000035858 - Previously configured email alerts are no longer triggering in RSA Web Threat Detection

Document created by RSA Customer Support Employee on Jul 21, 2018
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000035858
Applies ToRSA Product Set: Web Threat Detection
RSA Product/Service Type: Mitigator
RSA Version/Condition: 5.1, 6.x
IssuePreviously configured email alerts in RSA Web Threat Detection were working but now are never triggering. 
  • Get a Support Snapshot to observe var/log/messages, and to look at the configuration of ActionServer, look at the rules. 
  • It is helpful to have a webex with the customer to get the history of why this worked and now does not.  Any recent changes?
  • In the FUI (Forensics UI) make sure that Alerts are working, identify the Rules that should trigger and have the Customer show you these rules in the Admin console. 

Here are some good diagnostics --

If alerts are not working then you need to troubleshoot the alerts. (Doing so is not within the scope of this article.

If alerts are working, follow these steps below.

1.  Configure Action Server in DEBUG Mode

2.  Start Action Server on the console with ActionServer service stopped in Scout. 

Example -- 

/var/opt/silvertail/bin/actionserver.py -f /var/opt/silvertail/etc/universal.conf

3. Look through var/log/messages for ActionServer and UIServer messages.

4. Make sure email is working.   Although this is a basic OS level functionality, it is crucial that email can be sent from the WTD server to the intended mailbox.   

a. Determine the method of email used in the system -- This is usually PostFix or Sendmail.  Examples will be shown for these two applications.
b. Telnet to the mail host on port 25 (make sure port 25 is enabled in the Customer environment.)
c. Send an email from the console

  • PostFix(with SendMail) $   echo "this is the body of the email" | mail -s "this is the subject line"  user@example.com
  • SendMail                   $

If mail does not send from the console, the Customer should be asked to do an internal investigation to determine what changes
might have occurred which are now preventing email alerrts from being sent. 

  • Find out what was the previous configuration, mailhosts, smtp relays etc. to get the mail routed from the WTD server. 
  • On the affected system make sure that IP Tables are not on and or blocking mail, and make sure SELinux is set to Permissive