The Event Log Processor processes events in much the same way a firewall processes packets. It evaluates an ordered set of rules, each of which can be final (a final rule is the last one evaluated for that event) or not.

Figure 1. Rule Evaluation Example
In the Rule Evaluation Example figure, an event is submitted to the root rule (Rule 1) and propagated down the chain. Here Rule 5 is a final rule; a typical final rule is one that forwards the event to the next Processing Element. When the evaluation engine evaluates a rule, there are four possible results:
  • continue: This is the default result of most rules. It tells the engine that evaluation should proceed with the next rule.

  • success: A rule returns this result when it has successfully handled the incoming event. In firewall terminology it is very similar to an ACCEPT target. This is what happens at Rule 5 in the example above.

  • failure: This result is returned when a rule fails to evaluate, typically because the incoming event does not meet a preliminary condition the rule expects (for example, a field does not have the required value). In firewall terminology it is very similar to a DROP target.

  • error: This happens when a rule fails badly or unexpectedly for a reason outside its control. For example, a rule that accesses an external resource results in an error if the resource is not reachable. Unlike a failure, which is the expected outcome for an event that does not match, an error means the rule could not do its job at all.

Note: Only the continue result causes further rules to be processed. The other three results stop processing within the current rule set and return control to the parent set. For each individual rule you can override the result and replace it with another. For example, if a rule returns failure because an event does not match a condition, you can choose to continue the evaluation by overriding failure with continue. In the Rule Evaluation Example, the success result of Rule 5 could have been overridden with continue, which would have forwarded the event on to Rule 6; a final rule whose success is overridden this way is therefore no longer final. In this way it is possible to define complex, backtracking nested chains that handle many different kinds of events and process each one appropriately. See section Event Log Processor Configuration for an example of the override syntax.
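The semantics above, as an added Python model written for this page; it is not the Event Log Processor's own code or configuration syntax. It models the four results, the rule that stops its set and returns control to the parent, the per-rule override (including Rule 5's success overridden to continue so that Rule 6 is reached), and backtracking to a sibling chain when a precondition fails. Everything it assumes is constructed for illustration: that a rule may wrap a nested rule set whose result becomes the wrapping rule's own result before the override is applied, the rule numbering, the syslog-like events, the in-memory lookup table standing in for an external resource, and the sink names.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Result(Enum):
    CONTINUE = "continue"  # keep evaluating the current rule set
    SUCCESS = "success"    # event handled (ACCEPT-like); stops the current set
    FAILURE = "failure"    # precondition not met (DROP-like); stops the current set
    ERROR = "error"        # rule broke for a reason outside its control; stops the set


Event = Dict[str, object]
Trace = List[Tuple[str, str]]  # (rule name, "raw" or "raw->overridden")


@dataclass
class RuleSet:
    rules: List["Rule"]

    def evaluate(self, event: Event, trace: Trace) -> Result:
        # Only 'continue' moves on to the next rule; any other result stops
        # this set and is handed back to the parent rule.
        for rule in self.rules:
            result = rule.evaluate(event, trace)
            if result is not Result.CONTINUE:
                return result
        return Result.CONTINUE


@dataclass
class Rule:
    name: str
    action: Callable[[Event], Result] = lambda event: Result.CONTINUE
    nested: Optional[RuleSet] = None  # assumption: a rule may wrap a child rule set
    override: Dict[Result, Result] = field(default_factory=dict)

    def evaluate(self, event: Event, trace: Trace) -> Result:
        try:
            raw = self.nested.evaluate(event, trace) if self.nested else self.action(event)
        except Exception:
            raw = Result.ERROR  # e.g. an external resource is unreachable
        final = self.override.get(raw, raw)  # per-rule result override
        trace.append((self.name, raw.value if raw is final else f"{raw.value}->{final.value}"))
        return final


def match(key: str, value: object) -> Callable[[Event], Result]:
    """Precondition rule: continue when event[key] == value, failure otherwise."""
    return lambda event: Result.CONTINUE if event.get(key) == value else Result.FAILURE


def lookup(table: Optional[Dict[str, str]]) -> Callable[[Event], Result]:
    """Enrichment from an 'external' table; an unavailable table is an error, not a failure."""
    def action(event: Event) -> Result:
        if table is None:
            raise RuntimeError("lookup table unavailable")
        event["country"] = table.get(str(event.get("src_ip")), "unknown")
        return Result.CONTINUE
    return action


def forward(sink: str, outbox: List[Tuple[str, Event]]) -> Callable[[Event], Result]:
    """Final rule: hand a copy of the event to the next Processing Element, report success."""
    def action(event: Event) -> Result:
        outbox.append((sink, dict(event)))
        return Result.SUCCESS
    return action


GEOIP = {"203.0.113.7": "NL"}  # constructed stand-in for an external database


def process(event: Event, geoip: Optional[Dict[str, str]] = GEOIP,
            rule5_override: Optional[Dict[Result, Result]] = None):
    """Run one event through the constructed chain; return (result, trace, forwarded copies)."""
    outbox: List[Tuple[str, Event]] = []
    sshd_chain = RuleSet([
        Rule("Rule 3", match("program", "sshd")),
        Rule("Rule 4", lookup(geoip)),
        Rule("Rule 5", forward("next-pe", outbox), override=rule5_override or {}),
        Rule("Rule 6", forward("archive", outbox)),  # reached only if Rule 5 is overridden
    ])
    root = Rule("Rule 1", nested=RuleSet([
        # Rule 2 wraps the sshd chain. Turning its failure into continue lets a
        # non-sshd event backtrack to Rule 7 instead of being dropped.
        Rule("Rule 2", nested=sshd_chain, override={Result.FAILURE: Result.CONTINUE}),
        Rule("Rule 7", forward("catch-all", outbox)),
    ]))
    trace: Trace = []
    return root.evaluate(dict(event), trace), trace, outbox


if __name__ == "__main__":
    SSH = {"program": "sshd", "src_ip": "203.0.113.7", "msg": "Accepted publickey"}
    CRON = {"program": "cron", "msg": "job started"}
    cases = [
        ("sshd, Rule 5 final", dict(event=SSH)),
        ("sshd, Rule 5 success->continue",
         dict(event=SSH, rule5_override={Result.SUCCESS: Result.CONTINUE})),
        ("cron, backtracks to Rule 7", dict(event=CRON)),
        ("sshd, lookup table unavailable", dict(event=SSH, geoip=None)),
    ]
    for label, kwargs in cases:
        result, trace, outbox = process(**kwargs)
        print(f"{label}: {result.value}  trace={trace}  sinks={[s for s, _ in outbox]}")
```

Two points worth noticing in the trace. First, the override on Rule 2 maps only failure to continue, so a non-matching cron event backtracks to the catch-all Rule 7, while an error raised by the lookup in Rule 4 is not swallowed: it propagates up through Rule 2 and Rule 1 and the event is forwarded nowhere. When writing such overrides, map failure and error separately rather than blanket-continuing, or a broken external dependency will silently turn into a dropped or misrouted event. Second, with Rule 5's success overridden to continue the sshd event is forwarded twice, to next-pe and to archive, which is exactly what makes the rule no longer final.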