10 Replies Latest reply on Nov 1, 2012 12:57 PM by dann

    Filters For LEM (is there a list somewhere?)

    dann

      Good Afternoon,

      I am searching for Filters For LEM.

      I am looking at creating filters for our VMware ESXi servers. I get a lot of great data and it is easier to look in LEM than in Notepad. But is there a list of popular filters somewhere? I would also like a list of AD filters (but there are already a few built in to LEM). I would like to alert 24 hr for critical errors and alert during office hours for everything else. Even just a shove in the right direction to look would help a lot.

      Thanks,

      Dan

        • Re: Filters For LEM (is there a list somewhere?)
          nicole pauls

          Hey Dan,

          For looking at stuff in a device or app-centric view, you could create a filter for the IP and see everything, or for the app based on the connector. Filters let you monitor the data in real-time in the console, so you can see it as it comes in. Something like:

          Any Alert.DetectionIP = <ip of ESX server>

          will show anything from that IP (if you've got more than one, use an OR). Or,

          Any Alert.ToolAlias = *ESX*

          will show anything that matches the connector named with "ESX" in it (all the default names have ESX in them, so unless you tweaked them, that should work).

          Then, what you'd want to do would be to identify any events that you think are worth notifying you on and create rules specifically for them. In filters you can do basic stuff like popup notifications and sounds that play as long as the console's running; with rules you can configure notifications, responses, etc.

          As far as AD goes, there are some filters already, like "Change Management" and "Logon Failures", that show you some of this activity in real-time. With rules, there's a lot of stuff in the NATO5 library under Authentication and Change Management > Active Directory-related that is specific to AD. With the library rules, you'll want to clone a copy into your Custom Rules (gear > clone) then tweak them if necessary (to email the right people or have the right action).

          If there's anything specific you're looking for, let us know and we can help.

            • Re: Filters For LEM (is there a list somewhere?)
              dann

              Like I stated in my post.

              I like the detailed view and I really think that the browse of data helps a lot.

              Oh, because I have several ESXi servers, I use ESX as a filter to get everything about all the ESX servers.

              BUT….

              What I really wanted is a list of rules, on ESXi servers, to alert on.

              Filters to find errors or alerts that are critical for the VM environment. Because I have not yet received any of them (and I hope never to receive any) I can't just copy them to build my filter.

              Thanks,

              Dan

                • Re: Filters For LEM (is there a list somewhere?)
                  nicole pauls

                  I had a feeling that's where you were going, let me see what I can find from our connectors team.

                    • Re: Filters For LEM (is there a list somewhere?)
                      dann

                      Did the connector team have a response? Do you have any other ideas of where to search?

                        • Re: Filters For LEM (is there a list somewhere?)
                          nicole pauls

                          They did, I'll collect it up and post some thoughts.

                            • Re: Filters For LEM (is there a list somewhere?)
                              nicole pauls

                              Broken down by type of event to look for...

                              The ESX/ESXi host integration generates these types of events:

                              • Traffic to/from the host - TCP Traffic, Web Traffic, Configuration Traffic (usually stuff like DHCP requests/responses)
                              • Network connections configured on the host - LAN Connection
                              • File access on the host - File Audit, Read, Write, Data Read/Write, Move, Link, File System Audit
                              • System shutdown/reboot/status information - System Shutdown, System Reboot, System Status
                              • Updates - Software Update
                              • Authentication - User Auth, User Logon, Guest Login, User Logon Failure, Machine Logon Failure, Group Audit

                              ESX messages generate these types of events:

                              • Traffic to/from the host - TCP Traffic, Web Traffic, Configuration Traffic, File Transfer Traffic, Remote Console Access
                              • File/filesystem access on the host - File Audit, Read, Write, Data Read/Write, Move, Link, Unmount Filesystem, Mount Filesystem
                              • Authentication - Auth Suspicious, Machine Logon, Machine Logon Failure, User Logon, User Logon Failure, User Modify Attribute
                              • Updates/Installs - Software Update, Software Install
                              • System shutdown/reboot/status information - System Shutdown, System Reboot, System Status
                              • Process/daemon status information - Process Info, Process Warning

                              ESX vmkernel messages are generally low-level stuff and generate these types of events:

                              • File-related - File Execute, File System Audit, Mount Filesystem
                              • Process/daemon status information - Process Info, Process Start, Process Warning, Service Info, Service Stop, Service Warning
                              • General system info - System Status
                              • Generic VMware object access - Object Audit

                              I would definitely track the system/service warning and change info, authentication failures, and updates/installs. The rest - traffic, file access, normal authentication - you might want to build filters for and start tracking what the exception cases look like.

                                • Re: Filters For LEM (is there a list somewhere?)
                                  dann

                                  Good morning,

                                  This is the same info I have from Google and VMware sites. I had hoped for filters to alert on that I could copy to an alert. LEM syntax including the exact error message is hard to guess at in advance.

                                  If I wait until something goes wrong, I can then copy the event to a filter and build an alert. But that feels a little like waiting until after a fire before I install a fire alarm.

                                  But if that is all you have, that is all there is.

                                  Thank you for your follow up. I appreciate the time you spent.

                                  Sincerely,

                                  Dan

                                    • Re: Filters For LEM (is there a list somewhere?)
                                      nicole pauls

                                      These are the actual alert types in LEM that correspond to those types of events, though. For example, if you wanted this:

                                      • System shutdown/reboot/status information - System Shutdown, System Reboot, System Status

                                      You would build a rule/filter for

                                      SystemShutdown.DetectionIP = <vmware server(s)>

                                      OR

                                      SystemReboot.DetectionIP = <vmware server(s)>

                                      OR

                                      SystemStatus.DetectionIP = <vmware server(s)>

                                      (or you could build an alert group that had those things in it).

                                      Similarly

                                      • Updates/Installs - Software Update, Software Install

                                      SoftwareUpdate.DetectionIP = <vmware servers>

                                      OR

                                      SoftwareInstall.DetectionIP = <vmware servers>


                                      You could either use DetectionIP = <vmware servers> or use something like ToolAlias = *vm* (assuming they all have default names that contain VM).
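To make the filter syntax quoted in this thread concrete, here is an added example (not from the thread and not SolarWinds code) that evaluates LEM-style conditions such as "Any Alert.ToolAlias = *ESX*" and the OR-joined "SystemShutdown/SystemReboot/SystemStatus.DetectionIP = ..." set over a few constructed events, then applies the 24-hour vs office-hours routing asked for in the opening post. The event field layout, sample IPs, connector names, case-insensitive matching and the 08:00-18:00 office window are all assumptions.

```python
from fnmatch import fnmatchcase

# Constructed sample events (not real LEM output). Each normalized alert
# carries its alert type plus the DetectionIP and ToolAlias fields the
# thread filters on; the ToolAlias values mimic default connector names.
SAMPLE_EVENTS = [
    {"type": "SystemReboot", "DetectionIP": "10.0.0.11", "ToolAlias": "VMware ESX Messages"},
    {"type": "TCPTraffic", "DetectionIP": "10.0.0.11", "ToolAlias": "VMware ESX Messages"},
    {"type": "SoftwareUpdate", "DetectionIP": "10.0.0.12", "ToolAlias": "VMware ESXi Host"},
    {"type": "UserLogonFailure", "DetectionIP": "192.168.5.20", "ToolAlias": "Windows Security"},
]


def parse_condition(text):
    """Split 'AlertType.Field = value' into (alert_type, field, pattern).

    'Any Alert' stands for every alert type; '*' in the value is a wildcard,
    as in 'Any Alert.ToolAlias = *ESX*'.
    """
    lhs, _, value = text.partition("=")
    alert_type, _, field = lhs.strip().partition(".")
    return alert_type.strip(), field.strip(), value.strip()


def matches(event, condition):
    """True if one condition holds for the event. Case-insensitive
    wildcard matching is an assumption about LEM, not documented here."""
    alert_type, field, pattern = parse_condition(condition)
    if alert_type != "Any Alert" and event["type"] != alert_type:
        return False
    return fnmatchcase(event.get(field, "").lower(), pattern.lower())


def run_filter(events, conditions):
    """A filter is a list of conditions joined by OR, as in the replies."""
    return [e for e in events if any(matches(e, c) for c in conditions)]


def route(event, critical_types, hour):
    """Requested scheduling: critical alert types notify around the clock,
    everything else only during office hours (assumed 08:00-18:00)."""
    if event["type"] in critical_types:
        return "alert"
    return "alert" if 8 <= hour < 18 else "hold"


if __name__ == "__main__":
    status_filter = ["SystemShutdown.DetectionIP = 10.0.0.*",
                     "SystemReboot.DetectionIP = 10.0.0.*",
                     "SystemStatus.DetectionIP = 10.0.0.*"]
    for e in run_filter(SAMPLE_EVENTS, status_filter):
        print(e["type"], e["DetectionIP"], route(e, {"SystemShutdown", "SystemReboot"}, 3))
```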