Using alerts on a reporting server with Symantec AntiVirus 10.1 and Symantec Client Security 3.1

Article:TECH101785  |  Created: 2006-01-30  |  Updated: 2007-01-02  |  Article URL http://www.symantec.com/docs/TECH101785
Article Type: Technical Solution


Issue



You run Symantec AntiVirus 10.1 or Symantec Client Security 3.1. You install Reporting Server. You want to know how to create and use alerts.


Solution



About alerts
Alerts are notifications about events happening in your security network. You can configure notifications to be sent when an event occurs. The notification can be an email to an administrator. You can also send the alert notification to the reporting database to be logged in the alert log. You can specify that a batch file runs when the alert occurs.

The alerts list shows the alerts that have been sent for events in your security network. You can filter the list to make viewing the alerts easier.

The following table describes the types of alert configurations.



| Alert configuration type | Description |
|---|---|
| Virus outbreak | Sends notifications that are based on the number of overall viruses that are found within a given time period. |
| Outbreak on a single computer | Sends notifications when a set number of viruses is found on a single computer. |
| Outbreak by # of computers | Sends notifications when a set number of computers have detected viruses. |
| Single virus event | Sends notifications when viruses are found on a single computer. |
| Find new viruses | Sends notifications when new viruses are found. |
| New report available | Sends notifications at the start of a new day, month, or year. Email notifications include a link to the full risk report. |
| Virus definitions out of date | Sends notifications when virus definitions are out of date for a set number of computers. |


To configure an alert
  1. Start Symantec System Center.
  2. In the left pane, expand Reporting, and then expand Reporting Servers.
  3. Click your reporting server.
  4. Type your reporting user name and password, and then click Login.
  5. On the Alerts tab, click Alert Configuration.
  6. Under What type of alert would you like to manage, in the Alert type drop-down list, select the type of alert that you want to configure.
  7. Click Create Alert.
  8. Under What filter settings would you like to use, set the filters for the events that trigger this alert notification.
    Some filters are not available depending on the type of notification you selected.
  9. Under What settings would you like for this alert, do one of the following:
    • In the Alert condition text box, enter the number of occurrences of the security event, and then enter the number of minutes within which those occurrences must happen to trigger the notification.
    • If you created a New report available alert, in the Alert condition drop-down list, select the type of report that triggers the alert (daily, monthly, or yearly report).
  10. Under What should happen when this alert is triggered, check Write alert to database to log the notification to the alerts log.
    This option is not available for the Single virus event or New report available alert types.
  11. Check Execute configured batch file to run the batch file you specify on the Agent Configuration page.
  12. In the Send e-mail to these addresses text box, type the email addresses to which the notification should be sent. Separate each entry with a comma.
  13. Next to Hyperlink to, select Report or Event list.
  14. Click Save.


Examples
The following example shows how to create an alert for a Virus Outbreak, defined as three virus detections within five minutes. This example writes the alert to the database and then sends an email notification.


Note: These settings may not be appropriate for your environment, depending on the number of computers in your server group.



To create the example virus outbreak alert
  1. Start Symantec System Center.
  2. In the left pane, expand Reporting, and then expand Reporting Servers.
  3. Click your reporting server.
  4. Type your reporting user name and password, and then click Login.
  5. In the Alert type drop-down list, click Virus outbreak.
  6. Click Create Alert.
  7. Next to Alert condition, in the occurrences box, type 3
  8. Check Write alert to database.
  9. Check Send email to: and then type the email address that you want to receive the notification.
  10. Click Save.
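
The following added example (not Symantec code and not part of the original article) shows how an "occurrences within minutes" alert condition behaves for the three outbreak alert types when they are run over the same detections. The event format, the names evaluate and parse, the sliding time window, and the rule that an alert fires once and re-arms when the condition clears are assumptions made for illustration; the product's internal logic is not documented here.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample detections (not product output): time, computer, virus name.
EVENTS = [
    ("2006-01-30 09:00:00", "PC-01", "Example.A"),
    ("2006-01-30 09:02:00", "PC-02", "Example.A"),
    ("2006-01-30 09:04:30", "PC-01", "Example.B"),
    ("2006-01-30 09:20:00", "PC-03", "Example.A"),
    ("2006-01-30 09:21:00", "PC-03", "Example.A"),
    ("2006-01-30 09:22:00", "PC-03", "Example.C"),
]

def parse(events):
    """Turn (text timestamp, computer, virus) rows into time-ordered tuples."""
    fmt = "%Y-%m-%d %H:%M:%S"
    return sorted((datetime.strptime(ts, fmt), pc, virus) for ts, pc, virus in events)

def evaluate(events, occurrences, minutes, mode):
    """Return the times (HH:MM:SS) at which the alert condition becomes true.

    mode 'overall'      -> Virus outbreak (all detections in the window)
    mode 'per_computer' -> Outbreak on a single computer (detections per computer)
    mode 'computers'    -> Outbreak by # of computers (distinct computers)
    """
    window = timedelta(minutes=minutes)
    recent = deque()   # detections that fall inside the sliding window
    active = set()     # conditions already alerted on and not yet cleared
    fired = []
    for event in parse(events):
        recent.append(event)
        while event[0] - recent[0][0] > window:
            recent.popleft()   # drop detections older than the window
        if mode == "overall":
            value, key = len(recent), None
        elif mode == "per_computer":
            value, key = sum(1 for e in recent if e[1] == event[1]), event[1]
        elif mode == "computers":
            value, key = len({e[1] for e in recent}), None
        else:
            raise ValueError("unknown mode: " + mode)
        if value >= occurrences:
            if key not in active:      # alert once per continuous condition
                fired.append(event[0].strftime("%H:%M:%S"))
                active.add(key)
        else:
            active.discard(key)        # condition cleared, so re-arm the alert
    return fired
```

With the example setting of three occurrences in five minutes, the Virus outbreak condition is met twice on this data, the single-computer condition once, and the by-number-of-computers condition not at all, which is why the note above recommends sizing the thresholds to your server group.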

To view and acknowledge unacknowledged alerts
  1. Start Symantec System Center.
  2. In the left pane, expand Reporting, and then expand Reporting Servers.
  3. Click your reporting server.
  4. Type your reporting user name and password, and then click Login.
  5. Click Home.
  6. Look in the lower left pane for unacknowledged alerts. For example, you may see the message "2 unacknowledged alerts in the last 24 hours."
  7. Click the unacknowledged alerts hyperlink.
    All events that triggered an alert appear under Alert Events. The most recent events appear first in the list.
  8. Click the blue arrow next to an alert to view more details.
  9. Click the red X to close the Alert Detail Information window.
  10. Click the red icon next to an alert to acknowledge the alert.

To view the alert events log
  1. Start Symantec System Center.
  2. In the left pane, expand Reporting, and then expand Reporting Servers.
  3. Click your reporting server.
  4. Type your reporting user name and password, and then click Login.
  5. On the Alerts tab, click Alert Events.
  6. Do one of the following:
    • Select an existing filter from the Use saved filter drop-down list.
    • Click Advanced Settings to create a new filter for the log.
  7. If you selected Advanced Settings, make any changes to the filtering options.
  8. If you want to save the filter settings, click Save Filter.
  9. If you want to save the filter settings to a new configuration name, in the Name text box, type a new configuration name.
    A message appears that the filter is saved, and the filter is listed in the Use saved filter drop-down list.
  10. Click View Alerts.




References
For more information about using alerts, read the Reporting User's Guide (Report.pdf) in the Docs folder of the installation CD.





Legacy ID: 2006033014325048

