ESM: Alarms Tab

Document created by RSA Information Design and Development on Sep 6, 2017Last modified by RSA Information Design and Development on Mar 2, 2018
Version 9Show Document
  • View in full screen mode

From the Alarms tab you can view details of the alarms that have been generated.

The Alarms tab has one panel that displays Alarm status.

To access this tab, go to ADMIN > Event Sources > Alarms.


This workflow shows the overall process for configuring event sources. It also shows where configuring alarms and alerts settings are located in the process.

Workflow shows the overall process for configuring event sources.

What do you want to do?

RoleI want to...Documentation

Set an alarm threshold.

Managing Event Source Groups

Administrator Change the alarm threshold parameters.

Managing Event Source Groups

Related Topics

Viewing Event Source Alarms

Managing Event Source Groups

Quick Look

The Alarms tab presents the details for Event Sources that are currently in violation of a policy and threshold. Only Event Sources in violation of a policy appear in the list. Once the event source returns to a normal state, the corresponding alarm disappears from the list.

Example of Alarms status screen.

1Displays the IP, IPv6, or Hostname of the event source that is alarmed.
2Displays the type of the alarmed event source. For example, winevent_nic (for Microsoft Windows) or rhlinux (for Linux).
3Displays the event source group that contains the event source for which the alarm has been triggered.
4Displays the type of threshold that was triggered: High or Low
5Displays the conditions of the threshold that was triggered. For example:

5,000,000 events in 5 minutes

6Displays the number of events in the threshold time period causing the alarm.

Displays the initial time the event source went into an alarmed state.

Note: When you first access this view, the data is sorted by this column (most recent alarm first).


Displays the elapsed time since the event source entered an alarmed state.


Displays the Log Collector last collecting from this event source.


Displays the Log Decoder last receiving from this event source.


Displays the alarm type. Alarm type is either Manual or Automatic:

  • Manual: these are alarms that violate the configured threshold policy.
  • Automatic: these are alarms that deviate from the baseline for the alarmed event source.

Select the Filter icon to display the Filter menu:


Select either Automatic or Manual:

  • If you select Automatic, only the alerts that are based on baselines are displayed.
  • If you select Manual, only the alarms for which you have set thresholds are displayed.

Note: You can hide or show columns by right-clicking in the table header and choosing Columns from the drop-down menu. Select a column to display it, or clear the column to hide it.

Previous Topic:References
Next Topic:Discovery Tab
You are here
Table of Contents > References > Alarms Tab