Hi,

I would like to write a correlation rule with the following parameters:
e.CollectorNodeName = "Cisco Switch and Router"

First trigger should be: e.EventName = "Interface is down"
if within the next 2 minutes a (e.EventName = "Interface is up") is
received, an alert could be sent.
But only if the above scenario is observed 15 times in 30 min = every 2
minutes

Each event I triggered with
filter(((e.CollectorNodeName = "Cisco Switch and Router")) AND
((e.EventName = "Interface is up")))flow
trigger(14,1860,discriminator(e.ReporterIP))
or
filter(((e.CollectorNodeName = "Cisco Switch and Router")) AND
((e.EventName = "Interface is down")))flow
trigger(14,1860,discriminator(e.ReporterIP))

(14 times in 31 minutes to be safe to be triggered)

Should it be a subrule as sequence or an OR rule?
I tried but did not work:
sequence(filter(((e.CollectorNodeName = "Cisco Switch and Router")) AND
((e.EventName = "Interface is up")))flow
trigger(14,1860,discriminator(e.ReporterIP)),filter(((e.CollectorNodeName
= "Cisco Switch and Router")) AND ((e.EventName = "Interface is
up")))flow trigger(14,1860,discriminator(e.ReporterIP))
,1920,discriminator(e.ReporterIP))


What is the best way to do this?


Torsten


--
tfechner
------------------------------------------------------------------------
tfechner's Profile: https://forums.netiq.com/member.php?userid=8929
View this thread: https://forums.netiq.com/showthread.php?t=54233
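To make the intended correlation concrete outside the Sentinel rule language, here is an added Python sketch (not from the post or from NetIQ) of the same logic: per ReporterIP, an "Interface is down" followed by "Interface is up" within 2 minutes counts as one flap, and 15 flaps within 30 minutes raise the alert. The event field names are taken from the post; the `ts` field, the `10.0.0.x` addresses and the event timings are constructed for the sample.

```python
from collections import defaultdict, deque

COLLECTOR = "Cisco Switch and Router"
UP_WINDOW = 120     # "Interface is up" must follow "down" within 2 minutes
FLAP_COUNT = 15     # alert after this many down/up pairs ...
FLAP_WINDOW = 1800  # ... within 30 minutes, per ReporterIP

class FlapCorrelator:
    def __init__(self):
        self.pending_down = {}           # ip -> time of the last unmatched "down"
        self.flaps = defaultdict(deque)  # ip -> times of completed down/up pairs

    def process(self, event):
        """Consume one event; return the ReporterIP if the flap alert fires."""
        if event["CollectorNodeName"] != COLLECTOR:
            return None
        ip, ts, name = event["ReporterIP"], event["ts"], event["EventName"]
        if name == "Interface is down":
            self.pending_down[ip] = ts   # (re)start the 2-minute clock
            return None
        if name != "Interface is up":
            return None
        down_ts = self.pending_down.pop(ip, None)
        if down_ts is None or ts - down_ts > UP_WINDOW:
            return None                  # no "down" within the last 2 minutes
        window = self.flaps[ip]
        window.append(ts)
        while ts - window[0] > FLAP_WINDOW:   # drop pairs older than 30 minutes
            window.popleft()
        if len(window) >= FLAP_COUNT:
            window.clear()               # fire once per burst, then re-arm
            return ip
        return None

def run(events):
    corr = FlapCorrelator()
    return [ip for e in events if (ip := corr.process(e)) is not None]

def make_sample(period):
    """Constructed events: 10.0.0.1 flaps every `period` seconds (up 30 s after
    down); 10.0.0.2 goes down once and recovers after 5 minutes (not a flap)."""
    ev = lambda ts, ip, name: {"ts": ts, "ReporterIP": ip, "EventName": name,
                               "CollectorNodeName": COLLECTOR}
    events = [ev(0, "10.0.0.2", "Interface is down"), ev(300, "10.0.0.2", "Interface is up")]
    for i in range(FLAP_COUNT):
        events += [ev(i * period, "10.0.0.1", "Interface is down"),
                   ev(i * period + 30, "10.0.0.1", "Interface is up")]
    return sorted(events, key=lambda e: e["ts"])
```

`run(make_sample(120))` fires for 10.0.0.1 (15 flaps in 28 minutes), while `run(make_sample(180))` stays silent because the flaps spread over more than 30 minutes.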