
Current Event Source Monitoring limitations in RSA Security Analytics 10.5

Issue

Event Source Monitoring in Security Analytics at the time of writing has the following issues:
  • If the event source is a member of multiple groups, then only the policy assigned to the first group will work.
  • If the event source name reported by the Log Decoder logstats contains capital letters, the policy will not fire. This is because a feed is generated whose names are in lower case only; an event source name that is not completely in lower case will therefore not match this feed.

Cause

To troubleshoot event source monitoring issues do the following:

1. Turn on debug logging for the ESM alarm listener by running the command below on the 10.5 SA box. To turn off debugging, change DEBUG to INFO. The output is written to the /opt/rsa/sms/logs/sms.log file.
/opt/rsa/sms/bin/config_logging com.rsa.smc.esm.groups.threshold.listeners.EsmAlarmListener=DEBUG

2. Go to the REST interface at http:// :50102, navigate to decoder > pull "logstat" properties, and hit "send" without passing any argument. The screenshot below shows this:

This will list all devices and you can see which group each one is in. Make sure your event source is associated with the group you created on the Event Source > Manage tab.

device=ciscoasa forwarder=NWAPPLIANCE4760 source=8.8.8.8 count=105 lastSeenTime=2015-Aug-12 16:18:47 lastUpdatedTime=2015-Aug-12 16:18:48 groups=Ciscoasa_Alarm1416902709
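As an added example that is not part of this article or of RSA's product, the Python below parses logstat lines in the format shown above and flags event sources affected by the two limitations: membership in more than one group, and a name that does not match the lower-case feed. The comma as a separator between multiple groups, and the sample lines after the first, are assumptions constructed for the example.

```python
import re

# Constructed sample of Log Decoder "logstat" output. The first line is the article's own
# example; the other two are invented to trigger the two limitations. Treating a comma as
# the separator between multiple groups is an assumption, not something the article states.
SAMPLE_LOGSTAT = """\
device=ciscoasa forwarder=NWAPPLIANCE4760 source=8.8.8.8 count=105 lastSeenTime=2015-Aug-12 16:18:47 lastUpdatedTime=2015-Aug-12 16:18:48 groups=Ciscoasa_Alarm1416902709
device=WinEvtLog forwarder=NWAPPLIANCE4760 source=10.0.0.5 count=12 lastSeenTime=2015-Aug-12 16:10:00 lastUpdatedTime=2015-Aug-12 16:10:01 groups=Win_Alarm1,Win_Alarm2
device=rhlinux forwarder=NWAPPLIANCE4760 source=10.0.0.9 count=3 lastSeenTime=2015-Aug-12 16:00:00 lastUpdatedTime=2015-Aug-12 16:00:01 groups=
"""

# key=value pairs; a value runs until the next "key=" so timestamps with spaces survive
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_logstat(text):
    """Parse logstat output into one dict per device; 'groups' becomes a list."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = dict(FIELD_RE.findall(line))
        fields["groups"] = [g for g in fields.get("groups", "").split(",") if g]
        entries.append(fields)
    return entries


def build_feed(entries):
    """Model the generated ESM feed: it holds event source names in lower case only."""
    return {e["device"].lower() for e in entries}


def check_event_sources(entries):
    """Return {device: [problems]} for sources whose policy will not fire as configured."""
    feed = build_feed(entries)
    findings = {}
    for e in entries:
        name, groups, problems = e["device"], e["groups"], []
        if len(groups) > 1:
            problems.append(f"in {len(groups)} groups; only the policy for '{groups[0]}' will fire")
        if name not in feed:  # exact match against the lower-case feed, as the policy does
            problems.append("name has capital letters and will not match the lower-case feed")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for device, problems in check_event_sources(parse_logstat(SAMPLE_LOGSTAT)).items():
        print(device, "->", "; ".join(problems))
```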

Workaround

To work around the issues, perform the steps below.
  1. Make sure that each event source is in only one group by configuring a rule to exclude it from other groups.
  2. Change event source names to be in lower case where possible.

Notes

Issue is tracked in Jira SACE-4768




Product Details

RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics UI, Event Source Monitoring (ESM)
RSA Version/Condition: 10.5.x
Platform: CentOS
O/S Version: EL6

Summary

This internal document lists the current limitations in Event Source Monitoring in Security Analytics 10.5.x.

