Monitoring Log interruption for devices behind a consolidation server
We have CA-ACX (Access Control System) integrated to RSA enVision. CA ACX agents are install on all the UNIX based servers which send logs to CA ACX server as a consolidation point. NICSFTPagent picks up these logs every 5 minutes and sends to RSA enVision.
Requirement is, if agent on the UNIX server goes down, how can we monitor that. We tried to monitor using the following logs. The rules has been implemented as if there is no STARTUP event in 1 hour after the SHUTDON event happened.
1 2010/09/21 16:13:22.456 GMT xx.xx.xx.xx %CAACX-4-SHUTDOWN: [agent name or IP] 21 Sep 2010 10:36:54 M SHUTDOWN 0 seosd
1 2010/09/21 16:13:22.456 UTC xx.xx.xx.xx %CAACX-4-START: [agent name or IP] 21 Sep 2010 11:04:25 M START seosd
Here agent sends both the events at the same time when it starts up. Has anybody implemented this kind of Log interruption scenario? or if somebody has a better way to monitor downstream devices (devices behind the consolidation server)?
Appreciate your suggestions.
I do not see enVision offering support for CA Access Control (ACX or etrust Access Control for UNIX). Did you develop the UDS for this yourself?
I have a client that uses this and wishes to send these logs to enVision.