NetIQ Security Solutions for iSeries
The Alert Log entry with status of 'CLOSED' actually reflects the status of the last action performed, not the status of the LOG(NEW) entry.
It is best practice not to configure a LOG action because PSDetect will automatically generate a log entry with status of 'CLOSED' for successful completion of whatever action is configured. If the configured action does not complete successfully a log entry with status of 'ERROR' is automatically recorded in the Alert Log. Configuring a LOG action is recommended only for demonstration purposes or for debugging.
If you have a filter configured with a LOG(NEW) action, followed by some other action, such as EMAIL, and the EMAIL action completes successfully, then the Alert Log will only have a log entry with status of 'CLOSED', reflecting the status of the last action performed. On the other hand, if you configure the filter with an EMAIL action, followed by a LOG(NEW) action, then the Alert Log will only have a log entry with status of 'OPEN'.
It is therefore recommended that PSDetect filters not include LOG actions, unless the LOG action is the only action.