This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
KentSaunders
Beginner
Beginner
‎2011-11-30 03:15 PM

Ironport ESA Alert question

Hi all, I am coding an alert for ESA, and have a question about which variable I should be using. Basically, I want to monitor for the Message ID 'entered', but only for some specific Session IDs. When I look in the Filter options, Session ID is not an option. These are my options: Action Event Time Event Type Field 20 Field 21 Field 22 info poolid User Name [CONTENT] Event Type seems like the most likely candidate, but I wanted to know if anyone else had some more insight into this for me. Thanks, Kent
0 Likes
Reply
4 Replies
RSAAdmin
Beginner
Beginner
‎2011-12-01 08:53 AM

Kent,

 

What you are going to want to do is go to System Configuration, Messages, Manage Messages and look for Ironport ESA and the message which is Info_Entered:

 

 

<@ec_subject:User><@ec_theme:ALM><@:*SYSVAL($MSGID,$ID1
)><@event_time:*EVNTTIME($MSG,'%B %F %N:%U:%O %W',fld20,
fld21,fld22)><@msg:*PARMVAL($MSG)><@action:user entered ac
tion> <fld20> <fld21> <fld22> Info: PID <proce
ss_id>: User <username> entered '<action>'; pro
mpt was '<info>'

 

Now, take an example of the message that you have collected in enVision and match up the data in the message with the different variables.    Then you should be able to see which variable that you want to use.  This message is a little easier:

 

fld20, fld21 and fld22 should all be part of time, so you can rule those out for session ID.  You probably are looking at process_id or it is in info.

 

Now, my example is Content 2, looks like yours is Content 1, but just follow the same logic here and you can map your message to the variables to see which one holds the session ID.

 

Paul

 

 

0 Likes
Reply
KentSaunders
Beginner
Beginner
In response to RSAAdmin
‎2011-12-02 10:33 AM

Paul, thanks for the response, but I am still a bit confused.

 

My Ironport version must be different from yours. My MessageID is simply "entered", not "Info_entered" like yours. Mine is in the Access Control table. Still using Content 1.0.

 

When I look at the message, it says "Info: PID <poolid> ", and poolid is one of the options for me in the alert filter. If I understand correctly, I should be using poolid.

 

Sound right to you?

 

Kent

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to KentSaunders
‎2011-12-05 10:35 AM

Hey Kent, since you are using content 1 XML. the session id could be found in poolid; where PID is parsed; or info; where the prompt is parsed. Ahmed
0 Likes
Reply
KentSaunders
Beginner
Beginner
In response to RSAAdmin
‎2011-12-19 12:12 PM

Just so everyone knows, the correct field was EventType, not PoolID or INfo. Thanks for everyone who responded.
0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.