activateOnEvent element

The <activateOnEvent> element defines the events that can activate the rule or, for rules that are defined with a <groupingKey> element, a rule instance.

Following are the three possible ways of selecting events:
  • The use of one or more <eventType> elements with a <filteringPredicate> element
  • The use of one or more <eventType> elements without a <filteringPredicate> element
  • The use of a <filteringPredicate> element without any <eventType> elements

If the rule is inactive and no <eventType> or <filteringPredicate> element is coded, any event that occurs is selected.

Not coding any <eventType> elements can negatively impact system performance, because every event that occurs must then be evaluated against the rule rather than only events of the coded types.

Assume that you want to select all events of type Audit Failure. You can use a filtering predicate to further refine the selection criteria to include only the events that have an event attribute with a certain value. For example, you would code an <eventType> element to select all events of type Audit Failure, and code a <filteringPredicate> element to select only those events that have a hostname attribute with the value MyCriticalSystem.
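The selection rules above, including the Audit Failure example, modelled in Python as an added illustration (this is not the product's own code). It assumes an event is a dict with a "type" key plus attribute keys, and it models the filtering predicate as a Python callable because the page does not give the predicate syntax:

```python
"""Model of <activateOnEvent> selection semantics (added illustration, not product code).

Assumptions not stated on the page: an event is a dict with a "type" key and
attribute keys; a <filteringPredicate> is represented as a callable over that dict.
"""
from typing import Callable, Iterable, List, Optional

Event = dict
Predicate = Callable[[Event], bool]


def selects_event(event: Event,
                  event_types: Iterable[str] = (),
                  filtering_predicate: Optional[Predicate] = None) -> bool:
    """Return True when the event would activate the rule.

    Covers the cases the page describes:
      1. <eventType> elements with a <filteringPredicate>: type must match AND predicate holds
      2. <eventType> elements only: type must match
      3. <filteringPredicate> only: predicate holds, whatever the event type
      4. neither coded: every event is selected (the performance-costly case)
    """
    types = set(event_types)
    if types and event.get("type") not in types:
        return False
    if filtering_predicate is not None and not filtering_predicate(event):
        return False
    return True


def select(events: Iterable[Event],
           event_types: Iterable[str] = (),
           filtering_predicate: Optional[Predicate] = None) -> List[Event]:
    """Apply selects_event() to a stream of events and return those selected."""
    return [e for e in events if selects_event(e, event_types, filtering_predicate)]


def critical_host(event: Event) -> bool:
    """Predicate from the page's example: hostname attribute equals MyCriticalSystem."""
    return event.get("hostname") == "MyCriticalSystem"


# Constructed sample events; not captured from any real system.
SAMPLE_EVENTS = [
    {"type": "Audit Failure", "hostname": "MyCriticalSystem", "user": "svc-backup"},
    {"type": "Audit Failure", "hostname": "OtherHost", "user": "alice"},
    {"type": "Audit Success", "hostname": "MyCriticalSystem", "user": "alice"},
]

if __name__ == "__main__":
    # The page's example: all Audit Failure events, narrowed to MyCriticalSystem.
    for e in select(SAMPLE_EVENTS, ["Audit Failure"], critical_host):
        print(e)
```

Calling select() with no event types and no predicate returns every sample event, which is the case the performance note warns about.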

Attributes

<activateOnEvent> has no attributes.

Contained within

<activateOnEvent> is contained within the following elements:

Contains

<activateOnEvent> contains the following elements.

The elements must be coded in the order that is shown. If an element is optional, it does not need to be coded, but all elements that are coded must follow the correct order.

Table 1. Elements contained within the <activateOnEvent> element

Element               Required or optional?
<eventType>           Optional. 0 or more occurrences are allowed.
<filteringPredicate>  Optional. 0 or 1 occurrence is allowed.
<stopAfter>           Optional. 0 or 1 occurrence is allowed. This element is valid only when the <activateOnEvent> element is contained within the <activationByGroupingKey> element.