RSA Admin

Need help with alerting for monitored devices not sending logs...with a catch.

Discussion created by RSA Admin Employee on Aug 21, 2008
Latest reply on Aug 22, 2008 by RSA Admin

We have a somewhat unusual (maybe not) situation here. We want to generate an alert any time we have not received any events from a monitored device after a given time period...let's say 1 hour.  We have done a bunch of work to create some custom alerts to do this by message type (so we will know if we are only missing certain events from a multi-device). The problem is, a big chunk of our monitored devices, which are WinXP,  are routinely powered off when not being used so we don't want to alert in that scenario. 


I am looking for a way to alert us if one of these devices is online (not powered down) AND we have not received any events in our predefined time period (1 hour). Pinging the hosts would be a good indication they are online. Also there would be a shutdown event PRIOR to the absence of received events for the one hour threshold.


Has anyone here faced and come up with a solution for this scenario? Any creative ideas?


Thanks! 
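One way to express the check described in that post, as an added example that is not from the original thread or from RSA's product: a host is alert-worthy only when it answers ping and has been silent past the threshold, and it goes slightly beyond the post by flagging separately a host that answers ping although its last event was a shutdown (a running host should have logged a startup by then). Host names, timestamps and the ping results are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample feed: (timestamp, host, message_type). In practice these
# would come from the collector's per-device last-seen table.
EVENTS = [
    (datetime(2008, 8, 21, 9, 58), "xp-01", "logon"),
    (datetime(2008, 8, 21, 8, 5), "xp-02", "logon"),
    (datetime(2008, 8, 21, 8, 30), "xp-02", "shutdown"),
    (datetime(2008, 8, 21, 8, 10), "xp-03", "logon"),
    (datetime(2008, 8, 21, 8, 40), "xp-03", "shutdown"),
    (datetime(2008, 8, 21, 8, 20), "xp-04", "logon"),
]
# Constructed result of a ping sweep run at check time.
REACHABLE = {"xp-01", "xp-03", "xp-04"}
NOW = datetime(2008, 8, 21, 10, 0)
THRESHOLD = timedelta(hours=1)


def silent_host_alerts(events, reachable, now, threshold=THRESHOLD):
    """Return {host: reason} for hosts that answer ping but have sent nothing
    within `threshold`. Unreachable hosts (powered off) are ignored. A host
    whose newest event is a shutdown is excused only while it stays
    unreachable; if it answers ping it is reported, since a host that is
    back up should have logged a startup and later events."""
    last_event = {}  # host -> (timestamp, message_type) of the newest event
    for ts, host, kind in events:
        if host not in last_event or ts > last_event[host][0]:
            last_event[host] = (ts, kind)

    alerts = {}
    for host, (ts, kind) in last_event.items():
        if now - ts < threshold or host not in reachable:
            continue  # still talking, or powered down as expected
        if kind == "shutdown":
            alerts[host] = "up after shutdown, no startup or later events"
        else:
            alerts[host] = "up but silent for %s" % (now - ts)
    return alerts


if __name__ == "__main__":
    for host, reason in sorted(silent_host_alerts(EVENTS, REACHABLE, NOW).items()):
        print("ALERT %s: %s" % (host, reason))
```

A host that has never reported at all will not appear in the feed, so the last-seen table should be seeded from the monitored-device list rather than built only from received events.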
