My company just purchased LEM. While learning how to use it and getting it set up, I had some initial trouble learning how to perform some tasks that may not be terribly basic, but also are not advanced either. I found the user guide (http://www.solarwinds.com/documentation/LEM/Docs/LEMUserGuide.pdf) among others, but I didn't find all of them up to snuff for what it was I was trying to accomplish. Some of this may be duplicate of the guide linked above or available elsewhere, but in either case may be useful for new users of the product, which is the purpose of this post. I originally wrote this in OneNote as a guide for my coworkers, so apologies if the formatting is a bit off. I'll try to correct it as best as I can.
Adding sources for logging
There are two ways to add a source (node) into LEM. The first is using syslog and connectors, typically from network switches or appliances. To do so, forward syslog to the LEM appliance on port 514 (look up how to do this for your device online if necessary). You then need to enable the relevant connector(s) on the appliance: go to Manage > Appliances and select the gear icon > Connectors. Search for the relevant connector, then select the gear icon > New. You can typically leave all fields at their defaults (with a few exceptions) and hit Save. This creates a new connector below it with a gray icon in the Status column. Select the gear icon > Start and it should eventually turn green, which indicates that the connector is active.
Note: a progress/status message and progress bar appear near the bottom right of the main window while activity is occurring; if a dialog box is in the foreground, they may be in the grayed-out area behind it.
You should see a yellow message at the top indicating that a new node has been found, and sometimes that connectors are enabled. This typically means that you are now receiving syslog events, but go to Explore > nDepth to confirm it and to see what kind of events they are. It is possible there is no relevant connector; in that case you are likely SOL, but Google/Thwack may be able to save you.
For Windows/Linux hosts, there is an installable agent which you can download from the LEM appliance web console. To download it, go to Manage > Nodes and select Add Node near the top of the page. Select Agent Node and download the relevant installer. Copy it to and run it on the needed host(s), entering the appliance IP when the installer asks for it. Once the installation completes, you should see a yellow message at the top indicating a new node has been found, and the node should be listed under Manage > Nodes. Now you need to add the relevant connectors. Do so by selecting the gear icon next to the node and selecting Connectors. On the connector configuration screen that appears, find the relevant connector(s) and select the gear icon > New. Typically the fields can be left at their defaults, so click Save. The newly created connector will have a gray status icon. Click the gear icon > Start. The icon should eventually turn green, indicating the connector is active, and events should begin coming in.
Creating/Editing Email Alerts (as of LEM v6.2)
To actually create or edit the alert, you will need to go to the Build > Rules section. Typically you want to clone from a template. Once you are editing your rule there are two main parts: the correlations and the actions. The correlation portion is the most difficult to set up, especially the first time you create one. Typically you want to go back to Explore > nDepth, or possibly look at an event in the Monitor section. You will probably need to come up with a search that isolates a relevant event, then look at the Event Fields that matter for discerning your desired alert. Once you have found a relevant event that you want to correlate to an alert, the first and most important part is the Event Name, as most correlations start with EventName.SubEventField. You can typically swap back and forth between the Explore tab and the Build tab without losing your place, so that is a helpful way to go about it. From the Build > Rules > Rule Builder screen, drag an event type from the left menu panel to the Correlations section on the right. Typically you first select the Event corresponding to the EventName mentioned earlier, then select and drag the relevant sub field from below it to the Correlations section. The specific parent EventName is important: if you use the wrong one, your rule might never match, and thus never be triggered. On the right side, the equals/does not equal choice and the correlation value should be fairly self-explanatory, but keep in mind you can use wildcards (*), even several in one statement, to build a precise match (ex: User * has performed *). Again, reference an actual event for the structure. Chain these with AND/OR statements to narrow down to only the specific events you want to trigger your rule. Reference other rules if you need examples.
Correlation Time helps reduce duplicate emails/rule triggers when you typically see several events of the same type for a single occurrence.
To send an email as an action, you can clear any other actions from the rule (or leave them if desired), then select Actions > Send Email Message on the right side and drag it to the Actions section. You will need to use an Email Template; creating and editing templates is explained below. Each variable of the Email Template needs to be linked either to static/constant text (dragged from the Constants menu on the left) or to a variable derived from the Events/EventGroups menu on the left, used the same way as in the Correlation section above. Another reminder that the parent EventName is also very important here when using its child Event Fields. The other part to note is the Recipients field, which determines who the email alerts will go to.
The last thing to do is to Save and then make sure to hit Activate Rules on the base Build > Rules page, otherwise your rule will never go into effect.
Creating an Email Template
Go to Build > Groups to begin. To create a new Email Template, select the + button in the top right and select Email Template, or find a similar one, click the gear to its left and select Clone. Alternatively you could just edit an existing one, but keep in mind this will affect any existing rules that reference that template. Most of these fields are pretty self-explanatory. The main thing to note is that you need to create parameters on the left and use them in the Message field, or even the Subject. Each parameter will need to be linked to an Event Field or a Constant in the Rule Builder. An Email Template can be used for multiple rules or can be customized for each rule.
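As an added example (not the author's code and not LEM's own rule engine), the Python below models the pieces described in the rule-building and Email Template sections above: EventName.Field conditions with `*` wildcards, "does not equal", AND/OR chains, a Correlation Time window that suppresses repeat triggers, and a template whose parameters must each be bound to an Event Field or a Constant. The event names, field names, `{Param}` placeholder syntax and the per-rule correlation window are assumptions for illustration, and the events are constructed.

```python
"""Toy model of LEM-style rule correlation and email templates.

Constructed illustration only: the event/field names, the `{Param}` template
syntax and the per-rule correlation window are assumptions, not LEM's engine.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Callable, Optional

# Constructed sample events; "time" is seconds since an arbitrary epoch.
SAMPLE_EVENTS = [
    {"EventName": "UserLogonFailure", "DestinationAccount": "jsmith",     "SourceMachine": "WS-01",  "time": 0},
    {"EventName": "UserLogonFailure", "DestinationAccount": "jsmith",     "SourceMachine": "WS-01",  "time": 5},
    {"EventName": "UserLogon",        "DestinationAccount": "jsmith",     "SourceMachine": "WS-01",  "time": 6},
    {"EventName": "UserLogonFailure", "DestinationAccount": "admin",      "SourceMachine": "WS-07",  "time": 100},
    {"EventName": "UserLogonFailure", "DestinationAccount": "svc-backup", "SourceMachine": "SRV-02", "time": 200},
    {"EventName": "UserLogonFailure", "DestinationAccount": "jsmith",     "SourceMachine": "WS-01",  "time": 700},
]


@dataclass
class Condition:
    """One EventName.Field comparison; '*' in the pattern is a wildcard."""
    event_name: str       # parent EventName: a condition on the wrong one never matches
    field_name: str
    pattern: str
    negate: bool = False  # True models "does not equal"

    def matches(self, ev: dict) -> bool:
        if ev.get("EventName") != self.event_name:
            return False
        hit = fnmatchcase(str(ev.get(self.field_name, "")), self.pattern)
        return (not hit) if self.negate else hit


def all_of(*conds: Condition) -> Callable[[dict], bool]:
    """AND chain of conditions."""
    return lambda ev: all(c.matches(ev) for c in conds)


def any_of(*conds: Condition) -> Callable[[dict], bool]:
    """OR chain of conditions."""
    return lambda ev: any(c.matches(ev) for c in conds)


@dataclass
class EmailTemplate:
    subject: str
    message: str
    parameters: list  # every parameter must be bound in the rule, as in the console


def unbound_parameters(template: EmailTemplate, bindings: dict) -> list:
    """Parameters the rule forgot to link to an Event Field or Constant."""
    return sorted(set(template.parameters) - set(bindings))


def render(template: EmailTemplate, values: dict) -> tuple:
    missing = unbound_parameters(template, values)
    if missing:
        raise ValueError(f"unbound template parameters: {missing}")
    return template.subject.format_map(values), template.message.format_map(values)


@dataclass
class Rule:
    name: str
    correlation: Callable[[dict], bool]
    correlation_time: int  # seconds; repeat matches inside this window are suppressed
    template: EmailTemplate
    bindings: dict         # parameter -> ("field", EventFieldName) or ("const", text)
    recipients: list
    last_fired: Optional[int] = None

    def resolve(self, ev: dict) -> dict:
        """Turn the rule's bindings into concrete values for one event."""
        return {p: (ev.get(v, "") if kind == "field" else v)
                for p, (kind, v) in self.bindings.items()}

    def evaluate(self, ev: dict) -> Optional[dict]:
        """Return the email that would be sent for this event, or None."""
        if not self.correlation(ev):
            return None
        if self.last_fired is not None and ev["time"] - self.last_fired < self.correlation_time:
            return None  # still inside the correlation window: suppressed
        self.last_fired = ev["time"]
        subject, body = render(self.template, self.resolve(ev))
        return {"to": list(self.recipients), "subject": subject, "body": body}


def run_rule(rule: Rule, events: list) -> list:
    """Feed events through a rule in time order and collect the emails it would send."""
    ordered = sorted(events, key=lambda e: e["time"])
    return [m for m in (rule.evaluate(ev) for ev in ordered) if m]


FAILED_LOGON_TEMPLATE = EmailTemplate(
    subject="[{Severity}] Failed logon for {Account}",
    message="Account {Account} failed to log on from {Machine}.",
    parameters=["Severity", "Account", "Machine"],
)

FAILED_LOGON_RULE = Rule(
    name="Failed logon (non-service accounts)",
    correlation=all_of(
        Condition("UserLogonFailure", "DestinationAccount", "*"),
        Condition("UserLogonFailure", "DestinationAccount", "svc-*", negate=True),
    ),
    correlation_time=60,
    template=FAILED_LOGON_TEMPLATE,
    bindings={"Severity": ("const", "INFO"),
              "Account": ("field", "DestinationAccount"),
              "Machine": ("field", "SourceMachine")},
    recipients=["secops@example.com"],
)

if __name__ == "__main__":
    for mail in run_rule(FAILED_LOGON_RULE, SAMPLE_EVENTS):
        print(mail["subject"], "->", mail["body"])
```

Running it sends three emails out of six events: the second jsmith failure at t=5 is inside the 60-second window and is suppressed, the UserLogon at t=6 never matches because its parent EventName differs, and the svc-backup failure is excluded by the "does not equal svc-*" condition. `unbound_parameters` is the check the Rule Builder enforces when a template parameter has not been linked.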
Hopefully this is helpful to someone starting out with LEM. Since I already went through the effort of typing it up, I figured I'd also post it here so it might be helpful to anyone. If you have suggestions, comments, or perhaps other written guides of your own you could post them in the comments. Perhaps if I ever get to it, or if this is well received, I could type up other sections.