Lost Logs or Events
I need a rule (ESA rule) or anything that can do the trick to monitor if an event source has stopped sending logs.
Yesterday Apache and the firewall stopped sending events and logs for 3 hours and we did not notice, because no alert was triggered.
Is there a way to monitor that with an alert or something like it? I could create a dashboard (which we already have) or open the alarms in the Event Source, but if we are occupied analysing an incident or doing something else we cannot tell what's going on, like yesterday...
You should be using the Event Source Monitoring feature (doc linked below) to monitor your event sources. You can group them by policy and set thresholds per group.
Senior Practice Consultant | RSA
I have configured the monitor policies:
But it didn't work... and receiving an alert, as we have the alerts going to our phone, can give us a better look.
Do you think Event Source Monitoring would work better than an alert?
Hello Naushad Kasu,
I put Apache in Unix
and created a new table for the firewalls
But for example, in the Apache pic, the one that has the event source 127.0.0.1 is not sending logs at the moment and I'm not receiving any emails or alerts about that.
I'll mention that you should not be using the Settings tab in Health & Wellness; that is a deprecated feature to my knowledge, and you should only be using Admin -> Event Sources to manage your policies.
Can you go to Admin -> Health & Wellness -> Event Source Monitoring and see if your sources are listed there with any idle times?
One of the issues with Event Source Monitoring is that if you already have an idle device and then you add policies, it will not trigger, because there was no triggering event to be alarmed on, e.g. was logging -> now not logging.
One of the features you can leverage if you do not have too many event sources (because it's intensive on system resources) is under Admin -> Event Sources -> Settings: we have a dynamic policy that baselines all of your event sources and alerts you if they fall outside an established threshold.
Essentially, whether you go with the automatic monitoring (under Admin -> Event Sources -> Settings) or manually build your policies, you should first and foremost ensure that your events are logging currently; then the policies will be reputable.
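To make the two points in the reply above concrete (per-group idle thresholds, and the fact that a source which was already silent when the policy was created produces no "was logging -> now not logging" transition), here is an added, stand-alone idle-source detector. It is example code written for this thread, not NetWitness/ESM code, and the source names (apache-web01, fw-edge01, 127.0.0.1), the policy groups and the log lines are all constructed for the illustration. It deliberately reports a policy source that has never sent anything, so that the "already idle" case is caught rather than silently skipped.

```python
"""Idle event-source detector: flags sources whose newest event is older than
their group's threshold, including sources that have sent nothing at all."""
from datetime import datetime, timedelta

# Constructed sample feed (not real data): "timestamp source message" per line.
SAMPLE_EVENTS = """\
2019-03-12T10:00:05 apache-web01 GET /index.html 200
2019-03-12T10:02:10 fw-edge01 DENY tcp 10.1.1.5:51234 -> 8.8.8.8:53
2019-03-12T10:04:00 apache-web01 GET /login 302
2019-03-12T10:05:30 fw-edge01 ALLOW tcp 10.1.1.7:44312 -> 10.2.0.9:443
2019-03-12T10:20:00 fw-edge01 DENY udp 10.1.1.9:1234 -> 1.1.1.1:53
"""

# Hypothetical policy groups: which sources belong to each group and the
# maximum idle time tolerated before an alert is raised for that group.
# 127.0.0.1 is listed in the policy but never appears in the feed.
POLICIES = {
    "Unix": {"sources": ["apache-web01", "127.0.0.1"],
             "max_idle": timedelta(minutes=15)},
    "Firewalls": {"sources": ["fw-edge01"],
                  "max_idle": timedelta(minutes=10)},
}


def last_seen(feed):
    """Return {source: datetime of its newest event} parsed from the feed."""
    seen = {}
    for line in feed.splitlines():
        if not line.strip():
            continue
        ts, source, _message = line.split(" ", 2)
        when = datetime.fromisoformat(ts)
        if source not in seen or when > seen[source]:
            seen[source] = when
    return seen


def idle_sources(feed, policies, now):
    """Return [(group, source, idle_minutes)] for every policy source whose
    newest event is older than its group's threshold, evaluated at `now`.

    A source with no events at all is reported with idle_minutes=None: there
    was no transition from logging to not-logging, but it is still missing,
    which is exactly the case a transition-based alarm would never raise."""
    seen = last_seen(feed)
    alerts = []
    for group, policy in policies.items():
        for source in policy["sources"]:
            if source not in seen:
                alerts.append((group, source, None))
                continue
            idle = now - seen[source]
            if idle > policy["max_idle"]:
                alerts.append((group, source, int(idle.total_seconds() // 60)))
    return alerts


def check_at(now_iso):
    """Convenience wrapper: evaluate the sample feed and policies at a given
    ISO-8601 wall-clock time (string), as a scheduled job would."""
    return idle_sources(SAMPLE_EVENTS, POLICIES, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    # At 10:30 apache-web01 has been silent 26 min (> 15), 127.0.0.1 has
    # never logged, and fw-edge01 is at exactly 10 min (not yet over 10).
    for group, source, idle in check_at("2019-03-12T10:30:00"):
        if idle is None:
            print(f"[{group}] {source}: no events received at all")
        else:
            print(f"[{group}] {source}: idle for {idle} min")
```

Run on a schedule against the last-seen times from your collector, this evaluates absolute idle age on every pass rather than waiting for a state change, so a device that was already down before the policy existed is reported on the first run. The threshold comparison is strict (`>`), so a source sitting exactly at its limit is not yet alerted; tune that per group to match how bursty each source normally is.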
I would not recommend BETA features as a workaround because the core ESM doesn't work properly.
In my case, this BETA feature was taking SMS, IM and RabbitMQ down with it, and was enabled by default. It took Support a total of nearly 6 months to figure out that they had to purge the contents of the tables that filled up with the statistics as the only solution to fix it (it's not called BETA for no reason). Not a great "feature".
This is what had to be done to clean up the mess: How to: Clean all the data from db table for Automatic Monitoring (BETA) 10.6 & 11. And because you delete the entries of the table, it completely defeats the purpose, as you would have to start from scratch on the baselining.
Push Support to sort ESM out so that it works properly as it should.
I agree, Marinos. In an environment with 1000s of event sources it's best to avoid the automatic monitoring and use ESM directly. I've seen it perform much better in v11, but there is still a lot of room for improvement for larger environments.