So I have LEM monitoring logs for a host of systems. I recently started to look at a selection of workstations I wish to monitor a bit more closely and placed a rule to alert me when software was installed. I let it run over a weekend to see how many false positives it would generate, then went back and adjusted the rules with a bunch of 'not equal' statements. Guess what happened today? Windows Updates were rolled out! So now I received a whole host of new email alerts off of the rule. I do not particularly mind the cut-and-paste of adjusting the rule, but it made me wonder: how many conditions can a rule handle, and perhaps more importantly, how many should it handle?
Also, I apologize ahead of time if this is in the forums - I did a search before posting but did not find anything.