2015-10-07 09:15 AM
I am trying to figure out how to accomplish the following using event source monitoring policies:
Let's say that we have two SSL VPN clusters, for example, where at any given moment one of the nodes is the primary (logging a lot and frequently) and the second one is the secondary (logging hardly anything). Based on my understanding, if I were to group these two event sources and create a policy that alerts if the event sources in this group do not log anything in a 30 minute interval, then I would get an alert for the secondary if it was quiet even if the primary still kept logging (and no alert for the primary). Have I understood this correctly? If yes, then how can I configure such event sources so that I would get an alert if that group in combination did not log anything in, say, 30 min? I.e. I would only want to see an alert if both of those nodes were quiet for 30 minutes, not if one of them keeps logging (because it is acting as the primary node) and the other stops logging (because it is acting as the secondary node). Put yet another way, I want to make sure that at least one of the nodes in a cluster is sending logs, but I do not really care which node does the sending. In this case I would therefore only want to base my alerting rule on the event source type (device.type) and not care about the IP address (example: "Alert if no logs are received from device.type = 'junipervpn' in 30 minutes").
And also, how can I configure the policy so that I do not care what the event source type is for a given event source IP address? As an example, I could have three different event source types from a Blue Coat ProxySG ('cacheflowelff' for the access logs, 'ciscorouter' for the system logs (of course wrongly parsed in that case), and last 'unknown' for events that are not parsed). In any case I would have received a log message from the device, but as I think the event source monitoring module treats different event source types from a single IP address as separate event sources (as it would with a host that is generating both Windows operating system logs and Exchange Server logs), I would get an alert if I do not receive 'cacheflowelff' logs in a 30 minute interval even if I was receiving 'unknown' logs. I.e. in some cases I would simply say that I want to monitor whether I am receiving logs within a time period of x from this IP address regardless of the event source type (or device.type) value in those logs.
Is this kind of behavior possible in SA 10.5.0.2?
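The grouping question in the post comes down to which key a "no logs in N minutes" check is evaluated on. The added example below is not Security Analytics code and does not use its policy engine; it is a stand-alone model of a silence check over a constructed feed of (timestamp, IP, device.type) tuples. It runs the same check with four different keys: per event source (IP plus type, which is how the post assumes the monitoring module behaves), per device.type (the VPN cluster case), per IP (the ProxySG case), and a combined policy that groups 'junipervpn' sources into one cluster and everything else by IP. The IP addresses, timestamps and the 'windows' type are constructed; the other device.type values are the ones named in the post.

```python
"""Model of an event-source silence check evaluated on different grouping keys.

Added example, not RSA Security Analytics code.  All IPs, timestamps and the
'windows' device type are constructed for the illustration.
"""
from datetime import datetime, timedelta

# "Now" for the check and the silence window the post talks about.
NOW = datetime(2015, 10, 7, 9, 15)
WINDOW = timedelta(minutes=30)

# Constructed feed: (timestamp, source IP, device.type).
EVENTS = [
    (datetime(2015, 10, 7, 9, 0),  "10.0.0.1", "junipervpn"),     # VPN primary, chatty
    (datetime(2015, 10, 7, 9, 10), "10.0.0.1", "junipervpn"),
    (datetime(2015, 10, 7, 8, 0),  "10.0.0.2", "junipervpn"),     # VPN secondary, quiet
    (datetime(2015, 10, 7, 8, 20), "10.0.0.3", "cacheflowelff"),  # ProxySG access log
    (datetime(2015, 10, 7, 8, 30), "10.0.0.3", "ciscorouter"),    # ProxySG syslog, mis-parsed
    (datetime(2015, 10, 7, 9, 12), "10.0.0.3", "unknown"),        # ProxySG, unparsed but alive
    (datetime(2015, 10, 7, 7, 0),  "10.0.0.4", "windows"),        # host that really went silent
]


# Grouping keys.  Each takes (ip, device_type) and returns the key on which
# the silence window is evaluated.
def key_per_source(ip, dtype):
    """One event source per (IP, type) pair: the behaviour the post assumes."""
    return (ip, dtype)


def key_per_type(ip, dtype):
    """All sources of one device.type share a key: the VPN cluster case."""
    return dtype


def key_per_ip(ip, dtype):
    """All types from one IP share a key: the ProxySG case."""
    return ip


def key_by_policy(ip, dtype):
    """Combined policy: the VPN nodes form one cluster, everything else is
    tracked by IP regardless of how its logs were parsed."""
    if dtype == "junipervpn":
        return "junipervpn-cluster"
    return ip


def silent_keys(events, key_fn, now=NOW, window=WINDOW):
    """Return the sorted keys whose most recent event is older than `window`.

    A key is only known if it has logged at least once in `events`, which
    mirrors a monitor that learns its sources from the feed.
    """
    last_seen = {}
    for ts, ip, dtype in events:
        key = key_fn(ip, dtype)
        if key not in last_seen or ts > last_seen[key]:
            last_seen[key] = ts
    cutoff = now - window
    return sorted(key for key, ts in last_seen.items() if ts < cutoff)


if __name__ == "__main__":
    for name, fn in [("per source", key_per_source), ("per type", key_per_type),
                     ("per IP", key_per_ip), ("by policy", key_by_policy)]:
        print(f"{name:10s} -> silent: {silent_keys(EVENTS, fn)}")
```

Run as a script, the per-source view flags the VPN secondary and the two stale ProxySG types even though both devices are demonstrably alive; the per-type view clears the VPN cluster but still flags the ProxySG, and the per-IP view does the opposite. Only the combined policy reduces the alerts to the one host that actually stopped sending, which is the behaviour the post is asking whether the product can express.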