The <eventSelector> element defines the events that are selected for processing by a rule.
Omitting all <eventType> elements can negatively impact system performance.
Assume that you want to select all events of type Audit Failure. You can use a filtering predicate to further refine the selection criteria to include only the events that have an event attribute with a certain value. For example, you would code an <eventType> element to select all events of type Audit Failure, and code a <filteringPredicate> element to select only those events that have a hostname attribute with the value MyCriticalSystem.
<eventSelector> has the following attribute:
Name | Description | Data type | Required? |
---|---|---|---|
alias | This attribute is valid only within a sequence rule, which is the only rule that has multiple <eventSelector> elements. It uniquely names an event that is selected by a certain event selector in the sequence rule. Filtering predicates and actions can then use this alias name to access that event. | xsd:NMTOKEN | No |
<eventSelector> contains the following elements.
The elements must be coded in the order that is shown. If an element is optional, it does not need to be coded, but all elements that are coded must follow the correct order.
Element | Required or optional? |
---|---|
<eventType> | Optional. 0 or more occurrences are allowed. |
<filteringPredicate> | Optional. 0 or 1 occurrence is allowed. |
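
The structural rules above can be checked before a rule set is deployed. The following linter is an added example, not part of the product or its documentation: `lint_event_selector` and its `in_sequence_rule` flag are hypothetical names, the sample fragments are constructed, and the NMTOKEN check covers only the ASCII subset of the type.

```python
import re
import xml.etree.ElementTree as ET

# ASCII subset of xsd:NMTOKEN; the full type also allows non-ASCII name characters.
NMTOKEN = re.compile(r"[A-Za-z0-9._:-]+")
ORDER = ["eventType", "filteringPredicate"]  # child order from the element table

def lint_event_selector(xml_text, in_sequence_rule=False):
    """Return findings for one <eventSelector> fragment (hypothetical helper)."""
    sel = ET.fromstring(xml_text)
    if sel.tag != "eventSelector":
        return ["error: root element is not <eventSelector>"]
    names = [child.tag for child in sel]  # XML comments are dropped by the parser
    findings = [f"error: unexpected child <{n}>" for n in names if n not in ORDER]
    known = [n for n in names if n in ORDER]
    if known != sorted(known, key=ORDER.index):
        findings.append("error: <eventType> must precede <filteringPredicate>")
    if names.count("filteringPredicate") > 1:
        findings.append("error: more than one <filteringPredicate>")
    if "eventType" not in names:
        findings.append("warning: no <eventType> coded (performance impact)")
    alias = sel.get("alias")
    if alias is not None:
        if not in_sequence_rule:
            findings.append("error: alias is valid only within a sequence rule")
        if not NMTOKEN.fullmatch(alias):
            findings.append("error: alias is not a valid xsd:NMTOKEN")
    return findings

# Constructed samples; element bodies are comments because their inner syntax is not shown here.
GOOD = ("<eventSelector><eventType><!-- Audit Failure --></eventType>"
        "<filteringPredicate><!-- hostname is MyCriticalSystem --></filteringPredicate>"
        "</eventSelector>")
NO_TYPE = "<eventSelector><filteringPredicate/></eventSelector>"
WRONG_ORDER = "<eventSelector><filteringPredicate/><eventType/></eventSelector>"
ALIASED = '<eventSelector alias="firstFailure"><eventType/></eventSelector>'

if __name__ == "__main__":
    for label, doc in [("good", GOOD), ("no type", NO_TYPE), ("order", WRONG_ORDER)]:
        print(label, lint_event_selector(doc))
    print("alias outside sequence", lint_event_selector(ALIASED))
    print("alias inside sequence", lint_event_selector(ALIASED, in_sequence_rule=True))
```

Pass `in_sequence_rule=True` when the selector being checked was taken from a sequence rule, since that is the only place the alias attribute is valid.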