11.7 Understanding Rules

Rules contain all of the information the event detection and alerting process needs to evaluate event source output parameters and trigger actions. Expanding a rule group displays the rules contained in the rule group. Rules that appear in the same group have common event sources and schedules, if applicable.

A rule is defined and governed by one or more of the following properties:

Properties                          For more information, see

Actions                             Understanding Actions

Initialization code                 Understanding Initialization Code

Main code                           Understanding Main Code

Conditionals (And and Or objects)   Understanding Conditionals and Comparisons

Comparisons                         Understanding Conditionals and Comparisons

Time conditions                     Understanding Time Conditions

Templates                           Templates contain information for the Rule wizard. Template nodes do not require user maintenance.

The UAM displays these properties as child objects of the rule in the tree.

11.7.1 Understanding Actions

Actions are the responses available for a detected event. The following definitions provide more information about your options:

  • E-mail: Specifies the name, e-mail address, and message content you want sent when the rule triggers. Specify these fields with the appropriate information. Separate multiple e-mail addresses with a comma. You must have Agent configured correctly on the Agent computer to send e-mail.

  • SNMP: Specifies the SNMP message you want sent when the rule triggers. Select the appropriate notification for this field.

  • Log: Specifies the name of the log file and the message written in the log file when the rule triggers. Provide the appropriate information in these fields.

  • Command: Specifies a Bourne shell command to execute on the Agent computer when the rule triggers. Provide an appropriate command in this field.

  • Sentinel Event: Specifies the NetIQ classification attribute used to classify events for Sentinel.
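Because a Command action hands a Bourne shell command to sh on the Agent computer, any event-derived value placed on that command line is interpreted by the shell. The script below is an added example, not code from the NetIQ documentation or the product: a small POSIX sh script that a Command action could invoke with the rule's $user and $time values as arguments, which rejects values containing characters outside an allowlist before appending a record to a log file. It assumes the Agent substitutes rule variables into the command string before sh runs it; the log path, function names and sample values are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the NetIQ documentation). A Bourne-shell action
# script: invoked as  sh log_event.sh "$user" "$time"  from a Command action,
# assuming the Agent expands rule variables into the command line first.

# Assumed log path; override by exporting LOGFILE on the Agent host.
LOGFILE="${LOGFILE:-${TMPDIR:-/tmp}/rule_actions.log}"

# Return 0 when a field contains only characters that legitimately appear in a
# user name or timestamp, 1 otherwise. Keeping only allowlisted characters and
# comparing with the original catches shell metacharacters and embedded
# newlines alike, so a hostile field never reaches another command unchecked.
is_safe_field() {
    [ -n "$1" ] || return 1
    kept=$(printf '%s' "$1" | LC_ALL=C tr -cd 'A-Za-z0-9 _.:@/-')
    [ "$kept" = "$1" ]
}

# Append one record for the event. Every expansion is quoted, so a value with
# spaces stays one field; rejected values produce a stderr message and a
# non-zero status that the Agent can surface. Returns 0 on success.
log_event() {
    user="$1"
    when="$2"
    if ! is_safe_field "$user" || ! is_safe_field "$when"; then
        printf '%s\n' "rule action: rejected event with unexpected characters" >&2
        return 1
    fi
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s user=%s message="logged in at %s"\n' "$stamp" "$user" "$when" >> "$LOGFILE"
}

# Stand-alone use: two arguments, user then time (constructed example values:
#   sh log_event.sh alice '2024-05-01 10:00:00').
if [ "$#" -eq 2 ]; then
    log_event "$1" "$2"
fi
```

The allowlist is deliberately narrow; widen it only for characters the event source actually emits, and keep the quoting in the printf line so the log record cannot be split by a crafted value.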

11.7.2 Viewing and Editing Rule Properties and Actions

Clicking a rule displays the properties, configuration, actions, conditions, and advanced settings of the rule in the content pane:

  • Rule attributes tab: identifies and describes the rule.

  • Configuration tab: displays the rule configuration.

  • Actions tab: specifies the actions to perform when the rule triggers.

  • Conditions tab: displays the conditions that must be met for the rule to trigger.

  • Advanced tab: displays the rule debug level.

Expanding an action node displays a sub-node that is labeled with the action that will occur if the rule triggers. For example, an element that is labeled Alert: $user logged in at $time describes the alert message that displays when the rule triggers.

To edit rule properties, right-click the rule in the Edit Rules window.

NOTE: Use only Bourne shell commands when specifying Command rule properties.

11.7.3 Creating New Rules and Actions

Creating new rules can be a time-consuming task. Before creating new rules, confirm that both of the following statements are true:

  • You cannot use the Rules wizard.

  • You cannot find an existing rule to modify.

To create new rules and actions in a rule group:

  1. Right-click a rule group that is associated with the event source that you want to use, and then click Add Rule.

  2. On the Add Rule window, configure the appropriate rule group properties and actions, then click OK.

    NOTE: Use only Bourne shell commands in the Command attribute.