Custom Rule Not Being Applied to Events

Overview

When a custom rule is not being applied to events, there are two possible scenarios:

  • A custom rule was created, but it is not being triggered and events might not be collected.
  • A custom noise rule was created, but the events are still being collected.

This article explains the cause of this issue and the steps to troubleshoot it.

Environment

  • GFI EventsManager
  • All Supported Environments

Root Cause

This issue often results from a misconfiguration of the custom rule.

Resolution

There are 3 options available to troubleshoot the issue:

Solution 1

  1. Go to Configuration > Events Sources.
  2. Right-click on the group or computer and select Properties.
  3. Go to the tab according to the event log type the rule applies to (e.g. Windows Event Log for Windows events).
  4. Under Process the logs with the rules selected below, make sure that the folder and rule set to which the custom rule belongs are enabled.

Solution 2

  1. Go to Configuration > Event Processing Rules.
  2. Double-click on the custom rule to open its Properties.
  3. Go to the Conditions tab and click Advanced.
  4. Verify that the advanced conditions specified apply to the event being collected.

Solution 3

Verify that no noise rule is preventing the event from being archived by following the steps below:

  1. Go to Configuration > Event Processing Rules.
  2. Double-click each Noise Reduction rule to open its Properties.
  3. Go to the Conditions tab and check that no condition matches the information of the event you want to archive.

Posted by Priyanka Bhotika