Critical System Protection

  • 1.  How to create alert in SCSP to monitor admin logon to console?

    Posted Jun 02, 2012 05:45 AM

    How to create alert in SCSP to monitor admin logon to console?

    The alert settings event filter cannot filter the audit event.

    Thank you.



  • 2.  RE: How to create alert in SCSP to monitor admin logon to console?

    Posted Jun 13, 2012 01:36 PM

    I don't think it's possible in SCSP to monitor admin login to the console. Maybe this option is available in an upcoming SCSP version.



  • 3.  RE: How to create alert in SCSP to monitor admin logon to console?

    Posted Jun 14, 2012 10:13 AM
    I also tried to configure such an alert but with no luck. It looks like this particular event type isn't available when setting alert criteria.


  • 4.  RE: How to create alert in SCSP to monitor admin logon to console?

    Posted Jun 14, 2012 07:34 PM

    Are you interested in being alerted each time someone fails to log in or each time someone successfully logs in?

    If you're interested in the failures, here is how to do it:

    Create a Detection policy with the File Watch category.  Enable the options shown in the screenshot:

    Leave the "Type of diff algorithm" as the default value (Text).

    In "List of patterns" add the following two entries:

    com.symantec.sis.common.auth.AuthenticationException: Invalid password

    com.symantec.sis.common.auth.AuthenticationException: Invalid user name

    In "List of Files to Watch" add the following entry:

    C:\Program Files (x86)\Symantec\Critical System Protection\Server\tomcat\logs\sis-console.0.log

    In mine, I only configured it to Record Event to SCSP Console, but you may use the Execute Command feature to send a notification email.

    If you are interested in being notified for successful logons, the sisconsole logging level will need to be increased to TRACE, which is a pretty verbose logging level.  If you're okay with that let me know and I'll look into what line is generated upon a successful login.
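
The File Watch approach from post 4, reproduced outside SCSP as an added example that is not part of the original thread and not Symantec code: a Python function that scans only newly appended lines of the console log for the two patterns. Only the two pattern strings and the log file name come from the post; the log line layout, function names and offset handling are assumptions.

```python
import os
import tempfile

# The two patterns come from the post; the sample log lines are constructed.
PATTERNS = (
    "com.symantec.sis.common.auth.AuthenticationException: Invalid password",
    "com.symantec.sis.common.auth.AuthenticationException: Invalid user name",
)

def scan_new_lines(path, offset=0):
    """Return (hits, new_offset) for complete lines appended since offset."""
    if os.path.getsize(path) < offset:
        offset = 0  # file shrank: log was rotated or truncated, start over
    with open(path, "rb") as fh:
        fh.seek(offset)
        data = fh.read()
    end = data.rfind(b"\n") + 1  # leave a half-written last line for next scan
    hits = []
    for raw in data[:end].splitlines():
        line = raw.decode("utf-8", errors="replace").strip()
        hits.extend((p, line) for p in PATTERNS if p in line)
    return hits, offset + end

def demo():
    """Run three scans over a constructed log and return the three hit lists."""
    path = os.path.join(tempfile.mkdtemp(), "sis-console.0.log")
    prefix = "2012-06-14 19:21:10 SEVERE "  # constructed line prefix
    with open(path, "w") as fh:
        fh.write("2012-06-14 19:20:01 INFO console started\n")
        fh.write(prefix + PATTERNS[0] + "\n")
        fh.write(prefix + PATTERNS[1][:40])  # writer interrupted mid-line
    first, off = scan_new_lines(path)
    with open(path, "a") as fh:
        fh.write(PATTERNS[1][40:] + "\n")  # rest of the line arrives
    second, off = scan_new_lines(path, off)
    with open(path, "w") as fh:  # rotation: a new, shorter file
        fh.write(prefix + PATTERNS[0] + "\n")
    third, off = scan_new_lines(path, off)
    return first, second, third

if __name__ == "__main__":
    for n, hits in enumerate(demo(), 1):
        print(f"scan {n}: {[p.rsplit(': ', 1)[1] for p, _ in hits]}")
```

Persisting the returned offset between runs is what keeps a scheduled job from re-alerting on old failures.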



  • 5.  RE: How to create alert in SCSP to monitor admin logon to console?

    Posted Jun 15, 2012 01:03 AM
    Interesting workaround... I will try this, but I still think that an option which allows alerting on console login events should be available in the SCSP console when new Alerts are defined. Regards


  • 6.  RE: How to create alert in SCSP to monitor admin logon to console?

    Posted Oct 05, 2012 10:36 AM

    You can create a Trigger or stored procedure in the database that will copy (insert) the specific events needed from the AUDIT table over to the CSPEVENT table where it can be monitored. Then create an ALERT that monitors for the new event that meets specific criteria needed (if inserted into the EVENT Table).

    http://en.wikipedia.org/wiki/Database_trigger

    I have unsuccessfully tried to configure an Alert with the Audit Watch - Failure and Audit Watch - Success.