Showing results for 
Search instead for 
Did you mean: 
Level 7
Report Inappropriate Content
Message 1 of 4

How do I include the packet when sending an email notification about an alarm?


I want to inlcude the packet in my email notification that I send when one of my alarms is triggered.  Can anyone help me and tell me how this is accomplished?

Thank you

3 Replies

Re: How do I include the packet when sending an email notification about an alarm?

The packet data is identified by the token "[$Packet Data]".  It's in the template editor under Event Fields/Network.

Remember that Alarms are generated by the ESM, and the ESM can only include the packet data in the alarm email if the ESM has access to it.  By default, packet data is NOT copied to the ESM.  In the standard config, packet data is stored on the Receiver.  There are 2 ways to get packet data to transfer to the ESM:

- Manually by reviewing the event packet tab.   This causes the ESM to reach inito the Receiver and copy the packet for the relevant event from the Receiver to the ESM.  This assumes that the packet still exists on the Reciever.  The Receiiver has a limited amount of storage, and keeps packets for the most recent events.

- Automatically by modifying the policy.  There is a setting called "copy packet" for each rule in your policy.  If you set this to "on" for the relevant Data Source rule(s), then the ESM will automatically copy the packet from the Receiver to the ESM during the regular receiver polling interval. 

Note that this increases the amount of storage used by these events, and therefore can decrease the number of event records your ESM can store.  The amount of increase depends greatly on what kind of events you're talking about.  As a rule-of-thumb, I generally assume that the event record + packet is about 2x the size of the event alone, although for some large complex logs it can be 3x or more.


Re: How do I include the packet when sending an email notification about an alarm?

Wondeful!   Thanks for this information.  Works great trying to see the URL from Windows DNS failures ( SigID 43-3317837541).

Question - Is it possible to be get this Packet information in a report?

Re: How do I include the packet when sending an email notification about an alarm?

Question about this as well. Will this work when receiving an email from a triggering correlation rule? Correlation rules technically do not have any packet data - just the source events on the correlation rule. If not, is there a way to include packet data in an email from source events on a correlation rule?

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community