I need help in rule creating
Created: 19 Nov 2012 | 5 comments
Hello
I need to create a rule which will generate incidents in case a Cisco device is disabled. For example, events were being sent by Cisco switches. One of the Cisco switches was damaged and I can't receive events from it. How can I find this switch?
The System State Monitor rule doesn't work in this case because I have 1 agent, 1 collector, 1 sensor and many Cisco switches. The collector sends events from the Cisco switches, but I have a lot of switches and I want to find only the one (damaged) switch.
Thanks
Hello,
There's a default rule for this purpose. You can use the "Inactive Logging Device" rule. Before activating the rule you have to fill in the "Monitored Logging Devices" lookup table. After that, the SSIM will alert when a syslog device (which is in the lookup table) does not send events within a pre-defined time period. I think it generates only an alert incident, but you can customize the rule to create a security incident.
If you don't have this rule under the System rules, run LiveUpdate on the SIM Content, SIM Rules etc. components.
Regards,
Laszlo
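The logic of the "Inactive Logging Device" rule described above, as an added illustration that is not part of this thread or of the SSIM product: a lookup table of monitored devices is compared against the newest event seen per device, and any listed device that has been silent longer than the threshold (or has never reported at all) is flagged. Device names, timestamps and syslog messages are constructed samples.

```python
from datetime import datetime, timedelta

# Constructed stand-in for the "Monitored Logging Devices" lookup table.
MONITORED_DEVICES = ["sw-core-01", "sw-access-07", "sw-access-12"]

# Constructed sample events as the collector would have received them:
# (timestamp, reporting device, syslog message). sw-access-07 has gone quiet.
SAMPLE_EVENTS = [
    ("2012-11-19 09:58:10", "sw-core-01", "%LINK-3-UPDOWN: Interface Gi1/0/1, changed state to up"),
    ("2012-11-19 09:41:02", "sw-access-07", "%SYS-5-CONFIG_I: Configured from console"),
    ("2012-11-19 09:59:30", "sw-access-12", "%LINEPROTO-5-UPDOWN: Line protocol on Interface Gi1/0/3, changed state to down"),
    ("2012-11-19 09:57:45", "sw-core-01", "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin]"),
]

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def last_seen(events):
    """Return {device: newest timestamp} from (timestamp, device, message) tuples."""
    seen = {}
    for ts, device, _msg in events:
        when = datetime.strptime(ts, TS_FORMAT)
        if device not in seen or when > seen[device]:
            seen[device] = when
    return seen


def inactive_devices(monitored, events, now, max_silence):
    """Return [(device, last_seen_or_None)] for every monitored device that has
    not sent an event within max_silence before now. A device in the lookup
    table that has never reported is also flagged, so a mistyped name in the
    table surfaces as an alert rather than being silently ignored."""
    seen = last_seen(events)
    return [(d, seen.get(d)) for d in monitored
            if seen.get(d) is None or now - seen[d] > max_silence]


def check_sample(now_str="2012-11-19 10:00:00", minutes=15, monitored=MONITORED_DEVICES):
    """Run the check over the constructed sample and return only the device names."""
    now = datetime.strptime(now_str, TS_FORMAT)
    return [d for d, _ in inactive_devices(monitored, SAMPLE_EVENTS, now, timedelta(minutes=minutes))]


if __name__ == "__main__":
    now = datetime.strptime("2012-11-19 10:00:00", TS_FORMAT)
    for device, latest in inactive_devices(MONITORED_DEVICES, SAMPLE_EVENTS, now, timedelta(minutes=15)):
        print(f"ALERT inactive logging device: {device} (last event: {latest})")
```

With a 15-minute window only sw-access-07 is reported; widening the window to 30 minutes clears it, which is the trade-off between catching a dead switch quickly and tolerating a quiet one.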
Hello
Thank you
And I don't have this rule. How can I run LiveUpdate on SIM Content and SSIM Rules? Do I have to do it via ssh?
thanks
Hi,
No, you have to run it from the Web UI: Maintenance, LiveUpdate, and select the "SIM Rules, Filters and Monitors" check box.
Laszlo
Or you can create the lookup table and the rule manually; I attached the rule screenshot.
I'll try to do it
Thank you