2018-11-29 05:50 PM
I can see that in Admin we have a tab for Event Sources and in Event Sources we have:
Discovery / Manage / Monitoring Policies / Alarms / Settings / Log Parser Rules
My question is:
Is it possible to create a policy to see an event source?
For example, in the Manage tab we have the Event Source, the Event Source Type, the Log Collector and the Log Decoder, like this table:

| Event Source | Event Source Type | Log Collector | Log Decoder |
|---|---|---|---|
| 125.1.2.5 | apache | Logdecoder1 | LogDecoder 1 |

I want to create an alarm that can tell me that the Event Source 125.1.2.5 in apache stopped sending logs or the quantity has diminished.
Is that possible? How?
2018-11-30 05:34 AM
Hi Renato,
Global notifications should already be set up.
Then you can go to Event Sources -> Manage and create a group based on your requirements, similar to the screenshot.
Then go to the Monitoring Policies tab and find the group you just created under Manage. Set the thresholds that you want and the type of alert (syslog, SMTP, etc.).
2018-11-30 06:18 AM
Also make sure to disable the BETA features from the last tab (Settings) that RSA have automatically enabled for 10.6 and 11 so that it doesn't affect other parts of the system.
If not, you may end up having to delete entire tables because RSA have not designed any mechanism to maintain the DB tables.