Channel: THWACK: Message List - Security Event Manager (SEM) - Formerly Log & Event Manager

Re: How to monitor activity by users of the admin group


Hi rickb@fresnocfcu.org,


There are a couple of ways to monitor administrator activity.


First, I would caution against configuring a rule for all administrator activity. With everything an administrator "touches" day in and day out, the types and amount of alerts you receive would result in a lot of noise. Instead we recommend setting up rules for specific activity such as logon failures, changes made by administrator accounts, and changes made to those administrator accounts. LEM provides a number of rules (Build->Rules) for this type of activity out of the box. I would recommend taking a look at the rules within the Activity Type->Administrative Monitoring section of the Rule Categories and Tags dropdown to determine if those will fit your needs. From there you can view the rule details, clone individual rules, or enable them in bulk.

Creating Rules for Real-time Correlation and Response with Log & Event Manager - Videos | SolarWinds


Several of these rules look for the default administrator account and admin groups via pre-built User Defined Groups. You can edit these groups to include any additional administrator accounts/groups that you would like through the Build->Groups section of the LEM web console. The other option would be to include your existing AD groups by configuring the Directory Service Query connector.


From a reporting perspective you have a couple of options.

  • nDepth searches - You can search for user activity through the Explore->nDepth section of the LEM web console and turn those results into saved queries or ad-hoc reports.
  • SolarWinds LEM Reports - A number of the Change Management and Authentication reports will track administrator activity. You can filter these reports down to just administrator activity and/or save the filtered report as a custom report so it can be scheduled and run on a regular basis.


Thanks,


Chris
