7.6 Validating Rulesets

Rules are validated automatically when they are imported or added to the Event Manager. A ruleset can also be validated manually.

7.6.1 Validating a Ruleset Manually for Correct Syntax

To validate that the ruleset has correct syntax:

  1. Execute the following command:

    mosjava com.mosol.Eve.Rule.RuleSet -import test.rs test.exp

    This example validates an exported ruleset named test.exp. If validation succeeds, the command creates the compiled ruleset named test.rs.

  2. After compiling the ruleset, send input (raw text) to the ruleset and examine the result to see if the ruleset performs as expected.

7.6.2 Sending Input to the Ruleset

To send input to the ruleset, execute the following command:

mosjava com.mosol.Eve.Rule.RuleSet -test test.rs test.dat

In this example, the input is contained in the test.dat file.

The file contains event data that the test.rs ruleset can process. For example, this event data could be the raw log of events from a device.