3 Replies, latest reply on Oct 15, 2013 8:11 PM by lichnt

Correlation Rule to Alarm Help


This is probably a simple problem that I am having, but I am very new to McAfee Nitro SIEM (ESM).

McAfee ESM
Version 9.3.0 Build 20130919112150

I am trying to create an alarm, on ALL failed logins, that sends syslog messages to a single syslog server.



First, I created a Correlation Rule that filters on normalization Login and Event Failure:

[Attachment: Correlation Rule.png]

I enabled the correlation rule on the correlation engine for the local receiver:

[Attachment: Correlation Rule Enabled.png]

Then I created/enabled an alarm based on the new rule, and under Actions I set it to "Send Message" and configured it to send to a specific syslog server.




I also created an Event Forwarder from the ESM to forward all User/Debug events (Facility: User / Severity: Debug), so I know that syslog and communication between the ESM and the syslog service work. I can see all of those failed logon messages just fine.

I then turned the event forwarding off and tried to log on to a few systems with incorrect credentials to test the alarm.

I can see the events in the dashboard, but no alarms are being triggered.

Any ideas? I know I have to be missing something simple here. I am curious how the normalization might be affecting this correlation, as I did not set a count threshold.