japie
Level 9
Message 1 of 2

Use Case - Daily Automated Report for hosts not logging to SIEM in X time frame - Anyone?

Hi All

We would like to produce daily reports in areas like Solaris, AIX for hosts that didn't log to the SIEM in X time.

I know you can create an alarm which will fire off an alert but that's not what we want. We just want a simple report with the host names for the relevant BU/Technology to action.

Has anybody managed to get something like this working?

Thanks,

Japie

1 Reply
feeeds
Level 9
Message 2 of 2

Re: Use Case - Daily Automated Report for hosts not logging to SIEM in X time frame - Anyone?

Before you start with the report, I would build a query and graph first to ensure the syntax is correct.

One way that I can think of would be to start with an event Query based on Count. The one below is set to show us top talkers, so you would want to sort on descending, and maybe only pick the data sources that you are worried about.

You should be able to pick your time frame as well.

[Image: ESM-Count.jpg]

The other way would be to set up an alarm based on type of device status change, with the health monitor status of idle. This can be problematic in that the health of the data source is fine, you just want to know when it's not sending events anymore. So you might need to play with that one as well.
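
An added example, not part of the original replies and not McAfee ESM code: one way to turn an exported event query into the report asked for is to compare the newest event time per host against an inventory of hosts that are expected to log, so hosts that never logged are listed as well. The CSV layouts, host names, BU names and the 24-hour window are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed inventory of hosts expected to log (hypothetical names and BUs).
INVENTORY_CSV = """host,technology,bu
sol-db01,Solaris,Finance
sol-app02,Solaris,Finance
aix-erp01,AIX,Manufacturing
aix-erp02,AIX,Manufacturing
"""

# Constructed event export: host and event time per row (assumed layout).
EVENTS_CSV = """host,last_time
sol-db01,2024-05-01T23:50:00+00:00
sol-db01,2024-05-02T07:15:00+00:00
sol-app02,2024-04-30T03:00:00+00:00
aix-erp01,2024-05-02T07:59:00+00:00
"""

def last_seen(events_csv):
    """Return the newest event timestamp per host (case-insensitive host match)."""
    newest = {}
    for row in csv.DictReader(io.StringIO(events_csv)):
        host = row["host"].strip().lower()
        ts = datetime.fromisoformat(row["last_time"])
        if host not in newest or ts > newest[host]:
            newest[host] = ts
    return newest

def silent_hosts(inventory_csv, events_csv, now, max_silence):
    """Group hosts with no event inside max_silence by (bu, technology)."""
    newest = last_seen(events_csv)
    report = defaultdict(list)
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        seen = newest.get(row["host"].strip().lower())
        # A host absent from the export never logged at all: report it too.
        if seen is None or now - seen > max_silence:
            report[(row["bu"], row["technology"])].append(
                (row["host"], seen.isoformat() if seen else "never"))
    return dict(report)

if __name__ == "__main__":
    now = datetime(2024, 5, 2, 8, 0, tzinfo=timezone.utc)  # fixed for the sample data
    result = silent_hosts(INVENTORY_CSV, EVENTS_CSV, now, timedelta(hours=24))
    for (bu, tech), hosts in sorted(result.items()):
        for host, seen in hosts:
            print(f"{bu}\t{tech}\t{host}\tlast event: {seen}")
```

Driving the check from the inventory rather than from the event data is what surfaces hosts with zero events, which a count query sorted by volume cannot show because those hosts return no rows.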
