manuel.g Contributor.

Both events from a join rule in one active list


Hello guys,

I have a join rule which fires if an event goes unblocked through the IPS and the firewall outside of the DMZ. I want to write an email and an entry in an active list. When the rule fires, only the event of the firewall ($FW.deviceHostName) is written to the active list, but not that of the IPS ($IPS.deviceHostName). Please take a look at the attachments.

Thanks.


Accepted Solutions
dkeller Outstanding Contributor.

Re: Both events from a join rule in one active list


Since the correlation rule has only one deviceHostName field, you will have to split the deviceHostName field of one of the base events to another field and write that to the AL.

The way to do that is to create a Velocity template variable (myVar) with the value $deviceHostName, and assign this variable to a string field, e.g. deviceCustomString1=$myVar.

Aggregate on the deviceHostName field of one of the base events, e.g. FW.deviceHostName, and on the variable of the other base event, e.g. IPS.myVar, and on the field you are assigning the variable to, e.g. IPS.deviceCustomString1.

The FW event deviceHostName will be in the deviceHostName field of the correlation event and the IPS deviceHostName will be in deviceCustomString1 of the correlation event. Use these fields to write to the AL.

HTH,

Doron

Message was edited by: Doron Keller

manuel.g Contributor.

Re: Both events from a join rule in one active list

Thank you, it works