zakhter
Level 8
Message 1 of 10

Report on non-active data sources

Hi guys,

Looking for a tip to create a report on data sources which stop responding for any reason: decommission, SIEM account password change, etc. Daily reporting on health check will be very useful.

Identified in SIEM as Device Status: Inactive.

Thanks.

9 Replies

Re: Report on non-active data sources

You can achieve it by creating an Alarm. Here are the steps.

1. Create a new Alarm.

2. On the Condition tab, select "Device Status Change" as Type and check "Connection" and "Idle Time" as Health Monitor Status (screenshot). You can configure the interval after which you wish to be notified on a particular data source.

3. On the Device tab, select the data sources you wish to monitor.

4. On the Action tab, select your desired action. Note that you can also "Generate Report".

Hope this helps

Thanks,

Syed Rizvi

zakhter
Level 8
Message 3 of 10

Re: Report on non-active data sources

Thanks for your response. The Alarm produces individual information, and my end goal is to get a full report on all data sources not generating events.

Do you know a way to set up a filter on Device log messages? For example: Logon failed for abc w/ NT status: NT_STATUS_ACCESS_DENIED - Access denied

Re: Report on non-active data sources

To generate that type of Report, we would need to get a bit creative. So, when you create the alarm, assign an odd Severity that you hope other alarms won't have, let's say 59, then create a new Report based on Event Summary and under option 6, filter the Alarm Severity field equals 59. Try that.

The only way I can think of filtering Device logs is to set it up as Data Source. So, that would mean forward device log to a separate syslog server and import it back.

Hope this helps.

Thanks,

Syed Rizvi


Re: Report on non-active data sources

Hello,

We have some 13K+ data sources and find that there is really no practical means in the product to simply report which Data Sources had 0 events in the past X hours, or yesterday, etc. You should simply be able to do this by running an event count report, but someone at McAfee thought it would be best to simply drop any Data Source from such a listing if it happens to have a count of zero.

So we take receiver exports, ESM last event received reports, and ELM stat files and blend them together with some perl scripts and whammo, we get a nice spreadsheet that provides the last event received times. The scripting also takes into account that we use dummy parent folders that have a country location code and platform type encoded in them. So what we get is a listing that can be easily sorted to the group that owns the platform.

J-

cartere
Level 8
Message 6 of 10

Re: Report on non-active data sources

I agree, I have always been disappointed that McAfee drops "0"'s from their reports.

zakhter
Level 8
Message 7 of 10

Re: Report on non-active data sources

Hey Lospinoj,

Thanks for digging into it. Can you please provide the detailed steps and the script which is producing the end-goal report?

Thanks.

Re: Report on non-active data sources

Sure, but I'll need some time to scrub out anything specific to my company.

J-

andy777
McAfee Employee
Message 9 of 10

Re: Report on non-active data sources

I wrote a script that does something similar and posted about it here:

Example output, but it's easily customizable:

$ python esmcheckds.py
2016-09-24 16:46:12,824 | WARNING | Data Source has not seen any events in the past LAST_HOUR: Bro 4, 10.10.20.2
2016-09-24 16:46:13,354 | WARNING | Data Source has not seen any events in the past LAST_HOUR: cloud, 10.10.22.202
2016-09-24 16:46:14,399 | WARNING | Data Source has not seen any events in the past LAST_HOUR: mad-pc, 10.10.22.35
2016-09-24 16:46:14,977 | WARNING | Data Source has not seen any events in the past LAST_HOUR: Monster, 10.10.22.50
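The check described in this thread, both J-'s "blend the exports and find the sources with zero events" approach and the warning-per-source output shown above, as an added example. This is not andy777's esmcheckds.py, not J-'s perl scripting, and not a McAfee tool; it assumes two constructed CSV exports (a full data source inventory, and an event-count export that omits zero-count sources exactly as the thread complains), and the column names `name`, `ip`, `events` and `last_event` are assumptions. The point it demonstrates is that a silent data source has to be found by joining the inventory against the export, because the export alone never lists it.

```python
"""Report SIEM data sources that have gone quiet (added example, not the
thread's script).  Joins an inventory of configured data sources against an
event-count export that drops zero-count sources, so a silent source is
detected by its absence from the export or by a stale last-event time."""
import csv
import io
import logging
from datetime import datetime, timedelta

# Constructed sample inventory of configured data sources (name, ip).
INVENTORY_CSV = """name,ip
Bro 4,10.10.20.2
cloud,10.10.22.202
dc01,10.10.22.10
mad-pc,10.10.22.35
Monster,10.10.22.50
"""

# Constructed sample event-count export for the reporting window.  As the
# thread notes, sources with a count of zero are dropped from such exports,
# so "cloud", "mad-pc" and "Bro 4" appear here only by their absence.
EVENT_COUNTS_CSV = """name,ip,events,last_event
dc01,10.10.22.10,1532,2016-09-24 16:40:01
Monster,10.10.22.50,3,2016-09-24 14:02:17
"""

WINDOW_LABEL = "LAST_HOUR"          # label used in the warning text
WINDOW = timedelta(hours=1)         # a source older than this is "inactive"
SAMPLE_NOW = datetime(2016, 9, 24, 16, 46, 12)  # fixed clock for the sample

logging.basicConfig(level=logging.WARNING,
                    format="%(asctime)s | %(levelname)s | %(message)s")
log = logging.getLogger("esmcheckds")


def parse_inventory(text):
    """Return the list of (name, ip) pairs from the inventory CSV."""
    return [(row["name"], row["ip"]) for row in csv.DictReader(io.StringIO(text))]


def parse_event_counts(text):
    """Map (name, ip) -> most recent last_event timestamp seen in the export."""
    last_seen = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["name"], row["ip"])
        ts = datetime.strptime(row["last_event"], "%Y-%m-%d %H:%M:%S")
        if key not in last_seen or ts > last_seen[key]:
            last_seen[key] = ts
    return last_seen


def find_inactive(inventory, last_seen, now, window=WINDOW):
    """Return (name, ip, last_event_or_None) for every inventoried source that
    is missing from the export or whose last event is older than the window.
    Iterating the inventory, not the export, is what surfaces zero-count
    sources."""
    inactive = []
    for name, ip in inventory:
        last = last_seen.get((name, ip))
        if last is None or now - last > window:
            inactive.append((name, ip, last))
    return inactive


def format_warning(name, ip, last, label=WINDOW_LABEL):
    """Build one warning line in the same shape as the output quoted above."""
    msg = f"Data Source has not seen any events in the past {label}: {name}, {ip}"
    if last is not None:
        msg += f" (last event {last:%Y-%m-%d %H:%M:%S})"
    return msg


def run_check(inventory_csv=INVENTORY_CSV, counts_csv=EVENT_COUNTS_CSV, now=None):
    """Parse both exports, log one WARNING per quiet source, return the messages."""
    now = now or datetime.now()
    inactive = find_inactive(parse_inventory(inventory_csv),
                             parse_event_counts(counts_csv), now)
    messages = [format_warning(*entry) for entry in inactive]
    for msg in messages:
        log.warning(msg)
    return messages


if __name__ == "__main__":
    run_check(now=SAMPLE_NOW)
```

Run daily (cron or Task Scheduler) against fresh exports and the WARNING lines are the health report; a source with a stale `last_event` is reported alongside the ones missing entirely, which is the case an event-count report hides.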

Re: Report on non-active data sources

Hello,

For some reason I cannot see the link to the script, and I am trying to do something similar. Can you please help me out? My main goal is to run the script daily when I get to work to make sure everything works as it is supposed to, without going through all the devices one by one.


Thanks a lot!
