ESM: Alarms Tab

Document created by RSA Information Design and Development on Sep 6, 2017. Last modified by RSA Information Design and Development on Sep 12, 2018.
Version 12

From the Alarms tab you can view details of the alarms that have been generated.

The Alarms tab has one panel that displays Alarm status.

To access this tab, go to ADMIN > Event Sources > Alarms.

Workflow

This workflow shows the overall process for configuring event sources. It also shows where configuring alarm and alert settings fits in the process.

 

What do you want to do?

                                      
| Role | I want to... | Documentation |
|---|---|---|
| Administrator | View and modify event sources. | Managing Event Source Groups |
| Administrator | Acknowledge and map event sources. | Acknowledging and Mapping Event Sources |
| Administrator | Add and configure parser mappings for a Log Decoder. | Manage Parser Mappings |
| Administrator | *View event source alarms. | Viewing Event Source Alarms |
| Administrator | Troubleshoot event source management. | ESM Troubleshooting & Appendix |

*You can perform this task here.

Related Topics

Configuring Automatic Alerting

Quick Look

The Alarms tab presents the details for Event Sources that are currently in violation of a policy and threshold. Only Event Sources in violation of a policy appear in the list. Once the event source returns to a normal state, the corresponding alarm disappears from the list.

Example of Alarms status screen.

                                                     
1. Displays the IP, IPv6, or Hostname of the event source that is alarmed.
2. Displays the type of the alarmed event source. For example, winevent_nic (for Microsoft Windows) or rhlinux (for Linux).
3. Displays the event source group that contains the event source for which the alarm has been triggered.
4. Displays the type of threshold that was triggered: High or Low.
5. Displays the conditions of the threshold that was triggered. For example: 5,000,000 events in 5 minutes
6. Displays the number of events in the threshold time period causing the alarm.
7. Displays the initial time the event source went into an alarmed state.
   Note: When you first access this view, the data is sorted by this column (most recent alarm first).
8. Displays the elapsed time since the event source entered an alarmed state.
9. Displays the Log Collector that last collected from this event source.
10. Displays the Log Decoder that last received from this event source.
11. Displays the alarm type. Alarm type is either Manual or Automatic:
      • Manual: these are alarms that violate the configured threshold policy.
      • Automatic: these are alarms that deviate from the baseline for the alarmed event source.
12. Select the Filter icon to display the Filter menu. Select either Automatic or Manual:
      • If you select Automatic, only the alerts that are based on baselines are displayed.
      • If you select Manual, only the alarms for which you have set thresholds are displayed.

Note: You can hide or show columns by right-clicking in the table header and choosing Columns from the drop-down menu. Select a column to display it, or clear the column to hide it.
