Monitoring Policies Tab

The Monitoring Policies tab organizes thresholds by event source group.

To access this tab, go to Admin > Event Sources > Monitoring Policies.

Workflow

This workflow shows the overall process for configuring event sources.

[Workflow diagram: configuring event sources]

What do you want to do?

Role           I want to...                                          Documentation
Administrator  View and modify event sources.                        Managing Event Source Groups
Administrator  Acknowledge and map event sources.                    Acknowledging and Mapping Event Sources
Administrator  Add and configure parser mappings for a Log Decoder.  Manage Parser Mappings
Administrator  View event source alarms.                             Viewing Event Source Alarms
Administrator  *View Monitoring Policies.                            Monitoring Policies
Administrator  Troubleshoot event source management.                 ESM Troubleshooting & Appendix

*You can perform this task here.

Related Topics

Setting Up Notifications

Disabling Notifications

Quick Look

The Monitoring Policies tab consists of three panels:

  • Event Groups Panel
  • Thresholds Panel
  • Notifications Panel

This is an example of the Monitoring Policies tab.

[Screenshot: Monitoring Policies tab, with the three panels numbered]

1 Displays the Groups panel.
2 Displays the Thresholds panel.
3 Displays the Notifications panel.

Event Groups Panel

[Screenshot: Event Groups panel]

The group selected in this panel determines which thresholds appear in the Thresholds panel. You can define a set of thresholds for each event source group. The groups are listed in a specific order:

  • Drag and drop groups to change the order.
  • The higher a group is listed, the higher the precedence of that group's thresholds: NetWitness checks thresholds in the order shown in this panel, so your highest-priority groups should be at the top of the list.

Thresholds Panel

This is an example of the Thresholds panel for an event source group.

[Screenshot: Thresholds panel for an event source group]

The Thresholds panel contains the following features.

Enable

The Enable checkbox designates whether the thresholds that you define for a group are enabled. If it is selected, notifications are sent whenever the event count for that group falls outside the defined range. If it is not selected, the event source group is not monitored.

Note: If you configure a threshold and attempt to save the page without enabling it, you receive a confirmation message asking whether to enable the policy.

If you enable a policy but have not set any thresholds, you can still receive automatic (baseline) notifications, as long as automatic notifications are turned on.

See below for more details on the format of notifications.

Low number of events

Low number of minutes or hours

This is the low end of the threshold. Enter the minimum number of events and the time range. If the event source group receives fewer messages than specified here within that time range, the threshold is not met and notifications are sent.

High number of events

High number of minutes or hours

Works the same way as the low values: if more messages than specified here are received within the time range, the threshold is not met and notifications are sent.

Last Modified date and time

Indicates the date and time that the thresholds were last changed.

Save

Saves the changes you have made to the thresholds.
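The two behaviours described above, that groups are checked in the order they are listed in the Event Groups panel and that each enabled group carries a low and a high threshold expressed as an event count over a time window, can be seen in the following Python model. This is an added example, not NetWitness product code. It assumes that thresholds are evaluated per event source (as the device lists in the sample notifications further down suggest) and that when a source belongs to more than one group, the first listed group containing it decides which thresholds apply; the group names, addresses and timestamps are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Threshold:
    events: int   # number of events
    minutes: int  # length of the time window in minutes (hours -> minutes * 60)

@dataclass
class GroupPolicy:
    name: str
    members: Set[str]                  # event source addresses in this group
    enabled: bool = True               # the Enable checkbox on the Thresholds panel
    low: Optional[Threshold] = None    # alarm when fewer events than this arrive
    high: Optional[Threshold] = None   # alarm when more events than this arrive

# (group name, event source, "low" or "high", events counted in the window)
Alarm = Tuple[str, str, str, int]

def count_in_window(timestamps: List[int], now: int, minutes: int) -> int:
    """Events (epoch seconds) received in the last `minutes` minutes."""
    start = now - minutes * 60
    return sum(1 for t in timestamps if start < t <= now)

def evaluate(policies: List[GroupPolicy], events: Dict[str, List[int]], now: int) -> List[Alarm]:
    """Check every event source against the first listed group that contains it."""
    alarms: List[Alarm] = []
    for source, stamps in events.items():
        # Groups are checked in panel order; the first match decides (assumption).
        policy = next((p for p in policies if source in p.members), None)
        if policy is None or not policy.enabled:
            continue  # not in any group, or the group's policy is not enabled
        if policy.low is not None:
            n = count_in_window(stamps, now, policy.low.minutes)
            if n < policy.low.events:
                alarms.append((policy.name, source, "low", n))
        if policy.high is not None:
            n = count_in_window(stamps, now, policy.high.minutes)
            if n > policy.high.events:
                alarms.append((policy.name, source, "high", n))
    return alarms

# Constructed sample policies and event timestamps (not from a real deployment).
NOW = 24 * 3600
POLICIES = [
    GroupPolicy("PCI Event Source(s)", {"10.17.0.10", "10.17.0.13"},
                low=Threshold(10, 60), high=Threshold(500, 5)),
    GroupPolicy("All Cisco Firewalls", {"10.17.0.10", "10.17.0.3"},
                high=Threshold(50, 5)),
    GroupPolicy("Lab Devices", {"10.17.0.99"}, enabled=False, high=Threshold(1, 5)),
]
EVENTS = {
    "10.17.0.10": [NOW - i // 3 for i in range(600)],  # 600 events in about 3 minutes
    "10.17.0.13": [NOW - 100, NOW - 200],              # only 2 events in the last hour
    "10.17.0.3": [NOW - i for i in range(60)],         # 60 events in 1 minute
    "10.17.0.99": [NOW - i for i in range(30)],        # its group is not enabled
}

def sample_alarms() -> List[Alarm]:
    return evaluate(POLICIES, EVENTS, NOW)

def reversed_order_alarms() -> List[Alarm]:
    """Same data with the groups dragged into the opposite order."""
    return evaluate(list(reversed(POLICIES)), EVENTS, NOW)

if __name__ == "__main__":
    for group, source, kind, n in sample_alarms():
        print(f"{group}: {source} {kind} threshold, {n} events")
```

With the groups in the order shown, 10.17.0.10 is judged by the PCI group's high threshold of 500 events in 5 minutes; reversing the order makes the "All Cisco Firewalls" policy (50 events in 5 minutes) the one that applies to it, which is the practical effect of dragging a group higher in the Event Groups panel. The source in the disabled "Lab Devices" group never raises an alarm.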

Notifications Panel

This is an example of the Notifications panel for an event source group.

[Screenshot: Notifications panel for an event source group]

The following table describes the fields on the Notifications panel.

Tools (+ -)

The following items are available on the toolbar:

  • Add (+): clicking Add opens a menu where you can choose the type of notification.
  • Remove (-): removes the selected row from the list.

Notification Settings

Clicking this link opens a new browser tab and takes you to the Admin > System > Notifications page in NetWitness.

Type

Displays the type of notification that you have chosen. The available options are as follows:

  • Email
  • SNMP
  • Syslog

Notification

See the Configure Notification Outputs topic in the System Configuration Guide for more details.

Notification Server

See the Configure Notification Servers topic in the System Configuration Guide for more details.

Template

For Event Source Management, NetWitness provides three out-of-the-box templates for notifications. You can use the following templates as delivered, or customize them based on the needs of your organization:

  • Email template: sends notifications to the specified email addresses.
  • SNMP template: sends notifications to the specified SNMP server.
  • Syslog template: sends notifications to the specified Syslog server.

See the Configure Templates for Notifications topic in the System Configuration Guide for more details.

Output Suppression

Use this setting to limit how often notifications are sent for this policy, in case many alerts are triggered in a short period of time.

The following are sample notifications, based on the supplied templates.

[Screenshot: sample email notification for high and low thresholds]

  • Email:

    For email notifications, the third column, Alarm Type, specifies whether the triggered alarm was based on a user-defined threshold or on the baseline data being out of normal bounds. If you have automatic monitoring or notifications turned off, you will not receive any Automatic notifications. The same is true for Syslog and SNMP, except that those notifications are formatted differently.

  • SNMP trap:

    11-11-2015 11:57:33 Local7.Debug 127.0.0.1 community=public, enterprise=1.3.6.1.4.1.36807.1.20.1, uptime=104313, agent_ip=10.251.37.92, version=Ver2, 1.3.6.1.4.1.36807.1.20.1="NetWitness Event Source Monitoring Notification:
    Group: PCI Event Source(s)
    High Threshold:
    Greater than 500 events in 5 minutes
    10.17.0.10,ciscopix,Manual
    10.17.0.13,ciscopix,Manual
    10.17.0.8,ciscopix,Manual
    10.17.0.8,ciscopix,Automatic
    10.17.0.12,ciscopix,Manual
    10.17.0.5,ciscopix,Manual
    10.17.0.6,ciscopix,Manual
    10.17.0.4,ciscopix,Manual
    10.17.0.4,ciscopix,Automatic
    10.17.0.3,ciscopix,Manual"
    
  • Syslog sample:

    11-11-2015 11:57:33 User.Info 127.0.0.1 Nov 11 11:57:33 localhost CEF:0|RSA|NetWitness Event Source Monitoring|10.6.0.0.0| HighThresholdAlert|ThresholdExceeded|1|cat=PCI Event Source(s)|Devices| src=10.17.0.10,ciscopix,Manual|src=10.17.0.13,ciscopix,Manual|src=10.17.0.8,ciscopix,Manual|src=10.17.0.8,ciscopix,Automatic|src=10.17.0.12,ciscopix,Manual|src=10.17.0.5,ciscopix,Manual|src=10.17.0.6,ciscopix,Manual|src=10.17.0.4,ciscopix,Manual|src=10.17.0.4,ciscopix,Automatic|src=10.17.0.3,ciscopix,Manual|
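A SIEM or ticketing integration that consumes these notifications needs to pull the group, the threshold and the affected event sources back out of the text. The following Python parsers do that for the two samples above; they are an added example, not NetWitness code. They assume that the CEF extension is pipe-delimited with a repeated src= key and a bare "Devices" label, exactly as in the sample rather than standard space-delimited CEF, and that the third field of each device entry is the alarm type (Manual for a user threshold, Automatic for baseline monitoring). The sample strings are copied from this page; the low-threshold wording is not shown on the page, so the threshold regex only assumes the "N events in M minutes/hours" phrase.

```python
import re
from typing import Any, Dict, List

# The two notification samples from this page, as the receiving system would see them.
SYSLOG_SAMPLE = (
    "11-11-2015 11:57:33 User.Info 127.0.0.1 Nov 11 11:57:33 localhost CEF:0|RSA|"
    "NetWitness Event Source Monitoring|10.6.0.0.0| HighThresholdAlert|ThresholdExceeded|1|"
    "cat=PCI Event Source(s)|Devices| src=10.17.0.10,ciscopix,Manual|src=10.17.0.13,ciscopix,Manual|"
    "src=10.17.0.8,ciscopix,Manual|src=10.17.0.8,ciscopix,Automatic|src=10.17.0.12,ciscopix,Manual|"
    "src=10.17.0.5,ciscopix,Manual|src=10.17.0.6,ciscopix,Manual|src=10.17.0.4,ciscopix,Manual|"
    "src=10.17.0.4,ciscopix,Automatic|src=10.17.0.3,ciscopix,Manual|"
)
TRAP_SAMPLE = (
    "11-11-2015 11:57:33 Local7.Debug 127.0.0.1 community=public, "
    "enterprise=1.3.6.1.4.1.36807.1.20.1, uptime=104313, agent_ip=10.251.37.92, version=Ver2, "
    '1.3.6.1.4.1.36807.1.20.1="NetWitness Event Source Monitoring Notification:\n'
    "Group: PCI Event Source(s)\nHigh Threshold:\nGreater than 500 events in 5 minutes\n"
    "10.17.0.10,ciscopix,Manual\n10.17.0.13,ciscopix,Manual\n10.17.0.8,ciscopix,Manual\n"
    "10.17.0.8,ciscopix,Automatic\n10.17.0.12,ciscopix,Manual\n10.17.0.5,ciscopix,Manual\n"
    "10.17.0.6,ciscopix,Manual\n10.17.0.4,ciscopix,Manual\n10.17.0.4,ciscopix,Automatic\n"
    '10.17.0.3,ciscopix,Manual"'
)

CEF_HEADER = ("cef_version", "vendor", "product", "product_version",
              "signature_id", "name", "severity")
THRESHOLD_RE = re.compile(r"(\d+) events in (\d+) (minute|hour)s?")  # assumed phrasing

def parse_device(entry: str) -> Dict[str, str]:
    """'ip,parser,alarm_type' -> dict; missing trailing fields become ''."""
    parts = [p.strip() for p in entry.split(",")] + ["", ""]
    return {"ip": parts[0], "parser": parts[1], "alarm_type": parts[2]}

def parse_cef_notification(line: str) -> Dict[str, Any]:
    """Parse the Syslog (CEF) notification, including its pipe-delimited extension."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    # The sample contains no escaped pipes, so a plain split is sufficient here.
    fields = line[start + len("CEF:"):].split("|")
    if len(fields) < len(CEF_HEADER):
        raise ValueError("truncated CEF header")
    record: Dict[str, Any] = {k: v.strip() for k, v in zip(CEF_HEADER, fields)}
    record["severity"] = int(record["severity"])
    extensions: Dict[str, str] = {}
    devices: List[Dict[str, str]] = []
    for token in fields[len(CEF_HEADER):]:
        key, sep, value = token.strip().partition("=")
        if not sep:
            continue  # empty token from the trailing '|', or a bare label such as 'Devices'
        if key == "src":
            devices.append(parse_device(value))  # src= repeats once per event source
        else:
            extensions[key] = value
    record["group"] = extensions.get("cat", "")
    record["extensions"] = extensions
    record["devices"] = devices
    return record

def parse_trap_notification(line: str) -> Dict[str, Any]:
    """Parse the quoted multi-line text carried in the SNMP trap varbind."""
    m = re.search(r'="(.*)"\s*$', line, re.S)
    if not m:
        raise ValueError("no quoted notification text in trap")
    lines = [t.strip() for t in m.group(1).splitlines() if t.strip()]
    record: Dict[str, Any] = {"title": lines[0], "group": "", "threshold_kind": "",
                              "threshold": None, "devices": []}
    for text in lines[1:]:
        if text.startswith("Group:"):
            record["group"] = text[len("Group:"):].strip()
        elif text.endswith("Threshold:"):
            record["threshold_kind"] = text[:-1]
        elif THRESHOLD_RE.search(text):
            n, span, unit = THRESHOLD_RE.search(text).groups()
            record["threshold"] = {"events": int(n), "window": int(span), "unit": unit, "text": text}
        else:
            record["devices"].append(parse_device(text))
    return record

def baseline_sources(record: Dict[str, Any]) -> List[str]:
    """IPs whose entry was raised by automatic (baseline) monitoring."""
    return [d["ip"] for d in record["devices"] if d["alarm_type"] == "Automatic"]

if __name__ == "__main__":
    cef = parse_cef_notification(SYSLOG_SAMPLE)
    trap = parse_trap_notification(TRAP_SAMPLE)
    print(cef["group"], cef["signature_id"], len(cef["devices"]), baseline_sources(cef))
    print(trap["group"], trap["threshold_kind"], trap["threshold"]["text"], len(trap["devices"]))
```

Both parsers return the same ten devices in the same order for the two samples, which is a useful consistency check when the same policy feeds more than one notification type. Splitting out the Automatic entries separately lets a receiving system treat baseline deviations differently from user-threshold breaches, matching the Alarm Type distinction the email template makes.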