Looking for a tip to create a report on data sources which stop responding for any reason (decommissioning, SIEM account password change, etc.). Daily health-check reporting would be very useful.
Identified in SIEM as Device Status: Inactive.
1. Create a new Alarm.
2. On the Condition tab, select "Device Status Change" as Type and check "Connection" and "Idle Time" as Health Monitor Status (screenshot). You can configure the interval after which you wish to be notified on a particular data source.
3. On the Device tab, select the data sources you wish to monitor.
4. On the Action tab, select your desired action. Notice that you can also "Generate Report".
Hope this helps
Thanks for your response. An alarm produces individual information, and my end goal is to get a full report on all data sources not generating events.
Do you know a way to set up a filter on Device log messages? For example, Logon failed for abc w/ NT status: NT_STATUS_ACCESS_DENIED - Access denied
To generate that type of report, we would need to get a bit creative. So, when you create the alarm, assign an odd Severity that you hope other alarms won't have, let's say 59, then create a new Report based on Event Summary and, under option 6, filter on the Alarm Severity field equals 59. Try that.
The only way I can think of filtering Device logs is to set it up as a Data Source. So, that would mean forwarding the device log to a separate syslog server and importing it back.
Hope this helps.
We have some 13K+ data sources and find that there is really no practical means in the product to simply report which Data Sources had 0 events in the past X hours or yesterday, etc. You should simply be able to do this by running an event count report, but someone at McAfee thought it would be best to simply drop any Data Source from such a listing if it happens to have a count of zero.
So we take receiver exports, ESM last event received reports, and ELM stat files and blend them together with some perl scripts and whammo, we get a nice spreadsheet that provides the last event received times. The scripting also takes into account that we use dummy parent folders that have a country location code and platform type encoded in them. So what we get is a listing that can be easily sorted to the group that owns the platform.
Example output, but it's easily customizable:
$ python esmcheckds.py
2016-09-24 16:46:12,824 | WARNING | Data Source has not seen any events in the past LAST_HOUR: Bro 4, 10.10.20.2
2016-09-24 16:46:13,354 | WARNING | Data Source has not seen any events in the past LAST_HOUR: cloud, 10.10.22.202
2016-09-24 16:46:14,399 | WARNING | Data Source has not seen any events in the past LAST_HOUR: mad-pc, 10.10.22.35
2016-09-24 16:46:14,977 | WARNING | Data Source has not seen any events in the past LAST_HOUR: Monster, 10.10.22.50
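An added example of the check described above (not the poster's esmcheckds.py or any McAfee tool): it reads a constructed, hypothetical "last event received" export, keeps sources with zero events in the window instead of dropping them, and sorts by the parent folder that encodes country and platform. The CSV columns, the parent-folder naming and the `never` marker are assumptions; a real ESM export needs its own column mapping.

```python
# Added example, not the poster's esmcheckds.py or any McAfee tool: report
# data sources with no events inside a time window. The CSV layout below is a
# constructed, hypothetical "last event received" export (parent folder,
# name, IP, last event time); a real ESM export needs its own column mapping.
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export. Parent folders encode country code and platform,
# as described in the thread, so the report can be sorted by owning group.
SAMPLE_EXPORT = """parent,name,ip,last_event
US-Network,Bro 4,10.10.20.2,2016-09-24 14:02:11
DE-Windows,cloud,10.10.22.202,2016-09-24 09:30:00
US-Network,fw-edge,10.10.20.1,2016-09-24 16:40:05
DE-Windows,mad-pc,10.10.22.35,never
"""

def parse_export(text):
    """Return (parent, name, ip, last_event_or_None) per row of the CSV."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        raw = r["last_event"].strip()
        last = (None if raw.lower() in ("", "never")
                else datetime.strptime(raw, "%Y-%m-%d %H:%M:%S"))
        rows.append((r["parent"], r["name"], r["ip"], last))
    return rows

def idle_sources(rows, now, window):
    """Rows whose last event is older than now - window, grouped by parent.
    A source that has never sent an event is always included (unlike an
    event-count report, which silently drops a zero-count source)."""
    cutoff = now - window
    idle = [row for row in rows if row[3] is None or row[3] < cutoff]
    return sorted(idle, key=lambda row: (row[0], row[1]))

def format_warnings(idle, label):
    """Render one warning line per idle source, matching the thread's output."""
    return [f"WARNING | Data Source has not seen any events in the past "
            f"{label}: {name}, {ip}" for _parent, name, ip, _last in idle]

def idle_report(export_text, now_str, hours, label):
    """Wrapper: export text, 'YYYY-mm-dd HH:MM:SS' reference time, window in hours."""
    now = datetime.strptime(now_str, "%Y-%m-%d %H:%M:%S")
    idle = idle_sources(parse_export(export_text), now, timedelta(hours=hours))
    return format_warnings(idle, label)

if __name__ == "__main__":
    for line in idle_report(SAMPLE_EXPORT, "2016-09-24 16:46:00", 1, "LAST_HOUR"):
        print("2016-09-24 16:46:00 |", line)
```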
For some reason I cannot see the link to the script and I am trying to do something similar, can you please help me out? My main goal is to run the script daily when I get to work to make sure everything works as it's supposed to without going through all the devices one by one.
Thanks a lot!