RSA Admin

Issues setting up a Correlation Rule.

Discussion created by RSA Admin Employee on Aug 12, 2010

Hi.

I'm trying to create a correlation rule fed on some events from NIC System. My goal is to create a rule from other Correlation Rules, but I've tried to simplify it.
My steps are: I create a generic rule with device group NIC_ALL and a filter in Event Selection. Then I create a view. When I try to start the view, it keeps showing 'Error in view'.
The Event Viewer says:
6 2010/08/12 10:00:09.390 CEST  172.23.14.5 %NIC-5-608027: Alerter, Alerter, -, -, -, -, Detail: 5208: 729 view=VW_621 stopped.
5 2010/08/12 10:00:08.390 CEST  172.23.14.5 %NIC-4-608025: Alerter, Alerter, -, -, -, -, Detail: 5208: 9496 view=VW_621 error no devices configured.
4 2010/08/12 10:00:08.390 CEST  172.23.14.5 %NIC-5-608026: Alerter, Alerter, -, -, -, -, Detail: 5208: 1678 view=VW_621 started.
3 2010/08/12 10:00:03.546 CEST  172.23.14.5 %NIC-5-608024: Alerter, Alerter, -, -, -, -, Detail: 5208: 1620 view=VW_621 initialized.
2 2010/08/12 10:00:03.530 CEST  172.23.14.5 %NIC-4-608028: Alerter, Alerter, -, -, -, -, Detail: 5208: 12305 view=VW_621 device group=NIC_ALL not found.
1 2010/08/12 10:00:02.280 CEST  172.23.14.5 %NIC-5-608020: Alerter, Alerter, -, -, -, -, Detail: 5208: 1142 Requesting view=VW_621 to start

I've tried the following:
 - Set up a mask in the Value field of Event Selection in the Statement definition.
 - Set up the filter into [CONTENT] of Set Filter of the Statement with IN or REGEX.
 - Remove all filters (I know it's not wise to trigger a correlation rule on the Event 919010, but it was just a test).
 - I've tried to restart all services through NIC Service Manager service.
 - I've tried changing the device group of the Device Selection of the Correlation Statement to a custom dynamic device group of all NIC System.

Also I've read the thread "Correlation against the output of other correlation rules" that seems to be similar.

BTW, it's an LS enVision. Version: enVision v4.0 SP 3 Build: 0311

I would really appreciate it if you could help. I have run out of ideas.

Pedro.
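
The Alerter lines quoted in the post already contain the diagnosis: the view is requested, the Alerter warns that device group NIC_ALL was not found, the view initializes and starts anyway, then fails with "no devices configured" and stops. The following parser, added here as an example and not part of the post or of RSA enVision, reads lines in that Event Viewer layout, rebuilds the timeline per view (the viewer lists newest first), and reports the final state together with every warning and any device group the Alerter could not resolve. It assumes the %NIC-<severity>-<msgid> tag follows the syslog convention (4 = warning, 5 = notice); the two numbers after "Detail:" are captured but not interpreted, since the post does not say what they mean. The sample input is the six lines from the post, embedded as a constructed string.

```python
import re

# Constructed sample input: the six Alerter lines quoted in the post, in the
# newest-first order the enVision Event Viewer shows them.
SAMPLE_LOG = """\
6 2010/08/12 10:00:09.390 CEST  172.23.14.5 %NIC-5-608027: Alerter, Alerter, -, -, -, -, Detail: 5208: 729 view=VW_621 stopped.
5 2010/08/12 10:00:08.390 CEST  172.23.14.5 %NIC-4-608025: Alerter, Alerter, -, -, -, -, Detail: 5208: 9496 view=VW_621 error no devices configured.
4 2010/08/12 10:00:08.390 CEST  172.23.14.5 %NIC-5-608026: Alerter, Alerter, -, -, -, -, Detail: 5208: 1678 view=VW_621 started.
3 2010/08/12 10:00:03.546 CEST  172.23.14.5 %NIC-5-608024: Alerter, Alerter, -, -, -, -, Detail: 5208: 1620 view=VW_621 initialized.
2 2010/08/12 10:00:03.530 CEST  172.23.14.5 %NIC-4-608028: Alerter, Alerter, -, -, -, -, Detail: 5208: 12305 view=VW_621 device group=NIC_ALL not found.
1 2010/08/12 10:00:02.280 CEST  172.23.14.5 %NIC-5-608020: Alerter, Alerter, -, -, -, -, Detail: 5208: 1142 Requesting view=VW_621 to start
"""

# One Event Viewer line: sequence number, timestamp and zone, source IP,
# %NIC-<severity>-<msgid> tag, comma-separated header fields, then
# "Detail: <n1>: <n2> <message>". n1/n2 are captured, not interpreted (assumption).
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+"
    r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>\S+)\s+"
    r"(?P<host>\S+)\s+"
    r"%NIC-(?P<sev>\d)-(?P<msgid>\d+):\s+"
    r"(?P<hdr>.*?)Detail:\s+(?P<n1>\d+):\s+(?P<n2>\d+)\s+(?P<msg>.*)$"
)
VIEW_RE = re.compile(r"view=(\w+)")
GROUP_RE = re.compile(r"device group=(\S+) not found")

# Syslog-style severities (assumption): 4 = warning, 5 = notice.
WARNING_OR_WORSE = 4


def parse_line(line):
    """Parse one Event Viewer line; return a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["seq"] = int(ev["seq"])
    ev["sev"] = int(ev["sev"])
    ev["hdr"] = ev["hdr"].rstrip(", ")
    vm = VIEW_RE.search(ev["msg"])
    ev["view"] = vm.group(1) if vm else None
    gm = GROUP_RE.search(ev["msg"])
    ev["missing_group"] = gm.group(1) if gm else None
    return ev


def view_timelines(log_text):
    """Group parsed events by view name, ordered oldest first by sequence number."""
    timelines = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["view"]:
            timelines.setdefault(ev["view"], []).append(ev)
    for evs in timelines.values():
        evs.sort(key=lambda e: e["seq"])
    return timelines


def diagnose(log_text):
    """For each view: final state word, warnings in chronological order,
    device groups reported as not found, and the earliest warning as root cause."""
    report = {}
    for view, evs in view_timelines(log_text).items():
        warnings = [e["msg"] for e in evs if e["sev"] <= WARNING_OR_WORSE]
        missing = [e["missing_group"] for e in evs if e["missing_group"]]
        # The last message ends in the state word: "stopped.", "started.", ...
        state = evs[-1]["msg"].rstrip(".").split()[-1]
        report[view] = {
            "state": state,
            "warnings": warnings,
            "missing_groups": missing,
            "root_cause": warnings[0] if warnings else None,
        }
    return report


if __name__ == "__main__":
    for view, r in diagnose(SAMPLE_LOG).items():
        print(f"{view}: {r['state']}; root cause: {r['root_cause']}")
        for w in r["warnings"]:
            print(f"  warning: {w}")
```

Run against the sample, the report for VW_621 ends in state "stopped" with NIC_ALL listed as a missing device group and the 608028 "device group=NIC_ALL not found" warning as the root cause; the later "no devices configured" error is a consequence of it, which is why changing filters or restarting services in the steps above does not change the outcome.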
