You might want to put a not InActiveList condition in there so the rule fires only when the IP is not on the list... This should decrease partial matches...

At least that's what we did...

Also this is a good candidate for a lightweight rule as one doesn't want correlation events here.

Joachim

fore not in Active List condition, i need Active List with all IP of reporting devices as etalon

or you mean recursive in rule?

when rule test IP of reporting device against Reportng_IP Active list, and if not present,add IP to Reportng_IP Active list?

You check in the condition tab wether the deviceAddress is already on the Active List you put it on in the Actions Tab. So an address has made it to the list, the rule will never fire again for events with that deviceAddress (unless the list is cleared).

Joachim

not working

Lightweight rulw

event1 :
NotInActiveList("Reporting_devices")

Action

on every Event

add to active list Reporting_devices

10 min - 1 033 124 partial matches

no firing

So I would do a few things with this rule-

**First- this will collect base and aggregated events

Type != Correlation

AND

**Second- use the In condition, it is less resource intensive

Agent Address In (xxx.xxx.xxx.xxx,yyy,yyy,yyy)

AND

**Third- I think this is what you were trying to do

Device Address Is NOT NULL

AND

Category Significance = /Normal

If you are trying to filter down based on which connector you checking IP's for then you can set a condition to look at only events coming from xyz connector. From the connectors screen, just right click > create active channel. You can then just copy and paste that condition into your rule to filter down to only events from that connector.

I always support lightweight rules, though I am hesitant to use inActiveList conditions bc they can quickly become a huge burden on the system. If you do choose to use this make sure your ActiveList is field based with only one key field (IP addresses) for this case

For aggregation what is your systems avg EPS?

thank you, i not very happy to like inActiveList condition< but i am not know another method to collect and control reporting devices

main task- message if one is it not send more then 15 min

and if i am have not documented reporting device (test against static active list, from csv)is firing another alarm

P.S.

event1 :
( Type != Correlation AND NotInActiveList("Reporting_devices") AND Category Significance = /Normal AND Device Address != NULL )

Device Address != NULL - is not working,

what the right syntax fore address is not free condition?

You need to use Device Address Is NOT NULL, there is an condition called "is" and NOT NULL is available in the drop down.

I originally thought you were trying to track only IP addresses. But if you are doing Device tracking that can be much trickier, and it involves some advance content which I recommend you request a PS engagement to get right.

You could do this use case several ways, such as looking at your Device Status Monitoring Events vs looking at all the events, look to match hostnames instead of IPs since servers can have multiple NICs installed.

Have an ActiveList of all known devices setting the TTL to 15min. When the event drops off you have a rule fire on activeList expire event, and add that device to a separate list of devices that are not reporting. You can have the contents of this list set as a dashboard or something to have a constant view on, or you can alert on it, but I don't recommend it, since you might get flooded with alerts for something like network maintenance. You then have a rule that checks incoming events and if the device that is in the "device not reporting AL" is seen again, which then removes it from the "device not reporting AL" and adds it back to "current devices AL"

Done correctly you shouldn't have more than say 20,000 partial matches. I am sure you can see from my description, that this content can get very very tricky fast, and I def recommend a short PS enangment to help you get this right, otherwise it can seriously bog down your system to a crawl. Which version of ESM are you on?

Thank you,

i use 5.2 ver

of course, i planning use not only IP to identification of device, i only testing rules syntax

next step will be more filds active list.

I think use 3 of them

1)static, imported from cvs - registering devices

2)dynamic by 30 min lifetime - reporting devices from rule

3)differential 1&2 - unknown reporting devices

and use list 3 fore search undocumented devices

IMHO it is fore short time, after i think use assets

asset modelling is another way to do it. The only downside is that it can be difficult to maintain your asset model over time. I still recommend a PS engagement to help figure out what is best for you and your environment.

Have you tried looking for Connector Device Status events (deviceEventClassId=agent:43)?

The frequency of reporting is configurable in the connector, you get the Total Events SLC (Since Last Count/Check/Connect?) and the Source or Target is the Device Itself.

You get to add a device to an AC for all reporting devices or just those where the count is 0 for non reporting devices.

not working

active channel with filter event1 :
Device Event Class ID = agent:43

time- 1d

no any data