How to get email alerts with actual logs using envision
Hi All ,
We have deployed some of our network devices to send syslogs and device related traps to RSA envision . We have also setup envision to send email alert to admins when a threshold is crossed for a specific log . The problem is that the email we receive doesnot have any information on what this log is all about .
For ex. : If there is a configuration change , the Network device generates a log " config change happend at xx.xx.xx by such and such using this ip address " , this log is received by envision and can be viewed too , but when we receive the email alert it doesn't have any information on why this email alert was received .It only contains the below fields , It doesn't have any information on what triggered the event .
View Name Device name
Date/Time Oct xx xx:xx:xx
Event Category System.Normal Conditions.Services
Current Severity Low (1/5)
Peak Severity Severe (5/5)
Peak Time Oct xx xx:xx:xx
Trend Up (0.00%)
Device Name x.x.x.x
Device IP deviceIP x.x.x.x
Device Class device class
Device Type device type
It seems like the admin have to login everytime on envision and look for the timestamp to find what happend which is kind of defeat the purpose of such an email alert . What use is an email alert if it doesnt tell about the alert .
I am new to this platform & dont know if I am setting email alert on envision wrong and would really appreciate if someone can point me to the right direction of how to setup email alert to send alert with actual logs .
You can control what to see in the SMTP messages sent by RSA enVision modifying or creating "Output action templates" ALERTS -> ALERT CONFIGURATIONS -> OUTPUT ACTIONS -> MANAGE OUTPUT ACTION TEMPLATES
There, you can select the format and what field include or not into the message
The only way to do it is using a CSV file with every event that triggered a correlation alert. The feature is called "Composite Events" and is all documented in the envision online help. You can add the file to an Output Action, as Delfin described, but enVision still decide to send the event line, you cannot select which part of the line or which variable send ... fortunately it works! and you can see the file in you favorite CSV editor.
Regards from Chile,
You're assuming that Sanjith are using a correlated alert to use composite events.
Composite events gives you a link with every message fired in a correlated alert, but every messages will have the fields listed by "output action templates", if you do not include the fields you want to see, you will not be able to see it.
If you activate the "message text" field in the templates you use, you can get the real message recieved by RSA enVision. (the MostCommonField template, already has enable this field). The message you get will depend of the device itself and the level of logging of the device, for example the routers has different levels of logging that you must activate if you want more details.
From the online help:
When you set up composite events, RSA enVision sends you a link to get all of the events, within a configurable limit, that are associated with a correlated rule that fired.
Thanks for your clarification. You're right, I assumed that Sanjith was using correlated alerts because I tested in that way.
I would like to add that, besides the link, you can also receive a CSV file in the attached to the alert mail if you check both options in the Outpur Action Template zone.
Regards from Chile,
Sure, you can get a link or a CSV file using composite events in a configuration rule, but you still need to configure the fields into the OUTPUT ACTION TEMPLATES.
Yeap, Your are correct. You can select any of the below
Most Common Fields
However without enabling the logging level in the respective appliances, we cant see anything..
I said that in an early response. "The message you get will depend of the device itself and the level of logging of the device, for example the routers has different levels of logging that you must activate if you want more details."