Absent Member.

High level Partial matches per rule

Good time

I am writing a rule to collect the IPs of reporting devices (Device Address) into an Active List.

I use this filter:

event1 :
( Type = Base AND ( Agent Address = X.X.X.X OR Agent Address = Y.Y.Y.Y ) AND Device Address != 0.0.0.0 AND Category Significance = /Normal )


X.X.X.X, Y.Y.Y.Y are the addresses of the connector servers.

For aggregation I use 1 match per 1 second.

Action: On first event

Partial matches per rule is more than 1,500,000 per 10 minutes.

Maybe I am using the wrong conditions?

Commodore

You might want to put a not InActiveList condition in there so the rule fires only when the IP is not on the list... This should decrease partial matches...

At least that's what we did...

Also this is a good candidate for a lightweight rule as one doesn't want correlation events here.

Joachim

Absent Member.

For a not-in-Active-List condition, I need an Active List with all IPs of reporting devices as a reference.

Or do you mean recursively in the rule?

When the rule tests the IP of the reporting device against the Reportng_IP Active List, and if it is not present, adds the IP to the Reportng_IP Active List?

Commodore

You check in the Conditions tab whether the deviceAddress is already on the Active List you put it on in the Actions tab. So once an address has made it to the list, the rule will never fire again for events with that deviceAddress (unless the list is cleared).

Joachim

Absent Member.

Not working.

Lightweight rule

event1 :
NotInActiveList("Reporting_devices")


Action

on every Event

add to active list Reporting_devices


10 min: 1,033,124 partial matches

No firing.

Absent Member.

So I would do a few things with this rule:


**First- this will collect base and aggregated events

Type != Correlation

AND

**Second- use the In condition, it is less resource intensive

Agent Address In (xxx.xxx.xxx.xxx, yyy.yyy.yyy.yyy)

AND

**Third- I think this is what you were trying to do

Device Address Is NOT NULL

AND

Category Significance = /Normal


If you are trying to filter down based on which connector you are checking IPs for, then you can set a condition to look at only events coming from the xyz connector. From the Connectors screen, just right-click > Create Active Channel. You can then just copy and paste that condition into your rule to filter down to only events from that connector.


I always support lightweight rules, though I am hesitant to use inActiveList conditions because they can quickly become a huge burden on the system. If you do choose to use this, make sure your Active List is field-based with only one key field (IP address) for this case.


For aggregation, what is your system's average EPS?


Absent Member.

Thank you. I am not very happy to use the inActiveList condition, but I do not know another method to collect and control reporting devices.

Main task: a message if one of them has not sent anything for more than 15 min.

And if I have an undocumented reporting device (tested against a static active list, from CSV), another alarm fires.

P.S.


event1 :
( Type != Correlation AND NotInActiveList("Reporting_devices") AND Category Significance = /Normal AND Device Address != NULL )


Device Address != NULL is not working.

What is the right syntax for an "address is not empty" condition?

Absent Member.

You need to use Device Address Is NOT NULL; there is a condition called "Is", and NOT NULL is available in the drop-down.

I originally thought you were trying to track only IP addresses. But if you are doing device tracking, that can be much trickier, and it involves some advanced content, so I recommend you request a PS engagement to get it right.

You could do this use case several ways, such as looking at your Device Status Monitoring Events vs looking at all the events, look to match hostnames instead of IPs since servers can have multiple NICs installed.

Have an Active List of all known devices, setting the TTL to 15 min. When the event drops off, you have a rule fire on the active list expire event and add that device to a separate list of devices that are not reporting. You can have the contents of this list set as a dashboard or something to have a constant view on, or you can alert on it, but I don't recommend that, since you might get flooded with alerts for something like network maintenance. You then have a rule that checks incoming events, and if a device that is in the "device not reporting AL" is seen again, it removes it from the "device not reporting AL" and adds it back to the "current devices AL".

Done correctly, you shouldn't have more than, say, 20,000 partial matches. I am sure you can see from my description that this content can get very, very tricky fast, and I definitely recommend a short PS engagement to help you get this right; otherwise it can seriously bog down your system to a crawl. Which version of ESM are you on?

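The two designs discussed above, Joachim's NotInActiveList condition to cut partial matches and the 15-minute TTL list whose expiry feeds a "not reporting" list, as an added simulation in Python. This is example code written for this thread, not ArcSight/ESM code and not from any poster: the ActiveList class, the rule logic and the sample events are constructed for illustration, and the TTL model assumes the ESM behaviour that re-adding an existing entry refreshes its TTL.

```python
"""Constructed simulation of the active-list designs discussed in this thread.

Added example, not ArcSight/ESM code: a minimal model of an ESM active list
with a per-entry TTL, the lightweight "collect reporting devices" rule with
and without the NotInActiveList condition, and the 15-minute TTL design
where expiry feeds a "not reporting" list.
"""


class ActiveList:
    """Field-based active list with one key field and a TTL in seconds.

    Models the behaviour that matters here (an assumption about ESM):
    adding an existing key refreshes its TTL, and an entry drops off once
    the TTL has elapsed since its last add.
    """

    def __init__(self, ttl):
        self.ttl = ttl
        self.entries = {}  # key -> time of last add/refresh

    def contains(self, key):
        return key in self.entries

    def add(self, key, now):
        self.entries[key] = now

    def remove(self, key):
        self.entries.pop(key, None)

    def expire(self, now):
        """Drop and return every key whose TTL has elapsed at time `now`."""
        expired = [k for k, t in self.entries.items() if now - t > self.ttl]
        for k in expired:
            del self.entries[k]
        return expired


def count_partial_matches(events, use_not_in_list):
    """Replay (time, Device Address) events through the collection rule.

    Condition: Device Address != 0.0.0.0 [AND NotInActiveList("Reporting_devices")]
    Action:    add Device Address to Reporting_devices
    Every event for which the condition holds counts as one partial match.
    """
    reporting = ActiveList(ttl=float("inf"))  # no expiry for this rule
    partial_matches = 0
    for now, addr in events:
        if addr == "0.0.0.0":
            continue
        if use_not_in_list and reporting.contains(addr):
            continue  # already collected: the condition is false, no match
        partial_matches += 1
        reporting.add(addr, now)
    return partial_matches, sorted(reporting.entries)


def track_reporting(events, ttl=15 * 60):
    """The TTL design: every event refreshes the device in `current`;
    a device that expires from `current` is added to `not_reporting`;
    a device seen again is moved back from `not_reporting` to `current`.
    Returns the final lists and a log of (time, device) expiries."""
    current = ActiveList(ttl)
    not_reporting = ActiveList(ttl=float("inf"))
    expired_log = []
    for now, addr in events:
        for dev in current.expire(now):  # active-list expiry events
            not_reporting.add(dev, now)
            expired_log.append((now, dev))
        if addr == "0.0.0.0":
            continue
        if not_reporting.contains(addr):
            not_reporting.remove(addr)  # device is back
        current.add(addr, now)  # add or refresh keeps a live device alive
    return {
        "current": sorted(current.entries),
        "not_reporting": sorted(not_reporting.entries),
        "expired": expired_log,
    }


# Constructed sample events: (seconds since start, Device Address)
SAMPLE_EVENTS = [
    (0, "10.0.0.1"), (1, "10.0.0.2"), (1, "10.0.0.1"), (2, "0.0.0.0"),
    (3, "10.0.0.1"), (4, "10.0.0.3"), (5, "10.0.0.2"), (6, "10.0.0.1"),
]
TTL_EVENTS = [
    (0, "10.0.0.1"), (0, "10.0.0.2"), (600, "10.0.0.1"),
    (1000, "10.0.0.1"), (1400, "10.0.0.1"), (1700, "10.0.0.2"),
]

if __name__ == "__main__":
    print("without NotInActiveList:", count_partial_matches(SAMPLE_EVENTS, False))
    print("with NotInActiveList:   ", count_partial_matches(SAMPLE_EVENTS, True))
    print("TTL tracking:", track_reporting(TTL_EVENTS))
```

With the condition, only the first event from each device is a partial match; without it, every non-0.0.0.0 event is. The model also shows why the two designs cannot share one rule: the TTL list only stays current because every event refreshes the entry, so the rule that feeds it must fire on every event, and a rule carrying NotInActiveList would let a device that is still reporting age out after 15 minutes.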
Absent Member.

Thank you,

I use version 5.2.

Of course, I am planning to use not only the IP to identify a device; I am only testing the rule syntax.

The next step will be an active list with more fields.

I think I will use 3 of them:

1) static, imported from CSV: registered devices

2) dynamic, with a 30 min lifetime: reporting devices from the rule

3) the difference of 1 and 2: unknown reporting devices

and use list 3 to search for undocumented devices.

IMHO this is for the short term; afterwards I think I will use assets.

Absent Member.

Asset modelling is another way to do it. The only downside is that it can be difficult to maintain your asset model over time. I still recommend a PS engagement to help figure out what is best for you and your environment.

Absent Member.

Have you tried looking for Connector Device Status events (deviceEventClassId=agent:43)?

The frequency of reporting is configurable in the connector, you get the Total Events SLC (Since Last Count/Check/Connect?) and the Source or Target is the Device Itself.

You get to add a device to an AC for all reporting devices or just those where the count is 0 for non reporting devices.

Absent Member.

Not working.

Active channel with filter event1 :
Device Event Class ID = agent:43

Time: 1d

No data at all.
