Emailing events automatically

darin.marais
Level 4

On VMS 2.2 with SecMon 1.2.3, the section admin/event rule allows you to send an email.

I have a requirement to send an email for various signatures when they are triggered on a particular sensor. The email should include the source and the destination address as well as the time, date and count etc.

I created a rule as follows:

Rule Name: Rule
-----------------------------------------------
Comment: “signature description”
-----------------------------------------------
Active: yes
-----------------------------------------------
Filter: (Signature Name = “signature description”) AND (Originating Device = abc) OR (Originating Device = xyz)
-----------------------------------------------
Rule Actions:
Notify via Email:
Recipient(s): ----
Subject: Rule
Message: (Signature Name = “signature description”) AND (Originating Device = abc) OR (Originating Device = xyz)
The following rule: ${RuleName}, has triggered ${MsgCount} times on the ${DateStr} ${TimeStr}
-----------------------------------------------
Thresholds and Intervals:
Issue action(s) after 3 event occurrences.
Repeat action(s) again after 5 event occurrences.
Reset count every 30 minutes.

Unfortunately it does not seem to work as I thought it would. Could anyone tell me if this is at all possible or even achievable with VMS?

The strange thing is that with this rule active, I receive emails even when the “signature description” has not even triggered.
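The filter in the post mixes AND and OR without grouping parentheses. As an added example (not from this thread or from Cisco's software), the Python below evaluates that expression over constructed sample events under each possible reading and simulates the posted thresholds; the event field names, the AND-over-OR precedence and the threshold semantics are assumptions, not SecMon's documented behaviour.

```python
# Added example (not from the thread or from Cisco). Given the posted filter
#   (Signature Name = X) AND (Originating Device = abc) OR (Originating Device = xyz)
# it evaluates constructed sample events under the two possible groupings and
# simulates the posted thresholds. Field names, the precedence rule and the
# threshold semantics are assumptions, not SecMon's documented behaviour.

SIG = "signature description"

def filter_as_written(ev):
    """A AND B OR C read as (A AND B) OR C, the usual precedence for AND/OR."""
    return (ev["signature"] == SIG and ev["device"] == "abc") or ev["device"] == "xyz"

def filter_intended(ev):
    """A AND (B OR C): the signature must fire on one of the two sensors."""
    return ev["signature"] == SIG and ev["device"] in ("abc", "xyz")

# Constructed sample events, not real sensor output.
SAMPLE_EVENTS = [
    {"signature": SIG, "device": "abc"},
    {"signature": SIG, "device": "xyz"},
    {"signature": "unrelated signature", "device": "xyz"},
    {"signature": "unrelated signature", "device": "abc"},
    {"signature": SIG, "device": "other"},
]

def compare_groupings(events=SAMPLE_EVENTS):
    """Return match counts for both groupings and the events on which they disagree."""
    as_written = [ev for ev in events if filter_as_written(ev)]
    intended = [ev for ev in events if filter_intended(ev)]
    disagree = [ev for ev in events if filter_as_written(ev) != filter_intended(ev)]
    return len(as_written), len(intended), disagree

def notification_times(event_minutes, issue_after=3, repeat_after=5, reset_minutes=30):
    """Simulate 'issue after N, repeat every M more, reset the count every R minutes'.
    event_minutes: sorted minute offsets of events that matched the filter.
    Returns the offsets at which an email would be sent (assumed semantics)."""
    fired, count, window_start = [], 0, None
    for t in event_minutes:
        if window_start is None or t - window_start >= reset_minutes:
            window_start, count = t, 0  # start a new counting window
        count += 1
        if count == issue_after or (count > issue_after and (count - issue_after) % repeat_after == 0):
            fired.append(t)
    return fired

if __name__ == "__main__":
    print(compare_groupings())  # an unrelated signature on xyz matches the as-written reading
    print(notification_times([0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 40, 41, 42]))
```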


6 Replies

The script in the suggested CCO tech doc does not work when the filter rule contains an IP address trigger condition. The trigger filter works fine, but the notification email contains empty content!

Does anybody have a workaround, besides modifying the script?

This is due to bug CSCed91589 (http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCed91589&Submit=Search), unfortunately no workaround at the moment, it's to do with incompatible database entries and needs a major rework.

"Severity=High" will work fine, but "Severity=High AND SourceIPAddress=1.1.1.1" will not.

Many thanks for the bug ID. You saved me the time of opening a TAC case ;)

BTW, it seems this bug has already been identified for some time; I just wonder when DE will solve it. As CWVMS is now free of charge for 5 hosts, more and more customers will encounter the problem.

Thanks again.

I currently make use of the script that is listed in this thread. I would like to upgrade a system to version 2.01 of SecMon/IDS MC, but after reading through the release notes I noticed the following bug identification, which appears to be applicable to the script.

Bug CSCsa12013 “Event Rules ${Query} keyword is incompatible with IdsAlarms in scripts”

There are currently no known workarounds for the problem. Could anyone from Cisco advise if there are any plans to fix it?

This bug is the same as the aforementioned one in this thread. It was opened for v2.0 specifically so that it could be tracked and fixed in this release. It doesn't however, mean that the emailalert.pl script doesn't work in v2.0.

If you have it working currently on 1.2.x, then upgrading to v2.x will have no effect on the functionality of the script.

The above bug, and the similar bug opened on v1.2, deal with having more than one Event Filter defined. In other words, if you have just Severity=High then it'll work fine with v1.2 and v2.x. If you have Severity=High AND SourceAddress=1.1.1.1 then it won't work in either version.

As I said, if it's currently working for you in v1.2, then go ahead and upgrade and it'll keep working for you in v2.0.
