Security Application stops functioning
Can you be a bit more specific? What security application are you referring to? What aspect of "stop" do you want to be alerted on? The application itself not sending logs to enVision? Alerting on an application-specific command to stop the app?
It depends on the application. Sometimes the application itself not sending logs to enVision could mean that the application is down, and it is interesting to monitor that; the second proposition, alerting on an application-specific command to stop the app, seems to be another way. I don't care about the way to monitor it; what is important for me is to monitor the applications when they stop functioning. Regards, Mounis
Two scenarios I see. You're looking for the default correlation rule NIC023, which fires when enVision does not receive a valid log to parse from the "application" or event source (the event source or application is not sending data or has gone down). The second scenario would be the "event source" triggering an event that alerts you to a problem with the log, such as a Windows event log cleared: Event 517 will show you your log was cleared and something is up. Or a reboot message, maybe? Or a firewall event: a failover message on an ASA/PIX, if you receive it, might show the application malfunctioning and result in lost logs from that application "event source".
Is this what you were looking for? If not, please explain more in depth. Thanks
Thanks for your answer. I still use enVision at a low level, just generating and scheduling reports. From a quick look at NIC023, it seems a nice starting point to monitor for a device not sending data. How can I activate it, or if it is activated by default, where can I get these events when they occur?
It is not activated by default. You will need to create a view (I suggest naming it "enVision System Health") and then add the correlation rule NIC023 to this view.
You can do this by selecting the Device as "Correlation" from "Select Devices and Correlation Classes" and then adding NIC023 on the following screen.
I added screenshots for you.
In my opinion the NIC023 correlated alert is not working properly. In what cases the alert will fire?
Therefore I made my own 'No_events' correlated alert. It simply keeps track of the number of messages processed per device IP & type. enVision generates a '508100' event (xx messages processed) every minute for each active device it has in its configuration.
Just keep track of these events when the count = 0. For example, if this happens for 60 minutes, the device has not been sending events for one hour.
The negative side of this is that you need to create a lot of statements when you want a bigger interval than 60 minutes. Another problem is that a bug in enVision only lets you specify the parameter 'within (seconds)' for the operator 'followed by' of the first statement. RSA is working on a fix for that.
The alert seems to work very well, though; I have tested it at a couple of enVision sites for several weeks now.
PS. We do a lot of consultancy for implementations of enVision in The Netherlands/Europe. Please send me a private message for company information.
Alerting by NIC023 is fine with me, but I have also configured a report on the dashboard which gives me a quick view of the devices that are currently not sending logs. This helps me get a quick overview of all the devices without getting into any alert details.
I have used the alerts table with the SQL query "DeviceType > 99 AND EventMessageID LIKE 'TTSL_NIC023'" to generate this report.
Seems to be working fine for me.
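The two approaches above (the 'No_events' correlated alert that watches the per-device 508100 "messages processed" count, and the dashboard report listing devices that are currently not sending) can be expressed as plain detection logic. The example below is added here for illustration; it is not code from the thread or from RSA enVision. It assumes a simplified record format for the 508100 heartbeat (minute offset, event ID, device IP, device type, count), and the sample feed is constructed. It applies the "count = 0 for N consecutive minutes" rule, and also treats a heartbeat that stops arriving altogether as silence, because a device whose 508100 records vanish has not become healthy, it has simply left the count loop.

```python
"""Detect event sources that have gone silent, modelled on the 'No_events' idea:
enVision emits one 508100 "xx messages processed" record per minute per device.
A device whose count is 0 for N consecutive minutes is not sending logs.

All record formats and sample data here are constructed for this example and
are NOT the real enVision format or the forum poster's rule definition.
"""
import re
from collections import defaultdict

# Assumed heartbeat shape: "<minute> 508100 <device_ip> <device_type> <count> messages processed"
HEARTBEAT_RE = re.compile(
    r"^(?P<minute>\d+) 508100 (?P<ip>\d+\.\d+\.\d+\.\d+) (?P<dtype>\S+) "
    r"(?P<count>\d+) messages processed$"
)


def parse_heartbeats(lines):
    """Return ({(ip, dtype): {minute: count}}, latest_minute_seen).

    Non-508100 lines are skipped: the real feed carries every other event too.
    """
    per_device = defaultdict(dict)
    latest = None
    for line in lines:
        m = HEARTBEAT_RE.match(line.strip())
        if not m:
            continue
        minute = int(m["minute"])
        per_device[(m["ip"], m["dtype"])][minute] = int(m["count"])
        latest = minute if latest is None else max(latest, minute)
    return per_device, latest


def silent_streak(counts, latest):
    """Consecutive minutes ending at `latest` with zero processed messages.

    A minute with no heartbeat at all counts as zero: if the 508100 records for
    a device stop appearing, that is silence as well, not health.
    """
    streak = 0
    first = min(counts)
    minute = latest
    while minute >= first and counts.get(minute, 0) == 0:
        streak += 1
        minute -= 1
    return streak


def find_silent_devices(lines, threshold_minutes=60):
    """{(ip, dtype): streak} for devices silent for at least threshold_minutes."""
    per_device, latest = parse_heartbeats(lines)
    if latest is None:
        return {}
    return {
        key: silent_streak(counts, latest)
        for key, counts in per_device.items()
        if silent_streak(counts, latest) >= threshold_minutes
    }


def overview(lines, threshold_minutes=60):
    """Dashboard-style list of devices currently not sending, one line per device."""
    silent = find_silent_devices(lines, threshold_minutes)
    return [f"{ip} ({dtype}): no events for {n} min"
            for (ip, dtype), n in sorted(silent.items())]


def build_sample_feed():
    """Constructed 70-minute feed covering four situations:
    10.0.0.1 healthy throughout; 10.0.0.2 stops after minute 2 (count 0 onwards);
    10.0.0.3 has a short 5-minute gap then recovers; 10.0.0.4's heartbeats stop
    arriving entirely after minute 20 (no 508100 record at all).
    """
    lines = ["0 100001 some unrelated event that the parser must ignore"]
    for m in range(70):
        lines.append(f"{m} 508100 10.0.0.1 winevent {100 + m} messages processed")
        lines.append(f"{m} 508100 10.0.0.2 ciscoasa {40 if m < 3 else 0} messages processed")
        lines.append(f"{m} 508100 10.0.0.3 checkpoint {0 if 10 <= m < 15 else 7} messages processed")
        if m <= 20:
            lines.append(f"{m} 508100 10.0.0.4 syslog 5 messages processed")
    return lines


if __name__ == "__main__":
    feed = build_sample_feed()
    for row in overview(feed, threshold_minutes=60):
        print(row)
    # Lower threshold also catches the device whose heartbeats vanished.
    for row in overview(feed, threshold_minutes=30):
        print("[30 min]", row)
```

With the 60-minute threshold only 10.0.0.2 is reported (67 silent minutes); 10.0.0.3's earlier 5-minute gap has already recovered and does not count, and 10.0.0.4 (49 minutes without any heartbeat) only shows up once the threshold is lowered to 30. The threshold is a single parameter here, which is the part the thread notes is awkward to express as chained correlation statements in the product itself.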