11.2 Understanding Rule Sets

Rule sets are collections of rules that you want to enforce on a specific Agent computer or on a group of Agent computers. You can create rule sets that are specific to the location, job, or sensitivity of a particular UNIX or Linux computer, or you can create a single rule set to apply to a class of servers, such as Apache web servers or Oracle database servers. You can enforce a unique rule set on each Agent or deploy a uniform rule set to multiple computers.

Rule set data is normally stored on a UAM server and can be accessed by any UAM console that is connected to that server. However, you can export the data to a file that can be imported into another server. When you import a rule set, you can give it a new name at that time.

11.2.1 Selecting a Rule Set to Edit

Before you start working with a rule set, determine which rule set you want to modify. Consider the following scenarios:

  • If this is the initial implementation of rule sets in your organization, consider reviewing and editing the default rule set provided with the UAM. The UAM displays the default rule set when you open Rules Manager and click Create Rule Set. If you modify the default rule set, save the new rule set with a unique name.

  • Open a saved rule set if you have already begun editing it. You might also need to open a saved rule set if you maintain template rule sets based on the job-related use of the Agent computer. For more information on selecting a rule set, see Understanding Rule Sets.

11.2.2 Viewing Rule Sets and Editing Rule Set Properties

When you open a rule set, the UAM provides both a tree pane and a list pane. The tree pane provides an easy way to navigate through specific event source and rule group information, while the list pane changes to provide detailed information about your tree selection.

At the second level of the tree, you can find the event sources and rule groups of the rule set. The following list provides a short description of the contents of this secondary tree level and references for more information:

  • Event sources provide the data on which to trigger your rules. For more information, see Understanding Event Sources.

  • Rule groups provide editable properties at the group level, and contain individual rules. For more information, see Understanding Rule Groups.

  • Expanding a rule group allows you to view and edit the rules associated with its common event source. For more information, see Understanding Rules.

UAM displays disabled rules and event sources in a darker color.

Editing Rule Set Properties

The content pane displays the configuration of any selected tree element, but you cannot edit properties in the content pane.

To edit the properties of a rule or rule group, perform the following steps:

  1. Right-click the rule or rule group in the tree pane.

  2. Select Edit on the menu.

  3. In the Edit window, modify the appropriate properties.

  4. Click OK to save the modifications and close the window.

11.2.3 Activating Rule Sets

Deploying a rule set to an Agent computer replaces the previous rule set. The event detection and alerting process begins processing and initializing the new rule set immediately; however, it might take up to 30 seconds for the new rule set to take effect. If you modified items in the filesystem rule group, the event detection and alerting process might take longer to initialize, because it must first create initial snapshots of the filesystem objects.

To deploy rule sets to Agent computers:

  1. Start the UAM.

  2. Click File > Rules Manager.

  3. Click Manage Rule Sets > Create Rule Set, and then enter a name for the rule set.

  4. (Conditional) If you want to make changes to the default rule set displayed in the Rules Manager, customize it as needed until it is correctly configured for your environment.

  5. Close the Rule Editor.

  6. Click Back to return to the main Rules Management window.

  7. In the Available Hosts list, select the Agent computers on which you want to use the rule set.

  8. Click To Selected Hosts to deploy the rule set. The detectd process begins processing and initializing the new rule set immediately, but it might take up to 30 seconds for the new rule set to take effect.

  9. Verify that the rule set is active on the Agent computers: the Sentinel column shows a green cell for each Agent with an active rule set.
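The host-side counterpart to step 9, as an added example that is not part of the product or of this manual: a POSIX shell script that waits for the detectd process to appear on the Agent computer after a rule set is deployed. It assumes that the process shows up in the process table under the name detectd (the manual names the process but not how it appears to ps), and it treats the 30-second figure above as the normal worst case, so the wait is configurable for deployments that change the filesystem rule group and therefore initialize more slowly.

```sh
#!/bin/sh
# Host-side check that the event detection and alerting process (detectd)
# is up after a rule set deployment. Added example; not part of the product.
#
# Assumptions (not stated in the manual):
#   - detectd appears in the process table under exactly that name.
#   - 30 s is the normal worst case; filesystem rule group changes can take
#     longer, so the wait is configurable.

PROCESS_NAME="${PROCESS_NAME:-detectd}"

# process_running NAME
# Returns 0 if a process whose command name is exactly NAME exists.
process_running() {
    if command -v pgrep >/dev/null 2>&1; then
        pgrep -x "$1" >/dev/null 2>&1
    else
        # Fallback for hosts without procps: scan /proc directly (Linux only).
        for f in /proc/[0-9]*/comm; do
            [ -r "$f" ] && [ "$(cat "$f" 2>/dev/null)" = "$1" ] && return 0
        done
        return 1
    fi
}

# wait_for_process NAME TIMEOUT_SECONDS
# Polls once per second. Returns 0 as soon as NAME is running, 1 on timeout.
wait_for_process() {
    name="$1"
    timeout="${2:-30}"
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if process_running "$name"; then
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 1
}

# main [TIMEOUT]
# Prints a one-line verdict and returns non-zero when detectd never appeared,
# so the script can gate a post-deployment step in automation.
main() {
    timeout="${1:-30}"
    if wait_for_process "$PROCESS_NAME" "$timeout"; then
        echo "OK: $PROCESS_NAME is running on $(hostname)"
        return 0
    fi
    echo "FAIL: $PROCESS_NAME not running after ${timeout}s on $(hostname)" >&2
    return 1
}

# Run the check only when invoked with --check, so the functions can also be
# sourced into other scripts. Example: sh check_detectd.sh --check 60
if [ "${1:-}" = "--check" ]; then
    main "${2:-30}"
fi
```

Run it on the Agent computer after step 8, for example `sh check_detectd.sh --check 60` when the rule set changes the filesystem rule group. A non-zero exit status means the process never appeared within the timeout, which is the host-side equivalent of a cell that is not green in the Sentinel column. A running detectd only shows that the process is up, not which rule set it loaded; the console check in step 9 remains the authoritative confirmation that the new rule set is active.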