What are “Rules” in Log & Event Manager?

 

Rules, in SolarWinds Log & Event Manager (LEM), are customizable event correlation algorithms that correlate events sent by LEM Agents and remote logging devices. Whether you are monitoring the LEM console or not, LEM rules track events in real time allowing you to

  • Correlate multiple events from different sources
  • Automatically trigger alerts or email notifications
  • Respond to security events in real time

 

When a single event or a series of events meet a rule's correlation conditions, the rule automatically prompts the LEM Manager to take action, such as notifying the appropriate users, or performing an active response (blocking the IP address or stopping a particular process). LEM rules offer the ability to use simple and advanced thresholds such as time/frequency and same/distinct to add complexity and significantly reduce false positives.

 

 

Correlation Rule Builder

 

SolarWinds LEM has a built-in Rule Builder that employs an intuitive graphical interface with easy-to-use techniques such as drag and drop options, an icon-based tool panel, and a graphical object selection panel to:

  • Build new rules easily
  • Clone existing rules
  • Customize and edit existing rules

 

The rule builder interface incorporates familiar easy-to-use techniques such as drag and drop, an icon-based tool panel, and a graphical object selection panel. To further help rule creation, there are additional events and fields on the left-side of the rule builder window that you can to add to the correlation rule. The rule builder uses a logical ‘AND’ or ‘OR’ Boolean logic for rule creation.

 

In addition to the ease with which new rules can be created, SolarWinds LEM offers more than 700 pre-built correlation rules that cover critical network infrastructure, change management and network security functions.

LEM1.png

 

LEM2.png LEM3.png

 

Rule Categories & Tags (New in version 5.6)

 

LEM rules are organized into pre-built categories to better pinpoint use cases like security, IT operations, compliance and change management. There are also sub-categories under each of the categories these to display rules for specific uses.

 

SolarWinds LEM also allows you to add tags to categorize a rule to make rule search easier. Tagging the rule will associate it with existing rule categories or you can also create a custom categories for new rule that will be displayed the Rule Categories menu. The rules “tagging” feature makes it much easier to pinpoint rules that meet specific needs like compliance, security etc.

 

 

Download SolarWinds Log & Event Manager today and easily build correlation rules to alert on and respond to security events happening in your network and enhance IT security.

 

Watch this short video to learn how to easily create and customize correlation rules using SolarWinds LEM.

 

 

Read this blog to understand how LEM performs even log correlation.