0 Replies Latest reply on Mar 24, 2016 8:54 AM by jjensen86

Question on email alerts

jjensen86

About a month ago I got our email alerts working. I'm now seeing some of the alerts below appear. I was wondering if the information field is self-explanatory as to why the alert is appearing?

i.e. freespace override = ran out of space and purged logs?

Is there a document or something that would explain what these alerts mean?

       

For a complete listing of the events that triggered this alarm please execute the following command (All on one line):

___BEGIN_CMD___
acat -a -e "(event AUDIT_R_DDT || event AUDIT_R_DIT || event AUDIT_R_DOM) and stime 20160318040233 and etime 20160318040233" /var/log/audit.raw ___END_CMD___

Note: Due to rounding error and network traffic patterns, the above command
      may produce more events than were included in this alarm.

The following are the last 1 events seen:

2016-03-18 04:02:33 -0500 f_kernel a_tepm t_attack p_major
pid: 1578 logid: 0 cmd: 'sfagent'
hostname: XXXX category: policy_violation
event: dom violation srcdmn: SFag
reason: OP: OP_SYS_FS_MGMT wanted perm: 0x80<rootness> granted perm: 0x0
information: ffs_alloc(): freespace override

___BEGIN_CMD___
acat -a -e "(event AUDIT_R_DDT || event AUDIT_R_DIT || event AUDIT_R_DOM) and stime 20160317214806 and etime 20160317214806" /var/log/audit.raw ___END_CMD___

Note: Due to rounding error and network traffic patterns, the above command
      may produce more events than were included in this alarm.

The following are the last 1 events seen:

2016-03-17 21:48:06 -0500 f_kernel a_tepm t_attack p_major
pid: 15321 logid: 108 cmd: 'vscanupdate'
hostname: XXXX category: policy_violation
event: ddt violation srcdmn: SCDU filedom: Kern filetype: diry
reason: OP: OP_FS_WRITE perm wanted: 0x2<write> perm granted: 0x1<read>
information: dumpcore: vscanupdate.core

For a complete listing of the events that triggered this alarm please execute the following command (All on one line):

___BEGIN_CMD___
acat -a -e "(event AUDIT_R_DDT || event AUDIT_R_DIT || event AUDIT_R_DOM) and stime 20160307152455 and etime 20160307152455" /var/log/audit.raw ___END_CMD___

Note: Due to rounding error and network traffic patterns, the above command
      may produce more events than were included in this alarm.

The following are the last 1 events seen:

2016-03-07 15:24:55 -0600 f_kernel a_tepm t_attack p_major
pid: 1778 logid: 105 cmd: 'tcsh'
hostname: XXXX category: policy_violation
event: dit violation srcdmn: User tgtdmn: Audt
reason: OP: OP_PROC_TRAN perm wanted: 0x1<trans> perm granted: 0x0
information: Exec /usr/bin/acat

For a complete listing of the events that triggered this alarm please execute the following command (All on one line):

___BEGIN_CMD___
acat -a -e "(event AUDIT_R_DDT || event AUDIT_R_DIT || event AUDIT_R_DOM) and stime 20160217084609 and etime 20160217084609" /var/log/audit.raw ___END_CMD___

Note: Due to rounding error and network traffic patterns, the above command
      may produce more events than were included in this alarm.

The following are the last 1 events seen:

2016-02-17 08:46:09 -0600 f_kernel a_tepm t_attack p_major
pid: 3771 logid: 108 cmd: 'tcsh'
hostname: XXXX category: policy_violation
event: ddt violation srcdmn: User filedom: mtac filetype: scrp
reason: OP: OP_FS_EXEC perm wanted: 0x2000<exec> perm granted: 0x9<read,execute>
information: Exec /usr/bin/mailq
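Added example, not from the original post or from the firewall vendor: a small Python parser for the audit records quoted above. It splits each record into its fields, handles both "perm wanted"/"wanted perm" spellings seen in the post, and computes which requested permission bits were withheld (wanted & ~granted), so a batch of these alerts can be sorted by operation and denied bits instead of read one at a time. The sample records are copied from the post; the meaning of the four header tags (f_kernel a_tepm t_attack p_major) is not documented on the page, so they are kept as an untyped list.

```python
import re

# Constructed sample input: two of the audit records quoted in the post above, verbatim.
RECORD_FS_WRITE = """2016-03-17 21:48:06 -0500 f_kernel a_tepm t_attack p_major
pid: 15321 logid: 108 cmd: 'vscanupdate'
hostname: XXXX category: policy_violation
event: ddt violation srcdmn: SCDU filedom: Kern filetype: diry
reason: OP: OP_FS_WRITE perm wanted: 0x2<write> perm granted: 0x1<read>
information: dumpcore: vscanupdate.core"""
RECORD_FREESPACE = """2016-03-18 04:02:33 -0500 f_kernel a_tepm t_attack p_major
pid: 1578 logid: 0 cmd: 'sfagent'
hostname: XXXX category: policy_violation
event: dom violation srcdmn: SFag
reason: OP: OP_SYS_FS_MGMT wanted perm: 0x80<rootness> granted perm: 0x0
information: ffs_alloc(): freespace override"""

# Header: timestamp with UTC offset, then four tags whose prefixes the post does not explain.
HEADER_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) (\S+) (\S+) (\S+) (\S+)$")
# "key: value" pairs, several per line; a value runs until the next "key:" token or line end.
KV_RE = re.compile(r"(\w+):\s+(.*?)(?=\s+\w+:\s|$)")
# Both spellings seen in the post: "perm wanted: 0x2<write>" and "wanted perm: 0x80<rootness>".
PERM_RE = re.compile(r"(?:perm\s+(wanted|granted)|(wanted|granted)\s+perm):\s*(0x[0-9a-fA-F]+)(?:<([^>]*)>)?")


def parse_record(text):
    """Turn one multi-line audit record into a dict of fields (assumed field names)."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    m = HEADER_RE.match(lines[0])
    if not m: raise ValueError("not an audit record header: " + lines[0])
    rec = {"time": m.group(1), "tags": list(m.groups()[1:])}
    for line in lines[1:]:
        key, _, rest = line.partition(": ")
        if key == "reason":  # "OP: <op> ..." plus the wanted/granted permission bitmasks
            op = re.search(r"OP:\s+(\S+)", rest)
            rec["op"] = op.group(1) if op else None
            for a, b, hexval, names in PERM_RE.findall(rest):
                which = a or b
                rec[which] = int(hexval, 16)
                rec[which + "_names"] = names.split(",") if names else []
        elif key == "information":  # free text; may itself contain colons (dumpcore:)
            rec["information"] = rest
        else:
            for k, v in KV_RE.findall(line):
                rec[k] = v.strip("'")
    return rec


def denied_bits(rec):
    """Permission bits the process asked for that Type Enforcement did not grant."""
    return rec.get("wanted", 0) & ~rec.get("granted", 0)
```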