Vice Admiral

Join Rule Partial Matches Issue

I seem to need help in regard to a new rule we created, "Juniper - VPN Logon". It joins 2 login events from Juniper (Pulse Secure) together to record all of the useful fields we need for a session list. The problem is that it doesn't seem to release previous matches and builds up to over 10k partial matches every 48 hours.

Disabling the rule and then enabling temporarily corrects that problem for another 48 hours when partial matches once again exceed the threshold.

The very odd part is that this rule doesn't show up as matching 10k times on the Partial Matches Per Rule data monitor; however, it writes the threshold into rule error logs.

I have played with the join rule conditions, expiration and "consume after match". According to the documentation, these should all release matches out of the rule engine, but it doesn't seem to be working.

Anyone have similar issues before?

1 Reply
Fleet Admiral

Ideally combining the multiple Pulse events which provide information for a single logon would be done at the connector level using multi-line parsing. Unfortunately the ArcSight smart connector does not do that…. Time for a flex?
