4 Replies Latest reply on May 2, 2016 8:39 PM by alis

    ACE correlation disabled?

    alis

      How can I determine whether a correlation rule is enabled on some device? The default policy shows as disabled.

      Secondly, is there a way to tell when a rule was last changed and what changes were made to the rule or the policy?

      Thanks in advance

        • 1. Re: ACE correlation disabled?
          andy777

          Look for a file in /usr/local/ace/rules on the ACE. It's XML and readable. It will list all of the active rules. If your rule is disabled, you won't be able to locate it in the file. The timestamp on the file should reflect the last time the policy was rolled as well.

          • 2. Re: ACE correlation disabled?
            alis

            Thanks Andy

            The rule is present in the said file and also shows active in the correlator.sh -status output. Phew!

            However, I still cannot tell where it is deployed. Is there a way to verify from the GUI?

            • 3. Re: ACE correlation disabled?
              andy777

              If it is a correlation rule, I would assume it's tied to a correlation engine. How many do you have?

              Assuming it's one, you can select the Correlation Engine in the Policy Editor and should be able to locate the rule from there. Rules are and should remain disabled in the Default Policy at the top level. Any enabled rules should be visible by selecting the device they are associated with.

              Or if I'm misunderstanding, or if there is something weird going on, you might want to post a screenshot.

              • 4. Re: ACE correlation disabled?
                alis

                Thanks for the pointers... found it... on the real-time ACE... and it does show enabled.