Create a rule to monitor an abnormal increase in logs
I have another question: is it possible with enVision to create a correlation rule to determine when a device sends more logs than usual?
Generally a Bluecoat device sends 40 messages each minute, every day, each week.
But one day, we receive 400 messages.
So that is not normal, and I would like to trigger an alert.
I tried this:
Create a correlation rule
Create a circuit
Create a statement
In this statement I monitor the NIC device itself
I monitor the event ID 508100
And I create a threshold of 40% per minute baseline.
But it seems that this correlation rule triggers all the time.
Am I going in the right direction?
There are a few issues to consider with the rule you are proposing.
Let's first examine the event filter criteria. You are looking at the events from Envision and specifically only event 508100. This event reports the number of messages processed per device. If there are no events processed, it will still generate a 508100 event stating that 0 events were processed. The 508100 event will occur continuously and each device will have its own event record.
So now let's consider the baseline increase of 40%. In the scenario you outlined, you are actually looking for an increase in the number of NIC 508100 events. What you probably want to do is filter to only include the Blue Coat device and the specific message IDs you want to consider from Blue Coat. That way you are looking at an increase in Blue Coat activity logs.
One last pointer to consider is which baseline you want to really use. Since you specified the minute baseline, what you are effectively comparing is the total number of matching events for the current minute against the same total in the same minute from the previous hour. This may trigger false positives if your web traffic follows a typical workday flow where the volume of traffic falls off during certain hours. You may want to consider using the hour baseline which compares against the same hour and day from 1 week prior.
Thanks for your answer.
Effectively, I'm totally wrong when I check the 508100 events, because I can't use the value before the string "XXXX processed", where XXXX is the number of events processed for the device.
So today I tried another approach: create a watchlist with the IPs of the devices for which I want an alert if an abnormal amount of flow occurs.
I don't want to detect an abnormal amount of events for a specific message.
I would like to have an alert to detect an abnormal flow.
For example, usually, for a week a Checkpoint device generates 1400 events, so I assume that we have 200 events per day.
So if one day the Checkpoint generates 3000 events in one day, it's not normal, so I would like to have an alert saying "Hmm, I detect abnormal traffic, please keep an eye on it".
So with my watchlist I tried to check all messages processed by a device, using the baseline value 60% per hour.
I use a Where clause to find the concerned devices (a watchlist for each Bluecoat, another for each Checkpoint...).
But I can't write such a correlation rule, because it doesn't work, so I think I'm wrong too, and maybe it's not possible to create such a rule.
First, I must admit that I have never tried this, but it should work. What you need is:
- a script to start/stop a view (it was already somewhere on the forum, in the tips & tricks section)
- perl, or awk and sed
1. Create a report which presents the total or average (it depends on the granularity and how often you want to run it) number of events per device in a specified time (use the granularity of your choice). Schedule it and order it to save the results in a CSV file.
2. Create a correlation rule which will look for events 580100 with filter: value of events larger than any number (for now) you want. Create a separate circuit for every device you want to monitor.
3. Locate the XML file which represents the correlation on disk, and create a script with Perl which will replace the number in the filter with values from the CSV report.
4. Place the rule in a separate view, and then schedule the script created in step 3 + a command to restart the view.
It should work.
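The step-3 script from the post above, written out as an added example (this is not code from the thread or from RSA). The on-disk schema of an enVision correlation file is not shown anywhere in the thread, so the `<circuit>`/`<statement>`/`<filter>` element names, the `processed` field name, the CSV column names and the device names are all constructed assumptions; the point is the mechanics: read the report's per-device average, multiply it by a tolerance factor (1.4 for "40% above normal"), and rewrite only the matching device's filter value, leaving circuits without a reported baseline untouched.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed CSV, shaped like the scheduled report of step 1 might export it:
# one row per device with its average hourly event count (hypothetical values).
REPORT_CSV = """device,avg_events_per_hour
bluecoat-1,2400
checkpoint-1,200
"""

# Hypothetical rule file layout: one circuit per device, each filtering on the
# 'processed' count of the NIC volume event. The real on-disk schema is not shown
# in the thread; adapt the element and attribute names to what you find on disk.
RULE_XML = """<correlation name="volume-watch">
  <circuit device="bluecoat-1">
    <statement eventid="508100">
      <filter field="processed" op="gt" value="0"/>
    </statement>
  </circuit>
  <circuit device="checkpoint-1">
    <statement eventid="508100">
      <filter field="processed" op="gt" value="0"/>
    </statement>
  </circuit>
  <circuit device="firewall-9">
    <statement eventid="508100">
      <filter field="processed" op="gt" value="0"/>
    </statement>
  </circuit>
</correlation>
"""


def load_baselines(csv_text):
    """Map device name -> average events per hour, as read from the report CSV."""
    return {row["device"]: float(row["avg_events_per_hour"])
            for row in csv.DictReader(io.StringIO(csv_text))}


def update_thresholds(xml_text, baselines, factor=1.4):
    """Set each device circuit's 'processed' filter value to round(average * factor).

    factor=1.4 means "fire when the count is 40% above the reported average".
    Circuits whose device has no baseline row are left exactly as they were.
    Returns (rewritten_xml, {device: threshold_applied}).
    """
    root = ET.fromstring(xml_text)
    applied = {}
    for circuit in root.iter("circuit"):
        device = circuit.get("device")
        if device not in baselines:
            continue  # no report data for this device: keep its current threshold
        threshold = round(baselines[device] * factor)
        for flt in circuit.iter("filter"):
            if flt.get("field") == "processed":
                flt.set("value", str(threshold))
                applied[device] = threshold
    return ET.tostring(root, encoding="unicode"), applied


def current_thresholds(xml_text):
    """Read back device -> filter value, to check a rewrite before restarting the view."""
    root = ET.fromstring(xml_text)
    return {c.get("device"): int(c.find(".//filter[@field='processed']").get("value"))
            for c in root.iter("circuit")}


if __name__ == "__main__":
    new_xml, applied = update_thresholds(RULE_XML, load_baselines(REPORT_CSV))
    print(applied)   # {'bluecoat-1': 3360, 'checkpoint-1': 280}
    print(new_xml)
```

In the scheduled job described in step 4 the script would read the real report file and rule file, write `new_xml` back over the rule file, and then run the view stop/start command; keeping `current_thresholds()` as a pre-restart check makes it easy to refuse the restart if a device's threshold came out as zero (an empty or missing report row), which would otherwise turn the rule into one that fires on every volume event.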
Since enVision doesn't support counters (yet, I hope), this is what I would have done:
Create a correlation -> create a circuit called bluecoat or whatever you like -> then create a statement called bluecoat or whatever. Now at the device type choose the device you want to monitor, in our case the Bluecoat.
At the event ID choose * (everything) and at the threshold choose any rise of 40% at the hour / day baseline.
Now what this will do: since you're interested in monitoring a general rise of events for the specific device, you won't be able to do it with the NIC system event, but you can see the increase of total events for the device itself. If you would like to see a change in specific events, then just choose them at the event ID.
Hope this will help,
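To make the two baseline choices concrete, the following is an added example (not code from the thread or from RSA) of the comparison both the first reply and the post above describe: count every message from one device per minute or per hour, then compare each bucket against its reference, the same minute one hour earlier for the minute baseline or the same hour one week earlier for the hour baseline, and alert when the increase reaches the configured percentage. The log lines, the device name `bluecoat-1`, the timestamp layout and the counts are all constructed; the example goes slightly beyond the thread by showing, on the same data, the workday-ramp-up false positive the first reply warns about under the minute baseline and its absence under the weekly hour baseline.

```python
from collections import Counter
from datetime import datetime, timedelta


def count_events(lines, granularity):
    """Bucket log lines of the form '<ISO timestamp> <device> <text>' into per-device
    counts per minute or per hour: the quantity a volume baseline rule compares."""
    counts = Counter()
    for line in lines:
        ts_text, device, _ = line.split(" ", 2)
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%S")
        bucket = ts.replace(second=0, microsecond=0)
        if granularity == "hour":
            bucket = bucket.replace(minute=0)
        counts[(device, bucket)] += 1
    return counts


def baseline_alerts(counts, baseline, pct):
    """Return (device, bucket, reference, current, increase_pct) for every bucket whose
    count is at least pct percent above its reference bucket.
    'minute' compares against the same minute one hour earlier (previous-hour baseline);
    'hour' compares against the same hour seven days earlier (previous-week baseline)."""
    lookback = timedelta(hours=1) if baseline == "minute" else timedelta(days=7)
    alerts = []
    for (device, bucket), current in sorted(counts.items()):
        reference = counts.get((device, bucket - lookback))
        if not reference:
            continue  # reference bucket missing or zero: no percentage can be computed
        increase = (current - reference) / reference * 100
        if increase >= pct:
            alerts.append((device, bucket, reference, current, round(increase)))
    return alerts


def synth(device, start, n):
    """Constructed log lines: n messages from one device, all within one minute."""
    return [
        f"{(start + timedelta(seconds=i % 60)):%Y-%m-%dT%H:%M:%S} {device} proxy access line {i}"
        for i in range(n)
    ]


# Constructed traffic for a proxy that normally emits 40 messages per minute.
# Monday 2010-03-01 starts quiet, ramps up at 09:00, and bursts at 11:00;
# the same Monday one week earlier (2010-02-22) is included as the weekly reference.
SAMPLE_LINES = (
    synth("bluecoat-1", datetime(2010, 2, 22, 9, 0), 40)    # reference: last week 09:00
    + synth("bluecoat-1", datetime(2010, 2, 22, 11, 0), 40)  # reference: last week 11:00
    + synth("bluecoat-1", datetime(2010, 3, 1, 8, 0), 10)    # early morning, low volume
    + synth("bluecoat-1", datetime(2010, 3, 1, 9, 0), 40)    # workday volume
    + synth("bluecoat-1", datetime(2010, 3, 1, 10, 0), 40)
    + synth("bluecoat-1", datetime(2010, 3, 1, 11, 0), 400)  # the burst we want to catch
)

if __name__ == "__main__":
    # Minute baseline: 09:00 vs 08:00 fires (+300%) although it is only the normal
    # morning ramp-up, and 11:00 vs 10:00 fires (+900%) for the real burst.
    for alert in baseline_alerts(count_events(SAMPLE_LINES, "minute"), "minute", 40):
        print("minute baseline:", alert)
    # Hour baseline: only 11:00 fires (+900% against the same hour last week).
    for alert in baseline_alerts(count_events(SAMPLE_LINES, "hour"), "hour", 40):
        print("hour baseline:", alert)
```

The `if not reference` guard is the defensive detail that matters in practice: a device that sent nothing in the reference bucket (a newly onboarded source, or a gap in collection) has no meaningful percentage, so the rule should stay silent there rather than divide by zero or fire on every first message.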