RSA Admin

Create correlated alert from Cisco router message

Discussion created by RSA Admin Employee on Dec 8, 2010

When I see this message:


IP-EIGRP(0) 17231: Neighbor (Tunnel51) is down: holding time expired


and if


IP-EIGRP(0) 17231: Neighbor (Tunnel51) is up: new adjacency


does not appear within 2 minutes - I want to generate an alert.


I can't even get the first circuit to fire, i.e. just alert if it sees the first message.

I'm not sure what to put in the filter:

In the report for the same thing this works fine:


Message LIKE '%Neighbor%% is down%'

But this doesn't work in the alert.


Do I use regex?


In events message view the following regex works: Neighbor*.* down


but it doesn't appear to work in an alert




Thanks in anticipation
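The correlation described in the post (a "down" with no matching "up" within 2 minutes), as an added example that is not part of the original post and is not the product's alert-rule syntax. The timestamp and host prefix on each line, the host `rtr1`, the second interface `Tunnel52` and the function name are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

# Matches both EIGRP adjacency messages quoted above. The interface is captured
# so that a "down" is only cleared by an "up" on the same tunnel.
EIGRP = re.compile(r"Neighbor\s+(?:\S+\s+)?\((?P<intf>[^)]+)\) is (?P<state>down|up):")
WINDOW = timedelta(minutes=2)

# Constructed sample input: "<ISO timestamp> <host> <message>" (assumed layout).
SAMPLE = [
    "2010-12-08T10:00:00 rtr1 IP-EIGRP(0) 17231: Neighbor (Tunnel51) is down: holding time expired",
    "2010-12-08T10:00:40 rtr1 IP-EIGRP(0) 17231: Neighbor (Tunnel51) is up: new adjacency",
    "2010-12-08T10:05:00 rtr1 IP-EIGRP(0) 17231: Neighbor (Tunnel52) is down: holding time expired",
    "2010-12-08T10:08:30 rtr1 IP-EIGRP(0) 17231: Neighbor (Tunnel52) is up: new adjacency",
    "2010-12-08T10:09:00 rtr1 IP-EIGRP(0) 17231: Neighbor (Tunnel51) is down: holding time expired",
]

def find_unrecovered(lines, now):
    """Return (host, intf, down_time) for every 'down' not followed by 'up' within WINDOW."""
    pending = {}  # (host, intf) -> time of the outstanding 'down'
    alerts = []
    for line in lines:
        ts_text, host, msg = line.split(" ", 2)
        m = EIGRP.search(msg)
        if not m:
            continue
        ts = datetime.fromisoformat(ts_text)
        key = (host, m["intf"])
        down_at = pending.get(key)
        # A late 'up' (or a later 'down') still means the window was missed.
        if down_at is not None and ts - down_at > WINDOW:
            alerts.append((host, m["intf"], down_at))
            del pending[key]
        if m["state"] == "down":
            pending.setdefault(key, ts)  # keep the first 'down' of a flapping run
        else:
            pending.pop(key, None)
    # Anything still down at 'now' for longer than the window also alerts.
    for (host, intf), down_at in pending.items():
        if now - down_at > WINDOW:
            alerts.append((host, intf, down_at))
    return alerts

if __name__ == "__main__":
    for host, intf, down_at in find_unrecovered(SAMPLE, datetime(2010, 12, 8, 10, 12)):
        print(f"ALERT {host} {intf}: down since {down_at}, no adjacency within {WINDOW}")
```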