
Event Source Monitoring Parser

Question asked by Grif Garcia on Jan 30, 2017
Latest reply on Feb 1, 2017 by Eric Partington

Has anyone developed a parser for the syslog Notifications from the Event Source / Monitoring Policies?  I have been able to identify the log as an 'unknown' device type from the log collector and then generate an alert. Thanks.


Jan 30 15:22:20 localhost CEF:0|RSA|Security Analytics Event Source Monitoring|10.6.1.0| LowThresholdAlert|ThresholdViolated|1|cat=All Windows Event Source(s)|Devices| src=qtc,app007p.prod.ds.russell.com^winevent_nic^Manual|src=qtc,app085t.prod.ds.russell.com^winevent_nic^Manual|src=qtc,app093pb.prod.ds.russell.com^winevent_nic^Manual|src=qtc,app196t.prod.ds.russell.com^winevent_nic^Manual|src=qtc,app364da.prod.ds.russell.com^winevent_nic^Manual|src=qtc,app364pb.prod.ds.russell.com^winevent_nic^Manual|src=qtc,app409u.prod.ds.russell.com^winevent_nic^Manual|src=qtc,app421p.prod.ds.russell.com^winevent_nic^Manual|src=qtc,app427d.prod.ds.russell.com^winevent_nic^Manual|src=qtc,app447ua.prod.ds.russell.com^winevent_nic^Manual|src=qtc,app448p.prod.ds.russell.com^winevent_nic^Manual|src=qtc,app460u.prod.ds.russell.com^winevent_nic^Manual|src=qtc,db059pa.prod.ds.russell.com^winevent_nic^Manual|src=qtc,db059pb.prod.ds.russell.com^winevent_nic^Manual|src=qtc,web055p.extranet.russell.com^winevent_nic^Manual|src=qtc,web093t.prod.ds.russell.com^winevent_nic^Manual|src=qtc,web450ua.prod.ds.russell.com^winevent_nic^Manual|
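As an added illustration (not code from the question or from RSA), here is a small Python parser for a syslog notification shaped like the one above. The message is CEF-like, but with two quirks the standard CEF key=value grammar does not cover: the extension part is delimited by `|` rather than spaces, and `src=` is repeated once per affected event source, with `^`-separated sub-fields. The sample below is constructed to mirror that structure with placeholder hostnames, and the meaning assigned to the sub-fields (collector, hostname, event source type, collection method) is an assumption drawn from the visible values, not documented RSA behaviour. Anything the parser cannot classify is kept as a bare token rather than dropped, so nothing in the notification is silently lost.

```python
"""Parse an Event Source Monitoring CEF-style syslog notification (added example)."""
import re

# Standard CEF header fields, in order, after the leading "CEF:<version>".
HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")

# Constructed sample mirroring the message in the question; hostnames are placeholders.
SAMPLE = (
    "Jan 30 15:22:20 localhost CEF:0|RSA|Security Analytics Event Source Monitoring|10.6.1.0|"
    " LowThresholdAlert|ThresholdViolated|1|cat=All Windows Event Source(s)|Devices|"
    " src=qtc,app001p.example.com^winevent_nic^Manual|src=qtc,db002pa.example.com^winevent_nic^Manual|"
    "src=qtc,web003t.example.com^winevent_nic^Manual|"
)

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<cef>CEF:.*)$")


def split_unescaped(text, sep):
    r"""Split on sep while honouring CEF backslash escapes (\| and \\)."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # escaped character: keep it literally
            cur.append(text[i + 1])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_source(value):
    """Split 'collector,host^type^method' into named fields.

    The field meaning is an assumption based on the sample values, not RSA documentation.
    """
    if "," in value:
        collector, host_part = value.split(",", 1)
    else:
        collector, host_part = None, value
    fields = host_part.split("^")
    return {
        "collector": collector,
        "host": fields[0],
        "event_source_type": fields[1] if len(fields) > 1 else None,
        "collection_method": fields[2] if len(fields) > 2 else None,
    }


def parse_cef(line):
    """Return a dict with syslog envelope, CEF header, extension keys and parsed sources."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line carrying a CEF message")
    parts = split_unescaped(m.group("cef"), "|")
    if len(parts) < 8 or not parts[0].startswith("CEF:"):
        raise ValueError("malformed CEF header")
    header = dict(zip(HEADER_FIELDS, (p.strip() for p in parts[:7])))
    header["version"] = header["version"][len("CEF:"):]
    if header["severity"].isdigit():          # numeric severity is handy for alert thresholds
        header["severity"] = int(header["severity"])

    extension, bare_tokens = {}, []
    for tok in parts[7:]:
        tok = tok.strip()
        if not tok:                            # trailing "|" yields an empty token
            continue
        if "=" in tok:
            key, val = tok.split("=", 1)
            extension.setdefault(key.strip(), []).append(val.strip())  # repeated keys collect
        else:
            bare_tokens.append(tok)            # e.g. "Devices": kept, not discarded

    return {
        "syslog": {"timestamp": m.group("ts"), "host": m.group("host")},
        "header": header,
        "extension": extension,
        "bare_tokens": bare_tokens,
        "sources": [parse_source(v) for v in extension.get("src", [])],
    }


def affected_hosts(event):
    """Sorted list of hostnames named in the notification's src fields."""
    return sorted({s["host"] for s in event["sources"]})


if __name__ == "__main__":
    ev = parse_cef(SAMPLE)
    print(ev["header"]["signature_id"], ev["header"]["name"], "severity", ev["header"]["severity"])
    for host in affected_hosts(ev):
        print("  affected:", host)
```

Once the message is broken down this way, an alert can key on `signature_id`/`name` and fan out one ticket or enrichment lookup per entry in `sources`, instead of treating the whole multi-host line as a single opaque event from an "unknown" device type.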
