Alerting: Notification Methods

Document created by RSA Information Design and Development on Nov 23, 2016. Last modified by RSA Information Design and Development on Apr 26, 2017.
Version 3

When a rule triggers an alert, ESA can send a notification in the following ways:

  • Email
  • SNMP
  • Syslog
  • Script

Email Notifications

Event Stream Analysis can send notifications to users through email about various system events. 

To configure these email notifications, you need to:

  • Configure the SMTP email server as an output provider. For instructions, see "Configure the Email Settings as Notification Server" in the System Configuration Guide.
  • Set up an email account to receive notifications. For instructions, see "Configure Email as a Notification" in the System Configuration Guide.
  • Configure a template for email notification. For instructions, see "Configure a Template" in the System Configuration Guide.

SNMP

Event Stream Analysis can send events as an SNMP trap to a configured SNMP trap host.

To configure these SNMP notifications, you need to:

  • Configure SNMP trap host settings as an output provider. For instructions, see "Configure the SNMP Settings as Notification Server" in the System Configuration Guide.
  • Configure SNMP trap settings as an output action. For instructions, see "Configure SNMP as a Notification" in the System Configuration Guide.
  • Configure a template for SNMP. For instructions, see "Configure a Template" in the System Configuration Guide.

Syslog

Event Stream Analysis can send events and consolidate logs in Syslog format to a Syslog server.

To configure these Syslog notifications, you need to:

  • Configure Syslog server settings as an output provider. For instructions, see "Configure the Syslog Settings as Notification Server" in the System Configuration Guide.
  • Configure Syslog message format as an output action. For instructions, see "Configure Syslog as a Notification" in the System Configuration Guide.
  • Configure a template for Syslog. For instructions, see "Configure a Template" in the System Configuration Guide.

Script Alerter

Apart from the alert notifications above, ESA allows users to run scripts in response to ESA alerts.

Scripts enable custom integration with applications that exist in your environment. For example, if you want to open an incident ticket in an application when a specific alert is triggered, Script Alerter lets you write a script that calls the application API and have ESA invoke it when the specific ESA rule is triggered. You can configure a FreeMarker template to define which details to extract from the output of the ESA rule and pass them as command-line arguments to the script.

To use the Script Alert, you need to:

  • Configure the user identity and other details that are required to execute the script. For instructions, see "Configure Script as a Notification Server" in the System Configuration Guide.
  • Define the Script. For instructions, see "Configure Script as a Notification" in the System Configuration Guide.
  • Configure a template for the script. For instructions, see "Configure a Template" in the System Configuration Guide.
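The following is an added example of a script an administrator might point Script Alerter at; it is not part of this guide or of the ESA product. It assumes the FreeMarker template was configured to emit four positional arguments (rule name, severity, source IP, event count) and uses a placeholder ticketing URL; the script validates the alert-derived fields before building the API request, since their content comes from observed events rather than from the administrator.

```python
#!/usr/bin/env python3
"""Script Alerter target: turns alert fields passed as command-line
arguments into an incident ticket for an external API.

Argument order (rule_name severity src_ip event_count) is an assumption;
it is whatever the FreeMarker template was configured to emit.
"""
import ipaddress
import json
import sys
import urllib.request

TICKET_API = "https://ticketing.example.invalid/api/incidents"  # placeholder URL

def parse_alert_args(argv):
    """Validate the positional fields handed over by ESA before use.
    Alert content is derived from observed events, so it is treated as
    untrusted input: bounded length, known severities, well-formed IP,
    non-negative integer count."""
    if len(argv) != 4:
        raise ValueError("expected 4 arguments: rule_name severity src_ip event_count")
    rule_name, severity, src_ip, count = argv
    if not 0 < len(rule_name) <= 128:
        raise ValueError("rule_name length out of range")
    if severity.lower() not in ("low", "medium", "high", "critical"):
        raise ValueError(f"unknown severity {severity!r}")
    ipaddress.ip_address(src_ip)  # raises ValueError if malformed
    if not count.isdigit():
        raise ValueError("event_count must be a non-negative integer")
    return {"rule_name": rule_name, "severity": severity.lower(),
            "src_ip": src_ip, "event_count": int(count)}

def build_ticket_payload(fields):
    """Serialize to JSON so field content can never break the request body."""
    return json.dumps({
        "title": f"ESA alert: {fields['rule_name']}",
        "priority": fields["severity"],
        "description": (f"{fields['event_count']} event(s) from {fields['src_ip']} "
                        f"matched rule {fields['rule_name']}"),
        "source": "esa-script-alerter",
    })

def main():
    try:
        fields = parse_alert_args(sys.argv[1:])
    except ValueError as exc:
        print(f"rejected alert arguments: {exc}", file=sys.stderr)
        return 2  # non-zero exit lets the alerter record the failed run
    req = urllib.request.Request(TICKET_API, data=build_ticket_payload(fields).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return 0 if resp.status < 300 else 1

if __name__ == "__main__":
    sys.exit(main())
```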