Example: Correlating Events Based on Receipt of Other Events Within a Specified Time Interval
In the following policy, a set of commands is issued and the output is logged and saved to a given location. The policy is executed if event3, event4, or event5 occurs within 60 seconds after event1 or event2 occurs. The pseudocode for the policy is as follows:
if this event is (event3 or event4 or event5)
and (event1 or event2 has been received within the last 60 seconds)
then {
    run a set of commands;
    log the output of these commands to a location;
}
Specify two archive sites in the configuration. The device attempts to transfer to the first archive site in the list, moving to the next site only if the transfer fails.
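The following added example is a small Python model of the policy logic and archive-site failover described above. It is not Junos code or configuration and is not part of the original documentation. The site names, the transfer callback, the sample event times, and the treatment of exactly 60 seconds as inside the interval are assumptions made for illustration.

```python
from collections import deque

TRIGGER_EVENTS = {"event3", "event4", "event5"}   # events that can fire the policy
CORRELATED_EVENTS = {"event1", "event2"}          # must have been seen recently
WINDOW_SECONDS = 60


class PolicyModel:
    """Illustrative model only; assumes events arrive in time order."""

    def __init__(self, archive_sites, transfer):
        self.archive_sites = list(archive_sites)  # tried in the order listed
        self.transfer = transfer                  # callable(site, data) -> bool
        self.recent = deque()                     # timestamps of event1/event2

    def archive(self, data):
        """Return the first site that accepts the upload, or None if all fail."""
        for site in self.archive_sites:
            if self.transfer(site, data):
                return site                       # stop at the first success
        return None

    def on_event(self, name, ts):
        """Process one event; return (fired, archive_site_used)."""
        if name in CORRELATED_EVENTS:
            self.recent.append(ts)
        # Forget correlating events that are older than the interval.
        while self.recent and ts - self.recent[0] > WINDOW_SECONDS:
            self.recent.popleft()
        if name in TRIGGER_EVENTS and self.recent:
            output = f"command output for {name} at t={ts}"
            return (True, self.archive(output))
        return (False, None)


# Constructed sample: (event name, seconds since start).
SAMPLE = [("event3", 0), ("event1", 10), ("event4", 40),
          ("event5", 75), ("event2", 100), ("event3", 160)]


def replay(events, failing_sites=()):
    """Replay events against two hypothetical sites; failing_sites reject uploads."""
    model = PolicyModel(["site-a", "site-b"],
                        lambda site, data: site not in failing_sites)
    return [model.on_event(name, ts) for name, ts in events]


if __name__ == "__main__":
    for event, result in zip(SAMPLE, replay(SAMPLE, failing_sites={"site-a"})):
        print(event, result)
```

In the sample, event3 at t=0 does not fire because no correlating event precedes it, and event5 at t=75 does not fire because event1 at t=10 is more than 60 seconds old.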