High level Partial matches per rule
I writing rule to collect to Active List IP of reporting devices (Device Address)
i use filter
( Type = Base AND ( Agent Address = X.X.X.X OR Agent Address = Y.Y.Y.Y ) AND Device Address != 0.0.0.0 AND Category Significance = /Normal )
X.X.X.X,Y.Y.Y.Y - address of connectors servers
fore aggregation i use 1 matches per 1 second
Action - On first event
Partial matches per rule is more then 1 500 000 per 10 minute
may be i use wrong conditions?
You might want to put a not InActiveList condition in there so the rule fires only when the IP is not on the list... This should decrease partial matches...
At least that's what we did...
Also this is a good candidate for a lightweight rule as one doesn't want correlation events here.
fore not in Active List condition, i need Active List with all IP of reporting devices as etalon
or you mean recursive in rule?
when rule test IP of reporting device against Reportng_IP Active list, and if not present,add IP to Reportng_IP Active list?
You check in the condition tab wether the deviceAddress is already on the Active List you put it on in the Actions Tab. So an address has made it to the list, the rule will never fire again for events with that deviceAddress (unless the list is cleared).
So I would do a few things with this rule-
**First- this will collect base and aggregated events
Type != Correlation
**Second- use the In condition, it is less resource intensive
Agent Address In (xxx.xxx.xxx.xxx,yyy,yyy,yyy)
**Third- I think this is what you were trying to do
Device Address Is NOT NULL
Category Significance = /Normal
If you are trying to filter down based on which connector you checking IP's for then you can set a condition to look at only events coming from xyz connector. From the connectors screen, just right click > create active channel. You can then just copy and paste that condition into your rule to filter down to only events from that connector.
I always support lightweight rules, though I am hesitant to use inActiveList conditions bc they can quickly become a huge burden on the system. If you do choose to use this make sure your ActiveList is field based with only one key field (IP addresses) for this case
For aggregation what is your systems avg EPS?
thank you, i not very happy to like inActiveList condition< but i am not know another method to collect and control reporting devices
main task- message if one is it not send more then 15 min
and if i am have not documented reporting device (test against static active list, from csv)is firing another alarm
( Type != Correlation AND NotInActiveList("Reporting_devices") AND Category Significance = /Normal AND Device Address != NULL )
Device Address != NULL - is not working,
what the right syntax fore address is not free condition?
You need to use Device Address Is NOT NULL, there is an condition called "is" and NOT NULL is available in the drop down.
I originally thought you were trying to track only IP addresses. But if you are doing Device tracking that can be much trickier, and it involves some advance content which I recommend you request a PS engagement to get right.
You could do this use case several ways, such as looking at your Device Status Monitoring Events vs looking at all the events, look to match hostnames instead of IPs since servers can have multiple NICs installed.
Have an ActiveList of all known devices setting the TTL to 15min. When the event drops off you have a rule fire on activeList expire event, and add that device to a separate list of devices that are not reporting. You can have the contents of this list set as a dashboard or something to have a constant view on, or you can alert on it, but I don't recommend it, since you might get flooded with alerts for something like network maintenance. You then have a rule that checks incoming events and if the device that is in the "device not reporting AL" is seen again, which then removes it from the "device not reporting AL" and adds it back to "current devices AL"
Done correctly you shouldn't have more than say 20,000 partial matches. I am sure you can see from my description, that this content can get very very tricky fast, and I def recommend a short PS enangment to help you get this right, otherwise it can seriously bog down your system to a crawl. Which version of ESM are you on?
i use 5.2 ver
of course, i planning use not only IP to identification of device, i only testing rules syntax
next step will be more filds active list.
I think use 3 of them
1)static, imported from cvs - registering devices
2)dynamic by 30 min lifetime - reporting devices from rule
3)differential 1&2 - unknown reporting devices
and use list 3 fore search undocumented devices
IMHO it is fore short time, after i think use assets
asset modelling is another way to do it. The only downside is that it can be difficult to maintain your asset model over time. I still recommend a PS engagement to help figure out what is best for you and your environment.
Have you tried looking for Connector Device Status events (deviceEventClassId=agent:43)?
The frequency of reporting is configurable in the connector, you get the Total Events SLC (Since Last Count/Check/Connect?) and the Source or Target is the Device Itself.
You get to add a device to an AC for all reporting devices or just those where the count is 0 for non reporting devices.