Need help with alerting for monitored devices not sending logs...with a catch.
We have a somewhat unusual (maybe not) situation here. We want to generate an alert any time we have not received any events from a monitored device after a given time period...let's say 1 hour. We have done a bunch of work to create some custom alerts to do this by message type (so we will know if we are only missing certain events from a multi-device). The problem is, a big chunk of our monitored devices, which are WinXP, are routinely powered off when not being used so we don't want to alert in that scenario.
I am looking for a way to alert us if one of these devices is online (not powered down) AND we have not received any events in our predefined time period (1 hour). Pinging the hosts would be a good indication they are online. Also there would be a shutdown event PRIOR to the absence of received events for the one hour threshold.
Has anyone here faced and come up with a solution for this scenario? Any creative ideas?
Is it safe to assume that you have something that is monitoring the up/down status of the devices? If so, you could potentially feed that information back to the SIM for an additional piece of your correlation rule. I'd recommend importing the lists of systems that are up into a watchlist and then creating your alert if the system is in the watchlist.
Thanks for the response. We do use OVO for monitoring, however due to some technical and resource constraints we cannot pursue integration at this time...probably not until sometime next year. One problem with using a watchlist is that the group of monitored devices is somewhat dynamic meaning that devices are added and removed VERY frequently, so maintaining such a list could be a full time job.
You already mentioned it, but I would think the best option is to incorporate the Windows Shutdown event into your rule: Security_513_Security.
You may need to extend the decay time in the rule to cover the time period that the systems are typically shut down.
I think there is a workaround for the manual watchlist maintenance...but I'll have to get back to you on that one...if you have an alert that monitors the up/down status, you should be able to create a relatively dynamic watchlist (I've seen it discussed in a tips and tricks), but I'll have to research that a little more before I could tell you how to do it.
Otherwise, going the other way... Can you create the alert for no messages received in a period of time and use an SNMP output action to send the data to OVO for analysis? It might be easier for the operators there to quickly determine the up/down status and take action.
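The rule logic discussed above (alert only when a host has been silent for the threshold AND is still reachable, or, where no up/down feed is available, when the silence was not preceded by the Windows shutdown event with a decay covering the usual powered-off period) can be checked offline before building it in the SIM. The script below is an added example and is not code from this thread or from any product mentioned in it. It assumes Python, constructed host names and sample events, a constructed dictionary standing in for a ping sweep, and an assumed 12-hour decay window; only the event name Security_513_Security comes from the thread.

```python
"""Silent-device check with two suppression strategies.

Mode A (is_up supplied): silent AND reachable -> alert; silent AND unreachable -> powered off.
Mode B (no is_up):       silent AND last event was a shutdown within the decay -> suppressed.
"""
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple

# Event name for the Windows shutdown audit event, as named in the thread.
SHUTDOWN_EVENT = "Security_513_Security"

# Constructed sample events (timestamp, host, event name); not real log data.
SAMPLE_EVENTS = [
    ("2009-03-02 08:00:00", "wxp-01", "Security_528_Security"),
    ("2009-03-02 09:50:00", "wxp-01", "Security_528_Security"),  # fresh, nothing to do
    ("2009-03-02 08:10:00", "wxp-02", "Security_528_Security"),
    ("2009-03-02 08:30:00", "wxp-02", SHUTDOWN_EVENT),           # clean shutdown, still off
    ("2009-03-02 07:00:00", "wxp-03", "Security_528_Security"),  # silent, no shutdown, pingable
    ("2009-03-02 07:30:00", "wxp-04", "Security_528_Security"),  # silent, no shutdown, plug pulled
    ("2009-03-02 08:00:00", "wxp-05", "Security_528_Security"),
    ("2009-03-02 08:20:00", "wxp-05", SHUTDOWN_EVENT),           # shut down, later powered on, agent silent
]

# Constructed ping-sweep result standing in for real ICMP checks at evaluation time.
PING_RESULTS = {"wxp-01": True, "wxp-02": False, "wxp-03": True, "wxp-04": False, "wxp-05": True}

Event = Tuple[datetime, str, str]


def parse_events(rows) -> List[Event]:
    """Turn the (ts, host, name) string rows into datetime-keyed events."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, name) for ts, host, name in rows]


def last_event_per_host(events: List[Event]) -> Dict[str, Tuple[datetime, str]]:
    """Most recent event per host; the set of hosts is derived from the events themselves,
    so no static watchlist has to be maintained."""
    last: Dict[str, Tuple[datetime, str]] = {}
    for ts, host, name in events:
        if host not in last or ts > last[host][0]:
            last[host] = (ts, name)
    return last


def evaluate(events: List[Event], now: datetime,
             threshold: timedelta = timedelta(hours=1),
             is_up: Optional[Callable[[str], bool]] = None,
             shutdown_decay: timedelta = timedelta(hours=12)) -> Dict[str, str]:
    """Return a verdict per host: ok, alert, suppressed_off or suppressed_shutdown."""
    verdicts: Dict[str, str] = {}
    for host, (ts, name) in last_event_per_host(events).items():
        silence = now - ts
        if silence < threshold:
            verdicts[host] = "ok"
        elif is_up is not None:
            # Reachable but silent means the agent or forwarding path is broken.
            verdicts[host] = "alert" if is_up(host) else "suppressed_off"
        elif name == SHUTDOWN_EVENT and silence < shutdown_decay:
            # No up/down feed: trust the shutdown event for the length of the decay window.
            verdicts[host] = "suppressed_shutdown"
        else:
            verdicts[host] = "alert"
    return verdicts


def alerts(verdicts: Dict[str, str]) -> List[str]:
    """Hosts that should raise the missing-logs alert."""
    return sorted(h for h, v in verdicts.items() if v == "alert")


def run_sample(use_ping: bool) -> Dict[str, str]:
    """Evaluate the constructed sample at 10:00 with or without the ping feed."""
    now = datetime(2009, 3, 2, 10, 0, 0)
    is_up = (lambda h: PING_RESULTS.get(h, False)) if use_ping else None
    return evaluate(parse_events(SAMPLE_EVENTS), now, is_up=is_up)


if __name__ == "__main__":
    for mode in (True, False):
        print("with ping" if mode else "shutdown-only", run_sample(mode))
```

With the ping feed, wxp-04 (plug pulled, no shutdown event) is correctly left alone and wxp-05 (shut down, powered on again, still silent) is correctly raised. With the shutdown-only rule those two verdicts flip: wxp-04 becomes a false alert and wxp-05 is missed, which is the trade-off in relying on the 513 event and a decay instead of an up/down feed.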
Your second idea is what I am currently looking into, however our OVO infrastructure is a bit "distressed" at the moment, so I am not sure when they will be willing to work with me on this one.
Thanks for the ideas!