
Question on email alerts

About a month ago I got our email alerts working. I'm now seeing some of the alerts below appear. I was wondering if the information field is self-explanatory on why the alert is appearing?

I.e., freespace override = ran out of space and purged logs?

Is there a document or something that would explain what these alerts mean?

For a complete listing of the events that triggered this alarm please execute the following command (All on one line):

___BEGIN_CMD___
acat -a -e "(event AUDIT_R_DDT || event AUDIT_R_DIT || event AUDIT_R_DOM) and stime 20160318040233 and etime 20160318040233" /var/log/audit.raw ___END_CMD___

Note: Due to rounding error and network traffic patterns, the above command
      may produce more events than were included in this alarm.

The following are the last 1 events seen:

2016-03-18 04:02:33 -0500 f_kernel a_tepm t_attack p_major
pid: 1578 logid: 0 cmd: 'sfagent'
hostname: XXXX category: policy_violation
event: dom violation srcdmn: SFag
reason: OP: OP_SYS_FS_MGMT wanted perm: 0x80<rootness> granted perm: 0x0
information: ffs_alloc(): freespace override

___BEGIN_CMD___
acat -a -e "(event AUDIT_R_DDT || event AUDIT_R_DIT || event AUDIT_R_DOM) and stime 20160317214806 and etime 20160317214806" /var/log/audit.raw ___END_CMD___

Note: Due to rounding error and network traffic patterns, the above command
      may produce more events than were included in this alarm.

The following are the last 1 events seen:

2016-03-17 21:48:06 -0500 f_kernel a_tepm t_attack p_major
pid: 15321 logid: 108 cmd: 'vscanupdate'
hostname: XXXX category: policy_violation
event: ddt violation srcdmn: SCDU filedom: Kern filetype: diry
reason: OP: OP_FS_WRITE perm wanted: 0x2<write> perm granted: 0x1<read>
information: dumpcore: vscanupdate.core

For a complete listing of the events that triggered this alarm please execute the following command (All on one line):

___BEGIN_CMD___
acat -a -e "(event AUDIT_R_DDT || event AUDIT_R_DIT || event AUDIT_R_DOM) and stime 20160307152455 and etime 20160307152455" /var/log/audit.raw ___END_CMD___

Note: Due to rounding error and network traffic patterns, the above command
      may produce more events than were included in this alarm.

The following are the last 1 events seen:

2016-03-07 15:24:55 -0600 f_kernel a_tepm t_attack p_major
pid: 1778 logid: 105 cmd: 'tcsh'
hostname: XXXX category: policy_violation
event: dit violation srcdmn: User tgtdmn: Audt
reason: OP: OP_PROC_TRAN perm wanted: 0x1<trans> perm granted: 0x0
information: Exec /usr/bin/acat

For a complete listing of the events that triggered this alarm please execute the following command (All on one line):

___BEGIN_CMD___
acat -a -e "(event AUDIT_R_DDT || event AUDIT_R_DIT || event AUDIT_R_DOM) and stime 20160217084609 and etime 20160217084609" /var/log/audit.raw ___END_CMD___

Note: Due to rounding error and network traffic patterns, the above command
      may produce more events than were included in this alarm.

The following are the last 1 events seen:

2016-02-17 08:46:09 -0600 f_kernel a_tepm t_attack p_major
pid: 3771 logid: 108 cmd: 'tcsh'
hostname: XXXX category: policy_violation
event: ddt violation srcdmn: User filedom: mtac filetype: scrp
reason: OP: OP_FS_EXEC perm wanted: 0x2000<exec> perm granted: 0x9<read,execute>
information: Exec /usr/bin/mailq
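As an added example, not part of the original post or of the vendor's tooling, here is a small Python parser that turns one pasted audit alert record of the kind shown above into the fields a triager wants: source domain, target or file domain, operation, and the permission bits that were wanted but not granted. It assumes the key: value layout of the records above (both "perm wanted"/"wanted perm" word orders); the sample record is copied from the post.

```python
import re

# Constructed sample input: the second alert record pasted in the post above,
# copied verbatim (hostname already redacted there as XXXX).
SAMPLE_ALERT = """\
2016-03-17 21:48:06 -0500 f_kernel a_tepm t_attack p_major
pid: 15321 logid: 108 cmd: 'vscanupdate'
hostname: XXXX category: policy_violation
event: ddt violation srcdmn: SCDU filedom: Kern filetype: diry
reason: OP: OP_FS_WRITE perm wanted: 0x2<write> perm granted: 0x1<read>
information: dumpcore: vscanupdate.core
"""

# Keys seen in the "key: value" lines of these records. A value runs up to the
# next known key, so the keys are listed explicitly rather than guessed.
KEYS = ("pid", "logid", "cmd", "hostname", "category", "event", "srcdmn",
        "tgtdmn", "filedom", "filetype", "reason", "information")
_KEY_ALT = "|".join(KEYS)
FIELD_RE = re.compile(r"(%s): (.*?)(?= (?:%s): |$)" % (_KEY_ALT, _KEY_ALT))
# The reason line uses either word order ("perm wanted" or "wanted perm").
PERM_RE = re.compile(r"(?:perm wanted|wanted perm): (0x[0-9a-f]+)(?:<[^>]*>)?"
                     r" (?:perm granted|granted perm): (0x[0-9a-f]+)", re.I)

def parse_alert(text):
    """Parse one record into a dict; adds op, wanted, granted, missing (ints)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    head = lines[0].split()
    rec = {"timestamp": " ".join(head[:3]), "facility": head[3],
           "area": head[4], "type": head[5], "priority": head[6]}
    for key, value in FIELD_RE.findall(" ".join(lines[1:])):
        rec[key] = value.strip("'")
    reason = rec.get("reason", "")
    m = re.search(r"OP: (\S+)", reason)
    rec["op"] = m.group(1) if m else None
    p = PERM_RE.search(reason)
    rec["wanted"] = int(p.group(1), 16) if p else 0
    rec["granted"] = int(p.group(2), 16) if p else 0
    # Bits the process asked for that the policy did not grant: the real cause.
    rec["missing"] = rec["wanted"] & ~rec["granted"]
    return rec

def summarize(rec):
    """One triage line: which domain/command tried which op on which target."""
    target = rec.get("tgtdmn") or rec.get("filedom") or "-"
    return "%s %s: %s (%s) -> %s via %s, missing perm 0x%x, info: %s" % (
        rec["timestamp"], rec.get("event"), rec.get("srcdmn"), rec.get("cmd"),
        target, rec["op"], rec["missing"], rec.get("information"))

if __name__ == "__main__":
    print(summarize(parse_alert(SAMPLE_ALERT)))
```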
