1 Reply Latest reply on Dec 7, 2015 9:56 AM by feeeds

    Use Case - Daily Automated Report for hosts not logging to SIEM in X time frame - Anyone?

    japie

      Hi All

       

We would like to produce daily reports in areas like Solaris and AIX for hosts that didn't log to the SIEM in X time.

I know you can create an alarm which will fire off an alert, but that's not what we want. We just want a simple report with the host names for the relevant BU/Technology to action.

       

Has anybody managed to get something like this working?

       

      Thanks,

      Japie

        • 1. Re: Use Case - Daily Automated Report for hosts not logging to SIEM in X time frame - Anyone?
          feeeds

Before you start with the report, I would build a query and graph first to ensure the syntax is correct.

One way that I can think of would be to start with an event query based on Count. The one below is set to show us top talkers, so you would want to sort it descending, and maybe only pick the data sources that you are worried about.

          You should be able to pick your time frame as well.

[image: ESM-Count.jpg]

           

The other way would be to set up an alarm based on the Device Status Change event type, with the health monitor status of Idle. This can be problematic in that the health of the data source is fine; you just want to know when it's not sending events anymore. So you might need to play with that one as well.
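The use case japie describes (a daily list of hosts that have gone quiet, grouped by BU/technology, rather than an alarm), as an added stand-alone example that is neither poster's code and not an ESM feature. It assumes you can export the latest event time per source host (or the per-host counts from the query feeeds describes) and that you keep a host inventory with BU/technology outside the SIEM; both the inventory and the event export below are constructed sample data. Checking against an inventory rather than against the SIEM's own data-source list is what catches a host that was never onboarded at all, so the report distinguishes "never seen" from "stale" and also lists sources that appear in the export but not in the inventory.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed inventory: every host expected to report, with its BU and technology.
INVENTORY = {
    "sol-db01":  ("Finance", "Solaris"),
    "sol-app02": ("Finance", "Solaris"),
    "aix-erp01": ("Manufacturing", "AIX"),
    "aix-hr01":  ("HR", "AIX"),
}

# Constructed export of (source host, event time) rows, as a "last event per
# data source" query would return them. A host absent here sent nothing in
# the export window. "unknown01" is deliberately not in the inventory.
EVENTS = [
    ("sol-db01",  "2015-12-07T08:55:00Z"),
    ("aix-erp01", "2015-12-06T07:10:00Z"),
    ("aix-hr01",  "2015-12-07T09:40:00Z"),
    ("unknown01", "2015-12-07T09:41:00Z"),
]


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp ending in Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_seen(events):
    """Latest event time per host; later rows overwrite earlier ones."""
    seen = {}
    for host, ts in events:
        t = parse_ts(ts)
        if host not in seen or t > seen[host]:
            seen[host] = t
    return seen


def silent_hosts(inventory, events, now, window):
    """Hosts with no event newer than now - window, grouped by (bu, tech).

    Returns {(bu, tech): [(host, last_seen_or_None), ...]}; None marks a
    host that appears in the inventory but never in the export.
    """
    seen = last_seen(events)
    cutoff = now - window
    report = defaultdict(list)
    for host, (bu, tech) in sorted(inventory.items()):
        t = seen.get(host)
        if t is None or t < cutoff:
            report[(bu, tech)].append((host, t))
    return dict(report)


def unknown_sources(inventory, events):
    """Sources that are logging but were never added to the inventory."""
    return sorted({h for h, _ in events if h not in inventory})


def format_report(report, now, window):
    """Plain-text report suitable for mailing to each BU."""
    lines = [f"Hosts with no events in the last {window} (as of {now:%Y-%m-%d %H:%M} UTC)"]
    for (bu, tech), hosts in sorted(report.items()):
        lines.append(f"\n[{bu} / {tech}]")
        for host, t in hosts:
            when = f"last seen {t:%Y-%m-%d %H:%M}" if t else "never seen in export"
            lines.append(f"  {host:<12} {when}")
    return "\n".join(lines)


def example_report():
    """Run the check on the constructed data: 24h window as of 2015-12-07 10:00 UTC."""
    now = parse_ts("2015-12-07T10:00:00Z")
    return silent_hosts(INVENTORY, EVENTS, now, timedelta(hours=24))


if __name__ == "__main__":
    now = parse_ts("2015-12-07T10:00:00Z")
    window = timedelta(hours=24)
    print(format_report(silent_hosts(INVENTORY, EVENTS, now, window), now, window))
    unknown = unknown_sources(INVENTORY, EVENTS)
    if unknown:
        print("\nSources seen but not in inventory:", ", ".join(unknown))
```

On the constructed data this flags sol-app02 (never seen) under Finance/Solaris and aix-erp01 (last event 2015-12-06 07:10, older than the 24h cutoff) under Manufacturing/AIX, and lists unknown01 as an un-inventoried source. Run it from a daily cron job against a fresh export and mail each (bu, tech) section to its owner.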