schrmat
Level 9
Message 1 of 5

Custom type displayed on a triggered correlation event

Hello everyone,

I receive some port up- and down events from my switches.

I have parsed the switch port from the event to the custom type "device_port".

I have built a correlation which shall trigger if these events occur a few times.

Is it possible that the device_port is displayed in the correlation event?

So that I am able to build a mail alarm which triggers on the Signature ID from the correlation event and displays the device port in the mail?

Best regards

4 Replies
schrmat
Level 9
Message 2 of 5

Re: Custom type displayed on a triggered correlation event

Does nobody have an answer?

sssyyy
Reliable Contributor
Message 3 of 5

Re: Custom type displayed on a triggered correlation event

Try adding Device_port to the aggregation fields.

schrmat
Level 9
Message 4 of 5

Re: Custom type displayed on a triggered correlation event

You mean at the correlated event "HA- Switch Port blocked or offline or online"? Aggregation fields Source IP & Device Port?

It would be nice if it worked, but how shall it aggregate on the Device Port if it does not know the device port? As you can see in the picture, the field is empty 😕

Nevertheless it is not possible to aggregate for the device port.

Former Member
Not applicable
Message 5 of 5

Re: Custom type displayed on a triggered correlation event

Old post, but here's an idea anyway: Leave the correlation rule alone, then create your alarm to fire based on that rule. In the alarm template create a [REPEAT] section if necessary, but most importantly create a [SOURCE_EVENT] section. Make sure Device_Port is between the START and END of the Source Event section.

Using your screenshot above as an example: as a result you'll have 4 source event entries in your alarm; one of them will be blank (that'll be the one without a port) and the other three will show the port. You'll have duplicate information, but at least you'll have the information.

Unfortunately it seems correlation rules take the most recent event and use it as the placeholder. Without the Source Event section in your alarm the only information you'll ever see is what the correlation rule shows in the GUI.
