ESA Rules are not triggering Up
I have configured test alerts for the server shutdown for one of my server whose logs are as;
and the rule I configured is as;
But when we have tested by rebooting the system, the logs came but the alert didn't triggered up. Likewise there are many alerts which are not triggering though we received the logs on SA server.
Note: Concentrator is successfully added on ESA and is enabled.
Do anyone know about the root cause?
Okay, I was going to suggest the case sensitivity - but you have matched the case of your meta exactly so it is not that.
Have you actually deployed the rules to your ESA and are they deployed successfully?
I did some testing on this yesterday, and this morning on the way to work, realized I had made an error in my logic to get it to trigger at all.
This morning, I continued my testing and am having problems getting it to work.
Once I figure this out, I'll post something but let me know what version of Security Analytics and ESA you are using.