Correlation time questions

I seem to be having some issues with understanding the correlation time in LEM's rule creation.  I have a rule set up to monitor when a certain event is logged in Windows application monitor.  You can see its set to trigger if 5 of those events occur within 60 seconds. 

Capture.JPG

However I seem to be getting an email alert whenever that event is seen even though I only need it to trigger when the event appears 5 times in the span of 60 seconds?  Is this not the correct setup for something like this?

  • If there are queued events still in memory, the new rule won't take effect until those events are pushed through, so it's possible they are just old events.

    Also possible there's two rules enabled doing the same thing - if you check out the InternalRuleFired event that comes through (or whatever else you've got set up) and see what rule it's referring to, make sure it's the one you're editing.

    Lastly, could be that the count hit 5 a while ago, and it's just still firing. You could try setting the re-infer/time over threshold in the advanced correlation and set the re-fire interval to something like 30 seconds, so it'll only fire once in 30 seconds if the condition persists.

    (Or, could be the logic, but I'd guess it's something less obvious. emoticons_wink.png)

  • It definitely could be.  Here is my rule.

    Capture.JPG

    I also set the following:

    Capture.JPG

    Not sure if I need the Modifier or not?

  • The advanced correlation you have there means that the 5 events that trigger the rule have to have the SAME value in the WarningMessage field.  You may want to make that something like ServiceWarning.DetectionIP so that the 5 events have to come from the SAME system to fire the rule, otherwise 5 different systems getting the same alert would fire this rule.

  • That's what I need to happen though.  The group of systems receive the same message.  So even if I receive the message only twice on one server and three times on another server.  I want the rule to fire.  Thanks for the explanation it is starting to sink in a bit more emoticons_happy.png

  • I notice that the rule includes an AnyAlert.ToolAlias.  Since all the other correlation fields are ServiceWarning, why not set this to ServiceWarning.ToolAlias?  The AnyAlert would cause a lot of memory utilization and might be causing false positives on the rule.

  • Thanks curtisi I set it to ServiceWarning.ToolAlias = Windows Application and will wait and see.

  • Another note - when you use two different event types/groups in the correlation rule, it's trying to correlate them WITH each other - looking for one of one and one of another. Best bet is to use the same type of event unless that's what you meant - everything "left of dot" should likely be the same event type/group.

    So, I think that fix will fix it, too.