Infosec Respected Contributor.

ESM Rule multiple firing

So I have a weird problem.

I have a standard rule that correlates 3 different events. It generally works fine; however, for some events it starts firing multiple (2-4) times without a reason.

I have checked, and each rule event correlates the same base events (same eventIDs, same endTime, etc.). Each rule event has the same time and the same aggregation fields, and differs only in eventId.

The rule is configured to run Set Event Field Action on every event and has matching time and aggregation time set to 30 secs.

Does anyone know a way to troubleshoot this behavior?


Accepted Solutions
Knowledge Partner

Re: ESM Rule multiple firing

I've attached a document regarding consume after match and other things in rules. It'll help you to understand the mechanism.

3 Replies
Knowledge Partner

Re: ESM Rule multiple firing

If you are using a join condition on the rule, check the "consume after match" option.

Infosec Respected Contributor.

Re: ESM Rule multiple firing

I indeed have a join condition. Should I enable it for all the Event Definitions or only one?

I would still be interested to see which log can show me why the rule is fired multiple times even though base events are not repeated.

So to say, for each of the 2 event definitions there is a single base event that fits the conditions. The rule fires and matches 2 events in the first, then proceeds and fires again and matches the same events again in another rule event. What is weird is that it does not happen every time, but randomly.
