[ Bottom of Page | Previous Page | Next Page | Contents | Index ]

General structure of a correlation rule

The following example shows the general structure of a correlation rule:

correlation_rule: rule_name: 
  description: 'description_text'
  
  directive: directives

  event_relation: event_class1 operator event_class2
  within: integer minutes

  when: [
    event_class1.attribute1 equals
    event_class2.attribute2
  ]

Usage notes

• The operators for the event_relation clause are as follows:

  cancelled by

  The reception of the event specified on the right of the cancelled by operator closes the event specified on the left.

  cancels

  The reception of the event specified on the left of the cancels operator closes the event specified on the right.

  caused by

  Links the event on the left (the effect event) of the caused by operator to the event on the right (the cause event). The values of the date_reception and event_handle attributes from the cause event are written to the cause_date_reception and cause_event_handle attributes of the effect event. The value of the status attribute of the cause event is written to the status attribute of the effect event. Any changes to the status of the cause event are automatically propagated to the status attribute of the effect event.

  causes

  Links the event on the right (the effect event) to the event on the left (the cause event). The values of the date_reception and event_handle attributes from the cause event are written to the cause_date_reception and cause_event_handle attributes of the effect event. Any change to the status of either event is automatically propagated to the status attribute of the other event.

• The conditions in the when clause are of the form event_class_name.attribute, where attribute is a valid attribute for the event_class_name event class.
• The equals operator is the only valid operator for a correlation rule.
• For a correlation rule, names of event classes and attributes do not require single quotation mark delimiters unless they have embedded spaces.

Example

The following two correlation rules examples can be used together to set up a simple correlation event sequence that links a fan failure event to a temperature warning event, and a temperature warning event to a temperature shutdown event.

correlation_rule: fan_fail_causes_temp_warn:

  description: 'This rule links a fan failure event and a
    temperature warning event on the same computer.'

  event_relation: Fan_Failure_Notification causes Temperature_Warning

  within: 10 minutes

  when: [
    Fan_Failure_Notification.hostname equals
      Temperature_Warning.hostname 
  ]


correlation_rule: temp_warning_causes_temp_shutdown:

  description: 'This rule links a temperature warning event and a
    temperature shutdown event on the same computer.'

  event_relation: Temperature_Warning causes Temperature_Shutdown

  within: 15 minutes

  when: [
    Temperature_Warning.hostname equals Temperature_Shutdown.hostname
  ]

[ Top of Page | Previous Page | Next Page | Contents | Index ]