Reporting Alert alertInterval

Discussion created by John Tyson on Apr 7, 2017
Latest reply on May 2, 2017 by John Kisner

Designed an SMTP reporting alert to send an email whenever a specific log message was ingested.

The rule basically said msg.id = '%C4K_CHASSIS-3-MUXBUFFERREADSUPERVISORSELECTIONFAILED', which indicates that a 48-port card was down. The network team would get an email and get to work on it.

When setting up the alert, there were 2 options: "execute once" or "execute each event". Execute once was selected in the alert, but this is a little misleading. The alerts were being logged about every second, and it didn't send that many emails; however, we were receiving an email every minute.

Fortunately, this was a simple fix: by editing the "AlertInterval" located under 'reporting engine > explore > com.rsa.soc.re > alertConfiguration' from 1 to 10, we now receive emails only every 10 minutes.

Happy Hunting, hope this saves you some digging.
