VMS Security Monitor Event Rules - Email Script Question

Reference: "Configure E-mail Notifications with Scripts for IDS Alerts Using CiscoWorks Monitoring Center for Security"
http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps4077/products_configuration_example09186a00801fc770.shtml#fivesensor
Good day all -
I have created the Email Notification process as described in the linked article. The script runs as expected when a High severity alert is triggered but does not fill in the variables within the email body. I have double-checked that I have the right version of the script for the sensors that we are using. Has anyone else been working with this (or some other) scripting solution and maybe have a suggestion on what to try next?

Try the configuration available at the URL http://cisco.com/en/US/docs/security/security_management/vms/security_monitor/2.2/user/guide/ch05.html.

Similar Messages

  • CiscoWorks VMS Security Monitor completed reports fail to email

    Windows Server 2000
    VMS 2.2
    SecMon 2.2
    We periodically have an issue with CiscoWorks VMS Security Monitor Reporting where VMS will stop emailing completed reports. In the past when we reboot the server the email which has been queued up somewhere all gets delivered and the email delivery will work for a few months until it stops again. We rebooted the server this time and the completed reports emails are still not being delivered.
    When I test email functionality from the Windows command prompt with blat I can send email from the system through the mail server to my email address. All of the CiscoWorks processes are running without errors.
    Where else can I look to troubleshoot this issue?
    Thanks in advance

    There might be a problem in contacting the mail server configured in SecMon.
    See this URL for Configuring the E-mail Notifications with Scripts for IDS Alerts Using CiscoWorks Monitoring Center for Security:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a00801fc770.shtml#maintask1

  • Security Monitor Events display incorrect time

    I have a time issue between a 4240 sensor (5.0) and Security Monitor (2.1). The events in the sensor are correct but 7 hours off in Security Monitor, even though the VMS server understands the correct time (knows there are events in the last hour) but will not display them. After doing some research, it looks as though we needed to load CSCOids2.1.0-sol_SecMon_2_1_Service_Pack_1-6.tar, right? Well I did, ran the perl script, everything was successful. CiscoWorks shows the patch as being applied. Reloaded VMS and the sensor, and still I have what seems like a UTC problem (UTC offset always = 0 yet time zone = Arizona). Any suggestions?
    Thanks!

    Is the correct offset configured on the sensor?
    Execute "show conf" and verify the value for the timezone offset. Remember that this is in minutes and not hours. If the timezone difference is 7 hours then the value on the sensor should be 7 hours * 60 minutes = 420 minutes.
    Also use "show events" on the sensor to look at a few alerts on the sensor itself. It will report both the UTC/GMT time and the Local time. Verify that the offset between the 2 is correct on the sensor. (be sure to account for summertime/daylight savings time)

  • Informational events in security monitor

    I am looking for the configuration method so that the VMS Security Monitor will display informational events in addition to low, medium, and high events.
    The documentation I have found explains what the informational event is, but I cannot find out how to enable it in Security Monitor.
    thanks!

    It should display all events unless you have an event viewer filter. An event viewer filter can be configured for example to only show high severity events.
    http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mon_sec/secmon20/ug/ch04.htm#wp322119

  • Monitor event id rule vs monitor

    Hi!
    Should I use a unit monitor or a rule to monitor event ID?
    I know I can do it with both, but what is best practice?

    The question is more related with the scenario or monitoring solution.
    If you are monitoring for specific events that can then become good, a monitor would be the ideal choice, but if you want to know when an event is triggered then using a rule would be fit for purpose.
    There is also nothing stopping you from using both. So it's really a question about how you manage your alerts. Do you come in the morning and review them (rules would be better) or do you get called out during the night (monitor would be better, as issues can sometimes resolve on their own)?
    With your specific question for monitoring an event ID, does the event have another event that is generated when the issue is resolved? If so, then I would set up a monitor; if not, then a rule.
    Cheers,
    Martin
    Blog: http://sustaslog.wordpress.com
    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

  • How to display events of only one IPS in Security Monitor?

    Hello,
    I searched the forum with no result. I have CW 2.2 with IDSMC 2.1. I have two IPS and 2 IDSM-2 (4.x is in production / 5.x is in test) which all have their four interfaces sniffing in different network segments. Now I am flooded by thousands of messages from the internet with no possibility to just concentrate my view on the events generated on only one specific interface of a single IPS.
    To temporarily focus on only one interface of a single IPS, how can I filter the events in Security Monitor to only display the events of this device and a single interface?
    This would be extremely helpful to simulate attacks in a test environment with shunning/blocking. I have few possibilities to set up a second CW IDSMC on another machine. And after all, I would appreciate being able to focus (filter) in that way for later examining my network to tune signatures and events.
    Furthermore, on IEV 4.1 I was able to get a real-time dashboard showing 'real time' events. I did not see this functionality for IPS 5.x and IDSMC. How can I view real-time data there to see my network's reaction to simulated attacks?
    Any ideas how to display only the wanted data in Security Monitor?
    Thanks in advance, Gerhard

    As far as I know, you cannot display the events of only one IPS in Sec Mon.

  • HT5312 I forgot the security answer and also the email is incorrect. So can I use the other email to know the answer to the security question?

    I forgot the security answer and also the email is incorrect. So can I use the other email to know the answer to the security question?

    The reset link will only work for the rescue email address that you currently have on your account. If it's wrong (you won't be able to change it until you can answer 2 of your questions) then you will need to contact iTunes Support / Apple to get the questions reset.
    Contacting Apple about account security : http://support.apple.com/kb/HT5699
    When they've been reset you can then use the steps half-way down the page that you posted from to correct your rescue email address for potential future use

  • HT5622 Good day to advise you that I forgot security questions, email your questions to re-password security has been compromised by some persons illegitimate since the change

    Good day to advise you that I forgot security questions, email your questions to re-password security has been compromised by some persons illegitimate since the change.
    <E-mail Edited by Host>

    Apple does not respond here. Do not put email addresses in posts here. The world will see it.

  • In VMS 2.3 with Security Monitor 2.2 all signatures are showing as false

    Hi,
    We have a Cisco IPS 4255 with IPS version 5.1.1 and the latest signatures. We have connected the IPS in promiscuous mode and we are seeing that all the signatures are false in Security Monitor 2.2. Please help me to overcome this problem.
    Regards,
    Ram

    Where are you seeing this? What does it mean by saying that a signature is "false"? Are you referring to false positives that the signatures fire?

  • Cannot use Cisco VMS 2.3 to send email alert to admin

    Hi all,
    I am using IDSM version 5 + Catalyst 6513.
    I am going to configure Cisco VMS 2.3 to send alert emails to the admin. I downloaded the script from the Cisco forum but now I can't configure it.
    1. I renamed the file emailalertv5.txt to emailalertv5.pl
    2. I copied the file to the directory "E:\CSCOpx\MDC\etc\ids\scripts\"
    3. I configured it in Cisco VMS 2.3 (see the attachment)
    However, I can't receive the alert email from Cisco VMS 2.3. When I connect to Security Monitor, I see many attack events.

    Hi all,
    if you know the answer, please answer me. I am looking for your answer.
    I read all the materials about IDSM-2 but I can't configure the email alert.
    Thank you very much.

  • How can I get a list of all monitors and rules that are assigned to a node?

    Hello,
    We are using SCOM 2012 SP1.
    I need to get a list of monitors and rules that are assigned to nodes.
    for example :
    nodename - type - name
    node1 - monitor - monitorname1
    node1 - monitor - monitorname2
    node1 - rule - rule1
    node1 - rule - rule2
    Can I get this list by using a SQL or PowerShell script?
    thanks

    Hi,
    Please refer to the link below:
    How to View All Rules and Monitors Running on an Agent-Managed Computer
    https://technet.microsoft.com/en-us/library/hh212748.aspx
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]
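
    The linked article describes the console view; as an added example (not code from this thread or from Microsoft), the following PowerShell produces the requested "nodename - type - name" list with the SCOM 2012 OperationsManager cmdlets. It assumes the OperationsManager module is available (run on a management server or a host with the Operations console and a connected management group) and that the node name you pass matches the DisplayName of its Microsoft.Windows.Computer object; the node name in the usage line is a placeholder.

```powershell
# Added example, not from the thread or from Microsoft.
# Assumption: OperationsManager module is installed and connected to the management group.
Import-Module OperationsManager

function Get-NodeWorkflows {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$NodeName)

    # Objects hosted on the node: the computer object itself plus everything whose Path
    # starts with the computer name (OS, logical disks, network adapters, app components).
    $objects = Get-SCOMClassInstance | Where-Object {
        $_.DisplayName -eq $NodeName -or $_.Path -like "$NodeName*"
    }
    if (-not $objects) { throw "No monitoring objects found for '$NodeName'" }

    # Rules and monitors target classes, not objects, so collect every class of each hosted
    # object. GetClasses() returns the whole inheritance chain, which is what we need because
    # many workflows target a base class (e.g. Windows Server Operating System).
    $classIds = @{}
    foreach ($obj in $objects) {
        foreach ($cls in $obj.GetClasses()) { $classIds[$cls.Id] = $true }
    }

    $rows = @()
    foreach ($r in Get-SCOMRule) {
        if ($classIds.ContainsKey($r.Target.Id)) {
            $rows += [pscustomobject]@{
                NodeName = $NodeName
                Type     = 'rule'
                Name     = if ($r.DisplayName) { $r.DisplayName } else { $r.Name }
                Enabled  = $r.Enabled
            }
        }
    }
    foreach ($m in Get-SCOMMonitor) {
        if ($classIds.ContainsKey($m.Target.Id)) {
            $rows += [pscustomobject]@{
                NodeName = $NodeName
                Type     = 'monitor'
                Name     = if ($m.DisplayName) { $m.DisplayName } else { $m.Name }
                Enabled  = $m.Enabled
            }
        }
    }
    $rows | Sort-Object Type, Name
}

# Usage (placeholder node name); pipe to Export-Csv for a report over several nodes:
Get-NodeWorkflows -NodeName 'node1.example.local' | Format-Table -AutoSize
```

    The Enabled column reflects the workflow's default state from its management pack only; overrides that disable a rule or monitor for a group or for this node are not evaluated here, so treat the list as "targeted at this node", not "currently running on this node".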

  • Failover Cluster events through email

    Team,
    I'm trying to get Windows Server 2008 Failover Clustering events through email. I don't see the "Attach a task" option in Clustering events.
    Could anybody suggest how to accomplish it? Please note we have a 4-node cluster and would like to run the script on a remote computer.
    Thanks 

    Hi Reddy, this forum is not for writing scripts. Please request in this link.
    You can try help like shown below
    help Send-MailMessage -Detailed
    help Get-EventLog -Detailed
    help Get-WinEvent -Detailed
    If you need further help post here
    Regards Chen V [MCTS SharePoint 2010]
    Hi Chen, it seems you misunderstood my question. I was looking for the "Attach a task" option in Clustering events. Do you see this option in clustering events? You can see the same in Event Viewer but not in clustering events.
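
    The thread ends without a script, so here is an added example (not from the thread or from Microsoft) of what the reply's three help topics point at: pull recent Failover Clustering events from every node with Get-WinEvent and mail them with Send-MailMessage from a separate management host, which matches the "run the script on a remote computer" requirement. Node names, the SMTP relay and the mail addresses are placeholders; it assumes the account running it can read the remote event logs (the Remote Event Log Management firewall rule allowed on the nodes) and that the relay accepts mail from this host.

```powershell
# Added example, not from the thread or from Microsoft. All names below are placeholders.
$Nodes      = 'node1', 'node2', 'node3', 'node4'   # the four cluster nodes
$SmtpServer = 'smtp.example.local'                 # internal relay
$From       = 'cluster-alerts@example.local'
$To         = 'ops-team@example.local'
$Since      = (Get-Date).AddMinutes(-15)           # run from a scheduled task every 15 minutes

function Get-RecentClusterEvents {
    param([string[]]$ComputerName, [datetime]$StartTime)
    foreach ($node in $ComputerName) {
        try {
            # Cluster events land in the System log (provider Microsoft-Windows-FailoverClustering)
            # and in the FailoverClustering operational log. Level 1 = Critical, 2 = Error, 3 = Warning.
            Get-WinEvent -ComputerName $node -ErrorAction Stop -FilterHashtable @{
                LogName      = 'System', 'Microsoft-Windows-FailoverClustering/Operational'
                ProviderName = 'Microsoft-Windows-FailoverClustering'
                Level        = 1, 2, 3
                StartTime    = $StartTime
            } | Select-Object @{ n = 'Node'; e = { $node } }, TimeCreated, Id, LevelDisplayName, Message
        }
        catch {
            # With -ErrorAction Stop, "no events" is also raised as an error; only report real failures
            # (node unreachable, access denied), which are worth knowing about in their own right.
            if ($_.Exception.Message -notmatch 'No events were found') {
                Write-Warning "$node : $($_.Exception.Message)"
            }
        }
    }
}

$events = @(Get-RecentClusterEvents -ComputerName $Nodes -StartTime $Since)
if ($events.Count -gt 0) {
    $body = $events | Sort-Object TimeCreated |
        Format-Table Node, TimeCreated, Id, LevelDisplayName, Message -AutoSize -Wrap |
        Out-String -Width 200
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject "Failover cluster: $($events.Count) event(s) since $Since" -Body $body
}
```

    Register it with Task Scheduler on the management host under an account that has Event Log Readers membership on the nodes; keep the interval equal to the look-back window so no event is missed or mailed twice.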

  • Need to monitor an event ID with Event Level: Critical; also how to generate (PowerShell or otherwise) an event with Event Level: Critical

    Need to monitor an event ID with Event Level: Critical; also how to generate (PowerShell or otherwise) an event with Event Level: Critical.

    Hi
    First, we need to clarify what you want.
    1) You want to monitor a Windows Event with the severity "Error" (there is no Critical for Windows Events, only "Error").
    2) You want to create an Event in SCOM. I think if you talk about "Event" in SCOM you actually mean an Alert.
    There is no direct way, like a tool or PowerShell script, of only creating an Alert in SCOM, unless you are going to use the SCOM SDK http://msdn.microsoft.com/en-us/library/hh329086.aspx or the Orchestrator Create Alert activity.
    If you want to create a SCOM alert depending on a Windows Event you can either create a rule http://technet.microsoft.com/en-us/library/ff730470.aspx or a Monitor http://jimmoldenhauer.blogspot.ch/2013/03/scom-2012-how-to-generate-alerts-from.html
    Cheers,
    Stefan
    Blog: http://blog.scomfaq.ch

  • SourceFire Defense Center Security Intelligence Events to External Syslog server

    Hi,
    I want to forward Security Intelligence Events to a Syslog server; is it possible to do this from a Virtual Defense Center?
    I also wanted to forward system logs to a Syslog server but it seems you can't forward them to a syslog server. Also, how do I access Sourcefire Series 3 managed appliances via SCP? If anyone knows how to do it, kindly let me know.

    Thanks for the help.
    I have set up sending email and syslog messages from the RME application. The LMS server immediately started to send messages to the email server but syslog messages are not forwarded to the syslog server. Everything was done according to your instructions except that the name of the first script (syslog_forward.pl) was made consistent with what the second script (.bat) refers to (forward1.pl). What's the problem? Does RME send the standard syslog messages via UDP port 514?
    Sincerely.

  • Cisco Prime LMS 4.1 - Monitoring events

    Dear all
    I have a problem seeing the events in Cisco Prime. For example, when an event occurs (port-shutdown) in the switch I receive this information:
    Event Source: DFM
    Description: Cisco Command Monitoring -> Event Command Source: Command Line, Event Config Source: Running, Event Config Destination: Command Source
    Event Category: Other
    Fault Last Updated At: 07-Mar-2013 16:57:40
    Event_Description: InformAlarm
    Component: 192.168.10.5: Cisco Configuration Management Trap
    I don't see the details of the port that was shut down, or other details that give additional information about the event. I have configured Cisco Prime in this way:
    - Admin > Network > Notification and Action Settings > Event Sets: I have marked all the events
    - Admin > Network > Notification and Action Settings > Fault - Email notification: my mail is configured, I receive alarms by mail.
    - Admin > Network > Notification and Action Settings > Fault Notification Group: is configured
    Notification Group Name: TestSW4
    Device List: 192.168.10.7 ; 192.168.10.6 ; 192.168.10.5 ; 192.168.10.253 ;
    Event Set: All
    Event Severity: Critical ; Warning ; Informational ;
    Event Status: Active ;
    Customer Identification:
    SNMP was configured on the devices:
    snmp-server system-shutdown
    snmp-server enable traps
    snmp-server community <community> RW
    snmp-server host 192.168.10.x <community>
    Please give your support or some information on how to configure the events and failures in Cisco Prime correctly so that they are displayed correctly.

    Hi,
    This community is for collaboration. Please post your question in the following community:
    Home --> NetPro --> Network Infrastructure --> Network Management --> Discussions
    Thanks,
