This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

RSA Live ESA Rule is not sending emails

OrnaldoNaqellar
Beginner
Beginner

‎2018-08-31 05:03 AM

Hello,

We have two RSA Live Rules: Detects Firewall Configuration Changes & Detects Router Configuration Attempts. The syntax is like below:

For Routers:

/*
Version: 3
*/

 

module Module_esa000069;

 


@Name('Module_esa000069_Alert')
@RSAAlert(oneInSeconds=0)

 

SELECT * FROM  
            Event(
                     medium = 32
                    AND
                    device_class = 'Router'                    
                    AND
                    (    
                        event_cat_name = 'Config.Changes'
                        OR
                        (ec_activity = 'Modify' AND ec_theme = 'Configuration')
                    )
                ).win:time_length_batch(200 seconds, 1) HAVING COUNT(*) = 1;

 

For Firewalls:

 

/*
Version: 3
*/

 

module Module_esa000069;

 


@Name('Module_esa000069_Alert')
@RSAAlert(oneInSeconds=0)

 

SELECT * FROM  
            Event(
                     medium = 32
                    AND
                    device_class = 'Firewall'                    
                    AND
                    (    
                        event_cat_name = 'Config.Changes'
                        OR
                        (ec_activity = 'Modify' AND ec_theme = 'Configuration')
                    )
                ).win:time_length_batch(300 seconds, 1) HAVING COUNT(*) = 1;

 

The problem is that we are not receiving any mail when an alert is happening. In the summary we can see that the event happened but there is no mail. In the /opt/rsa/esa/logs i found:

 

ERROR freemarker.runtime - Template processing error: "Expression highAlarmsCount is undefined on line 4, column 36 in esm_smtp.ftl."

 

Our esm_smtp.ftl. is attached. Please any idea ?

 

Thank You

esm_smtp.ftl.zip
0 Likes
3 REPLIES 3

JoshRandall
Valued Contributor Valued Contributor
Valued Contributor

‎2018-08-31 11:13 AM

That email template is intended for use with the Event Source Management (ESM) alerting function.  You want to use the ESA SMTP Template for your rules:

 

image004.jpg


Mr. Mongo

OrnaldoNaqellar
Beginner
Beginner
In response to JoshRandall

‎2018-08-31 11:26 AM

Yep, i just tried now. i performed a change in the fw and the mail was send. now i will wait to see with other changes. thank you

0 Likes

RenatoGoncalves
Beginner
Beginner

‎2018-11-19 04:28 AM

Im trying to follow this in 11.2 version and it still does not send emails.

 

But when i try with script it sends. Is there any problem with ESA emails between versions?

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.