Skip navigation

Log Source Not Reporting

Posted by cblack1 Jul 29, 2015

mkgurz Jun 23, 2015 9:23 AM


Hi Chris,


Is there a way to alarm on a data source when it goes inactive? For example, the SIEM allows us to alarm on other things like Signature ID, IP address, domain, etc. We would like to have an alarm get sent out to a group after like a day when one of those data sources stops collecting logs. I know that the yellow "device inactive" flag shows up on the individual data sources, but is there a way to send out an email when that happens? Would we need to make a correlation rule? If so, what rule setting would the alarm trigger on?






Thanks for the question Mike. There is indeed a way to alarm when a device is not reporting as expected.


Though there are many non-security related reasons a device may stop reporting log data, disabling the logging function is a known malware tactic to evade detection. Whether for continuity or security reasons, the organization would be well served to know when devices stop communicating.


Users may be notified of alarms in several ways, by local notification within ESM, by email, or by SMS message. If notification is not configured, users may still view triggered alerts by clicking on the gold bell icon from the line at the top right hand corner of the screen.


The triggered alarms will be displayed in the center pane. To view the details of an alarm, click on one of the “Data Source Not Reporting” alarms. View the details in the tabs below, including the final event that caused the rule to trigger.


From the details tab, you may click on Create Case to open a case and assign it to an analyst.


To configure ESM to notify for event log sources not reporting, you will need to configure an alarm.


Step 1:


Go to System Properties>Alarms. Click Add



On the summary page, name the alarm, choose the assignee, and set the severity level of this event. Check  “enabled”.



Check Connection and Idle Time, and configure the interval after which you wish to be notified.




Select the receivers or individual devices to which you wish to apply the rule. Selections at the top of the tree will propagate to the devices below.



Configure the desired actions and escalation options.


05-Alarms list.png


Click Finish and return to the Alarms screen.

That's it. You're all set. Hope this helps.