Ironport ESA Alert question
What you are going to want to do is go to System Configuration, Messages, Manage Messages and look for Ironport ESA and the message which is Info_Entered:
)><@event_time:*EVNTTIME($MSG,'%B %F %N:%U:%O %W',fld20,
fld21,fld22)><@msg:*PARMVAL($MSG)><@action:user entered ac
tion> <fld20> <fld21> <fld22> Info: PID <proce
ss_id>: User <username> entered '<action>'; pro
mpt was '<info>'
Now, take an example of the message that you have collected in enVision and match up the data in the message with the different variables. Then you should be able to see which variable that you want to use. This message is a little easier:
fld20, fld21 and fld22 should all be part of time, so you can rule those out for session ID. You probably are looking at process_id or it is in info.
Now, my example is Content 2, looks like yours is Content 1, but just follow the same logic here and you can map your message to the variables to see which one holds the session ID.
Paul, thanks for the response, but I am still a bit confused.
My Ironport version must be different from yours. My MessageID is simply "entered", not "Info_entered" like yours. Mine is in the Access Control table. Still using Content 1.0.
When I look at the message, it says "Info: PID <poolid> ", and poolid is one of the options for me in the alert filter. If I understand correctly, I should be using poolid.
Sound right to you?