Critical System Protection

  • 1.  CSP Event severity help

    Posted Nov 04, 2009 09:42 AM
    Hello I am in need of some help. I have the info below. I am in need of a explination on where this is setup and where it can be manipulated. We are discovering events and getting much chatter. We changed it to just critical but we want to know what is critical i see the numbers but more specific than that etc. i hope this makes sense coudl really use the help



    Rule severity: Select the severity number from the following range of rule severity numbers:
    ■ Info: Events with a severity of 0-19 contain information about normal system operation.
    ■ Notice: Events with a severity of 20-39 contain information about normal system operation.
    ■ Warning: Events with a severity of 40-59 indicate unexpected activity or problems that have already been handled by Symantec Critical System Protection.
    ■ Major: Events with a severity of 60-79 imply more impact than Warning and less impact than Critical.
    ■ Critical: Events with a severity of 80-99 indicate activity or problems that might require administrator intervention to correct.




  • 2.  RE: CSP Event severity help

    Posted Nov 29, 2009 07:47 AM
    Hi,
    These numbers are to be used when creating a detection policy, for example "Windows Template".
    You create a new Detection policy, choose the settings that are right for you (file watch, registry watch, etc.), give it a severity number, for example 90, then save and apply.
    Then you can go and make an SMTP alert with a filter to show you only the Detection alerts with a critical severity; this will trigger an e-mail for that specific event.
    Hope this helps.
    Regards.


  • 3.  RE: CSP Event severity help

    Broadcom Employee
    Posted Dec 09, 2009 03:27 PM
    You mention events creating a lot of chatter. One option you also have is the bulk log utility. Please see the admin guide for more detail, but essentially this allows you to offload the types of events that are being sent to the CSP database and send them to flat files on the CSP managers for archiving instead. Very useful for data that needs to be recorded but that you do not want taking up space within your database.

    You can also build custom real-time monitors (under the Monitors section) to present you with only the data you want to see. You can specify any or multiple values for all of the major fields in the CSP database. For example, show events where OS = Windows 2003 Server, severity = critical and type = file change. More detail is in the Admin Guide.
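To show how the severity bands quoted in post 1 and the monitor filter described in post 3 fit together, here is an added Python example; it is not from this thread or from Symantec's product, and the event fields and sample records are constructed assumptions, not CSP's real schema or output.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Severity bands as quoted from the CSP documentation in post 1 (inclusive ranges).
SEVERITY_BANDS = [(0, 19, "Info"), (20, 39, "Notice"), (40, 59, "Warning"),
                  (60, 79, "Major"), (80, 99, "Critical")]


def severity_level(severity: int) -> Optional[str]:
    """Map a numeric rule severity to its CSP level name; None if outside 0-99."""
    for low, high, name in SEVERITY_BANDS:
        if low <= severity <= high:
            return name
    return None


@dataclass(frozen=True)
class Event:
    """Constructed event record; field names are assumptions, not CSP's schema."""
    os: str
    severity: int
    event_type: str
    rule: str


def filter_events(events: Iterable[Event], os: Optional[str] = None,
                  level: Optional[str] = None,
                  event_type: Optional[str] = None) -> List[Event]:
    """Keep events matching every criterion given (an unset criterion matches all).
    Mirrors the monitor filter from post 3: OS, severity level and event type."""
    kept = []
    for e in events:
        if os is not None and e.os != os:
            continue
        if level is not None and severity_level(e.severity) != level:
            continue
        if event_type is not None and e.event_type != event_type:
            continue
        kept.append(e)
    return kept


# Constructed sample events, not real CSP output.
SAMPLE_EVENTS = [
    Event("Windows 2003 Server", 90, "File Change", "Watch system32"),
    Event("Windows 2003 Server", 79, "File Change", "Watch temp"),   # Major, not Critical
    Event("Windows 2003 Server", 85, "Registry Change", "Watch Run key"),
    Event("Solaris 10", 95, "File Change", "Watch /etc"),
]
```

Note that 79 falls in Major and 80 in Critical, so a policy given severity 79 never reaches a filter set to "critical"; pick the policy's severity number with the band boundaries in mind.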