This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2012-07-30 04:00 AM

Problems with custom event source alerting???

Hi, I'm having some weird errors with correlated views and a custom event source. It should be very straightforward. I can see the messages I want in 'Manage messages to parse' yet when I use a view to refer to a correlated alert matching the message I want, the view fails with a 'no devices configured' error message. If I add another statement to my existing correlated alert for the custom event source, using an RSA-defined event source, it saves without error. A very similar alert using an RSA-defined event source works fine. Just wondering if anyone has had similar problems in the past with custom event sources and alerting? Thanks, Mark.
0 Likes
Reply
1 Reply
RSAAdmin
Beginner
Beginner
‎2012-09-18 11:29 PM

Hi CIETCSecops,

 

I have seen a similar problem in the past with custom events that I've configured.  The situation with my events was that although I believed all the messages were parsing, they were all being recorded as undefined.

 

You can see if the messages are being defined by clicking on the Analysis tab, expand Graph View and select "Events by Event Type". 

 

Capture2.JPG

Then in the right hand window select "Display Advanced Graph Options" and select "Event Categories" under the Data Type selection box.

 

Capture3.JPG

Apply the filters in the top section selecting your custom event type from the dropdown list and select a large enough timeframe to ensure that messages have been received.

 

When you click the "Update Now" button you will see a graph displaying what categories the messages are being parsed into.  If the only category displayed is "Undefined" then the messages are not parsing.

 

I would start there and then update this post with your findings, maybe we can find the solution.

 

Good Luck,

Steve

0 Likes
Reply
© 2021 RSA Security LLC or its affiliates.
All rights reserved.