We are on 10.6.5 and had similar issues with ESM, where we didnt receive alerts when events sources stopped sending. We also had an issue that general alarms would not clear for health and wellness. we've been told that it is fixed in 10.6.6 but I wonder if anyone can confirm.
We've not upgraded as I implemented my own ESA Rules as a workaround. Here is an example for Windows Events not received within 2 hours.
========
CREATE CONTEXT ContextEveryMin_event_computer_mswindows INITIATED @now AND PATTERN [every timer:at(0, *, *, *, *)] TERMINATED AFTER 1 min;
@RSAPersist(serialization=Serialization.JSON)
@Hint("reclaim_group_aged=86400")
create window Window_mswindows_event_computer.std:unique(event_computer,device_type).win:time(5 days) (event_computer string,device_type string, last_timestamp long);
ON Event(
event_computer IS NOT NULL
and device_type is 'winevent_nic'
and parse_error IS NULL
AND isOneOfIgnoreCase(alert,{ 'critical event source group' })
and medium = 32
)
AS myevent
merge Window_mswindows_event_computer myWindow_mswindows_event_computer
where myWindow_mswindows_event_computer.event_computer.toLowerCase()=myevent.event_computer.toLowerCase()
AND myWindow_mswindows_event_computer.device_type.toLowerCase()=myevent.device_type.toLowerCase()
when matched
then update set last_timestamp = myevent.esa_time
when not matched
then insert
select event_computer.toLowerCase() AS event_computer,
device_type.toLowerCase() AS device_type,
myevent.esa_time AS last_timestamp;
@Name('event_computer Log Not Received within 2 hours')
@RSAAlert(oneInSeconds=0)
CONTEXT ContextEveryMin_event_computer_mswindows
SELECT
Window_mswindows_event_computer.event_computer AS event_computer,
Window_mswindows_event_computer.device_type AS device_type,
Window_mswindows_event_computer.last_timestamp AS last_timestamp
FROM Window_mswindows_event_computer
WHERE
(current_timestamp() - Window_mswindows_event_computer.last_timestamp) > 1000 * 3600 *2
AND (event_computer.toLowerCase() LIKE '%mycompany.co.uk')
GROUP BY event_computer,device_type
output snapshot WHEN TERMINATED;
========
You wont be able to use this out of the box, as it looks for Event Sources where we tag them with "Critical Event Source" using an app rule or feed. But the logic is sound. You will just need to modify for your environment.
It basically created a named window for each Windows event source and populates the value with when it was last seen. Then every minute it checks for those system where an event was not seen in over 1000*3600*2 milliseconds = 2 hours.
You then get an alert, that contains all windows devices that haven't generated an event in the last 2 hours.
