Configuring enVision to use the 400029 message and alerting on it
I would like to see a demo on the configuration of the NIC 400029 device down message and configuring an alert for it. For my specific case, I would like to alert when a device has been generating the NIC 400029 message for 30 days. I would like for the alert to run a script on the ASRV as the output action. I think it would be nice to see multiple scenarios for the configuration.
Do you have a sample message you could post? I have no instances of %NIC-4-400029 that I have been able to generate, and I'm not sure what condition triggers this particular log.
We typically use the 508100 event when it shows a count of zero to flag for devices that may have stopped working. There are several out of the box rules that do this for you (See the CRL-00023 series of alerts).
The other catch is that we can't run any correlation rule for more than 30 hours. What event source type are you concerned with that would be lying dormant for 30 days?
Check out the release notes for either SP3 or SP4 for details on how to configure this item. You need to enable the 400029 message and define the DEVICEDOWN.CONF file. You'd need a line like this to check for a device down for 30 days:
DEVICE_TIMEOUT ciscopix 10.99.99.100 43200
This waits for 43200 minutes (30 days).
Now, I'm not sure what the final NIC 400029 message looks like, but I would imagine it includes the IP address. So your correlation rule would likely look for NIC 400029 event messages, and then filter for laddr matching 10.99.99.100 in my example above.
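The device-down timeout check and the laddr filter from the post above, as an added Python simulation that is not enVision's own code: it parses DEVICE_TIMEOUT lines in the format quoted, flags sources silent longer than their timeout, and applies the per-IP filter. The DEVICEDOWN.CONF contents, the last-seen timestamps and the treatment of blank or '#' lines are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed DEVICEDOWN.CONF contents, in the line format quoted above:
# DEVICE_TIMEOUT <device type> <IP address> <timeout in minutes>.
DEVICEDOWN_CONF = """\
DEVICE_TIMEOUT ciscopix 10.99.99.100 43200
DEVICE_TIMEOUT ciscopix 10.99.99.101 1440
"""

def parse_devicedown_conf(text):
    """Map each IP to (device type, timeout) from DEVICE_TIMEOUT lines.

    Blank lines and '#' comments are skipped (an assumption about the real
    file's syntax); anything else malformed is rejected loudly so a typo
    does not silently disable monitoring for that device.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4 or parts[0] != "DEVICE_TIMEOUT":
            raise ValueError(f"unrecognised DEVICEDOWN.CONF line: {raw!r}")
        _, dev_type, ip, minutes = parts
        entries[ip] = (dev_type, timedelta(minutes=int(minutes)))
    return entries

def device_down_events(entries, last_seen, now):
    """Return 400029-style records for sources silent past their timeout.

    `last_seen` maps IP -> datetime of the last event collected from it.
    A configured IP with no events at all is reported as down as well,
    with silent_for=None, so a never-connected source is not missed.
    """
    events = []
    for ip, (dev_type, timeout) in entries.items():
        seen = last_seen.get(ip)
        if seen is None:
            events.append({"laddr": ip, "device_type": dev_type, "silent_for": None})
        elif now - seen > timeout:
            events.append({"laddr": ip, "device_type": dev_type, "silent_for": now - seen})
    return events

def filter_by_laddr(events, laddr):
    """The correlation-rule filter described above: keep only the watched IP."""
    return [e for e in events if e["laddr"] == laddr]
```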
Here is the message from enVision.
pe>,<obj_name>,<fld1>, Detail: <pid>: <action> Collection Host: <fld2> IP: <laddr> DeviceType: