The <activateOnEvent> element defines the events that can activate the rule or, for rules that are defined with a <groupingKey> element, a rule instance.
If the rule is inactive and no <eventType> or <filteringPredicate> element is coded, any event that occurs is selected.
Not coding any <eventType> elements can negatively impact system performance.
Assume that you want to select all events of type Audit Failure. You can use a filtering predicate to further refine the selection criteria to include only the events that have an event attribute with a certain value. For example, you would code an <eventType> element to select all events of type Audit Failure, and code a <filteringPredicate> element to select only those events that have a hostname attribute with the value MyCriticalSystem.
<activateOnEvent> has no attributes.
<activateOnEvent> contains the following elements.
The elements must be coded in the order that is shown. If an element is optional, it does not need to be coded, but all elements that are coded must follow the correct order.
Element | Required or optional? |
---|---|
<eventType> | Optional. 0 or more occurrences are allowed. |
<filteringPredicate> | Optional. 0 or 1 occurrence is allowed. |
<stopAfter> | This element is valid only when the <activateOnEvent> element is contained within the <activationByGroupingKey> element. Optional. 0 or 1 occurrence is allowed. |
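
The ordering and occurrence rules in the table above can be checked mechanically before a rule set is deployed. The following is an added example, not code from the product or its documentation. It assumes that "contained within" means a direct parent, uses a hypothetical `<rule>` wrapper element, and leaves the child elements empty because their content syntax is not shown on this page.

```python
import xml.etree.ElementTree as ET
# (element name, maximum occurrences or None for unbounded), in required order
CHILD_ORDER = [("eventType", None), ("filteringPredicate", 1), ("stopAfter", 1)]

# Constructed sample: <rule> is a hypothetical wrapper; children are empty
# placeholders. The second <activateOnEvent> breaks two of the rules.
SAMPLE = """<rule>
  <activationByGroupingKey>
    <activateOnEvent><eventType/><eventType/><filteringPredicate/><stopAfter/></activateOnEvent>
  </activationByGroupingKey>
  <activateOnEvent><filteringPredicate/><eventType/><stopAfter/></activateOnEvent>
</rule>"""

def local(tag):
    """Drop an XML namespace prefix of the form {uri}name."""
    return tag.rsplit("}", 1)[-1]

def check_activate_on_event(xml_text):
    """Return a list of problems found in every <activateOnEvent> element."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    names = [name for name, _ in CHILD_ORDER]
    problems = []
    for elem in root.iter():
        if local(elem.tag) != "activateOnEvent":
            continue
        if elem.attrib:
            problems.append("<activateOnEvent> has no attributes")
        position, counts = 0, {}
        for child in elem:
            name = local(child.tag)
            if name not in names:
                problems.append(f"unexpected child <{name}>")
                continue
            index = names.index(name)
            if index < position:  # an earlier-ordered element after a later one
                problems.append(f"<{name}> is out of order")
            position = max(position, index)
            counts[name] = counts.get(name, 0) + 1
        for name, limit in CHILD_ORDER:
            if limit is not None and counts.get(name, 0) > limit:
                problems.append(f"<{name}> occurs more than {limit} time(s)")
        parent = parent_of.get(elem)  # assumption: direct parent only
        in_grouping = parent is not None and local(parent.tag) == "activationByGroupingKey"
        if counts.get("stopAfter") and not in_grouping:
            problems.append("<stopAfter> requires an <activationByGroupingKey> parent")
        if not counts.get("eventType"):
            problems.append("warning: no <eventType> coded, may hurt performance")
    return problems
```

Calling `check_activate_on_event(SAMPLE)` reports the misplaced `<eventType>` and the `<stopAfter>` outside `<activationByGroupingKey>` in the second element, and nothing for the first.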