Owner's Manual
814 Events, Rules and Actions
• If you configure correlation, then when a correlated incoming alarm’s key bindings match the
initial alarm, that same count increment occurs. If they do not match, the system generates a
new alarm.
• If you configure correlation, and the Message Template or Severity do not match for
otherwise matching alarms, then the EMS closes the existing alarm and opens a new alarm.
Performance, Syslog and Traps
By default, this application generates alarms and event notifications for every event definition. This
provides maximum visibility for messages received. The caveat is that such a strategy can be
processor-intensive, unless it is well managed. Best practice is to determine which traps or syslog
messages are essential, and should generate events or events and alarms, and which traps to reject
without processing.
Because it is typically verbose, syslog has the potential to produce many events that would consume
processor time unnecessarily. The default for syslog is for the system to accept such messages,
generating an event for Event History without generating an alarm, but even this consumes
processor time.
Best practice is therefore to limit syslog messages on the device itself, restricting them even before
they get to the EMS. A typical solution is to configure the device to forward only the categories of
syslog messages that generate alarms. The alternative is degraded performance.
Escalating Syslog
This application has a single Event Definition for all Syslog messages. If you create a new Event
Processing Rule – Syslog, then it can escalate certain Syslog messages. The User Interface displays it
as Syslog Escalation Policy.
See Event Processing Rules below for more about creating these.
Some use cases:
• If you are receiving too many Syslog messages and want to reduce the volume, create a
Syslog escalation rule to escalate only the desired messages, then alter the Event Definition
for Syslog messages to reject all others. This rejects all Syslog messages except the messages
you have filtered in the escalation.
• If you want such messages to have a higher severity than the default Syslog Event Definition,
then create the escalation with that higher severity.
• If you want to search for certain strings in the Syslog message and raise the severity based on
that string, make a new escalation rule with these characteristics.
• If you want to tie an action to certain Syslog messages, then add an action to the rule (see
Action Editor on page 836).
• If you only want to use Syslog for security purposes, you can create an escalation rule to look
for only security messages and reject the rest.
These capabilities increase the power and flexibility of your response to syslog messages.
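The escalate-or-reject decision from the use cases above, modelled as an added Python sketch. It is not the EMS's own code or rule format; the rule patterns, severity names and sample messages are constructed assumptions.

```python
import re

# Syslog facility codes that normally carry security messages (RFC 5424 numbering).
SECURITY_FACILITIES = {4: "auth", 10: "authpriv", 13: "audit"}

# Hypothetical escalation rules: (pattern searched in the message, severity assigned).
# The severity names are placeholders, not the product's own severity list.
ESCALATION_RULES = [
    (re.compile(r"authentication failure|failed password", re.I), "Major"),
    (re.compile(r"configuration changed", re.I), "Warning"),
]

PRI = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def evaluate(line, default_action="reject"):
    """Return (action, severity, facility) for one raw syslog line.

    action is "escalate" when a rule matches; otherwise it is the default
    of the Syslog Event Definition ("reject" or "accept").
    """
    m = PRI.match(line)
    if not m or int(m.group(1)) > 191:       # 191 = facility 23, severity 7
        return ("reject", None, None)        # no valid PRI field
    pri, text = int(m.group(1)), m.group(2)
    facility = pri >> 3                      # PRI = facility * 8 + severity
    for pattern, severity in ESCALATION_RULES:
        if pattern.search(text):             # string match raises the severity
            return ("escalate", severity, facility)
    if facility in SECURITY_FACILITIES:      # security message without a string match
        return ("escalate", "Minor", facility)
    return (default_action, None, facility)


# Constructed sample messages, not captured from a real device.
SAMPLES = [
    "<38>Jan 12 10:01:44 sw1 sshd[411]: Failed password for admin from 192.0.2.7",
    "<189>Jan 12 10:02:10 sw1 cfgmgr: configuration changed by admin",
    "<190>Jan 12 10:02:30 sw1 ifmgr: interface ge-0/1 changed state to up",
    "<86>Jan 12 10:03:02 sw1 login: session opened for user admin",
    "text without a priority field",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(evaluate(sample), sample[:60])
```

With `default_action="accept"` the interface message is kept as an event only, which corresponds to the default syslog behavior described earlier in this section.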