Ornaldo Naqellari

RSA Live ESA Rule is not sending emails

Discussion created by Ornaldo Naqellari on Aug 31, 2018
Latest reply on Aug 31, 2018 by Ornaldo Naqellari

Hello,

We have two RSA Live Rules: Detects Firewall Configuration Changes & Detects Router Configuration Attempts. The syntax is as follows:

For Routers:

/*
Version: 3
*/

module Module_esa000069;

@Name('Module_esa000069_Alert')
@RSAAlert(oneInSeconds=0)

SELECT * FROM
    Event(
        medium = 32
        AND
        device_class = 'Router'
        AND
        (
            event_cat_name = 'Config.Changes'
            OR
            (ec_activity = 'Modify' AND ec_theme = 'Configuration')
        )
    ).win:time_length_batch(200 seconds, 1) HAVING COUNT(*) = 1;

 

For Firewalls:

/*
Version: 3
*/

module Module_esa000069;

@Name('Module_esa000069_Alert')
@RSAAlert(oneInSeconds=0)

SELECT * FROM
    Event(
        medium = 32
        AND
        device_class = 'Firewall'
        AND
        (
            event_cat_name = 'Config.Changes'
            OR
            (ec_activity = 'Modify' AND ec_theme = 'Configuration')
        )
    ).win:time_length_batch(300 seconds, 1) HAVING COUNT(*) = 1;

 

The problem is that we are not receiving any mail when an alert happens. In the summary we can see that the event happened, but there is no mail. In /opt/rsa/esa/logs I found:

ERROR freemarker.runtime - Template processing error: "Expression highAlarmsCount is undefined on line 4, column 36 in esm_smtp.ftl."

Our esm_smtp.ftl is attached. Any ideas, please?

 

Thank You
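The failure described above (alerts fire, but the notification template fails to render) is only visible in the log, so it is worth monitoring for. The following is an added example, not part of the original post and not RSA code: it scans log lines for the FreeMarker error format quoted above and counts failed renders per template and expression. The timestamp prefix, the INFO line and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Matches the FreeMarker error text quoted in the post. Anything before
# "ERROR" (timestamp, thread name) is ignored because search() is used.
FTL_ERROR = re.compile(
    r'ERROR\s+freemarker\.runtime\s+-\s+Template processing error:\s+'
    r'"Expression (?P<expr>\S+) is undefined on line (?P<line>\d+), '
    r'column (?P<col>\d+) in (?P<template>[^\s"]+?)\.?"'
)

# Constructed sample input: the error text is the one from the post; the
# timestamp layout and the INFO line are assumptions made for this example.
SAMPLE_LOG = """\
2018-08-31 10:02:11,345 ERROR freemarker.runtime - Template processing error: "Expression highAlarmsCount is undefined on line 4, column 36 in esm_smtp.ftl."
2018-08-31 10:02:12,001 INFO  com.example.Notifier - notification queued
2018-08-31 10:07:11,402 ERROR freemarker.runtime - Template processing error: "Expression highAlarmsCount is undefined on line 4, column 36 in esm_smtp.ftl."
"""


def find_template_failures(lines):
    """Count undefined-expression errors per (template, expression, line, column)."""
    hits = Counter()
    for raw in lines:
        m = FTL_ERROR.search(raw)
        if m:
            key = (m["template"], m["expr"], int(m["line"]), int(m["col"]))
            hits[key] += 1
    return hits


def summarize(hits):
    """One human-readable row per distinct failure, most frequent first."""
    return [
        f"{tpl}: '{expr}' undefined at line {line}, column {col} ({n} failed renders)"
        for (tpl, expr, line, col), n in hits.most_common()
    ]


if __name__ == "__main__":
    for row in summarize(find_template_failures(SAMPLE_LOG.splitlines())):
        print(row)
```

A non-empty result means notifications that use the named template are failing to render, even though the alerts themselves still appear in the summary.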
