Michel Beaudry Outstanding Contributor.

ESM 6.91c automatically disables rules

Since we've upgraded to ESM 6.91c we have noticed a strange behaviour with rules that were perfectly working under 6.8c. It seems to happen mostly on "joint rules" given that ESM has a feature to automatically disable rules that it deems "unsafe".

A rule that has been disabled can be recognized by the following icon in the navigator panel: [image: diabled rule.JPG]

An audit event rule:701 is also generated: [image: rule.JPG]

We have filed a bug report with HPE and are wondering if anyone is also experiencing the same behaviour in their environment?

 

16 Replies
Answer Honored Contributor.

Re: ESM 6.91c automatically disables rules

Yes, I experienced the same thing. Seems like the "partial matches" limit is now being enforced, so if the rule has too many partial matches, it will disable the rule.
0 Likes
Answer Honored Contributor.

Re: ESM 6.91c automatically disables rules

You can modify this limit by adding this line in server.properties: rules.max.partial.matches=10000 and use a higher number than 10000
0 Likes
Michel Beaudry Outstanding Contributor.

Re: ESM 6.91c automatically disables rules

That was tried too, even bumped up to 100,000 but it only delays the moment at which it happens.
0 Likes
Answer Honored Contributor.

Re: ESM 6.91c automatically disables rules

Is the rule correctly built? Maybe some filtering could be added. I guess you could probably try with a -1 value as it should disable the limit. If not, keep us posted on the support reply please!
0 Likes
Answer Honored Contributor.

Re: ESM 6.91c automatically disables rules

You had me wondering here Michel... We have multiple join rules and only one of them gets disabled... (the other ones have way more multiple matches). The only difference I see on the one that gets disabled is that the conditions are "consume after match", whereas the other rules don't have this option. Wondering if it's the same on your side?
0 Likes
Michel Beaudry Outstanding Contributor.

Re: ESM 6.91c automatically disables rules

HPE support confirmed the problem and opened bug NGS-24187 but they say they will only fix it in ESM 6.11 as we are the only one that reported it. I would suggest that anyone who has the same problem files a similar problem report. Maybe we'll get some traction thereafter.
Answer Honored Contributor.

Re: ESM 6.91c automatically disables rules

Thanks Michel, I added our company to the bug report.
0 Likes
arturp1 Trusted Contributor.

Re: ESM 6.91c automatically disables rules

Did you receive any help from HPE? We are facing the same issue. When the number of matching events for a rule exceeds the max partial matches threshold, it is disabled for a minute and then enabled.

But the problem is that after it is enabled, it is disabled after a few seconds with the counter of partial matches incremented by a few, just like the counter is not cleared every time there is this error. So the rule stops working till the next ESM restart.

Wed Aug 23 12:05:32 CEST 2017 Deactivating the rule Rule_1: Number of partial matches = 18119, above threshold 18000 /Rule/Error/Deactivate/Unsafe
Wed Aug 23 12:05:31 CEST 2017 Activating the rule Rule_1: The rule is under control /Rule/Activate
Wed Aug 23 12:04:31 CEST 2017 Deactivating the rule Rule_1: Number of partial matches = 18114, above threshold 18000 /Rule/Error/Deactivate/Unsafe
Wed Aug 23 12:04:31 CEST 2017 Activating the rule Rule_1: The rule is under control /Rule/Activate
Wed Aug 23 12:03:31 CEST 2017 Deactivating the rule Rule_1: Number of partial matches = 18111, above threshold 18000 /Rule/Error/Deactivate/Unsafe
Wed Aug 23 12:03:31 CEST 2017 Activating the rule Rule_1: The rule is under control /Rule/Activate
Wed Aug 23 12:02:30 CEST 2017 Deactivating the rule Rule_1: Number of partial matches = 18105, above threshold 18000 /Rule/Error/Deactivate/Unsafe
Wed Aug 23 12:02:30 CEST 2017 Activating the rule Rule_1: The rule is under control /Rule/Activate
Wed Aug 23 12:01:30 CEST 2017 Deactivating the rule Rule_1: Number of partial matches = 18101, above threshold 18000 /Rule/Error/Deactivate/Unsafe
Wed Aug 23 12:01:28 CEST 2017 Activating the rule Rule_1: The rule is under control /Rule/Activate
Wed Aug 23 12:00:28 CEST 2017 Deactivating the rule Rule_1: Number of partial matches = 18100, above threshold 18000 /Rule/Error/Deactivate/Unsafe
Wed Aug 23 12:00:27 CEST 2017 Activating the rule Rule_1: The rule is under control /Rule/Activate
Wed Aug 23 11:59:27 CEST 2017 Deactivating the rule Rule_1: Number of partial matches = 18099, above threshold 18000 /Rule/Error/Deactivate/Unsafe
Wed Aug 23 11:59:21 CEST 2017 Activating the rule Rule_1: The rule is under control /Rule/Activate
Wed Aug 23 11:58:20 CEST 2017 Deactivating the rule Rule_1: Number of partial matches = 18096, above threshold 18000 /Rule/Error/Deactivate/Unsafe
Wed Aug 23 11:58:19 CEST 2017 Activating the rule Rule_1: The rule is under control /Rule/Activate
Wed Aug 23 11:57:19 CEST 2017 Deactivating the rule Rule_1: Number of partial matches = 18095, above threshold 18000 /Rule/Error/Deactivate/Unsafe

 

0 Likes
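The symptom described in the post above (the rule is re-disabled seconds after each re-activation, with a partial-match count that never drops) can be checked for mechanically. This is an added example, not part of the original thread and not vendor code: it parses audit lines in the format quoted above, using five lines copied from that excerpt; the function names and the 10-second `max_active_s` cut-off are assumptions.

```python
import re
from datetime import datetime

# Five lines copied from the excerpt in the post above (newest first, as posted).
SAMPLE = """\
Wed Aug 23 12:00:28 CEST 2017 Deactivating the rule Rule_1: Number of partial matches = 18100, above threshold 18000 /Rule/Error/Deactivate/Unsafe
Wed Aug 23 12:00:27 CEST 2017 Activating the rule Rule_1: The rule is under control /Rule/Activate
Wed Aug 23 11:59:27 CEST 2017 Deactivating the rule Rule_1: Number of partial matches = 18099, above threshold 18000 /Rule/Error/Deactivate/Unsafe
Wed Aug 23 11:59:21 CEST 2017 Activating the rule Rule_1: The rule is under control /Rule/Activate
Wed Aug 23 11:58:20 CEST 2017 Deactivating the rule Rule_1: Number of partial matches = 18096, above threshold 18000 /Rule/Error/Deactivate/Unsafe
"""

# The timezone token (CEST) is skipped: strptime's %Z is platform dependent.
LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8}) \w+ (?P<year>\d{4}) "
    r"(?P<action>Activating|Deactivating) the rule (?P<rule>[^:]+): "
    r"(?:Number of partial matches = (?P<count>\d+), above threshold \d+)?"
)

def parse(text):
    """Return (time, rule, action, count) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(f"{m['ts']} {m['year']}", "%a %b %d %H:%M:%S %Y")
        count = int(m["count"]) if m["count"] else None
        events.append((when, m["rule"], m["action"], count))
    # Within the same second, an activation precedes the deactivation that follows it.
    return sorted(events, key=lambda e: (e[0], e[2] == "Deactivating"))

def flapping(events, max_active_s=10):
    """Per rule: quick re-disables, seconds spent active, and whether the count ever dropped."""
    report, state = {}, {}  # state: rule -> (last activation time, last deactivation count)
    for when, rule, action, count in events:
        activated, prev_count = state.get(rule, (None, None))
        if action == "Activating":
            state[rule] = (when, prev_count)
            continue
        r = report.setdefault(rule, {"flaps": 0, "active_s": 0.0, "counter_reset_seen": False})
        if activated is not None:
            up = (when - activated).total_seconds()
            r["active_s"] += up
            r["flaps"] += up <= max_active_s
        if prev_count is not None and count < prev_count:
            r["counter_reset_seen"] = True
        state[rule] = (None, count)
    return report
```

A rule with repeated flaps, only a few active seconds and `counter_reset_seen` still false is effectively not correlating at all, which is the detection gap this thread is about.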
Michel Beaudry Outstanding Contributor.

Re: ESM 6.91c automatically disables rules

Hi arturp1,
0 Likes
Michel Beaudry Outstanding Contributor.

Re: ESM 6.91c automatically disables rules

After spending numerous hours providing info to HPE support, they finally agreed that it was a bug and opened a ticket with HPE Development. The number of the bug is NGS-24187, and you can tag along on this one, as HPE was claiming we were the only one with this problem. I simply believe that most people using joint rules don't realize that their rules get auto-disabled. Your analysis is right as far as I am concerned, as I came to the same conclusion: they simply don't reset some of the counters when they disable the rule, and as soon as it is re-enabled it gets knocked off again. We have tried to change numerous parameters like rules.max.fan-out.time-unit.ratio in server.properties, but it would only delay the time it took to disable. Again, I suggest you open a ticket with HPE and quote bug number NGS-24187. I have asked to have this bug fixed in ESM 6.91, but they said they would only make it in 6.11 patch 2.
0 Likes
zwikholm1 Respected Contributor.

Re: ESM 6.91c automatically disables rules

Has anyone been able to verify if this was fixed in patch 2? We're currently having this happen with four rules that add login information, but it has been pretty unreliable due to this bug.

0 Likes
mbeaudry1 Frequent Contributor.

Re: ESM 6.91c automatically disables rules

Hi,

 

Finally after a very long wait, MicroFocus said that they would NOT fix this issue. They have suggested to simply disable this feature by setting the following property in server.properties:

rules.max.partial.matches=-1 

We have implemented this suggestion and it solved the issue without any side effects.

 

Regards,

Michel Beaudry

0 Likes
zwikholm1 Respected Contributor.

Re: ESM 6.91c automatically disables rules

Thank you for responding and letting me know what MicroFocus said. It looks like we will be trying this as well and hopefully we will not see any problems as well.

0 Likes
Oliver843 Honored Contributor.

Re: ESM 6.91c automatically disables rules

Hello,

Just to throw my two cents in here.

I know it is listed as a bug, and I too have had this problem; however, there is a workaround.

This may not be possible all the time given the complexity of some of the rules you can create but attempt to make the rule which keeps getting disabled a little more explicit.

  • Such as setting the type of event: if it's base, set it to base.
  • If there is a host name field and your infrastructure has a set naming convention, try adding (contains "a"), for example, to the host name field.

Basically anything you can do to limit the partial matches from occurring.

This worked for me so hopefully this could help.

Regards

Oliver

 

 

0 Likes