AlertLogToFile

Wed May 27 04:16:47 EDT 2009

This handler writes one formatted line for each alert when it clears, whether normally (by a clear event), manually (by a user), or via prioritization (superseded by a higher-priority alert). To log all three kinds of clearing, the same handler instance must be placed in each of the three associated handler call-out folders: 'isClear', 'forcedClear', and 'superceded'. An instance placed in only one of those folders logs only that kind of clearing.

As each alert clears, a line of fields (laid out by the 'format' setting) is appended to a log file. The file name is built from the three 'file.*' settings. The 'file.date' setting is a date pattern written with the standard Java date-format letters, and because the formatted date is part of the file name, this pattern also determines how often a new log file is started: a pattern that includes only the calendar date (the default) yields one file per day; a pattern that also includes the hour of the day yields a new file every hour.

A purger automatically maintains the directory based on the 'purge.*' settings. The purger runs nightly at 12:09 AM.

The variables available for substitution in the 'format' setting are: %RULE_NODE%, %ALERT_COUNT%, %GATEWAY%, %ONUS%, %TASK_GROUPS%, %DIVISION%, %ELEMENT%, %SUMMARY%, %TIME_INIT%, %TIME_CLEAR%, %TIME_NOW%, %DOWNTIME%, and %REASON%. The %REASON% variable has one of three values: CLEAR (the alert was cleared by a 'clear' event), FORCED (the alert was manually cleared by a user), or SUPERCEDED (the alert was automatically suppressed by a higher-priority alert). The value of %REASON% therefore tells you which of the three call-out folders the handler was invoked from.

In addition to the alert field variables described above, any variable parsed in the rule tree, or added to the alert by an enrichment handler, may be referenced in the 'format' setting. This is useful for "tagging" alerts (for example with a ticket number or an owner) so that they are easier to post-process.

All time values are in milliseconds since the Unix epoch (1 January 1970, 00:00:00 GMT) and carry no time-zone information. DOWNTIME is TIME_CLEAR minus TIME_INIT, where TIME_INIT is the time the first event of the alert was received. For alerts with a delayed clear threshold, the delay is not counted: TIME_CLEAR is the time of the clearing event itself, not the end of the delay period.
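Because the layout of each line is whatever the 'format' setting says, any post-processing script has to be driven by that same setting. The following Python is an added example (not part of the handler or its product) of a parser that turns a 'format' value into a regular expression, reads the lines the handler would write, checks that DOWNTIME really equals TIME_CLEAR minus TIME_INIT, and tallies alerts by %REASON%. The 'format' value, the '|' delimiter and the sample log lines are all assumptions constructed for this example; only the variable names and the three REASON values come from the page.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Hypothetical 'format' setting for this example (not a value documented on
# the page). The '|' delimiter is an arbitrary choice; any literal text
# between variables works, because it is escaped into the regex below.
FORMAT = "%TIME_CLEAR%|%REASON%|%RULE_NODE%|%ELEMENT%|%TIME_INIT%|%DOWNTIME%|%SUMMARY%"

# The three documented values of %REASON%.
REASONS = {"CLEAR", "FORCED", "SUPERCEDED"}

# Fields documented as millisecond timestamps or counts; parsed as integers.
INT_FIELDS = ("TIME_INIT", "TIME_CLEAR", "TIME_NOW", "DOWNTIME", "ALERT_COUNT")

VAR_RE = re.compile(r"%([A-Z_]+)%")

# Constructed sample lines, as the hypothetical FORMAT above would produce them
# (1243412207000 ms is 2009-05-27T08:16:47Z). The third line deliberately has a
# '|' inside %SUMMARY% and a DOWNTIME that does not match its timestamps.
SAMPLE_LINES = [
    "1243412207000|CLEAR|core/router1/ifDown|router1|1243411907000|300000|interface down",
    "1243412500000|FORCED|core/router2/cpu|router2|1243410500000|2000000|cpu high",
    "1243412600000|SUPERCEDED|edge/sw3/ping|sw3|1243412000000|500000|ping lost|see ticket 42",
]


def build_line_regex(fmt):
    """Compile the 'format' setting into an anchored regex.

    Each %VAR% becomes a non-greedy named group; literal text between the
    variables is escaped. Non-greedy groups mean a delimiter inside a field
    is only tolerated in the last field (the only one not followed by a
    literal). A variable must not appear twice, since group names are unique.
    """
    pattern, pos = "^", 0
    for m in VAR_RE.finditer(fmt):
        pattern += re.escape(fmt[pos:m.start()])
        pattern += "(?P<%s>.*?)" % m.group(1)
        pos = m.end()
    return re.compile(pattern + re.escape(fmt[pos:]) + "$")


def parse_line(regex, line):
    """Return one log line as a dict keyed by variable name."""
    m = regex.match(line.rstrip("\n"))
    if not m:
        raise ValueError("line does not match format: %r" % line)
    rec = m.groupdict()
    for key in INT_FIELDS:
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def downtime_discrepancy(rec):
    """0 when DOWNTIME equals TIME_CLEAR - TIME_INIT, else the difference in ms."""
    return rec["DOWNTIME"] - (rec["TIME_CLEAR"] - rec["TIME_INIT"])


def to_iso(ms):
    """Render a page-style timestamp (ms since the epoch, GMT) as ISO-8601 UTC."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def summarize(lines, fmt=FORMAT):
    """Tally alerts and total downtime per REASON; flag inconsistent records."""
    regex = build_line_regex(fmt)
    count, downtime_ms = Counter(), Counter()
    inconsistent, unknown_reason = [], []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(regex, line)
        if rec["REASON"] not in REASONS:
            unknown_reason.append(rec["RULE_NODE"])
        count[rec["REASON"]] += 1
        downtime_ms[rec["REASON"]] += rec["DOWNTIME"]
        if downtime_discrepancy(rec) != 0:
            inconsistent.append(rec["RULE_NODE"])
    return {
        "count": dict(count),
        "downtime_ms": dict(downtime_ms),
        "inconsistent": inconsistent,
        "unknown_reason": unknown_reason,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    for reason, n in sorted(report["count"].items()):
        print("%-10s %d alert(s), %d ms downtime" % (reason, n, report["downtime_ms"][reason]))
    for node in report["inconsistent"]:
        print("DOWNTIME does not match timestamps for", node)
    print("first sample cleared at", to_iso(parse_line(build_line_regex(FORMAT), SAMPLE_LINES[0])["TIME_CLEAR"]))
```

Put %SUMMARY% (or any other free-text field that may contain the delimiter) last in the 'format' setting, or pick a delimiter that cannot occur in field values; the parser above only tolerates a stray delimiter in the final field. Running the script over a real log directory is a matter of reading each rotated file and passing its lines to summarize() with the site's actual 'format' value.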