Cadet 1st Class
468 views

log stoppage


I want to create an alert for log stoppage. Can anyone help?

ESM 6.9

0 Likes
1 Solution

Accepted Solutions
Commander

Hello Rahul,

I'm guessing that "log stoppage" means devices or log sources that are not forwarding their logs to ESM. If my assumption matches your requirement, please go through the steps below; otherwise you can skip this. 😉

The connector itself has a Device Status Monitoring feature (under Processing) that you can make use of; please refer to the snapshot below for a better understanding.

Connector DSM.png

Follow the steps below to create the alert:

  1. Enable Device Status Monitoring on the required connector by setting the value to 60000 or 90000.
  2. Create a correlation rule with the condition 'Device Event Class ID = agent:043'.
  3. Note the meta key Device Custom Date1 (Last Event Received).
  4. Create a local variable for the time difference between the above field and the current time.
  5. Use that time difference in the rule conditions according to your asset criticality and requirements, e.g. the device has stopped sending logs for more than 4 hours.
  6. Configure the notification as per your requirements.

That's it. This rule will alert you whenever a device fails to forward its logs to ESM.

Kindly note: as far as I know, the internal event 'agent:043' will not trigger if a device is still connected but generating 0 events (like a router, ACS, etc.). It only triggers when the log source actually loses connectivity or fails to send its logs to ESM.

 

Hope this helps you. Please give a like if it works out! 🙂

 

Cheers! 

Kiran yadav 

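The procedure in the accepted answer, worked through as an added example that is not part of the original thread or of ArcSight itself: it filters agent:043 status events, takes Device Custom Date1 (last event received), computes the gap from the current time and compares it with a threshold chosen per asset criticality. Because the answer notes that agent:043 does not fire for a device that stays connected but emits zero events, the example also keeps a per-device "last seen" table built from ordinary events so that case is caught as well, and it formats the result as the report the follow-up question asks for. The event dictionaries, host names, field names (`deviceEventClassId`, `deviceHostName`, `deviceCustomDate1`, `endTime`, chosen to resemble ArcSight's naming) and thresholds are all constructed assumptions, not real ESM output.

```python
"""Added example: find log sources that have stopped sending events.

Check 1 follows the accepted answer: correlate on the connector's Device
Status Monitoring event (agent:043) and diff now - deviceCustomDate1.
Check 2 covers the caveat in the answer: a device that never loses
connectivity (so never raises agent:043) but has gone quiet is found by
tracking the newest event time seen per device.
"""
from datetime import datetime, timedelta, timezone

DSM_CLASS_ID = "agent:043"            # Device Status Monitoring internal event
DEFAULT_THRESHOLD = timedelta(hours=4)


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed sample data."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample events (not real ESM output). The agent:043 rows stand in
# for the connector's status events and carry deviceCustomDate1 = last event
# received; the other rows are ordinary device events.
SAMPLE_EVENTS = [
    {"deviceEventClassId": "deny", "deviceHostName": "fw-edge-01",
     "endTime": "2021-03-01T06:00:00Z"},
    {"deviceEventClassId": "login", "deviceHostName": "dc-01",
     "endTime": "2021-03-01T11:30:00Z"},
    # router stays connected but has been quiet since 01:00: no agent:043 fires
    {"deviceEventClassId": "link-up", "deviceHostName": "core-rtr-01",
     "endTime": "2021-03-01T01:00:00Z"},
    {"deviceEventClassId": DSM_CLASS_ID, "deviceHostName": "fw-edge-01",
     "deviceCustomDate1": "2021-03-01T06:00:00Z", "endTime": "2021-03-01T12:00:00Z"},
    {"deviceEventClassId": DSM_CLASS_ID, "deviceHostName": "dc-01",
     "deviceCustomDate1": "2021-03-01T11:30:00Z", "endTime": "2021-03-01T12:00:00Z"},
]

# Assumed per-asset thresholds: the edge firewall is critical, so one hour of
# silence already alerts; everything else falls back to the 4-hour default.
THRESHOLDS = {"fw-edge-01": timedelta(hours=1)}

NOW = parse_ts("2021-03-01T12:00:00Z")


def threshold_for(host: str) -> timedelta:
    return THRESHOLDS.get(host, DEFAULT_THRESHOLD)


def silent_from_dsm(events, now):
    """Steps 2-5 of the answer: agent:043 only, gap = now - deviceCustomDate1,
    flag the device when the gap exceeds its threshold."""
    hits = {}
    for ev in events:
        if ev.get("deviceEventClassId") != DSM_CLASS_ID:
            continue
        host = ev["deviceHostName"]
        gap = now - parse_ts(ev["deviceCustomDate1"])
        if gap > threshold_for(host):
            hits[host] = gap
    return hits


def silent_from_last_seen(events, now):
    """Zero-event case: newest endTime per device over ordinary events, then
    flag devices whose silence exceeds their threshold."""
    last_seen = {}
    for ev in events:
        if ev.get("deviceEventClassId") == DSM_CLASS_ID:
            continue
        host, ts = ev["deviceHostName"], parse_ts(ev["endTime"])
        if host not in last_seen or ts > last_seen[host]:
            last_seen[host] = ts
    return {h: now - t for h, t in last_seen.items() if now - t > threshold_for(h)}


def silent_devices(events, now):
    """Union of both checks, recording which one detected each device.
    The agent:043 verdict wins when both fire for the same host."""
    result = {}
    for host, gap in silent_from_last_seen(events, now).items():
        result[host] = {"gap": gap, "detected_by": "last_seen"}
    for host, gap in silent_from_dsm(events, now).items():
        result[host] = {"gap": gap, "detected_by": DSM_CLASS_ID}
    return result


def format_report(result):
    """Report lines, longest silence first."""
    rows = sorted(result.items(), key=lambda kv: kv[1]["gap"], reverse=True)
    return [f"{host}: no logs for {info['gap']} (via {info['detected_by']})"
            for host, info in rows]


if __name__ == "__main__":
    for line in format_report(silent_devices(SAMPLE_EVENTS, NOW)):
        print(line)
```

With the sample data, fw-edge-01 is reported by the agent:043 check (6 hours of silence against a 1-hour threshold), core-rtr-01 is reported only by the last-seen check (11 hours, never lost connectivity), and dc-01 is quiet for 30 minutes and stays off the list. In ESM the second check corresponds to a rule or trend keyed on Device Host Name rather than on agent:043 alone.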

3 Replies
Fleet Admiral

Hello,

 

Can you be more specific and provide more information about the issue you have?

 

All the best,

 

Daniel

 

0 Likes
Cadet 1st Class
Hello Daniel,

I want to create a report of the devices that are not sending logs to ESM. How do I create that?

0 Likes

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.