Event rule actions, such as bans, approvals, and moving computers between policies, can cause serious security and operational issues if not properly configured. Because of this, it is strongly recommended that any new rule be run in Simulate only mode before it is fully enabled. Simulate only is one of the options on the Add Event Rule and Edit Event Rule pages.

When you run an event rule in Simulate only mode, you can apply the rule to past notifications and view the events that could have been processed by the rule. You can then review these results and, if needed, add or change filters to narrow the conditions under which the rule is triggered. If you open the Edit Event Rule page for the sample rules, you can see some of the ways filters are used to limit the events processed by a rule. For a description of these rules, see Sample Event Rules.

Procedure

  1. On the console menu, navigate to the Rules > Event Rules page.
    The Event Rules page appears, showing the available rules and their status.
  2. Click the View Details button next to the rule you want to edit.
    The Edit Event Rule page for that rule opens.
  3. Examine the configuration of the rule, changing it if necessary.
  4. In the Status field, select the Simulate only radio button.
  5. Make any other changes to the rule and click the Save button.
    Note: You must remain on the Event Rule details page to complete this process, so do not click the Create & Exit button.
  6. On the Advanced menu to the right of the page, click Re-apply rule, select a time period in the dialog box, and click Go.
    This action determines the window of past events the rule will be applied to. Depending upon the volume of matching events, you might want to limit the initial test to a short period, such as 1 day.
  7. Continue to monitor the page, periodically clicking Refresh Page in the Processed Events panel until the Last Processed Event field in the History panel shows no more events to process.
    For an example of the information shown in the Processed Events panel, see Event Rule History and Processed Events List.
  8. If the events you expected do not appear in the Processed Events panel, or if you see more or different events than expected, modify the rule accordingly, click Save again, and reapply the rule.
    If you followed the steps above, events related to the rule appear in the table of events with Simulated in the Status field.
  9. To simulate the rule for a longer period, change the Re-apply rule value and click Go.
  10. Once you see the events you expect and determine that the rule has no negative effects, change the rule Status to Enabled, and click Save & Exit.

Results

The rule is executed on new events. Use the Re-apply menu if you want the rule to run actively on past events.