Affected versions: currently, all versions up to 21.x
When creating Notification Rules, if you combine multiple criteria with AND and OR statements, the results will often NOT be as expected.
The short answer is: do NOT do so. If you have a rule defined, ensure it contains only AND combinations or only OR combinations.
The reason is that Notification Rules have no logical grouping modifiers such as parentheses, and no rules of operator precedence (e.g. AND being evaluated before OR).
When we create a rule like this, we "think" in terms of basic algebra, but the rules do not currently work this way. For instance, take a look at the following common scenario:
[Screenshot] BAD Event Notification Rule Example
This saves having to have 3 rules. Or so it seems.
The REAL effect is that the rule behaves as 3 different rules:
- Event ID matches expiring AND Value 1 matches 30
- Value 1 matches 60
- Value 1 matches 90
Notice that options 2 and 3 do NOT include the first row, which checks the Event ID. MOST of the time this will actually work, because the Value 1 field isn't used often. However, it is essentially the same as not having the Event ID condition at all, and it can have very interesting results.
For instance, a discovery job uses Value 1 to report how many certs it found, so a discovery that reports 60 or 90 certificates would satisfy option 2 or 3.
If you change the operator from Matches to Less than, the odds of matching an unintended row in the logs increase.
Some have considered that you could repeat row 1 between the OR statements, with the net result of:
- AND 2
- OR 1
- AND 3
- OR 1
- AND 4
LOGICALLY this may work, and sometimes it does. However, experience has shown that it is not reliable, so we recommend against it.
The BEST answer is to make 3 rules. Create the 30 day rule, save it, copy it, and change only the 30 to 60 (and again to 90) so each copy inherits the same channels listed at the bottom of the screenshot.
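As an added illustration (not Venafi's code, and not the actual rule engine), the following Python models the left-to-right, precedence-free evaluation described above and runs the combined rule, the repeated-row variant, and the three-rule fix against two constructed events; the field names, operator names and event values are assumptions.

```python
# Model of the behaviour described in this article: criteria rows are scanned
# left to right with no parentheses and no precedence, so every OR starts a
# new independent group of AND-ed conditions. Illustration only, not Venafi code.

OPS = {"Matches": lambda a, v: a == v, "Less than": lambda a, v: a < v}

def check(event, field, op, value):
    """Evaluate one criteria row; a field missing from the event never matches."""
    return field in event and OPS[op](event[field], value)

def rule_fires(rows, event):
    """rows: (connector, field, op, value); connector is None on the first row,
    then 'AND' or 'OR'. Fires if any OR-separated group matches completely."""
    groups = [[]]
    for connector, field, op, value in rows:
        if connector == "OR":
            groups.append([])          # OR ends the current group, no grouping
        groups[-1].append((field, op, value))
    return any(all(check(event, f, o, v) for f, o, v in g) for g in groups)

def any_fires(rules, event):
    """True if at least one of several separate rules fires for the event."""
    return any(rule_fires(rows, event) for rows in rules)

# The combined rule: it reads like "expiring AND (30 OR 60 OR 90)" but is not.
BAD_RULE = [(None, "Event ID", "Matches", "expiring"), ("AND", "Value 1", "Matches", 30),
            ("OR", "Value 1", "Matches", 60), ("OR", "Value 1", "Matches", 90)]

# Repeating row 1 after every OR is logically sound under this model; the article
# reports it is not reliable in practice, so it is shown only for comparison.
REPEATED_ROW_RULE = [(None, "Event ID", "Matches", "expiring"), ("AND", "Value 1", "Matches", 30),
                     ("OR", "Event ID", "Matches", "expiring"), ("AND", "Value 1", "Matches", 60),
                     ("OR", "Event ID", "Matches", "expiring"), ("AND", "Value 1", "Matches", 90)]

# The recommended fix: three rules that differ only in the day count.
GOOD_RULES = [[(None, "Event ID", "Matches", "expiring"), ("AND", "Value 1", "Matches", d)]
              for d in (30, 60, 90)]

# Constructed events: a 60-day expiry warning, and a discovery job that found 60 certs.
EXPIRING_60 = {"Event ID": "expiring", "Value 1": 60}
DISCOVERY_60 = {"Event ID": "discovery complete", "Value 1": 60}

if __name__ == "__main__":
    for name, ev in (("expiring/60", EXPIRING_60), ("discovery/60", DISCOVERY_60)):
        print(name, "combined:", rule_fires(BAD_RULE, ev),
              "repeated row:", rule_fires(REPEATED_ROW_RULE, ev),
              "three rules:", any_fires(GOOD_RULES, ev))
```

The discovery event fires the combined rule purely because Value 1 is 60, while the three separate rules ignore it.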
PS: Consider suggesting a change at ideas.venafi.com, or voting for one that is already there.