ESM: Monitor Policies

Document created by RSA Information Design and Development on Jul 15, 2016. Last modified by RSA Information Design and Development on Feb 27, 2017. Version 5.

Use the Monitoring Policies view to manage alert configuration for your event source groups.

You can create policies that alert on event source groups by setting thresholds and notifications:

  • Thresholds set ranges for frequency of log messages. You can specify a low threshold, a high threshold, or both.
  • Notifications describe how and where to send alerts when thresholds are not met.
  • You combine thresholds and notifications to create alerts based on the frequency you specify.
  • If automatic alerting is enabled (it is by default), you can create and enable a policy without setting any thresholds. If you then turn on automatic notifications, notifications will be sent whenever an event source in the group is above or below its baseline by the specified amount.

For example, let's say that you have created an event source group that consists of all your Windows event sources based in the United Kingdom. You could specify a policy that alerts you whenever fewer than 1000 events per 30 minutes arrive.
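The threshold check described above, sketched as an added example (not RSA's implementation or product code). The function name, the 4000-event high threshold, and the sample timestamps are constructed for illustration; only the low threshold of 1000 events per 30 minutes comes from the text. It assumes counts are taken over fixed, complete windows, and it reports windows with no events at all, which a simple group-by over received events would silently skip.

```python
from collections import Counter
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)

def evaluate_policy(event_times, start, end, window=WINDOW, low=None, high=None):
    """Return (window_start, count, state) for each complete window that
    falls below the low threshold or above the high threshold."""
    if low is None and high is None:
        raise ValueError("set a low threshold, a high threshold, or both")
    counts = Counter()
    for t in event_times:
        if start <= t < end:
            counts[(t - start) // window] += 1   # index of the window holding t
    alerts = []
    # Walk every window in the range, not just those that received events,
    # so a source that went completely silent still produces an alert.
    for i in range((end - start) // window):
        count = counts.get(i, 0)
        if low is not None and count < low:
            alerts.append((start + i * window, count, "below_low"))
        elif high is not None and count > high:
            alerts.append((start + i * window, count, "above_high"))
    return alerts

def constructed_events(start, per_window, window=WINDOW):
    """Build sample timestamps: per_window[i] events spread across window i."""
    times = []
    for i, n in enumerate(per_window):
        for k in range(n):
            offset = timedelta(seconds=k * window.total_seconds() / n)
            times.append(start + i * window + offset)
    return times

# Constructed sample: two hours of events for one event source group.
START = datetime(2017, 2, 27, 9, 0)
SAMPLE = constructed_events(START, [1200, 400, 0, 5000])

if __name__ == "__main__":
    for when, count, state in evaluate_policy(
            SAMPLE, START, START + timedelta(hours=2), low=1000, high=4000):
        print(f"{when:%H:%M} count={count} {state}")
```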

Note: In addition to, or instead of, setting up monitoring policies for your event source groups, you can Configure Automatic Alerting to view alarms when the number of messages for an event source is outside of the normal bounds.
