09-10-2003 02:40 PM - edited 03-09-2019 04:44 AM
Hello,
I have CSPM 2.3.3i but it stopped receiving alarms from the sensor. Any suggestions? The only alarms I'm able to receive are when I restart the sensor; there are no alarms from stuff detected.
Thank you!
09-16-2003 10:15 AM
I could only suggest that you check the setting on the sensor to see what the minimum alarm level required is set to.
For example, sensors will record all events (severity 1 thru 5) in the local log file located in /usr/nr/var/log.
The entry for your logging console will look like this:
2 CSPM.ORG smid 2 ERRORS,COMMANDS,EVENTS
The first field (2) is the connection number and is always one-up from the one before.
The second field (CSPM.ORG) is the host and org names assigned during set-up, separated by a period.
The third field (smid) is the target process that will be listening for the alarms.
The fourth field (2) is the minimum severity required. This is the field that may be to blame for your lack of alarms, especially if it is set to 4 or 5!
The fifth field (ERRORS,COMMANDS,EVENTS) dictates which type of log entries will be sent, assuming that the minimum severity level is met.
In my experience, the predominant severity for most IDS signatures is 2 or 3. If the minimum severity is set too high for your CSPM, then you'll most likely see no alarms being delivered other than the ones associated with restarting the sensor.
I suggest that you double check the setting and adjust accordingly...
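The five-field entry described in the reply above can be checked mechanically. The following is an added example, not part of the original post and not Cisco code: the function names, the `LOGHOST.ORG` entry and the sample lines are constructed, and it assumes alarms are delivered as the `EVENTS` entry type.

```python
from dataclasses import dataclass

@dataclass
class Destination:
    conn: int            # field 1: connection number
    host_org: str        # field 2: host.org assigned during set-up
    process: str         # field 3: target process listening for alarms
    min_severity: int    # field 4: minimum severity forwarded (1-5)
    types: tuple         # field 5: log entry types that are sent

def parse_destination(line):
    """Parse one entry such as '2 CSPM.ORG smid 2 ERRORS,COMMANDS,EVENTS'."""
    fields = line.split()
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}: {line!r}")
    conn, host_org, process, sev, types = fields
    if "." not in host_org:
        raise ValueError(f"host and org not separated by a period: {host_org!r}")
    if not 1 <= int(sev) <= 5:
        raise ValueError(f"severity outside 1-5: {sev!r}")
    return Destination(int(conn), host_org, process, int(sev),
                       tuple(types.split(",")))

def audit(lines, typical=(2, 3)):
    """Return findings that would explain missing alarms at a destination.

    'typical' holds the severities the reply calls predominant (2 or 3).
    """
    findings, prev = [], None
    for line in lines:
        d = parse_destination(line)
        if prev is not None and d.conn != prev + 1:
            findings.append(f"{d.host_org}: connection {d.conn} is not one-up from {prev}")
        prev = d.conn
        dropped = [s for s in typical if s < d.min_severity]
        if dropped:
            sevs = ", ".join(map(str, dropped))
            findings.append(f"{d.host_org}: minimum severity {d.min_severity} "
                            f"drops alarms of severity {sevs}")
        if "EVENTS" not in d.types:  # assumption: alarms are EVENTS entries
            findings.append(f"{d.host_org}: EVENTS not in the forwarded types")
    return findings

# Constructed sample: the second entry has its minimum severity raised to 4.
SAMPLE = ["1 LOGHOST.ORG smid 1 ERRORS,COMMANDS,EVENTS",
          "2 CSPM.ORG smid 4 ERRORS,COMMANDS,EVENTS"]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```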
10-20-2003 05:37 AM
Hi,
I also have the same problem. I went through all this stuff and all is OK. I still cannot get any alarms but start-up ones.
Secondly, when I configure the sensor with CSPM, it fails to commit the configs to the sensor, so stuff like shunning, which cannot be done manually, still awaits this CSPM problem being solved. Please help ...
Faith
10-21-2003 08:48 PM
Did this start after a signature update? This could be because of many reasons. Go to the sensor and use the command df -k and see if you are over 75% full. Another reason for this could be that traffic has stopped flowing on the sensor's interface; use nrstatus at the netrangr command prompt to make sure that all of your services are running. Are you getting notifications 996, 997? If so, then traffic has probably stopped flowing at the sensor's interface. In that case use nrstop/nrstart to bring services and interface back up. Let me know if any of these tips help, and elaborate on any further information.