Hi there,
I've noted that since enabling "Trust Event Source Time" for my
eDirectory collector that my very simple correlation rule for Intruder
Detection no longer fires (though it does properly detect when using the
"Test Rule" feature) . The correlation rule does work after disabling
the setting but all servers are using same NTP and we do prefer to have
this enabled so that events are using the Observer Event Time stamp.

My Correlation rule is: filter(((e.EventName = "Intruder Detected")))



kmaule's Profile: https://forums.netiq.com/member.php?userid=306
View this thread: https://forums.netiq.com/showthread.php?t=46397