Monitoring policies rule order
I am currently making my own monitoring policies and I just ran into a question. I have a policy which monitors the system eventlog in a Windows 2003 server. I have created some rules. Specific rules and generic rules. The specific rules trigger an action when a rule is matched (source, severity, text, eventid all matching exactly). The generic rules match e.g. the source (disk) and the severity (error).
What I want is that when a specific rule is matched, the policy stops processing the other rules. Otherwise there will be multiple alerts in the console. In HP OpenView Operations I used to be able to create my own rule processing order and there was the ability to stop processing after a rule matched.
So, 2 questions:
1: Can I set an order in which rules are processed?
2: Is it possible to stop processing rules after a previous rule has matched?
Comments
Hi EjTjE,
Currently this is not possible in the current release. I am looking into two related feature items: stop processing, and/or having two triggered rules create a higher escalation/severity. It may be possible to use Workflow in the interim to combine rule triggers to create a higher-level severity; for example, if Rule 1 triggers, do Task A, but if Rule 1 and Rule 2 both trigger, do Task A and Task B.
The last feature is the ability to do rule escalation; for example, if the rule triggers and the value does not change in x time or is not resolved in x time, then increase the severity.
These are currently features that I am looking into further, though I would like to hear feedback from any user who is interested in these items and may be able to provide further scenarios or comments that would be helpful.
Best Regards,