Phone Lines icon GFI Support

Articles in this section

See more

Understanding Events Processing Rules

Author: Ma. Vivien Zarsuelo Updated

Overview

Events processing rules are checks that are run against event logs when they are collected. This article provides information about Events Processing Rules and how they can be used.

Information

Based on the conditions configured in a rule, events processing rules help you:

  • Classify processed events
    Assign a severity rating to collected logs. This enables you to trigger actions or notifications if a certain severity log is processed. By default, events are classified using five main ratings, however, more ratings can be added.
  • Filter out noise (repeated events) or unwanted events
    Remove duplicate logs or logs that are not important for you and archive important event data only. This reduces database growth and saves storage space.
  • Trigger Email, SMS and Network alerts1 on key events
    Send notifications to configured recipients upon detection of certain events. You can configure an event processing rule to send notifications to recipients when the rule conditions are met.
  • Attempt remedial actions
    Run executable files, commands, and scripts upon detection of specific events. This enables you to automatically perform remedial actions to mitigate or completely eliminate a detected problem.
  • Filter events that match specific criteria
    Remove event logs that are not important for you.
    Example: You can run a rule which filters out low severity or duplicate events.
  • Archive2 filtered events
    Event archiving is based on the severity of the event and on the configuration settings of the event processing rules.
    Example: You can configure GFI EventsManager to only archive events that are classified as critical or high in severity and discard all the rest.

The flowchart below illustrates the event processing stages performed by GFI EventsManager:

Screen_Shot_2019-06-26_at_3.06.44_PM.png

Event Classification

Event classification3 is based on the configuration of the rules that are executed against the collected logs. Events that do not satisfy any of the event processing conditions configured in the event processing rules are tagged as unclassified. Unclassified events may also be used to trigger the same alerts and actions available for classified events.

GFI EventsManager classifies events in the standard importance levels such as Critical, High, Medium, Low and Noise4.

 

1Network messages (known as Netsend messages) - inform recipients that a particular event has occurred. These messages are sent through an instant messenger system/protocol and are shown as a pop-up in the system tray of the recipient’s desktop. To set up network alerts, you must specify the name or IP of the computers where the Netsend messages will be sent.

2Archive - A collection of events stored in the SQL Server-based database backend of GFI EventsManager.

3Event classification - The categorization of events as Critical, High, Medium, Low, or Noise.

4Noise - Repeated or unwanted log entries which report the same event.