Issues setting up a Correlation Rule.
I'm trying to create a correlation rule fed by some events from NIC System. My goal is to create a rule from other Correlation Rules, but I've tried to simplify it.
My steps are: I create a generic rule with device group NIC_ALL and a filter in Event Selection. Then I create a view. When I try to start the view, it keeps showing 'Error in view'.
The Event Viewer says:
6 2010/08/12 10:00:09.390 CEST 172.23.14.5 %NIC-5-608027: Alerter, Alerter, -, -, -, -, Detail: 5208: 729 view=VW_621 stopped.
5 2010/08/12 10:00:08.390 CEST 172.23.14.5 %NIC-4-608025: Alerter, Alerter, -, -, -, -, Detail: 5208: 9496 view=VW_621 error no devices configured.
4 2010/08/12 10:00:08.390 CEST 172.23.14.5 %NIC-5-608026: Alerter, Alerter, -, -, -, -, Detail: 5208: 1678 view=VW_621 started.
3 2010/08/12 10:00:03.546 CEST 172.23.14.5 %NIC-5-608024: Alerter, Alerter, -, -, -, -, Detail: 5208: 1620 view=VW_621 initialized.
2 2010/08/12 10:00:03.530 CEST 172.23.14.5 %NIC-4-608028: Alerter, Alerter, -, -, -, -, Detail: 5208: 12305 view=VW_621 device group=NIC_ALL not found.
1 2010/08/12 10:00:02.280 CEST 172.23.14.5 %NIC-5-608020: Alerter, Alerter, -, -, -, -, Detail: 5208: 1142 Requesting view=VW_621 to start
I've tried the following:
- Set up a mask in the Value field of Event Selection in the Statement definition.
- Set up the filter into [CONTENT] of Set Filter of the Statement with IN or REGEX.
- Remove all filters (I know it's not wise to trigger a correlation rule of the Event 919010, but it was just a test).
- I've tried restarting all services through the NIC Service Manager service.
- I've tried changing the device group of the Device Selection of the Correlation Statement to a custom dynamic device group of all NIC System.
Also, I've read the thread "Correlation against the output of other correlation rules", which seems to be similar.
BTW, it's an LS enVision. Version: enVision v4.0 SP 3 Build: 0311
I would really appreciate it if you could help. I have run out of ideas.