Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
379
Views
0
Helpful
3
Replies

NO CSIDS Alarms

fregon
Level 1
Level 1

‎09-10-2003 02:40 PM - edited ‎03-09-2019 04:44 AM

Hello,

I have CSPM 2.3.3i but it stoped receiving alarms from the sensor. Any suggestions? The only alarms I'm able to receive is when I restart the sensor, there are no alarms from stuff detected.

Thank you!

Labels:
0 Helpful
3 Replies 3

a.arndt
Level 3
Level 3

‎09-16-2003 10:15 AM

I could only suggest that you check the setting on the sensor to see what the minimum alarm level required is set to.

For example, sensors will record all events (severity 1 thru 5) in the local log file located in /usr/nr/var/log. by default but the setting for the outbound alarms is different. You can find out what it is set for in the following file: /usr/nr/etc/destinations

The entry for your logging console will look like this:

2 CSPM.ORG smid 2 ERRORS,COMMANDS,EVENTS

The first field (2) is the connection number and is always one-up from the one before.

The second field (CSPM.ORG) is the host and org names assigned during set-up, separated by a period.

The third field (smid) is the target process that will be listening for the alarms.

The fourth field (2) is the minimum severity required. This is the field that may be to blame for your lack of alarms, especially if it is set to 4 or 5!

The fifth field (ERRORS,COMMANDS,EVENTS) dictates which type of log entries will be sent, assuming that the minimum severity level is met.

In my experience, the predominant severity for most IDS signatures is 2 or 3. If the minimum severity is set too high for your CSPM, then you'll most likely see no alarms being delivered other than the ones associated with restarting the sensor.

I suggest that you double check the setting and adjust accordingly...

0 Helpful

miyoba
Level 1
Level 1
In response to a.arndt

‎10-20-2003 05:37 AM

Hi,

I also have the same problem, I went thru' all this stuff all is ok.I still cannot get any alarms but start up ones.

secondly, when I configure the sensor with CSPM, it fails to commit the configs to the sensor, so stuff like shunning which cannot be done manually still await this CSPM problem solving, please help ...

Faith

0 Helpful

lwierenga
Level 1
Level 1

‎10-21-2003 08:48 PM

Did this start after a signature update? This could be because of many reasons. Go to the sensor and use the command df -k and see if you are over 75% full. Another reason for this could be that traffic has stopped flowing on the sensors interface, use nrstatus at the netrangr command prompt to make sure that all of your services are running. Are you getting notifications 996, 997? If so then traffic has probably stopped flowing at the sensors interface. In that case use the nrstop/nrstart to bring services and interface back up. Let me know if any of these tips help, and elaborate on any further information.

0 Helpful
Customers Also Viewed These Support Documents