Testing and Debugging Rules

Real-time detection rules are, in fact, small programs. They require testing, debugging and maintenance to ensure they work properly. The following suggestions will help you with this process.

  • Make sure that every action and event you want a rule to catch is captured by the IBM i (OS/400) audit settings (current setting, user activity auditing, and object auditing; on the system these are the QAUDCTL and QAUDLVL system values, CHGUSRAUD for user auditing and CHGOBJAUD for object auditing). A real-time detection rule for an event that the audit settings do not capture will never fire, because no audit entry is ever written for it to match.
  • Enable logging for every real-time rule while you test it. The history log is a complete audit trail of what each rule saw and did, and that record is invaluable when testing and debugging complex rules.
  • Test the filter conditions in your rules before adding actions (alert messages and command scripts). Use the Query and/or Display Audit Log features to examine the history log entries. Verify that the log contains every event you want to capture and no others: a filter that misses events is as much a bug as one that fires on events it should ignore, so test with both kinds.
  • Create and test your actions before including them in a rule, so that a failing script or message is not mistaken for a failing filter. Use the Run Action feature (STRAUD > 61 > 5) to perform the test.

Temporarily disable any other rules that cover the same events or otherwise conflict with the rule you are testing: set their Log parameter to ‘N’ and their Action parameter to ‘*NONE’. Record each rule's original Log and Action values before you change them so that you can restore them exactly.

Note:

Do not forget to re-activate your rules after you finish testing.
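The testing procedure above, worked through as an added example; this is not the product's own code and does not run on IBM i. A rule is modelled as the set of audit journal entry types it listens for plus a filter predicate (the Rule fields, the action name ALERT01 and the sample entries are assumptions made for illustration, and the QAUDLVL-to-entry-type table is abridged). The harness checks whether the audit settings would produce the entries a rule needs, runs the filter over constructed stand-ins for QAUDJRN entries to find missed and unwanted matches, and quiesces overlapping rules with Log=N/Action=*NONE while keeping their original settings for restoration.

```python
"""Offline harness for testing a real-time detection rule before it goes live.

Added example, not the product's code. Rule fields, ALERT01 and the sample
audit entries are constructed for illustration.
"""
from dataclasses import dataclass, replace
from typing import Callable


@dataclass(frozen=True)
class AuditEntry:
    entry_type: str     # QAUDJRN entry type, e.g. AF, PW, CO, DO, ZC
    user: str
    obj: str = ""       # LIBRARY/OBJECT, empty when the entry is not object-related


@dataclass(frozen=True)
class Rule:
    name: str
    entry_types: frozenset                    # entry types the rule listens for
    predicate: Callable[[AuditEntry], bool]   # filter condition
    log: str = "Y"                            # Log parameter: Y or N
    action: str = "*NONE"                     # Action parameter: script/message or *NONE


# Which QAUDLVL values produce which entry types (abridged from the IBM i audit
# journal documentation; check the full table for your release).
QAUDLVL_ENTRY_TYPES = {
    "*AUTFAIL": {"AF", "PW"},
    "*CREATE": {"CO"},
    "*DELETE": {"DO"},
    "*SECURITY": {"CP", "SV"},
}
# Entry types produced by object auditing (CHGOBJAUD) rather than by QAUDLVL,
# with the OBJAUD values that produce them.
OBJECT_AUDIT_ENTRY_TYPES = {"ZC": ("*CHANGE", "*ALL"), "ZR": ("*ALL",)}


def coverage_gaps(rule, qaudlvl, object_audit, obj):
    """Entry types the rule needs that the given audit settings would never log.

    qaudlvl: QAUDLVL/QAUDLVL2 values in effect; object_audit: LIBRARY/OBJECT to
    OBJAUD value; obj: the object the rule watches.
    """
    produced = set()
    for value in qaudlvl:
        produced |= QAUDLVL_ENTRY_TYPES.get(value, set())
    for entry_type, objaud_values in OBJECT_AUDIT_ENTRY_TYPES.items():
        if object_audit.get(obj, "*NONE") in objaud_values:
            produced.add(entry_type)
    return sorted(rule.entry_types - produced)


def run_filter(rule, entries):
    """Entries the rule fires on: what the history log would show with Log=Y."""
    return [e for e in entries if e.entry_type in rule.entry_types and rule.predicate(e)]


def check_filter(rule, entries, expected):
    """Return (missed, unwanted): expected entries the filter skipped, and
    selected entries that were not expected. Both must be empty before any
    action is attached to the rule."""
    got = set(run_filter(rule, entries))
    return sorted(expected - got, key=str), sorted(got - expected, key=str)


def quiesce_conflicting(rules, under_test):
    """Set Log=N and Action=*NONE on every other rule that shares entry types
    with the rule under test; return the new rule list and the saved settings."""
    quiesced, saved = [], {}
    for r in rules:
        if r.name != under_test.name and r.entry_types & under_test.entry_types:
            saved[r.name] = (r.log, r.action)
            r = replace(r, log="N", action="*NONE")
        quiesced.append(r)
    return quiesced, saved


def restore(rules, saved):
    """Re-activate the rules quiesced by quiesce_conflicting."""
    return [replace(r, log=saved[r.name][0], action=saved[r.name][1])
            if r.name in saved else r for r in rules]


# Constructed sample: a rule meant to catch tampering with PAYLIB/PAYROLL.
PAYROLL_RULE = Rule("PAYROLL_TAMPER", frozenset({"AF", "ZC"}),
                    lambda e: e.obj == "PAYLIB/PAYROLL")
OTHER_RULES = [
    Rule("ALL_AUTH_FAIL", frozenset({"AF"}), lambda e: True, "Y", "ALERT01"),  # overlaps
    Rule("PROFILE_CHG", frozenset({"CP"}), lambda e: True, "Y", "ALERT01"),    # unrelated
]
SAMPLE_ENTRIES = [
    AuditEntry("AF", "JSMITH", "PAYLIB/PAYROLL"),    # authority failure: want it
    AuditEntry("AF", "JSMITH", "TESTLIB/SCRATCH"),   # other object: do not want
    AuditEntry("PW", "JSMITH"),                      # password failure: do not want
    AuditEntry("ZC", "OPERATOR", "PAYLIB/PAYROLL"),  # object change: want it
    AuditEntry("DO", "OPERATOR", "PAYLIB/PAYROLL"),  # deletion: want it, rule misses it
]
EXPECTED = {SAMPLE_ENTRIES[0], SAMPLE_ENTRIES[3], SAMPLE_ENTRIES[4]}

if __name__ == "__main__":
    # ZC needs object auditing on PAYLIB/PAYROLL, which is *NONE here -> ['ZC']
    print(coverage_gaps(PAYROLL_RULE, {"*AUTFAIL", "*CREATE"},
                        {"PAYLIB/PAYROLL": "*NONE"}, "PAYLIB/PAYROLL"))
    print(check_filter(PAYROLL_RULE, SAMPLE_ENTRIES, EXPECTED))   # DO entry is missed
    quiesced, saved = quiesce_conflicting(OTHER_RULES, PAYROLL_RULE)
    print(saved)                                 # {'ALL_AUTH_FAIL': ('Y', 'ALERT01')}
    print(restore(quiesced, saved) == OTHER_RULES)   # True
```

Run stand-alone, the harness reports two defects in the constructed rule before any action is wired up: the audit settings never produce the ZC entries it depends on, and its entry-type list omits the DO (delete) entry that the test set says it should catch. Adding "DO" to the rule and turning on object auditing for the file clears both findings, and the saved settings dictionary is what you restore from once testing is finished.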