This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2011-06-30 01:08 PM

DeviceDown.conf?

Anyone using the devicedown.conf file and alert messageID 400029?  I'm trying to use it but the details are hairy.  The sparse documentation in the SP3 Release Notes give the file format.  But it does not indicate a way of entering comments or notes.  I'm finding that DEVICETYPE_TIMEOUT yields too many alerts and more specificity is required with DEVICE_TIMEOUT.  That's doable, but with a long list of IP addresses, it would be handy to be able to enter a comment so a year from now I know what machine that referrred to.  Anyone else?

 

0 Likes
Reply
4 Replies
RSAAdmin
Beginner
Beginner
‎2011-06-30 04:43 PM

We tried it out with DEVICEGROUP_TIMEOUT entries, but found it much too noisy for devices that don't log very much. Getting your timeouts right seems like the hard part. Adding 'ALERT_PERIOD 0' helps squelch repeated alerts for quiet devices.

 

Also note that DeviceGroup_Timeout entries can not have spaces in them, so if you've already got a group named "Cisco Switches" you'll need to recreate it as "Cisco_Switches" or something similar before you can use it with DeviceDown.conf.

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-09-19 02:17 PM

Noted... essentially, this is a good idea that needs some further work from RSA. Thanks...
0 Likes
Reply
PatricioDemarch
Beginner
Beginner
‎2012-01-04 12:34 PM

Hi all. I am experimenting with devicedown.conf file to set timeouts for different device type. I ran into the problem of where to get the names of the types of devices to be specified in the variable DEVICETYPE_TIMEOUT. The documentation do not help about this.
I found the name to use on the the help of Supported Devices (Event Sources):
Here
 
Fourth column contains the name and ID. You must use the name.
 
An example of devicedown.conf
SYSTEM_TIMEOUT                                    60
POLLING_PERIOD                                     5
CONFIGURATION_PERIOD                        60
ALERT_PERIOD                                        0
DEVICETYPE_TIMEOUT    oracle               720
DEVICETYPE_TIMEOUT    openvms           480
DEVICETYPE_TIMEOUT    ibmmainframe   30
END

Patricio

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to PatricioDemarch
‎2012-01-10 02:27 PM

I've been using this successfully for a couple of months now.  I just look at the most critical devices however (in my alert). 

 

If you have device groups setup for what you want to monitor for, just create a simple view that pulls the 400029 message and filters out the most important devices (domain controllers, firewalls, etc).  You use the Local Address field for this (laddr).  I then setup a supression of 24 hours (again based on laddr) so that I get notified once per day of what isnt sending to Envision.

 

I get the device names for the conf file from e:\nic\version\sitename\etc\devices

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.