SysMaint: Event Source Monitoring Settings

Document created by RSA Information Design and Development on Jul 29, 2016. Last modified by Susan Ewald on Nov 1, 2016.
Version 2

Note: This tab is being deprecated. To manage Event Sources, see Event Source Management.

The Event Source Monitoring view consists of the Event Source panel, Add/Edit Source Monitor dialog, Decommission panel, and the Decommission dialog. You use the view to configure:

  • When to generate notifications for event sources from which the Log Collector is no longer receiving logs.
  • Where to send those notifications.
  • When to decommission a Log Collector when a Remote Collector and the Local Collector fail over to a standby Log Decoder.

The required role to access this view is Manage SA Auditing. To access this view:

  1. In the Security Analytics menu, select Administration > Health & Wellness.
  2. Select Settings > Event Source.
    The Event Source tab is displayed.

[Screenshot: esm_monitoring_settings.PNG]

For the related procedure, see Configure Event Source Monitoring.

Features

Event Source Monitoring Panel

Feature | Description
Configure email or distribution list. | Opens the Administration > System > Email view so you can adjust the email distribution for the Event Source Monitoring output, if necessary.
Configure Syslog and SNMP Trap servers. | Opens the Administration > System > Auditing view so you can adjust the Syslog and SNMP trap distribution for the Event Source Monitoring output, if necessary.
[Icon-Add.png] | Displays the Add/Edit Source Monitor dialog in which you add or modify event sources to monitor.
[Icon_Delete_sm.png] | Deletes the selected event sources from monitoring.
[Checkbox.png] | Selects an event source.
Source Type | Displays the source type of the event source.
Source Host | Displays the source host of the event source.
Time Threshold | Displays the time period after which Security Analytics stops sending notifications (Time Threshold).
Apply | Applies any additions, deletions, or changes; they become effective immediately.
Cancel | Cancels any additions, deletions, or changes.

Decommission Panel

Feature | Description
[Icon-Add.png] | Displays the Decommission dialog in which you add or modify event sources to decommission.
[Icon_Delete_sm.png] | Deletes the selected event sources from decommissioning.
[Checkbox.png] | Selects an event source.
Regex | Displays whether you chose to use regular expressions.
Source Type | Displays the source type of the decommissioned event source.
Source Host | Displays the source host of the decommissioned event source.
Apply | Applies any additions, deletions, or changes; they become effective immediately.
Cancel | Cancels any additions, deletions, or changes.

Add/Edit Source Monitor Dialog

[Screenshot: add-edit_source_monitor_dialog.png]

In the Add/Edit Source Monitor dialog, you add or modify the event sources that you want to monitor. The two parameters that identify an event source are Source Type and Source Host. You can use globbing (pattern matching and wildcard characters) to specify the Source Type and Source Host of event sources, as shown in the following example:

Source Type    Source Host
ciscopix       1.1.1.1
*              1.1.1.1
*              *
*              1.1.1.1|1.1.1.2
*              1.1.1.[1|2]
*              1.1.1.[123]
*              1.1.1.[0-9]
*              1.1.1.11[0-5]
*              1.1.1.1,1.1.1.2
*              1.1.1.[0-9]|1.1.1.11[0-5]
*              1.1.1.[0-9]|1.1.1.11[0-5],10.31.204.20
*              1.1.1.*
*              1.1.1.[0-9]{1,3}

Feature | Description
Regex | Select the checkbox if you want to use regular expressions.
Source Type | The source type of the event source. You must use the value that you configured for the event source in the Event Sources tab of the Administration > Services > Log Collector device > View > Config view.
Source Host | Hostname or IP address of the event source. You must use the value that you configured for the event source in the Event Sources tab of the Administration > Services > Log Collector device > View > Config view.
Time Threshold | The time period after which Security Analytics starts sending notifications.
Cancel | Closes the dialog without adding the event source, or changes to the event source, to the Event Source Monitoring panel.
OK | Adds the event source to the Event Source Monitoring panel.
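
The following is an added example, not RSA code: a small offline check that takes monitor entries written in the globbing style shown above and reports which event sources have been silent longer than their Time Threshold and which are not covered by any entry. The pattern semantics, the tightest-threshold rule, the source type "examplesrc", and all sample data are assumptions made for illustration; the product's actual matcher may differ.

```python
import re
from datetime import datetime, timedelta

def split_top(pattern, sep):
    """Split on sep, but not inside [...] or {...} (so {1,3} and [1|2] stay whole)."""
    parts, depth, cur = [], 0, ""
    for ch in pattern:
        depth += ch in "[{"
        depth -= ch in "]}"
        if ch == sep and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    return parts + [cur]

def glob_to_regex(pattern):
    """ASSUMED semantics: ',' and '|' list alternatives, '*' is any run of
    characters, '.' is literal, [...] and {m,n} behave as in a regex."""
    alts = [alt.strip().replace(".", r"\.").replace("*", ".*")
            for item in split_top(pattern, ",") for alt in split_top(item, "|")]
    return re.compile("(?:" + "|".join(alts) + ")")

def audit(monitors, last_seen, now):
    """Return (silent, unmonitored) lists of (source_type, source_host)."""
    silent, unmonitored = [], []
    for (stype, host), seen in sorted(last_seen.items()):
        thresholds = [thr for t_pat, h_pat, thr in monitors
                      if glob_to_regex(t_pat).fullmatch(stype)
                      and glob_to_regex(h_pat).fullmatch(host)]
        if not thresholds:
            unmonitored.append((stype, host))   # no monitor entry covers it
        elif now - seen > min(thresholds):      # assumed: tightest threshold wins
            silent.append((stype, host))
    return silent, unmonitored

# Constructed sample data (not exported from the product).
NOW = datetime(2016, 11, 1, 12, 0)
MONITORS = [("ciscopix", "1.1.1.[0-9]|1.1.1.11[0-5]", timedelta(hours=1)),
            ("*", "10.31.204.20", timedelta(minutes=30))]
LAST_SEEN = {("ciscopix", "1.1.1.5"): NOW - timedelta(minutes=10),
             ("ciscopix", "1.1.1.112"): NOW - timedelta(hours=3),
             ("ciscopix", "1.1.1.50"): NOW - timedelta(minutes=5),
             ("examplesrc", "10.31.204.20"): NOW - timedelta(minutes=45)}

if __name__ == "__main__":
    silent, unmonitored = audit(MONITORS, LAST_SEEN, NOW)
    print("silent:", silent)
    print("unmonitored:", unmonitored)
```

Host 1.1.1.50 shows up as unmonitored because `[0-9]` matches exactly one digit, a coverage gap that is easy to miss when writing Source Host patterns.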

Decommission Dialog

[Screenshot: decommission_dialog.png]


Feature | Description
Source Type | The source type of the event source. You must use the value that you configured for the event source in the Event Sources tab of the Administration > Services > Log Collector device > View > Config view.
Source Host | Hostname or IP address of the event source. You must use the value that you configured for the event source in the Event Sources tab of the Administration > Services > Log Collector device > View > Config view.
Cancel | Closes the dialog without applying any event source additions, deletions, or changes to the Decommissioning panel.
OK | Applies any event source additions, deletions, or changes to the Decommissioning panel.