Notification Methods

When a rule triggers an alert, ESA can send a notification in the following ways:

  • Email
  • Syslog
  • Script

Note: ESA SNMP notifications are not supported for NetWitness 11.3 and later.

Email Notifications

ESA Correlation can send notifications to users through email about various system events.

To configure these email notifications, you need to:

  • Configure the SMTP email server as an output provider. For instructions, see "Configure the Email Settings as Notification Server" in the System Configuration Guide.
  • Set up an email account to receive notifications. For instructions, see "Configure Email as a Notification" in the System Configuration Guide.
  • Configure a template for email notification. For instructions, see "Configure Global Notifications Templates" in the System Configuration Guide.

Syslog

Event Stream Analysis can send events and consolidate logs in Syslog format to a Syslog server.

To configure these Syslog notifications, you need to:

  • Configure Syslog server settings as an output provider. For instructions, see "Configure a Syslog Notification Server" in the System Configuration Guide.
  • Configure Syslog message format as an output action. For instructions, see "Configure Syslog as a Notification" in the System Configuration Guide.
  • Configure a template for Syslog. For instructions, see "Configure Global Notifications Templates" in the System Configuration Guide.

Script Alerter

Apart from sending alert notifications, ESA also allows users to run scripts in response to ESA alerts.

Scripts enable you to build custom integrations with applications that already exist in your environment. For example, if you want to open an incident ticket in an application when a specific alert is triggered, Script Alerter lets you write a script that calls the application's API and have ESA invoke that script whenever the corresponding ESA rule fires. You can configure a FreeMarker template to define which details to extract from the output of the ESA rule and pass them as command-line arguments to the script.

To use Script Alerter, you need to:

  • Configure the user identity and other details that are required to execute the script. For instructions, see "Configure Script as a Notification Server" in the System Configuration Guide.
  • Define the Script. For instructions, see "Configure Script as a Notification" in the System Configuration Guide.
  • Configure a template for the script. For instructions, see "Configure Global Notifications Templates" in the System Configuration Guide.
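The following script shows what the target of a Script Alerter integration can look like once the three steps above are done. It is an added illustration, not NetWitness code and not part of this guide: the positional argument order (rule name, severity, source IP, summary), the TICKET_API_URL environment variable and the ticketing API's JSON shape are all assumptions standing in for whatever your FreeMarker template and ticketing system actually use. Because the argument values are extracted from event data by the template, the script treats them as untrusted text: it sanitizes and length-limits each field and builds the API request with a JSON library rather than string interpolation or a shell.

```python
#!/usr/bin/env python3
"""Hypothetical Script Alerter target: open an incident ticket from an ESA alert.

Assumed contract (not from the guide): the ESA FreeMarker template passes four
positional command-line arguments in this order:
    <rule_name> <severity> <source_ip> <summary>
"""
import json
import os
import sys
import urllib.request

TICKET_URL_ENV = "TICKET_API_URL"   # hypothetical env var set on the ESA host
ARG_NAMES = ("rule_name", "severity", "source_ip", "summary")
MAX_FIELD_LEN = 2000                # cap each field so a noisy event cannot bloat the ticket

# Assumed mapping from ESA rule severity to the ticketing system's priority scale.
SEVERITY_TO_PRIORITY = {"critical": "P1", "high": "P2", "medium": "P3", "low": "P4"}


def parse_alert_args(argv):
    """Map positional arguments to named fields and sanitize each value.

    Values come from event data via the template, so they are untrusted:
    non-printable characters (including control bytes and newlines) are
    dropped and every field is truncated to MAX_FIELD_LEN.
    """
    if len(argv) != len(ARG_NAMES):
        raise ValueError(f"expected {len(ARG_NAMES)} arguments, got {len(argv)}")
    fields = {}
    for name, raw in zip(ARG_NAMES, argv):
        cleaned = "".join(ch for ch in raw if ch.isprintable())
        fields[name] = cleaned[:MAX_FIELD_LEN]
    return fields


def build_ticket(fields):
    """Build the JSON body for the (hypothetical) ticketing API."""
    priority = SEVERITY_TO_PRIORITY.get(fields["severity"].lower(), "P4")
    return {
        "title": f"[ESA] {fields['rule_name']}",
        "priority": priority,
        "description": f"Source: {fields['source_ip']}\n{fields['summary']}",
        "labels": ["netwitness-esa", "auto-created"],
    }


def submit_ticket(ticket, url):
    """POST the ticket as JSON. Returns the HTTP status code."""
    body = json.dumps(ticket).encode("utf-8")
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def main(argv):
    fields = parse_alert_args(argv)
    ticket = build_ticket(fields)
    url = os.environ.get(TICKET_URL_ENV)
    if not url:
        # No API configured: print the payload so the hook can be dry-run
        # from the command line before wiring it into ESA.
        print(json.dumps(ticket, indent=2))
        return 0
    status = submit_ticket(ticket, url)
    return 0 if 200 <= status < 300 else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Running it without TICKET_API_URL set prints the ticket that would be created, which is a convenient way to verify that the template is passing the fields you expect in the order the script assumes; the exit code is what ESA sees, so a failed API call is reported as a non-zero exit rather than silently swallowed.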