Infosec Super Contributor.

ESM Rule multiple firing

So I have a weird problem.

I have a standard rule that correlates 3 different events. It generally works fine; however, for some events it starts firing multiple (2-4) times without a reason.

I have checked, and each rule event correlates the same base events (same eventIDs, same endTime, etc.). Each rule event has the same time and the same aggregation fields, and they differ only in eventId.

The rule is configured to run Set Event Field Action on every event and has matching time and aggregation time set for 30 secs. 

Does anyone know a way to troubleshoot this behavior?

3 Replies
Knowledge Partner

Re: ESM Rule multiple firing

If you are using a join condition on the rule, check the "consume after match" option.

Infosec Super Contributor.

Re: ESM Rule multiple firing

I indeed have a join condition. Should I enable it for all the Event Definitions or only one?

I would still be interested to see which log can show me why the rule is fired multiple times even though base events are not repeated. 

So to say, for each of the 2 event definitions there is a single base event that fits the conditions. The rule fires and matches 2 events in the first, then proceeds and fires again and matches the same events again in another rule event. What is weird is that it does not happen every time, but randomly.

Knowledge Partner

Re: ESM Rule multiple firing

I've attached a document regarding consume after match and other things in rules. It'll help you to understand the mechanism.

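
An added example, not from the thread or from ArcSight: a simplified Python model of a two-alias join rule, showing how the "consume after match" setting discussed above changes how often the same base events take part in a firing, and what differs when it is set on one alias or on both. The aliases A and B, the join key, the event IDs and the matching logic are assumptions for illustration and do not reproduce the ESM correlation engine.

```python
from collections import namedtuple

# Constructed event shape: alias = which event definition the event satisfies,
# key = the join field value, ts = end time in seconds.
Event = namedtuple("Event", "event_id alias key ts")


def correlate(events, window=30, consume=frozenset()):
    """Toy two-alias join (aliases 'A' and 'B') on `key` within `window` seconds.

    Each incoming event is paired with every event of the other alias that is
    still inside the window, and every pair counts as one rule firing. Aliases
    listed in `consume` model "consume after match": an event of such an alias
    that has taken part in a firing is never paired again.
    Returns the fired pairs as (A_event_id, B_event_id) tuples.
    """
    seen, used, fired = [], set(), []
    for ev in sorted(events, key=lambda e: e.ts):
        # Drop events that have aged out of the matching window.
        seen = [s for s in seen if ev.ts - s.ts <= window]
        for other in seen:
            if other.alias == ev.alias or other.key != ev.key:
                continue
            if used & {ev.event_id, other.event_id}:
                continue  # one side was already consumed by an earlier firing
            a, b = (ev, other) if ev.alias == "A" else (other, ev)
            fired.append((a.event_id, b.event_id))
            used.update(e.event_id for e in (a, b) if e.alias in consume)
        seen.append(ev)
    return fired


# Constructed sample: two A events and two B events sharing one join key.
SAMPLE = [
    Event(101, "A", "10.0.0.5", 0),
    Event(201, "B", "10.0.0.5", 5),
    Event(102, "A", "10.0.0.5", 12),
    Event(202, "B", "10.0.0.5", 20),
]

if __name__ == "__main__":
    for setting in (set(), {"A"}, {"B"}, {"A", "B"}):
        label = ",".join(sorted(setting)) or "none"
        print(f"consume={label}: {correlate(SAMPLE, consume=setting)}")
```
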