This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2010-06-15 04:49 PM

Will alert fire when the view it's in is restarting?

I have a correlated alert ( no multi-threading, no threshold) which is supposed to be triggered by the following messages: Security_624_Security; Security_624_Security:01; Security_624_Security:02.  I think what happened is that the view the alert is in was restarted, while it was restarting aSecurity_624_Security:02 came in and this didn't trigger an alert b/c the view was not done restarting yet?  Does that sound right? I included what I think are the relevant log messages. Any thoughts or alertnative theories would be appreciated.

 

2010/06/02 08:50:05.068 CDT %NIC-5-608023: Alerter, Alerter, -, -, -, -, Detail: 2732: 1129 Requesting view=Windows Alerts to reset

 

2010/06/02 08:50:47.109 CDT %NICWIN-4-Security_624_Security: Security,rn=1700813 cid=0x00000007 eid=0x00000270,Wed Jun 02 08:51:04 2010,624,Security,domain1/user1,Success Audit,hostname1,Account Management,,User Account Created: New Account Name: user2  New Domain: domain2 New Account ID: None  Caller User Name: user1  Caller Domain: domain1  Caller Logon ID: (0x0,0xE3F71CE)  Privileges -  Attributes: Sam Account Name: user2  Display Name: <value not set>  User Principal Name: -  Home Directory: <value not set>  Home Drive: <value not set>  Script Path: <value not set>  Profile Path: <value not set>  User Workstations: <value not set>  Password Last Set: <never>  Account Expires: <never>  Primary Group ID: 513  AllowedToDelegateTo: -  Old UAC Value: 0x190030  New UAC Value: 0xB8  User Account Control:     'Temp Duplicate Account' - Enabled    'Workstation Trust Account' - Enabled    'Don't Require Preauth' - Disabled    'Undefined UserAccountControl Bit 19' - Disabled    'Undefined UserAccountControl Bit 20' - Disabled  User Parameters: <value not set>  Sid History: -  Logon Hours: <value changed, but not displayed>

 

2010/06/02 08:52:01.646 CDT %NIC-1-919010: domain3:ENVISION-AS1 stamp=Jun 02 08:50:05 type=1601 level=4 niccategory=99 event_category=9999999999 addr=y.y.y.y deviceclass=SYSTEM msg_id=608023 view_id=e138ca21-74be-4abb-a891-79f30e499c58 view_name=NIC_View device_id=326bd243-69f2-4ebf-a40d-d19f7308b267 lp=x.x.x.x:5367:4176285452 status=0 coreid=ve138ca21-74be-4abb-a891-79f30e499c58_c1998_NIC_ALERTER_201006020852010004 ipmatch=0 ip_addr_1= ip_count_1=0 ip_addr_2= ip_count_2=0 ip_addr_3= ip_count_3=0 device_type=100 source_ipr= destin_ipr= msg=%NIC-5-608023: Alerter, Alerter, -, -, -, -, Detail: 2732: 1129 Requesting view=Windows Alerts to reset

 

Matt

0 Likes
Reply
1 Reply
RSAAdmin
Beginner
Beginner
‎2010-06-16 10:14 PM

Matt,

 

That sounds right...the alerter isn't processing the events while it is restarting the thread for that view.

 

Paul

 

 

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.