
I need help in rule creating

Created: 19 Nov 2012 | 5 comments

Hello

I need to create a rule which will generate incidents in case a Cisco device is disabled. For example, events were being sent by Cisco switches, and one Cisco switch was damaged and I can't receive events from it. How can I find this switch?

The System State Monitor rule doesn't work in this case because I have 1 agent, 1 collector, 1 sensor and many Cisco switches. The collector sends events from Cisco, but I have a lot of switches and I want to find only the one (damaged) switch.

Thanks


Laszlo2:

Hello,

There's a default rule for this purpose. You can use the "Inactive Logging Device" rule. Before activating the rule you have to fill the "Monitored Logging Devices" lookup table. After that the SSIM will alert when a syslog device (which is in the lookup table) does not send an event in a pre-defined time period. I think it generates only an alert incident, but you can customize the rule to create a security incident.

If you don't have this rule under the System rules, run LiveUpdate on the SIM Content, SIM Rules etc. components.

Regards,

Laszlo
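The check the "Inactive Logging Device" rule performs, written out as an added example (not Symantec's code): a lookup table of monitored devices, the collector's syslog lines, and a timeout, reporting every device in the table that has gone quiet. Device names and log lines are constructed.

```python
"""Inactive logging device check: lookup table of monitored devices plus a timeout.
Added example, not SSIM's own code. Names and syslog lines are constructed; syslog
lines carry no year, so one is assumed when parsing."""
from datetime import datetime, timedelta

# Equivalent of the "Monitored Logging Devices" lookup table (constructed names).
MONITORED_DEVICES = {"sw-core-01", "sw-access-02", "sw-access-03"}

# Constructed RFC 3164-style lines as the collector would receive them from the switches.
# sw-access-03 is in the table but never logs: that is the damaged-switch case.
SAMPLE_EVENTS = """\
Nov 19 10:00:05 sw-core-01 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
Nov 19 10:03:10 sw-access-02 %SYS-5-CONFIG_I: Configured from console by admin on vty0
Nov 19 10:10:42 sw-core-01 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.5(1234) -> 10.0.0.9(22), 1 packet
Nov 19 10:12:00 sw-access-02 %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
"""

def parse_ts(text, year=2012):
    """Parse 'Mon DD HH:MM:SS' (syslog has no year, so one is assumed)."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def parse_event(line):
    """Return (hostname, timestamp) for one syslog line, or None if it does not parse."""
    parts = line.split(None, 4)
    if len(parts) < 4:
        return None
    try:
        return parts[3], parse_ts(" ".join(parts[:3]))
    except ValueError:
        return None

def last_seen(lines):
    """Latest event timestamp per device, counting only devices in the lookup table."""
    seen = {}
    for line in lines.splitlines():
        parsed = parse_event(line)
        if parsed is None:
            continue
        host, ts = parsed
        if host in MONITORED_DEVICES and ts > seen.get(host, datetime.min):
            seen[host] = ts
    return seen

def inactive_devices(lines, now_text, timeout_minutes=15):
    """Monitored devices with no event in the last `timeout_minutes` before `now_text`.
    A device that never logged at all is reported too (datetime.min as its last-seen)."""
    now, timeout = parse_ts(now_text), timedelta(minutes=timeout_minutes)
    seen = last_seen(lines)
    return sorted(d for d in MONITORED_DEVICES if now - seen.get(d, datetime.min) > timeout)
```

Calling `inactive_devices(SAMPLE_EVENTS, "Nov 19 10:20:00")` reports only the silent switch; lowering the timeout to 5 minutes reports all three, which is the tuning trade-off the rule's time period controls.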

ederov:

Hello

Thank you

And I don't have this rule. How can I run LiveUpdate on SIM Content and SSIM Rules? Do I have to do it via SSH?

thanks

Laszlo2:

Hi,

No, you have to run it from the web UI: Maintenance, LiveUpdate, then select the SIM Rules, Filters and Monitors check box.

Laszlo

Laszlo2:

Or you can create the lookup table and the rule manually; I've attached the rule screenshot.

rule.png