For an introduction to Actions (i.e. Correlation Actions), see What are Actions?.
To create, enable, change, or delete an Action:
1. | In the side bar, select Resources >Configuration Manager. |
2. | In the side bar of the Configuration Manager, select Correlation > Actions. |
TLC presents your Actions in the workspace table.
Tip |
You can sort, group, and filter the contents of tables. For more information, see Working with Tables). |
---|
3. | To create a new Action: |
a. | ClickAdd. |
b. | In the Action properties dialog, complete the standard fields (see Table 98). |
c. | Complete the tabs in the Action properties dialog (see Table 99) and click OK. |
To modify an existing Action:
a. | In the workspace, double-click the Action. |
b. | As needed, edit the Action properties dialog and click OK. |
To enable a disabled Action, select the Action in the workspace and clickEnable.
To disable an Action, select the Action and clickDisable.
To delete an Action:
a. | In the workspace, select the Action. |
b. | Right-click the Action and select Delete Action. |
c. | In the confirmation dialog, click Yes. |
A Script Action runs an executable file (e.g., an EXE or BAT file) saved in the Scripts folder of the TLC Manager installation directory on your Primary Manager. If an executable file assigned to a Script Action has changed since the last time TLC ran the Action, the Action will be highlighted in the workspace table. In this case, TLC will not run the Action until the executable file's integrity is verified.
To verify the integrity of a changed executable file:
a. | Consult with your TLC administrator to confirm that the change is an authorized modification of the executable file. |
b. | In the workspace, right-click the Script Action and select Verify File Change. |
c. | In the Verify Change to File dialog, select the check box and click Yes. |
Tip |
Your changes will not take effect until you push updates to your Managers (see Pushing Updates to your Managers). |
---|
Field |
Description |
---|---|
Name |
The name of the Action. |
Description |
(Optional) A description of the Action. |
Action type |
Indicates the type of Action: Email, Notification, Syslog, or Script. For more information, see What are Actions?. |
Enabled |
If selected and a Correlated Event is created by a Correlation Rule to which the Action is assigned as an Output, TLC will run the Action (see Defining a Correlation Rule). |
Tab |
Description |
---|---|
Type Settings |
For a Script Action, this tab specifies the name of the executable file to be run by the Action. (The executable file must be saved on your Primary Manager in the Scripts folder in the directory in which you installed your TLC Manager software.) For a Syslog Action, this tab defines settings for the Syslog server to which the Action sends Syslog messages. Syslog server IP address. The host name or IP address of the Syslog server. Syslog server port. The Syslog server port to which messages are sent. For an Email Action, this tab specifies the email addresses to which TLC sends email messages generated by the Action. To add an email address: 1. ClickAdd. 2. Enter the Email Address. 3. (Optional) To disable the Action, select False from the Enabled drop-down. To change an email address, select and edit the value in the Email Address field. To remove an email address, select the address and clickDelete. For a Notification Action, this tab specifies the User Accounts for which the Action will display notifications in the TLC Console. To add a User Account: 1. ClickAdd. 2. From the User drop-down, select the User Account. 3. Select the Notification Type. If Online Only is selected, the Action will only display a notification in a user's TLC Console if the user is logged in. Otherwise, the Action always presents notifications in the TLC Console of the specified users. (For more information, see Working with Notifications.) To remove a User Account, select the account and clickRemove. |
Time Settings |
Note: This tab does not appear in the Action properties dialog if Notification is selected from the Action Type drop-down. (Optional) This tab defines a schedule to automatically enable and disable the Action. If you specify a time range for a given day of the week with the Start Time and End Time drop-downs, the Action will only be enabled during the time specified by the range. |
Options |
Note: This tab does not appear in the Action properties dialog if Syslog is selected from the Action Type drop-down. (Optional) To define a Threshold for the Action, select Alerts per Hour and enter a Count. With a threshold, TLC will limit the number of times the Action can run in the same one-hour period. |