Table 4-2 Event Rule Response Parameters (continued)

Parameter          Description
Send to SysLog     Select the check box if you wish to log the event. By default, the check box is clear.
                   For example, the syslog output may resemble:
                   Sep 28 12:39:01 localhost.localdomain ECS: Rule 'Name of Rule' Fired: 172.16.60.219:12642 -> 172.16.210.126:6666 6, Event Name: SCAN SYN FIN, QID: 1000398, Category: 1011, Notes: Event description
Response Limiter   Specify the frequency you wish this rule to respond.
Enable Rule        Select the check box to enable this rule. By default, the check box is selected.

Step 12  Click Next.
         The Rule Summary window appears.
Step 13  Review the configured rule. Click Finish.

Event Rule Tests

This section provides information on the tests you can apply to the rules, including:
• Event Property Tests
• IP/Port Tests
• Date/Time Tests
• Device Tests

Event Property Tests

The event property test group includes:

STRM Log Management Users Guide    Creating a Rule    47
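A parser for the "Rule ... Fired" syslog line shown under Send to SysLog in Table 4-2, added here as an example (not code from the guide or from STRM) so the response can be picked up by a downstream collector. It assumes the field layout of the one sample line in the table, and it takes the bare number after the destination port to be the IP protocol number (an assumption; 6 is TCP); the sample buffer is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample buffer: the Table 4-2 example line plus one unrelated
# syslog line that the parser must skip.
SAMPLE = ("Sep 28 12:39:01 localhost.localdomain ECS: Rule 'Name of Rule' Fired: "
          "172.16.60.219:12642 -> 172.16.210.126:6666 6, Event Name: SCAN SYN FIN, "
          "QID: 1000398, Category: 1011, Notes: Event description")
SAMPLE_BUFFER = SAMPLE + "\nSep 28 12:39:02 localhost sshd[4242]: Accepted publickey for ops\n"

# Field layout taken from the single example in the guide; the value after the
# destination port is assumed to be the IP protocol number.
RULE_FIRED = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) ECS: "
    r"Rule '(?P<rule>.*?)' Fired: "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<src_port>\d+) -> "
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<dst_port>\d+) (?P<proto>\d+), "
    r"Event Name: (?P<event>.*?), QID: (?P<qid>\d+), "
    r"Category: (?P<category>\d+), Notes: (?P<notes>.*)$"
)

@dataclass
class RuleFired:
    timestamp: str
    host: str
    rule: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: int
    event_name: str
    qid: int
    category: int
    notes: str

def parse_rule_fired(line: str) -> Optional[RuleFired]:
    """Parse one STRM rule-response syslog line; return None if it is not one."""
    m = RULE_FIRED.match(line.strip())
    if not m:
        return None
    return RuleFired(m["ts"], m["host"], m["rule"], m["src_ip"], int(m["src_port"]),
                     m["dst_ip"], int(m["dst_port"]), int(m["proto"]),
                     m["event"], int(m["qid"]), int(m["category"]), m["notes"])

def parse_rule_fired_lines(text: str) -> List[RuleFired]:
    """Parse a whole syslog buffer, keeping only STRM rule responses."""
    return [r for r in (parse_rule_fired(ln) for ln in text.splitlines()) if r]
```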