
LEM: Common issues with Rules

Updated 12/7/2017

Overview

Learn more about common issues with Rules in Log and Event Manager (LEM).

Environment

  • All versions of LEM

Detail

Common issues with Rules

  • Rules trigger or fire excessively. If any rule triggers more than 200 or 300 times per day, it is considered excessive and can become a problem, because every trigger consumes CPU, memory, and disk resources.
  • Rules that are misconfigured and capture incorrect data, or no data at all, when tested. This is a logic problem and needs to be reviewed very closely: run the query from the rule and check that the event data it returns is what should trigger the rule to commit its action.
  • Rules with incorrect timing settings can use too many resources or fail to trigger. Any values set in the Correlation Time need to be checked to make sure the rule will actually trigger and perform the expected action on time without causing a performance issue. For more information, see the explanations below.

Rules settings

  • Number of Events

    If the number of events required within the time frame is set incorrectly, it can prevent the rule from triggering, and when the rule does trigger it commits its action only on the last received event. This means that if you set the number of events to 2 instead of 1 and the 2 events do not occur within 30 seconds, the rule does not commit the action; if they do, only the second event within those 30 seconds is recorded and processed from the events triggering the rule. All events before the final event work only as a counter: their information is not passed on to email, Incident Alert, or Inferred Alert actions.

  • Events Within

    Changing the Events Within value expands or contracts the time frame within which the events must occur to trigger the rule. Setting it too wide or too narrow can cause the rule not to trigger, or to stay open and consume resources. It is recommended not to go below 10 seconds, and in almost 100% of your rules the value should not go above 1-2 minutes. Some of our template rules do not follow this advice, but those are special situations that required a lot of testing to make sure they work correctly in the right circumstances; otherwise, our advice is to stick to the time frames mentioned above.

  • Response Window

    This setting tells LEM how long to wait for an event to cross the network from your devices before it gives up on triggering the rule.

    It is recommended never to change this setting unless you have a known network transfer timing issue. Most customers do not need to change it.

  • Other Correlation Time information

    Whenever a rule is set to correlate on more than 1 event, an option to Set Advanced Thresholds becomes available. This option lets the rule isolate the incoming event correlations further by subfield, such as EventName.Subfield. For example, if your rule is based on UserLogonFailure events, and you are basing the rule trigger on two Events Within 30 seconds with a Response Window of 5 minutes, you can click the gear icon at the top right of the Correlation Time box in the rule, select UserLogonFailure, and in the subfields select DestinationAccount. Then, in the dropdown options below, select either Same or Distinct. In this example, if you select Same, the rule triggers only if the same username fails to log in 2 times within 30 seconds. If you choose Distinct, every username must be a different one for the rule to trigger. The first option (Same) is usually the better pick when setting advanced thresholds. For more information on this topic, see Manage Rules.
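    To make the interaction of Number of Events, Events Within, Response Window and the Same/Distinct advanced threshold concrete, here is an added Python model of a correlation rule. It is an illustration written for this article, not LEM code or LEM's actual correlation engine; the Event, Rule, evaluate_rule and fires_per_day names, the response-window handling, and the sample UserLogonFailure events in demo() are all constructed assumptions. Only the final event of a qualifying burst is returned, matching the note above that earlier events serve only as a counter, and the "apart" case shows the rule from the Number of Events section that never fires because its two events are more than 30 seconds apart.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass
class Event:
    t: float             # timestamp carried by the event (seconds since epoch)
    name: str            # event type, e.g. "UserLogonFailure"
    fields: dict         # subfields, e.g. {"DestinationAccount": "alice"}
    received_at: float   # when the correlation engine actually received it


@dataclass
class Rule:
    event_name: str
    number_of_events: int                   # "Number of Events"
    events_within: float                    # "Events Within", in seconds
    response_window: float                  # "Response Window", in seconds
    threshold_field: Optional[str] = None   # Advanced Threshold subfield, if any
    threshold_mode: str = "Same"            # "Same" or "Distinct"


def evaluate_rule(rule: Rule, events: list) -> list:
    """Return the final event of every burst that satisfies the rule.

    Only the final event is returned because earlier events act purely as a
    counter; their details are not handed to the action.
    """
    fires = []
    # "Same" keeps one sliding window per subfield value; "Distinct" and the
    # no-threshold case share a single window keyed by None.
    windows = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e.t):
        if ev.name != rule.event_name:
            continue
        # Response Window (assumed semantics): an event that reached the
        # engine later than its own timestamp plus the allowed lag is dropped.
        if ev.received_at - ev.t > rule.response_window:
            continue
        key = None
        if rule.threshold_field and rule.threshold_mode == "Same":
            key = ev.fields.get(rule.threshold_field)
        win = windows[key]
        win.append(ev)
        # Events Within: discard anything older than the window. The loop
        # always stops at ev itself, whose age is zero.
        while ev.t - win[0].t > rule.events_within:
            win.popleft()
        if rule.threshold_field and rule.threshold_mode == "Distinct":
            # Every event in the burst must carry a different subfield value.
            count = len({e.fields.get(rule.threshold_field) for e in win})
        else:
            count = len(win)
        if count >= rule.number_of_events:
            fires.append(ev)
            win.clear()   # one burst fires once; start counting afresh
    return fires


def fires_per_day(fires: list) -> dict:
    """Count fires per calendar day; the article treats 200-300/day as excessive."""
    counts = defaultdict(int)
    for ev in fires:
        counts[int(ev.t // 86400)] += 1
    return dict(counts)


def demo() -> dict:
    """Run the article's UserLogonFailure example over constructed sample events."""
    base = 1_700_000_000.0   # constructed epoch base

    def ev(offset, account, lag=0.0):
        return Event(t=base + offset, name="UserLogonFailure",
                     fields={"DestinationAccount": account},
                     received_at=base + offset + lag)

    # Constructed sample: alice, bob, alice again, a lone alice later, and one
    # alice event that arrives 400 s late (beyond the 5-minute Response Window).
    events = [ev(0, "alice"), ev(10, "bob"), ev(20, "alice"),
              ev(60, "alice"), ev(100, "alice", lag=400)]
    same = Rule("UserLogonFailure", 2, 30, 300, "DestinationAccount", "Same")
    distinct = Rule("UserLogonFailure", 2, 30, 300, "DestinationAccount", "Distinct")
    plain = Rule("UserLogonFailure", 2, 30, 300)
    return {
        "same": [e.t - base for e in evaluate_rule(same, events)],
        "distinct": [e.t - base for e in evaluate_rule(distinct, events)],
        "any": [e.t - base for e in evaluate_rule(plain, events)],
        # Two events 40 s apart never satisfy "2 Events Within 30 seconds".
        "apart": evaluate_rule(plain, [ev(0, "alice"), ev(40, "alice")]),
        "per_day": fires_per_day(evaluate_rule(same, events)),
    }


if __name__ == "__main__":
    print(demo())
```

    With Same, only alice's two failures at 0 s and 20 s fall within 30 seconds, so the rule fires once, on the 20 s event; with Distinct, alice at 0 s and bob at 10 s are two different accounts, so it fires on the 10 s event and the later lone alice events never add up. The late-arriving event is dropped by the response window in every case, which is why an unexplained drop in rule hits is worth checking against source clock skew and delivery delay before the rule logic itself is suspected.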
