I did some testing with Log Analyzer both with receiving syslog messages and reading log events from the Application logs.
In both cases, if you have a single rule, it will trigger once and then never trigger again until it is acknowledged or reset by a rule event.
So if you have an event called Door Alarm - Door 1710, and each time a badge reader is scanned it sends a syslog to NPM.
If Fred, Barney, and Dino all scan their badge to get in, the alerts would look something like this:
11:08:14 AM 5/15/19 Door Alarm - Door 1710 - Fred has scanned in
11:08:22 AM 5/15/19 Door Alarm - Door 1710 - Barney has scanned in
11:08:31 AM 5/15/19 Door Alarm - Door 1710 - Dino has scanned in
In the old Orion Syslog I would get an event to trigger an alert every time and I could have an email or other alert trigger sent every time.
In the new Log Analyzer for the same Fred, Barney, Dino event I would get:
11:08:14 AM 5/15/19 Door Alarm - Door 1710 - Fred has scanned in
In the new Log Analyzer I would get an email or other trigger event for Fred only. No alert for Barney or Dino.
Seems like it runs on a one-minute cycle and only gets the first record of that minute. If the message is acknowledged by an operator or if there is a reset condition met, the alarm will retrigger on the next one-minute cycle, but in either event you are only getting a single event per minute.
I would like for EVERY event to trigger an alert action. Seems like that is what the product should do but it doesn't seem to work.
Support Case #00309262
Here is a detailed post on how I was doing the testing: