Testing Rules

This information applies to standard rules.

You can test standard rules against copies of active channels to check that the conditions logic is valid, verify that rules are triggered by the events they are supposed to capture, and confirm that they generate correlated events as expected.

The ArcSight Console provides two different ways of getting to tools for testing and verifying rules against events before deploying the rules in real time: from the rule editor and from the navigation tree.

These options are somewhat similar. They differ in the navigation paths used to select or set up the channels and, more importantly, in scope: from the rule editor you can test only the selected rule, but from the navigation tree you can test several selected rules or rule groups.

Note: Only rules deployed in Real-time Rules act on live events and show up in a live channel when they are triggered. For more information, see Deploying Real-time Rules.

Where: Navigator > Resources > Rules

To test a rule from the rule editor:

  1. Right-click the rule and select Edit Rule to open the Rule editor for that rule in the Inspect/Edit panel.

  2. Click Test.

    This opens the Test Rule dialog where you can choose an existing active channel or create a new channel in which to verify the rule.

  3. Select either New Active Channel or Select an Active Channel depending on whether you want to test the rule in a new or existing channel. If you need more help on setting up channels, see Creating or Editing an Active Channel.

    You can set override channel filters on either a new or existing active channel.

    If you choose Select an Active Channel (which means you are opting to use an existing channel rather than create a new one), a browser displays the Active Channels resource tree for you to select the active channel.

  4. Click OK.

The channel is displayed in the Viewer panel.

To show rule errors:

If rules have errors, the rule icon on the Navigator changes to indicate the error.

In the Rules resource tree, right-click the rule-error icon and select Show Error. The error is described in a dialog box.