This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Event sources availability monitoring

Go to solution
RSAAdmin
Beginner
Beginner

‎2014-03-13 03:28 AM

Hello, guys,

 

There is a nice feature in envision to generate an message when the event source stops generating logs. There is a default message 508100 and a custom message 40029. You can setup that 40029 message with a special config: for example for one event source type to generate this message if no events come within 1 hour and for another device group to generate if no events come within 24 hours.

This is really good to monitor device availability.

I wonder is there anything like that in SA?

As I get it in 10.3 rsa put all the alerting/correlation in the paid ESA module - so I see no way of doing it automatically right now.

 

PS. You can find more info in the attached old-school 4.0 SP3 envision release notes.

Preview file
163 KB
0 Likes
16 REPLIES 16

Go to solution
Anonymous
Not applicable
In response to huanzhou1

‎2014-03-18 01:03 PM

Ahh good point, thanks! I'll give that a shot

0 Likes

Go to solution
RSAAdmin
Beginner
Beginner

‎2014-03-19 03:16 AM

Does anyone know what message appears and where when a log decoder receives a message from new event source? Is it the same message if it's a multi-device (two event sources on one ip)?

It's good for new devices availability monitoring (especially syslog).

0 Likes

Go to solution
huanzhou1
Beginner
Beginner
In response to RSAAdmin

‎2014-03-19 10:44 PM

you can put different device types with same IP address.

 

For example this server:192.168.0.1 linux with apache, you can do like this:

apache 192.168.0.1  10mins

rhlinx 192.168.0.1  10mins

0 Likes

Go to solution
RSAAdmin
Beginner
Beginner
In response to huanzhou1

‎2014-07-09 09:19 AM

Do you have information if wildcards or regex is supported for Event Source Monitoring?

For example:

winevent_nic * 1 hour - to monitor all windows servers

* 192\.168.* 30 mins - to monitor all dmz devices

Go to solution
RSAAdmin
Beginner
Beginner
In response to RSAAdmin

‎2014-12-30 02:52 PM

Is there anyway to remove previous VLC logdecoders from the event source monitoring?

I'm getting lots of false positives from event sources that have moved to new VLC collectors.

0 Likes

Go to solution
Anonymous
Not applicable
In response to RSAAdmin

‎2015-01-05 09:05 AM

You probably need to clear out the logStats to do this, but I would check with RSA support before doing this - there's no way to selectively remove old devices AFAIK.

0 Likes

Go to solution
Anonymous
Not applicable
In response to huanzhou1

‎2015-01-16 10:05 AM

I can see the Event Source Monitoring in the SA console but do you know how to get report for Event Source availability?.I'm looking for a solution in V10.4. Thanks!!

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.