Sys Maintenance: Configure Event Source Monitoring

Document created by RSA Information Design and Development on Mar 22, 2017. Last modified by RSA Information Design and Development on Aug 1, 2017.
Version 8

To monitor event sources, you must configure them so that Security Analytics generates and sends notifications when required. For the related reference topic, see Health and Wellness Settings Tab - Event Sources.

Procedures

Configure and Enable Event Monitoring

To configure and enable event monitoring in Security Analytics:

  1. In the Security Analytics menu, select Administration > Health & Wellness.
  2. Select Settings > Event Source.
    The Event Source tab is displayed.
    [Figure: esm_monitoring_settings.PNG]
  3. Under Event Source Monitoring, click the Add icon.
    The Add/Edit Source Monitor dialog is displayed.
  4. Define the Source Type, Source Host, and Time Threshold of the event source that you want to monitor. Security Analytics uses the Time Threshold to detect when it stops receiving logs from that event source. If you do not specify a Time Threshold, Security Analytics still monitors the event source, but has no threshold against which to raise a notification until you set one.

Note: For Source Type and Source Host, specify the same values that you configured for the event source in the Event Sources tab of the Administration > Services > Log Collector service > View > Config view. These two parameters identify the event source to monitor; use the Add/Edit Source Monitor dialog to add or modify the event sources that you want to monitor. You can use globbing (pattern matching and wildcard characters) in Source Type and Source Host so that one monitor covers several event sources.

[Figure: add-edit_source_monitor_dialog.png]

  5. Click OK.
    The event source is displayed in the panel.
  6. Configure the method of notification by doing one of the following:
  • Select Configure email or distribution list.
    The Administration > System > Email Configuration panel is displayed so that you can specify to whom the notifications are sent.
  • Select Configure Syslog and SNMP Trap servers.
    The Administration > System Auditing Configuration panel is displayed so that you can configure the Syslog and SNMP Trap servers to which the notifications are sent.
  7. Click Apply.
    Security Analytics begins sending notifications when it has stopped receiving events from this event source for longer than the time threshold.

For details on the parameters in the Event Source Monitoring settings view, see Event Source Monitoring View.

Decommission Event Source Monitoring

If a Log Collector service (Local Collector or Remote Collector) for which you set up event source monitoring becomes inoperable, Security Analytics continues to notify you that it is not receiving events from it until you decommission the Collector.

Caution: If you configured a failover Local Collector for a Remote Collector and the Local Collector fails over to a standby Log Decoder, you must decommission the Local Collector to stop the notifications.

To decommission event source monitoring for an event source:

  1. In the Security Analytics menu, select Administration > Health & Wellness.
  2. Select Settings > Event Source.
    The Event Source tab is displayed.
  3. Under Decommission, click the Add icon.
    The Decommission dialog is displayed.
  4. Define the Source Type and Source Host of the event source for which you want to stop event monitoring notifications.

[Figure: decommission_dialog.png]
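The logic that the two procedures above configure (a monitor keyed by Source Type and Source Host with globbing, a Time Threshold after which silence from a matching source raises a notification, and a decommission list that suppresses notifications) is shown here as an added example written for this page. It is not code from RSA Security Analytics and does not reproduce its implementation. The sample event records, the source type and host names, and the thresholds are constructed; that globbing is shell-style and case-sensitive, and that a monitor with no Time Threshold never raises a notification, are assumptions made for the example.

```python
"""Silence detection for monitored event sources (added example, not RSA code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from fnmatch import fnmatchcase
from typing import Dict, Iterable, Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class SourceMonitor:
    source_type: str                      # glob pattern, e.g. "cisco*"
    source_host: str                      # glob pattern, e.g. "10.0.0.*"
    time_threshold: Optional[timedelta]   # None: monitored, but no threshold set yet

    def matches(self, source_type: str, source_host: str) -> bool:
        # Assumption: shell-style, case-sensitive globbing on both fields.
        return (fnmatchcase(source_type, self.source_type)
                and fnmatchcase(source_host, self.source_host))


@dataclass
class EventSourceMonitoring:
    monitors: List[SourceMonitor]
    decommissioned: List[Tuple[str, str]] = field(default_factory=list)
    # (source_type, source_host) -> time of the most recent event seen
    last_seen: Dict[Tuple[str, str], datetime] = field(default_factory=dict)

    def monitor_for(self, source_type: str, source_host: str) -> Optional[SourceMonitor]:
        """First monitor whose Source Type / Source Host patterns match."""
        for m in self.monitors:
            if m.matches(source_type, source_host):
                return m
        return None

    def record_event(self, source_type: str, source_host: str, when: datetime) -> bool:
        """Update last-seen time; returns False if no monitor covers the source."""
        if self.monitor_for(source_type, source_host) is None:
            return False
        key = (source_type, source_host)
        self.last_seen[key] = max(when, self.last_seen.get(key, when))
        return True

    def decommission(self, source_type: str, source_host: str) -> None:
        """Stop notifications for sources matching these (glob) values."""
        self.decommissioned.append((source_type, source_host))

    def is_decommissioned(self, source_type: str, source_host: str) -> bool:
        return any(fnmatchcase(source_type, t) and fnmatchcase(source_host, h)
                   for t, h in self.decommissioned)

    def overdue(self, now: datetime) -> List[Tuple[str, str, timedelta]]:
        """Sources whose silence exceeds their monitor's Time Threshold."""
        result = []
        for (stype, shost), seen in sorted(self.last_seen.items()):
            m = self.monitor_for(stype, shost)
            if m is None or m.time_threshold is None:   # assumption: no threshold, no alert
                continue
            if self.is_decommissioned(stype, shost):
                continue
            silence = now - seen
            if silence > m.time_threshold:
                result.append((stype, shost, silence))
        return result


def parse_events(lines: Iterable[str]) -> Iterator[Tuple[datetime, str, str]]:
    """Parse constructed 'ISO-timestamp source_type source_host' records."""
    for line in lines:
        if not line.strip():
            continue
        ts, stype, shost = line.split()
        yield datetime.fromisoformat(ts), stype, shost


# Constructed sample records; not real Log Collector output.
SAMPLE_EVENTS = """\
2017-08-01T10:00:00 ciscoasa 10.0.0.5
2017-08-01T10:02:00 winevent_nic 10.0.1.20
2017-08-01T10:40:00 ciscoasa 10.0.0.5
2017-08-01T10:41:00 rhlinux 10.0.2.9
2017-08-01T10:50:00 ciscoasa 10.0.0.6
""".splitlines()


def demo(now: datetime = datetime(2017, 8, 1, 12, 0, 0)) -> List[Tuple[str, str, timedelta]]:
    """Feed the sample records through three hypothetical monitors and report overdue sources."""
    esm = EventSourceMonitoring(monitors=[
        SourceMonitor("cisco*", "10.0.0.*", timedelta(minutes=30)),
        SourceMonitor("winevent_nic", "*", timedelta(hours=1)),
        SourceMonitor("rhlinux", "*", None),   # threshold not set: never notifies
    ])
    for when, stype, shost in parse_events(SAMPLE_EVENTS):
        esm.record_event(stype, shost, when)
    esm.decommission("ciscoasa", "10.0.0.6")   # e.g. its collector was retired
    return esm.overdue(now)


if __name__ == "__main__":
    for stype, shost, silence in demo():
        print(f"no events from {stype}@{shost} for {silence}")
```

With the constructed input, `demo()` reports `ciscoasa@10.0.0.5` (silent for 1h20m against a 30-minute threshold) and `winevent_nic@10.0.1.20` (silent for 1h58m against a 1-hour threshold); `rhlinux` is tracked but never reported because it has no threshold, and the decommissioned `ciscoasa@10.0.0.6` is suppressed even though it is also past its threshold.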
