Correlation Triggers tab
The Correlation Triggers tab is accessed by clicking the Correlation tab at the top of the screen, and then selecting Triggers. The purpose of this screen is to watch for specific message patterns, and then set flags (with an expiration time) when messages are received. This supports other correlation features, such as Threads, Actions, and Patterns. The Correlation Triggers tab is depicted in the following image.
Correlation Triggers, like Correlation Alerts, provide an important way of correlating activity on the system, and comprise a major function of the BMC Defender Server. Operators can add new Triggers, or modify existing Triggers, based upon message content.
Trigger configuration items
When the user clicks the AddNew or Edit option, BMC Defender Server displays an input form that allows the user to create or modify the various trigger parameters. Both admin and user type logins can add or modify BMC Defender Server alerts. These trigger parameters are as follows:
- Unique Trigger Name—This is the unique name of the trigger. The name must be brief and under 15 characters in length. (This short name is used in various drop-down menus, and can be used as a variable in expressions, so succinctness of the name is required.)
- Pin Trigger To Top Of List—This drop-down menu appears only on the Edit screen, and allows the user to pin the trigger to the top of the list. This allows users to keep track of a particular trigger of interest. Each user can pin items without affecting other users.
- Trigger is Retriggerable—This input specifies whether a message that matches the Set Trigger Expression (defined below) causes the trigger expiration time to be reset. If the value is set to Yes, the counter is retriggerable, and the trigger timer is reset to zero on each matching message. If the value is set to No, the counter continues from the first match. This determines whether the trigger tracks the first matched message or the last matched message. (In many cases this is immaterial, but the setting can be important for some types of correlation.)
- Set Trigger Expression—This text area defines which messages set the trigger. The operator can specify simple or complex match patterns, logical combinations of match patterns, macro definitions of match patterns, and logical combinations of macro definitions. Brief help on match expressions is also available by clicking the Expression Help hyperlink to the left of this text area. The format of the match expression is identical to that found in the Threads facility.
- Clear Trigger Expression—This text area defines which messages clear the trigger. The format of the match expression is identical to that of the Set Trigger Expression. If a message matches the Clear expression, the trigger is cleared immediately. Otherwise, the trigger clears when the Trigger Expiration Time (defined below) is reached.
- Trigger Expiration Time—This input specifies the time in seconds after which the trigger expires. If a Clear expression is not matched (or is not specified), the trigger is automatically cleared when the expiration time is reached. The time left until expiration appears on the top-level Triggers tab.
- Trigger Expiration Severity—This input specifies the severity of a message that is generated if the trigger expires. By default, no message is generated when a trigger expires. The value can be used to correlate situations where an expected message (following the previous message) does not occur, such as when an invalid login is not followed by a valid login within two minutes.
- Manually Set Trigger—This option allows you to set the trigger immediately. When the trigger is set, this option changes and allows the user to manually clear the trigger. This allows the user to test trigger states and combinations without generating test messages.
Trigger active instances
Each Trigger has a top-level indicator used in the Threads and Actions screens, but can additionally have multiple separate instances that are created dynamically. The Active Instances link, in the third column of the table, allows the operator to drill down and view the currently active trigger instances, which is useful for determining the particular devices associated with the trigger message.
When a trigger is set, a copy of the trigger is automatically created and associated with the sending device address. Therefore, a trigger reflects each device that has sent a matching message, as well as the aggregate of all messages. This capability is used in the Alert > Patterns screen, documented in its own section, and is especially useful for tracking the state of individual devices as well as aggregate messages.
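The trigger behaviour described in the configuration items and the per-device instances above (set and clear expressions, the retriggerable flag, expiration with an optional severity message, and one instance per sending device) can be modelled as a small state machine. The following is an added illustration, not BMC Defender Server code: it uses Python regular expressions in place of the product's own match-expression syntax, and the login messages are constructed samples.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Trigger:
    name: str                               # Unique Trigger Name (under 15 characters)
    set_expr: str                           # stands in for the Set Trigger Expression
    clear_expr: Optional[str]               # stands in for the Clear Trigger Expression
    expiration: int                         # Trigger Expiration Time, in seconds
    retriggerable: bool                     # Trigger is Retriggerable (Yes/No)
    expiry_severity: Optional[str] = None   # Trigger Expiration Severity (None = no message)
    instances: Dict[str, int] = field(default_factory=dict)  # device -> expiry timestamp

    def expire(self, now: int) -> List[str]:
        """Drop instances whose timer has run out; emit an expiry message if configured."""
        out = []
        for device, due in list(self.instances.items()):
            if now >= due:
                del self.instances[device]
                if self.expiry_severity:
                    out.append(f"{self.expiry_severity}: trigger {self.name} expired for {device}")
        return out

    def feed(self, now: int, device: str, message: str) -> List[str]:
        """Apply one received message; return any messages the trigger generates."""
        out = self.expire(now)
        if self.clear_expr and re.search(self.clear_expr, message):
            self.instances.pop(device, None)            # Clear match clears immediately
        elif re.search(self.set_expr, message):
            if device not in self.instances or self.retriggerable:
                self.instances[device] = now + self.expiration  # start (or restart) the timer
        return out

    def is_set(self, device: Optional[str] = None) -> bool:
        """Aggregate state with no device; per-instance state for a given device."""
        return bool(self.instances) if device is None else device in self.instances

def run_login_scenario():
    """Invalid login not followed by a valid login within two minutes (120 s)."""
    trig = Trigger("BADLOGIN", r"login failed", r"login ok", 120,
                   retriggerable=False, expiry_severity="Warning")
    events = [  # constructed sample messages: (seconds, device, text)
        (0,   "10.0.0.5", "sshd: login failed for alice"),
        (30,  "10.0.0.9", "sshd: login failed for bob"),
        (60,  "10.0.0.5", "sshd: login failed for alice"),  # not retriggerable: timer keeps running
        (90,  "10.0.0.9", "sshd: login ok for bob"),        # Clear expression fires for this device
        (150, "10.0.0.5", "cron: nightly job started"),     # alice's instance has expired by now
    ]
    generated = []
    for t, dev, msg in events:
        generated += trig.feed(t, dev, msg)
    return trig, generated
```

The device-level instances are what the Active Instances link exposes, while `is_set()` with no device is the top-level indicator used by Threads and Actions.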
Additional notes on triggers
Triggers are a more advanced feature of the BMC Defender Server system, and are incorporated into the Threads, Correlation Actions, and Patterns screens. Triggers provide the ability to add context to the list of streaming messages. They can also be used in match expressions.
In general, most correlation does not require trigger capability, and this function is not necessarily used at every site. However, if a particular type of correlation relies on message context of any type, where the handling of a series of messages depends on the reception (or non-reception) of a previous message, the trigger facility is essential. For example, a correlation might need to capture data following an error, a system alert, or a system message that affects how the following messages are interpreted. Any of these conditions requires a trigger.