Why is my rule looping?

So I'm learning how to create rules and lists. I've been reading about both and learning how to create them. I am running ESM 4.0 sp3 and the help file that comes with ArcSight has a sample to create under the heading "Session Correlation". I've created the rule and the session list and it works. It's correlating. However, it is looping and eventually stopping. I don't see where I can fix it.

Accepted Solutions
Established Member..

Ahh, I see the problem - it's firing off itself. It's aggregating the 3 fields it's triggering on and creating its own events.

Add this in to the rule:

Type != Correlation

Is this what you're looking at?

session_example_login_rule_conditions.gif

Message was edited by: chrisb

14 Replies
Established Member..

Your rule should lay off the drugs then!

Can you post a screenshot of your rule? We don't have a lot to work with.

Absent Member.

Can't provide screenshots due to the nature of our system. The rule and session list I created are exactly like the ones in the Help File for ESM 4.0 sp3. Not sure if you have access to that help file. You may or may not be running that version. Your help file may have the same set of instructions.

Absent Member.

I haven't looked up the help file, but try adding something like

Agent Name != Manager Internal Agent

What might be happening is your rule is firing on the event generated by the rule because of the fields you have set in your aggregation. For example, if your rule is looking for just sourceAddress = 1.2.3.4 and you are aggregating on sourceAddress, the event created will have sourceAddress = 1.2.3.4. Not knowing any better, your rule fires again. If that ultimately is the issue, there are a couple of ways around this. What I have done is create a filter called "ArcSight Events" that is just agentName = Manager Internal Agent. Then in just about all my rules I have the following conditions:

And
  <detect badness>
  !=
     matchesFilter = ArcSight Events

Absent Member.

I am looking into my crystal ball and suspect your next major issue will be you are trying to create custom email notifications and you are getting your ArcSight server information in the event vs the "correct" source or destination info. This issue is tied to your looping problem in that notifications are based on the rule fired event vs the base event. You will need to aggregate the fields you want to show up in the notification. Many rules that start out good can get into a looping state when you go down this path if you haven't taken steps to avoid recursion. 

Don't worry - we've all been there. Well, at least I have lol.

Established Member..

Anyone here who says he/she hasn't either hasn't developed a rule or is lying.

Absent Member.

It seems to be working. I'll check again tomorrow morning first thing and post the results.

I want to see if I'm getting this right. By adding Type != Correlation the rule is now skipping over correlated events. If I understand this correctly, the rule was correlating correlated events, creating a loop?

Absent Member.

Yep. Remember the rule looks for anything that meets the criteria you specify.

Established Member..

Yep, that's exactly it. The rule would fire after seeing the three fields and create an event that populated those three fields, so then the rule would fire again, and so on. So each time a REAL event occurred, it just added one more into the loop.

I add that to all my rules unless for some reason I want to look at the correlated events. Luckily AS is smart enough to kill the rule when it sees that happen.

Another tip when building a new rule is to create an active channel looking for events named "Excessive Rule Recursion" or "Rule Matching Too Many Events". The recursion one is what you would see from the loop, and the too many events one explains itself.

Absent Member.

It was definitely the answer. The rule is running smoothly. Now to start creating some that pertain to our environment. Thanks again.

Absent Member.

Something you might want to try: instead of using "type != correlation" you could use "generator name != (your rule's name)".

When doing this your rule would no longer trigger on itself, but would still be able to trigger off the output of other rules. Some people need their rules to process other correlated events; this is how you might address that. If that is the case for you, you could either specify that it not trigger on itself, or you would specify only the generators that it is allowed to trigger off of.

Either way, it will stop looping.

**Be aware that using the above will stop your rule from triggering on itself, but there is a distant possibility that it could still cause a loop if you have multiple rules watching for the identical conditions and aggregating the same way** (i.e. rule A will trigger, rule B will trigger off of A, rule A will trigger off of B, rule B will trigger off of rule A...)

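The recursion the thread describes, and the two guards suggested in it, can be shown with a small simulation. This is an added illustration, not ArcSight code or anything from the posters: the event/rule classes, the `sourceAddress = 1.2.3.4` condition aggregating on `sourceAddress`, the base events and the `MAX_DEPTH` recursion cap standing in for the manager's "Excessive Rule Recursion" kill are all constructed. It covers the accepted `Type != Correlation` fix, the `Generator Name != <own rule>` variant from the last reply, and the rule A / rule B mutual loop that reply warns about.

```python
"""Toy model of correlation-rule recursion in a SIEM (constructed illustration,
not ArcSight code). Each rule fires on events that match its condition and
emits a new 'Correlation' event carrying only the aggregated fields; the
manager feeds that event back through the rules, which is how a rule that
matches its own output ends up in a loop."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Event:
    name: str
    type: str                      # "Base" or "Correlation"
    generator: Optional[str]       # rule that produced it; None for base events
    fields: Dict[str, str]
    depth: int = 0                 # how many rule firings led to this event


@dataclass
class Rule:
    name: str
    condition: Callable[[Event], bool]
    aggregate: List[str]           # fields copied into the correlation event

    def fire(self, ev: Event) -> Event:
        # The correlation event carries only the aggregated fields, which is
        # exactly why it can satisfy the same condition that triggered it.
        return Event(name=self.name, type="Correlation", generator=self.name,
                     fields={k: ev.fields[k] for k in self.aggregate if k in ev.fields},
                     depth=ev.depth + 1)


# Constructed stand-in for the manager's recursion limit ("Excessive Rule Recursion").
MAX_DEPTH = 20


def run(rules: List[Rule], base_events: List[Event]) -> Tuple[Dict[str, int], Set[str]]:
    """Process base events and re-inject every correlation event. Returns the
    number of times each rule fired and the set of rules killed for recursion."""
    fires = {r.name: 0 for r in rules}
    killed: Set[str] = set()
    queue = list(base_events)
    while queue:
        ev = queue.pop(0)
        for rule in rules:
            if rule.name in killed or not rule.condition(ev):
                continue
            fires[rule.name] += 1
            out = rule.fire(ev)
            if out.depth > MAX_DEPTH:
                killed.add(rule.name)      # manager kills the runaway rule
            else:
                queue.append(out)          # rule output is fed back through the rules
    return fires, killed


def make_rule(name: str, guard: Callable[[Event], bool]) -> Rule:
    """'Detect badness' condition from the thread (sourceAddress = 1.2.3.4),
    ANDed with an extra guard, aggregating on the very field it matches."""
    return Rule(name=name,
                condition=lambda ev: ev.fields.get("sourceAddress") == "1.2.3.4" and guard(ev),
                aggregate=["sourceAddress"])


# Constructed base events: one that matches the condition, one that does not.
BASE_EVENTS = [
    Event("Login", "Base", None, {"sourceAddress": "1.2.3.4"}),
    Event("Login", "Base", None, {"sourceAddress": "10.0.0.9"}),
]


def scenario_naive():
    """No guard: the rule matches its own output until the manager kills it."""
    return run([make_rule("naive", lambda ev: True)], BASE_EVENTS)


def scenario_type_guard():
    """Type != Correlation: fires once per real event, never on rule output."""
    return run([make_rule("guarded", lambda ev: ev.type != "Correlation")], BASE_EVENTS)


def scenario_generator_guard():
    """Generator Name != <own name>: still consumes another rule's output."""
    return run([make_rule("upstream", lambda ev: ev.type != "Correlation"),
                make_rule("downstream", lambda ev: ev.generator != "downstream")], BASE_EVENTS)


def scenario_mutual_loop():
    """Two rules that each exclude only themselves loop through each other."""
    return run([make_rule("A", lambda ev: ev.generator != "A"),
                make_rule("B", lambda ev: ev.generator != "B")], BASE_EVENTS)


if __name__ == "__main__":
    for scenario in (scenario_naive, scenario_type_guard, scenario_generator_guard, scenario_mutual_loop):
        print(scenario.__name__, *scenario())
```

The naive rule fires once per recursion level until the cap trips, the `Type != Correlation` rule fires exactly once for the single matching base event, the generator-name guard fires on the base event and once more on the upstream rule's output without looping, and the A/B pair each get killed because every A event satisfies B and every B event satisfies A.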