zakhter You can achieve it by creating an Alarm. Here are the steps.
1. Create a new Alarm.
2. On Condition tab, select "Device Status Change" as Type and check "Connection" and "Idle Time" as Health Monitor Status (screenshot). You can configure the interval after which you wish to be notified on particular data source.
3. On the Device tab, select the data sources which you wish to monitor.
4. On the Action tab, select your desired action. Notice that you can also "Generate Report".
Hope this helps
Thanks for your response. Alarm produces individual information and my end goal is to get a full report on all data sources not generating events.
Do you know a way to set up a filter on Device log messages? For example, Logon failed for abc w/ NT status: NT_STATUS_ACCESS_DENIED - Access denied
To generate that type of Report, we would need to get a bit creative. So, when you create the alarm, assign an odd Severity that you hope other alarms won't have, let's say 59, then create a new Report based on Event Summary and under option 6, filter the Alarm Severity field equals 59. Try that.
The only way I can think of filtering Device logs is to set it up as a Data Source. So, that would mean forwarding the device log to a separate syslog server and importing it back.
Hope this helps.
We have some 13K+ data sources and find that there is really no practical means in the product to simply report what Data Sources had 0 events in the past X hours or yesterday, etc. You should simply be able to do this by running an event count report, but someone at McAfee thought it would be best to simply drop any Data Source from such a listing if it happens to have a count of Zero.
So we take receiver exports, ESM last event received reports, and ELM stat files and blend them together with some perl scripts and whammo, we get a nice spreadsheet that provides the last event received times. The scripting also takes into account that we use dummy parent folders that have a country location code and platform type encoded in them. So what we get is a listing that can be easily sorted to the group that owns the platform.
Thanks for digging into it. Can you please provide the detail steps and script which is producing the end-goal report?
Sure, but I'll need some time to scrub out anything specific to my company.
I agree, I have always been disappointed that McAfee drops "0"s from their reports.
I wrote a script that does something similar and posted about it here: ESM API: Part Duex
Example output, but it's easily customizable:
$ python esmcheckds.py
2016-09-24 16:46:12,824 | WARNING | Data Source has not seen any events in the past LAST_HOUR: Bro 4, 10.10.20.2
2016-09-24 16:46:13,354 | WARNING | Data Source has not seen any events in the past LAST_HOUR: cloud, 10.10.22.202
2016-09-24 16:46:14,399 | WARNING | Data Source has not seen any events in the past LAST_HOUR: mad-pc, 10.10.22.35
2016-09-24 16:46:14,977 | WARNING | Data Source has not seen any events in the past LAST_HOUR: Monster, 10.10.22.50
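The approach described earlier in the thread (blending a data-source inventory that carries the last event received time with an event-count report that silently omits zero-count sources, then sorting by the country and platform encoded in the parent folder name) and the per-source WARNING output shown just above, as an added Python example that is not any poster's script and not McAfee's own export format. The CSV layouts, column names, parent-folder naming scheme and the fixed "now" timestamp are constructed assumptions for the example; real ESM/receiver/ELM exports will need their own parsing.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample inventory export (assumed layout, not a real ESM export):
# parent folder encodes COUNTRY-PLATFORM, last_event is the last event received
# time, blank when the source has never sent anything.
INVENTORY_CSV = """parent,name,ip,last_event
US-WIN,dc01,10.10.22.50,2016-09-24 16:40:00
US-WIN,fs01,10.10.22.51,2016-09-24 16:45:00
DE-LNX,web01,10.10.20.2,2016-09-23 02:15:00
DE-LNX,bro4,10.10.20.3,
UK-FW,edge-fw,10.10.22.202,2016-09-24 09:00:00
"""

# Constructed sample event-count report for the last hour. Sources with a
# zero count are simply absent, which is the behaviour the thread complains about.
EVENT_COUNT_CSV = """name,count
dc01,1200
fs01,3
"""

# Fixed reference time so the example is deterministic (assumption for the demo).
NOW = datetime(2016, 9, 24, 16, 46, 0)


def parse_inventory(text):
    """Parse the inventory CSV; split the parent folder into country and platform."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        last = row["last_event"].strip()
        row["last_event"] = datetime.strptime(last, "%Y-%m-%d %H:%M:%S") if last else None
        country, platform = row["parent"].split("-", 1)
        row["country"], row["platform"] = country, platform
        rows.append(row)
    return rows


def parse_counts(text):
    """Parse the event-count report into {name: count}; missing names mean zero."""
    return {r["name"]: int(r["count"]) for r in csv.DictReader(io.StringIO(text))}


def silent_sources(inventory, counts, hours, now=NOW):
    """Return every data source with no events in the past `hours`.

    A source is flagged if its last event is older than the window (or it never
    sent one), or if it is absent from the count report (treated as zero).
    `counts` may be None when only the inventory timestamps are available; when
    given, it is assumed to cover the same window as `hours`.
    """
    cutoff = now - timedelta(hours=hours)
    flagged = []
    for ds in inventory:
        count = None if counts is None else counts.get(ds["name"], 0)
        stale = ds["last_event"] is None or ds["last_event"] < cutoff
        if stale or count == 0:
            flagged.append({
                "country": ds["country"], "platform": ds["platform"],
                "name": ds["name"], "ip": ds["ip"],
                "last_event": ds["last_event"], "count": count,
            })
    # Sort so each owning group (country, platform) sees its sources together.
    return sorted(flagged, key=lambda d: (d["country"], d["platform"], d["name"]))


def format_report(rows, hours, now=NOW):
    """Render one WARNING line per silent source, in the style of the output above."""
    lines = []
    for r in rows:
        if r["last_event"] is None:
            age = "never"
        else:
            age = f"{(now - r['last_event']).total_seconds() / 3600:.1f}h ago"
        count = "n/a" if r["count"] is None else r["count"]
        lines.append(
            f"{now:%Y-%m-%d %H:%M:%S} | WARNING | {r['country']}/{r['platform']} "
            f"{r['name']}, {r['ip']}: no events in the past {hours}h "
            f"(last event {age}, count {count})"
        )
    return lines


if __name__ == "__main__":
    inventory = parse_inventory(INVENTORY_CSV)
    counts = parse_counts(EVENT_COUNT_CSV)
    for line in format_report(silent_sources(inventory, counts, 1), 1):
        print(line)
```

Because a source absent from the count report is treated as zero rather than dropped, the output lists the sources the product's own report would hide; sorting by the decoded parent folder gives the per-owner grouping the earlier post describes.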