ESM: Monitor Policies

Document created by RSA Information Design and Development Employee on Mar 22, 2017
Version 1

Use the Monitoring Policies view to manage alert configuration for your event source groups.

You can create policies that alert on event source groups by setting thresholds and notifications:

  • Thresholds set ranges for frequency of log messages. You can specify a low threshold, a high threshold, or both.
  • Notifications describe how and where to send alerts when thresholds are not met.
  • You combine thresholds and notifications to create alerts based on the frequency you specify.
  • If automatic alerting is enabled (it is by default), you can create and enable a policy without setting any thresholds. If you then turn on automatic notifications, notifications will be sent whenever an event source in the group is above or below its baseline by the specified amount.

For example, let's say that you have created an event source group that consists of all your Windows event sources based in the United Kingdom. You could specify a policy that alerts you whenever fewer than 1000 events per 30 minutes arrive.
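The low-threshold check from this example can be sketched as follows. This is an added illustration, not code from the product or from RSA. The `Policy` class, the `evaluate` function, the source names and the sample events are all hypothetical, and the sketch assumes the threshold is checked per event source, which the page does not specify.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Policy:
    """Hypothetical policy shape: a low and/or high event count per window."""
    window: timedelta
    low: Optional[int] = None    # alert when count < low
    high: Optional[int] = None   # alert when count > high

def evaluate(policy, group, events, now):
    """Return {source: (count, 'low'|'high')} for sources breaching the policy.

    group  -- names of every event source expected in the group
    events -- iterable of (timestamp, source) pairs from the log stream
    """
    start = now - policy.window
    counts = Counter(src for ts, src in events if start < ts <= now and src in group)
    breaches = {}
    # Iterate over group membership, not over observed events: a source that
    # has gone silent has no events at all and must still be reported as low.
    for src in sorted(group):
        n = counts[src]
        if policy.low is not None and n < policy.low:
            breaches[src] = (n, "low")
        elif policy.high is not None and n > policy.high:
            breaches[src] = (n, "high")
    return breaches

# Constructed sample data: three Windows event sources, one of them silent.
NOW = datetime(2017, 3, 22, 12, 0)
GROUP = {"uk-dc01", "uk-dc02", "uk-file01"}
EVENTS = (
    [(NOW - timedelta(seconds=i), "uk-dc01") for i in range(1200)]        # 1200 in window
    + [(NOW - timedelta(seconds=2 * i), "uk-dc02") for i in range(1500)]  # 900 in window
    + [(NOW - timedelta(minutes=45), "uk-file01")]                        # outside window
)
POLICY = Policy(window=timedelta(minutes=30), low=1000)

if __name__ == "__main__":
    for src, (n, kind) in evaluate(POLICY, GROUP, EVENTS, NOW).items():
        print(f"ALERT {src}: {n} events in last 30 min ({kind} threshold)")
```

The silent source is the case that matters most for a low threshold: it only shows up because the check walks the group's membership list instead of the sources seen in the log stream.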

Note: In addition to, or instead of, setting up monitoring policies for your event source groups, you can Configure Automatic Alerting to view alarms when the number of messages for an event source is outside of the normal bounds.

