3 Replies Latest reply on Oct 15, 2013 8:11 PM by lichnt

    Correlation Rule to Alarm Help

    nakoz69

This is probably a simple problem that I am having but I am very new to McAfee Nitro SIEM (ESM).

      System:

      McAfee ESM

Version 9.3.0 Build 20130919112150

Problem:

I am trying to create an alarm, on ALL failed logins, that sends syslog messages to a single syslog server.

First, I created a Correlation Rule that filters on normalization Login and Event Failure:

       

Correlation Rule.png

I enabled the correlation rule on the Correlation Engine for the local receiver:

Correlation Rule Enabled.png

Then I created/enabled an alarm based on the new rule, and under Actions I set it to "Send Message" and configured it to send to a specific syslog server.

       

Failed_Login_Attempts_Alarm.png

I also created an Event Forwarder from the ESM to forward all User/Debug events (Facility: User, Severity: Debug), so I know that syslog and communication between the ESM and the syslog service work. I can see all of those failed logon messages just fine.

I then turned the event forwarding off and tried to log on to a few systems with incorrect credentials to test the alarm.

I can see the events in the dashboard, but no Alarms are being triggered.

Tiggered_Alarms.png

      Any ideas?  I know I have to be missing something simple here.  I am curious how the normalization might be affecting this correlation as I did not set a count threshold.
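As an added example, not part of the original post and not McAfee ESM code: a small Python model of what the rule described above has to do, a normalization filter (Login and Failure) followed by a per-host count threshold over a time window, with each alarm rendered as an RFC 5424 syslog line at user.debug (PRI 15, the facility/severity the forwarder test used). The event fields, rule names, the "siem-esm" sender name and the sample events are all constructed assumptions. The model cannot tell you how ESM itself interprets an unset count threshold; it only shows why the threshold and window settings decide whether a single failed login fires at all.

```python
"""Toy correlation model (added example, not McAfee ESM code)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    tags: FrozenSet[str]   # normalization tags the collector attached (assumed shape)


@dataclass(frozen=True)
class CorrelationRule:
    name: str
    required_tags: FrozenSet[str]            # every tag must be present on the event
    threshold: int = 1                       # matching events needed before firing
    window: timedelta = timedelta(minutes=5)


def correlate(events: List[Event], rule: CorrelationRule) -> List[Tuple[datetime, str, int]]:
    """Apply `rule` to time-ordered `events`; return (ts, host, count) per alarm.
    A threshold below 1 is treated as 1, so every matching event fires on its own."""
    threshold = max(1, rule.threshold)
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alarms: List[Tuple[datetime, str, int]] = []
    for ev in events:
        if not rule.required_tags <= ev.tags:
            continue                           # normalization filter did not match
        q = recent[ev.host]
        q.append(ev.ts)
        while q and ev.ts - q[0] > rule.window:
            q.popleft()                        # expire matches outside the window
        if len(q) >= threshold:
            alarms.append((ev.ts, ev.host, len(q)))
            q.clear()                          # start a fresh count once fired
    return alarms


# RFC 5424 PRI = facility * 8 + severity; subset of the standard code tables.
SYSLOG_FACILITY = {"kern": 0, "user": 1, "auth": 4, "authpriv": 10, "local0": 16}
SYSLOG_SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
                   "warning": 4, "notice": 5, "info": 6, "debug": 7}


def syslog_pri(facility: str, severity: str) -> int:
    return SYSLOG_FACILITY[facility] * 8 + SYSLOG_SEVERITY[severity]


def format_alarm(ts: datetime, host: str, count: int, rule_name: str,
                 facility: str = "user", severity: str = "debug") -> str:
    """Render one alarm as an RFC 5424 line; 'siem-esm' is an assumed sender name."""
    pri = syslog_pri(facility, severity)
    msg = f'alarm="{rule_name}" host="{host}" failed_logins={count}'
    # <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
    return f"<{pri}>1 {ts.isoformat()} siem-esm correlator - - - {msg}"


def alarm_lines(events: List[Event], rule: CorrelationRule) -> List[str]:
    return [format_alarm(ts, host, n, rule.name) for ts, host, n in correlate(events, rule)]


def send_udp(line: str, server: str, port: int = 514) -> None:
    """Ship one line to a syslog server over UDP (not called by the demo)."""
    import socket
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (server, port))


# Constructed sample: three failures on srv-a inside two minutes, one
# successful login and one failure on srv-b.
T0 = datetime(2013, 10, 15, 20, 0, tzinfo=timezone.utc)
LOGIN_FAIL = frozenset({"Login", "Failure"})
LOGIN_OK = frozenset({"Login", "Success"})
SAMPLE_EVENTS = [
    Event(T0, "srv-a", "bob", LOGIN_FAIL),
    Event(T0 + timedelta(seconds=30), "srv-a", "bob", LOGIN_FAIL),
    Event(T0 + timedelta(seconds=45), "srv-b", "alice", LOGIN_OK),
    Event(T0 + timedelta(minutes=1), "srv-a", "bob", LOGIN_FAIL),
    Event(T0 + timedelta(minutes=2), "srv-b", "alice", LOGIN_FAIL),
]
ANY_FAILURE = CorrelationRule("Failed Login Attempts", LOGIN_FAIL, threshold=1)
BRUTE_FORCE = CorrelationRule("Repeated Failed Logins", LOGIN_FAIL, threshold=3)

if __name__ == "__main__":
    for rule in (ANY_FAILURE, BRUTE_FORCE):
        print(f"--- {rule.name} (threshold={rule.threshold}, window={rule.window})")
        for line in alarm_lines(SAMPLE_EVENTS, rule):
            print(line)
```

With threshold 1 every failure produces its own alarm (four lines for the sample); with threshold 3 only srv-a fires, and shrinking the window to 20 seconds makes even srv-a go quiet because the three failures are 30 seconds apart. The practical check this suggests for the rule in the post is to confirm what count and window the rule was saved with and then test once with a single bad login and once with a burst of several from one host, so that the two cases can be told apart.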