This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2014-10-24 11:53 AM

How to get email alerts with actual logs using envision

Hi All ,

 

We have deployed some of our network devices to send syslogs and device related traps to RSA envision . We have also setup envision to send email alert to admins when a threshold is crossed for a specific log . The problem is that the email we receive doesnot have any information on what this log is all about .

 

For ex. : If there is a configuration change , the Network device generates a log " config change happend at xx.xx.xx by such and such using this ip address " , this log is received by envision and can be viewed too , but when we receive the email alert it doesn't have any information on why this email alert was received .It only contains the below fields , It doesn't have any information on what triggered the event .

 

View Name Device name

Date/Time Oct xx xx:xx:xx

Site Sitename

Event Category System.Normal Conditions.Services

Current Severity Low (1/5)

Peak Severity Severe (5/5)

Peak Time Oct xx xx:xx:xx

Trend Up (0.00%)

Count 80

Device Name x.x.x.x

Device IP deviceIP x.x.x.x

Device Class device class

Device Type device type

Source IP 

Source Port 

Destination IP

 

It seems like the admin have to login everytime on envision and look for the timestamp to find what happend which is kind of defeat the purpose of such an email alert . What use is an email alert if it doesnt tell about the alert .

 

I am new to this platform & dont know if I am setting email alert on envision wrong and would really appreciate if someone can point me to the right direction of how to setup email alert to send alert with actual logs .

0 Likes
Reply
7 Replies
DelfinAbzueta
Beginner
Beginner
‎2014-10-24 02:03 PM

Hi Sanjith,

 

You can control what to see in the SMTP messages sent by RSA enVision modifying or creating "Output action templates" ALERTS -> ALERT CONFIGURATIONS -> OUTPUT ACTIONS -> MANAGE OUTPUT ACTION TEMPLATES

 

There, you can select the format and what field include or not into the message

0 Likes
Reply
FernandoAllende
Beginner
Beginner
In response to DelfinAbzueta
‎2014-10-24 02:34 PM

Hello Sanjith,

 

The only way to do it is using a CSV file with every event that triggered a correlation alert. The feature is called "Composite Events" and is all documented in the envision online help. You can add the file to an Output Action, as Delfin described, but enVision still decide to send the event line, you cannot select which part of the line or which variable send ... fortunately it works! and you can see the file in you favorite CSV editor.

 

Regards from Chile,

Fernando Allendes.

0 Likes
Reply
DelfinAbzueta
Beginner
Beginner
In response to FernandoAllende
‎2014-10-24 03:42 PM

Hi Fernando,

 

 

You're assuming that Sanjith are using a correlated alert to use composite events.

 

 

Composite events gives you a link with every message fired in a correlated alert, but every messages will have the fields listed by "output action templates", if you do not include the fields you want to see, you will not be able to see it.

 

 

If you activate the "message text" field in the templates you use, you can get the real message recieved by RSA enVision. (the MostCommonField template, already has enable this field). The message you get will depend of the device itself and the level of logging of the device, for example the routers has different levels of logging that you must activate if you want more details.

 

 

From the online help:

Composite Events

When you set up composite events, RSA enVision sends you a link to get all of the events, within a configurable limit, that are associated with a correlated rule that fired.

0 Likes
Reply
FernandoAllende
Beginner
Beginner
In response to DelfinAbzueta
‎2014-10-24 04:39 PM

Hi Delfin:

 

Thanks for your clarification. You're right, I assumed that Sanjith was using correlated alerts because I tested in that way.

 

I would like to add that, besides the link, you can also receive a CSV file in the attached to the alert mail if you check both options in the Outpur Action Template zone.

 

 

Regards from Chile,

Fernando Allendes.

0 Likes
Reply
DelfinAbzueta
Beginner
Beginner
‎2014-10-24 05:12 PM

Hi Fernando,

 

Sure, you can get a link or a CSV file using composite events in a configuration rule, but you still need to configure the fields into the OUTPUT ACTION TEMPLATES.

 

Cheers.

 

Happy weekend.

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to DelfinAbzueta
‎2014-10-28 03:04 AM

Yeap, Your are correct. You can select any of the below

 

Short Format

Most Common Fields

Long Format

 

However without enabling the logging level in the respective appliances, we cant see anything..

0 Likes
Reply
DelfinAbzueta
Beginner
Beginner
In response to RSAAdmin
‎2014-10-28 09:33 AM

Hi Yans,

 

That's right.!

 

I said that in an early response. "The message you get will depend of the device itself and the level of logging of the device, for example the routers has different levels of logging that you must activate if you want more details."

 

Thanks!

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.