Join Rule Partial Matches Issue
I seem to need help in regards to a new rule we created, "Juniper -
VPN Logon". It joins 2 login events from Juniper (Pulse Secure) together to record all of
the useful fields we need for a session list. The problem is that it doesn't
seem to release previous matches and builds up to over 10k partial matches
every 48 hours.
Disabling the rule and then enabling temporarily corrects that problem for
another 48 hours when partial matches once again exceed the threshold.
The very odd part is that this rule doesn't show up as matching 10k times on
the Partial Matches Per Rule data monitor, however it writes the threshold
into rule error logs.
I have played with the join rule conditions, expiration and "consume after
match"; according to the documentation these should all release matches out
of the rule engine, but it doesn't seem to be working.
Has anyone had similar issues before?
Ideally, combining the multiple Pulse events which provide information for a single logon would be done at the connector level using multi-line parsing. Unfortunately the ArcSight smart connector does not do that… Time for a flex?
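As an added illustration (not from the original thread and not ArcSight's own join logic), a toy two-event join over constructed Pulse Secure style events shows how half-matches accumulate when they are neither expired nor consumed. The field names and the per-user join key are assumptions.

```python
# Constructed sample events: (timestamp_s, kind, fields). Field names and the
# user-based join key are hypothetical; real Pulse Secure events differ.
EVENTS = [
    (0, "auth", {"user": "alice", "src_ip": "203.0.113.5"}),
    (2, "assign", {"user": "alice", "assigned_ip": "10.8.0.10"}),
    (5, "auth", {"user": "bob", "src_ip": "203.0.113.9"}),    # never completed
    (7, "auth", {"user": "carol", "src_ip": "198.51.100.3"}),
    (9, "assign", {"user": "carol", "assigned_ip": "10.8.0.11"}),
    (400, "auth", {"user": "dave", "src_ip": "198.51.100.7"}),
]

def run_join(events, expire_s=None, consume=True):
    """Join an 'auth' event with a later 'assign' event for the same user.
    Returns (sessions, peak_partials, partials_left). Partial matches are the
    first halves still waiting in memory; they grow unbounded unless a window
    (expire_s) drops stale ones and consume=True removes matched ones."""
    partials = {}              # user -> (ts, fields) awaiting its second half
    sessions, peak = [], 0
    for ts, kind, f in events:
        if expire_s is not None:   # expire half-matches older than the window
            stale = [u for u, (t, _) in partials.items() if ts - t > expire_s]
            for u in stale:
                del partials[u]
        if kind == "auth":
            partials[f["user"]] = (ts, f)
        elif kind == "assign" and f["user"] in partials:
            t0, first = partials[f["user"]]
            sessions.append({**first, **f, "logon_ts": t0})  # session record
            if consume:            # release the matched half from the engine
                del partials[f["user"]]
        peak = max(peak, len(partials))
    return sessions, peak, len(partials)

if __name__ == "__main__":
    for kwargs in ({}, {"expire_s": 60}, {"consume": False}):
        sessions, peak, left = run_join(EVENTS, **kwargs)
        print(kwargs, "sessions:", len(sessions), "peak:", peak, "left:", left)
```

With no expiration the incomplete "bob" half never leaves; with consume disabled even completed halves stay, so the partial count climbs with every logon.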