2 Replies Latest reply on Jun 26, 2014 7:56 AM by evileyes07

    Monitor Simultaneous Logins on LEM

    evileyes07

      Hi All,

       

      Is there a way on LEM wherein I can configure the appliance to monitor simultaneous logins on our system? I plan to create a rule so that whenever LEM receives a logon event, it will automatically create a login file or sheet where the login accounts will be registered, and then delete the accounts whenever LEM receives a logoff event. LEM will then send an alert whenever it receives another login event for certain account/s that are still on the login file/sheet. When I checked the LEM rule actions, the option that I think I can use is append to a text file. But I can't seem to find a way to make a rule that will remove the account from the text file. I also can't seem to find the option to have a rule that will match the account involved to a file. I'm not sure if this is the correct approach, but if anyone can recommend a similar thing that would be nice.

       

      Any help would be very much appreciated.

       

      Thanks,

      Neil

        • Re: Monitor Simultaneous Logins on LEM
          curtisi

          Here's what I would use:

           

          First, create a User Defined Group like this one:

          2014-06-23 13_58_25-SolarWinds Log and Event Manager Console.png

          Then, in your rule for logins, make it something like this:

          2014-06-23 14_04_58-SolarWinds Log and Event Manager Console.png

          (This is an awful rule; you'd probably want some NOT statements to trim out the Windows NTSYSTEM accounts and other corporate accounts that legitimately are going to log in to lots of machines at once.)

           

          Then your LogOff Rule would look like:

           

          2014-06-23 14_07_04-SolarWinds Log and Event Manager Console.png

          (Again, awful for [see previous reasons])

           

          And the rule in the middle would be something like:

           

          2014-06-23 14_08_36-SolarWinds Log and Event Manager Console.png
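
The flow described in this thread (add the account to a list on logon, remove it on logoff, alert on a logon while it is still listed), as an added example that is not part of the original posts and is not LEM rule syntax. The `Event` fields, the exclusion list and the sample events are assumptions constructed for illustration; it goes beyond a plain membership list by counting open sessions per host, so one logoff does not clear a session that is still open elsewhere.

```python
from dataclasses import dataclass

# Accounts expected to hold many sessions at once (assumed list; tune per environment).
EXCLUDED = frozenset({"system", "local service", "network service"})

@dataclass(frozen=True)
class Event:          # hypothetical normalized event, not a LEM schema
    ts: str           # timestamp as logged
    kind: str         # "logon" or "logoff"
    account: str
    host: str

def detect_simultaneous_logins(events, excluded=EXCLUDED):
    """Return (ts, account, new_host, hosts_already_open) for each logon by an
    account that still has an open session on a different host."""
    active = {}   # account -> {host: open session count}; stands in for the group
    alerts = []
    for ev in events:
        acct = ev.account.lower()
        # The "NOT" conditions: skip system accounts and machine accounts (name$).
        if acct in excluded or acct.endswith("$"):
            continue
        hosts = active.setdefault(acct, {})
        if ev.kind == "logon":
            others = sorted(h for h in hosts if h != ev.host)
            if others:
                alerts.append((ev.ts, acct, ev.host, others))
            hosts[ev.host] = hosts.get(ev.host, 0) + 1
        elif ev.kind == "logoff" and ev.host in hosts:
            hosts[ev.host] -= 1
            if hosts[ev.host] == 0:   # last session on this host closed
                del hosts[ev.host]
    return alerts

# Constructed sample events (not real log data).
SAMPLE = [
    Event("2014-06-23T09:00:00", "logon", "alice", "WS01"),
    Event("2014-06-23T09:05:00", "logon", "SYSTEM", "WS01"),   # excluded
    Event("2014-06-23T09:06:00", "logon", "SYSTEM", "WS02"),   # excluded
    Event("2014-06-23T09:10:00", "logon", "alice", "WS02"),    # WS01 still open
    Event("2014-06-23T09:20:00", "logoff", "alice", "WS01"),
    Event("2014-06-23T09:30:00", "logoff", "alice", "WS02"),
    Event("2014-06-23T09:40:00", "logon", "alice", "WS03"),    # nothing open
]

if __name__ == "__main__":
    for alert in detect_simultaneous_logins(SAMPLE):
        print("ALERT simultaneous login:", alert)
```

Missed logoff events (crashes, dropped logs) leave stale entries, so a production version would also expire sessions after a timeout.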