Hi, I enabled the PortScans Rule and it's firing, but when I enable another one, like the Attach USB Device rule, it shows in the monitor but the rule can't fire.
Please help me with this.
This KB might help you troubleshoot: SolarWinds Knowledge Base :: Troubleshooting LEM Rules and Email Responses
Also make sure the 'Activate Rules' (Build > Rules) button has been clicked after you created your new Rules.
Hi,
Thanks for your help. I did all the configuration and checked the link as well, but after that I can see the LEM Internal Events.
But the rules are still not firing.
Please advise me.
Event Name EventInfo InsertionIP Manager DetectionIP InsertionTime DetectionTime Severity ToolAlias InferenceRule ProviderSID ExtraneousInfo
InternalAuditSuccess admin - View User swi-lem swi-lem 192.168.0.123 5:18:31 Wed Nov 25 2015 5:18:31 Wed Nov 25 2015 2 auditing yXE07428l7cKXEXDwGiS6UEAF0k=
Is the Activate Rules button grayed out?
The only other common reason why rules don't fire is because the LEM Manager time is not synchronized. So, the event timestamps would fall outside the 'Response window' of your rule definition, and hence wouldn't fire.
You can infer time mismatch issues from the timestamps of the internal audit events that you see under the LEM Internal Events filter and the events for which you are trying to correlate.
When you connect a USB Device to one of the LEM agent nodes - can you see that event within the LEM Console?
The event should appear in the Monitor section under IT Operations > System Events:
If the event is not appearing - that would be the cause of the rule not triggering & it could be an issue with the USB Defender.
Hi,
When I connect a USB Device to one of the LEM agent nodes, I see that event within the LEM Console.
But I don't see the email event or the rule firing, and I have not received any email.
Is the timezone and date/time correct?
If not, use TZCONFIG in that context to fix the time zone, or use DATECONFIG to fix the time.
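The time-synchronization checks suggested in the replies above (comparing event timestamps against the rule's Response window, then correcting time zone or clock) can be done on exported event rows as follows. This is an added example, not code from the thread or from SolarWinds. It assumes the timestamp layout shown in the LEM Internal Events row quoted earlier, treats InsertionTime as the Manager's clock, and uses a constructed 5-minute Response window and constructed sample rows.

```python
from datetime import datetime, timedelta

# Timestamp layout as it appears in the internal event row quoted in the thread.
TS_FORMAT = "%H:%M:%S %a %b %d %Y"

def parse_ts(text):
    """Parse a console timestamp such as '5:18:31 Wed Nov 25 2015'."""
    return datetime.strptime(text, TS_FORMAT)

def check_event(name, detection, insertion, response_window):
    """Return (name, skew_seconds, in_window).

    skew = InsertionTime - DetectionTime. Assumption: the Manager stamps
    InsertionTime with its own clock, so a large skew in either direction
    means the agent and Manager clocks (or time zones) disagree.
    """
    skew = parse_ts(insertion) - parse_ts(detection)
    in_window = abs(skew) <= response_window
    return name, int(skew.total_seconds()), in_window

def triage(events, response_window):
    """Check every (name, DetectionTime, InsertionTime) row against the window."""
    return [check_event(n, d, i, response_window) for n, d, i in events]

# Constructed sample rows: (event name, DetectionTime, InsertionTime).
SAMPLE_EVENTS = [
    # Internal audit event generated on the Manager itself: no skew.
    ("InternalAuditSuccess", "5:18:31 Wed Nov 25 2015", "5:18:31 Wed Nov 25 2015"),
    # Hypothetical USB attach event from an agent whose clock runs behind.
    ("usb-attach-agentA", "4:02:10 Wed Nov 25 2015", "5:19:02 Wed Nov 25 2015"),
    # Hypothetical USB attach event from an agent whose clock runs ahead.
    ("usb-attach-agentB", "5:40:00 Wed Nov 25 2015", "5:19:30 Wed Nov 25 2015"),
]

# Constructed value; use the Response window set in your own rule definition.
RESPONSE_WINDOW = timedelta(minutes=5)

if __name__ == "__main__":
    for name, skew, ok in triage(SAMPLE_EVENTS, RESPONSE_WINDOW):
        verdict = "inside window" if ok else "OUTSIDE window, rule would not fire"
        print(f"{name:22} skew={skew:+6d}s  {verdict}")
```

A skew close to a whole number of hours usually points at a time zone setting rather than clock drift.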
Could you send me a screenshot of the rules you created to catch user modifications/updates/adds?
I am having a terrible time getting my filters/rules to catch any user modifications/updates/adds within AD.
Thank you in advance!