This topic applies to standard rules.
Purpose: To catch an event that you expect to happen as part of a sequence of events, but that does not happen after all. You do this by negating the expected event in the rule's Conditions tab.
Negated events depend upon other events that have happened. For purposes of discussion, let us refer to these events that happen as positive events.
Where: Navigator > Resources > Rules
Prerequisite:
The rule must have two or more event conditions, so that you can negate at least one. To create event conditions, see Creating or Editing Rules.
Scenario 1: Monitoring past events to catch a non-occurring event
This scenario shows two expected events that must appear in sequence.
Someone physically accesses a system (in the rule, call it the BadgeScan event).
Someone accesses an application (in the rule, call it the Login event).
Your rule conditions specify that BadgeScan must occur before Login. You want the rule to trigger if these events are not received in that sequence. In this case, you negate the BadgeScan event. Both events must have occurred (they are past events) before the rule triggers.
Scenario 2: Monitoring a future non-occurring event
In this scenario, you negate a future event condition. For example, consider this sequence of events you want to monitor:
A server reboots (ServerReboot event).
The server successfully comes up and is available again (ServerUp event).
If the server does not come up, you want to be notified.
In this case, you will negate the ServerUp event condition so that the rule is triggered if that event is not received (the server does not come up from a reboot) on the same device.
A time out property is used in conjunction with negating an event condition. If the negated event is not received within the specified timeout, then the rule is triggered. For example, you can configure your rule to notify you if a server that reboots does not start up successfully.
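The logic of Scenario 2, sketched in Python as an added illustration (this is not product code and does not reproduce the rules engine): a positive ServerReboot event opens a window, and an alert is raised only when no ServerUp arrives from the same device before the timeout expires. The event tuples, device names, the inclusive window boundaries, and the function name missing_followups are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events (timestamp, device, event name); not real log data.
T0 = datetime(2024, 1, 1, 12, 0)
SAMPLE_EVENTS = [
    (T0,                         "srv-a", "ServerReboot"),
    (T0 + timedelta(minutes=1),  "srv-b", "ServerReboot"),
    (T0 + timedelta(minutes=2),  "srv-a", "ServerUp"),      # within the timeout
    (T0 + timedelta(minutes=3),  "srv-c", "ServerReboot"),
    (T0 + timedelta(minutes=4),  "srv-e", "ServerUp"),      # different device
    (T0 + timedelta(minutes=9),  "srv-b", "ServerUp"),      # after the timeout
    (T0 + timedelta(minutes=10), "srv-d", "ServerReboot"),
]


def missing_followups(events, positive, negated, timeout, now):
    """Return (device, positive_time) pairs for which the negated event was
    not received from the same device within `timeout` of the positive event.
    """
    alerts = []
    for ts, device, name in events:
        if name != positive:
            continue
        deadline = ts + timeout
        if now < deadline:
            # The window is still open, so absence is not yet established.
            continue
        seen = any(
            d == device and n == negated and ts <= t <= deadline
            for t, d, n in events
        )
        if not seen:
            alerts.append((device, ts))
    return sorted(alerts, key=lambda a: a[1])


if __name__ == "__main__":
    now = T0 + timedelta(minutes=12)
    for device, ts in missing_followups(
        SAMPLE_EVENTS, "ServerReboot", "ServerUp", timedelta(minutes=5), now
    ):
        print(f"{device}: no ServerUp within 5m of reboot at {ts:%H:%M}")
```

At 12 minutes past T0 the sketch reports srv-b (ServerUp arrived late) and srv-c (no ServerUp from that device), but not srv-d, whose five-minute window has not yet elapsed.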
To negate event conditions:
Right-click a standard rule and select Edit Rule.
In the Rules Editor, select the Conditions tab.
Right-click the event alias of interest and select Negated.
Right-click the negated event alias and select Set Negated Alias Timeout.
In the popup, enter a time out value in seconds, minutes, or hours.
Time Out is the amount of time to wait between the occurrence of the positive event and the non-occurrence of the negated event, after which the rule is triggered. This value is required.
Time out setting in Aggregation Time Criteria.
On the Conditions tab, the negated event is preceded by an exclamation point (!) and the time out period appears next to the event. The following example shows a five-minute time out period.
!<EventAliasName> (Time Out: 5m)
To remove the Negated flag, right-click the negated event and select Negated again.
See also Logical Operators, Condition Tree Command Buttons, Condition Tree Context Menu Commands, Common Conditions Editor (CCE), and Adding Conditions.