1 Reply Latest reply on Jun 18, 2014 8:49 AM by curtisi

    how many conditions can be placed on a rule?

    boconnor@henryscheinvet.com

      So I have LEM monitoring logs for a host of systems.  I recently started to look at a selection of workstations I wish to monitor a bit more closely and placed a rule to alert me when software was installed.  I let it run over a weekend to see how many false positives it would generate, then went back and adjusted the rules with a bunch of 'not equal' statements.  Guess what happened today?  Windows Updates were rolled out!  So now I received a whole host of new email alerts off of the rule.  I do not particularly mind the cut-and-paste of adjusting the rule, but it made me wonder: how many conditions can a rule handle, and perhaps more importantly, how many should it handle?


      Also, I apologize ahead of time if this is in the forums - I did a search before posting but did not find anything.

        • Re: how many conditions can be placed on a rule?
          curtisi

          I think this is interesting, and I'll have to ask my devs if they know of a limit, but... I think it all comes down to how you're achieving it.

          For example, let's say that you want a rule to capture anything BUT certain events from a certain IP.  You might make a rule like this:

          [Screenshot: 2014-06-18 06_26_20-SolarWinds Log and Event Manager Console.png]

          Now, this is a terrible rule, because it uses "Any Alert" and your LEM will certainly be unhappy with it.  A better plan would be to make a custom Event Group that had all the things you care about:

          [Screenshot: 2014-06-18 06_29_57-SolarWinds Log and Event Manager Console.png]
          [Screenshot: 2014-06-18 06_31_42-SolarWinds Log and Event Manager Console.png]

          So I've "nested" a lot of conditions into one correlation instead of having multiple correlations.  I can apply this same logic to rules using User Defined Groups, Connector Profiles and Directory Service Groups.  So instead of this:

          [Screenshot: 2014-06-18 06_35_10-SolarWinds Log and Event Manager Console.png]

          (And I have no idea what those event IDs actually are; they're made up for this example...)


          I could make a UDG like this:

          [Screenshot: 2014-06-18 07_19_59-SolarWinds Log and Event Manager Console.png]

          And then use that in the rule instead:

          [Screenshot: 2014-06-18 07_21_03-SolarWinds Log and Event Manager Console.png]

          And then I can combine them for utter madness!

          [Screenshot: 2014-06-18 07_21_49-SolarWinds Log and Event Manager Console.png]

          If you want an example of nesting groups and conditions to the nth degree, there is a template in LEM I like to show people called "Worm Activity with Response," and it looks like this:

          [Screenshot: 2014-06-18 07_23_22-SolarWinds Log and Event Manager Console.png]

          It's only a couple of layers deep, but it's looking for 3 different thresholds (1 event of some type with 5 events of another with 10 of a third) and it's comparing and contrasting 3 different events with each other at the same time.

          Update: I asked a dev, and the answer is basically, "The more correlations you want to add, the more memory the rules engine needs.  How much memory do you want to throw at the LEM?"


          Using groups as described will reduce the resource requirements, so it's worth it to try being clever with rule design.
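The rule-design advice in the reply above (replace a chain of 'not equal' conditions with one reference to a named group, nest ANY/ALL conditions, and combine several thresholds in one correlation) can be illustrated with a small, self-contained evaluator. The following is an added example written for this thread, not LEM code and not the product's rule format; the event records, the group names (`WINDOWS_UPDATE_PRODUCTS`, `WATCHED_WORKSTATIONS`) and the operator names are all constructed for illustration.

```python
"""Toy correlation-rule evaluator (constructed example, not SolarWinds LEM code).

Shows two ways to express "alert on software installs on watched workstations,
except Windows Updates": a long chain of 'ne' conditions versus one 'not_in'
condition that references a named group (the equivalent of a User Defined Group).
Both produce the same matches; the grouped form is shorter and easier to maintain.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Sequence, Tuple, Union

Event = Dict[str, Any]

# Constructed sample events; field names and values are made up for this example.
EVENTS: List[Event] = [
    {"type": "SoftwareInstall", "host": "ws01", "product": "KB2939087"},
    {"type": "SoftwareInstall", "host": "ws01", "product": "Adobe Reader"},
    {"type": "SoftwareInstall", "host": "ws02", "product": "KB2957689"},
    {"type": "SoftwareInstall", "host": "srv01", "product": "Notepad++"},
    {"type": "SoftwareInstall", "host": "ws03", "product": "TotallyLegit Toolbar"},
]

# Named groups, maintained in one place and referenced from rules (the UDG idea).
WINDOWS_UPDATE_PRODUCTS = {"KB2939087", "KB2957689", "KB2961072"}  # constructed
WATCHED_WORKSTATIONS = {"ws01", "ws02", "ws03"}                     # constructed


@dataclass
class Cond:
    """A single field comparison; 'in'/'not_in' take a group (set) as value."""
    field: str
    op: str        # one of: eq, ne, in, not_in, startswith
    value: Any

    def matches(self, event: Event) -> bool:
        actual = event.get(self.field)
        if self.op == "eq":
            return actual == self.value
        if self.op == "ne":
            return actual != self.value
        if self.op == "in":
            return actual in self.value
        if self.op == "not_in":
            return actual not in self.value
        if self.op == "startswith":
            return isinstance(actual, str) and actual.startswith(self.value)
        raise ValueError(f"unknown operator {self.op!r}")


@dataclass
class Group:
    """Nested condition group: 'all' = every child must match, 'any' = at least one."""
    mode: str
    items: Sequence[Union[Cond, "Group"]]

    def matches(self, event: Event) -> bool:
        results = [item.matches(event) for item in self.items]
        return all(results) if self.mode == "all" else any(results)


def evaluate(rule: Group, events: Sequence[Event]) -> List[Event]:
    """Return the events a rule would fire on."""
    return [e for e in events if rule.matches(e)]


# Style 1: every exclusion spelled out as its own 'ne' condition.
RULE_NOT_EQUAL_CHAIN = Group("all", [
    Cond("type", "eq", "SoftwareInstall"),
    Cond("host", "in", WATCHED_WORKSTATIONS),
    Cond("product", "ne", "KB2939087"),
    Cond("product", "ne", "KB2957689"),
    Cond("product", "ne", "KB2961072"),
])

# Style 2: same intent, one condition referencing the group.
RULE_WITH_GROUP = Group("all", [
    Cond("type", "eq", "SoftwareInstall"),
    Cond("host", "in", WATCHED_WORKSTATIONS),
    Cond("product", "not_in", WINDOWS_UPDATE_PRODUCTS),
])

# A third rule used as one "leg" of a multi-threshold correlation.
RULE_WINDOWS_UPDATE = Group("all", [
    Cond("type", "eq", "SoftwareInstall"),
    Cond("product", "in", WINDOWS_UPDATE_PRODUCTS),
])


def threshold_fires(events: Sequence[Event], legs: Sequence[Tuple[Group, int]]) -> bool:
    """Multi-threshold correlation: fire only when every leg's rule matched at
    least its required number of events (e.g. 1 of type A, 5 of B, 10 of C)."""
    return all(len(evaluate(rule, events)) >= minimum for rule, minimum in legs)


if __name__ == "__main__":
    for name, rule in [("ne chain", RULE_NOT_EQUAL_CHAIN), ("group", RULE_WITH_GROUP)]:
        print(name, [e["product"] for e in evaluate(rule, EVENTS)])
    print("threshold:", threshold_fires(EVENTS, [(RULE_WITH_GROUP, 1), (RULE_WINDOWS_UPDATE, 2)]))
```

Adding a new Windows Update package means editing the `WINDOWS_UPDATE_PRODUCTS` set once rather than appending another 'ne' condition to every rule that cares, which is the maintenance win the reply describes; the threshold helper mirrors the "Worm Activity" template's shape of several counted legs inside one correlation.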