KBI 220221 AND and OR Logic In Argent Rules
Version
XT 7.0A and later
Date
21 May 2004
Summary
Many Argent Rules accept the OR keyword in their condition lists.
Technical Background
In all these cases, an OR button in the top-right corner of the condition list inserts the keyword OR.
The logic of the condition is:
- AND logic is assumed between items not separated by the keyword OR.
- If any group separated by the keyword OR is true, the condition is true.
- If there are multiple condition lists, AND logic is assumed between the lists. In other words, the rule is true if and only if all the condition lists are true.
- An empty condition list is assumed to be true.
Example One
Performance Rule ‘PRF_SERVER_REALLY_BUSY’ has the following lines in the list:
% Processor Time of Processor (0) GREATER THAN 80.00
Pages/sec of Memory GREATER THAN 100.00
The rule is true if and only if CPU usage is greater than 80% and Pages/sec is greater than 100.
Both conditions must be true for the rule to be broken.
Example Two
Performance rule ‘PRF_SERVER_SOMEWHAT_BUSY’ has the following lines in the list:
% Processor Time of Processor (0) GREATER THAN 80.00
OR
Pages/sec of Memory GREATER THAN 100.00
The rule is true if and only if CPU usage is greater than 80% OR Pages/sec is greater than 100.
The rule is broken if either of these conditions is true.
Example Three
Performance rule ‘PRF_SERVER_BAD_SHAPE’ has the following lines in the list:
% Processor Time of Processor (0) GREATER THAN 80.00
Pages/sec of Memory GREATER THAN 100.00
OR
% Free Space of LogicalDisk (Any Instance) LESS THAN 30.00
The rule is true if and only if CPU usage is greater than 80% and Pages/sec is greater than 100, or some disk has less than 30% free space. So, if any disk on the machine has less than 30% free space, the rule is broken. Likewise, if the machine has CPU usage greater than 80% and Pages/sec greater than 100, the rule is broken.
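The evaluation logic described under Technical Background, applied to the three performance rules above, as an added example; this is illustrative code written for this article, not part of Argent. The comparison keywords and the representation of "(Any Instance)" as the lowest free-space figure across disks are assumptions; the sample counter values are constructed.

```python
import re
from operator import eq, gt, lt

# Comparison keywords as they appear in the article's condition lines (assumed mapping).
OPS = {"GREATER THAN": gt, "LESS THAN": lt, "EQUAL": eq}
LINE_RE = re.compile(r"^(?P<counter>.+?)\s+(?P<op>GREATER THAN|LESS THAN|EQUAL)\s+(?P<value>-?\d+(?:\.\d+)?)$")

def parse_line(line):
    """'Pages/sec of Memory GREATER THAN 100.00' -> ('Pages/sec of Memory', gt, 100.0)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised condition line: {line!r}")
    return m["counter"], OPS[m["op"]], float(m["value"])

def split_groups(lines):
    """Split a condition list on the keyword OR; AND is implicit inside each group."""
    groups, current = [], []
    for line in lines:
        if line.strip().upper() == "OR":
            groups.append(current)
            current = []
        else:
            current.append(line)
    groups.append(current)
    return groups

def eval_list(lines, sample):
    """One condition list is true if any OR group is entirely true; an empty list is true."""
    groups = [g for g in split_groups(lines) if g]   # a stray OR yields no extra group
    if not groups:
        return True
    return any(all(op(sample[counter], value) for counter, op, value in map(parse_line, g))
               for g in groups)

def rule_broken(condition_lists, sample):
    """Several condition lists are ANDed: the rule fires only when every list is true."""
    return all(eval_list(lines, sample) for lines in condition_lists)

# The three performance rules from the article, written exactly as their condition lines.
CPU, PAGES, DISK = ("% Processor Time of Processor (0)", "Pages/sec of Memory",
                    "% Free Space of LogicalDisk (Any Instance)")
REALLY_BUSY = [[f"{CPU} GREATER THAN 80.00", f"{PAGES} GREATER THAN 100.00"]]
SOMEWHAT_BUSY = [[f"{CPU} GREATER THAN 80.00", "OR", f"{PAGES} GREATER THAN 100.00"]]
BAD_SHAPE = [[f"{CPU} GREATER THAN 80.00", f"{PAGES} GREATER THAN 100.00", "OR",
              f"{DISK} LESS THAN 30.00"]]

# Constructed samples; "(Any Instance)" is modelled as the lowest free-space figure across disks.
CPU_ONLY = {CPU: 95.0, PAGES: 40.0, DISK: 60.0}
LOW_DISK = {CPU: 10.0, PAGES: 5.0, DISK: 20.0}
```

With `CPU_ONLY`, only PRF_SERVER_SOMEWHAT_BUSY is broken; with `LOW_DISK`, only PRF_SERVER_BAD_SHAPE is, matching the three examples.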
Example Four
Event Log Rule ‘EVT_EVENT_1000’ has the following conditions:
(Event ID Filter) Include Events With ID Equal 1000
(Event String Filter) Empty
(Event Time Filter) Empty
The rule is true if and only if the event id is 1000. The event string filter and time filter are empty, so they are assumed to be true.
Example Five
Event Log Rule ‘EVT_EVENT_1000_ROUTER’ has the following conditions:
(Event ID Filter) Include Events With ID Equal 1000
(Event String Filter) Include Events Contains String “Router” From Event Fields: Text
(Event Time Filter) Empty
The rule is true if and only if the event ID is 1000 and the event detail contains the string ‘router’. The event time filter is empty, so it is assumed to be true.
Example Six
Event Log Rule ‘EVT_EVENT_1000_ROUTER_10PM’ has the following conditions:
(Event ID Filter) Include Events With ID Equal 1000
(Event String Filter) Include Events Contains String “Router” From Event Fields: Text
(Event Time Filter) Include Events Occurring After 22:00 And Before 23:00
The rule is true if and only if the event ID is 1000, the event detail contains the string ‘router’, and the event occurs between 10 p.m. and 11 p.m. on any day.
Resolution
N/A.