Hi All,
We have CA-ACX (Access Control System) integrated to RSA enVision. CA ACX agents are install on all the UNIX based servers which send logs to CA ACX server as a consolidation point. NICSFTPagent picks up these logs every 5 minutes and sends to RSA enVision.
Requirement is, if agent on the UNIX server goes down, how can we monitor that. We tried to monitor using the following logs. The rules has been implemented as if there is no STARTUP event in 1 hour after the SHUTDON event happened.
1 2010/09/21 16:13:22.456 GMT xx.xx.xx.xx %CAACX-4-SHUTDOWN: [agent name or IP] 21 Sep 2010 10:36:54 M SHUTDOWN 0 seosd
1 2010/09/21 16:13:22.456 UTC xx.xx.xx.xx %CAACX-4-START: [agent name or IP] 21 Sep 2010 11:04:25 M START seosd
Here agent sends both the events at the same time when it starts up. Has anybody implemented this kind of Log interruption scenario? or if somebody has a better way to monitor downstream devices (devices behind the consolidation server)?
Appreciate your suggestions.
Thanks.
Kuljeet Singh
