Ace_Syndrom

attacker address in the mail

Hi,

At Admin Entry, I receive emails with lines like: Event time, event name, admin profile, attacker address and attacker host name.

I get a value in all lines but not in these lines: attacker address and attacker host name.


How to solve it?

thanks

Knowledge Partner

Re: attacker address in the mail

Hi

Not all events populate those fields - what device is recording the "Admin Entry" - is it a Windows login, ArcSight login, or something else?

If the underlying event has the right detail, then the next thing to look at is to check that the rule that is alerting / generating the email has those fields set to aggregate (use source Address, source Hostname in most instances).

Ace_Syndrom

Re: attacker address in the mail

Hi,
The device is Fortigate, and the line is written with only https, without the whole address.
Knowledge Partner

Re: attacker address in the mail

Depending on how the user logs in and the version of Fortigate etc., you may not get any Source / Attacker fields set.

The parser attempts to set the source Address to an IP address within any of the following key fields in the Fortigate event:

  • srcip, src, saddr, remip, rem_ip, remote_ip, ui (where it is an IP Address)

Source HostName is either set using the DNS resolution of the source Address or using one of the below fields if available in the event

  • srcname, src_name

In the below sample Fortigate Admin Login event you can see it just says the logon has occurred using the jsconsole - so there is no Source host / address detail to populate.

2015-10-17 02:11:37 testhost 10.10.10.5 date=2015-10-17 time=00:11:36 devname=FGT60D devid=FGT60D logid=0100032001 type=event subtype=system level=information vd="root" logdesc="Admin login successful" sn=1445065896 user="admin" ui=jsconsole action=login status=success reason=none profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"

Some events may set the "ui" field as below - in which case the source IP Address should populate OK

ui=GUI(10.63.28.147),.......,msg="User admin login failed from GUI(10.3.28.1)"

Compare this to the raw Fortigate event you are seeing. Hope this helps!

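Added example (my own code, not ArcSight's FortiGate parser or anything from Fortinet): a small Python model of the field selection described in the reply above, so you can run your own raw events through it and see whether a source address is even recoverable before you look at the rule or the email template. Assumptions: the keys are tried in the order the reply lists them (the reply does not state a precedence), reverse DNS is an injected callable rather than a live lookup so this runs offline, and every sample event except the jsconsole login quoted from the reply is constructed for illustration.

```python
"""Model of the FortiGate source address / source hostname selection described
in the reply above. Added example; this is NOT ArcSight's parser code."""
import re
import shlex
from ipaddress import ip_address

# Keys the reply says the FortiGate parser looks in for the source address.
# Assumption: they are tried in the order the reply lists them.
SOURCE_ADDRESS_KEYS = ("srcip", "src", "saddr", "remip", "rem_ip", "remote_ip", "ui")
# Keys the reply says supply the source hostname when present.
SOURCE_HOSTNAME_KEYS = ("srcname", "src_name")

KV_RE = re.compile(r"^([A-Za-z0-9_\-]+)=(.*)$", re.S)
IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")

# Sample events. "jsconsole" is the line quoted in the reply; the others are
# constructed: the "https without an address" case from the question, a
# ui=GUI(addr) login, an event with an explicit srcip, and one with srcname.
SAMPLE_EVENTS = {
    "jsconsole": '2015-10-17 02:11:37 testhost 10.10.10.5 date=2015-10-17 time=00:11:36 devname=FGT60D devid=FGT60D logid=0100032001 type=event subtype=system level=information vd="root" logdesc="Admin login successful" sn=1445065896 user="admin" ui=jsconsole action=login status=success reason=none profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"',
    "https_no_addr": 'date=2015-10-17 time=00:12:01 devname=FGT60D logid=0100032001 type=event subtype=system level=information vd="root" logdesc="Admin login successful" user="admin" ui=https action=login status=success profile="super_admin" msg="Administrator admin logged in successfully from https"',
    "gui_with_addr": 'date=2015-10-17 time=00:13:10 devname=FGT60D logid=0100032002 type=event subtype=system level=alert vd="root" logdesc="Admin login failed" user="admin" ui=GUI(10.63.28.147) action=login status=failed msg="User admin login failed from GUI(10.63.28.147)"',
    "explicit_srcip": 'date=2015-10-17 time=00:14:22 devname=FGT60D logid=0100032001 type=event subtype=system level=information vd="root" logdesc="Admin login successful" user="admin" srcip=198.51.100.23 ui=https(192.0.2.10) action=login status=success msg="Administrator admin logged in successfully from https(192.0.2.10)"',
    "with_srcname": 'date=2015-10-17 time=00:15:05 devname=FGT60D logid=0100032001 type=event subtype=system level=information vd="root" logdesc="Admin login successful" user="admin" srcip=198.51.100.23 srcname="jump01" ui=ssh(198.51.100.23) action=login status=success msg="Administrator admin logged in successfully from ssh(198.51.100.23)"',
}


def parse_fortigate(line: str) -> dict:
    """Split a FortiGate syslog line into its key=value fields.
    Values may be double-quoted and contain spaces (msg="..."), so shlex does the
    splitting; tokens without '=' (the syslog timestamp/host prefix) are ignored."""
    try:
        tokens = shlex.split(line)
    except ValueError:          # unbalanced quote: fall back to a plain split
        tokens = line.split()
    fields = {}
    for tok in tokens:
        m = KV_RE.match(tok)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def first_ipv4(value: str):
    """Return the first valid IPv4 address embedded in value, or None.
    This is what makes ui=GUI(10.63.28.147) usable while ui=jsconsole is not."""
    for cand in IPV4_RE.findall(value):
        try:
            return str(ip_address(cand))
        except ValueError:      # e.g. 999.1.1.1 matched the regex but is not an IP
            continue
    return None


def source_address(fields: dict):
    """Value of the first SOURCE_ADDRESS_KEYS field that contains an IPv4 address."""
    for key in SOURCE_ADDRESS_KEYS:
        if key in fields:
            addr = first_ipv4(fields[key])
            if addr:
                return addr
    return None


def source_hostname(fields: dict, resolver=None):
    """srcname/src_name if present, otherwise reverse-resolve the source address.
    resolver is injected so the example runs offline (a real deployment would use
    DNS); returns None when no address is available to resolve."""
    for key in SOURCE_HOSTNAME_KEYS:
        if fields.get(key):
            return fields[key]
    addr = source_address(fields)
    if addr and resolver:
        return resolver(addr)
    return None


def enrich(line: str, resolver=None) -> dict:
    """What a rule/email would have available as sourceAddress and sourceHostName."""
    fields = parse_fortigate(line)
    return {
        "ui": fields.get("ui"),
        "sourceAddress": source_address(fields),
        "sourceHostName": source_hostname(fields, resolver),
    }


# Constructed reverse-DNS table standing in for a live resolver.
FAKE_PTR = {"10.63.28.147": "admin-ws.corp.example", "198.51.100.23": "jump01.corp.example"}

if __name__ == "__main__":
    for name, line in SAMPLE_EVENTS.items():
        print(f"{name:15} {enrich(line, FAKE_PTR.get)}")
```

If your raw event looks like the "https_no_addr" sample (ui=https with no address in parentheses and no srcip), there is nothing for the parser to populate and the email fields will stay empty whatever the rule does; if it looks like "gui_with_addr" or "explicit_srcip" and the email is still empty, the problem is downstream in the rule aggregation or the notification template.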
ianfitz

Re: attacker address in the mail

It kind of sounds like maybe part of your issue is the content of the email you receive...

Are you using ESM? (assume so)

Have you created any custom email Velocity macros on the manager under config/notification?

You can choose which macros to parse depending on your specific notification, so that it doesn't include fields not relevant to that alert.

Just a thought.

Cheers,

Ian.

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.