
ESA Rule not working

Question asked by Sean Koniarz on Jul 17, 2018
Latest reply on Jul 17, 2018 by Sean Koniarz

I am attempting to get this alert working to detect when a client site's VLC stops sending logs or something just goes wrong.

The rule is similar to the 'no log traffic found from device' rule. I have the time set very low currently for testing, but the alert never seems to want to populate. I am clearly doing something wrong, or lc_cid is not actually passed to ESA.

/*
Version: 3
*/

module logcollectordown;


@Name('logcollectordown')
@RSAAlert(oneInSeconds=0)

SELECT * FROM pattern
[every a = Event(
(lc_cid.toLowerCase() IN ('devicename')) and medium = 32)
-> (timer:interval(60 seconds) and not Event((lc_cid.toLowerCase() = a.lc_cid.toLowerCase()) and medium = 32))];
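To show what this pattern actually fires on, here is an added Python model of the rule's semantics (not ESA or Esper code, and not part of the original post): every matching medium-32 event opens its own instance of the pattern, and that instance fires after 60 seconds unless another medium-32 event from the same collector arrives first. The timeline, collector ids and the "othercollector" name are constructed for the example.

```python
from dataclasses import dataclass

INTERVAL_SECONDS = 60.0              # timer:interval(60 seconds) in the rule
WATCHED_COLLECTORS = {"devicename"}  # the IN ('devicename') list, lower-cased


@dataclass
class Event:
    time: float   # seconds since replay start (constructed timeline)
    lc_cid: str   # log collector id, compared case-insensitively as in the rule
    medium: int   # the rule only matches medium = 32


def run_pattern(events, watched=WATCHED_COLLECTORS, interval=INTERVAL_SECONDS, end_time=None):
    """Replay a time-ordered stream and return (fire_time, collector) tuples.

    Mirrors `every a = Event(filter) -> (timer:interval(N) and not Event(same lc_cid, medium 32))`:
    each matching event opens a pattern instance that fires N seconds later unless a
    medium-32 event from the same collector arrives first, which cancels that instance
    (and, because of `every`, opens a fresh one).
    """
    pending = []   # (deadline, collector) for each open pattern instance
    alerts = []
    for ev in sorted(events, key=lambda e: e.time):
        # Instances whose deadline passed before this event arrived have fired.
        alerts += [(d, c) for d, c in pending if d <= ev.time]
        pending = [(d, c) for d, c in pending if d > ev.time]
        if ev.medium != 32:
            continue   # non-log events are invisible to both halves of the pattern
        cid = ev.lc_cid.lower()
        pending = [(d, c) for d, c in pending if c != cid]  # `not Event(...)` fails: cancel
        if cid in watched:
            pending.append((ev.time + interval, cid))
    if end_time is not None:   # instances still open when the replay ends
        alerts += [(d, c) for d, c in pending if d <= end_time]
    return alerts


def sample_events():
    """Constructed stream: DeviceName goes quiet twice; other traffic must not reset it."""
    return [
        Event(0, "DeviceName", 32),
        Event(10, "othercollector", 32),  # not in the watched list: opens nothing
        Event(30, "DeviceName", 32),
        Event(50, "DeviceName", 32),      # last log before the first gap
        Event(100, "DeviceName", 1),      # same collector, non-log medium: does not reset
        Event(200, "DeviceName", 32),     # collector returns, then goes quiet for good
    ]


if __name__ == "__main__":
    for fire_time, collector in run_pattern(sample_events(), end_time=300):
        print(f"t={fire_time:.0f}s: no logs from {collector} for {INTERVAL_SECONDS:.0f}s")
```

With the constructed stream the model fires at t=110 and t=260; under steady traffic every instance is cancelled before its deadline, so no alert ever appears, which is the behaviour to check for when the rule is silent.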
