How to create alert in SCSP to monitor admin logon to console?
The alter settings event filter can not filter the audit event.
i don't think its possible in SCSP to monitor admin login console. May be this option is available in upcoming SCSP version.
I also tried to configure such alert but with no luck.
It looks that this particular event type isn't available when setting alert criteria.
Are you interested in being alerted each time someone fails to log in or each time someone successfully logs in?
If you're interested in the failures, here is how to do it:
Create a Detection policy with the File Watch category. Enable the options shown in the screenshot:
Leave the "Type of diff algorithm" as the default value (Text).
In "List of patterns" add the following two entries:
com.symantec.sis.common.auth.AuthenticationException: Invalid password
com.symantec.sis.common.auth.AuthenticationException: Invalid user name
In "List of Files to Watch" add the following entry:
C:\Program Files (x86)\Symantec\Critical System Protection\Server\tomcat\logs\sis-console.0.log
In mine, I only configured it to Record Event to SCSP Console, but you may use the Execute Command feature to send a notification email.
If you are interested in being notified for successful logons, the sisconsole logging level will need to be increased to TRACE, which is a pretty verbose logging level. If you're okay with that let me know and I'll look into what line is generated upon a successful login.
Interesting workaround... I will try this but still I think that options which allows to alert console login events should be available in SCSP console when new Alerts are defined.
You can create a Trigger or stored procedure in the database that will copy (insert) the specific events needed from the AUDIT table over to the CSPEVENT table where it can be monitored. Then create an ALERT that monitors for the new event that meets specific criteria needed (if inserted intot the EVENT Table).
I have unsuccessfully tried to configure an Alert with the Audit Watch - Failure and Audit Watch - Success.