How to create such a Symantec rule?
Created: 20 Jan 2011 | 2 comments
Hello all.
I hope for your help.
I get events through Cisco IOS Event Collector 4.3.
Events such as "Interface FastEthernet0/7, changed state to up", "Interface FastEthernet0/7, changed state to down" and so on...
I need a rule which will create an alert when an interface changed state to down, but did not change state to up for 5 minutes, for example.
I tried to create "X not followed by Y" and "Y not preceded by X" rules, but those rules check events which were obtained. And I need a rule which will check that there were no events with "changed state to up" in the description.
Thank you.
Comments
Hi, Bohen.
For X not followed by Y rules there is a timespan SSIM is waiting for the Y event. If it is not getting this event within the configured time after getting the X event, it will fire a rule and create an incident.
Thanks,
Alexey.
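The timer behaviour described in the answer above, sketched in Python as an added example (it is not SSIM rule syntax and not part of the original thread). The function name, the sample events and their timestamps are constructed for illustration; X is "changed state to down" and Y is "changed state to up" on the same interface.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (timestamp, description); not real collector output.
SAMPLE = [
    ("2011-01-20 10:00:00", "Interface FastEthernet0/7, changed state to down"),
    ("2011-01-20 10:02:30", "Interface FastEthernet0/7, changed state to up"),
    ("2011-01-20 10:10:00", "Interface FastEthernet0/3, changed state to down"),
    ("2011-01-20 10:11:00", "Interface FastEthernet0/7, changed state to down"),
    ("2011-01-20 10:17:00", "Interface FastEthernet0/7, changed state to up"),
    ("2011-01-20 10:20:00", "Interface FastEthernet0/1, changed state to down"),
]

PATTERN = re.compile(r"Interface (\S+), changed state to (up|down)")
FMT = "%Y-%m-%d %H:%M:%S"

def x_not_followed_by_y(events, now, window=timedelta(minutes=5)):
    """Alert for each 'down' (X) with no 'up' (Y) on that interface within window."""
    pending, alerts = {}, []  # pending: interface -> time of unanswered 'down'

    def expire(current):
        # Fire every pending X whose waiting window ended before `current`.
        for ifc, t in sorted(pending.items(), key=lambda kv: kv[1]):
            if current - t > window:
                alerts.append((ifc, t.strftime(FMT)))
                del pending[ifc]

    for ts, msg in events:
        m = PATTERN.search(msg)
        if not m:
            continue                       # unrelated event
        when = datetime.strptime(ts, FMT)
        expire(when)
        ifc, state = m.groups()
        if state == "down":
            pending.setdefault(ifc, when)  # start the timer at the first 'down'
        else:
            pending.pop(ifc, None)         # Y arrived in time: no incident
    expire(datetime.strptime(now, FMT))    # a missing Y only shows as time passes
    return alerts

if __name__ == "__main__":
    for ifc, since in x_not_followed_by_y(SAMPLE, now="2011-01-20 10:22:00"):
        print(f"ALERT: {ifc} down since {since}, no 'up' within 5 minutes")
```

The second FastEthernet0/7 outage still alerts even though an "up" arrives later, because that "up" comes 6 minutes after the "down", outside the 5-minute window.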
BadBoo, thank you very much.
It seems it works!
I don't know why it didn't work before... In any case your answer was very helpful.