It's also possible that this rule definition might need to be tweaked. Is it the same event which is triggering (basically the same message repeating) or multiple events? Would you be able to share some event data so that I could take a look (scrub your information of course)?
Looking at the message ID in the sample data, it looks like your ISS vulnerability scanner is recording that the logging is disabled in your Cisco device. Obviously, I would recommend that you confirm that is indeed the current configuration of your Cisco device. If that's the case and you want to leave the logging disabled on your Cisco devices, I would suggest two possible remedies:
1. (Preferred) Configure your vulnerability scanner to not check this configuration setting on the specific Cisco devices. That way the vulnerability scanner will not continue to report this to enVision and set off alarms.
2. Make a copy of CRL-00107 and remove the specific message IDs (or the entire statement) which looks for the ISS scanner messages. I don't recommend this option because if we update the rule to reflect updated device XMLs, you will not automatically see those updates.
Hope this helps.
Thanks for the advice, Daniel.
The strange thing is the addresses it's referring to are actually Windows servers.
That's very strange. I'm curious if you look at the output from your ISS scanner, what type of device does it think that system is?