
Rule Question

Greetings all, need some education here if someone can help out. Let me begin by setting up the scenario. I have a filter set up that looks for any traffic in our firewall logs going to a specific port number, on a specific target IP. When this SINGLE event happens, I want to be notified. However, I only want to know about the first event that occurs in an 8 hour window. So when that 8 hour window expires, if there is still traffic going to that target host and the specific target port, I want to get notified again. Is it as simple as modifying the settings under the Aggregation tab of my rule? Setting # of matches = 1 and my Time Frame = 8 hours? Then I set my SendtoNotify to trigger only on FirstEvent? I still have trouble sometimes trying to make sense of the Aggregation tab and what all it will do. Hope I've explained this well enough, thanks for any help.

RE: Rule Question

I would recommend that you set your aggregation time window to 8 hours, then put your actions on first event and on time unit, setting the time unit to 8 hours as well. This will notify you the first time you receive an event and every 8 hours after where you still receive events. Typically 8 hours is a long time window, but it sounds like this event doesn't occur too often, so you shouldn't be holding on to very many events in memory. Hope this helps -colby

RE: Rule Question

So what exactly does the aggregation time frame do then? I'm so confused as to what exactly "aggregation" means. Maybe I'm just missing something...

RE: Rule Question

Think of the aggregation time as a sliding window. When you haven't received a matching event for that amount of time, the window expires.

RE: Rule Question

So what happens if an event is received 3 hours later, after the first event? Does the "sliding" aggregation time window (8 hours) reset and start counting the 8 hours from the latest event? i.e. Receive first event at 2:00pm. 8 hour time window starts. Receive next event at 5:00pm. Is my aggregate at 5 hours or reset to 8? Thx!

RE: Rule Question

I suppose you could say reset, so if you receive the first event at 2pm your sliding time window starts. At 10pm, if you DIDN'T receive another event, the one from 2 would fall off the back end of the window and the Time Window would expire. If you received another event at 5, the time window would not expire until 1am, provided you didn't receive another matching event within that time range. Does that help? -colby
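The sliding-window behaviour described in the replies above (window opens on the first matching event, expires once no matching event has arrived for the full aggregation time, and a "time unit" action fires every 8 hours while matches keep coming) can be simulated in a few lines. The following is an added illustration, not ArcSight's own rule engine or any code from this thread; the log format, the target host 10.0.0.5, the port 3389 and the timestamps are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample firewall log lines (not from the thread).
# Format: "<date> <time> <src-ip> <dst-ip>:<dst-port> <action>"
SAMPLE_LOG = """\
2023-01-10 14:00:00 10.1.1.20 10.0.0.5:3389 allow
2023-01-10 14:05:00 10.1.1.21 10.0.0.5:443 allow
2023-01-10 17:00:00 10.1.1.20 10.0.0.5:3389 allow
2023-01-10 22:30:00 10.1.1.22 10.0.0.5:3389 allow
2023-01-11 09:00:00 10.1.1.20 10.0.0.5:3389 allow
2023-01-11 09:30:00 10.1.1.20 10.0.0.9:3389 allow
"""

# Assumed rule filter: traffic to one target host on one target port.
TARGET_IP = "10.0.0.5"
TARGET_PORT = 3389


def parse_events(text):
    """Turn the constructed log lines into (timestamp, src, dst_ip, dst_port, action) tuples."""
    events = []
    for line in text.splitlines():
        date, clock, src, dst, action = line.split()
        dst_ip, dst_port = dst.rsplit(":", 1)
        ts = datetime.fromisoformat(f"{date} {clock}")
        events.append((ts, src, dst_ip, int(dst_port), action))
    return events


def matches(event):
    """The rule's filter condition: destination host and port both match."""
    _, _, dst_ip, dst_port, _ = event
    return dst_ip == TARGET_IP and dst_port == TARGET_PORT


def aggregate(events, window=timedelta(hours=8), time_unit=timedelta(hours=8)):
    """Simplified model of the aggregation described in the thread.

    - A window opens on the first matching event and fires the 'first_event' action.
    - Each further match extends the window; the window expires only when the gap
      since the last match exceeds `window` (the sliding behaviour colby describes).
    - While the window stays open, a 'time_unit' action fires on the first match
      that arrives at least `time_unit` after the previous notification.
    Returns the list of (timestamp, action) notifications that would be sent.
    """
    notifications = []
    last_event = None   # time of the most recent match in the open window
    last_notify = None  # time of the most recent notification in the open window
    for event in sorted(events):
        if not matches(event):
            continue  # non-matching events never touch the window
        ts = event[0]
        if last_event is None or ts - last_event > window:
            # No open window (or the previous one expired): start a new one.
            notifications.append((ts, "first_event"))
            last_notify = ts
        elif ts - last_notify >= time_unit:
            # Still inside the window, and a full time unit has elapsed since
            # the last notification, so the on-time-unit action fires again.
            notifications.append((ts, "time_unit"))
            last_notify = ts
        last_event = ts
    return notifications


def run_sample():
    """Run the simulation over the constructed log and return printable results."""
    return [(ts.isoformat(sep=" "), action)
            for ts, action in aggregate(parse_events(SAMPLE_LOG))]


if __name__ == "__main__":
    for when, action in run_sample():
        print(when, action)
```

With the constructed log, the 14:00 event opens the window and notifies; 17:00 is inside the window and is silent; 22:30 is still inside the window (5.5 hours after the last match) but 8.5 hours after the last notification, so the time-unit action fires; the next morning's 09:00 event arrives more than 8 hours after 22:30, so the old window has expired and it is reported as a new first event. The 443 and 10.0.0.9 lines never match the filter and do not affect the window.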

RE: Rule Question

Crystal clear. Thanks so much for the clarification. I hope it served some of the others as well. Thanks again!