
Advanced Rule - using Local Variables and the NOT IN Active List condition

So I have a rule; the rule reads IIS logs.

The log is parsed with a local variable that runs in the rule.

This variable splits out the user name from the IIS server log, and the Request Client Application.

The variable then uses a Velocity template to create a field called EMP_IDs. This field and Request Client Application are then placed into a new Active List for unapproved users, as long as the fields are not already found in the Active List embedded in the rule.

These two fields should then be matched against the NOT IN Active List condition, which is an Active List of those same verified fields that have been approved for using this application.

Currently the rule is functioning; however, it does not appear to check or catch the names or devices in the NOT IN Active List condition.


Chris
Did you try adding the fields that need to be checked in the Aggregation panel?


Hello Christopher,

Can you verify that unmatched entries are being added to the active list via the rule actions?

You should also verify that the variables are declared in the rule Aggregation tab. (If the add to active list action fails, missing aggregation may be why.) Lookup issues may also arise if you try to do the inActiveList lookup on a variable that is not aggregated.

Another thing to try is a local variable 'get active list value' and a rule condition of "[activelist-key-field].[local-variable] IS NULL". This condition will be null if the value is not in the active list, and will return the value itself if it is in the list (which is a NOT IS NULL condition as well). Of course the inActiveList condition is more efficient than a local variable for your production content, but this may help you troubleshoot. You can also take the lookup value and alias it into a flex field and look at the correlated event to see what is returned. To do this, add a 'set event field' action in the Actions tab, select an unused field (like flexString1) as $variablename, and then see what is populated into that field in your correlated event. There may be a syntax error in the active list (like leading spaces or case sensitivity).

Good Luck and post/reply if this does not get you the desired result; we will find a fix for you.

/r

Alan


Can you post your variables, please? If you are using a split function in a Velocity template, you may have a type mismatch between the array value and the value in the active list. If you post the variables, I can see if this is a problem that I have seen in the past and can hopefully help out.


So the hang-up was in the coding of the In Active List rule. On the old Express 4 patch 1 box it would match based on the ending variable condition from the Evaluate Velocity Template and save the evaluated variable EMP_IDs as the original alias, sourceUN.

On the new Express 6.9.1 box the In Active List condition sets the variable field to the match condition. Initially, from the older appliance, we saved

sourceUN in the Active List along with Request Client Application as Device.

Since I had all the variables aggregating correctly, I examined the Active List condition statement. I set that to the Evaluate template variable (EMP_IDs) instead of sourceUN, and the rule is not correctly firing per device per user.


So now the next step is to evaluate and rewrite the Request Client Application field to just track the device, and not the device/(version or build of the OS on the device), as some of them can get updated too often and will lead to false-negative hits.

I am going to create a new local variable to run on that field, using the same criteria as the re-parse for the Source User Name field, as the delimiter is the same: either a / or a \.

Once I get this all ironed out I will detail the use case scenario: filtering, rule, lists, alerting and reporting aspects.

This is a monitoring use case for Outlook Mobile Access, by user and device, and also a device breakdown: Apple, Android, Windows Mobile.


Yes, this was completed; they are being aggregated on for a 23-hour period.


See below: this was corrected by matching the Active List field values in the main filter area to the evaluated EMP_IDs and not the post-processing sourceUN.

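The logic discussed across this thread, written out as a stand-alone Python model rather than as ArcSight content, as an added example that is not part of the original posts and not ArcSight's own code. It parses a constructed IIS W3C log excerpt (the field names and values are made up for the example), derives the EMP_IDs value from cs-username by splitting on / or \ and keeping the last element, reduces cs(User-Agent) to the device name without the version/build suffix, and then evaluates the equivalent of the NOT InActiveList condition against a constructed approved list. It also shows the two failure modes the replies point at: leading spaces or case differences in the list entries, and comparing the raw result of a split (a list) against string values, which never matches.

```python
import re
from typing import Iterable, Iterator, List, Optional, Tuple

# Constructed IIS W3C log excerpt (not from the original thread). cs-username and
# cs(User-Agent) are the two fields the rule parses; '-' is IIS's anonymous marker.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2017-03-01 08:00:01 10.0.0.5 POST /Microsoft-Server-ActiveSync CORP\\jsmith 198.51.100.7 Apple-iPhone7C2/1402.100 200
2017-03-01 08:00:02 10.0.0.5 POST /Microsoft-Server-ActiveSync corp.example.com/JSMITH 198.51.100.7 Apple-iPhone7C2/1402.100 200
2017-03-01 08:00:03 10.0.0.5 POST /Microsoft-Server-ActiveSync CORP\\adoe 203.0.113.9 Android/4.4.2 200
2017-03-01 08:00:04 10.0.0.5 GET /Microsoft-Server-ActiveSync - 203.0.113.10 MSFT-WP/8.10 401
2017-03-01 08:00:05 10.0.0.5 POST /Microsoft-Server-ActiveSync CORP\\bbrown 192.0.2.4 Android/7.0 200
"""

# Same delimiter for both fields, as the thread notes: a forward or a back slash.
_DELIM = re.compile(r"[\\/]")


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; a real rule would surface this as a parse failure
        yield dict(zip(fields, values))


def emp_id(cs_username: str) -> Optional[str]:
    """Analogue of the thread's EMP_IDs variable: the account name after the last
    '/' or '\\' (DOMAIN\\user or realm/user). Returns None for anonymous requests."""
    if cs_username == "-":
        return None
    parts = _DELIM.split(cs_username)  # split yields a list...
    return parts[-1]                   # ...so pick one element before comparing


def device(user_agent: str) -> str:
    """Device name without the version/build suffix, e.g. 'Android/7.0' -> 'Android'."""
    return _DELIM.split(user_agent, maxsplit=1)[0]


def norm(value: str) -> str:
    """Normalisation applied to both sides of the lookup, so list entries with
    leading spaces or different case still match."""
    return value.strip().casefold()


def unapproved(log_text: str, approved: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """(emp_id, device) pairs seen in the log that are NOT IN the approved list;
    the in-code equivalent of the rule's NOT InActiveList condition."""
    approved_keys = {(norm(u), norm(d)) for u, d in approved}
    hits = set()
    for ev in parse_w3c(log_text):
        uid = emp_id(ev["cs-username"])
        if uid is None:
            continue
        dev = device(ev["cs(User-Agent)"])
        if (norm(uid), norm(dev)) not in approved_keys:
            hits.add((uid, dev))
    return sorted(hits)


def unapproved_naive(log_text: str, approved: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """The mismatch one reply describes: the whole split() result (a list) and the
    versioned User-Agent are compared against string entries, so nothing ever
    matches and every pair is reported as unapproved."""
    approved_keys = {(u, d) for u, d in approved}
    hits = set()
    for ev in parse_w3c(log_text):
        if ev["cs-username"] == "-":
            continue
        parts = _DELIM.split(ev["cs-username"])        # list, not str
        key = (tuple(parts), ev["cs(User-Agent)"])     # still carries the version
        if key not in approved_keys:
            hits.add((parts[-1], ev["cs(User-Agent)"]))
    return sorted(hits)


# Constructed approved list. ' jsmith' has a deliberate leading space and
# 'android' a different case to show why norm() is applied on both sides.
APPROVED = [(" jsmith", "Apple-iPhoneC2"[:5] + "-iPhone7C2"), ("adoe", "android")]

if __name__ == "__main__":
    print("unapproved:", unapproved(SAMPLE_IIS_LOG, APPROVED))
    print("naive:", unapproved_naive(SAMPLE_IIS_LOG, APPROVED))
```

Only bbrown on Android comes back from `unapproved`, because jsmith's two spellings both reduce to the same EMP_IDs value and adoe's Android matches the lower-case list entry once normalised. The naive variant reports all four user/device pairs as unapproved, which is the "rule fires for everyone" symptom the thread was chasing. In the real rule the equivalent fix is to aggregate the evaluated variable and point the InActiveList condition at it, and to keep the list entries trimmed and in a consistent case.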