HowTo: Setup an alert for no logs received
I have been having a problem with a set of Checkpoint firewalls not sending their logs. I have been trying to figure out how to set up an alert that would send an email if enVision does not see a log entry from a specific firewall in XX hours. Can anyone point me in the right direction?
I have set up a couple of alerts, but they have been the type that look for a specific string. Never done one like this before.
Have you played with the threshold settings in the Statement definition? There is an option there for "Consider if NO events come in within ____ seconds."
I'll be testing something similar (for our IPS) soon, as this is something that I've recently been asked to do, as well -- I'll let you know what I find (and if you have any tips in your experimentation, please share them, as well!).
The best way to do this is to look for NIC events with the ID 508100. These are related to the packager and the message contains a field detailing how many events have been processed.
You can create an alert to look for these events and use the filter option to look for events with 0 in the events field. These packager events are created every minute for every device. You can also use the threshold options to determine how many you need to see before generating the alert.
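To make the "no events" detection concrete, here is an added Python example (not enVision code and not from anyone in this thread) that applies both approaches discussed above over constructed sample lines: flagging a device whose per-minute packager summaries report 0 events for N consecutive minutes, and flagging a device whose last non-zero summary is older than a maximum gap. The line format, device names and timestamps are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample in a hypothetical "timestamp device events=N" shape,
# modelled loosely on per-minute packager summary events (one line per device per minute).
SAMPLE = """\
2024-01-01T10:00:00 fw-ny events=120
2024-01-01T10:00:00 fw-la events=0
2024-01-01T10:01:00 fw-ny events=98
2024-01-01T10:01:00 fw-la events=0
2024-01-01T10:02:00 fw-ny events=0
2024-01-01T10:02:00 fw-la events=0
2024-01-01T10:03:00 fw-ny events=75
2024-01-01T10:03:00 fw-la events=0
"""


def parse(lines):
    """Yield (timestamp, device, event_count) for each summary line."""
    for line in lines.splitlines():
        ts, dev, kv = line.split()
        yield datetime.fromisoformat(ts), dev, int(kv.split("=", 1)[1])


def silent_devices(lines, threshold):
    """Devices with `threshold` or more consecutive zero-count summaries.

    This mirrors filtering on events == 0 and requiring N hits before alerting,
    so a single quiet minute (fw-ny at 10:02) does not page anyone.
    """
    streak, alerted = {}, set()
    for _, dev, n in parse(lines):
        streak[dev] = streak.get(dev, 0) + 1 if n == 0 else 0
        if streak[dev] >= threshold:
            alerted.add(dev)
    return alerted


def stale_devices(lines, now, max_gap):
    """Devices whose last non-zero summary is older than `max_gap` relative to `now`.

    A device that has never reported a non-zero count is treated as stale too.
    """
    last_seen = {}
    for ts, dev, n in parse(lines):
        if n > 0:
            last_seen[dev] = max(last_seen.get(dev, ts), ts)
    devices = {dev for _, dev, _ in parse(lines)}
    return {dev for dev in devices if now - last_seen.get(dev, datetime.min) > max_gap}


if __name__ == "__main__":
    print("silent:", silent_devices(SAMPLE, 3))
    print("stale:", stale_devices(SAMPLE, datetime(2024, 1, 1, 10, 4), timedelta(minutes=2)))
```

The same logic generalizes to the "one device in enVision fronting many sources" case only if the forwarded events carry the original source name in a field you can key on instead of the device name.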
That is the NIC023 out-of-the-box alert -- I didn't have much luck with it when I just turned it on to see what it did, but that could have been more related to a lack of understanding of what it was doing. I'll take a look at it again.
For those cases where we are forwarding on information from a centralized device (for instance, our Air Defense sensors and Unix server authentication only show as one device in enVision), is there anything easy that can be done for this? I assume that the 508100 will only generate for the single device that is forwarding the events.
Oh, and to find the Threshold information, create a correlated alert (through the Alerts Module -> Alert Configuration -> Correlated Alerts -> Manage Correlation Rules). When you create a statement, there is a little dropdown that allows you to set a threshold. It is minimized by default, so you have to click a little arrow to display your options. Hope that helps!
I am interested in using this alert to determine if events are being forwarded from a Remote Collector. If I am correct, only if the forwarder is working properly will the packager process events from the Remote Collector. So if I set a threshold of say no events from this site in an hour or 2, would that be a sign that we were having communication issues?
Kent Saunders CISSP