HOW TO CREATE AN ALERT ON A WINDOWS ENVIRONMENT

Article:HOWTO75061  |  Created: 2012-04-12  |  Updated: 2012-10-29  |  Article URL http://www.symantec.com/docs/HOWTO75061
Article Type
How To



In this example, we will set up an Alert to monitor the SCSP Agent communication with the SCSP Management Server.  

The following applications are to be installed prior to configuring the Alert:
·         Microsoft Exchange Server with Outlook Express
·         SCSP Management console
·         SCSP Agent
On the SCSP Management Console:
 
1.       Configure the windows_baseline_detection policy [NOTE: When working with a freshly copied policy the following should be configured by default]
 
How to configure the windows_baseline_detection policy:
                     i.            Go to: “Detection View” Tab > “Policies” Tab > “Windows_Baseline_Detection” policy
                    ii.            Right click and copy the “Windows_Baseline_Detection” policy
                  iii.            Move the policy to a “Test Policies” Group
                  iv.            Rename the policy
                   v.            Right click and go to “Edit Policy”
                  vi.            Drill down to “System Login Activity and Access Monitor” and confirm it is enabled
                vii.            Drill down to “System Failed Login Monitor” and confirm it is enabled
               viii.            Drill down to “By Admin to Desktop” and confirm it is enabled
                  ix.            Apply this windows_baseline_detection policy to the agent
 
2.       Configure the Agent Health Setting
 
How to configure the Agent Health:
                     i.            Go to: “Detection View” Tab > “Assets” Tab > “Windows”
                    ii.            Find the SCSP Agent on the right pane
                  iii.            Right click and go to “Properties”
                  iv.            Under the “General” Tab click the button called “Configure Health”
                   v.            In the “Agent Health Settings” window, configure the “Health Timeouts” to the desired time
                  vi.            Enable all the health events and click “OK”
                vii.            Click “Apply”
               viii.            Click “OK”
 
3.       Test the policy by stopping and starting the SCSP Agent IDS services
4.       Confirm that the event was generated: Click “Monitors” and look for an “Event Type” called “Communications”
 
 
 
5.       Configure the Alert
 
How to configure the Alert:
                     i.            Go to: “Detection View” Tab > “Alerts” Tab
                    ii.            Under “Tasks:” Click “New Alert”
In the “New Alert” window:
                  iii.            Click on the “General” Tab
                  iv.            Give the Alert a meaningful name
                   v.            Click on the “Filters” Tab
                  vi.            Select the filters to trigger the alert:
a.        In this example we will use:
                                                                           i.      Event Type Equals Communications
                                                                          ii.      Operation Equals AGENT HEALTH CHANGE
                                                                        iii.      Agent Name Equals jess-charley
 
 
 
                vii.            Click on the “Email” Tab
               viii.            Click Add
a.        In this example we will use:
                                                                           i.      To: administrator@jess.mail.lab
                                                                          ii.      Subject: Test - Checking the Agent Health
                                                                        iii.      Body: {EVENT_TYPE_D}{AGENTTYPE_D}{OPERATION_D}
                  ix.            Click “Save”
                   x.            Click “Apply”
                  xi.            Click “OK”
 
6.       Configure Alert Settings:
 
How to configure the Alert Settings:
                     i.            Go to: “Detection View” Tab > “Alerts” Tab
                    ii.            Under “Alerts:” Click “Settings”
                  iii.            Go to the “Email Settings” and set the SMTP Server to the IP address of the Exchange Server
a.        In the example we will use:
                                                                           i.      SMTP Server: 10.130.8.198
                  iv.            Click “Save”
 
7.       Test the Alert: Stop and Start the SCSP Agent IDS services
8.       Confirm that the event was generated: Click “Monitors” and look for an “Event Type” called “Communications”
9.       Check the Exchange Server for Email Alert
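
If no email arrives in step 9, the following added example (not part of the original article or of SCSP) checks from the Management Server whether the SMTP server set in step 6 accepts mail for the alert recipient. It assumes plain SMTP on port 25 without authentication; the function names and the sender address are hypothetical.

```powershell
# Added example. Server and recipient are the article's example values;
# the sender address is an assumption made for this test.
function Read-SmtpReply {
    param([System.IO.StreamReader]$Reader)
    # An SMTP reply can span several lines: "250-..." continues, "250 ..." ends it.
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw 'Connection closed by server' }
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return $lines
}

function Test-SmtpRecipient {
    param(
        [string]$Server,
        [string]$Recipient,
        [string]$Sender,
        [int]$Port = 25
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
        $stream = $client.GetStream()
        $stream.ReadTimeout = 10000   # fail after 10 s instead of hanging
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true

        # Record the final line of each reply: greeting first, then one per command.
        $results = @()
        $results += [pscustomobject]@{ Step = 'banner'; Reply = @(Read-SmtpReply $reader)[-1] }
        foreach ($cmd in "EHLO $env:COMPUTERNAME", "MAIL FROM:<$Sender>", "RCPT TO:<$Recipient>", 'QUIT') {
            $writer.WriteLine($cmd)
            $results += [pscustomobject]@{ Step = $cmd; Reply = @(Read-SmtpReply $reader)[-1] }
        }
        return $results
    }
    finally { $client.Close() }
}

# No message is sent: the session ends with QUIT before DATA.
Test-SmtpRecipient -Server '10.130.8.198' -Recipient 'administrator@jess.mail.lab' `
    -Sender 'scsp-test@jess.mail.lab' | Format-Table -AutoSize
```

A 2xx reply to RCPT TO means the server accepts mail for that recipient from this host; a 4xx or 5xx reply, or a connection error, points to the mail server or network path rather than the alert filters.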
