Anyone able to help me find out why?
The rule in question is "Privileged Group Modified".
I created a filter looking for 4 specific event ids within Windows Events. Verified said filter with an open channel for entries. I then created a rule that matches this filter and filters even further for specific entries. If a specific entry is found the action is to send a notification to me. Pretty simple but for some reason I always get 2.
All my other rules/notifications work without issue so I'm baffled why this one is acting this way. Any help would be greatly appreciated.
Leprechauns!!!!! it has to be.
I hadn't received a notification for quite some time. And after going through a bajillion things and verifying every known setting, even the kitchen sink, I decided to give the rule another test. Would you believe I'm now receiving just a single email.
I got nothing. Maybe it fixed itself. Maybe something wasn't committed/applied and now is. ?!?!?!
But since it's working this case is now closed.
We had a similar situation in the past. Usually it happens when a rule is modified and is triggered shortly after that.
The ESM keeps the cached original rule and the new version of the rule for some time; HP support confirmed it. The old version of the rule will be collected by a "garbage collector" later.
Solutions are pretty simple (sorted in order of increasing complexity):
1. Disable/enable rule OR
2. Remove rule from the "real-time" folder and then redeploy as real-time rule OR
3. Completely delete and re-create it (you can use a package to simplify your life) OR
4. Shut down the ESM Manager, clear the rules cache (documented procedure) and start the ESM Manager; it will recreate the real-time rules.
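A small model of the failure mode described in this answer, added here as an illustration and not ArcSight code: an edited real-time rule leaves its old version in the cache, so one matching event fires both versions and produces two notifications until the stale copy is collected. The four Windows event IDs and the privileged group names are assumptions, since the thread does not list them.

```python
from dataclasses import dataclass, field

# Assumed filter: member added to a security-enabled group (global, local,
# universal) or a local group changed.  The thread does not name its four IDs.
PRIV_GROUP_EVENT_IDS = {4728, 4732, 4756, 4735}
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators"}  # assumed


@dataclass(frozen=True)
class Rule:
    name: str
    version: int  # bumped on every edit of the rule in the console

    def matches(self, event: dict) -> bool:
        return (event["event_id"] in PRIV_GROUP_EVENT_IDS
                and event.get("group") in PRIVILEGED_GROUPS)


@dataclass
class RuleCache:
    """Real-time rule cache: an edit appends the new version, the old one
    stays until the garbage collector removes it (the behaviour HP confirmed)."""
    rules: list = field(default_factory=list)

    def deploy(self, rule: Rule) -> None:
        self.rules.append(rule)  # no replacement of the same-named rule

    def stale_versions(self) -> list:
        latest = {}
        for r in self.rules:
            latest[r.name] = max(latest.get(r.name, 0), r.version)
        return [r for r in self.rules if r.version < latest[r.name]]

    def garbage_collect(self) -> None:
        for r in self.stale_versions():
            self.rules.remove(r)

    def notify(self, events: list) -> list:
        """One notification per (rule version, event) match."""
        return [(r.name, r.version, e["event_id"])
                for e in events for r in self.rules if r.matches(e)]


# Constructed sample events: one privileged-group change, one unrelated logon.
SAMPLE_EVENTS = [{"event_id": 4728, "group": "Domain Admins", "member": "jdoe"},
                 {"event_id": 4624, "group": None}]


def demo() -> tuple:
    cache = RuleCache()
    cache.deploy(Rule("Privileged Group Modified", 1))
    cache.deploy(Rule("Privileged Group Modified", 2))  # edited shortly after
    doubled = len(cache.notify(SAMPLE_EVENTS))   # 2: both versions fire
    cache.garbage_collect()                       # or disable/enable, redeploy
    single = len(cache.notify(SAMPLE_EVENTS))    # 1: only version 2 remains
    return doubled, single
```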