
Join rule with negated event


Hello,

I want to deploy a rule to catch all systems that shut down the event logger and then do not reboot.

My approach:

I am looking for Windows events with ID 1100, 1108 and 4608.

I have a joined rule. The rule is looking for two events.

The first event is looking for the Windows event with the ID 1100 or 1108. It comes up when the event logger shuts down.

The second event is looking for the Windows event with the ID 4608. Windows is starting up.

The second event is negated and has a negated timeout expiration value of 20 minutes.

But the rule never triggers.
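
The correlation described in the post above (a logger-stop event with no startup event from the same system inside the timeout), written out as an added Python example; it is not part of the original thread and is not ArcSight rule syntax. Joining the two events on host name, the sample events and the function names are assumptions.

```python
from datetime import datetime, timedelta

STOP_IDS = {1100, 1108}            # event logger shut down (IDs from the post)
STARTUP_ID = 4608                  # Windows is starting up (ID from the post)
TIMEOUT = timedelta(minutes=20)    # negated timeout value from the post
FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data: (timestamp, host, Windows event ID)
SAMPLE_EVENTS = [
    ("2015-11-10 15:00:00", "srv-a", 1100),
    ("2015-11-10 15:02:00", "srv-b", 1100),
    ("2015-11-10 15:05:00", "srv-a", 4608),  # srv-a restarted in time
    ("2015-11-10 15:10:00", "srv-c", 1108),  # srv-c never restarts
    ("2015-11-10 15:40:00", "srv-b", 4608),  # too late: 38 minutes after the stop
    ("2015-11-10 15:41:00", "srv-d", 1100),  # window may still be open at `now`
]

def logger_stops_without_reboot(events, now, timeout=TIMEOUT):
    """Return [(host, stop_time)] for stops with no 4608 from the same host in time."""
    pending, alerts = {}, []       # pending: host -> first unanswered stop time

    def expire(current):
        # Fire for every host whose timeout window closed before `current`.
        for host, stopped in list(pending.items()):
            if current > stopped + timeout:
                alerts.append((host, stopped))
                del pending[host]

    parsed = sorted((datetime.strptime(t, FMT), h, e) for t, h, e in events)
    for ts, host, eid in parsed:
        expire(ts)                 # the absence of an event is only known once time passes
        if eid in STOP_IDS:
            pending.setdefault(host, ts)
        elif eid == STARTUP_ID:
            pending.pop(host, None)  # startup seen inside the window: no alert
    expire(now)                    # windows that closed after the last event
    return alerts

def alerted_hosts(now_text):
    now = datetime.strptime(now_text, FMT)
    return [host for host, _ in logger_stops_without_reboot(SAMPLE_EVENTS, now)]

if __name__ == "__main__":
    print(alerted_hosts("2015-11-10 16:00:00"))
```

The stop event has to be held until its window closes, and the alert fires on the passage of time rather than on the arrival of a second event.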


Accepted Solutions

Re: Join rule with negated event


Thank you for the reply.

I think I have found a solution. At least it is working in a test environment.

Bildschirmfoto 2015-11-10 um 15.40.20.png


Re: Join rule with negated event


Can you provide a screenshot showing what your Conditions tab looks like?


Re: Join rule with negated event


Hi, may I know what your parameters are for the "Aggregation" tab? I have a similar situation, but what I want to know is how to set event1 to stay in memory until event2 happens.


Re: Join rule with negated event


Rule_TC_OS_Windows_Start-Stop_Aggregation2.PNG

Rule_TC_OS_Windows_Start-Stop_Aggregation1.PNG

In the production environment it is working.

Now I tested it in the test environment again and it's not working because of an error message.

Bildschirmfoto 2015-12-02 um 17.25.38.png


Re: Join rule with negated event


My comment would be that instead of setting event1.External ID as unique, you can set it in the "Conditions" tab:

Capture.JPG

By the way, do you have any idea what can make event1 stay in the buffer as long as it meets event2? I'm struggling with this lol.
