Management and Security powered by Landesk
Configuring alert rulesets
The Alert rulesets page displays all the alert rulesets that you can deploy to managed devices. There are three rulesets that appear by default, and you can create custom rulesets to apply specific types of monitoring to different kinds of devices.
The alert rulesets that appear by default on the Alert rulesets page are:
Core alert ruleset: This ruleset ensures that alerts originating on the core server are handled. This ruleset is installed on the core server but can't be installed on other devices, and you can only have one core alert ruleset. You can edit the ruleset but can't delete it from the core server. This ruleset contains a predefined group of alert types, including Device Monitor, Intel vPro alerts, and Serial Over LAN Session alert types.
LDMS default ruleset: This ruleset is deployed by default to all Ivanti managed devices. It includes alerts for security features included in Endpoint Manager, such as real-time inventory and monitoring, network access control, inventory scanner, and Security and Patch Manager alerts.
Provisioning ruleset: This ruleset contains alerts related to provisioning tasks, such as task begin and end, section completed, and wrong OS pre-boot environment. When a device is provisioned, this ruleset is used to send alerts related to the progress of the provisioning task. The ruleset is included in the provisioning agent and does not need to be manually deployed. You can edit this ruleset to change the actions associated with the provisioning alerts (for example, to be notified by e-mail when a provisioning task is complete).
In addition to these rulesets, you can create custom rulesets and apply them to groups of managed devices. You can deploy rulesets by scheduling a deployment task, or you can include rulesets when you deploy agents to devices using agent configuration. While the default rulesets are available to be deployed with agents, you can choose not to deploy the rulesets when you define the agent configuration.
Conflicts between rulesets
When you create a custom ruleset for a device, be aware that if a default ruleset has already been deployed to the device, you may have overlapping or conflicting alerting rules. If you deploy the default ruleset when you configure the managed device and then deploy a custom ruleset, both rulesets will be executed on the device.
For example, if both rulesets generate alerts for the same alert type but take different actions, you may have duplicate or unpredictable alert actions as a result.
Default log action
Every time you create an alert rule, a rule is automatically created with a "Log handler configuration" action. This happens so that every alert is always logged at the core server.
This default rule must always be in the ruleset: you can't delete it unless you delete all rules for that particular alert. In other words, if you have three rules for an alert, you can't delete the default rule unless you delete all three rules, but you can delete either of the other two rules for that alert.
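To make the two behaviours above concrete (a custom ruleset overlapping a deployed default ruleset, and the default log rule that cannot be deleted while other rules for the alert remain), here is a small Python model added here; it is not Ivanti code and not the product's ruleset format, and the ruleset names, the "Run script" action and the data shapes are assumed sample values.

```python
from dataclasses import dataclass, field

LOG_ACTION = "Log handler configuration"  # default action every alert rule gets


@dataclass
class Ruleset:
    """One alert ruleset, modelled as alert type -> list of action names (assumed shape)."""
    name: str
    rules: dict = field(default_factory=dict)

    def add_rule(self, alert_type: str, action: str) -> None:
        # The first rule for an alert type brings the default log rule with it.
        actions = self.rules.setdefault(alert_type, [LOG_ACTION])
        if action not in actions:
            actions.append(action)

    def delete_rule(self, alert_type: str, action: str) -> bool:
        # The default log rule may only be removed once it is the last rule left.
        actions = self.rules[alert_type]
        if action == LOG_ACTION and len(actions) > 1:
            return False  # refused: delete the other rules for this alert first
        actions.remove(action)
        if not actions:
            del self.rules[alert_type]
        return True


def find_overlaps(deployed: list) -> dict:
    """Alert types handled by two or more rulesets deployed to the same device.

    Returns alert type -> {"kind": ..., "by": {ruleset name: sorted actions}}.
    "duplicate": same actions in each ruleset, so the alert is actioned twice.
    "conflict": different actions, so the resulting behaviour is unpredictable.
    """
    by_alert: dict = {}
    for rs in deployed:
        for alert_type, actions in rs.rules.items():
            by_alert.setdefault(alert_type, {})[rs.name] = sorted(actions)
    overlaps = {}
    for alert_type, by in by_alert.items():
        if len(by) < 2:
            continue
        kind = "duplicate" if len({tuple(a) for a in by.values()}) == 1 else "conflict"
        overlaps[alert_type] = {"kind": kind, "by": by}
    return overlaps
```

Run `find_overlaps` over every ruleset scheduled for a device before deploying a custom one; any "conflict" entry is an alert type whose actions should be reconciled in one ruleset.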
Process for configuring a ruleset
Rulesets contain a collection of associated alerts, actions, and time filters. As you configure a ruleset, you'll define multiple action tasks and time filters that can be reused. The general procedure for configuring a ruleset includes the following steps:
- Create a ruleset
- Add new alert rules to a ruleset
- Define alert actions to use in rules
- Define time filters to use in alert rules
- Edit alert rules in a ruleset
- Include rulesets within other rulesets
- Publish a ruleset
Click here for an example of how to configure a ruleset.
Copyright © 2017, Ivanti. All rights reserved.