This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Event sources availability monitoring

Go to solution
RSAAdmin
Beginner
Beginner

‎2014-03-13 03:28 AM

Hello, guys,

 

There is a nice feature in envision to generate an message when the event source stops generating logs. There is a default message 508100 and a custom message 40029. You can setup that 40029 message with a special config: for example for one event source type to generate this message if no events come within 1 hour and for another device group to generate if no events come within 24 hours.

This is really good to monitor device availability.

I wonder is there anything like that in SA?

As I get it in 10.3 rsa put all the alerting/correlation in the paid ESA module - so I see no way of doing it automatically right now.

 

PS. You can find more info in the attached old-school 4.0 SP3 envision release notes.

Preview file
163 KB
0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
huanzhou1
Beginner
Beginner

‎2014-03-13 10:22 AM

go to Administration - System , event source monitoring, you can monitor the event sources accordingly, is this the function you need?

View solution in original post

16 REPLIES 16

Go to solution
huanzhou1
Beginner
Beginner

‎2014-03-13 10:22 AM

go to Administration - System , event source monitoring, you can monitor the event sources accordingly, is this the function you need?

Go to solution
RSAAdmin
Beginner
Beginner
In response to huanzhou1

‎2014-03-13 10:52 AM

Thanks! Will try, didn't notice there was such an easy way, hope it works

0 Likes

Go to solution
huanzhou1
Beginner
Beginner
In response to RSAAdmin

‎2014-03-13 10:59 AM

i found out when i was doing some project, the customer also requested the same. you can view the event sources status under log decoder status, then monitor accordingly, can send out email if you want.

0 Likes

Go to solution
Anonymous
Not applicable
In response to huanzhou1

‎2014-03-13 12:59 PM

Hi Patriot,

where we can see the device status? can you please tell us the path

like administration>Device>select decoder>

or if event source stop sending logs then can send out mail for that we have to configure email in system>email tab.

is that right ? or have any other way to configure email notification for event source monitoring?

0 Likes

Go to solution
Anonymous
Not applicable

‎2014-03-13 05:48 PM

So this seems to work if we reboot the box but say if the log decoder stops capturing but all other services are working we dont get notified. We loaded the RSA custom parser to parse its own messages and are going to attempt a ESA alert for this. If anyone has a better solution let me know.

 

See :

0 Likes

Go to solution
huanzhou1
Beginner
Beginner
In response to Anonymous

‎2014-03-13 09:38 PM

Devices -  select log decoder - stats , under Log Stats you can find all the event sources.

Go to solution
huanzhou1
Beginner
Beginner
In response to Anonymous

‎2014-03-13 09:40 PM

I think the function was monitored by jettysrv, i believe you can use snmp to monitor the processes.

0 Likes

Go to solution
Anonymous
Not applicable
In response to huanzhou1

‎2014-03-14 11:49 AM

I didnt event think about SNMP but maybe. Is there a mib? My issue is even if the service is running capture or consuming may be paused. Not sure how to monitor/alert on that just yet. If I get ESA working i'll post something on it.

0 Likes

Go to solution
huanzhou1
Beginner
Beginner
In response to Anonymous

‎2014-03-18 01:00 PM

it's default MIBs, check the /etc/snmp/snmpd.conf.

 

I used the syslog for the event source monitoring so i create an app rule for it to alert. Or you can use email.

© 2022 RSA Security LLC or its affiliates. All rights reserved.