To create or edit a summarization rule, enter general information, and set summarization thresholds. Thresholds are either a number of events, a frequency of occurrence, or a combination of the two, that trigger the creation of a summarized event.
To set summarization thresholds
Controls whether or not the rule uses an event threshold. The event threshold must be greater than one. Selecting this box sets a maximum events value. If this box is cleared, and the event timeout period is enabled, only the time period is considered in summarizing events. If both are enabled, a summarized event is created at every specified time period, as long as at least one qualified raw event occurs.
Defines the number of native events that trigger a summarized event. When the number of native events you specify occurs, a summarized event is created.
Minimum: 2
Maximum: 5000
Controls whether or not the rule uses a time period threshold. Selecting this box sets a time period value. If this box is cleared, a summarized event occurs only when the event count threshold is reached.
Defines the time, in seconds, that elapses to trigger a summarized event, if any events of the specified type have occurred. When this threshold is reached, a summarized event is created, as long as at least one qualified native event has occurred. You can set the Time Period to zero, which will result in a summarized event only when the maximum events threshold is reached.
Minimum: 0
Maximum: 86400
For example, in the case of a rule summarizing failed login attempts, selecting 3 in the Maximum Events menu and 10 in the Time Period menu results in a summarized event after three failed login attempts, or every 10 seconds as long as at least 1 failed login occurs.
If you click Save and Close, the new rule appears in the list, otherwise the step you choose appears.
|
Copyright © 2013 CA.
All rights reserved.
|
|