https://community.cisco.com/t5/network-security/emailing-events-automatically/m-p/381145#M97706 <HTML><HEAD></HEAD><BODY><P>Many thanks for the BUG ID. U save my time on open up a TAC case <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P>BTW, seem this BUG is already identified for sometime, just wonder when DE will solved it. As the CWVMS is free of charge for 5 hosts now, more and more customer will encounter the problem.</P><P>Thanks again.</P></BODY></HTML> Tue, 23 Nov 2004 01:41:25 GMT jmmleung 2004-11-23T01:41:25Z https://community.cisco.com/t5/network-security/emailing-events-automatically/m-p/381141#M97696 <P>On VMS 2.2 with SecMon 1.2.3, the section admin/event rule allows you to send an email. </P><P></P><P>I have a requirement to send an email for various signatures when they are triggered on a particular sensor. The email should include the source and the destination address as well as the time, date and count etc.</P><P></P><P>I created a rule as follows</P><P>Rule Name: Rule</P><P>-----------------------------------------------</P><P>Comment: &#147;signature description&#148;</P><P>-----------------------------------------------</P><P>Active: yes</P><P>-----------------------------------------------</P><P>Filter: (Signature Name = &#147;signature description&#148;) AND</P><P>(Originating Device = abc) OR</P><P>(Originating Device = xyz) </P><P>-----------------------------------------------</P><P>Rule Actions:</P><P> Notify via Email:</P><P> Recipient(s): ----</P><P> Subject: Rule</P><P> Message: (Signature Name = &#147;signature description&#148;) AND</P><P>(Originating Device = abc) OR (Originating Device = xyz) </P><P></P><P>The following rule: ${RuleName}, has triggered ${MsgCount} times on the ${DateStr} ${TimeStr}</P><P> </P><P></P><P>-----------------------------------------------</P><P>Thresholds and Intervals:</P><P> Issue action(s) after 3 event occurrences.</P><P> Repeat action(s) again after 5 event occurrences.</P><P> Reset count every 30 minutes.</P><P></P><P>Unfortunately it does not seam to work as I thought it would. Could anyone tell me if this is at all possible or even achievable with VMS?</P><P></P><P>The strange thing is that with this rule active, I receive emails even when the &#147;signature description&#148; has not even triggered.</P> Sun, 10 Mar 2019 09:10:07 GMT https://community.cisco.com/t5/network-security/emailing-events-automatically/m-p/381141#M97696 darin.marais 2019-03-10T09:10:07Z https://community.cisco.com/t5/network-security/emailing-events-automatically/m-p/381142#M97697 <HTML><HEAD></HEAD><BODY><P>The following link might help</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_configuration_example09186a00801fc770.shtml" target="_blank">http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_configuration_example09186a00801fc770.shtml</A></P></BODY></HTML> Tue, 26 Oct 2004 20:41:47 GMT https://community.cisco.com/t5/network-security/emailing-events-automatically/m-p/381142#M97697 didyap 2004-10-26T20:41:47Z https://community.cisco.com/t5/network-security/emailing-events-automatically/m-p/381143#M97699 <HTML><HEAD></HEAD><BODY><P>The script in the suggested CCO tech doc. does not work when the filter rule contain IP address trigger condition. The trigger filter works fine, but the notification email contains empty content!</P><P>Any body has workarround, beside MOD the script?</P></BODY></HTML> Fri, 19 Nov 2004 01:58:15 GMT https://community.cisco.com/t5/network-security/emailing-events-automatically/m-p/381143#M97699 jmmleung 2004-11-19T01:58:15Z https://community.cisco.com/t5/network-security/emailing-events-automatically/m-p/381144#M97702 <HTML><HEAD></HEAD><BODY><P>This is due to bug CSCed91589 (<A class="jive-link-custom" href="http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCed91589&amp;Submit=Search" target="_blank">http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCed91589&amp;Submit=Search</A>), unfortunately no workaround at the moment, it's to do with incompatible database entries and needs a major rework. </P><P></P><P>"Severity=High" will work fine, but "Severity=High AND SourceIPAddress=1.1.1.1" will not.</P></BODY></HTML> Tue, 23 Nov 2004 00:11:24 GMT https://community.cisco.com/t5/network-security/emailing-events-automatically/m-p/381144#M97702 gfullage 2004-11-23T00:11:24Z https://community.cisco.com/t5/network-security/emailing-events-automatically/m-p/381145#M97706 <HTML><HEAD></HEAD><BODY><P>Many thanks for the BUG ID. U save my time on open up a TAC case <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P>BTW, seem this BUG is already identified for sometime, just wonder when DE will solved it. As the CWVMS is free of charge for 5 hosts now, more and more customer will encounter the problem.</P><P>Thanks again.</P></BODY></HTML> Tue, 23 Nov 2004 01:41:25 GMT https://community.cisco.com/t5/network-security/emailing-events-automatically/m-p/381145#M97706 jmmleung 2004-11-23T01:41:25Z https://community.cisco.com/t5/network-security/emailing-events-automatically/m-p/381146#M97709 <HTML><HEAD></HEAD><BODY><P>I currently make use of the script that is listed in this thread I would like to upgrade a system to version 2.01 of secmon/idsmc but after reading through the release note I noticed the following bug identification which appears to be applicable to the script.</P><P> </P><P>Bug CSCsa12013 &#147;Event Rules ${Query} keyword is incompatible with IdsAlarms in scripts&#148;</P><P></P><P>There are currently no known workarounds for the problem. Could anyone from Cisco advise if there are any plans to fix it?</P></BODY></HTML> Thu, 03 Feb 2005 14:40:18 GMT https://community.cisco.com/t5/network-security/emailing-events-automatically/m-p/381146#M97709 darin.marais 2005-02-03T14:40:18Z https://community.cisco.com/t5/network-security/emailing-events-automatically/m-p/381147#M97713 <HTML><HEAD></HEAD><BODY><P>This bug is the same as the aforementioned one in this thread. It was opened for v2.0 specifically so that it could be tracked and fixed in this release. It doesn't however, mean that the emailalert.pl script doesn't work in v2.0.</P><P></P><P>If you have it working currently on 1.2.x, then upgrading to v2.x will have no effect on the functionality of the script. </P><P></P><P>The above bug, and the similar bug opened on v1.2, deal with having more than one Event Filter defined. In other words, if you have just Severity=High then it'll work fine with v1.2 and v2.x. If you have Severity=High AND SourceAddress=1.1.1.1 then it won't work in either version.</P><P></P><P>As I said, if it's currently working for you in v1.2, then go ahead and upgrade and it'll keep working for you in v2.0</P></BODY></HTML> Fri, 04 Feb 2005 00:05:39 GMT https://community.cisco.com/t5/network-security/emailing-events-automatically/m-p/381147#M97713 gfullage 2005-02-04T00:05:39Z