Overview
When a custom rule is not being applied to events, the issue shows up in one of two ways:
- A custom rule was created, but it is not being triggered, and the events it should match might not be collected.
- A custom noise rule was created, but the events it should suppress are still being collected.
This article describes the cause of this issue and the steps to troubleshoot it.
Environment
- GFI EventsManager
- All Supported Environments
Root Cause
This issue usually results from a misconfiguration of the custom rule, or from the rule set it belongs to not being selected for the event source.
Resolution
There are three options available to troubleshoot the issue:
Solution 1
- Go to Configuration > Events Sources.
- Right-click on the group or computer and select Properties.
- Go to the tab that corresponds to the event log type the rule applies to (e.g. Windows Event Log for Windows events).
- Under Process the logs with the rules selected below, make sure that both the folder and the rule set that the custom rule belongs to are enabled.
Solution 2
- Go to Configuration > Event Processing Rules.
- Double-click on the custom rule to open its Properties.
- Go to the Conditions tab and click Advanced.
- Verify that the advanced conditions specified actually match the event being collected; a condition that does not match the event's fields will prevent the rule from triggering.
Solution 3
Verify that no noise reduction rule is preventing the event from being archived by following the steps below:
- Go to Configuration > Event Processing Rules.
- Double-click each Noise Reduction rule to open its Properties.
- Go to the Conditions tab and check that no condition matches the details of the event you want to archive.