Absent Member.

Same Email Alert notifications triggering repeatedly

Dear All,

Has anyone faced the below issue with e-mail notification alerts?

I'm getting an e-mail alert whenever the rule fires, perfectly.

Actually, I installed my console on one of the Windows servers where I installed the connectors as well.

The issue is: today this server restarted 2 to 3 times due to a power cable issue.

During that time, the user got the e-mail alert of the last correlated events (let's assume the 4th April alert) 2 to 3 times, whenever that server got restarted.

I even checked the notification tab in the console; yes, it appeared there and the alert was populated. I checked the active channel for that rule: no correlated events triggered at that time. The last correlated event triggered as per the rule is 4th April.

Only notification/e-mail alerts were firing whenever the server restarted.


Regards,

Santhosh I

Valued Contributor.

Re: Same Email Alert notifications triggering repeatedly

Hi Santosh,

For notification there are 2 files.

1. Email.vm

2. Your custom-created file, based on the different types of rule, e.g. FirewallDeny.vm

Email.vm:

  • This is the file which has the logic to help decide which template to use when sending a notification. By default it has only 1 option.
  • It makes the decision based on a particular field. This field should be set by you while defining the Rule action.
  • The Email.vm will work from top to bottom, so make sure any entries which you have defined are above the default one.
  • You have to add an entry for each individual template, like below, in the Email.vm

#if($introspector.getDisplayValue($event, "flexString1") == "FirewallDeny")

#parse ("FirewallDeny.vm")

#end

  • Where "flexString1" == "FirewallDeny" has to be defined in the Rule action.
  • #parse will use the custom template.


Custom Template (here FirewallDeny.vm):

  • Here is the body of the e-mail; add whichever fields are required for your investigation.

Template FieldName:

YourfieldName: $introspector.getDisplayValue($event,"Field Name in ArcSight")

Example:

SourceAddress: $introspector.getDisplayValue($event,"sourceAddress")

Location of Email.vm : $ARCSIGHT_HOME/config/notification

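Added example, not part of the thread and not ArcSight's own tooling: a small Python check over an Email.vm laid out as in the reply above, flagging #parse targets that are missing from the notification directory and conditions that appear more than once. The sample file content, the directory listing, and the names VpnFailure and FirewallDenyVerbose.vm are constructed for illustration.

```python
import re

# Condition and #parse shapes as written in the reply above.
COND = re.compile(r'#(?:else)?if\s*\(\s*\$introspector\.getDisplayValue\('
                  r'\s*\$event\s*,\s*"([^"]+)"\s*\)\s*==\s*"([^"]*)"\s*\)')
PARSE = re.compile(r'#parse\s*\(\s*"([^"]+)"\s*\)')

def read_entries(email_vm_text):
    """Return (field, value, template) for each conditional entry, in file order."""
    entries, pending = [], None
    for line in email_vm_text.splitlines():
        cond = COND.search(line)
        if cond:
            pending = cond.groups()
        target = PARSE.search(line)
        if target and pending:
            entries.append((pending[0], pending[1], target.group(1)))
            pending = None
        elif line.strip().startswith("#end"):
            pending = None  # condition closed without a #parse
    return entries

def lint(email_vm_text, available_templates):
    """List entries that repeat a condition or name a template file that is absent."""
    problems, first_seen = [], {}
    for field, value, template in read_entries(email_vm_text):
        if (field, value) in first_seen:
            problems.append(f'duplicate condition {field} == "{value}" '
                            f'({first_seen[(field, value)]} and {template})')
        else:
            first_seen[(field, value)] = template
        if template not in available_templates:
            problems.append(f"missing template file {template}")
    return problems

# Constructed sample; VpnFailure and FirewallDenyVerbose.vm are hypothetical names.
SAMPLE_EMAIL_VM = '''\
#if($introspector.getDisplayValue($event, "flexString1") == "FirewallDeny")
#parse ("FirewallDeny.vm")
#end
#if($introspector.getDisplayValue($event, "flexString1") == "VpnFailure")
#parse ("VpnFailure.vm")
#end
#if($introspector.getDisplayValue($event, "flexString1") == "FirewallDeny")
#parse ("FirewallDenyVerbose.vm")
#end
'''
SAMPLE_DIR = {"Email.vm", "FirewallDeny.vm", "FirewallDenyVerbose.vm"}

if __name__ == "__main__":
    for problem in lint(SAMPLE_EMAIL_VM, SAMPLE_DIR):
        print(problem)
```

On a real install, pass the contents of Email.vm and the file names found in $ARCSIGHT_HOME/config/notification.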