| rsaauthmanager71.xml | RSA Authentication Manager 7.1 | 7374 |
| safeatoffice.xml | Checkpoint Safe@Office Firewall | 7374 |
| safeword.xml | SafeNet SafeWord | 7374 |
| samba.xml | Samba | 7374 |
| SanDiskCMC.xml | SanDisk CMC | 7374 |
| savantprotection.xml | Savant Protection | 7374 |
| SecureNet.xml | SecureNet IDS | 7380 |
| securespheredb.xml | SecureSphere Database Gateway 6.0 | 7374 |
| securespheresystem.xml | SecureSphere System and Firewall Events 6.0 | 7374 |
| securesphereweb.xml | SecureSphere Web Application Firewall 6.0 | 7374 |
| securid.xml | SecurID | 7374 |
| securidsyslog.xml | SecurID Syslog | 7374 |
| selinux.xml | SELinux | 7374 |
| sendmail.xml | Linux Sendmail | 7374 |
| sentriant.xml | Extreme Sentriant | 7374 |
| servuftp.xml | Serv-U FTP Server (Never Rotate) | 7374 |
| servuftp.xml | Serv-U FTP Server | 7374 |
| Sidewinder.xml | Sidewinder Firewall | 7374 |
| sidewinder61.xml | Sidewinder 6.1+ Firewall | 7401 |
| SmoothWallUTM.xml | SmoothWall Unified Threat Manager | 7433 |
| snmpdmessages.xml | smnpd daemon messages | 7374 |
| snort.xml | FortiSnort | 7440 |
| snort.xml | Snort | 7440 |
| snort.xml | SyslogSnort | 7440 |
| solarisbsm.xml | Solaris 10 BSM Auditing | 7374 |
| solarissnare.xml | Solaris 8 and 9 Snare Auditing | 7374 |
| solarissnare.xml | Solaris 10 Snare Auditing | 7374 |
| sonicsslvpn.xml | SonicWALL SSL VPN | 7391 |
| sonicwall.xml | SonicWall | 7465 |
| sonicwalles.xml | Sonicwall Email Security | 7374 |
| sonicwallgmsdb.xml | SonicWall GMS | 7374 |
| Sophos.xml | Sophos Anti-Virus for Win2k | 7374 |
| SophosDB.xml | Sophos Enterprise 3.0 Database | 7374 |
| SophosDB.xml | Sophos Enterprise 2.0 Database | 7374 |
| sophoses.xml | Sophos ES appliance auth | 7374 |
| sophoses.xml | Sophos ES appliance | 7374 |
| SophosSNMP.xml | Sophos Anti-Virus SNMP | 7439 |
| sophosws.xml | Sophos WS appliance | 7374 |
| SquidAccessLog.xml | Squid Access Log | 7374 |
| SquidGuardAccessBlock.xml | SquidGuard Access Block Log | 7374 |
| stonegatefirewall.xml | StoneGate Firewall v5.3 CEF | 7374 |
| sudolog.xml | sudo syslog | 7374 |
| sudolog.xml | sudo | 7374 |
| SW_Orion.xml | SolarWinds Orion and Virtualization Manager | 7380 |
| sybari.xml | Sybari's Antigen 7.0 for Exchange Server 2000 | 7374 |
| symantecep.xml | Symantec Endpoint Protection 11 | 7445 |
| SymantecGatewayIDS.xml | Symantec Gateway IDS | 7374 |
| symantecwebsec.xml | Symantec Web Security for Windows | 7374 |
| symmetricomsyncserver.xml | Symmetricom SyncServer | 7419 |
| thycoticsecretserver.xml | Thycotic Secret Server | 7374 |
| timirror.xml | Titanium Mirror Firewall | 7374 |
| tippingpoint.xml | Tippingpoint IPS 1.4 | 7374 |
| tippingpoint.xml | Tippingpoint IPS 2.1 | 7374 |
| tippingpoint.xml | Tippingpoint SMS | 7374 |
| tippingpoint_audit_system.xml | TippingPoint Audit and System | 7374 |
| tippingpointxseries.xml | Tippingpoint X505 | 7374 |
| toplayer.xml | TopLayer Attack Mitigator | 7374 |
| trendDeepSecurity.xml | Trend Deep Security | 7374 |
| trendimss.xml | Trend IMSS | 7374 |
| trendimssemgr.xml | Trend IMSS Policy | 7374 |
| trendimssvirus.xml | Trend IMSS Virus | 7374 |
| trendInterScan.xml | Trend InterScan | 7374 |
| trendmicroigsa.xml | Trend Micro Interscan Gateway Security Appliance | 7374 |
| trendOfficeScan.xml | Trend Office Scan | 7374 |
| trendScanMail.xml | Trend ScanMail | 7374 |
| trendServerProtect.xml | Trend Server Protect | 7374 |
| tricipher.xml | TriCipher | 7374 |
| tw_enterprise.xml | Tripwire Enterprise | 7374 |
| ultravnc.xml | Ultra VNC | 7374 |
| Velociraptor.xml | Symantec Velociraptor 1.5 | 7374 |
| velociraptor20.xml | Symantec Velociraptor 2.0 | 7374 |
| velociraptor30.xml | Symantec Velociraptor 3.0 | 7374 |
| vericeptmonitor.xml | Vericept Monitor | 7374 |
| VIPREBusiness.xml | VIPRE 5.0 | 7374 |
| VIPREBusiness.xml | VIPRE Business - System Events 4.0 | 7374 |
| VIPREBusiness.xml | VIPRE Business 4.0 | 7374 |
| VIPREEnterpriseDB.xml | VIPRE Enterprise 3.1 | 7374 |
| visneticfirewall.xml | VisNetic Firewall | 7374 |
| vistasecurity.xml | Windows 7/2008/Vista Security Log | 7449 |
| vormetric.xml | Vormetric | 7374 |
| vsftpxfer.xml | vsftpd xferlog | 7374 |
| WatchguardFirewalls.xml | WatchGuard firewalls | 7420 |
| WebrootAntispywareCorpEdDB.xml | Webroot Antispyware Corporate Edition 3.5 | 7374 |
| websense.xml | Websense Web Filter and Websense Web Security | 7434 |
| websenseDB.xml | Websense Web Filter and Websense Web Security Database | 7435 |
| websenseds.xml | Websense Data Security | 7435 |
| WgFirebox.xml | WatchGuard Firebox | 7429 |
| WgSoho.xml | WatchGuard SOHO | 7429 |
| WgVclass.xml | WatchGuard Vclass | 7374 |
| WgVclassAlarm.xml | WatchGuard Vclass (Alarm) | 7374 |
| WgVclassVpn.xml | WatchGuard Vclass (VPN) | 7374 |
| WgXcore.xml | WatchGuard Xcore | 7429 |
| WgXCSauth.xml | WatchGuard Extensible Content Security (XCS) auth log | 7374 |
| WgXCSsyslog.xml | WatchGuard Extensible Content Security (XCS) syslog | 7374 |
| WgXedge.xml | WatchGuard Firebox X Edge E-Series | 7429 |
| WindowsDHCPServer.xml | Windows DHCP Server 2003 | 7374 |
| WindowsDHCPServer.xml | Windows DHCP Server 2000 | 7374 |
| WindowsDHCPSystem.xml | Windows DHCP Server 2000/2003/2008 System Log | 7374 |
| WindowsDNSTraffic.xml | Windows DNS Traffic Log | 7374 |
| windowsfirewall.xml | Windows Firewall | 7374 |
| WRGHostGateway.xml | Wescom Resources Group's Host Gateway Windows Log | 7374 |
| wsftpserver.xml | WS_FTP Server Corporate | 7374 |
| xirruswifiarray.xml | Xirrus WiFi Array | 7374 |

Appendix E: CMC Commands

CMC commands are the only means to access LEM and nDepth Appliances. Use
CMC to upgrade and maintain the appliances.
You can use the CMC commands for such tasks as:

- Upgrading the Manager software
- Deploying new connector infrastructure to the Managers and Agents
- Rebooting or shutting down the network appliance
- Configuring trusted reporting hosts
- Configuring supplemental services on the Manager appliance
- Controlling your nDepth appliances
- Manually applying connector updates

Logging on to CMC

To log on to CMC:
1. Connect to the Network Appliance in either of two ways:
   - Connect directly to the Network Appliance with a keyboard and monitor.
     If you connect in this manner, skip to Step 7.
   - Connect using SSH on port 32022.
     SSH stands for Secure Shell, a remote administration protocol. To
     connect to the network appliance using SSH, you can use PuTTY, which
     is a free SSH tool. For more information on this tool, refer to the
     SolarWinds knowledge base.
     The following example shows the PuTTY Configuration form with the
     default Manager settings.
2. In the Host Name (or IP address) box, type the IP address of your Manager
   (in this example, the IP address is 10.1.1.200).
3. Under Protocol, click SSH.
4. In the Port box, type 32022.
5. So you don't have to do this again, type Manager into the Saved Sessions
   box, and then click Save.
6. Click Open.
   Note: To reopen this connection for future sessions, double-click Manager
   in the Saved Sessions box. The connection will reopen.
7. Whether you connect remotely or physically, the system will prompt you for
   your CMC user name and password.

Using the CMC 'appliance' menu

After typing the appliance command, the cmc::acm# prompt appears. You may
then use any of the commands listed in the following table.
The commands are listed in alphabetical order. Command descriptions with an
asterisk (*) mean the command requires an automatic restart of the Manager
service.

Command
    Description

activate
    Activates appliance features after activating LEM.

checklogs
    Shows the contents of the virtual appliance's log files from sources such
    as syslog and SNMP.

cleantemp
    Removes temporary files created by the virtual appliance during normal
    operation. You may run this command to recover used disk space, or at
    the suggestion of SolarWinds Support.

clearsyslog
    Removes all rotated and compressed localN files.

dateconfig
    Sets/shows the virtual appliance's date and time.

demote
    Demotes the appliance to a secondary appliance in a high availability or
    disaster recovery configuration. The demoted appliance will disable
    running LEM services and resume replicating its configuration
    information from the configured primary appliance.

diskusage
    Checks and provides a summary of disk usage for your virtual appliance
    and several of the internal components (such as the database or log
    files). This information is included when you send SolarWinds Support
    information using the support command.

editbanner
    Edits the SSH login banner.

exit
    Exits the Appliance menu and returns to the main menu.

exportsyslog
    Exports the System Logs.

help
    Shows the Help menu.

hostname
    Changes the virtual appliance's hostname.

limitsyslog
    Interrogates and/or changes the number of rotated log files to be kept.

netconfig
    Configures network parameters for the appliance, such as the IP address,
    subnet mask and DNS server(s).

ntpconfig
    Configures the Network Time Protocol (NTP) service on the virtual
    appliance for synchronization with a time server.

password
    Changes the CMC user password.

ping
    Pings other IP addresses or host names from the virtual appliance to
    verify network connectivity.

promote
    Promotes the appliance to the primary appliance in a high availability
    or disaster recovery configuration. The promoted appliance will take
    over LEM services until it is demoted with the demote command.

reboot
    Reboots the virtual appliance.

setlogrotate
    Defines the syslog rotation frequency (hourly, daily

shutdown
    Shuts down the virtual appliance.

top
    Displays and monitors CPU and memory usage, as well as per-process
    information for the Manager Network Appliance.

tzconfig
    Configures the virtual appliance's time zone information.

viewnetconfig
    Displays the current network configuration parameters for the appliance
    such as the IP address, subnet mask and DNS server(s).

Using the CMC 'manager' Menu

After typing the manager command, the cmc::cmm# prompt appears. You may
then use any of the commands listed in the following table. The commands are
listed in alphabetical order. Command descriptions with an asterisk (*) mean the
command requires an automatic restart of the Manager service.

Command
    Description

actortoolupgrade
    * Upgrades the Manager's Actor Tools from CD or floppy disk.

archiveconfig
    Configures the Manager appliance database archives to a remote file
    share on a daily, weekly, or monthly schedule.

backupconfig
    Configures the Manager appliance software and configuration backups to
    a remote file share on a daily, weekly, or monthly schedule.

cleanagentconfig
    Reconfigures the Agent on this Manager to a new Manager.

configurendepth
    Configures the virtual appliance to use an nDepth server.

dbquery
    Queries the Manager appliance database directly.

debug
    Emails the Manager debugging information to any given email address.
    The email message contains a collection of data that can be useful in
    diagnosing problems.

exit
    Returns to the main CMC menu.

exportcert
    Exports the CA certificate for the Console.

exportcertrequest
    Exports a certificate request for signing by a CA.

help
    Displays a brief description of each command.

importcenter
    * Imports a certificate used for Console communication.

logbackupconfig
    Configures the Manager appliance remote log backups to a remote file
    share on a daily, weekly, or monthly schedule.

resetadmin
    * Resets the admin password to "password". This command does not
    affect other users on the system and all settings are preserved.

restart
    * Restarts the Manager service. This will take the Manager offline for
    13 minutes.

sensortoolupgrade
    Upgrades the Manager's Sensor Tools from a CD or floppy disk.

showlog
    Allows you to page through the Manager's log file.

showmanagermem
    Displays the Manager's configured memory utilization settings.

start
    Starts the Manager service. If the Manager is already started, then
    nothing will happen.

stop
    * Stops the Manager service. This makes the Manager inactive until it
    is started again.

support
    Sends debugging information via email to support@SolarWinds.com. This
    command prompts you for your name and email address. It then sends
    SolarWinds a collection of data that can be useful in diagnosing
    problems.

togglehttp
    * Enables or disables HTTP on port 80.

viewsysinfo
    Displays appliance settings and information, useful for support and
    troubleshooting.

watchlog
    Displays 20 lines of the current Manager log file and monitors the log
    for further updates. Any new log entries appear as they are written to
    the log.
Using the CMC 'ndepth' menu

If you have one or more nDepth appliances, CMC has an ind menu that lets you
control these appliances. After typing the ind command, the cmc::ind# prompt
appears. You may then use any of the commands listed in the following table.
The commands are listed in alphabetical order. Command descriptions with an
asterisk (*) mean the command requires an automatic restart of the Manager
service.

Command
    Description

exit
    Exits the nDepth menu and returns to the main menu.

help
    Shows the help menu.

logmarchiveconfig
    Sets Log Message archive share settings.

logmbackupconfig
    Sets Log Message backup share settings.

restart
    * Restarts the Log Message search/storage service.

start
    Starts the Log Message search/storage service.

stop
    Stops the Log Message search/storage service.
Using the CMC 'service' Menu

After typing the service command, the cmc::scm# prompt appears. You may
then use any of the commands listed in the following table.
The commands are listed in alphabetical order. Command descriptions with an
asterisk (*) mean the command requires an automatic restart of the Manager
service.

Command
    Description

copysnortrules
    Copies the existing Snort rules from the Manager onto a floppy disk or
    network file share. This allows you to retrieve the Snort rules from the
    Manager's hard drive and make any rule updates or modifications. This
    requires a formatted floppy disk or a network file share.

disableflow
    Disables NetFlow/sFlow collection on the SolarWinds Appliance (and in
    the SolarWinds Explorer).

disablesnmp
    Disables SNMP trap logging to the Manager. The SNMP trap logging
    service will be permanently disabled until the enablesnmp command is
    issued.

enableflow
    * Enables NetFlow/sFlow collection on the SolarWinds Appliance (and in
    the Explorer).

enablesnmp
    Enables SNMP trap logging to the Manager. By default, SNMP is disabled
    on the Manager. This command enables SNMP to allow integration with
    some security tools that can only log using SNMP.

exit
    Returns to the main CMC menu.

getflowdbsize
    Checks the size of the Flow database.

help
    Displays a brief description of each command within the service menu.

loadsnortbackup
    Loads Snort rules from factory default on the Manager. This allows you
    to revert to the Snort rules' original default settings in case of an
    error. This command overwrites any changes that were made to the main
    set of rules with the original rules that were installed with the
    SolarWinds system.

loadsnortrules
    Loads Snort rules from a floppy disk or a network file share to the
    Manager. This allows you to update the Snort rules on the Manager. The
    floppy disk must be in the same format (i.e., the same names and
    directories) that the copysnortrules command uses to issue the original
    rules; otherwise, the rules will not be updated.

restartsnort
    Restarts the Snort service.

restartssh
    Restarts the SSH service. If the SSH service is running, this command
    stops and then restarts the service.

restrictconsole
    Restricts access to the Console's graphical user interface to only
    certain IP addresses or hostnames. This command prompts you to provide
    the allowable IP addresses or hostnames. Once the restriction is in
    place, only the given IP addresses/hostnames are able to connect to the
    Console. Users are still required to log in with a password to fully
    access the Console.

restrictreports
    Restricts access to reports to only certain IP addresses or hostnames.
    This command prompts you to provide the allowable IP addresses or
    hostnames. Once the restriction is in place, only the given IP
    addresses/hostnames are able to create and view reports.

restrictssh
    Restricts the SSH service to only certain IP addresses. This command
    prompts you to provide the allowable IP addresses. Once the restriction
    is in place, only the given IP address/user combinations will be able to
    connect to the Manager using the SSH service.

startssh
    Starts running the SSH service.

stopopsec
    Terminates any connections from the Manager Appliance to Check Point
    OPSEC hosts.

stopssh
    Stops running the SSH service. If you issue this command, you can only
    access the Manager with a keyboard and monitor until you issue a reboot
    command.
    To restrict access to the SSH service (outside of the user name and
    password requirements), see the restrictssh command.

unrestrictconsole
    Removes restrictions to the Console's graphical user interface. This
    command removes all restrictions and allows any valid system user to
    connect to the Console. The only protection at this point is the user
    name and password combination.

unrestrictreports
    Removes restrictions on access to reports. This command removes all
    restrictions and allows anyone with the Reports Console, or any
    alternative database connection software, with the proper username and
    password, to create and view reports and browse the database.

unrestrictssh
    Removes restrictions to the SSH service. Any connection attempts will
    still require a user name and password.

Upgrading LEM Connectors

Upgrading connectors through the LEM Console is a new feature in LEM 6.2. For
pre-6.2 versions, update connectors using the CMC command interface.

Updating connectors using the LEM Console

1. Navigate to the Appliance grid on the Manage tab.
2. Select Update from the Connector Updates pull-down menu at the top right
   of the Appliances pane.
   A message displays, letting you know whether the update was applied or
   not.

Updating connectors using the CMC interface

1. Download the current Connector Update package here:
   http://downloads.solarwinds.com/solarwinds/Release/LEM/SolarWinds-LEMConnectors.zip.
2. Prepare the update package:
   a. Download the Connector Update package using the link above, or from
      the Additional Components page for LEM on the SolarWinds Customer
      Portal. The download is approximately 3.6 MB.
   b. Unzip the file. The directory structure created uses approximately
      100 MB of space.
   c. Open the SolarWinds-LEM-Connectors folder.
   d. Copy the LEM folder to the root of a network share. For example, the
      network share might be: \\<server-IP>\<share-name>. The connector
      upgrade finds the LEM directory under the root of the share.
3. Connect to the LEM Virtual Appliance using a virtual console or SSH client.
4. Access the CMC prompt:
   - Virtual Console: Arrow down to Advanced Configuration, and then press
     Enter.
   - SSH Client: Log in using CMC credentials.
5. At the cmc> prompt, enter manager.
6. At the cmc::cmm# prompt, enter sensortoolupgrade.
7. Press Enter to validate the entry.
8. Enter n to indicate that the update is on the network.
9. Press Enter to validate your entry.
10. Enter the server and share name for the location where the update
    package was saved in \\server\share format. The connector upgrade locates
    the LEM directory under the root of the share.
11. Enter y to confirm the entry.
12. Enter the domain and user name for a user that can access the share in
    domain\user format.
13. Enter y to confirm the entry.
14. Enter the password for the user.
15. Re-enter the password to confirm the entry.
16. Enter 1 to start the update. The update takes several minutes.
17. Verify that the configured connectors restart after they are updated by
    watching for InternalToolOnline events in the default SolarWinds events
    filter in the LEM Console.
18. After the update is finished, enter exit twice to exit the CMC interface.
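The package preparation in step 2 above, done from a Windows administration host, as an added PowerShell example that is not part of this manual or of SolarWinds' tooling. The share path and working directory are placeholders to adjust, and the script assumes PowerShell 5 or later (for Expand-Archive) and write access to the share.

```powershell
# Added example, not SolarWinds code: stage the Connector Update package so
# that the LEM folder sits directly under the root of the share, which is
# where the sensortoolupgrade command looks for it.
param(
    # Download URL as given in the manual.
    [string]$PackageUrl = 'http://downloads.solarwinds.com/solarwinds/Release/LEM/SolarWinds-LEMConnectors.zip',
    # Placeholder from the manual; replace with your real share.
    [string]$SharePath  = '\\<server-IP>\<share-name>',
    # Local scratch directory (assumption; any writable folder works).
    [string]$WorkDir    = (Join-Path $env:TEMP 'lem-connectors')
)

$ErrorActionPreference = 'Stop'

# Step 2a: download the package (about 3.6 MB according to the manual).
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$zipPath = Join-Path $WorkDir 'SolarWinds-LEMConnectors.zip'
Invoke-WebRequest -Uri $PackageUrl -OutFile $zipPath

# Step 2b: unzip; the extracted tree uses roughly 100 MB.
$extractDir = Join-Path $WorkDir 'extracted'
Expand-Archive -Path $zipPath -DestinationPath $extractDir -Force

# Step 2c: the LEM folder lives inside SolarWinds-LEM-Connectors.
$lemSource = Join-Path $extractDir 'SolarWinds-LEM-Connectors\LEM'
if (-not (Test-Path -Path $lemSource -PathType Container)) {
    throw "Expected folder not found after extraction: $lemSource"
}

# Step 2d: copy LEM to the root of the share. Copying it one level deeper
# (for example \\server\share\SolarWinds-LEM-Connectors\LEM) would leave
# the upgrade unable to locate it.
Copy-Item -Path $lemSource -Destination $SharePath -Recurse -Force

# Confirm the layout the appliance expects before starting the CMC steps.
$lemOnShare = Join-Path $SharePath 'LEM'
if (-not (Test-Path -Path $lemOnShare -PathType Container)) {
    throw "LEM folder is not at the root of the share: $lemOnShare"
}
$fileCount = (Get-ChildItem -Path $lemOnShare -Recurse -File | Measure-Object).Count
Write-Host "Staged $fileCount files under $lemOnShare."
Write-Host "Enter '$SharePath' when sensortoolupgrade asks for the server and share."
```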


Appendix F: Report Tables


The following tables list all of LEMs reports, provide descriptions of their
contents, and suggest schedules for running each report.

Table of Audit reports


The following table lists and describes each audit reports. For your convenience,
the reports are listed alphabetically by title.
Title

Description

File name Schedule

Authentication
Report

This report lists all authentications


tracked by the SolarWinds system,
including user logon, logoff, failed
logon attempts, guest logons, etc.

Authentication
Report Authentication
Audit

This report lists event events that are RPT2003- As


related to authentication and
02-10.rpt needed
authorization of accounts and account
'containers' such as groups or
domains. These events can be
produced from any network node
including firewalls, routers, servers,
and clients.

Authentication
Report Suspicious
Authentication

This report lists event events that are RPT2003- As


related to suspicious authentication
02-9.rpt
Needed
and authorization events. These
events include excessive failed
authentication or authorization
attempts, suspicious access to
unauthenticated users, and suspicious
access to unauthorized services or
information.

Authentication
Report - Top

This report lists the Top User Log On


events grouped by user name.

524

RPT2003- Weekly
02.rpt

RPT2003- As
02-6-2.rpt needed

Appendix F: Report Tables

Title

Description

File name Schedule

User Log On by
User
Authentication
Report - Top
User Log On
Failure by User

This report lists the Top User Log On RPT2003- As


Failure events grouped by user name. 02-7-2.rpt needed

Authentication
Report SolarWinds
Authentication

This report shows logon, logoff, and


RPT2003- As
logon failure activity to the SolarWinds 02-8.rpt
needed
Console.

Authentication
User Logoff events reflect account
RPT2003- As
Report - User Log logoff events from network devices
02-5.rpt
needed
Off
(including network infrastructure
devices). Each event will reflect the
type of device from which the user was
logging off. These events are usually
normal events but are tracked for
consistency and auditing purposes.
Authentication
User Logon events reflect user
Report - User Log account logon events from network
On
devices monitored by SolarWinds
(including network infrastructure
devices). Each event will reflect the
type of device that the logon was
intended for along with all other
relevant fields.

RPT2003- As
02-6.rpt
needed

Authentication
This report lists all account logon
Report - User Log events, grouped by user name.
On by User

RPT2003- As
02-6-1.rpt needed

Authentication
User Logon Failure events reflect
RPT2003- As
Report - User Log failed account logon events from
02-7.rpt
needed
On Failure
network devices (including network
infrastructure devices). Each event will

525

Table of Audit reports

Title

Description

File name Schedule

reflect the point on the network where


the user was attempting logon. In
larger quantities, these events may
reflect a potential issue with a user or
set of users, but as individual events
they are generally not a problem.
Authentication
This report lists all account logon
RPT2003- As
Report - User Log failure events, grouped by user name. 02-7-1.rpt needed
On Failure by
User
Change
Management General
Authentication
Related Events

This report includes changes to


domains, groups, machine accounts,
and user accounts.

Change
Management General
Authentication:
Domain Events

This report includes changes to


RPT2006- As
domains, including new domains, new 20-01.rpt needed
members, and modifications to domain
settings.

Change
Management General
Authentication:
Domain Events Change Domain
Attribute

This report lists changes to domain


RPT2006- As
type. These events are uncommon
20-01needed
and usually provided by the operating 7.rpt
system. Usually, these changes are
made by a user account with
administrative privileges, but
occasionally a change will happen
when local system maintenance
activity takes place.

Change
Management General
Authentication:

This report lists event events that


RPT2006- As
occur when an account or account
20-01needed
container within a domain is modified. 4.rpt
Usually, these changes are made by a

526

RPT2006- As
20.rp
needed

Appendix F: Report Tables

Title

Description

File name Schedule

Domain Events - user account with administrative


Change Domain privileges, but occasionally an event
Member
occurs when local system
maintenance activity takes place.
Events of this nature mean a user,
machine, or service account within the
domain has been modified.
Change
Management General
Authentication:
Domain Events Delete Domain

This report lists event events that


RPT2006- As
occur upon removal of a trust
20-01needed
relationship between domains,
8.rpt
deletion of a subdomain, or deletion of
account containers within a domain.
Usually, these changes are made by a
user account with administrative
privileges.

Change
Management General
Authentication:
Domain Events Delete Domain
Member

This report lists event events that


occur when an account or account
container has been removed from a
domain. Usually, these changes are
made by a user account with
administrative privileges, but
occasionally they occur when local
system maintenance activity takes
place.

Change
Management General
Authentication:
Domain Events Domain Member
Alias

This report lists event events that


RPT2006- As
happen when the alias for a domain
20-01needed
member has been changed. This
5.rpt
means an account or account
container within a domain has an alias
created, deleted, or otherwise
modified. This event is uncommon and
is used to track links between domain
members and other locations in the
domain where the member may
appear.

527

RPT2006- As
20-01needed
3.rpt

Table of Audit reports

Title

Description

File name Schedule

Change
Management General
Authentication:
Domain Events DomainAuthAudit

This report lists authentication,


RPT2006- As
authorization, and modification events 20-01needed
that are related only to domains,
1.rpt
subdomains, and account containers.
These events are normally related to
operating systems. However, they can
be produced by any network device.

Change
Management General
Authentication:
Domain Events New Domain

This report lists event events that


occur upon creation of a new trust
relationship between domains,
creation of a new subdomain, or
creation of new account containers
within a domain. Usually, these
creations are done by a user account
with administrative privileges.

Change
Management General
Authentication:
Domain Events New Domain
Member

This report lists event events that


RPT2006- As
occur when an account or an account 20-01needed
container (a new user, machine, or
2.rpt
service account) has been added to
the domain. Usually, these additions
are made by a user account with
administrative privileges, but
occasionally they occur when local
system maintenance activity takes
place.

Change
Management General
Authentication:
Group Events

This report lists changes to groups,


including new groups, members
added/removed to/from groups, and
modifications to group settings.

Change
Management General
Authentication:

This report lists event events that


RPT2006- As
occur when a group type is modified. 20-02needed
Usually, these changes are made by a 6.rpt
user account with administrative

528

RPT2006- As
20-01needed
6.rpt

RPT2006- As
20-02.rpt needed

Appendix F: Report Tables

Title

Description

File name Schedule

Group Events Change Group


Attribute

privileges, but occasionally a they


occur when local system maintenance
activity takes place.

Change
Management General
Authentication:
Group Events Delete Group

This report lists event events that


RPT2006- As
occur upon deletion of a new group of 20-02needed
any type. Usually, these additions are 5.rpt
made by a user account with
administrative privileges.

Change
Management General
Authentication:
Group Events Delete Group
Member

This report lists event events that


RPT2006- As
occur when an account or group has 20-02needed
been removed from a group. Usually, 3.rpt
these changes are made by a user
account with administrative privileges,
but occasionally they occur when local
system maintenance activity takes
place.

Change
Management General
Authentication:
Group Events Group Audit

This report lists authentication,


RPT2006- As
authorization, and modification events 20-02needed
related only to account groups. These 1.rpt
events are normally operating system
related, however could be produced
by any network device.

Change
Management General
Authentication:
Group Events New Group

This report lists NewGroup events.


RPT2006- As
These events occur upon creation of a 20-02needed
new group of any type. Usually, these 4.rpt
additions are made by a user account
with administrative privileges.

Change
Management General
Authentication:

This report lists NewGroupMember


events. These events occur when an
account (or other group) has been
added to a group. Usually, these

529

RPT2006- As
20-02needed
2.rpt

Table of Audit reports

Title

Description

File name Schedule

Group Events New Group


Member

additions are made by a user account


with administrative privileges, but
occasionally an event will occur when
local system maintenance activity
takes place. A new user, machine, or
service account has been added to the
group.

Change
Management General
Authentication:
Machine Account
Events

This report includes changes to


RPT2006- As
machine accounts, including
20-03.rpt needed
enabling/disabling machine accounts
and modifications to machine account
settings.

Change
Management General
Authentication:
Machine Account
Events - Machine
Disabled

This report lists MachineDisable


events. These events occur when a
machine account is actively disabled
and/or when an account is forcibly
locked out by the operating system or
other authentication tool. These
events are usually operating system
related and could reflect a potential
issue with a computer or set of
computers.

RPT2006- As
20-03needed
3.rpt

Change
Management General
Authentication:
Machine Account
Events - Machine
Enabled

This report lists MachineEnable


events, which reflect the action of
enabling a computer or machine
account. These events are normally
related to the operating system, and
will trigger when a machine is
enabled, normally by a user with
administrative privileges.

RPT2006- As
20-03needed
1.rpt

Change
Management General

This report lists


RPT2006- As
MachineModifyAttribute events, which 20-03needed
occur when a computer or machine
2.rpt

530

Appendix F: Report Tables

Title

Description

File name Schedule

Authentication:
type is changed. These events are
Machine Account uncommon and usually provided by
Events - Machine the operating system.
Modify Attribute
Change
Management General
Authentication:
User Account
Events

This report includes changes to user RPT2006- As


accounts, including enabling/disabling 20-04.rpt needed
user accounts and modifications to
user account settings.

Change
Management General
Authentication:
User Account
Events - User
Disabled

This report lists UserDisable events. RPT2006- As


These events occur when a user
20-04needed
account is actively disabled and/or
3.rpt
when a user is forcibly locked out by
the operating system or other
authentication tool. These events are
usually related to the operating system
and can reflect a potential issue with a
user or set of users.

Change
Management General
Authentication:
User Account
Events - User
Enabled

This report lists UserEnable events,


RPT2006- As
which reflect the action of enabling a 20-04needed
user account. These events are
1.rpt
normally related to the operating
system . They occur both when an
account is 'unlocked' after lockout
due to unsuccessful logons, and when
an account is enabled in the
traditional sense.

Change
Management General
Authentication:
User Account
Events - User

This report lists UserModifyAttribute


events that occur when a user type is
changed. These events are
uncommon and usually provided by
the operating system.

531

RPT2006- As
20-04needed
2.rpt

Table of Audit reports

Title

Description

File name Schedule

Modify Attributes
Change
Management Network
Infrastructure:
Policy/View
Change

This report includes accesses to


network infrastructure device policy,
including viewing or changing device
policy.

RPT2006- As
21.rpt
needed

Change
Management Windows/Active
Directory
Domains: Group
Created

This report includes creations of


Windows/Active Directory groups.

RPT2006- As
22-01.rpt needed

Change
Management Windows/Active
Directory
Domains: Group
Deleted

This report includes deletions of


Windows/Active Directory groups.

RPT2006- As
22-02.rpt needed

Change
Management Windows/Active
Directory
Domains: Group
Events

This report includes Windows/Active


Directory group-related events.

RPT2006- As
22.rpt
needed

Change
This report includes changes to
Management Windows/Active Directory group
Windows/Active properties, such as the display name.
Directory
Domains: Group
Property Updated

RPT2006- As
22-03.rpt needed

Change
Management -

RPT2006- As
23.rpt
needed

This report includes Windows/Active


Directory machine-related events.

532

Appendix F: Report Tables

Title

Description

File name Schedule

Windows/Active
Directory
Domains:
Machine Events
Change
This report includes creations of
Management Windows/Active Directory machine
Windows/Active accounts.
Directory
Domains:
Machine Events Account Created

RPT2006- As
23-01.rpt needed

Change
This report includes deletions of
Management Windows/Active Directory machine
Windows/Active accounts.
Directory
Domains:
Machine Events Account Deleted

RPT2006- As
23-02.rpt needed

Change
This report includes disables of
Management Windows/Active Directory machine
Windows/Active accounts.
Directory
Domains:
Machine Events Account Disabled

RPT2006- As
23-03.rpt needed

Change
This report includes enables of
Management Windows/Active Directory machine
Windows/Active accounts.
Directory
Domains:
Machine Events Account Enabled

RPT2006- As
23-04.rpt needed

Change

RPT2006- As
23-05.rpt needed

This report includes changes to

533

Table of Audit reports

Title

Description

File name Schedule

Management Windows/Active Directory machine


Windows/Active account properties, such as the
Directory
display name.
Domains:
Machine Events Account
Properties
Update
Change
This report includes additions of
Management Windows/Active Directory machine
Windows/Active accounts to groups.
Directory
Domains:
Machine Events Added To Group

RPT2006- As
23-06.rpt needed

Change
This report includes additions of
Management Windows/Active Directory machine
Windows/Active accounts to Organizational Units.
Directory
Domains:
Machine Events Added To OU

RPT2006- As
23-07.rpt needed

Change
This report includes removals of
Management Windows/Active Directory machine
Windows/Active accounts from groups.
Directory
Domains:
Machine Events Removed From
Group

RPT2006- As
23-08.rpt needed

Change
Management Windows/Active
Directory

RPT2006- As
23-09.rpt needed

This report includes removals of


Windows/Active Directory machine
accounts from Organizational Units.

534

Appendix F: Report Tables

Title

Description

File name Schedule

Domains:
Machine Events Removed From
OU
Change
Management Windows/Active
Directory
Domains: New
Critical Group
Members

This report includes additions of


Windows/Active Directory user
accounts to critical groups, such as
Domain or Enterprise Admins.

RPT2006- As
22-04.rpt needed

Change
Management Windows/Active
Directory
Domains: OU
Events

This report includes Windows/Active


Directory Organizational Unit-related
events.

RPT2006- As
24.rpt
needed

Change
Management Windows/Active
Directory
Domains: OU
Events - OU
Created

This report includes creation of


Windows/Active Directory
Organizational Units.

RPT2006- As
24-01.rpt needed

Change
Management Windows/Active
Directory
Domains: OU
Events - OU
Deleted

This report includes deletion of


Windows/Active Directory
Organizational Units.

RPT2006- As
24-02.rpt needed

Change
Management -

This report includes updates to


Windows/Active Directory

RPT2006- As
24-03.rpt needed

535

Table of Audit reports

Title

Description

Windows/Active
Directory
Domains: OU
Events - OU
Properties
Update

Organizational Unit properties, such


as the display name.

Title: Change Management - Windows/Active Directory Domains: User Events
Description: This report includes Windows/Active Directory user-related events.
File name: RPT2006-25.rpt. Schedule: As needed.

Title: Change Management - Windows/Active Directory Domains: User Events - Account Created
Description: This report includes creations of Windows/Active Directory user accounts.
File name: RPT2006-25-01.rpt. Schedule: As needed.

Title: Change Management - Windows/Active Directory Domains: User Events - Account Deleted
Description: This report includes deletions of Windows/Active Directory user accounts.
File name: RPT2006-25-02.rpt. Schedule: As needed.

Title: Change Management - Windows/Active Directory Domains: User Events - Account Disabled
Description: This report includes disabling of Windows/Active Directory user accounts.
File name: RPT2006-25-03.rpt. Schedule: As needed.

Title: Change Management - Windows/Active Directory Domains: User Events - Account Enabled
Description: This report includes enabling of Windows/Active Directory user accounts.
File name: RPT2006-25-04.rpt. Schedule: As needed.

Title: Change Management - Windows/Active Directory Domains: User Events - Account Lockout
Description: This report includes user-driven lockouts of Windows/Active Directory user accounts, such as an account exceeding the failed-password limit.
File name: RPT2006-25-05.rpt. Schedule: As needed.

Title: Change Management - Windows/Active Directory Domains: User Events - Account Properties Updated
Description: This report includes changes to Windows/Active Directory user account properties, such as the display name.
File name: RPT2006-25-06.rpt. Schedule: As needed.

Title: Change Management - Windows/Active Directory Domains: User Events - Added To Group
Description: This report includes additions of Windows/Active Directory user accounts to groups.
File name: RPT2006-25-07.rpt. Schedule: As needed.

Title: Change Management - Windows/Active Directory Domains: User Events - Added To OU
Description: This report includes additions of Windows/Active Directory user accounts to Organizational Units.
File name: RPT2006-25-08.rpt. Schedule: As needed.

Title: Change Management - Windows/Active Directory Domains: User Events - Removed From Group
Description: This report includes removals of Windows/Active Directory user accounts from groups.
File name: RPT2006-25-09.rpt. Schedule: As needed.

Title: Change Management - Windows/Active Directory Domains: User Events - Removed From OU
Description: This report includes removals of Windows/Active Directory user accounts from Organizational Units.
File name: RPT2006-25-10.rpt. Schedule: As needed.
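The logic that the User Events - Added To Group, User Events - Removed From Group and New Critical Group Members reports above describe, shown as an added Python example run over a constructed stream of normalized group-membership events. This is not LEM code: the Event record layout, the event_type strings, and the two extra entries in CRITICAL_GROUPS beyond the Domain Admins and Enterprise Admins the table names are assumptions made for the example.

```python
"""Reproduce three Change Management reports (User Added To Group, User Removed
From Group, New Critical Group Members) over a constructed stream of normalized
Active Directory group-membership events.

Added example, not LEM code. The Event layout, the event_type strings and the
extra entries in CRITICAL_GROUPS are assumptions made for this example."""
from collections import namedtuple
from datetime import datetime

# Assumed normalized record; real events carry more fields than these reports need.
Event = namedtuple("Event", "time event_type actor target group")

# The table names Domain Admins and Enterprise Admins; the other two are this
# example's assumption of what a site would also treat as critical.
CRITICAL_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators"}


def norm_group(group):
    """Reduce 'CORP\\Domain Admins', 'Domain Admins@corp.example' and
    'domain admins' to one lower-case key, so the membership check does not
    depend on how the reporting tool rendered the group name."""
    name = group
    if "\\" in name:
        name = name.split("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name.strip().lower()


def added_to_group(events):
    return [e for e in events if e.event_type == "UserAddedToGroup"]


def removed_from_group(events):
    return [e for e in events if e.event_type == "UserRemovedFromGroup"]


def new_critical_group_members(events, critical=CRITICAL_GROUPS):
    """Additions whose target group is critical: what the New Critical Group
    Members report lists."""
    return [e for e in added_to_group(events) if norm_group(e.group) in critical]


def critical_members_at_end(events, critical=CRITICAL_GROUPS):
    """Net view over the window. An add followed by a remove (a short-lived
    privilege grant) still appears in new_critical_group_members, because that
    report lists additions; it drops out here. Reviewing both views catches
    temporary grants that a membership snapshot alone would miss."""
    members = set()
    for e in sorted(events, key=lambda ev: ev.time):
        key = (e.target.lower(), norm_group(e.group))
        if key[1] not in critical:
            continue
        if e.event_type == "UserAddedToGroup":
            members.add(key)
        elif e.event_type == "UserRemovedFromGroup":
            members.discard(key)
    return members


# Constructed sample stream; not real log data.
SAMPLE_EVENTS = [
    Event(datetime(2015, 9, 1, 8, 5), "UserAddedToGroup", "CORP\\jsmith",
          "CORP\\svc_backup", "CORP\\Backup Operators"),
    Event(datetime(2015, 9, 1, 8, 7), "UserAddedToGroup", "CORP\\jsmith",
          "CORP\\tmp_admin", "CORP\\Domain Admins"),
    Event(datetime(2015, 9, 1, 8, 9), "UserRemovedFromGroup", "CORP\\jsmith",
          "CORP\\tmp_admin", "Domain Admins@corp.example"),
    Event(datetime(2015, 9, 1, 9, 30), "UserAddedToGroup", "CORP\\Administrator",
          "CORP\\kdoe", "Enterprise Admins"),
    Event(datetime(2015, 9, 1, 9, 31), "UserAddedToOU", "CORP\\Administrator",
          "CORP\\kdoe", "OU=Admins,DC=corp,DC=example"),
]

if __name__ == "__main__":
    for e in new_critical_group_members(SAMPLE_EVENTS):
        print(f"{e.time:%Y-%m-%d %H:%M} {e.actor} added {e.target} to {e.group}")
    print("critical members at end of window:",
          sorted(critical_members_at_end(SAMPLE_EVENTS)))
```

The two-minute grant to tmp_admin is the case worth noticing: it shows up in the additions view but not in the end-of-window membership, which is why the additions report, not a group snapshot, is the one to review for critical groups.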

Title: File Audit Events
Description: This report tracks file system activity associated with audited files and system objects, such as file access successes and failures.
File name: RPT2003-05.rpt. Schedule: Weekly.

Title: File Audit Events - File Attribute Change
Description: File Attribute Change is a specific File Write event generated for the modification of file attributes (including properties such as read-only status). These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems.
File name: RPT2003-05-41.rpt. Schedule: As needed.

Title: File Audit Events - File Audit
Description: File Audit events are used to track file activity on monitored network devices, usually through the Operating System or a Host-Based IDS. These events will note success or failure of the requested operation.
File name: RPT2003-05-11.rpt. Schedule: As needed.

Title: File Audit Events - File Audit Failure
Description: File Audit Failure events are used to track failed file activity on monitored network devices, usually through the Operating System or a Host-Based IDS. These events will note what requested operation failed.
File name: RPT2003-05-12.rpt. Schedule: As needed.

Title: File Audit Events - File Create
Description: File Create is a specific File Write event generated for the initial creation of a file. These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems.
File name: RPT2003-05-42.rpt. Schedule: As needed.

Title: File Audit Events - File Data Read
Description: File Data Read is a specific File Read event generated for the operation of reading data from a file (not just properties or status of a file). These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems.
File name: RPT2003-05-31.rpt. Schedule: As needed.

Title: File Audit Events - File Data Write
Description: File Data Write is a specific File Write event generated for the operation of writing data to a file (not just properties or status of a file). These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems.
File name: RPT2003-05-43.rpt. Schedule: As needed.

Title: File Audit Events - File Delete
Description: File Delete is a specific File Write event generated for the deletion of an existing file. These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems.
File name: RPT2003-05-44.rpt. Schedule: As needed.

Title: File Audit Events - File Execute
Description: File Execute is a specific File Read event generated for the operation of executing files. These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems.
File name: RPT2003-05-32.rpt. Schedule: As needed.

Title: File Audit Events - File Handle Audit
Description: File Handle Audit events are used to track file handle activity on monitored network devices, usually through low-level access to the Operating System, either natively or with a Host-Based IDS. These events will note success or failure of the requested operation.
File name: RPT2003-05-21.rpt. Schedule: As needed.

Title: File Audit Events - File Handle Close
Description: File Handle Close is a specific File Handle Audit event generated for the closing of file handles. These events may be generated by a tool that has low-level file access, such as an Operating System or some Host-Based IDSs.
File name: RPT2003-05-22.rpt. Schedule: As needed.

Title: File Audit Events - File Handle Copy
Description: File Handle Copy is a specific File Handle Audit event generated for the copying of file handles. These events may be generated by a tool that has low-level file access, such as an Operating System or some Host-Based IDSs.
File name: RPT2003-05-23.rpt. Schedule: As needed.

Title: File Audit Events - File Handle Open
Description: File Handle Open is a specific File Handle Audit event generated for the opening of file handles. These events may be generated by a tool that has low-level file access, such as an Operating System or some Host-Based IDSs.
File name: RPT2003-05-24.rpt. Schedule: As needed.

Title: File Audit Events - File Link
Description: File Link is a specific File Write event generated for the creation, deletion, or modification of links to other files. These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems.
File name: RPT2003-05-45.rpt. Schedule: As needed.

Title: File Audit Events - File Move
Description: File Move is a specific File Write event generated for the operation of moving a file that already exists. These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems.
File name: RPT2003-05-46.rpt. Schedule: As needed.

Title: File Audit Events - File Read
Description: File Read is a specific File Audit event generated for the operation of reading files (including reading properties of a file or the status of a file). These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems.
File name: RPT2003-05-33.rpt. Schedule: As needed.

Title: File Audit Events - File Write
Description: File Write is a specific File Audit event generated for the operation of writing to a file (including writing properties of a file or changing the status of a file). These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some operating systems.
File name: RPT2003-05-47.rpt. Schedule: As needed.
Title: File Audit Events - Object Audit
Description: Object Audit events are used to track special object activity on monitored network devices, usually through the Operating System or a Host-Based IDS. Generally, Objects are special types of system resources, such as registry items or user account databases. These objects may be actual 'files' on the system, but are not necessarily human readable. These events will note success or failure of the requested operation.
File name: RPT2003-05-51.rpt. Schedule: As needed.

Title: File Audit Events - Object Audit Failure
Description: Object Audit Failure events are used to track special object activity on monitored network devices, usually through the Operating System or a Host-Based IDS. Generally, Objects are special types of system resources, such as registry items or user account databases. These objects may be actual 'files' on the system, but are not necessarily human readable. These events will note a failure of the requested operation.
File name: RPT2003-05-52.rpt. Schedule: As needed.

Title: File Audit Events - Object Delete
Description: Object Delete is a specific Object Audit event generated for the deletion of an existing object. These events may be produced by any tool that is used to monitor the activity of file and object usage, including a Host-Based IDS and some Operating Systems.
File name: RPT2003-05-53.rpt. Schedule: As needed.

Title: File Audit Events - Object Link
Description: Object Link is a specific Object Audit event generated for the creation, deletion, or modification of links to other objects. These events may be produced by any tool that is used to monitor the activity of file and object usage, including a Host-Based IDS and some Operating Systems.
File name: RPT2003-05-54.rpt. Schedule: As needed.

Title: Incident Events
Description: This report tracks the Incident, HostIncident, HybridIncident and NetworkIncident events that have been generated to reflect enterprise-wide issues.
File name: RPT2006-19.rpt. Schedule: Daily.

Title: Inferred Events
Description: This report tracks events that are triggered by correlations built in the SolarWinds Rule Builder.
File name: RPT2006-27.rpt. Schedule: As needed.

Title: Inferred Events by Inference Rule
Description: This report tracks events that are triggered by correlations, and orders them by the correlation rule name.
File name: RPT2006-27-01.rpt. Schedule: As needed.

Title: Log On/Off/Failure
Description: Track activity associated with account events such as log on, log off and log on failures. This is a refined version of the Authentication Report that does not include SolarWinds authentication events. It is more appropriate for management reports or audit reviews than regular use.
File name: RPT2003-03.rpt. Schedule: Weekly.

Title: Network Traffic Audit
Description: Track activity associated with network traffic audit events such as TCP, IP and UDP events. Specifically, this report tracks regular network traffic activity, such as encrypted traffic, web traffic, and other forms of UDP, TCP and ICMP traffic. It gives you both an overview and some details of exactly what is flowing through your network. This report can be quite large.
File name: RPT2003-06.rpt. Schedule: Daily, if needed.

Title: Network Traffic Audit - Application Traffic
Description: ApplicationTrafficAudit events reflect network traffic that is mostly or all application-layer data. Events that are children of ApplicationTrafficAudit are also related to application-layer resources. Events placed in the parent ApplicationTrafficAudit event itself are known to be application-related, but are not able to be further categorized based on the message provided by the tool, or because they are uncommon and rarely, if ever, imply network attack potential.
File name: RPT2003-06-11.rpt. Schedule: As needed.

Title: Network Traffic Audit - Application Traffic by Destination Machine
Description: This report lists all Application Traffic events (such as WebTrafficAudit), grouped by destination machine/IP.
File name: RPT2003-06-11-2.rpt. Schedule: As needed.

Title: Network Traffic Audit - Application Traffic by Provider SID
Description: This report lists all Application Traffic events (such as WebTrafficAudit), grouped by provider SID.
File name: RPT2003-06-11-3.rpt. Schedule: As needed.

Title: Network Traffic Audit - Application Traffic by Source Machine
Description: This report lists all Application Traffic events (such as WebTrafficAudit), grouped by source machine/IP.
File name: RPT2003-06-11-1.rpt. Schedule: As needed.

Title: Network Traffic Audit - Application Traffic by Tool Alias
Description: This report lists all Application Traffic events (such as WebTrafficAudit), grouped by the SolarWinds sensor tool alias that reported each event.
File name: RPT2003-06-11-0.rpt. Schedule: As needed.

Title: Network Traffic Audit - Configuration Traffic
Description: Configuration Traffic Audit events reflect application-layer data related to configuration of network resources. Included in ConfigurationTrafficAudit are protocols such as DHCP, BootP, and SNMP. ConfigurationTrafficAudit events generally indicate normal traffic; however, events of this type could also be symptoms of misconfiguration, inappropriate usage, attempts to enumerate or access network devices or services, attempts to access devices that are configured via these services, or other abnormal traffic.
File name: RPT2003-06-02.rpt. Schedule: As needed.

Title: Network Traffic Audit - Core Traffic
Description: CoreTrafficAudit events reflect network traffic sent over core protocols. Events that are children of CoreTrafficAudit are all related to the TCP, IP, UDP, and ICMP protocols. Events of this type and its children do not have any application-layer data. Events placed in the parent CoreTrafficAudit event itself are known to be a core protocol, but are not able to be further categorized based on the message provided by the tool.
File name: RPT2003-06-03.rpt. Schedule: As needed.

Title: Network Traffic Audit - Core Traffic by Destination Machine
Description: This report lists all Core Traffic events (such as TCPTrafficAudit), grouped by destination machine/IP.
File name: RPT2003-06-03-2.rpt. Schedule: As needed.

Title: Network Traffic Audit - Core Traffic by Provider SID
Description: This report lists all Core Traffic events (such as TCPTrafficAudit), grouped by provider SID.
File name: RPT2003-06-03-3.rpt. Schedule: As needed.

Title: Network Traffic Audit - Core Traffic by Source Machine
Description: This report lists all Core Traffic events (such as TCPTrafficAudit), grouped by source machine/IP.
File name: RPT2003-06-03-1.rpt. Schedule: As needed.

Title: Network Traffic Audit - Core Traffic by Tool Alias
Description: This report lists all Core Traffic events (such as TCPTrafficAudit), grouped by the SolarWinds sensor tool alias that reported the event.
File name: RPT2003-06-03-0.rpt. Schedule: As needed.

Title: Network Traffic Audit - Encrypted Traffic
Description: Encrypted Traffic Audit events reflect application-layer traffic that has been encrypted and is intended for a secure host. Included in Encrypted Traffic Audit are client- and server-side application events, such as key exchanges, that normally occur after the low-level session creation and handshaking have completed.
File name: RPT2003-06-04.rpt. Schedule: As needed.
Title: Network Traffic Audit - Link Control Traffic
Description: Link Control Traffic Audit events are generated for network events related to link-level configuration. Link Control Traffic Audit events generally indicate normal traffic; however, events of this type could also be symptoms of misconfiguration at the link level, inappropriate usage, or other abnormal traffic.
File name: RPT2003-06-05.rpt. Schedule: As needed.

Title: Network Traffic Audit - Network Traffic
Description: Members of the Network Audit tree are used to define events centered on usage of network resources/bandwidth.
File name: RPT2003-06-06.rpt. Schedule: As needed.

Title: Network Traffic Audit - Point to Point Traffic
Description: Point To Point Traffic Audit events reflect application-layer data related to point-to-point connections between hosts. Included in Point To Point Traffic Audit are encrypted and unencrypted point-to-point traffic.
File name: RPT2003-06-07.rpt. Schedule: As needed.

Title: Network Traffic Audit - Remote Procedure Traffic
Description: Remote Procedure Traffic Audit events reflect application-layer data related to remote procedure services. Included in Remote Procedure Traffic Audit are the traditional RPC services used to service remote logons and file shares, and other services which require remote procedure access to complete authentication, pass data, or otherwise communicate. RemoteProcedureTrafficAudit events generally indicate normal traffic for networks that have remote procedure services on their network; however, events of this type could also be symptoms of inappropriate access, misconfiguration of the remote procedure services, errors in the remote procedure calls, or other abnormal traffic.
File name: RPT2003-06-08.rpt. Schedule: As needed.

Title: Network Traffic Audit - Routing Traffic
Description: Routing Traffic Audit events are generated for network events related to configuration of network routes, using protocols such as IGMP, IGRP, and RIP. RoutingTrafficAudit events generally indicate normal traffic; however, events of this type could also be symptoms of misconfigured routing, unintended route configuration, or other abnormal traffic.
File name: RPT2003-06-09.rpt. Schedule: As needed.

Title: Network Traffic Audit - Time Traffic
Description: Time Traffic Audit events reflect application-layer data related to network time configuration. Included in TimeTrafficAudit are protocols such as NTP and activities such as detection of client-side network time updates.
File name: RPT2003-06-10.rpt. Schedule: As needed.

Title: Network Traffic Audit - Top Application Traffic by Source
Description: This report lists the Top Application Traffic events (such as WebTrafficAudit), grouped by source machine/IP.
File name: RPT2003-06-01-2.rpt. Schedule: As needed.

Title: Network Traffic Audit - Top Core Traffic by Source
Description: This report lists the Top Core Traffic events (such as TCPTrafficAudit), grouped by source machine/IP.
File name: RPT2003-06-03-2.rpt. Schedule: As needed.

Title: Network Traffic Audit - Web Traffic
Description: WebTrafficAudit events reflect application-layer data related to web services. Included in WebTrafficAudit are client and server web events from web servers, web applications, content filter related events, and other web services. WebTrafficAudit events generally indicate normal traffic; however, events of this type could also be symptoms of inappropriate web usage, potential abuse of web services, or other abnormal traffic.
File name: RPT2003-06-01.rpt. Schedule: As needed.

Title: Network Traffic Audit - Web Traffic by Destination Machine
Description: This report lists all WebTrafficAudit events grouped by destination machine/IP.
File name: RPT2003-06-01-2.rpt. Schedule: As needed.

Title: Network Traffic Audit - Web Traffic by Provider SID
Description: This report lists Web Traffic Audit events grouped by provider SID.
File name: RPT2003-06-01-3.rpt. Schedule: As needed.

Title: Network Traffic Audit - Web Traffic by Source Machine
Description: This report lists all WebTrafficAudit events grouped by source machine/IP.
File name: RPT2003-06-01-1.rpt. Schedule: As needed.

Title: Network Traffic Audit - Web Traffic by Tool Alias
Description: This report lists Web Traffic Audit events grouped by tool alias.
File name: RPT2003-06-01-0.rpt. Schedule: As needed.

Title: Network Traffic Audit - Web URL Requests by Source Machine
Description: This report lists the most frequently visited URLs grouped by the requesting client source machine.
File name: RPT2003-06-01-5.rpt. Schedule: As needed.

Title: Network Traffic Audit - Web URL Requests by Source Machine - Graphs
Description: This report shows graphs of the most frequently visited URLs for each client source machine.
File name: RPT2003-06-01-4.rpt. Schedule: As needed.
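The descriptions above define two event trees: the File Audit tree (File Create, File Delete and File Move are "specific File Write events", File Data Read and File Execute are "specific File Read events", and so on) and the Network Traffic Audit tree (children of ApplicationTrafficAudit and CoreTrafficAudit, with uncategorizable events filed under the parent itself). The per-category reports then select a subtree and group it by source machine, destination machine, provider SID or tool alias. The added Python example below, not LEM code, models both trees and those views over constructed sample events; the CamelCase spelling of the File Audit names, the UDP and ICMP children of CoreTrafficAudit, and the src/dst/provider_sid/tool_alias field names are assumptions.

```python
"""Parent/child event trees behind the File Audit and Network Traffic Audit
reports, with the per-category selection and the "grouped by ..." and
"Top ... by Source" views those reports describe.

Added example, not LEM code. The tree is transcribed from the report
descriptions; the CamelCase File Audit names, the UDP/ICMP children of
CoreTrafficAudit and the sample field names are assumptions."""
from collections import Counter, defaultdict

# parent -> children. Each edge comes from an "X is a specific Y event" or
# "events that are children of Y" sentence in the table.
TREE = {
    "FileAudit": ["FileRead", "FileWrite"],
    "FileRead": ["FileDataRead", "FileExecute"],
    "FileWrite": ["FileAttributeChange", "FileCreate", "FileDataWrite",
                  "FileDelete", "FileLink", "FileMove"],
    "FileHandleAudit": ["FileHandleClose", "FileHandleCopy", "FileHandleOpen"],
    "ObjectAudit": ["ObjectDelete", "ObjectLink"],
    "ApplicationTrafficAudit": ["WebTrafficAudit", "EncryptedTrafficAudit",
                                "ConfigurationTrafficAudit", "TimeTrafficAudit"],
    "CoreTrafficAudit": ["TCPTrafficAudit", "UDPTrafficAudit", "ICMPTrafficAudit"],
}
PARENT = {child: parent for parent, kids in TREE.items() for child in kids}


def ancestors(event_type):
    """[event_type, parent, grandparent, ...] up to the root of its tree.
    An event filed under the parent type itself (the table's "known to be a
    core protocol, but not able to be further categorized" case) has a
    one-element chain and still matches the parent's report."""
    chain = [event_type]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain


def select(events, category):
    """Events whose type is `category` or a descendant of it: what "all Core
    Traffic events (such as TCPTrafficAudit)" resolves to."""
    return [e for e in events if category in ancestors(e["type"])]


def group_by(events, field):
    """The "... by Destination Machine / Source Machine / Provider SID /
    Tool Alias" variants: same selection, different grouping key."""
    groups = defaultdict(list)
    for e in events:
        groups[e[field]].append(e)
    return dict(groups)


def top_by(events, field, n=3):
    """The "Top ... by Source" variants: counts per key, highest first."""
    return Counter(e[field] for e in events).most_common(n)


# Constructed sample events, not real sensor output. provider_sid stands in for
# the reporting tool's own signature/rule id, tool_alias for the sensor alias.
SAMPLE = [
    {"type": "WebTrafficAudit", "src": "10.0.0.5", "dst": "203.0.113.10", "provider_sid": "2001", "tool_alias": "ids-dmz"},
    {"type": "WebTrafficAudit", "src": "10.0.0.5", "dst": "203.0.113.11", "provider_sid": "2001", "tool_alias": "ids-dmz"},
    {"type": "EncryptedTrafficAudit", "src": "10.0.0.7", "dst": "203.0.113.10", "provider_sid": "3005", "tool_alias": "ids-dmz"},
    {"type": "ApplicationTrafficAudit", "src": "10.0.0.9", "dst": "198.51.100.2", "provider_sid": "9", "tool_alias": "fw-edge"},
    {"type": "TCPTrafficAudit", "src": "10.0.0.5", "dst": "198.51.100.2", "provider_sid": "100", "tool_alias": "fw-edge"},
    {"type": "ICMPTrafficAudit", "src": "10.0.0.9", "dst": "10.0.0.1", "provider_sid": "101", "tool_alias": "fw-edge"},
    {"type": "CoreTrafficAudit", "src": "10.0.0.9", "dst": "10.0.0.1", "provider_sid": "102", "tool_alias": "fw-edge"},
    {"type": "FileDataWrite", "src": "10.0.0.7", "dst": "fs01", "provider_sid": "fa-1", "tool_alias": "agent-fs01"},
    {"type": "FileExecute", "src": "10.0.0.7", "dst": "fs01", "provider_sid": "fa-2", "tool_alias": "agent-fs01"},
]

if __name__ == "__main__":
    core = select(SAMPLE, "CoreTrafficAudit")
    for src, evs in sorted(group_by(core, "src").items()):
        print(f"Core Traffic by Source Machine {src}: {[e['type'] for e in evs]}")
    print("Top Application Traffic by Source:",
          top_by(select(SAMPLE, "ApplicationTrafficAudit"), "src"))
    print("FileDataWrite chain:", " -> ".join(ancestors("FileDataWrite")))
```

Note that the bare CoreTrafficAudit and ApplicationTrafficAudit events are counted by their parent's report even though no child report claims them; when a "by Source" total does not match the sum of the child reports, those uncategorized events are usually the difference.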
Title: Resource Configuration
Description: The Resource Configuration report details events that relate to configuration of user accounts, machine accounts, groups, policies and their relationships, such as domain or group modification, policy changes, and creation of new network resources.
File name: RPT2003-08.rpt. Schedule: Weekly.

Title: Resource Configuration - Authorization Audit
Description: Events that are part of the Auth Audit tree are related to authentication and authorization of accounts and account "containers" such as groups or domains. These events can be produced from any network node including firewalls, routers, servers, and clients.
File name: RPT2003-08-01.rpt. Schedule: As needed.

Title: Resource Configuration - Domain Authorization Audit
Description: Domain Auth Audit events are authentication, authorization, and modification events related only to domains, subdomains, and account containers. These events are normally operating system related; however, they could be produced by any network device.
File name: RPT2003-08-02.rpt. Schedule: As needed.

Title: Resource Configuration - Group Audit
Description: Group Audit events are authentication, authorization, and modification events related only to account groups. These events are normally operating system related; however, they could be produced by any network device.
File name: RPT2003-08-03.rpt. Schedule: As needed.

Title: Resource Configuration - Machine Authorization Audit
Description: Machine Auth Audit events are authentication, authorization, and modification events related only to computer or machine accounts. These events can be produced from any network node including firewalls, routers, servers, and clients, but are normally operating system related.
File name: RPT2003-08-04.rpt. Schedule: As needed.

Title: Resource Configuration - Policy Audit
Description: Policy Audit events are used to track access, modification, scope change, and creation of authentication, domain, account, and account container policies. Many of these events reflect normal system traffic. Most PolicyAudit events are provided by the Operating System.
File name: RPT2003-08-06.rpt. Schedule: As needed.

Title: Resource Configuration - User Authorization Audit
Description: User Auth Audit events are authentication, authorization, and modification events related only to user accounts. These events can be produced from any network node including firewalls, routers, servers, and clients.
File name: RPT2003-08-05.rpt. Schedule: As needed.

Table of Security reports


The following table lists and describes each of the security reports. For your
convenience, the reports are listed alphabetically by title.
Title: Authentication Report - Failed Authentication
Description: Failed Authentication events occur when a user has made several attempts to authenticate themselves which have continuously failed, or when a logon failure is serious enough to merit a security event on a single failure.
File name: RPT2003-02-1.rpt. Schedule: As needed.
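The Failed Authentication description above names two triggers: several failures by one account that continue without an intervening success, and a single failure whose reason is serious enough on its own. The Account Lockout report in the audit table records the lockout the domain controller itself raises; the added Python example below, not LEM's rule engine, shows the SIEM-side counting that surfaces the same behaviour before, or instead of, a lockout. The record layout, THRESHOLD, WINDOW and the SERIOUS_REASONS list are assumptions made for the example.

```python
"""Threshold logic behind a Failed Authentication event: a streak of failures
for one account inside a sliding window, or one failure with a serious reason.

Added example, not LEM's rule engine. The record layout, THRESHOLD, WINDOW
and SERIOUS_REASONS are assumptions for the example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                    # failures within WINDOW before alerting (assumed)
WINDOW = timedelta(minutes=10)   # sliding window (assumed)
# Reasons that merit an event on a single failure (assumed list).
SERIOUS_REASONS = {"account disabled", "account expired", "outside logon hours"}


def detect(events, threshold=THRESHOLD, window=WINDOW):
    """events: iterable of (time, account, outcome, reason), time-ordered.
    Returns [(time, account, kind, detail)] with kind 'repeated' or 'serious'.
    One 'repeated' alert per streak: a success clears the streak and re-arms
    the account, matching the "continuously failed" wording."""
    alerts = []
    recent = defaultdict(deque)   # account -> failure times still inside the window
    fired = set()                 # accounts already reported for the current streak
    for time, account, outcome, reason in events:
        acct = account.lower()
        if outcome == "success":
            recent[acct].clear()  # the streak is broken
            fired.discard(acct)
            continue
        if reason in SERIOUS_REASONS:
            alerts.append((time, account, "serious", reason))
        q = recent[acct]
        q.append(time)
        while q and time - q[0] > window:
            q.popleft()           # drop failures that aged out of the window
        if len(q) >= threshold and acct not in fired:
            alerts.append((time, account, "repeated", f"{len(q)} failures within {window}"))
            fired.add(acct)
    return alerts


# Constructed sample stream, not real log data.
T0 = datetime(2015, 9, 1, 8, 0)


def at(minutes):
    return T0 + timedelta(minutes=minutes)


SAMPLE_EVENTS = sorted([
    *[(at(m), "CORP\\jsmith", "failure", "bad password") for m in range(5)],
    (at(6), "CORP\\jsmith", "failure", "bad password"),      # streak already reported
    (at(7), "CORP\\kdoe", "failure", "account disabled"),    # serious on one failure
    (at(8), "CORP\\kdoe", "success", ""),
    *[(at(m), "CORP\\svc_backup", "failure", "bad password") for m in (0, 3, 6, 9, 12)],  # spread past the window
    (at(20), "CORP\\amal", "failure", "bad password"),
    (at(21), "CORP\\amal", "success", ""),                   # success breaks the streak
    *[(at(m), "CORP\\amal", "failure", "bad password") for m in (22, 23, 24, 25)],
])

if __name__ == "__main__":
    for time, account, kind, detail in detect(SAMPLE_EVENTS):
        print(f"{time:%H:%M} {account}: {kind} ({detail})")
```

With the assumed threshold of 5 in 10 minutes, only jsmith (five failures in five minutes) and kdoe (a disabled-account failure) are reported; svc_backup's five failures are spread over twelve minutes and amal's streak is reset by a success, which is the slow, low-rate pattern a threshold alone will not catch.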

Title: Authentication Report - Guest Login
Description: This report shows logins to various Guest accounts.
File name: RPT2003-02-2.rpt. Schedule: As needed.

Title: Authentication Report - Restricted Information Attempt
Description: Restricted Information Attempt events describe a user attempt to access local or remote information that their level of authorization does not allow. These events may indicate user attempts to exploit services which they are denied access to, or inappropriate access attempts to information.
File name: RPT2003-02-3.rpt. Schedule: As needed.

Title: Authentication Report - Restricted Service Attempt
Description: Restricted Service Attempt events describe a user attempt to access a local or remote service that their level of authorization does not allow. These events may indicate user attempts to exploit services which they are denied access to, or inappropriate access attempts to services.
File name: RPT2003-02-4.rpt. Schedule: As needed.

Title: Console
Description: The Console report shows every event that passes through the system in the given time interval. It mimics the basic management console view. It does not contain the same level of field detail, but it is useful to get a quick snapshot of activity for a period, a lunch h  our, for example. This report can be very large, so you will only want to run it for small time intervals, such as hours.
File name: RPT2003-10.rpt. Schedule: As needed.

Title: Console Overview
Description: An overview of all events during the specified time range. Shows graphs of the most common generic event field data from the console report.
File name: RPT2003-10-00.rpt. Schedule: As needed.

Title: Event Summary - Attack Behavior Statistics
Description: Event Summary Sub Report - Attack Behavior Statistics.
File name: RPT2003-01-02.rpt. Schedule: As needed.

Title: Event Summary - Authorization Audit Statistics
Description: Event Summary Sub Report - Authorization Audit Statistics.
File name: RPT2003-01-03.rpt. Schedule: As needed.

Title: Event Summary - Graphs
Description: The event summary report gathers statistical data from all major event categories, summarizes it with a one-hour resolution, and presents a quick, graphical overview of activity on your network.
File name: RPT2003-01.rpt. Schedule: Daily.

Title: Event Summary - Machine Audit Statistics
Description: Event Summary Sub Report - Machine Audit Statistics.
File name: RPT2003-01-05.rpt. Schedule: As needed.

Title: Event Summary - Policy Audit Statistics
Description: Event Summary Sub Report - Policy Audit Statistics.
File name: RPT2003-01-06.rpt. Schedule: As needed.

Title: Event Summary - Resource Audit Statistics
Description: Event Summary Sub Report - Resource Audit Statistics.
File name: RPT2003-01-07.rpt. Schedule: As needed.

Title: Event Summary - Suspicious Behavior Statistics
Description: Event Summary Sub Report - Suspicious Behavior Statistics.
File name: RPT2003-01-08.rpt. Schedule: As needed.

Title: Event Summary - Top Level Statistics
Description: Event Summary Sub Report - Top Level Statistics.
File name: RPT2003-01-01.rpt. Schedule: As needed.

Title: Machine Audit
Description: Track activity associated with machine process and service audit events. This report shows machine-level events such as software installs, patches, system shutdowns, and reboots. It can be used to assist in software license compliance auditing by providing records of installs.
File name: RPT2003-09.rpt. Schedule: Weekly.

Title: Machine Audit - File System Audit
Description: This report tracks activity associated with file system audit events, including mount file system and unmount file system events. These events are generally normal system activity, especially during system boot.
File name: RPT2003-09-010.rpt. Schedule: As needed.

Title: Machine Audit - File System Audit - Mount File System
Description: Mount File System events are a specific type of File System Audit that reflect the action of creating an active translation between hardware and a usable file system. These events are generally normal during system boot.
File name: RPT2003-09-012.rpt. Schedule: As needed.

Title: Machine Audit - File System Audit - Unmount File System
Description: Unmount File System events are a specific type of File System Audit that reflect the action of removing a translation between hardware and a usable file system. These events are generally normal during system shutdown.
File name: RPT2003-09-013.rpt. Schedule: As needed.

Title: Machine Audit - Process Audit
Description: This report tracks activity related to processes, including processes that have started, stopped, or reported useful process-related information.
File name: RPT2003-09-030.rpt. Schedule: As needed.

Title: Machine Audit - Process Audit - Process Audit
Description: This report lists Process Audit events that are generated to track launch, exit, status, and other events related to system processes. Usually, these events reflect normal system activity. Process-related activity that may indicate a failure will be noted separately from normal activity in the event detail.
File name: RPT2003-09-031.rpt. Schedule: As needed.
Title: Machine Audit - Process Audit - Process Info
Description: Process Info is a specific type of Process Audit event that reflects information related to a process. Most of these events can safely be ignored, as they are generally normal activity that does not reflect a failure or abnormal state.
File name: RPT2003-09-032.rpt. Schedule: As needed.

Title: Machine Audit - Process Audit - Process Start
Description: Process Start is a specific type of Process Audit event that indicates a new process has been launched. Usually, Process Start reflects normal system activity.
File name: RPT2003-09-033.rpt. Schedule: As needed.

Title: Machine Audit - Process Audit - Process Stop
Description: Process Stop is a specific type of Process Audit event that indicates a process has exited. Usually, Process Stop reflects normal application exit; however, in the event of an unexpected error the abnormal state will be noted.
File name: RPT2003-09-034.rpt. Schedule: As needed.

Title: Machine Audit - Process Audit - Process Warning
Description: Process Warning is a specific type of Process Audit event that indicates a process has returned a 'Warning' message that is not a fatal error and may not have triggered an exit of the process.
File name: RPT2003-09-035.rpt. Schedule: As needed.

Title: Machine Audit - Service Audit
Description: This report tracks activity related to services, including services that have started, stopped, or reported useful service-related information or warnings.
File name: RPT2003-09-040.rpt. Schedule: As needed.

Title: Machine Audit - Service Audit - Service Info
Description: This report tracks ServiceInfo events, which reflect information related to a particular service. Most of these events can safely be ignored, as they are generally normal activity that does not reflect a failure or abnormal state.
File name: RPT2003-09-041.rpt. Schedule: As needed.
Title: Machine Audit - Service Audit - Service Start
Description: This report tracks ServiceStart events, which indicate that a new system service is starting.
File name: RPT2003-09-042.rpt. Schedule: As needed.

Title: Machine Audit - Service Audit - Service Stop
Description: This report tracks ServiceStop events, which indicate that a system service is stopping. This activity is generally normal; however, in the event of an unexpected stop the abnormal state will be noted.
File name: RPT2003-09-043.rpt. Schedule: As needed.

Title: Machine Audit - Service Audit - Service Warning
Description: This report lists ServiceWarning events. These events indicate a service has returned a 'Warning' message that is not a fatal error and may not have triggered an exit of the service.
File name: RPT2003-09-044.rpt. Schedule: As needed.

Title: Machine Audit - System Audit
Description: This report tracks activity associated with system status and modifications, including software changes, system reboots, and system shutdowns.
File name: RPT2003-09-020.rpt. Schedule: As needed.

Title: Machine Audit - System Audit - Machine Audit
Description: Machine Audit events are used to track hardware or software status and modifications. These events are generally acceptable, but do indicate modifications to the client system that may be noteworthy.
File name: RPT2003-09-021.rpt. Schedule: As needed.

Title: Machine Audit - System Audit - Software Install
Description: SoftwareInstall events reflect modifications to the system at a software level, generally at the operating system level (or equivalent, in the case of a network infrastructure device). These events are generated when a user updates a system or launches system-native methods to install third party applications.
File name: RPT2003-09-025.rpt. Schedule: As needed.
Title: Machine Audit - System Audit - Software Update
Description: SoftwareUpdate is a specific type of SoftwareInstall that reflects a more current version of software being installed to replace an older version.
File name: RPT2003-09-026.rpt. Schedule: As needed.

Title: Machine Audit - System Audit - System Reboot
Description: System Reboot events occur on monitored network devices (servers, routers, etc.) and indicate that a system has restarted.
File name: RPT2003-09-022.rpt. Schedule: As needed.

Title: Machine Audit - System Audit - System Shutdown
Description: System Shutdown events occur on monitored network devices (servers, routers, etc.) and indicate that a system has been shut down.
File name: RPT2003-09-023.rpt. Schedule: As needed.

Title: Machine Audit - System Audit - System Status
Description: SystemStatus events reflect general system state events. These events are generally normal and informational; however, they could potentially reflect a failure or issue which should be addressed.
File name: RPT2003-09-024.rpt. Schedule: As needed.

Title: Machine Audit - USB-Defender
Description: This report tracks activity associated with USB-Defender, including insertion and removal events related to USB Mass Storage devices.
File name: RPT2003-09-050.rpt. Schedule: As needed.

Title: Malicious Code
Description: This report tracks event activity associated with malicious code such as viruses, Trojans, and worms, both on the network and on local machines, as detected by anti-virus software.
File name: RPT2003-04.rpt. Schedule: Weekly.

Malicious
Code Service
Process
Attack

Members of the Service Process Attack


RPT2003- As
tree are used to define events centered on 04-01.rpt needed
malicious or abusive usage of services or
user processes. These events include
abuse or misuse of resources from
malicious code placed on the client
system.

Title: Malicious Code - Trojan Command Access
File name: RPT2003-04-05.rpt
Schedule: As needed
Description: Trojan Command Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as Trojan Horses. This event detects the communication related to Trojans sending commands over the network (infecting other clients, participating in denial of service activity, being controlled remotely by the originator, etc.). Trojans are generally executables that require no user intervention to spread and contain malicious code that is placed on the client system and used to exploit the client (and return access to the originator of the attack) or to exploit other clients (used in attacks such as distributed denial of service attacks).

Title: Malicious Code - Trojan Infection Access
File name: RPT2003-04-04.rpt
Schedule: As needed
Description: Trojan Infection Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as a Trojan Horse. This event detects the infection traffic related to a Trojan entering the network (generally with intent to infect a client). Trojans are generally executables that require no user intervention to spread and contain malicious code that is placed on the client system and used to exploit the client (and return access to the originator of the attack) or to exploit other clients (used in attacks such as distributed denial of service attacks).

Title: Malicious Code - Trojan Traffic Access
File name: RPT2003-04-02.rpt
Schedule: As needed
Description: Trojan Traffic Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as a Trojan Horse. This event detects the communication related to Trojans over the network (generally, 'trojaned' clients calling home to the originator). Trojans are generally executables that require no user intervention to spread and contain malicious code that is placed on the client system and used to exploit the client (and return access to the originator of the attack) or to exploit other clients (used in attacks such as distributed denial of service attacks).

Title: Malicious Code Report - Trojan Traffic Denial
File name: RPT2003-04-03.rpt
Schedule: As needed
Description: Trojan Traffic Denial events are a specific type of Denial event where the transport of the malicious or abusive usage originates with malicious code on a client system known as a Trojan. The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. Trojan Traffic Denial events may be attempts to exploit weaknesses in software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, attempts to spread the Trojan to other hosts, or other denial of service activities.

Title: Malicious Code Report - Virus Attack
File name: RPT2003-04-06.rpt
Schedule: As needed
Description: Virus Attack events reflect malicious code placed on a client or server system, which may lead to system or other resource compromise and may lead to further attack. The severity of this event will depend on the ActionTaken field, which reflects whether the virus or other malicious code was successfully removed.

Title: Malicious Code Report - Virus Summary Attack
File name: RPT2003-04-07.rpt
Schedule: As needed
Description: Virus Summary Attack events reflect malicious code placed on a client or server system, which may lead to system or other resource compromise and may lead to further attack. The severity of this event will depend on the ActionTaken field, which reflects whether the virus or other malicious code was successfully removed. These events differ from Virus Attack in that they may be a composite of virus events, normally due to a scheduled scan on the client system as opposed to a real-time scan.

Title: Malicious Code Report - Virus Traffic Access
File name: RPT2003-04-08.rpt
Schedule: As needed
Description: Virus Traffic Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as viruses. This event detects the communication related to viruses over the network (generally, the spread of a virus infection or an incoming virus infection). Viruses are generally executables that require user intervention to spread, contain malicious code that is placed on the client system, and are used to exploit the client and possibly spread to other clients.

Title: Network Events: Attack Behavior
File name: RPT2003-11-00.rpt
Schedule: As needed
Description: This report tracks activity associated with top-level NetworkAttack events.

Title: Network Events: Attack Behavior - Access
File name: RPT2003-11.rpt
Schedule: Weekly
Description: This report shows malicious asset access via the network. For example, attacks on FTP or Windows Network servers, malicious network database access, abuses of services, or attempted unauthorized entry.

Title: Network Events: Attack Behavior - Access - Access
File name: RPT2003-11-01.rpt
Schedule: As needed
Description: Children of the Access tree define events centered on malicious or abusive usage of network bandwidth/traffic where the intention, or the result, is inappropriate or abusive access to network resources.

Title: Network Events: Attack Behavior - Access - Application Access
File name: RPT2003-11-02.rpt
Schedule: As needed
Description: Application Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is mostly or all application-layer. Generally, ApplicationAccess events will reflect attempted exploitation of weaknesses in server or client software, or information that is restricted/prohibited by device access control or policy.

Title: Network Events: Attack Behavior - Access - Configuration Access
File name: RPT2003-11-03.rpt
Schedule: As needed
Description: Configuration Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via resource configuration traffic (using protocols such as DHCP, BootP, and SNMP). Generally, these events will reflect attempted exploitation of weaknesses in the configuration server or client software, or attempts to gain system-level access to configuration servers themselves. In the case of SNMP and similar configuration protocols, it could reflect an attempt to enumerate a device or devices on the same network for further attack.

Title: Network Events: Attack Behavior - Access - Core Access
File name: RPT2003-11-04.rpt
Schedule: As needed
Description: Core Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is mostly or all core protocols (TCP, UDP, IP, ICMP). Generally, CoreAccess events will reflect attempted exploitation of weaknesses in network protocols or devices with intent to gain access to servers, clients, or network infrastructure devices.

Title: Network Events: Attack Behavior - Access - Database Access
File name: RPT2003-11-05.rpt
Schedule: As needed
Description: Database Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer database traffic. Generally, these events will reflect attempted exploitation of weaknesses in database server or client software.

Title: Network Events: Attack Behavior - Access - File System Access
File name: RPT2003-11-06.rpt
Schedule: As needed
Description: File System Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via remote filesystem traffic (using protocols such as SMB and NFS). Generally, these events will reflect attempted exploitation of weaknesses in the remote filesystem server or client software, or attempts to gain system-level access to remote filesystem servers themselves.

Title: Network Events: Attack Behavior - Access - File Transfer
File name: RPT2003-11-07.rpt
Schedule: As needed
Description: File Transfer Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer file transfer traffic. Generally, these events will reflect attempted exploitation of weaknesses in file transfer server or client software.

Title: Network Events: Attack Behavior - Access - Link Control Access
File name: RPT2003-11-08.rpt
Schedule: As needed
Description: Link Control Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is low-level link control (using protocols such as ARP). Generally, Link Control Access events will reflect attempted exploitation of weaknesses in switching devices by usage of malformed incoming or outgoing data, with intent to enumerate or gain access to or through switching devices, clients that are also on the switching device, and entire networks attached to the switching device. In some cases, a managed switch with restrictions on port-analyzing activity may be forced to behave like an unmanaged switch with no restrictions, allowing a malicious client to sniff traffic and enumerate or attack.

Title: Network Events: Attack Behavior - Access - Mail Access
File name: RPT2003-11-09.rpt
Schedule: As needed
Description: Mail Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer mail transfer, retrieval, or service traffic. Generally, these events will reflect attempted exploitation of weaknesses in mail-related server or client software.

Title: Network Events: Attack Behavior - Access - Naming Access
File name: RPT2003-11-10.rpt
Schedule: As needed
Description: Naming Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer naming service traffic (using protocols such as DNS and WINS). Generally, these events will reflect attempted exploitation of weaknesses in the naming server or client software.

Title: Network Events: Attack Behavior - Access - News Access
File name: RPT2003-11-11.rpt
Schedule: As needed
Description: News Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer news traffic (over protocols such as NNTP). Generally, these events will reflect attempted exploitation of weaknesses in the news server or client software.

Title: Network Events: Attack Behavior - Access - Point to Point Access
File name: RPT2003-11-12.rpt
Schedule: As needed
Description: Point To Point Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via point to point traffic (using protocols such as PPTP). Generally, these events will reflect attempted exploitation of weaknesses in point to point server or client software, attempts to enumerate networks, or attempts to further attack devices on trusted networks.

Title: Network Events: Attack Behavior - Access - Printer Access
File name: RPT2003-11-13.rpt
Schedule: As needed
Description: Printer Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer remote printer traffic. Generally, these events will reflect attempted exploitation of weaknesses in the remote printer server or client software.

Title: Network Events: Attack Behavior - Access - Remote Console Access
File name: RPT2003-11-14.rpt
Schedule: As needed
Description: Remote Console Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer remote console service traffic (services such as telnet, SSH, and terminal services). Generally, these events will reflect attempted exploitation of weaknesses in the remote console server or client software.

Title: Network Events: Attack Behavior - Access - Remote Procedure Access
File name: RPT2003-11-15.rpt
Schedule: As needed
Description: Remote Procedure Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via remote procedure call traffic (using protocols such as the traditional RPC services, RMI, and CORBA). Generally, these events will reflect attempted exploitation of weaknesses in the remote procedure server or client software, or attempts to gain system-level access to remote procedure servers themselves.

Title: Network Events: Attack Behavior - Access - Routing Access
File name: RPT2003-11-16.rpt
Schedule: As needed
Description: Routing Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is routing-related protocols (RIP, IGMP, etc.). Generally, Routing Access events will reflect attempted exploitation of weaknesses in routing protocols or devices with intent to enumerate or gain access to or through routers, servers, clients, or other network infrastructure devices. These routing protocols are used to automate the routing process between multiple devices that share or span networks.

Title: Network Events: Attack Behavior - Access - Time Access
File name: RPT2003-11-17.rpt
Schedule: As needed
Description: Time Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer remote time service traffic (using protocols such as NTP). Generally, these events will reflect attempted exploitation of weaknesses in the remote time server or client software.

Title: Network Events: Attack Behavior - Access - Virus Traffic Access
File name: RPT2003-11-19.rpt
Schedule: As needed
Description: Virus Traffic Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as viruses. Generally, these events will reflect attempted exploitation of weaknesses in the web server or client software.

Title: Network Events: Attack Behavior - Access - Web Access
File name: RPT2003-11-18.rpt
Schedule: As needed
Description: Web Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer WWW traffic. Generally, these events will reflect attempted exploitation of weaknesses in the web server or client software.

Title: Network Events: Attack Behavior - Denial / Relay
File name: RPT2003-12.rpt
Schedule: Weekly
Description: Track activity associated with network denial or relay attack behaviors. This report shows malicious asset relay attempts and denials of service via the network. For example, FTP bouncing, Distributed Denial of Service events, and many protocol abuses.

Title: Network Events: Attack Behavior - Denial / Relay - Application Denial
File name: RPT2003-12-01.rpt
Schedule: As needed
Description: Application Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is application-layer protocols. The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. Application Denial events may be attempts to exploit weaknesses in software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities.

Title: Network Events: Attack Behavior - Denial / Relay - Configuration Denial
File name: RPT2003-12-02.rpt
Schedule: As needed
Description: Configuration Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is protocols related to configuration of resources (DHCP, BootP, SNMP, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. ConfigurationDenial events may be attempts to exploit weaknesses in configuration-related software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities.

Title: Network Events: Attack Behavior - Denial / Relay - Core Denial
File name: RPT2003-12-03.rpt
Schedule: As needed
Description: Core Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is core protocols (TCP, IP, ICMP, UDP). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. Core Denial events may be attempts to exploit weaknesses in software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities.

Title: Network Events: Attack Behavior - Denial / Relay - Denial
File name: RPT2003-12-04.rpt
Schedule: As needed
Description: Children of the Denial tree define events centered on malicious or abusive usage of network bandwidth/traffic where the intention, or the result, is inappropriate or abusive access to network resources through a denial of service attack.


Title: Network Events: Attack Behavior - Denial / Relay - File System Denial
File name: RPT2003-12-05.rpt
Schedule: As needed
Description: File System Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is remote filesystem-related protocols (NFS, SMB, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. File System Denial events may be attempts to exploit weaknesses in remote filesystem services or software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities.

Title: Network Events: Attack Behavior - Denial / Relay - File Transfer Denial
File name: RPT2003-12-06.rpt
Schedule: As needed
Description: File Transfer Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is application-layer file transfer-related protocols (FTP, TFTP, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. FileTransferDenial events may be attempts to exploit weaknesses in file transfer-related software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities.

Title: Network Events: Attack Behavior - Denial / Relay - Link Control Denial
File name: RPT2003-12-07.rpt
Schedule: As needed
Description: Link Control Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is link level protocols (such as ARP). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. LinkControlDenial events may be attempts to exploit weaknesses in link-level control software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities.

Title: Network Events: Attack Behavior - Denial / Relay - Mail Denial
File name: RPT2003-12-08.rpt
Schedule: As needed
Description: MailDenial events are a specific type of Denial event where the transport of the malicious or abusive usage is application-layer mail-related protocols (SMTP, IMAP, POP3, etc.) or services (majordomo, spam filters, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. MailDenial events may be attempts to exploit weaknesses in mail-related software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities.

Title: Network Events: Attack Behavior - Denial / Relay - Relay
File name: RPT2003-12-09.rpt
Schedule: As needed
Description: Children of the Relay tree define events centered on malicious or abusive usage of network bandwidth/traffic where the intention, or the result, is relaying inappropriate or abusive access to other network resources (either internal or external). Generally, these attacks will have the perimeter or an internal host as their point of origin. When sourced from remote hosts, they may indicate a successful exploit of an internal or perimeter host.

Title: Network Events: Attack Behavior - Denial / Relay - Remote Procedure Denial
File name: RPT2003-12-10.rpt
Schedule: As needed
Description: Remote Procedure Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is remote procedure-related protocols (traditional RPC, RMI, CORBA, etc.) or services (portmapper, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. RemoteProcedureDenial events may be attempts to exploit weaknesses in remote procedure services or software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities.

Title: Network Events: Attack Behavior - Denial / Relay - Routing Denial
File name: RPT2003-12-11.rpt
Schedule: As needed
Description: Routing Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is routing-related protocols (RIP, IGMP, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. Routing Denial events may be attempts to exploit weaknesses in routers or routing software to gain access to a host system, attempts to exploit weaknesses in the routing software or service to enumerate or reconfigure, or other denial of service activities.

Title: Network Events: Attack Behavior - Denial / Relay - Web Denial
File name: RPT2003-12-12.rpt
Schedule: As needed
Description: Web Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is application-layer web-related protocols (HTTP, HTTPS, etc.) or services (CGI, ASP, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. Web Denial events may be attempts to exploit weaknesses in web-related software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities.

Title: Network Events: Suspicious Behavior
File name: RPT2003-07.rpt
Schedule: Weekly
Description: Track activity associated with suspicious network behaviors such as reconnaissance or unusual traffic. Specifically, this report shows potentially dangerous activity, such as excessive authentication failures, port scans, stack fingerprinting, and network enumerations.

Title: Network Events: Suspicious Behavior - Application Enumerate
File name: RPT2003-07-01.rpt
Schedule: As needed
Description: Application Enumerate events reflect attempts to gather information about target hosts, or services on target hosts, by sending active application-layer data which will elicit responses that reveal information about the application or host. This enumeration may be a simple command sent to the application to attempt to fingerprint what is allowed or denied by the service, requests to the application which may enable an attacker to surmise the version and specific application running, and other information gathering tactics. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the host or application that may work correctly the first time, enabling them to modify their methodology to go on relatively undetected.

Title: Network Events: Suspicious Behavior - Banner Grabbing Enumerate
File name: RPT2003-07-02.rpt
Schedule: As needed
Description: Banner Grabbing Enumerate events reflect attempts to gather information about target hosts, or services on target hosts, by sending a request which will elicit a response containing the host or service's 'banner'. This 'banner' contains information that may provide a potential attacker with such details as the exact application and version running behind a port. These details could be used to craft specific attacks against hosts or services that an attacker may know will work correctly the first time, enabling them to modify their methodology to go on relatively undetected.

Title: Network Events: Suspicious Behavior - Core Scan
File name: RPT2003-07-03.rpt
Schedule: As needed
Description: Core Scan events reflect attempts to gather information about target networks, or specific target hosts, by sending scans over core network protocols (TCP, IP, ICMP, UDP) which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, information such as a list of applications listening on ports, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts.

Title: Network Events: Suspicious Behavior - Enumerate
File name: RPT2003-07-04.rpt
Schedule: As needed
Description: Enumerate events reflect attempts to gather information about target networks, or specific target hosts, by sending active data which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the enumeration is generally attempting to acquire information that may reveal more than normal traffic to the target would.

Title: Network Events: Suspicious Behavior - Footprint
File name: RPT2003-07-05.rpt
Schedule: As needed
Description: Footprint events reflect attempts to gather information about target networks by tracing the network through routers, clients, servers, or other network infrastructure devices. The originating source of the footprint is generally attempting to acquire information that may reveal more about network behavior than normal traffic to the target would.

Title: Network Events: Suspicious Behavior - General Security
File name: RPT2003-07-17.rpt
Schedule: As needed
Description: General Security events are generated when a supported product outputs data that has not yet been normalized into a specific event, but is known to be security issue-related.

Title: Network Events: Suspicious Behavior - Host Scan
File name: RPT2003-07-06.rpt
Schedule: As needed
Description: Host Scan events reflect attempts to gather information about specific target hosts by sending scans which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as a list of applications on the host, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts. These scans generally do not occur across entire networks and generally have the intent of discovering operating system and application information which may be used for further attack preparation.

Title: Network Events: Suspicious Behavior - ICMP Query
File name: RPT2003-07-07.rpt
Schedule: As needed
Description: ICMP Query events reflect attempts to gather information about specific target hosts, or networks, by sending ICMP-based queries that will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as operating system information and other information that a probe may discover without enumeration of the specific services or performing attack attempts. These scans generally do not occur across entire networks, contain many sequential ICMP packets, and generally have the intent of discovering operating system and application information which may be used for further attack preparation.

Title: Network Events: Suspicious Behavior - MS Network Enumerate
File name: RPT2003-07-08.rpt
Schedule: As needed
Description: MS Networking Enumerate events reflect attempts to gather information about target hosts, or services on target hosts, by sending active data to Microsoft networking services (using protocols such as NetBIOS and SMB/CIFS) that will elicit responses that reveal information about the application, host, or target network. This enumeration may be a simple command sent to the networking service to attempt to fingerprint what is allowed or denied by a service, requests to a service that may enable an attacker to surmise the version and specific service running, requests to a service that may enable an attacker to fingerprint the target network, and other information gathering tactics. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the networking service, host, or application that may work correctly the first time, enabling them to modify their methodology to go on relatively undetected.

Title: Network Events: Suspicious Behavior - Network Suspicious
File name: RPT2003-07-09.rpt
Schedule: As needed
Description: Members of the NetworkSuspicious tree are used to define events regarding suspicious usage of network bandwidth/traffic. These events include unusual traffic and reconnaissance behavior detected on network resources.

Title: Network Events: Suspicious Behavior - Port Scan
File name: RPT2003-07-10.rpt
Schedule: As needed
Description: Port Scan events reflect attempts to gather information about target networks, or specific target hosts, by sending scans over core network protocols (TCP, IP, ICMP, UDP) that will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as a list of applications listening on ports, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts. Port Scans specifically operate by sending probes to every port within a range, attempting to identify open ports that may use applications or services that are easy to enumerate and attack.
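
The Port Scan entry and the Host Scan entry above describe the same reconnaissance pattern from two angles: one source probing many ports on one host, and one source probing one port across many hosts. The script below is an added illustration, not SolarWinds LEM code and not the logic behind any of the .rpt files listed here; it runs both detections over a constructed firewall deny log in a made-up one-line-per-event format (timestamp, DENY, source, destination:port, protocol). The log format, the 60-second window and the thresholds are assumptions chosen for the example, and it generalizes slightly beyond the Port Scan entry by reusing one sliding-window routine for both the vertical (port) and horizontal (host) case.

```python
"""Port-scan and host-scan detection over firewall deny logs.

Added illustration for the Port Scan / Host Scan report entries. This is not
SolarWinds LEM code and does not reproduce the logic behind any .rpt file.
The log format, thresholds and time window are assumptions made for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed one-line-per-event format (made up for this example):
#   2015-09-01T12:00:00 DENY 10.0.0.5 -> 10.0.0.20:22 tcp
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) DENY "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5}) (?P<proto>\w+)$"
)


def parse(lines):
    """Parse log lines into time-sorted (ts, src, dst, port) tuples.
    Lines that do not match the assumed format are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["port"])))
    events.sort()
    return events


def _max_distinct_in_window(probes, window, threshold):
    """probes: time-ordered (ts, value) pairs for one key.
    Return the largest number of distinct values seen inside any span no longer
    than `window`, or 0 if no span ever reaches `threshold`."""
    best = 0
    start = 0
    for end in range(len(probes)):
        while probes[end][0] - probes[start][0] > window:
            start += 1  # slide the left edge until the span fits the window
        distinct = len({value for _, value in probes[start:end + 1]})
        if distinct >= threshold:
            best = max(best, distinct)
    return best


def detect_port_scans(lines, window_seconds=60, port_threshold=10):
    """Vertical scan: one source touching many ports on one destination.
    Returns {(src, dst): distinct_ports} for pairs that cross the threshold."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in parse(lines):
        by_pair[(src, dst)].append((ts, port))
    window = timedelta(seconds=window_seconds)
    hits = {}
    for pair, probes in by_pair.items():
        count = _max_distinct_in_window(probes, window, port_threshold)
        if count:
            hits[pair] = count
    return hits


def detect_host_scans(lines, window_seconds=60, host_threshold=5):
    """Horizontal scan: one source touching the same port on many destinations.
    Returns {(src, port): distinct_hosts} for keys that cross the threshold."""
    by_key = defaultdict(list)
    for ts, src, dst, port in parse(lines):
        by_key[(src, port)].append((ts, dst))
    window = timedelta(seconds=window_seconds)
    hits = {}
    for key, probes in by_key.items():
        count = _max_distinct_in_window(probes, window, host_threshold)
        if count:
            hits[key] = count
    return hits


def sample_lines():
    """Constructed sample log for the example (not captured from any real device)."""
    base = datetime(2015, 9, 1, 12, 0, 0)

    def stamp(secs):
        return (base + timedelta(seconds=secs)).isoformat()

    lines = []
    # vertical scan: 10.0.0.5 sweeps ports 20-40 on 10.0.0.20, one probe per second
    for i, port in enumerate(range(20, 41)):
        lines.append(f"{stamp(i)} DENY 10.0.0.5 -> 10.0.0.20:{port} tcp")
    # horizontal scan: 10.0.0.9 hits port 445 on nine different hosts
    for i in range(9):
        lines.append(f"{stamp(30 + i)} DENY 10.0.0.9 -> 10.0.0.{10 + i}:445 tcp")
    # benign noise: repeated denies for one host and one port trip neither rule
    for i in range(15):
        lines.append(f"{stamp(3 * i)} DENY 10.0.0.7 -> 10.0.0.20:443 tcp")
    lines.append("Sep  1 12:00:45 fw1 kernel: unrelated line in another format")
    return lines


if __name__ == "__main__":
    logs = sample_lines()
    print("port scans:", detect_port_scans(logs))  # {('10.0.0.5', '10.0.0.20'): 21}
    print("host scans:", detect_host_scans(logs))  # {('10.0.0.9', 445): 9}
```

The thresholds are the whole game in practice: a vulnerability scanner, a monitoring host or a load balancer's health checks will cross them every day, so a real deployment allow-lists known scanners and tunes the window per network segment. LEM's reports summarize events that a connector has already normalized from a supported product, so logic of this kind normally runs upstream, in the firewall or IDS that emits the event, before the Port Scan or Host Scan report ever sees it.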

Title: Network Events: Suspicious Behavior - Recon
File name: RPT2003-07-11.rpt
Schedule: As needed
Description: Children of the Recon tree reflect suspicious network behavior with intent of gathering information about target clients, networks, or hosts. Reconnaissance behavior may be valid behavior on a network, however, only as a controlled behavior in small quantities. Invalid reconnaissance behavior may reflect attempts to determine security flaws on remote hosts, missing access control policies that allow external hosts to penetrate networks, or other suspicious behavior that results in general information gathering without actively attacking.

Title: Network Events: Suspicious Behavior - Remote Procedure Enumerate
File name: RPT2003-07-12.rpt
Schedule: As needed
Description: Remote Procedure Enumerate events reflect attempts to gather information about target hosts, or services on target hosts, by sending active data to Remote Procedure services (using protocols such as RMI, CORBA, and traditional RPC) that will elicit responses that reveal information about the application or host. This enumeration may be a simple command sent to the remote procedure service to attempt to fingerprint what is allowed or denied by the service, requests to the remote procedure service that may enable an attacker to surmise the version and specific service running, and other information gathering tactics. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the remote procedure service or application that may work correctly the first time, enabling them to modify their methodology to go on relatively undetected.

Network
Events:
Suspicious
Behavior Scan

Scan events reflect attempts to gather


RPT2003- As
information about target networks, or
07-13.rpt needed
specific target hosts, by sending scans
which will elicit responses that reveal
information about clients, servers, or other
network infrastructure devices. The
originating source of the scan is generally
attempting to acquire information that may
reveal more than normal traffic to the
target would, information such as a list of
applications listening on ports, operating
system information, and other information

578

Appendix F: Report Tables

Title

Description

File name Schedule

that a probe may discover without


enumeration of the specific services or
performing attack attempts.
Network
Events:
Suspicious
Behavior Stack
Fingerprint

Stack Fingerprint events reflect attempts RPT2003- As


to gather information about specific target 07-14.rpt needed
hosts by sending a certain set of packets
to probe a device's network stack, which
will elicit responses that reveal
information about clients, servers, or other
network infrastructure devices. The
originating source of the scan is generally
attempting to acquire information that may
reveal more than normal traffic to the
target would, such as operating system
information (including type and version)
and other information that a probe may
discover without enumeration of the
specific services or performing attack
attempts. These scans generally do not
occur across entire networks and
generally have the intent of discovering
operating system information which may
be used for further attack preparation.

Network
Events:
Suspicious
Behavior Trojan
Scanner

Trojan Scanner events reflect attempts of RPT2003- As


Trojans on the network to gather
07-15.rpt needed
information about target networks, or
specific target hosts, by sending scans
which will elicit responses that reveal
information about the host. The
originating Trojan source of the scan is
generally attempting to acquire
information that will reveal whether a
target host or network has open and
available services for further exploitation,
whether the target host or network is alive,

579

Table of Security reports

Title

Description

File name Schedule

and how much of the target network is


visible. A Trojan may run a scan before
attempting an attack operation to test
potential effectiveness or targeting
information.
Network
Events:
Suspicious
Behavior Unusual
Traffic

Unusual Traffic events reflect suspicious RPT2003- As


behavior on network devices where the
07-16.rpt needed
traffic may have no known exploit, but is
unusual and could be potential
enumerations, probes, fingerprints,
attempts to confuse devices, or other
abnormal traffic. Unusual Traffic may
have no impending response, however, it
could reflect a suspicious host that should
be monitored closely.

Priority Event This report is no longer in use. The


RPT2003- As
(reference)
Priority Event report tracks those events 16.rpt
needed
that the user has identified as a priority
event. These events appear in the Priority
filter of the Console.
Priority Event This report is no longer in use.This report RPT2003- As
By User
mirrors the standard Priority Event report 17.rpt
needed
(reference)
but groups the events received by
Console User account. The same event
may be seen by many users, so this report
tends to be much larger than the standard
Priority Event report.
Rule
The Rule Subscriptions report tracks
RPT2006- Daily
Subscriptions those events that the user has subscribed 28-01.rpt
by User
to monitor.
SolarWinds
Actions

The SolarWinds Action Report lists all


commands or actions initiated by
SolarWinds Network Security.

580

RPT2003- As
18.rpt
needed

Appendix F: Report Tables

Table of Support Reports

Support Reports are diagnostic tools used by SolarWinds Customer Support. You will normally only run these reports at SolarWinds's request. For your convenience, the reports are listed alphabetically by title.

Title | Description | File name | Schedule

Agent Connection Status | This report is a diagnostic tool used by Customer Support, and generally run only at their request. This report tracks internal agent online and offline events. | RPT2009-33-1.rpt | As requested

Agent Connection Status by Agent | This report is a diagnostic tool used by Customer Support, and generally run only at their request. This report tracks internal agent online and offline events grouped by agent. | RPT2009-33-2.rpt | As requested

Agent Connection Summary | This report is a diagnostic tool used by Customer Support, and generally run only at their request. This report shows high level summary information for when agents go online and offline. | RPT2009-33.rpt | As requested

Audit Internal Audit Report | Audit - Internal Audit Report | RPT2006-31-01.rpt | As requested

Audit Internal Audit Report by User | Internal Audit Report grouped by User | RPT2006-31-02.rpt | As requested

Agent Maintenance Report | This report is a diagnostic tool used by Customer Support, and generally run only at their request. This report displays internal event data for possible misconfigured agents. | RPT2007-32.rpt | As requested

Database Maintenance Report | This report is a diagnostic tool used by Customer Support, and generally run only at their request. | RPT2006-26.rpt | As requested

List of Rules for Rule Subscriptions | This report lists available rules for the Rule Subscriptions. | RPT2006-29-02.rpt | As needed

List of Subscription Rules by User | This report lists the rules that users have subscribed to. | RPT2006-29-03.rpt | As needed

List of Users | This report lists each user entered. Currently, the users are only used for Rule Subscriptions. | RPT2006-29-01.rpt | As needed

Tool Maintenance by Alias | This report is a diagnostic tool used by Customer Support, and generally run only at their request. List of New Tool Data events based on Tool Alias. | RPT2003-14.rpt | As needed

Tool Maintenance by Insertion Point | This report is a diagnostic tool used by Customer Support, and generally run only at their request. List of New Tool Data events based on Agent InsertionIP. | RPT2003-15.rpt | As needed

Tool Maintenance by Provider | This report is a diagnostic tool used by Customer Support, and generally run only at their request. List of New Tool Data events based on ProviderSID. | RPT2003-13.rpt | As needed

Tool Maintenance Detail Report | This report is a diagnostic tool used by Customer Support, and generally run only at their request. The report displays a summary of all SolarWinds error messages received from various tools. | RPT2003-14.rpt | As requested

Tool Maintenance Report | This report is a diagnostic tool used by Customer Support, and generally run only at their request. The report displays a summary of unique SolarWinds error messages received from various tools. | RPT2003-13.rpt | As requested

Report schedule definitions

The following table describes each recommended report schedule.

Schedule | Description

Daily | Run and review this report once each day.

Weekly | Run and review this report once each week.

As needed | SolarWinds suggests that you run these reports only when needed for specific auditing purposes, or when you need the details surrounding a Priority event or a suspicious event.

As requested | These reports are diagnostic tools and should only be run at the request of SolarWinds's technical support personnel.

Appendix G: Connector Configuration Tables


The tables in this section describe the various categories of network security
products that can be connected to LEM, and explain the fields for configuring
sensors, actors, and notification systems.

Connector Categories

The following table describes the various categories of network security products that can be connected to LEM. The Description column describes how the connectors (sensors and actors) typically work with each type of product or device. The Use with columns indicate if each product type requires Manager connectors, Agent connectors, or both.

Category | Description

Anti-Virus | This category lets you configure sensors for use with common anti-virus products. These products protect against, isolate, and remove viruses, worms, and Trojan programs from computer systems. To configure an anti-virus connector, the anti-virus software must already be installed on the Agent computer. Some anti-virus connectors can also be run on the Manager by remotely logging from an Anti-Virus server. Due to software conflicts, it is recommended that you run only one brand of anti-virus software per computer.

Application | This category lets you configure sensors for use with application switches. Application-Layer switches transmit and monitor data at the application layer.

Database | This category lets you configure sensors for use with database auditing products. These products monitor databases for potential database intrusions, changes, and database system events.

File Transfer and Sharing | This category lets you configure sensors for use with file transfer and file sharing products. These products are used to share files over the local network and/or Internet. Monitoring these products provides information about what files are being transferred, by whom, and system events.

Firewalls | This category lets you configure sensors and actors for use with applications and devices that are used to protect and isolate networks from other networks and the Internet. Firewall sensors connect to, read, and retrieve firewall logs. Most firewalls also have an active response connector. These connectors configure actors that interface with routers and firewalls to perform block commands. Actors can perform active responses either via telnet or serial/console cable. Normally, you will configure these connectors on the Manager. To configure a firewall connector, the firewall product must already be installed on the Agent computer, or it must be remotely logging to an Agent or a Manager. Normally, you will configure these connectors on the Manager. You must also configure each firewall's data gathering and active response capabilities separately. For example, configuring a firewall's data gathering capabilities does not configure the firewall's active response settings.

Identity and Access Management | This category lets you configure sensors for use with identity access, identity management, and other single sign-on connectors. These products provide authentication and single sign-on capabilities, account management, and other user access features. Monitoring these products provides information about authentication and management of accounts.

IDS and IPS | This category lets you configure sensors and actors for use with network-based and host-based intrusion detection systems. These products provide information about potential threats on the network or host, and can be used to raise alarms about possible intrusions, misconfigurations, or network issues. Generally, network-based IDS and IPS connectors are configured to log remotely, while host-based IDS and IPS systems log locally on an agent system. Some network-based IPS systems provide the capability to perform an active response via their actor connector, allowing you to block an IP address at the IPS device.

Manager | This category lets you configure sensors for use with the Manager and other Appliances. These connectors monitor for conditions on the Manager that may be informational or display potential problems with the appliances.

Network Management | This category lets you configure sensors for use with network management connectors. These connectors monitor for different types of network activity from users on the network, such as workstation-level process and application monitoring. Generally, these systems are configured to log remotely from a central monitoring server.

Network Services | This category lets you configure sensors for use with different network services. These connectors monitor service-level activity for different network services, including DNS and DHCP. Most network services are configured to log locally on an agent's system, however, some are configured to log remotely.

Operating Systems | This category lets you configure sensors for use with utilities in the Microsoft Windows operating system that monitor system events. This category includes a Windows Active Response connector. This connector configures an actor that enables Windows active response capabilities on Agents using Windows operating systems. This allows LEM to perform operating system-level responses, such as rebooting computers, shutting down computers, disabling networking, and disabling accounts. To configure an operating system connector, the operating system software must already be installed on the Agent computer. If you perform the remote Agent installation, the Windows NT/2000/XP Event Application Logs and System Logs connectors are configured by default.

Proxy Servers and Content Filters | This category lets you configure sensors for use with different content monitoring connectors. These connectors monitor user network activity for such activities as web surfing, IM/chat, and file downloads, and events related to administering the monitoring systems themselves. Generally, these connectors are configured to log remotely from the monitoring system.

Routers/Switches | This category lets you configure sensors, and in some cases actors, for use with different routers and switches. These connectors monitor activity from routers and switches such as connected/disconnected devices, misconfigurations or system problems/events, detailed access-list information, and other related messages. Some routers/switches have the capability to configure an actor connector to block an IP address at the device. Generally, these connectors are configured to log remotely from the router/switch.

System Scan Reporters | This category lets you configure sensors for use with different asset scanning connectors, such as vulnerability scanners. These connectors provide information about potential vulnerabilities, exposures, and misconfigurations with different devices on the network. Generally, these connectors create events in the 'Asset' categories in the event tree.

System Connectors | This category lets you configure the Manager with an external notification system, so LEM can transmit event messages to LEM users via email or pager. For details, see "Setting up a Notification System" on page 596.

VPN and Remote Access | This category lets you configure sensors and actors for use with Virtual Private Network (VPN) server products that provide secure remote access to networks. Normally, you will configure these connectors on the Manager.

Web Server | This category lets you configure sensors for use with Web server products. To configure a web server connector, the web server software must already be installed on the Agent or Manager computer.

Configuring Sensors

The following table describes each field you'll find on the Connector Configuration form when configuring sensors for data gathering connectors. The actual fields that appear depend on the connector you are configuring. Not every field appears with every connector. For convenience, the table is sorted alphabetically by field name.

Field | Description

Alias | Type a name that easily identifies the application or appliance event log file that is being monitored. For active response connectors, we recommend you end the alias with AR. For example, an alias for the Cisco PIX Active Response connector might be Cisco PIX AR. This allows you to differentiate the active response connector from the data gathering connector.

Log File / Log Directory | When you create a new alias for a connector, LEM automatically places a default log file path in the Log File box. This path tells the connector where the operating system stores the product's event log file. For most connectors, you can change the log file path, as needed. However, some products write events to the Windows Application Log or the Windows System Log. In these cases, you are actually configuring the sensor that monitors events that are written to that log file. For these connectors, the Log File setting is disabled, and the system automatically populates the Log File field with the name of the Windows event log the sensor is monitoring. In most cases, you should be able to use the default log file path that is shown for the connector. These paths are based on the default vendor settings and the product documentation for each product. If a different log path is needed, type or paste the correct path in the Log File box, or use the Browse button to explore to the correct folder or file. If you are uncertain about which file path to use, either refer to your original product documentation, or contact SolarWinds Technical Support. Note: If the product creates separate log files based on the current date or some other fixed interval, you can either select the log directory or any log file in that directory. If you select a log file, LEM reads through the directory's log files in order, from the file you selected to the most current file. LEM then reads new files as they are added.

nDepth Host | If you are using a separate nDepth appliance (other than LEM), type the IP address or host name for the nDepth appliance. Generally, the default setting is correct. Only change it if you are advised to do so.

nDepth Port | If you are using a separate nDepth appliance (other than the SolarWinds LEM), type the port number to which the connector is to send nDepth data. Generally, the default setting is correct. Only change it if you are advised to do so.

New File Name Interval | Select the interval in which the connector posts and names each new log file. The interval tells the SolarWinds LEM when to begin reading the next log file. The default setting is Daily: yymmdd.

Output | Select the appropriate data output option: Event - This is the default option. It sends the connector's log file data as events to the SolarWinds LEM for processing by your correlation rules, associated active responses, SolarWinds Consoles, and databases. nDepth - This option sends the connector's log file data to a separate nDepth appliance for archiving. The data does not go to the SolarWinds LEM, so any potential event activity does not appear in the Event Panel. However, you can still use the Console's nDepth explorer to search the data on this appliance. Event, nDepth - SolarWinds recommends that you choose this option if you want to use nDepth to search log messages in addition to events. This option sends the connector's log file data to the SolarWinds LEM for event processing and to SolarWinds nDepth for data archiving. This means the LEM reports potential event activity in the Event Panel, and nDepth archives the connector's output data for later reference. Furthermore, you can use the Console's nDepth explorer to search either type of data.

Server IP Address / [Product] IP Address / [Product] Server | Type the IP address of the router or firewall. Use the following IP address format: 192.123.123.123.

Sleep Time | Type or select the time (in seconds) the connector sensor is to wait between event monitoring sessions. The default (and minimum) value for all connectors is one (1) second. If you experience adverse effects due to too many rapid readings of log entries, increase the Sleep Time for the appropriate connectors. Windows NT-based connectors automatically notify Windows Event Log sensors of new events that enter the log file. Should automatic notification stop for any reason, the Sleep Time dictates the interval the sensor is to use for monitoring new events.

Connector Version | This is SolarWinds's release version for this connector. This is read-only information for reference purposes.

Wrapper Name | This is an identification key that the SolarWinds LEM uses to uniquely identify the properties that apply to this particular connector. This is read-only information for SolarWinds reference purposes.

If the connector settings you need are not shown here, you are probably configuring an active response connector. See "Configuring Actors," below. When you have finished configuring the connector settings, don't forget to start the connector.
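The Log File / Log Directory note and the New File Name Interval default above describe how a sensor walks a directory of dated log files; the following Python is an added example, not SolarWinds code, that models that walk over a constructed directory listing. The ".log" suffix, the 20yy century for yymmdd names and the listing format are assumptions made for this example.

```python
"""Added example, not SolarWinds code.

Models the Log File / Log Directory behaviour described on this page: a
product writes one log file per New File Name Interval (default Daily,
named yymmdd), a sensor pointed at one file reads that file and every
later one in date order, and then picks up new files as they appear.
"""
import re
from datetime import date

# Default New File Name Interval is Daily with yymmdd names; the ".log"
# suffix and the 20yy century are assumptions for this example.
NAME_PATTERNS = {
    "Daily": re.compile(r"^(?P<y>\d{2})(?P<m>\d{2})(?P<d>\d{2})\.log$"),
}


def file_date(name, interval="Daily"):
    """Date encoded in a log file name, or None if the name does not fit."""
    m = NAME_PATTERNS[interval].match(name)
    if not m:
        return None
    try:
        return date(2000 + int(m["y"]), int(m["m"]), int(m["d"]))
    except ValueError:  # e.g. 150231.log is not a real date: skip it
        return None


def ordered_log_files(listing, interval="Daily"):
    """Dated files in the directory, oldest first; other files are ignored."""
    dated = [(file_date(n, interval), n) for n in listing]
    return [n for _, n in sorted((d, n) for d, n in dated if d)]


def reading_order(listing, selected=None, interval="Daily"):
    """Files the sensor reads, in order. Selecting a file starts there and
    continues to the most current file; selecting the directory (None)
    reads everything."""
    files = ordered_log_files(listing, interval)
    if selected is None:
        return files
    start = file_date(selected, interval)
    if start is None:
        raise ValueError(f"{selected!r} does not match the {interval} naming")
    # Compare by date rather than by membership so a start file that has
    # already been rotated away still yields the later ones.
    return [n for n in files if file_date(n, interval) >= start]


def new_files_since(listing, last_read, interval="Daily"):
    """Files added after the one most recently read (the 'then reads new
    files as they are added' step); a sensor checks this every Sleep Time."""
    last = file_date(last_read, interval)
    return [n for n in ordered_log_files(listing, interval)
            if file_date(n, interval) > last]


if __name__ == "__main__":
    # Constructed directory listing for a product with Daily yymmdd files.
    listing = ["150829.log", "150830.log", "150831.log", "150901.log",
               "readme.txt", "150231.log"]
    print(reading_order(listing, "150830.log"))
    # → ['150830.log', '150831.log', '150901.log']
    print(new_files_since(listing + ["150902.log"], "150901.log"))
    # → ['150902.log']
```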

Configuring Actors

The following table describes each field you will find on the Connector Configuration form when configuring actors for active response connectors. Because each connector is product-based, the fields that appear depend on the connector you are currently configuring. Not every field appears with every connector. For convenience, the table is sorted alphabetically by field name.

Field | Recommended field settings

Advanced | These settings are no longer applicable.

Auth Port | For CheckPoint OPSEC firewalls, select the port used to connect to the CheckPoint server via the LEA/OPSEC interface.

Base URL | Type the URL to connect to the SonicWALL firewall and perform the login. Include http:// at the beginning of the URL. Note: SolarWinds does not support HTTPS. Only use this connector for older SonicWALL firmware versions.

Block Timeout | For CheckPoint OPSEC firewalls, type the timeout in seconds for the blocks to expire from the firewall. A value of zero (0) means never expire.

Client DN | For CheckPoint OPSEC firewalls, type the client DN string. The CN and O must be uppercase.

Configuration Mode | Select either telnet or SerialPort.

Enable Password | Type the connector's password for entering Enable mode.

Enable Windows Active Response | For the Windows Active Response connector, select this check box to enable active response settings.

From Zone | Type the external zone used for configuring restrictions on firewall connections.

Incoming Interface | Type the Interface for which the block is to be made effective; that is, the Interface for which incoming traffic will be filtered to prevent traffic from the blocked IP address.

Password / Login Password | Type the connector's login password. For some products, the password name must be the same one that was used when the firewall was installed.

Port Name / Serial Port Name | Select a serial port for performing active response via console cable, if applicable. The port name represents the physical communication port on the computer. The port name is only relevant if the Configuration Mode (above) is set to SerialPort. /dev/ttyS0 = serial port 1, and /dev/ttyS1 = serial port 2. If the Configuration Mode is set to telnet, then this field is disabled and the Port Name box reads: There are no ports available.

Remote Connection Port | Type the firewall port used for connecting to and configuring the firewall.

Server DN | For CheckPoint OPSEC firewalls, type the server DN string. The cn and o must be lowercase.

Server Port | For CheckPoint OPSEC firewalls, select the port used to connect to the CheckPoint server via the SAM/OPSEC interface.

Server / Server Address / IP Address / [Product] IP Address | Type the IP address of the router or firewall. This address allows LEM to perform active responses to events on that particular router or firewall. Use the following IP address format: 192.123.123.123.

SSLCA | For CheckPoint OPSEC firewalls, click the Browse button to locate the SSL certificate file to upload to the server. If the connector is already configured, then use the existing certificate on the server. You can use the same path for both the LEA (log reading) and SAM (active response) certificates.

Take Admin Control | Only one person can configure the firewall at one time. Selecting this check box allows LEM's active response to take administrative control over the firewall when a user is logged into the WatchGuard Management Console. That is, LEM disconnects the user and takes control over the firewall.

To Zone | Type the internal zone used for configuring restrictions on firewall connections.

Connector Configuration Instance (Alias) | Type a name that easily identifies the product that LEM is to act on. For active response connectors, we recommend you end the alias with AR. For example, an alias for the Cisco PIX Active Response connector might be Cisco PIX AR. This allows you to differentiate the active response connector from the data gathering connector.

User Name / Login User Name | Type the user name needed to log onto and configure the firewall. For some products, the user name must be the same one that was used when the firewall was installed.

If the connector settings you need are not shown here, you are probably configuring a data gathering connector. When you have finished configuring the connector settings, don't forget to start the connector.

Setting up a Notification System

The Connector Configuration form has a category called System connectors that you can use to set up an external notification system. This allows the Manager to transmit messages to SolarWinds users via e-mail or pager, to record pertinent event data or text to a specified file, or to synchronize your existing Directory Service Groups with your existing network directory services.
The following table explains how to configure each option in the System connectors category.

Field | Recommended field settings

Append Text to File Active Response

Description | Use this connector to have the Agent write the specified event data or text to the specified file.

How to append | Select Newline to write the event data to the file so that each event is on a distinct line (that is, one event per line), by inserting a return or newline character. Select No Newline to stream the event data to the file by appending the new data immediately following any existing data in the file.

Maximum file size (MB) | Type the allowable maximum file size for the text file, in Megabytes.

Directory Service Query

Description | Use this connector to have the Manager communicate with existing directory services on the network to retrieve and update group information. This allows you to synchronize your existing Directory Service Groups for use with rules and filters.

User Name | Type a user name that is valid on the configured domain and server for authenticating to the domain and retrieving group information.

Directory Service Server | Type the IP address or host name of your directory services server (commonly, this is a domain controller).

Domain Name | Type the fully-qualified domain name of your directory services domain.

Password | Type the password for the above user name that is valid on the configured domain and server for authenticating to the domain and retrieving group information.

Directory Service Server's Port | Type the port used to communicate with the directory service server.

Email Active Response

Description | Use this connector to have a Manager automatically notify users of events when configured to do so by event policy.

Return Display Name | Type the name that you want to appear in the From field of active response e-mail messages.

Port | Type the port used to communicate with the internal email server.

Return Address | Type the email address that you want to appear in the From field of active response email messages.

Mail Host | Type the IP address or host name of an internal SMTP server that the Manager can use to send email messages through without authentication.

Authentication Server Username | Type the user name needed to access the internal email server, if required.

Authentication Server Password | Type the password needed to access the internal email server, if required.

Test E-mail Address | Type the e-mail address you want to use to test the Mail Host assignment. When you click the Test Email button, a test message should appear at this email address.

Test Email button | This button tests your email notification settings to ensure that you entered the correct e-mail host. Click the Test Email button. Then check the email address's in-box. If you entered the correct address, the in-box should receive the test message.

Appendix H: Filter Configuration Tables

The following table is for use with Filter Creation. It lists the possible filter combinations that you can create in the Conditions box for each type of field.
- The Left field column lists each type of field you can drag into the Conditions box's left field.
- The Right field column lists the corresponding field types that you can drag into the Conditions box's right field.
- The Operators columns list the types of comparisons you can make between left and right fields.

Operators: exists, not exists, in, not in, =, >, >=, <, <=

Left field | Right field

event |

event group |

text event field | text event field, text event group field, text constant, directory service group, subscription group, connector profile, user-defined group

time event field | time event field, time event group field, time constant, time of day

number event field | number event field, number event group field, number constant

text event group field | text event field, text event group field, text constant, directory service group, subscription group, connector profile, user-defined group

time event group field | time event field, time event group field, time constant, time of day

number event group field | number event field, number event group field, number constant

text constant | directory service group, connector profile, user-defined group

number constant | directory service group, connector profile, user-defined group

time constant | directory service group, connector profile, user-defined group

Comparing Values with Operators

When configuring a rule or a filter, whenever you drag an item from the list pane
and position it next to an event variable, an operator icon appears between them.
The operator states how the event variable must compare with the other item to
be subject to the rule's or filter's conditions.
For example, an operator might state whether or not an event should be
contained within or outside of a Time of Day Set; or it may state whether or not
an event applies to a particular Connector Profile.
The operators that appear between two elements vary, depending on your
selections. The form only allows comparisons that are logical for the elements
you have selected. For more information on which operators are available for a
particular field, see the reference tables (the filter configuration table above and
the rule correlation table in Appendix I). Each of these tables provides a matrix of
valid operators for comparing an event variable to other elements.

Selecting a new operator

- Click an operator to cycle through the various operators that are acceptable
  for the current condition.
- Ctrl+click an operator to show a list of operators you can choose from. Then
  click to select the operator you want to use.

Operator tips

The following tips apply to operators:

- When comparing two numeric values, the full range of mathematical
  operator options is available.
- An IP address is treated as a string (or text) value. Therefore, operators are
  limited to equal and not equal.
- DateTime fields have a default value of > Time Now, which means greater
  than the current date and time.

Table of operators

The following table describes each operator and how it should be interpreted
when used as a filter condition.

Exists, Not exist
    Use these operators to specify if a particular event or Event Group exists.
    Read conditions with these operators as follows: This [event/Event Group]
    must [exist/not exist].
    Note: "Not exist" is only used in rules.

is in, is not in
    Use these operators when comparing event fields with groups (such as Event
    Groups, User-Defined Groups, etc.). They determine the filter's behavior,
    based on whether or not the field is contained in a specific Group.
    Read conditions with these operators as follows:
    - This [event field] must be in this [Group].
    - This [event field] must not be in this [Group].

Equals, Does not equal
    Read conditions with these operators as follows:
    - This [event variable] must equal this [list item*].
    - This [event variable] must not equal this [list item*].
    Text comparisons (for IP addresses, host names, etc.) are limited to equal
    or not equal operators.

Greater than, Greater than OR equal to, Less than, Less than OR equal to
    Read conditions with these operators as follows:
    - This [event variable] must be greater than this [list item*].
    - This [event variable] must be greater than or equal to this [list item*].
    - This [event variable] must be less than this [list item*].
    - This [event variable] must be less than or equal to this [list item*].

AND, OR
    Conditions and groups of conditions are subject to AND and OR comparisons.
    - The AND symbol means two or more conditions (or groups) must occur
      together for the filter to apply. This is the default comparison for new
      groups.
    - The OR symbol means any one of several conditions (or groups) may occur
      for the filter to apply. When comparing groups of distinct events, you
      must use the OR symbol.
    If you click an AND operator, it changes to an OR, and vice versa.

*A list item can be another event variable, such as an event field. For example,
you may want to compare that an event's source is equal to a destination. In this
case, you would compare two event fields, such as SourceMachine =
DestinationMachine.
Examples of AND and OR conditions

Filter groups and conditions, and rule groups and correlations, are all subject to
AND and OR conditions. By default, new groups, conditions, and correlations
appear with an AND condition. AND and OR conditions can surround nested
groups, and they can be used between groups on the same level to create
complex filter conditions or rule correlations.

Example: If x AND y AND z occur, report the event.
    If all of the conditions apply, report the event.

Example: If x OR y OR z occurs, report the event.
    If any of the conditions apply, report the event.

Example: If (x AND y) OR z occurs, report the event.
    If conditions x and y occur, or if condition z occurs, report the event.

Example: If (a AND b) OR (x AND y) OR (z) occurs, report the event.
    In this case, you would create three groups, two nested within the third:
        Condition1 AND
        Condition2 AND Condition3
        OR
        Condition4 AND Condition5.
    The nested groups are configured as (a AND b) and (x AND y), joined with
    an OR. The outer group is configured as (z), surrounding the nested groups
    with an OR.
    In this example, the filter reports the event when it meets the following
    conditions: Condition1 and Condition2 and Condition3, or Condition1 and
    Condition4 and Condition5.

Configuring event filter notifications


In Filter Creation, the Notifications box lets you define how the Console is to
notify a user when the filter receives an event. Each notification option instructs
the Console to announce the event in a particular way. You can have the filter
display a pop-up message, display the event in bold text, play a warning sound,
have the filter name blink, or configure a combination of these methods.

Selecting the notification method

1. In the list pane, click the Notifications list.
2. Drag one or more notification options from the Notifications list to the
   Notifications box.
3. Configure each option, as described in the Notifications table, below.

Notifications table

The following table lists the various notification methods that can be employed to
notify a user that a filter's event threshold has been met.

- The Notification column lists each option that is available in the list pane's
  Notifications list. They are alphabetized for easy reference.
- The Description column briefly states how each option behaves.
- The Fields column explains the data fields that can be configured for each
  option.

Notification: Display Popup Message
    Description: This option causes the filter to display the Popup Notification
    form when receiving an event. This form states the name of the filter that is
    receiving the events, and that the filter's event threshold has been met.
    From the form, the message recipient can choose to view the filter, to turn
    off the pop-up form for that filter, or to turn off the pop-up form for all
    filters.
    Fields:
    - Notify on x events received: Type the number of events the filter must
      receive before displaying the Popup Notification form.
    - Repeat on x events received: If you want the pop-up form to appear again
      after receiving repeated events, select the Repeat on check box. Then in
      the events received box, type how many more events the filter should
      receive before issuing the pop-up form another time.

Notification: Display New Events As Unread
    Description: This option displays new events in the filter with bold text.
    They remain bold until you acknowledge them by clicking them or by
    opening them in the Event Explorer.
    Fields: Not applicable

Notification: Enable Blinking Filter Name
    Description: This option causes the filter name to blink in the Filters pane.
    Fields:
    - Color: Click the Color button to open the Blink Color form. Choose a color
      from one of the three color palettes. Then click OK. The filter name will
      blink in this color.
    - Time (ms): Move the slider to select the amount of time between blinks, in
      milliseconds.
    - Notify on x events received: Type the number of events the filter must
      receive before the filter tab begins blinking.
    - Repeat on x events received: The filter tab stops blinking once you
      acknowledge it by selecting it. If you want the tab to begin blinking again
      after receiving repeated events, select the Repeat on check box. Then in
      the events received box, type how many more events the filter should
      receive before it starts blinking again.

Notification: Play Sound
    Description: This option causes the filter to play a sound upon receiving an
    event.
    Fields:
    - Sound/Browse: To select a sound, click the Browse button. Then use the
      Open form to locate and select the sound file that you want to use. Sound
      files must be of the .wav file type. When you are done, the name of the
      file should appear in the Sound box. To test the sound, click the play
      button.
    - Notify on x events received: Type the number of events the filter must
      receive before playing the sound.
    - Repeat on x events received: If you want the sound to play again after
      receiving repeated events, select the Repeat on check box. Then in the
      events received box, type how many more events the filter should
      receive before the filter plays the sound another time.


Appendix I: Rule Configuration Tables


Rule Correlation Table

The following table is for use with Rule Creation. It lists the possible rule
configurations you can create in the rule window's Correlations box for each type
of field.

- The Left field column lists each type of field you can drag into the
  Correlations box's left field.
- The Right field column lists the corresponding field types that you can drag
  into the Correlations box's right field.
- The Operators columns list the types of comparisons you can make
  between left and right fields: exists, not exists, not in, in, =, >, >=, <, <=.

Left field                  Right field
event                       (none; compared with the exists or not exists operator)
event group                 (none; compared with the exists or not exists operator)
text event field            text event field, text event group field, text state
                            variable field, text constant, directory service group,
                            connector profile, user-defined group
time event field            time event field, time event group field, time state
                            variable field, time constant, time of day
number event field          number event field, number event group field, number
                            state variable field, number constant
text event group field      text event field, text event group field, text state
                            variable field, text constant, directory service group,
                            connector profile, user-defined group
time event group field      time event field, time event group field, time state
                            variable field, time constant, time of day
number event group field    number event field, number event group field, number
                            state variable field, number constant
text state variable         text event field, text event group field, text state
                            variable field, text constant, directory service group,
                            connector profile, user-defined group
time state variable         time event field, time event group field, time state
                            variable field, time constant, time of day
number state variable       number event field, number event group field, number
                            state variable field, number constant
text constant               directory service group, connector profile,
                            user-defined group
number constant             directory service group, connector profile,
                            user-defined group
time constant               directory service group, connector profile,
                            user-defined group

Comparing Values with Operators

When configuring a rule or a filter, whenever you drag an item from the list pane
and position it next to an event variable, an operator icon appears between them.
The operator states how the event variable must compare with the other item to
be subject to the rule's or filter's conditions.
For example, an operator might state whether or not an event should be
contained within or outside of a Time of Day Set; or it may state whether or not
an event applies to a particular Connector Profile.

Selecting a New Operator

- Click an operator to cycle through the various operators that are acceptable
  for the current condition.
- Ctrl+click an operator to show a list of operators you can choose from. Then
  click to select the operator you want to use.

Operator Tips

The following tips apply to operators:

- When comparing two numeric values, the full range of mathematical
  operator options is available.
- An IP address is treated as a string (or text) value. Therefore, operators are
  limited to equal and not equal.
- DateTime fields have a default value of > Time Now, which means greater
  than the current date and time.

Filter groups and conditions, and rule groups and correlations, are all subject to
AND and OR conditions. By default, new groups, conditions, and correlations
appear with an AND condition. AND and OR conditions can surround nested
groups, and they can be used between groups on the same level to create
complex filter conditions or rule correlations.

Example: If x AND y AND z occur, report the event.
    If all of the conditions apply, report the event.

Example: If x OR y OR z occurs, report the event.
    If any of the conditions apply, report the event.

Example: If (x AND y) OR z occurs, report the event.
    If conditions x and y occur, or if condition z occurs, report the event.

Example: If (a AND b) OR (x AND y) OR (z) occurs, report the event.
    In this case, you would create three groups, two nested within the third:
        Condition1 AND
        Condition2 AND Condition3
        OR
        Condition4 AND Condition5.
    The nested groups are configured as (a AND b) and (x AND y), joined with
    an OR. The outer group is configured as (z), surrounding the nested groups
    with an OR.
    In this example, the filter reports the event when it meets the following
    conditions: Condition1 and Condition2 and Condition3, or Condition1 and
    Condition4 and Condition5.
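The nested AND/OR groups and typed operators described in this appendix, together with the USB rule from Appendix J (Auto-populating User-Defined Groups Using a LEM Rule), as an added example that is not LEM's own code. Field names such as SystemStatus.EventInfo and SourceMachine come from the page; the event records, the host name LAB-PC-01 and the device ID are constructed.

```python
"""Added example (not LEM code): evaluate nested AND/OR condition groups with
the operator restrictions the page describes, then run the Appendix J USB rule."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Any, Dict, List, Set, Union

# Operators the page allows per left-field type. Text values (IP addresses and
# host names are text) get only equal / not equal plus group membership;
# number and time fields get the full range of comparisons.
ALLOWED_OPS = {
    "text": {"=", "!=", "in", "not in"},
    "number": {"=", "!=", ">", ">=", "<", "<="},
    "time": {"=", "!=", ">", ">=", "<", "<="},
}


@dataclass(frozen=True)
class Field:
    """A right-hand list item that is itself an event field (SourceMachine = DestinationMachine)."""
    name: str


@dataclass
class Condition:
    left: str                 # event field on the left, e.g. "SystemStatus.EventInfo"
    op: str
    right: Any                # constant, Field, or a group (set) for in / not in
    ftype: str = "text"       # "text" | "number" | "time"


@dataclass
class Group:
    join: str = "AND"         # AND is the default for a new group
    members: List[Union["Group", Condition]] = field(default_factory=list)


def eval_condition(cond: Condition, event: Dict[str, Any]) -> bool:
    """Evaluate one condition, refusing operators the field type does not support."""
    if cond.op not in ALLOWED_OPS[cond.ftype]:
        raise ValueError(f"{cond.op!r} is not a valid operator for a {cond.ftype} field")
    if cond.left not in event:
        return False
    left = event[cond.left]
    right = event.get(cond.right.name) if isinstance(cond.right, Field) else cond.right
    if right is None:
        return False
    if cond.op in ("in", "not in"):            # membership in a group
        return (left in right) == (cond.op == "in")
    if cond.ftype == "text":                    # text constants may use * wildcards, as in *Attached*
        matched = fnmatchcase(str(left), str(right))   # assumption: case-sensitive matching
        return matched == (cond.op == "=")
    return {"=": left == right, "!=": left != right, ">": left > right,
            ">=": left >= right, "<": left < right, "<=": left <= right}[cond.op]


def evaluate(node: Union[Group, Condition], event: Dict[str, Any]) -> bool:
    """Walk nested groups: AND needs every member to hold, OR needs any member."""
    if isinstance(node, Condition):
        return eval_condition(node, event)
    results = [evaluate(m, event) for m in node.members]
    return all(results) if node.join == "AND" else any(results)


def nested_example() -> Group:
    """The page's (a AND b) OR (x AND y) OR (z): three groups, two nested inside an outer OR."""
    a = Condition("Severity", ">=", 7, "number")
    b = Condition("DestinationMachine", "in", {"dc01", "dc02"})         # constructed group
    x = Condition("SourceMachine", "=", Field("DestinationMachine"))
    y = Condition("EventName", "=", "UserLogonFailure")
    z = Condition("SourceIP", "=", "10.0.0.5")                          # IP compared as text
    return Group("OR", [Group("AND", [a, b]), Group("AND", [x, y]), z])


# The Appendix J USB rule: correlation plus an Add User-Defined Group Element action.
AUTHORIZED_USB: Set[str] = set()        # the "Authorized USB Devices" user-defined group
USB_RULE = Group("AND", [
    Condition("SystemStatus.EventInfo", "=", "*Attached*"),
    Condition("SystemStatus.DetectionIP", "=", "*LAB-PC-01*"),         # constructed host name
])
# A filter that later consults the group with the 'is in' operator.
KNOWN_USB_FILTER = Condition("SystemStatus.ExtraneousInfo", "in", AUTHORIZED_USB)


def run_usb_rule(event: Dict[str, Any]) -> bool:
    """Fire the action (add ExtraneousInfo to the group) when the correlation matches."""
    if not evaluate(USB_RULE, event):
        return False
    AUTHORIZED_USB.add(event["SystemStatus.ExtraneousInfo"])
    return True


if __name__ == "__main__":
    attach = {"SystemStatus.EventInfo": "USB Mass Storage Device Attached",   # constructed
              "SystemStatus.DetectionIP": "LAB-PC-01",
              "SystemStatus.ExtraneousInfo": "VID_0781&PID_5567&SN_EXAMPLE"}
    print("rule fired:", run_usb_rule(attach), "->", sorted(AUTHORIZED_USB))
    print("device now known:", evaluate(KNOWN_USB_FILTER, attach))
```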

Accountable
The following table lists the various actions a Manager can take to respond to
events. These actions are configured in the Respond form when you are
initiating an active response, and in the rule window's Actions box when you
are configuring a rule's automatic response.
The table's Action column lists the actions that are available. They are
alphabetized for easy reference. The Description column briefly states how the
action behaves. The Fields column lists the primary data fields that apply with
each action. Some data fields will vary, depending on the options you select.

Action: Add Domain User To Group
    Description: This action adds a domain user to a specified user group that
    resides on a particular Agent.
    Fields:
    - Domain Controller Agent: Select the event field or constant that defines
      the Agent on which the group to be modified resides. To modify a group at
      the domain level, specify a domain controller as the Agent.
    - Group Name: Select the event field or constant that defines the group that
      is to be modified.
    - Username: Select the event field or constant that defines the user who is
      to be added to the group.

Action: Add Local User To Group
    Description: This action adds a local user to a specified user group that
    resides on a particular Agent.
    Fields:
    - Agent: Select the event field or constant that defines the Agent on which
      the group to be modified resides. To modify a group at the domain level,
      specify a domain controller as the Agent.
    - Group Name: Select the event field or constant that defines the group that
      is to be modified.
    - Username: Select the event field or constant that defines the user who is
      to be added to the group.

Action: Add User-Defined Group Element
    Description: This action adds a new data element to a particular
    user-defined group.
    Fields:
    - User-Defined Group: From the User-Defined Groups list, select the
      User-Defined Group that is to receive the new data element.
    - Value: Select the event field or constant that defines the data element
      that is to be added to the specified User-Defined Group. The fields will
      vary according to which User-Defined Group you select.

Action: Append Text To File
    Description: This action appends text to a file. This allows you to take
    data from an event and put it in a text file.
    Fields:
    - Agent: Select the event field or constant that defines the Agent on which
      the file to be appended is located.
    - File Path: Select the event field or constant that defines the path to the
      Agent file that is to be appended with text.
    - Text: Select the event field or constant that defines the text to be
      appended to the file.

Action: Block IP
    Description: This action blocks an IP address.
    Fields:
    - IP Address: Select the event field or constant that identifies the
      device's IP address.

Action: Create User Account
    Description: This action creates a new user account on an Agent.
    Fields:
    - Agent: Select the event field or constant that defines the Agent on which
      the new user account is to be added. To create a user account at the
      domain level, specify a domain controller as the Agent.
    - Account Name: Select the event field or constant that names the account
      that is to be created.
    - Account Password: Select the event field or constant that defines the
      password that is to be assigned to the new account.

Action: Create User Group
    Description: This action creates a specified user group on an Agent. A user
    group is a new group of Windows users on a Windows PC, server, or network
    who are external to the LEM system.
    Fields:
    - Agent: Select the event field or constant that defines the Agent on which
      the new user group is to reside. To create a user group at the domain
      level, specify a domain controller as the Agent.
    - Group Name: Select the event field or constant that defines which user
      group is to be created.

Action: Delete User Account
    Description: This action deletes a user account from an Agent.
    Fields:
    - Agent: Select the event field or constant that defines the Agent on which
      the user account is to be deleted. To delete a user account at the domain
      level, specify a domain controller as the Agent.
    - Account Name: Select the event field or constant that names the account
      that is to be deleted.

Action: Delete User Group
    Description: This action deletes a user group from a particular Agent.
    Fields:
    - Agent: Select the event field or constant that defines the Agent on which
      the user group to be deleted resides. To delete a user group at the domain
      level, specify a domain controller as the Agent.
    - Group Name: Select the event field or constant that defines the user group
      that is to be deleted.

Action: Detach USB Device
    Description: This action detaches a USB mass storage device that is
    connected to an Agent.
    Fields:
    - Agent: Select the event field or constant that defines the Agent from
      which the USB device is to be detached.
    - Device: Select the event field or constant that defines the device ID of
      the USB device that is to be detached.

Action: Disable Domain User Account
    Description: This action disables a Domain User Account on a Domain
    Controller Agent.
    Fields:
    - Domain Controller Agent: Select the event field or constant that defines
      the Domain Controller Agent on which the domain user is to be disabled.
    - Destination Account: Select the event field or constant that defines the
      account that is to be disabled.

Action: Disable Local User Account
    Description: This action disables a local user account on an Agent.
    Fields:
    - Agent: Select the event field or constant that defines the Agent on which
      the local user is to be disabled.
    - Destination Account: Select the event field or constant that defines the
      account that is to be disabled.

Action: Disable Networking
    Description: This action disables an Agent's network access. The result is
    that the specified Agent will be unable to connect to the network.
    Fields:
    - Agent: Select the event field or constant that defines the Agent that is
      to be disabled from the network.
    - Message: Type the message that is to appear on the Agent.

Action: Disable Windows Machine Account
    Description: This action disables a Windows machine account that resides
    on a Domain Controller Agent.
    Fields:
    - Domain Controller Agent: Select the event field or constant that defines
      the Domain Controller Agent on which the account is to be disabled.
    - Destination Account: Select the event field or constant that specifies
      which Windows account is to be disabled.

Action: Enable Domain User Account
    Description: This action enables a Domain User Account on a Domain
    Controller Agent.
    Fields:
    - Domain Controller Agent: Select the event field or constant that defines
      the Domain Controller Agent on which the domain user is to be enabled.
    - Destination Account: Select the event field or constant that defines the
      account that is to be enabled.

Action: Enable Local User Account
    Description: This action enables a local user account on an Agent.
    Fields:
    - Agent: Select the event field or constant that defines the Agent on which
      the local user is to be enabled.
    - Destination Account: Select the event field or constant that defines the
      account that is to be enabled.

Action: Enable Windows Machine Account
    Description: This action enables a Windows machine account that resides on
    a Domain Controller Agent.
    Fields:
    - Domain Controller Agent: Select the event field or constant that defines
      the Domain Controller Agent on which the account is to be enabled.
    - Destination Account: Select the event field or constant that specifies
      which Windows account is to be enabled.

Action: Incident Event
    Description: This action escalates potential issues by creating an Incident
    Event.
    Fields:
    - Event: Select which Incident Event the rule is to create.
    - Event Fields: From the list pane, select the events and constants that
      define the appropriate data elements for each event field. The fields
      vary, depending on which Incident Event is selected.

Action: Infer Event
    Description: This action escalates potentially irregular audit traffic into
    security events by creating (or inferring) a new event with a higher
    severity.
    Fields:
    - Event: Select which Event the rule is to infer.
    - Event Fields: From the list pane, select the events and constants that
      define the appropriate data elements for each event field. The fields
      vary, depending on which event is selected.

Action: Kill Process by ID
    Description: This action terminates the specified process on an Agent by
    using its process ID value.
    Fields:
    - Agent: Select the event field or constant that defines the Agent on which
      the process is to be terminated.
    - Process ID: Select the event field or constant that identifies the ID
      number of the process that is to be terminated.

Action: Kill Process by Name
    Description: This action terminates the specified process on an Agent by
    referring to the process name.
    Fields:
    - Agent: Select the event field or constant that defines the Agent on which
      the process is to be terminated.
    - Process Name: Select the event field or constant that identifies the name
      of the process that is to be terminated.
    - Account Name: Select the event field or constant that identifies the name
      of the account that is running the process to be terminated.

Action: Log Off User
    Description: This action logs the user off of an Agent.
    Fields:
    - Agent: Select the event field or constant that defines the Agent from
      which the user is to be logged off.
    - Account Name: Select the event field or constant that identifies the
      specific account name that is to be logged off.

Action: Modify State Variable
    Description: This action modifies a state variable.
    Fields:
    - State Variable: From the State Variables list, drag the state variable
      that the rule is to modify.
    - State Variable Fields: From the appropriate component list, type or drag
      the data element that is to be modified in the state variable. The fields
      vary, depending on which state variable is selected.

Action: Remove Domain User From Group
    Description: This action removes a domain user from a specified user group
    that resides on a particular Agent.
    Fields:
    - Domain Controller Agent: Select the event field or constant that defines
      the domain controller Agent on which the group to be modified resides.
    - Group Name: Select the event field or constant that defines the group
      that is to be modified.
    - User Name: Select the event field or constant that defines the user who
      is to be removed from the group.

Action: Remove Local User From Group
    Description: This action removes a local user from a specified user group
    that resides on a particular Agent.
    Fields:
    - Agent: Select the event field or constant that defines the Agent on which
      the group to be modified resides.
    - Group Name: Select the event field or constant that defines the group
      that is to be modified.
    - User Name: Select the event field or constant that defines the user who
      is to be removed from the group.

Action: Remove User-Defined Group Element
    Description: This action removes a data element from a particular
    user-defined group.
    Fields:
    - User-Defined Group: From the User-Defined Groups list, select the
      user-defined group from which the specified data element is to be removed.
    - Value: Select the event field or constant that defines the data element
      that is to be removed from the specified user-defined group. The fields
      will vary according to which user-defined group you select.

Action: Reset User Account Password
    Description: This action resets a user account password on a particular
    Agent.
    Fields:
    - Agent: Select the event field or constant that identifies the Agent on
      which the user password is to be reset. To reset an account at the domain
      level, specify a domain controller as the Agent.
    - Account Name: Select the event field or constant that identifies the user
      account that is to be reset.
    - New Password: Select the event field or constant that defines the user's
      new password.

Action: Restart Machine
    Description: This action reboots an Agent.
    Fields:
    - Agent: Select the event field or constant that identifies the Agent that
      is to be rebooted.
    - Delay (sec): Type the time (in seconds) after the event occurs that the
      Manager is to wait before rebooting the Agent.

Action: Restart Windows Service
    Description: This action restarts the specified Windows service on an Agent.
    Fields:
    - Agent: Select the event field or constant that identifies the Agent on
      which the Windows service will be restarted.
    - Service Name: Select the event field or constant that identifies the name
      of the service that is to be restarted.

Action: Send Email Message
    Description: This action sends a preconfigured email message to a
    predetermined email distribution list.
    Fields:
    - Email Template: Select the template that the email message is to use.
    - Recipients: Click the check boxes to select which users are to receive
      the email message.
    - Email Fields: Either drag a field from the components list, or select a
      constant from the components list to select the appropriate data elements
      that are to appear in each email template field. The fields vary,
      depending on which email template is selected.

Action: Send Popup Message
    Description: This action displays a pop-up message to an Agent.
    Fields:
    - Agent: Select the event field or constant that identifies the Agent that
      is to receive the pop-up message.
    - Account Name: Select the event field or constant that identifies the user
      account to receive the message.
    - Message: Select the event field or constant that defines the message that
      is to appear on the Agent's monitor.

Action: Shutdown Machine
    Description: This action shuts down an Agent.
    Fields:
    - Agent: Select the event field or constant that identifies the Agent that
      is to be shut down.
    - Delay (sec): Type the time (in seconds) after the event occurs that the
      Manager is to wait before shutting down the Agent.

Action: Start Windows Service
    Description: This action starts the specified Windows service on an Agent.
    Fields:
    - Agent: Select the event field or constant that identifies the Agent on
      which the Windows service is to be started.
    - Service Name: Select the event field or constant that defines the Windows
      service that is to be started.

Action: Stop Windows Service
    Description: This action stops the specified Windows service on an Agent.
    Fields:
    - Agent: Select the event field or constant that identifies the Agent on
      which the Windows service is to be stopped.
    - Service Name: Select the event field or constant that defines the Windows
      service that is to be stopped.


Appendix J: Additional Configuration and Troubleshooting Information

1. Auto-populating User-defined Groups Using a LEM Rule
2. Configuring Default Batch Reports on Vista/7/2008 Computers
3. Configuring LEM Reports on Computers Without the LEM Console
4. Configuring Report Restrictions
5. Configuring your LEM Appliance Log Message Storage and nDepth Search
6. Creating a Custom Filtered Report
7. Creating a Filter for a Specific Event Type
8. Creating Connector Profiles to Manage and Monitor LEM Agents
9. Creating Email Templates in the LEM Console
10. Creating Rules from Your LEM Console to Take Automated Action
11. Creating Users in the LEM Console
12. Disabling Windows Filtering Platform Alerts Using Alert Distribution Policy
13. Do not modify the Output, nDepth Host, or nDepth Port fields when
configuring LEM connectors unless your appliance is set up to store original
log data
14. Enabling file auditing in Windows
15. Enabling LEM to Track Events
16. Filtering and Exporting LEM Reports
17. Getting Started with User-Defined Group
18. Modifying Filters for Users with the Monitor Role
19. Output, nDepth Host, nDepth Port Fields
20. Report Formats and their corresponding numbers listed in a LEM scheduled
report ini file
21. Troubleshooting LEM Agent Connections
22. Troubleshooting LEM Rules and Email Responses
23. Troubleshooting 'Unmatched Data' or 'Internal New Tool Data' events in
your LEM Console

24. Using the Append Text To File Active Response
25. Using the Block IP Active Response
26. Using the Computer-based Active Response
27. Using the Detach USB Device Active Response
28. Using the Disable Networking Active Response
29. Using the Kill Process Active Response
30. Using the SolarWinds LEM Local Agent Installer Non-interactively
31. Using the SolarWinds LEM Remote Agent Installer
32. Using Time of Day Sets to Pinpoint Specific Time Frames in Filters and
Rules
33. Using the User-based Active Response
34. Viewing All Traffic from a Specific Device in the LEM Console
35. Windows Audit Policy and best practice

627

Auto-populating User-Defined Groups Using a LEMRule

Auto-populating User-Defined Groups Using a


LEMRule
Automate how you populate User-Defined Groups using the Add User-Defined
Group Element active response in a LEM Rule. The Add User-Defined Group
Element active response populates a pre-defined User-Defined Group with static
or dynamic values, as defined by that rule.
Complete the following procedure to populate a User-Defined Group based on a
specific type of event, such as when you attach a USB device you want to tag as
authorized, or when a user attempts to visit a prohibited website.
To create a LEM rule to automatically populate a User-Defined Group:
1. Open your LEM Console, and then log in to your LEM Manager as an
administrator.
2. Click the Build tab, and then select Rules.
3. Click the + button in the upper-right corner of the Rules view.
4. Name your rule, and give it a description if you want.
5. Populate the Correlations box with conditions that represent the event you
want to trigger your rule. For the USB example:
a. Click Events on the components pane on the left, and then enter
SystemStatus without any spaces in the search box.
b. Click SystemStatus, and then locate EventInfo from the Fields:
SystemStatus list.
c. Drag EventInfo into the Correlations box. The left side of your new
condition should read, SystemStatus.EventInfo.
d. Enter *Attached* into the Text Constant field, denoted by the pencil
icon, on the left side of your new condition.
e. If you want to specify a computer for this procedure
(recommended), create a second condition that looks like
SystemStatus.DetectionIP = *computerName*, where
computerName is the hostname of the computer you want to specify.
Note: In this example, the computer you attach your authorized
devices to must have a LEM Agent with USB Defender installed,
whether you specify it in your rule or not.


6. Click Actions on the components pane, and then locate Add User-Defined
Group Element.
7. Drag Add User-Defined Group Element into the Actions box.
8. Within the Add User-Defined Group Element, select the appropriate User-Defined
Group, such as Authorized USB Devices. If you do not find the
User-Defined Group, perform the following:
a. Close the action and select Build > Groups.
b. Select the + button on the top right to create your own User-Defined Group,
or clone an existing group.
9. Populate the action using the alerts present in your Correlations. For the
USB example:
a. Select Authorized USB Devices from the User Defined Group menu.
b. Click Alerts on the components pane, and then verify that
SystemStatus is still selected.
c. Drag ExtraneousInfo from the Fields: SystemStatus list into the
blank Value field in the action.
10. Select Enable at the top of the Rule Creation window, and then modify the
Test and Subscribe settings if you want.
Putting a rule into Test allows the rule to function as needed, but the rule
will not perform any of the actions listed. In this example, it will not add any
information to the User-Defined Group.
11. Click Save at the bottom of the Rule Creation window.
12. Click Activate Rules at the top of the main Rules view.
Any time the event you defined in your rule occurs, the value you defined in the
Value field of the action gets added to the User-Defined Group you specified. In
the USB example, the attached device is added to the Authorized USB Devices
group.

Additional Information
For additional information about working with LEM rules, see Creating Rules from
your LEM Console to Take Automated Action.

Configuring Default Batch Reports on Windows 7, 8 and Windows Server 2008, 2012 Computers
Installation of LEM Reports includes a default batch set of INI files used to
schedule reports. These files contain the configurations necessary to schedule
several best practice reports on either a daily or weekly basis, depending on their
scope.

Choosing a Reports Computer

• Reports is supported on Windows workstation 7/8 or server 2003/2008/2012.
• Choose a computer that is on overnight because the daily and weekly start
time for these reports is 1:00 AM and 3:00 AM, respectively.
• Choose a computer with at least 512 MB of RAM. SolarWinds recommends using
a computer with 1 GB of RAM or more for optimal reports performance.
• Include the computer in the list of IP addresses defined by the
restrictreports command in the CMC. For more information, see
Configuring Report Restrictions.

INI File Preparation


Modify the default INI files in the LEM Reports installation directory to specify the
hostname of the LEM manager or database in your environment and the export
destination for your scheduled reports.
To modify the default INI files:
1. Navigate to the LEM Reports installation directory and open the SchedINI
folder:
• On 32 bit computers: C:\Program Files\SolarWinds Log and Event Manager
Reports
• On 64 bit computers: C:\Program Files (x86)\SolarWinds Log and Event
Manager Reports
2. Open each of the BRPT*.ini files and make the following changes in a text
editor:
• Replace the default value next to Manager1 with the hostname of the
LEM Manager or database appliance in your environment. Use the
hostname of your LEM database appliance if you have a dedicated
appliance to store your normalized LEM alert data.
• Modify the ExportDest file path if you want to customize the location
to which LEM Reports saves the exported reports. The default file path
is %ProgramFiles%\SolarWinds Log and Event Manager Reports\Export.

3. Save your changes and close the files.

Scheduling the Reports to Run


Schedule your batch reports to run using Windows Task Scheduler. Complete
the following procedure twice: once for the daily reports and once for the weekly
reports.
To schedule reports using Windows Task Scheduler:
1. Create a new scheduled task by opening Control Panel > Administrative
Tools > Task Scheduler.
2. Select Task Scheduler Library.
3. Click Create Basic Task in the Actions pane.
4. Enter a name for your task that reflects the frequency of the scheduled task.
For example, enter LEM Reports - Weekly for the weekly task, and then
click Next.
5. Select Daily or Weekly, depending on what batch of reports you are
scheduling, and then click Next.
6. Set the start time and frequency for your scheduled reports, and then click
Next.
• For the daily task: 1 AM, Recur every 1 Day
• For the weekly task: 3 AM, Recur every 1 week, Monday
7. Select Start a program, and then click Next.
8. For the Program/script field, click Browse to browse for SWLEMReports.exe.
See Step 1 in "INI File Preparation" on page 630 for the default
installation paths.

9. In the Add arguments (optional) field, enter the following, according to the
task being created:
Notes:
• Use the %ProgramFiles(x86)% environment variable on 64-bit computers.
• The /l at the beginning of the additional argument is optional. This
generates a log file called SWLEMReports.log when Task Scheduler
runs your task. The file is saved in %ProgramFiles%\SolarWinds Log
and Event Manager Reports.
10. For the daily task: /l "%ProgramFiles%\SchedINI\BATCHDay.ini"
11. For the weekly task: /l "%ProgramFiles%\SchedINI\BATCHWeek.ini"
12. Click Next.
13. Verify the task details on the Summary dialog, select Open the Properties
dialog for this task when I click Finish, and then click Finish.
14. Click Change User or Group to change the user account task scheduler
should use to complete the task.
Notes:
• Provide a user with administrator level permissions.
• If you specified a network location in Step 2 in "INI File
Preparation" on page 630, provide a user with write permissions to
that folder.
• Use a service account to avoid having to maintain the task according
to your password change policy.
15. On the Properties window, select Run whether user is logged on or not.
16. Select Run with highest privileges.
17. Select the appropriate operating systems in the Configure for menu, and
then click OK to save your changes and exit the Properties window.
18. Enter the Windows password for the user specified for this task, and then
click OK.

Default Report Schedules


Once configured, the scheduled tasks run and export the following reports:


Daily Reports
• EventSummary.pdf
• SubscriptionsByUser.pdf
• Incidents.pdf
• NetworkTrafficAudit.rpt

Weekly Reports
• MaliciousCode.rpt
• NetSuspicious.rpt
• NetAttackAccess.rpt
• NetAttackDenial.rpt
• Authentication.rpt
• FileAudit.rpt
• MachineAudit.rpt
• ResourceConfiguration.rpt

Notes:
• You can open reports with the .rpt extension in LEM Reports for filtering and
exporting. If you have another program, like Crystal Reports, associated
with this file format, you can access these reports with LEM Reports by
opening the Reports console first and then clicking Open on the Settings
tab.
• If you create a scheduled report, you can remove the task from Windows
Task Scheduler, and the ini file will still be under the SchedINI directory. You
can change the name of the RPTxxxxx-x.ini to BRPTxxxxx-x.ini, and add
the file to the BatchDay.INI or the BatchWeek.INI.

Configuring LEM Reports on Computers without the LEM Console
To add a manager to LEM Reports on computers without the LEM desktop
console:
1. Open the LEM Reports application.
2. If the Manager List form does not open automatically, click Configure on the
Settings tab, and then select Managers - Credentials and Certificates.
3. On the Manager Configuration pop-up window:
a. Enter the hostname for your LEM appliance in the Manager Name
field.
b. Enter the admin user in the User name field.
c. Enter the password for the admin user.
d. Select the green + to save the credentials.
e. Close the window.
f. Open an SSH/PuTTY connection, enter the Manager menu, enter the
enabletls command and follow the prompts.
Note: If you would like to enable TLS communications, perform the
following:
i. Open the LEM Console, select Build >Users, and create a local
user, assigning the reports role to this user, and then save.
ii. Perform Step 3 but use the report user, password, and select the
TLS Connection before saving with the green + button.
4. Click Add Manager.
5. Click OK.


Configuring Report Restrictions


The LEM appliance allows unrestricted access to LEM Reports by default. To run
LEM Reports, either modify this restriction to allow specific computers to use LEM
Reports, or remove the restriction entirely.
LEM Reports access (port 9001) can be restricted in the same way that
SSH access (port 32022) and console access (port 8443/8080) can be restricted
on the LEM. LEM Reports can also be configured with a user/password,
similar to SSH and console access.
To configure your LEM Manager to allow specific computers to run LEM
Reports:
1. Connect to your LEM virtual appliance using the vSphere console view, or
an SSH client such as PuTTY.
2. At the cmc> prompt, enter service.
3. At the cmc::scm# prompt, enter restrictreports.
4. When prompted, press Enter.
5. Enter the IP addresses of the computers you want to allow to run LEM
Reports, separated by spaces.
Note: Ensure the list you provide is complete. Your entry will override any
previous entries.
6. Enter y to confirm your entry.
7. Enter exit to return to the cmc> prompt.
8. Enter exit to log out of your LEM virtual appliance.
To remove all LEM Reports restrictions:
1. Connect to your LEM virtual appliance using the vSphere console view, or
an SSH client such as PuTTY.
2. At the cmc> prompt, enter service.
3. At the cmc::scm# prompt, enter unrestrictreports.
4. When prompted, press Enter.
Note: Unrestricting LEM Reports will make the LEM database accessible
on any computer on your network running LEM Reports.

5. Enter exit to return to the cmc> prompt.
6. Enter exit to log out of your LEM virtual appliance.

Configuring the USB Defender Local Policy Connector
This document describes how to create and configure the USB Defender Local
Policy connector on an Agent.
The USB Defender Local Policy connector allows an Agent to enforce restrictions
on USB devices even while the Agent is not connected to the manager. Rather
than using rules when disconnected, the connector uses a list of permitted users
or devices. To do this, the Agent compares the fields in all USB device Attached
events to a locally stored whitelist of users or devices. If none of the fields match
an entry on the list, the Agent detaches the device.
When the Agent is connected to the manager via the network, the manager rule
also applies. So any devices listed in the local whitelist must also be in the User
Defined Group for authorized devices or the rule takes effect and the device
detaches even though it was allowed by the whitelist in the USB Defender local
policy. When the Agent is connected, both USB Defender Local Policy and the
LEM rule are active.
To configure the USB Defender Local Policy connector:
1. Create a text file with one entry per line. This file serves as the local policy.
Each entry can be a user name or a USB device ID, from the
ExtraneousInfo field of an Attached alert.
2. In the LEM Console, click Nodes from the Manage menu.
3. Click the gear icon next to the node to be configured and select
Connectors.
4. Enter USB defender in the Refine Results window.
5. In the Nodes window, select the USB Defender Local Policy connector.
Click its gear icon and click New.
6. Click the button next to the Policy field to browse to the text file you
created above and upload your list to the connector.
7. Click Save in the UDLP details pane to complete the setup.


8. When the new connector appears in the Connectors list, click the gear
next to it and click Start.
Note: The authorized devices in the local whitelist must also be in the UDG for
the manager's Detach Unauthorized USB rule, or the rule on the manager enforces
detachment when the laptop is connected to the network. Conversely, if you are
using a blacklist and the device is in the USB Local Policy but not in the User
Defined Group of the rule, the device still detaches.
Having a device or user in one whitelist or blacklist and not in the other is not
recommended and yields inconsistent results.

Configuring your LEM Appliance Log Message Storage and nDepth Search
The LEM appliance has the ability to store the original logs that are normalized by
the LEM Manager and Agents for retention and search purposes. To do this, both
the LEM Manager and the applicable connectors must be configured accordingly.
Complete the procedures below to configure both of these elements.
Notes:
• nDepth in this section refers to RAW data (original log), and is different from
the nDepth Search performed under Explore > nDepth in the Console.
• If you enable original log storage (RAW database storage) and enable
connectors to send data to both databases, LEM storage requirements may
double for the same retention period, and extra resource reservations of at
least two additional CPUs and 8-16 GB of RAM may be required.
• Original log (RAW log storage) will not appear in the Monitor tab in the
Console. Rules can only fire on normalized data and not on RAW log data
being received.

To configure your LEM Manager to store original log files in their own
database:
Note: The following procedure must be completed prior to configuring any
connector to send log messages to your LEM appliance.
1. Log in to your LEM appliance using CMC credentials.
2. At the cmc> prompt, enter manager.
3. At the cmc::cmm# prompt, enter configurendepth and follow the prompts to
configure your LEM Manager to use an nDepth server:
a. Enter y at the Enable nDepth? prompt.
b. If you are prompted with Run nDepth locally? (Recommended),
enter y. This will configure a separate database on your LEM
appliance to store original log files.
c. If your LEM implementation consists of several appliances, follow
the prompts to complete the process for your dedicated database or
nDepth appliance. For additional information about this process,
contact Support.
4. Back at the cmc::cmm# prompt, enter exit to return to the previous prompt.
5. At the cmc> prompt, enter ndepth.
6. At the cmc::nDepth# prompt, enter start. This command will start the Log
Message search/storage service.
7. Enter exit to return to the previous prompt.
8. Enter exit to log out of your LEM appliance.
To configure your connectors to send original log data to your LEM
appliance:
1. Open the connector for editing in the Connector Configuration window for
the LEM Manager or LEM Agent, as applicable:
• If the connector has already been configured, stop the connector
by clicking gear > Stop, and then click gear > Edit.
• If the connector has not been configured, create a new instance of
the connector by clicking gear > New next to the connector you want
to configure.
2. In the Connector Details pane, change the Output value to Alert, nDepth.
Leave the nDepth Host and nDepth Port values alone unless otherwise
instructed by Support. The Output values are defined as:
• Alert: Sending data to the alert database
• nDepth: Sending data to the RAW (original log) database
3. If you are finished configuring the connector, click Save.
4. Start the connector by clicking gear > Start.
5. Click Close to close the Connector Configuration window.
6. Repeat these steps for each connector you want to send original log data to
your LEM appliance.

Creating a Custom Filtered Report


This procedure describes how to save and configure the properties of a filtered
report so that it can be used as a custom report.
1. Open the LEM Reports application and launch a preferred report.
2. Enter a desired time frame.
3. Click Select Expert.
4. Change the desired fields if a more refined report is desired.
To save the filtered report:
1. Use Select Expert to filter the report to show only the type of data you want
to see in your custom report.
2. Once the report has been filtered, click the Export button.
3. From the Format list, select Crystal Reports (RPT).
4. Leave Destination set to Disk file and click OK.
5. Within the Save File window, navigate to the following folder:
C:\Program Files (x86)\SolarWinds Log and Event Manager
Reports\CustomReports

Note: This is the default location for 64-bit operating systems. If you are
utilizing a 32-bit operating system, the default folder would be
C:\Program Files\SolarWinds Log and Event Manager
Reports\CustomReports

6. In the File name field, type a name for your filtered report that will allow you
to identify the report by the filename under Custom Reports, and click Save.
To see your new report in the Reports console:
1. On the Reports window, click the Settings tab.
2. From the Category list, select Custom Reports.
3. On the Quick Access Toolbar, click the Refresh Report List icon or press
F5. When the refresh completes, the new custom report will appear in the
list, displaying any changes made to its Properties.
You may now launch your custom report for any time frame.


Creating a Filter for a Specific Event Type


You can use the Create a Filter From This Event button at the top of the Event
Details pane to create a new filter for the selected event.
To create a new filter for a specific event type:
1. Open your LEM Console and log in to your LEM Manager as an
administrator or auditor.
2. Navigate to the Monitor view.
3. Select the event you want to create a filter for in the Event Grid.
4. With the event selected above displayed in the Event Details pane, click the
Create a Filter From This Event button.
Notice the new filter in your Filters pane.
5. (Optional) Modify the new filter to show more specific data.
a. Select the filter in the Filters pane.
b. Click the gear icon at the top of the Filters pane, and then select Edit.
c. Edit the filter by selecting the Events tab in Filter Creation, and select
the fields below to look at more specific details of this event type, and
then click Save.
Video
Click the video icon to view the corresponding tutorial, which shows how to
create a filter from an event.

Creating Connector Profiles to Manage and Monitor LEM Agents
Use Connector Profiles to manage and monitor similar LEM Agents across your
network. The following two use cases are the most common for this type of
component.
• Configure and manage connectors at the connector profile level to reduce
the amount of work you have to do for large LEM Agent deployments.
• Create filters, rules, and searches using your Connector Profiles as Groups
of LEM Agents. For example, create a filter to show you all Web traffic from
computers in your Domain Controller Connector Profile.

Complete the following procedures to create a Connector Profile using a single
LEM Agent as its template:
To create a Connector Profile using a LEM Agent as a template:
1. Configure the connectors on the LEM Agent to be used as the template for
your new Connector Profile. These connectors are to be applied to any LEM
Agents that are later added to the Connectors Profile.
2. Click the Build menu, and then select Groups.
3. Click the + menu, and then select Connector Profile.
4. Give your new Connector Profile a Name, and enter a Description if you
wish.
5. Select the LEM Agent you want to use as your template from the Template
list next to the Description field.
6. Click Save.
To add LEM Agents to your new Connector Profile:
Notes:
• An agent can only have one profile at a time.
• Any profile change will be applied to all members of that profile.
• Agents that are members of a profile cannot have single-use connectors
applied to individual members.


1. Locate the new Connector Profile in the Build > Groups view.
2. Click the gear icon next to your Connector Profile, and then select Edit.
3. Move LEM Agents from the Available Agents list to the Connector Profile
by clicking the arrow next to them.
4. If you are finished adding LEM Agents to your Connector Profile, click Save.
The connector configurations set for the template agent will be applied to any
agent added to the Connector Profile.

Creating Email Templates in the LEM Console


Email templates allow customization of the appearance of email notifications
when triggered as responses in your rules. An email template has two
components:
• Static text that lets you customize the appearance of the email
• Dynamic text (parameters) that is filled in from the original event that
triggered the rule to fire

For example, when creating an Account Lockout template that will notify you
when an account is locked out, or automatically file a trouble ticket, fill in some
static text that describes the event and then use the dynamic text to describe the
account that was filled out from the original event, such as the username and
computer or domain controller they were locked out on.
Create templates that are specific to a type of event you are looking for to help
avoid creating one email template per rule. For example, you can have one
template for Account Modification that can be used to tell you when a user is
added/removed from a group, their password is reset, or other details are
changed. There is no limit to the number of templates.
To keep rules, events, and emails simple to manage, SolarWinds
recommends the following:
• Create the rule with a name that describes the event.
• Create the email template with a name that describes the event.
• In the email template subject and/or message, enter the event/rule name to
describe the event/alert.

When receiving the email, you can easily identify the email template used, the
rule that fired, and the event that caused the rule to fire.
To create a new email template:
1. Go to Build > Groups.
2. Click the + button at the top, and choose Email Template, or select one of
the existing Email Templates and clone the template, then modify the name
and parameters of the template.


3. In the Details pane, provide a name for your template. This will be used in
rules to reference the template.
4. To create dynamic text (parameters) for your rule:
a. Type a name in the Name field under the Parameters list and click
the + button. For example, DetectionIP, DestinationAccount,
EventInfo, and so on. This name is a reference to the actual event
data.
b. Repeat this for all the parameters you want to add.
Note: Each one of these is a variable that holds your data and places
it in the right location in the email. For example, for an Account
Lockout template, consider using the following parameters:
• Time
• Account
• DC
• Machine

5. Fill out the Subject box.
• Specify static text (optional).
• To use a Parameter, either type in the name as it appears in the
parameters list, including the dollar sign, or drag it from the
Parameters list into where you want it to appear in the subject.
Note: Using a dynamic Parameter in the Subject provides a subject
that includes the user account name, source, or any other text from the
originating event.
6. Enter the body of the message in the Message box.
• Specify static text (optional).
• To use a Parameter, either type in the name as it appears in the
parameters list, including the dollar sign, or drag it from the
Parameters list into where you want it to appear in the message body.
Note: Oftentimes you will use a combination of static and dynamic
text, such as:
Account $Account locked out at $Time on DC $DC from computer
$Machine.
This would display the following:
Account testuser locked out at 7/21/2016 8:05am on DC DC1 from
computer PC1
7. Click Save at the bottom.

Creating Rules from your LEM Console to Take Automated Action
You can create custom Rules from the Build > Rules view in your LEM Console
to monitor and respond to traffic from your monitored computers and devices. One
of the common uses for rules is to use them to generate email notifications. For
more details about using email templates in rules, see Using the Send Email
Message Action in Rule Creation.
To create a rule from your LEM Console:
1. Open your LEM Console and log in to your LEM Manager as an
administrator.
2. Click the Build menu and select Rules.
3. Click the + button in the upper-right corner to open Rule Creation.
Note: In the Rules view, you may also edit a disabled rule or clone a rule
from the rule templates.
4. Enter a Name and Description (optional) at the top of the Rule Creation
view.
5. If you want to save the rule in a folder other than All Rules, select the
folder from the list on the far right. The default value is All Rules.
6. Drag one of the following elements into the Correlations box.
• Events: Drag a single Event into your Correlations to address any
instance of the Event you specify. This type of parameter does not
require a value.
Note: The field at the top of the Events list is a search box.
• Event fields: Drag an Event field into your Correlations to address
any Event that contains the value you specify.
Note: The same principles apply to Event Groups and their fields.
7. If your Correlations defined above require a value, populate the value in
one of the following ways.
• Enter a static text value in the Text Constant field, denoted by a
pencil icon.
Note: Use asterisks (*) as wildcard characters to account for any
number of characters before, within, or after your text value.
• Drag a Group from the list pane on the left over to replace the Text
Constant field. The most commonly used Groups include User
Defined Groups, Connector Profiles, Directory Service Groups, and
Time Of Day Sets.
• Drag an Event field from an Event already present in your
Correlations over to replace the Text Constant field. This will result
in a parameter that states whether values from different Events in your
Correlations should match.
8. If you want to change the operators in your Conditions, click the
operator until you find the one you want.
Note: There are two types of operators.
• Condition operators: These are found between your Events and
their values. Examples include Equals, Does Not Equal, Contains,
and Does Not Contain. Rule Creation only displays the operators
that are available for the values in your Correlations.
• Group operators: These are found on the outside (right) of your
Correlation Groups. The two options are And (blue) and Or (orange).
9. Repeat Steps 6, 7, and 8 for any additional Correlations you want to
configure for your rule.
10. If you only want your rule to fire after several instances of the event(s)
in your Correlations, modify the Correlation Time as appropriate.
11. Add an Action to your rule using the Actions list on the left.
Notes:
• All rules require at least one action, though they can contain several if
you want.
• Populate your action with Constants or Event fields as appropriate.
• When you use Event fields in your Actions, follow the procedure
above for populating your Correlations, and be sure to use the same
Event or Event Group as is present in your Correlations.
For example: Since the Correlations in the rule illustrated above are
based on the UserLogon Event, the fields used in its Actions must
come from the UserLogon Event.

12. If the Rule Status below the Description field contains an error or
warning, click the status indicator to view additional details and address the
issue.
13. If you want your rule to be fully functional once it's on your LEM
Manager, select the Enable checkbox next to the Description field.
14. If you want to disable your rule's Actions to test its configurations,
select the Test checkbox.
Note: Rules must also be enabled for them to work in Test mode.
15. If you want your rule to generate a local notification for any LEM
Console user, select the user from the Subscribe list.
Note: This option also tracks the rule's activity in the Subscriptions report
in LEM Reports.
16. Click Save.
17. Once your rule is in your Custom Rules folder, click Activate Rules to sync
your local changes with the rules folders on your LEM Manager and allow
the new/changed rules to function properly.
Important: When enabling or disabling rules, no changes will take effect
until the Activate Rules button is clicked.
Video
Click the video icon to view the corresponding tutorial, which offers more
information on creating rules in the LEM Console.
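The following Python sketch is an added example (not SolarWinds code) that mimics how the rule elements described in this section behave, using the USB tagging rule from "Auto-populating User-Defined Groups Using a LEM Rule" as its worked case: Text Constants with * wildcards, And/Or group operators, a User-Defined Group used as a condition value, Test mode, and the Add User-Defined Group Element action, all run over constructed events. The event field names follow this guide; the hostnames, device IDs, the "In Group" operator name and case-sensitive matching are assumptions of the example.

```python
import re
from dataclasses import dataclass

# User-Defined Groups, name -> members. "Authorized USB Devices" starts with one
# constructed device ID; the tagging rule below adds more at run time.
GROUPS = {"Authorized USB Devices": {"VID_0781&PID_5567\\SN0001"}}

def text_constant_matches(pattern: str, actual: str) -> bool:
    """Text Constant comparison: '*' matches any run of characters before, within,
    or after the text; everything else is literal (case-sensitive, an assumption)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, actual, re.DOTALL) is not None

@dataclass
class Condition:
    field: str     # "Event.Field", e.g. "SystemStatus.EventInfo"
    operator: str  # Equals, Does Not Equal, Contains, Does Not Contain, In Group, Not In Group
    value: str     # a Text Constant (may contain *) or a User-Defined Group name

    def holds(self, event: dict) -> bool:
        event_type, _, name = self.field.partition(".")
        if event.get("EventType") != event_type:
            return False  # the condition only addresses Events of this type
        actual = str(event.get(name, ""))
        base = self.operator.replace("Does Not ", "").replace("Not ", "")
        if base.startswith("Equal"):      # Equals / Does Not Equal
            hit = text_constant_matches(self.value, actual)
        elif base.startswith("Contain"):  # Contains / Does Not Contain
            hit = self.value in actual
        else:                             # In Group / Not In Group
            hit = actual in GROUPS.get(self.value, set())
        return hit != (base != self.operator)  # invert for the "Not" forms

@dataclass
class Correlation:
    conditions: list             # Condition or nested Correlation objects
    group_operator: str = "And"  # And (blue) or Or (orange)

    def holds(self, event: dict) -> bool:
        results = [c.holds(event) for c in self.conditions]
        return all(results) if self.group_operator == "And" else any(results)

@dataclass
class Rule:
    name: str
    correlation: Correlation
    actions: list        # callables taking the event and returning a result string
    enabled: bool = True
    test: bool = False   # Test mode: the rule fires but performs none of its actions

    def evaluate(self, event: dict) -> list:
        """Results of the actions run for this event, or [] if the rule did not fire."""
        if not self.enabled or not self.correlation.holds(event):
            return []
        if self.test:
            return [f"TEST {self.name}: would run {len(self.actions)} action(s)"]
        return [action(event) for action in self.actions]

def add_udg_element(group: str, value_field: str):
    """Add User-Defined Group Element action: copy an Event field into a group."""
    def action(event: dict) -> str:
        value = str(event[value_field])
        GROUPS.setdefault(group, set()).add(value)
        return f"added {value} to {group}"
    return action

def detach_usb(event: dict) -> str:
    """Stand-in for the Detach USB Device action; it only reports what it would do."""
    return f"detached {event['ExtraneousInfo']} on {event['DetectionIP']}"

# The rule from the "Auto-populating User-Defined Groups" procedure.
TAG_AUTHORIZED = Rule(
    "Tag USB devices attached to laptop01 as authorized",
    Correlation([Condition("SystemStatus.EventInfo", "Equals", "*Attached*"),
                 Condition("SystemStatus.DetectionIP", "Equals", "laptop01")]),
    [add_udg_element("Authorized USB Devices", "ExtraneousInfo")])

# A companion rule that uses the group as a Condition value instead of a Text Constant.
DETACH_UNAUTHORIZED = Rule(
    "Detach Unauthorized USB",
    Correlation([Condition("SystemStatus.EventInfo", "Equals", "*Attached*"),
                 Condition("SystemStatus.ExtraneousInfo", "Not In Group", "Authorized USB Devices")]),
    [detach_usb])

# Constructed events in the shape of normalized LEM alerts (not real LEM output).
EVENTS = [
    {"EventType": "SystemStatus", "EventInfo": "USB Device Attached",
     "DetectionIP": "laptop01", "ExtraneousInfo": "VID_0951&PID_1666\\SN0002"},
    {"EventType": "SystemStatus", "EventInfo": "USB Device Attached",
     "DetectionIP": "kiosk07", "ExtraneousInfo": "VID_1234&PID_0001\\SN0003"},
    {"EventType": "UserLogon", "EventInfo": "Logon", "DetectionIP": "laptop01"},
]

def run(rules: list, events: list) -> list:
    """Evaluate every rule against every event, in order, and collect the results.
    Order matters: the tagging rule must run before the detach rule for laptop01."""
    return [r for event in events for rule in rules for r in rule.evaluate(event)]

if __name__ == "__main__":
    print("\n".join(run([TAG_AUTHORIZED, DETACH_UNAUTHORIZED], EVENTS)))
```

Run as-is, the device attached to laptop01 is tagged and left alone, the device on kiosk07 is detached, and the UserLogon event matches neither rule.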

Creating Users in the LEM Console


Users can be created in the LEM Console for the following reasons:
• To allow logging into the Console for configuring LEM. A local user can be
created for login, or an Active Directory user can be added for login. Adding
an AD user requires the Directory Service Query connector to have been
configured to access AD.
• To allow rules to send an email when a particular event or alert happens.

SolarWinds recommends that you create distinct users for anyone who needs to
receive email notifications from the LEM manager. There are a number of common
ways this can be done:
• If there are users who need to access the Log & Event Manager
Console, you can create an admin, auditor, or monitor user. Be sure to
associate an email address with each user.
  • Admin: Default user that cannot be deleted and has full access to
  everything in the Console.
  Note: SolarWinds does not recommend multiple users sharing the
  Admin account for auditing purposes.
  • Auditor: User with read/write access to Monitor (filters) and read-only
  access to rules.
  • Monitor: User with read-only access to everything in the Console.
  • Contact: User with no access to the Console. They are
  unable to log in to the Console. This type of user is added for
  purposes of sending emails to the user's email address and bringing
  in distribution lists or cellular email-to-SMS addressees for texts.
  • Reports: Created to allow the SolarWinds Reports application secure
  access to the LEM database when TLS authentication is enabled.
  This type of user is unable to log in to the Console and has no access
  to it.
• If you have an external system for trouble ticketing or incident
handling, or a person who does not need to access the Console, you can
create a Contact user. Be sure to associate an email address with the user.

650

Appendix J: Additional Configuration and Troubleshooting Information

If you want to notify everyone in your IT organization of the same thing


at the same time, you can associate a distribution list email address with
any of the above types of users.

To set up users:
1. Go to Build > Users.
2. Click the + button on the top right, and select LEM User, or Directory
Service User.
3. Fill in the information at the bottom, which includes selecting the role for this
user.
Note: If you're creating a Contact user, you do not need to enter a password.
4. Add email addresses to the user by clicking + under Contact Information
and clicking Save.
Note: When adding an Active Directory user, most deployments of AD will
auto-populate the user's email address. You may not be able to
add/modify/delete the pre-populated email address. You will need to create
a new local user or use an existing user to add the email address to.
5. Click Save at the bottom once done.

Disabling Windows Filtering Platform Alerts Using Alert Distribution Policy

Windows Filtering Platform (WFP) is a new application in Windows 7/8 and
Windows Server 2008/2012 that logs firewall and IPsec related events to the
System Security Log. We recommend tuning WFP in your Active Directory group
policies to decrease the load it would otherwise create on your LEM Manager.
These alerts represent background events that consume additional resources on
the LEM appliance to process, and are not necessary for an optimized LEM
deployment. Tuning out the Windows noise in the group policies reduces the
space these events occupy in the Security event log, reduces network activity,
and avoids consuming LEM resources (CPU, memory, disk space).
The alerts described in the following tables can be filtered out (dropped) using
your LEM Manager's Event Distribution Policy by unchecking their boxes in the
Console, Database, Warehouse, and Rules columns. It is important to note that
the LEM appliance still must process these events, thereby consuming additional
memory and CPU.
Note: SolarWinds recommends that you disable WFP alerts using Group or Local
Policy instead of on LEM. Disabling the WFP alerts on LEM prevents you from
receiving useful data and may impact performance.
For information about disabling these alerts on the computer running WFP, see
LEM Manager Crashes after Receiving a High Number of Alerts from Windows 7
or Windows Server 2008 and its related articles.

To modify your LEM Manager's Alert Distribution Policy:


1. Open your LEM Console and log into your LEM Manager from the Manage
> Appliances view.
2. Click the gear icon next to your LEM Manager, and then select Policy.
3. Locate the alerts you want to disable by either browsing the alert taxonomy
or using the search box under Refine Results.
Note: You can locate all of the alerts listed below by typing Windows
Security in the search box.
4. Check or uncheck the boxes in the Console, Database, Warehouse, or
Rules columns as appropriate.
Notes:
- Uncheck the Console box to prevent your LEM Manager from
  showing the alert in your LEM Console.
- Uncheck the Database box to prevent your LEM Manager from storing
  the alert in your LEM database.
- Uncheck the Warehouse box to prevent your LEM Manager from
  sending the alert to an independent database warehouse.
- Uncheck the Rules box to prevent your LEM Manager from
  processing the alert against your LEM rules.
- Check any box to enable processing for the alert at any of the four
  levels listed above.
5. To save your changes and keep working, click Apply.
6. To save your changes and exit the Alert Distribution Policy window, click
Save.
Table of Alerts with Windows Security Auditing Provider SIDs
Note: The ProviderSID value in the following alerts matches the format "Windows
Security Auditing <Event ID>", where Event ID is one of the Windows Event IDs
listed in the following table:

Alert Name            Windows Event ID
TCPTrafficAudit       5152, 5154, 5156, 5157, 5158, 5159
IPTrafficAudit        5152, 5154, 5156, 5157, 5158, 5159
UDPTrafficAudit       5152, 5154, 5156, 5157, 5158, 5159
ICMPTrafficAudit      5152, 5156, 5157, 5158, 5159
RoutingTrafficAudit   5152, 5156
PPTPTrafficAudit      5152

Table of Descriptions by Event ID

Event ID   Brief Description
5152       Windows Filtering Platform blocked a packet
5154       Windows Filtering Platform permitted an application or service to listen on a port for incoming connections
5156       Windows Filtering Platform allowed a connection
5157       Windows Filtering Platform blocked a connection
5158       Windows Filtering Platform permitted a bind to a local port
5159       Windows Filtering Platform blocked a bind to a local port
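The following script is an added example (not SolarWinds code and not part of this manual) that turns the two tables above into a quick sizing check: given ProviderSID values in the "Windows Security Auditing <Event ID>" layout the note describes, it reports how much of a sample is WFP traffic auditing and which LEM alert names each event ID can become. The ProviderSID sample values are constructed for the example; the logon/logoff IDs 4624 and 4634 are ordinary Security-log events included as non-WFP filler.

```python
"""Estimate how much of a Security-log sample is WFP noise before tuning policy.

Added example; not SolarWinds code. It uses the two tables in the section
above: the alert names that carry each WFP event ID, and the ProviderSID
layout "Windows Security Auditing <Event ID>". The ProviderSID values in
SAMPLE_PROVIDER_SIDS are constructed for this example.
"""
import re
from collections import Counter

# Event ID -> brief description, from "Table of Descriptions by Event ID".
WFP_DESCRIPTIONS = {
    5152: "blocked a packet",
    5154: "permitted an application or service to listen on a port",
    5156: "allowed a connection",
    5157: "blocked a connection",
    5158: "permitted a bind to a local port",
    5159: "blocked a bind to a local port",
}

# Alert name -> event IDs that can produce it, from the alert table above.
WFP_ALERT_EVENT_IDS = {
    "TCPTrafficAudit": {5152, 5154, 5156, 5157, 5158, 5159},
    "IPTrafficAudit": {5152, 5154, 5156, 5157, 5158, 5159},
    "UDPTrafficAudit": {5152, 5154, 5156, 5157, 5158, 5159},
    "ICMPTrafficAudit": {5152, 5156, 5157, 5158, 5159},
    "RoutingTrafficAudit": {5152, 5156},
    "PPTPTrafficAudit": {5152},
}

# ProviderSID layout stated in the note above the first table.
PROVIDER_SID_RE = re.compile(r"^Windows Security Auditing (\d+)$")


def event_id_from_provider_sid(provider_sid):
    """Extract the Windows Event ID from a ProviderSID string, or None."""
    match = PROVIDER_SID_RE.match(provider_sid.strip())
    return int(match.group(1)) if match else None


def candidate_alerts(event_id):
    """LEM alert names that an event with this ID can be normalized into.

    The table maps each alert to several IDs, so one ID can land in more
    than one alert depending on the protocol in the event body.
    """
    return sorted(name for name, ids in WFP_ALERT_EVENT_IDS.items()
                  if event_id in ids)


def wfp_noise_report(provider_sids):
    """Count WFP events in a sample and report their share of the whole.

    A high share means the WFP subcategories are worth turning off in Group
    or Local Policy, as the section recommends, rather than dropping the
    alerts in the Event Distribution Policy after the appliance has already
    spent CPU and memory receiving them.
    """
    by_event_id = Counter()
    total = 0
    for sid in provider_sids:
        total += 1
        event_id = event_id_from_provider_sid(sid)
        if event_id in WFP_DESCRIPTIONS:
            by_event_id[event_id] += 1
    wfp_total = sum(by_event_id.values())
    return {
        "total": total,
        "wfp_total": wfp_total,
        "wfp_share": wfp_total / total if total else 0.0,
        "by_event_id": dict(by_event_id),
    }


# Constructed sample: ProviderSID values for a mix of WFP traffic audits and
# ordinary logon/logoff events (4624, 4634).
SAMPLE_PROVIDER_SIDS = [
    "Windows Security Auditing 5156",
    "Windows Security Auditing 5156",
    "Windows Security Auditing 5152",
    "Windows Security Auditing 5157",
    "Windows Security Auditing 4624",
    "Windows Security Auditing 5158",
    "Windows Security Auditing 4634",
    "Windows Security Auditing 5156",
]

if __name__ == "__main__":
    report = wfp_noise_report(SAMPLE_PROVIDER_SIDS)
    print(f"{report['wfp_total']} of {report['total']} events are WFP "
          f"({report['wfp_share']:.0%})")
    for event_id, count in sorted(report["by_event_id"].items()):
        print(f"  {event_id} x{count}: WFP {WFP_DESCRIPTIONS[event_id]}; "
              f"possible alerts: {', '.join(candidate_alerts(event_id))}")
```

Feed it the ProviderSID column of an exported filter or a short database extract. The share it prints is the portion of event volume that the Group Policy change removes at the source, which is the number to quote when deciding between tuning Windows and unchecking boxes in the Alert Distribution Policy.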

Do not modify the Output, nDepth Host, or nDepth Port fields when configuring LEM connectors unless your appliance is set up to store original log data

Do not modify the Output, nDepth Host, or nDepth Port fields unless your LEM
appliance has been configured to receive and store original log data in its own
database.
Storing information
Your SolarWinds LEM appliance can store 100% of the original log data read by
any SolarWinds LEM connector in addition to the data normalized and presented
in your LEM Console. Original log data is stored in a separate database from the
normalized data, and is searchable separately. This database typically resides on
the same appliance as the LEM Manager and alert database, but it can also
reside on a dedicated LEM database or nDepth appliance.
The Output, nDepth Host, and nDepth Port fields in the tool configuration forms on
your LEM Manager and Agents are reserved for implementations in which the
LEM appliance has been configured to receive and store original log messages. If
your LEM appliance is not configured appropriately, modifying these settings will
cause all alert data to queue indefinitely, rather than being sent to the appropriate
database.

Enabling Windows File Auditing in Windows


Enable file auditing in Windows to monitor events related to users accessing,
modifying, and deleting sensitive files and folders on your network. To maximize
the value of this type of auditing, enable auditing on a file server on which you
have installed a LEM Agent, and only for the specific files and folders you want to
monitor. If you enable auditing on all files or folders, or even a large number of
them, you will create an unnecessary burden on your LEM appliance by telling
Windows to log events you don't want or need to see.
Complete the two-part process below to first enable object auditing on your
server, and then enable file auditing on the files and folders you want to audit.
Provided Windows is logging the events and your server has a LEM Agent
installed on it, your LEM Console will begin displaying the new file auditing alerts
immediately.
To enable object auditing in Windows:
1. Open Administrative Tools > Local Security Policy.
2. Expand Local Policies and click Audit Policy in the left pane.
3. Select Audit object access in the right pane, and then click Action >
Properties.
4. Select Success and Failure.
5. Click OK.
6. Close the Local Security Policy window.
To enable file auditing on a file or folder in Windows, perform either one of
the following procedures:
Note: Do not perform both of the following options.
Option 1
1. Locate the file or folder you want to audit in Windows Explorer.
2. Right-click the file or folder and then click Properties.
3. Click the Security tab.
4. Click Advanced.
5. Click the Auditing tab.

6. If you are using Windows Server 2008, click Edit.
7. Click Add.
8. Enter the name of a user or group you want to audit for the selected file or
folder, and click Check Names to validate your entry. For example, enter
Everyone.
9. Click OK.
10. Select Success and Failure next to full control to audit everything for the
selected file or folder.
11. Optionally, clear Success and Failure for unwanted events, such as:
    - Read attributes
    - Read extended attributes
    - Write extended attributes
    - Read permissions
12. Click OK in each window until you are back at the Windows Explorer
window.
13. Repeat these steps for all files or folders you want to audit.
Option 2
1. Open the LEMConsole and go to Manage >Appliances.
2. Select the gear on the left of a specific agent whose files you want to
monitor.
3. Search for File Integrity Monitoring (FIM) and select the gear on the left to
create a new FIM connector for this agent.
4. You may choose a pre-defined template from the Monitor Templates pane
or create a custom monitor by performing the following steps:
a. Click Add Custom Monitor in the Selected Monitors pane.
b. Assign a name and description (optional).
c. Click Add New Button.
d. Click Browse to search for the directory that you want to monitor, and
then click OK.
e. Specify which kind of files you want to monitor in the with mask field.

f. Select the boxes for which kind of operations you want to monitor in
the for these actions field, and click Save.
Note: You may repeat these steps for every directory or file type that
you want to monitor.
g. When the custom monitor is created, click Save and the new monitor
will appear in the Selected Monitors pane.
Note: You have the option to promote this custom monitor to a
template.
5. You can create a Connector Profile under Build > Groups to allow a
common group of connector configurations for agents that will be placed
under this profile.

Enabling LEM to Track Events

Tracking Buildup Events
Out of the box, LEM captures Cisco events 302003, 302009, and 603108.
LEM can be configured to capture Cisco firewall buildup events, too. The primary
buildup event to use for TCP tracking is 302013. Other buildup events include
302015, 302017, 302020, 302303, 305009, 305011, and 609011. Check the
description of these events in the Cisco System Log Messages Guide to make
sure those are events you want to capture.
Tracking Teardown Events
Out of the box, LEM captures Cisco event 603019.
You can also enable LEM to capture Cisco firewall teardown NAT events. The
teardown sibling to buildup event 302013 is 302014. Other events include
302016, 302018, 302021, 302304, 305010, 305012, 617100, and 609002. Check
the description of these events in the Cisco System Log Messages Guide to
make sure they are ones you want to capture.
Enabling LEM to Track Buildup/Teardown Events
To enable the latest LEM connector to capture buildup/teardown NAT
events:
1. Ensure your firewalls are configured to log to LEM and that the appropriate
LEM connector is configured to monitor for your firewall data.
2. Access the firewalls you will monitor buildup/teardown messages from and
adjust the severity level of those events from 6 (the default) to 0. For more
information, refer to the Changing the Severity Level of a Syslog Message
section in the Monitoring the Security Appliance page in the Cisco site.
Considerations
A few things to consider include:
- To monitor accepted traffic, use the log target in your accept ACLs instead
  of the buildup logging. This lets you control what accepted traffic you are
  made aware of.
- To monitor the information about the actual NAT, consider the event load
  this will create. Plan a test phase where you turn it on and determine
  whether it is valuable to you for investigating.
- Consider the nDepth original log message store if you are interested in
  unmodified log data (versus the normalized data). Note that this consumes
  additional disk space.
- Consider whether you need both buildups and teardowns, or just buildup
  messages. The teardown NAT messages include the same info as the buildup
  messages, along with some duration and size info that may or may not be
  useful. Many colleges and universities that use the buildup messages do
  not rely on the teardown messages; they only need to know a connection
  was established for verification/analysis/correlation.
- Check your syslog data to determine and enable only those buildup and/or
  teardown events that are of use.
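The last consideration above, checking your syslog data before enabling events, is the kind of thing worth scripting. The following added example (not SolarWinds code and not a LEM connector) classifies ASA syslog lines against the buildup and teardown ID lists from this section, pairs each teardown with its buildup by connection number so you can see what the teardown adds, and lists which tracked events are still logged at the default severity 6 (the procedure above lowers them to 0). The sample lines are constructed in the common "%ASA-<severity>-<message id>: <text>" layout and were not captured from a real device; the addresses are RFC 5737 documentation ranges.

```python
"""Classify Cisco ASA syslog lines as buildup or teardown events.

Added example, not SolarWinds code and not a LEM connector. The event-ID
lists are the ones named in the buildup and teardown sections above; the
sample syslog lines are constructed for this example and were not captured
from a real firewall. Pairing uses the connection number that both the
Built and the Teardown message text carry.
"""
import re
from collections import Counter

# Buildup IDs from "Tracking Buildup Events".
BUILDUP_IDS = {302013, 302015, 302017, 302020, 302303, 305009, 305011, 609011}
# Teardown IDs from "Tracking Teardown Events".
TEARDOWN_IDS = {302014, 302016, 302018, 302021, 302304, 305010, 305012,
                617100, 609002}
DEFAULT_SEVERITY = 6  # the section says these log at 6 unless lowered to 0

HEADER_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<text>.*)$")
CONN_RE = re.compile(
    r"\b(?:Built|Teardown)\s+(?:inbound\s+|outbound\s+)?"
    r"(?P<proto>TCP|UDP|ICMP|GRE)\s+connection\s+(?P<conn>\d+)")


def parse_asa_line(line):
    """Return {severity, event_id, kind, text} or None for non-ASA lines."""
    match = HEADER_RE.search(line)
    if not match:
        return None
    event_id = int(match.group("id"))
    if event_id in BUILDUP_IDS:
        kind = "buildup"
    elif event_id in TEARDOWN_IDS:
        kind = "teardown"
    else:
        kind = "other"
    return {"severity": int(match.group("sev")), "event_id": event_id,
            "kind": kind, "text": match.group("text")}


def count_kinds(lines):
    """How many buildup, teardown and other ASA messages the sample holds."""
    counts = Counter()
    for line in lines:
        rec = parse_asa_line(line)
        if rec is not None:
            counts[rec["kind"]] += 1
    return dict(counts)


def pair_connections(lines):
    """Match each teardown to the buildup with the same connection number.

    Returns (pairs, still_open): pairs maps connection number to
    (buildup text, teardown text); still_open holds buildups that have no
    teardown yet. Side by side, the pair shows what the teardown adds over
    the buildup (duration and bytes), which is the trade-off above.
    """
    still_open = {}
    pairs = {}
    for line in lines:
        rec = parse_asa_line(line)
        if rec is None or rec["kind"] == "other":
            continue
        conn = CONN_RE.search(rec["text"])
        if not conn:
            continue  # translation (xlate) messages carry no connection number
        number = int(conn.group("conn"))
        if rec["kind"] == "buildup":
            still_open[number] = rec["text"]
        elif number in still_open:
            pairs[number] = (still_open.pop(number), rec["text"])
    return pairs, still_open


def still_at_default_severity(lines):
    """Event IDs of tracked messages still logged at severity 6.

    The procedure above lowers the tracked events to severity 0; anything
    listed here has not been changed on the firewall yet.
    """
    ids = set()
    for line in lines:
        rec = parse_asa_line(line)
        if rec and rec["kind"] != "other" and rec["severity"] == DEFAULT_SEVERITY:
            ids.add(rec["event_id"])
    return sorted(ids)


# Constructed sample lines (documentation addresses, invented connection numbers).
SAMPLE_LINES = [
    "Sep  1 10:00:01 fw1 %ASA-6-302013: Built inbound TCP connection 1001 "
    "for outside:203.0.113.5/51234 (203.0.113.5/51234) to inside:10.0.0.5/443 (10.0.0.5/443)",
    "Sep  1 10:00:02 fw1 %ASA-6-302015: Built outbound UDP connection 1002 "
    "for inside:10.0.0.7/50000 (10.0.0.7/50000) to outside:198.51.100.9/53 (198.51.100.9/53)",
    "Sep  1 10:00:09 fw1 %ASA-0-302014: Teardown TCP connection 1001 "
    "for outside:203.0.113.5/51234 to inside:10.0.0.5/443 duration 0:00:08 bytes 5120 TCP FINs",
    "Sep  1 10:00:10 fw1 %ASA-6-106023: Deny tcp src outside:203.0.113.9/4444 "
    "dst inside:10.0.0.5/22 by access-group \"outside_in\"",
    "Sep  1 10:00:11 fw1 %ASA-6-302016: Teardown UDP connection 1002 "
    "for inside:10.0.0.7/50000 to outside:198.51.100.9/53 duration 0:00:09 bytes 300",
    "Sep  1 10:00:12 fw1 not a syslog message the connector would parse",
]

if __name__ == "__main__":
    print(count_kinds(SAMPLE_LINES))
    pairs, still_open = pair_connections(SAMPLE_LINES)
    for number, (built, torn) in sorted(pairs.items()):
        print(f"conn {number}: {built}\n    -> {torn}")
    print("still at severity 6:", still_at_default_severity(SAMPLE_LINES))
```

Run it over a day of captured firewall syslog before changing the severity on the device: the buildup/teardown counts give the event load you would be adding, and the pairs show whether the duration and byte counts in the teardowns are something your investigations actually use.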

Filtering and Exporting LEM Reports

You can use Select Expert to filter pre-configured reports in LEM Reports to
quickly find events of interest. You can also export filtered reports to share, save,
or run later.
To filter a report in LEM Reports:
1. Open LEM Reports on a computer that is allowed to run reports. For more
information, see LEM Reports Error: Logon failed. Database Vendor Code
210.
2. If you want to filter a report that has already been run, for example, a
scheduled report, click Open and open the report using the Open Report
File window.
3. If you want to run a new report, select the report on the Settings tab, and
then click Run to set the Start and End times for the report.
4. On the View tab, examine the report to identify the value you want to use in
your filter.
Note: Hover over any value in the report to view a tooltip that contains its
complete field name as it is used in Select Expert.
5. Click Select Expert to create your filter, and then click New.
6. Select the field name noted above, and click OK.
7. Select an operator from the list on the left, and complete filling out the rest of
the form.
8. Repeat these steps for each of the fields you want to use in your filter.
9. If you are finished creating your filter, click OK.
10. Examine your results and modify your Select Expert filter if necessary.
To export and save a report in LEM Reports:
1. Open the report and filter it if you want.
2. On the View tab, click Export.
3. Select a format from the Format list.
Note: Select Crystal Reports (RPT) if you want to be able to filter the
exported report further in the future. For more information, see Creating a
Custom Filtered Report.

4. Select Disk file from the Destination list, and click OK.
5. If you want to set a page range for the exported report, select Page
Range and enter a From and To value.
6. Click OK.
7. Specify a folder and file name for the exported report.
8. Click Save.
Video: Click the video icon to view the corresponding tutorial, which offers more
information on filtering and exporting LEM Reports.

Getting Started with User-Defined Groups


Customize the blank and sample User-Defined Groups in your LEM Console for
use with the default filters and rules they are associated with, as well as your
custom filters and rules.
Blank and Sample User-Defined Groups to Customize
The following is a list of blank or sample User-Defined Groups that SolarWinds
recommends you customize for your environment.
- Admin Accounts
- Admin Groups
- Approved DNS Servers
- Authorized USB Devices
- Authorized VPN Users
- Sensitive Files
- Service Accounts
- Suspicious External Machines
- Suspicious Local Machines
- Trusted IPs
- Trusted Server Sites
- Vendor / Contractor Accounts
- Vendor Authorized Servers

Note: The Admin Accounts group is used in several template rules as a
placeholder for a custom list of administrative users, and represents the default
administrative accounts in Windows and Unix/Linux environments. SolarWinds
recommends you clone this group before you customize it so you can use it in
both of its capacities.
Customizing User-Defined Groups - Typical
Complete the following procedure to customize any or all of the User-Defined
Groups listed above. The procedure to create your own User-Defined Groups is
practically the same; the only difference is that you click the plus icon > User
Defined Group instead of editing an existing group.

Note: If you choose to alter any group that contains a default/suggested value,
SolarWinds recommends that you clone the group first so you always have a
backup of the default group. Cloning an existing group creates a duplicate group
with the same name, but having a 2 at the end of the name.
To customize a User-Defined Group:
1. Open your LEM Console, and then log into your LEM Manager as an
administrator.
2. Click the Build tab, and then select Groups.
3. Locate the group you want to edit. Use the search box or Type menu on the
Refine Results pane if necessary.
4. Click the gear icon next to the group, and then select Edit.
Note: If you want to clone the group, select Clone instead, and then repeat
this step for the cloned group.
5. To add an element to the group:
a. Click Add Element, denoted by a + button, at the bottom of the details
pane.
b. Enter a nickname for the element in the Name field. This value is for
reference only.
c. Enter a value to define the element in the Data field (required).
Consider using wildcard characters, such as asterisks (*), to
abbreviate these entries as illustrated in the example at the end of this
procedure.
d. Enter a description in the Description field. This value is optional.
e. Click Save on the bottom-left, under the Element Details form.
6. To modify an element, click the element in the details grid, and then modify
it in the Element Details form just as you would when adding a new
element.
7. To remove an element, click the element in the details grid, and then click
Remove Element, denoted by a - icon at the bottom of the details pane.
8. If you are finished editing the group, click Save on the bottom-right of the
details pane.

Use the pre-populated User-Defined Groups as examples of what your custom
groups might look like. The Data field is used for the correlation, while the Name
field is for reference and the Description is optional. The following is an excerpt
from the default Admin Groups User-Defined Group:

Group Name: Admin Groups

Name               Data
Administrators     *Administrators*
Backup Operators   *backup oper*
DNSAdmins          DNSAdmin*
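To see what the wildcard Data values in that excerpt actually catch, here is an added example (not SolarWinds code, and not a reproduction of LEM's own matching engine) that loads the three Admin Groups elements and runs a list of group names through them. It assumes, for illustration, that "*" matches any run of characters and that comparison is case-insensitive, which is the only reading under which the default "*backup oper*" entry matches the Windows "Backup Operators" group; the candidate group names are constructed.

```python
"""Wildcard matching for LEM User-Defined Group elements.

Added example; not SolarWinds code and not LEM's own matching engine. It
assumes a Data value is a glob where "*" matches any run of characters and
that matching is case-insensitive. The elements are the three rows of the
Admin Groups excerpt above; the candidate group names are constructed.
"""
import re


class UserDefinedGroup:
    """A named group of (name, data, description) elements."""

    def __init__(self, group_name, elements=()):
        self.group_name = group_name
        self.elements = []  # dicts with name/data/description/pattern
        for name, data, description in elements:
            self.add_element(name, data, description)

    @staticmethod
    def _compile(data):
        # Escape everything except "*", which becomes ".*"; match the whole value.
        parts = [re.escape(piece) for piece in data.split("*")]
        return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)

    def add_element(self, name, data, description=""):
        """Data is required because it is the value used for correlation."""
        if not data:
            raise ValueError("Data field is required")
        self.elements.append({"name": name, "data": data,
                              "description": description,
                              "pattern": self._compile(data)})

    def matching_elements(self, value):
        """Names of the elements whose Data pattern matches the given value."""
        return [e["name"] for e in self.elements if e["pattern"].match(value)]

    def matches(self, value):
        return bool(self.matching_elements(value))

    def clone(self):
        """Duplicate the group with " 2" appended, as the Console's Clone does."""
        return UserDefinedGroup(self.group_name + " 2",
                                [(e["name"], e["data"], e["description"])
                                 for e in self.elements])


# Elements taken from the Admin Groups excerpt above.
ADMIN_GROUPS = UserDefinedGroup("Admin Groups", [
    ("Administrators", "*Administrators*", ""),
    ("Backup Operators", "*backup oper*", ""),
    ("DNSAdmins", "DNSAdmin*", ""),
])

# Constructed group names as they might appear in a group-membership event.
SAMPLE_GROUP_NAMES = ["Administrators", "Domain Admins", "Backup Operators",
                      "DNSAdmins", "Hyper-V Administrators",
                      "Remote Desktop Users"]


def classify(group, names):
    """Map each candidate name to the elements it hits; [] means no hit."""
    return {name: group.matching_elements(name) for name in names}


if __name__ == "__main__":
    for name, hits in classify(ADMIN_GROUPS, SAMPLE_GROUP_NAMES).items():
        print(f"{name:25} -> {hits or 'no match'}")
```

Two things the output makes visible: "*Administrators*" also catches "Hyper-V Administrators", so a broad leading and trailing wildcard widens the rule beyond the built-in Administrators group, while "Domain Admins" is not caught at all by the default rows. Both are the reason the section tells you to customize the sample groups for your environment, and to clone a group before editing it.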

Customizing User-Defined Groups - Variations


The following are two variations you might want to use when setting up your
filters, rules, and groups.
Using Directory Service Groups to account for Windows users, groups, and
computer accounts.
Directory Service Groups are groups that LEM pulls from Active Directory. Use
these groups instead of User-Defined Groups in your filters and rules to reduce
the need for ongoing maintenance. For additional information, see Configuring
the Directory Service Query Connector.
Automating how you populate User-Defined Groups using the Add User-Defined Group Element active response.
The Add User-Defined Group Element active response populates a pre-defined
User-Defined Group with static or dynamic values, as defined by a LEM rule. Use
this active response to populate a User-Defined Group based on a specific type of
event, such as when you attach a USB device you want to tag as authorized, or
when a user attempts to visit a prohibited website. For additional information, see
Auto-populating User-Defined Groups Using a LEM Rule.
Additional Information
Extended Description
Log & Event Manager comes with several default filters, rules, and groups that
you can use to monitor and respond to events on your network. Given the variable
nature of the IT environments into which LEM is deployed, many of the
User-Defined Groups are blank or contain suggested values by default.

Uses
The following are examples of default filters and rules that use the blank and
sample groups.
Filters
- Admin Account Authentication
- Domain Controllers (all)
Note: The Domain Controllers (all) filter uses a Connector Profile in the constant
position by default, but you can replace it with a User-Defined Group or Directory
Service Group if the Tool Profile is not sufficient for your environment. For
additional information about Connector Profiles, see Creating Connector Profiles
to Manage and Monitor LEM Agents.
Rules
- Authentication - Unknown User
- Critical Account Logon Failures
- Detach Unauthorized USB Devices
- File Audit - Delete Sensitive Files
- Non-Admin Server Logon
- Vendor - Unauthorized Server Logon
666

Appendix J: Additional Configuration and Troubleshooting Information

Modifying Filters for Users with the Monitor Role


LEM Console users in the Monitor role have read-only access to the LEM
Console. By default, their Filters list on the Monitor tab contains the same
default/standard filters as any other user. However, you can modify their Filters.
To modify the filters for a LEM Console user with the Monitor role:
1. Open the LEM Console, log in as admin or under another user name with
an admin role, and edit the user role to temporarily assign an admin role.
2. Instruct the user to log in using their Windows profile.
3. Change the filters as desired, deleting unnecessary filters.
4. Log out of the user Console window.
5. From the user computer, log in with the user credentials.
6. From your admin login, change the user role back to monitor.
7. Click the Monitor tab.
Note: You may also perform the following to achieve the same results, but
you would have to have previously created and exported the filters:
- If you want to add new filters to the user's Filters list, create or
  import the filters as appropriate.
- If you want to remove a filter from the user's Filters list, point to the
  filter and click the x that appears to the right.
8. Log out of your LEM Manager.
When the user logs on to your LEM Manager with the same computer and
Windows profile using their LEM user account, they will only see the filters you
specified above.

Output, nDepth Host, nDepth Port Fields


Note: Do not modify the Output, nDepth Host, or nDepth Port fields unless your
LEM appliance has been configured to receive and store original log data in its
own database, the RAW database, also called the nDepth database.
Your SolarWinds LEM appliance can store 100% of the original log data read by
any SolarWinds LEM connector in addition to the data normalized and presented
in your LEM Console. Original log data is stored in a separate database from the
normalized data, and can be searched separately. This database typically
resides on the same appliance as the LEM Manager and alert database, but it can
also reside on a dedicated LEM database or nDepth appliance.
The Output, nDepth Host, and nDepth Port fields in the tool configuration forms on
your LEM Manager and Agents are reserved for implementations in which the
LEM appliance has been configured to receive and store original log messages. If
your LEM appliance is not configured appropriately, modifying these settings will
cause all alert data to queue indefinitely, rather than being sent to the appropriate
database.
For additional information about configuring your LEM appliance and tools to
handle original log data, refer to Configuring your LEM Appliance Log Message
Storage and nDepth Search.

Report Formats and their Corresponding Numbers Listed in a LEM Scheduled Report INI File
This section describes how to edit a scheduled report that is already in the Task
Scheduler of the machine running these reports.
Note: As with custom reports and scheduled reports, SolarWinds recommends
that report creation be documented for disaster recovery.
- Scheduled Report INI files are located in: Program Files\SolarWinds Log
  and Event Manager Reports\SchedINI
- Scheduled Report INI files are generated automatically when you schedule a
  report using the LEM Reports console.
- If you need to hand edit a scheduled report INI file, or if you are changing the
  format of the report, you must add the number corresponding to the report
  format after the equal sign on the line "ExportFormat=".

The following list identifies the number assigned to each possible format for a
LEM report:

Number   Report Format
1        Excel: MS Excel 97-2000, with headings format
2        Exceldata: MS Excel 97-2000, data only format
3        HTML32: HTML version 3.2 format
4        HTML40: HTML version 4.0 format
5        PDF: Adobe Portable Document format
6        RTF: Rich Text Format
7        CSV: Separated Values Text format
8        TAB: Tab Separated text format
9        Text: Text based report format
10       Word: MS Word Document format
11       XML: XML Document format
12       RPT: Crystal RPT w/ Data format

The following is an example of a LEM Scheduled Report INI file:

[TaskSetup]
Keyword=2009331
Filename=C:\Program Files\SolarWinds Log and Event Manager Reports\Reports\RPT2009-33-1.rpt
[DSNManager]
Manager1=sherman
[RptParams]
RptDateRangeDesc=DAY_P
RptDateRange=2
RptStartTime=12:00:00 AM
RptStopTime=11:59:59 PM
TopN=20
[Export]
DoExport=T
ExportDesc=EXCEL
ExportFormat=1
ExportDest=C:\Program Files\SolarWinds Log and Event Manager Reports\Export
ExportFileName=format1.xls
ExportOverWrite=INCREMENT
670

Appendix J: Additional Configuration and Troubleshooting Information

Troubleshooting LEMAgent Connections


There are a number of reasons why a LEM Agent might not connect to your LEM
appliance. The following troubleshooting procedures can help you work around
the most common causes:
- Verify the computer is still in your environment.
- Verify the computer is turned on.
- Verify the LEM Agent service is running.
  The LEM Agent runs as a service on the host operating system. Ensure the
  service is running on the host using one of the following (or similar)
  procedures.
  - On Windows hosts:
    1. Open Control Panel > Administrative Tools > Services.
    2. Navigate to SolarWinds Log and Event Manager Agent.
    3. Click Start (green Play button) if the LEM Agent is not running.
  - On Linux hosts:
    1. Run ps ax | grep contego in a CLI terminal.
    2. Look for ContegoSPOP.
    3. If the LEM Agent is not running, run sudo /etc/init.d/swlemagent start.
    4. Enter the root password if necessary.
  - On Mac hosts:
    1. Run ps ax | grep -i trigeo in a CLI terminal.
    2. Look for SWLEMAgent.
    3. Run launchctl load /Library/LaunchDaemons/com.trigeo.trigeoagent.plist
       if the LEM Agent is not loaded.
- Verify a firewall is not blocking the connection.
  The LEM Agent relies on the following ports to communicate with the LEM
  appliance. Ensure you have the proper exceptions in place for any firewall
  between a LEM Agent and the LEM appliance.

  - 37890-37892: Traffic from LEM Agents to the LEM appliance
    Note: SolarWinds recommends disabling all three profiles
    (domain/public/private) even though IP subnets may be fully
    configured in AD sites. There are instances when Windows Firewall
    blocks agent communications even when the port connection is
    tested.
  - 37893-37896: Traffic from the LEM appliance to LEM Agents

- Check that the LEM Agent is running the current version of the software.
  The following are steps to check the version of a LEM Agent:
  1. Open the most recent copy of spoplog.txt in a text editor from the
     installation folder.
     - Windows: C:\Windows\system32\ContegoSPOP\
     - Linux: /usr/local/contego/ContegoSPOP/
     - Mac: /Applications/TriGeoAgent/
  2. Search for Release in the text editor.
  3. The most recent entry reflects the current version running on your
     system. For example, SolarWinds Log and Event Manager Agent (Release
     x.x.x).
- Reset the LEM Agent's certificate.
  The following steps can correct connection issues. Symptoms include:
  - Intermittent connectivity
  - Inability to upgrade the LEM Agent software
  - General failure to connect
  Contact Support if all conditions have been verified and symptoms still
  continue.
  - On Windows hosts:
    1. Stop the SolarWinds Log and Event Manager Agent service
       in Control Panel > Administrative Tools > Services.
    2. Delete only the six (6) files *.xml and *.trigeo under the spop
       folder in C:\Windows\system32\ContegoSPOP\
    3. Delete the entry for the affected LEM Agent in the Manage >
       Nodes pane in the LEM Console by clicking the gear icon next
       to the entry, and then clicking Delete.
    4. Restart the LEM Agent service.
    If resetting fails, perform the following steps:
    1. Stop the SolarWinds Log and Event Manager Agent service
       in Control Panel > Administrative Tools > Services.
    2. Delete the spop folder in C:\Windows\system32\ContegoSPOP\.
       Important: Do not delete the ContegoSPOP folder.
    3. Delete the entry for the affected LEM Agent in the Manage >
       Nodes pane in the LEM Console by clicking the gear icon next
       to the entry, and then clicking Delete.
    4. Restart the LEM Agent service.
  - On Linux hosts:
    1. Stop the swlem-agent service: /etc/init.d/swlem-agent stop
    2. Delete the spop folder: rm -Rf /usr/local/contego/ContegoSPOP/spop
    3. Delete the entry for the affected LEM Agent in the Manage >
       Nodes pane in the LEM Console by clicking the gear icon next
       to the entry, and then clicking Delete.
    4. Restart the swlem-agent service: /etc/init.d/swlem-agent start
  - On Mac hosts:
    1. Unload swlemagent.plist: launchctl unload
       /Library/LaunchDaemons/com.swlem.swlemagent.plist
    2. Delete the spop folder: rm -Rf /Applications/TriGeoAgent/spop
    3. Delete the entry for the affected LEM Agent in the Manage >
       Nodes pane in the LEM Console by clicking the gear icon next
       to the entry, and then clicking Delete.
    4. Reload swlemagent.plist: launchctl load
       /Library/LaunchDaemons/com.swlem.swlemagent.plist
- Check LEM Agent ports.
  Having the Manager ports (37890-37892) open on the firewall but the Agent
  ports (37893-37896) closed could result in Telnet being able to connect
  while the Agent is not able to connect.
  Do the following to determine that your firewall is set up correctly:
  1. From a command line, telnet from the Agent to port 37892 on LEM.
  2. Run a netstat command.
  3. Stop the LEM Agent.
  4. Modify the LEM Agent's spop.conf file by adding the following 4 lines.
     Note: This process works best if you open WordPad and run it as an
     administrator. The process also assumes ports 65320-65323 are
     available for use.
     AgentLowPort=65320
     AgentHighPort=65321
     com.solarwinds.lem.communication.agentLowPort=65322
     com.solarwinds.lem.communication.agentHighPort=65323
  5. Restart the LEM Agent.
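The Telnet test in step 1 checks one port at a time and does not distinguish a firewall drop from a closed port. The following added example (not SolarWinds code) scripts the same outbound check for all three Manager ports named in this section and reports "open", "refused" (the host answered but nothing listens) or "timeout" (nothing answered, the usual sign of a firewall dropping the SYN). LEM_HOST is a placeholder for your appliance's address. It can only test the Agent-to-appliance direction; the 37893-37896 ports are inbound to the Agent and have to be tested from the appliance side or with a listener on the Agent host. The loopback self-test at the end exercises the check without any network.

```python
"""Scripted version of the Telnet reachability check for LEM Agent ports.

Added example, not SolarWinds code. Port numbers are the ones the section
lists: 37890-37892 carry Agent-to-appliance traffic, so an Agent host can
test them by connecting outward; 37893-37896 are inbound to the Agent and
cannot be tested from here. LEM_HOST is a placeholder.
"""
import socket
from contextlib import closing

LEM_HOST = "lem.example.invalid"  # placeholder: your LEM appliance address
MANAGER_PORTS = (37890, 37891, 37892)        # LEM Agents -> LEM appliance
AGENT_PORTS = (37893, 37894, 37895, 37896)   # LEM appliance -> LEM Agents


def check_tcp_port(host, port, timeout=3.0):
    """Return "open" if a TCP connect succeeds, "refused" if the host sent a
    reset, "timeout" if nothing answered, or "error" for DNS and other failures."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except socket.timeout:
            return "timeout"
        except ConnectionRefusedError:
            return "refused"
        except OSError:
            return "error"


def check_ports(host, ports, timeout=3.0):
    """Map each port to its check result."""
    return {port: check_tcp_port(host, port, timeout) for port in ports}


def blocked_ports(results):
    """Ports that did not accept a connection. A timeout usually means a
    firewall dropped the SYN; a refusal means the host answered but nothing
    listens there, which points at the appliance rather than the firewall."""
    return sorted(port for port, state in results.items() if state != "open")


def loopback_self_test():
    """Prove the check against a local listener, then against the same port
    after the listener is gone. Returns (state while listening, state after)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        while_listening = check_tcp_port("127.0.0.1", port, timeout=1.0)
    after_close = check_tcp_port("127.0.0.1", port, timeout=1.0)
    return while_listening, after_close


if __name__ == "__main__":
    print("loopback self-test:", loopback_self_test())
    results = check_ports(LEM_HOST, MANAGER_PORTS)
    for port, state in results.items():
        print(f"{LEM_HOST}:{port} {state}")
    print("not reachable:", blocked_ports(results) or "none")
```

Run it on the Agent host with the appliance address substituted. If all three Manager ports report "open" but the Agent still does not connect, the inbound Agent ports are the next thing to check, which is exactly the asymmetry the paragraph above describes.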


l

Re-install Agent
1. Either download the Remote Agent Uninstaller to uninstall an agent,
or use Programs & Features in the Windows control panel.
Notes:
l

The remote installer must be run using runas administrator


with the file on the local hard drive, even if you are an admin.
Do not use this on Windows 2012-R2 or 8.1.

2. Remove the agent directory c:\windows\syswow64\ContegoSPOP\


3. Re-install the agent. Use the local agent installer on computers in a
DMZ and Windows 8.1/2012-R2, select runas-administrator and

674

Appendix J: Additional Configuration and Troubleshooting Information

Windows-7 compatibility. If using the remote agent installer, select


runas-administrator. Have the installer file on the local hard drive.
4. If there is a network resolution problem looking up the hostname,
use the LEM IP address for the Manager Name while installing the
agent.
5. If the agent is not showing up in the console Node list, be sure you
have enough available licenses under Manage > Appliances on the
License tab.
The LEM appliance responds to an ICMP ping and to a traceroute from Windows/Linux, and accepts a telnet connection on the Agent ports and on the SSH (PuTTY) port 32022.
Other software, such as anti-virus, can prevent a proper Agent install or can take control of the ports the Agent uses.
Support may increase the logging level for agents, or may ask for a debug
from the LEM appliance.
- Contact Support.
If this article does not resolve the issue, open a ticket with SolarWinds
Support for further assistance. Please be prepared with the following
information:
- The exact operating system the host computer is running
- The version of your LEM components:
  - Agent installer
  - LEM appliance
  - LEM Console
- The most recent copy of spoplog.txt and the spop.conf file from the Agent installation folder.


Troubleshooting LEM Rules and Email Responses
Consult the following scenarios to troubleshoot LEM rules that are not firing as
expected or sending the expected notifications. For additional information about
any of the procedures referenced in these scenarios, see the associated
footnotes.
My rule fires, but I don't get an email.
Problem:
You see the expected InternalRuleFired alerts in the default SolarWinds Alerts
and Rule Activity filters in the LEM Console, but are not getting the expected
email notification.
Steps to resolve:
1. Verify that the ExtraneousInfo field of the InternalRuleFired alert shows
the associated email action in Email [recipient] format.
2. If that action is not present, add the Send Email Message action to the rule (see Using the Send Email Message Action in Rule Creation, note 1 under Additional Information).
3. Verify that the intended recipient has an email address associated with their LEM user account:
a. Click the Build tab, and then select Users.
b. Click the LEM user account associated with the intended recipient.
4. If the Contact Information box is blank in the User Information pane, edit the user to add an email address (see Creating Users in the LEM Console, note 2 under Additional Information).
Note: If you are unable to add an email address to an AD user, you may need to create a separate user, add the email address to that user account, and then select that user in the email template.
5. Verify that the Email Active Response connector is configured on your
LEM Manager:

a. Click the Manage tab, and then select Appliances.
b. Click the gear icon next to your LEM Manager, and then select
Connectors.
c. On the Connector Configuration window, select Configured on the
Refine Results pane.
6. If Email Active Response is not in the list, clear the Configured check box, and then configure the missing connector (see Configuring the Email Active Response Connector, note 3 under Additional Information).
My rule doesn't fire, and I don't see the expected alerts.
Problem:
You do not see the expected InternalRuleFired alerts in the default SolarWinds
Alerts or Rule Activity filters in the LEM Console, nor do you see the alerts
needed to fire your rule anywhere in your LEM Console.
Steps to resolve:
To determine whether the requisite alerts are in your LEM Console, create a filter
or nDepth search that matches the correlations in your rule. If the alerts are not
present, complete the following procedure:
1. Review the network devices that are sending syslog data to the LEM, and validate that each device is configured to send its data. Verify that at least one of your devices is logging the events you want to capture. For example:
- Remote logging devices, such as firewalls and web filters, should be logging your web traffic events.
- Domain controllers and end-user computers should be logging domain-level and local authentication and change management events.
  Note: If you have multiple domain controllers, they will not all replicate every domain event. Each server only logs the events it executes.
- Other servers, such as database servers and web servers, should be logging events associated with their particular functions.

2. Validate that data is received by the LEM.
- Validate that the LEM icons show a syslog/agent connection:
  a. Syslog device IPs appear in the Manage > Nodes list of the Console as a pipe-Y symbol.
  b. Agent host names and IP addresses appear in the Manage > Nodes list of the Console as a green plug icon.
- Validate that data is being received by the syslog facility or by the Agent:
  a. If a network syslog device is sending syslog data to the LEM, you should be able to view the LEM syslog files for that data.
  b. Perform the following:
    i. Open the vSphere/Hyper-V console to access the LEM.
       Note: You may also use a PuTTY session to port 32022 as the cmc user.
    ii. Enter the appliance menu, and enter the checklogs command.
    iii. View the syslog facility that was chosen by the network device. All of the data received in this area is UDP traffic received on port 514.
  c. Agent data is encrypted, so it is more difficult to tell whether it is received by the LEM.

3. If your device is not in the Nodes list, configure computers by installing a LEM Agent (see Using the SolarWinds LEM Remote Agent Installer, note 4 under Additional Information), or configure other devices, such as firewalls, to log to your LEM appliance (see note 5 under Additional Information). After your device is in the list, continue to the next step.

4. If your device is in the Nodes list, configure the appropriate connectors:
a. To configure syslog connectors (manager connectors) on your LEM
Manager for remote logging devices, click the Manage tab, and then
click Appliances.
b. Click the gear icon next to the Agent or Manager on which you want to
configure the new connectors, and then select Connectors.
c. Use the Search box at the top of the Refine Results pane to locate the
appropriate connectors.
d. Configure the connector according to your needs.
e. To configure agent connectors, go to Manage > Nodes, select the
gear icon next to the agent and edit the connectors.
I see the alerts, but my rule doesn't fire.
Problem:
You see the alerts required to fire your rule in the LEM Console, but your rule still
doesn't fire.
Steps to resolve:
1. Verify that all of your rules have been activated in all open LEM Consoles:
a. Click the Build tab, and then select Rules.
b. If the Activate Rules button is not greyed out, click it. This
synchronizes all of the changes you have made to your rules in the
Console with your LEM Manager.
c. Repeat these steps for all open LEM Consoles in your environment.
2. Compare the InsertionTime and DetectionTime values in the alerts you
expected to fire your rule.
3. If the time is off by more than five minutes, verify and correct the time
settings on your LEM appliance and any remote logging devices as
necessary. See To view and modify the time on your LEM appliance.
4. If none of the previous troubleshooting steps help, restart the Manager
service on your LEM appliance. In general, consider doing this once every
six months:

a. Connect to your LEM virtual appliance using either the vSphere console view, or an SSH client like PuTTY.
b. If you are using an SSH client, log in to your LEM virtual appliance
using your CMC credentials.
c. At the cmc> prompt, enter manager.
d. At the cmc::cmm prompt, enter restart.
e. Press Enter to confirm your entry.
Note: Restarting the Manager service will make your LEM Manager
unavailable for about one minute. However, no data is lost during this
process.
f. Enter exit twice to leave the CMC interface.
My rule fires, but the email is blank.
Problem:
You receive an email notification for the alert, but the fields in the custom email
template are blank.
Steps to resolve:
1. Click the Build tab, and then select Rules.
2. Locate your rule, click the gear icon on the left and select Edit. You will
notice that the fields in the Actions box are blank.
3. Copy the event assigned to this rule. This is the string before the dot in the
Correlation box.
4. Click Events on the left pane and type the event in the search field.
5. Drag the fields required in your rule from the Fields pane to populate the
blank fields in the Actions box.
6. Click Save to close the Rule Creation window.
7. Click Activate Rules on the Rules window.
To view and modify the time on your LEM appliance:
1. Connect to your LEM virtual appliance using either the vSphere console
view, or an SSH client like PuTTY.


2. If you are using an SSH client, log in to your LEM virtual appliance using
your CMC credentials.
3. At the cmc> prompt, enter appliance.
4. At the cmc::acm prompt, enter dateconfig.
5. Press Enter through all of the prompts to view the current date and time settings on your LEM appliance.
6. By default, the LEM receives time synchronization from the VM host computer. Without it, the time on the LEM will be off and rules may not fire. You will need to disable the time sync on the VM host computer and configure the LEM to get time from an NTP server:
a. At the cmc::acm prompt, enter ntpconfig.
b. Press Enter to start the configuration script.
c. Enter the IP addresses of your NTP servers separated by spaces.
d. Enter y to verify your entry.
7. Enter exit twice to leave the CMC interface.

Additional Information
For general instructions for working with LEM Rules, see Creating Rules from your LEM Console to Take Automated Action. For additional information about the specific procedures discussed in this article, see the following related articles according to your need.
1. For additional information about using email notifications in LEM rules, see Using the Send Email Message Action in Rule Creation.
2. For additional information about creating LEM user accounts, see Creating Users in the LEM Console.
3. For additional information about configuring the Email Active Response connector, see Configuring the Email Active Response Connector.
4. For additional information about installing LEM Agents on Windows computers, see Using the SolarWinds LEM Remote Agent Installer. For articles related to installing LEM Agents on other operating systems, browse or search the Agents category of the LEM knowledge base.
5. For additional information about configuring remote logging devices to log to your LEM appliance, search the Connectors category of the LEM knowledge base.

Troubleshooting Unmatched Data or Internal New Connector Data Alerts in the LEM Console
Periodically, you might see Unmatched Data or Internal New Connector Data
alerts in your LEM Console, which indicate one or more of the connectors on your
appliance cannot properly normalize the log data they are associated with. This
article contains troubleshooting procedures for syslog and Agent devices.

Troubleshooting Syslog Devices


Complete the following troubleshooting procedures for devices that send logs to a
syslog facility on your LEM appliance.
Verify the connector and device are pointed at the same local facility
1. Check the configuration on your device to determine what local facility it's
logging to on your LEM appliance. In some cases, you cannot modify this
setting. For additional information, search for your device in the Connectors
section of the LEM Knowledgebase. Except for the Check Point firewall, the
LEM receives UDP syslog data on port 514.
2. Verify that the connector is pointed to the same logging facility as the
device:
a. Open your LEM Console and log in to your LEM appliance as an
administrator.
b. Click the Manage tab, and then select Appliances.
c. Click the gear icon next to your LEM appliance, and then select
Connectors.
d. Locate the connector in the list. Use the search box at the top of the
Refine Results pane, or select Configured if necessary.
e. Select the configured connector to view its details. Verify the Log File
value matches the output value in your device's configuration.
3. If the device and connector configurations do not match, point the connector
to the appropriate location:

a. Stop the connector: gear icon > Stop
b. Open the connector for editing: gear icon > Edit
c. Change the Log File value so it matches your device.
d. Click Save.
e. Start the connector: gear icon > Start
Verify that certain devices are not logging to the same local facility
Certain devices, mainly Cisco, have similar enough logging formats that they
cause connector conflicts when they're logging to the same facility on your LEM
appliance. Use the following procedure and table to determine what devices are
logging to each facility, and whether those devices conflict with one another:
1. Connect to your LEM appliance using a VMware console view, or an SSH
client such as PuTTY.
2. If you're connecting to your appliance through SSH, log in as the CMC user,
and provide the appropriate password.
3. If you're connecting to your appliance using VMware, select Advanced
Configuration on the main Console screen, and then press Enter to get to
the command prompt.
4. At the cmc> prompt, enter appliance.
5. At the cmc::acm# prompt, enter checklogs.
6. Enter an item number to select a local facility to view.
7. To view the device sending the event, open the log facility. The EPOCH
timestamp (1427722392000) starts each event, which is the date/time in
Unix numeric format. The device sending the event follows (192.168.2.251).
Then you will typically see the ProviderSID (ASA-1-106021) which is
similar to an Event ID.
8. If you see that two or more devices are logging to the same facility, consult
the following table to determine whether those devices conflict with one
another.

Table of Conflicting Devices

Different types of firewalls should log to different facilities. For example, Cisco
firewalls and Palo Alto, or others, should log to different facilities. However, all
Cisco should be the same local facility, and all Palo Alto should be the same
facility. In addition, ensure the devices in each of these groups are logging to
distinct local facilities on your LEM appliance. For example, if a device in Group 1
is logging to local1, make sure a device in Group 2 is not also logging to that
facility.
Note: SolarWinds recommends that you split devices/vendors across different facilities, because having all devices pointed at one facility with multiple connectors reading that facility will have a performance impact on LEM.
Group     Devices
Group 1   Cisco ASA
          Cisco IOS
          Cisco PIX
Group 2   Cisco Catalyst (CatOS)
Group 3   Cisco Wireless LAN Controller (WLC)
Group 4   Cisco Nexus
Group 5   Cisco VPN
Group 6   Dell PowerConnect
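As an added example (not SolarWinds code), the following Python script applies steps 7 and 8 to the contents of each local facility: it reads event lines in the layout described in step 7 (EPOCH timestamp, sending device IP, ProviderSID), summarizes which devices write to each facility, and flags facilities with more than one sender so you can check them against the table. The exact field layout of checklogs output is assumed, and the sample lines are constructed.

```python
"""Summarize which devices are writing to each local syslog facility on
the LEM appliance, using the event layout the guide describes for the
CMC checklogs output.

Added example, not SolarWinds code. Assumes each event line begins with
an epoch-millisecond timestamp, then the sending device's IP address,
then the ProviderSID (for example ASA-1-106021). The sample lines are
constructed; paste real facility contents in their place.
"""
import re
from datetime import datetime, timezone

EVENT_RE = re.compile(
    r"^(?P<epoch>\d{13})\s+"                        # epoch timestamp, milliseconds
    r"(?P<device>\d{1,3}(?:\.\d{1,3}){3})\s+"       # IP of the sending device
    r"%?(?P<sid>[A-Za-z0-9_]+-\d+-[A-Za-z0-9_]+)"    # ProviderSID, e.g. ASA-1-106021
)

# Constructed sample of two facilities as checklogs would show them.
SAMPLE_FACILITIES = {
    "local1": [
        "1427722392000 192.168.2.251 ASA-1-106021 Deny TCP reverse path check",
        "1427722393000 192.168.2.251 ASA-4-106023 Deny tcp src outside",
        "1427722395000 192.168.2.10 SYS-5-CONFIG_I Configured from console",
        "this line is not an event and is ignored",
    ],
    "local2": [
        "1427722400000 192.168.2.20 SYS-5-CONFIG_I Configured from console",
    ],
}


def parse_event(line):
    """Return {"time", "device", "sid"} for one event line, or None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    stamp = datetime.fromtimestamp(int(m["epoch"]) / 1000, tz=timezone.utc)
    return {"time": stamp, "device": m["device"], "sid": m["sid"]}


def summarize_facility(lines):
    """Group one facility's events by sending device.

    Returns {device_ip: {"events": count, "sids": sorted ProviderSIDs,
    "first": earliest time, "last": latest time}}.
    """
    per_device = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        entry = per_device.setdefault(
            ev["device"], {"events": 0, "sids": set(), "first": ev["time"], "last": ev["time"]}
        )
        entry["events"] += 1
        entry["sids"].add(ev["sid"])
        entry["first"] = min(entry["first"], ev["time"])
        entry["last"] = max(entry["last"], ev["time"])
    for entry in per_device.values():
        entry["sids"] = sorted(entry["sids"])
    return per_device


def shared_facilities(facilities):
    """Return {facility: [device ips]} for every facility with more than one sender.

    These are the facilities to check against the Table of Conflicting Devices.
    """
    shared = {}
    for name, lines in facilities.items():
        devices = sorted(summarize_facility(lines))
        if len(devices) > 1:
            shared[name] = devices
    return shared


def main(facilities=SAMPLE_FACILITIES):
    for name, lines in facilities.items():
        print(f"{name}:")
        for ip, info in summarize_facility(lines).items():
            print(f"  {ip}: {info['events']} events, SIDs {', '.join(info['sids'])}, "
                  f"{info['first']:%Y-%m-%d %H:%M:%S} .. {info['last']:%H:%M:%S} UTC")
    for name, devices in shared_facilities(facilities).items():
        print(f"WARNING: {name} receives from {len(devices)} devices ({', '.join(devices)}); "
              "check the Table of Conflicting Devices")


if __name__ == "__main__":
    main()
```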

Troubleshooting Agent Devices/Connectors


Complete the following troubleshooting procedures for LEM Agent connectors,
such as Windows-based and database connectors.
Verify the connector is pointing to the appropriate folder/event log.
1. Check the configuration on the host computer to determine what
folder/event log it's logging in to. In some cases, you cannot modify this
setting. For additional information, search for your device in the Connectors
section of the LEM Knowledgebase.
2. Verify that the connector is pointed to the same folder/event log as the
device:
a. Open your LEM Console and log in to your LEM appliance as an
administrator.

b. Click the Manage tab, and then select Nodes.
c. Click the gear icon next to the LEM Agent for the host computer, and
then select Connectors.
d. Locate the connector in the list. Use the search box at the top of the
Refine Results pane, or select Configured if necessary.
e. Select the configured connector to view its details. Verify the Log File
value matches the output value in the host computer's configuration.
3. If the host computer and connector configurations do not match, point the connector to the appropriate location:
a. Stop the connector: gear icon > Stop
b. Open the connector for editing: gear icon > Edit
c. Change the Log File value so it matches the host computer.
d. Click Save.
e. Start the connector: gear icon > Start
Apply the latest connector update package
If you completed the other procedure in this section and you still see the
Unmatched Data or Internal New Connector Data alerts, apply the latest
connector package before calling Support. For instructions on how to apply the
latest connector update package, see Applying a LEM Connector Update
Package.

Contacting Support
If you are unable to resolve your issue using this article, open a ticket with
SolarWinds Support for further assistance. Please be prepared to provide the
following once you are in touch with a representative:
- A copy of the LEM report Tool Maintenance by Alias for the last 24 hours, or for the period during which the unmatched data was detected, exported in Crystal Reports format (.rpt).
- For syslog devices: A sample of the logs currently being sent to LEM for the affected connector (see To generate a syslog sample from the LEM appliance, below).
- For Windows connectors: A copy of the entire event log in .evtx format; specify English when prompted for the language option.
- For database connectors (required): A sample of the event table containing the events not being read, along with details about those events.
- For database connectors (optional): If possible, the schema for the database.

To generate a syslog sample from the LEM appliance:
1. Connect to your LEM appliance using a VMware console view, or an SSH client such as PuTTY.
2. If you're connecting to your appliance through SSH, log in as the CMC
user, and provide the appropriate password.
3. If you're connecting to your appliance using VMware, select Advanced
Configuration on the main Console screen, and then press Enter to get to
the command prompt.
4. At the cmc> prompt, enter appliance.
5. At the cmc::acm# prompt, enter exportsyslog.
6. Enter an item number to select a local facility to export.
7. Repeat the previous step to specify more than one facility.
8. Enter q to proceed.
9. Follow the on-screen instructions to complete the export.

Using the Append Text to File Active Response

Use the Append Text To File Active Response to append static or dynamic text
to a flat text file on your network. This action is useful for keeping a running list of
deployed LEM Agents or tracking certain types of activity across several users
and computers, and can be automated in a LEM rule, or executed manually from
the Respond menu in the LEM Console.
Requirements
To use this active response, ensure the file you want to append already exists.
Follow these guidelines when creating the file:
- Use .txt, or a similar flat text file format.
- Avoid using spaces in the file path or name.
- Note the complete file path and name, as it is required to use the active response.

Configure the Append Text to File Active Response and Windows Active
Response connectors on each LEM agent on which you want to be able to use
this active response.
To configure the Append Text to File action in the rule:
1. Open your LEM Console and log in to your LEM Manager as an
administrator.
2. Create a new rule or edit an existing rule that triggers on a specific event.
3. Open the rule to edit, and select the actions in the left column.
4. Drag the Append Text to File action from the left to the Actions box under
the rule.
5. Open the Constants on the left, and then drag the Text field to the empty
box next to File Path under the Append Text to File action.
6. Using the same event stated in the Correlations, select the event from the
Events list on the left and drag the DetectionIP field from the Fields list to
the Agent under this action.
7. Fill in the directory structure in the File Path under this action, indicating the
name of the file.

8. The Text field under the Append Text to File action will contain the text that you are inserting into the file. If using plain text, drag the Text constant from the left to the empty box in the Text field.
9. Save the rule.
To configure the Append Text to File Active Response connector on a LEM
Agent:
1. Open your LEM Console and log in to your LEM Manager as an
administrator.
2. Click the Manage tab, and then select Nodes.
3. Locate the LEM agent on which you want to enable the connector.
4. Click the gear icon to the left of the LEM agent, and then select
Connectors.
5. Enter Append Text to File in the Search box at the top of the Refine
Results pane.
6. Click the gear icon next to the connector, and then select New.
7. Enter a custom Alias for the new connector, or accept the default.
8. Specify whether you want the connector to append data to a new line in the
How to append menu.
9. Specify a Maximum file size (MB) or accept the default.
10. Click Save.
11. Click the gear icon next to the new connector, denoted by an icon in the
Status column, and then select Start.
12. Click Close to exit the Connector Configuration window.
To configure the Windows Active Response connector on a LEM Agent:
1. Open your LEM Console and log in to your LEM Manager as an
administrator.
2. Click the Manage tab, and then select Nodes.
3. Locate the LEM agent on which you want to enable the connector.
4. Click the gear icon to the left of the LEM agent, and then select Connectors.

5. Enter Windows Active Response in the Search box at the top of the Refine
Results pane.
6. Click the gear icon next to the connector and then select New.
7. Enter a custom Alias for the new connector, or accept the default.
8. Click Save.
9. Click the gear icon next to the new connector, denoted by an icon in the
Status column, and then select Start.
10. Click Close to exit the Connector Configuration window.

Using the Block IP Active Response

Use the Block IP active response to block an IP address at your firewall using
your LEM Manager. This action is useful for blocking port scanners, and can be
automated in a LEM rule, or executed manually from the Respond menu in the
LEM Console.
Requirements
You can use the Block IP active response with the following firewalls/modules:
- Cisco PIX
- Cisco ASA
- Cisco Firewall Services Module
- Fortigate Firewalls
- Juniper NetScreen
- Check Point OPSEC
- SonicWALL
- WatchGuard Firebox (including Vclass)

Configure the Active Response tool for one of the firewalls listed above on your
LEM Manager.
To configure the Active Response connector for your firewall:
1. Open your LEM Console and log in to your LEM Manager as an
administrator.
2. Click the Manage tab, and then select Appliances.
3. Click the gear icon to the left of your LEM Manager, and then select
Connectors.
4. Select Firewalls from the Category list, and enter Active Response in the
Search box at the top of the Refine Results pane.
5. Click the gear icon next to the connector for your firewall, and then select
New.
6. Complete the Connector Configuration form according to your firewall's
specifications.
Note: Generally, all you will have to enter is your firewall address and credentials. Some connectors, however, require more information. For additional assistance, see the Connectors category of the SolarWinds Knowledge Base for LEM, or open a Support ticket.
7. Click Save.
8. Click the gear icon next to the new connector, denoted by an icon in the
Status column, and then select Start.
9. Click Close to exit the Connector Configuration window.
To configure the Rule:
1. Identify the type of data that would trigger the rule. If needed, perform an
nDepth search or view the real-time data being received under Monitor in
the Console (filters).
2. In the Console, go to Build > Rules, click the + button at the top right to create a new rule, and enter a descriptive name.
3. Locate the event type in the Events tab and the desired fields in the Fields tab, and drag them to the Correlations box.
4. Click the Actions tab on the left and drag Block IP to the Actions box under
the rule being created.
5. Enter the IP address to be blocked and save the rule.
6. Click Activate Rules.

Additional Information
The Block IP active response creates a rule on your firewall to block the IP
addresses you specify. To allow an IP address through your firewall, delete or
modify the rule on your firewall as appropriate.

Using the Computer-based Active Response

Use the following Computer-based Active Responses to perform Windows-based actions related to computers and computer services on your LEM Agents.
These actions are useful to respond to insider abuse, computer infections, and
other suspicious activity. They can be automated in a LEM rule, or executed
manually from the Respond menu in the LEM Console.
- Disable Windows Machine Account [1]
- Enable Windows Machine Account [1]
- Disable Networking
- Detach USB Device
- Restart Machine
- Restart Windows Service
- Send Popup Message
- Shutdown Machine
- Start Windows Service
- Stop Windows Service

Requirements
Configure the Windows Active Response connector on each LEM Agent on
which you want to be able to use these active responses.
To configure the Windows Active Response connector on a LEM Agent:
1. Open your LEM Console and log in to your LEM Manager as an
administrator.
2. Click the Manage tab, and then select Nodes.
3. Locate the LEM Agent on which you want to enable the connector.
4. Click the gear icon to the left of the LEM Agent, and then select
Connectors.
5. Enter Windows Active Response in the Search box at the top of the Refine
Results pane.
6. Click the gear icon next to the connector, and then select New.

7. Enter a custom Alias for the new connector, or accept the default.
8. Click Save.
9. Click the gear icon next to the new connector, denoted by an icon in the
Status column, and then select Start.
10. Click Close to exit the Connector Configuration window.
Create or clone rules to perform the action:
1. When creating or cloning a rule, locate the action in the lower left part of the
Rule Creation screen.
2. Drag the action under the rule Actions.
3. Fill in the appropriate fields.
Additional Information
Deploy your LEM Agents and configure the Windows Active Response
connector based on where you want to perform these actions. To perform actions
at the domain level, deploy a LEM Agent to at least one domain controller. To
perform actions at the local level, deploy a LEM Agent to each computer you want
to be able to respond to.

Using the Detach USB Device Active Response

Use the Windows active response to detach a USB device from a LEM Agent
running USB Defender. This action is useful for allowing only specific devices to
be attached to your Windows computers or detaching any device exhibiting
suspicious behavior, and can be automated in a LEM rule, or executed manually
from the Respond menu in LEM Console > Node List.
Requirements
USB Defender is an option when the agent is originally installed. If not installed
at the time of agent install, re-install the agent with USB Defender. In addition to
USB Defender being installed on the agent, configure the Windows Active
Response tool on each LEM Agent on which you want to be able to use this
active response.
To verify that USB Defender has been installed on a LEM Agent:
1. Open your LEM Console and log in to your LEM Manager as an
administrator.
2. Click the Manage tab, and then select Nodes.
Notes:
- Check the icon in the USB column for your connected LEM Agents. A green icon indicates USB Defender is installed.
- If you have a long list of Nodes, filter your list using either the Node, OS, or USB menu on the Refine Results pane. USB Defender can only be installed on Windows Agents.
3. If USB Defender is not installed on one or more of your LEM Agents, reinstall the LEM Agent and ensure Install USB-Defender is selected after confirming the Manager Communication Settings.
To configure the Windows Active Response connector on a LEM Agent:
1. Open your LEM Console and log in to your LEM Manager as an
administrator.
2. Click the Manage tab, and then select Nodes.
3. Locate the LEM Agent on which you want to enable the connector.

4. Click the gear icon to the left of the LEM Agent, and then select
Connectors.
5. Enter Windows Active Response in the Search box at the top of the Refine
Results pane.
6. Click the gear icon next to the connector, and then select New.
7. Enter a custom Alias for the new connector, or accept the default.
8. Click Save.
9. Click the gear icon next to the new connector, denoted by an icon in the
Status column, and then select Start.
10. Click Close to exit the Connector Configuration window.
Detach USB Devices
By default, USB devices are audited, and the USB File Audit Activity filter displays those events. The filter is set to FileAuditAlerts.ProviderSID=*USB*. To monitor all USB device activity, create a filter for AnyAlert.ProviderSID=*USB*.
USB devices are not detached by default, so a rule must be configured to perform the detach. There are several templates available under Build > Rules (Rule Templates) that can be cloned and modified as needed.
Additional Information
You can also enforce USB Defender policy locally using the USB Defender Local
Policy Connector. For more information, see Configuring the USB Defender Local
Policy Connector.

Using the Disable Networking Active Response


Use the Disable Networking Active Response to disable networking on a LEM
Agent at the Windows Device Manager level. This action is useful for isolating
network infections and attacks, and can be automated in a LEM rule, or executed
manually from the Respond menu in the LEM Console.
Requirements
Configure the Windows Active Response connector on each LEM Agent on
which you want to be able to use this active response.
To configure the Windows Active Response connector on a LEM Agent:
1. Open your LEM Console and log in to your LEM Manager as an
administrator.
2. Click the Manage tab, and then select Nodes.
3. Locate the LEM Agent on which you want to enable the connector.
4. Click the gear icon to the left of the LEM Agent, and then select
Connectors.
5. Enter Windows Active Response in the Search box at the top of the Refine
Results pane.
6. Click the gear icon next to the connector, and then select New.
7. Enter a custom Alias for the new connector, or accept the default.
8. Click Save.
9. Click the gear icon next to the new connector, denoted by an icon in the
Status column, and then select Start.
10. Click Close to exit the Connector Configuration window.
Additional Information
Use caution with this active response, since it responds to the LEM Agent at the
Device Manager level. To avoid disabling networking unintentionally, consider
placing new rules with this action in Test mode until you are sure your
Correlations are configured appropriately.

To re-enable networking on a computer affected by this active response:
1. Log in to the computer locally with administrative privileges.
2. Open Device Manager in Control Panel > Administrative Tools >
Computer Management.
3. Expand the Network adapters group.
4. Select the network adapter and click Action > Enable.

Using the Kill Process Active Response

Use the Kill Process Active Response to end processes in Windows on your
LEM Agents. These actions are useful for stopping suspicious or unauthorized
processes, and can be automated in a LEM rule, or executed manually from the
Respond menu in the LEM Console.
Requirements
Configure the Windows Active Response connector on each LEM Agent on
which you want to be able to use these active responses.
To configure the Windows Active Response connector on a LEM Agent:
1. Open your LEM Console and log in to your LEM Manager as an
administrator.
2. Click the Manage tab, and then select Nodes.
3. Locate the LEM Agent on which you want to enable the connector.
4. Click the gear icon to the left of the LEM Agent, and then select
Connectors.
5. Enter Windows Active Response in the Search box at the top of the Refine
Results pane.
6. Click the gear icon next to the connector, and then select New.
7. Enter a custom Alias for the new connector or accept the default.
8. Click Save.
9. Click the gear icon next to the new connector, denoted by an icon in the
Status column, and then select Start.
10. Click Close to exit the Connector Configuration window.
Rule Configuration
Configure the rule as Kill Process by ID or Kill Process by Name. Determine
the type of event you want to trigger the rule on, which is typically an event like
ProcessAudit.
1. Open the LEM Console and select Build > Rules.
2. Select a rule template in the lower section of the window, or select an
existing rule, or click the + button at the top right to create a new rule.

3. If you are selecting Kill Process by ID, populate two fields under the rule
action:
a. Select the processAudit event from the category on the left, and drag
the DetectionIP field on the left to the Agent Action field.
b. Drag the Event field or Constant and drop into the Process ID field
under the rule action.
4. If you are selecting Kill Process by Name, populate three fields under the
rule action:
a. Select the processAudit event from the category on the left, and drag
the DetectionIP field on the left to the Agent Action field.
b. Drag the Event field or Constant and drop into the Process Name
field under the rule action.
c. Drag the Event field that displays the SourceAccount, and drop into
the Account Name field under the rule action.
5. Save the rule, and then click Activate Rules.
Additional Information
The Kill Process Active Response functions according to the value in the
ProcessID field of the corresponding LEM alert. Use Kill Process By ID when
the ProcessID value is a number, and use Kill Process By Name when the
ProcessID value is a name.
Note: When you create LEM rules that utilize these actions, consider using both
to account for variations in Windows logging.

Using the SolarWinds LEM Local Agent Installer Non-interactively

Use the following procedure to run the LEM Agent installer non-interactively in
software distribution policies or local logon scripts. This method is also an
alternative to the Remote Agent Installer in large deployment scenarios.
Requirements
The following files are required to install the LEM Agent non-interactively:
• The setup.* installer file for the operating system on which you are
  installing the LEM Agent. The file extension for the installer differs by OS.
• A custom installer.properties file that contains the settings for your
  environment.
Note: The remote agent installer does not work for this procedure. If you are
installing the agent on a system running Windows, use the local installer.
For more information about the requirements for installing and running the
SolarWinds LEM Agent, see Using the SolarWinds LEM Remote Agent Installer.
To obtain the setup.* file for the LEM Agent installer:
1. Download the installer from the SolarWinds Customer Portal:
a. Browse to
http://www.solarwinds.com/customerportal/LicenseManagement.aspx.
b. Log in with your SWID if necessary.
c. Find LEM in the product list, and then click Choose Download.
d. Find the appropriate installer on the list.
Note: The remote agent installer does not work for this procedure. If
you are installing the agent on a system running Windows, use the
local installer.
2. Extract the contents of the installer ZIP file to a local or network location.
3. Copy setup.* to a known location.

To prepare the installer.properties file, do one of the following:
1. Download and edit the installer.properties file attached to this article:
a. Open the file in a text editor.
b. Replace LEMManagerHostname with the hostname of your LEM
appliance.
c. If you are installing the LEM Agent on a Windows computer, but
you do not want to install USB Defender, replace the 1 next to
INSTALL_USB_DEFENDER with 0.
Note: Do not clear the blank line under this entry. It is necessary for
the file to work correctly.
d. Save the file in the same location where you saved the setup.* file.
e. If your text editor appended a TXT file extension, remove the file
extension, so the file name is installer.properties.
2. Create your own installer.properties file:
a. Open a text editor.
b. Enter MANAGER_IP=LEMManagerHostname, where LEMManagerHostname is
the hostname of your LEM appliance.
c. If you are installing the LEM Agent on a Windows computer and
you also want to install USB Defender, enter INSTALL_USB_DEFENDER=1 on
a new line, and then press Enter. This puts a carriage return after this
entry, which is necessary for the properties file to work correctly.
d. Save the file as installer.properties in the same location where
you saved the setup.* file.
e. If your text editor automatically saved your file with a TXT file
extension, remove the file extension, so the file name is literally
installer.properties.
Procedure
To run the LEM Agent installer non-interactively:
1. Save setup.* and installer.properties in the same folder.
Note: UNC paths should not be used during this installation.

2. Run the command setup -i silent with the working directory set to the
folder that contains the two installer files. The command immediately
returns to the command prompt.
Notes:
• For Windows, right-click the installer file and select Run as
  administrator. Linux requires a root user for the agent install.
• Append the file extension to the setup command in operating systems
  other than Windows. For example, use setup.bin -i silent for Linux
  installations.

The LEM Agent starts automatically and continues running until you uninstall or
manually stop it. It begins sending alerts to your LEM Manager immediately. For
LEM Agents on computers running Windows, the LEM Agent also appears in
Add/Remove Programs.
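The two files and the launch command described above, as an added example (not SolarWinds code): it renders installer.properties with the MANAGER_IP and INSTALL_USB_DEFENDER entries and the required newline after the last entry, validates an existing file for the mistakes the procedure warns about (a stray .txt extension, a missing trailing newline), and builds the silent install command. The installer file names setup.exe on Windows and setup.bin on Linux, the hostname lem.example.internal, and the function names are assumptions made for the example.

```python
"""Prepare the two files the LEM Agent local installer needs for a silent run
and build the command to launch it.

Added example; not SolarWinds code. It encodes the rules stated in this
appendix: the MANAGER_IP and INSTALL_USB_DEFENDER entries, the file name
installer.properties with no .txt extension, and the newline that must follow
the last entry. The installer file names setup.exe (Windows) and setup.bin
(Linux) are assumptions; other operating systems use their own extension.
"""
import os
import sys
import tempfile

def render_installer_properties(manager_host, install_usb_defender=True, windows=True):
    """Return the file contents. The text ends with a newline after the last
    entry, which the appendix says is required for the file to work."""
    if not manager_host or any(ch.isspace() for ch in manager_host):
        raise ValueError("manager_host must be a single hostname or IP address")
    lines = [f"MANAGER_IP={manager_host}"]
    if windows:  # USB Defender only exists for the Windows agent
        lines.append(f"INSTALL_USB_DEFENDER={1 if install_usb_defender else 0}")
    return "\n".join(lines) + "\n"

def stage_installer_files(folder, manager_host, windows=True, install_usb_defender=True):
    """Write installer.properties into the folder that already holds setup.*."""
    path = os.path.join(folder, "installer.properties")
    with open(path, "w", newline="\n") as fh:   # force LF line endings even on Windows
        fh.write(render_installer_properties(manager_host, install_usb_defender, windows))
    return path

def validate_properties_file(path):
    """Return a list of problems with an existing file (empty means OK)."""
    problems = []
    if os.path.basename(path) != "installer.properties":
        problems.append("file must be named exactly installer.properties (no .txt)")
    with open(path, "r") as fh:
        text = fh.read()
    entries = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
    if not entries.get("MANAGER_IP", "").strip():
        problems.append("MANAGER_IP entry is missing or empty")
    if entries.get("INSTALL_USB_DEFENDER", "1").strip() not in ("0", "1"):
        problems.append("INSTALL_USB_DEFENDER must be 0 or 1")
    if not text.endswith("\n"):
        problems.append("file must end with a newline after the last entry")
    return problems

def silent_install_command(platform=None):
    """Command to run from the folder containing both files (not a UNC path).
    Windows runs 'setup -i silent' from an elevated prompt; other operating
    systems append the installer's extension, e.g. setup.bin on Linux."""
    platform = platform or sys.platform
    if platform.startswith("win"):
        return ["setup", "-i", "silent"]
    return ["setup.bin", "-i", "silent"]   # assumption: .bin extension on Linux

def demo_roundtrip():
    """Write a correct file into a temporary folder and validate it, alongside
    a deliberately wrong copy (.txt extension, no trailing newline)."""
    folder = tempfile.mkdtemp()
    good = stage_installer_files(folder, "lem.example.internal")   # placeholder hostname
    bad = os.path.join(folder, "installer.properties.txt")
    with open(bad, "w") as fh:
        fh.write("MANAGER_IP=lem.example.internal")
    return validate_properties_file(good), validate_properties_file(bad)

if __name__ == "__main__":
    print(demo_roundtrip())
    print(" ".join(silent_install_command()))
```

Run the script on the machine that will hold the installer files; demo_roundtrip() reports no problems for the generated file and two for the mis-named copy, which is exactly the check worth making before pushing the files through a software distribution policy.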

Using the SolarWinds LEM Remote Agent Installer

The LEM Remote Agent Installer allows you to push SolarWinds Log & Event
Manager Agents to Microsoft Windows hosts across your network. The installer
unzips the installation files to a temporary folder of your choice, searches for
Windows systems across your network, and installs the LEM Agents, one at a
time, to the systems of your choice. The installed LEM Agents then automatically
start up and connect to your LEM Manager.
Installer Requirements
• A reboot is not required.
• XP SP3 Compatibility Mode is required when running the LEM Agent
  installer on a Windows Vista, Windows 7 or Windows Server 2008 system.
• A user account with privileges to write to Windows administrative shares
  such as C$ or D$.
Agent Hardware Specifications
Hardware     Requirement
RAM          64 MB
Disk Space   130 MB
Installation Folders
LEM Agents are installed to the following folders, according to the bitness of their
host operating systems:
Bitness   Installation Folder
32-bit    C:\Windows\system32\ContegoSPOP
64-bit    C:\Windows\sysWOW64\contegoSPOP
Antivirus Recommendations
• Set an exception in your antivirus or anti-malware scanning software for the
  ContegoSPOP folder where the LEM Agents will be installed. The alerts
  are kept in queue files, which change constantly as they are normalized and
  encrypted.
• Turn off any anti-malware or endpoint protection applications on host
  systems during the installation process, as they can affect the process by
  which installation files are transferred to the hosts.

Installing LEM Agents Across Your WAN

If you are installing LEM Agents on the far end of a WAN link, copy the Remote
Agent Installer executable to the end of the WAN link and run it there. This will
avoid using your WAN bandwidth to copy LEM Agents multiple times.
Running the LEM Agent Installer
To run the Remote Agent installer, complete the following procedure:
1. If you are a licensed LEM customer, download the installer from the
SolarWinds Customer Portal:
a. Browse to
http://www.solarwinds.com/customerportal/LicenseManagement.aspx.
b. Log in with your SWID if necessary.
c. Find LEM in the product list, and then click Choose Download.
d. Find the Remote Agent Installer on the list.
2. If you are an evaluation LEM customer, see Additional LEM downloads for
version 6.2 for the available LEM Agent installers.
3. Extract the contents of the installer ZIP file to the local hard drive (C:) of the
Windows computer attempting to run the installer.
4. Run inremagent.exe.
• If you are running the installer from Windows XP/2003 and are
  installing the agent on Windows XP/2003, it is not necessary to run as
  administrator.
• SolarWinds does not advise installing the agent on a Windows
  7/8/2008/2012 computer from a Windows XP/2003 computer.
• If you are installing version 6.1 or earlier versions of the agent on
  Windows 7/8 or 2008/2008 R2/2012, right-click the installer file and
  select Run as administrator.
• If you are installing version 6.1 or earlier versions of the agent on
  Windows 8.1 or 2012 R2, perform the following:
  a. Copy the local agent installer to the Windows computer hard
  drive.
  b. Right-click the installer file, select Compatibility > Run this
  program using Windows 7 compatibility > Run this program
  as an administrator and click OK.
  c. Double-click the installer file or right-click and select Run to
  launch the installer.
5. Click Next to start the installation wizard.
6. Accept the End User License Agreement and click Next.
7. Specify a temporary folder on your computer to use for the installation
process and click Next. The default is C:\SolarWindsLEMMultiInstall.
Note: This temporary folder will be automatically deleted after the
installation is complete.
8. Enter the hostname of your LEM Manager in the Manager Name field and
click Next. Do not change the default port values.
Note: Use the fully qualified domain name for your LEM Manager when
you deploy LEM Agents on a different domain. For example, enter
LEMhostname.SolarWinds.com.
9. Select Get hosts automatically or Get hosts from file (One host per line)
and click OK.
• Get hosts automatically uses a NetBIOS broadcast to identify hosts
  on the same subnet and domain as the computer running the installer.
• Get hosts from file (One host per line) prompts you to browse for a
  text file that includes the hosts on which you want to install LEM
  Agents. Use this option for any of the following reasons:
  • You are deploying LEM Agents to computers on a different
    subnet than that on which the computer running the installer
    resides. Your computer may be able to access these subnets,
    but their hosts will not be recognized by the NetBIOS broadcast
    used to get hosts automatically.
  • You are deploying LEM Agents to a small segment of a large
    network, which could make choosing them from a list time
    prohibitive.
  • You are deploying LEM Agents in a network with a complex
    naming scheme, which could make choosing hosts from a list
    time prohibitive.
  Note: The text file used for this option can contain hostnames,
  fully qualified domain names or IP addresses, each on its own
  line. If DNS names are used, the computer running the installer
  must be able to resolve them.
10. Select the checkboxes next to the computers on which you want to install a
LEM Agent.
11. Click Next.
12. Confirm the list provided is correct and click Next again.
13. Specify the Windows destination for the remote installation.
• The default paths are provided for all supported Windows systems.
  We strongly recommend using the default paths, as the LEM Agent
  may not be recognized as a service by Windows if it is not installed in
  a system folder.
• The installer is set to automatically detect host operating systems by
  default, but you can also specify an operating system if all of the target
  hosts are running the same one.
14. Click Next.
15. Specify whether or not you want to install USB-Defender with the LEM
Agent and click Next. The installer will include USB-Defender by default.
To omit this from the installation, clear the Install USB-Defender checkbox.
Note: We recommend installing USB-Defender on every system. USB-Defender
will never detach a USB device unless you have explicitly enabled a rule to do
so. By default, USB-Defender simply generates alerts for USB mass storage
devices attached to your LEM Agents.
16. Confirm the settings on the Pre-Installation Summary and click Install.
17. After the installer extracts the installation files to the temporary directory
defined for your computer in Step 7, click Next to proceed.
At this point, the installer will copy the extracted files to the installation directory
defined for the target hosts in Step 13, and notify you of any failures during the
process.
After it's installed, the Agent starts automatically on each host and the installer
removes the temporary installation directory from your computer.

When the agent starts, it communicates with the LEM on unsecured port 37890
to attempt to get a certificate. After obtaining the certificate, it starts
communicating with the LEM on secure port 37891 and/or port 37892.
If you encounter any issues with agent communications, SolarWinds suggests the
following:
• Disable the anti-virus.
• Disable the Windows firewall (on all three Windows profiles), or exclude
  ports 37890 through 37892 (on all three Windows profiles). If you are using a
  network firewall, the agent may need all seven firewall ports excluded:
  37890 through 37896.
• Re-install the agent. There is a remote agent un-installer, or you can remove
  the agent and delete the ContegoSPOP directory before the re-install.
• If agent communications use the LEM hostname, ensure that the agent can
  resolve the LEM host.
• In the command line, type telnet LEM-IP-hostname 37890, and then do the
  same for ports 37891-37892.
  Note: Telnet is a basic test and does not necessarily confirm
  communications on that port.
• Restart the agent service. If restarting does not resolve the issue, delete the
  c:\windows\syswow64\ContegoSPOP\spop\ sub-directory, and restart the
agent service.
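The host-list check from Step 9 of the Remote Agent Installer procedure and the port test from the troubleshooting list above, as an added example (not SolarWinds code): it validates a "one host per line" file (IP address or DNS name per line, names must resolve from the installing machine) and performs the telnet-style check as a TCP connect to ports 37890 through 37892. The sample host list, the "#" comment convention, and the loopback listener used by demo_local_check() are constructed for the example; the port numbers are the ones this appendix lists.

```python
"""Validate a 'one host per line' file like the one the Remote Agent Installer
reads (Step 9 above), then check TCP reachability of the agent ports on a
LEM Manager.

Added example; not SolarWinds code. The port check is the telnet test from the
troubleshooting list done from Python, and carries the same caveat: a
completed TCP handshake shows the port is open, not that the agent protocol
works over it. Port numbers are the ones this appendix lists; the host list
and the loopback listener in demo_local_check() are constructed.
"""
import ipaddress
import socket

AGENT_PORTS = (37890, 37891, 37892)                  # certificate fetch, then secure traffic
NETWORK_FIREWALL_PORTS = tuple(range(37890, 37897))  # 37890 through 37896

def parse_host_list(text):
    """Return (hosts, problems). Each non-blank line is one host, classified as
    an IP address or a DNS name; lines with spaces are rejected. Lines starting
    with '#' are treated as comments (an assumption, not an installer feature)."""
    hosts, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        if " " in entry:
            problems.append(f"line {lineno}: more than one host on a line: {entry!r}")
            continue
        try:
            ipaddress.ip_address(entry)
            hosts.append((entry, "ip"))
        except ValueError:
            hosts.append((entry, "name"))
    return hosts, problems

def unresolved_names(hosts, resolver=socket.gethostbyname):
    """DNS names the installing machine cannot resolve. A resolver returns an
    address, or returns None / raises OSError when it cannot resolve."""
    failed = []
    for entry, kind in hosts:
        if kind != "name":
            continue
        try:
            ok = resolver(entry) is not None
        except OSError:
            ok = False
        if not ok:
            failed.append(entry)
    return failed

def check_ports(host, ports=AGENT_PORTS, timeout=2.0):
    """TCP-connect to each port and report {port: reachable}."""
    results = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = True
        except OSError:
            results[port] = False
    return results

def demo_local_check():
    """Self-contained demonstration on 127.0.0.1: a throwaway listening socket
    stands in for an open LEM port and a port that was bound then released
    stands in for a blocked one. Returns {'open': bool, 'closed': bool}."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                     # nothing listens on closed_port any more
    try:
        results = check_ports("127.0.0.1", (open_port, closed_port), timeout=1.0)
    finally:
        listener.close()
    return {"open": results[open_port], "closed": results[closed_port]}

# Constructed sample of a hosts file for the Remote Agent Installer.
SAMPLE_HOST_LIST = """\
# constructed example: one host per line
ws-001.corp.example
10.20.30.40
fileserver01
bad entry here
"""

if __name__ == "__main__":
    hosts, problems = parse_host_list(SAMPLE_HOST_LIST)
    print(hosts, problems)
    print(demo_local_check())
```

Against a real LEM Manager you would call check_ports("LEM-IP-hostname") for the three agent ports, or check_ports(host, NETWORK_FIREWALL_PORTS) when a network firewall sits between agent and manager. A port reported as reachable still only proves the handshake; a certificate or agent-service problem shows up in the agent's own behaviour, not here.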

Using Time of Day Sets to Pinpoint Specific Time Frames in Filters and Rules

Create and modify Time of Day Sets in the Build > Groups view of the LEM
Console. Use Time of Day Sets in filters and rules to pinpoint specific time
frames, such as business hours, off hours, or specific shifts.
Your LEM Manager includes the following Time of Day Sets by default.
Name             Description
Business Hours   6:30 AM to 12:00 PM and 1:00 PM to 4:30 PM, Monday through Friday
Early Shift      3:30 AM to 1:30 PM, 7 days a week
Graveyard Shift  9:00 PM to 4:30 AM, 7 days a week
Late Shift       3:00 PM to 12:00 AM, 7 days a week
Normal Shift     7:30 AM to 5:30 PM, 7 days a week
Reboot Cycle     2:00 AM to 3:00 AM, Sunday only

To create a custom Time of Day Set:
1. Open your LEM Console and log in to your LEM Manager as an
administrator.
2. Click the Build tab, and then click Groups.
3. Click the Add button in the upper-right corner, and then click Time of Day
Set.
4. Enter a Name and Description for the new Group.
5. Select the check boxes for the half-hour increments you want to include in
your Time of Day Set.
6. Click Save.
To modify an existing Time of Day Set:
1. Open your LEM Console and log in to your LEM Manager as an
administrator.
2. Click the Build tab, and then click Groups.
3. Select Time of Day Set from the Type menu on the Refine Results pane,
and then locate the Group you want to modify.
4. If you want to modify a default Group, clone it first by clicking the gear
icon next to it, and then click Clone.
5. Click the gear icon next to the Group you want to modify, and then click
Edit.
6. Edit the Name and Description if necessary.
7. Select the check boxes for the half-hour increments you want to include in
your Time of Day Set.
8. Clear the check boxes for the half-hour increments you do not want to
include in your Time of Day Set.
9. Click Save.

To use a Time of Day Set in a filter or rule:
1. Locate the Alert or Alert Group you want to use in your filter or rule, and
then click it.
2. From the Fields list, locate DetectionTime and drag it into the conditions
area.
3. Click Time of Day Sets on the Components pane.
4. Locate the Time of Day Set you want to use and drag it into the conditions
area to replace the Text Constant field, which is denoted by a pencil icon.
5. If you want to see everything outside of the selected period, click the
operator between the field and your Time of Day Set in the conditions area.
The operator changes to Does Not Contain.
6. If you are finished creating or editing your filter or rule, click Save.
7. If you modified a rule, click Activate Rules on the main Rules view.
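A model of the Time of Day Set check boxes and of the DetectionTime condition described above, as an added example (not SolarWinds code). The six default sets are encoded from the table in this section; the half-hour grid, the Monday=0 day numbering, and the way a range ending at 12:00 AM or crossing midnight maps onto check boxes are assumptions about the console's behaviour, as are the function and class names.

```python
"""Model LEM Time of Day Sets as the half-hour check boxes per weekday that the
Build > Groups editor shows, and test whether a DetectionTime falls in one.

Added example; not SolarWinds code. The six default sets are encoded from the
table above. The half-hour grid, Monday=0 day numbering and the treatment of
ranges that end at 12:00 AM or cross midnight are assumptions about how the
console's check boxes map to clock times.
"""
from datetime import datetime, time

ALL_DAYS = range(7)      # Monday=0 ... Sunday=6, matching datetime.weekday()
WEEKDAYS = range(5)
SLOTS_PER_DAY = 48       # one check box per half hour

def slot_of(t):
    """Half-hour check box index for a clock time: 00:00 -> 0, 12:30 -> 25."""
    return t.hour * 2 + (1 if t.minute >= 30 else 0)

class TimeOfDaySet:
    def __init__(self, name):
        self.name = name
        self.boxes = {day: set() for day in ALL_DAYS}

    def add_range(self, start, end, days=ALL_DAYS):
        """Tick the boxes from start up to, but not including, end, on each
        listed day. An end of 12:00 AM means 'to the end of the day'; a range
        that crosses midnight (9:00 PM to 4:30 AM) is split into an evening
        piece and a morning piece, both applied to the listed days."""
        start_slot = slot_of(start)
        end_slot = SLOTS_PER_DAY if end == time(0, 0) else slot_of(end)
        if start_slot < end_slot:
            pieces = [(start_slot, end_slot)]
        else:
            pieces = [(start_slot, SLOTS_PER_DAY), (0, end_slot)]
        for day in days:
            for lo, hi in pieces:
                self.boxes[day].update(range(lo, hi))
        return self

    def contains(self, when):
        return slot_of(when.time()) in self.boxes[when.weekday()]

def default_sets():
    """The six Time of Day Sets the LEM Manager ships with (table above)."""
    return {
        "Business Hours": TimeOfDaySet("Business Hours")
            .add_range(time(6, 30), time(12, 0), WEEKDAYS)
            .add_range(time(13, 0), time(16, 30), WEEKDAYS),
        "Early Shift": TimeOfDaySet("Early Shift").add_range(time(3, 30), time(13, 30)),
        "Graveyard Shift": TimeOfDaySet("Graveyard Shift").add_range(time(21, 0), time(4, 30)),
        "Late Shift": TimeOfDaySet("Late Shift").add_range(time(15, 0), time(0, 0)),
        "Normal Shift": TimeOfDaySet("Normal Shift").add_range(time(7, 30), time(17, 30)),
        "Reboot Cycle": TimeOfDaySet("Reboot Cycle").add_range(time(2, 0), time(3, 0), [6]),
    }

def in_time_of_day_set(detection_time, tod_set, negate=False):
    """The rule condition 'DetectionTime Contains <set>'; negate=True is the
    'Does Not Contain' operator the console switches to when you click it."""
    hit = tod_set.contains(detection_time)
    return not hit if negate else hit

def check(set_name, when_iso, negate=False):
    """Convenience wrapper: evaluate a default set against an ISO timestamp."""
    return in_time_of_day_set(datetime.fromisoformat(when_iso), default_sets()[set_name], negate)

if __name__ == "__main__":
    for name in default_sets():
        print(f"{name:16} contains 2015-09-01T10:00? {check(name, '2015-09-01T10:00')}")
```

The lunch gap in Business Hours (12:00 PM to 1:00 PM) and the midnight wrap in Graveyard Shift are where a hand-written time comparison usually goes wrong; modelling the set as ticked half-hour boxes, the way the editor presents it, makes both cases fall out naturally.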

Using the User-based Active Response

Use the following User-based Active Responses to perform Windows-based
actions related to users, groups, and domains on your LEM Agents. These
actions are useful to respond to unauthorized change management activity and
automate user-related maintenance. They can be automated in a LEM rule, or
executed manually from the Respond menu in the LEM Console.
• Add Domain User To Group
• Add Local User To Group
• Create User Account
• Create User Group
• Delete User Account
• Delete User Group
• Disable Domain User Account
• Disable Local User Account
• Enable Domain User Account
• Enable Local User Account
• Log Off User
• Remove Domain User From Group
• Remove Local User From Group
• Reset User Account Password
Requirements
Configure the Windows Active Response connector on each LEM Agent on
which you want to be able to use these active responses.
To configure the Windows Active Response connector on a LEM Agent:
1. Open your LEM Console and log in to your LEM Manager as an
administrator.
2. Click the Manage tab, and then select Nodes.
3. Locate the LEM Agent on which you want to enable the connector.

4. Click the gear icon to the left of the LEM Agent, and then select
Connectors.
5. Enter Windows Active Response in the Search box at the top of the Refine
Results pane.
6. Click the gear icon next to the connector, and then select New.
7. Enter a custom Alias for the new connector, or accept the default.
8. Click Save.
9. Click the gear icon next to the new connector, denoted by an icon in the
Status column, and then select Start.
10. Click Close to exit the Connector Configuration window.
Additional Information
Deploy your LEM Agents and configure the Windows Active Response
connector based on where you want to perform these actions. To perform actions
at the domain level, deploy a LEM Agent to at least one domain controller. To
perform actions at the local level, deploy a LEM Agent to each computer you want
to be able to respond to.

Viewing All Traffic from a Specific Device in the LEM Console

Every device configured to send log data to the SolarWinds LEM uses a field
called Tool Alias. Use this field in filters, rules and searches to monitor a
specific type of traffic from a specific network device. You can also use the
DetectionIP field to monitor any kind of data from a specific device. For example,
AnyAlert.DetectionIP=10.1.1.1.
To create a filter for traffic from a specific device:
Note: Use the same principles to create rules and searches with a similar
purpose.
1. Navigate to the Monitor view in your LEM Console.
2. Click the gear icon on the Filters pane, and select New Filter.
3. Select the Events or Event Group you want to use in your filter. For
example:
• If you want to see all traffic from your device, select Any Alert from
  the Event Groups list.
• If you want to see all network traffic from your device, select
  Network Audit Alerts from the Event Groups list.
• If you want to see only Web traffic from your device, select
  WebTrafficAudit from the Events list.
4. In the Fields list under where you just made your selection, locate
ToolAlias and drag it into the Conditions box.
5. In the text constant field, enter the Tool Alias related to the device you
want to track. Use asterisks (*) as wildcard characters to avoid having to
enter the entire value.
For example: The default Firewall filter uses similar logic. Its Conditions
read, Any Alert.ToolAlias = *firewall*. This assumes that the firewall
connector was configured with a ToolAlias that has firewall in the name.
6. Click Save.
7. If your filter doesn't work as expected, verify that the Tool Alias value
you used matches the Tool Alias for your device.
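The filter conditions quoted in this section (AnyAlert.ToolAlias=*firewall*, AnyAlert.DetectionIP=10.1.1.1) and in the USB Defender section earlier in this appendix (FileAuditAlerts.ProviderSID=*USB*, AnyAlert.ProviderSID=*USB*) follow one pattern: an event group or event type, a field, and a value in which * is a wildcard. The evaluator below is an added example, not SolarWinds code, that applies such conditions to alert records; the sample alerts, the event-group membership table, the USBDeviceAttached event type and the "!=" spelling of Does Not Contain are assumptions constructed for the example.

```python
"""Evaluate LEM-style filter conditions (Group.Field=pattern) against alerts.

Added example; not SolarWinds code. Alert records, the event-group membership
table and the '*' wildcard semantics are assumptions modelled on the
conditions quoted in this appendix (FileAuditAlerts.ProviderSID=*USB*,
AnyAlert.ToolAlias=*firewall*, AnyAlert.DetectionIP=10.1.1.1).
"""
import re
from dataclasses import dataclass, field

# Event groups as the console presents them: AnyAlert matches every event
# type; the others match a subset. Membership here is constructed for the
# example and is not the product's real group definition.
EVENT_GROUPS = {
    "AnyAlert": None,  # None stands for "every event type"
    "FileAuditAlerts": {"FileAudit", "FileCreate", "FileDelete", "FileWrite"},
    "NetworkAuditAlerts": {"TCPTrafficAudit", "UDPTrafficAudit", "WebTrafficAudit"},
}

@dataclass
class Alert:
    event_type: str
    fields: dict = field(default_factory=dict)

@dataclass
class Condition:
    group: str        # event group or single event type, e.g. AnyAlert
    field_name: str   # e.g. ToolAlias, ProviderSID, DetectionIP
    pattern: str      # literal value, or a value with '*' wildcards
    negate: bool      # True models the console's "Does Not Contain" operator

# "Any Alert.ToolAlias = *firewall*" and "AnyAlert.ToolAlias=*firewall*" both
# parse; '!=' is used here for Does Not Contain.
CONDITION_RE = re.compile(r"^\s*([A-Za-z ]+?)\s*\.\s*([A-Za-z]+)\s*(!?=)\s*(.+?)\s*$")

def parse_condition(text):
    m = CONDITION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable condition: {text!r}")
    group, fld, op, pattern = m.groups()
    return Condition(group.replace(" ", ""), fld, pattern, negate=(op == "!="))

def wildcard_to_regex(pattern):
    """Only '*' is a wildcard; everything else (including '.') is literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$",
                      re.IGNORECASE)

def event_in_group(event_type, group):
    if group in EVENT_GROUPS:
        members = EVENT_GROUPS[group]
        return members is None or event_type in members
    return event_type == group  # a single event type such as WebTrafficAudit

def matches(alert, cond):
    """True when the alert's event type is in the group and the field matches."""
    if not event_in_group(alert.event_type, cond.group):
        return False
    value = str(alert.fields.get(cond.field_name, ""))
    hit = wildcard_to_regex(cond.pattern).match(value) is not None
    return not hit if cond.negate else hit

def apply_filter(alerts, condition_text):
    cond = parse_condition(condition_text)
    return [a for a in alerts if matches(a, cond)]

# Constructed sample alerts standing in for a LEM Manager's event stream.
SAMPLE_ALERTS = [
    Alert("FileWrite", {"ProviderSID": "USB Defender", "DetectionIP": "10.1.1.5",
                        "ToolAlias": "Windows Agent"}),
    Alert("USBDeviceAttached", {"ProviderSID": "USBDefender", "DetectionIP": "10.1.1.5",
                                "ToolAlias": "Windows Agent"}),
    Alert("TCPTrafficAudit", {"DetectionIP": "10.1.1.1", "ToolAlias": "Cisco ASA Firewall"}),
    Alert("WebTrafficAudit", {"DetectionIP": "10.1.1.1", "ToolAlias": "Cisco ASA Firewall"}),
    Alert("Logon", {"DetectionIP": "10.1.1.7", "ToolAlias": "Windows Agent"}),
]

if __name__ == "__main__":
    for text in ("FileAuditAlerts.ProviderSID=*USB*", "AnyAlert.ProviderSID=*USB*",
                 "Any Alert.ToolAlias = *firewall*", "AnyAlert.DetectionIP=10.1.1.1"):
        print(text, "->", [a.event_type for a in apply_filter(SAMPLE_ALERTS, text)])
```

The two USB conditions illustrate the point the USB Defender section makes: FileAuditAlerts.ProviderSID=*USB* only sees file-audit events, while AnyAlert.ProviderSID=*USB* also catches the device-attach event. The firewall condition matches only because the connector's alias contains the word firewall, which is the check Step 7 above tells you to make when a filter stays empty.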

To verify the ToolAlias value associated with a LEM Connector:
Note: The following procedure applies to devices that are set to log to your LEM
Manager. Use a similar procedure to verify Agent connectors when appropriate,
only perform it on the LEM Agent associated with the connector instead.
1. Navigate to the Manage > Appliances view in your LEM Console.
2. Click the gear button next to your LEM Manager, and then select
Connectors.
3. Check the Configured box on the Refine Results pane.
4. Select the instance of the connector you want to verify.
Note: Configured tool instances are the ones with an icon in the Status
column.
5. Verify the value in the Alias field in the bottom pane.
6. If you want to change the Tool Alias:
a. Click the gear button next to the Connector, and then select Stop.
b. Click the gear button next to the Connector, and then select Edit.
c. Edit the value in the Alias field in the bottom pane.
d. Click Save.
e. Click the gear button next to the Connector, and then select Start.
7. Click Close.

Windows Audit Policy and best practice

Windows Audit Policy determines how much data the Windows Security Logs on
domain controllers and other computers in the domain record. The amount of
data is known as verbosity.
See Microsoft's TechNet knowledge base for details on Windows Audit Policy
definitions. The settings recommended below have been found to be most
effective from both a best practice and compliance standpoint and are based on
customer experience and recommendations from Microsoft.
Requirements
Setting Windows Audit Policy for use with the LEM requires the following.
• Windows Server 2003 or higher
• Permissions to change Windows Audit Policy at the domain controller and
  domain level
• An installation of the SolarWinds LEM

Windows Audit Policy Definitions
The following information has been adapted from information available on
Microsoft's TechNet knowledge base. Query relevant articles on TechNet by
searching for audit policy best practice.
Audit account logon events
Logon events represent instances of users logging on to or logging off from
a computer that is logging those events. Account logon events are
specifically related to domain logon events and are logged in the security
log for the related domain controller.
Audit account management
Account management events are the change management events on a
computer. These events include all changes made to users, groups and
machines.

Audit logon events
Logon events represent instances of users logging on to or logging off from
a computer that is logging those events. Events in this category are logged
in the security log of the local computer onto which the user is logging, even
when the user is actually logging onto the domain using their local
computer.
Audit object access
Object access events track users accessing objects that have their own
system access control lists. Such objects include files, folders and printers.
Audit policy change
Policy change events represent instances in which local or group policy is
changed. These changes include changes to user rights assignments, audit
policies and trust policies.
Audit privilege use
Privilege use events track users accessing objects based on their level of
privilege to do so. Such objects include files, folders and printers, or any
object that has its own system access control list defined.
Audit process tracking
Process tracking logs all instances of process, service and program starts
and stops. This can be useful to track both wanted and unwanted processes
such as AV services and malicious programs, respectively.
Audit system events
System events include start up and shut down events on the computer logging
them, along with events that affect the system's security. These are operating
system events and are only logged locally.
Windows Audit Policy Best Practice
Windows Audit Policy is defined locally for each computer, but we recommend
using Group Policy to manage the Audit Policy at both the domain controller and
domain levels.

To set Windows Audit Policy using Group Policy Object Editor:
For Windows 7/8/2008/2012 (Sub-Category-Level Auditing):
1. Expand Computer Configuration > Windows Settings > Security
Settings > Local Policies > Security Options > Audit > Force Audit
Policy Subcategory Settings and select enabled.
2. Change or set the policies in Computer Configuration > Windows
Settings > Security Settings > Advanced Audit Policy Configuration >
Audit Policies.
Note: When you enable Force Audit Policy Subcategory Settings, subcategory-level
auditing is enabled and category-level auditing is disabled.
Default Domain Controllers Policy
Select Success and Failure for all policies except:
• Audit object access
• Audit privilege use
For these, select only Failure.

Default Domain Policy
Default Domain Policy applies to all computers on your domain except your
domain controllers.
For this policy, select Success and Failure for the following:
• Audit account logon events
• Audit account management
• Audit logon events
• Audit policy change
• Audit system events
You may also select Success and Failure for Audit process tracking to monitor
critical processes such as the AV service or unauthorized programs such as
games or malicious executable files.
Note: Enabling auditing at the level of Audit process tracking will significantly
increase the number of events in the system logs. Therefore, your LEM database
will grow more quickly as it collects these logs. Similarly, there could be
bandwidth implications as well. This is dependent upon your network's traffic
volume and bandwidth capacity. Since agent traffic is transmitted to the manager
as a real-time trickle of data, bandwidth impact is typically minimal.
SolarWinds recommends meeting PCI Auditing. However, this may be applicable
to other auditing as well. For more information, refer to PCI DSS Compliance
Made Easy with SolarWinds LEM.
Category / Subcategory                    Setting
System
  Security System Extension               No Auditing
  System Integrity                        Success and Failure
  IPsec Driver                            No Auditing
  Other System Events                     No Auditing
  Security State Change                   Success and Failure
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success and Failure
  Account Lockout                         Success and Failure
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           Success and Failure
  Other Logon/Logoff Events               Success and Failure
  Network Policy Server                   No Auditing
Object Access
  File System                             Success and Failure
  Registry                                Success and Failure
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              Success and Failure
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing
Privilege Use
  Sensitive Privilege Use                 Failure
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
Detailed Tracking
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
  Process Creation                        No Auditing
Policy Change
  Audit Policy Change                     Success and Failure
  Authentication Policy Change            Success and Failure
  Authorization Policy Change             Success and Failure
  MPSSVC Rule-Level Policy Change         No Auditing
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              Success and Failure
Account Management
  User Account Management                 Success and Failure
  Computer Account Management             Success and Failure
  Security Group Management               Success and Failure
  Distribution Group Management           Success and Failure
  Application Group Management            Success and Failure
  Other Account Management Events         Success and Failure
DS Access
  Directory Service Changes               No Auditing
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
  Directory Service Access                Failure
Account Logon
  Kerberos Service Ticket Operations      Success and Failure
  Other Account Logon Events              Success and Failure
  Kerberos Authentication Service         Success and Failure
  Credential Validation                   Success and Failure

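A way to verify that a host actually received the subcategory settings in the table above, as an added example (not SolarWinds code): the recommended settings are copied from the table (every subcategory not listed in RECOMMENDED is "No Auditing" there), the effective policy is read from the CSV output of auditpol /get /category:* /r, and the differences are reported together with the auditpol /set lines that would close them. Group Policy remains the way the section says to apply the settings; auditpol is used here only to read back what is in effect on a machine. The CSV column layout, the placeholder GUIDs and the sample output are assumptions constructed for the example.

```python
"""Compare a machine's effective audit policy with the subcategory settings
recommended in the table above and emit auditpol commands for the differences.

Added example; not SolarWinds code. The recommended settings are copied from
the table; auditing is applied through Group Policy as the section says, and
auditpol is used here only to read the effective policy. The CSV layout
(from 'auditpol /get /category:* /r') and the sample output are assumptions
constructed for the example.
"""
import csv
import io

# Subcategories the table sets to something other than No Auditing. Every
# other subcategory in the table is No Auditing, so it is the default here.
RECOMMENDED = {
    "System Integrity": "Success and Failure",
    "Security State Change": "Success and Failure",
    "Logon": "Success and Failure",
    "Logoff": "Success and Failure",
    "Account Lockout": "Success and Failure",
    "Special Logon": "Success and Failure",
    "Other Logon/Logoff Events": "Success and Failure",
    "File System": "Success and Failure",
    "Registry": "Success and Failure",
    "File Share": "Success and Failure",
    "Sensitive Privilege Use": "Failure",
    "Audit Policy Change": "Success and Failure",
    "Authentication Policy Change": "Success and Failure",
    "Authorization Policy Change": "Success and Failure",
    "Other Policy Change Events": "Success and Failure",
    "User Account Management": "Success and Failure",
    "Computer Account Management": "Success and Failure",
    "Security Group Management": "Success and Failure",
    "Distribution Group Management": "Success and Failure",
    "Application Group Management": "Success and Failure",
    "Other Account Management Events": "Success and Failure",
    "Directory Service Access": "Failure",
    "Kerberos Service Ticket Operations": "Success and Failure",
    "Other Account Logon Events": "Success and Failure",
    "Kerberos Authentication Service": "Success and Failure",
    "Credential Validation": "Success and Failure",
}

def parse_auditpol_csv(text):
    """Parse 'auditpol /get /category:* /r' output into {subcategory: setting}."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["Subcategory"].strip(): row["Inclusion Setting"].strip() for row in reader}

def find_drift(effective, recommended=RECOMMENDED):
    """Subcategories whose effective setting differs from the recommendation.
    Returns {subcategory: (effective, recommended)}."""
    drift = {}
    for sub, current in effective.items():
        wanted = recommended.get(sub, "No Auditing")
        if current != wanted:
            drift[sub] = (current, wanted)
    for sub, wanted in recommended.items():      # recommended but absent from the output
        if sub not in effective:
            drift[sub] = ("<not reported>", wanted)
    return drift

def auditpol_command(subcategory, setting):
    """The auditpol /set line that would produce the recommended setting."""
    success = "enable" if "Success" in setting else "disable"
    failure = "enable" if "Failure" in setting else "disable"
    return f'auditpol /set /subcategory:"{subcategory}" /success:{success} /failure:{failure}'

def remediation_commands(drift):
    return [auditpol_command(sub, wanted) for sub, (_, wanted) in sorted(drift.items())]

# Constructed sample of auditpol CSV output from a host that has not yet
# received the recommended policy (not captured from a real system; the GUID
# column holds placeholders).
SAMPLE_AUDITPOL_CSV = """\
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
WS01,System,Logon,{placeholder-guid},Success,
WS01,System,Logoff,{placeholder-guid},Success and Failure,
WS01,System,Sensitive Privilege Use,{placeholder-guid},No Auditing,
WS01,System,Process Creation,{placeholder-guid},Success,
WS01,System,Credential Validation,{placeholder-guid},Success and Failure,
"""

if __name__ == "__main__":
    drift = find_drift(parse_auditpol_csv(SAMPLE_AUDITPOL_CSV))
    for sub, (current, wanted) in sorted(drift.items()):
        print(f"{sub}: is {current!r}, recommended {wanted!r}")
    print("\n".join(remediation_commands(drift)))
```

On a domain member the CSV is produced by running auditpol /get /category:* /r from an elevated prompt and saving the output; feeding it to find_drift() shows both settings that differ and subcategories the host did not report at all, which is how a Group Policy that never applied shows up.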