4.5 Working with Data Collection Rules

When you create a data collection rule, you specify a variety of information including the data source (data provider) and the response to take when a rule match occurs.

4.5.1 Finding a Data Collection Rule

Finding the data collection rule you want to modify or review can be a challenge if you do not know where it is stored in the data collection policy hierarchy. You can search data collection policies to locate the data collection rule you want.

Agent Manager allows you to specify detailed search criteria for each data collection rule type. The following examples demonstrate criteria you can specify for data collection rules:

  • Find a data collection rule based on a specified event ID number.

  • Find an alert data collection rule based on the Windows security log that generates a warning.

  • Find a performance data collection rule that samples data from a specified counter.

The available criteria change based on the data collection rule type you specify for your search. For best results, carefully examine search criteria and specify only the criteria that apply to your search.

To find a specific rule or set of data collection rules:

  1. Log on to the Agent Manager Console computer using an account that is a member of the OnePointOp ConfgAdms group.

  2. Start the Agent Manager Console in the NetIQ Sentinel Agent Manager program group.

  3. In the left pane, expand Agent Manager Console > Data Collection Policies.

  4. Select any data collection rule folder.

  5. On the Action menu, click Find data collection rules.

  6. Specify the search criteria to locate the data collection rule you want. You can broaden or narrow the criteria to help you find the rules you want.

  7. Click Next until you have finished specifying the search criteria.

  8. Click Finish. Agent Manager displays the results of the rule search in a new window.

4.5.2 Reviewing Previous Rule Search Results

Agent Manager saves rule search results. Access previous search results using the Agent Manager Console.

To review results of a previous rule search:

  1. Log on to the Agent Manager Console computer using an account that is a member of the OnePointOp ConfgAdms group.

  2. Start the Agent Manager Console in the NetIQ Sentinel Agent Manager program group.

  3. In the left pane, expand Agent Manager Console > Search Results > Data Collection Rule Search Results.

  4. Select a Rule Search results folder. Agent Manager displays the search results in the right pane.

4.5.3 Forcing Data Collection Rule Changes

You can force Agent Manager to update Windows agents with new or modified data collection rules, or you can wait for Agent Manager to automatically update the Windows agents. By default, the central computer checks for new data collection rules every 5 minutes. Also by default, Windows agents contact the central computer every 5 minutes (300 seconds); this contact is called the agent heartbeat. After the central computer discovers new data collection rules and the Windows agent heartbeat occurs, the central computer sends the new data collection rules to the Windows agent computer. This process can take up to 10 minutes.

While you are developing data collection rules, you may want to frequently update the Windows agents with the new rules. You can modify how often the central computer checks for new data collection rules and how often the Windows agent sends a heartbeat using Global Settings in the Configuration snap‑in. For more information about configuring Global Settings, see the NetIQ Agent Manager Installation Guide.

You can also force the central computer to update the Windows agents with rule changes. The central computer sends the new or modified data collection rules at the next heartbeat, shortening the overall time this process takes to no more than 5 minutes.

To force data collection rule changes:

  1. Log on to the Agent Manager Console computer using an account that is a member of the OnePointOp ConfgAdms group.

  2. Start the Agent Manager Console in the NetIQ Sentinel Agent Manager program group.

  3. In the left pane, select Agent Manager Console.

  4. On the Action menu, click Force Configuration Changes Now.

  5. Select the central computer with agents you want to update, and then click OK.

  6. If Agent Manager displays a confirmation window, click Close.

NOTE: Forcing configuration changes distributes data collection rule changes only to Windows computers with agents already installed. For more information about installing agents, see the Help.