Creating new rules from existing events

GFI EventsManager enables you to create new rules based on the information of existing events.

To create a new rule from an existing event:

1. From Events Browser, locate the event log that you want to base the rule upon.

Creating a rule from an existing event

2. Right-click the event and select Create rule from event.

New rule from event - General settings

3. Specify a unique name and an optional description for the new rule.

4. From The rule applies if the event happens drop-down menu, select the time when the rule is applicable. Select from:

  • At any time of the day
  • During Normal Operational Time
  • Outside the Normal Operational Time

Note

For more information refer to Configuring event source operational time.

5. From the Classify the event as drop-down menu, select the classification level you want to assign to the event when it is generated.

New rule from event - Select logs to collect

6. From the Event Logs tab, select the logs you want to collect. To add custom logs, click Add custom log..., specify the custom log name and click OK.

Note

For more information refer to Collecting custom logs.

New rule from event - Add conditions

7. Click the Conditions tab. Click Add to select a field on which to base the query condition. For the selected field, specify the Field Operator and Field Value. Click OK.

Note

Repeat this step until all the required fields are selected. For more information refer to Building query restrictions.

8. Click the Actions tab and select what action is performed when the rule is triggered. An action is the activity carried out when events match specific conditions; for example, you can trigger actions whenever an event is classified as critical. Actions supported by GFI EventsManager include email alerts, event archiving and execution of scripts. Available options are described below:

Option                                  Description
Ignore the event                        Ignores the event until a new instance of the event is generated.
Use the default classification actions  Use the actions configured in Default Classification Actions. For more information refer to Configuring Default Classification Actions.
Use the following actions profile       From the drop-down menu, select a profile or <New action profile...> and click Edit to configure the action profile.

9. Click the Threshold tab and configure the event threshold value, i.e. the number of times that an event must be detected before alerts and remedial actions are triggered. This helps reduce false positives caused by noise (repeated events) in your event logs.

10. Click Apply and OK.
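The following is an added illustration, not GFI EventsManager code, of how the settings chosen in steps 4 to 9 combine when events are evaluated: the selected logs and operational-time window decide whether an event is in scope, the field conditions decide whether it matches, and the threshold decides when the configured action fires. The operator names, the 08:00 to 18:00 operational window, per-source threshold counting, the counter reset after firing, and the sample Security-log records (Windows event ID 4625 failed logons, constructed here) are all this example's own assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

# Constructed sample event records (not real GFI EventsManager data). Each dict
# is one collected log entry reduced to the fields the conditions inspect.
SAMPLE_EVENTS = [
    {"log": "Security", "event_id": 4625, "source": "srv01", "timestamp": datetime(2024, 5, 6, 9, 0)},
    {"log": "Security", "event_id": 4625, "source": "srv01", "timestamp": datetime(2024, 5, 6, 9, 1)},
    {"log": "Security", "event_id": 4625, "source": "srv01", "timestamp": datetime(2024, 5, 6, 9, 2)},
    {"log": "Application", "event_id": 4625, "source": "srv01", "timestamp": datetime(2024, 5, 6, 9, 3)},
    {"log": "Security", "event_id": 4624, "source": "srv01", "timestamp": datetime(2024, 5, 6, 9, 4)},
    {"log": "Security", "event_id": 4625, "source": "srv02", "timestamp": datetime(2024, 5, 6, 2, 0)},
    {"log": "Security", "event_id": 4625, "source": "srv01", "timestamp": datetime(2024, 5, 6, 9, 5)},
]

# Field operators standing in for the "Field Operator" choice on the Conditions
# tab. These names are this example's own, not the product's exact labels.
OPERATORS = {
    "equals": lambda a, b: str(a) == str(b),
    "not equals": lambda a, b: str(a) != str(b),
    "contains": lambda a, b: str(b).lower() in str(a).lower(),
    "greater than": lambda a, b: float(a) > float(b),
}


@dataclass
class Condition:
    field_name: str
    operator: str
    value: object

    def matches(self, event: dict) -> bool:
        # A field that is absent from the event never matches, so a rule
        # cannot fire on data it did not actually see.
        if self.field_name not in event:
            return False
        return OPERATORS[self.operator](event[self.field_name], self.value)


@dataclass
class Rule:
    name: str
    logs: set                   # logs selected on the Event Logs tab
    conditions: list            # all conditions must hold (AND, an assumption)
    applies: str                # "any time" | "operational" | "outside operational"
    classification: str         # value chosen in "Classify the event as"
    action: str                 # what the Actions tab triggers, e.g. "email alert"
    threshold: int = 1          # Threshold tab: detections needed before acting
    op_start: time = time(8, 0)     # assumed operational time window
    op_end: time = time(18, 0)
    _hits: dict = field(default_factory=dict)

    def in_scope(self, event: dict) -> bool:
        if event["log"] not in self.logs:
            return False
        within = self.op_start <= event["timestamp"].time() < self.op_end
        if self.applies == "operational":
            return within
        if self.applies == "outside operational":
            return not within
        return True

    def evaluate(self, event: dict):
        """Return the action to take for this event, or None."""
        if not self.in_scope(event):
            return None
        if not all(c.matches(event) for c in self.conditions):
            return None
        # Threshold counting is keyed per event source (an assumption) and the
        # counter resets once the rule fires, so a burst of repeated events
        # raises one alert instead of one per event.
        src = event["source"]
        self._hits[src] = self._hits.get(src, 0) + 1
        if self._hits[src] < self.threshold:
            return None
        self._hits[src] = 0
        return self.action


def run_rule(rule: Rule, events: list) -> list:
    """Return (event index, classification, action) for every event that fires."""
    fired = []
    for i, ev in enumerate(events):
        action = rule.evaluate(ev)
        if action is not None:
            fired.append((i, rule.classification, action))
    return fired


def failed_logon_rule() -> Rule:
    # The kind of rule the walkthrough above would produce from a failed-logon event.
    return Rule(
        name="Repeated failed logons",
        logs={"Security"},
        conditions=[Condition("event_id", "equals", 4625)],
        applies="operational",
        classification="critical",
        action="email alert",
        threshold=3,
    )


if __name__ == "__main__":
    for hit in run_rule(failed_logon_rule(), SAMPLE_EVENTS):
        print(hit)
```

With the sample data, only the third consecutive failed logon from srv01 during operational time fires the rule: the Application-log record is out of scope, event 4624 fails the condition, the srv02 record falls outside the operational window, and the final record starts a fresh count after the reset.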