RSA Admin

create correlated alert from cisco router message

Discussion created by RSA Admin Employee on Dec 8, 2010

When I see this message:

IP-EIGRP(0) 17231: Neighbor 172.1.13.12 (Tunnel51) is down: holding time expired

and if

IP-EIGRP(0) 17231: Neighbor 172.1.13.12 (Tunnel51) is up: new adjacency

does not appear within 2 minutes - I want to generate an alert.

I can't even get the first circuit to fire, i.e. just alert if it sees the first message.

I'm not sure what to put in the filter:

In the report for the same thing this works fine:

Message LIKE '%Neighbor%% is down%'

But this doesn't work in the alert.

Do I use regex?

In events message view the following regex works: Neighbor*.* down

but it doesn't appear to work in an alert
Thanks in anticipation
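As an added example (not code from the post or from RSA's enVision), here is the correlation the question asks for, implemented in Python over constructed log lines: alert when a neighbor's "is down" message is not followed by its "is up" message within two minutes. It assumes each line starts with an ISO-8601 timestamp and that lines arrive in time order; the enVision filter syntax itself is not addressed.

```python
import re
from datetime import datetime, timedelta
# Python regex for the two EIGRP adjacency messages quoted in the post (not enVision
# filter syntax): captures neighbor address, interface and the up/down state.
EIGRP_RE = re.compile(r"IP-EIGRP\(\d+\) \d+: Neighbor (?P<peer>\S+) \((?P<ifname>\S+)\) "
                      r"is (?P<state>down|up)")
HOLD = timedelta(minutes=2)  # the two-minute window from the question

def parse(line):
    """Split an assumed '<ISO timestamp> <message>' line; None unless it is an EIGRP event."""
    ts, _, msg = line.partition(" ")
    m = EIGRP_RE.search(msg)
    return (datetime.fromisoformat(ts), m["peer"], m["ifname"], m["state"]) if m else None

def correlate(lines, now=None):
    """Return (peer, ifname, down_time) for each 'down' not followed by 'up' within HOLD.
    Lines must be in time order; `now` (ISO string) closes windows still open at the end."""
    pending, alerts = {}, []  # pending: (peer, ifname) -> time of earliest unmatched 'down'

    def expire(at):  # fire every window that has run out as of time `at`
        for key, t_down in list(pending.items()):
            if at - t_down > HOLD:
                alerts.append((key[0], key[1], t_down))
                del pending[key]
    last = None
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # unrelated syslog line
        t, peer, ifname, state = ev
        last = t
        expire(t)  # settle older windows before handling this event
        if state == "down":
            pending.setdefault((peer, ifname), t)
        else:
            pending.pop((peer, ifname), None)  # 'up' arrived in time: no alert
    end = datetime.fromisoformat(now) if now else last
    if end is not None:
        expire(end)
    return alerts
# Constructed sample log: only the two quoted messages come from the post.
SAMPLE_LOG = [
    "2010-12-08T10:00:00 IP-EIGRP(0) 17231: Neighbor 172.1.13.12 (Tunnel51) is down: holding time expired",
    "2010-12-08T10:01:30 IP-EIGRP(0) 17231: Neighbor 172.1.13.12 (Tunnel51) is up: new adjacency",
    "2010-12-08T10:05:00 IP-EIGRP(0) 17231: Neighbor 172.1.13.13 (Tunnel52) is down: holding time expired",
    "2010-12-08T10:05:10 %SYS-5-CONFIG_I: Configured from console by vty0",
    "2010-12-08T10:09:00 IP-EIGRP(0) 17231: Neighbor 172.1.13.13 (Tunnel52) is up: new adjacency",
    "2010-12-08T10:10:00 IP-EIGRP(0) 17231: Neighbor 172.1.13.14 (Tunnel53) is down: holding time expired",
]
```

Running `correlate(SAMPLE_LOG)` reports only Tunnel52 (its "up" came four minutes later); passing `now="2010-12-08T10:13:00"` also reports Tunnel53, whose window has then closed with no "up" at all.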