This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2008-04-10 05:20 PM

HowTo: Setup an alert for no logs received

I have been having a problem with a set of Checkpoint firewalls not sending their logs.  I have been trying to figure out how to set up an alert that would send an email if Envision does not see a log entry from a specific firewall in XX hours?  Can anyone point me in the right direction?

 

I have setup up a couple of alerts, but they have been the type that look for a specific string.  Never done one like this before.

0 Likes
Reply
6 Replies
RSAAdmin
Beginner
Beginner
‎2008-04-15 10:55 AM

Have you played with the threshold settings in the Statement definition?  There is an option there for "Consider if NO events come in within ____ seconds."

 

I'll be testing something similar (for our IPS) soon, as this is something that I've recently been asked to do, as well -- I'll let you know what I find (and if you have any tips in your experimentation, please share them, as well!). 

 

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2008-04-15 11:32 AM

I am ignorant as to where that is. I have beed trying to find it.
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2008-04-17 11:56 AM

The best way to do this is to look for NIC events with the ID 508100.   These are related to the packager and the message contains a filed detailing how many events have been processed.

 

You can create an alert to look for these events and use the filter option to look for events with 0 in the events field.  These packager events are created every minute for every device.  You can also use the threshold options to determine how many you need to see before generating the alert.

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2008-04-18 02:47 PM

That is the NIC023 out-of-the-box alert -- I didn't have much luck with it when I just turned it on to see what it did, but that could have been more related to a lack of understanding of what it was doing.  I'll take a look at it again.

 

For those cases where we are forwarding on information from a centralized device (for instance, our Air Defense sensors and Unix server authentication only show as one device in enVision), is there anything easy that can be done for this?  I assume that the 508100 will only generate for the single device that is forwarding the events.

Message Edited by Jeff on04-18-200801:48 PM
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2008-04-18 02:51 PM

Oh, and to find the Threshold information, create a correlated alert (through the Alerts Module -> Alert Configuration -> Correlated Alerts -> Manage Correlation Rules).  When you create a statement, there is a little dropdown that allows you to set a threshold.  It is minimized by default, so you have to click a little arrow to display your options.  Hope that helps!

0 Likes
Reply
KentSaunders
Beginner
Beginner
In response to RSAAdmin
‎2009-04-01 11:13 AM

I am interested in using this alert to determine if events are being forwarded from a Remote Collector.  If I am correct, only if the forwarder is working properly will the packager process events from the Remote Collector.  So if I set a threshold of say no events from this site in an hour or 2, would that be a sign that we were having communication issues? 

 

Thanks,

Kent Saunders CISSP

Midwave

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.