8.5 Understanding Event Sources

Event sources extract a particular type or class of events from one of the following providers:

  • Operating system

  • Daemon

  • Server

  • Application

Typically, an event source extracts the required information by parsing log entries and filtering out the ones that are not of interest. Once a log entry has been parsed and has passed the filter, it is treated as an event. Every event consists of a set of output parameters; these are the values that the event detection and alerting daemon evaluates against your rules.

When an event source detects an event and assigns output parameter values, the event detection and alerting daemon uses the values to trigger the appropriate rule response in the associated rule group. For example, you can configure a rule in an agent computer rule set that alerts you when an FTP event associated with a particular user account is detected. To successfully trigger your FTP rule, you must have an event source that can do the following:

  • Monitor the wtmp log file, the log in which FTP events are reported

  • Parse the log entries

  • Generate output about each event

UNIX Agent Manager provides a wtmp event source with the default rule set. This event source scans the wtmp log and generates output about each entry in the log. The wtmp event source extracts a number of properties, including the event type and the user login name, and provides them to the event detection and alerting daemon. Specifically, the event type and the user login name are defined as the $id and $user output parameters, respectively. If the value of an output parameter matches the criteria you configure in a rule, the actions you specified in the rule properties are triggered.
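The following Python script is an added illustration of the pipeline described above (monitor wtmp, parse each record, emit output parameters, let a rule match on them). It is not code from UNIX Agent Manager, whose event sources are implemented inside the product; it exists only to make the $id and $user parameters concrete. Two things are assumptions: the record layout is the glibc struct utmp used on x86_64 Linux (384 bytes per record; BSD, Solaris and AIX use different layouts), and FTP sessions are recognised by a ut_line value that begins with "ftp", which is how wu-ftpd-style daemons record them. The sample wtmp data is constructed inline so the script runs offline; point it at a real file with open("/var/log/wtmp", "rb").read() after checking the layout matches your platform.

```python
import struct
from collections import namedtuple

# ASSUMPTION: glibc struct utmp on x86_64 Linux. Fields, in order:
#   ut_type(int16) pad(2) ut_pid(int32) ut_line[32] ut_id[4] ut_user[32]
#   ut_host[256] ut_exit{int16,int16} ut_session(int32) ut_tv{int32,int32}
#   ut_addr_v6[16] unused[20]  ->  384 bytes, little-endian, unpadded.
UTMP_FORMAT = "<hxxi32s4s32s256shhiii16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)  # 384

USER_PROCESS = 7   # ut_type of a login session record
DEAD_PROCESS = 8   # ut_type of a logout record

# The event as handed to the rule engine. 'id' and 'user' play the role of
# the $id and $user output parameters described in the text.
Event = namedtuple("Event", "id user line host time")


def _cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_wtmp(data):
    """Event source: yield one Event per fixed-size wtmp record."""
    if len(data) % UTMP_SIZE:
        raise ValueError("truncated wtmp data: %d bytes" % len(data))
    for off in range(0, len(data), UTMP_SIZE):
        (ut_type, _pid, line, _ident, user, host, _e_term, _e_exit,
         _session, tv_sec, _tv_usec, _addr) = struct.unpack_from(
            UTMP_FORMAT, data, off)
        yield Event(id=ut_type, user=_cstr(user), line=_cstr(line),
                    host=_cstr(host), time=tv_sec)


def ftp_login_rule(event, watched_user):
    """Rule: fire on an FTP login ($id == USER_PROCESS) by watched_user.
    ASSUMPTION: the FTP daemon writes a ut_line starting with 'ftp';
    adjust the prefix to what your daemon actually records."""
    return (event.id == USER_PROCESS
            and event.line.startswith("ftp")
            and event.user == watched_user)


def matching_events(data, watched_user):
    """Run the event source over data and return the events the rule matched."""
    return [e for e in parse_wtmp(data) if ftp_login_rule(e, watched_user)]


def make_record(ut_type, pid, line, user, host, tv_sec):
    """Pack one record in the layout above (used only to build sample data)."""
    def field(text, width):
        return text.encode("ascii")[:width]
    return struct.pack(UTMP_FORMAT, ut_type, pid, field(line, 32), b"",
                       field(user, 32), field(host, 256), 0, 0, 0,
                       tv_sec, 0, bytes(16))


# Constructed sample wtmp: one shell login, two FTP logins, one FTP logout.
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 1201, "pts/0",   "alice", "10.0.0.5",   1700000000),
    make_record(USER_PROCESS, 1340, "ftp1340", "bob",   "10.0.0.9",   1700000060),
    make_record(USER_PROCESS, 1355, "ftp1355", "alice", "192.0.2.10", 1700000120),
    make_record(DEAD_PROCESS, 1340, "ftp1340", "",      "",           1700000180),
])


if __name__ == "__main__":
    for hit in matching_events(SAMPLE_WTMP, "alice"):
        print("ALERT: FTP login by %s from %s at %d (line %s)"
              % (hit.user, hit.host, hit.time, hit.line))
```

Note that only the login record for alice on ftp1355 fires the rule: the pts/0 login has the right user but is not an FTP session, and the DEAD_PROCESS record carries no user name. A length check rejects a partially written record rather than silently misaligning every record after it, which is the failure mode to guard against when tailing a binary log that a daemon is still appending to.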

A single event source can serve multiple rule groups, so share one event source between rule groups rather than creating a second instance that monitors the same log file. Configuring several rule groups with separate but identically configured instances of the same event source is undesirable: each instance independently repeats the monitoring, parsing, and output parameter generation for the same log entries. If you do create more than one event source, configure each one to monitor a different log file. You specify the event source for a rule group by editing the properties of that rule group.

To add an event source to a rule set, right-click Rule Set in the Edit Rules window.