7 Replies Latest reply on Jul 31, 2008 1:18 PM by Jeffcrx

    RSD 2.0 - Email issue

      Hello,

      I have a question. I would like to be emailed whenever any rogue system is detected on the network. I have successfully set it up to cover all of our subnets and all that. The problem is that it only emails me for a handful of rogues. In the dashboard, it shows 25+ rogues found, but it only emailed me for two of them. I set up the email alerts for this via "Responses", to send an email when any rogue system is detected, no filters applied.

      So I tried creating a manual notification rule for it, and it does email me for all 25 machines this way, but it doesn't show me any of the information I'm looking for, like IP or computer name. It just says 'not available' for those variables.

      Any idea why the Responses method barely emails me about the Rogues?

      Thanks,
      Jeff
        • 1. RE: RSD 2.0 - Email issue
          rwhitehill
          Mine works the same as you say.

          Machine IP: Not Available
          Machine Name: Not Available

          Time of Rogue: 7/30/08 10:40:39 AM
          • 2. RE: RSD 2.0 - Email issue
            When my RSD detects devices like non-managed switches or IP phones, I just get the MAC address information in the email notification. When computers are detected (incl. ones that are not members of our domain), I get the full complement of information that I have configured in the body of my Email Notification under Actions.

            Here is how I have it configured:

            4. Actions

            Send Email

            Body:
            DNS Name: {DnsName}
            IP Address: {IPV4}
            Netbios Name: {NetbiosName}
            MAC Address: {MAC}
            Last Detect Time: {setOfLastDetectedTime}
            • 3. RE: RSD 2.0 - Email issue
              I have it configured very similarly; I guess my wording may have been a bit confusing. It's not that it's not showing me the variables such as dnsname, etc. When an email is sent to me, I get all of that information fine.

              The problem is that I also set the action to Send email for all occurrences, but the server only sends me a rogue detection email for like 2 out of 25 machines detected, not all. Do you have that problem at all?

              Thanks
              • 4. RE: RSD 2.0 - Email issue
                We just upgraded to EPO 4 and I have only deployed the 2.0 sensor to 1 subnet, which is the same subnet that our EPO server is on (which also happens to have the majority of our rogue machine connections). I have been getting notifications on every detection.

                Do you have aggregation configured for emailing on every event or multiple events?
                • 5. RE: RSD 2.0 - Email issue


                  Nope, I set it so that it sends an event for every event. Here is my summary of settings:

                  Name: Rogue System Detected
                  Description:
                  Event: Event group: Rogue System Events
                  Event type: Rogue System Detected
                  Status: Enabled
                  Aggregation: None
                  Actions: 1: Send Email


                  But I am covering 7 different subnets. It currently shows 50 rogue machines detected all in all, but I didn't even get 15 emails total. It misses the majority of them via the email...

                  This is frustrating!
                  • 6. RE: RSD 2.0 - Email issue
                    I can imagine..

                    I am at 35 detections and 35 notifications.

                    Do you have the "Response Triggered" in your audit log for the detection events?

                    Start Time: 7/31/08 1:32:50 PM EDT
                    Completion Time: 7/31/08 1:32:50 PM EDT
                    Action: Response Triggered
                    Priority: Low
                    User Name: system
                    Details: The response 'Rogue Detection Email Notification' was triggered.
                    Success: Succeeded
                    • 7. RE: RSD 2.0 - Email issue
                      Never thought to look there! I just deleted all detected rogues to start fresh, and it does indeed have an event for all of them:


                      7/31/08 2:17:26 PM EDT system Response Triggered Low The response 'Rogue System Detected' was triggered. Succeeded
                      7/31/08 2:16:51 PM EDT system Response Triggered Low The response 'Rogue System Detected' was triggered. Succeeded
                      7/31/08 2:14:15 PM EDT system Response Triggered Low The response 'Rogue System Detected' was triggered. Succeeded
                      7/31/08 2:12:25 PM EDT system Response Triggered Low The response 'Rogue System Detected' was triggered. Succeeded
                      7/31/08 2:12:25 PM EDT system Response Triggered Low The response 'Rogue System Detected' was triggered. Succeeded
                      7/31/08 2:11:51 PM EDT system Response Triggered Low The response 'Rogue System Detected' was triggered. Succeeded
                      7/31/08 2:11:51 PM EDT system Response Triggered Low The response 'Rogue System Detected' was triggered. Succeeded
                      7/31/08 2:09:14 PM EDT system Response Triggered Low The response 'Rogue System Detected' was triggered. Succeeded
                      7/31/08 2:09:14 PM EDT system Response Triggered Low The response 'Rogue System Detected' was triggered. Succeeded
                      7/31/08 2:08:57 PM EDT system Response Triggered Low The response 'Rogue System Detected' was triggered. Succeeded
                      7/31/08 2:08:16 PM EDT system Response Triggered Low The response 'Rogue System Detected' was triggered. Succeeded
                      7/31/08 2:07:25 PM EDT system Response Triggered Low The response 'Rogue System Detected' was triggered. Succeeded
                      7/31/08 2:07:25 PM EDT system Response Triggered Low The response 'Rogue System Detected' was triggered. Succeeded
                      7/31/08 2:07:25 PM EDT system Response Triggered Low The response 'Rogue System Detected' was triggered. Succeeded
                      7/31/08 2:07:25 PM EDT system Response Triggered Low The response 'Rogue System Detected' was triggered. Succeeded
                      7/31/08 2:06:51 PM EDT system Response Triggered Low The response 'Rogue System Detected' was triggered. Succeeded
                      7/31/08 2:06:51 PM EDT system Response Triggered Low The response 'Rogue System Detected' was triggered. Succeeded


                      But from all of those triggers, my inbox only has 5 emails from the server... :mad:


                      EDIT: Also, it seems to be two specific subnets that I do not get any emails about... though an event was triggered and successful for it. Very strange.