Resolution
What mechanism is used by Operations Manager and Security Manager to evaluate and process rules?
fact
Operations Manager 3.X
fact
Security Manager 3.X
fact
Security Manager 4.X
fix
Rules are deployed by the Consolidator to the agent and configured as in-memory trees (one per rule type) sorted by provider ID and rule criteria. The trees are organized so that less expensive comparisons (e.g. comparing event IDs for equality) happen first, allowing the engine to avoid evaluating expensive comparisons unless absolutely necessary.
The service activates all its providers, which use various mechanisms to determine when to process new data. The NT Event Log provider, for example, registers an event (an NT notification object) with the NT Event Log Service. The event gets signaled whenever there are new events in the event log, and the provider submits the events for processing immediately. The notification mechanism occasionally fails, so the provider also checks the log periodically for new activity, even if it didn't get signaled to do so.
The service applies the rules to the event using the trees built when the rules were deployed. Within a given rule type tree, the behavior is as if all rules were applied, even though no event will ever trigger more than a small subset of the criteria comparisons. Rules are checked in the following order:
- Collection rules
Identify events with specific criteria to be collected from specific sources. Collection rules do not generate alerts or provide responses. For more information about collection rules, see 'Collecting Specific Events' on page 62 of the Operations Manager Concepts Guide.
- Missing event rules
Specify that Operations Manager generates an alert or provides responses when a defined event does not occur during a specified time. Operations Manager stores missing event alerts in the database. For more information about missing event rules, see 'Detecting Missing Events' on page 69 of the Operations Manager Concepts Guide.
- Consolidation rules
Specify that Operations Manager groups multiple similar events on an agent computer into a single summary event. Operations Manager stores summary events in the database. For more information about consolidation rules, see 'Consolidating Similar Events' on page 70 of the Operations Manager Concepts Guide.
- Filtering rules
Specify whether you want Operations Manager to ignore the specified events. Filtering rules typically identify events that you do not consider significant. For more information about filtering rules, see 'Filtering Events' on page 70 of the Operations Manager Concepts Guide.
- Event rules
Specify that you want Operations Manager to generate an alert or run responses when specific events occur. You can create event rules for events that are not covered by other processing rules. Operations Manager stores the events and alerts in the database. For more information about alerting, see 'Generating Alerts' on page 63 of the Operations Manager Concepts Guide.
An Event Consolidation Rule or Filter Rule can prevent the evaluation of subsequent rule types. Based on the types of rules that matched, the agent determines whether the event must be sent to the Consolidator, an alert raised, or a response run.
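A simplified model of this evaluation order, written in Python as an added example (not product code): one lookup tree per rule type, cheap provider and event ID keys checked before the expensive regex test, and consolidation or filtering matches stopping later rule types. The rule names, event IDs and descriptions are constructed; missing event rules appear in the order only, since they fire on the absence of an event rather than on one arriving.

```python
import re
from collections import defaultdict

# Rule types in the order the agent evaluates them, as the article lists them.
RULE_ORDER = ["collection", "missing_event", "consolidation", "filtering", "event"]

class Rule:
    def __init__(self, name, rtype, provider, event_id=None, pattern=None):
        # event_id is the cheap equality key; pattern is the expensive regex test.
        self.name, self.rtype, self.provider = name, rtype, provider
        self.event_id, self.pattern = event_id, (re.compile(pattern) if pattern else None)

def build_trees(rules):
    """One tree per rule type: provider -> event ID (None = any) -> rules."""
    trees = {t: defaultdict(lambda: defaultdict(list)) for t in RULE_ORDER}
    for r in rules:
        trees[r.rtype][r.provider][r.event_id].append(r)
    return trees

def candidates(tree, event):
    # Cheap lookups first: provider, then exact event ID, then the wildcard bucket.
    bucket = tree.get(event["provider"], {})
    return bucket.get(event["event_id"], []) + bucket.get(None, [])

def evaluate(trees, event):
    """Return (rule type, rule name) pairs that fired, in evaluation order."""
    fired = []
    for rtype in RULE_ORDER:
        for rule in candidates(trees[rtype], event):
            # The regex only runs once the cheap keys have already matched.
            if rule.pattern and not rule.pattern.search(event["description"]):
                continue
            fired.append((rtype, rule.name))
            if rtype in ("consolidation", "filtering"):
                return fired  # these rule types stop later rule types from running
    return fired

# Constructed sample rules (illustrative, not product data).
RULES = [
    Rule("Collect logons", "collection", "NT Event Log", event_id=4624),
    Rule("Drop SCM noise", "filtering", "NT Event Log", event_id=7036),
    Rule("Alert service fail", "event", "NT Event Log", event_id=7036, pattern=r"failed"),
    Rule("Alert any error", "event", "NT Event Log", pattern=r"error|failed"),
]
TREES = build_trees(RULES)

if __name__ == "__main__":
    # The filter on 7036 wins, so "Alert service fail" never raises an alert.
    print(evaluate(TREES, {"provider": "NT Event Log", "event_id": 7036, "description": "Service failed"}))
```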
The service raises alerts and performs responses by generating new objects sent through the system separately from the event. Multiple responses may be processed simultaneously.
Alert Processing Rules are applied to the generated alert objects. Responses defined in Alert Processing Rules run in response to the actual alert object, not a new response or alert object as in the case of responses defined in Event Processing Rules.