The Rules interface provides the ability to define rules that evaluate all incoming events and deliver selected events to designated output channels. For example, every severity 5 event can be e-mailed to a security analysts' distribution list or to an administrator.
NOTE: All events are also delivered to the database, regardless of whether any rule matches them.
An incoming event is evaluated against each filtering rule in order until a match is found; the delivery actions associated with that first matching rule are then executed:
Send to e-mail: Send the event to a user or users by using a configured SMTP relay
Write to File: Write the event to a specified file on the Identity Audit server
Send to Syslog: Forward the event to a configured syslog server
HINT: Events are processed by the associated actions one at a time, so consider the performance implications when choosing the output channel for a set of events. For example, the Write to File action is the least resource-intensive, so you can use it to test rule criteria and measure the resulting data volume before sending a flood of events to e-mail or syslog.
Also, when you set up the action, consider how many events the recipient can effectively handle and adjust the filtering on the rule accordingly.

Event output is in JavaScript Object Notation (JSON), a lightweight data exchange format. An event consists of field names (such as "evt" for Event Name), each followed by a colon and a value (such as "Start"), with the name/value pairs separated by commas:
{"st":"I","evt":"Start","sev":"1","sres":"Collector","res":"CollectorManager","rv99":"0","rv1":"0","repassetid":"0","rv77":"0","agent":"Novell SecureLogin","obsassetid":"0","vul":"0","port":"Novell SecureLogin","msg":"Processing started for Collector Novell SecureLogin (ID D892E9F0-3CA7-102B-B5A1-005056C00005).","dt":"1224204655689","id":"751D97B0-7E13-112B-B933-000C29E8CEDE","src":"D892E9F0-3CA7-102B-B5A2-005056C00004"}
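The following is an added example (not Identity Audit code) that puts the rule semantics above into working form: it parses events in the JSON shape shown, evaluates them against an ordered rule list with first-match semantics, and runs the three delivery actions. The rule names, the recipient address, the syslog facility and severity mapping, the SENDER_HOST value and both sample events are constructed for illustration; the e-mail and syslog actions build the message that would go to the relay or server and return it rather than sending it, so the whole thing runs offline.

```python
"""First-match event routing modelled on the Rules interface (added example)."""
import json
import os
import tempfile
from datetime import datetime, timezone
from email.message import EmailMessage

# Constructed sample input: the page's own "Start" event (trimmed) plus a
# hypothetical severity 5 event, one JSON object per line.
SAMPLE_EVENTS = [
    '{"st":"I","evt":"Start","sev":"1","sres":"Collector","res":"CollectorManager",'
    '"agent":"Novell SecureLogin","msg":"Processing started for Collector Novell SecureLogin",'
    '"dt":"1224204655689","id":"751D97B0-7E13-112B-B933-000C29E8CEDE"}',
    '{"st":"A","evt":"Authentication Failure","sev":"5","sres":"Authentication",'
    '"agent":"Novell SecureLogin","msg":"Repeated bad password for user jdoe",'
    '"dt":"1224204700000","id":"00000000-0000-0000-0000-000000000001"}',
]

SENDER_HOST = "identityaudit-01"  # assumption: hostname written into the syslog header


def parse_event(line):
    """Decode one JSON event. Every field on the page is a string, so sev is cast where compared."""
    return json.loads(line)


def write_to_file(event, path):
    """Write to File: append the event as one compact JSON line."""
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(event, separators=(",", ":")) + "\n")
    return path


def send_to_email(event, recipient):
    """Send to e-mail: build the message for the SMTP relay (not sent here;
    a real action would hand it to smtplib.SMTP(...).send_message)."""
    msg = EmailMessage()
    msg["To"] = recipient
    msg["Subject"] = f"[sev {event['sev']}] {event['evt']}"
    msg.set_content(json.dumps(event, indent=2))
    return msg


def send_to_syslog(event, server):
    """Send to Syslog: format an RFC 3164 line for the configured server and
    return (server, line); a real action would send it over UDP/514.
    Facility and the sev-to-severity mapping are assumptions, not product values."""
    facility = 4                                   # LOG_AUTH (assumed)
    severity = 4 if int(event["sev"]) >= 4 else 6  # warning for sev>=4, else informational (assumed)
    ts = datetime.fromtimestamp(int(event["dt"]) / 1000, tz=timezone.utc)
    body = json.dumps(event, separators=(",", ":"))
    line = f"<{facility * 8 + severity}>{ts.strftime('%b %d %H:%M:%S')} {SENDER_HOST} identityaudit: {body}"
    return server, line


ACTIONS = {"email": send_to_email, "file": write_to_file, "syslog": send_to_syslog}


def build_rules(file_path):
    """Ordered rule list. Order matters: with the catch-all first, the
    severity 5 rule would never fire."""
    return [
        {"name": "sev5-to-analysts", "match": lambda e: int(e["sev"]) >= 5,
         "action": "email", "target": "soc-analysts@example.com"},  # constructed recipient
        {"name": "everything-to-file", "match": lambda e: True,
         "action": "file", "target": file_path},
    ]


def first_match(rules, event):
    """Evaluate rules in order and stop at the first whose criteria match."""
    for rule in rules:
        if rule["match"](event):
            return rule
    return None


def route(lines, rules):
    """Evaluate each incoming event and run the matched rule's action.
    Returns (event id, rule name, action) per event; an unmatched event yields
    (id, None, None) and is only stored in the database, which is outside this example."""
    outcomes = []
    for line in lines:
        event = parse_event(line)
        rule = first_match(rules, event)
        if rule is None:
            outcomes.append((event["id"], None, None))
            continue
        ACTIONS[rule["action"]](event, rule["target"])
        outcomes.append((event["id"], rule["name"], rule["action"]))
    return outcomes


def demo():
    """Route the sample events with a temporary file as the Write to File target;
    returns the routing outcomes and the lines that were written."""
    fd, path = tempfile.mkstemp(suffix=".jsonl")
    os.close(fd)
    try:
        outcomes = route(SAMPLE_EVENTS, build_rules(path))
        with open(path, encoding="utf-8") as fh:
            written = fh.read().splitlines()
    finally:
        os.remove(path)
    return outcomes, written
```

Running demo() shows the first-match behaviour the text describes: the severity 5 event is picked up by the e-mail rule and never reaches the catch-all, while the severity 1 "Start" event falls through to Write to File. Swapping the two rules sends everything to the file and nothing to e-mail, which is exactly the ordering mistake to check for when a rule seems to never fire.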