Environment
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows 2000 Server
RedHat Linux
Solaris 9
Sentinel 5.1.x
Situation
Why are correlation rules not being triggered?
Resolution
Scenario:
Sentinel and the Correlation Engine run on one Windows 2003 machine, which has plenty of memory, disk space, and other resources.
Correlation rules only trigger on internal events. When a watchlist is set on (e.Severity > 1), nothing happens, although there are a few severity 2 and 3 events every second. When another rule is deployed, the first rule triggers on the Start of Deployment event.
Solution:
There may be a time skew issue. Synchronize the time between the Agent Manager (AM) and the Correlation Server. A difference of a few seconds between the AM and the Correlation Engine (CE) may cause this.