Using the Rule Manager

This section details the Rule Manager interface and configuration procedures for adding rules, selecting the alert destination and schedule, and modifying the rules status.

Selecting Rule Settings

To add a new rule in the Rule Manager, complete the following:

1	In the GMS management interface, go to Monitor > Tools > Live Monitor.

 

2	Click Manage Rules in the Control bar.

The Rule Manger > Rule List pop-up window displays:

 

3	To add a new rule, click the Add New Rule icon.

 

The Rule Manager > Rule Settings panel displays:

 

4	Fill in the Name text-field to utilize a more descriptive name for this new rule.

5	If you wish to build a rule without immediately enabling it, click Disable. Leaving this check box blank sets the rule as enabled in the Rule List, after it is built.

The Severity drop-down menu allows you to set a different severity level tag for each syslog that meets the conditions of this rule.

6	Click the Severity drop-down menu, and then select the desired severity level:

•	Information

•

Warning

•

Critical

 

7	Created a rule using the available templates. Under the Group heading, you will find the available templates.

 

•	Under the Generic rules group, a listing of rule templates display. Clicking on one of these types allows the full rule to display below in the Rule Editor box.

•	The Computational rules group provides average-based statistical alerts on syslogs received, further broken down by number received for appliances, or the number of syslogs received grouped by appliance.

•	The Attack rules group offers rules to understand the number of appliances under attack from security threats, and for identifying specific appliances under attack.

•	The Advanced rules group is a flexible template that allows syslogs to be filtered based on one or two conditions.

For each Rule Type selected the Rule Editor allows you to define conditions for that rule, if available. Keep in mind that the specificity with which these conditions are set controls how many alerts are received in the Live Monitoring user interface.

8	To edit the rule conditions, click on the Rule Editor (pencil) icon.

A series of open fields and drop-down menus are now available, adjusted them to specify the desired conditions, including various parameters, if desired. Rule types allowing you to set one condition, also let you specify the name of the syslog tag you want to see, along with the operator to use in filtering those tags. You gain further granularity control on rule types allowing filtering based on two conditions.

For a list of the current SonicOS Log Events, click the Event Log Reference Guide link.

 

NOTE: Multiple rules with the same Rule Type are allowed, as long as the values are different in the rule condition(s). Creating different severity tags for the same rule type, with the same conditions, is not possible.

9	If you are done with the Rule Settings configuration, click Finish. If you wish to configure the alert destination and schedule, click Next and refer to Setting Alert Destination and Schedule .

Setting Alert Destination and Schedule

After rule editing is complete, configure the alert destination and schedule:

1	To set the destination and schedule for alerts based on a created rule, click the Add Destination link.

 

The Destination and Schedule drop-down menus display.:

 

To open additional destination fields, up to the maximum of five, you might click again on Add Destination.

2	Click the Destination drop-down menu and select a destination:

•	Email - Admin

•	Email - Adhoc

•	Email - User

•	Trap listener - Adhoc

•	Trap listener - Registered

The Live Monitoring user interface will not appear as a destination, as it is auto-determined, based on whether the interface is currently running. This means that if at least one user is live monitoring the interface, the engine automatically detects this and continues forwarding alerts. If no one is currently monitoring, no alerts are sent to the Live Monitor interface, but they will continue to be sent to defined destinations, such as email and traps.

CAUTION: If you have Email as a destination, and the condition defined is very lenient, your email could easily be flooded with alerts.

3	Click the Schedule drop-down menu, and then select the frequency this destination receives alerts based on this rule:

Scheduled Groups

•

24x7

•	Weekdays 24 Hours

•

8x5

•

Weekend

Schedule

•	Schedule: Admin

•	Database: Backup

•	Monday 24 Hours

•	Monday Business Hours

•	Tuesday 24 Hours

•	Tuesday Business Hours

•	Wednesday 24 Hours

•	Wednesday Business Hours

•	Thursday 24 Hours

•	Thursday Business Hours

•	Friday 24 Hours

•	Friday Business Hours

•	Saturday 24 Hours

•	Saturday Business Hours

•	Schedule: (user)

4	After the destination(s) and schedule(s) are set for alerts based on this rule, click Finish.

5	Click OK to close the dialog box and to return to the Rule Manager > Rule List panel. The newly created rule displays in the list:

 

Modifying Rule Status

From this screen, you can enable (green circle with check), disable (red circle with ‘X’), or delete (blue wastebasket) the selected rules. These icons are in the section header.

To change a rule’s status, select it by clicking on the check box to the left of the rule name, then click the desired status icon from the section header.

For example, if you chose to disable a rule, here is how it would appear with the ‘X’ icon now showing the rule’s current status as disabled.

After you have built and enabled the rules you want the event correlation engine to apply against the syslogs, click Close to return to the Live Monitoring user interface.