Open topic with navigation

Creating Rule Conditions

Purpose: To continue the process of creating or editing a rule.

The rule's Conditions tab provides a default event alias, event1, which you edit and to which you add condition statements for evaluation.

Note: Standard rules can have multiple event conditions. Lightweight and pre-persistence rules are limited to only one condition.

Where: Navigator > Resources > Rules

To specify rule conditions:

  1. In the Rules Editor, select the Conditions tab.

  2. To edit the event alias (change its default name), right-click event1 and select Edit. Enter a new name for the event alias in the text field and click OK.

    Because rules can monitor numerous events, aliases should be unique and descriptive. For example, if monitoring Cisco Router denied events, Cisco Router denied could be the alias name. The name appears as a branch under the Event conditions tree.

  3. To add a condition statement to the event alias using the Common Conditions Editor table (usage rules and features of this editor are described in Common Conditions Editor (CCE)):

    1. Locate the event name you want to use in the condition statement.

    2. Select the logical operator (for example, =) to be used for comparing values. If you need help, see Logical Operators for descriptions.

    3. Select the value from the drop-down list under the Condition column to use as the basis for comparison.

      Note: If you want to use a global variable to set a value for the condition statement, click the +/- Global Variables button and then choose the global variable from the resource selector popup. The selected global variable will be added to the Common Conditions Editor table at the bottom of the Edit panel. See Global Variables for more information.

  4. To add resource-specific condition statements, see:

  5. For standard rules only: To add more event aliases, select Event conditions and click the New Event Definition button; or right-click Event conditions and select New Event Definition. Enter an event name in the Alias text field and click OK.

    If you have more than one event alias, a Matching Event branch appears. This enables you to define a join relationship on the multiple event aliases. For more information on joining two events, see Creating Matching or Join Conditions.

    If you are working on a non-standard rule, you will not be able to save the rule if you have more than one event condition.

  6. On the Conditions tab, click Apply.

    The rule with the default threshold and action is created and listed in the Rules resource tree.

    Note: The rule conditions are shown on the rule's Notes tab for historical purposes. For imported rules or rules created in previous versions, the Notes tab is updated only when the conditions are edited after the import or after the upgrade.

For standard rules only, see Specifying Rule Thresholds and Aggregation for aggregation time-frame options.